@go-to-k/cdkd 0.164.0 → 0.165.0

package/dist/cli.js

@@ -1256,6 +1256,67 @@ async function probeAndRevalidateStateful(input) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/recreate-downstream-consumers.ts
+/**
+* Walk every stack in the cdkd state bucket and find consumers whose
+* `imports[]` reference the producer `(producerStack, producerRegion)`.
+*
+* Skips the producer itself (self-imports are invalid in CFn / cdkd).
+*
+* Soft-fails per consumer: an unreadable state file is logged at debug
+* and skipped — the warn block falls back to "we couldn't enumerate
+* downstream consumers" rather than blocking the deploy. The caller
+* always proceeds; this is informational only.
+*/
+async function findDownstreamConsumers(input) {
+	const logger = getLogger().child("recreate-downstream");
+	let refs;
+	try {
+		refs = await input.stateBackend.listStacks();
+	} catch (err) {
+		logger.debug(`findDownstreamConsumers: listStacks failed; falling back to empty enumeration. ${err instanceof Error ? err.message : String(err)}`);
+		return [];
+	}
+	return (await Promise.all(refs.map(async (ref) => {
+		const region = ref.region ?? input.baseRegion;
+		if (ref.stackName === input.producerStack && region === input.producerRegion) return null;
+		try {
+			const imports = (await input.stateBackend.getState(ref.stackName, region))?.state.imports;
+			if (!imports || imports.length === 0) return null;
+			const matches = imports.filter((entry) => entry.sourceStack === input.producerStack && entry.sourceRegion === input.producerRegion);
+			if (matches.length === 0) return null;
+			return matches.map((entry) => ({
+				consumerStack: ref.stackName,
+				consumerRegion: region,
+				exportName: entry.exportName,
+				intrinsic: "ImportValue"
+			}));
+		} catch (err) {
+			logger.debug(`findDownstreamConsumers: skip ${ref.stackName} (${region}); ${err instanceof Error ? err.message : String(err)}`);
+			return null;
+		}
+	}))).filter((r) => r !== null).flat();
+}
+/**
+* Render the per-consumer subset of the warn block as a multi-line
+* string suitable for piping into the logger. Returns `null` when the
+* enumeration is empty (caller skips the subsection in that case).
+*
+* Shape:
+* ```
+*   Downstream consumers of <ProducerStack>'s outputs (will need re-deploy):
+*     - StackB (region) reads ExportName via Fn::ImportValue
+*     - StackC (region) reads OtherExport via Fn::ImportValue
+* ```
+*/
+function renderDownstreamConsumers(producerStack, consumers) {
+	if (consumers.length === 0) return null;
+	const lines = [`  Downstream consumers of ${producerStack}'s outputs (will need re-deploy after this run):`];
+	for (const c of consumers) lines.push(`    - ${c.consumerStack} (${c.consumerRegion}) reads ${c.exportName} via Fn::${c.intrinsic}`);
+	return lines.join("\n");
+}
+
 //#endregion
 //#region src/cli/commands/recreate-confirm-prompt.ts
 /**
@@ -1295,6 +1356,10 @@ async function promptRecreateConfirm(input) {
 		logger.warn(`  - ${dataLossPrefix}${t.logicalId} (${t.resourceType})${stateNote}`);
 		if (stateful) logger.warn(`    DATA: all data in ${t.logicalId} will be lost (no automatic data migration)`);
 	}
+	if (input.downstreamConsumers && input.downstreamConsumers.length > 0) {
+		const rendered = renderDownstreamConsumers(input.stackName, input.downstreamConsumers);
+		if (rendered) logger.warn(rendered);
+	}
 	logger.warn("  The destroy + recreate cycle is per-resource; sibling resources are unaffected. Downstream consumers of any recreated resource's outputs (Fn::GetStackOutput / Fn::ImportValue) will need a re-deploy to see the new physical id.");
 	if (input.yes) return true;
 	if (process.stdin.isTTY !== true) throw new Error("--recreate-via-cc-api confirm prompt cannot run in a non-interactive environment. Pass --yes / -y to confirm the destroy + recreate cycle, or run the deploy from a real terminal.");
@@ -33793,10 +33858,17 @@ async function deployCommand(stacks, options) {
 					if (errorBlock) throw new CdkdError(errorBlock, "RECREATE_VIA_CC_API_INVALID");
 					recreateViaCcApiTargets = new Set(validation.targets.map((t) => t.logicalId));
 					if (recreateViaCcApiTargets.size > 0) {
+						const downstreamConsumers = await findDownstreamConsumers({
+							producerStack: stackInfo.stackName,
+							producerRegion: stackRegion,
+							stateBackend: stackStateBackend,
+							baseRegion
+						});
 						if (!await promptRecreateConfirm({
 							stackName: stackInfo.stackName,
 							targets: validation.targets,
-							yes: options.yes ?? false
+							yes: options.yes ?? false,
+							downstreamConsumers
 						})) return;
 					}
 				}
@@ -58752,6 +58824,7 @@ async function localInvokeCommand(target, options) {
 			region: options.region
 		});
 		await ensureDockerAvailable();
+		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
 		const appCmd = resolveApp(options.app);
 		if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKD_APP, or add \"app\" to cdk.json.");
 		logger.info("Synthesizing CDK app...");
@@ -58849,7 +58922,10 @@ async function localInvokeCommand(target, options) {
 				logger.warn(`--assume-role: STS AssumeRole(${resolvedAssumeRoleArn}) failed: ${reason}. Falling back to the developer's shell credentials.`);
 			}
 		}
-		if (!assumeSucceeded) forwardAwsEnv(dockerEnv);
+		if (!assumeSucceeded) {
+			forwardAwsEnv(dockerEnv);
+			applyProfileCredentialsOverlay(dockerEnv, profileCredentials, false);
+		}
 		let debugPort;
 		if (options.debugPort) {
 			debugPort = Number(options.debugPort);
@@ -59286,6 +59362,44 @@ function forwardAwsEnv(env) {
 	}
 }
 /**
+* Issue #657: overlay `--profile <p>`-resolved credentials onto the
+* Lambda container's env block AFTER `forwardAwsEnv` has copied
+* `process.env.AWS_*`. The overlay covers SSO / IAM Identity Center /
+* fromIni / role-assumption profiles uniformly (resolved via the SDK's
+* default credential chain in `resolveProfileCredentials`). Without
+* this overlay, a dev who runs `cdkd local invoke --profile dev`
+* AND has no `AWS_ACCESS_KEY_ID` env var (the common SSO / Identity
+* Center case) sees the Lambda boot with no creds → handler's AWS SDK
+* call fails with `Could not load credentials from any providers`.
+*
+* Precedence (codifies existing semantics + this new layer):
+*   1. `--assume-role <arn>` (per-Lambda STS creds) — unchanged
+*   2. NEW: `--profile <p>` resolved + cached (this helper)
+*   3. `process.env.AWS_*` forwarded — when `--profile` not set
+*
+* Region from `forwardAwsEnv` is preserved — only the credential
+* triple is overlaid.
+*
+* When the resolved profile is long-lived (no `sessionToken`), any
+* inherited `AWS_SESSION_TOKEN` is stripped — a mismatched (long-
+* lived AKID + foreign session) would otherwise cause an SDK error
+* inside the container.
+*
+* No-op when `profileCreds` is `undefined` (profile not set) or when
+* `assumeRoleActive` is true (assume-role already won; its STS-issued
+* creds must not be clobbered by the profile overlay).
+*
+* Exported for unit-test isolation (see `local-invoke-profile-creds.test.ts`).
+*/
+function applyProfileCredentialsOverlay(env, profileCreds, assumeRoleActive) {
+	if (!profileCreds) return;
+	if (assumeRoleActive) return;
+	env["AWS_ACCESS_KEY_ID"] = profileCreds.accessKeyId;
+	env["AWS_SECRET_ACCESS_KEY"] = profileCreds.secretAccessKey;
+	if (profileCreds.sessionToken) env["AWS_SESSION_TOKEN"] = profileCreds.sessionToken;
+	else delete env["AWS_SESSION_TOKEN"];
+}
+/**
 * Materialize an inline Lambda body (`Code.ZipFile`) to a tmpdir and
 * return the directory the container should mount at /var/task. The
 * filename is derived from the function's Handler property and the
@@ -60505,7 +60619,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.164.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.165.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());