@go-to-k/cdkd 0.167.1 → 0.167.3

package/dist/cli.js

@@ -62,7 +62,7 @@ import { CreateVectorBucketCommand, DeleteIndexCommand, DeleteVectorBucketComman
 import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as CreateTableCommand$2, DeleteNamespaceCommand as DeleteNamespaceCommand$1, DeleteTableBucketCommand, DeleteTableCommand as DeleteTableCommand$2, GetTableBucketCommand, GetTableCommand as GetTableCommand$1, ListNamespacesCommand as ListNamespacesCommand$1, ListTableBucketsCommand, ListTablesCommand as ListTablesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$19, NotFoundException as NotFoundException$5, S3TablesClient } from "@aws-sdk/client-s3tables";
 import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
-import { mkdir, mkdtemp } from "node:fs/promises";
+import { mkdir, mkdtemp, rm, writeFile } from "node:fs/promises";
 import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import { createServer } from "node:net";
@@ -46520,6 +46520,62 @@ function singleFlight(fn, onError) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/local-profile-credentials-file.ts
+/**
+* Path inside the container where the credentials file is mounted. Fixed
+* (not user-configurable) so the env-var injection is stable. `/cdkd-aws/`
+* is outside `/var/task` (the Lambda code mount) and outside `/root/`
+* (which the user's handler may bind-mount or modify), so there is no
+* collision risk with the user's payload.
+*/
+const CONTAINER_AWS_CREDENTIALS_PATH = "/cdkd-aws/credentials";
+/**
+* Write a temporary AWS shared-credentials file containing the resolved
+* `--profile <name>` credentials, ready to bind-mount into a Lambda
+* container at {@link CONTAINER_AWS_CREDENTIALS_PATH}.
+*
+* The file content is the standard `[profile-name]` INI shape:
+*
+*   [<profileName>]
+*   aws_access_key_id = <accessKeyId>
+*   aws_secret_access_key = <secretAccessKey>
+*   aws_session_token = <sessionToken>   ← only when present
+*
+* `aws_session_token` is omitted when the resolved profile produced
+* long-lived (non-STS) credentials, mirroring the same logic
+* `applyProfileCredentialsOverlay` uses for env-var injection.
+*
+* Caller is responsible for invoking `dispose()` when the container pool
+* tears down (e.g., on `SIGINT` via `singleFlight` cleanup). Leaving the
+* file behind in `/tmp` is a security smell (temp credentials live on
+* disk).
+*/
+async function writeProfileCredentialsFile(profileName, creds) {
+	if (profileName === "") throw new Error("writeProfileCredentialsFile: profile name must not be empty.");
+	if (/[\r\n[\]]/.test(profileName)) throw new Error(`writeProfileCredentialsFile: profile name '${profileName}' contains a forbidden character (any of CR, LF, '[', ']' would corrupt the INI file or the docker -e env var).`);
+	const dir = await mkdtemp(path.join(tmpdir(), "cdkd-profile-creds-"));
+	const hostPath = path.join(dir, "credentials");
+	const lines = [
+		`[${profileName}]`,
+		`aws_access_key_id = ${creds.accessKeyId}`,
+		`aws_secret_access_key = ${creds.secretAccessKey}`
+	];
+	if (creds.sessionToken) lines.push(`aws_session_token = ${creds.sessionToken}`);
+	await writeFile(hostPath, lines.join("\n") + "\n", { mode: 384 });
+	return {
+		hostPath,
+		containerPath: CONTAINER_AWS_CREDENTIALS_PATH,
+		profileName,
+		dispose: async () => {
+			await rm(dir, {
+				recursive: true,
+				force: true
+			});
+		}
+	};
+}
+
 //#endregion
 //#region src/local/intrinsic-lambda-arn.ts
 /**
@@ -50510,6 +50566,11 @@ function createContainerPool(specs, options) {
 				containerPath: "/opt",
 				readOnly: true
 			}] : [];
+			const extraMounts = spec.profileCredentialsFile ? [...optMount, {
+				hostPath: spec.profileCredentialsFile.hostPath,
+				containerPath: spec.profileCredentialsFile.containerPath,
+				readOnly: true
+			}] : optMount;
 			const containerCodePath = resolveRuntimeCodeMountPath(spec.lambda.runtime);
 			containerId = await runDetached({
 				image: resolveRuntimeImage(spec.lambda.runtime),
@@ -50518,7 +50579,7 @@ function createContainerPool(specs, options) {
 					containerPath: containerCodePath,
 					readOnly: true
 				}],
-				extraMounts: optMount,
+				extraMounts,
 				env: spec.env,
 				cmd: [spec.lambda.handler],
 				hostPort,
@@ -50531,6 +50592,11 @@ function createContainerPool(specs, options) {
 		} else containerId = await runDetached({
 			image: spec.image,
 			mounts: [],
+			...spec.profileCredentialsFile && { extraMounts: [{
+				hostPath: spec.profileCredentialsFile.hostPath,
+				containerPath: spec.profileCredentialsFile.containerPath,
+				readOnly: true
+			}] },
 			env: spec.env,
 			cmd: spec.command,
 			hostPort,
@@ -55023,6 +55089,7 @@ async function localStartApiCommand(target, options) {
 	const perLambdaConcurrency = parsePerLambdaConcurrency(options.perLambdaConcurrency);
 	const inlineTmpDirs = /* @__PURE__ */ new Set();
 	const layerTmpDirs = /* @__PURE__ */ new Set();
+	let profileCredsFile;
 	const lastAssetPaths = { value: [] };
 	const authorizerCache = createAuthorizerCache();
 	const jwksCache = createJwksCache();
@@ -55094,6 +55161,7 @@ async function localStartApiCommand(target, options) {
 		}
 		const stateByStack = options.fromState || isCfnFlagPresent(options) ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
 		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
+		if (options.profile && profileCredentials && !profileCredsFile) profileCredsFile = await writeProfileCredentialsFile(options.profile, profileCredentials);
 		const lambdaIds = uniqueLambdaIds(routes, routesWithAuth, webSocketApis);
 		const specs = /* @__PURE__ */ new Map();
 		for (let i = 0; i < lambdaIds.length; i++) {
@@ -55111,7 +55179,8 @@ async function localStartApiCommand(target, options) {
 				stateByStack,
 				skipPull: options.pull === false,
 				...options.layerRoleArn !== void 0 && { layerRoleArn: options.layerRoleArn },
-				...profileCredentials && { profileCredentials }
+				...profileCredentials && { profileCredentials },
+				...profileCredsFile && { profileCredsFile }
 			});
 			specs.set(logicalId, spec);
 		}
@@ -55387,6 +55456,11 @@ async function localStartApiCommand(target, options) {
 		} catch (err) {
 			logger.warn(`Failed to remove merged-layers tmpdir ${dir}: ${err instanceof Error ? err.message : String(err)}`);
 		}
+		if (profileCredsFile) try {
+			await profileCredsFile.dispose();
+		} catch (err) {
+			logger.warn(`Failed to remove profile credentials tmpdir ${profileCredsFile.hostPath}: ${err instanceof Error ? err.message : String(err)}`);
+		}
 	});
 	const shutdown = async (signal, exitCode) => {
 		if (shutdownStarted) {
@@ -55545,7 +55619,7 @@ function warnIamRoutes(routesWithAuth) {
 * missing, runtime not supported).
 */
 async function buildContainerSpec(args) {
-	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn, profileCredentials } = args;
+	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn, profileCredentials, profileCredsFile } = args;
 	const lambda = resolveLambdaByLogicalId(logicalId, stacks);
 	let codeDir;
 	let optDir;
@@ -55599,6 +55673,10 @@ async function buildContainerSpec(args) {
 			if (profileCredentials.sessionToken) dockerEnv["AWS_SESSION_TOKEN"] = profileCredentials.sessionToken;
 			else delete dockerEnv["AWS_SESSION_TOKEN"];
 		}
+		if (profileCredsFile) {
+			dockerEnv["AWS_SHARED_CREDENTIALS_FILE"] = profileCredsFile.containerPath;
+			dockerEnv["AWS_PROFILE"] = profileCredsFile.profileName;
+		}
 	}
 	if (debugPort !== void 0) dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
 	const tmpfs = lambda.ephemeralStorageMb !== void 0 ? {
@@ -55613,7 +55691,11 @@ async function buildContainerSpec(args) {
 		containerHost,
 		...optDir !== void 0 && { optDir },
 		...debugPort !== void 0 && { debugPort },
-		...tmpfs !== void 0 && { tmpfs }
+		...tmpfs !== void 0 && { tmpfs },
+		...profileCredsFile && { profileCredentialsFile: {
+			hostPath: profileCredsFile.hostPath,
+			containerPath: profileCredsFile.containerPath
+		} }
 	};
 	return {
 		kind: "image",
@@ -55626,7 +55708,11 @@ async function buildContainerSpec(args) {
 		env: dockerEnv,
 		containerHost,
 		...debugPort !== void 0 && { debugPort },
-		...tmpfs !== void 0 && { tmpfs }
+		...tmpfs !== void 0 && { tmpfs },
+		...profileCredsFile && { profileCredentialsFile: {
+			hostPath: profileCredsFile.hostPath,
+			containerPath: profileCredsFile.containerPath
+		} }
 	};
 }
 /**
@@ -56818,7 +56904,8 @@ async function runEcsTask(task, options, state) {
 			sidecarIp: state.network.sidecarIp,
 			...options.skipHostPortPublish ? { skipHostPortPublish: true } : {},
 			...options.addHostFlags && options.addHostFlags.length > 0 ? { addHostFlags: options.addHostFlags } : {},
-			...(options.networkAliasesByContainer?.get(container.name)?.length ?? 0) > 0 ? { networkAliases: options.networkAliasesByContainer.get(container.name) } : {}
+			...(options.networkAliasesByContainer?.get(container.name)?.length ?? 0) > 0 ? { networkAliases: options.networkAliasesByContainer.get(container.name) } : {},
+			...options.profileCredentialsFile && { profileCredentialsFile: options.profileCredentialsFile }
 		}));
 	}
 	const startedByName = /* @__PURE__ */ new Map();
@@ -57150,6 +57237,7 @@ function buildDockerRunArgs(opts) {
 		const hostPort = pm.hostPort ?? pm.containerPort;
 		args.push("-p", `${containerHost}:${hostPort}:${pm.containerPort}/${pm.protocol}`);
 	}
+	if (opts.profileCredentialsFile) args.push("-v", `${opts.profileCredentialsFile.hostPath}:${opts.profileCredentialsFile.containerPath}:ro`);
 	for (const mp of container.mountPoints) {
 		const v = volumeByName.get(mp.sourceVolume);
 		if (!v) continue;
@@ -57171,6 +57259,10 @@ function buildDockerRunArgs(opts) {
 		...opts.sidecarIp !== void 0 && { sidecarIp: opts.sidecarIp }
 	});
 	Object.assign(finalEnv, metaEnv);
+	if (opts.profileCredentialsFile) {
+		finalEnv["AWS_SHARED_CREDENTIALS_FILE"] = opts.profileCredentialsFile.containerPath;
+		finalEnv["AWS_PROFILE"] = opts.profileCredentialsFile.profileName;
+	}
 	Object.assign(finalEnv, container.environment);
 	for (const s of secrets) finalEnv[s.name] = s.value;
 	const overrides = opts.envOverrides;
@@ -57240,6 +57332,7 @@ async function localRunTaskCommand(target, options) {
 	let sigintHandler;
 	let sigintCount = 0;
 	let stateProvider;
+	let profileCredsFile;
 	let cleanupPromise;
 	const cleanup = async () => {
 		if (!cleanupPromise) cleanupPromise = (async () => {
@@ -57248,6 +57341,11 @@ async function localRunTaskCommand(target, options) {
 			} catch (err) {
 				getLogger().debug(`cleanup failed: ${err instanceof Error ? err.message : String(err)}`);
 			}
+			if (profileCredsFile) try {
+				await profileCredsFile.dispose();
+			} catch (err) {
+				getLogger().debug(`Failed to remove profile credentials tmpdir ${profileCredsFile.hostPath}: ${err instanceof Error ? err.message : String(err)}`);
+			}
 		})();
 		await cleanupPromise;
 	};
@@ -57309,6 +57407,7 @@ async function localRunTaskCommand(target, options) {
 			assumedCredentials = await assumeTaskRole$1(resolvedRoleArn, options.region);
 		}
 		const sidecarCredentials = await resolveSidecarCredentials(options, assumedCredentials);
+		if (options.profile && sidecarCredentials && !assumedCredentials) profileCredsFile = await writeProfileCredentialsFile(options.profile, sidecarCredentials);
 		const envOverrides = readEnvOverridesFile$2(options.envVars);
 		const runOpts = {
 			cluster: options.cluster,
@@ -57323,6 +57422,11 @@ async function localRunTaskCommand(target, options) {
 		if (options.platform) runOpts.platformOverride = options.platform;
 		if (options.region) runOpts.region = options.region;
 		if (options.ecrRoleArn) runOpts.ecrRoleArn = options.ecrRoleArn;
+		if (profileCredsFile) runOpts.profileCredentialsFile = {
+			hostPath: profileCredsFile.hostPath,
+			containerPath: profileCredsFile.containerPath,
+			profileName: profileCredsFile.profileName
+		};
 		const result = await runEcsTask(task, runOpts, state);
 		if (options.detach) {
 			logger.info("Task containers started in detached mode; cdkd is exiting.");
@@ -58573,6 +58677,7 @@ async function localStartServiceCommand(targets, options) {
 	let sigintHandler;
 	let sigintCount = 0;
 	let sharedNetwork;
+	let profileCredsFile;
 	const cleanup = singleFlight(async () => {
 		await Promise.allSettled(perTarget.map(async (pt) => {
 			if (pt.controller) await pt.controller.shutdown();
@@ -58581,6 +58686,14 @@ async function localStartServiceCommand(targets, options) {
 				await Promise.allSettled(pt.runState.replicas.map((r) => cleanupEcsRun(r.state, { keepRunning: false }).catch(() => void 0)));
 			}
 		}));
+		if (profileCredsFile) {
+			try {
+				await profileCredsFile.dispose();
+			} catch (err) {
+				getLogger().warn(`Failed to remove profile credentials tmpdir ${profileCredsFile.hostPath}: ${err instanceof Error ? err.message : String(err)}`);
+			}
+			profileCredsFile = void 0;
+		}
 		if (sharedNetwork) {
 			try {
 				await destroyTaskNetwork(sharedNetwork);
@@ -58629,6 +58742,7 @@ async function localStartServiceCommand(targets, options) {
 		} catch (err) {
 			throw new LocalStartServiceError(`Failed to create shared service network: ${err instanceof Error ? err.message : String(err)}`);
 		}
+		if (options.profile && sidecarCredentials) profileCredsFile = await writeProfileCredentialsFile(options.profile, sidecarCredentials);
 		const discovery = {
 			registry,
 			cloudMapIndexByStack,
@@ -58645,7 +58759,7 @@ async function localStartServiceCommand(targets, options) {
 		};
 		process.on("SIGINT", sigintHandler);
 		process.on("SIGTERM", sigintHandler);
-		for (const pt of perTarget) pt.controller = await bootOneTarget(pt.target, pt.runState, stacks, options, discovery, skipPull);
+		for (const pt of perTarget) pt.controller = await bootOneTarget(pt.target, pt.runState, stacks, options, discovery, skipPull, profileCredsFile);
 		const summary = perTarget.map((pt) => `${pt.controller.service.serviceName} (${pt.controller.activeReplicaCount()} replica(s))`).join(", ");
 		logger.info(`Service(s) running: ${summary}. Press ^C to shut down.`);
 		await Promise.all(perTarget.map((pt) => pt.controller.waitForShutdown()));
@@ -58663,16 +58777,16 @@ async function localStartServiceCommand(targets, options) {
 * options) is scoped locally. Returns the started controller for the
 * outer code to wait + tear down.
 */
-async function bootOneTarget(target, runState, stacks, options, discovery, skipPull) {
+async function bootOneTarget(target, runState, stacks, options, discovery, skipPull, profileCredsFile) {
 	const candidate = pickCandidateStack(parseEcsTarget(target).stackPattern, stacks);
 	const stateProvider = createLocalStateProvider(options, candidate?.stackName ?? "", candidate?.region);
 	try {
-		return await runOneTarget(target, runState, stacks, options, discovery, skipPull, stateProvider);
+		return await runOneTarget(target, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile);
 	} finally {
 		if (stateProvider) stateProvider.dispose();
 	}
 }
-async function runOneTarget(target, runState, stacks, options, discovery, skipPull, stateProvider) {
+async function runOneTarget(target, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile) {
 	const logger = getLogger();
 	const imageContext = await buildEcsImageResolutionContext(target, stacks, options, stateProvider);
 	const service = resolveEcsServiceTarget(target, stacks, imageContext);
@@ -58718,6 +58832,11 @@ async function runOneTarget(target, runState, stacks, options, discovery, skipPu
 	if (options.platform) taskOpts.platformOverride = options.platform;
 	if (options.region) taskOpts.region = options.region;
 	if (options.ecrRoleArn) taskOpts.ecrRoleArn = options.ecrRoleArn;
+	if (profileCredsFile && !assumedCredentials) taskOpts.profileCredentialsFile = {
+		hostPath: profileCredsFile.hostPath,
+		containerPath: profileCredsFile.containerPath,
+		profileName: profileCredsFile.profileName
+	};
 	return startEcsService(service, {
 		maxTasks: options.maxTasks,
 		restartPolicy: options.restartPolicy,
@@ -58928,6 +59047,7 @@ async function localInvokeCommand(target, options) {
 	let containerId;
 	let stopLogs;
 	let sigintHandler;
+	let profileCredsFile;
 	/**
 	* Unified cleanup for both the success / failure unwind path AND the
 	* SIGINT handler. Idempotent — every step guards on its own undefined
@@ -58976,6 +59096,11 @@ async function localInvokeCommand(target, options) {
 		} catch (err) {
 			getLogger().debug(`Failed to remove ARN-layer tmpdir ${dir}: ${err instanceof Error ? err.message : String(err)}`);
 		}
+		if (profileCredsFile) try {
+			await profileCredsFile.dispose();
+		} catch (err) {
+			getLogger().debug(`Failed to remove profile credentials tmpdir ${profileCredsFile.hostPath}: ${err instanceof Error ? err.message : String(err)}`);
+		}
 	}, (err) => {
 		getLogger().debug(`cleanup failed: ${err instanceof Error ? err.message : String(err)}`);
 	});
@@ -58986,6 +59111,7 @@ async function localInvokeCommand(target, options) {
 		});
 		await ensureDockerAvailable();
 		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
+		if (options.profile && profileCredentials) profileCredsFile = await writeProfileCredentialsFile(options.profile, profileCredentials);
 		const appCmd = resolveApp(options.app);
 		if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKD_APP, or add \"app\" to cdk.json.");
 		logger.info("Synthesizing CDK app...");
@@ -59086,6 +59212,10 @@ async function localInvokeCommand(target, options) {
 		if (!assumeSucceeded) {
 			forwardAwsEnv(dockerEnv);
 			applyProfileCredentialsOverlay(dockerEnv, profileCredentials, false);
+			if (profileCredsFile) {
+				dockerEnv["AWS_SHARED_CREDENTIALS_FILE"] = profileCredsFile.containerPath;
+				dockerEnv["AWS_PROFILE"] = profileCredsFile.profileName;
+			}
 		}
 		let debugPort;
 		if (options.debugPort) {
@@ -59098,10 +59228,15 @@ async function localInvokeCommand(target, options) {
 		const containerHost = options.containerHost;
 		if (lambda.layers.length > 0) logger.info(`Mounting ${lambda.layers.length} Lambda layer${lambda.layers.length === 1 ? "" : "s"} at /opt`);
 		logger.info(`Starting container (image=${imagePlan.image}, port=${hostPort})...`);
+		const extraMountsWithProfile = profileCredsFile ? [...imagePlan.extraMounts ?? [], {
+			hostPath: profileCredsFile.hostPath,
+			containerPath: profileCredsFile.containerPath,
+			readOnly: true
+		}] : imagePlan.extraMounts;
 		containerId = await runDetached({
 			image: imagePlan.image,
 			mounts: imagePlan.mounts,
-			extraMounts: imagePlan.extraMounts,
+			extraMounts: extraMountsWithProfile,
 			env: dockerEnv,
 			cmd: imagePlan.cmd,
 			hostPort,
@@ -60780,7 +60915,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.167.1");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.167.3");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());