@go-to-k/cdkd 0.192.0 → 0.194.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as StackHasActiveImportsError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError$1, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveApp } from "./deploy-engine-DbR6HZHx.js";
+import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as StackHasActiveImportsError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError$1, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveApp } from "./deploy-engine-BDmJX4ss.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-B15NAPbL.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
@@ -28,7 +28,7 @@ import * as path from "node:path";
 import { dirname, isAbsolute, join, resolve } from "node:path";
 import { execFile, spawn } from "node:child_process";
 import { tmpdir } from "node:os";
-import { AssociateVPCWithHostedZoneCommand, ChangeResourceRecordSetsCommand, ChangeTagsForResourceCommand, CreateHostedZoneCommand, CreateQueryLoggingConfigCommand, DeleteHostedZoneCommand, DeleteQueryLoggingConfigCommand, DisassociateVPCFromHostedZoneCommand, GetHostedZoneCommand, ListHostedZonesByNameCommand, ListHostedZonesCommand, ListQueryLoggingConfigsCommand, ListResourceRecordSetsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$6, Route53Client, UpdateHostedZoneCommentCommand } from "@aws-sdk/client-route-53";
+import { AssociateVPCWithHostedZoneCommand, ChangeResourceRecordSetsCommand, ChangeTagsForResourceCommand, CreateHostedZoneCommand, CreateQueryLoggingConfigCommand, DeleteHostedZoneCommand, DeleteQueryLoggingConfigCommand, DisassociateVPCFromHostedZoneCommand, GetHostedZoneCommand, ListHostedZonesByNameCommand, ListHostedZonesCommand, ListQueryLoggingConfigsCommand, ListResourceRecordSetsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$6, Route53Client, UpdateHostedZoneCommentCommand, UpdateHostedZoneFeaturesCommand } from "@aws-sdk/client-route-53";
 import { AddTagsCommand, CreateListenerCommand, CreateLoadBalancerCommand, CreateTargetGroupCommand, DeleteListenerCommand, DeleteLoadBalancerCommand, DeleteTargetGroupCommand, DescribeListenersCommand, DescribeLoadBalancerAttributesCommand, DescribeLoadBalancersCommand, DescribeTagsCommand, DescribeTargetGroupsCommand, ElasticLoadBalancingV2Client, ModifyListenerCommand, ModifyLoadBalancerAttributesCommand, ModifyTargetGroupCommand, RemoveTagsCommand, SetIpAddressTypeCommand, SetSecurityGroupsCommand, SetSubnetsCommand } from "@aws-sdk/client-elastic-load-balancing-v2";
 import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCommand, DisableKeyCommand, DisableKeyRotationCommand, EnableKeyCommand, EnableKeyRotationCommand, GetKeyPolicyCommand, GetKeyRotationStatusCommand, KMSClient, ListAliasesCommand, ListKeysCommand, ListResourceTagsCommand, NotFoundException as NotFoundException$2, PutKeyPolicyCommand, ScheduleKeyDeletionCommand, TagResourceCommand as TagResourceCommand$8, UntagResourceCommand as UntagResourceCommand$8, UpdateAliasCommand, UpdateKeyDescriptionCommand } from "@aws-sdk/client-kms";
 import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$9 } from "@aws-sdk/client-ecr";
@@ -18080,6 +18080,7 @@ var ECSProvider = class {
 			"DefaultCapacityProviderStrategy",
 			"Configuration",
 			"ClusterSettings",
+			"ServiceConnectDefaults",
 			"Tags"
 		])],
 		["AWS::ECS::TaskDefinition", new Set([
@@ -18174,6 +18175,7 @@ var ECSProvider = class {
 					name: s["Name"] || s["name"],
 					value: (s["Value"] || s["value"]) ?? void 0
 				})) : void 0,
+				serviceConnectDefaults: properties["ServiceConnectDefaults"] ? { namespace: properties["ServiceConnectDefaults"]["Namespace"] } : void 0,
 				tags: convertTags(properties["Tags"])
 			}))).cluster;
 			if (!cluster || !cluster.clusterArn) throw new Error("CreateCluster did not return cluster ARN");
@@ -18201,17 +18203,20 @@ var ECSProvider = class {
 			}
 			const settingsChanged = JSON.stringify(previousProperties["ClusterSettings"] ?? null) !== JSON.stringify(properties["ClusterSettings"] ?? null);
 			const configChanged = JSON.stringify(previousProperties["Configuration"] ?? null) !== JSON.stringify(properties["Configuration"] ?? null);
-			if (settingsChanged || configChanged) {
+			const svcConnectChanged = JSON.stringify(previousProperties["ServiceConnectDefaults"] ?? null) !== JSON.stringify(properties["ServiceConnectDefaults"] ?? null);
+			if (settingsChanged || configChanged || svcConnectChanged) {
 				const settingsInput = settingsChanged ? (properties["ClusterSettings"] ?? []).map((s) => ({
 					name: s["Name"] || s["name"],
 					value: (s["Value"] || s["value"]) ?? void 0
 				})) : void 0;
+				const svcConnectInput = svcConnectChanged ? properties["ServiceConnectDefaults"] ? { namespace: properties["ServiceConnectDefaults"]["Namespace"] } : { namespace: "" } : void 0;
 				await client.send(new UpdateClusterCommand({
 					cluster: physicalId,
 					...settingsChanged && { settings: settingsInput },
-					...configChanged && { configuration: properties["Configuration"] }
+					...configChanged && { configuration: properties["Configuration"] },
+					...svcConnectChanged && { serviceConnectDefaults: svcConnectInput }
 				}));
-				this.logger.debug(`Updated ECS cluster ${physicalId} (settings=${settingsChanged}, config=${configChanged})`);
+				this.logger.debug(`Updated ECS cluster ${physicalId} (settings=${settingsChanged}, config=${configChanged}, svcConnect=${svcConnectChanged})`);
 			}
 			const cluster = (await client.send(new DescribeClustersCommand({ clusters: [physicalId] }))).clusters?.[0];
 			if (cluster?.clusterArn) await this.applyTagDiff(cluster.clusterArn, previousProperties["Tags"], properties["Tags"]);
@@ -18737,6 +18742,7 @@ var ECSProvider = class {
 			Name: s.name,
 			Value: s.value
 		}));
+		if (c.serviceConnectDefaults?.namespace !== void 0) result["ServiceConnectDefaults"] = { Namespace: c.serviceConnectDefaults.namespace };
 		result["Tags"] = normalizeAwsTagsToCfn(c.tags);
 		return result;
 	}
@@ -22644,7 +22650,8 @@ var Route53Provider = class {
 		"HostedZoneConfig",
 		"HostedZoneTags",
 		"VPCs",
-		"QueryLoggingConfig"
+		"QueryLoggingConfig",
+		"HostedZoneFeatures"
 	])], ["AWS::Route53::RecordSet", new Set([
 		"HostedZoneId",
 		"HostedZoneName",
@@ -22675,9 +22682,9 @@ var Route53Provider = class {
 			default: throw new ProvisioningError(`Unsupported resource type: ${resourceType}`, resourceType, logicalId);
 		}
 	}
-	async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
 		switch (resourceType) {
-			case "AWS::Route53::HostedZone": return this.updateHostedZone(logicalId, physicalId, resourceType, properties);
+			case "AWS::Route53::HostedZone": return this.updateHostedZone(logicalId, physicalId, resourceType, properties, previousProperties);
 			case "AWS::Route53::RecordSet": return this.updateRecordSet(logicalId, physicalId, resourceType, properties);
 			default: throw new ProvisioningError(`Unsupported resource type: ${resourceType}`, resourceType, logicalId, physicalId);
 		}
@@ -22731,6 +22738,22 @@ var Route53Provider = class {
 			}
 			await this.applyHostedZoneTags(zoneId, properties, logicalId);
 			await this.applyQueryLoggingConfig(zoneId, properties, logicalId);
+			if (properties["HostedZoneFeatures"]?.["AcceleratedRecoveryStatus"] === "ENABLED") try {
+				await this.getClient().send(new UpdateHostedZoneFeaturesCommand({
+					HostedZoneId: zoneId,
+					EnableAcceleratedRecovery: true
+				}));
+			} catch (uhfError) {
+				this.logger.error(`UpdateHostedZoneFeatures failed for ${zoneId} after CreateHostedZone — rolling back the hosted zone to keep deploy retry idempotent`);
+				try {
+					await this.deleteQueryLoggingConfigForZone(zoneId, logicalId);
+					await this.getClient().send(new DeleteHostedZoneCommand({ Id: zoneId }));
+				} catch (deleteError) {
+					this.logger.warn(`Best-effort rollback DeleteHostedZone for ${zoneId} also failed: ${deleteError instanceof Error ? deleteError.message : String(deleteError)} — operator may need to clean up the orphan zone`);
+				}
+				const cause = uhfError instanceof Error ? uhfError : void 0;
+				throw new ProvisioningError(`Failed to enable Accelerated Recovery on hosted zone ${logicalId} (${zoneId}): ${uhfError instanceof Error ? uhfError.message : String(uhfError)}`, resourceType, logicalId, zoneId, cause);
+			}
 			const nameServers = response.DelegationSet?.NameServers ?? [];
 			this.logger.debug(`Successfully created hosted zone ${logicalId}: ${zoneId}`);
 			return {
@@ -22746,7 +22769,7 @@ var Route53Provider = class {
 			throw new ProvisioningError(`Failed to create hosted zone ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, void 0, cause);
 		}
 	}
-	async updateHostedZone(logicalId, physicalId, resourceType, properties) {
+	async updateHostedZone(logicalId, physicalId, resourceType, properties, previousProperties) {
 		this.logger.debug(`Updating Route 53 hosted zone ${logicalId}: ${physicalId}`);
 		try {
 			const comment = properties["HostedZoneConfig"]?.["Comment"] ?? "";
@@ -22757,6 +22780,12 @@ var Route53Provider = class {
 			await this.applyHostedZoneTags(physicalId, properties, logicalId);
 			await this.applyQueryLoggingConfig(physicalId, properties, logicalId);
 			await this.syncVPCAssociations(physicalId, properties, logicalId);
+			const prevEnabled = previousProperties["HostedZoneFeatures"]?.["AcceleratedRecoveryStatus"] === "ENABLED";
+			const nextEnabled = properties["HostedZoneFeatures"]?.["AcceleratedRecoveryStatus"] === "ENABLED";
+			if (prevEnabled !== nextEnabled) await this.getClient().send(new UpdateHostedZoneFeaturesCommand({
+				HostedZoneId: physicalId,
+				EnableAcceleratedRecovery: nextEnabled
+			}));
 			const nameServers = (await this.getClient().send(new GetHostedZoneCommand({ Id: physicalId }))).DelegationSet?.NameServers ?? [];
 			this.logger.debug(`Successfully updated hosted zone ${logicalId}`);
 			return {
@@ -22776,6 +22805,7 @@ var Route53Provider = class {
 		this.logger.debug(`Deleting Route 53 hosted zone ${logicalId}: ${physicalId}`);
 		try {
 			await this.deleteQueryLoggingConfigForZone(physicalId, logicalId);
+			await this.ensureAcceleratedRecoveryDisabledForDelete(physicalId, logicalId);
 			await this.getClient().send(new DeleteHostedZoneCommand({ Id: physicalId }));
 			this.logger.debug(`Successfully deleted hosted zone ${logicalId}`);
 		} catch (error) {
@@ -22784,10 +22814,86 @@ var Route53Provider = class {
 				this.logger.debug(`Hosted zone ${physicalId} does not exist, skipping deletion`);
 				return;
 			}
+			if (error instanceof ProvisioningError) throw error;
 			const cause = error instanceof Error ? error : void 0;
 			throw new ProvisioningError(`Failed to delete hosted zone ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
 		}
 	}
+	/**
+	* Pre-delete guard for `AWS::Route53::HostedZone:HostedZoneFeatures`.
+	*
+	* AWS rejects `DeleteHostedZone` while AcceleratedRecovery is anything
+	* other than DISABLED (the feature uses an async control plane API —
+	* `UpdateHostedZoneFeatures` — and AWS won't tear down a zone whose
+	* feature state is still in flight). This helper:
+	*
+	*   1. Reads the current `HostedZone.Features.AcceleratedRecoveryStatus`.
+	*      DISABLED / undefined / NoSuchHostedZone → return early (nothing
+	*      to do, the delete will proceed normally or hit the existing
+	*      NoSuchHostedZone short-circuit).
+	*   2. ENABLING / ENABLED → issue `UpdateHostedZoneFeatures(false)` then
+	*      poll `GetHostedZone` until the status settles to DISABLED.
+	*   3. DISABLING → poll without re-issuing the toggle.
+	*   4. *_FAILED / *_HOSTED_ZONE_LOCKED → surface the AWS error to the
+	*      operator (out of scope for cdkd to recover automatically).
+	*
+	* Poll budget: env-overridable timeout (default 10 min) + interval
+	* (default 15s; tests override via env to keep runs fast). Failure to
+	* settle within the budget throws — the operator can either re-run
+	* `cdkd state destroy` (poll resets) or disable manually.
+	*/
+	async ensureAcceleratedRecoveryDisabledForDelete(physicalId, logicalId) {
+		const client = this.getClient();
+		const pollIntervalMs = Number.parseInt(process.env["CDKD_R53_ACCEL_RECOVERY_POLL_INTERVAL_MS"] ?? "15000", 10);
+		const timeoutMs = Number.parseInt(process.env["CDKD_R53_ACCEL_RECOVERY_POLL_TIMEOUT_MS"] ?? "600000", 10);
+		const readStatus = async () => {
+			try {
+				return (await client.send(new GetHostedZoneCommand({ Id: physicalId }))).HostedZone?.Features?.AcceleratedRecoveryStatus;
+			} catch (err) {
+				if (err instanceof Error && err.name === "NoSuchHostedZone") return void 0;
+				throw err;
+			}
+		};
+		const deadline = Date.now() + timeoutMs;
+		const TERMINAL_FAILED = new Set([
+			"ENABLE_FAILED",
+			"DISABLE_FAILED",
+			"ENABLING_HOSTED_ZONE_LOCKED",
+			"DISABLING_HOSTED_ZONE_LOCKED"
+		]);
+		const waitFor = async (targets, label) => {
+			while (Date.now() < deadline) {
+				const status = await readStatus();
+				if (status === void 0 || targets.has(status)) return status;
+				if (TERMINAL_FAILED.has(status)) throw new ProvisioningError(`Cannot delete hosted zone ${logicalId} (${physicalId}): AcceleratedRecoveryStatus transitioned to '${status}' while waiting for ${label} — operator must resolve before destroy can proceed`, "AWS::Route53::HostedZone", logicalId, physicalId);
+				this.logger.debug(`Polling AcceleratedRecoveryStatus for ${physicalId}: ${status} (waiting for ${label}, will re-poll in ~${pollIntervalMs}ms)`);
+				const sliceEnd = Math.min(Date.now() + pollIntervalMs, deadline);
+				while (Date.now() < sliceEnd) {
+					const tick = Math.min(1e3, sliceEnd - Date.now());
+					if (tick <= 0) break;
+					await new Promise((resolve) => setTimeout(resolve, tick));
+				}
+			}
+			throw new ProvisioningError(`Timed out after ${timeoutMs}ms waiting for AcceleratedRecoveryStatus to reach ${label} on hosted zone ${logicalId} (${physicalId}); re-run \`cdkd state destroy\` or disable manually via \`aws route53 update-hosted-zone-features --hosted-zone-id ${physicalId} --no-enable-accelerated-recovery\``, "AWS::Route53::HostedZone", logicalId, physicalId);
+		};
+		let current = await readStatus();
+		if (current === void 0 || current === "DISABLED") return;
+		if (TERMINAL_FAILED.has(current)) throw new ProvisioningError(`Cannot delete hosted zone ${logicalId} (${physicalId}): AcceleratedRecoveryStatus is '${current}' — operator must resolve before destroy can proceed`, "AWS::Route53::HostedZone", logicalId, physicalId);
+		if (current === "ENABLING") {
+			this.logger.debug(`Hosted zone ${physicalId} is ENABLING; waiting for it to settle before issuing disable`);
+			current = await waitFor(new Set(["ENABLED", "DISABLED"]), "ENABLED or DISABLED");
+			if (current === void 0 || current === "DISABLED") return;
+		}
+		if (current === "ENABLED") {
+			this.logger.debug(`Hosted zone ${physicalId} is ENABLED; issuing UpdateHostedZoneFeatures(false) before delete`);
+			await client.send(new UpdateHostedZoneFeaturesCommand({
+				HostedZoneId: physicalId,
+				EnableAcceleratedRecovery: false
+			}));
+		} else if (current === "DISABLING") this.logger.debug(`Hosted zone ${physicalId} AcceleratedRecovery is already DISABLING; waiting for settle`);
+		const settled = await waitFor(new Set(["DISABLED"]), "DISABLED");
+		this.logger.debug(`Hosted zone ${physicalId} AcceleratedRecoveryStatus settled to ${settled ?? "undefined (zone gone)"}`);
+	}
 	async getHostedZoneAttribute(physicalId, attributeName) {
 		switch (attributeName) {
 			case "Id": return physicalId;
@@ -23125,6 +23231,7 @@ var Route53Provider = class {
 			if (resp.HostedZone.Config?.PrivateZone !== void 0) cfg["PrivateZone"] = resp.HostedZone.Config.PrivateZone;
 			result["HostedZoneConfig"] = cfg;
 		}
+		if (resp.HostedZone.Features?.AcceleratedRecoveryStatus !== void 0) result["HostedZoneFeatures"] = { AcceleratedRecoveryStatus: resp.HostedZone.Features.AcceleratedRecoveryStatus };
 		if (resp.HostedZone.Config?.PrivateZone === true) result["VPCs"] = (resp.VPCs ?? []).map((v) => {
 			const out = {};
 			if (v.VPCId !== void 0) out["VPCId"] = v.VPCId;
@@ -52445,7 +52552,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.192.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.194.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());