@go-to-k/cdkd 0.18.1 → 0.20.0

package/dist/cli.js

@@ -1155,11 +1155,11 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
     return syncResult;
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
-  const { GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
+  const { GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
   const { S3Client: S3Client11 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
-  const identity = await awsClients.sts.send(new GetCallerIdentityCommand9({}));
+  const identity = await awsClients.sts.send(new GetCallerIdentityCommand11({}));
   const accountId = identity.Account;
   const newName = getDefaultStateBucketName(accountId);
   const legacyName = getLegacyStateBucketName(accountId, region);
@@ -3431,9 +3431,9 @@ var AssetPublisher = class {
       const region = options.region || process.env["AWS_REGION"] || "us-east-1";
       let accountId = options.accountId;
       if (!accountId) {
-        const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
-        const stsClient = new STSClient7({ region });
-        const identity = await stsClient.send(new GetCallerIdentityCommand9({}));
+        const { STSClient: STSClient9, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+        const stsClient = new STSClient9({ region });
+        const identity = await stsClient.send(new GetCallerIdentityCommand11({}));
         accountId = identity.Account;
         stsClient.destroy();
       }
@@ -14229,7 +14229,8 @@ var LogsLogGroupProvider = class {
 import {
   PutMetricAlarmCommand,
   DeleteAlarmsCommand,
-  DescribeAlarmsCommand
+  DescribeAlarmsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand3
 } from "@aws-sdk/client-cloudwatch";
 init_aws_clients();
 var CloudWatchAlarmProvider = class {
@@ -14447,6 +14448,62 @@ var CloudWatchAlarmProvider = class {
     }
     return params;
   }
+  /**
+   * Adopt an existing CloudWatch alarm into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.AlarmName` → verify via `DescribeAlarms`.
+   *  2. `DescribeAlarms` paginated, then `ListTagsForResource(AlarmArn)` per
+   *     alarm to match `aws:cdk:path`.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "AlarmName");
+    if (explicit) {
+      try {
+        const resp = await this.cloudWatchClient.send(
+          new DescribeAlarmsCommand({ AlarmNames: [explicit] })
+        );
+        return resp.MetricAlarms?.[0] || resp.CompositeAlarms?.[0] ? { physicalId: explicit, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFound(err))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.cloudWatchClient.send(
+        new DescribeAlarmsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      const all = [...list.MetricAlarms ?? [], ...list.CompositeAlarms ?? []];
+      for (const a of all) {
+        if (!a.AlarmArn || !a.AlarmName)
+          continue;
+        try {
+          const tagsResp = await this.cloudWatchClient.send(
+            new ListTagsForResourceCommand3({ ResourceARN: a.AlarmArn })
+          );
+          if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+            return { physicalId: a.AlarmName, attributes: {} };
+          }
+        } catch (err) {
+          if (this.isNotFound(err))
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  isNotFound(err) {
+    if (!(err instanceof Error))
+      return false;
+    const name = err.name ?? "";
+    return name === "ResourceNotFoundException" || name === "ResourceNotFound";
+  }
 };
 
 // src/provisioning/providers/secretsmanager-secret-provider.ts
@@ -14780,7 +14837,7 @@ var SecretsManagerSecretProvider = class {
 import {
   DescribeParametersCommand,
   GetParameterCommand as GetParameterCommand3,
-  ListTagsForResourceCommand as ListTagsForResourceCommand3,
+  ListTagsForResourceCommand as ListTagsForResourceCommand4,
   PutParameterCommand,
   DeleteParameterCommand,
   AddTagsToResourceCommand,
@@ -15028,7 +15085,7 @@ var SSMParameterProvider = class {
           continue;
         try {
           const tagsResp = await this.ssmClient.send(
-            new ListTagsForResourceCommand3({ ResourceType: "Parameter", ResourceId: p.Name })
+            new ListTagsForResourceCommand4({ ResourceType: "Parameter", ResourceId: p.Name })
           );
           if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
             return { physicalId: p.Name, attributes: {} };
@@ -15052,7 +15109,9 @@ import {
   RemoveTargetsCommand,
   DeleteRuleCommand,
   DescribeRuleCommand,
+  ListRulesCommand,
   ListTargetsByRuleCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand5,
   TagResourceCommand as TagResourceCommand4,
   UntagResourceCommand as UntagResourceCommand4,
   ResourceNotFoundException as ResourceNotFoundException9
@@ -15320,6 +15379,85 @@ var EventBridgeRuleProvider = class {
     }
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::Events::Rule`);
   }
+  /**
+   * Adopt an existing EventBridge rule into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arnOrName>` override → verify with
+   *     `DescribeRule` (scoped to the same `EventBusName` declared in
+   *     the template, if any). The override is honored as-is so users
+   *     can pass either the ARN (cdkd's standard physicalId form for
+   *     this provider) or just the rule name.
+   *  2. If the template carries `Properties.Name` use that as the rule
+   *     name lookup, then verify with `DescribeRule` and return the
+   *     rule's ARN as physicalId.
+   *  3. Walk `ListRules(EventBusName?)` and match `aws:cdk:path` via
+   *     `ListTagsForResource(ResourceARN=rule.Arn)`. Returns the rule
+   *     ARN as physicalId — same shape that `create` returns.
+   *
+   * EventBridge tags use the standard `Tag[]` array shape
+   * (`Key`/`Value`).
+   */
+  async import(input) {
+    const eventBusName = input.properties["EventBusName"];
+    if (input.knownPhysicalId) {
+      try {
+        const ruleName = this.extractRuleNameFromArn(input.knownPhysicalId);
+        const resp = await this.eventBridgeClient.send(
+          new DescribeRuleCommand({
+            Name: ruleName,
+            ...eventBusName && { EventBusName: eventBusName }
+          })
+        );
+        return { physicalId: resp.Arn ?? input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException9)
+          return null;
+        throw err;
+      }
+    }
+    const templateName = input.properties["Name"];
+    if (templateName) {
+      try {
+        const resp = await this.eventBridgeClient.send(
+          new DescribeRuleCommand({
+            Name: templateName,
+            ...eventBusName && { EventBusName: eventBusName }
+          })
+        );
+        if (resp.Arn)
+          return { physicalId: resp.Arn, attributes: {} };
+        return null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException9)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.eventBridgeClient.send(
+        new ListRulesCommand({
+          ...eventBusName && { EventBusName: eventBusName },
+          ...nextToken && { NextToken: nextToken }
+        })
+      );
+      for (const rule of list.Rules ?? []) {
+        if (!rule.Arn)
+          continue;
+        const tagsResp = await this.eventBridgeClient.send(
+          new ListTagsForResourceCommand5({ ResourceARN: rule.Arn })
+        );
+        if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+          return { physicalId: rule.Arn, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
   /**
    * Extract rule name from an ARN
    *
@@ -15342,8 +15480,8 @@ import {
   UpdateEventBusCommand,
   DescribeEventBusCommand,
   ListEventBusesCommand,
-  ListRulesCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand4,
+  ListRulesCommand as ListRulesCommand2,
+  ListTagsForResourceCommand as ListTagsForResourceCommand6,
   RemoveTargetsCommand as RemoveTargetsCommand2,
   DeleteRuleCommand as DeleteRuleCommand2,
   ListTargetsByRuleCommand as ListTargetsByRuleCommand2,
@@ -15538,7 +15676,7 @@ var EventBridgeBusProvider = class {
   async cleanupRulesOnBus(busName) {
     try {
       const rulesResponse = await this.eventBridgeClient.send(
-        new ListRulesCommand({ EventBusName: busName })
+        new ListRulesCommand2({ EventBusName: busName })
       );
       const rules = rulesResponse.Rules ?? [];
       if (rules.length === 0)
@@ -15615,7 +15753,7 @@ var EventBridgeBusProvider = class {
           continue;
         try {
           const tagsResp = await this.eventBridgeClient.send(
-            new ListTagsForResourceCommand4({ ResourceARN: bus.Arn })
+            new ListTagsForResourceCommand6({ ResourceARN: bus.Arn })
           );
           if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
             return { physicalId: bus.Name, attributes: {} };
@@ -18690,6 +18828,8 @@ import {
   DeleteRouteCommand as DeleteRouteCommand2,
   CreateAuthorizerCommand as CreateAuthorizerCommand2,
   DeleteAuthorizerCommand as DeleteAuthorizerCommand2,
+  GetApiCommand,
+  GetApisCommand,
   NotFoundException as NotFoundException4
 } from "@aws-sdk/client-apigatewayv2";
 var ApiGatewayV2Provider = class {
@@ -19223,6 +19363,56 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
+  // ─── Import ───────────────────────────────────────────────────────
+  /**
+   * Adopt an existing API Gateway V2 resource into cdkd state.
+   *
+   * `AWS::ApiGatewayV2::Api` supports full tag-based auto-lookup via
+   * `GetApis` (`Tags` is a `Record<string,string>` map on each item).
+   *
+   * Sub-resources (`Stage`, `Integration`, `Route`, `Authorizer`) are
+   * scoped under a parent `ApiId`, and their physical ids are not
+   * globally unique — auto-lookup would need to walk every Api in the
+   * account and every sub-resource within. Explicit-override only;
+   * users adopt an existing HTTP API by passing
+   * `--resource <logicalId>=<physicalId>` for each sub-resource.
+   */
+  async import(input) {
+    if (input.resourceType !== "AWS::ApiGatewayV2::Api") {
+      if (input.knownPhysicalId) {
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      }
+      return null;
+    }
+    const explicit = resolveExplicitPhysicalId(input, null);
+    if (explicit) {
+      try {
+        await this.getClient().send(new GetApiCommand({ ApiId: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NotFoundException4)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new GetApisCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const api of list.Items ?? []) {
+        if (!api.ApiId)
+          continue;
+        if (api.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+          return { physicalId: api.ApiId, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
   // ─── Helpers ──────────────────────────────────────────────────────
   /**
    * Convert CloudFormation Tags (Array<{Key, Value}>) to SDK Tags (Record<string, string>).
@@ -19396,7 +19586,7 @@ import {
   GetDistributionCommand,
   GetDistributionConfigCommand,
   ListDistributionsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand5,
+  ListTagsForResourceCommand as ListTagsForResourceCommand7,
   NoSuchDistribution
 } from "@aws-sdk/client-cloudfront";
 init_aws_clients();
@@ -19832,7 +20022,7 @@ var CloudFrontDistributionProvider = class {
           continue;
         try {
           const tagsResp = await this.cloudFrontClient.send(
-            new ListTagsForResourceCommand5({ Resource: d.ARN })
+            new ListTagsForResourceCommand7({ Resource: d.ARN })
           );
           if (matchesCdkPath(tagsResp.Tags?.Items, input.cdkPath)) {
             return { physicalId: d.Id, attributes: {} };
@@ -20118,6 +20308,8 @@ import {
   UpdateStateMachineCommand,
   DeleteStateMachineCommand,
   DescribeStateMachineCommand,
+  ListStateMachinesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand8,
   StateMachineDoesNotExist
 } from "@aws-sdk/client-sfn";
 var StepFunctionsProvider = class {
@@ -20300,6 +20492,67 @@ var StepFunctionsProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Step Functions state machine into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `DescribeStateMachine`.
+   *  2. Walk `ListStateMachines` paginator → `ListTagsForResource(arn)`,
+   *     match the lowercase `key`/`value` `aws:cdk:path` tag (SFN uses
+   *     lowercase tags, so `matchesCdkPath` from import-helpers does not
+   *     apply directly).
+   *
+   * SFN state machines do not expose a template-supplied name field
+   * usable as a stable physicalId — the physicalId is the ARN — so the
+   * fallback to `Properties.<NameField>` in `resolveExplicitPhysicalId`
+   * is skipped here.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(
+          new DescribeStateMachineCommand({ stateMachineArn: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof StateMachineDoesNotExist)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListStateMachinesCommand({ ...nextToken && { nextToken } })
+      );
+      for (const sm of list.stateMachines ?? []) {
+        if (!sm.stateMachineArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand8({ resourceArn: sm.stateMachineArn })
+        );
+        if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
+          return { physicalId: sm.stateMachineArn, attributes: {} };
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
+  /**
+   * Match SFN's lowercase `key`/`value` tag shape against the CDK path.
+   */
+  tagsMatchCdkPath(tags, cdkPath) {
+    if (!tags)
+      return false;
+    for (const t of tags) {
+      if (t.key === CDK_PATH_TAG && t.value === cdkPath)
+        return true;
+    }
+    return false;
+  }
   /**
    * Build definition string from CDK properties.
    * Handles both DefinitionString (string) and DefinitionString (object) forms.
@@ -20339,7 +20592,7 @@ import {
   DescribeServicesCommand,
   ListClustersCommand,
   ListServicesCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand6
+  ListTagsForResourceCommand as ListTagsForResourceCommand9
 } from "@aws-sdk/client-ecs";
 function convertTags(tags) {
   if (!tags || tags.length === 0)
@@ -21117,7 +21370,7 @@ var ECSProvider = class {
       );
       for (const arn of list.clusterArns ?? []) {
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand6({ resourceArn: arn })
+          new ListTagsForResourceCommand9({ resourceArn: arn })
         );
         if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
           const name = arn.substring(arn.lastIndexOf("/") + 1);
@@ -21150,7 +21403,7 @@ var ECSProvider = class {
           );
           for (const svcArn of svcList.serviceArns ?? []) {
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand6({ resourceArn: svcArn })
+              new ListTagsForResourceCommand9({ resourceArn: svcArn })
             );
             if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
               const svcName = svcArn.substring(svcArn.lastIndexOf("/") + 1);
@@ -21202,6 +21455,7 @@ import {
   DeleteTargetGroupCommand,
   ModifyTargetGroupCommand,
   DescribeTargetGroupsCommand,
+  DescribeTagsCommand,
   CreateListenerCommand,
   DeleteListenerCommand,
   ModifyListenerCommand
@@ -21697,6 +21951,107 @@ var ELBv2Provider = class {
       return void 0;
     return certificates;
   }
+  /**
+   * Adopt an existing ELBv2 LoadBalancer or TargetGroup into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `DescribeLoadBalancers`
+   *     or `DescribeTargetGroups`.
+   *  2. Walk `DescribeLoadBalancers` / `DescribeTargetGroups` paginators →
+   *     batch-fetch tags for each ARN with `DescribeTags(ResourceArns)`
+   *     and match `aws:cdk:path` (standard `Key`/`Value` Tag[] shape).
+   *
+   * Listener is not auto-importable (no template-supplied stable
+   * identifier and no convenient tag-by-LB-context shortcut); use
+   * `--resource <listenerId>=<arn>` for those.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ElasticLoadBalancingV2::LoadBalancer":
+        return this.importLoadBalancer(input);
+      case "AWS::ElasticLoadBalancingV2::TargetGroup":
+        return this.importTargetGroup(input);
+      case "AWS::ElasticLoadBalancingV2::Listener":
+        if (input.knownPhysicalId) {
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  async importLoadBalancer(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeLoadBalancersCommand2({ LoadBalancerArns: [input.knownPhysicalId] })
+        );
+        return resp.LoadBalancers?.[0]?.LoadBalancerArn ? { physicalId: resp.LoadBalancers[0].LoadBalancerArn, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeLoadBalancersCommand2({ ...marker && { Marker: marker } })
+      );
+      const arns = (list.LoadBalancers ?? []).map((lb) => lb.LoadBalancerArn).filter((arn) => Boolean(arn));
+      for (let i = 0; i < arns.length; i += 20) {
+        const batch = arns.slice(i, i + 20);
+        const tagsResp = await this.getClient().send(
+          new DescribeTagsCommand({ ResourceArns: batch })
+        );
+        for (const td of tagsResp.TagDescriptions ?? []) {
+          if (td.ResourceArn && matchesCdkPath(td.Tags, input.cdkPath)) {
+            return { physicalId: td.ResourceArn, attributes: {} };
+          }
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
+  async importTargetGroup(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeTargetGroupsCommand({ TargetGroupArns: [input.knownPhysicalId] })
+        );
+        return resp.TargetGroups?.[0]?.TargetGroupArn ? { physicalId: resp.TargetGroups[0].TargetGroupArn, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeTargetGroupsCommand({ ...marker && { Marker: marker } })
+      );
+      const arns = (list.TargetGroups ?? []).map((tg) => tg.TargetGroupArn).filter((arn) => Boolean(arn));
+      for (let i = 0; i < arns.length; i += 20) {
+        const batch = arns.slice(i, i + 20);
+        const tagsResp = await this.getClient().send(
+          new DescribeTagsCommand({ ResourceArns: batch })
+        );
+        for (const td of tagsResp.TagDescriptions ?? []) {
+          if (td.ResourceArn && matchesCdkPath(td.Tags, input.cdkPath)) {
+            return { physicalId: td.ResourceArn, attributes: {} };
+          }
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
   /**
    * Check if an error indicates the resource was not found
    */
@@ -21724,7 +22079,7 @@ import {
   DeleteDBSubnetGroupCommand,
   DescribeDBSubnetGroupsCommand,
   ModifyDBSubnetGroupCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand7
+  ListTagsForResourceCommand as ListTagsForResourceCommand10
 } from "@aws-sdk/client-rds";
 var RDSProvider = class {
   rdsClient;
@@ -22365,7 +22720,7 @@ var RDSProvider = class {
         if (!inst.DBInstanceIdentifier || !inst.DBInstanceArn)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand7({ ResourceName: inst.DBInstanceArn })
+          new ListTagsForResourceCommand10({ ResourceName: inst.DBInstanceArn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: inst.DBInstanceIdentifier, attributes: {} };
@@ -22400,7 +22755,7 @@ var RDSProvider = class {
         if (!c.DBClusterIdentifier || !c.DBClusterArn)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand7({ ResourceName: c.DBClusterArn })
+          new ListTagsForResourceCommand10({ ResourceName: c.DBClusterArn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: c.DBClusterIdentifier, attributes: {} };
@@ -22435,7 +22790,7 @@ var RDSProvider = class {
         if (!sg.DBSubnetGroupName || !sg.DBSubnetGroupArn)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand7({ ResourceName: sg.DBSubnetGroupArn })
+          new ListTagsForResourceCommand10({ ResourceName: sg.DBSubnetGroupArn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: sg.DBSubnetGroupName, attributes: {} };
@@ -22461,7 +22816,9 @@ import {
   CreateQueryLoggingConfigCommand,
   DeleteQueryLoggingConfigCommand,
   ListQueryLoggingConfigsCommand,
-  ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2
+  ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2,
+  ListHostedZonesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand11
 } from "@aws-sdk/client-route-53";
 var Route53Provider = class {
   route53Client;
@@ -23108,45 +23465,110 @@ var Route53Provider = class {
       physicalId
     );
   }
-};
-
-// src/provisioning/providers/wafv2-provider.ts
-import {
-  WAFV2Client,
-  CreateWebACLCommand,
-  UpdateWebACLCommand,
-  DeleteWebACLCommand,
-  GetWebACLCommand,
-  WAFNonexistentItemException
-} from "@aws-sdk/client-wafv2";
-function parseWebACLArn(arn) {
-  const parts = arn.split(":");
-  const resourcePart = parts.slice(5).join(":");
-  const segments = resourcePart.split("/");
-  const scopeRaw = segments[0];
-  const name = segments[2];
-  const id = segments[3];
-  const scope = scopeRaw === "global" ? "CLOUDFRONT" : "REGIONAL";
-  return { id, name, scope };
-}
-var WAFv2WebACLProvider = class {
-  wafv2Client;
-  providerRegion = process.env["AWS_REGION"];
-  logger = getLogger().child("WAFv2WebACLProvider");
-  handledProperties = /* @__PURE__ */ new Map([
-    [
-      "AWS::WAFv2::WebACL",
-      /* @__PURE__ */ new Set([
-        "Name",
-        "Scope",
-        "Tags",
-        "DefaultAction",
-        "Description",
-        "Rules",
-        "VisibilityConfig",
-        "CustomResponseBodies",
-        "CaptchaConfig",
-        "ChallengeConfig",
+  /**
+   * Adopt an existing Route 53 resource into cdkd state.
+   *
+   * Supported types: `AWS::Route53::HostedZone` (full tag-based
+   * lookup); `AWS::Route53::RecordSet` (override-only — RecordSets are
+   * not taggable, and the composite child-of-zone identity makes auto
+   * lookup impractical).
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::Route53::HostedZone":
+        return this.importHostedZone(input);
+      case "AWS::Route53::RecordSet":
+        if (input.knownPhysicalId) {
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  async importHostedZone(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new GetHostedZoneCommand2({ Id: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof Error && err.name === "NoSuchHostedZone")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new ListHostedZonesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const zone of list.HostedZones ?? []) {
+        if (!zone.Id)
+          continue;
+        const zoneId = zone.Id.replace("/hostedzone/", "");
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListTagsForResourceCommand11({
+              ResourceType: "hostedzone",
+              ResourceId: zoneId
+            })
+          );
+          if (matchesCdkPath(tagsResp.ResourceTagSet?.Tags, input.cdkPath)) {
+            return { physicalId: zoneId, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof Error && err.name === "NoSuchHostedZone")
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.NextMarker : void 0;
+    } while (marker);
+    return null;
+  }
+};
+
+// src/provisioning/providers/wafv2-provider.ts
+import {
+  WAFV2Client,
+  CreateWebACLCommand,
+  UpdateWebACLCommand,
+  DeleteWebACLCommand,
+  GetWebACLCommand,
+  ListWebACLsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand12,
+  WAFNonexistentItemException
+} from "@aws-sdk/client-wafv2";
+function parseWebACLArn(arn) {
+  const parts = arn.split(":");
+  const resourcePart = parts.slice(5).join(":");
+  const segments = resourcePart.split("/");
+  const scopeRaw = segments[0];
+  const name = segments[2];
+  const id = segments[3];
+  const scope = scopeRaw === "global" ? "CLOUDFRONT" : "REGIONAL";
+  return { id, name, scope };
+}
+var WAFv2WebACLProvider = class {
+  wafv2Client;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("WAFv2WebACLProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::WAFv2::WebACL",
+      /* @__PURE__ */ new Set([
+        "Name",
+        "Scope",
+        "Tags",
+        "DefaultAction",
+        "Description",
+        "Rules",
+        "VisibilityConfig",
+        "CustomResponseBodies",
+        "CaptchaConfig",
+        "ChallengeConfig",
         "TokenDomains",
         "AssociationConfig"
       ])
@@ -23331,6 +23753,54 @@ var WAFv2WebACLProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing WAFv2 WebACL into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `GetWebACL` (parses
+   *     Name/Id/Scope back out of the ARN).
+   *  2. Walk `ListWebACLs(Scope)` → match `aws:cdk:path` via
+   *     `ListTagsForResource(ResourceARN)` (returns
+   *     `TagInfoForResource.TagList`, standard `Key`/`Value` shape).
+   *
+   * `Scope` is required by `ListWebACLs` — read from
+   * `Properties.Scope` (`REGIONAL` is the default).
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const { id, name, scope: scope2 } = parseWebACLArn(input.knownPhysicalId);
+        await this.getClient().send(new GetWebACLCommand({ Id: id, Name: name, Scope: scope2 }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof WAFNonexistentItemException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const scope = input.properties["Scope"] || "REGIONAL";
+    let nextMarker;
+    do {
+      const list = await this.getClient().send(
+        new ListWebACLsCommand({ Scope: scope, ...nextMarker && { NextMarker: nextMarker } })
+      );
+      for (const item of list.WebACLs ?? []) {
+        if (!item.ARN)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand12({ ResourceARN: item.ARN })
+        );
+        const tagList = tagsResp.TagInfoForResource?.TagList;
+        if (matchesCdkPath(tagList, input.cdkPath)) {
+          return { physicalId: item.ARN, attributes: {} };
+        }
+      }
+      nextMarker = list.NextMarker;
+    } while (nextMarker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/cognito-provider.ts
@@ -23341,7 +23811,7 @@ import {
   UpdateUserPoolCommand,
   DescribeUserPoolCommand,
   ListUserPoolsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand8,
+  ListTagsForResourceCommand as ListTagsForResourceCommand13,
   ResourceNotFoundException as ResourceNotFoundException12
 } from "@aws-sdk/client-cognito-identity-provider";
 var CognitoUserPoolProvider = class {
@@ -23726,7 +24196,7 @@ var CognitoUserPoolProvider = class {
             if (!arn)
               continue;
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand8({ ResourceArn: arn })
+              new ListTagsForResourceCommand13({ ResourceArn: arn })
             );
             if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
               return { physicalId: pool.Id, attributes: {} };
@@ -23750,13 +24220,18 @@ import {
   CreateCacheClusterCommand,
   DeleteCacheClusterCommand,
   DescribeCacheClustersCommand,
+  DescribeCacheSubnetGroupsCommand,
   CreateCacheSubnetGroupCommand,
   DeleteCacheSubnetGroupCommand,
   ModifyCacheSubnetGroupCommand,
-  ModifyCacheClusterCommand
+  ModifyCacheClusterCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand14
 } from "@aws-sdk/client-elasticache";
+import { STSClient as STSClient5, GetCallerIdentityCommand as GetCallerIdentityCommand6 } from "@aws-sdk/client-sts";
 var ElastiCacheProvider = class {
   client;
+  stsClient;
+  cachedAccountId;
   providerRegion = process.env["AWS_REGION"];
   logger = getLogger().child("ElastiCacheProvider");
   handledProperties = /* @__PURE__ */ new Map([
@@ -24158,6 +24633,132 @@ var ElastiCacheProvider = class {
   sleep(ms) {
     return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
+  /**
+   * Adopt an existing ElastiCache resource into cdkd state.
+   *
+   * Supported types:
+   *  - `AWS::ElastiCache::CacheCluster` — full tag-based lookup via
+   *    `DescribeCacheClusters` + `ListTagsForResource(ResourceName=arn)`.
+   *  - `AWS::ElastiCache::SubnetGroup` — full tag-based lookup via
+   *    `DescribeCacheSubnetGroups` + `ListTagsForResource(ResourceName=arn)`.
+   *
+   * `ListTagsForResource` requires an ARN. Both `CacheCluster.ARN` and
+   * `CacheSubnetGroup.ARN` are returned by the Describe APIs, so no
+   * extra reconstruction is needed in normal flow; for the explicit
+   * override path we build the ARN from `region` + STS account id +
+   * the resource name.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ElastiCache::CacheCluster":
+        return this.importCacheCluster(input);
+      case "AWS::ElastiCache::SubnetGroup":
+        return this.importSubnetGroup(input);
+      default:
+        return null;
+    }
+  }
+  async importCacheCluster(input) {
+    const explicit = resolveExplicitPhysicalId(input, "ClusterName");
+    if (explicit) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeCacheClustersCommand({ CacheClusterId: explicit })
+        );
+        const c = resp.CacheClusters?.[0];
+        return c?.CacheClusterId ? { physicalId: c.CacheClusterId, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err, "CacheClusterNotFoundFault"))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeCacheClustersCommand({ ...marker && { Marker: marker } })
+      );
+      for (const c of list.CacheClusters ?? []) {
+        if (!c.CacheClusterId)
+          continue;
+        const arn = c.ARN ?? await this.buildClusterArn(c.CacheClusterId);
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand14({ ResourceName: arn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: c.CacheClusterId, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async importSubnetGroup(input) {
+    const explicit = resolveExplicitPhysicalId(input, "CacheSubnetGroupName");
+    if (explicit) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeCacheSubnetGroupsCommand({ CacheSubnetGroupName: explicit })
+        );
+        const g = resp.CacheSubnetGroups?.[0];
+        return g?.CacheSubnetGroupName ? { physicalId: g.CacheSubnetGroupName, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err, "CacheSubnetGroupNotFoundFault"))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeCacheSubnetGroupsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const g of list.CacheSubnetGroups ?? []) {
+        if (!g.CacheSubnetGroupName)
+          continue;
+        const arn = g.ARN ?? await this.buildSubnetGroupArn(g.CacheSubnetGroupName);
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand14({ ResourceName: arn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: g.CacheSubnetGroupName, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async buildClusterArn(clusterName) {
+    const region = await this.getRegion();
+    const account = await this.getAccountId();
+    return `arn:aws:elasticache:${region}:${account}:cluster:${clusterName}`;
+  }
+  async buildSubnetGroupArn(subnetGroupName) {
+    const region = await this.getRegion();
+    const account = await this.getAccountId();
+    return `arn:aws:elasticache:${region}:${account}:subnetgroup:${subnetGroupName}`;
+  }
+  async getRegion() {
+    const region = await this.getClient().config.region();
+    return region || this.providerRegion || "us-east-1";
+  }
+  async getAccountId() {
+    if (this.cachedAccountId)
+      return this.cachedAccountId;
+    if (!this.stsClient) {
+      this.stsClient = new STSClient5(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand6({}));
+    if (!identity.Account) {
+      throw new Error("Failed to resolve AWS account id from STS");
+    }
+    this.cachedAccountId = identity.Account;
+    return this.cachedAccountId;
+  }
 };
 
 // src/provisioning/providers/servicediscovery-provider.ts
@@ -24171,7 +24772,7 @@ import {
   NamespaceNotFound,
   ServiceNotFound
 } from "@aws-sdk/client-servicediscovery";
-import { STSClient as STSClient5, GetCallerIdentityCommand as GetCallerIdentityCommand6 } from "@aws-sdk/client-sts";
+import { STSClient as STSClient6, GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
 var ServiceDiscoveryProvider = class {
   client;
   stsClient;
@@ -24203,7 +24804,7 @@ var ServiceDiscoveryProvider = class {
   }
   getStsClient() {
     if (!this.stsClient) {
-      this.stsClient = new STSClient5(this.providerRegion ? { region: this.providerRegion } : {});
+      this.stsClient = new STSClient6(this.providerRegion ? { region: this.providerRegion } : {});
     }
     return this.stsClient;
   }
@@ -24494,7 +25095,7 @@ var ServiceDiscoveryProvider = class {
    */
   async buildNamespaceArn(namespaceId) {
     const stsClient = this.getStsClient();
-    const identity = await stsClient.send(new GetCallerIdentityCommand6({}));
+    const identity = await stsClient.send(new GetCallerIdentityCommand7({}));
     const accountId = identity.Account || "";
     const region = await this.getClient().config.region();
     return `arn:aws:servicediscovery:${region}:${accountId}:namespace/${namespaceId}`;
@@ -24512,7 +25113,10 @@ import {
   DeleteResolverCommand,
   CreateApiKeyCommand,
   DeleteApiKeyCommand,
-  StartSchemaCreationCommand
+  StartSchemaCreationCommand,
+  GetGraphqlApiCommand,
+  ListGraphqlApisCommand,
+  NotFoundException as AppSyncNotFoundException
 } from "@aws-sdk/client-appsync";
 var AppSyncProvider = class {
   client;
@@ -25020,6 +25624,51 @@ var AppSyncProvider = class {
     const name = error.name ?? "";
     return message.includes("not found") || message.includes("does not exist") || name === "NotFoundException";
   }
+  /**
+   * Adopt an existing AppSync resource into cdkd state.
+   *
+   * `AWS::AppSync::GraphQLApi` supports full tag-based auto-lookup via
+   * `ListGraphqlApis` (each item carries a `tags` map). AppSync sub-resources
+   * (`GraphQLSchema`, `DataSource`, `Resolver`, `ApiKey`) are scoped under a
+   * parent `apiId` and cannot be discovered by tag at the account level —
+   * explicit-override only.
+   */
+  async import(input) {
+    if (input.resourceType !== "AWS::AppSync::GraphQLApi") {
+      if (input.knownPhysicalId) {
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      }
+      return null;
+    }
+    const explicit = resolveExplicitPhysicalId(input, null);
+    if (explicit) {
+      try {
+        await this.getClient().send(new GetGraphqlApiCommand({ apiId: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof AppSyncNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListGraphqlApisCommand({ ...nextToken && { nextToken } })
+      );
+      for (const api of list.graphqlApis ?? []) {
+        if (!api.apiId)
+          continue;
+        if (api.tags?.[CDK_PATH_TAG] === input.cdkPath) {
+          return { physicalId: api.apiId, attributes: {} };
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/glue-provider.ts
@@ -25030,10 +25679,18 @@ import {
   CreateTableCommand as CreateTableCommand2,
   UpdateTableCommand,
   DeleteTableCommand as DeleteTableCommand2,
+  GetDatabaseCommand,
+  GetDatabasesCommand,
+  GetTableCommand,
+  GetTablesCommand,
+  GetTagsCommand,
   EntityNotFoundException
 } from "@aws-sdk/client-glue";
+import { STSClient as STSClient7, GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
 var GlueProvider = class {
   client;
+  stsClient;
+  cachedAccountId;
   providerRegion = process.env["AWS_REGION"];
   logger = getLogger().child("GlueProvider");
   handledProperties = /* @__PURE__ */ new Map([
@@ -25388,21 +26045,182 @@ var GlueProvider = class {
         }
         serde["Parameters"] = converted;
       }
-      result.SerdeInfo = serde;
-    }
-    if (sd["BucketColumns"] !== void 0) {
-      result.BucketColumns = sd["BucketColumns"];
+      result.SerdeInfo = serde;
+    }
+    if (sd["BucketColumns"] !== void 0) {
+      result.BucketColumns = sd["BucketColumns"];
+    }
+    if (sd["SortColumns"] !== void 0) {
+      result.SortColumns = sd["SortColumns"];
+    }
+    if (sd["Parameters"] !== void 0) {
+      result.Parameters = sd["Parameters"];
+    }
+    if (sd["StoredAsSubDirectories"] !== void 0) {
+      result.StoredAsSubDirectories = sd["StoredAsSubDirectories"];
+    }
+    return result;
+  }
+  /**
+   * Adopt an existing Glue Database or Table into cdkd state.
+   *
+   * Lookup order (per type):
+   *  1. Explicit override / template name → verify with `GetDatabase`
+   *     or `GetTable`.
+   *  2. Walk `GetDatabases` / `GetTables` paginators and match the
+   *     `aws:cdk:path` tag via `GetTags(ResourceArn)`. Glue tags are
+   *     a `Record<string,string>` map (not a `Tag[]` array), so the
+   *     match is `tags?.[CDK_PATH_TAG] === input.cdkPath`.
+   *
+   * Glue list APIs return only names — ARNs are constructed locally
+   * for the per-item GetTags call.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::Glue::Database":
+        return this.importDatabase(input);
+      case "AWS::Glue::Table":
+        return this.importTable(input);
+      default:
+        return null;
+    }
+  }
+  async importDatabase(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["DatabaseInput"]?.["Name"];
+    const catalogId = input.properties["CatalogId"];
+    if (explicitName) {
+      try {
+        await this.getClient().send(
+          new GetDatabaseCommand({ Name: explicitName, ...catalogId && { CatalogId: catalogId } })
+        );
+        return { physicalId: explicitName, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new GetDatabasesCommand({
+          ...nextToken && { NextToken: nextToken },
+          ...catalogId && { CatalogId: catalogId }
+        })
+      );
+      for (const db of list.DatabaseList ?? []) {
+        if (!db.Name)
+          continue;
+        const arn = await this.buildDatabaseArn(db.Name, db.CatalogId);
+        if (await this.tagsMatchCdkPath(arn, input.cdkPath)) {
+          return { physicalId: db.Name, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  async importTable(input) {
+    const databaseName = input.properties["DatabaseName"];
+    const tableInput = input.properties["TableInput"];
+    const templateTableName = tableInput?.["Name"];
+    const catalogId = input.properties["CatalogId"];
+    if (input.knownPhysicalId) {
+      const [dbName, tName] = input.knownPhysicalId.split("|");
+      if (!dbName || !tName)
+        return null;
+      try {
+        await this.getClient().send(
+          new GetTableCommand({
+            DatabaseName: dbName,
+            Name: tName,
+            ...catalogId && { CatalogId: catalogId }
+          })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (databaseName && templateTableName) {
+      try {
+        await this.getClient().send(
+          new GetTableCommand({
+            DatabaseName: databaseName,
+            Name: templateTableName,
+            ...catalogId && { CatalogId: catalogId }
+          })
+        );
+        return { physicalId: `${databaseName}|${templateTableName}`, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
     }
-    if (sd["SortColumns"] !== void 0) {
-      result.SortColumns = sd["SortColumns"];
+    if (!input.cdkPath || !databaseName)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new GetTablesCommand({
+          DatabaseName: databaseName,
+          ...nextToken && { NextToken: nextToken },
+          ...catalogId && { CatalogId: catalogId }
+        })
+      );
+      for (const t of list.TableList ?? []) {
+        if (!t.Name)
+          continue;
+        const arn = await this.buildTableArn(databaseName, t.Name, catalogId);
+        if (await this.tagsMatchCdkPath(arn, input.cdkPath)) {
+          return { physicalId: `${databaseName}|${t.Name}`, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  async tagsMatchCdkPath(arn, cdkPath) {
+    try {
+      const resp = await this.getClient().send(new GetTagsCommand({ ResourceArn: arn }));
+      return resp.Tags?.[CDK_PATH_TAG] === cdkPath;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return false;
+      throw err;
     }
-    if (sd["Parameters"] !== void 0) {
-      result.Parameters = sd["Parameters"];
+  }
+  async buildDatabaseArn(databaseName, catalogId) {
+    const region = await this.getRegion();
+    const account = catalogId ?? await this.getAccountId();
+    return `arn:aws:glue:${region}:${account}:database/${databaseName}`;
+  }
+  async buildTableArn(databaseName, tableName, catalogId) {
+    const region = await this.getRegion();
+    const account = catalogId ?? await this.getAccountId();
+    return `arn:aws:glue:${region}:${account}:table/${databaseName}/${tableName}`;
+  }
+  async getRegion() {
+    const region = await this.getClient().config.region();
+    return region || this.providerRegion || "us-east-1";
+  }
+  async getAccountId() {
+    if (this.cachedAccountId)
+      return this.cachedAccountId;
+    if (!this.stsClient) {
+      this.stsClient = new STSClient7(this.providerRegion ? { region: this.providerRegion } : {});
     }
-    if (sd["StoredAsSubDirectories"] !== void 0) {
-      result.StoredAsSubDirectories = sd["StoredAsSubDirectories"];
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand8({}));
+    if (!identity.Account) {
+      throw new Error("Failed to resolve AWS account id from STS");
     }
-    return result;
+    this.cachedAccountId = identity.Account;
+    return this.cachedAccountId;
   }
 };
 
@@ -25885,6 +26703,8 @@ import {
   DecreaseStreamRetentionPeriodCommand,
   StartStreamEncryptionCommand,
   StopStreamEncryptionCommand,
+  ListStreamsCommand,
+  ListTagsForStreamCommand,
   ResourceNotFoundException as ResourceNotFoundException13
 } from "@aws-sdk/client-kinesis";
 var KinesisStreamProvider = class {
@@ -26137,6 +26957,54 @@ var KinesisStreamProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Kinesis stream into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.Name` → verify
+   *     with `DescribeStream`.
+   *  2. Walk `ListStreams` (paged via `ExclusiveStartStreamName`) and
+   *     match the `aws:cdk:path` tag via `ListTagsForStream(StreamName)`.
+   *
+   * Kinesis tags use the standard `Tag[]` array shape (`Key`/`Value`),
+   * so `matchesCdkPath` from import-helpers applies directly.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        await this.getClient().send(new DescribeStreamCommand({ StreamName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException13)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let exclusiveStartStreamName;
+    while (true) {
+      const list = await this.getClient().send(
+        new ListStreamsCommand({
+          ...exclusiveStartStreamName && { ExclusiveStartStreamName: exclusiveStartStreamName }
+        })
+      );
+      const names = list.StreamNames ?? [];
+      for (const streamName of names) {
+        const tagsResp = await this.getClient().send(
+          new ListTagsForStreamCommand({ StreamName: streamName })
+        );
+        if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+          return { physicalId: streamName, attributes: {} };
+        }
+      }
+      if (!list.HasMoreStreams || names.length === 0)
+        break;
+      exclusiveStartStreamName = names[names.length - 1];
+    }
+    return null;
+  }
   /**
    * Poll DescribeStream until the stream reaches ACTIVE status
    *
@@ -26179,6 +27047,7 @@ import {
   CreateAccessPointCommand,
   DeleteAccessPointCommand,
   DescribeFileSystemsCommand,
+  DescribeAccessPointsCommand,
   FileSystemNotFound,
   MountTargetNotFound,
   AccessPointNotFound
@@ -26580,6 +27449,100 @@ var EFSProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing EFS resource into cdkd state.
+   *
+   * Supported types:
+   *  - `AWS::EFS::FileSystem` — full tag-based lookup via
+   *    `DescribeFileSystems` with `Tags` inline on each item.
+   *  - `AWS::EFS::AccessPoint` — full tag-based lookup via
+   *    `DescribeAccessPoints` with `Tags` inline on each item.
+   *  - `AWS::EFS::MountTarget` — override-only (mount targets are
+   *    not taggable; auto lookup is impractical).
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::EFS::FileSystem":
+        return this.importFileSystem(input);
+      case "AWS::EFS::AccessPoint":
+        return this.importAccessPoint(input);
+      case "AWS::EFS::MountTarget":
+        if (input.knownPhysicalId) {
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  async importFileSystem(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeFileSystemsCommand({ FileSystemId: input.knownPhysicalId })
+        );
+        const fs = resp.FileSystems?.[0];
+        return fs?.FileSystemId ? { physicalId: fs.FileSystemId, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof FileSystemNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeFileSystemsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const fs of list.FileSystems ?? []) {
+        if (!fs.FileSystemId)
+          continue;
+        if (matchesCdkPath(fs.Tags, input.cdkPath)) {
+          return { physicalId: fs.FileSystemId, attributes: {} };
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
+  async importAccessPoint(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeAccessPointsCommand({ AccessPointId: input.knownPhysicalId })
+        );
+        const ap = resp.AccessPoints?.[0];
+        return ap?.AccessPointId ? { physicalId: ap.AccessPointId, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof AccessPointNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const fileSystemId = input.properties["FileSystemId"];
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new DescribeAccessPointsCommand({
+          ...nextToken && { NextToken: nextToken },
+          ...fileSystemId && { FileSystemId: fileSystemId }
+        })
+      );
+      for (const ap of list.AccessPoints ?? []) {
+        if (!ap.AccessPointId)
+          continue;
+        if (matchesCdkPath(ap.Tags, input.cdkPath)) {
+          return { physicalId: ap.AccessPointId, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/firehose-provider.ts
@@ -26587,6 +27550,9 @@ import {
   FirehoseClient,
   CreateDeliveryStreamCommand,
   DeleteDeliveryStreamCommand,
+  DescribeDeliveryStreamCommand,
+  ListDeliveryStreamsCommand,
+  ListTagsForDeliveryStreamCommand,
   ResourceNotFoundException as ResourceNotFoundException14
 } from "@aws-sdk/client-firehose";
 var FirehoseProvider = class {
@@ -26923,12 +27889,63 @@ var FirehoseProvider = class {
     }
     return result;
   }
+  /**
+   * Adopt an existing Kinesis Firehose delivery stream into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.DeliveryStreamName`
+   *     → verify with `DescribeDeliveryStream`.
+   *  2. Walk `ListDeliveryStreams` (paged via `ExclusiveStartDeliveryStreamName`)
+   *     and match the `aws:cdk:path` tag via
+   *     `ListTagsForDeliveryStream(DeliveryStreamName)`.
+   *
+   * Firehose tags use the standard `Tag[]` array shape (`Key`/`Value`).
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DeliveryStreamName");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDeliveryStreamCommand({ DeliveryStreamName: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException14)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let exclusiveStartDeliveryStreamName;
+    while (true) {
+      const list = await this.getClient().send(
+        new ListDeliveryStreamsCommand({
+          ...exclusiveStartDeliveryStreamName && {
+            ExclusiveStartDeliveryStreamName: exclusiveStartDeliveryStreamName
+          }
+        })
+      );
+      const names = list.DeliveryStreamNames ?? [];
+      for (const name of names) {
+        const tagsResp = await this.getClient().send(
+          new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: name })
+        );
+        if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+          return { physicalId: name, attributes: {} };
+        }
+      }
+      if (!list.HasMoreDeliveryStreams || names.length === 0)
+        break;
+      exclusiveStartDeliveryStreamName = names[names.length - 1];
+    }
+    return null;
+  }
   /**
    * Wait for a delivery stream to become ACTIVE.
    * Firehose CreateDeliveryStream returns immediately while the stream is still CREATING.
    */
   async waitForActive(streamName, logicalId) {
-    const { DescribeDeliveryStreamCommand } = await import("@aws-sdk/client-firehose");
     const maxAttempts = 30;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
       const resp = await this.getClient().send(
@@ -26958,6 +27975,9 @@ import {
   StopLoggingCommand,
   PutEventSelectorsCommand,
   PutInsightSelectorsCommand,
+  GetTrailCommand,
+  ListTrailsCommand,
+  ListTagsCommand as ListTagsCommand2,
   TrailNotFoundException
 } from "@aws-sdk/client-cloudtrail";
 var CloudTrailProvider = class {
@@ -27189,6 +28209,54 @@ var CloudTrailProvider = class {
   getAttribute(_physicalId, _resourceType, attributeName) {
     return Promise.resolve(attributeName);
   }
+  /**
+   * Adopt an existing CloudTrail trail into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.TrailName` → verify via `GetTrail`.
+   *  2. `ListTrails` + `ListTags` (CloudTrail uses `Tag[]` arrays per ARN),
+   *     match `aws:cdk:path` tag.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "TrailName");
+    if (explicit) {
+      try {
+        await this.getClient().send(new GetTrailCommand({ Name: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof TrailNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListTrailsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const trail of list.Trails ?? []) {
+        if (!trail.TrailARN || !trail.Name)
+          continue;
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListTagsCommand2({ ResourceIdList: [trail.TrailARN] })
+          );
+          const list2 = tagsResp.ResourceTagList?.[0];
+          if (matchesCdkPath(list2?.TagsList, input.cdkPath)) {
+            return { physicalId: trail.Name, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof TrailNotFoundException)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/codebuild-provider.ts
@@ -27197,6 +28265,8 @@ import {
   CreateProjectCommand,
   DeleteProjectCommand,
   UpdateProjectCommand,
+  BatchGetProjectsCommand,
+  ListProjectsCommand,
   ResourceNotFoundException as ResourceNotFoundException15
 } from "@aws-sdk/client-codebuild";
 var CodeBuildProvider = class {
@@ -27455,6 +28525,54 @@ var CodeBuildProvider = class {
   getAttribute(_physicalId, _resourceType, attributeName) {
     return Promise.resolve(attributeName);
   }
+  /**
+   * Adopt an existing CodeBuild project into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.Name` → verify via `BatchGetProjects`.
+   *  2. `ListProjects` + `BatchGetProjects` (CodeBuild uses lowercase
+   *     `key`/`value` tags, not the standard `Key`/`Value`), match
+   *     `aws:cdk:path` tag.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        const resp = await this.getClient().send(
+          new BatchGetProjectsCommand({ names: [explicit] })
+        );
+        return resp.projects?.[0]?.name ? { physicalId: explicit, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException15)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListProjectsCommand({ ...nextToken && { nextToken } })
+      );
+      const names = (list.projects ?? []).filter((n) => typeof n === "string");
+      if (names.length > 0) {
+        const batch = await this.getClient().send(new BatchGetProjectsCommand({ names }));
+        for (const proj of batch.projects ?? []) {
+          if (!proj.name)
+            continue;
+          const tags = proj.tags ?? [];
+          for (const t of tags) {
+            if (t.key === CDK_PATH_TAG && t.value === input.cdkPath) {
+              return { physicalId: proj.name, attributes: {} };
+            }
+          }
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/s3-vectors-provider.ts
@@ -27635,7 +28753,7 @@ import {
   ListObjectsV2Command as ListObjectsV2Command2,
   DeleteObjectsCommand as DeleteObjectsCommand2
 } from "@aws-sdk/client-s3";
-import { GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand9 } from "@aws-sdk/client-sts";
 import { EC2Client as EC2Client8, DescribeAvailabilityZonesCommand as DescribeAvailabilityZonesCommand3 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var S3DirectoryBucketProvider = class {
@@ -27691,7 +28809,7 @@ var S3DirectoryBucketProvider = class {
    * Get the AWS account ID via STS
    */
   async getAccountId() {
-    const identity = await this.stsClient.send(new GetCallerIdentityCommand7({}));
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand9({}));
     return identity.Account;
   }
   /**
@@ -28246,6 +29364,7 @@ import {
   PutImageScanningConfigurationCommand,
   PutImageTagMutabilityCommand,
   TagResourceCommand as TagResourceCommand7,
+  ListTagsForResourceCommand as ListTagsForResourceCommand15,
   RepositoryNotFoundException
 } from "@aws-sdk/client-ecr";
 var ECRProvider = class {
@@ -28479,6 +29598,56 @@ var ECRProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing ECR repository into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.RepositoryName` → verify via
+   *     `DescribeRepositories`.
+   *  2. `DescribeRepositories` paginated, then `ListTagsForResource(arn)`
+   *     per repository to match `aws:cdk:path` (`Tag[]` array shape).
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "RepositoryName");
+    if (explicit) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeRepositoriesCommand({ repositoryNames: [explicit] })
+        );
+        return resp.repositories?.[0]?.repositoryName ? { physicalId: explicit, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof RepositoryNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new DescribeRepositoriesCommand({ ...nextToken && { nextToken } })
+      );
+      for (const repo of list.repositories ?? []) {
+        if (!repo.repositoryArn || !repo.repositoryName)
+          continue;
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListTagsForResourceCommand15({ resourceArn: repo.repositoryArn })
+          );
+          if (matchesCdkPath(tagsResp.tags, input.cdkPath)) {
+            return { physicalId: repo.repositoryName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof RepositoryNotFoundException)
+            continue;
+          throw err;
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/register-providers.ts
@@ -29992,11 +31161,11 @@ async function deployCommand(stacks, options) {
         addDependencies(stack.stackName);
       }
     }
-    const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
-    const stsClient = new STSClient7({
+    const { STSClient: STSClient9, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+    const stsClient = new STSClient9({
       region: options.region || process.env["AWS_REGION"] || "us-east-1"
     });
-    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand9({}));
+    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand11({}));
     const accountId = callerIdentity.Account;
     stsClient.destroy();
     const assetPublisher = new AssetPublisher();
@@ -31049,7 +32218,7 @@ import {
   PutBucketVersioningCommand as PutBucketVersioningCommand3,
   S3Client as S3Client10
 } from "@aws-sdk/client-s3";
-import { GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand10 } from "@aws-sdk/client-sts";
 init_aws_clients();
 async function stateMigrateCommand(options) {
   const logger = getLogger();
@@ -31062,7 +32231,7 @@ async function stateMigrateCommand(options) {
   });
   setAwsClients(awsClients);
   try {
-    const identity = await awsClients.sts.send(new GetCallerIdentityCommand8({}));
+    const identity = await awsClients.sts.send(new GetCallerIdentityCommand10({}));
     const accountId = identity.Account;
     if (!accountId) {
       throw new Error("STS GetCallerIdentity returned no Account id.");
@@ -32390,7 +33559,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.18.1");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.20.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());