@go-to-k/cdkd 0.154.0 → 0.156.0

package/dist/{deploy-engine-Yb3E5e9J.js → deploy-engine-YQwoPaCE.js}

@@ -1,4 +1,4 @@
-import { a as runDockerStreaming, c as getLogger, d as getLiveRenderer, g as generateResourceNameWithFallback, m as applyDefaultNameForFallback, n as formatDockerLoginError, o as spawnStreaming, r as getDockerCmd, v as withStackName } from "./docker-cmd-EtWSTAje.js";
+import { a as runDockerStreaming, c as getLogger, d as getLiveRenderer, g as generateResourceNameWithFallback, m as applyDefaultNameForFallback, n as formatDockerLoginError, o as spawnStreaming, r as getDockerCmd, v as withStackName } from "./docker-cmd-iDMcWcre.js";
 import { r as getAwsClients } from "./aws-clients-BF03Alpe.js";
 import { randomUUID } from "node:crypto";
 import { DeleteObjectCommand, GetBucketLocationCommand, GetObjectCommand, HeadBucketCommand, HeadObjectCommand, ListObjectsV2Command, NoSuchKey, PutObjectCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -6797,12 +6797,9 @@ const NON_PROVISIONABLE_TYPES = new Set([
 	"AWS::Config::DeliveryChannel",
 	"AWS::Config::OrganizationConfigRule",
 	"AWS::Config::RemediationConfiguration",
-	"AWS::DataZone::ProjectProfile",
 	"AWS::DAX::Cluster",
 	"AWS::DAX::ParameterGroup",
 	"AWS::DAX::SubnetGroup",
-	"AWS::Deadline::Limit",
-	"AWS::Deadline::QueueFleetAssociation",
 	"AWS::DirectoryService::MicrosoftAD",
 	"AWS::DLM::LifecyclePolicy",
 	"AWS::DMS::Certificate",
@@ -7331,7 +7328,6 @@ var CloudControlProvider = class {
 		if (new Set([
 			"AWS::IAM::Role",
 			"AWS::IAM::Policy",
-			"AWS::IAM::ManagedPolicy",
 			"AWS::IAM::User",
 			"AWS::IAM::Group",
 			"AWS::IAM::InstanceProfile",
@@ -7960,6 +7956,1956 @@ var CustomResourceProvider = class CustomResourceProvider {
 	}
 };
 
+//#endregion
+//#region src/provisioning/property-coverage.generated.ts
+const PROPERTY_COVERAGE_BY_TYPE = new Map([
+	["AWS::ApiGateway::Account", {
+		handled: new Set(["CloudWatchRoleArn"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::ApiGateway::Authorizer", {
+		handled: new Set([
+			"AuthorizerCredentials",
+			"AuthorizerResultTtlInSeconds",
+			"AuthorizerUri",
+			"IdentitySource",
+			"IdentityValidationExpression",
+			"Name",
+			"ProviderARNs",
+			"RestApiId",
+			"Type"
+		]),
+		silentDrop: new Map([["AuthType", "not yet implemented by cdkd"]])
+	}],
+	["AWS::ApiGateway::Deployment", {
+		handled: new Set(["Description", "RestApiId"]),
+		silentDrop: new Map([
+			["DeploymentCanarySettings", "not yet implemented by cdkd"],
+			["StageDescription", "not yet implemented by cdkd"],
+			["StageName", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::ApiGateway::Method", {
+		handled: new Set([
+			"ApiKeyRequired",
+			"AuthorizationScopes",
+			"AuthorizationType",
+			"AuthorizerId",
+			"HttpMethod",
+			"Integration",
+			"MethodResponses",
+			"OperationName",
+			"RequestModels",
+			"RequestParameters",
+			"RequestValidatorId",
+			"ResourceId",
+			"RestApiId"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::ApiGateway::Resource", {
+		handled: new Set([
+			"ParentId",
+			"PathPart",
+			"RestApiId"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::ApiGateway::Stage", {
+		handled: new Set([
+			"DeploymentId",
+			"Description",
+			"RestApiId",
+			"StageName",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["AccessLogSetting", "not yet implemented by cdkd"],
+			["CacheClusterEnabled", "not yet implemented by cdkd"],
+			["CacheClusterSize", "not yet implemented by cdkd"],
+			["CanarySetting", "not yet implemented by cdkd"],
+			["ClientCertificateId", "not yet implemented by cdkd"],
+			["DocumentationVersion", "not yet implemented by cdkd"],
+			["MethodSettings", "not yet implemented by cdkd"],
+			["TracingEnabled", "not yet implemented by cdkd"],
+			["Variables", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::ApiGatewayV2::Api", {
+		handled: new Set([
+			"CorsConfiguration",
+			"Description",
+			"Name",
+			"ProtocolType",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["ApiKeySelectionExpression", "not yet implemented by cdkd"],
+			["BasePath", "OpenAPI-import-only basePath override; meaningful only on the ImportApi code path."],
+			["Body", "OpenAPI/Swagger inline spec; routed through ImportApi, not the field-by-field CreateApi path."],
+			["BodyS3Location", "OpenAPI/Swagger spec on S3; routed through ImportApi, not the field-by-field CreateApi path."],
+			["CredentialsArn", "not yet implemented by cdkd"],
+			["DisableExecuteApiEndpoint", "not yet implemented by cdkd"],
+			["DisableSchemaValidation", "Schema-validation toggle on CreateApi/UpdateApi that AWS docs scope to WebSocket APIs using AWS::ApiGatewayV2::Model — that resource type is not yet registered in cdkd, so the toggle has no effect to wire."],
+			["FailOnWarnings", "OpenAPI-import-only flag; meaningful only on the ImportApi code path."],
+			["IpAddressType", "not yet implemented by cdkd"],
+			["RouteKey", "not yet implemented by cdkd"],
+			["RouteSelectionExpression", "not yet implemented by cdkd"],
+			["Target", "not yet implemented by cdkd"],
+			["Version", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::ApiGatewayV2::Authorizer", {
+		handled: new Set([
+			"ApiId",
+			"AuthorizerPayloadFormatVersion",
+			"AuthorizerType",
+			"AuthorizerUri",
+			"IdentitySource",
+			"JwtConfiguration",
+			"Name"
+		]),
+		silentDrop: new Map([
+			["AuthorizerCredentialsArn", "not yet implemented by cdkd"],
+			["AuthorizerResultTtlInSeconds", "not yet implemented by cdkd"],
+			["EnableSimpleResponses", "not yet implemented by cdkd"],
+			["IdentityValidationExpression", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::ApiGatewayV2::Integration", {
+		handled: new Set([
+			"ApiId",
+			"IntegrationMethod",
+			"IntegrationType",
+			"IntegrationUri",
+			"PayloadFormatVersion"
+		]),
+		silentDrop: new Map([
+			["ConnectionId", "not yet implemented by cdkd"],
+			["ConnectionType", "not yet implemented by cdkd"],
+			["ContentHandlingStrategy", "not yet implemented by cdkd"],
+			["CredentialsArn", "not yet implemented by cdkd"],
+			["Description", "not yet implemented by cdkd"],
+			["IntegrationSubtype", "not yet implemented by cdkd"],
+			["PassthroughBehavior", "not yet implemented by cdkd"],
+			["RequestParameters", "not yet implemented by cdkd"],
+			["RequestTemplates", "not yet implemented by cdkd"],
+			["ResponseParameters", "not yet implemented by cdkd"],
+			["TemplateSelectionExpression", "not yet implemented by cdkd"],
+			["TimeoutInMillis", "not yet implemented by cdkd"],
+			["TlsConfig", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::ApiGatewayV2::Route", {
+		handled: new Set([
+			"ApiId",
+			"AuthorizationType",
+			"AuthorizerId",
+			"RouteKey",
+			"Target"
+		]),
+		silentDrop: new Map([
+			["ApiKeyRequired", "not yet implemented by cdkd"],
+			["AuthorizationScopes", "not yet implemented by cdkd"],
+			["ModelSelectionExpression", "not yet implemented by cdkd"],
+			["OperationName", "not yet implemented by cdkd"],
+			["RequestModels", "not yet implemented by cdkd"],
+			["RequestParameters", "not yet implemented by cdkd"],
+			["RouteResponseSelectionExpression", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::ApiGatewayV2::Stage", {
+		handled: new Set([
+			"ApiId",
+			"AutoDeploy",
+			"Description",
+			"StageName",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["AccessLogSettings", "not yet implemented by cdkd"],
+			["ClientCertificateId", "not yet implemented by cdkd"],
+			["DefaultRouteSettings", "not yet implemented by cdkd"],
+			["DeploymentId", "not yet implemented by cdkd"],
+			["RouteSettings", "not yet implemented by cdkd"],
+			["StageVariables", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::AppSync::ApiKey", {
+		handled: new Set([
+			"ApiId",
+			"Description",
+			"Expires"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::AppSync::DataSource", {
+		handled: new Set([
+			"ApiId",
+			"Description",
+			"DynamoDBConfig",
+			"HttpConfig",
+			"LambdaConfig",
+			"Name",
+			"ServiceRoleArn",
+			"Type"
+		]),
+		silentDrop: new Map([
+			["ElasticsearchConfig", "not yet implemented by cdkd"],
+			["EventBridgeConfig", "not yet implemented by cdkd"],
+			["MetricsConfig", "not yet implemented by cdkd"],
+			["OpenSearchServiceConfig", "not yet implemented by cdkd"],
+			["RelationalDatabaseConfig", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::AppSync::GraphQLApi", {
+		handled: new Set([
+			"AuthenticationType",
+			"LogConfig",
+			"Name",
+			"Tags",
+			"XrayEnabled"
+		]),
+		silentDrop: new Map([
+			["AdditionalAuthenticationProviders", "not yet implemented by cdkd"],
+			["ApiType", "not yet implemented by cdkd"],
+			["EnhancedMetricsConfig", "not yet implemented by cdkd"],
+			["EnvironmentVariables", "not yet implemented by cdkd"],
+			["IntrospectionConfig", "not yet implemented by cdkd"],
+			["LambdaAuthorizerConfig", "not yet implemented by cdkd"],
+			["MergedApiExecutionRoleArn", "not yet implemented by cdkd"],
+			["OpenIDConnectConfig", "not yet implemented by cdkd"],
+			["OwnerContact", "not yet implemented by cdkd"],
+			["QueryDepthLimit", "not yet implemented by cdkd"],
+			["ResolverCountLimit", "not yet implemented by cdkd"],
+			["UserPoolConfig", "not yet implemented by cdkd"],
+			["Visibility", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::AppSync::GraphQLSchema", {
+		handled: new Set([
+			"ApiId",
+			"Definition",
+			"DefinitionS3Location"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::AppSync::Resolver", {
+		handled: new Set([
+			"ApiId",
+			"Code",
+			"DataSourceName",
+			"FieldName",
+			"Kind",
+			"PipelineConfig",
+			"RequestMappingTemplate",
+			"ResponseMappingTemplate",
+			"Runtime",
+			"TypeName"
+		]),
+		silentDrop: new Map([
+			["CachingConfig", "not yet implemented by cdkd"],
+			["CodeS3Location", "not yet implemented by cdkd"],
+			["MaxBatchSize", "not yet implemented by cdkd"],
+			["MetricsConfig", "not yet implemented by cdkd"],
+			["RequestMappingTemplateS3Location", "not yet implemented by cdkd"],
+			["ResponseMappingTemplateS3Location", "not yet implemented by cdkd"],
+			["SyncConfig", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::AutoScaling::AutoScalingGroup", {
+		handled: new Set([
+			"AutoScalingGroupName",
+			"AvailabilityZoneDistribution",
+			"AvailabilityZoneImpairmentPolicy",
+			"AvailabilityZones",
+			"CapacityRebalance",
+			"CapacityReservationSpecification",
+			"Context",
+			"Cooldown",
+			"DefaultCooldown",
+			"DefaultInstanceWarmup",
+			"DeletionProtection",
+			"DesiredCapacity",
+			"DesiredCapacityType",
+			"HealthCheckGracePeriod",
+			"HealthCheckType",
+			"InstanceMaintenancePolicy",
+			"LaunchTemplate",
+			"LifecycleHookSpecificationList",
+			"LoadBalancerNames",
+			"MaxInstanceLifetime",
+			"MaxSize",
+			"MetricsCollection",
+			"MinSize",
+			"MixedInstancesPolicy",
+			"NewInstancesProtectedFromScaleIn",
+			"NotificationConfigurations",
+			"ServiceLinkedRoleARN",
+			"SkipZonalShiftValidation",
+			"Tags",
+			"TargetGroupARNs",
+			"TerminationPolicies",
+			"TrafficSources",
+			"VPCZoneIdentifier"
+		]),
+		silentDrop: new Map([
+			["AvailabilityZoneIds", "not yet implemented by cdkd"],
+			["InstanceId", "not yet implemented by cdkd"],
+			["InstanceLifecyclePolicy", "not yet implemented by cdkd"],
+			["LaunchConfigurationName", "not yet implemented by cdkd"],
+			["NotificationConfiguration", "not yet implemented by cdkd"],
+			["PlacementGroup", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::BedrockAgentCore::Runtime", {
+		handled: new Set([
+			"AgentRuntimeArtifact",
+			"AgentRuntimeName",
+			"AuthorizerConfiguration",
+			"ClientToken",
+			"Description",
+			"EnvironmentVariables",
+			"LifecycleConfiguration",
+			"NetworkConfiguration",
+			"ProtocolConfiguration",
+			"RoleArn"
+		]),
+		silentDrop: new Map([
+			["FilesystemConfigurations", "not yet implemented by cdkd"],
+			["RequestHeaderConfiguration", "not yet implemented by cdkd"],
+			["Tags", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::CloudFormation::Stack", {
+		handled: new Set(["Parameters", "TemplateURL"]),
+		silentDrop: new Map([
+			["Capabilities", "CFn-only IAM capability declaration — cdkd does not go through CloudFormation so capabilities have no equivalent"],
+			["Description", "CFn-only informational — no semantic effect on the recursive deploy"],
+			["DisableRollback", "CFn-only — cdkd controls rollback via the top-level deploy-engine --no-rollback flag, not per nested stack"],
+			["EnableTerminationProtection", "CFn-only per-nested-stack flag — cdkd records stack-level terminationProtection at CDK synth time (parent only) and `cdkd destroy` consults that for refusal"],
+			["NotificationARNs", "CFn-only SNS-on-stack-event surface — cdkd has no equivalent (issue #459 design §9)"],
+			["RoleARN", "CFn-only role-assumption — cdkd uses the caller credentials directly, no per-resource role assumption"],
+			["StackName", "cdkd derives the child stack name as `<parent>~<logicalId>` per design §3 (state-key uniqueness); a user-provided StackName has no effect"],
+			["StackPolicyBody", "CFn-only stack-update policy — cdkd has no equivalent (per-resource diff replaces stack-level policy)"],
+			["StackPolicyURL", "CFn-only stack-update policy URL — cdkd has no equivalent"],
+			["StackStatusReason", "CFn-only read-only output — never a real input property"],
+			["Tags", "CFn-only — cdkd does not tag the synthesized \"stack\" (the parent's synthesized ARN is a cdkd-local placeholder, not a real AWS resource)"],
+			["TemplateBody", "CFn-only inline template — cdkd reads the child template from the synth output via Metadata['aws:asset:path'] instead of accepting it inline"],
+			["TimeoutInMinutes", "CFn-only stack-create deadline — cdkd uses per-resource --resource-timeout instead (issue #459 design §9)"]
+		])
+	}],
+	["AWS::CloudFront::CloudFrontOriginAccessIdentity", {
+		handled: new Set(["CloudFrontOriginAccessIdentityConfig"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::CloudFront::Distribution", {
+		handled: new Set(["DistributionConfig"]),
+		silentDrop: new Map([["Tags", "not yet implemented by cdkd"]])
+	}],
+	["AWS::CloudTrail::Trail", {
+		handled: new Set([
+			"CloudWatchLogsLogGroupArn",
+			"CloudWatchLogsRoleArn",
+			"EnableLogFileValidation",
+			"EventSelectors",
+			"IncludeGlobalServiceEvents",
+			"InsightSelectors",
+			"IsLogging",
+			"IsMultiRegionTrail",
+			"IsOrganizationTrail",
+			"KMSKeyId",
+			"S3BucketName",
+			"S3KeyPrefix",
+			"SnsTopicName",
+			"Tags",
+			"TrailName"
+		]),
+		silentDrop: new Map([["AdvancedEventSelectors", "not yet implemented by cdkd"], ["AggregationConfigurations", "not yet implemented by cdkd"]])
+	}],
+	["AWS::CloudWatch::Alarm", {
+		handled: new Set([
+			"ActionsEnabled",
+			"AlarmActions",
+			"AlarmDescription",
+			"AlarmName",
+			"ComparisonOperator",
+			"DatapointsToAlarm",
+			"Dimensions",
+			"EvaluationPeriods",
+			"InsufficientDataActions",
+			"MetricName",
+			"Metrics",
+			"Namespace",
+			"OKActions",
+			"Period",
+			"Statistic",
+			"Threshold",
+			"TreatMissingData",
+			"Unit"
+		]),
+		silentDrop: new Map([
+			["EvaluateLowSampleCountPercentile", "not yet implemented by cdkd"],
+			["EvaluationCriteria", "not yet implemented by cdkd"],
+			["EvaluationInterval", "not yet implemented by cdkd"],
+			["ExtendedStatistic", "not yet implemented by cdkd"],
+			["Tags", "not yet implemented by cdkd"],
+			["ThresholdMetricId", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::CodeBuild::Project", {
+		handled: new Set([
+			"Artifacts",
+			"BadgeEnabled",
+			"BuildBatchConfig",
+			"Cache",
+			"ConcurrentBuildLimit",
+			"Description",
+			"EncryptionKey",
+			"Environment",
+			"FileSystemLocations",
+			"LogsConfig",
+			"Name",
+			"QueuedTimeoutInMinutes",
+			"SecondaryArtifacts",
+			"SecondarySources",
+			"SecondarySourceVersions",
+			"ServiceRole",
+			"Source",
+			"SourceVersion",
+			"Tags",
+			"TimeoutInMinutes",
+			"VpcConfig"
+		]),
+		silentDrop: new Map([
+			["AutoRetryLimit", "not yet implemented by cdkd"],
+			["ResourceAccessRole", "not yet implemented by cdkd"],
+			["Triggers", "not yet implemented by cdkd"],
+			["Visibility", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::Cognito::UserPool", {
+		handled: new Set([
+			"AccountRecoverySetting",
+			"AdminCreateUserConfig",
+			"AliasAttributes",
+			"AutoVerifiedAttributes",
+			"DeletionProtection",
+			"DeviceConfiguration",
+			"EmailConfiguration",
+			"EmailVerificationMessage",
+			"EmailVerificationSubject",
+			"LambdaConfig",
+			"MfaConfiguration",
+			"Policies",
+			"Schema",
+			"SmsAuthenticationMessage",
+			"SmsConfiguration",
+			"SmsVerificationMessage",
+			"UserAttributeUpdateSettings",
+			"UsernameAttributes",
+			"UsernameConfiguration",
+			"UserPoolAddOns",
+			"UserPoolName",
+			"UserPoolTags",
+			"VerificationMessageTemplate"
+		]),
+		silentDrop: new Map([
+			["EmailAuthenticationMessage", "not yet implemented by cdkd"],
+			["EmailAuthenticationSubject", "not yet implemented by cdkd"],
+			["EnabledMfas", "not yet implemented by cdkd"],
+			["UserPoolTier", "not yet implemented by cdkd"],
+			["WebAuthnFactorConfiguration", "not yet implemented by cdkd"],
+			["WebAuthnRelyingPartyID", "not yet implemented by cdkd"],
+			["WebAuthnUserVerification", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::DocDB::DBCluster", {
+		handled: new Set([
+			"BackupRetentionPeriod",
+			"DBClusterIdentifier",
+			"DBClusterParameterGroupName",
+			"DBSubnetGroupName",
+			"DeletionProtection",
+			"EngineVersion",
+			"KmsKeyId",
+			"MasterUsername",
+			"MasterUserPassword",
+			"Port",
+			"PreferredBackupWindow",
+			"PreferredMaintenanceWindow",
+			"StorageEncrypted",
+			"Tags",
+			"VpcSecurityGroupIds"
+		]),
+		silentDrop: new Map([
+			["AvailabilityZones", "not yet implemented by cdkd"],
+			["CopyTagsToSnapshot", "not yet implemented by cdkd"],
+			["EnableCloudwatchLogsExports", "not yet implemented by cdkd"],
+			["GlobalClusterIdentifier", "not yet implemented by cdkd"],
+			["ManageMasterUserPassword", "not yet implemented by cdkd"],
+			["MasterUserSecretKmsKeyId", "not yet implemented by cdkd"],
+			["NetworkType", "not yet implemented by cdkd"],
+			["RestoreToTime", "not yet implemented by cdkd"],
+			["RestoreType", "not yet implemented by cdkd"],
+			["RotateMasterUserPassword", "not yet implemented by cdkd"],
+			["ServerlessV2ScalingConfiguration", "not yet implemented by cdkd"],
+			["SnapshotIdentifier", "not yet implemented by cdkd"],
+			["SourceDBClusterIdentifier", "not yet implemented by cdkd"],
+			["StorageType", "not yet implemented by cdkd"],
+			["UseLatestRestorableTime", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::DocDB::DBInstance", {
+		handled: new Set([
+			"AutoMinorVersionUpgrade",
+			"AvailabilityZone",
+			"DBClusterIdentifier",
+			"DBInstanceClass",
+			"DBInstanceIdentifier",
+			"PreferredMaintenanceWindow",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["CACertificateIdentifier", "not yet implemented by cdkd"],
+			["CertificateRotationRestart", "not yet implemented by cdkd"],
+			["EnablePerformanceInsights", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::DocDB::DBSubnetGroup", {
+		handled: new Set([
+			"DBSubnetGroupDescription",
+			"DBSubnetGroupName",
+			"SubnetIds",
+			"Tags"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::DynamoDB::GlobalTable", {
+		handled: new Set([
+			"AttributeDefinitions",
+			"BillingMode",
+			"DeletionProtectionEnabled",
+			"GlobalSecondaryIndexes",
+			"KeySchema",
+			"LocalSecondaryIndexes",
+			"Replicas",
+			"SSESpecification",
+			"StreamSpecification",
+			"TableClass",
+			"TableName",
+			"TimeToLiveSpecification",
+			"WriteOnDemandThroughputSettings",
+			"WriteProvisionedThroughputSettings"
+		]),
+		silentDrop: new Map([
+			["GlobalTableSourceArn", "not yet implemented by cdkd"],
+			["GlobalTableWitnesses", "not yet implemented by cdkd"],
+			["MultiRegionConsistency", "not yet implemented by cdkd"],
+			["ReadOnDemandThroughputSettings", "not yet implemented by cdkd"],
+			["ReadProvisionedThroughputSettings", "not yet implemented by cdkd"],
+			["WarmThroughput", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::DynamoDB::Table", {
+		handled: new Set([
+			"AttributeDefinitions",
+			"BillingMode",
+			"DeletionProtectionEnabled",
+			"GlobalSecondaryIndexes",
+			"KeySchema",
+			"LocalSecondaryIndexes",
+			"ProvisionedThroughput",
+			"SSESpecification",
+			"StreamSpecification",
+			"TableClass",
+			"TableName",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["ContributorInsightsSpecification", "not yet implemented by cdkd"],
+			["ImportSourceSpecification", "not yet implemented by cdkd"],
+			["KinesisStreamSpecification", "not yet implemented by cdkd"],
+			["OnDemandThroughput", "not yet implemented by cdkd"],
+			["PointInTimeRecoverySpecification", "not yet implemented by cdkd"],
+			["ResourcePolicy", "not yet implemented by cdkd"],
+			["TimeToLiveSpecification", "not yet implemented by cdkd"],
+			["WarmThroughput", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::EC2::Instance", {
+		handled: new Set([
+			"BlockDeviceMappings",
+			"IamInstanceProfile",
+			"ImageId",
+			"InstanceType",
+			"KeyName",
+			"SecurityGroupIds",
+			"SecurityGroups",
+			"SubnetId",
+			"Tags",
+			"UserData"
+		]),
+		silentDrop: new Map([
+			["AdditionalInfo", "not yet implemented by cdkd"],
+			["Affinity", "not yet implemented by cdkd"],
+			["AvailabilityZone", "not yet implemented by cdkd"],
+			["CpuOptions", "not yet implemented by cdkd"],
+			["CreditSpecification", "not yet implemented by cdkd"],
+			["DisableApiTermination", "not yet implemented by cdkd"],
+			["EbsOptimized", "not yet implemented by cdkd"],
+			["ElasticGpuSpecifications", "not yet implemented by cdkd"],
+			["ElasticInferenceAccelerators", "not yet implemented by cdkd"],
+			["EnclaveOptions", "not yet implemented by cdkd"],
+			["HibernationOptions", "not yet implemented by cdkd"],
+			["HostId", "not yet implemented by cdkd"],
+			["HostResourceGroupArn", "not yet implemented by cdkd"],
+			["InstanceInitiatedShutdownBehavior", "not yet implemented by cdkd"],
+			["Ipv6AddressCount", "not yet implemented by cdkd"],
+			["Ipv6Addresses", "not yet implemented by cdkd"],
+			["KernelId", "not yet implemented by cdkd"],
+			["LaunchTemplate", "not yet implemented by cdkd"],
+			["LicenseSpecifications", "not yet implemented by cdkd"],
+			["MetadataOptions", "not yet implemented by cdkd"],
+			["Monitoring", "not yet implemented by cdkd"],
+			["NetworkInterfaces", "not yet implemented by cdkd"],
+			["PlacementGroupName", "not yet implemented by cdkd"],
+			["PrivateDnsNameOptions", "not yet implemented by cdkd"],
+			["PrivateIpAddress", "not yet implemented by cdkd"],
+			["PropagateTagsToVolumeOnCreation", "not yet implemented by cdkd"],
+			["RamdiskId", "not yet implemented by cdkd"],
+			["SourceDestCheck", "not yet implemented by cdkd"],
+			["SsmAssociations", "not yet implemented by cdkd"],
+			["Tenancy", "not yet implemented by cdkd"],
+			["Volumes", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::EC2::InternetGateway", {
+		handled: new Set(["Tags"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::EC2::NatGateway", {
+		handled: new Set([
+			"AllocationId",
+			"ConnectivityType",
+			"MaxDrainDurationSeconds",
+			"PrivateIpAddress",
+			"SecondaryAllocationIds",
+			"SecondaryPrivateIpAddressCount",
+			"SecondaryPrivateIpAddresses",
+			"SubnetId",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["AvailabilityMode", "not yet implemented by cdkd"],
+			["AvailabilityZoneAddresses", "not yet implemented by cdkd"],
+			["VpcId", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::EC2::NetworkAcl", {
+		handled: new Set(["Tags", "VpcId"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::EC2::NetworkAclEntry", {
+		handled: new Set([
+			"CidrBlock",
+			"Egress",
+			"IcmpTypeCode",
+			"Ipv6CidrBlock",
+			"NetworkAclId",
+			"PortRange",
+			"Protocol",
+			"RuleAction",
+			"RuleNumber"
+		]),
+		silentDrop: new Map([["Icmp", "not yet implemented by cdkd"]])
+	}],
+	["AWS::EC2::Route", {
+		handled: new Set([
+			"DestinationCidrBlock",
+			"DestinationIpv6CidrBlock",
+			"EgressOnlyInternetGatewayId",
+			"GatewayId",
+			"InstanceId",
+			"NatGatewayId",
+			"NetworkInterfaceId",
+			"RouteTableId",
+			"VpcPeeringConnectionId"
+		]),
+		silentDrop: new Map([
+			["CarrierGatewayId", "not yet implemented by cdkd"],
+			["CoreNetworkArn", "not yet implemented by cdkd"],
+			["DestinationPrefixListId", "not yet implemented by cdkd"],
+			["LocalGatewayId", "not yet implemented by cdkd"],
+			["TransitGatewayId", "not yet implemented by cdkd"],
+			["VpcEndpointId", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::EC2::RouteTable", {
+		handled: new Set(["Tags", "VpcId"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::EC2::SecurityGroup", {
+		handled: new Set([
+			"GroupDescription",
+			"GroupName",
+			"SecurityGroupEgress",
+			"SecurityGroupIngress",
+			"Tags",
+			"VpcId"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::EC2::SecurityGroupIngress", {
+		handled: new Set([
+			"CidrIp",
+			"Description",
+			"FromPort",
+			"GroupId",
+			"IpProtocol",
+			"SourceSecurityGroupId",
+			"SourceSecurityGroupOwnerId",
+			"ToPort"
+		]),
+		silentDrop: new Map([
+			["CidrIpv6", "not yet implemented by cdkd"],
+			["GroupName", "not yet implemented by cdkd"],
+			["SourcePrefixListId", "not yet implemented by cdkd"],
+			["SourceSecurityGroupName", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::EC2::Subnet", {
+		handled: new Set([
+			"AvailabilityZone",
+			"CidrBlock",
+			"MapPublicIpOnLaunch",
+			"Tags",
+			"VpcId"
+		]),
+		silentDrop: new Map([
+			["AssignIpv6AddressOnCreation", "not yet implemented by cdkd"],
+			["AvailabilityZoneId", "not yet implemented by cdkd"],
+			["EnableDns64", "not yet implemented by cdkd"],
+			["EnableLniAtDeviceIndex", "not yet implemented by cdkd"],
+			["Ipv4IpamPoolId", "not yet implemented by cdkd"],
+			["Ipv4NetmaskLength", "not yet implemented by cdkd"],
+			["Ipv6CidrBlock", "not yet implemented by cdkd"],
+			["Ipv6IpamPoolId", "not yet implemented by cdkd"],
+			["Ipv6Native", "not yet implemented by cdkd"],
+			["Ipv6NetmaskLength", "not yet implemented by cdkd"],
+			["OutpostArn", "not yet implemented by cdkd"],
+			["PrivateDnsNameOptionsOnLaunch", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::EC2::SubnetNetworkAclAssociation", {
+		handled: new Set(["NetworkAclId", "SubnetId"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::EC2::SubnetRouteTableAssociation", {
+		handled: new Set(["RouteTableId", "SubnetId"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::EC2::VPC", {
+		handled: new Set([
+			"CidrBlock",
+			"EnableDnsHostnames",
+			"EnableDnsSupport",
+			"InstanceTenancy",
+			"Tags"
+		]),
+		silentDrop: new Map([["Ipv4IpamPoolId", "not yet implemented by cdkd"], ["Ipv4NetmaskLength", "not yet implemented by cdkd"]])
+	}],
+	["AWS::EC2::VPCGatewayAttachment", {
+		handled: new Set(["InternetGatewayId", "VpcId"]),
+		silentDrop: new Map([["VpnGatewayId", "not yet implemented by cdkd"]])
+	}],
+	["AWS::ECR::Repository", {
+		handled: new Set([
+			"EmptyOnDelete",
+			"EncryptionConfiguration",
+			"ImageScanningConfiguration",
+			"ImageTagMutability",
+			"ImageTagMutabilityExclusionFilters",
+			"LifecyclePolicy",
+			"RepositoryName",
+			"RepositoryPolicyText",
+			"Tags"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::ECS::Cluster", {
+		handled: new Set([
+			"CapacityProviders",
+			"ClusterName",
+			"ClusterSettings",
+			"Configuration",
+			"DefaultCapacityProviderStrategy",
+			"Tags"
+		]),
+		silentDrop: new Map([["ServiceConnectDefaults", "not yet implemented by cdkd"]])
+	}],
+	["AWS::ECS::Service", {
+		handled: new Set([
+			"CapacityProviderStrategy",
+			"Cluster",
+			"DeploymentConfiguration",
+			"DesiredCount",
+			"EnableECSManagedTags",
+			"EnableExecuteCommand",
+			"HealthCheckGracePeriodSeconds",
+			"LaunchType",
+			"LoadBalancers",
+			"NetworkConfiguration",
+			"PlacementConstraints",
+			"PlacementStrategy",
+			"PlatformVersion",
+			"PropagateTags",
+			"SchedulingStrategy",
+			"ServiceName",
+			"ServiceRegistries",
+			"Tags",
+			"TaskDefinition"
+		]),
+		silentDrop: new Map([
+			["AvailabilityZoneRebalancing", "not yet implemented by cdkd"],
+			["DeploymentController", "not yet implemented by cdkd"],
+			["ForceNewDeployment", "not yet implemented by cdkd"],
+			["PlacementStrategies", "not yet implemented by cdkd"],
+			["Role", "not yet implemented by cdkd"],
+			["ServiceConnectConfiguration", "not yet implemented by cdkd"],
+			["VolumeConfigurations", "not yet implemented by cdkd"],
+			["VpcLatticeConfigurations", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::ECS::TaskDefinition", {
+		handled: new Set([
+			"ContainerDefinitions",
+			"Cpu",
+			"EphemeralStorage",
+			"ExecutionRoleArn",
+			"Family",
+			"IpcMode",
+			"Memory",
+			"NetworkMode",
+			"PidMode",
+			"PlacementConstraints",
+			"ProxyConfiguration",
+			"RequiresCompatibilities",
+			"RuntimePlatform",
+			"Tags",
+			"TaskRoleArn",
+			"Volumes"
+		]),
+		silentDrop: new Map([["EnableFaultInjection", "not yet implemented by cdkd"], ["InferenceAccelerators", "not yet implemented by cdkd"]])
+	}],
+	["AWS::EFS::AccessPoint", {
+		handled: new Set([
+			"AccessPointTags",
+			"FileSystemId",
+			"PosixUser",
+			"RootDirectory"
+		]),
+		silentDrop: new Map([["ClientToken", "not yet implemented by cdkd"]])
+	}],
+	["AWS::EFS::FileSystem", {
+		handled: new Set([
+			"Encrypted",
+			"FileSystemTags",
+			"KmsKeyId",
+			"PerformanceMode",
+			"ProvisionedThroughputInMibps",
+			"ThroughputMode"
+		]),
+		silentDrop: new Map([
+			["AvailabilityZoneName", "not yet implemented by cdkd"],
+			["BackupPolicy", "not yet implemented by cdkd"],
+			["BypassPolicyLockoutSafetyCheck", "not yet implemented by cdkd"],
+			["FileSystemPolicy", "not yet implemented by cdkd"],
+			["FileSystemProtection", "not yet implemented by cdkd"],
+			["LifecyclePolicies", "not yet implemented by cdkd"],
+			["ReplicationConfiguration", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::EFS::MountTarget", {
+		handled: new Set([
+			"FileSystemId",
+			"SecurityGroups",
+			"SubnetId"
+		]),
+		silentDrop: new Map([
+			["IpAddress", "not yet implemented by cdkd"],
+			["IpAddressType", "not yet implemented by cdkd"],
+			["Ipv6Address", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::ElastiCache::CacheCluster", {
+		handled: new Set([
+			"AutoMinorVersionUpgrade",
+			"AZMode",
+			"CacheNodeType",
+			"CacheParameterGroupName",
+			"CacheSubnetGroupName",
+			"ClusterName",
+			"Engine",
+			"EngineVersion",
+			"IpDiscovery",
+			"LogDeliveryConfigurations",
+			"NetworkType",
+			"NotificationTopicArn",
+			"NumCacheNodes",
+			"Port",
+			"PreferredAvailabilityZone",
+			"PreferredAvailabilityZones",
+			"PreferredMaintenanceWindow",
+			"SnapshotName",
+			"SnapshotRetentionLimit",
+			"SnapshotWindow",
+			"Tags",
+			"TransitEncryptionEnabled",
+			"VpcSecurityGroupIds"
+		]),
+		silentDrop: new Map([["CacheSecurityGroupNames", "not yet implemented by cdkd"], ["SnapshotArns", "not yet implemented by cdkd"]])
+	}],
+	["AWS::ElastiCache::SubnetGroup", {
+		handled: new Set([
+			"CacheSubnetGroupDescription",
+			"CacheSubnetGroupName",
+			"SubnetIds",
+			"Tags"
+		]),
+		silentDrop: new Map([["Description", "not yet implemented by cdkd"]])
+	}],
+	["AWS::ElasticLoadBalancingV2::Listener", {
+		handled: new Set([
+			"AlpnPolicy",
+			"Certificates",
+			"DefaultActions",
+			"LoadBalancerArn",
+			"MutualAuthentication",
+			"Port",
+			"Protocol",
+			"SslPolicy"
+		]),
+		silentDrop: new Map([["ListenerAttributes", "not yet implemented by cdkd"]])
+	}],
+	["AWS::ElasticLoadBalancingV2::LoadBalancer", {
+		handled: new Set([
+			"IpAddressType",
+			"LoadBalancerAttributes",
+			"Name",
+			"Scheme",
+			"SecurityGroups",
+			"SubnetMappings",
+			"Subnets",
+			"Tags",
+			"Type"
+		]),
+		silentDrop: new Map([
+			["EnableCapacityReservationProvisionStabilize", "not yet implemented by cdkd"],
+			["EnablePrefixForIpv6SourceNat", "not yet implemented by cdkd"],
+			["EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", "not yet implemented by cdkd"],
+			["Ipv4IpamPoolId", "not yet implemented by cdkd"],
+			["MinimumLoadBalancerCapacity", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::ElasticLoadBalancingV2::TargetGroup", {
+		handled: new Set([
+			"HealthCheckEnabled",
+			"HealthCheckIntervalSeconds",
+			"HealthCheckPath",
+			"HealthCheckPort",
+			"HealthCheckProtocol",
+			"HealthCheckTimeoutSeconds",
+			"HealthyThresholdCount",
+			"Matcher",
+			"Name",
+			"Port",
+			"Protocol",
+			"ProtocolVersion",
+			"Tags",
+			"TargetType",
+			"UnhealthyThresholdCount",
+			"VpcId"
+		]),
+		silentDrop: new Map([
+			["IpAddressType", "not yet implemented by cdkd"],
+			["TargetControlPort", "not yet implemented by cdkd"],
+			["TargetGroupAttributes", "not yet implemented by cdkd"],
+			["Targets", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::Events::EventBus", {
+		handled: new Set([
+			"DeadLetterConfig",
+			"Description",
+			"EventSourceName",
+			"KmsKeyIdentifier",
+			"Name",
+			"Policy",
+			"Tags"
+		]),
+		silentDrop: new Map([["LogConfig", "not yet implemented by cdkd"]])
+	}],
+	["AWS::Events::Rule", {
+		handled: new Set([
+			"Description",
+			"EventBusName",
+			"EventPattern",
+			"Name",
+			"RoleArn",
+			"ScheduleExpression",
+			"State",
+			"Tags",
+			"Targets"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Glue::Connection", {
+		handled: new Set(["CatalogId", "ConnectionInput"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Glue::Crawler", {
+		handled: new Set([
+			"Classifiers",
+			"Configuration",
+			"CrawlerSecurityConfiguration",
+			"DatabaseName",
+			"Description",
+			"LakeFormationConfiguration",
+			"LineageConfiguration",
+			"Name",
+			"RecrawlPolicy",
+			"Role",
+			"Schedule",
+			"SchemaChangePolicy",
+			"TablePrefix",
+			"Tags",
+			"Targets"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Glue::Database", {
+		handled: new Set(["CatalogId", "DatabaseInput"]),
+		silentDrop: new Map([["DatabaseName", "not yet implemented by cdkd"]])
+	}],
+	["AWS::Glue::Job", {
+		handled: new Set([
+			"AllocatedCapacity",
+			"Command",
+			"Connections",
+			"DefaultArguments",
+			"Description",
+			"ExecutionClass",
+			"ExecutionProperty",
+			"GlueVersion",
+			"JobMode",
+			"JobRunQueuingEnabled",
+			"LogUri",
+			"MaintenanceWindow",
+			"MaxCapacity",
+			"MaxRetries",
+			"Name",
+			"NonOverridableArguments",
+			"NotificationProperty",
+			"NumberOfWorkers",
+			"Role",
+			"SecurityConfiguration",
+			"SourceControlDetails",
+			"Tags",
+			"Timeout",
+			"WorkerType"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Glue::SecurityConfiguration", {
+		handled: new Set(["EncryptionConfiguration", "Name"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Glue::Table", {
+		handled: new Set([
+			"CatalogId",
+			"DatabaseName",
+			"TableInput"
+		]),
+		silentDrop: new Map([["Name", "not yet implemented by cdkd"], ["OpenTableFormatInput", "not yet implemented by cdkd"]])
+	}],
+	["AWS::Glue::Trigger", {
+		handled: new Set([
+			"Actions",
+			"Description",
+			"EventBatchingCondition",
+			"Name",
+			"Predicate",
+			"Schedule",
+			"StartOnCreation",
+			"Tags",
+			"Type",
+			"WorkflowName"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Glue::Workflow", {
+		handled: new Set([
+			"DefaultRunProperties",
+			"Description",
+			"MaxConcurrentRuns",
+			"Name",
+			"Tags"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::IAM::Group", {
+		handled: new Set([
+			"GroupName",
+			"ManagedPolicyArns",
+			"Path",
+			"Policies"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::IAM::InstanceProfile", {
+		handled: new Set([
+			"InstanceProfileName",
+			"Path",
+			"Roles"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::IAM::ManagedPolicy", {
+		handled: new Set([
+			"Description",
+			"Groups",
+			"ManagedPolicyName",
+			"Path",
+			"PolicyDocument",
+			"Roles",
+			"Tags",
+			"Users"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::IAM::Policy", {
+		handled: new Set([
+			"Groups",
+			"PolicyDocument",
+			"PolicyName",
+			"Roles",
+			"Users"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::IAM::Role", {
+		handled: new Set([
+			"AssumeRolePolicyDocument",
+			"Description",
+			"ManagedPolicyArns",
+			"MaxSessionDuration",
+			"Path",
+			"PermissionsBoundary",
+			"Policies",
+			"RoleName",
+			"Tags"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::IAM::User", {
+		handled: new Set([
+			"Groups",
+			"LoginProfile",
+			"ManagedPolicyArns",
+			"Path",
+			"PermissionsBoundary",
+			"Policies",
+			"Tags",
+			"UserName"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::IAM::UserToGroupAddition", {
+		handled: new Set(["GroupName", "Users"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Kinesis::Stream", {
+		handled: new Set([
+			"Name",
+			"RetentionPeriodHours",
+			"ShardCount",
+			"StreamEncryption",
+			"StreamModeDetails",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["DesiredShardLevelMetrics", "not yet implemented by cdkd"],
+			["MaxRecordSizeInKiB", "not yet implemented by cdkd"],
+			["WarmThroughputMiBps", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::Kinesis::StreamConsumer", {
+		handled: new Set([
+			"ConsumerName",
+			"StreamARN",
+			"Tags"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::KinesisFirehose::DeliveryStream", {
+		handled: new Set([
+			"AmazonOpenSearchServerlessDestinationConfiguration",
+			"AmazonopensearchserviceDestinationConfiguration",
+			"DeliveryStreamEncryptionConfigurationInput",
+			"DeliveryStreamName",
+			"DeliveryStreamType",
+			"ElasticsearchDestinationConfiguration",
+			"ExtendedS3DestinationConfiguration",
+			"HttpEndpointDestinationConfiguration",
+			"KinesisStreamSourceConfiguration",
+			"RedshiftDestinationConfiguration",
+			"S3DestinationConfiguration",
+			"SplunkDestinationConfiguration",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["DatabaseSourceConfiguration", "not yet implemented by cdkd"],
+			["DirectPutSourceConfiguration", "not yet implemented by cdkd"],
+			["IcebergDestinationConfiguration", "not yet implemented by cdkd"],
+			["MSKSourceConfiguration", "not yet implemented by cdkd"],
+			["SnowflakeDestinationConfiguration", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::KMS::Alias", {
+		handled: new Set(["AliasName", "TargetKeyId"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::KMS::Key", {
+		handled: new Set([
+			"BypassPolicyLockoutSafetyCheck",
+			"Description",
+			"Enabled",
+			"EnableKeyRotation",
+			"KeyPolicy",
+			"KeySpec",
+			"KeyUsage",
+			"MultiRegion",
+			"Origin",
+			"PendingWindowInDays",
+			"RotationPeriodInDays",
+			"Tags"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Lambda::EventSourceMapping", {
+		handled: new Set([
+			"AmazonManagedKafkaEventSourceConfig",
+			"BatchSize",
+			"BisectBatchOnFunctionError",
+			"DestinationConfig",
+			"DocumentDBEventSourceConfig",
+			"Enabled",
+			"EventSourceArn",
+			"FilterCriteria",
+			"FunctionName",
+			"FunctionResponseTypes",
+			"MaximumBatchingWindowInSeconds",
+			"MaximumRecordAgeInSeconds",
+			"MaximumRetryAttempts",
+			"ParallelizationFactor",
+			"ScalingConfig",
+			"SelfManagedEventSource",
+			"SelfManagedKafkaEventSourceConfig",
+			"SourceAccessConfigurations",
+			"StartingPosition",
+			"Tags",
+			"TumblingWindowInSeconds"
+		]),
+		silentDrop: new Map([
+			["KmsKeyArn", "not yet implemented by cdkd"],
+			["LoggingConfig", "not yet implemented by cdkd"],
+			["MetricsConfig", "not yet implemented by cdkd"],
+			["ProvisionedPollerConfig", "not yet implemented by cdkd"],
+			["Queues", "not yet implemented by cdkd"],
+			["StartingPositionTimestamp", "not yet implemented by cdkd"],
+			["Topics", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::Lambda::Function", {
+		handled: new Set([
+			"Architectures",
+			"Code",
+			"Description",
+			"Environment",
+			"EphemeralStorage",
+			"FunctionName",
+			"Handler",
+			"Layers",
+			"MemorySize",
+			"PackageType",
+			"Role",
+			"Runtime",
+			"Tags",
+			"Timeout",
+			"TracingConfig",
+			"VpcConfig"
+		]),
+		silentDrop: new Map([
+			["CapacityProviderConfig", "not yet implemented by cdkd"],
+			["CodeSigningConfigArn", "not yet implemented by cdkd"],
+			["DeadLetterConfig", "not yet implemented by cdkd"],
+			["DurableConfig", "not yet implemented by cdkd"],
+			["FileSystemConfigs", "not yet implemented by cdkd"],
+			["FunctionScalingConfig", "not yet implemented by cdkd"],
+			["ImageConfig", "not yet implemented by cdkd"],
+			["KmsKeyArn", "not yet implemented by cdkd"],
+			["LoggingConfig", "not yet implemented by cdkd"],
+			["PublishToLatestPublished", "not yet implemented by cdkd"],
+			["RecursiveLoop", "not yet implemented by cdkd"],
+			["ReservedConcurrentExecutions", "not yet implemented by cdkd"],
+			["RuntimeManagementConfig", "not yet implemented by cdkd"],
+			["SnapStart", "not yet implemented by cdkd"],
+			["TenancyConfig", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::Lambda::LayerVersion", {
+		handled: new Set([
+			"CompatibleArchitectures",
+			"CompatibleRuntimes",
+			"Content",
+			"Description",
+			"LayerName",
+			"LicenseInfo"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Lambda::Permission", {
+		handled: new Set([
+			"Action",
+			"EventSourceToken",
+			"FunctionName",
+			"FunctionUrlAuthType",
+			"Principal",
+			"PrincipalOrgID",
+			"SourceAccount",
+			"SourceArn"
+		]),
+		silentDrop: new Map([["InvokedViaFunctionUrl", "not yet implemented by cdkd"]])
+	}],
+	["AWS::Lambda::Url", {
+		handled: new Set([
+			"AuthType",
+			"Cors",
+			"InvokeMode",
+			"Qualifier",
+			"TargetFunctionArn"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Logs::LogGroup", {
+		handled: new Set([
+			"BearerTokenAuthenticationEnabled",
+			"DataProtectionPolicy",
+			"DeletionProtectionEnabled",
+			"FieldIndexPolicies",
+			"KmsKeyId",
+			"LogGroupClass",
+			"LogGroupName",
+			"ResourcePolicyDocument",
+			"RetentionInDays",
+			"Tags"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Neptune::DBCluster", {
+		handled: new Set([
+			"BackupRetentionPeriod",
+			"DBClusterIdentifier",
+			"DBClusterParameterGroupName",
+			"DBSubnetGroupName",
+			"DeletionProtection",
+			"EngineVersion",
+			"IamAuthEnabled",
+			"KmsKeyId",
+			"Port",
+			"PreferredBackupWindow",
+			"PreferredMaintenanceWindow",
+			"StorageEncrypted",
+			"Tags",
+			"VpcSecurityGroupIds"
+		]),
+		silentDrop: new Map([
+			["AssociatedRoles", "not yet implemented by cdkd"],
+			["AvailabilityZones", "not yet implemented by cdkd"],
+			["CopyTagsToSnapshot", "not yet implemented by cdkd"],
+			["DBInstanceParameterGroupName", "not yet implemented by cdkd"],
+			["DBPort", "not yet implemented by cdkd"],
+			["EnableCloudwatchLogsExports", "not yet implemented by cdkd"],
+			["RestoreToTime", "not yet implemented by cdkd"],
+			["RestoreType", "not yet implemented by cdkd"],
+			["ServerlessScalingConfiguration", "not yet implemented by cdkd"],
+			["SnapshotIdentifier", "not yet implemented by cdkd"],
+			["SourceDBClusterIdentifier", "not yet implemented by cdkd"],
+			["UseLatestRestorableTime", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::Neptune::DBInstance", {
+		handled: new Set([
+			"AutoMinorVersionUpgrade",
+			"AvailabilityZone",
+			"DBClusterIdentifier",
+			"DBInstanceClass",
+			"DBInstanceIdentifier",
+			"DBParameterGroupName",
+			"DBSubnetGroupName",
+			"DeletionProtection",
+			"PreferredMaintenanceWindow",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["AllowMajorVersionUpgrade", "not yet implemented by cdkd"],
+			["DBSnapshotIdentifier", "not yet implemented by cdkd"],
+			["PubliclyAccessible", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::Neptune::DBSubnetGroup", {
+		handled: new Set([
+			"DBSubnetGroupDescription",
+			"DBSubnetGroupName",
+			"SubnetIds",
+			"Tags"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::RDS::DBCluster", {
+		handled: new Set([
+			"BackupRetentionPeriod",
+			"DatabaseName",
+			"DBClusterIdentifier",
+			"DBSubnetGroupName",
+			"DeletionProtection",
+			"Engine",
+			"EngineVersion",
+			"KmsKeyId",
+			"MasterUsername",
+			"MasterUserPassword",
+			"Port",
+			"ServerlessV2ScalingConfiguration",
+			"StorageEncrypted",
+			"Tags",
+			"VpcSecurityGroupIds"
+		]),
+		silentDrop: new Map([
+			["AllocatedStorage", "not yet implemented by cdkd"],
+			["AssociatedRoles", "not yet implemented by cdkd"],
+			["AutoMinorVersionUpgrade", "not yet implemented by cdkd"],
+			["AvailabilityZones", "not yet implemented by cdkd"],
+			["BacktrackWindow", "not yet implemented by cdkd"],
+			["ClusterScalabilityType", "not yet implemented by cdkd"],
+			["CopyTagsToSnapshot", "not yet implemented by cdkd"],
+			["DatabaseInsightsMode", "not yet implemented by cdkd"],
+			["DBClusterInstanceClass", "not yet implemented by cdkd"],
+			["DBClusterParameterGroupName", "not yet implemented by cdkd"],
+			["DBInstanceParameterGroupName", "not yet implemented by cdkd"],
+			["DBSystemId", "not yet implemented by cdkd"],
+			["DeleteAutomatedBackups", "not yet implemented by cdkd"],
+			["Domain", "not yet implemented by cdkd"],
+			["DomainIAMRoleName", "not yet implemented by cdkd"],
+			["EnableCloudwatchLogsExports", "not yet implemented by cdkd"],
+			["EnableGlobalWriteForwarding", "not yet implemented by cdkd"],
+			["EnableHttpEndpoint", "not yet implemented by cdkd"],
+			["EnableIAMDatabaseAuthentication", "not yet implemented by cdkd"],
+			["EnableLocalWriteForwarding", "not yet implemented by cdkd"],
+			["EngineLifecycleSupport", "not yet implemented by cdkd"],
+			["EngineMode", "not yet implemented by cdkd"],
+			["GlobalClusterIdentifier", "not yet implemented by cdkd"],
+			["Iops", "not yet implemented by cdkd"],
+			["ManageMasterUserPassword", "not yet implemented by cdkd"],
+			["MasterUserAuthenticationType", "not yet implemented by cdkd"],
+			["MasterUserSecret", "not yet implemented by cdkd"],
+			["MonitoringInterval", "not yet implemented by cdkd"],
+			["MonitoringRoleArn", "not yet implemented by cdkd"],
+			["NetworkType", "not yet implemented by cdkd"],
+			["PerformanceInsightsEnabled", "not yet implemented by cdkd"],
+			["PerformanceInsightsKmsKeyId", "not yet implemented by cdkd"],
+			["PerformanceInsightsRetentionPeriod", "not yet implemented by cdkd"],
+			["PreferredBackupWindow", "not yet implemented by cdkd"],
+			["PreferredMaintenanceWindow", "not yet implemented by cdkd"],
+			["PubliclyAccessible", "not yet implemented by cdkd"],
+			["ReplicationSourceIdentifier", "not yet implemented by cdkd"],
+			["RestoreToTime", "not yet implemented by cdkd"],
+			["RestoreType", "not yet implemented by cdkd"],
+			["ScalingConfiguration", "not yet implemented by cdkd"],
+			["SnapshotIdentifier", "not yet implemented by cdkd"],
+			["SourceDBClusterIdentifier", "not yet implemented by cdkd"],
+			["SourceDbClusterResourceId", "not yet implemented by cdkd"],
+			["SourceRegion", "not yet implemented by cdkd"],
+			["StorageType", "not yet implemented by cdkd"],
+			["UseLatestRestorableTime", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::RDS::DBInstance", {
+		handled: new Set([
+			"DBClusterIdentifier",
+			"DBInstanceClass",
+			"DBInstanceIdentifier",
+			"DBSubnetGroupName",
+			"Engine",
+			"PubliclyAccessible",
+			"Tags"
+		]),
+		silentDrop: new Map([
+			["AdditionalStorageVolumes", "not yet implemented by cdkd"],
+			["AllocatedStorage", "not yet implemented by cdkd"],
+			["AllowMajorVersionUpgrade", "not yet implemented by cdkd"],
+			["ApplyImmediately", "not yet implemented by cdkd"],
+			["AssociatedRoles", "not yet implemented by cdkd"],
+			["AutomaticBackupReplicationKmsKeyId", "not yet implemented by cdkd"],
+			["AutomaticBackupReplicationRegion", "not yet implemented by cdkd"],
+			["AutomaticBackupReplicationRetentionPeriod", "not yet implemented by cdkd"],
+			["AutoMinorVersionUpgrade", "not yet implemented by cdkd"],
+			["AvailabilityZone", "not yet implemented by cdkd"],
+			["BackupRetentionPeriod", "not yet implemented by cdkd"],
+			["BackupTarget", "not yet implemented by cdkd"],
+			["CACertificateIdentifier", "not yet implemented by cdkd"],
+			["CertificateRotationRestart", "not yet implemented by cdkd"],
+			["CharacterSetName", "not yet implemented by cdkd"],
+			["CopyTagsToSnapshot", "not yet implemented by cdkd"],
+			["CustomIAMInstanceProfile", "not yet implemented by cdkd"],
+			["DatabaseInsightsMode", "not yet implemented by cdkd"],
+			["DBClusterSnapshotIdentifier", "not yet implemented by cdkd"],
+			["DBName", "not yet implemented by cdkd"],
+			["DBParameterGroupName", "not yet implemented by cdkd"],
+			["DBSecurityGroups", "not yet implemented by cdkd"],
+			["DBSnapshotIdentifier", "not yet implemented by cdkd"],
+			["DBSystemId", "not yet implemented by cdkd"],
+			["DedicatedLogVolume", "not yet implemented by cdkd"],
+			["DeleteAutomatedBackups", "not yet implemented by cdkd"],
+			["DeletionProtection", "not yet implemented by cdkd"],
+			["Domain", "not yet implemented by cdkd"],
+			["DomainAuthSecretArn", "not yet implemented by cdkd"],
+			["DomainDnsIps", "not yet implemented by cdkd"],
+			["DomainFqdn", "not yet implemented by cdkd"],
+			["DomainIAMRoleName", "not yet implemented by cdkd"],
+			["DomainOu", "not yet implemented by cdkd"],
+			["EnableCloudwatchLogsExports", "not yet implemented by cdkd"],
+			["EnableIAMDatabaseAuthentication", "not yet implemented by cdkd"],
+			["EnablePerformanceInsights", "not yet implemented by cdkd"],
+			["EngineLifecycleSupport", "not yet implemented by cdkd"],
+			["EngineVersion", "not yet implemented by cdkd"],
+			["Iops", "not yet implemented by cdkd"],
+			["KmsKeyId", "not yet implemented by cdkd"],
+			["LicenseModel", "not yet implemented by cdkd"],
+			["ManageMasterUserPassword", "not yet implemented by cdkd"],
+			["MasterUserAuthenticationType", "not yet implemented by cdkd"],
+			["MasterUsername", "not yet implemented by cdkd"],
+			["MasterUserPassword", "not yet implemented by cdkd"],
+			["MasterUserSecret", "not yet implemented by cdkd"],
+			["MaxAllocatedStorage", "not yet implemented by cdkd"],
+			["MonitoringInterval", "not yet implemented by cdkd"],
+			["MonitoringRoleArn", "not yet implemented by cdkd"],
+			["MultiAZ", "not yet implemented by cdkd"],
+			["NcharCharacterSetName", "not yet implemented by cdkd"],
+			["NetworkType", "not yet implemented by cdkd"],
+			["OptionGroupName", "not yet implemented by cdkd"],
+			["PerformanceInsightsKMSKeyId", "not yet implemented by cdkd"],
+			["PerformanceInsightsRetentionPeriod", "not yet implemented by cdkd"],
+			["Port", "not yet implemented by cdkd"],
+			["PreferredBackupWindow", "not yet implemented by cdkd"],
+			["PreferredMaintenanceWindow", "not yet implemented by cdkd"],
+			["ProcessorFeatures", "not yet implemented by cdkd"],
+			["PromotionTier", "not yet implemented by cdkd"],
+			["ReplicaMode", "not yet implemented by cdkd"],
+			["RestoreTime", "not yet implemented by cdkd"],
+			["SourceDBClusterIdentifier", "not yet implemented by cdkd"],
+			["SourceDBInstanceAutomatedBackupsArn", "not yet implemented by cdkd"],
+			["SourceDBInstanceIdentifier", "not yet implemented by cdkd"],
+			["SourceDbiResourceId", "not yet implemented by cdkd"],
+			["SourceRegion", "not yet implemented by cdkd"],
+			["StorageEncrypted", "not yet implemented by cdkd"],
+			["StorageThroughput", "not yet implemented by cdkd"],
+			["StorageType", "not yet implemented by cdkd"],
+			["TdeCredentialArn", "not yet implemented by cdkd"],
+			["TdeCredentialPassword", "not yet implemented by cdkd"],
+			["Timezone", "not yet implemented by cdkd"],
+			["UseDefaultProcessorFeatures", "not yet implemented by cdkd"],
+			["UseLatestRestorableTime", "not yet implemented by cdkd"],
+			["VPCSecurityGroups", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::RDS::DBProxy", {
+		handled: new Set([
+			"Auth",
+			"DBProxyName",
+			"DebugLogging",
+			"EngineFamily",
+			"IdleClientTimeout",
+			"RequireTLS",
+			"RoleArn",
+			"Tags",
+			"VpcSecurityGroupIds",
+			"VpcSubnetIds"
+		]),
+		silentDrop: new Map([
+			["DefaultAuthScheme", "not yet implemented by cdkd"],
+			["EndpointNetworkType", "not yet implemented by cdkd"],
+			["TargetConnectionNetworkType", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::RDS::DBProxyEndpoint", {
+		handled: new Set([
+			"DBProxyEndpointName",
+			"DBProxyName",
+			"Tags",
+			"TargetRole",
+			"VpcSecurityGroupIds",
+			"VpcSubnetIds"
+		]),
+		silentDrop: new Map([["EndpointNetworkType", "not yet implemented by cdkd"]])
+	}],
+	["AWS::RDS::DBProxyTargetGroup", {
+		handled: new Set([
+			"ConnectionPoolConfigurationInfo",
+			"DBClusterIdentifiers",
+			"DBInstanceIdentifiers",
+			"DBProxyName",
+			"TargetGroupName"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::RDS::DBSubnetGroup", {
+		handled: new Set([
+			"DBSubnetGroupDescription",
+			"DBSubnetGroupName",
+			"SubnetIds",
+			"Tags"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::Route53::HostedZone", {
+		handled: new Set([
+			"HostedZoneConfig",
+			"HostedZoneTags",
+			"Name",
+			"QueryLoggingConfig",
+			"VPCs"
+		]),
+		silentDrop: new Map([["HostedZoneFeatures", "not yet implemented by cdkd"]])
+	}],
+	["AWS::Route53::RecordSet", {
+		handled: new Set([
+			"AliasTarget",
+			"Comment",
+			"Failover",
+			"GeoLocation",
+			"HealthCheckId",
+			"HostedZoneId",
+			"HostedZoneName",
+			"MultiValueAnswer",
+			"Name",
+			"Region",
+			"ResourceRecords",
+			"SetIdentifier",
+			"TTL",
+			"Type",
+			"Weight"
+		]),
+		silentDrop: new Map([["CidrRoutingConfig", "not yet implemented by cdkd"], ["GeoProximityLocation", "not yet implemented by cdkd"]])
+	}],
+	["AWS::S3::Bucket", {
+		handled: new Set([
+			"AccelerateConfiguration",
+			"AnalyticsConfigurations",
+			"BucketEncryption",
+			"BucketName",
+			"CorsConfiguration",
+			"IntelligentTieringConfigurations",
+			"InventoryConfigurations",
+			"LifecycleConfiguration",
+			"LoggingConfiguration",
+			"MetricsConfigurations",
+			"NotificationConfiguration",
+			"ObjectLockConfiguration",
+			"ObjectLockEnabled",
+			"OwnershipControls",
+			"PublicAccessBlockConfiguration",
+			"ReplicationConfiguration",
+			"Tags",
+			"VersioningConfiguration",
+			"WebsiteConfiguration"
+		]),
+		silentDrop: new Map([
+			["AbacStatus", "not yet implemented by cdkd"],
+			["AccessControl", "not yet implemented by cdkd"],
+			["BucketNamePrefix", "not yet implemented by cdkd"],
+			["BucketNamespace", "not yet implemented by cdkd"],
+			["MetadataConfiguration", "not yet implemented by cdkd"],
+			["MetadataTableConfiguration", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::S3::BucketPolicy", {
+		handled: new Set(["Bucket", "PolicyDocument"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::S3Express::DirectoryBucket", {
+		handled: new Set([
+			"BucketName",
+			"DataRedundancy",
+			"LocationName"
+		]),
+		silentDrop: new Map([
+			["BucketEncryption", "not yet implemented by cdkd"],
+			["InventoryConfigurations", "not yet implemented by cdkd"],
+			["LifecycleConfiguration", "not yet implemented by cdkd"],
+			["MetricsConfigurations", "not yet implemented by cdkd"],
+			["Tags", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::S3Tables::Namespace", {
+		handled: new Set(["Namespace", "TableBucketARN"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::S3Tables::Table", {
+		handled: new Set([
+			"Format",
+			"Name",
+			"Namespace",
+			"TableBucketARN"
+		]),
+		silentDrop: new Map([
+			["Compaction", "not yet implemented by cdkd"],
+			["IcebergMetadata", "not yet implemented by cdkd"],
+			["OpenTableFormat", "not yet implemented by cdkd"],
+			["SnapshotManagement", "not yet implemented by cdkd"],
+			["StorageClassConfiguration", "not yet implemented by cdkd"],
+			["TableName", "not yet implemented by cdkd"],
+			["Tags", "not yet implemented by cdkd"],
+			["WithoutMetadata", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::S3Tables::TableBucket", {
+		handled: new Set(["TableBucketName"]),
+		silentDrop: new Map([
+			["EncryptionConfiguration", "not yet implemented by cdkd"],
+			["MetricsConfiguration", "not yet implemented by cdkd"],
+			["ReplicationConfiguration", "not yet implemented by cdkd"],
+			["StorageClassConfiguration", "not yet implemented by cdkd"],
+			["Tags", "not yet implemented by cdkd"],
+			["UnreferencedFileRemoval", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::S3Vectors::VectorBucket", {
+		handled: new Set(["EncryptionConfiguration", "VectorBucketName"]),
+		silentDrop: new Map([["Tags", "not yet implemented by cdkd"]])
+	}],
+	["AWS::SecretsManager::Secret", {
+		handled: new Set([
+			"Description",
+			"GenerateSecretString",
+			"KmsKeyId",
+			"Name",
+			"ReplicaRegions",
+			"SecretString",
+			"Tags"
+		]),
+		silentDrop: new Map([["Type", "not yet implemented by cdkd"]])
+	}],
+	["AWS::ServiceDiscovery::PrivateDnsNamespace", {
+		handled: new Set([
+			"Description",
+			"Name",
+			"Properties",
+			"Tags",
+			"Vpc"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::ServiceDiscovery::Service", {
+		handled: new Set([
+			"Description",
+			"DnsConfig",
+			"HealthCheckConfig",
+			"HealthCheckCustomConfig",
+			"Name",
+			"NamespaceId",
+			"Tags",
+			"Type"
+		]),
+		silentDrop: new Map([["ServiceAttributes", "not yet implemented by cdkd"]])
+	}],
+	["AWS::SNS::Subscription", {
+		handled: new Set([
+			"Endpoint",
+			"FilterPolicy",
+			"Protocol",
+			"TopicArn"
+		]),
+		silentDrop: new Map([
+			["DeliveryPolicy", "not yet implemented by cdkd"],
+			["FilterPolicyScope", "not yet implemented by cdkd"],
+			["RawMessageDelivery", "not yet implemented by cdkd"],
+			["RedrivePolicy", "not yet implemented by cdkd"],
+			["Region", "not yet implemented by cdkd"],
+			["ReplayPolicy", "not yet implemented by cdkd"],
+			["SubscriptionRoleArn", "not yet implemented by cdkd"]
+		])
+	}],
+	["AWS::SNS::Topic", {
+		handled: new Set([
+			"ArchivePolicy",
+			"ContentBasedDeduplication",
+			"DataProtectionPolicy",
+			"DeliveryStatusLogging",
+			"DisplayName",
+			"FifoThroughputScope",
+			"FifoTopic",
+			"KmsMasterKeyId",
+			"SignatureVersion",
+			"Subscription",
+			"Tags",
+			"TopicName",
+			"TracingConfig"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::SNS::TopicPolicy", {
+		handled: new Set(["PolicyDocument", "Topics"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::SQS::Queue", {
+		handled: new Set([
+			"ContentBasedDeduplication",
+			"DeduplicationScope",
+			"DelaySeconds",
+			"FifoQueue",
+			"FifoThroughputLimit",
+			"KmsDataKeyReusePeriodSeconds",
+			"KmsMasterKeyId",
+			"MaximumMessageSize",
+			"MessageRetentionPeriod",
+			"QueueName",
+			"ReceiveMessageWaitTimeSeconds",
+			"RedrivePolicy",
+			"SqsManagedSseEnabled",
+			"Tags",
+			"VisibilityTimeout"
+		]),
+		silentDrop: new Map([["RedriveAllowPolicy", "not yet implemented by cdkd"]])
+	}],
+	["AWS::SQS::QueuePolicy", {
+		handled: new Set(["PolicyDocument", "Queues"]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::SSM::Parameter", {
+		handled: new Set([
+			"AllowedPattern",
+			"DataType",
+			"Description",
+			"Name",
+			"Policies",
+			"Tags",
+			"Tier",
+			"Type",
+			"Value"
+		]),
+		silentDrop: /* @__PURE__ */ new Map()
+	}],
+	["AWS::StepFunctions::StateMachine", {
+		handled: new Set([
+			"Definition",
+			"DefinitionString",
+			"DefinitionSubstitutions",
+			"EncryptionConfiguration",
+			"LoggingConfiguration",
+			"RoleArn",
+			"StateMachineName",
+			"StateMachineType",
+			"Tags",
+			"TracingConfiguration"
+		]),
+		silentDrop: new Map([["DefinitionS3Location", "not yet implemented by cdkd"]])
+	}],
+	["AWS::WAFv2::WebACL", {
+		handled: new Set([
+			"AssociationConfig",
+			"CaptchaConfig",
+			"ChallengeConfig",
+			"CustomResponseBodies",
+			"DefaultAction",
+			"Description",
+			"Name",
+			"Rules",
+			"Scope",
+			"Tags",
+			"TokenDomains",
+			"VisibilityConfig"
+		]),
+		silentDrop: new Map([
+			["ApplicationConfig", "not yet implemented by cdkd"],
+			["DataProtectionConfig", "not yet implemented by cdkd"],
+			["OnSourceDDoSProtectionConfig", "not yet implemented by cdkd"]
+		])
+	}]
+]);
+
+//#endregion
+//#region src/provisioning/property-coverage.ts
+/**
+* Helpers for cdkd's deploy-time property-coverage pre-flight check.
+*
+* The data ({@link PROPERTY_COVERAGE_BY_TYPE}) is generated by
+* `scripts/gen-property-coverage.ts` (run via `vp run gen:property-coverage`)
+* from the CFn schema fixtures (`tests/fixtures/cfn-schemas/*.json`) and
+* each SDK provider's `handledProperties` / `unhandledByDesign` declarations.
+* This module adds the runtime predicates + the actionable issue link used
+* by the pre-flight check (see {@link ./provider-registry.ProviderRegistry.validateResourceProperties}).
+*
+* The pre-flight rejects deploys whose templates use top-level CFn properties
+* for which cdkd's SDK provider does not write to AWS (= silent drop). The
+* user can opt in to the silent drop on a per-property basis via
+* `--allow-unsupported-properties <Type:Prop>,...`. v0 stance: silent drop
+* is a bug; explicit opt-in is required to proceed.
+*/
+/**
+* Look up a Tier 1 type's property-coverage record. Returns `undefined` for
+* Tier 2 (CC API) types (deliberately not in the map — CC forwards the full
+* property map to AWS, so there is no write-side silent drop at cdkd) and
+* for unknown / Custom types.
+*/
+function getPropertyCoverage(resourceType) {
+	return PROPERTY_COVERAGE_BY_TYPE.get(resourceType);
+}
+/**
+* Identify top-level template properties cdkd would silently drop on write
+* for a single resource. Returns an array of `{ property, rationale }` for
+* each unhandled top-level key in `templateProperties`, sorted alphabetically.
+*
+* Properties NOT in the CFn schema (likely a user typo or
+* `addPropertyOverride` escape hatch) are silently allowed: matching CFn's
+* own tolerance, and we cannot judge intent.
+*/
+function findSilentDropProperties(resourceType, templateProperties) {
+	if (!templateProperties) return [];
+	const coverage = getPropertyCoverage(resourceType);
+	if (!coverage) return [];
+	const drops = [];
+	for (const prop of Object.keys(templateProperties)) {
+		if (coverage.handled.has(prop)) continue;
+		const rationale = coverage.silentDrop.get(prop);
+		if (rationale === void 0) continue;
+		drops.push({
+			property: prop,
+			rationale
+		});
+	}
+	return drops.sort((a, b) => a.property.localeCompare(b.property));
+}
+/**
+* A 1-click pre-filled GitHub issue link requesting cdkd support for a
+* specific top-level property on a resource type. Surfaced in the pre-flight
+* error so a user hitting a silent drop lands directly in the "request
+* support" flow.
+*/
+function unsupportedPropertyIssueUrl(resourceType, property) {
+	return `https://github.com/go-to-k/cdkd/issues/new?title=${encodeURIComponent(`Support property ${resourceType}.${property}`)}&labels=resource-support`;
+}
+
 //#endregion
 //#region src/provisioning/provider-registry.ts
 /**
@@ -7977,6 +9923,7 @@ var ProviderRegistry = class {
 	customResourceProvider;
 	skipResourceTypes = /* @__PURE__ */ new Set();
 	allowedUnsupportedTypes = /* @__PURE__ */ new Set();
+	allowedUnsupportedProperties = /* @__PURE__ */ new Set();
 	constructor() {
 		this.cloudControlProvider = new CloudControlProvider();
 		this.customResourceProvider = new CustomResourceProvider();
@@ -7995,6 +9942,20 @@ var ProviderRegistry = class {
 		}
 	}
 	/**
+	* Escape hatch for the `--allow-unsupported-properties` CLI flag. Each entry
+	* is a `<ResourceType>:<PropertyName>` token (e.g.
+	* `AWS::Lambda::Function:LoggingConfig`). Named entries bypass the
+	* property-level silent-drop pre-flight reject for that exact type+property
+	* pair. Per-type-property (not blanket) so the user explicitly acknowledges
+	* each silent drop they accept.
+	*/
+	allowUnsupportedProperties(entries) {
+		for (const entry of entries) {
+			this.allowedUnsupportedProperties.add(entry);
+			this.logger.debug(`Allowing unsupported property via escape hatch: ${entry}`);
+		}
+	}
+	/**
 	* Configure the response bucket for custom resources
 	* This allows Lambda handlers using cfn-response to send responses via S3
 	*/
@@ -8116,7 +10077,79 @@ var ProviderRegistry = class {
 		}
 		this.logger.debug(`Validated ${resourceTypes.size} resource types: all have available providers`);
 	}
+	/**
+	* Pre-flight reject: walk every resource in the template and identify
+	* top-level CFn properties cdkd's SDK provider would silently drop on
+	* write. Throws with a per-resource per-property breakdown + the exact
+	* `--allow-unsupported-properties` re-run command. No-op for Tier 2 (Cloud
+	* Control) types — CC forwards the full property map to AWS, so cdkd has
+	* no write-side silent drop for those.
+	*
+	* Must be called AFTER {@link validateResourceTypes} — type-level errors
+	* are reported first. For a type allowed via `--allow-unsupported-types`,
+	* the type-level check passes and this property check is a no-op
+	* (`findSilentDropProperties` returns `[]` for non-Tier-1 / unknown types).
+	*/
+	validateResourceProperties(resources) {
+		const errors = [];
+		for (const { logicalId, resourceType, properties } of resources) {
+			const drops = findSilentDropProperties(resourceType, properties);
+			for (const { property, rationale } of drops) {
+				const allowKey = `${resourceType}:${property}`;
+				if (this.allowedUnsupportedProperties.has(allowKey)) continue;
+				errors.push({
+					logicalId,
+					resourceType,
+					property,
+					rationale
+				});
+			}
+		}
+		if (errors.length === 0) return;
+		throw new Error(renderPropertyCoverageError(errors));
+	}
 };
+/**
+* Render the actionable pre-flight error for property-level silent drops.
+* Groups by logical ID, sorts properties within each resource, and emits
+* a comma-joined `--allow-unsupported-properties` re-run command with
+* deduplicated `Type:Prop` entries (the same type appearing in two
+* resources only needs one entry — the flag is per-type-prop, not
+* per-resource).
+*/
+function renderPropertyCoverageError(errors) {
+	const byLogicalId = /* @__PURE__ */ new Map();
+	for (const e of errors) {
+		let entry = byLogicalId.get(e.logicalId);
+		if (!entry) {
+			entry = {
+				resourceType: e.resourceType,
+				props: []
+			};
+			byLogicalId.set(e.logicalId, entry);
+		}
+		entry.props.push({
+			property: e.property,
+			rationale: e.rationale
+		});
+	}
+	const sections = [];
+	const sortedLogicalIds = [...byLogicalId.keys()].sort((a, b) => a.localeCompare(b));
+	for (const logicalId of sortedLogicalIds) {
+		const { resourceType, props } = byLogicalId.get(logicalId);
+		const propLines = [...props].sort((a, b) => a.property.localeCompare(b.property)).map(({ property, rationale }) => {
+			return `    - ${property}\n        ${rationale}\n        Request support: ${unsupportedPropertyIssueUrl(resourceType, property)}`;
+		}).join("\n");
+		sections.push(`  ${logicalId} (${resourceType}):\n${propLines}`);
+	}
+	const dedupRerun = Array.from(new Set(errors.map((e) => `${e.resourceType}:${e.property}`))).join(",");
+	return `cdkd would silently drop these properties at deploy time:\n\n` + sections.join("\n\n") + `
+
+These properties exist in your CDK code but cdkd will not write them to AWS. The deployed resource will be missing these fields.
+
+To proceed anyway (accepts the silent drop), re-run with:
+  --allow-unsupported-properties ${dedupRerun}`;
+}
 
 //#endregion
 //#region src/provisioning/import-helpers.ts
@@ -9479,6 +11512,13 @@ var DeployEngine = class {
 			const resourceTypes = new Set(Object.values(template.Resources || {}).map((r) => r.Type).filter((type) => type !== "AWS::CDK::Metadata"));
 			this.providerRegistry.validateResourceTypes(resourceTypes);
 			this.logger.debug(`All resource types validated`);
+			const resourcesForPropertyCheck = Object.entries(template.Resources || {}).filter(([, r]) => r.Type !== "AWS::CDK::Metadata").map(([logicalId, r]) => ({
+				logicalId,
+				resourceType: r.Type,
+				properties: r.Properties
+			}));
+			this.providerRegistry.validateResourceProperties(resourcesForPropertyCheck);
+			this.logger.debug(`All resource properties validated`);
 			const dag = this.dagBuilder.buildGraph(template);
 			const executionLevels = this.dagBuilder.getExecutionLevels(dag);
 			this.logger.debug(`Dependency graph: ${executionLevels.length} execution levels`);
@@ -10316,4 +12356,4 @@ var DeployEngine = class {
 
 //#endregion
 export { CdkdError as $, shouldRetainResource as A, resolveSkipPrefix as B, IntrinsicFunctionResolver as C, TemplateParser as D, DagBuilder as E, Synthesizer as F, CFN_TEMPLATE_URL_LIMIT as G, resolveStateBucketWithDefaultAndSource as H, getDefaultStateBucketName as I, uploadCfnTemplate as J, MIGRATE_TMP_PREFIX as K, getLegacyStateBucketName as L, stringifyValue as M, WorkGraph as N, LockManager as O, buildDockerImage as P, AssetError as Q, resolveApp as R, assertRegionMatch as S, DiffCalculator as T, warnDeprecatedNoPrefixCliFlag as U, resolveStateBucketWithDefault as V, CFN_TEMPLATE_BODY_LIMIT as W, clearBucketRegionCache as X, AssemblyReader as Y, resolveBucketRegion as Z, matchesCdkPath as _, formatError as _t, withRetry as a, LockError as at, ProviderRegistry as b, withErrorHandling as bt, bold as c, PartialFailureError as ct, green as d, ResourceUpdateNotSupportedError as dt, ConfigError as et, red as f, RouteDiscoveryError as ft, CDK_PATH_TAG as g, SynthesisError as gt, collectInlinePolicyNamesManagedBySiblings as h, StateError as ht, withResourceDeadline as i, LocalStartServiceError as it, AssetPublisher as j, S3StateBackend as k, cyan as l, ProvisioningError as lt, IAMRoleProvider as m, StackTerminationProtectionError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, LocalInvokeBuildError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, MissingCdkCliError as ot, yellow as p, StackHasActiveImportsError as pt, findLargeInlineResources as q, DeployEngine as r, LocalMigrateError as rt, formatResourceLine as s, NestedStackChildDirectDestroyError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, DependencyError as tt, gray as u, ResourceTimeoutError as ut, normalizeAwsTagsToCfn as v, isCdkdError as vt, applyRoleArnIfSet as w, CloudControlProvider as x, resolveExplicitPhysicalId as y, normalizeAwsError as yt, resolveCaptureObservedState as z };
-//# sourceMappingURL=deploy-engine-Yb3E5e9J.js.map
+//# sourceMappingURL=deploy-engine-YQwoPaCE.js.map