@go-to-k/cdkd 0.171.0 → 0.173.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as StackHasActiveImportsError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError$1, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveApp } from "./deploy-engine-BqNTKqFf.js";
+import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as StackHasActiveImportsError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError$1, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveApp } from "./deploy-engine-BfRlYX17.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-B15NAPbL.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
@@ -11,7 +11,7 @@ import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesComman
 import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand as GetPolicyCommand$1, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifyInstanceAttributeCommand, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
-import { CreateTableCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
+import { CreateTableCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateContinuousBackupsCommand, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, DescribeStackEventsCommand, DescribeStackResourcesCommand, DescribeStacksCommand, DescribeTypeCommand, ExecuteChangeSetCommand, GetTemplateCommand, UpdateStackCommand, waitUntilChangeSetCreateComplete, waitUntilStackDeleteComplete, waitUntilStackImportComplete, waitUntilStackUpdateComplete } from "@aws-sdk/client-cloudformation";
 import { APIGatewayClient, CreateAuthorizerCommand, CreateDeploymentCommand, CreateResourceCommand, CreateStageCommand, DeleteAuthorizerCommand, DeleteDeploymentCommand, DeleteMethodCommand, DeleteResourceCommand, DeleteStageCommand, GetAccountCommand, GetAuthorizerCommand, GetDeploymentCommand, GetMethodCommand, GetResourceCommand, GetStageCommand, NotFoundException as NotFoundException$1, PutIntegrationCommand, PutIntegrationResponseCommand, PutMethodCommand, PutMethodResponseCommand, TagResourceCommand as TagResourceCommand$3, UntagResourceCommand as UntagResourceCommand$3, UpdateAccountCommand, UpdateAuthorizerCommand, UpdateMethodCommand, UpdateStageCommand } from "@aws-sdk/client-api-gateway";
 import { CreateEventBusCommand, DeleteEventBusCommand, DeleteRuleCommand, DescribeEventBusCommand, DescribeRuleCommand, EventBridgeClient, ListEventBusesCommand, ListRulesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$1, ListTargetsByRuleCommand, PutRuleCommand, PutTargetsCommand, RemoveTargetsCommand, ResourceNotFoundException as ResourceNotFoundException$2, TagResourceCommand as TagResourceCommand$4, UntagResourceCommand as UntagResourceCommand$4, UpdateEventBusCommand } from "@aws-sdk/client-eventbridge";
@@ -414,12 +414,12 @@ const RESOURCE_PROPERTY_FORMAT = /^[A-Z][A-Za-z0-9]+(::[A-Z][A-Za-z0-9]+)+:[A-Z]
 function parseAllowUnsupportedPropertiesToken(value, previous) {
 	const parsed = value.split(",").map((s) => s.trim()).filter(Boolean);
 	for (const token of parsed) {
-		if (!RESOURCE_PROPERTY_FORMAT.test(token)) throw new Error(`Invalid --allow-unsupported-properties value "${token}": expected <ResourceType>:<PropertyName> with PascalCase on both halves (e.g. AWS::Lambda::Function:LoggingConfig).`);
+		if (!RESOURCE_PROPERTY_FORMAT.test(token)) throw new Error(`Invalid --allow-unsupported-properties value "${token}": expected <ResourceType>:<PropertyName> with PascalCase on both halves (e.g. AWS::Lambda::Function:RecursiveLoop).`);
 		if (token.startsWith("Custom::")) throw new Error(`Invalid --allow-unsupported-properties value "${token}": Custom:: resources are routed through cfn-response and have no write-side silent drop at cdkd, so the flag would have no effect. Use --allow-unsupported-types for type-level escape hatches instead.`);
 	}
 	return [...previous ?? [], ...parsed];
 }
-const allowUnsupportedPropertiesOption = new Option("--allow-unsupported-properties <entries>", "Comma-separated <ResourceType>:<PropertyName> tokens to accept as silently dropped at deploy time. Escape hatch — the property will NOT be written to AWS, the deployed resource will be missing the field. Example: --allow-unsupported-properties AWS::Lambda::Function:LoggingConfig,AWS::RDS::DBInstance:CACertificateIdentifier").argParser(parseAllowUnsupportedPropertiesToken);
+const allowUnsupportedPropertiesOption = new Option("--allow-unsupported-properties <entries>", "Comma-separated <ResourceType>:<PropertyName> tokens to accept as silently dropped at deploy time. Escape hatch — the property will NOT be written to AWS, the deployed resource will be missing the field. Example: --allow-unsupported-properties AWS::Lambda::Function:RecursiveLoop,AWS::RDS::DBInstance:CACertificateIdentifier").argParser(parseAllowUnsupportedPropertiesToken);
 /**
 * Issue [#615] — `--recreate-via-cc-api <LogicalId>` (repeatable). Each
 * named resource is destroyed + recreated this deploy via Cloud Control
@@ -1088,8 +1088,8 @@ function renderStatefulReason(reason) {
 *      this is a structural limitation, not a data-loss footgun.
 *
 * Plus one cross-flag invariant: `--recreate-via-cc-api MyLambda`
-* combined with `--allow-unsupported-properties AWS::Lambda::Function:LoggingConfig`
-* on a resource whose template carries `LoggingConfig` is **ambiguous
+* combined with `--allow-unsupported-properties AWS::Lambda::Function:RecursiveLoop`
+* on a resource whose template carries `RecursiveLoop` is **ambiguous
 * intent** — does the user want SDK + silent drop, or CC migration?
 * Fail fast and let the user pick one strategy per resource.
 */
@@ -6992,7 +6992,8 @@ var LambdaFunctionProvider = class {
 		"KmsKeyArn",
 		"FileSystemConfigs",
 		"ImageConfig",
-		"SnapStart"
+		"SnapStart",
+		"LoggingConfig"
 	])]]);
 	eniWaitTimeoutMs = 600 * 1e3;
 	eniWaitInitialDelayMs = 1e4;
@@ -7044,6 +7045,7 @@ var LambdaFunctionProvider = class {
 				FileSystemConfigs: properties["FileSystemConfigs"],
 				ImageConfig: properties["ImageConfig"],
 				SnapStart: properties["SnapStart"],
+				LoggingConfig: properties["LoggingConfig"],
 				Tags: tags
 			};
 			const response = await this.lambdaClient.send(new CreateFunctionCommand(createParams));
@@ -7082,7 +7084,8 @@ var LambdaFunctionProvider = class {
 				"KmsKeyArn",
 				"FileSystemConfigs",
 				"ImageConfig",
-				"SnapStart"
+				"SnapStart",
+				"LoggingConfig"
 			];
 			let hasConfigChanges = false;
 			for (const field of configFields) if (JSON.stringify(properties[field]) !== JSON.stringify(previousProperties[field])) {
@@ -7107,7 +7110,8 @@ var LambdaFunctionProvider = class {
 					KMSKeyArn: this.clearOnUpdateRemoval(properties["KmsKeyArn"], previousProperties["KmsKeyArn"], ""),
 					FileSystemConfigs: this.clearOnUpdateRemoval(properties["FileSystemConfigs"], previousProperties["FileSystemConfigs"], []),
 					ImageConfig: this.clearOnUpdateRemoval(properties["ImageConfig"], previousProperties["ImageConfig"], {}),
-					SnapStart: this.clearOnUpdateRemoval(properties["SnapStart"], previousProperties["SnapStart"], { ApplyOn: "None" })
+					SnapStart: this.clearOnUpdateRemoval(properties["SnapStart"], previousProperties["SnapStart"], { ApplyOn: "None" }),
+					LoggingConfig: this.clearOnUpdateRemoval(properties["LoggingConfig"], previousProperties["LoggingConfig"], { LogFormat: "Text" })
 				};
 				await this.lambdaClient.send(new UpdateFunctionConfigurationCommand(configParams));
 				this.logger.debug(`Updated configuration for Lambda function ${physicalId}`);
@@ -7573,8 +7577,9 @@ var LambdaFunctionProvider = class {
 	* `create()` accepts (`Runtime`, `Handler`, `Role`, `Timeout`, `MemorySize`,
 	* `Description`, `Environment`, `Layers`, `Architectures`, `PackageType`,
 	* `TracingConfig`, `EphemeralStorage`, `VpcConfig`, `DeadLetterConfig`,
-	* `KmsKeyArn`, `FileSystemConfigs`, `ImageConfig`, `SnapStart`, plus the
-	* physical `FunctionName`). The drift comparator only descends into keys
+	* `KmsKeyArn`, `FileSystemConfigs`, `ImageConfig`, `SnapStart`,
+	* `LoggingConfig`, plus the physical `FunctionName`). The drift comparator
+	* only descends into keys
 	* present in
 	* cdkd state, so AWS-managed fields (timestamps, FunctionArn, RevisionId,
 	* etc.) are filtered at compare time — we still avoid serializing them on
@@ -7639,6 +7644,13 @@ var LambdaFunctionProvider = class {
 				if (Object.keys(ic).length > 0) result["ImageConfig"] = ic;
 			}
 			if (cfg.SnapStart?.ApplyOn !== void 0) result["SnapStart"] = { ApplyOn: cfg.SnapStart.ApplyOn };
+			if (cfg.LoggingConfig?.LogFormat !== void 0) {
+				const lc = { LogFormat: cfg.LoggingConfig.LogFormat };
+				if (cfg.LoggingConfig.ApplicationLogLevel !== void 0) lc["ApplicationLogLevel"] = cfg.LoggingConfig.ApplicationLogLevel;
+				if (cfg.LoggingConfig.SystemLogLevel !== void 0) lc["SystemLogLevel"] = cfg.LoggingConfig.SystemLogLevel;
+				if (cfg.LoggingConfig.LogGroup !== void 0) lc["LogGroup"] = cfg.LoggingConfig.LogGroup;
+				result["LoggingConfig"] = lc;
+			}
 			result["Tags"] = normalizeAwsTagsToCfn(resp.Tags);
 			return result;
 		} catch (err) {
@@ -8697,7 +8709,9 @@ var DynamoDBTableProvider = class {
 		"SSESpecification",
 		"Tags",
 		"DeletionProtectionEnabled",
-		"TableClass"
+		"TableClass",
+		"PointInTimeRecoverySpecification",
+		"TimeToLiveSpecification"
 	])]]);
 	constructor() {
 		const awsClients = getAwsClients();
@@ -8713,6 +8727,7 @@ var DynamoDBTableProvider = class {
 		const attributeDefinitions = properties["AttributeDefinitions"];
 		if (!keySchema) throw new ProvisioningError(`KeySchema is required for DynamoDB table ${logicalId}`, resourceType, logicalId);
 		if (!attributeDefinitions) throw new ProvisioningError(`AttributeDefinitions is required for DynamoDB table ${logicalId}`, resourceType, logicalId);
+		let tableCreated = false;
 		try {
 			const billingMode = properties["BillingMode"] || "PROVISIONED";
 			const createParams = {
@@ -8739,8 +8754,11 @@ var DynamoDBTableProvider = class {
 			if (properties["DeletionProtectionEnabled"] !== void 0) createParams.DeletionProtectionEnabled = properties["DeletionProtectionEnabled"];
 			if (properties["TableClass"]) createParams.TableClass = properties["TableClass"];
 			await this.dynamoDBClient.send(new CreateTableCommand(createParams));
+			tableCreated = true;
 			this.logger.debug(`CreateTable initiated for ${tableName}, waiting for ACTIVE status`);
 			const tableInfo = await this.waitForTableActive(tableName);
+			await this.applyPointInTimeRecovery(tableName, properties["PointInTimeRecoverySpecification"]);
+			await this.applyTimeToLive(tableName, properties["TimeToLiveSpecification"]);
 			this.logger.debug(`Successfully created DynamoDB table ${logicalId}: ${tableName}`);
 			return {
 				physicalId: tableName,
@@ -8752,6 +8770,12 @@ var DynamoDBTableProvider = class {
 				}
 			};
 		} catch (error) {
+			if (tableCreated) try {
+				await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: tableName }));
+				this.logger.debug(`Rolled back partially-created DynamoDB table ${tableName}`);
+			} catch (cleanupError) {
+				this.logger.warn(`Failed to roll back partially-created DynamoDB table ${tableName}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`);
+			}
 			if (error instanceof ProvisioningError) throw error;
 			const cause = error instanceof Error ? error : void 0;
 			throw new ProvisioningError(`Failed to create DynamoDB table ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, tableName, cause);
@@ -8769,6 +8793,8 @@ var DynamoDBTableProvider = class {
 		try {
 			const table = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }))).Table;
 			if (table?.TableArn) await this.applyTagDiff(table.TableArn, previousProperties["Tags"], properties["Tags"]);
+			if (JSON.stringify(properties["PointInTimeRecoverySpecification"]) !== JSON.stringify(previousProperties["PointInTimeRecoverySpecification"])) await this.applyPointInTimeRecovery(physicalId, properties["PointInTimeRecoverySpecification"], previousProperties["PointInTimeRecoverySpecification"]);
+			if (JSON.stringify(properties["TimeToLiveSpecification"]) !== JSON.stringify(previousProperties["TimeToLiveSpecification"])) await this.applyTimeToLive(physicalId, properties["TimeToLiveSpecification"], previousProperties["TimeToLiveSpecification"]);
 			return {
 				physicalId,
 				wasReplaced: false,
@@ -8852,6 +8878,97 @@ var DynamoDBTableProvider = class {
 		}
 	}
 	/**
+	* Apply the table's `PointInTimeRecoverySpecification` via the separate
+	* `UpdateContinuousBackups` API (PITR does NOT ride on CreateTable).
+	*
+	* CFn shape is `{ PointInTimeRecoveryEnabled: boolean, RecoveryPeriodInDays?: number }`.
+	* Called from both `create()` (after the table is ACTIVE) and `update()`
+	* (only when the value changed). On `update()`-side removal — when the
+	* template drops the block but it was present before — we explicitly
+	* disable PITR (`UpdateContinuousBackups` treats an absent spec as "no
+	* change", so a dropped block must be turned into an explicit
+	* `PointInTimeRecoveryEnabled: false`).
+	*/
+	async applyPointInTimeRecovery(tableName, spec, previousSpec) {
+		let enabled;
+		let recoveryPeriodInDays;
+		if (spec !== void 0 && spec !== null) {
+			const s = spec;
+			enabled = Boolean(s["PointInTimeRecoveryEnabled"]);
+			if (enabled && s["RecoveryPeriodInDays"] !== void 0) recoveryPeriodInDays = Number(s["RecoveryPeriodInDays"]);
+		} else if (previousSpec !== void 0 && previousSpec !== null) enabled = false;
+		if (enabled === void 0) return;
+		const pitrSpec = { PointInTimeRecoveryEnabled: enabled };
+		if (recoveryPeriodInDays !== void 0) pitrSpec.RecoveryPeriodInDays = recoveryPeriodInDays;
+		await this.retryOnTransientControlPlane(() => this.dynamoDBClient.send(new UpdateContinuousBackupsCommand({
+			TableName: tableName,
+			PointInTimeRecoverySpecification: pitrSpec
+		})), `enable PITR on ${tableName}`);
+		this.logger.debug(`Set PointInTimeRecoveryEnabled=${enabled}${recoveryPeriodInDays !== void 0 ? ` RecoveryPeriodInDays=${recoveryPeriodInDays}` : ""} on DynamoDB table ${tableName}`);
+	}
+	/**
+	* Retry a DynamoDB control-plane call on the transient "settling" errors AWS
+	* returns when two table-modifying operations land back-to-back. Enabling
+	* PITR (`UpdateContinuousBackups`) puts the table in a transient state, and a
+	* subsequent `UpdateTimeToLive` is then rejected with "Backups are being
+	* enabled for the table ... Please retry later". `ResourceInUseException`
+	* ("table is being updated") and `LimitExceededException` are the same class.
+	* Backoff: ~2s,4s,8s,16s,30s,30s... bounded to ~2min total, which comfortably
+	* covers the few-second PITR-enable window.
+	*/
+	async retryOnTransientControlPlane(op, label, maxAttempts = 8) {
+		let delayMs = 2e3;
+		for (let attempt = 1;; attempt++) try {
+			return await op();
+		} catch (error) {
+			const msg = error instanceof Error ? error.message : String(error);
+			const name = error instanceof Error ? error.name : "";
+			if (!(/being enabled|being updated|please retry later|backups are being/i.test(msg) || name === "ResourceInUseException" || name === "LimitExceededException") || attempt >= maxAttempts) throw error;
+			this.logger.debug(`Transient error on "${label}" (attempt ${attempt}/${maxAttempts}): ${msg} — retrying in ${delayMs}ms`);
+			await new Promise((resolve) => setTimeout(resolve, delayMs));
+			delayMs = Math.min(delayMs * 2, 3e4);
+		}
+	}
+	/**
+	* Apply the table's `TimeToLiveSpecification` via the separate
+	* `UpdateTimeToLive` API (TTL does NOT ride on CreateTable).
+	*
+	* CFn shape is `{ AttributeName: string, Enabled: boolean }`. Called from
+	* both `create()` (after the table is ACTIVE) and `update()` (only when the
+	* value changed). On `update()`-side removal — when the template drops the
+	* block but it was present before — we disable TTL using the PREVIOUS
+	* `AttributeName` (AWS requires the attribute name even to disable TTL).
+	*/
+	async applyTimeToLive(tableName, spec, previousSpec) {
+		if (spec !== void 0 && spec !== null) {
+			const s = spec;
+			const attributeName = s["AttributeName"];
+			if (!attributeName) return;
+			const enabled = s["Enabled"] !== void 0 ? Boolean(s["Enabled"]) : true;
+			await this.retryOnTransientControlPlane(() => this.dynamoDBClient.send(new UpdateTimeToLiveCommand({
+				TableName: tableName,
+				TimeToLiveSpecification: {
+					Enabled: enabled,
+					AttributeName: attributeName
+				}
+			})), `set TTL on ${tableName}`);
+			this.logger.debug(`Set TimeToLive Enabled=${enabled} AttributeName=${attributeName} on DynamoDB table ${tableName}`);
+			return;
+		}
+		if (previousSpec !== void 0 && previousSpec !== null) {
+			const prevAttributeName = previousSpec["AttributeName"];
+			if (!prevAttributeName) return;
+			await this.retryOnTransientControlPlane(() => this.dynamoDBClient.send(new UpdateTimeToLiveCommand({
+				TableName: tableName,
+				TimeToLiveSpecification: {
+					Enabled: false,
+					AttributeName: prevAttributeName
+				}
+			})), `disable TTL on ${tableName}`);
+			this.logger.debug(`Disabled TimeToLive (AttributeName=${prevAttributeName}) on DynamoDB table ${tableName}`);
+		}
+	}
+	/**
 	* Poll DescribeTable until the table reaches ACTIVE status
 	*
 	* Uses a tight polling loop (1s intervals) instead of CC API's exponential
@@ -8970,6 +9087,26 @@ var DynamoDBTableProvider = class {
 				if (err instanceof ResourceNotFoundException$1) return void 0;
 				throw err;
 			}
+			try {
+				const pitrDesc = (await this.dynamoDBClient.send(new DescribeContinuousBackupsCommand({ TableName: physicalId }))).ContinuousBackupsDescription?.PointInTimeRecoveryDescription;
+				const pitrStatus = pitrDesc?.PointInTimeRecoveryStatus;
+				if (pitrStatus) {
+					const pitr = { PointInTimeRecoveryEnabled: pitrStatus === "ENABLED" };
+					if (pitrStatus === "ENABLED" && pitrDesc?.RecoveryPeriodInDays !== void 0) pitr["RecoveryPeriodInDays"] = pitrDesc.RecoveryPeriodInDays;
+					result["PointInTimeRecoverySpecification"] = pitr;
+				}
+			} catch (err) {
+				this.logger.debug(`Could not read PointInTimeRecovery for ${physicalId}: ${err instanceof Error ? err.message : String(err)}`);
+			}
+			try {
+				const ttlDesc = (await this.dynamoDBClient.send(new DescribeTimeToLiveCommand({ TableName: physicalId }))).TimeToLiveDescription;
+				if (ttlDesc?.TimeToLiveStatus === "ENABLED" && ttlDesc.AttributeName) result["TimeToLiveSpecification"] = {
+					AttributeName: ttlDesc.AttributeName,
+					Enabled: true
+				};
+			} catch (err) {
+				this.logger.debug(`Could not read TimeToLive for ${physicalId}: ${err instanceof Error ? err.message : String(err)}`);
+			}
 			return result;
 		} catch (err) {
 			if (err instanceof ResourceNotFoundException$1) return void 0;
@@ -35145,7 +35282,7 @@ const EMPTY_ALLOW_SET = /* @__PURE__ */ new Set();
 *
 *  - **Fresh hits**: a resource whose template uses one or more
 *    silent-drop top-level CFn properties. Annotation value is the list
-*    of property names (e.g. `LoggingConfig`).
+*    of property names (e.g. `RecursiveLoop`).
 *  - **Sticky hits**: a resource whose deployed state records
 *    `provisionedBy: 'cc-api'` (from a prior deploy) even when the
 *    current template's silent-drop set is empty. Annotation value is
@@ -51125,7 +51262,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.171.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.173.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());