@go-to-k/cdkd 0.20.0 → 0.22.0

package/dist/cli.js

@@ -1218,9 +1218,9 @@ async function bucketHasAnyState(client, bucketName) {
   }
 }
 async function bucketExists(client, bucketName) {
-  const { HeadBucketCommand: HeadBucketCommand5 } = await import("@aws-sdk/client-s3");
+  const { HeadBucketCommand: HeadBucketCommand6 } = await import("@aws-sdk/client-s3");
   try {
-    await client.send(new HeadBucketCommand5({ Bucket: bucketName }));
+    await client.send(new HeadBucketCommand6({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -7749,6 +7749,27 @@ var CustomResourceProvider = class _CustomResourceProvider {
   sleep(ms) {
     return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
+  /**
+   * Adopt an existing custom resource into cdkd state.
+   *
+   * **Explicit override only.** A custom resource's identity is the
+   * `PhysicalResourceId` returned by its user-supplied Lambda handler at
+   * Create time — there is no AWS-side resource cdkd can introspect, no
+   * tag API, and no `aws:cdk:path` to look up by. cdkd cannot rediscover
+   * a custom resource without invoking the handler, which would mutate
+   * state.
+   *
+   * Users adopting an existing custom resource should pass
+   * `--resource <logicalId>=<physicalResourceId>` — the same value the
+   * handler returned originally.
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/provider-registry.ts
@@ -8864,6 +8885,27 @@ var IAMPolicyProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing IAM inline policy into cdkd state.
+   *
+   * **Explicit override only.** `AWS::IAM::Policy` in CloudFormation is an
+   * inline policy attached to roles / groups / users — not a standalone
+   * resource. Inline policies are not taggable and have no global identity,
+   * so tag-based auto-lookup via `aws:cdk:path` is not feasible. Users
+   * adopting inline policies must pass `--resource <logicalId>=<policyName>`
+   * (the physical id is the policy name itself).
+   *
+   * For standalone managed policies (`AWS::IAM::ManagedPolicy`), the
+   * Cloud Control API fallback handles import via the same explicit
+   * override mode.
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/iam-instance-profile-provider.ts
@@ -8871,6 +8913,7 @@ import {
   CreateInstanceProfileCommand,
   DeleteInstanceProfileCommand,
   GetInstanceProfileCommand,
+  ListInstanceProfilesCommand,
   AddRoleToInstanceProfileCommand,
   RemoveRoleFromInstanceProfileCommand as RemoveRoleFromInstanceProfileCommand2,
   NoSuchEntityException as NoSuchEntityException3
@@ -9072,6 +9115,48 @@ var IAMInstanceProfileProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing IAM instance profile into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource` override or `Properties.InstanceProfileName` → verify
+   *     via `GetInstanceProfile`.
+   *  2. `ListInstanceProfiles` paginator + match `aws:cdk:path` against the
+   *     `InstanceProfile.Tags` array returned inline (no separate
+   *     `ListInstanceProfileTags` call needed).
+   *
+   * IAM is global; this walks every instance profile in the account once.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "InstanceProfileName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetInstanceProfileCommand({ InstanceProfileName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException3)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.iamClient.send(
+        new ListInstanceProfilesCommand({ ...marker && { Marker: marker } })
+      );
+      for (const profile of list.InstanceProfiles ?? []) {
+        if (!profile.InstanceProfileName)
+          continue;
+        if (matchesCdkPath(profile.Tags, input.cdkPath)) {
+          return { physicalId: profile.InstanceProfileName, attributes: {} };
+        }
+      }
+      marker = list.IsTruncated ? list.Marker : void 0;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/iam-user-group-provider.ts
@@ -9102,6 +9187,8 @@ import {
   DeleteLoginProfileCommand,
   ListAccessKeysCommand,
   DeleteAccessKeyCommand,
+  ListUsersCommand,
+  ListUserTagsCommand,
   NoSuchEntityException as NoSuchEntityException4,
   TagUserCommand,
   PutUserPermissionsBoundaryCommand,
@@ -10080,6 +10167,92 @@ var IAMUserGroupProvider = class {
       );
     }
   }
+  // ─── Import dispatch ──────────────────────────────────────────────
+  /**
+   * Adopt an existing IAM user / group / user-to-group addition into cdkd state.
+   *
+   *  - **AWS::IAM::User**: tag-based auto-lookup via `ListUsers` +
+   *    `ListUserTags`. Falls back to `--resource` override or
+   *    `Properties.UserName`.
+   *  - **AWS::IAM::Group**: explicit-override only. IAM groups are not
+   *    taggable (no `ListGroupTags` API), so tag-based auto-lookup is not
+   *    possible. Caller can still pass `Properties.GroupName` or
+   *    `--resource` to verify and adopt by name.
+   *  - **AWS::IAM::UserToGroupAddition**: explicit-override only. Has no
+   *    AWS-side identity beyond the (group, users) attachment itself.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::IAM::User":
+        return this.importUser(input);
+      case "AWS::IAM::Group":
+        return this.importGroup(input);
+      case "AWS::IAM::UserToGroupAddition":
+        return this.importUserToGroupAddition(input);
+      default:
+        return null;
+    }
+  }
+  async importUser(input) {
+    const explicit = resolveExplicitPhysicalId(input, "UserName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetUserCommand({ UserName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException4)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.iamClient.send(
+        new ListUsersCommand({ ...marker && { Marker: marker } })
+      );
+      for (const user of list.Users ?? []) {
+        if (!user.UserName)
+          continue;
+        try {
+          const tags = await this.iamClient.send(
+            new ListUserTagsCommand({ UserName: user.UserName })
+          );
+          if (matchesCdkPath(tags.Tags, input.cdkPath)) {
+            return { physicalId: user.UserName, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof NoSuchEntityException4)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.IsTruncated ? list.Marker : void 0;
+    } while (marker);
+    return null;
+  }
+  async importGroup(input) {
+    const explicit = resolveExplicitPhysicalId(input, "GroupName");
+    if (explicit) {
+      try {
+        await this.iamClient.send(new GetGroupCommand({ GroupName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err instanceof NoSuchEntityException4)
+          return null;
+        throw err;
+      }
+    }
+    return null;
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async importUserToGroupAddition(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/s3-bucket-provider.ts
@@ -11220,6 +11393,25 @@ var S3BucketPolicyProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing S3 bucket policy into cdkd state.
+   *
+   * **Explicit override only.** An `S3::BucketPolicy` is a policy document
+   * attached to a bucket via `PutBucketPolicy` — it has no standalone
+   * identity and is not independently taggable. There is no `aws:cdk:path`
+   * tag to look up by; only the bucket itself is taggable.
+   *
+   * Users adopting an existing bucket policy should pass
+   * `--resource <logicalId>=<bucketName>` (matching the physical id
+   * format returned by `create()`).
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/sqs-queue-provider.ts
@@ -11656,6 +11848,25 @@ var SQSQueuePolicyProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing SQS queue policy into cdkd state.
+   *
+   * **Explicit override only.** A `QueuePolicy` is an attachment applied to
+   * a queue via `SetQueueAttributes(Policy=...)` — it has no standalone
+   * identity and is not independently taggable. There is no `aws:cdk:path`
+   * tag to look up by; only the queue itself is taggable.
+   *
+   * Users adopting an existing queue policy should pass
+   * `--resource <logicalId>=<queueUrl>` (matching the physical id format
+   * returned by `create()`, which uses the first queue URL).
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/sns-topic-provider.ts
@@ -12148,6 +12359,25 @@ var SNSSubscriptionProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing SNS subscription into cdkd state.
+   *
+   * **Explicit override only.** SNS subscriptions are attached to a parent
+   * topic and identified by their `SubscriptionArn`, but the SubscribeAPI
+   * does not accept tags and the AWS tag APIs do not cover subscriptions
+   * (only Topics are taggable). There is therefore no `aws:cdk:path` tag
+   * we could use for auto-lookup.
+   *
+   * Users adopting an existing subscription should pass
+   * `--resource <logicalId>=<subscriptionArn>`.
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/sns-topic-policy-provider.ts
@@ -12287,6 +12517,26 @@ var SNSTopicPolicyProvider = class {
     }
     this.logger.debug(`Successfully deleted SNS topic policy ${logicalId}`);
   }
+  /**
+   * Adopt an existing SNS topic policy into cdkd state.
+   *
+   * **Explicit override only.** A `TopicPolicy` is an attachment to one or
+   * more SNS topics applied via `SetTopicAttributes(AttributeName=Policy)` —
+   * it has no standalone identity and is not independently taggable. There
+   * is no `aws:cdk:path` tag to look up by, and the policy has no name/ARN
+   * of its own.
+   *
+   * Users adopting an existing topic policy should pass
+   * `--resource <logicalId>=<comma-joined-topic-ARNs>` (matching the
+   * physical id format returned by `create()`).
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
   /**
    * Set the policy on a single SNS topic
    */
@@ -13142,6 +13392,26 @@ var LambdaPermissionProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Lambda permission into cdkd state.
+   *
+   * **Explicit override only.** A `Lambda::Permission` is a single statement
+   * within a function's resource-based policy added via `AddPermission`. It
+   * has no independent ARN, no taggable identity, and the only way to find
+   * it is to call `GetPolicy` on the parent function and parse the JSON
+   * statements — which the user knows by `StatementId` already.
+   *
+   * Users adopting an existing permission should pass
+   * `--resource <logicalId>=<statementId>` (matching the physical id
+   * format returned by `create()`).
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: { Id: input.knownPhysicalId } };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/lambda-url-provider.ts
@@ -13275,6 +13545,26 @@ var LambdaUrlProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Lambda Function URL into cdkd state.
+   *
+   * **Explicit override only.** A `Lambda::Url` is a configuration attached
+   * to a Lambda function — it has no standalone identity (the natural
+   * physical id is the parent function's ARN/name) and `FunctionUrlConfig`
+   * is not independently taggable. There is no `aws:cdk:path` tag to look
+   * up by; only the parent function carries the CDK path tag.
+   *
+   * Users adopting an existing function URL should pass
+   * `--resource <logicalId>=<functionArnOrName>` (matching the physical id
+   * format returned by `create()`).
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
   /**
    * Build CORS configuration from CDK properties
    */
@@ -13517,12 +13807,36 @@ var LambdaEventSourceMappingProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Lambda event source mapping into cdkd state.
+   *
+   * **Explicit override only.** Event source mappings are identified by a
+   * UUID returned at create time. While Lambda event source mappings ARE
+   * taggable since 2020, CDK does NOT propagate the `aws:cdk:path` tag to
+   * them by default (the `Tags` property must be explicitly opted into),
+   * and the natural lookup is by `(FunctionName, EventSourceArn)` — which
+   * the user already knows.
+   *
+   * Users adopting an existing event source mapping should pass
+   * `--resource <logicalId>=<UUID>` (matching the physical id format
+   * returned by `create()`).
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: { Id: input.knownPhysicalId } };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/lambda-layer-provider.ts
 import {
   PublishLayerVersionCommand,
   DeleteLayerVersionCommand,
+  GetLayerVersionByArnCommand,
+  ListLayersCommand,
+  ListTagsCommand as ListTagsCommand2,
   ResourceNotFoundException as ResourceNotFoundException5
 } from "@aws-sdk/client-lambda";
 init_aws_clients();
@@ -13661,6 +13975,67 @@ var LambdaLayerVersionProvider = class {
       );
     }
   }
+  /**
+   * Adopt an existing Lambda layer version into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<layerVersionArn>` override → verify with
+   *     `GetLayerVersionByArn`. (Note: there is no `LayerName` field that
+   *     uniquely names a *version*; a layer name resolves to the latest
+   *     version, so an explicit ARN is the only unambiguous override.)
+   *  2. `ListLayers` paginator + `ListTags(Resource: layerArn)` (which
+   *     returns a `Tags: Record<string,string>` map keyed by tag name).
+   *     Match `aws:cdk:path` and adopt `LatestMatchingVersion.LayerVersionArn`.
+   *
+   * **Caveat**: Lambda layer versions are immutable, so auto-lookup adopts
+   * the LATEST version of the named layer that carries the matching CDK
+   * path tag. If the user's CDK app has since published newer versions
+   * outside cdkd's tracking, the adopted physical id may be stale; pass
+   * `--resource <id>=<arn>` to pin a specific version.
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.lambdaClient.send(
+          new GetLayerVersionByArnCommand({ Arn: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException5)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.lambdaClient.send(
+        new ListLayersCommand({ ...marker && { Marker: marker } })
+      );
+      for (const layer of list.Layers ?? []) {
+        if (!layer.LayerArn || !layer.LatestMatchingVersion?.LayerVersionArn)
+          continue;
+        try {
+          const tagsResp = await this.lambdaClient.send(
+            new ListTagsCommand2({ Resource: layer.LayerArn })
+          );
+          if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return {
+              physicalId: layer.LatestMatchingVersion.LayerVersionArn,
+              attributes: {}
+            };
+          }
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException5)
+            continue;
+          throw err;
+        }
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return null;
+  }
 };
 
 // src/provisioning/providers/dynamodb-table-provider.ts
@@ -19576,6 +19951,25 @@ var CloudFrontOAIProvider = class {
       `Unsupported attribute: ${attributeName} for AWS::CloudFront::CloudFrontOriginAccessIdentity`
     );
   }
+  /**
+   * Adopt an existing CloudFront Origin Access Identity into cdkd state.
+   *
+   * **Explicit override only.** OAIs do not support tags — their identity
+   * is the `CallerReference` set at create time, plus the auto-generated
+   * `Id`. There is no `aws:cdk:path` tag API to look up by; CloudFront's
+   * `ListCloudFrontOriginAccessIdentities` returns Id/Comment/CallerReference
+   * but no tags.
+   *
+   * Users adopting an existing OAI should pass
+   * `--resource <logicalId>=<oaiId>` (e.g. `E1ABCDEF123456`).
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: { Id: input.knownPhysicalId } };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/cloudfront-distribution-provider.ts
@@ -20299,6 +20693,27 @@ var AgentCoreRuntimeProvider = class {
     }
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::BedrockAgentCore::Runtime`);
   }
+  /**
+   * Adopt an existing BedrockAgentCore Runtime into cdkd state.
+   *
+   * **Explicit override only (for now).** The BedrockAgentCore SDK does
+   * expose `ListTagsForResource`, so a future PR could add full tag-based
+   * auto-lookup. For this batch we keep it override-only to ship
+   * consistently with the other batch-5 attachment-style providers; users
+   * adopting an existing runtime should pass
+   * `--resource <logicalId>=<agentRuntimeId>` (e.g. `runtime-12345`,
+   * matching the physical id format returned by `create()`).
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async import(input) {
+    if (input.knownPhysicalId) {
+      return {
+        physicalId: input.knownPhysicalId,
+        attributes: { AgentRuntimeId: input.knownPhysicalId }
+      };
+    }
+    return null;
+  }
 };
 
 // src/provisioning/providers/stepfunctions-provider.ts
@@ -24768,7 +25183,12 @@ import {
   DeleteNamespaceCommand,
   CreateServiceCommand as CreateServiceCommand2,
   DeleteServiceCommand as DeleteServiceCommand2,
+  GetNamespaceCommand,
   GetOperationCommand,
+  GetServiceCommand,
+  ListNamespacesCommand,
+  ListServicesCommand as ListServicesCommand2,
+  ListTagsForResourceCommand as ListTagsForResourceCommand15,
   NamespaceNotFound,
   ServiceNotFound
 } from "@aws-sdk/client-servicediscovery";
@@ -25089,6 +25509,107 @@ var ServiceDiscoveryProvider = class {
       logicalId
     );
   }
+  // ─── Import dispatch ──────────────────────────────────────────────
+  /**
+   * Adopt an existing Cloud Map (Service Discovery) resource into cdkd state.
+   *
+   *  - **AWS::ServiceDiscovery::PrivateDnsNamespace**: tag-based auto-lookup
+   *    via `ListNamespaces` + `ListTagsForResource(ResourceARN)` (Tag[]
+   *    array). Falls back to `--resource` override or matching
+   *    `Properties.Name` against the namespace name.
+   *  - **AWS::ServiceDiscovery::Service**: same shape — `ListServices` +
+   *    `ListTagsForResource`. Both use `Tag[]` arrays.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ServiceDiscovery::PrivateDnsNamespace":
+        return this.importNamespaceResource(input);
+      case "AWS::ServiceDiscovery::Service":
+        return this.importServiceResource(input);
+      default:
+        return null;
+    }
+  }
+  async importNamespaceResource(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new GetNamespaceCommand({ Id: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NamespaceNotFound)
+          return null;
+        throw err;
+      }
+    }
+    const desiredName = typeof input.properties?.["Name"] === "string" ? input.properties["Name"] : void 0;
+    let token;
+    do {
+      const list = await this.getClient().send(
+        new ListNamespacesCommand({ ...token && { NextToken: token } })
+      );
+      for (const ns of list.Namespaces ?? []) {
+        if (!ns.Id || !ns.Arn)
+          continue;
+        if (desiredName && ns.Name === desiredName) {
+          return { physicalId: ns.Id, attributes: {} };
+        }
+        if (input.cdkPath) {
+          try {
+            const tagsResp = await this.getClient().send(
+              new ListTagsForResourceCommand15({ ResourceARN: ns.Arn })
+            );
+            if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+              return { physicalId: ns.Id, attributes: {} };
+            }
+          } catch (err) {
+            if (err instanceof NamespaceNotFound)
+              continue;
+            throw err;
+          }
+        }
+      }
+      token = list.NextToken;
+    } while (token);
+    return null;
+  }
+  async importServiceResource(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new GetServiceCommand({ Id: input.knownPhysicalId }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof ServiceNotFound)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let token;
+    do {
+      const list = await this.getClient().send(
+        new ListServicesCommand2({ ...token && { NextToken: token } })
+      );
+      for (const svc of list.Services ?? []) {
+        if (!svc.Id || !svc.Arn)
+          continue;
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListTagsForResourceCommand15({ ResourceARN: svc.Arn })
+          );
+          if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
+            return { physicalId: svc.Id, attributes: {} };
+          }
+        } catch (err) {
+          if (err instanceof ServiceNotFound)
+            continue;
+          throw err;
+        }
+      }
+      token = list.NextToken;
+    } while (token);
+    return null;
+  }
   /**
    * Build a namespace ARN from namespace ID.
    * Format: arn:aws:servicediscovery:{region}:{account}:namespace/{namespaceId}
@@ -27977,7 +28498,7 @@ import {
   PutInsightSelectorsCommand,
   GetTrailCommand,
   ListTrailsCommand,
-  ListTagsCommand as ListTagsCommand2,
+  ListTagsCommand as ListTagsCommand3,
   TrailNotFoundException
 } from "@aws-sdk/client-cloudtrail";
 var CloudTrailProvider = class {
@@ -28241,7 +28762,7 @@ var CloudTrailProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsCommand2({ ResourceIdList: [trail.TrailARN] })
+            new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
           );
           const list2 = tagsResp.ResourceTagList?.[0];
           if (matchesCdkPath(list2?.TagsList, input.cdkPath)) {
@@ -28580,7 +29101,10 @@ import {
   S3VectorsClient,
   CreateVectorBucketCommand,
   DeleteVectorBucketCommand,
+  GetVectorBucketCommand,
   ListIndexesCommand,
+  ListVectorBucketsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand16,
   DeleteIndexCommand
 } from "@aws-sdk/client-s3vectors";
 var S3VectorsProvider = class {
@@ -28737,6 +29261,54 @@ var S3VectorsProvider = class {
       nextToken = listResult.nextToken;
     } while (nextToken);
   }
+  /**
+   * Adopt an existing S3 Vector Bucket into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.VectorBucketName`
+   *     → verify via `GetVectorBucket`. The physical id is the bucket name.
+   *  2. `ListVectorBuckets` paginator + `ListTagsForResource(resourceArn)`
+   *     (tags map keyed by tag name) and match `aws:cdk:path`.
+   */
+  async import(input) {
+    const explicit = input.knownPhysicalId ?? (typeof input.properties?.["VectorBucketName"] === "string" && input.properties["VectorBucketName"].length > 0 ? input.properties["VectorBucketName"] : void 0);
+    if (explicit) {
+      try {
+        await this.getClient().send(new GetVectorBucketCommand({ vectorBucketName: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (this.isNotFoundError(err))
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let token;
+    do {
+      const list = await this.getClient().send(
+        new ListVectorBucketsCommand({ ...token && { nextToken: token } })
+      );
+      for (const bucket of list.vectorBuckets ?? []) {
+        if (!bucket.vectorBucketName || !bucket.vectorBucketArn)
+          continue;
+        try {
+          const tagsResp = await this.getClient().send(
+            new ListTagsForResourceCommand16({ resourceArn: bucket.vectorBucketArn })
+          );
+          if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
+            return { physicalId: bucket.vectorBucketName, attributes: {} };
+          }
+        } catch (err) {
+          if (this.isNotFoundError(err))
+            continue;
+          throw err;
+        }
+      }
+      token = list.nextToken;
+    } while (token);
+    return null;
+  }
   isNotFoundError(error) {
     if (error instanceof Error) {
       const name = error.name;
@@ -28750,6 +29322,9 @@ var S3VectorsProvider = class {
 import {
   CreateBucketCommand as CreateBucketCommand3,
   DeleteBucketCommand as DeleteBucketCommand2,
+  HeadBucketCommand as HeadBucketCommand4,
+  ListDirectoryBucketsCommand,
+  GetBucketTaggingCommand as GetBucketTaggingCommand2,
   ListObjectsV2Command as ListObjectsV2Command2,
   DeleteObjectsCommand as DeleteObjectsCommand2
 } from "@aws-sdk/client-s3";
@@ -28955,6 +29530,56 @@ var S3DirectoryBucketProvider = class {
       continuationToken = listResponse.IsTruncated ? listResponse.NextContinuationToken : void 0;
     } while (continuationToken);
   }
+  /**
+   * Adopt an existing S3 Express Directory Bucket into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<name>` override or `Properties.BucketName` →
+   *     verify via `HeadBucket`.
+   *  2. `ListDirectoryBuckets` paginator + `GetBucketTagging` (TagSet:
+   *     Tag[]) and match `aws:cdk:path`. `GetBucketTagging` may surface
+   *     `NoSuchTagSet` / `AccessDenied` per-bucket — those are skipped
+   *     rather than fatal.
+   */
+  async import(input) {
+    const explicit = resolveExplicitPhysicalId(input, "BucketName");
+    if (explicit) {
+      try {
+        await this.s3Client.send(new HeadBucketCommand4({ Bucket: explicit }));
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        const e = err;
+        if (e.name === "NotFound" || e.name === "NoSuchBucket")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let token;
+    do {
+      const list = await this.s3Client.send(
+        new ListDirectoryBucketsCommand({ ...token && { ContinuationToken: token } })
+      );
+      for (const b of list.Buckets ?? []) {
+        if (!b.Name)
+          continue;
+        try {
+          const tagging = await this.s3Client.send(new GetBucketTaggingCommand2({ Bucket: b.Name }));
+          if (matchesCdkPath(tagging.TagSet, input.cdkPath)) {
+            return { physicalId: b.Name, attributes: {} };
+          }
+        } catch (err) {
+          const e = err;
+          if (e.name === "NoSuchTagSet" || e.name === "AccessDenied")
+            continue;
+          throw err;
+        }
+      }
+      token = list.ContinuationToken;
+    } while (token);
+    return null;
+  }
 };
 
 // src/provisioning/providers/s3-tables-provider.ts
@@ -28966,8 +29591,12 @@ import {
   DeleteNamespaceCommand as DeleteNamespaceCommand2,
   CreateTableCommand as CreateTableCommand3,
   DeleteTableCommand as DeleteTableCommand3,
-  ListNamespacesCommand,
+  GetTableBucketCommand,
+  GetTableCommand as GetTableCommand2,
+  ListNamespacesCommand as ListNamespacesCommand2,
   ListTablesCommand as ListTablesCommand2,
+  ListTableBucketsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand17,
   NotFoundException as NotFoundException6
 } from "@aws-sdk/client-s3tables";
 var S3TablesProvider = class {
@@ -29101,7 +29730,7 @@ var S3TablesProvider = class {
     let namespaceContinuationToken;
     do {
       const namespacesResult = await this.getClient().send(
-        new ListNamespacesCommand({
+        new ListNamespacesCommand2({
           tableBucketARN,
           continuationToken: namespaceContinuationToken
         })
@@ -29305,6 +29934,165 @@ var S3TablesProvider = class {
       );
     }
   }
+  // ─── Import dispatch ──────────────────────────────────────────────
+  /**
+   * Adopt an existing S3 Tables resource into cdkd state.
+   *
+   *  - **AWS::S3Tables::TableBucket**: tag-based auto-lookup via
+   *    `ListTableBuckets` + `ListTagsForResource(resourceArn)` (tags map).
+   *    Falls back to `--resource <id>=<arn>` or `Properties.TableBucketName`
+   *    (resolved by ARN suffix match against `ListTableBuckets`).
+   *  - **AWS::S3Tables::Table**: tag-based auto-lookup walks every
+   *    table bucket → namespace → table and calls `ListTagsForResource`
+   *    on each table ARN; matches `aws:cdk:path`.
+   *  - **AWS::S3Tables::Namespace**: explicit-override only. Namespaces
+   *    are not taggable in S3 Tables (`ListTagsForResource` accepts only
+   *    table-bucket or table ARNs), so auto-lookup is impossible.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::S3Tables::TableBucket":
+        return this.importTableBucket(input);
+      case "AWS::S3Tables::Namespace":
+        return this.importNamespace(input);
+      case "AWS::S3Tables::Table":
+        return this.importTable(input);
+      default:
+        return null;
+    }
+  }
+  async importTableBucket(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(
+          new GetTableBucketCommand({ tableBucketARN: input.knownPhysicalId })
+        );
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof NotFoundException6)
+          return null;
+        throw err;
+      }
+    }
+    const desiredName = typeof input.properties?.["TableBucketName"] === "string" ? input.properties["TableBucketName"] : void 0;
+    let token;
+    do {
+      const list = await this.getClient().send(
+        new ListTableBucketsCommand({ ...token && { continuationToken: token } })
+      );
+      for (const bucket of list.tableBuckets ?? []) {
+        if (!bucket.arn)
+          continue;
+        if (desiredName && bucket.name === desiredName) {
+          return { physicalId: bucket.arn, attributes: {} };
+        }
+        if (input.cdkPath) {
+          try {
+            const tagsResp = await this.getClient().send(
+              new ListTagsForResourceCommand17({ resourceArn: bucket.arn })
+            );
+            if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
+              return { physicalId: bucket.arn, attributes: {} };
+            }
+          } catch (err) {
+            if (err instanceof NotFoundException6)
+              continue;
+            throw err;
+          }
+        }
+      }
+      token = list.continuationToken;
+    } while (token);
+    return null;
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async importNamespace(input) {
+    if (input.knownPhysicalId) {
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    return null;
+  }
+  async importTable(input) {
+    if (input.knownPhysicalId) {
+      const parts = input.knownPhysicalId.split("|");
+      if (parts.length >= 3) {
+        try {
+          await this.getClient().send(
+            new GetTableCommand2({
+              tableBucketARN: parts[0],
+              namespace: parts[1],
+              name: parts[2]
+            })
+          );
+          return { physicalId: input.knownPhysicalId, attributes: {} };
+        } catch (err) {
+          if (err instanceof NotFoundException6)
+            return null;
+          throw err;
+        }
+      }
+      return { physicalId: input.knownPhysicalId, attributes: {} };
+    }
+    if (!input.cdkPath)
+      return null;
+    let bucketToken;
+    do {
+      const buckets = await this.getClient().send(
+        new ListTableBucketsCommand({ ...bucketToken && { continuationToken: bucketToken } })
+      );
+      for (const bucket of buckets.tableBuckets ?? []) {
+        if (!bucket.arn)
+          continue;
+        let nsToken;
+        do {
+          const namespaces = await this.getClient().send(
+            new ListNamespacesCommand2({
+              tableBucketARN: bucket.arn,
+              ...nsToken && { continuationToken: nsToken }
+            })
+          );
+          for (const ns of namespaces.namespaces ?? []) {
+            const namespaceName = ns.namespace?.[0];
+            if (!namespaceName)
+              continue;
+            let tableToken;
+            do {
+              const tables = await this.getClient().send(
+                new ListTablesCommand2({
+                  tableBucketARN: bucket.arn,
+                  namespace: namespaceName,
+                  ...tableToken && { continuationToken: tableToken }
+                })
+              );
+              for (const table of tables.tables ?? []) {
+                if (!table.name || !table.tableARN)
+                  continue;
+                try {
+                  const tagsResp = await this.getClient().send(
+                    new ListTagsForResourceCommand17({ resourceArn: table.tableARN })
+                  );
+                  if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
+                    return {
+                      physicalId: `${bucket.arn}|${namespaceName}|${table.name}`,
+                      attributes: {}
+                    };
+                  }
+                } catch (err) {
+                  if (err instanceof NotFoundException6)
+                    continue;
+                  throw err;
+                }
+              }
+              tableToken = tables.continuationToken;
+            } while (tableToken);
+          }
+          nsToken = namespaces.continuationToken;
+        } while (nsToken);
+      }
+      bucketToken = buckets.continuationToken;
+    } while (bucketToken);
+    return null;
+  }
   async deleteTable(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 Tables Table ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
@@ -29364,7 +30152,7 @@ import {
   PutImageScanningConfigurationCommand,
   PutImageTagMutabilityCommand,
   TagResourceCommand as TagResourceCommand7,
-  ListTagsForResourceCommand as ListTagsForResourceCommand15,
+  ListTagsForResourceCommand as ListTagsForResourceCommand18,
   RepositoryNotFoundException
 } from "@aws-sdk/client-ecr";
 var ECRProvider = class {
@@ -29633,7 +30421,7 @@ var ECRProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand15({ resourceArn: repo.repositoryArn })
+            new ListTagsForResourceCommand18({ resourceArn: repo.repositoryArn })
           );
           if (matchesCdkPath(tagsResp.tags, input.cdkPath)) {
             return { physicalId: repo.repositoryName, attributes: {} };
@@ -32210,7 +32998,7 @@ import {
   CreateBucketCommand as CreateBucketCommand4,
   DeleteBucketCommand as DeleteBucketCommand3,
   DeleteObjectsCommand as DeleteObjectsCommand3,
-  HeadBucketCommand as HeadBucketCommand4,
+  HeadBucketCommand as HeadBucketCommand5,
   ListObjectVersionsCommand as ListObjectVersionsCommand2,
   ListObjectsV2Command as ListObjectsV2Command3,
   PutBucketEncryptionCommand as PutBucketEncryptionCommand3,
@@ -32333,7 +33121,7 @@ async function stateMigrateCommand(options) {
 }
 async function bucketExists2(s3, bucketName) {
   try {
-    await s3.send(new HeadBucketCommand4({ Bucket: bucketName }));
+    await s3.send(new HeadBucketCommand5({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -33559,7 +34347,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.20.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.22.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());