npm - @go-to-k/cdkd - Versions diffs - 0.166.0 → 0.167.0 - Mend

@go-to-k/cdkd 0.166.0 → 0.167.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -1123,6 +1123,7 @@ function validateRecreateTargets(input) {
 	const blockedStatefulTargets = [];
 	const blockedMultiRegionTargets = [];
 	const blockedAlreadySdk = [];
+	const blockedAlreadyCcApi = [];
 	const blockedNoSdkProvider = [];
 	const conflictSet = new Set(conflictingDirections);
 	const namedTargets = [...input.recreateViaCcApi.map((id) => ({
@@ -1166,6 +1167,7 @@ function validateRecreateTargets(input) {
 					property
 				});
 			}
+			if (recordedResource.provisionedBy === "cc-api") blockedAlreadyCcApi.push(target);
 		} else {
 			const actionableDrops = findActionableSilentDrops(resourceType, templateResource.Properties, input.allowUnsupportedProperties);
 			for (const { property } of actionableDrops) ambiguousIntentSdk.push({
@@ -1187,6 +1189,7 @@ function validateRecreateTargets(input) {
 		blockedStatefulTargets,
 		blockedMultiRegionTargets,
 		blockedAlreadySdk,
+		blockedAlreadyCcApi,
 		blockedNoSdkProvider,
 		conflictingDirections
 	};
@@ -1241,6 +1244,12 @@ function renderRecreateTargetsErrors(validation) {
 		for (const blocked of validation.blockedAlreadySdk) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType})`);
 		lines.push("  Fix: remove --recreate-via-sdk-provider <id> for these resources. They are already SDK-managed (or pre-v7 legacy state, treated as SDK).");
 	}
+	if (validation.blockedAlreadyCcApi.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`--recreate-via-cc-api named ${validation.blockedAlreadyCcApi.length} resource(s) that are ALREADY sticky on Cloud Control API (the migration is a no-op):`);
+		for (const blocked of validation.blockedAlreadyCcApi) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType})`);
+		lines.push("  Fix: remove --recreate-via-cc-api <id> for these resources. They are already CC-managed; a destroy + recreate cycle would produce the same end state at the cost of unnecessary downtime.");
+	}
 	if (validation.blockedNoSdkProvider.length > 0) {
 		if (lines.length > 0) lines.push("");
 		lines.push(`--recreate-via-sdk-provider named ${validation.blockedNoSdkProvider.length} resource(s) of types cdkd has no SDK provider for (Tier 2 CC-only):`);
@@ -57289,6 +57298,7 @@ async function localRunTaskCommand(target, options) {
 			resolvedRoleArn = options.assumeTaskRole;
 			assumedCredentials = await assumeTaskRole$1(resolvedRoleArn, options.region);
 		}
+		const sidecarCredentials = await resolveSidecarCredentials(options, assumedCredentials);
 		const envOverrides = readEnvOverridesFile$2(options.envVars);
 		const runOpts = {
 			cluster: options.cluster,
@@ -57298,7 +57308,7 @@ async function localRunTaskCommand(target, options) {
 			detach: options.detach
 		};
 		if (envOverrides) runOpts.envOverrides = envOverrides;
-		if (assumedCredentials) runOpts.taskCredentials = assumedCredentials;
+		if (sidecarCredentials) runOpts.taskCredentials = sidecarCredentials;
 		if (resolvedRoleArn) runOpts.taskRoleArn = resolvedRoleArn;
 		if (options.platform) runOpts.platformOverride = options.platform;
 		if (options.region) runOpts.region = options.region;
@@ -57445,6 +57455,29 @@ function readEnvOverridesFile$2(filePath) {
 	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error(`--env-vars file '${filePath}' must contain a JSON object at the top level.`);
 	return parsed;
 }
+/**
+* Issue #658: pick the credentials forwarded to the AWS-published
+* `amazon-ecs-local-container-endpoints` sidecar. Precedence:
+*   1. `--assume-task-role <arn>` (or bare `--assume-task-role` against
+*      a resolvable `TaskRoleArn`) → STS-assumed temp creds. Highest
+*      priority — when the user opted in to IAM emulation, those creds
+*      drive the sidecar regardless of `--profile`.
+*   2. `--profile <p>` → resolved via {@link resolveProfileCredentials}
+*      (the SDK's default credential provider chain — SSO / IAM
+*      Identity Center / fromIni / role-assumption). NEW in this PR.
+*   3. Neither set → `undefined`; the sidecar runs with its own
+*      default credential chain (typically empty inside a fresh
+*      container — user containers will get 4xx from the credentials
+*      endpoint, mimicking IAM-misconfigured prod).
+*
+* Extracted as an exported helper so a unit test can exercise every
+* branch without having to mock the full Synth + Docker + AWS pipeline
+* (the strategy PR #655 used for the Lambda container path).
+*/
+async function resolveSidecarCredentials(options, assumedCredentials) {
+	if (assumedCredentials) return assumedCredentials;
+	if (options.profile) return resolveProfileCredentials(options.profile);
+}
 function createLocalRunTaskCommand() {
 	const cmd = new Command("run-task").description("Run an AWS::ECS::TaskDefinition locally — pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkd-local")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries (#455). Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt references to same-stack AWS::ECR::Repository resources with the deployed URI. Off by default — only the AWS pseudo-parameter tier (${AWS::AccountId} / ${AWS::Region}) is resolved without this flag.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the cdkd stack name; pass an explicit value when the CFn stack name differs. Mutually exclusive with --from-state. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-state when the same stack name has state in multiple regions, and with --from-cfn-stack as the CFn client region (cdkd does not have a separate --cfn-stack-region flag).")).action(withErrorHandling(localRunTaskCommand));
 	[
@@ -58575,11 +58608,13 @@ async function localStartServiceCommand(targets, options) {
 			for (const w of index.warnings) logger.warn(w);
 		}
 		const registry = new CloudMapRegistry();
+		const sidecarCredentials = await resolveSharedSidecarCredentials(options);
 		try {
 			sharedNetwork = await createSharedSvcNetwork({
 				prefix: options.cluster,
 				skipPull,
-				cluster: options.cluster
+				cluster: options.cluster,
+				...sidecarCredentials !== void 0 && { credentials: sidecarCredentials }
 			});
 		} catch (err) {
 			throw new LocalStartServiceError(`Failed to create shared service network: ${err instanceof Error ? err.message : String(err)}`);
@@ -58819,6 +58854,34 @@ function parseRestartPolicy(raw) {
 	if (raw === "on-failure" || raw === "always" || raw === "none") return raw;
 	throw new LocalStartServiceError(`--restart-policy must be one of 'on-failure', 'always', or 'none' (got '${raw}').`);
 }
+/**
+* Issue #658: pick the credentials forwarded to the AWS-published
+* `amazon-ecs-local-container-endpoints` sidecar. `cdkd local
+* start-service`'s sidecar is SHARED across every replica boot in one
+* CLI invocation (design § 5 Option A), so this resolves ONCE at
+* startup. Precedence:
+*   1. `--profile <p>` → resolved via {@link resolveProfileCredentials}
+*      (the SDK's default credential provider chain — SSO / IAM
+*      Identity Center / fromIni / role-assumption). NEW in this PR.
+*   2. Not set → `undefined`; the sidecar runs with its own default
+*      credential chain (typically empty inside a fresh container —
+*      user containers will get 4xx from the credentials endpoint).
+*
+* Note: per-service `--assume-task-role <Service>=<arn>` overrides are
+* INTENTIONALLY NOT consulted here. The shared sidecar has no concept
+* of per-service IAM — per-service `TaskRoleArn` flows into each
+* container's env via `buildMetadataEnv` at boot time, where the
+* sidecar's `/role/<role-arn>` path resolves per-request. The shared
+* sidecar's OWN startup credentials govern only the fallback path
+* (containers that did not bind a `TaskRoleArn`).
+*
+* Extracted as an exported helper so a unit test can exercise both
+* branches without having to mock the full Synth + Docker + AWS
+* pipeline (the strategy PR #655 used for the Lambda container path).
+*/
+async function resolveSharedSidecarCredentials(options) {
+	if (options.profile) return resolveProfileCredentials(options.profile);
+}
 function createLocalStartServiceCommand() {
 	const cmd = new Command("start-service").description("Run one or more AWS::ECS::Service resources locally as a long-running emulator. Spins up DesiredCount task replicas per service (clamped by --max-tasks) using the same per-task docker network + metadata sidecar pattern as `cdkd local run-task`, then keeps each replica running and restarts it on exit per --restart-policy. ^C tears every replica + sidecar + network down. Each <target> accepts a CDK display path (MyStack/MyService) or stack-qualified logical ID (MyStack:MyServiceXYZ); single-stack apps may omit the stack prefix. When two or more <target>s are supplied, every service is booted into a shared Cloud Map / Service Connect registry so peer services discover each other via docker --add-host overlay (Issue #460).").argument("<targets...>", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ECS::Service resources to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkd-local")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt / Fn::ImportValue / Fn::GetStackOutput intrinsics in container images, environment variables, secrets, role ARNs, and volumes.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the cdkd stack name; pass an explicit value when the CFn stack name differs. Mutually exclusive with --from-state. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-state when the same stack name has state in multiple regions, and with --from-cfn-stack as the CFn client region (cdkd does not have a separate --cfn-stack-region flag).")).action(withErrorHandling(localStartServiceCommand));
 	[
@@ -60707,7 +60770,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.166.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.167.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());