@go-to-k/cdkd 0.152.2 → 0.154.0

package/dist/{deploy-engine-C4yMO329.js → deploy-engine-Yb3E5e9J.js}

@@ -5423,6 +5423,69 @@ async function applyRoleArnIfSet(opts) {
 * This is used for conditional property omission in CloudFormation templates.
 */
 const AWS_NO_VALUE = Symbol("AWS::NoValue");
+/**
+* Intrinsic-function keys the resolver knows how to handle.
+*
+* A CloudFormation intrinsic is ALWAYS a single-key object — `{ "Ref": ... }`
+* or `{ "Fn::X": ... }`. When `resolveValue` encounters a single-key object
+* whose key is `Ref` or starts with `Fn::` but is NOT in this set, it throws
+* (rather than silently passing the broken value through to the provider).
+*
+* `Fn::Transform` (CloudFormation macros) is intentionally treated as handled:
+* it is expanded server-side at the SYNTHESIS layer (see
+* `src/synthesis/macro-expander.ts`, routed via `Synthesizer`) BEFORE the
+* resolver ever runs, so by resolution time it should already be gone. Listing
+* it here keeps a stray (already-expanded) occurrence from hard-erroring.
+*/
+const HANDLED_INTRINSIC_KEYS = new Set([
+	"Ref",
+	"Fn::GetAtt",
+	"Fn::Join",
+	"Fn::Sub",
+	"Fn::Select",
+	"Fn::Split",
+	"Fn::If",
+	"Fn::Equals",
+	"Fn::And",
+	"Fn::Or",
+	"Fn::Not",
+	"Fn::ImportValue",
+	"Fn::GetStackOutput",
+	"Fn::FindInMap",
+	"Fn::Base64",
+	"Fn::GetAZs",
+	"Fn::Cidr",
+	"Fn::Transform"
+]);
+/**
+* Detect an unresolved / unknown CloudFormation intrinsic function.
+*
+* A CloudFormation intrinsic is ALWAYS a single-key object whose key is `Ref`
+* or starts with `Fn::`. Requiring EXACTLY ONE key avoids false positives on a
+* real resource property that happens to be literally named `Ref` or
+* `Fn::Something` (those would be multi-key objects, or sit alongside sibling
+* keys), so only a genuine lone intrinsic node is flagged.
+*
+* @returns the unknown intrinsic key (e.g. `Fn::ToJsonString`) or `undefined`
+*   when the object is not an unknown single-key intrinsic.
+*/
+function detectUnknownIntrinsicKey(obj) {
+	const keys = Object.keys(obj);
+	if (keys.length !== 1) return;
+	const key = keys[0];
+	if (key !== "Ref" && !key.startsWith("Fn::")) return;
+	if (HANDLED_INTRINSIC_KEYS.has(key)) return;
+	return key;
+}
+/**
+* Build a clear, English error message for an unsupported intrinsic, including
+* a one-click pre-filled GitHub issue link so users can request support.
+*/
+function buildUnknownIntrinsicError(key) {
+	const title = `Support intrinsic ${key}`;
+	const issueUrl = `https://github.com/go-to-k/cdkd/issues/new?title=${encodeURIComponent(title)}&labels=intrinsic-support`;
+	return /* @__PURE__ */ new Error(`Unsupported CloudFormation intrinsic function "${key}": cdkd does not support resolving it yet. Deploying this template would produce a broken value. Please request support by opening an issue: ${issueUrl}`);
+}
 let cachedAccountInfo = null;
 /**
 * Cache for availability zones per region
@@ -5588,6 +5651,8 @@ var IntrinsicFunctionResolver = class {
 		if ("Fn::Base64" in obj) return await this.resolveBase64(obj["Fn::Base64"], context);
 		if ("Fn::GetAZs" in obj) return await this.resolveGetAZs(obj["Fn::GetAZs"], context);
 		if ("Fn::Cidr" in obj) return await this.resolveCidr(obj["Fn::Cidr"], context);
+		const unknownIntrinsicKey = detectUnknownIntrinsicKey(obj);
+		if (unknownIntrinsicKey !== void 0) throw buildUnknownIntrinsicError(unknownIntrinsicKey);
 		const resolved = {};
 		for (const [key, val] of Object.entries(obj)) {
 			const resolvedVal = await this.resolveValue(val, context);
@@ -6683,6 +6748,231 @@ function assertRegionMatch(clientRegion, expectedRegion, resourceType, logicalId
 	if (clientRegion !== expectedRegion) throw new ProvisioningError(`Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region ${clientRegion} does not match stack state region ${expectedRegion}. The resource likely still exists in ${expectedRegion}; rerun the destroy with the correct region (e.g. --region ${expectedRegion}).`, resourceType, logicalId, physicalId);
 }
 
+//#endregion
+//#region src/provisioning/unsupported-types.generated.ts
+/**
+* AUTO-GENERATED by scripts/gen-unsupported-types.ts — DO NOT EDIT BY HAND.
+* Source: docs/_generated/provider-coverage.json (tier3).
+* Regenerate: `vp run gen:unsupported-types`.
+*
+* AWS CloudFormation resource types AWS reports as
+* `ProvisioningType: NON_PROVISIONABLE` (Cloud Control API cannot
+* create/update/delete them) and for which cdkd has no SDK provider. cdkd
+* pre-flight rejects these fast with an actionable message instead of letting
+* the optimistic Cloud Control fallthrough fail mid-deploy.
+*/
+const NON_PROVISIONABLE_TYPES = new Set([
+	"Alexa::ASK::Skill",
+	"AWS::AmazonMQ::ConfigurationAssociation",
+	"AWS::ApiGatewayV2::ApiGatewayManagedOverrides",
+	"AWS::AppMesh::GatewayRoute",
+	"AWS::AppMesh::Mesh",
+	"AWS::AppMesh::Route",
+	"AWS::AppMesh::VirtualGateway",
+	"AWS::AppMesh::VirtualNode",
+	"AWS::AppMesh::VirtualRouter",
+	"AWS::AppMesh::VirtualService",
+	"AWS::AppStream::Fleet",
+	"AWS::AppStream::StackFleetAssociation",
+	"AWS::AppStream::StackUserAssociation",
+	"AWS::AppStream::User",
+	"AWS::AppSync::ApiCache",
+	"AWS::AutoScalingPlans::ScalingPlan",
+	"AWS::BedrockAgentCore::Browser",
+	"AWS::Budgets::Budget",
+	"AWS::CertificateManager::Certificate",
+	"AWS::Cloud9::EnvironmentEC2",
+	"AWS::CloudFormation::CustomResource",
+	"AWS::CloudFormation::Macro",
+	"AWS::CloudFormation::WaitCondition",
+	"AWS::CloudFormation::WaitConditionHandle",
+	"AWS::CloudFront::StreamingDistribution",
+	"AWS::CloudWatch::AnomalyDetector",
+	"AWS::CloudWatch::InsightRule",
+	"AWS::CodeBuild::ReportGroup",
+	"AWS::CodeBuild::SourceCredential",
+	"AWS::CodeCommit::Repository",
+	"AWS::CodeStar::GitHubRepository",
+	"AWS::Config::ConfigurationRecorder",
+	"AWS::Config::DeliveryChannel",
+	"AWS::Config::OrganizationConfigRule",
+	"AWS::Config::RemediationConfiguration",
+	"AWS::DataZone::ProjectProfile",
+	"AWS::DAX::Cluster",
+	"AWS::DAX::ParameterGroup",
+	"AWS::DAX::SubnetGroup",
+	"AWS::Deadline::Limit",
+	"AWS::Deadline::QueueFleetAssociation",
+	"AWS::DirectoryService::MicrosoftAD",
+	"AWS::DLM::LifecyclePolicy",
+	"AWS::DMS::Certificate",
+	"AWS::DMS::Endpoint",
+	"AWS::DMS::EventSubscription",
+	"AWS::DMS::ReplicationInstance",
+	"AWS::DMS::ReplicationSubnetGroup",
+	"AWS::DMS::ReplicationTask",
+	"AWS::DocDB::DBClusterParameterGroup",
+	"AWS::DocDB::EventSubscription",
+	"AWS::EC2::ClientVpnAuthorizationRule",
+	"AWS::EC2::ClientVpnEndpoint",
+	"AWS::EC2::ClientVpnRoute",
+	"AWS::EC2::ClientVpnTargetNetworkAssociation",
+	"AWS::EC2::NetworkInterfacePermission",
+	"AWS::EC2::VPNGatewayRoutePropagation",
+	"AWS::ElastiCache::SecurityGroup",
+	"AWS::ElastiCache::SecurityGroupIngress",
+	"AWS::ElasticLoadBalancing::LoadBalancer",
+	"AWS::ElasticLoadBalancingV2::ListenerCertificate",
+	"AWS::Elasticsearch::Domain",
+	"AWS::EMR::Cluster",
+	"AWS::EMR::InstanceFleetConfig",
+	"AWS::EMR::InstanceGroupConfig",
+	"AWS::FSx::FileSystem",
+	"AWS::FSx::Snapshot",
+	"AWS::FSx::StorageVirtualMachine",
+	"AWS::FSx::Volume",
+	"AWS::Glue::Classifier",
+	"AWS::Glue::CustomEntityType",
+	"AWS::Glue::DataCatalogEncryptionSettings",
+	"AWS::Glue::DataQualityRuleset",
+	"AWS::Glue::DevEndpoint",
+	"AWS::Glue::MLTransform",
+	"AWS::Glue::Partition",
+	"AWS::Glue::TableOptimizer",
+	"AWS::Greengrass::ConnectorDefinition",
+	"AWS::Greengrass::ConnectorDefinitionVersion",
+	"AWS::Greengrass::CoreDefinition",
+	"AWS::Greengrass::CoreDefinitionVersion",
+	"AWS::Greengrass::DeviceDefinition",
+	"AWS::Greengrass::DeviceDefinitionVersion",
+	"AWS::Greengrass::FunctionDefinition",
+	"AWS::Greengrass::FunctionDefinitionVersion",
+	"AWS::Greengrass::Group",
+	"AWS::Greengrass::GroupVersion",
+	"AWS::Greengrass::LoggerDefinition",
+	"AWS::Greengrass::LoggerDefinitionVersion",
+	"AWS::Greengrass::ResourceDefinition",
+	"AWS::Greengrass::ResourceDefinitionVersion",
+	"AWS::Greengrass::SubscriptionDefinition",
+	"AWS::Greengrass::SubscriptionDefinitionVersion",
+	"AWS::IAM::AccessKey",
+	"AWS::IoT::PolicyPrincipalAttachment",
+	"AWS::IoT::ThingPrincipalAttachment",
+	"AWS::IoTThingsGraph::FlowTemplate",
+	"AWS::KinesisAnalytics::Application",
+	"AWS::KinesisAnalytics::ApplicationOutput",
+	"AWS::KinesisAnalytics::ApplicationReferenceDataSource",
+	"AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption",
+	"AWS::KinesisAnalyticsV2::ApplicationOutput",
+	"AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource",
+	"AWS::LakeFormation::DataLakeSettings",
+	"AWS::LakeFormation::Permissions",
+	"AWS::LakeFormation::Resource",
+	"AWS::ManagedBlockchain::Member",
+	"AWS::ManagedBlockchain::Node",
+	"AWS::MediaConvert::JobTemplate",
+	"AWS::MediaConvert::Preset",
+	"AWS::MediaConvert::Queue",
+	"AWS::MediaLive::Channel",
+	"AWS::MediaLive::Input",
+	"AWS::MediaLive::InputSecurityGroup",
+	"AWS::MediaStore::Container",
+	"AWS::OpsWorks::App",
+	"AWS::OpsWorks::ElasticLoadBalancerAttachment",
+	"AWS::OpsWorks::Instance",
+	"AWS::OpsWorks::Layer",
+	"AWS::OpsWorks::Stack",
+	"AWS::OpsWorks::UserProfile",
+	"AWS::OpsWorks::Volume",
+	"AWS::Pinpoint::ADMChannel",
+	"AWS::Pinpoint::APNSChannel",
+	"AWS::Pinpoint::APNSSandboxChannel",
+	"AWS::Pinpoint::APNSVoipChannel",
+	"AWS::Pinpoint::APNSVoipSandboxChannel",
+	"AWS::Pinpoint::App",
+	"AWS::Pinpoint::ApplicationSettings",
+	"AWS::Pinpoint::BaiduChannel",
+	"AWS::Pinpoint::Campaign",
+	"AWS::Pinpoint::EmailChannel",
+	"AWS::Pinpoint::EmailTemplate",
+	"AWS::Pinpoint::EventStream",
+	"AWS::Pinpoint::GCMChannel",
+	"AWS::Pinpoint::PushTemplate",
+	"AWS::Pinpoint::Segment",
+	"AWS::Pinpoint::SMSChannel",
+	"AWS::Pinpoint::SmsTemplate",
+	"AWS::Pinpoint::VoiceChannel",
+	"AWS::PinpointEmail::ConfigurationSet",
+	"AWS::PinpointEmail::ConfigurationSetEventDestination",
+	"AWS::PinpointEmail::DedicatedIpPool",
+	"AWS::PinpointEmail::Identity",
+	"AWS::QLDB::Ledger",
+	"AWS::RDS::DBSecurityGroup",
+	"AWS::RDS::DBSecurityGroupIngress",
+	"AWS::Redshift::ClusterSecurityGroup",
+	"AWS::Redshift::ClusterSecurityGroupIngress",
+	"AWS::Route53::RecordSetGroup",
+	"AWS::SageMaker::CodeRepository",
+	"AWS::SageMaker::EndpointConfig",
+	"AWS::SageMaker::NotebookInstance",
+	"AWS::SageMaker::NotebookInstanceLifecycleConfig",
+	"AWS::SageMaker::Workteam",
+	"AWS::SDB::Domain",
+	"AWS::ServiceCatalog::AcceptedPortfolioShare",
+	"AWS::ServiceCatalog::CloudFormationProduct",
+	"AWS::ServiceDiscovery::HttpNamespace",
+	"AWS::ServiceDiscovery::Instance",
+	"AWS::ServiceDiscovery::PublicDnsNamespace",
+	"AWS::SES::ReceiptFilter",
+	"AWS::SES::ReceiptRule",
+	"AWS::SES::ReceiptRuleSet",
+	"AWS::WAF::ByteMatchSet",
+	"AWS::WAF::IPSet",
+	"AWS::WAF::Rule",
+	"AWS::WAF::SizeConstraintSet",
+	"AWS::WAF::SqlInjectionMatchSet",
+	"AWS::WAF::WebACL",
+	"AWS::WAF::XssMatchSet",
+	"AWS::WAFRegional::ByteMatchSet",
+	"AWS::WAFRegional::GeoMatchSet",
+	"AWS::WAFRegional::IPSet",
+	"AWS::WAFRegional::RateBasedRule",
+	"AWS::WAFRegional::RegexPatternSet",
+	"AWS::WAFRegional::Rule",
+	"AWS::WAFRegional::SizeConstraintSet",
+	"AWS::WAFRegional::SqlInjectionMatchSet",
+	"AWS::WAFRegional::WebACL",
+	"AWS::WAFRegional::WebACLAssociation",
+	"AWS::WAFRegional::XssMatchSet"
+]);
+
+//#endregion
+//#region src/provisioning/unsupported-types.ts
+/**
+* Helpers for cdkd's genuinely-unsupported resource types.
+*
+* The data ({@link NON_PROVISIONABLE_TYPES}) is generated from the
+* provider-coverage audit (`vp run gen:unsupported-types`); this module adds
+* the runtime predicates + the actionable issue link used by the pre-flight
+* check (see {@link ../provisioning/provider-registry.ProviderRegistry.validateResourceTypes}).
+*/
+/**
+* True if AWS reports the type as `ProvisioningType: NON_PROVISIONABLE`
+* (Cloud Control API cannot create/update/delete it) and cdkd has no SDK
+* provider for it.
+*/
+function isNonProvisionable(resourceType) {
+	return NON_PROVISIONABLE_TYPES.has(resourceType);
+}
+/**
+* A 1-click pre-filled GitHub issue link requesting cdkd support for a
+* resource type. Surfaced in the pre-flight error so a user hitting an
+* unsupported type lands directly in the "request support" flow.
+*/
+function unsupportedTypeIssueUrl(resourceType) {
+	return `https://github.com/go-to-k/cdkd/issues/new?title=${encodeURIComponent(`Support resource type ${resourceType}`)}&labels=resource-support`;
+}
+
 //#endregion
 //#region src/provisioning/cloud-control-provider.ts
 /**
@@ -7058,6 +7348,7 @@ var CloudControlProvider = class {
 			"AWS::CertificateManager::Certificate"
 		]).has(resourceType)) return false;
 		if (resourceType.startsWith("Custom::") || resourceType.startsWith("AWS::CloudFormation::CustomResource")) return false;
+		if (isNonProvisionable(resourceType)) return false;
 		return resourceType.startsWith("AWS::");
 	}
 	/**
@@ -7685,11 +7976,25 @@ var ProviderRegistry = class {
 	cloudControlProvider;
 	customResourceProvider;
 	skipResourceTypes = /* @__PURE__ */ new Set();
+	allowedUnsupportedTypes = /* @__PURE__ */ new Set();
 	constructor() {
 		this.cloudControlProvider = new CloudControlProvider();
 		this.customResourceProvider = new CustomResourceProvider();
 	}
 	/**
+	* Escape hatch for the `--allow-unsupported-types` CLI flag. Named types
+	* bypass the pre-flight unsupported-type rejection and are routed through
+	* Cloud Control optimistically (which will likely still fail for genuinely
+	* NON_PROVISIONABLE types — but the choice is the user's). Per-type rather
+	* than a blanket flag so the user explicitly acknowledges each type.
+	*/
+	allowUnsupportedTypes(resourceTypes) {
+		for (const resourceType of resourceTypes) {
+			this.allowedUnsupportedTypes.add(resourceType);
+			this.logger.debug(`Allowing unsupported resource type via escape hatch: ${resourceType}`);
+		}
+	}
+	/**
 	* Configure the response bucket for custom resources
 	* This allows Lambda handlers using cfn-response to send responses via S3
 	*/
@@ -7749,6 +8054,10 @@ var ProviderRegistry = class {
 			this.logger.debug(`Using Custom Resource provider for ${resourceType}`);
 			return this.customResourceProvider;
 		}
+		if (this.allowedUnsupportedTypes.has(resourceType)) {
+			this.logger.debug(`Routing escape-hatch-allowed type ${resourceType} through Cloud Control API`);
+			return this.cloudControlProvider;
+		}
 		throw new Error(`No provider available for resource type: ${resourceType}. This resource type is not supported by Cloud Control API and no SDK provider is registered.`);
 	}
 	/**
@@ -7762,6 +8071,7 @@ var ProviderRegistry = class {
 	*/
 	hasProvider(resourceType) {
 		if (this.shouldSkipResource(resourceType)) return true;
+		if (this.allowedUnsupportedTypes.has(resourceType)) return true;
 		return this.providers.has(resourceType) || CloudControlProvider.isSupportedResourceType(resourceType) || resourceType.startsWith("Custom::") || resourceType === "AWS::CloudFormation::CustomResource";
 	}
 	/**
@@ -7784,6 +8094,7 @@ var ProviderRegistry = class {
 	getProviderType(resourceType) {
 		if (this.providers.has(resourceType)) return "sdk";
 		if (CloudControlProvider.isSupportedResourceType(resourceType)) return "cloud-control";
+		if (this.allowedUnsupportedTypes.has(resourceType)) return "cloud-control";
 		return null;
 	}
 	/**
@@ -7797,7 +8108,12 @@ var ProviderRegistry = class {
 	validateResourceTypes(resourceTypes) {
 		const unsupportedTypes = [];
 		for (const resourceType of resourceTypes) if (!this.hasProvider(resourceType)) unsupportedTypes.push(resourceType);
-		if (unsupportedTypes.length > 0) throw new Error(`The following resource types are not supported:\n` + unsupportedTypes.map((type) => `  - ${type}`).join("\n") + "\n\nThese resource types are not supported by Cloud Control API and no SDK provider is registered.\nPlease report this issue at https://github.com/go-to-k/cdkd/issues so we can add SDK provider support.");
+		if (unsupportedTypes.length > 0) {
+			const details = unsupportedTypes.map((type) => {
+				return `  - ${type}\n      ${isNonProvisionable(type) ? "AWS reports this type as NON_PROVISIONABLE (Cloud Control API cannot manage it) and cdkd has no SDK provider for it." : "cdkd does not currently support this type — no SDK provider is registered, and the type is either on cdkd's Cloud Control blocklist (pending a dedicated SDK provider) or is not an AWS:: namespace."}\n      Request support: ${unsupportedTypeIssueUrl(type)}`;
+			}).join("\n");
+			throw new Error(`The following resource types are not supported by cdkd:\n` + details + `\n\nTo attempt deployment anyway (Cloud Control will likely fail for NON_PROVISIONABLE types), re-run with: --allow-unsupported-types ${unsupportedTypes.join(",")}`);
+		}
 		this.logger.debug(`Validated ${resourceTypes.size} resource types: all have available providers`);
 	}
 };
@@ -10000,4 +10316,4 @@ var DeployEngine = class {
 
 //#endregion
 export { CdkdError as $, shouldRetainResource as A, resolveSkipPrefix as B, IntrinsicFunctionResolver as C, TemplateParser as D, DagBuilder as E, Synthesizer as F, CFN_TEMPLATE_URL_LIMIT as G, resolveStateBucketWithDefaultAndSource as H, getDefaultStateBucketName as I, uploadCfnTemplate as J, MIGRATE_TMP_PREFIX as K, getLegacyStateBucketName as L, stringifyValue as M, WorkGraph as N, LockManager as O, buildDockerImage as P, AssetError as Q, resolveApp as R, assertRegionMatch as S, DiffCalculator as T, warnDeprecatedNoPrefixCliFlag as U, resolveStateBucketWithDefault as V, CFN_TEMPLATE_BODY_LIMIT as W, clearBucketRegionCache as X, AssemblyReader as Y, resolveBucketRegion as Z, matchesCdkPath as _, formatError as _t, withRetry as a, LockError as at, ProviderRegistry as b, withErrorHandling as bt, bold as c, PartialFailureError as ct, green as d, ResourceUpdateNotSupportedError as dt, ConfigError as et, red as f, RouteDiscoveryError as ft, CDK_PATH_TAG as g, SynthesisError as gt, collectInlinePolicyNamesManagedBySiblings as h, StateError as ht, withResourceDeadline as i, LocalStartServiceError as it, AssetPublisher as j, S3StateBackend as k, cyan as l, ProvisioningError as lt, IAMRoleProvider as m, StackTerminationProtectionError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, LocalInvokeBuildError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, MissingCdkCliError as ot, yellow as p, StackHasActiveImportsError as pt, findLargeInlineResources as q, DeployEngine as r, LocalMigrateError as rt, formatResourceLine as s, NestedStackChildDirectDestroyError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, DependencyError as tt, gray as u, ResourceTimeoutError as ut, normalizeAwsTagsToCfn as v, isCdkdError as vt, applyRoleArnIfSet as w, CloudControlProvider as x, resolveExplicitPhysicalId as y, normalizeAwsError as yt, resolveCaptureObservedState as z };
-//# sourceMappingURL=deploy-engine-C4yMO329.js.map
+//# sourceMappingURL=deploy-engine-Yb3E5e9J.js.map