npm - @go-to-k/cdkd - Versions diffs - 0.163.0 → 0.164.1 - Mend

@go-to-k/cdkd 0.163.0 → 0.164.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -37,6 +37,8 @@ import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBCluster
 import { Command, Option } from "commander";
 import { writeFileSync as writeFileSync$1 } from "fs";
 import { join as join$1 } from "path";
+import * as readline$1 from "node:readline/promises";
+import readline from "node:readline/promises";
 import * as zlib from "node:zlib";
 import { ApplicationAutoScalingClient, DeleteScalingPolicyCommand, DeregisterScalableTargetCommand, DescribeScalableTargetsCommand, DescribeScalingPoliciesCommand, PutScalingPolicyCommand, RegisterScalableTargetCommand } from "@aws-sdk/client-application-auto-scaling";
 import { ApiGatewayV2Client, CreateApiCommand, CreateAuthorizerCommand as CreateAuthorizerCommand$1, CreateIntegrationCommand, CreateRouteCommand as CreateRouteCommand$1, CreateStageCommand as CreateStageCommand$1, DeleteApiCommand, DeleteAuthorizerCommand as DeleteAuthorizerCommand$1, DeleteIntegrationCommand, DeleteRouteCommand as DeleteRouteCommand$1, DeleteStageCommand as DeleteStageCommand$1, GetApiCommand, GetApisCommand, GetAuthorizerCommand as GetAuthorizerCommand$1, GetIntegrationCommand, GetRouteCommand, GetStageCommand as GetStageCommand$1, NotFoundException as NotFoundException$3, UpdateApiCommand, UpdateAuthorizerCommand as UpdateAuthorizerCommand$1, UpdateIntegrationCommand, UpdateRouteCommand, UpdateStageCommand as UpdateStageCommand$1 } from "@aws-sdk/client-apigatewayv2";
@@ -59,7 +61,6 @@ import { BatchGetProjectsCommand, CodeBuildClient, CreateProjectCommand, DeleteP
 import { CreateVectorBucketCommand, DeleteIndexCommand, DeleteVectorBucketCommand, GetVectorBucketCommand, ListIndexesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$18, ListVectorBucketsCommand, S3VectorsClient } from "@aws-sdk/client-s3vectors";
 import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as CreateTableCommand$2, DeleteNamespaceCommand as DeleteNamespaceCommand$1, DeleteTableBucketCommand, DeleteTableCommand as DeleteTableCommand$2, GetTableBucketCommand, GetTableCommand as GetTableCommand$1, ListNamespacesCommand as ListNamespacesCommand$1, ListTableBucketsCommand, ListTablesCommand as ListTablesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$19, NotFoundException as NotFoundException$5, S3TablesClient } from "@aws-sdk/client-s3tables";
 import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
-import * as readline from "node:readline/promises";
 import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
 import { mkdir, mkdtemp } from "node:fs/promises";
 import { Readable } from "node:stream";
@@ -1255,6 +1256,62 @@ async function probeAndRevalidateStateful(input) {
 	};
 }
+//#endregion
+//#region src/cli/commands/recreate-confirm-prompt.ts
+/**
+* Interactive confirmation prompt for `cdkd deploy --recreate-via-cc-api`
+* (issue [#649]).
+*
+* Mirror of {@link ../prefix-migration-check.ts}'s `promptMigrationConfirm`
+* but for the recreate-via-cc-api destroy+recreate cycle:
+*
+*   - `opts.yes` (CDK CLI parity `-y` / `--yes`) skips the prompt and
+*     prints the per-target plan as a `WARN` block (the existing v1
+*     surface). CI use case.
+*   - When `opts.yes` is false, the prompt fires after the per-target
+*     plan. Default is `N` because the side effect is destructive
+*     (a per-resource destroy + recreate cycle).
+*   - Non-TTY guard: if `opts.yes` is false AND stdin is not a TTY,
+*     throws with an actionable message rather than hanging or
+*     silently declining. CI runs without `--yes` would otherwise look
+*     like a successful skipped-deploy.
+*
+* The per-target plan surfaces a **DATA LOSS** prefix for stateful
+* targets (those with a non-null `statefulReason` after the live
+* `s3:ListObjectsV2` probe — see issue [#648]); these reached pre-flight
+* only because the user opted in with `--force-stateful-recreation`,
+* so the prompt's **DATA LOSS** wording is the third "stop and think"
+* moment.
+*/
+async function promptRecreateConfirm(input) {
+	if (input.targets.length === 0) return true;
+	const logger = getLogger();
+	logger.warn("");
+	logger.warn(`--recreate-via-cc-api will destroy + recreate ${input.targets.length} resource(s) via Cloud Control API on stack ${input.stackName}:`);
+	for (const t of input.targets) {
+		const stateful = t.statefulReason !== null;
+		const dataLossPrefix = stateful ? "**DATA LOSS** " : "";
+		const stateNote = stateful ? ` — stateful (${t.statefulReason}); --force-stateful-recreation acknowledged` : "";
+		logger.warn(`  - ${dataLossPrefix}${t.logicalId} (${t.resourceType})${stateNote}`);
+		if (stateful) logger.warn(`    DATA: all data in ${t.logicalId} will be lost (no automatic data migration)`);
+	}
+	logger.warn("  The destroy + recreate cycle is per-resource; sibling resources are unaffected. Downstream consumers of any recreated resource's outputs (Fn::GetStackOutput / Fn::ImportValue) will need a re-deploy to see the new physical id.");
+	if (input.yes) return true;
+	if (process.stdin.isTTY !== true) throw new Error("--recreate-via-cc-api confirm prompt cannot run in a non-interactive environment. Pass --yes / -y to confirm the destroy + recreate cycle, or run the deploy from a real terminal.");
+	const rl = readline.createInterface({
+		input: process.stdin,
+		output: process.stdout
+	});
+	try {
+		const trimmed = (await rl.question("\nContinue? (y/N): ")).trim().toLowerCase();
+		if (trimmed === "y" || trimmed === "yes") return true;
+		logger.info("Deploy cancelled — no resources modified.");
+		return false;
+	} finally {
+		rl.close();
+	}
+}
 //#endregion
 //#region src/state/export-index-store.ts
 /**
@@ -32451,7 +32508,7 @@ async function runDestroyForStack(stackName, state, ctx) {
 	for (const [logicalId, resource] of Object.entries(state.resources)) logger.info(`  - ${logicalId} (${resource.resourceType})`);
 	const protectedCount = ctx.removeProtection ? countProtectedResources(state) : 0;
 	if (!ctx.skipConfirmation) {
-		const rl = readline.createInterface({
+		const rl = readline$1.createInterface({
 			input: process.stdin,
 			output: process.stdout
 		});
@@ -33522,7 +33579,7 @@ async function promptMigrationConfirm(renames, opts) {
 	logger.warn("These resources will be REPLACED because the new naming convention drops the stack-name prefix.");
 	if (opts.yes) return true;
 	if (process.stdin.isTTY !== true) throw new Error("--no-prefix-user-supplied-names migration confirm prompt cannot run in a non-interactive environment. Pass --yes / -y to confirm the REPLACEMENT, or run the deploy from a real terminal.");
-	const rl = readline.createInterface({
+	const rl = readline$1.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
@@ -33736,12 +33793,11 @@ async function deployCommand(stacks, options) {
 					if (errorBlock) throw new CdkdError(errorBlock, "RECREATE_VIA_CC_API_INVALID");
 					recreateViaCcApiTargets = new Set(validation.targets.map((t) => t.logicalId));
 					if (recreateViaCcApiTargets.size > 0) {
-						logger.warn(`--recreate-via-cc-api will destroy + recreate ${recreateViaCcApiTargets.size} resource(s) via Cloud Control API on stack ${stackInfo.stackName}:`);
-						for (const t of validation.targets) {
-							const stateNote = t.statefulReason !== null ? ` ⚠ stateful (${t.statefulReason}) — --force-stateful-recreation acknowledged` : "";
-							logger.warn(`  - ${t.logicalId} (${t.resourceType})${stateNote}`);
-						}
-						logger.warn("  The destroy + recreate cycle is per-resource; sibling resources are unaffected. Downstream consumers of any recreated resource's outputs (Fn::GetStackOutput / Fn::ImportValue) will need a re-deploy to see the new physical id.");
+						if (!await promptRecreateConfirm({
+							stackName: stackInfo.stackName,
+							targets: validation.targets,
+							yes: options.yes ?? false
+						})) return;
 					}
 				}
 				const deployEngineOptions = {
@@ -34634,7 +34690,7 @@ async function walkCfnStackTree(stackName, physicalId, cfnClient) {
 	};
 }
 async function confirmPrompt$5(prompt) {
-	const rl = readline.createInterface({
+	const rl = readline$1.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
@@ -35914,7 +35970,7 @@ async function runWithConcurrency(tasks, concurrency) {
 	await Promise.all(workers);
 }
 async function confirmPrompt$4(prompt) {
-	const rl = readline.createInterface({
+	const rl = readline$1.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
@@ -36883,7 +36939,7 @@ function stringifyForAudit(value) {
 	return JSON.stringify(value);
 }
 async function confirmPrompt$3(prompt) {
-	const rl = readline.createInterface({
+	const rl = readline$1.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
@@ -37372,7 +37428,7 @@ async function emptyBucketAllVersions(s3, bucket) {
 	} while (keyMarker || versionIdMarker);
 }
 async function confirmPrompt$2(prompt) {
-	const rl = readline.createInterface({
+	const rl = readline$1.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
@@ -39789,7 +39845,7 @@ function printNextSteps(args) {
 	logger.info("");
 }
 async function confirmPrompt$1(prompt) {
-	const rl = readline.createInterface({
+	const rl = readline$1.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
@@ -40368,7 +40424,7 @@ async function stateOrphanCommand(stackArgs, options) {
 			if (!options.yes && !options.force) {
 				const targetList = targets.map((t) => formatStackRef(t)).join(", ");
 				process.stdout.write(`\nWARNING: This removes cdkd's state record for [${targetList}] only. AWS resources will NOT be deleted.\nUse 'cdkd destroy ${stackName}' if you want to delete the actual resources.\n\n`);
-				const rl = readline.createInterface({
+				const rl = readline$1.createInterface({
 					input: process.stdin,
 					output: process.stdout
 				});
@@ -40465,7 +40521,7 @@ async function stateDestroyCommand(stackArgs, options) {
 			process.stdout.write(`\nWARNING: This destroys ${stackNames.length} stack(s) and removes their state records:\n`);
 			for (const name of stackNames) process.stdout.write(`  - ${name}\n`);
 			process.stdout.write("\n");
-			const rl = readline.createInterface({
+			const rl = readline$1.createInterface({
 				input: process.stdin,
 				output: process.stdout
 			});
@@ -40928,7 +40984,7 @@ async function refreshObservedForStack(stackName, region, stateBackend, lockMana
 	}
 }
 async function confirmRefresh(prompt) {
-	const rl = readline.createInterface({
+	const rl = readline$1.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
@@ -41544,7 +41600,7 @@ function formatOutcome(outcome) {
 	}
 }
 async function confirmPrompt(prompt) {
-	const rl = readline.createInterface({
+	const rl = readline$1.createInterface({
 		input: process.stdin,
 		output: process.stdout
 	});
@@ -58696,6 +58752,7 @@ async function localInvokeCommand(target, options) {
 			region: options.region
 		});
 		await ensureDockerAvailable();
+		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
 		const appCmd = resolveApp(options.app);
 		if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKD_APP, or add \"app\" to cdk.json.");
 		logger.info("Synthesizing CDK app...");
@@ -58793,7 +58850,10 @@ async function localInvokeCommand(target, options) {
 				logger.warn(`--assume-role: STS AssumeRole(${resolvedAssumeRoleArn}) failed: ${reason}. Falling back to the developer's shell credentials.`);
 			}
 		}
-		if (!assumeSucceeded) forwardAwsEnv(dockerEnv);
+		if (!assumeSucceeded) {
+			forwardAwsEnv(dockerEnv);
+			applyProfileCredentialsOverlay(dockerEnv, profileCredentials, false);
+		}
 		let debugPort;
 		if (options.debugPort) {
 			debugPort = Number(options.debugPort);
@@ -59230,6 +59290,44 @@ function forwardAwsEnv(env) {
 	}
 }
 /**
+* Issue #657: overlay `--profile <p>`-resolved credentials onto the
+* Lambda container's env block AFTER `forwardAwsEnv` has copied
+* `process.env.AWS_*`. The overlay covers SSO / IAM Identity Center /
+* fromIni / role-assumption profiles uniformly (resolved via the SDK's
+* default credential chain in `resolveProfileCredentials`). Without
+* this overlay, a dev who runs `cdkd local invoke --profile dev`
+* AND has no `AWS_ACCESS_KEY_ID` env var (the common SSO / Identity
+* Center case) sees the Lambda boot with no creds → handler's AWS SDK
+* call fails with `Could not load credentials from any providers`.
+*
+* Precedence (codifies existing semantics + this new layer):
+*   1. `--assume-role <arn>` (per-Lambda STS creds) — unchanged
+*   2. NEW: `--profile <p>` resolved + cached (this helper)
+*   3. `process.env.AWS_*` forwarded — when `--profile` not set
+*
+* Region from `forwardAwsEnv` is preserved — only the credential
+* triple is overlaid.
+*
+* When the resolved profile is long-lived (no `sessionToken`), any
+* inherited `AWS_SESSION_TOKEN` is stripped — a mismatched (long-
+* lived AKID + foreign session) would otherwise cause an SDK error
+* inside the container.
+*
+* No-op when `profileCreds` is `undefined` (profile not set) or when
+* `assumeRoleActive` is true (assume-role already won; its STS-issued
+* creds must not be clobbered by the profile overlay).
+*
+* Exported for unit-test isolation (see `local-invoke-profile-creds.test.ts`).
+*/
+function applyProfileCredentialsOverlay(env, profileCreds, assumeRoleActive) {
+	if (!profileCreds) return;
+	if (assumeRoleActive) return;
+	env["AWS_ACCESS_KEY_ID"] = profileCreds.accessKeyId;
+	env["AWS_SECRET_ACCESS_KEY"] = profileCreds.secretAccessKey;
+	if (profileCreds.sessionToken) env["AWS_SESSION_TOKEN"] = profileCreds.sessionToken;
+	else delete env["AWS_SESSION_TOKEN"];
+}
+/**
 * Materialize an inline Lambda body (`Code.ZipFile`) to a tmpdir and
 * return the directory the container should mount at /var/task. The
 * filename is derived from the function's Handler property and the
@@ -60449,7 +60547,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.163.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.164.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());