@go-to-k/cdkd 0.19.0 → 0.20.0

package/dist/cli.js

@@ -1155,11 +1155,11 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
     return syncResult;
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
-  const { GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
+  const { GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
   const { S3Client: S3Client11 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
-  const identity = await awsClients.sts.send(new GetCallerIdentityCommand9({}));
+  const identity = await awsClients.sts.send(new GetCallerIdentityCommand11({}));
   const accountId = identity.Account;
   const newName = getDefaultStateBucketName(accountId);
   const legacyName = getLegacyStateBucketName(accountId, region);
@@ -3431,9 +3431,9 @@ var AssetPublisher = class {
       const region = options.region || process.env["AWS_REGION"] || "us-east-1";
       let accountId = options.accountId;
       if (!accountId) {
-        const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
-        const stsClient = new STSClient7({ region });
-        const identity = await stsClient.send(new GetCallerIdentityCommand9({}));
+        const { STSClient: STSClient9, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+        const stsClient = new STSClient9({ region });
+        const identity = await stsClient.send(new GetCallerIdentityCommand11({}));
         accountId = identity.Account;
         stsClient.destroy();
       }
@@ -15109,7 +15109,9 @@ import {
   RemoveTargetsCommand,
   DeleteRuleCommand,
   DescribeRuleCommand,
+  ListRulesCommand,
   ListTargetsByRuleCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand5,
   TagResourceCommand as TagResourceCommand4,
   UntagResourceCommand as UntagResourceCommand4,
   ResourceNotFoundException as ResourceNotFoundException9
@@ -15377,6 +15379,85 @@ var EventBridgeRuleProvider = class {
     }
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::Events::Rule`);
   }
+  /**
+   * Adopt an existing EventBridge rule into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arnOrName>` override → verify with
+   *     `DescribeRule` (scoped to the same `EventBusName` declared in
+   *     the template, if any). The override is honored as-is so users
+   *     can pass either the ARN (cdkd's standard physicalId form for
+   *     this provider) or just the rule name.
+   *  2. If the template carries `Properties.Name` use that as the rule
+   *     name lookup, then verify with `DescribeRule` and return the
+   *     rule's ARN as physicalId.
+   *  3. Walk `ListRules(EventBusName?)` and match `aws:cdk:path` via
+   *     `ListTagsForResource(ResourceARN=rule.Arn)`. Returns the rule
+   *     ARN as physicalId — same shape that `create` returns.
+   *
+   * EventBridge tags use the standard `Tag[]` array shape
+   * (`Key`/`Value`).
+   */
+  async import(input) {
+    const eventBusName = input.properties["EventBusName"];
+    if (input.knownPhysicalId) {
+      try {
+        const ruleName = this.extractRuleNameFromArn(input.knownPhysicalId);
+        const resp = await this.eventBridgeClient.send(
+          new DescribeRuleCommand({
+            Name: ruleName,
+            ...eventBusName && { EventBusName: eventBusName }
+          })
+        );
+        return { physicalId: resp.Arn ?? input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException9)
+          return null;
+        throw err;
+      }
+    }
+    const templateName = input.properties["Name"];
+    if (templateName) {
+      try {
+        const resp = await this.eventBridgeClient.send(
+          new DescribeRuleCommand({
+            Name: templateName,
+            ...eventBusName && { EventBusName: eventBusName }
+          })
+        );
+        if (resp.Arn)
+          return { physicalId: resp.Arn, attributes: {} };
+        return null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException9)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.eventBridgeClient.send(
+        new ListRulesCommand({
+          ...eventBusName && { EventBusName: eventBusName },
+          ...nextToken && { NextToken: nextToken }
+        })
+      );
+      for (const rule of list.Rules ?? []) {
+        if (!rule.Arn)
+          continue;
+        const tagsResp = await this.eventBridgeClient.send(
+          new ListTagsForResourceCommand5({ ResourceARN: rule.Arn })
+        );
+        if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+          return { physicalId: rule.Arn, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
   /**
    * Extract rule name from an ARN
    *
@@ -15399,8 +15480,8 @@ import {
   UpdateEventBusCommand,
   DescribeEventBusCommand,
   ListEventBusesCommand,
-  ListRulesCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand5,
+  ListRulesCommand as ListRulesCommand2,
+  ListTagsForResourceCommand as ListTagsForResourceCommand6,
   RemoveTargetsCommand as RemoveTargetsCommand2,
   DeleteRuleCommand as DeleteRuleCommand2,
   ListTargetsByRuleCommand as ListTargetsByRuleCommand2,
@@ -15595,7 +15676,7 @@ var EventBridgeBusProvider = class {
   async cleanupRulesOnBus(busName) {
     try {
       const rulesResponse = await this.eventBridgeClient.send(
-        new ListRulesCommand({ EventBusName: busName })
+        new ListRulesCommand2({ EventBusName: busName })
       );
       const rules = rulesResponse.Rules ?? [];
       if (rules.length === 0)
@@ -15672,7 +15753,7 @@ var EventBridgeBusProvider = class {
           continue;
         try {
           const tagsResp = await this.eventBridgeClient.send(
-            new ListTagsForResourceCommand5({ ResourceARN: bus.Arn })
+            new ListTagsForResourceCommand6({ ResourceARN: bus.Arn })
           );
           if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
             return { physicalId: bus.Name, attributes: {} };
@@ -19505,7 +19586,7 @@ import {
   GetDistributionCommand,
   GetDistributionConfigCommand,
   ListDistributionsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand6,
+  ListTagsForResourceCommand as ListTagsForResourceCommand7,
   NoSuchDistribution
 } from "@aws-sdk/client-cloudfront";
 init_aws_clients();
@@ -19941,7 +20022,7 @@ var CloudFrontDistributionProvider = class {
           continue;
         try {
           const tagsResp = await this.cloudFrontClient.send(
-            new ListTagsForResourceCommand6({ Resource: d.ARN })
+            new ListTagsForResourceCommand7({ Resource: d.ARN })
           );
           if (matchesCdkPath(tagsResp.Tags?.Items, input.cdkPath)) {
             return { physicalId: d.Id, attributes: {} };
@@ -20227,6 +20308,8 @@ import {
   UpdateStateMachineCommand,
   DeleteStateMachineCommand,
   DescribeStateMachineCommand,
+  ListStateMachinesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand8,
   StateMachineDoesNotExist
 } from "@aws-sdk/client-sfn";
 var StepFunctionsProvider = class {
@@ -20409,6 +20492,67 @@ var StepFunctionsProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Step Functions state machine into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `DescribeStateMachine`.
+   *  2. Walk `ListStateMachines` paginator → `ListTagsForResource(arn)`,
+   *     match the lowercase `key`/`value` `aws:cdk:path` tag (SFN uses
+   *     lowercase tags, so `matchesCdkPath` from import-helpers does not
+   *     apply directly).
+   *
+   * SFN state machines do not expose a template-supplied name field
+   * usable as a stable physicalId — the physicalId is the ARN — so the
+   * fallback to `Properties.<NameField>` in `resolveExplicitPhysicalId`
+   * is skipped here.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(
+          new DescribeStateMachineCommand({ stateMachineArn: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof StateMachineDoesNotExist)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListStateMachinesCommand({ ...nextToken && { nextToken } })
+      );
+      for (const sm of list.stateMachines ?? []) {
+        if (!sm.stateMachineArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand8({ resourceArn: sm.stateMachineArn })
+        );
+        if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
+          return { physicalId: sm.stateMachineArn, attributes: {} };
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
+  /**
+   * Match SFN's lowercase `key`/`value` tag shape against the CDK path.
+   */
+  tagsMatchCdkPath(tags, cdkPath) {
+    if (!tags)
+      return false;
+    for (const t of tags) {
+      if (t.key === CDK_PATH_TAG && t.value === cdkPath)
+        return true;
+    }
+    return false;
+  }
   /**
    * Build definition string from CDK properties.
    * Handles both DefinitionString (string) and DefinitionString (object) forms.
@@ -20448,7 +20592,7 @@ import {
   DescribeServicesCommand,
   ListClustersCommand,
   ListServicesCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand7
+  ListTagsForResourceCommand as ListTagsForResourceCommand9
 } from "@aws-sdk/client-ecs";
 function convertTags(tags) {
   if (!tags || tags.length === 0)
@@ -21226,7 +21370,7 @@ var ECSProvider = class {
       );
       for (const arn of list.clusterArns ?? []) {
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand7({ resourceArn: arn })
+          new ListTagsForResourceCommand9({ resourceArn: arn })
         );
         if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
           const name = arn.substring(arn.lastIndexOf("/") + 1);
@@ -21259,7 +21403,7 @@ var ECSProvider = class {
           );
           for (const svcArn of svcList.serviceArns ?? []) {
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand7({ resourceArn: svcArn })
+              new ListTagsForResourceCommand9({ resourceArn: svcArn })
             );
             if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
               const svcName = svcArn.substring(svcArn.lastIndexOf("/") + 1);
@@ -21311,6 +21455,7 @@ import {
   DeleteTargetGroupCommand,
   ModifyTargetGroupCommand,
   DescribeTargetGroupsCommand,
+  DescribeTagsCommand,
   CreateListenerCommand,
   DeleteListenerCommand,
   ModifyListenerCommand
@@ -21806,6 +21951,107 @@ var ELBv2Provider = class {
       return void 0;
     return certificates;
   }
+  /**
+   * Adopt an existing ELBv2 LoadBalancer or TargetGroup into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `DescribeLoadBalancers`
+   *     or `DescribeTargetGroups`.
+   *  2. Walk `DescribeLoadBalancers` / `DescribeTargetGroups` paginators →
+   *     batch-fetch tags for each ARN with `DescribeTags(ResourceArns)`
+   *     and match `aws:cdk:path` (standard `Key`/`Value` Tag[] shape).
+   *
+   * Listener is not auto-importable (no template-supplied stable
+   * identifier and no convenient tag-by-LB-context shortcut); use
+   * `--resource <listenerId>=<arn>` for those.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ElasticLoadBalancingV2::LoadBalancer":
+        return this.importLoadBalancer(input);
+      case "AWS::ElasticLoadBalancingV2::TargetGroup":
+        return this.importTargetGroup(input);
+      case "AWS::ElasticLoadBalancingV2::Listener":
+        if (input.knownPhysicalId) {
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  async importLoadBalancer(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeLoadBalancersCommand2({ LoadBalancerArns: [input.knownPhysicalId] })
+        );
+        return resp.LoadBalancers?.[0]?.LoadBalancerArn ? { physicalId: resp.LoadBalancers[0].LoadBalancerArn, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeLoadBalancersCommand2({ ...marker && { Marker: marker } })
+      );
+      const arns = (list.LoadBalancers ?? []).map((lb) => lb.LoadBalancerArn).filter((arn) => Boolean(arn));
+      for (let i = 0; i < arns.length; i += 20) {
+        const batch = arns.slice(i, i + 20);
+        const tagsResp = await this.getClient().send(
+          new DescribeTagsCommand({ ResourceArns: batch })
+        );
+        for (const td of tagsResp.TagDescriptions ?? []) {
+          if (td.ResourceArn && matchesCdkPath(td.Tags, input.cdkPath)) {
+            return { physicalId: td.ResourceArn, attributes: {} };
+          }
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
+  async importTargetGroup(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeTargetGroupsCommand({ TargetGroupArns: [input.knownPhysicalId] })
+        );
+        return resp.TargetGroups?.[0]?.TargetGroupArn ? { physicalId: resp.TargetGroups[0].TargetGroupArn, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeTargetGroupsCommand({ ...marker && { Marker: marker } })
+      );
+      const arns = (list.TargetGroups ?? []).map((tg) => tg.TargetGroupArn).filter((arn) => Boolean(arn));
+      for (let i = 0; i < arns.length; i += 20) {
+        const batch = arns.slice(i, i + 20);
+        const tagsResp = await this.getClient().send(
+          new DescribeTagsCommand({ ResourceArns: batch })
+        );
+        for (const td of tagsResp.TagDescriptions ?? []) {
+          if (td.ResourceArn && matchesCdkPath(td.Tags, input.cdkPath)) {
+            return { physicalId: td.ResourceArn, attributes: {} };
+          }
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
   /**
    * Check if an error indicates the resource was not found
    */
@@ -21833,7 +22079,7 @@ import {
   DeleteDBSubnetGroupCommand,
   DescribeDBSubnetGroupsCommand,
   ModifyDBSubnetGroupCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand8
+  ListTagsForResourceCommand as ListTagsForResourceCommand10
 } from "@aws-sdk/client-rds";
 var RDSProvider = class {
   rdsClient;
@@ -22474,7 +22720,7 @@ var RDSProvider = class {
         if (!inst.DBInstanceIdentifier || !inst.DBInstanceArn)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand8({ ResourceName: inst.DBInstanceArn })
+          new ListTagsForResourceCommand10({ ResourceName: inst.DBInstanceArn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: inst.DBInstanceIdentifier, attributes: {} };
@@ -22509,7 +22755,7 @@ var RDSProvider = class {
         if (!c.DBClusterIdentifier || !c.DBClusterArn)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand8({ ResourceName: c.DBClusterArn })
+          new ListTagsForResourceCommand10({ ResourceName: c.DBClusterArn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: c.DBClusterIdentifier, attributes: {} };
@@ -22544,7 +22790,7 @@ var RDSProvider = class {
         if (!sg.DBSubnetGroupName || !sg.DBSubnetGroupArn)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand8({ ResourceName: sg.DBSubnetGroupArn })
+          new ListTagsForResourceCommand10({ ResourceName: sg.DBSubnetGroupArn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: sg.DBSubnetGroupName, attributes: {} };
@@ -22570,7 +22816,9 @@ import {
   CreateQueryLoggingConfigCommand,
   DeleteQueryLoggingConfigCommand,
   ListQueryLoggingConfigsCommand,
-  ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2
+  ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2,
+  ListHostedZonesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand11
 } from "@aws-sdk/client-route-53";
 var Route53Provider = class {
   route53Client;
@@ -23217,6 +23465,69 @@ var Route53Provider = class {
       physicalId
     );
   }
+  /**
+   * Adopt an existing Route 53 resource into cdkd state.
+   *
+   * Supported types: `AWS::Route53::HostedZone` (full tag-based
+   * lookup); `AWS::Route53::RecordSet` (override-only — RecordSets are
+   * not taggable, and the composite child-of-zone identity makes auto
+   * lookup impractical).
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::Route53::HostedZone":
+        return this.importHostedZone(input);
+      case "AWS::Route53::RecordSet":
+        if (input.knownPhysicalId) {
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  async importHostedZone(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new GetHostedZoneCommand2({ Id: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof Error && err.name === "NoSuchHostedZone")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new ListHostedZonesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const zone of list.HostedZones ?? []) {
+        if (!zone.Id)
+          continue;
+        const zoneId = zone.Id.replace("/hostedzone/", "");
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListTagsForResourceCommand11({
+              ResourceType: "hostedzone",
+              ResourceId: zoneId
+            })
+          );
+          if (matchesCdkPath(tagsResp.ResourceTagSet?.Tags, input.cdkPath)) {
+            return { physicalId: zoneId, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof Error && err.name === "NoSuchHostedZone")
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.NextMarker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/wafv2-provider.ts
@@ -23226,6 +23537,8 @@ import {
   UpdateWebACLCommand,
   DeleteWebACLCommand,
   GetWebACLCommand,
+  ListWebACLsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand12,
   WAFNonexistentItemException
 } from "@aws-sdk/client-wafv2";
 function parseWebACLArn(arn) {
@@ -23440,6 +23753,54 @@ var WAFv2WebACLProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing WAFv2 WebACL into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `GetWebACL` (parses
+   *     Name/Id/Scope back out of the ARN).
+   *  2. Walk `ListWebACLs(Scope)` → match `aws:cdk:path` via
+   *     `ListTagsForResource(ResourceARN)` (returns
+   *     `TagInfoForResource.TagList`, standard `Key`/`Value` shape).
+   *
+   * `Scope` is required by `ListWebACLs` — read from
+   * `Properties.Scope` (`REGIONAL` is the default).
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const { id, name, scope: scope2 } = parseWebACLArn(input.knownPhysicalId);
+        await this.getClient().send(new GetWebACLCommand({ Id: id, Name: name, Scope: scope2 }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof WAFNonexistentItemException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const scope = input.properties["Scope"] || "REGIONAL";
+    let nextMarker;
+    do {
+      const list = await this.getClient().send(
+        new ListWebACLsCommand({ Scope: scope, ...nextMarker && { NextMarker: nextMarker } })
+      );
+      for (const item of list.WebACLs ?? []) {
+        if (!item.ARN)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand12({ ResourceARN: item.ARN })
+        );
+        const tagList = tagsResp.TagInfoForResource?.TagList;
+        if (matchesCdkPath(tagList, input.cdkPath)) {
+          return { physicalId: item.ARN, attributes: {} };
+        }
+      }
+      nextMarker = list.NextMarker;
+    } while (nextMarker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/cognito-provider.ts
@@ -23450,7 +23811,7 @@ import {
   UpdateUserPoolCommand,
   DescribeUserPoolCommand,
   ListUserPoolsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand9,
+  ListTagsForResourceCommand as ListTagsForResourceCommand13,
   ResourceNotFoundException as ResourceNotFoundException12
 } from "@aws-sdk/client-cognito-identity-provider";
 var CognitoUserPoolProvider = class {
@@ -23835,7 +24196,7 @@ var CognitoUserPoolProvider = class {
             if (!arn)
               continue;
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand9({ ResourceArn: arn })
+              new ListTagsForResourceCommand13({ ResourceArn: arn })
             );
             if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
               return { physicalId: pool.Id, attributes: {} };
@@ -23859,13 +24220,18 @@ import {
   CreateCacheClusterCommand,
   DeleteCacheClusterCommand,
   DescribeCacheClustersCommand,
+  DescribeCacheSubnetGroupsCommand,
   CreateCacheSubnetGroupCommand,
   DeleteCacheSubnetGroupCommand,
   ModifyCacheSubnetGroupCommand,
-  ModifyCacheClusterCommand
+  ModifyCacheClusterCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand14
 } from "@aws-sdk/client-elasticache";
+import { STSClient as STSClient5, GetCallerIdentityCommand as GetCallerIdentityCommand6 } from "@aws-sdk/client-sts";
 var ElastiCacheProvider = class {
   client;
+  stsClient;
+  cachedAccountId;
   providerRegion = process.env["AWS_REGION"];
   logger = getLogger().child("ElastiCacheProvider");
   handledProperties = /* @__PURE__ */ new Map([
@@ -24267,6 +24633,132 @@ var ElastiCacheProvider = class {
   sleep(ms) {
     return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
+  /**
+   * Adopt an existing ElastiCache resource into cdkd state.
+   *
+   * Supported types:
+   *  - `AWS::ElastiCache::CacheCluster` — full tag-based lookup via
+   *    `DescribeCacheClusters` + `ListTagsForResource(ResourceName=arn)`.
+   *  - `AWS::ElastiCache::SubnetGroup` — full tag-based lookup via
+   *    `DescribeCacheSubnetGroups` + `ListTagsForResource(ResourceName=arn)`.
+   *
+   * `ListTagsForResource` requires an ARN. Both `CacheCluster.ARN` and
+   * `CacheSubnetGroup.ARN` are returned by the Describe APIs, so no
+   * extra reconstruction is needed in normal flow; for the explicit
+   * override path we build the ARN from `region` + STS account id +
+   * the resource name.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ElastiCache::CacheCluster":
+        return this.importCacheCluster(input);
+      case "AWS::ElastiCache::SubnetGroup":
+        return this.importSubnetGroup(input);
+      default:
+        return null;
+    }
+  }
+  async importCacheCluster(input) {
+    const explicit = resolveExplicitPhysicalId(input, "ClusterName");
+    if (explicit) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeCacheClustersCommand({ CacheClusterId: explicit })
+        );
+        const c = resp.CacheClusters?.[0];
+        return c?.CacheClusterId ? { physicalId: c.CacheClusterId, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err, "CacheClusterNotFoundFault"))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeCacheClustersCommand({ ...marker && { Marker: marker } })
+      );
+      for (const c of list.CacheClusters ?? []) {
+        if (!c.CacheClusterId)
+          continue;
+        const arn = c.ARN ?? await this.buildClusterArn(c.CacheClusterId);
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand14({ ResourceName: arn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: c.CacheClusterId, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async importSubnetGroup(input) {
+    const explicit = resolveExplicitPhysicalId(input, "CacheSubnetGroupName");
+    if (explicit) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeCacheSubnetGroupsCommand({ CacheSubnetGroupName: explicit })
+        );
+        const g = resp.CacheSubnetGroups?.[0];
+        return g?.CacheSubnetGroupName ? { physicalId: g.CacheSubnetGroupName, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err, "CacheSubnetGroupNotFoundFault"))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeCacheSubnetGroupsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const g of list.CacheSubnetGroups ?? []) {
+        if (!g.CacheSubnetGroupName)
+          continue;
+        const arn = g.ARN ?? await this.buildSubnetGroupArn(g.CacheSubnetGroupName);
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand14({ ResourceName: arn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: g.CacheSubnetGroupName, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async buildClusterArn(clusterName) {
+    const region = await this.getRegion();
+    const account = await this.getAccountId();
+    return `arn:aws:elasticache:${region}:${account}:cluster:${clusterName}`;
+  }
+  async buildSubnetGroupArn(subnetGroupName) {
+    const region = await this.getRegion();
+    const account = await this.getAccountId();
+    return `arn:aws:elasticache:${region}:${account}:subnetgroup:${subnetGroupName}`;
+  }
+  async getRegion() {
+    const region = await this.getClient().config.region();
+    return region || this.providerRegion || "us-east-1";
+  }
+  async getAccountId() {
+    if (this.cachedAccountId)
+      return this.cachedAccountId;
+    if (!this.stsClient) {
+      this.stsClient = new STSClient5(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand6({}));
+    if (!identity.Account) {
+      throw new Error("Failed to resolve AWS account id from STS");
+    }
+    this.cachedAccountId = identity.Account;
+    return this.cachedAccountId;
+  }
 };
 
 // src/provisioning/providers/servicediscovery-provider.ts
@@ -24280,7 +24772,7 @@ import {
   NamespaceNotFound,
   ServiceNotFound
 } from "@aws-sdk/client-servicediscovery";
-import { STSClient as STSClient5, GetCallerIdentityCommand as GetCallerIdentityCommand6 } from "@aws-sdk/client-sts";
+import { STSClient as STSClient6, GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
 var ServiceDiscoveryProvider = class {
   client;
   stsClient;
@@ -24312,7 +24804,7 @@ var ServiceDiscoveryProvider = class {
   }
   getStsClient() {
     if (!this.stsClient) {
-      this.stsClient = new STSClient5(this.providerRegion ? { region: this.providerRegion } : {});
+      this.stsClient = new STSClient6(this.providerRegion ? { region: this.providerRegion } : {});
     }
     return this.stsClient;
   }
@@ -24603,7 +25095,7 @@ var ServiceDiscoveryProvider = class {
    */
   async buildNamespaceArn(namespaceId) {
     const stsClient = this.getStsClient();
-    const identity = await stsClient.send(new GetCallerIdentityCommand6({}));
+    const identity = await stsClient.send(new GetCallerIdentityCommand7({}));
     const accountId = identity.Account || "";
     const region = await this.getClient().config.region();
     return `arn:aws:servicediscovery:${region}:${accountId}:namespace/${namespaceId}`;
@@ -25187,10 +25679,18 @@ import {
   CreateTableCommand as CreateTableCommand2,
   UpdateTableCommand,
   DeleteTableCommand as DeleteTableCommand2,
+  GetDatabaseCommand,
+  GetDatabasesCommand,
+  GetTableCommand,
+  GetTablesCommand,
+  GetTagsCommand,
   EntityNotFoundException
 } from "@aws-sdk/client-glue";
+import { STSClient as STSClient7, GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
 var GlueProvider = class {
   client;
+  stsClient;
+  cachedAccountId;
   providerRegion = process.env["AWS_REGION"];
   logger = getLogger().child("GlueProvider");
   handledProperties = /* @__PURE__ */ new Map([
@@ -25561,6 +26061,167 @@ var GlueProvider = class {
     }
     return result;
   }
+  /**
+   * Adopt an existing Glue Database or Table into cdkd state.
+   *
+   * Lookup order (per type):
+   *  1. Explicit override / template name → verify with `GetDatabase`
+   *     or `GetTable`.
+   *  2. Walk `GetDatabases` / `GetTables` paginators and match the
+   *     `aws:cdk:path` tag via `GetTags(ResourceArn)`. Glue tags are
+   *     a `Record<string,string>` map (not a `Tag[]` array), so the
+   *     match is `tags?.[CDK_PATH_TAG] === input.cdkPath`.
+   *
+   * Glue list APIs return only names — ARNs are constructed locally
+   * for the per-item GetTags call.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::Glue::Database":
+        return this.importDatabase(input);
+      case "AWS::Glue::Table":
+        return this.importTable(input);
+      default:
+        return null;
+    }
+  }
+  async importDatabase(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["DatabaseInput"]?.["Name"];
+    const catalogId = input.properties["CatalogId"];
+    if (explicitName) {
+      try {
+        await this.getClient().send(
+          new GetDatabaseCommand({ Name: explicitName, ...catalogId && { CatalogId: catalogId } })
+        );
+        return { physicalId: explicitName, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new GetDatabasesCommand({
+          ...nextToken && { NextToken: nextToken },
+          ...catalogId && { CatalogId: catalogId }
+        })
+      );
+      for (const db of list.DatabaseList ?? []) {
+        if (!db.Name)
+          continue;
+        const arn = await this.buildDatabaseArn(db.Name, db.CatalogId);
+        if (await this.tagsMatchCdkPath(arn, input.cdkPath)) {
+          return { physicalId: db.Name, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  async importTable(input) {
+    const databaseName = input.properties["DatabaseName"];
+    const tableInput = input.properties["TableInput"];
+    const templateTableName = tableInput?.["Name"];
+    const catalogId = input.properties["CatalogId"];
+    if (input.knownPhysicalId) {
+      const [dbName, tName] = input.knownPhysicalId.split("|");
+      if (!dbName || !tName)
+        return null;
+      try {
+        await this.getClient().send(
+          new GetTableCommand({
+            DatabaseName: dbName,
+            Name: tName,
+            ...catalogId && { CatalogId: catalogId }
+          })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (databaseName && templateTableName) {
+      try {
+        await this.getClient().send(
+          new GetTableCommand({
+            DatabaseName: databaseName,
+            Name: templateTableName,
+            ...catalogId && { CatalogId: catalogId }
+          })
+        );
+        return { physicalId: `${databaseName}|${templateTableName}`, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath || !databaseName)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new GetTablesCommand({
+          DatabaseName: databaseName,
+          ...nextToken && { NextToken: nextToken },
+          ...catalogId && { CatalogId: catalogId }
+        })
+      );
+      for (const t of list.TableList ?? []) {
+        if (!t.Name)
+          continue;
+        const arn = await this.buildTableArn(databaseName, t.Name, catalogId);
+        if (await this.tagsMatchCdkPath(arn, input.cdkPath)) {
+          return { physicalId: `${databaseName}|${t.Name}`, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  async tagsMatchCdkPath(arn, cdkPath) {
+    try {
+      const resp = await this.getClient().send(new GetTagsCommand({ ResourceArn: arn }));
+      return resp.Tags?.[CDK_PATH_TAG] === cdkPath;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return false;
+      throw err;
+    }
+  }
+  async buildDatabaseArn(databaseName, catalogId) {
+    const region = await this.getRegion();
+    const account = catalogId ?? await this.getAccountId();
+    return `arn:aws:glue:${region}:${account}:database/${databaseName}`;
+  }
+  async buildTableArn(databaseName, tableName, catalogId) {
+    const region = await this.getRegion();
+    const account = catalogId ?? await this.getAccountId();
+    return `arn:aws:glue:${region}:${account}:table/${databaseName}/${tableName}`;
+  }
+  async getRegion() {
+    const region = await this.getClient().config.region();
+    return region || this.providerRegion || "us-east-1";
+  }
+  async getAccountId() {
+    if (this.cachedAccountId)
+      return this.cachedAccountId;
+    if (!this.stsClient) {
+      this.stsClient = new STSClient7(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand8({}));
+    if (!identity.Account) {
+      throw new Error("Failed to resolve AWS account id from STS");
+    }
+    this.cachedAccountId = identity.Account;
+    return this.cachedAccountId;
+  }
 };
 
 // src/provisioning/providers/kms-provider.ts
@@ -26042,6 +26703,8 @@ import {
   DecreaseStreamRetentionPeriodCommand,
   StartStreamEncryptionCommand,
   StopStreamEncryptionCommand,
+  ListStreamsCommand,
+  ListTagsForStreamCommand,
   ResourceNotFoundException as ResourceNotFoundException13
 } from "@aws-sdk/client-kinesis";
 var KinesisStreamProvider = class {
@@ -26294,6 +26957,54 @@ var KinesisStreamProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Kinesis stream into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.Name` → verify
+   *     with `DescribeStream`.
+   *  2. Walk `ListStreams` (paged via `ExclusiveStartStreamName`) and
+   *     match the `aws:cdk:path` tag via `ListTagsForStream(StreamName)`.
+   *
+   * Kinesis tags use the standard `Tag[]` array shape (`Key`/`Value`),
+   * so `matchesCdkPath` from import-helpers applies directly.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        await this.getClient().send(new DescribeStreamCommand({ StreamName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException13)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let exclusiveStartStreamName;
+    while (true) {
+      const list = await this.getClient().send(
+        new ListStreamsCommand({
+          ...exclusiveStartStreamName && { ExclusiveStartStreamName: exclusiveStartStreamName }
+        })
+      );
+      const names = list.StreamNames ?? [];
+      for (const streamName of names) {
+        const tagsResp = await this.getClient().send(
+          new ListTagsForStreamCommand({ StreamName: streamName })
+        );
+        if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+          return { physicalId: streamName, attributes: {} };
+        }
+      }
+      if (!list.HasMoreStreams || names.length === 0)
+        break;
+      exclusiveStartStreamName = names[names.length - 1];
+    }
+    return null;
+  }
   /**
    * Poll DescribeStream until the stream reaches ACTIVE status
    *
@@ -26336,6 +27047,7 @@ import {
   CreateAccessPointCommand,
   DeleteAccessPointCommand,
   DescribeFileSystemsCommand,
+  DescribeAccessPointsCommand,
   FileSystemNotFound,
   MountTargetNotFound,
   AccessPointNotFound
@@ -26737,6 +27449,100 @@ var EFSProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing EFS resource into cdkd state.
+   *
+   * Supported types:
+   *  - `AWS::EFS::FileSystem` — full tag-based lookup via
+   *    `DescribeFileSystems` with `Tags` inline on each item.
+   *  - `AWS::EFS::AccessPoint` — full tag-based lookup via
+   *    `DescribeAccessPoints` with `Tags` inline on each item.
+   *  - `AWS::EFS::MountTarget` — override-only (mount targets are
+   *    not taggable; auto lookup is impractical).
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::EFS::FileSystem":
+        return this.importFileSystem(input);
+      case "AWS::EFS::AccessPoint":
+        return this.importAccessPoint(input);
+      case "AWS::EFS::MountTarget":
+        if (input.knownPhysicalId) {
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  async importFileSystem(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeFileSystemsCommand({ FileSystemId: input.knownPhysicalId })
+        );
+        const fs = resp.FileSystems?.[0];
+        return fs?.FileSystemId ? { physicalId: fs.FileSystemId, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof FileSystemNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeFileSystemsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const fs of list.FileSystems ?? []) {
+        if (!fs.FileSystemId)
+          continue;
+        if (matchesCdkPath(fs.Tags, input.cdkPath)) {
+          return { physicalId: fs.FileSystemId, attributes: {} };
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
+  async importAccessPoint(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeAccessPointsCommand({ AccessPointId: input.knownPhysicalId })
+        );
+        const ap = resp.AccessPoints?.[0];
+        return ap?.AccessPointId ? { physicalId: ap.AccessPointId, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof AccessPointNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const fileSystemId = input.properties["FileSystemId"];
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new DescribeAccessPointsCommand({
+          ...nextToken && { NextToken: nextToken },
+          ...fileSystemId && { FileSystemId: fileSystemId }
+        })
+      );
+      for (const ap of list.AccessPoints ?? []) {
+        if (!ap.AccessPointId)
+          continue;
+        if (matchesCdkPath(ap.Tags, input.cdkPath)) {
+          return { physicalId: ap.AccessPointId, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/firehose-provider.ts
@@ -26744,6 +27550,9 @@ import {
   FirehoseClient,
   CreateDeliveryStreamCommand,
   DeleteDeliveryStreamCommand,
+  DescribeDeliveryStreamCommand,
+  ListDeliveryStreamsCommand,
+  ListTagsForDeliveryStreamCommand,
   ResourceNotFoundException as ResourceNotFoundException14
 } from "@aws-sdk/client-firehose";
 var FirehoseProvider = class {
@@ -27080,12 +27889,63 @@ var FirehoseProvider = class {
     }
     return result;
   }
+  /**
+   * Adopt an existing Kinesis Firehose delivery stream into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.DeliveryStreamName`
+   *     → verify with `DescribeDeliveryStream`.
+   *  2. Walk `ListDeliveryStreams` (paged via `ExclusiveStartDeliveryStreamName`)
+   *     and match the `aws:cdk:path` tag via
+   *     `ListTagsForDeliveryStream(DeliveryStreamName)`.
+   *
+   * Firehose tags use the standard `Tag[]` array shape (`Key`/`Value`).
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DeliveryStreamName");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDeliveryStreamCommand({ DeliveryStreamName: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException14)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let exclusiveStartDeliveryStreamName;
+    while (true) {
+      const list = await this.getClient().send(
+        new ListDeliveryStreamsCommand({
+          ...exclusiveStartDeliveryStreamName && {
+            ExclusiveStartDeliveryStreamName: exclusiveStartDeliveryStreamName
+          }
+        })
+      );
+      const names = list.DeliveryStreamNames ?? [];
+      for (const name of names) {
+        const tagsResp = await this.getClient().send(
+          new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: name })
+        );
+        if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+          return { physicalId: name, attributes: {} };
+        }
+      }
+      if (!list.HasMoreDeliveryStreams || names.length === 0)
+        break;
+      exclusiveStartDeliveryStreamName = names[names.length - 1];
+    }
+    return null;
+  }
   /**
    * Wait for a delivery stream to become ACTIVE.
    * Firehose CreateDeliveryStream returns immediately while the stream is still CREATING.
    */
   async waitForActive(streamName, logicalId) {
-    const { DescribeDeliveryStreamCommand } = await import("@aws-sdk/client-firehose");
     const maxAttempts = 30;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
       const resp = await this.getClient().send(
@@ -27893,7 +28753,7 @@ import {
   ListObjectsV2Command as ListObjectsV2Command2,
   DeleteObjectsCommand as DeleteObjectsCommand2
 } from "@aws-sdk/client-s3";
-import { GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand9 } from "@aws-sdk/client-sts";
 import { EC2Client as EC2Client8, DescribeAvailabilityZonesCommand as DescribeAvailabilityZonesCommand3 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var S3DirectoryBucketProvider = class {
@@ -27949,7 +28809,7 @@ var S3DirectoryBucketProvider = class {
    * Get the AWS account ID via STS
    */
   async getAccountId() {
-    const identity = await this.stsClient.send(new GetCallerIdentityCommand7({}));
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand9({}));
     return identity.Account;
   }
   /**
@@ -28504,7 +29364,7 @@ import {
   PutImageScanningConfigurationCommand,
   PutImageTagMutabilityCommand,
   TagResourceCommand as TagResourceCommand7,
-  ListTagsForResourceCommand as ListTagsForResourceCommand10,
+  ListTagsForResourceCommand as ListTagsForResourceCommand15,
   RepositoryNotFoundException
 } from "@aws-sdk/client-ecr";
 var ECRProvider = class {
@@ -28773,7 +29633,7 @@ var ECRProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand10({ resourceArn: repo.repositoryArn })
+            new ListTagsForResourceCommand15({ resourceArn: repo.repositoryArn })
           );
           if (matchesCdkPath(tagsResp.tags, input.cdkPath)) {
             return { physicalId: repo.repositoryName, attributes: {} };
@@ -30301,11 +31161,11 @@ async function deployCommand(stacks, options) {
         addDependencies(stack.stackName);
       }
     }
-    const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
-    const stsClient = new STSClient7({
+    const { STSClient: STSClient9, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+    const stsClient = new STSClient9({
       region: options.region || process.env["AWS_REGION"] || "us-east-1"
     });
-    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand9({}));
+    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand11({}));
     const accountId = callerIdentity.Account;
     stsClient.destroy();
     const assetPublisher = new AssetPublisher();
@@ -31358,7 +32218,7 @@ import {
   PutBucketVersioningCommand as PutBucketVersioningCommand3,
   S3Client as S3Client10
 } from "@aws-sdk/client-s3";
-import { GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand10 } from "@aws-sdk/client-sts";
 init_aws_clients();
 async function stateMigrateCommand(options) {
   const logger = getLogger();
@@ -31371,7 +32231,7 @@ async function stateMigrateCommand(options) {
   });
   setAwsClients(awsClients);
   try {
-    const identity = await awsClients.sts.send(new GetCallerIdentityCommand8({}));
+    const identity = await awsClients.sts.send(new GetCallerIdentityCommand10({}));
     const accountId = identity.Account;
     if (!accountId) {
       throw new Error("STS GetCallerIdentity returned no Account id.");
@@ -32699,7 +33559,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.19.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.20.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());