@go-to-k/cdkd 0.162.0 → 0.162.1

package/dist/cli.js

@@ -51153,6 +51153,140 @@ function pickStringArray(value) {
 	return out;
 }
 /**
+* Build a `fnUrlLogicalId → CorsConfig` map by tracing CloudFront →
+* Function URL chains in the template (issue #646).
+*
+* Production-correct CDK pattern: Function URL fronted by a CloudFront
+* Distribution where CORS is declared on the CloudFront
+* `ResponseHeadersPolicy` (NOT on the Function URL itself). Without this
+* helper, `cdkd local start-api` sees `Cors: null` on the Function URL
+* and emits no preflight headers — even though the CDK code correctly
+* declares the allowed origins on the CloudFront side.
+*
+* Detection: an `AWS::CloudFront::Distribution` whose `Origins[].DomainName`
+* matches the canonical CDK 2.x shape
+* `Fn::Select[2, Fn::Split['/', Fn::GetAtt[<FnUrlLogicalId>, 'FunctionUrl']]]`
+* is the chain marker. For each such origin, we walk every cache behavior
+* (`DefaultCacheBehavior` + `CacheBehaviors[]`), resolve their
+* `ResponseHeadersPolicyId: { Ref: <RhpLogicalId> }` to the
+* `AWS::CloudFront::ResponseHeadersPolicy` resource, and extract its
+* `Properties.ResponseHeadersPolicyConfig.CorsConfig`.
+*
+* Schema mapping (CloudFront → internal `CorsConfig`):
+*
+*   AccessControlAllowOrigins.Items  → AllowOrigins
+*   AccessControlAllowMethods.Items  → AllowMethods
+*   AccessControlAllowHeaders.Items  → AllowHeaders
+*   AccessControlExposeHeaders.Items → ExposeHeaders
+*   AccessControlMaxAgeSec           → MaxAge
+*   AccessControlAllowCredentials    → AllowCredentials
+*   (OriginOverride is ignored — cdkd has only one config slot)
+*
+* Multiple distributions fronting the same Function URL: last write
+* wins (rare in practice). Per-path CORS via `CacheBehaviors[]` is
+* NOT supported in v1 — the `DefaultCacheBehavior`'s policy applies
+* to all paths.
+*/
+function buildCorsConfigFromCloudFrontChain(template) {
+	const out = /* @__PURE__ */ new Map();
+	const resources = template.Resources ?? {};
+	for (const [, resource] of Object.entries(resources)) {
+		if (resource.Type !== "AWS::CloudFront::Distribution") continue;
+		const distConfig = (resource.Properties ?? {})["DistributionConfig"];
+		if (!distConfig || typeof distConfig !== "object") continue;
+		const dc = distConfig;
+		const origins = Array.isArray(dc["Origins"]) ? dc["Origins"] : [];
+		for (const origin of origins) {
+			if (!origin || typeof origin !== "object") continue;
+			const fnUrlLogicalId = pickFnUrlLogicalIdFromOriginDomainName(origin["DomainName"]);
+			if (!fnUrlLogicalId) continue;
+			const cacheBehaviors = [dc["DefaultCacheBehavior"], ...Array.isArray(dc["CacheBehaviors"]) ? dc["CacheBehaviors"] : []];
+			for (const behavior of cacheBehaviors) {
+				if (!behavior || typeof behavior !== "object") continue;
+				const rhpId = pickRhpRefLogicalId(behavior["ResponseHeadersPolicyId"]);
+				if (!rhpId) continue;
+				const rhpResource = resources[rhpId];
+				if (!rhpResource || rhpResource.Type !== "AWS::CloudFront::ResponseHeadersPolicy") continue;
+				const rhpConfig = (rhpResource.Properties ?? {})["ResponseHeadersPolicyConfig"];
+				if (!rhpConfig || typeof rhpConfig !== "object") continue;
+				const corsConfig = rhpConfig["CorsConfig"];
+				if (!corsConfig || typeof corsConfig !== "object" || Array.isArray(corsConfig)) continue;
+				const parsed = parseCloudFrontCorsConfig(corsConfig);
+				if (parsed) out.set(fnUrlLogicalId, parsed);
+			}
+		}
+	}
+	return out;
+}
+/**
+* Detect the canonical CDK 2.x `DomainName` shape that points a
+* CloudFront Origin at a Function URL:
+*   {Fn::Select: [2, {Fn::Split: ['/', {Fn::GetAtt: [<id>, 'FunctionUrl']}]}]}
+* Returns the Function URL's logical ID, or undefined if the shape
+* doesn't match.
+*/
+function pickFnUrlLogicalIdFromOriginDomainName(value) {
+	if (!value || typeof value !== "object") return void 0;
+	const sel = value["Fn::Select"];
+	if (!Array.isArray(sel) || sel.length !== 2 || sel[0] !== 2) return void 0;
+	const split = sel[1];
+	if (!split || typeof split !== "object") return void 0;
+	const splitArgs = split["Fn::Split"];
+	if (!Array.isArray(splitArgs) || splitArgs.length !== 2 || splitArgs[0] !== "/") return void 0;
+	const getAtt = splitArgs[1];
+	if (!getAtt || typeof getAtt !== "object") return void 0;
+	const ga = getAtt["Fn::GetAtt"];
+	if (!Array.isArray(ga) || ga.length !== 2 || typeof ga[0] !== "string" || ga[1] !== "FunctionUrl") return;
+	return ga[0];
+}
+/**
+* Unwrap a `ResponseHeadersPolicyId` value to its referenced logical
+* ID. CDK 2.x synthesizes this as `{ Ref: <id> }`. Returns undefined
+* for the AWS-managed-policy ID form (literal UUID string) since
+* cdkd can't fetch those — and for any non-Ref shape.
+*/
+function pickRhpRefLogicalId(value) {
+	if (!value || typeof value !== "object") return void 0;
+	const ref = value["Ref"];
+	if (typeof ref !== "string" || ref.length === 0) return void 0;
+	return ref;
+}
+/**
+* Parse a CloudFront `ResponseHeadersPolicyConfig.CorsConfig` block
+* into the internal `CorsConfig` shape. Schema differs from Function
+* URL / HTTP API v2 (`AccessControl*` prefix + nested `Items` wrapper);
+* see `buildCorsConfigFromCloudFrontChain` JSDoc for the field mapping.
+*
+* Returns undefined when every value-bearing field is missing.
+*/
+function parseCloudFrontCorsConfig(raw) {
+	const allowOrigins = pickItemsStringArray(raw["AccessControlAllowOrigins"]);
+	const allowMethods = pickItemsStringArray(raw["AccessControlAllowMethods"]);
+	const allowHeaders = pickItemsStringArray(raw["AccessControlAllowHeaders"]);
+	const exposeHeaders = pickItemsStringArray(raw["AccessControlExposeHeaders"]);
+	const maxAgeRaw = raw["AccessControlMaxAgeSec"];
+	const allowCreds = raw["AccessControlAllowCredentials"];
+	if (allowOrigins.length === 0 && allowMethods.length === 0 && allowHeaders.length === 0 && exposeHeaders.length === 0 && maxAgeRaw === void 0 && allowCreds === void 0) return;
+	const config = {
+		AllowOrigins: allowOrigins,
+		AllowMethods: allowMethods,
+		AllowHeaders: allowHeaders,
+		ExposeHeaders: exposeHeaders
+	};
+	if (typeof maxAgeRaw === "number" && Number.isFinite(maxAgeRaw)) config.MaxAge = Math.trunc(maxAgeRaw);
+	if (typeof allowCreds === "boolean") config.AllowCredentials = allowCreds;
+	return config;
+}
+/**
+* CloudFront `AccessControl*Origins/Methods/Headers` use a nested
+* `Items: string[]` wrapper. Unwrap to a plain `string[]`.
+*/
+function pickItemsStringArray(value) {
+	if (!value || typeof value !== "object") return [];
+	const items = value["Items"];
+	return pickStringArray(items);
+}
+/**
 * Try to match an OPTIONS preflight request against the given CORS
 * config. Returns the canonical response when every check passes;
 * `null` when the request didn't satisfy AllowOrigins / AllowMethods /
@@ -54528,8 +54662,10 @@ async function localStartApiCommand(target, options) {
 		}
 		const corsConfigByApiId = /* @__PURE__ */ new Map();
 		for (const stack of targetStacks) {
-			const m = buildCorsConfigByApiId(stack.template);
-			for (const [k, v] of m) corsConfigByApiId.set(k, v);
+			const fromCloudFront = buildCorsConfigFromCloudFrontChain(stack.template);
+			for (const [k, v] of fromCloudFront) corsConfigByApiId.set(k, v);
+			const direct = buildCorsConfigByApiId(stack.template);
+			for (const [k, v] of direct) corsConfigByApiId.set(k, v);
 		}
 		const stateByStack = options.fromState || isCfnFlagPresent(options) ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
 		const lambdaIds = uniqueLambdaIds(routes, routesWithAuth, webSocketApis);
@@ -60065,7 +60201,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());