npm - @go-to-k/cdkd - Versions diffs - 0.155.0 → 0.157.0 - Mend

@go-to-k/cdkd 0.155.0 → 0.157.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/{aws-clients-BF03Alpe.js → aws-clients-B15NAPbL.js} +24 -1
package/dist/aws-clients-B15NAPbL.js.map +1 -0
package/dist/cli.js +401 -26
package/dist/cli.js.map +1 -1
package/dist/{deploy-engine-DWLTHfXj.js → deploy-engine-UmoqjtWH.js} +2063 -6
package/dist/deploy-engine-UmoqjtWH.js.map +1 -0
package/dist/index.d.ts +11 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -2
package/package.json +2 -1
package/dist/aws-clients-BF03Alpe.js.map +0 -1
package/dist/deploy-engine-DWLTHfXj.js.map +0 -1

package/dist/cli.js CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { $ as CdkdError, A as shouldRetainResource, B as resolveSkipPrefix, C as IntrinsicFunctionResolver, D as TemplateParser, E as DagBuilder, F as Synthesizer, G as CFN_TEMPLATE_URL_LIMIT, H as resolveStateBucketWithDefaultAndSource, I as getDefaultStateBucketName, J as uploadCfnTemplate, K as MIGRATE_TMP_PREFIX, L as getLegacyStateBucketName, M as stringifyValue, N as WorkGraph, O as LockManager, P as buildDockerImage, R as resolveApp, S as assertRegionMatch, T as DiffCalculator, U as warnDeprecatedNoPrefixCliFlag, V as resolveStateBucketWithDefault, W as CFN_TEMPLATE_BODY_LIMIT, Y as AssemblyReader, Z as resolveBucketRegion, _ as matchesCdkPath, a as withRetry, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as PartialFailureError, d as green, dt as ResourceUpdateNotSupportedError, f as red, ft as RouteDiscoveryError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalStartServiceError, j as AssetPublisher, k as S3StateBackend, l as cyan, lt as ProvisioningError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalInvokeBuildError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as MissingCdkCliError, p as yellow, pt as StackHasActiveImportsError, q as findLargeInlineResources, r as DeployEngine, rt as LocalMigrateError, s as formatResourceLine, st as NestedStackChildDirectDestroyError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ResourceTimeoutError, v as normalizeAwsTagsToCfn, w as applyRoleArnIfSet, x as CloudControlProvider, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveCaptureObservedState } from "./deploy-engine-DWLTHfXj.js";
-import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-BF03Alpe.js";
+import { $ as CdkdError, A as shouldRetainResource, B as resolveSkipPrefix, C as IntrinsicFunctionResolver, D as TemplateParser, E as DagBuilder, F as Synthesizer, G as CFN_TEMPLATE_URL_LIMIT, H as resolveStateBucketWithDefaultAndSource, I as getDefaultStateBucketName, J as uploadCfnTemplate, K as MIGRATE_TMP_PREFIX, L as getLegacyStateBucketName, M as stringifyValue, N as WorkGraph, O as LockManager, P as buildDockerImage, R as resolveApp, S as assertRegionMatch, T as DiffCalculator, U as warnDeprecatedNoPrefixCliFlag, V as resolveStateBucketWithDefault, W as CFN_TEMPLATE_BODY_LIMIT, Y as AssemblyReader, Z as resolveBucketRegion, _ as matchesCdkPath, a as withRetry, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as PartialFailureError, d as green, dt as ResourceUpdateNotSupportedError, f as red, ft as RouteDiscoveryError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalStartServiceError, j as AssetPublisher, k as S3StateBackend, l as cyan, lt as ProvisioningError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalInvokeBuildError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as MissingCdkCliError, p as yellow, pt as StackHasActiveImportsError, q as findLargeInlineResources, r as DeployEngine, rt as LocalMigrateError, s as formatResourceLine, st as NestedStackChildDirectDestroyError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ResourceTimeoutError, v as normalizeAwsTagsToCfn, w as applyRoleArnIfSet, x as CloudControlProvider, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveCaptureObservedState } from "./deploy-engine-UmoqjtWH.js";
+import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-B15NAPbL.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -21,6 +21,7 @@ import { CloudFrontClient, CreateCloudFrontOriginAccessIdentityCommand, CreateDi
 import { CloudWatchClient, DeleteAlarmsCommand, DescribeAlarmsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$4, PutMetricAlarmCommand, TagResourceCommand as TagResourceCommand$6, UntagResourceCommand as UntagResourceCommand$6 } from "@aws-sdk/client-cloudwatch";
 import { CloudWatchLogsClient, CreateLogGroupCommand, DeleteDataProtectionPolicyCommand, DeleteIndexPolicyCommand, DeleteLogGroupCommand, DeleteRetentionPolicyCommand, DescribeIndexPoliciesCommand, DescribeLogGroupsCommand, GetDataProtectionPolicyCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$5, PutBearerTokenAuthenticationCommand, PutDataProtectionPolicyCommand, PutIndexPolicyCommand, PutLogGroupDeletionProtectionCommand, PutRetentionPolicyCommand, ResourceAlreadyExistsException, ResourceNotFoundException as ResourceNotFoundException$4, TagResourceCommand as TagResourceCommand$7, UntagResourceCommand as UntagResourceCommand$7 } from "@aws-sdk/client-cloudwatch-logs";
 import { BedrockAgentCoreControlClient, CreateAgentRuntimeCommand, DeleteAgentRuntimeCommand, GetAgentRuntimeCommand, ResourceNotFoundException as ResourceNotFoundException$5, UpdateAgentRuntimeCommand } from "@aws-sdk/client-bedrock-agentcore-control";
+import { ACMClient, AddTagsToCertificateCommand, DeleteCertificateCommand, DescribeCertificateCommand, ListCertificatesCommand, ListTagsForCertificateCommand, RemoveTagsFromCertificateCommand, RequestCertificateCommand, ResourceNotFoundException as ResourceNotFoundException$6, UpdateCertificateOptionsCommand } from "@aws-sdk/client-acm";
 import * as fs from "node:fs";
 import { cpSync, createWriteStream, existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from "node:fs";
 import * as path from "node:path";
@@ -44,17 +45,17 @@ import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, Delet
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$2, CreateDBClusterCommand as CreateDBClusterCommand$1, CreateDBInstanceCommand as CreateDBInstanceCommand$1, CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand$1, DeleteDBClusterCommand as DeleteDBClusterCommand$1, DeleteDBInstanceCommand as DeleteDBInstanceCommand$1, DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand$1, DescribeDBClustersCommand as DescribeDBClustersCommand$1, DescribeDBInstancesCommand as DescribeDBInstancesCommand$1, DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand$1, DocDBClient, ListTagsForResourceCommand as ListTagsForResourceCommand$11, ModifyDBClusterCommand as ModifyDBClusterCommand$1, ModifyDBInstanceCommand as ModifyDBInstanceCommand$1, ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand$1, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$2 } from "@aws-sdk/client-docdb";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$3, CreateDBClusterCommand as CreateDBClusterCommand$2, CreateDBInstanceCommand as CreateDBInstanceCommand$2, CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand$2, DeleteDBClusterCommand as DeleteDBClusterCommand$2, DeleteDBInstanceCommand as DeleteDBInstanceCommand$2, DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand$2, DescribeDBClustersCommand as DescribeDBClustersCommand$2, DescribeDBInstancesCommand as DescribeDBInstancesCommand$2, DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand$2, ListTagsForResourceCommand as ListTagsForResourceCommand$12, ModifyDBClusterCommand as ModifyDBClusterCommand$2, ModifyDBInstanceCommand as ModifyDBInstanceCommand$2, ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand$2, NeptuneClient, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$3 } from "@aws-sdk/client-neptune";
 import { CreateWebACLCommand, DeleteWebACLCommand, GetWebACLCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$13, ListWebACLsCommand, TagResourceCommand as TagResourceCommand$12, UntagResourceCommand as UntagResourceCommand$11, UpdateWebACLCommand, WAFNonexistentItemException, WAFV2Client } from "@aws-sdk/client-wafv2";
-import { CognitoIdentityProviderClient, CreateUserPoolCommand, DeleteUserPoolCommand, DescribeUserPoolCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$14, ListUserPoolsCommand, ResourceNotFoundException as ResourceNotFoundException$6, UpdateUserPoolCommand } from "@aws-sdk/client-cognito-identity-provider";
+import { CognitoIdentityProviderClient, CreateUserPoolCommand, DeleteUserPoolCommand, DescribeUserPoolCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$14, ListUserPoolsCommand, ResourceNotFoundException as ResourceNotFoundException$7, UpdateUserPoolCommand } from "@aws-sdk/client-cognito-identity-provider";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$4, CreateCacheClusterCommand, CreateCacheSubnetGroupCommand, DeleteCacheClusterCommand, DeleteCacheSubnetGroupCommand, DescribeCacheClustersCommand, DescribeCacheSubnetGroupsCommand, ElastiCacheClient, ListTagsForResourceCommand as ListTagsForResourceCommand$15, ModifyCacheClusterCommand, ModifyCacheSubnetGroupCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$4 } from "@aws-sdk/client-elasticache";
 import { CreatePrivateDnsNamespaceCommand, CreateServiceCommand as CreateServiceCommand$1, DeleteNamespaceCommand, DeleteServiceCommand as DeleteServiceCommand$1, GetNamespaceCommand, GetOperationCommand, GetServiceCommand, ListNamespacesCommand, ListServicesCommand as ListServicesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$16, NamespaceNotFound, ServiceDiscoveryClient, ServiceNotFound, UpdatePrivateDnsNamespaceCommand, UpdateServiceCommand as UpdateServiceCommand$1 } from "@aws-sdk/client-servicediscovery";
 import { AppSyncClient, CreateApiKeyCommand, CreateDataSourceCommand, CreateGraphqlApiCommand, CreateResolverCommand, DeleteApiKeyCommand, DeleteDataSourceCommand, DeleteGraphqlApiCommand, DeleteResolverCommand, GetDataSourceCommand, GetGraphqlApiCommand, GetIntrospectionSchemaCommand, GetResolverCommand, ListApiKeysCommand, ListGraphqlApisCommand, NotFoundException as NotFoundException$4, StartSchemaCreationCommand, TagResourceCommand as TagResourceCommand$13, UntagResourceCommand as UntagResourceCommand$12, UpdateApiKeyCommand, UpdateDataSourceCommand, UpdateGraphqlApiCommand, UpdateResolverCommand } from "@aws-sdk/client-appsync";
 import { parse, print } from "graphql";
 import { CreateConnectionCommand, CreateCrawlerCommand, CreateDatabaseCommand, CreateJobCommand, CreateSecurityConfigurationCommand, CreateTableCommand as CreateTableCommand$1, CreateTriggerCommand, CreateWorkflowCommand, DeleteConnectionCommand, DeleteCrawlerCommand, DeleteDatabaseCommand, DeleteJobCommand, DeleteSecurityConfigurationCommand, DeleteTableCommand as DeleteTableCommand$1, DeleteTriggerCommand, DeleteWorkflowCommand, EntityNotFoundException, GetConnectionCommand, GetCrawlerCommand, GetDatabaseCommand, GetDatabasesCommand, GetJobCommand, GetSecurityConfigurationCommand, GetSecurityConfigurationsCommand, GetTableCommand, GetTablesCommand, GetTagsCommand, GetTriggerCommand, GetWorkflowCommand, GlueClient, ListWorkflowsCommand, StartCrawlerScheduleCommand, StartTriggerCommand, StopCrawlerScheduleCommand, StopTriggerCommand, UpdateConnectionCommand, UpdateCrawlerCommand, UpdateDatabaseCommand, UpdateJobCommand, UpdateTableCommand as UpdateTableCommand$1, UpdateTriggerCommand, UpdateWorkflowCommand } from "@aws-sdk/client-glue";
-import { AddTagsToStreamCommand, CreateStreamCommand, DecreaseStreamRetentionPeriodCommand, DeleteStreamCommand, DeregisterStreamConsumerCommand, DescribeStreamCommand, DescribeStreamConsumerCommand, IncreaseStreamRetentionPeriodCommand, KinesisClient, ListStreamsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$17, ListTagsForStreamCommand, RegisterStreamConsumerCommand, RemoveTagsFromStreamCommand, ResourceNotFoundException as ResourceNotFoundException$7, StartStreamEncryptionCommand, StopStreamEncryptionCommand, TagResourceCommand as TagResourceCommand$14, UntagResourceCommand as UntagResourceCommand$13, UpdateShardCountCommand } from "@aws-sdk/client-kinesis";
+import { AddTagsToStreamCommand, CreateStreamCommand, DecreaseStreamRetentionPeriodCommand, DeleteStreamCommand, DeregisterStreamConsumerCommand, DescribeStreamCommand, DescribeStreamConsumerCommand, IncreaseStreamRetentionPeriodCommand, KinesisClient, ListStreamsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$17, ListTagsForStreamCommand, RegisterStreamConsumerCommand, RemoveTagsFromStreamCommand, ResourceNotFoundException as ResourceNotFoundException$8, StartStreamEncryptionCommand, StopStreamEncryptionCommand, TagResourceCommand as TagResourceCommand$14, UntagResourceCommand as UntagResourceCommand$13, UpdateShardCountCommand } from "@aws-sdk/client-kinesis";
 import { AccessPointNotFound, CreateAccessPointCommand, CreateFileSystemCommand, CreateMountTargetCommand, DeleteAccessPointCommand, DeleteFileSystemCommand, DeleteMountTargetCommand, DescribeAccessPointsCommand, DescribeBackupPolicyCommand, DescribeFileSystemsCommand, DescribeLifecycleConfigurationCommand, DescribeMountTargetSecurityGroupsCommand, DescribeMountTargetsCommand, EFSClient, FileSystemNotFound, ModifyMountTargetSecurityGroupsCommand, MountTargetNotFound, UpdateFileSystemCommand } from "@aws-sdk/client-efs";
-import { CreateDeliveryStreamCommand, DeleteDeliveryStreamCommand, DescribeDeliveryStreamCommand, FirehoseClient, ListDeliveryStreamsCommand, ListTagsForDeliveryStreamCommand, ResourceNotFoundException as ResourceNotFoundException$8, TagDeliveryStreamCommand, UntagDeliveryStreamCommand, UpdateDestinationCommand } from "@aws-sdk/client-firehose";
+import { CreateDeliveryStreamCommand, DeleteDeliveryStreamCommand, DescribeDeliveryStreamCommand, FirehoseClient, ListDeliveryStreamsCommand, ListTagsForDeliveryStreamCommand, ResourceNotFoundException as ResourceNotFoundException$9, TagDeliveryStreamCommand, UntagDeliveryStreamCommand, UpdateDestinationCommand } from "@aws-sdk/client-firehose";
 import { AddTagsCommand as AddTagsCommand$1, CloudTrailClient, CreateTrailCommand, DeleteTrailCommand, GetEventSelectorsCommand, GetInsightSelectorsCommand, GetTrailCommand, GetTrailStatusCommand, ListTagsCommand as ListTagsCommand$1, ListTrailsCommand, PutEventSelectorsCommand, PutInsightSelectorsCommand, RemoveTagsCommand as RemoveTagsCommand$1, StartLoggingCommand, StopLoggingCommand, TrailNotFoundException, UpdateTrailCommand } from "@aws-sdk/client-cloudtrail";
-import { BatchGetProjectsCommand, CodeBuildClient, CreateProjectCommand, DeleteProjectCommand, ListProjectsCommand, ResourceNotFoundException as ResourceNotFoundException$9, UpdateProjectCommand } from "@aws-sdk/client-codebuild";
+import { BatchGetProjectsCommand, CodeBuildClient, CreateProjectCommand, DeleteProjectCommand, ListProjectsCommand, ResourceNotFoundException as ResourceNotFoundException$10, UpdateProjectCommand } from "@aws-sdk/client-codebuild";
 import { CreateVectorBucketCommand, DeleteIndexCommand, DeleteVectorBucketCommand, GetVectorBucketCommand, ListIndexesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$18, ListVectorBucketsCommand, S3VectorsClient } from "@aws-sdk/client-s3vectors";
 import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as CreateTableCommand$2, DeleteNamespaceCommand as DeleteNamespaceCommand$1, DeleteTableBucketCommand, DeleteTableCommand as DeleteTableCommand$2, GetTableBucketCommand, GetTableCommand as GetTableCommand$1, ListNamespacesCommand as ListNamespacesCommand$1, ListTableBucketsCommand, ListTablesCommand as ListTablesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$19, NotFoundException as NotFoundException$5, S3TablesClient } from "@aws-sdk/client-s3tables";
 import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
@@ -395,6 +396,33 @@ function parseAllowUnsupportedTypesToken(value, previous) {
 	return [...previous ?? [], ...parsed];
 }
 const allowUnsupportedTypesOption = new Option("--allow-unsupported-types <types>", "Comma-separated resource types to attempt via Cloud Control even though cdkd reports them unsupported (AWS NON_PROVISIONABLE). Escape hatch — Cloud Control will likely still fail. Example: --allow-unsupported-types AWS::Foo::Bar,AWS::Baz::Qux").argParser(parseAllowUnsupportedTypesToken);
+/**
+* Escape hatch for the property-level silent-drop pre-flight reject.
+* Comma-separated (and repeatable) `<ResourceType>:<PropertyName>` tokens
+* the user explicitly accepts as silently dropped at deploy time. Per
+* type+property pair (not blanket) so each silent drop is acknowledged
+* by name.
+*
+* Format-checks each token against `<Namespace>::<Service>::<Type>:<Prop>`
+* with both halves PascalCase, so a typo aborts at parse time instead of
+* being silently added to the allowlist with no effect.
+*
+* The check is Tier-1-only by design (Cloud Control forwards every property
+* to AWS, so there is no write-side silent drop for Tier 2 / Custom). A
+* `Custom::Foo:Bar` token is therefore always a user mistake — it would be
+* added to the allowlist but never consulted at runtime. Reject it at parse
+* time so the user sees the error immediately.
+*/
+const RESOURCE_PROPERTY_FORMAT = /^[A-Z][A-Za-z0-9]+(::[A-Z][A-Za-z0-9]+)+:[A-Z][A-Za-z0-9]*$/;
+function parseAllowUnsupportedPropertiesToken(value, previous) {
+	const parsed = value.split(",").map((s) => s.trim()).filter(Boolean);
+	for (const token of parsed) {
+		if (!RESOURCE_PROPERTY_FORMAT.test(token)) throw new Error(`Invalid --allow-unsupported-properties value "${token}": expected <ResourceType>:<PropertyName> with PascalCase on both halves (e.g. AWS::Lambda::Function:LoggingConfig).`);
+		if (token.startsWith("Custom::")) throw new Error(`Invalid --allow-unsupported-properties value "${token}": Custom:: resources are routed through cfn-response and have no write-side silent drop at cdkd, so the flag would have no effect. Use --allow-unsupported-types for type-level escape hatches instead.`);
+	}
+	return [...previous ?? [], ...parsed];
+}
+const allowUnsupportedPropertiesOption = new Option("--allow-unsupported-properties <entries>", "Comma-separated <ResourceType>:<PropertyName> tokens to accept as silently dropped at deploy time. Escape hatch — the property will NOT be written to AWS, the deployed resource will be missing the field. Example: --allow-unsupported-properties AWS::Lambda::Function:LoggingConfig,AWS::RDS::DBInstance:CACertificateIdentifier").argParser(parseAllowUnsupportedPropertiesToken);
 const deployOptions = [
 	new Option("--concurrency <number>", "Maximum concurrent resource operations").default(10).argParser((value) => parseInt(value, 10)),
 	new Option("--stack-concurrency <number>", "Maximum concurrent stack deployments").default(4).argParser((value) => parseInt(value, 10)),
@@ -409,6 +437,7 @@ const deployOptions = [
 	aggressiveVpcParallelOption,
 	new Option("-e, --exclusively", "Only deploy requested stacks, do not include dependencies").default(false),
 	allowUnsupportedTypesOption,
+	allowUnsupportedPropertiesOption,
 	...resourceTimeoutOptions
 ];
 /**
@@ -22615,7 +22644,7 @@ var CognitoUserPoolProvider = class {
 				if (!templatedActive) try {
 					needsFlip = (await this.getClient().send(new DescribeUserPoolCommand({ UserPoolId: physicalId }))).UserPool?.DeletionProtection === "ACTIVE";
 				} catch (descError) {
-					if (descError instanceof ResourceNotFoundException$6) {
+					if (descError instanceof ResourceNotFoundException$7) {
 						assertRegionMatch(await this.getClient().config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
 						this.logger.debug(`Cognito User Pool ${physicalId} does not exist, skipping deletion`);
 						return;
@@ -22638,7 +22667,7 @@ var CognitoUserPoolProvider = class {
 			await this.getClient().send(new DeleteUserPoolCommand({ UserPoolId: physicalId }));
 			this.logger.debug(`Successfully deleted Cognito User Pool ${logicalId}`);
 		} catch (error) {
-			if (error instanceof ResourceNotFoundException$6) {
+			if (error instanceof ResourceNotFoundException$7) {
 				assertRegionMatch(await this.getClient().config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
 				this.logger.debug(`Cognito User Pool ${physicalId} does not exist, skipping deletion`);
 				return;
@@ -22671,7 +22700,7 @@ var CognitoUserPoolProvider = class {
 		try {
 			resp = await this.getClient().send(new DescribeUserPoolCommand({ UserPoolId: physicalId }));
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$6) return void 0;
+			if (err instanceof ResourceNotFoundException$7) return void 0;
 			throw err;
 		}
 		const pool = resp.UserPool;
@@ -22726,7 +22755,7 @@ var CognitoUserPoolProvider = class {
 				attributes: {}
 			};
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$6) return null;
+			if (err instanceof ResourceNotFoundException$7) return null;
 			throw err;
 		}
 		const desiredName = typeof input.properties?.["UserPoolName"] === "string" ? input.properties["UserPoolName"] : void 0;
@@ -22750,7 +22779,7 @@ var CognitoUserPoolProvider = class {
 						attributes: {}
 					};
 				} catch (err) {
-					if (err instanceof ResourceNotFoundException$6) continue;
+					if (err instanceof ResourceNotFoundException$7) continue;
 					throw err;
 				}
 			}
@@ -26980,7 +27009,7 @@ var KinesisStreamProvider = class {
 			}));
 			this.logger.debug(`Successfully deleted Kinesis stream ${logicalId}`);
 		} catch (error) {
-			if (error instanceof ResourceNotFoundException$7) {
+			if (error instanceof ResourceNotFoundException$8) {
 				assertRegionMatch(await this.getClient().config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
 				this.logger.debug(`Kinesis stream ${physicalId} does not exist, skipping deletion`);
 				return;
@@ -27060,7 +27089,7 @@ var KinesisStreamProvider = class {
 		try {
 			stream = (await this.getClient().send(new DescribeStreamCommand({ StreamName: physicalId }))).StreamDescription;
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$7) return void 0;
+			if (err instanceof ResourceNotFoundException$8) return void 0;
 			throw err;
 		}
 		if (!stream) return void 0;
@@ -27078,7 +27107,7 @@ var KinesisStreamProvider = class {
 		try {
 			result["Tags"] = normalizeAwsTagsToCfn((await this.getClient().send(new ListTagsForStreamCommand({ StreamName: physicalId }))).Tags);
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$7) return void 0;
+			if (err instanceof ResourceNotFoundException$8) return void 0;
 			this.logger.debug(`Kinesis ListTagsForStream(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`);
 		}
 		return result;
@@ -27092,7 +27121,7 @@ var KinesisStreamProvider = class {
 				attributes: {}
 			};
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$7) return null;
+			if (err instanceof ResourceNotFoundException$8) return null;
 			throw err;
 		}
 		if (!input.cdkPath) return null;
@@ -27263,7 +27292,7 @@ var KinesisStreamConsumerProvider = class {
 			await this.getClient().send(new DeregisterStreamConsumerCommand({ ConsumerARN: physicalId }));
 			this.logger.debug(`Successfully deregistered Kinesis stream consumer ${logicalId}`);
 		} catch (error) {
-			if (error instanceof ResourceNotFoundException$7) {
+			if (error instanceof ResourceNotFoundException$8) {
 				assertRegionMatch(await this.getClient().config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
 				this.logger.debug(`Kinesis stream consumer ${physicalId} not found, skipping`);
 				return;
@@ -27309,7 +27338,7 @@ var KinesisStreamConsumerProvider = class {
 		try {
 			desc = (await this.getClient().send(new DescribeStreamConsumerCommand({ ConsumerARN: physicalId }))).ConsumerDescription;
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$7) return void 0;
+			if (err instanceof ResourceNotFoundException$8) return void 0;
 			throw err;
 		}
 		if (!desc) return void 0;
@@ -27319,7 +27348,7 @@ var KinesisStreamConsumerProvider = class {
 		try {
 			result["Tags"] = normalizeAwsTagsToCfn((await this.getClient().send(new ListTagsForResourceCommand$17({ ResourceARN: physicalId }))).Tags);
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$7) return void 0;
+			if (err instanceof ResourceNotFoundException$8) return void 0;
 			this.logger.debug(`ListTagsForResource(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`);
 			result["Tags"] = [];
 		}
@@ -28386,7 +28415,7 @@ var FirehoseProvider = class {
 			await this.getClient().send(new DeleteDeliveryStreamCommand({ DeliveryStreamName: physicalId }));
 			this.logger.debug(`Successfully deleted Firehose delivery stream ${logicalId}`);
 		} catch (error) {
-			if (error instanceof ResourceNotFoundException$8) {
+			if (error instanceof ResourceNotFoundException$9) {
 				assertRegionMatch(await this.getClient().config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
 				this.logger.debug(`Firehose delivery stream ${physicalId} does not exist, skipping deletion`);
 				return;
@@ -28923,7 +28952,7 @@ var FirehoseProvider = class {
 		try {
 			desc = (await this.getClient().send(new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).DeliveryStreamDescription;
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$8) return void 0;
+			if (err instanceof ResourceNotFoundException$9) return void 0;
 			throw err;
 		}
 		if (!desc) return void 0;
@@ -28954,7 +28983,7 @@ var FirehoseProvider = class {
 		try {
 			result["Tags"] = normalizeAwsTagsToCfn((await this.getClient().send(new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).Tags);
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$8) return void 0;
+			if (err instanceof ResourceNotFoundException$9) return void 0;
 			this.logger.debug(`Firehose ListTagsForDeliveryStream(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`);
 			result["Tags"] = [];
 		}
@@ -28991,7 +29020,7 @@ var FirehoseProvider = class {
 				attributes: {}
 			};
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$8) return null;
+			if (err instanceof ResourceNotFoundException$9) return null;
 			throw err;
 		}
 		if (!input.cdkPath) return null;
@@ -29762,7 +29791,7 @@ var CodeBuildProvider = class {
 			await this.getClient().send(new DeleteProjectCommand({ name: physicalId }));
 			this.logger.debug(`Successfully deleted CodeBuild Project ${logicalId}`);
 		} catch (error) {
-			if (error instanceof ResourceNotFoundException$9) {
+			if (error instanceof ResourceNotFoundException$10) {
 				assertRegionMatch(await this.getClient().config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
 				this.logger.debug(`CodeBuild Project ${physicalId} does not exist, skipping deletion`);
 				return;
@@ -29817,7 +29846,7 @@ var CodeBuildProvider = class {
 		try {
 			project = (await this.getClient().send(new BatchGetProjectsCommand({ names: [physicalId] }))).projects?.[0];
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$9) return void 0;
+			if (err instanceof ResourceNotFoundException$10) return void 0;
 			throw err;
 		}
 		if (!project) return void 0;
@@ -29961,7 +29990,7 @@ var CodeBuildProvider = class {
 				attributes: {}
 			} : null;
 		} catch (err) {
-			if (err instanceof ResourceNotFoundException$9) return null;
+			if (err instanceof ResourceNotFoundException$10) return null;
 			throw err;
 		}
 		if (!input.cdkPath) return null;
@@ -32497,6 +32526,350 @@ var NestedStackProvider = class {
 	}
 };
+//#endregion
+//#region src/provisioning/providers/acm-certificate-provider.ts
+/**
+* AWS ACM Certificate Provider
+*
+* Implements `AWS::CertificateManager::Certificate` using the ACM SDK.
+*
+* **DNS / EMAIL validation is asynchronous.** `RequestCertificate` returns
+* immediately with status `PENDING_VALIDATION`; the certificate only reaches
+* `ISSUED` once AWS has confirmed the DNS records (or the email click).
+*
+* `create()` polls `DescribeCertificate` until status flips to `ISSUED`. On
+* the first poll that returns PENDING_VALIDATION, the provider logs the
+* `DomainValidationOptions` AWS posted so the user knows which CNAME records
+* to add to their DNS zone. `CDKD_NO_WAIT=true` (or `cdkd deploy --no-wait`)
+* short-circuits the loop and returns immediately with the ARN — downstream
+* consumers (CloudFront, ALB) will fail to start if they reach the cert
+* before it issues, but that's the documented trade-off.
+*
+* **CloudFront cross-region note**: ACM certificates referenced by a
+* CloudFront Distribution MUST live in `us-east-1`. cdkd does not enforce
+* this — it's the developer's responsibility to deploy the certificate
+* stack to `us-east-1`. The provider uses the single ACMClient configured
+* in `aws-clients.ts` (region = stack's region) and does NOT override.
+*
+* Physical id is the certificate ARN. CFn exposes only `Ref` (returns the
+* ARN); `getAttribute('Arn')` / `getAttribute('CertificateArn')` also
+* return the ARN for any defensive call site.
+*/
+var ACMCertificateProvider = class {
+	acmClient;
+	logger = getLogger().child("ACMCertificateProvider");
+	maxPollAttempts = Number(process.env["CDKD_ACM_POLL_ATTEMPTS"] ?? 60);
+	pollIntervalMs = Number(process.env["CDKD_ACM_POLL_INTERVAL_MS"] ?? 1e4);
+	constructor() {
+		this.acmClient = getAwsClients().acm;
+	}
+	handledProperties = new Map([["AWS::CertificateManager::Certificate", new Set([
+		"DomainName",
+		"ValidationMethod",
+		"SubjectAlternativeNames",
+		"DomainValidationOptions",
+		"CertificateAuthorityArn",
+		"CertificateTransparencyLoggingPreference",
+		"CertificateExport",
+		"KeyAlgorithm",
+		"Tags"
+	])]]);
+	async create(logicalId, resourceType, properties) {
+		this.logger.debug(`Requesting ACM certificate ${logicalId}`);
+		const domainName = properties["DomainName"];
+		if (!domainName) throw new ProvisioningError(`DomainName is required for ACM certificate ${logicalId}`, resourceType, logicalId);
+		const input = { DomainName: domainName };
+		if (properties["ValidationMethod"]) input["ValidationMethod"] = properties["ValidationMethod"];
+		if (Array.isArray(properties["SubjectAlternativeNames"])) input["SubjectAlternativeNames"] = properties["SubjectAlternativeNames"];
+		if (Array.isArray(properties["DomainValidationOptions"])) input["DomainValidationOptions"] = properties["DomainValidationOptions"].map((opt) => {
+			const cleaned = { DomainName: opt["DomainName"] };
+			if (opt["ValidationDomain"]) cleaned["ValidationDomain"] = opt["ValidationDomain"];
+			return cleaned;
+		}).filter((opt) => opt["DomainName"]);
+		if (properties["CertificateAuthorityArn"]) input["CertificateAuthorityArn"] = properties["CertificateAuthorityArn"];
+		if (properties["KeyAlgorithm"]) input["KeyAlgorithm"] = properties["KeyAlgorithm"];
+		const options = {};
+		if (properties["CertificateTransparencyLoggingPreference"]) options["CertificateTransparencyLoggingPreference"] = properties["CertificateTransparencyLoggingPreference"];
+		if (properties["CertificateExport"]) options["Export"] = properties["CertificateExport"];
+		if (Object.keys(options).length > 0) input["Options"] = options;
+		const tags = properties["Tags"];
+		if (tags && Array.isArray(tags) && tags.length > 0) input["Tags"] = tags;
+		try {
+			const certificateArn = (await this.acmClient.send(new RequestCertificateCommand(input))).CertificateArn;
+			if (!certificateArn) throw new ProvisioningError(`RequestCertificate succeeded but no CertificateArn returned for ${logicalId}`, resourceType, logicalId);
+			this.logger.debug(`Requested ACM certificate: ${certificateArn}`);
+			if (!(process.env["CDKD_NO_WAIT"] === "true")) await this.waitForCertificateIssued(certificateArn, logicalId);
+			else this.logger.warn(`Skipping wait for ACM certificate ${logicalId} (CDKD_NO_WAIT=true). Downstream consumers (CloudFront / ALB) will fail until the cert reaches ISSUED.`);
+			return {
+				physicalId: certificateArn,
+				attributes: {
+					Arn: certificateArn,
+					CertificateArn: certificateArn
+				}
+			};
+		} catch (error) {
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to create ACM certificate ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, void 0, cause);
+		}
+	}
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		this.logger.debug(`Updating ACM certificate ${logicalId}: ${physicalId}`);
+		const changedImmutable = [
+			"DomainName",
+			"ValidationMethod",
+			"SubjectAlternativeNames",
+			"DomainValidationOptions",
+			"CertificateAuthorityArn",
+			"KeyAlgorithm"
+		].find((k) => JSON.stringify(properties[k]) !== JSON.stringify(previousProperties[k]));
+		if (changedImmutable) {
+			this.logger.debug(`${changedImmutable} changed, replacing ACM certificate: ${physicalId}`);
+			const createResult = await this.create(logicalId, resourceType, properties);
+			try {
+				await this.delete(logicalId, physicalId, resourceType, previousProperties);
+			} catch (error) {
+				this.logger.warn(`Failed to delete old ACM certificate ${physicalId} during replacement: ${String(error)}. The old certificate may be orphaned and require manual cleanup.`);
+			}
+			const result = {
+				physicalId: createResult.physicalId,
+				wasReplaced: true
+			};
+			if (createResult.attributes) result.attributes = createResult.attributes;
+			return result;
+		}
+		try {
+			const newCt = properties["CertificateTransparencyLoggingPreference"];
+			const oldCt = previousProperties["CertificateTransparencyLoggingPreference"];
+			const newExport = properties["CertificateExport"];
+			const oldExport = previousProperties["CertificateExport"];
+			if (newCt !== oldCt || newExport !== oldExport) {
+				const options = {};
+				if (newCt) options["CertificateTransparencyLoggingPreference"] = newCt;
+				if (newExport) options["Export"] = newExport;
+				if (Object.keys(options).length > 0) {
+					await this.acmClient.send(new UpdateCertificateOptionsCommand({
+						CertificateArn: physicalId,
+						Options: options
+					}));
+					this.logger.debug(`Updated certificate Options on ${physicalId}`);
+				}
+			}
+			await this.updateTags(physicalId, properties["Tags"], previousProperties["Tags"]);
+			return {
+				physicalId,
+				wasReplaced: false,
+				attributes: {
+					Arn: physicalId,
+					CertificateArn: physicalId
+				}
+			};
+		} catch (error) {
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to update ACM certificate ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
+		}
+	}
+	async delete(logicalId, physicalId, resourceType, _properties, context) {
+		this.logger.debug(`Deleting ACM certificate ${logicalId}: ${physicalId}`);
+		try {
+			try {
+				await this.acmClient.send(new DeleteCertificateCommand({ CertificateArn: physicalId }));
+			} catch (error) {
+				if (error instanceof ResourceNotFoundException$6) {
+					assertRegionMatch(await this.acmClient.config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
+					this.logger.debug(`Certificate ${physicalId} does not exist, skipping deletion`);
+					return;
+				}
+				throw error;
+			}
+			this.logger.debug(`Successfully deleted ACM certificate ${logicalId}`);
+		} catch (error) {
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to delete ACM certificate ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
+		}
+	}
+	async getAttribute(physicalId, _resourceType, attributeName) {
+		if (attributeName === "Arn" || attributeName === "CertificateArn") return physicalId;
+	}
+	/**
+	* Read the AWS-current certificate properties in CFn-property shape.
+	*
+	* Coverage:
+	*  - `DomainName`, `SubjectAlternativeNames`, `KeyAlgorithm` straight from
+	*    `DescribeCertificate.Certificate.*`.
+	*  - `CertificateTransparencyLoggingPreference` extracted from the nested
+	*    `Options` field and flattened to match CFn shape.
+	*  - `Tags` via `ListTagsForCertificate`, with the `aws:cdk:path` etc.
+	*    auto-tags filtered out by `normalizeAwsTagsToCfn`.
+	*  - `ValidationMethod` / `DomainValidationOptions` are intentionally NOT
+	*    surfaced — the deployed cert's validation state is observation-only;
+	*    cdkd state stores the request-time input, which can legitimately
+	*    diverge from the observed state without indicating drift.
+	*
+	* Returns `undefined` when the cert is gone (`ResourceNotFoundException`).
+	*/
+	async readCurrentState(physicalId, _logicalId, _resourceType, _properties) {
+		let cert;
+		try {
+			cert = (await this.acmClient.send(new DescribeCertificateCommand({ CertificateArn: physicalId }))).Certificate;
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$6) return void 0;
+			throw err;
+		}
+		if (!cert) return void 0;
+		const result = {};
+		if (cert.DomainName !== void 0) result["DomainName"] = cert.DomainName;
+		if (Array.isArray(cert.SubjectAlternativeNames)) result["SubjectAlternativeNames"] = cert.SubjectAlternativeNames;
+		if (cert.KeyAlgorithm !== void 0) result["KeyAlgorithm"] = cert.KeyAlgorithm;
+		if (cert.CertificateAuthorityArn !== void 0) result["CertificateAuthorityArn"] = cert.CertificateAuthorityArn;
+		if (cert.Options?.CertificateTransparencyLoggingPreference !== void 0) result["CertificateTransparencyLoggingPreference"] = cert.Options.CertificateTransparencyLoggingPreference;
+		if (cert.Options?.Export !== void 0) result["CertificateExport"] = cert.Options.Export;
+		try {
+			result["Tags"] = normalizeAwsTagsToCfn((await this.acmClient.send(new ListTagsForCertificateCommand({ CertificateArn: physicalId }))).Tags);
+		} catch (err) {
+			if (!(err instanceof ResourceNotFoundException$6)) throw err;
+		}
+		return result;
+	}
+	/**
+	* Path the deploy engine queries to compare drift snapshots — paths
+	* `readCurrentState` deliberately does NOT round-trip.
+	*/
+	getDriftUnknownPaths(_resourceType) {
+		return ["ValidationMethod", "DomainValidationOptions"];
+	}
+	/**
+	* Adopt an existing certificate into cdkd state.
+	*
+	* Lookup order:
+	*  1. `--resource` override (must be an ARN — ACM has no other unique id).
+	*  2. Tag-based `aws:cdk:path` match across `ListCertificates` +
+	*     `ListTagsForCertificate`. NOTE: ACM has no `Scope: Local` filter —
+	*     `ListCertificates` returns customer-managed certs only (AWS-managed
+	*     certs are not surfaced via this API), so no extra guard is needed.
+	*/
+	async import(input) {
+		if (input.knownPhysicalId) {
+			const arn = input.knownPhysicalId;
+			if (!arn.startsWith("arn:")) throw new Error(`--resource override for ${input.logicalId} must be an ARN (got '${arn}'). ACM certificates have no human-readable physical id.`);
+			try {
+				await this.acmClient.send(new DescribeCertificateCommand({ CertificateArn: arn }));
+				return {
+					physicalId: arn,
+					attributes: {
+						Arn: arn,
+						CertificateArn: arn
+					}
+				};
+			} catch (err) {
+				if (err instanceof ResourceNotFoundException$6) return null;
+				throw err;
+			}
+		}
+		if (!input.cdkPath) return null;
+		let nextToken;
+		do {
+			const list = await this.acmClient.send(new ListCertificatesCommand({ ...nextToken ? { NextToken: nextToken } : {} }));
+			for (const summary of list.CertificateSummaryList ?? []) {
+				if (!summary.CertificateArn) continue;
+				try {
+					if (matchesCdkPath((await this.acmClient.send(new ListTagsForCertificateCommand({ CertificateArn: summary.CertificateArn }))).Tags, input.cdkPath)) return {
+						physicalId: summary.CertificateArn,
+						attributes: {
+							Arn: summary.CertificateArn,
+							CertificateArn: summary.CertificateArn
+						}
+					};
+				} catch (err) {
+					if (err instanceof ResourceNotFoundException$6) continue;
+					throw err;
+				}
+			}
+			nextToken = list.NextToken;
+		} while (nextToken);
+		return null;
+	}
+	/**
+	* Poll `DescribeCertificate` until status === `ISSUED`. On the FIRST poll
+	* that returns PENDING_VALIDATION, log the DomainValidationOptions AWS
+	* posted so the user knows which CNAME records to add to their DNS zone.
+	*
+	* Throws on `VALIDATION_TIMED_OUT` / `FAILED` (terminal failures) and on
+	* polling-cap exhaustion (treated as timeout). SIGINT short-circuits the
+	* loop and returns control to the deploy engine's cleanup path.
+	*/
+	async waitForCertificateIssued(certificateArn, logicalId) {
+		this.logger.debug(`Waiting for ACM certificate ${certificateArn} to reach ISSUED status...`);
+		let interrupted = false;
+		let validationOptionsLogged = false;
+		const sigintHandler = () => {
+			interrupted = true;
+		};
+		process.on("SIGINT", sigintHandler);
+		try {
+			for (let attempt = 1; attempt <= this.maxPollAttempts; attempt++) {
+				if (interrupted) {
+					this.logger.debug(`ACM certificate ${certificateArn} wait interrupted by SIGINT, proceeding`);
+					return;
+				}
+				const resp = await this.acmClient.send(new DescribeCertificateCommand({ CertificateArn: certificateArn }));
+				const status = resp.Certificate?.Status;
+				const validations = resp.Certificate?.DomainValidationOptions ?? [];
+				if (status === "ISSUED") {
+					this.logger.debug(`ACM certificate ${certificateArn} is ISSUED`);
+					return;
+				}
+				if (status === "FAILED" || status === "VALIDATION_TIMED_OUT" || status === "INACTIVE" || status === "REVOKED" || status === "EXPIRED") throw new Error(`ACM certificate ${logicalId} (${certificateArn}) entered terminal status ${status} during validation. Check ACM console / DNS records to diagnose.`);
+				if (status === "PENDING_VALIDATION" && !validationOptionsLogged && validations.length > 0) {
+					this.logValidationOptions(validations);
+					validationOptionsLogged = true;
+				}
+				this.logger.debug(`ACM certificate ${certificateArn} status: ${status} (attempt ${attempt}/${this.maxPollAttempts})`);
+				const sleepEnd = Date.now() + this.pollIntervalMs;
+				const tickMs = Math.min(1e3, this.pollIntervalMs);
+				while (Date.now() < sleepEnd && !interrupted) await new Promise((resolve) => setTimeout(resolve, tickMs));
+			}
+			throw new Error(`ACM certificate ${logicalId} (${certificateArn}) did not reach ISSUED status within ${this.maxPollAttempts * this.pollIntervalMs / 1e3}s. If your DNS zone is manually managed, you may need to increase --resource-timeout AWS::CertificateManager::Certificate=<duration> or set CDKD_NO_WAIT=true.`);
+		} finally {
+			process.removeListener("SIGINT", sigintHandler);
+		}
+	}
+	/**
+	* Pretty-print the validation records AWS expects in the DNS zone, so the
+	* user can copy / paste them into Route 53 / Cloudflare / etc. while the
+	* cert is still PENDING_VALIDATION.
+	*/
+	logValidationOptions(validations) {
+		const lines = ["ACM certificate is PENDING_VALIDATION. Add the following DNS records to validate:"];
+		for (const v of validations) if (v.ValidationMethod === "DNS" && v.ResourceRecord) {
+			const r = v.ResourceRecord;
+			lines.push(`  ${v.DomainName} — ${r.Type} ${r.Name} -> ${r.Value}`);
+		} else if (v.ValidationMethod === "EMAIL") {
+			const emails = (v.ValidationEmails ?? []).join(", ");
+			lines.push(`  ${v.DomainName} — confirmation email sent to: ${emails || "<none>"}`);
+		}
+		this.logger.info(lines.join("\n"));
+	}
+	async updateTags(certificateArn, newTags, oldTags) {
+		const newTagMap = new Map((newTags || []).map((t) => [t.Key, t.Value]));
+		const oldTagMap = new Map((oldTags || []).map((t) => [t.Key, t.Value]));
+		const tagsToRemove = [];
+		for (const key of oldTagMap.keys()) if (!newTagMap.has(key)) tagsToRemove.push({ Key: key });
+		const tagsToAdd = [];
+		for (const [key, value] of newTagMap) if (oldTagMap.get(key) !== value) tagsToAdd.push({
+			Key: key,
+			Value: value
+		});
+		if (tagsToRemove.length > 0) await this.acmClient.send(new RemoveTagsFromCertificateCommand({
+			CertificateArn: certificateArn,
+			Tags: tagsToRemove
+		}));
+		if (tagsToAdd.length > 0) await this.acmClient.send(new AddTagsToCertificateCommand({
+			CertificateArn: certificateArn,
+			Tags: tagsToAdd
+		}));
+	}
+};
 //#endregion
 //#region src/provisioning/register-providers.ts
 /**
@@ -32592,6 +32965,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::Route53::RecordSet", route53Provider);
 	registry.register("AWS::WAFv2::WebACL", new WAFv2WebACLProvider());
 	registry.register("AWS::Cognito::UserPool", new CognitoUserPoolProvider());
+	registry.register("AWS::CertificateManager::Certificate", new ACMCertificateProvider());
 	const elasticacheProvider = new ElastiCacheProvider();
 	registry.register("AWS::ElastiCache::SubnetGroup", elasticacheProvider);
 	registry.register("AWS::ElastiCache::CacheCluster", elasticacheProvider);
@@ -32904,6 +33278,7 @@ async function deployCommand(stacks, options) {
 			registerAllProviders(stackProviderRegistry);
 			stackProviderRegistry.setCustomResourceResponseBucket(stateBucket, baseRegion);
 			if (options.allowUnsupportedTypes?.length) stackProviderRegistry.allowUnsupportedTypes(options.allowUnsupportedTypes);
+			if (options.allowUnsupportedProperties?.length) stackProviderRegistry.allowUnsupportedProperties(options.allowUnsupportedProperties);
 			try {
 				if (skipPrefix) {
 					const existing = await stackStateBackend.getState(stackInfo.stackName, stackRegion);
@@ -58580,7 +58955,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.155.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.157.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());