@go-to-k/cdkd 0.19.0 → 0.21.0

package/dist/cli.js

@@ -1155,11 +1155,11 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
     return syncResult;
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
-  const { GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
+  const { GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
   const { S3Client: S3Client11 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
-  const identity = await awsClients.sts.send(new GetCallerIdentityCommand9({}));
+  const identity = await awsClients.sts.send(new GetCallerIdentityCommand11({}));
   const accountId = identity.Account;
   const newName = getDefaultStateBucketName(accountId);
   const legacyName = getLegacyStateBucketName(accountId, region);
@@ -1218,9 +1218,9 @@ async function bucketHasAnyState(client, bucketName) {
   }
 }
 async function bucketExists(client, bucketName) {
-  const { HeadBucketCommand: HeadBucketCommand5 } = await import("@aws-sdk/client-s3");
+  const { HeadBucketCommand: HeadBucketCommand6 } = await import("@aws-sdk/client-s3");
   try {
-    await client.send(new HeadBucketCommand5({ Bucket: bucketName }));
+    await client.send(new HeadBucketCommand6({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -3431,9 +3431,9 @@ var AssetPublisher = class {
       const region = options.region || process.env["AWS_REGION"] || "us-east-1";
       let accountId = options.accountId;
       if (!accountId) {
-        const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
-        const stsClient = new STSClient7({ region });
-        const identity = await stsClient.send(new GetCallerIdentityCommand9({}));
+        const { STSClient: STSClient9, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+        const stsClient = new STSClient9({ region });
+        const identity = await stsClient.send(new GetCallerIdentityCommand11({}));
         accountId = identity.Account;
         stsClient.destroy();
       }
@@ -8864,6 +8864,27 @@ var IAMPolicyProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing IAM inline policy into cdkd state.
+   *
+   * **Explicit override only.** `AWS::IAM::Policy` in CloudFormation is an
+   * inline policy attached to roles / groups / users — not a standalone
+   * resource. Inline policies are not taggable and have no global identity,
+   * so tag-based auto-lookup via `aws:cdk:path` is not feasible. Users
+   * adopting inline policies must pass `--resource <logicalId>=<policyName>`
+   * (the physical id is the policy name itself).
+   *
+   * For standalone managed policies (`AWS::IAM::ManagedPolicy`), the
+   * Cloud Control API fallback handles import via the same explicit
+   * override mode.
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/iam-instance-profile-provider.ts
@@ -8871,6 +8892,7 @@ import {
   CreateInstanceProfileCommand,
   DeleteInstanceProfileCommand,
   GetInstanceProfileCommand,
+  ListInstanceProfilesCommand,
   AddRoleToInstanceProfileCommand,
   RemoveRoleFromInstanceProfileCommand as RemoveRoleFromInstanceProfileCommand2,
   NoSuchEntityException as NoSuchEntityException3
@@ -9072,6 +9094,48 @@ var IAMInstanceProfileProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing IAM instance profile into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.InstanceProfileName` → verify
+   *     via `GetInstanceProfile`.
+   *  2. `ListInstanceProfiles` paginator + match `aws:cdk:path` against the
+   *     `InstanceProfile.Tags` array returned inline (no separate
+   *     `ListInstanceProfileTags` call needed).
+   *
+   * IAM is global; this walks every instance profile in the account once.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "InstanceProfileName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetInstanceProfileCommand({ InstanceProfileName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException3)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.iamClient.send(
+        new ListInstanceProfilesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const profile of list.InstanceProfiles ?? []) {
+        if (!profile.InstanceProfileName)
+          continue;
+        if (matchesCdkPath(profile.Tags, input.cdkPath)) {
+          return { physicalId: profile.InstanceProfileName, attributes: {} };
+        }
+      }
+      marker = list.IsTruncated ? list.Marker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/iam-user-group-provider.ts
@@ -9102,6 +9166,8 @@ import {
   DeleteLoginProfileCommand,
   ListAccessKeysCommand,
   DeleteAccessKeyCommand,
+  ListUsersCommand,
+  ListUserTagsCommand,
   NoSuchEntityException as NoSuchEntityException4,
   TagUserCommand,
   PutUserPermissionsBoundaryCommand,
@@ -10080,6 +10146,92 @@ var IAMUserGroupProvider = class {
       );
     }
   }
+  // ─── Import dispatch ──────────────────────────────────────────────
+  /**
+   * Adopt an existing IAM user / group / user-to-group addition into cdkd state.
+   *
+   *  - **AWS::IAM::User**: tag-based auto-lookup via `ListUsers` +
+   *    `ListUserTags`. Falls back to `--resource` override or
+   *    `Properties.UserName`.
+   *  - **AWS::IAM::Group**: explicit-override only. IAM groups are not
+   *    taggable (no `ListGroupTags` API), so tag-based auto-lookup is not
+   *    possible. Caller can still pass `Properties.GroupName` or
+   *    `--resource` to verify and adopt by name.
+   *  - **AWS::IAM::UserToGroupAddition**: explicit-override only. Has no
+   *    AWS-side identity beyond the (group, users) attachment itself.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::IAM::User":
+        return this.importUser(input);
+      case "AWS::IAM::Group":
+        return this.importGroup(input);
+      case "AWS::IAM::UserToGroupAddition":
+        return this.importUserToGroupAddition(input);
+      default:
+        return null;
+    }
+  }
+  async importUser(input) {
+    const explicit = resolveExplicitPhysicalId(input, "UserName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetUserCommand({ UserName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException4)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.iamClient.send(
+        new ListUsersCommand({ ...marker && { Marker: marker } })
+      );
+      for (const user of list.Users ?? []) {
+        if (!user.UserName)
+          continue;
+        try {
+          const tags = await this.iamClient.send(
+            new ListUserTagsCommand({ UserName: user.UserName })
+          );
+          if (matchesCdkPath(tags.Tags, input.cdkPath)) {
+            return { physicalId: user.UserName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof NoSuchEntityException4)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.Marker : void 0;
+    } while (marker);
+    return null;
+  }
+  async importGroup(input) {
+    const explicit = resolveExplicitPhysicalId(input, "GroupName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetGroupCommand({ GroupName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException4)
+          return null;
+        throw err;
+      }
+    }
+    return null;
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async importUserToGroupAddition(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/s3-bucket-provider.ts
@@ -13523,6 +13675,9 @@ var LambdaEventSourceMappingProvider = class {
 import {
   PublishLayerVersionCommand,
   DeleteLayerVersionCommand,
+  GetLayerVersionByArnCommand,
+  ListLayersCommand,
+  ListTagsCommand as ListTagsCommand2,
   ResourceNotFoundException as ResourceNotFoundException5
 } from "@aws-sdk/client-lambda";
 init_aws_clients();
@@ -13661,6 +13816,67 @@ var LambdaLayerVersionProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Lambda layer version into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<layerVersionArn>` override → verify with
+   *     `GetLayerVersionByArn`. (Note: there is no `LayerName` field that
+   *     uniquely names a *version*; a layer name resolves to the latest
+   *     version, so an explicit ARN is the only unambiguous override.)
+   *  2. `ListLayers` paginator + `ListTags(Resource: layerArn)` (which
+   *     returns a `Tags: Record<string,string>` map keyed by tag name).
+   *     Match `aws:cdk:path` and adopt `LatestMatchingVersion.LayerVersionArn`.
+   *
+   * **Caveat**: Lambda layer versions are immutable, so auto-lookup adopts
+   * the LATEST version of the named layer that carries the matching CDK
+   * path tag. If the user's CDK app has since published newer versions
+   * outside cdkd's tracking, the adopted physical id may be stale; pass
+   * `--resource <id>=<arn>` to pin a specific version.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.lambdaClient.send(
+          new GetLayerVersionByArnCommand({ Arn: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException5)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.lambdaClient.send(
+        new ListLayersCommand({ ...marker && { Marker: marker } })
+      );
+      for (const layer of list.Layers ?? []) {
+        if (!layer.LayerArn || !layer.LatestMatchingVersion?.LayerVersionArn)
+          continue;
+        try {
+          const tagsResp = await this.lambdaClient.send(
+            new ListTagsCommand2({ Resource: layer.LayerArn })
+          );
+          if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return {
+              physicalId: layer.LatestMatchingVersion.LayerVersionArn,
+              attributes: {}
+            };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException5)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/dynamodb-table-provider.ts
@@ -15109,7 +15325,9 @@ import {
   RemoveTargetsCommand,
   DeleteRuleCommand,
   DescribeRuleCommand,
+  ListRulesCommand,
   ListTargetsByRuleCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand5,
   TagResourceCommand as TagResourceCommand4,
   UntagResourceCommand as UntagResourceCommand4,
   ResourceNotFoundException as ResourceNotFoundException9
@@ -15377,6 +15595,85 @@ var EventBridgeRuleProvider = class {
     }
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::Events::Rule`);
   }
+  /**
+   * Adopt an existing EventBridge rule into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arnOrName>` override → verify with
+   *     `DescribeRule` (scoped to the same `EventBusName` declared in
+   *     the template, if any). The override is honored as-is so users
+   *     can pass either the ARN (cdkd's standard physicalId form for
+   *     this provider) or just the rule name.
+   *  2. If the template carries `Properties.Name` use that as the rule
+   *     name lookup, then verify with `DescribeRule` and return the
+   *     rule's ARN as physicalId.
+   *  3. Walk `ListRules(EventBusName?)` and match `aws:cdk:path` via
+   *     `ListTagsForResource(ResourceARN=rule.Arn)`. Returns the rule
+   *     ARN as physicalId — same shape that `create` returns.
+   *
+   * EventBridge tags use the standard `Tag[]` array shape
+   * (`Key`/`Value`).
+   */
+  async import(input) {
+    const eventBusName = input.properties["EventBusName"];
+    if (input.knownPhysicalId) {
+      try {
+        const ruleName = this.extractRuleNameFromArn(input.knownPhysicalId);
+        const resp = await this.eventBridgeClient.send(
+          new DescribeRuleCommand({
+            Name: ruleName,
+            ...eventBusName && { EventBusName: eventBusName }
+          })
+        );
+        return { physicalId: resp.Arn ?? input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException9)
+          return null;
+        throw err;
+      }
+    }
+    const templateName = input.properties["Name"];
+    if (templateName) {
+      try {
+        const resp = await this.eventBridgeClient.send(
+          new DescribeRuleCommand({
+            Name: templateName,
+            ...eventBusName && { EventBusName: eventBusName }
+          })
+        );
+        if (resp.Arn)
+          return { physicalId: resp.Arn, attributes: {} };
+        return null;
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException9)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.eventBridgeClient.send(
+        new ListRulesCommand({
+          ...eventBusName && { EventBusName: eventBusName },
+          ...nextToken && { NextToken: nextToken }
+        })
+      );
+      for (const rule of list.Rules ?? []) {
+        if (!rule.Arn)
+          continue;
+        const tagsResp = await this.eventBridgeClient.send(
+          new ListTagsForResourceCommand5({ ResourceARN: rule.Arn })
+        );
+        if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+          return { physicalId: rule.Arn, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
   /**
    * Extract rule name from an ARN
    *
@@ -15399,8 +15696,8 @@ import {
   UpdateEventBusCommand,
   DescribeEventBusCommand,
   ListEventBusesCommand,
-  ListRulesCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand5,
+  ListRulesCommand as ListRulesCommand2,
+  ListTagsForResourceCommand as ListTagsForResourceCommand6,
   RemoveTargetsCommand as RemoveTargetsCommand2,
   DeleteRuleCommand as DeleteRuleCommand2,
   ListTargetsByRuleCommand as ListTargetsByRuleCommand2,
@@ -15595,7 +15892,7 @@ var EventBridgeBusProvider = class {
   async cleanupRulesOnBus(busName) {
     try {
       const rulesResponse = await this.eventBridgeClient.send(
-        new ListRulesCommand({ EventBusName: busName })
+        new ListRulesCommand2({ EventBusName: busName })
       );
       const rules = rulesResponse.Rules ?? [];
       if (rules.length === 0)
@@ -15672,7 +15969,7 @@ var EventBridgeBusProvider = class {
           continue;
         try {
           const tagsResp = await this.eventBridgeClient.send(
-            new ListTagsForResourceCommand5({ ResourceARN: bus.Arn })
+            new ListTagsForResourceCommand6({ ResourceARN: bus.Arn })
           );
           if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
             return { physicalId: bus.Name, attributes: {} };
@@ -19505,7 +19802,7 @@ import {
   GetDistributionCommand,
   GetDistributionConfigCommand,
   ListDistributionsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand6,
+  ListTagsForResourceCommand as ListTagsForResourceCommand7,
   NoSuchDistribution
 } from "@aws-sdk/client-cloudfront";
 init_aws_clients();
@@ -19941,7 +20238,7 @@ var CloudFrontDistributionProvider = class {
           continue;
         try {
           const tagsResp = await this.cloudFrontClient.send(
-            new ListTagsForResourceCommand6({ Resource: d.ARN })
+            new ListTagsForResourceCommand7({ Resource: d.ARN })
           );
           if (matchesCdkPath(tagsResp.Tags?.Items, input.cdkPath)) {
             return { physicalId: d.Id, attributes: {} };
@@ -20227,6 +20524,8 @@ import {
   UpdateStateMachineCommand,
   DeleteStateMachineCommand,
   DescribeStateMachineCommand,
+  ListStateMachinesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand8,
   StateMachineDoesNotExist
 } from "@aws-sdk/client-sfn";
 var StepFunctionsProvider = class {
@@ -20409,6 +20708,67 @@ var StepFunctionsProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Step Functions state machine into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `DescribeStateMachine`.
+   *  2. Walk `ListStateMachines` paginator → `ListTagsForResource(arn)`,
+   *     match the lowercase `key`/`value` `aws:cdk:path` tag (SFN uses
+   *     lowercase tags, so `matchesCdkPath` from import-helpers does not
+   *     apply directly).
+   *
+   * SFN state machines do not expose a template-supplied name field
+   * usable as a stable physicalId — the physicalId is the ARN — so the
+   * fallback to `Properties.<NameField>` in `resolveExplicitPhysicalId`
+   * is skipped here.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(
+          new DescribeStateMachineCommand({ stateMachineArn: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof StateMachineDoesNotExist)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListStateMachinesCommand({ ...nextToken && { nextToken } })
+      );
+      for (const sm of list.stateMachines ?? []) {
+        if (!sm.stateMachineArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand8({ resourceArn: sm.stateMachineArn })
+        );
+        if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
+          return { physicalId: sm.stateMachineArn, attributes: {} };
+        }
+      }
+      nextToken = list.nextToken;
+    } while (nextToken);
+    return null;
+  }
+  /**
+   * Match SFN's lowercase `key`/`value` tag shape against the CDK path.
+   */
+  tagsMatchCdkPath(tags, cdkPath) {
+    if (!tags)
+      return false;
+    for (const t of tags) {
+      if (t.key === CDK_PATH_TAG && t.value === cdkPath)
+        return true;
+    }
+    return false;
+  }
   /**
    * Build definition string from CDK properties.
    * Handles both DefinitionString (string) and DefinitionString (object) forms.
@@ -20448,7 +20808,7 @@ import {
   DescribeServicesCommand,
   ListClustersCommand,
   ListServicesCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand7
+  ListTagsForResourceCommand as ListTagsForResourceCommand9
 } from "@aws-sdk/client-ecs";
 function convertTags(tags) {
   if (!tags || tags.length === 0)
@@ -21226,7 +21586,7 @@ var ECSProvider = class {
       );
       for (const arn of list.clusterArns ?? []) {
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand7({ resourceArn: arn })
+          new ListTagsForResourceCommand9({ resourceArn: arn })
         );
         if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
           const name = arn.substring(arn.lastIndexOf("/") + 1);
@@ -21259,7 +21619,7 @@ var ECSProvider = class {
           );
           for (const svcArn of svcList.serviceArns ?? []) {
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand7({ resourceArn: svcArn })
+              new ListTagsForResourceCommand9({ resourceArn: svcArn })
             );
             if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) {
               const svcName = svcArn.substring(svcArn.lastIndexOf("/") + 1);
@@ -21311,6 +21671,7 @@ import {
   DeleteTargetGroupCommand,
   ModifyTargetGroupCommand,
   DescribeTargetGroupsCommand,
+  DescribeTagsCommand,
   CreateListenerCommand,
   DeleteListenerCommand,
   ModifyListenerCommand
@@ -21807,33 +22168,134 @@ var ELBv2Provider = class {
     return certificates;
   }
   /**
-   * Check if an error indicates the resource was not found
+   * Adopt an existing ELBv2 LoadBalancer or TargetGroup into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `DescribeLoadBalancers`
+   *     or `DescribeTargetGroups`.
+   *  2. Walk `DescribeLoadBalancers` / `DescribeTargetGroups` paginators →
+   *     batch-fetch tags for each ARN with `DescribeTags(ResourceArns)`
+   *     and match `aws:cdk:path` (standard `Key`/`Value` Tag[] shape).
+   *
+   * Listener is not auto-importable (no template-supplied stable
+   * identifier and no convenient tag-by-LB-context shortcut); use
+   * `--resource <listenerId>=<arn>` for those.
    */
-  isNotFoundError(error) {
-    if (!(error instanceof Error))
-      return false;
-    const message = (error.message || "").toLowerCase();
-    const name = error.name ?? "";
-    return message.includes("not found") || message.includes("does not exist") || name === "LoadBalancerNotFoundException" || name === "TargetGroupNotFoundException" || name === "ListenerNotFoundException";
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ElasticLoadBalancingV2::LoadBalancer":
+        return this.importLoadBalancer(input);
+      case "AWS::ElasticLoadBalancingV2::TargetGroup":
+        return this.importTargetGroup(input);
+      case "AWS::ElasticLoadBalancingV2::Listener":
+        if (input.knownPhysicalId) {
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        }
+        return null;
+      default:
+        return null;
+    }
   }
-};
-
-// src/provisioning/providers/rds-provider.ts
-import {
-  RDSClient,
-  CreateDBClusterCommand,
-  DeleteDBClusterCommand,
-  ModifyDBClusterCommand,
-  DescribeDBClustersCommand,
-  CreateDBInstanceCommand,
-  DeleteDBInstanceCommand,
-  ModifyDBInstanceCommand,
-  DescribeDBInstancesCommand,
-  CreateDBSubnetGroupCommand,
+  async importLoadBalancer(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeLoadBalancersCommand2({ LoadBalancerArns: [input.knownPhysicalId] })
+        );
+        return resp.LoadBalancers?.[0]?.LoadBalancerArn ? { physicalId: resp.LoadBalancers[0].LoadBalancerArn, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeLoadBalancersCommand2({ ...marker && { Marker: marker } })
+      );
+      const arns = (list.LoadBalancers ?? []).map((lb) => lb.LoadBalancerArn).filter((arn) => Boolean(arn));
+      for (let i = 0; i < arns.length; i += 20) {
+        const batch = arns.slice(i, i + 20);
+        const tagsResp = await this.getClient().send(
+          new DescribeTagsCommand({ ResourceArns: batch })
+        );
+        for (const td of tagsResp.TagDescriptions ?? []) {
+          if (td.ResourceArn && matchesCdkPath(td.Tags, input.cdkPath)) {
+            return { physicalId: td.ResourceArn, attributes: {} };
+          }
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
+  async importTargetGroup(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeTargetGroupsCommand({ TargetGroupArns: [input.knownPhysicalId] })
+        );
+        return resp.TargetGroups?.[0]?.TargetGroupArn ? { physicalId: resp.TargetGroups[0].TargetGroupArn, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeTargetGroupsCommand({ ...marker && { Marker: marker } })
+      );
+      const arns = (list.TargetGroups ?? []).map((tg) => tg.TargetGroupArn).filter((arn) => Boolean(arn));
+      for (let i = 0; i < arns.length; i += 20) {
+        const batch = arns.slice(i, i + 20);
+        const tagsResp = await this.getClient().send(
+          new DescribeTagsCommand({ ResourceArns: batch })
+        );
+        for (const td of tagsResp.TagDescriptions ?? []) {
+          if (td.ResourceArn && matchesCdkPath(td.Tags, input.cdkPath)) {
+            return { physicalId: td.ResourceArn, attributes: {} };
+          }
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
+  /**
+   * Check if an error indicates the resource was not found
+   */
+  isNotFoundError(error) {
+    if (!(error instanceof Error))
+      return false;
+    const message = (error.message || "").toLowerCase();
+    const name = error.name ?? "";
+    return message.includes("not found") || message.includes("does not exist") || name === "LoadBalancerNotFoundException" || name === "TargetGroupNotFoundException" || name === "ListenerNotFoundException";
+  }
+};
+
+// src/provisioning/providers/rds-provider.ts
+import {
+  RDSClient,
+  CreateDBClusterCommand,
+  DeleteDBClusterCommand,
+  ModifyDBClusterCommand,
+  DescribeDBClustersCommand,
+  CreateDBInstanceCommand,
+  DeleteDBInstanceCommand,
+  ModifyDBInstanceCommand,
+  DescribeDBInstancesCommand,
+  CreateDBSubnetGroupCommand,
   DeleteDBSubnetGroupCommand,
   DescribeDBSubnetGroupsCommand,
   ModifyDBSubnetGroupCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand8
+  ListTagsForResourceCommand as ListTagsForResourceCommand10
 } from "@aws-sdk/client-rds";
 var RDSProvider = class {
   rdsClient;
@@ -22474,7 +22936,7 @@ var RDSProvider = class {
         if (!inst.DBInstanceIdentifier || !inst.DBInstanceArn)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand8({ ResourceName: inst.DBInstanceArn })
+          new ListTagsForResourceCommand10({ ResourceName: inst.DBInstanceArn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: inst.DBInstanceIdentifier, attributes: {} };
@@ -22509,7 +22971,7 @@ var RDSProvider = class {
         if (!c.DBClusterIdentifier || !c.DBClusterArn)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand8({ ResourceName: c.DBClusterArn })
+          new ListTagsForResourceCommand10({ ResourceName: c.DBClusterArn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: c.DBClusterIdentifier, attributes: {} };
@@ -22544,7 +23006,7 @@ var RDSProvider = class {
         if (!sg.DBSubnetGroupName || !sg.DBSubnetGroupArn)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand8({ ResourceName: sg.DBSubnetGroupArn })
+          new ListTagsForResourceCommand10({ ResourceName: sg.DBSubnetGroupArn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: sg.DBSubnetGroupName, attributes: {} };
@@ -22570,7 +23032,9 @@ import {
   CreateQueryLoggingConfigCommand,
   DeleteQueryLoggingConfigCommand,
   ListQueryLoggingConfigsCommand,
-  ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2
+  ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2,
+  ListHostedZonesCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand11
 } from "@aws-sdk/client-route-53";
 var Route53Provider = class {
   route53Client;
@@ -23217,6 +23681,69 @@ var Route53Provider = class {
       physicalId
     );
   }
+  /**
+   * Adopt an existing Route 53 resource into cdkd state.
+   *
+   * Supported types: `AWS::Route53::HostedZone` (full tag-based
+   * lookup); `AWS::Route53::RecordSet` (override-only — RecordSets are
+   * not taggable, and the composite child-of-zone identity makes auto
+   * lookup impractical).
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::Route53::HostedZone":
+        return this.importHostedZone(input);
+      case "AWS::Route53::RecordSet":
+        if (input.knownPhysicalId) {
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  async importHostedZone(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new GetHostedZoneCommand2({ Id: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof Error && err.name === "NoSuchHostedZone")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new ListHostedZonesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const zone of list.HostedZones ?? []) {
+        if (!zone.Id)
+          continue;
+        const zoneId = zone.Id.replace("/hostedzone/", "");
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListTagsForResourceCommand11({
+              ResourceType: "hostedzone",
+              ResourceId: zoneId
+            })
+          );
+          if (matchesCdkPath(tagsResp.ResourceTagSet?.Tags, input.cdkPath)) {
+            return { physicalId: zoneId, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof Error && err.name === "NoSuchHostedZone")
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.NextMarker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/wafv2-provider.ts
@@ -23226,6 +23753,8 @@ import {
   UpdateWebACLCommand,
   DeleteWebACLCommand,
   GetWebACLCommand,
+  ListWebACLsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand12,
   WAFNonexistentItemException
 } from "@aws-sdk/client-wafv2";
 function parseWebACLArn(arn) {
@@ -23440,6 +23969,54 @@ var WAFv2WebACLProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing WAFv2 WebACL into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `GetWebACL` (parses
+   *     Name/Id/Scope back out of the ARN).
+   *  2. Walk `ListWebACLs(Scope)` → match `aws:cdk:path` via
+   *     `ListTagsForResource(ResourceARN)` (returns
+   *     `TagInfoForResource.TagList`, standard `Key`/`Value` shape).
+   *
+   * `Scope` is required by `ListWebACLs` — read from
+   * `Properties.Scope` (`REGIONAL` is the default).
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const { id, name, scope: scope2 } = parseWebACLArn(input.knownPhysicalId);
+        await this.getClient().send(new GetWebACLCommand({ Id: id, Name: name, Scope: scope2 }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof WAFNonexistentItemException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const scope = input.properties["Scope"] || "REGIONAL";
+    let nextMarker;
+    do {
+      const list = await this.getClient().send(
+        new ListWebACLsCommand({ Scope: scope, ...nextMarker && { NextMarker: nextMarker } })
+      );
+      for (const item of list.WebACLs ?? []) {
+        if (!item.ARN)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand12({ ResourceARN: item.ARN })
+        );
+        const tagList = tagsResp.TagInfoForResource?.TagList;
+        if (matchesCdkPath(tagList, input.cdkPath)) {
+          return { physicalId: item.ARN, attributes: {} };
+        }
+      }
+      nextMarker = list.NextMarker;
+    } while (nextMarker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/cognito-provider.ts
@@ -23450,7 +24027,7 @@ import {
   UpdateUserPoolCommand,
   DescribeUserPoolCommand,
   ListUserPoolsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand9,
+  ListTagsForResourceCommand as ListTagsForResourceCommand13,
   ResourceNotFoundException as ResourceNotFoundException12
 } from "@aws-sdk/client-cognito-identity-provider";
 var CognitoUserPoolProvider = class {
@@ -23835,7 +24412,7 @@ var CognitoUserPoolProvider = class {
             if (!arn)
               continue;
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand9({ ResourceArn: arn })
+              new ListTagsForResourceCommand13({ ResourceArn: arn })
             );
             if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
               return { physicalId: pool.Id, attributes: {} };
@@ -23859,13 +24436,18 @@ import {
   CreateCacheClusterCommand,
   DeleteCacheClusterCommand,
   DescribeCacheClustersCommand,
+  DescribeCacheSubnetGroupsCommand,
   CreateCacheSubnetGroupCommand,
   DeleteCacheSubnetGroupCommand,
   ModifyCacheSubnetGroupCommand,
-  ModifyCacheClusterCommand
+  ModifyCacheClusterCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand14
 } from "@aws-sdk/client-elasticache";
+import { STSClient as STSClient5, GetCallerIdentityCommand as GetCallerIdentityCommand6 } from "@aws-sdk/client-sts";
 var ElastiCacheProvider = class {
   client;
+  stsClient;
+  cachedAccountId;
   providerRegion = process.env["AWS_REGION"];
   logger = getLogger().child("ElastiCacheProvider");
   handledProperties = /* @__PURE__ */ new Map([
@@ -24267,6 +24849,132 @@ var ElastiCacheProvider = class {
   sleep(ms) {
     return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
+  /**
+   * Adopt an existing ElastiCache resource into cdkd state.
+   *
+   * Supported types:
+   *  - `AWS::ElastiCache::CacheCluster` — full tag-based lookup via
+   *    `DescribeCacheClusters` + `ListTagsForResource(ResourceName=arn)`.
+   *  - `AWS::ElastiCache::SubnetGroup` — full tag-based lookup via
+   *    `DescribeCacheSubnetGroups` + `ListTagsForResource(ResourceName=arn)`.
+   *
+   * `ListTagsForResource` requires an ARN. Both `CacheCluster.ARN` and
+   * `CacheSubnetGroup.ARN` are returned by the Describe APIs, so no
+   * extra reconstruction is needed in normal flow; for the explicit
+   * override path we build the ARN from `region` + STS account id +
+   * the resource name.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ElastiCache::CacheCluster":
+        return this.importCacheCluster(input);
+      case "AWS::ElastiCache::SubnetGroup":
+        return this.importSubnetGroup(input);
+      default:
+        return null;
+    }
+  }
+  async importCacheCluster(input) {
+    const explicit = resolveExplicitPhysicalId(input, "ClusterName");
+    if (explicit) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeCacheClustersCommand({ CacheClusterId: explicit })
+        );
+        const c = resp.CacheClusters?.[0];
+        return c?.CacheClusterId ? { physicalId: c.CacheClusterId, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err, "CacheClusterNotFoundFault"))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeCacheClustersCommand({ ...marker && { Marker: marker } })
+      );
+      for (const c of list.CacheClusters ?? []) {
+        if (!c.CacheClusterId)
+          continue;
+        const arn = c.ARN ?? await this.buildClusterArn(c.CacheClusterId);
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand14({ ResourceName: arn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: c.CacheClusterId, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async importSubnetGroup(input) {
+    const explicit = resolveExplicitPhysicalId(input, "CacheSubnetGroupName");
+    if (explicit) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeCacheSubnetGroupsCommand({ CacheSubnetGroupName: explicit })
+        );
+        const g = resp.CacheSubnetGroups?.[0];
+        return g?.CacheSubnetGroupName ? { physicalId: g.CacheSubnetGroupName, attributes: {} } : null;
+      } catch (err) {
+        if (this.isNotFoundError(err, "CacheSubnetGroupNotFoundFault"))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeCacheSubnetGroupsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const g of list.CacheSubnetGroups ?? []) {
+        if (!g.CacheSubnetGroupName)
+          continue;
+        const arn = g.ARN ?? await this.buildSubnetGroupArn(g.CacheSubnetGroupName);
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand14({ ResourceName: arn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: g.CacheSubnetGroupName, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async buildClusterArn(clusterName) {
+    const region = await this.getRegion();
+    const account = await this.getAccountId();
+    return `arn:aws:elasticache:${region}:${account}:cluster:${clusterName}`;
+  }
+  async buildSubnetGroupArn(subnetGroupName) {
+    const region = await this.getRegion();
+    const account = await this.getAccountId();
+    return `arn:aws:elasticache:${region}:${account}:subnetgroup:${subnetGroupName}`;
+  }
+  async getRegion() {
+    const region = await this.getClient().config.region();
+    return region || this.providerRegion || "us-east-1";
+  }
+  async getAccountId() {
+    if (this.cachedAccountId)
+      return this.cachedAccountId;
+    if (!this.stsClient) {
+      this.stsClient = new STSClient5(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand6({}));
+    if (!identity.Account) {
+      throw new Error("Failed to resolve AWS account id from STS");
+    }
+    this.cachedAccountId = identity.Account;
+    return this.cachedAccountId;
+  }
 };
 
 // src/provisioning/providers/servicediscovery-provider.ts
@@ -24276,11 +24984,16 @@ import {
   DeleteNamespaceCommand,
   CreateServiceCommand as CreateServiceCommand2,
   DeleteServiceCommand as DeleteServiceCommand2,
+  GetNamespaceCommand,
   GetOperationCommand,
+  GetServiceCommand,
+  ListNamespacesCommand,
+  ListServicesCommand as ListServicesCommand2,
+  ListTagsForResourceCommand as ListTagsForResourceCommand15,
   NamespaceNotFound,
   ServiceNotFound
 } from "@aws-sdk/client-servicediscovery";
-import { STSClient as STSClient5, GetCallerIdentityCommand as GetCallerIdentityCommand6 } from "@aws-sdk/client-sts";
+import { STSClient as STSClient6, GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
 var ServiceDiscoveryProvider = class {
   client;
   stsClient;
@@ -24312,7 +25025,7 @@ var ServiceDiscoveryProvider = class {
   }
   getStsClient() {
     if (!this.stsClient) {
-      this.stsClient = new STSClient5(this.providerRegion ? { region: this.providerRegion } : {});
+      this.stsClient = new STSClient6(this.providerRegion ? { region: this.providerRegion } : {});
     }
     return this.stsClient;
   }
@@ -24597,13 +25310,114 @@ var ServiceDiscoveryProvider = class {
       logicalId
     );
   }
+  // ─── Import dispatch ──────────────────────────────────────────────
+  /**
+   * Adopt an existing Cloud Map (Service Discovery) resource into cdkd state.
+   *
+   *  - **AWS::ServiceDiscovery::PrivateDnsNamespace**: tag-based auto-lookup
+   *    via `ListNamespaces` + `ListTagsForResource(ResourceARN)` (Tag[]
+   *    array). Falls back to `--resource` override or matching
+   *    `Properties.Name` against the namespace name.
+   *  - **AWS::ServiceDiscovery::Service**: same shape — `ListServices` +
+   *    `ListTagsForResource`. Both use `Tag[]` arrays.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ServiceDiscovery::PrivateDnsNamespace":
+        return this.importNamespaceResource(input);
+      case "AWS::ServiceDiscovery::Service":
+        return this.importServiceResource(input);
+      default:
+        return null;
+    }
+  }
+  async importNamespaceResource(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new GetNamespaceCommand({ Id: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NamespaceNotFound)
+          return null;
+        throw err;
+      }
+    }
+    const desiredName = typeof input.properties?.["Name"] === "string" ? input.properties["Name"] : void 0;
+    let token;
+    do {
+      const list = await this.getClient().send(
+        new ListNamespacesCommand({ ...token && { NextToken: token } })
+      );
+      for (const ns of list.Namespaces ?? []) {
+        if (!ns.Id || !ns.Arn)
+          continue;
+        if (desiredName && ns.Name === desiredName) {
+          return { physicalId: ns.Id, attributes: {} };
+        }
+        if (input.cdkPath) {
+          try {
+            const tagsResp = await this.getClient().send(
+              new ListTagsForResourceCommand15({ ResourceARN: ns.Arn })
+            );
+            if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+              return { physicalId: ns.Id, attributes: {} };
+            }
+          } catch (err) {
+            if (err instanceof NamespaceNotFound)
+              continue;
+            throw err;
+          }
+        }
+      }
+      token = list.NextToken;
+    } while (token);
+    return null;
+  }
+  async importServiceResource(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new GetServiceCommand({ Id: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof ServiceNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let token;
+    do {
+      const list = await this.getClient().send(
+        new ListServicesCommand2({ ...token && { NextToken: token } })
+      );
+      for (const svc of list.Services ?? []) {
+        if (!svc.Id || !svc.Arn)
+          continue;
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListTagsForResourceCommand15({ ResourceARN: svc.Arn })
+          );
+          if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+            return { physicalId: svc.Id, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ServiceNotFound)
+            continue;
+          throw err;
+        }
+      }
+      token = list.NextToken;
+    } while (token);
+    return null;
+  }
   /**
    * Build a namespace ARN from namespace ID.
    * Format: arn:aws:servicediscovery:{region}:{account}:namespace/{namespaceId}
    */
   async buildNamespaceArn(namespaceId) {
     const stsClient = this.getStsClient();
-    const identity = await stsClient.send(new GetCallerIdentityCommand6({}));
+    const identity = await stsClient.send(new GetCallerIdentityCommand7({}));
     const accountId = identity.Account || "";
     const region = await this.getClient().config.region();
     return `arn:aws:servicediscovery:${region}:${accountId}:namespace/${namespaceId}`;
@@ -25187,10 +26001,18 @@ import {
   CreateTableCommand as CreateTableCommand2,
   UpdateTableCommand,
   DeleteTableCommand as DeleteTableCommand2,
+  GetDatabaseCommand,
+  GetDatabasesCommand,
+  GetTableCommand,
+  GetTablesCommand,
+  GetTagsCommand,
   EntityNotFoundException
 } from "@aws-sdk/client-glue";
+import { STSClient as STSClient7, GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
 var GlueProvider = class {
   client;
+  stsClient;
+  cachedAccountId;
   providerRegion = process.env["AWS_REGION"];
   logger = getLogger().child("GlueProvider");
   handledProperties = /* @__PURE__ */ new Map([
@@ -25561,6 +26383,167 @@ var GlueProvider = class {
     }
     return result;
   }
+  /**
+   * Adopt an existing Glue Database or Table into cdkd state.
+   *
+   * Lookup order (per type):
+   *  1. Explicit override / template name → verify with `GetDatabase`
+   *     or `GetTable`.
+   *  2. Walk `GetDatabases` / `GetTables` paginators and match the
+   *     `aws:cdk:path` tag via `GetTags(ResourceArn)`. Glue tags are
+   *     a `Record<string,string>` map (not a `Tag[]` array), so the
+   *     match is `tags?.[CDK_PATH_TAG] === input.cdkPath`.
+   *
+   * Glue list APIs return only names — ARNs are constructed locally
+   * for the per-item GetTags call.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::Glue::Database":
+        return this.importDatabase(input);
+      case "AWS::Glue::Table":
+        return this.importTable(input);
+      default:
+        return null;
+    }
+  }
+  async importDatabase(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["DatabaseInput"]?.["Name"];
+    const catalogId = input.properties["CatalogId"];
+    if (explicitName) {
+      try {
+        await this.getClient().send(
+          new GetDatabaseCommand({ Name: explicitName, ...catalogId && { CatalogId: catalogId } })
+        );
+        return { physicalId: explicitName, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new GetDatabasesCommand({
+          ...nextToken && { NextToken: nextToken },
+          ...catalogId && { CatalogId: catalogId }
+        })
+      );
+      for (const db of list.DatabaseList ?? []) {
+        if (!db.Name)
+          continue;
+        const arn = await this.buildDatabaseArn(db.Name, db.CatalogId);
+        if (await this.tagsMatchCdkPath(arn, input.cdkPath)) {
+          return { physicalId: db.Name, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  async importTable(input) {
+    const databaseName = input.properties["DatabaseName"];
+    const tableInput = input.properties["TableInput"];
+    const templateTableName = tableInput?.["Name"];
+    const catalogId = input.properties["CatalogId"];
+    if (input.knownPhysicalId) {
+      const [dbName, tName] = input.knownPhysicalId.split("|");
+      if (!dbName || !tName)
+        return null;
+      try {
+        await this.getClient().send(
+          new GetTableCommand({
+            DatabaseName: dbName,
+            Name: tName,
+            ...catalogId && { CatalogId: catalogId }
+          })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (databaseName && templateTableName) {
+      try {
+        await this.getClient().send(
+          new GetTableCommand({
+            DatabaseName: databaseName,
+            Name: templateTableName,
+            ...catalogId && { CatalogId: catalogId }
+          })
+        );
+        return { physicalId: `${databaseName}|${templateTableName}`, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath || !databaseName)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new GetTablesCommand({
+          DatabaseName: databaseName,
+          ...nextToken && { NextToken: nextToken },
+          ...catalogId && { CatalogId: catalogId }
+        })
+      );
+      for (const t of list.TableList ?? []) {
+        if (!t.Name)
+          continue;
+        const arn = await this.buildTableArn(databaseName, t.Name, catalogId);
+        if (await this.tagsMatchCdkPath(arn, input.cdkPath)) {
+          return { physicalId: `${databaseName}|${t.Name}`, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  async tagsMatchCdkPath(arn, cdkPath) {
+    try {
+      const resp = await this.getClient().send(new GetTagsCommand({ ResourceArn: arn }));
+      return resp.Tags?.[CDK_PATH_TAG] === cdkPath;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return false;
+      throw err;
+    }
+  }
+  async buildDatabaseArn(databaseName, catalogId) {
+    const region = await this.getRegion();
+    const account = catalogId ?? await this.getAccountId();
+    return `arn:aws:glue:${region}:${account}:database/${databaseName}`;
+  }
+  async buildTableArn(databaseName, tableName, catalogId) {
+    const region = await this.getRegion();
+    const account = catalogId ?? await this.getAccountId();
+    return `arn:aws:glue:${region}:${account}:table/${databaseName}/${tableName}`;
+  }
+  async getRegion() {
+    const region = await this.getClient().config.region();
+    return region || this.providerRegion || "us-east-1";
+  }
+  async getAccountId() {
+    if (this.cachedAccountId)
+      return this.cachedAccountId;
+    if (!this.stsClient) {
+      this.stsClient = new STSClient7(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand8({}));
+    if (!identity.Account) {
+      throw new Error("Failed to resolve AWS account id from STS");
+    }
+    this.cachedAccountId = identity.Account;
+    return this.cachedAccountId;
+  }
 };
 
 // src/provisioning/providers/kms-provider.ts
@@ -26042,6 +27025,8 @@ import {
   DecreaseStreamRetentionPeriodCommand,
   StartStreamEncryptionCommand,
   StopStreamEncryptionCommand,
+  ListStreamsCommand,
+  ListTagsForStreamCommand,
   ResourceNotFoundException as ResourceNotFoundException13
 } from "@aws-sdk/client-kinesis";
 var KinesisStreamProvider = class {
@@ -26270,29 +27255,77 @@ var KinesisStreamProvider = class {
           EnforceConsumerDeletion: true
         })
       );
-      this.logger.debug(`Successfully deleted Kinesis stream ${logicalId}`);
-    } catch (error) {
-      if (error instanceof ResourceNotFoundException13) {
-        const clientRegion = await this.getClient().config.region();
-        assertRegionMatch(
-          clientRegion,
-          context?.expectedRegion,
-          resourceType,
-          logicalId,
-          physicalId
+      this.logger.debug(`Successfully deleted Kinesis stream ${logicalId}`);
+    } catch (error) {
+      if (error instanceof ResourceNotFoundException13) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Kinesis stream ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Kinesis stream ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  /**
+   * Adopt an existing Kinesis stream into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.Name` → verify
+   *     with `DescribeStream`.
+   *  2. Walk `ListStreams` (paged via `ExclusiveStartStreamName`) and
+   *     match the `aws:cdk:path` tag via `ListTagsForStream(StreamName)`.
+   *
+   * Kinesis tags use the standard `Tag[]` array shape (`Key`/`Value`),
+   * so `matchesCdkPath` from import-helpers applies directly.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "Name");
+    if (explicit) {
+      try {
+        await this.getClient().send(new DescribeStreamCommand({ StreamName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException13)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let exclusiveStartStreamName;
+    while (true) {
+      const list = await this.getClient().send(
+        new ListStreamsCommand({
+          ...exclusiveStartStreamName && { ExclusiveStartStreamName: exclusiveStartStreamName }
+        })
+      );
+      const names = list.StreamNames ?? [];
+      for (const streamName of names) {
+        const tagsResp = await this.getClient().send(
+          new ListTagsForStreamCommand({ StreamName: streamName })
         );
-        this.logger.debug(`Kinesis stream ${physicalId} does not exist, skipping deletion`);
-        return;
+        if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+          return { physicalId: streamName, attributes: {} };
+        }
       }
-      const cause = error instanceof Error ? error : void 0;
-      throw new ProvisioningError(
-        `Failed to delete Kinesis stream ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
-        resourceType,
-        logicalId,
-        physicalId,
-        cause
-      );
+      if (!list.HasMoreStreams || names.length === 0)
+        break;
+      exclusiveStartStreamName = names[names.length - 1];
     }
+    return null;
   }
   /**
    * Poll DescribeStream until the stream reaches ACTIVE status
@@ -26336,6 +27369,7 @@ import {
   CreateAccessPointCommand,
   DeleteAccessPointCommand,
   DescribeFileSystemsCommand,
+  DescribeAccessPointsCommand,
   FileSystemNotFound,
   MountTargetNotFound,
   AccessPointNotFound
@@ -26737,6 +27771,100 @@ var EFSProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing EFS resource into cdkd state.
+   *
+   * Supported types:
+   *  - `AWS::EFS::FileSystem` — full tag-based lookup via
+   *    `DescribeFileSystems` with `Tags` inline on each item.
+   *  - `AWS::EFS::AccessPoint` — full tag-based lookup via
+   *    `DescribeAccessPoints` with `Tags` inline on each item.
+   *  - `AWS::EFS::MountTarget` — override-only (mount targets are
+   *    not taggable; auto lookup is impractical).
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::EFS::FileSystem":
+        return this.importFileSystem(input);
+      case "AWS::EFS::AccessPoint":
+        return this.importAccessPoint(input);
+      case "AWS::EFS::MountTarget":
+        if (input.knownPhysicalId) {
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  async importFileSystem(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeFileSystemsCommand({ FileSystemId: input.knownPhysicalId })
+        );
+        const fs = resp.FileSystems?.[0];
+        return fs?.FileSystemId ? { physicalId: fs.FileSystemId, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof FileSystemNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeFileSystemsCommand({ ...marker && { Marker: marker } })
+      );
+      for (const fs of list.FileSystems ?? []) {
+        if (!fs.FileSystemId)
+          continue;
+        if (matchesCdkPath(fs.Tags, input.cdkPath)) {
+          return { physicalId: fs.FileSystemId, attributes: {} };
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
+  async importAccessPoint(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const resp = await this.getClient().send(
+          new DescribeAccessPointsCommand({ AccessPointId: input.knownPhysicalId })
+        );
+        const ap = resp.AccessPoints?.[0];
+        return ap?.AccessPointId ? { physicalId: ap.AccessPointId, attributes: {} } : null;
+      } catch (err) {
+        if (err instanceof AccessPointNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const fileSystemId = input.properties["FileSystemId"];
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new DescribeAccessPointsCommand({
+          ...nextToken && { NextToken: nextToken },
+          ...fileSystemId && { FileSystemId: fileSystemId }
+        })
+      );
+      for (const ap of list.AccessPoints ?? []) {
+        if (!ap.AccessPointId)
+          continue;
+        if (matchesCdkPath(ap.Tags, input.cdkPath)) {
+          return { physicalId: ap.AccessPointId, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
 };
 
 // src/provisioning/providers/firehose-provider.ts
@@ -26744,6 +27872,9 @@ import {
   FirehoseClient,
   CreateDeliveryStreamCommand,
   DeleteDeliveryStreamCommand,
+  DescribeDeliveryStreamCommand,
+  ListDeliveryStreamsCommand,
+  ListTagsForDeliveryStreamCommand,
   ResourceNotFoundException as ResourceNotFoundException14
 } from "@aws-sdk/client-firehose";
 var FirehoseProvider = class {
@@ -27080,12 +28211,63 @@ var FirehoseProvider = class {
     }
     return result;
   }
+  /**
+   * Adopt an existing Kinesis Firehose delivery stream into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.DeliveryStreamName`
+   *     → verify with `DescribeDeliveryStream`.
+   *  2. Walk `ListDeliveryStreams` (paged via `ExclusiveStartDeliveryStreamName`)
+   *     and match the `aws:cdk:path` tag via
+   *     `ListTagsForDeliveryStream(DeliveryStreamName)`.
+   *
+   * Firehose tags use the standard `Tag[]` array shape (`Key`/`Value`).
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DeliveryStreamName");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDeliveryStreamCommand({ DeliveryStreamName: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException14)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let exclusiveStartDeliveryStreamName;
+    while (true) {
+      const list = await this.getClient().send(
+        new ListDeliveryStreamsCommand({
+          ...exclusiveStartDeliveryStreamName && {
+            ExclusiveStartDeliveryStreamName: exclusiveStartDeliveryStreamName
+          }
+        })
+      );
+      const names = list.DeliveryStreamNames ?? [];
+      for (const name of names) {
+        const tagsResp = await this.getClient().send(
+          new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: name })
+        );
+        if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+          return { physicalId: name, attributes: {} };
+        }
+      }
+      if (!list.HasMoreDeliveryStreams || names.length === 0)
+        break;
+      exclusiveStartDeliveryStreamName = names[names.length - 1];
+    }
+    return null;
+  }
   /**
    * Wait for a delivery stream to become ACTIVE.
    * Firehose CreateDeliveryStream returns immediately while the stream is still CREATING.
    */
   async waitForActive(streamName, logicalId) {
-    const { DescribeDeliveryStreamCommand } = await import("@aws-sdk/client-firehose");
     const maxAttempts = 30;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
       const resp = await this.getClient().send(
@@ -27117,7 +28299,7 @@ import {
   PutInsightSelectorsCommand,
   GetTrailCommand,
   ListTrailsCommand,
-  ListTagsCommand as ListTagsCommand2,
+  ListTagsCommand as ListTagsCommand3,
   TrailNotFoundException
 } from "@aws-sdk/client-cloudtrail";
 var CloudTrailProvider = class {
@@ -27381,7 +28563,7 @@ var CloudTrailProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsCommand2({ ResourceIdList: [trail.TrailARN] })
+            new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
           );
           const list2 = tagsResp.ResourceTagList?.[0];
           if (matchesCdkPath(list2?.TagsList, input.cdkPath)) {
@@ -27720,7 +28902,10 @@ import {
   S3VectorsClient,
   CreateVectorBucketCommand,
   DeleteVectorBucketCommand,
+  GetVectorBucketCommand,
   ListIndexesCommand,
+  ListVectorBucketsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand16,
   DeleteIndexCommand
 } from "@aws-sdk/client-s3vectors";
 var S3VectorsProvider = class {
@@ -27877,6 +29062,54 @@ var S3VectorsProvider = class {
       nextToken = listResult.nextToken;
     } while (nextToken);
   }
+  /**
+   * Adopt an existing S3 Vector Bucket into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.VectorBucketName`
+   *     → verify via `GetVectorBucket`. The physical id is the bucket name.
+   *  2. `ListVectorBuckets` paginator + `ListTagsForResource(resourceArn)`
+   *     (tags map keyed by tag name) and match `aws:cdk:path`.
+   */
+  async import(input) {
+    const explicit = input.knownPhysicalId ?? (typeof input.properties?.["VectorBucketName"] === "string" && input.properties["VectorBucketName"].length > 0 ? input.properties["VectorBucketName"] : void 0);
+    if (explicit) {
+      try {
+        await this.getClient().send(new GetVectorBucketCommand({ vectorBucketName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (this.isNotFoundError(err))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let token;
+    do {
+      const list = await this.getClient().send(
+        new ListVectorBucketsCommand({ ...token && { nextToken: token } })
+      );
+      for (const bucket of list.vectorBuckets ?? []) {
+        if (!bucket.vectorBucketName || !bucket.vectorBucketArn)
+          continue;
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListTagsForResourceCommand16({ resourceArn: bucket.vectorBucketArn })
+          );
+          if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return { physicalId: bucket.vectorBucketName, attributes: {} };
+          }
+        } catch (err) {
+          if (this.isNotFoundError(err))
+            continue;
+          throw err;
+        }
+      }
+      token = list.nextToken;
+    } while (token);
+    return null;
+  }
   isNotFoundError(error) {
     if (error instanceof Error) {
       const name = error.name;
@@ -27890,10 +29123,13 @@ var S3VectorsProvider = class {
 import {
   CreateBucketCommand as CreateBucketCommand3,
   DeleteBucketCommand as DeleteBucketCommand2,
+  HeadBucketCommand as HeadBucketCommand4,
+  ListDirectoryBucketsCommand,
+  GetBucketTaggingCommand as GetBucketTaggingCommand2,
   ListObjectsV2Command as ListObjectsV2Command2,
   DeleteObjectsCommand as DeleteObjectsCommand2
 } from "@aws-sdk/client-s3";
-import { GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand9 } from "@aws-sdk/client-sts";
 import { EC2Client as EC2Client8, DescribeAvailabilityZonesCommand as DescribeAvailabilityZonesCommand3 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var S3DirectoryBucketProvider = class {
@@ -27949,7 +29185,7 @@ var S3DirectoryBucketProvider = class {
    * Get the AWS account ID via STS
    */
   async getAccountId() {
-    const identity = await this.stsClient.send(new GetCallerIdentityCommand7({}));
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand9({}));
     return identity.Account;
   }
   /**
@@ -28095,6 +29331,56 @@ var S3DirectoryBucketProvider = class {
       continuationToken = listResponse.IsTruncated ? listResponse.NextContinuationToken : void 0;
     } while (continuationToken);
   }
+  /**
+   * Adopt an existing S3 Express Directory Bucket into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.BucketName` →
+   *     verify via `HeadBucket`.
+   *  2. `ListDirectoryBuckets` paginator + `GetBucketTagging` (TagSet:
+   *     Tag[]) and match `aws:cdk:path`. `GetBucketTagging` may surface
+   *     `NoSuchTagSet` / `AccessDenied` per-bucket — those are skipped
+   *     rather than fatal.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "BucketName");
+    if (explicit) {
+      try {
+        await this.s3Client.send(new HeadBucketCommand4({ Bucket: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        const e = err;
+        if (e.name === "NotFound" || e.name === "NoSuchBucket")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let token;
+    do {
+      const list = await this.s3Client.send(
+        new ListDirectoryBucketsCommand({ ...token && { ContinuationToken: token } })
+      );
+      for (const b of list.Buckets ?? []) {
+        if (!b.Name)
+          continue;
+        try {
+          const tagging = await this.s3Client.send(new GetBucketTaggingCommand2({ Bucket: b.Name }));
+          if (matchesCdkPath(tagging.TagSet, input.cdkPath)) {
+            return { physicalId: b.Name, attributes: {} };
+          }
+        } catch (err) {
+          const e = err;
+          if (e.name === "NoSuchTagSet" || e.name === "AccessDenied")
+            continue;
+          throw err;
+        }
+      }
+      token = list.ContinuationToken;
+    } while (token);
+    return null;
+  }
 };
 
 // src/provisioning/providers/s3-tables-provider.ts
@@ -28106,8 +29392,12 @@ import {
   DeleteNamespaceCommand as DeleteNamespaceCommand2,
   CreateTableCommand as CreateTableCommand3,
   DeleteTableCommand as DeleteTableCommand3,
-  ListNamespacesCommand,
+  GetTableBucketCommand,
+  GetTableCommand as GetTableCommand2,
+  ListNamespacesCommand as ListNamespacesCommand2,
   ListTablesCommand as ListTablesCommand2,
+  ListTableBucketsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand17,
   NotFoundException as NotFoundException6
 } from "@aws-sdk/client-s3tables";
 var S3TablesProvider = class {
@@ -28241,7 +29531,7 @@ var S3TablesProvider = class {
     let namespaceContinuationToken;
     do {
       const namespacesResult = await this.getClient().send(
-        new ListNamespacesCommand({
+        new ListNamespacesCommand2({
           tableBucketARN,
           continuationToken: namespaceContinuationToken
         })
@@ -28445,6 +29735,165 @@ var S3TablesProvider = class {
       );
     }
   }
+  // ─── Import dispatch ──────────────────────────────────────────────
+  /**
+   * Adopt an existing S3 Tables resource into cdkd state.
+   *
+   *  - **AWS::S3Tables::TableBucket**: tag-based auto-lookup via
+   *    `ListTableBuckets` + `ListTagsForResource(resourceArn)` (tags map).
+   *    Falls back to `--resource <id>=<arn>` or `Properties.TableBucketName`
+   *    (resolved by ARN suffix match against `ListTableBuckets`).
+   *  - **AWS::S3Tables::Table**: tag-based auto-lookup walks every
+   *    table bucket → namespace → table and calls `ListTagsForResource`
+   *    on each table ARN; matches `aws:cdk:path`.
+   *  - **AWS::S3Tables::Namespace**: explicit-override only. Namespaces
+   *    are not taggable in S3 Tables (`ListTagsForResource` accepts only
+   *    table-bucket or table ARNs), so auto-lookup is impossible.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::S3Tables::TableBucket":
+        return this.importTableBucket(input);
+      case "AWS::S3Tables::Namespace":
+        return this.importNamespace(input);
+      case "AWS::S3Tables::Table":
+        return this.importTable(input);
+      default:
+        return null;
+    }
+  }
+  async importTableBucket(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(
+          new GetTableBucketCommand({ tableBucketARN: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NotFoundException6)
+          return null;
+        throw err;
+      }
+    }
+    const desiredName = typeof input.properties?.["TableBucketName"] === "string" ? input.properties["TableBucketName"] : void 0;
+    let token;
+    do {
+      const list = await this.getClient().send(
+        new ListTableBucketsCommand({ ...token && { continuationToken: token } })
+      );
+      for (const bucket of list.tableBuckets ?? []) {
+        if (!bucket.arn)
+          continue;
+        if (desiredName && bucket.name === desiredName) {
+          return { physicalId: bucket.arn, attributes: {} };
+        }
+        if (input.cdkPath) {
+          try {
+            const tagsResp = await this.getClient().send(
+              new ListTagsForResourceCommand17({ resourceArn: bucket.arn })
+            );
+            if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
+              return { physicalId: bucket.arn, attributes: {} };
+            }
+          } catch (err) {
+            if (err instanceof NotFoundException6)
+              continue;
+            throw err;
+          }
+        }
+      }
+      token = list.continuationToken;
+    } while (token);
+    return null;
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async importNamespace(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
+  async importTable(input) {
+    if (input.knownPhysicalId) {
+      const parts = input.knownPhysicalId.split("|");
+      if (parts.length >= 3) {
+        try {
+          await this.getClient().send(
+            new GetTableCommand2({
+              tableBucketARN: parts[0],
+              namespace: parts[1],
+              name: parts[2]
+            })
+          );
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        } catch (err) {
+          if (err instanceof NotFoundException6)
+            return null;
+          throw err;
+        }
+      }
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    if (!input.cdkPath)
+      return null;
+    let bucketToken;
+    do {
+      const buckets = await this.getClient().send(
+        new ListTableBucketsCommand({ ...bucketToken && { continuationToken: bucketToken } })
+      );
+      for (const bucket of buckets.tableBuckets ?? []) {
+        if (!bucket.arn)
+          continue;
+        let nsToken;
+        do {
+          const namespaces = await this.getClient().send(
+            new ListNamespacesCommand2({
+              tableBucketARN: bucket.arn,
+              ...nsToken && { continuationToken: nsToken }
+            })
+          );
+          for (const ns of namespaces.namespaces ?? []) {
+            const namespaceName = ns.namespace?.[0];
+            if (!namespaceName)
+              continue;
+            let tableToken;
+            do {
+              const tables = await this.getClient().send(
+                new ListTablesCommand2({
+                  tableBucketARN: bucket.arn,
+                  namespace: namespaceName,
+                  ...tableToken && { continuationToken: tableToken }
+                })
+              );
+              for (const table of tables.tables ?? []) {
+                if (!table.name || !table.tableARN)
+                  continue;
+                try {
+                  const tagsResp = await this.getClient().send(
+                    new ListTagsForResourceCommand17({ resourceArn: table.tableARN })
+                  );
+                  if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
+                    return {
+                      physicalId: `${bucket.arn}|${namespaceName}|${table.name}`,
+                      attributes: {}
+                    };
+                  }
+                } catch (err) {
+                  if (err instanceof NotFoundException6)
+                    continue;
+                  throw err;
+                }
+              }
+              tableToken = tables.continuationToken;
+            } while (tableToken);
+          }
+          nsToken = namespaces.continuationToken;
+        } while (nsToken);
+      }
+      bucketToken = buckets.continuationToken;
+    } while (bucketToken);
+    return null;
+  }
   async deleteTable(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 Tables Table ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
@@ -28504,7 +29953,7 @@ import {
   PutImageScanningConfigurationCommand,
   PutImageTagMutabilityCommand,
   TagResourceCommand as TagResourceCommand7,
-  ListTagsForResourceCommand as ListTagsForResourceCommand10,
+  ListTagsForResourceCommand as ListTagsForResourceCommand18,
   RepositoryNotFoundException
 } from "@aws-sdk/client-ecr";
 var ECRProvider = class {
@@ -28773,7 +30222,7 @@ var ECRProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand10({ resourceArn: repo.repositoryArn })
+            new ListTagsForResourceCommand18({ resourceArn: repo.repositoryArn })
           );
           if (matchesCdkPath(tagsResp.tags, input.cdkPath)) {
             return { physicalId: repo.repositoryName, attributes: {} };
@@ -30301,11 +31750,11 @@ async function deployCommand(stacks, options) {
         addDependencies(stack.stackName);
       }
     }
-    const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
-    const stsClient = new STSClient7({
+    const { STSClient: STSClient9, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+    const stsClient = new STSClient9({
       region: options.region || process.env["AWS_REGION"] || "us-east-1"
     });
-    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand9({}));
+    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand11({}));
     const accountId = callerIdentity.Account;
     stsClient.destroy();
     const assetPublisher = new AssetPublisher();
@@ -31350,7 +32799,7 @@ import {
   CreateBucketCommand as CreateBucketCommand4,
   DeleteBucketCommand as DeleteBucketCommand3,
   DeleteObjectsCommand as DeleteObjectsCommand3,
-  HeadBucketCommand as HeadBucketCommand4,
+  HeadBucketCommand as HeadBucketCommand5,
   ListObjectVersionsCommand as ListObjectVersionsCommand2,
   ListObjectsV2Command as ListObjectsV2Command3,
   PutBucketEncryptionCommand as PutBucketEncryptionCommand3,
@@ -31358,7 +32807,7 @@ import {
   PutBucketVersioningCommand as PutBucketVersioningCommand3,
   S3Client as S3Client10
 } from "@aws-sdk/client-s3";
-import { GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand10 } from "@aws-sdk/client-sts";
 init_aws_clients();
 async function stateMigrateCommand(options) {
   const logger = getLogger();
@@ -31371,7 +32820,7 @@ async function stateMigrateCommand(options) {
   });
   setAwsClients(awsClients);
   try {
-    const identity = await awsClients.sts.send(new GetCallerIdentityCommand8({}));
+    const identity = await awsClients.sts.send(new GetCallerIdentityCommand10({}));
     const accountId = identity.Account;
     if (!accountId) {
       throw new Error("STS GetCallerIdentity returned no Account id.");
@@ -31473,7 +32922,7 @@ async function stateMigrateCommand(options) {
 }
 async function bucketExists2(s3, bucketName) {
   try {
-    await s3.send(new HeadBucketCommand4({ Bucket: bucketName }));
+    await s3.send(new HeadBucketCommand5({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -32699,7 +34148,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.19.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.21.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());