@go-to-k/cdkd 0.172.0 → 0.174.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as StackHasActiveImportsError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError$1, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveApp } from "./deploy-engine-ZV67Rszk.js";
+import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as StackHasActiveImportsError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError$1, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveApp } from "./deploy-engine-D5QbP-ot.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-B15NAPbL.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
@@ -414,12 +414,12 @@ const RESOURCE_PROPERTY_FORMAT = /^[A-Z][A-Za-z0-9]+(::[A-Z][A-Za-z0-9]+)+:[A-Z]
 function parseAllowUnsupportedPropertiesToken(value, previous) {
 	const parsed = value.split(",").map((s) => s.trim()).filter(Boolean);
 	for (const token of parsed) {
-		if (!RESOURCE_PROPERTY_FORMAT.test(token)) throw new Error(`Invalid --allow-unsupported-properties value "${token}": expected <ResourceType>:<PropertyName> with PascalCase on both halves (e.g. AWS::Lambda::Function:LoggingConfig).`);
+		if (!RESOURCE_PROPERTY_FORMAT.test(token)) throw new Error(`Invalid --allow-unsupported-properties value "${token}": expected <ResourceType>:<PropertyName> with PascalCase on both halves (e.g. AWS::Lambda::Function:RecursiveLoop).`);
 		if (token.startsWith("Custom::")) throw new Error(`Invalid --allow-unsupported-properties value "${token}": Custom:: resources are routed through cfn-response and have no write-side silent drop at cdkd, so the flag would have no effect. Use --allow-unsupported-types for type-level escape hatches instead.`);
 	}
 	return [...previous ?? [], ...parsed];
 }
-const allowUnsupportedPropertiesOption = new Option("--allow-unsupported-properties <entries>", "Comma-separated <ResourceType>:<PropertyName> tokens to accept as silently dropped at deploy time. Escape hatch — the property will NOT be written to AWS, the deployed resource will be missing the field. Example: --allow-unsupported-properties AWS::Lambda::Function:LoggingConfig,AWS::RDS::DBInstance:CACertificateIdentifier").argParser(parseAllowUnsupportedPropertiesToken);
+const allowUnsupportedPropertiesOption = new Option("--allow-unsupported-properties <entries>", "Comma-separated <ResourceType>:<PropertyName> tokens to accept as silently dropped at deploy time. Escape hatch — the property will NOT be written to AWS, the deployed resource will be missing the field. Example: --allow-unsupported-properties AWS::Lambda::Function:RecursiveLoop,AWS::RDS::DBInstance:CACertificateIdentifier").argParser(parseAllowUnsupportedPropertiesToken);
 /**
 * Issue [#615] — `--recreate-via-cc-api <LogicalId>` (repeatable). Each
 * named resource is destroyed + recreated this deploy via Cloud Control
@@ -1088,8 +1088,8 @@ function renderStatefulReason(reason) {
 *      this is a structural limitation, not a data-loss footgun.
 *
 * Plus one cross-flag invariant: `--recreate-via-cc-api MyLambda`
-* combined with `--allow-unsupported-properties AWS::Lambda::Function:LoggingConfig`
-* on a resource whose template carries `LoggingConfig` is **ambiguous
+* combined with `--allow-unsupported-properties AWS::Lambda::Function:RecursiveLoop`
+* on a resource whose template carries `RecursiveLoop` is **ambiguous
 * intent** — does the user want SDK + silent drop, or CC migration?
 * Fail fast and let the user pick one strategy per resource.
 */
@@ -5512,6 +5512,24 @@ function serializeRedrivePolicy(value) {
 	return JSON.stringify(value);
 }
 /**
+* Serialise a CFn-shape `RedriveAllowPolicy` to the string form
+* `SetQueueAttributes` / `CreateQueue` expect.
+*
+* In CloudFormation `RedriveAllowPolicy` is a JSON object (e.g.
+* `{ redrivePermission: 'allowAll' }`); the SQS API expects it as a JSON
+* string, exactly like `RedrivePolicy`. Unlike `serializeRedrivePolicy`,
+* this does NOT collapse an empty object to `""` — that quirk is specific
+* to `RedrivePolicy`, whose empty-object placeholder `readCurrentState`
+* always-emits and which AWS rejects when round-tripped as `"{}"`.
+* `RedriveAllowPolicy` has no such placeholder (it is emitted only when
+* AWS returns it), so an object is JSON-stringified verbatim and a string
+* passes through unchanged.
+*/
+function serializeRedriveAllowPolicy(value) {
+	if (typeof value === "string") return value;
+	return JSON.stringify(value);
+}
+/**
 * CDK property name to SQS attribute name mapping
 */
 const CDK_TO_SQS_ATTRIBUTES = {
@@ -5521,6 +5539,7 @@ const CDK_TO_SQS_ATTRIBUTES = {
 	DelaySeconds: "DelaySeconds",
 	ReceiveMessageWaitTimeSeconds: "ReceiveMessageWaitTimeSeconds",
 	RedrivePolicy: "RedrivePolicy",
+	RedriveAllowPolicy: "RedriveAllowPolicy",
 	FifoQueue: "FifoQueue",
 	ContentBasedDeduplication: "ContentBasedDeduplication",
 	KmsMasterKeyId: "KmsMasterKeyId",
@@ -5549,6 +5568,7 @@ var SQSQueueProvider = class {
 		"DelaySeconds",
 		"ReceiveMessageWaitTimeSeconds",
 		"RedrivePolicy",
+		"RedriveAllowPolicy",
 		"FifoQueue",
 		"ContentBasedDeduplication",
 		"KmsMasterKeyId",
@@ -5574,6 +5594,7 @@ var SQSQueueProvider = class {
 			for (const [cdkKey, sqsKey] of Object.entries(CDK_TO_SQS_ATTRIBUTES)) if (properties[cdkKey] !== void 0) {
 				const value = properties[cdkKey];
 				if (cdkKey === "RedrivePolicy" && typeof value === "object") attributes[sqsKey] = serializeRedrivePolicy(value);
+				else if (cdkKey === "RedriveAllowPolicy") attributes[sqsKey] = serializeRedriveAllowPolicy(value);
 				else attributes[sqsKey] = stringifyValue(value);
 			}
 			const tags = {};
@@ -5613,6 +5634,7 @@ var SQSQueueProvider = class {
 				if (properties[cdkKey] !== void 0) {
 					const value = properties[cdkKey];
 					if (cdkKey === "RedrivePolicy" && typeof value === "object") attributes[sqsKey] = serializeRedrivePolicy(value);
+					else if (cdkKey === "RedriveAllowPolicy") attributes[sqsKey] = serializeRedriveAllowPolicy(value);
 					else attributes[sqsKey] = stringifyValue(value);
 				}
 			}
@@ -5802,6 +5824,11 @@ var SQSQueueProvider = class {
 			result["RedrivePolicy"] = attributes["RedrivePolicy"];
 		}
 		else result["RedrivePolicy"] = {};
+		if (attributes["RedriveAllowPolicy"]) try {
+			result["RedriveAllowPolicy"] = JSON.parse(attributes["RedriveAllowPolicy"]);
+		} catch {
+			result["RedriveAllowPolicy"] = attributes["RedriveAllowPolicy"];
+		}
 		try {
 			result["Tags"] = normalizeAwsTagsToCfn((await this.sqsClient.send(new ListQueueTagsCommand({ QueueUrl: physicalId }))).Tags);
 		} catch (err) {
@@ -6590,7 +6617,13 @@ var SNSSubscriptionProvider = class {
 		"TopicArn",
 		"Protocol",
 		"Endpoint",
-		"FilterPolicy"
+		"FilterPolicy",
+		"FilterPolicyScope",
+		"RawMessageDelivery",
+		"RedrivePolicy",
+		"DeliveryPolicy",
+		"ReplayPolicy",
+		"SubscriptionRoleArn"
 	])]]);
 	unhandledByDesign = new Map([["AWS::SNS::Subscription", new Map([["Region", "CFn-only cross-region subscription hint; cdkd uses the SDK client region directly and has no per-resource region override"]])]]);
 	constructor() {
@@ -6612,6 +6645,18 @@ var SNSSubscriptionProvider = class {
 			const attributes = {};
 			const filterPolicy = properties["FilterPolicy"];
 			if (filterPolicy !== void 0) attributes["FilterPolicy"] = typeof filterPolicy === "string" ? filterPolicy : JSON.stringify(filterPolicy);
+			const filterPolicyScope = properties["FilterPolicyScope"];
+			if (filterPolicyScope !== void 0) attributes["FilterPolicyScope"] = stringifyValue(filterPolicyScope);
+			const rawMessageDelivery = properties["RawMessageDelivery"];
+			if (rawMessageDelivery !== void 0) attributes["RawMessageDelivery"] = stringifyValue(rawMessageDelivery);
+			const redrivePolicy = properties["RedrivePolicy"];
+			if (redrivePolicy !== void 0) attributes["RedrivePolicy"] = typeof redrivePolicy === "string" ? redrivePolicy : JSON.stringify(redrivePolicy);
+			const deliveryPolicy = properties["DeliveryPolicy"];
+			if (deliveryPolicy !== void 0) attributes["DeliveryPolicy"] = typeof deliveryPolicy === "string" ? deliveryPolicy : JSON.stringify(deliveryPolicy);
+			const replayPolicy = properties["ReplayPolicy"];
+			if (replayPolicy !== void 0) attributes["ReplayPolicy"] = typeof replayPolicy === "string" ? replayPolicy : JSON.stringify(replayPolicy);
+			const subscriptionRoleArn = properties["SubscriptionRoleArn"];
+			if (subscriptionRoleArn !== void 0) attributes["SubscriptionRoleArn"] = stringifyValue(subscriptionRoleArn);
 			const subscriptionArn = (await this.snsClient.send(new SubscribeCommand({
 				TopicArn: topicArn,
 				Protocol: protocol,
@@ -6699,6 +6744,20 @@ var SNSSubscriptionProvider = class {
 		} catch {
 			result["FilterPolicy"] = attributes["FilterPolicy"];
 		}
+		if (attributes["FilterPolicyScope"] !== void 0) result["FilterPolicyScope"] = attributes["FilterPolicyScope"];
+		if (attributes["SubscriptionRoleArn"] !== void 0) result["SubscriptionRoleArn"] = attributes["SubscriptionRoleArn"];
+		for (const key of [
+			"RedrivePolicy",
+			"DeliveryPolicy",
+			"ReplayPolicy"
+		]) {
+			const raw = attributes[key];
+			if (raw) try {
+				result[key] = JSON.parse(raw);
+			} catch {
+				result[key] = raw;
+			}
+		}
 		return result;
 	}
 	/**
@@ -6992,7 +7051,8 @@ var LambdaFunctionProvider = class {
 		"KmsKeyArn",
 		"FileSystemConfigs",
 		"ImageConfig",
-		"SnapStart"
+		"SnapStart",
+		"LoggingConfig"
 	])]]);
 	eniWaitTimeoutMs = 600 * 1e3;
 	eniWaitInitialDelayMs = 1e4;
@@ -7044,6 +7104,7 @@ var LambdaFunctionProvider = class {
 				FileSystemConfigs: properties["FileSystemConfigs"],
 				ImageConfig: properties["ImageConfig"],
 				SnapStart: properties["SnapStart"],
+				LoggingConfig: properties["LoggingConfig"],
 				Tags: tags
 			};
 			const response = await this.lambdaClient.send(new CreateFunctionCommand(createParams));
@@ -7082,7 +7143,8 @@ var LambdaFunctionProvider = class {
 				"KmsKeyArn",
 				"FileSystemConfigs",
 				"ImageConfig",
-				"SnapStart"
+				"SnapStart",
+				"LoggingConfig"
 			];
 			let hasConfigChanges = false;
 			for (const field of configFields) if (JSON.stringify(properties[field]) !== JSON.stringify(previousProperties[field])) {
@@ -7107,7 +7169,8 @@ var LambdaFunctionProvider = class {
 					KMSKeyArn: this.clearOnUpdateRemoval(properties["KmsKeyArn"], previousProperties["KmsKeyArn"], ""),
 					FileSystemConfigs: this.clearOnUpdateRemoval(properties["FileSystemConfigs"], previousProperties["FileSystemConfigs"], []),
 					ImageConfig: this.clearOnUpdateRemoval(properties["ImageConfig"], previousProperties["ImageConfig"], {}),
-					SnapStart: this.clearOnUpdateRemoval(properties["SnapStart"], previousProperties["SnapStart"], { ApplyOn: "None" })
+					SnapStart: this.clearOnUpdateRemoval(properties["SnapStart"], previousProperties["SnapStart"], { ApplyOn: "None" }),
+					LoggingConfig: this.clearOnUpdateRemoval(properties["LoggingConfig"], previousProperties["LoggingConfig"], { LogFormat: "Text" })
 				};
 				await this.lambdaClient.send(new UpdateFunctionConfigurationCommand(configParams));
 				this.logger.debug(`Updated configuration for Lambda function ${physicalId}`);
@@ -7573,8 +7636,9 @@ var LambdaFunctionProvider = class {
 	* `create()` accepts (`Runtime`, `Handler`, `Role`, `Timeout`, `MemorySize`,
 	* `Description`, `Environment`, `Layers`, `Architectures`, `PackageType`,
 	* `TracingConfig`, `EphemeralStorage`, `VpcConfig`, `DeadLetterConfig`,
-	* `KmsKeyArn`, `FileSystemConfigs`, `ImageConfig`, `SnapStart`, plus the
-	* physical `FunctionName`). The drift comparator only descends into keys
+	* `KmsKeyArn`, `FileSystemConfigs`, `ImageConfig`, `SnapStart`,
+	* `LoggingConfig`, plus the physical `FunctionName`). The drift comparator
+	* only descends into keys
 	* present in
 	* cdkd state, so AWS-managed fields (timestamps, FunctionArn, RevisionId,
 	* etc.) are filtered at compare time — we still avoid serializing them on
@@ -7639,6 +7703,13 @@ var LambdaFunctionProvider = class {
 				if (Object.keys(ic).length > 0) result["ImageConfig"] = ic;
 			}
 			if (cfg.SnapStart?.ApplyOn !== void 0) result["SnapStart"] = { ApplyOn: cfg.SnapStart.ApplyOn };
+			if (cfg.LoggingConfig?.LogFormat !== void 0) {
+				const lc = { LogFormat: cfg.LoggingConfig.LogFormat };
+				if (cfg.LoggingConfig.ApplicationLogLevel !== void 0) lc["ApplicationLogLevel"] = cfg.LoggingConfig.ApplicationLogLevel;
+				if (cfg.LoggingConfig.SystemLogLevel !== void 0) lc["SystemLogLevel"] = cfg.LoggingConfig.SystemLogLevel;
+				if (cfg.LoggingConfig.LogGroup !== void 0) lc["LogGroup"] = cfg.LoggingConfig.LogGroup;
+				result["LoggingConfig"] = lc;
+			}
 			result["Tags"] = normalizeAwsTagsToCfn(resp.Tags);
 			return result;
 		} catch (err) {
@@ -35270,7 +35341,7 @@ const EMPTY_ALLOW_SET = /* @__PURE__ */ new Set();
 *
 *  - **Fresh hits**: a resource whose template uses one or more
 *    silent-drop top-level CFn properties. Annotation value is the list
-*    of property names (e.g. `LoggingConfig`).
+*    of property names (e.g. `RecursiveLoop`).
 *  - **Sticky hits**: a resource whose deployed state records
 *    `provisionedBy: 'cc-api'` (from a prior deploy) even when the
 *    current template's silent-drop set is empty. Annotation value is
@@ -51250,7 +51321,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.172.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.174.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());