@go-to-k/cdkd 0.162.2 → 0.163.0

package/dist/cli.js

@@ -1004,9 +1004,12 @@ const MULTI_REGION_RECREATE_BLOCKED_TYPES = new Set(["AWS::DynamoDB::GlobalTable
 * Cheap, synchronous read of the resource's recorded properties only.
 * For `AWS::S3::Bucket` this returns `null` — the live `ListObjectsV2`
 * probe to distinguish empty buckets (safe to recreate) from
-* non-empty (data loss) needs an S3 client + an AWS round-trip and is
-* deferred to a follow-up issue (v1 sync-defers; an `--force-stateful-
-* recreation` is recommended for any potentially-non-empty S3 target).
+* non-empty (data loss) lives in
+* `src/deployment/recreate-targets.ts#probeStatefulRecreateTargetsAsync`
+* (issue [#648]) and runs after this sync first-cut. Sync callers can
+* still treat `null` as "not stateful" — the deploy command does both
+* passes back-to-back; only callers that explicitly opt out of the
+* async probe need to assume conservative "stateful" semantics.
 *
 * Returns the {@link StatefulReason} when the type is stateful (or
 * `null` for non-stateful types).
@@ -1038,11 +1041,47 @@ function renderStatefulReason(reason) {
 //#endregion
 //#region src/deployment/recreate-targets.ts
 /**
+* Pre-flight validation for `--recreate-via-cc-api <LogicalId>` deploy
+* flag (issue [#615]).
+*
+* Three things to validate before the deploy engine acts on the user's
+* recreate list:
+*
+*   1. Every named logical id MUST exist in the synth template. A typo
+*      should fail fast, not silently skip.
+*   2. Every named logical id MUST exist in cdkd state (the recreate
+*      operation requires an existing physical resource to destroy +
+*      recreate). A logical id in the template but absent from state
+*      is a CREATE on the next deploy regardless — recreate is a
+*      no-op for fresh deploys and should error out with a clear
+*      message rather than silently apply.
+*   3. Stateful-resource guard: every named target whose resource type
+*      is in {@link STATEFUL_TYPES} (or conditionally stateful — S3
+*      bucket with objects, LogGroup with retention) MUST be matched
+*      by an explicit `--force-stateful-recreation` flag. The sync
+*      first-cut runs from the recorded properties alone; the live
+*      `s3:ListObjectsV2` probe (issue [#648]) promotes a `null`
+*      reason to `'has-objects'` when a bucket actually contains data.
+*   4. Multi-region refusal: every named target whose resource type
+*      is in {@link MULTI_REGION_RECREATE_BLOCKED_TYPES} (e.g.
+*      `AWS::DynamoDB::GlobalTable`) is refused outright. Out of
+*      scope for v1; no `--force-stateful-recreation` bypass since
+*      this is a structural limitation, not a data-loss footgun.
+*
+* Plus one cross-flag invariant: `--recreate-via-cc-api MyLambda`
+* combined with `--allow-unsupported-properties AWS::Lambda::Function:LoggingConfig`
+* on a resource whose template carries `LoggingConfig` is **ambiguous
+* intent** — does the user want SDK + silent drop, or CC migration?
+* Fail fast and let the user pick one strategy per resource.
+*/
+/**
 * Plan-time validation of the user's recreate-via-cc-api list.
 *
-* Pure with respect to AWS — does NOT probe S3 bucket emptiness. The
-* S3 conditional check is deferred to a follow-up issue (the live
-* `s3:ListObjectsV2` probe is out of scope for v1).
+* Pure with respect to AWS — does NOT probe S3 bucket emptiness. Wrap
+* the result with {@link probeAndRevalidateStateful} to promote S3
+* targets' `statefulReason` via a live `s3:ListObjectsV2` round-trip
+* before rendering errors. The deploy command does this; the validator
+* itself stays sync so unit tests don't need an S3 mock.
 *
 * Input order is preserved; duplicate logical ids in the user's input
 * are deduplicated.
@@ -1137,6 +1176,84 @@ function renderRecreateTargetsErrors(validation) {
 	}
 	return lines.length > 0 ? lines.join("\n") : null;
 }
+/**
+* Async S3 object probe (issue [#648]).
+*
+* For every `AWS::S3::Bucket` target whose sync {@link StatefulReason}
+* is `null` (the sync map defers — see {@link isStatefulRecreateTargetSync}),
+* issues a single-page `ListObjectVersions(MaxKeys=1)` against the
+* bucket's recorded physical id. When the bucket has at least one
+* current object, prior version, OR delete-marker, promotes the
+* target's `statefulReason` to `'has-objects'`.
+*
+* Uses `ListObjectVersions` rather than `ListObjectsV2` so the probe
+* mirrors the s3-bucket-provider's `emptyBucket` view: a versioned
+* bucket whose current keys have all been soft-deleted (so
+* `ListObjectsV2.KeyCount === 0`) still holds prior versions +
+* delete-markers that the destroy + recreate cycle would lose. Using
+* the same listing API as the provider ensures the probe and the
+* destroy path agree on "empty".
+*
+* **Soft-fail on probe errors**: if `ListObjectVersions` throws
+* (permission denied, bucket-not-found mid-flight, transient network
+* error), logs a warn and leaves the target's `statefulReason` at the
+* sync result (`null`). The user can decide to proceed without the
+* probe by passing `--force-stateful-recreation`.
+*
+* Returns a NEW array of targets; the input is not mutated. Non-S3
+* targets and S3 targets whose sync reason is already non-null are
+* passed through unchanged.
+*/
+async function probeStatefulRecreateTargetsAsync(targets, s3Client, logger = getLogger().child("recreate-targets")) {
+	const promoted = [];
+	for (const target of targets) {
+		if (target.resourceType !== "AWS::S3::Bucket" || target.statefulReason !== null) {
+			promoted.push({ ...target });
+			continue;
+		}
+		try {
+			const result = await s3Client.send(new ListObjectVersionsCommand({
+				Bucket: target.physicalId,
+				MaxKeys: 1
+			}));
+			const hasVersions = (result.Versions?.length ?? 0) > 0;
+			const hasDeleteMarkers = (result.DeleteMarkers?.length ?? 0) > 0;
+			if (hasVersions || hasDeleteMarkers) promoted.push({
+				...target,
+				statefulReason: "has-objects"
+			});
+			else promoted.push({ ...target });
+		} catch (e) {
+			logger.warn(`--recreate-via-cc-api: live S3 probe failed for ${target.logicalId} (bucket ${target.physicalId}); leaving stateful guard at the sync result. If the bucket might be non-empty, re-run with --force-stateful-recreation. Underlying error: ${e instanceof Error ? e.message : String(e)}`);
+			promoted.push({ ...target });
+		}
+	}
+	return promoted;
+}
+/**
+* Async re-validation of the stateful-guard slice of a
+* {@link RecreateTargetsValidation}, after promoting S3 bucket reasons
+* via {@link probeStatefulRecreateTargetsAsync}.
+*
+* Skips the probe entirely when `forceStatefulRecreation: true` — the
+* sync validation already omits the blocked list in that case, and
+* skipping avoids an unnecessary AWS round-trip (plus permission-denied
+* warn-and-skip cycle on low-privilege CI roles).
+*
+* Returns a NEW validation; the input is not mutated. Non-stateful
+* categories (`unknownLogicalIds` / `missingFromState` /
+* `ambiguousIntent` / `blockedMultiRegionTargets`) are preserved verbatim.
+*/
+async function probeAndRevalidateStateful(input) {
+	if (input.forceStatefulRecreation) return input.validation;
+	const promoted = await probeStatefulRecreateTargetsAsync(input.validation.targets, input.s3Client);
+	const blockedStatefulTargets = promoted.filter((t) => t.statefulReason !== null);
+	return {
+		...input.validation,
+		targets: promoted,
+		blockedStatefulTargets
+	};
+}
 
 //#endregion
 //#region src/state/export-index-store.ts
@@ -33597,18 +33714,22 @@ async function deployCommand(stacks, options) {
 				let recreateViaCcApiTargets;
 				if (options.recreateViaCcApi?.length) {
 					const stateForRecreateCheck = await stackStateBackend.getState(stackInfo.stackName, stackRegion);
-					const validation = validateRecreateTargets({
-						template: stackInfo.template,
-						state: stateForRecreateCheck?.state ?? {
-							version: 7,
-							stackName: stackInfo.stackName,
-							region: stackRegion,
-							resources: {},
-							outputs: {},
-							lastModified: Date.now()
-						},
-						recreateViaCcApi: options.recreateViaCcApi,
-						allowUnsupportedProperties: new Set(options.allowUnsupportedProperties ?? []),
+					const validation = await probeAndRevalidateStateful({
+						validation: validateRecreateTargets({
+							template: stackInfo.template,
+							state: stateForRecreateCheck?.state ?? {
+								version: 7,
+								stackName: stackInfo.stackName,
+								region: stackRegion,
+								resources: {},
+								outputs: {},
+								lastModified: Date.now()
+							},
+							recreateViaCcApi: options.recreateViaCcApi,
+							allowUnsupportedProperties: new Set(options.allowUnsupportedProperties ?? []),
+							forceStatefulRecreation: options.forceStatefulRecreation ?? false
+						}),
+						s3Client: stackAwsClients.s3,
 						forceStatefulRecreation: options.forceStatefulRecreation ?? false
 					});
 					const errorBlock = renderRecreateTargetsErrors(validation);
@@ -54737,6 +54858,7 @@ async function localStartApiCommand(target, options) {
 			for (const [k, v] of direct) corsConfigByApiId.set(k, v);
 		}
 		const stateByStack = options.fromState || isCfnFlagPresent(options) ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
+		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
 		const lambdaIds = uniqueLambdaIds(routes, routesWithAuth, webSocketApis);
 		const specs = /* @__PURE__ */ new Map();
 		for (let i = 0; i < lambdaIds.length; i++) {
@@ -54753,7 +54875,8 @@ async function localStartApiCommand(target, options) {
 				layerTmpDirs,
 				stateByStack,
 				skipPull: options.pull === false,
-				...options.layerRoleArn !== void 0 && { layerRoleArn: options.layerRoleArn }
+				...options.layerRoleArn !== void 0 && { layerRoleArn: options.layerRoleArn },
+				...profileCredentials && { profileCredentials }
 			});
 			specs.set(logicalId, spec);
 		}
@@ -55187,7 +55310,7 @@ function warnIamRoutes(routesWithAuth) {
 * missing, runtime not supported).
 */
 async function buildContainerSpec(args) {
-	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn } = args;
+	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn, profileCredentials } = args;
 	const lambda = resolveLambdaByLogicalId(logicalId, stacks);
 	let codeDir;
 	let optDir;
@@ -55233,7 +55356,15 @@ async function buildContainerSpec(args) {
 		dockerEnv["AWS_SECRET_ACCESS_KEY"] = creds.secretAccessKey;
 		dockerEnv["AWS_SESSION_TOKEN"] = creds.sessionToken;
 		if (stsRegion) dockerEnv["AWS_REGION"] = stsRegion;
-	} else forwardAwsEnv$1(dockerEnv);
+	} else {
+		forwardAwsEnv$1(dockerEnv);
+		if (profileCredentials) {
+			dockerEnv["AWS_ACCESS_KEY_ID"] = profileCredentials.accessKeyId;
+			dockerEnv["AWS_SECRET_ACCESS_KEY"] = profileCredentials.secretAccessKey;
+			if (profileCredentials.sessionToken) dockerEnv["AWS_SESSION_TOKEN"] = profileCredentials.sessionToken;
+			else delete dockerEnv["AWS_SESSION_TOKEN"];
+		}
+	}
 	if (debugPort !== void 0) dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
 	const tmpfs = lambda.ephemeralStorageMb !== void 0 ? {
 		target: "/tmp",
@@ -55596,6 +55727,54 @@ function forwardAwsEnv$1(env) {
 	}
 }
 /**
+* Issue #654: resolve `--profile <p>` to a concrete credential set
+* for forwarding to Lambda containers.
+*
+* The dev's AWS credentials may live in any of:
+*   - `~/.aws/sso/cache/*.json` (AWS IAM Identity Center / legacy SSO)
+*   - `~/.aws/credentials` (regular long-lived access keys)
+*   - `~/.aws/config` profiles with `role_arn` + `source_profile` (chained AssumeRole)
+*   - `credential_process` external resolvers
+*
+* `forwardAwsEnv` only reads `process.env.AWS_*`, which is empty for
+* every shape except "user manually exported the env vars". The
+* Lambda container therefore boots without creds and the handler's
+* AWS SDK call fails with `Could not load credentials from any providers`.
+*
+* This helper constructs a transient `STSClient({ profile })` to drive
+* the SDK's default credential provider chain — same code path cdkd's
+* own CFn / CC API clients use when `--profile` is set, so SSO / IAM
+* Identity Center / role-assumption profiles all resolve the same way
+* they already do for cdkd's outbound calls. We then extract the
+* resolved `AwsCredentialIdentity` via `sts.config.credentials()` and
+* return the underlying `{ accessKeyId, secretAccessKey, sessionToken? }`
+* for env-var injection.
+*
+* Called ONCE at server boot; the resolved creds are reused for every
+* Lambda container's env overlay (when `--assume-role` is not set for
+* that Lambda — assume-role wins per the existing precedence). SSO
+* temp creds typically last 1h+, so a single resolve is fine for the
+* common dev session; long-running `--watch` sessions that outlive
+* the creds need a cdkd restart (deferred refresh out of scope for
+* v1, see issue #654).
+*/
+async function resolveProfileCredentials(profile) {
+	const { STSClient } = await import("@aws-sdk/client-sts");
+	const sts = new STSClient({ profile });
+	try {
+		const credsProvider = sts.config.credentials;
+		const creds = typeof credsProvider === "function" ? await credsProvider() : credsProvider;
+		if (!creds || !creds.accessKeyId || !creds.secretAccessKey) throw new Error(`--profile '${profile}': credential provider chain resolved without usable credentials. Check \`aws sso login --profile ` + profile + "` for SSO profiles, or `~/.aws/credentials` / `~/.aws/config` for regular profiles.");
+		return {
+			accessKeyId: creds.accessKeyId,
+			secretAccessKey: creds.secretAccessKey,
+			...creds.sessionToken && { sessionToken: creds.sessionToken }
+		};
+	} finally {
+		sts.destroy();
+	}
+}
+/**
 * Issue an STS AssumeRole and return temporary credentials. Mirrors
 * `cdkd local invoke`'s helper byte-for-byte; lifted here so the
 * start-api command stays self-contained.
@@ -60270,7 +60449,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.2");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.163.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());