npm - @go-to-k/cdkd - Versions diffs - 0.154.0 → 0.156.0 - Mend

@go-to-k/cdkd 0.154.0 → 0.156.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/cli.js +548 -8
package/dist/cli.js.map +1 -1
package/dist/{deploy-engine-Yb3E5e9J.js → deploy-engine-YQwoPaCE.js} +2046 -6
package/dist/deploy-engine-YQwoPaCE.js.map +1 -0
package/dist/{docker-cmd-EtWSTAje.js → docker-cmd-iDMcWcre.js} +7 -1
package/dist/docker-cmd-iDMcWcre.js.map +1 -0
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -2
package/package.json +1 -1
package/dist/deploy-engine-Yb3E5e9J.js.map +0 -1
package/dist/docker-cmd-EtWSTAje.js.map +0 -1

package/dist/cli.js CHANGED Viewed

@@ -1,14 +1,14 @@
 #!/usr/bin/env node
-import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-EtWSTAje.js";
-import { $ as CdkdError, A as shouldRetainResource, B as resolveSkipPrefix, C as IntrinsicFunctionResolver, D as TemplateParser, E as DagBuilder, F as Synthesizer, G as CFN_TEMPLATE_URL_LIMIT, H as resolveStateBucketWithDefaultAndSource, I as getDefaultStateBucketName, J as uploadCfnTemplate, K as MIGRATE_TMP_PREFIX, L as getLegacyStateBucketName, M as stringifyValue, N as WorkGraph, O as LockManager, P as buildDockerImage, R as resolveApp, S as assertRegionMatch, T as DiffCalculator, U as warnDeprecatedNoPrefixCliFlag, V as resolveStateBucketWithDefault, W as CFN_TEMPLATE_BODY_LIMIT, Y as AssemblyReader, Z as resolveBucketRegion, _ as matchesCdkPath, a as withRetry, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as PartialFailureError, d as green, dt as ResourceUpdateNotSupportedError, f as red, ft as RouteDiscoveryError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalStartServiceError, j as AssetPublisher, k as S3StateBackend, l as cyan, lt as ProvisioningError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalInvokeBuildError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as MissingCdkCliError, p as yellow, pt as StackHasActiveImportsError, q as findLargeInlineResources, r as DeployEngine, rt as LocalMigrateError, s as formatResourceLine, st as NestedStackChildDirectDestroyError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ResourceTimeoutError, v as normalizeAwsTagsToCfn, w as applyRoleArnIfSet, x as CloudControlProvider, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveCaptureObservedState } from "./deploy-engine-Yb3E5e9J.js";
+import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
+import { $ as CdkdError, A as shouldRetainResource, B as resolveSkipPrefix, C as IntrinsicFunctionResolver, D as TemplateParser, E as DagBuilder, F as Synthesizer, G as CFN_TEMPLATE_URL_LIMIT, H as resolveStateBucketWithDefaultAndSource, I as getDefaultStateBucketName, J as uploadCfnTemplate, K as MIGRATE_TMP_PREFIX, L as getLegacyStateBucketName, M as stringifyValue, N as WorkGraph, O as LockManager, P as buildDockerImage, R as resolveApp, S as assertRegionMatch, T as DiffCalculator, U as warnDeprecatedNoPrefixCliFlag, V as resolveStateBucketWithDefault, W as CFN_TEMPLATE_BODY_LIMIT, Y as AssemblyReader, Z as resolveBucketRegion, _ as matchesCdkPath, a as withRetry, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as PartialFailureError, d as green, dt as ResourceUpdateNotSupportedError, f as red, ft as RouteDiscoveryError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalStartServiceError, j as AssetPublisher, k as S3StateBackend, l as cyan, lt as ProvisioningError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalInvokeBuildError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as MissingCdkCliError, p as yellow, pt as StackHasActiveImportsError, q as findLargeInlineResources, r as DeployEngine, rt as LocalMigrateError, s as formatResourceLine, st as NestedStackChildDirectDestroyError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ResourceTimeoutError, v as normalizeAwsTagsToCfn, w as applyRoleArnIfSet, x as CloudControlProvider, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveCaptureObservedState } from "./deploy-engine-YQwoPaCE.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-BF03Alpe.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
-import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
+import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachRolePolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreatePolicyCommand, CreatePolicyVersionCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeletePolicyCommand, DeletePolicyVersionCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachRolePolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetPolicyCommand, GetPolicyVersionCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListEntitiesForPolicyCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListPoliciesCommand, ListPolicyTagsCommand, ListPolicyVersionsCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagPolicyCommand, TagUserCommand, UntagPolicyCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
 import { CreateQueueCommand, DeleteQueueCommand, GetQueueAttributesCommand, GetQueueUrlCommand, ListQueueTagsCommand, ListQueuesCommand, QueueDoesNotExist, SQSClient, SetQueueAttributesCommand, TagQueueCommand, UntagQueueCommand } from "@aws-sdk/client-sqs";
 import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesCommand, GetTopicAttributesCommand, ListTagsForResourceCommand, ListTopicsCommand, NotFoundException, SNSClient, SetTopicAttributesCommand, SubscribeCommand, TagResourceCommand, UnsubscribeCommand, UntagResourceCommand } from "@aws-sdk/client-sns";
-import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
+import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand as GetPolicyCommand$1, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifyInstanceAttributeCommand, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
 import { CreateTableCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
@@ -395,6 +395,33 @@ function parseAllowUnsupportedTypesToken(value, previous) {
 	return [...previous ?? [], ...parsed];
 }
 const allowUnsupportedTypesOption = new Option("--allow-unsupported-types <types>", "Comma-separated resource types to attempt via Cloud Control even though cdkd reports them unsupported (AWS NON_PROVISIONABLE). Escape hatch — Cloud Control will likely still fail. Example: --allow-unsupported-types AWS::Foo::Bar,AWS::Baz::Qux").argParser(parseAllowUnsupportedTypesToken);
+/**
+* Escape hatch for the property-level silent-drop pre-flight reject.
+* Comma-separated (and repeatable) `<ResourceType>:<PropertyName>` tokens
+* the user explicitly accepts as silently dropped at deploy time. Per
+* type+property pair (not blanket) so each silent drop is acknowledged
+* by name.
+*
+* Format-checks each token against `<Namespace>::<Service>::<Type>:<Prop>`
+* with both halves PascalCase, so a typo aborts at parse time instead of
+* being silently added to the allowlist with no effect.
+*
+* The check is Tier-1-only by design (Cloud Control forwards every property
+* to AWS, so there is no write-side silent drop for Tier 2 / Custom). A
+* `Custom::Foo:Bar` token is therefore always a user mistake — it would be
+* added to the allowlist but never consulted at runtime. Reject it at parse
+* time so the user sees the error immediately.
+*/
+const RESOURCE_PROPERTY_FORMAT = /^[A-Z][A-Za-z0-9]+(::[A-Z][A-Za-z0-9]+)+:[A-Z][A-Za-z0-9]*$/;
+function parseAllowUnsupportedPropertiesToken(value, previous) {
+	const parsed = value.split(",").map((s) => s.trim()).filter(Boolean);
+	for (const token of parsed) {
+		if (!RESOURCE_PROPERTY_FORMAT.test(token)) throw new Error(`Invalid --allow-unsupported-properties value "${token}": expected <ResourceType>:<PropertyName> with PascalCase on both halves (e.g. AWS::Lambda::Function:LoggingConfig).`);
+		if (token.startsWith("Custom::")) throw new Error(`Invalid --allow-unsupported-properties value "${token}": Custom:: resources are routed through cfn-response and have no write-side silent drop at cdkd, so the flag would have no effect. Use --allow-unsupported-types for type-level escape hatches instead.`);
+	}
+	return [...previous ?? [], ...parsed];
+}
+const allowUnsupportedPropertiesOption = new Option("--allow-unsupported-properties <entries>", "Comma-separated <ResourceType>:<PropertyName> tokens to accept as silently dropped at deploy time. Escape hatch — the property will NOT be written to AWS, the deployed resource will be missing the field. Example: --allow-unsupported-properties AWS::Lambda::Function:LoggingConfig,AWS::RDS::DBInstance:CACertificateIdentifier").argParser(parseAllowUnsupportedPropertiesToken);
 const deployOptions = [
 	new Option("--concurrency <number>", "Maximum concurrent resource operations").default(10).argParser((value) => parseInt(value, 10)),
 	new Option("--stack-concurrency <number>", "Maximum concurrent stack deployments").default(4).argParser((value) => parseInt(value, 10)),
@@ -409,6 +436,7 @@ const deployOptions = [
 	aggressiveVpcParallelOption,
 	new Option("-e, --exclusively", "Only deploy requested stacks, do not include dependencies").default(false),
 	allowUnsupportedTypesOption,
+	allowUnsupportedPropertiesOption,
 	...resourceTimeoutOptions
 ];
 /**
@@ -1532,6 +1560,517 @@ var IAMPolicyProvider = class {
 	}
 };
+//#endregion
+//#region src/provisioning/providers/iam-managed-policy-provider.ts
+/**
+* AWS IAM Managed Policy Provider
+*
+* Implements resource provisioning for AWS::IAM::ManagedPolicy using the IAM SDK.
+* Cloud Control API does support this type, but a dedicated SDK provider wins
+* via Tier 1 of the provider registry and gives cdkd direct control over:
+*   - PolicyDocument updates (via CreatePolicyVersion + SetDefaultPolicyVersion +
+*     prune oldest non-default when at the 5-version limit)
+*   - Attachment fan-out (Groups / Roles / Users) on create + update
+*   - Detach-before-delete cleanup (a ManagedPolicy with attached principals
+*     or with non-default versions cannot be deleted directly)
+*
+* Physical id is the policy ARN (`arn:aws:iam::<account>:policy/<path><name>`)
+* since path is part of the identity — two policies with the same name in
+* different paths are distinct.
+*/
+var IAMManagedPolicyProvider = class {
+	iamClient;
+	logger = getLogger().child("IAMManagedPolicyProvider");
+	handledProperties = new Map([["AWS::IAM::ManagedPolicy", new Set([
+		"ManagedPolicyName",
+		"Description",
+		"Path",
+		"PolicyDocument",
+		"Groups",
+		"Roles",
+		"Users",
+		"Tags"
+	])]]);
+	constructor() {
+		const awsClients = getAwsClients();
+		this.iamClient = awsClients.iam;
+	}
+	async create(logicalId, resourceType, properties) {
+		this.logger.debug(`Creating IAM managed policy ${logicalId}`);
+		const policyName = generateResourceNameWithFallback(properties["ManagedPolicyName"], logicalId, { maxLength: 128 });
+		const policyDocument = properties["PolicyDocument"];
+		if (!policyDocument) throw new ProvisioningError(`PolicyDocument is required for IAM managed policy ${logicalId}`, resourceType, logicalId);
+		const policyDoc = typeof policyDocument === "string" ? policyDocument : JSON.stringify(policyDocument);
+		try {
+			const createParams = {
+				PolicyName: policyName,
+				PolicyDocument: policyDoc
+			};
+			if (properties["Description"]) createParams.Description = properties["Description"];
+			if (properties["Path"]) createParams.Path = properties["Path"];
+			const tags = properties["Tags"];
+			if (tags && Array.isArray(tags) && tags.length > 0) createParams.Tags = tags;
+			const policyArn = (await this.iamClient.send(new CreatePolicyCommand(createParams))).Policy?.Arn;
+			if (!policyArn) throw new ProvisioningError(`CreatePolicy succeeded but no Arn returned for ${logicalId}`, resourceType, logicalId, policyName);
+			this.logger.debug(`Created IAM managed policy: ${policyArn}`);
+			try {
+				await this.attachToPrincipals(policyArn, properties["Groups"], properties["Roles"], properties["Users"]);
+			} catch (innerError) {
+				try {
+					await this.detachAllPrincipals(policyArn);
+					await this.deleteAllNonDefaultVersions(policyArn);
+					await this.iamClient.send(new DeletePolicyCommand({ PolicyArn: policyArn }));
+					this.logger.debug(`Cleaned up partially-created managed policy ${logicalId} (${policyArn}) after attachment failure`);
+				} catch (cleanupError) {
+					this.logger.warn(`Failed to clean up partially-created managed policy ${logicalId} (${policyArn}): ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}. Manual deletion may be required: detach principals (aws iam list-entities-for-policy --policy-arn ${policyArn}), delete versions (aws iam list-policy-versions --policy-arn ${policyArn} then aws iam delete-policy-version), then aws iam delete-policy --policy-arn ${policyArn}`);
+				}
+				throw innerError;
+			}
+			return {
+				physicalId: policyArn,
+				attributes: { PolicyArn: policyArn }
+			};
+		} catch (error) {
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to create IAM managed policy ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, policyName, cause);
+		}
+	}
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		this.logger.debug(`Updating IAM managed policy ${logicalId}: ${physicalId}`);
+		const newPolicyName = generateResourceNameWithFallback(properties["ManagedPolicyName"], logicalId, { maxLength: 128 });
+		const oldPolicyName = derivePolicyNameFromArn(physicalId);
+		const newPath = properties["Path"] || "/";
+		const oldPath = previousProperties["Path"] || "/";
+		const newDescription = properties["Description"];
+		const oldDescription = previousProperties["Description"];
+		if (newPolicyName !== oldPolicyName || newPath !== oldPath || (newDescription ?? "") !== (oldDescription ?? "")) {
+			const reason = newPolicyName !== oldPolicyName ? "ManagedPolicyName" : newPath !== oldPath ? "Path" : "Description";
+			this.logger.debug(`${reason} changed, replacing managed policy: ${physicalId} (${reason} mutation)`);
+			const createResult = await this.create(logicalId, resourceType, properties);
+			try {
+				await this.delete(logicalId, physicalId, resourceType, previousProperties);
+			} catch (error) {
+				this.logger.warn(`Failed to delete old managed policy ${physicalId} during replacement: ${String(error)}. The old policy may be orphaned and require manual cleanup.`);
+			}
+			const result = {
+				physicalId: createResult.physicalId,
+				wasReplaced: true
+			};
+			if (createResult.attributes) result.attributes = createResult.attributes;
+			return result;
+		}
+		try {
+			const newDocument = properties["PolicyDocument"];
+			const oldDocument = previousProperties["PolicyDocument"];
+			if (newDocument) {
+				const newDocStr = typeof newDocument === "string" ? newDocument : JSON.stringify(newDocument);
+				if (newDocStr !== (oldDocument ? typeof oldDocument === "string" ? oldDocument : JSON.stringify(oldDocument) : "")) {
+					await this.ensureVersionCapacity(physicalId);
+					await this.iamClient.send(new CreatePolicyVersionCommand({
+						PolicyArn: physicalId,
+						PolicyDocument: newDocStr,
+						SetAsDefault: true
+					}));
+					this.logger.debug(`Updated PolicyDocument for ${physicalId}`);
+				}
+			}
+			await this.updatePrincipals(physicalId, properties["Groups"], previousProperties["Groups"], properties["Roles"], previousProperties["Roles"], properties["Users"], previousProperties["Users"]);
+			await this.updateTags(physicalId, properties["Tags"], previousProperties["Tags"]);
+			return {
+				physicalId,
+				wasReplaced: false,
+				attributes: { PolicyArn: physicalId }
+			};
+		} catch (error) {
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to update IAM managed policy ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
+		}
+	}
+	async delete(logicalId, physicalId, resourceType, _properties, context) {
+		this.logger.debug(`Deleting IAM managed policy ${logicalId}: ${physicalId}`);
+		try {
+			try {
+				await this.iamClient.send(new GetPolicyCommand({ PolicyArn: physicalId }));
+			} catch (error) {
+				if (error instanceof NoSuchEntityException) {
+					assertRegionMatch(await this.iamClient.config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
+					this.logger.debug(`Managed policy ${physicalId} does not exist, skipping deletion`);
+					return;
+				}
+				throw error;
+			}
+			await this.detachAllPrincipals(physicalId);
+			await this.deleteAllNonDefaultVersions(physicalId);
+			await this.iamClient.send(new DeletePolicyCommand({ PolicyArn: physicalId }));
+			this.logger.debug(`Successfully deleted IAM managed policy ${logicalId}`);
+		} catch (error) {
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to delete IAM managed policy ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
+		}
+	}
+	async getAttribute(physicalId, _resourceType, attributeName) {
+		if (attributeName === "PolicyArn") return physicalId;
+	}
+	/**
+	* Read the AWS-current managed policy configuration in CFn-property shape.
+	*
+	* Coverage:
+	*  - `ManagedPolicyName`, `Description`, `Path` — straight from `GetPolicy`.
+	*  - `PolicyDocument` — fetched via `GetPolicyVersion` on the default
+	*    version, URL-decoded + JSON-parsed.
+	*  - `Groups` / `Roles` / `Users` — string arrays from
+	*    `ListEntitiesForPolicy`.
+	*  - `Tags` — via `ListPolicyTags`, with the `aws:cdk:path` etc. filtered
+	*    out by `normalizeAwsTagsToCfn`.
+	*
+	* Returns `undefined` when the policy is gone (`NoSuchEntityException`).
+	*/
+	async readCurrentState(physicalId, _logicalId, _resourceType, _properties) {
+		let policy;
+		try {
+			policy = (await this.iamClient.send(new GetPolicyCommand({ PolicyArn: physicalId }))).Policy;
+		} catch (err) {
+			if (err instanceof NoSuchEntityException) return void 0;
+			throw err;
+		}
+		if (!policy) return void 0;
+		const result = {};
+		if (policy.PolicyName !== void 0) result["ManagedPolicyName"] = policy.PolicyName;
+		result["Description"] = policy.Description ?? "";
+		if (policy.Path !== void 0) result["Path"] = policy.Path;
+		if (policy.DefaultVersionId) try {
+			const doc = (await this.iamClient.send(new GetPolicyVersionCommand({
+				PolicyArn: physicalId,
+				VersionId: policy.DefaultVersionId
+			}))).PolicyVersion?.Document;
+			if (typeof doc === "string") try {
+				result["PolicyDocument"] = JSON.parse(decodeURIComponent(doc));
+			} catch {
+				result["PolicyDocument"] = doc;
+			}
+		} catch (err) {
+			if (!(err instanceof NoSuchEntityException)) throw err;
+		}
+		try {
+			const groups = [];
+			const roles = [];
+			const users = [];
+			let marker;
+			while (true) {
+				const resp = await this.iamClient.send(new ListEntitiesForPolicyCommand({
+					PolicyArn: physicalId,
+					...marker ? { Marker: marker } : {}
+				}));
+				for (const g of resp.PolicyGroups ?? []) if (g.GroupName) groups.push(g.GroupName);
+				for (const r of resp.PolicyRoles ?? []) if (r.RoleName) roles.push(r.RoleName);
+				for (const u of resp.PolicyUsers ?? []) if (u.UserName) users.push(u.UserName);
+				if (!resp.IsTruncated) break;
+				marker = resp.Marker;
+			}
+			result["Groups"] = groups;
+			result["Roles"] = roles;
+			result["Users"] = users;
+		} catch (err) {
+			if (!(err instanceof NoSuchEntityException)) throw err;
+		}
+		try {
+			const collected = [];
+			let marker;
+			while (true) {
+				const tagsResp = await this.iamClient.send(new ListPolicyTagsCommand({
+					PolicyArn: physicalId,
+					...marker ? { Marker: marker } : {}
+				}));
+				for (const t of tagsResp.Tags ?? []) collected.push({
+					Key: t.Key,
+					Value: t.Value
+				});
+				if (!tagsResp.IsTruncated) break;
+				marker = tagsResp.Marker;
+			}
+			result["Tags"] = normalizeAwsTagsToCfn(collected);
+		} catch (err) {
+			if (!(err instanceof NoSuchEntityException)) throw err;
+		}
+		return result;
+	}
+	/**
+	* Adopt an existing IAM managed policy into cdkd state.
+	*
+	* Lookup order:
+	*  1. `--resource` override or `Properties.ManagedPolicyName` → walk
+	*     `ListPolicies(Scope: 'Local')` to find the matching ARN.
+	*  2. `ListPolicies(Scope: 'Local')` → for each candidate, `ListPolicyTags`
+	*     and match against `aws:cdk:path`.
+	*
+	* Scope is forced to `'Local'` (customer-managed policies) — adopting an
+	* AWS-managed policy would let cdkd delete it on next destroy, which would
+	* be a major footgun.
+	*/
+	async import(input) {
+		const explicit = resolveExplicitPhysicalId(input, "ManagedPolicyName");
+		if (explicit) {
+			if (explicit.startsWith("arn:")) {
+				if (explicit.startsWith("arn:aws:iam::aws:")) throw new Error(`Refusing to import AWS-managed policy ${explicit}: cdkd only adopts customer-managed policies. If you need to attach an AWS-managed policy to a role / user / group, reference it via ManagedPolicyArns on the principal instead.`);
+				try {
+					await this.iamClient.send(new GetPolicyCommand({ PolicyArn: explicit }));
+					return {
+						physicalId: explicit,
+						attributes: { PolicyArn: explicit }
+					};
+				} catch (err) {
+					if (err instanceof NoSuchEntityException) return null;
+					throw err;
+				}
+			}
+			const arnByName = await this.findPolicyArnByName(explicit);
+			if (arnByName) return {
+				physicalId: arnByName,
+				attributes: { PolicyArn: arnByName }
+			};
+			return null;
+		}
+		if (!input.cdkPath) return null;
+		let marker;
+		do {
+			const list = await this.iamClient.send(new ListPoliciesCommand({
+				Scope: "Local",
+				...marker ? { Marker: marker } : {}
+			}));
+			for (const policy of list.Policies ?? []) {
+				if (!policy.Arn) continue;
+				try {
+					if (matchesCdkPath((await this.iamClient.send(new ListPolicyTagsCommand({ PolicyArn: policy.Arn }))).Tags, input.cdkPath)) return {
+						physicalId: policy.Arn,
+						attributes: { PolicyArn: policy.Arn }
+					};
+				} catch (err) {
+					if (err instanceof NoSuchEntityException) continue;
+					throw err;
+				}
+			}
+			marker = list.IsTruncated ? list.Marker : void 0;
+		} while (marker);
+		return null;
+	}
+	async attachToPrincipals(policyArn, groups, roles, users) {
+		if (groups && Array.isArray(groups)) for (const groupName of groups) {
+			await this.iamClient.send(new AttachGroupPolicyCommand({
+				GroupName: groupName,
+				PolicyArn: policyArn
+			}));
+			this.logger.debug(`Attached ${policyArn} to group ${groupName}`);
+		}
+		if (roles && Array.isArray(roles)) for (const roleName of roles) {
+			await this.iamClient.send(new AttachRolePolicyCommand({
+				RoleName: roleName,
+				PolicyArn: policyArn
+			}));
+			this.logger.debug(`Attached ${policyArn} to role ${roleName}`);
+		}
+		if (users && Array.isArray(users)) for (const userName of users) {
+			await this.iamClient.send(new AttachUserPolicyCommand({
+				UserName: userName,
+				PolicyArn: policyArn
+			}));
+			this.logger.debug(`Attached ${policyArn} to user ${userName}`);
+		}
+	}
+	async updatePrincipals(policyArn, newGroups, oldGroups, newRoles, oldRoles, newUsers, oldUsers) {
+		const newGroupSet = new Set(newGroups || []);
+		const oldGroupSet = new Set(oldGroups || []);
+		for (const g of newGroupSet) if (!oldGroupSet.has(g)) {
+			await this.iamClient.send(new AttachGroupPolicyCommand({
+				GroupName: g,
+				PolicyArn: policyArn
+			}));
+			this.logger.debug(`Attached ${policyArn} to group ${g}`);
+		}
+		for (const g of oldGroupSet) if (!newGroupSet.has(g)) try {
+			await this.iamClient.send(new DetachGroupPolicyCommand({
+				GroupName: g,
+				PolicyArn: policyArn
+			}));
+			this.logger.debug(`Detached ${policyArn} from group ${g}`);
+		} catch (err) {
+			if (!(err instanceof NoSuchEntityException)) throw err;
+		}
+		const newRoleSet = new Set(newRoles || []);
+		const oldRoleSet = new Set(oldRoles || []);
+		for (const r of newRoleSet) if (!oldRoleSet.has(r)) {
+			await this.iamClient.send(new AttachRolePolicyCommand({
+				RoleName: r,
+				PolicyArn: policyArn
+			}));
+			this.logger.debug(`Attached ${policyArn} to role ${r}`);
+		}
+		for (const r of oldRoleSet) if (!newRoleSet.has(r)) try {
+			await this.iamClient.send(new DetachRolePolicyCommand({
+				RoleName: r,
+				PolicyArn: policyArn
+			}));
+			this.logger.debug(`Detached ${policyArn} from role ${r}`);
+		} catch (err) {
+			if (!(err instanceof NoSuchEntityException)) throw err;
+		}
+		const newUserSet = new Set(newUsers || []);
+		const oldUserSet = new Set(oldUsers || []);
+		for (const u of newUserSet) if (!oldUserSet.has(u)) {
+			await this.iamClient.send(new AttachUserPolicyCommand({
+				UserName: u,
+				PolicyArn: policyArn
+			}));
+			this.logger.debug(`Attached ${policyArn} to user ${u}`);
+		}
+		for (const u of oldUserSet) if (!newUserSet.has(u)) try {
+			await this.iamClient.send(new DetachUserPolicyCommand({
+				UserName: u,
+				PolicyArn: policyArn
+			}));
+			this.logger.debug(`Detached ${policyArn} from user ${u}`);
+		} catch (err) {
+			if (!(err instanceof NoSuchEntityException)) throw err;
+		}
+	}
+	async detachAllPrincipals(policyArn) {
+		try {
+			let marker;
+			while (true) {
+				const resp = await this.iamClient.send(new ListEntitiesForPolicyCommand({
+					PolicyArn: policyArn,
+					...marker ? { Marker: marker } : {}
+				}));
+				for (const g of resp.PolicyGroups ?? []) {
+					if (!g.GroupName) continue;
+					try {
+						await this.iamClient.send(new DetachGroupPolicyCommand({
+							GroupName: g.GroupName,
+							PolicyArn: policyArn
+						}));
+					} catch (err) {
+						if (!(err instanceof NoSuchEntityException)) throw err;
+					}
+				}
+				for (const r of resp.PolicyRoles ?? []) {
+					if (!r.RoleName) continue;
+					try {
+						await this.iamClient.send(new DetachRolePolicyCommand({
+							RoleName: r.RoleName,
+							PolicyArn: policyArn
+						}));
+					} catch (err) {
+						if (!(err instanceof NoSuchEntityException)) throw err;
+					}
+				}
+				for (const u of resp.PolicyUsers ?? []) {
+					if (!u.UserName) continue;
+					try {
+						await this.iamClient.send(new DetachUserPolicyCommand({
+							UserName: u.UserName,
+							PolicyArn: policyArn
+						}));
+					} catch (err) {
+						if (!(err instanceof NoSuchEntityException)) throw err;
+					}
+				}
+				if (!resp.IsTruncated) break;
+				marker = resp.Marker;
+			}
+		} catch (err) {
+			if (err instanceof NoSuchEntityException) return;
+			throw err;
+		}
+	}
+	/**
+	* Delete every non-default version of the policy. Required before
+	* `DeletePolicy` — AWS refuses to delete a policy that still has
+	* non-default versions.
+	*/
+	async deleteAllNonDefaultVersions(policyArn) {
+		try {
+			let marker;
+			while (true) {
+				const resp = await this.iamClient.send(new ListPolicyVersionsCommand({
+					PolicyArn: policyArn,
+					...marker ? { Marker: marker } : {}
+				}));
+				for (const v of resp.Versions ?? []) {
+					if (v.IsDefaultVersion) continue;
+					if (!v.VersionId) continue;
+					try {
+						await this.iamClient.send(new DeletePolicyVersionCommand({
+							PolicyArn: policyArn,
+							VersionId: v.VersionId
+						}));
+					} catch (err) {
+						if (!(err instanceof NoSuchEntityException)) throw err;
+					}
+				}
+				if (!resp.IsTruncated) break;
+				marker = resp.Marker;
+			}
+		} catch (err) {
+			if (err instanceof NoSuchEntityException) return;
+			throw err;
+		}
+	}
+	/**
+	* AWS caps managed policies at 5 versions. Before creating a new version,
+	* prune the oldest non-default version if at the cap.
+	*/
+	async ensureVersionCapacity(policyArn) {
+		const versions = (await this.iamClient.send(new ListPolicyVersionsCommand({ PolicyArn: policyArn }))).Versions ?? [];
+		if (versions.length < 5) return;
+		const victim = versions.filter((v) => !v.IsDefaultVersion && v.VersionId).sort((a, b) => (a.CreateDate?.getTime() ?? 0) - (b.CreateDate?.getTime() ?? 0))[0];
+		if (!victim?.VersionId) return;
+		await this.iamClient.send(new DeletePolicyVersionCommand({
+			PolicyArn: policyArn,
+			VersionId: victim.VersionId
+		}));
+		this.logger.debug(`Pruned oldest non-default version ${victim.VersionId} of ${policyArn}`);
+	}
+	async updateTags(policyArn, newTags, oldTags) {
+		const newTagMap = new Map((newTags || []).map((t) => [t.Key, t.Value]));
+		const oldTagMap = new Map((oldTags || []).map((t) => [t.Key, t.Value]));
+		const tagsToRemove = [];
+		for (const key of oldTagMap.keys()) if (!newTagMap.has(key)) tagsToRemove.push(key);
+		const tagsToAdd = [];
+		for (const [key, value] of newTagMap) if (oldTagMap.get(key) !== value) tagsToAdd.push({
+			Key: key,
+			Value: value
+		});
+		if (tagsToRemove.length > 0) await this.iamClient.send(new UntagPolicyCommand({
+			PolicyArn: policyArn,
+			TagKeys: tagsToRemove
+		}));
+		if (tagsToAdd.length > 0) await this.iamClient.send(new TagPolicyCommand({
+			PolicyArn: policyArn,
+			Tags: tagsToAdd
+		}));
+	}
+	async findPolicyArnByName(policyName) {
+		let marker;
+		do {
+			const resp = await this.iamClient.send(new ListPoliciesCommand({
+				Scope: "Local",
+				...marker ? { Marker: marker } : {}
+			}));
+			for (const p of resp.Policies ?? []) if (p.PolicyName === policyName && p.Arn) return p.Arn;
+			marker = resp.IsTruncated ? resp.Marker : void 0;
+		} while (marker);
+	}
+};
+/**
+* Recover the policy name from `arn:aws:iam::<account>:policy/<path><name>`.
+* Used to decide whether `ManagedPolicyName` was mutated relative to the
+* physical id we recorded — name + path are immutable on AWS, so any
+* difference is a replacement signal.
+*/
+function derivePolicyNameFromArn(arn) {
+	const ix = arn.lastIndexOf("/");
+	return ix >= 0 ? arn.slice(ix + 1) : arn;
+}
 //#endregion
 //#region src/provisioning/providers/iam-instance-profile-provider.ts
 /**
@@ -6684,7 +7223,7 @@ var LambdaPermissionProvider = class {
 		const statementId = physicalId.includes("|") ? physicalId.split("|").pop() : physicalId;
 		let policyDoc;
 		try {
-			policyDoc = (await this.lambdaClient.send(new GetPolicyCommand({ FunctionName: functionName }))).Policy;
+			policyDoc = (await this.lambdaClient.send(new GetPolicyCommand$1({ FunctionName: functionName }))).Policy;
 		} catch (err) {
 			if (err instanceof ResourceNotFoundException) return void 0;
 			throw err;
@@ -31995,6 +32534,7 @@ var NestedStackProvider = class {
 function registerAllProviders(registry) {
 	registry.register("AWS::IAM::Role", new IAMRoleProvider());
 	registry.register("AWS::IAM::Policy", new IAMPolicyProvider());
+	registry.register("AWS::IAM::ManagedPolicy", new IAMManagedPolicyProvider());
 	registry.register("AWS::IAM::InstanceProfile", new IAMInstanceProfileProvider());
 	const iamUserGroupProvider = new IAMUserGroupProvider();
 	registry.register("AWS::IAM::User", iamUserGroupProvider);
@@ -32392,6 +32932,7 @@ async function deployCommand(stacks, options) {
 			registerAllProviders(stackProviderRegistry);
 			stackProviderRegistry.setCustomResourceResponseBucket(stateBucket, baseRegion);
 			if (options.allowUnsupportedTypes?.length) stackProviderRegistry.allowUnsupportedTypes(options.allowUnsupportedTypes);
+			if (options.allowUnsupportedProperties?.length) stackProviderRegistry.allowUnsupportedProperties(options.allowUnsupportedProperties);
 			try {
 				if (skipPrefix) {
 					const existing = await stackStateBackend.getState(stackInfo.stackName, stackRegion);
@@ -33870,7 +34411,6 @@ function isPlainObject(value) {
 * `Record<string, string>` for trivial JSON serialization if ever needed).
 */
 const CC_API_FALLBACK_DENY_LIST = {
-	"AWS::IAM::ManagedPolicy": "PolicyDocument is URL-encoded JSON in CC API responses, but cdkd state stores it as a parsed object — needs per-type decode",
 	"AWS::ApiGateway::RestApi": "Body / BodyS3Location are write-only inputs not returned by CC API GetResource; cdkd state preserves them",
 	"AWS::CloudFormation::Stack": "CC API returns runtime stack state (outputs/status), not the template parameters cdkd state stores",
 	"AWS::EC2::LaunchTemplate": "CC API returns version-bumped LaunchTemplateData with synthetic LatestVersionNumber that diverges from the CFn input shape"
@@ -55560,7 +56100,7 @@ function pickEssentialContainerId(instance, service) {
 const defaultWaitForExitImpl = async (containerId) => {
 	const { execFile } = await import("node:child_process");
 	const { promisify } = await import("node:util");
-	const { getDockerCmd } = await import("./docker-cmd-EtWSTAje.js").then((n) => n.t);
+	const { getDockerCmd } = await import("./docker-cmd-iDMcWcre.js").then((n) => n.t);
 	const { stdout } = await promisify(execFile)(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
 	const code = parseInt(stdout.trim(), 10);
 	return Number.isFinite(code) ? code : -1;
@@ -58069,7 +58609,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.154.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.156.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());