@go-to-k/cdkd 0.16.0 → 0.17.0

package/dist/cli.js

@@ -1008,11 +1008,27 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
   const legacyName = getLegacyStateBucketName(accountId, region);
   const probe = new S3Client11({ region: "us-east-1" });
   try {
-    if (await bucketExists(probe, newName)) {
+    const newExists = await bucketExists(probe, newName);
+    const legacyExists = await bucketExists(probe, legacyName);
+    if (newExists && legacyExists) {
+      const newHasState = await bucketHasAnyState(probe, newName);
+      if (!newHasState) {
+        const legacyHasState = await bucketHasAnyState(probe, legacyName);
+        if (legacyHasState) {
+          logger.warn(
+            `Both '${newName}' (new default) and '${legacyName}' (legacy default) exist, but the new bucket is empty and the legacy one has state. Reading from legacy. Run \`cdkd state migrate --region ${region}\` to copy the state into the new bucket and stop seeing this warning.`
+          );
+          return { bucket: legacyName, source: "default-legacy" };
+        }
+      }
       logger.debug(`State bucket: ${newName}`);
       return { bucket: newName, source: "default" };
     }
-    if (await bucketExists(probe, legacyName)) {
+    if (newExists) {
+      logger.debug(`State bucket: ${newName}`);
+      return { bucket: newName, source: "default" };
+    }
+    if (legacyExists) {
       logger.warn(
         `Using legacy state bucket name '${legacyName}'. The default has changed to '${newName}'. To migrate, run:
 
@@ -1029,6 +1045,21 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
     probe.destroy();
   }
 }
+async function bucketHasAnyState(client, bucketName) {
+  const { ListObjectsV2Command: ListObjectsV2Command5 } = await import("@aws-sdk/client-s3");
+  try {
+    const resp = await client.send(
+      new ListObjectsV2Command5({
+        Bucket: bucketName,
+        Prefix: "cdkd/",
+        MaxKeys: 1
+      })
+    );
+    return (resp.KeyCount ?? 0) > 0;
+  } catch {
+    return true;
+  }
+}
 async function bucketExists(client, bucketName) {
   const { HeadBucketCommand: HeadBucketCommand5 } = await import("@aws-sdk/client-s3");
   try {
@@ -17482,6 +17513,85 @@ var EC2Provider = class {
     const name = error.name ?? "";
     return message.includes("not found") || message.includes("does not exist") || message.includes("invalidparametervalue") || name === "InvalidVpcID.NotFound" || name === "InvalidSubnetID.NotFound" || name === "InvalidInternetGatewayID.NotFound" || name === "InvalidRouteTableID.NotFound" || name === "InvalidGroup.NotFound" || name === "InvalidAssociationID.NotFound" || name === "InvalidRoute.NotFound" || name === "InvalidInstanceID.NotFound" || name === "InvalidNetworkAclID.NotFound" || name === "InvalidNetworkAclEntry.NotFound";
   }
+  /**
+   * Adopt an existing EC2 networking resource into cdkd state.
+   *
+   * Supported types: `AWS::EC2::VPC`, `AWS::EC2::Subnet`,
+   * `AWS::EC2::SecurityGroup`. Other EC2 types this provider creates
+   * (RouteTable, Route, InternetGateway, VPCGatewayAttachment,
+   * NetworkAcl, Instance) return `null` from import — most have no
+   * stable identity to look up by tag (Routes are derived; SGIngress
+   * is rule-level), and the typical adoption story is "find the VPC,
+   * cdkd reconstructs the rest at deploy time".
+   *
+   * EC2 supports `Filters: [{Name: 'tag:aws:cdk:path', Values: [path]}]`
+   * directly on `Describe*`, so the lookup is one API call per type.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return this.verifyExplicit(input.resourceType, input.knownPhysicalId);
+    }
+    if (!input.cdkPath)
+      return null;
+    const tagFilter = { Name: `tag:${CDK_PATH_TAG}`, Values: [input.cdkPath] };
+    try {
+      switch (input.resourceType) {
+        case "AWS::EC2::VPC": {
+          const resp = await this.ec2Client.send(new DescribeVpcsCommand2({ Filters: [tagFilter] }));
+          const vpc = resp.Vpcs?.[0];
+          return vpc?.VpcId ? { physicalId: vpc.VpcId, attributes: {} } : null;
+        }
+        case "AWS::EC2::Subnet": {
+          const resp = await this.ec2Client.send(
+            new DescribeSubnetsCommand2({ Filters: [tagFilter] })
+          );
+          const subnet = resp.Subnets?.[0];
+          return subnet?.SubnetId ? { physicalId: subnet.SubnetId, attributes: {} } : null;
+        }
+        case "AWS::EC2::SecurityGroup": {
+          const resp = await this.ec2Client.send(
+            new DescribeSecurityGroupsCommand2({ Filters: [tagFilter] })
+          );
+          const sg = resp.SecurityGroups?.[0];
+          return sg?.GroupId ? { physicalId: sg.GroupId, attributes: {} } : null;
+        }
+        default:
+          return null;
+      }
+    } catch (error) {
+      if (this.isNotFoundError(error))
+        return null;
+      throw error;
+    }
+  }
+  async verifyExplicit(resourceType, physicalId) {
+    try {
+      switch (resourceType) {
+        case "AWS::EC2::VPC": {
+          const resp = await this.ec2Client.send(new DescribeVpcsCommand2({ VpcIds: [physicalId] }));
+          return resp.Vpcs?.[0] ? { physicalId, attributes: {} } : null;
+        }
+        case "AWS::EC2::Subnet": {
+          const resp = await this.ec2Client.send(
+            new DescribeSubnetsCommand2({ SubnetIds: [physicalId] })
+          );
+          return resp.Subnets?.[0] ? { physicalId, attributes: {} } : null;
+        }
+        case "AWS::EC2::SecurityGroup": {
+          const resp = await this.ec2Client.send(
+            new DescribeSecurityGroupsCommand2({ GroupIds: [physicalId] })
+          );
+          return resp.SecurityGroups?.[0] ? { physicalId, attributes: {} } : null;
+        }
+        default:
+          return null;
+      }
+    } catch (error) {
+      if (this.isNotFoundError(error))
+        return null;
+      throw error;
+    }
+  }
 };
 
 // src/provisioning/providers/apigateway-provider.ts
@@ -18486,6 +18596,32 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
     }
     return result;
   }
+  /**
+   * Adopt an existing API Gateway sub-resource into cdkd state.
+   *
+   * **Explicit override only.** API Gateway sub-resources (Authorizer,
+   * Resource, Deployment, Stage, Method) live under a parent `RestApi`,
+   * and their physical ids are not globally unique — they're scoped
+   * `<restApiId>/<sub-id>`. Auto-lookup by `aws:cdk:path` would need to
+   * walk every RestApi in the account, then every sub-resource within
+   * each, which is impractical and error-prone.
+   *
+   * `AWS::ApiGateway::RestApi` itself is handled by the Cloud Control
+   * API fallback (also explicit-override only — see
+   * `cloud-control-provider.ts`).
+   *
+   * Users adopting an existing API Gateway should pass
+   * `--resource <logicalId>=<physicalId>` for each sub-resource; the
+   * physical id format follows what `create()` returns for the same
+   * type (e.g. `<restApiId>|<resourceId>` for `AWS::ApiGateway::Resource`).
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/apigatewayv2-provider.ts
@@ -19206,6 +19342,8 @@ import {
   DeleteDistributionCommand,
   GetDistributionCommand,
   GetDistributionConfigCommand,
+  ListDistributionsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand5,
   NoSuchDistribution
 } from "@aws-sdk/client-cloudfront";
 init_aws_clients();
@@ -19610,6 +19748,52 @@ var CloudFrontDistributionProvider = class {
       this.applyQuantityAtPath(nested, rest);
     }
   }
+  /**
+   * Adopt an existing CloudFront distribution into cdkd state.
+   *
+   * CloudFront distributions don't carry a template-supplied name
+   * (physical id is the AWS-generated `E...` distribution id), so the
+   * lookup is either explicit-override or `aws:cdk:path` tag match
+   * via `ListDistributions` + `ListTagsForResource(ARN)`.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.cloudFrontClient.send(new GetDistributionCommand({ Id: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchDistribution)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.cloudFrontClient.send(
+        new ListDistributionsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const d of list.DistributionList?.Items ?? []) {
+        if (!d.Id || !d.ARN)
+          continue;
+        try {
+          const tagsResp = await this.cloudFrontClient.send(
+            new ListTagsForResourceCommand5({ Resource: d.ARN })
+          );
+          if (matchesCdkPath(tagsResp.Tags?.Items, input.cdkPath)) {
+            return { physicalId: d.Id, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof NoSuchDistribution)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.DistributionList?.IsTruncated ? list.DistributionList?.NextMarker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/agentcore-runtime-provider.ts
@@ -20099,7 +20283,10 @@ import {
   CreateServiceCommand,
   UpdateServiceCommand,
   DeleteServiceCommand,
-  DescribeServicesCommand
+  DescribeServicesCommand,
+  ListClustersCommand,
+  ListServicesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand6
 } from "@aws-sdk/client-ecs";
 function convertTags(tags) {
   if (!tags || tags.length === 0)
@@ -20828,6 +21015,128 @@ var ECSProvider = class {
     }
     return false;
   }
+  /**
+   * Adopt an existing ECS resource into cdkd state.
+   *
+   * Supported types: `AWS::ECS::Cluster`, `AWS::ECS::Service`,
+   * `AWS::ECS::TaskDefinition`. ECS uses lowercase `key`/`value` tags
+   * (vs the standard CFn `Key`/`Value`), so the standard
+   * `matchesCdkPath` helper doesn't apply — match the tag manually.
+   *
+   * Service has a composite physical id of `<clusterArn>|<serviceName>`
+   * (the form ECSProvider uses internally for mutation operations),
+   * so the explicit-override path takes that composite form when
+   * supplied.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ECS::Cluster":
+        return this.importCluster(input);
+      case "AWS::ECS::Service":
+        return this.importService(input);
+      case "AWS::ECS::TaskDefinition":
+        return this.importTaskDefinition(input);
+      default:
+        return null;
+    }
+  }
+  async importCluster(input) {
+    const explicit = resolveExplicitPhysicalId(input, "ClusterName");
+    if (explicit) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeClustersCommand({ clusters: [explicit] })
+        );
+        return resp.clusters?.[0]?.clusterName ? { physicalId: resp.clusters[0].clusterName, attributes: {} } : null;
+      } catch (err) {
+        if (this.isClusterNotFoundException(err) || this.isServiceNotFoundException(err)) {
+          return null;
+        }
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListClustersCommand({ ...nextToken && { nextToken } })
+      );
+      for (const arn of list.clusterArns ?? []) {
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand6({ resourceArn: arn })
+        );
+        if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
+          const name = arn.substring(arn.lastIndexOf("/") + 1);
+          return { physicalId: name, attributes: {} };
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
+  async importService(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    if (!input.cdkPath)
+      return null;
+    let clusterToken;
+    do {
+      const clusterList = await this.getClient().send(
+        new ListClustersCommand({ ...clusterToken && { nextToken: clusterToken } })
+      );
+      for (const clusterArn of clusterList.clusterArns ?? []) {
+        let svcToken;
+        do {
+          const svcList = await this.getClient().send(
+            new ListServicesCommand({
+              cluster: clusterArn,
+              ...svcToken && { nextToken: svcToken }
+            })
+          );
+          for (const svcArn of svcList.serviceArns ?? []) {
+            const tagsResp = await this.getClient().send(
+              new ListTagsForResourceCommand6({ resourceArn: svcArn })
+            );
+            if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
+              const svcName = svcArn.substring(svcArn.lastIndexOf("/") + 1);
+              return { physicalId: `${clusterArn}|${svcName}`, attributes: {} };
+            }
+          }
+          svcToken = svcList.nextToken;
+        } while (svcToken);
+      }
+      clusterToken = clusterList.nextToken;
+    } while (clusterToken);
+    return null;
+  }
+  async importTaskDefinition(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeTaskDefinitionCommand({ taskDefinition: input.knownPhysicalId })
+        );
+        const arn = resp.taskDefinition?.taskDefinitionArn;
+        return arn ? { physicalId: arn, attributes: {} } : null;
+      } catch (err) {
+        if (this.isClusterNotFoundException(err) || this.isServiceNotFoundException(err)) {
+          return null;
+        }
+        throw err;
+      }
+    }
+    return null;
+  }
+  tagsMatchCdkPath(tags, cdkPath) {
+    if (!tags)
+      return false;
+    for (const t of tags) {
+      if (t.key === "aws:cdk:path" && t.value === cdkPath)
+        return true;
+    }
+    return false;
+  }
 };
 
 // src/provisioning/providers/elbv2-provider.ts
@@ -21360,7 +21669,9 @@ import {
   DescribeDBInstancesCommand,
   CreateDBSubnetGroupCommand,
   DeleteDBSubnetGroupCommand,
-  ModifyDBSubnetGroupCommand
+  DescribeDBSubnetGroupsCommand,
+  ModifyDBSubnetGroupCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand7
 } from "@aws-sdk/client-rds";
 var RDSProvider = class {
   rdsClient;
@@ -21954,6 +22265,133 @@ var RDSProvider = class {
   sleep(ms) {
     return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
+  /**
+   * Adopt an existing RDS resource into cdkd state.
+   *
+   * Supported types: `AWS::RDS::DBInstance`, `AWS::RDS::DBCluster`,
+   * `AWS::RDS::DBSubnetGroup`. Identifier name properties (`DBInstance
+   * Identifier` / `DBClusterIdentifier` / `DBSubnetGroupName`) are
+   * usually present in CDK templates; fall back to `aws:cdk:path` tag
+   * lookup via the corresponding `Describe*` + `ListTagsForResource`
+   * pair otherwise.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::RDS::DBInstance":
+        return this.importDBInstance(input);
+      case "AWS::RDS::DBCluster":
+        return this.importDBCluster(input);
+      case "AWS::RDS::DBSubnetGroup":
+        return this.importDBSubnetGroup(input);
+      default:
+        return null;
+    }
+  }
+  async importDBInstance(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DBInstanceIdentifier");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDBInstancesCommand({ DBInstanceIdentifier: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err.name === "DBInstanceNotFoundFault")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeDBInstancesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const inst of list.DBInstances ?? []) {
+        if (!inst.DBInstanceIdentifier || !inst.DBInstanceArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand7({ ResourceName: inst.DBInstanceArn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: inst.DBInstanceIdentifier, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async importDBCluster(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DBClusterIdentifier");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDBClustersCommand({ DBClusterIdentifier: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err.name === "DBClusterNotFoundFault")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeDBClustersCommand({ ...marker && { Marker: marker } })
+      );
+      for (const c of list.DBClusters ?? []) {
+        if (!c.DBClusterIdentifier || !c.DBClusterArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand7({ ResourceName: c.DBClusterArn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: c.DBClusterIdentifier, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async importDBSubnetGroup(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DBSubnetGroupName");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDBSubnetGroupsCommand({ DBSubnetGroupName: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err.name === "DBSubnetGroupNotFoundFault")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeDBSubnetGroupsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const sg of list.DBSubnetGroups ?? []) {
+        if (!sg.DBSubnetGroupName || !sg.DBSubnetGroupArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand7({ ResourceName: sg.DBSubnetGroupArn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: sg.DBSubnetGroupName, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/route53-provider.ts
@@ -22849,6 +23287,8 @@ import {
   DeleteUserPoolCommand,
   UpdateUserPoolCommand,
   DescribeUserPoolCommand,
+  ListUserPoolsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand8,
   ResourceNotFoundException as ResourceNotFoundException12
 } from "@aws-sdk/client-cognito-identity-provider";
 var CognitoUserPoolProvider = class {
@@ -23184,6 +23624,71 @@ var CognitoUserPoolProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Cognito User Pool into cdkd state.
+   *
+   * User Pool physical id is the AWS-generated `<region>_<random>` id.
+   * Lookup chain:
+   *  1. `--resource` override → `DescribeUserPool` to verify.
+   *  2. `Properties.UserPoolName` (when CDK template carries it) →
+   *     `ListUserPools` walk + name match.
+   *  3. `aws:cdk:path` tag match via `ListUserPools` +
+   *     `ListTagsForResource(<arn>)`. Cognito's tag map uses the same
+   *     `Tags: { [key]: value }` shape as Lambda.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(
+          new DescribeUserPoolCommand({ UserPoolId: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException12)
+          return null;
+        throw err;
+      }
+    }
+    const desiredName = typeof input.properties?.["UserPoolName"] === "string" ? input.properties["UserPoolName"] : void 0;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListUserPoolsCommand({
+          MaxResults: 60,
+          ...nextToken && { NextToken: nextToken }
+        })
+      );
+      for (const pool of list.UserPools ?? []) {
+        if (!pool.Id)
+          continue;
+        if (desiredName && pool.Name === desiredName) {
+          return { physicalId: pool.Id, attributes: {} };
+        }
+        if (input.cdkPath) {
+          try {
+            const desc = await this.getClient().send(
+              new DescribeUserPoolCommand({ UserPoolId: pool.Id })
+            );
+            const arn = desc.UserPool?.Arn;
+            if (!arn)
+              continue;
+            const tagsResp = await this.getClient().send(
+              new ListTagsForResourceCommand8({ ResourceArn: arn })
+            );
+            if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+              return { physicalId: pool.Id, attributes: {} };
+            }
+          } catch (err) {
+            if (err instanceof ResourceNotFoundException12)
+              continue;
+            throw err;
+          }
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/elasticache-provider.ts
@@ -31630,7 +32135,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command12();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.16.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.17.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());