@go-to-k/cdkd 0.201.0 → 0.202.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-DWUnLza1.js";
-import { $ as uploadCfnTemplate, A as S3StateBackend, At as PATTERN_B_NAME_PROPERTIES, B as Synthesizer, C as assertRegionMatch, Ct as normalizeAwsError, D as DagBuilder, E as DiffCalculator, Et as getLogger, F as buildDockerImage, Ft as withStackName, G as resolveSkipPrefix, H as getLegacyStateBucketName, I as formatDockerLoginError, J as warnDeprecatedNoPrefixCliFlag, K as resolveStateBucketWithDefault, L as getDockerCmd, M as AssetPublisher, Mt as generateResourceName, N as stringifyValue, Nt as generateResourceNameWithFallback, O as TemplateParser, Ot as runStackBuffered, P as WorkGraph, Pt as withSkipPrefix, Q as findLargeInlineResources, R as runDockerForeground, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveApp, V as getDefaultStateBucketName, W as resolveCaptureObservedState, X as CFN_TEMPLATE_URL_LIMIT, Y as CFN_TEMPLATE_BODY_LIMIT, Z as MIGRATE_TMP_PREFIX, _ as matchesCdkPath, _t as StackHasActiveImportsError, a as withRetry, b as ProviderRegistry, c as bold, ct as LocalMigrateError, d as green, dt as MissingCdkCliError, et as AssemblyReader, f as red, ft as NestedStackChildDirectDestroyError, g as CDK_PATH_TAG, gt as ResourceUpdateNotSupportedError, h as collectInlinePolicyNamesManagedBySiblings, ht as ResourceTimeoutError, i as withResourceDeadline, it as CdkdError, j as shouldRetainResource, jt as PATTERN_B_RESOURCE_TYPES, k as LockManager, kt as getLiveRenderer, l as cyan, lt as LocalStartServiceError, m as IAMRoleProvider, mt as ProvisioningError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as resolveBucketRegion, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as PartialFailureError, q as resolveStateBucketWithDefaultAndSource, r as DeployEngine, s as formatResourceLine, st as LocalInvokeBuildError$1, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, v as normalizeAwsTagsToCfn, vt as StackTerminationProtectionError, w as IntrinsicFunctionResolver, wt as withErrorHandling, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, z as runDockerStreaming } from "./deploy-engine-5CVA5VWR.js";
+import { $ as uploadCfnTemplate, A as S3StateBackend, At as PATTERN_B_NAME_PROPERTIES, B as Synthesizer, C as assertRegionMatch, Ct as normalizeAwsError, D as DagBuilder, E as DiffCalculator, Et as getLogger, F as buildDockerImage, Ft as withStackName, G as resolveSkipPrefix, H as getLegacyStateBucketName, I as formatDockerLoginError, J as warnDeprecatedNoPrefixCliFlag, K as resolveStateBucketWithDefault, L as getDockerCmd, M as AssetPublisher, Mt as generateResourceName, N as stringifyValue, Nt as generateResourceNameWithFallback, O as TemplateParser, Ot as runStackBuffered, P as WorkGraph, Pt as withSkipPrefix, Q as findLargeInlineResources, R as runDockerForeground, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveApp, V as getDefaultStateBucketName, W as resolveCaptureObservedState, X as CFN_TEMPLATE_URL_LIMIT, Y as CFN_TEMPLATE_BODY_LIMIT, Z as MIGRATE_TMP_PREFIX, _ as matchesCdkPath, _t as StackHasActiveImportsError, a as withRetry, b as ProviderRegistry, c as bold, ct as LocalMigrateError, d as green, dt as MissingCdkCliError, et as AssemblyReader, f as red, ft as NestedStackChildDirectDestroyError, g as CDK_PATH_TAG, gt as ResourceUpdateNotSupportedError, h as collectInlinePolicyNamesManagedBySiblings, ht as ResourceTimeoutError, i as withResourceDeadline, it as CdkdError, j as shouldRetainResource, jt as PATTERN_B_RESOURCE_TYPES, k as LockManager, kt as getLiveRenderer, l as cyan, lt as LocalStartServiceError, m as IAMRoleProvider, mt as ProvisioningError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as resolveBucketRegion, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as PartialFailureError, q as resolveStateBucketWithDefaultAndSource, r as DeployEngine, s as formatResourceLine, st as LocalInvokeBuildError$1, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, v as normalizeAwsTagsToCfn, vt as StackTerminationProtectionError, w as IntrinsicFunctionResolver, wt as withErrorHandling, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, z as runDockerStreaming } from "./deploy-engine-CuJDHhTs.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -17236,7 +17236,7 @@ var CloudFrontDistributionProvider = class {
 			const getResponse = await this.cloudFrontClient.send(new GetDistributionCommand({ Id: physicalId }));
 			const domainName = getResponse.Distribution?.DomainName ?? "";
 			const arn = getResponse.Distribution?.ARN;
-			await this.tryApplyTagDiff(arn, previousProperties["Tags"], properties["Tags"], physicalId);
+			await this.applyTagDiff(arn, previousProperties["Tags"], properties["Tags"], physicalId, logicalId, resourceType);
 			this.logger.debug(`Updated CloudFront Distribution ${physicalId}`);
 			return {
 				physicalId,
@@ -17489,32 +17489,44 @@ var CloudFrontDistributionProvider = class {
 		};
 	}
 	/**
-	* Apply a tag diff to a distribution, best-effort.
+	* Apply a tag diff to a distribution.
 	*
 	* CloudFront has no atomic overlay API for tags — `TagResource` adds /
 	* overwrites and `UntagResource` removes. Run the removal first, then
 	* the upsert, so a same-key value rewrite (which lands in `upserts`)
 	* is not accidentally cleared by a stale Untag.
 	*
-	* Errors are logged but not rethrown — `update()` already succeeded
-	* the `UpdateDistribution` call before this is invoked, so propagating
-	* a tag-side error would flip a successful config update into a deploy
-	* failure that triggers an idempotent retry. A `warn` surfaces the
-	* unapplied delta to the operator without breaking the deploy.
+	* Errors are RETHROWN as `ProvisioningError` (issue #740 fix) so the
+	* deploy engine sees a failed update() and (a) does NOT write the new
+	* properties.Tags into state — the next deploy retries the tag-diff
+	* against the still-old state, (b) surfaces the failure to the user
+	* via the standard error path. The deploy engine's `withRetry` MAY
+	* pick up some transient AWS errors via the cause-message-pattern
+	* match (`retryable-errors.ts`'s `RETRYABLE_ERROR_MESSAGE_PATTERNS`),
+	* but bare HTTP 429 throttles wrapped by update()'s outer catch reach
+	* the classifier two levels deep and slip past its single-level
+	* `.cause` walk — so the **load-bearing retry guarantee is the
+	* next-deploy retry**, not in-deploy retry. This is acceptable: the
+	* user sees the failure, can react, and the next `cdkd deploy`
+	* re-fires the tag-diff against the still-old state cleanly.
+	*
+	* Trade-off: a tag-side failure flips an otherwise-successful
+	* `UpdateDistribution` into a deploy failure, and the retry will
+	* re-issue UpdateDistribution against the (now-current) config —
+	* AWS accepts the no-op idempotently. The cost of that secondary
+	* noise is much lower than the cost of silent tag drift the pre-#740
+	* swallow caused.
 	*
 	* The ARN is unexpectedly absent only on a hypothetical SDK regression
 	* (`GetDistribution` returns ARN as a required string in every SDK
 	* shape verified so far). When that happens AND a tag delta exists,
-	* log a warn so the silent-drop this PR is closing does not silently
-	* resurface; when no delta exists, return without needing ARN.
+	* THROW so the silent-drop does not silently resurface; when no delta
+	* exists, return without needing ARN.
 	*/
-	async tryApplyTagDiff(arn, previousTags, newTags, physicalId) {
+	async applyTagDiff(arn, previousTags, newTags, physicalId, logicalId, resourceType) {
 		const { removed, upserts } = this.computeTagDiff(previousTags, newTags);
 		if (removed.length === 0 && upserts.length === 0) return;
-		if (!arn) {
-			this.logger.warn(`CloudFront Distribution ${physicalId}: GetDistribution returned no ARN; skipping tag diff (removed=${removed.length}, upserts=${upserts.length}). Tags on AWS may drift from the template.`);
-			return;
-		}
+		if (!arn) throw new ProvisioningError(`CloudFront Distribution ${physicalId}: GetDistribution returned no ARN; cannot apply tag diff (removed=${removed.length}, upserts=${upserts.length}). Refusing to silently drop the tag update — retry on next deploy or check SDK version.`, resourceType, logicalId, physicalId);
 		try {
 			if (removed.length > 0) {
 				this.logger.debug(`Untagging CloudFront Distribution ${arn}: ${removed.join(", ")}`);
@@ -17531,7 +17543,8 @@ var CloudFrontDistributionProvider = class {
 				}));
 			}
 		} catch (err) {
-			this.logger.warn(`CloudFront Distribution ${physicalId}: tag diff failed (removed=${removed.length}, upserts=${upserts.length}): ${err instanceof Error ? err.message : String(err)}. UpdateDistribution itself succeeded; tags on AWS may drift from the template until the next deploy.`);
+			const cause = err instanceof Error ? err : void 0;
+			throw new ProvisioningError(`CloudFront Distribution ${physicalId}: tag diff failed (removed=${removed.length}, upserts=${upserts.length}): ${err instanceof Error ? err.message : String(err)}. UpdateDistribution succeeded but TagResource/UntagResource did not — state has NOT been updated so the next deploy will retry the tag-diff.`, resourceType, logicalId, physicalId, cause);
 		}
 	}
 	/**
@@ -31998,7 +32011,7 @@ var S3TablesProvider = class {
 	providerRegion = process.env["AWS_REGION"];
 	logger = getLogger().child("S3TablesProvider");
 	handledProperties = new Map([
-		["AWS::S3Tables::TableBucket", new Set(["TableBucketName"])],
+		["AWS::S3Tables::TableBucket", new Set(["TableBucketName", "Tags"])],
 		["AWS::S3Tables::Namespace", new Set(["TableBucketARN", "Namespace"])],
 		["AWS::S3Tables::Table", new Set([
 			"TableBucketARN",
@@ -32023,7 +32036,8 @@ var S3TablesProvider = class {
 		}
 	}
 	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
-		if (resourceType === "AWS::S3Tables::Table") await this.applyTableTagsDiff(physicalId, previousProperties["Tags"], properties["Tags"]);
+		if (resourceType === "AWS::S3Tables::Table") await this.applyTableTagsDiff(logicalId, physicalId, resourceType, previousProperties["Tags"], properties["Tags"]);
+		else if (resourceType === "AWS::S3Tables::TableBucket") await this.applyTableBucketTagsDiff(logicalId, physicalId, resourceType, previousProperties["Tags"], properties["Tags"]);
 		else this.logger.debug(`Update is no-op for ${resourceType} ${logicalId}`);
 		return {
 			physicalId,
@@ -32042,8 +32056,12 @@ var S3TablesProvider = class {
 		this.logger.debug(`Creating S3 Table Bucket ${logicalId}`);
 		const tableBucketName = properties["TableBucketName"];
 		if (!tableBucketName) throw new ProvisioningError(`TableBucketName is required for S3 Table Bucket ${logicalId}`, resourceType, logicalId);
+		const tags = this.cfnTagsToSdkMap(properties["Tags"]);
 		try {
-			const tableBucketARN = (await this.getClient().send(new CreateTableBucketCommand({ name: tableBucketName }))).arn;
+			const tableBucketARN = (await this.getClient().send(new CreateTableBucketCommand({
+				name: tableBucketName,
+				...tags !== void 0 && { tags }
+			}))).arn;
 			this.logger.debug(`Successfully created S3 Table Bucket ${logicalId}: ${tableBucketARN}`);
 			return {
 				physicalId: tableBucketARN,
@@ -32235,6 +32253,7 @@ var S3TablesProvider = class {
 		}
 		const result = {};
 		if (bucket.name !== void 0) result["TableBucketName"] = bucket.name;
+		result["Tags"] = await this.readTagsBestEffort(physicalId);
 		return result;
 	}
 	async readNamespaceCurrentState(physicalId) {
@@ -32502,40 +32521,88 @@ var S3TablesProvider = class {
 	* value-only rewrite on key K isn't accidentally cleared by a stale
 	* UntagResource pass (matches the CloudFront / S3Vectors pattern).
 	*
-	* Tag ops are best-effort post-step in update(): a tag-side failure
-	* MUST NOT flip the deploy engine into a retry that would re-issue
-	* the no-op `update()` body. Log at warn instead so the user sees
-	* the unapplied delta but the deploy still progresses.
-	*/
-	async applyTableTagsDiff(physicalId, previousTags, newTags) {
+	* Tag-side failures THROW `ProvisioningError` (issue #740 fix): a
+	* silent swallow would let the deploy engine write the new properties.Tags
+	* to state as if applied, and the next deploy's diff (template Tags
+	* vs new state Tags) sees no change → tag-diff never re-fires → AWS
+	* tags stay stale forever. Throwing means: (a) state is NOT written,
+	* (b) the next deploy retries the tag-diff against the still-old
+	* state. The deploy engine's `withRetry` MAY pick up transient AWS
+	* errors via the cause-message-pattern match in `retryable-errors.ts`,
+	* but bare HTTP 429 throttles can slip past the classifier's
+	* single-level `.cause` walk depending on wrapping — so the
+	* **load-bearing retry guarantee is the next-deploy retry**, not
+	* in-deploy retry. For the S3Tables Table case `update()` is
+	* otherwise a no-op (the Table itself is immutable), so a tag-side
+	* throw cleanly turns the whole update into a retry without
+	* side-effects.
+	*
+	* The malformed-physicalId / GetTable-NotFound branches throw too
+	* — both indicate a state-vs-AWS divergence the user needs to see,
+	* not silently skip past.
+	*/
+	async applyTableTagsDiff(logicalId, physicalId, resourceType, previousTags, newTags) {
+		const prev = this.cfnTagsToSdkMap(previousTags) ?? {};
+		const next = this.cfnTagsToSdkMap(newTags) ?? {};
+		const removedKeys = Object.keys(prev).filter((k) => !(k in next));
+		const upserts = {};
+		for (const [k, v] of Object.entries(next)) if (prev[k] !== v) upserts[k] = v;
+		if (removedKeys.length === 0 && Object.keys(upserts).length === 0) return;
 		const parts = physicalId.split("|");
-		if (parts.length < 3) {
-			this.logger.warn(`applyTableTagsDiff: cannot derive table ARN from physicalId '${physicalId}' — skipping tag-diff`);
-			return;
-		}
+		if (parts.length < 3) throw new ProvisioningError(`applyTableTagsDiff: cannot derive table ARN from physicalId '${physicalId}' (expected '<bucketArn>|<namespace>|<name>') — refusing to silently drop the tag update`, resourceType, logicalId, physicalId);
 		const [tableBucketARN, namespace, name] = parts;
-		if (!tableBucketARN || !namespace || !name) {
-			this.logger.warn(`applyTableTagsDiff: cannot derive table ARN from malformed physicalId '${physicalId}' (empty part after split) — skipping tag-diff`);
-			return;
+		if (!tableBucketARN || !namespace || !name) throw new ProvisioningError(`applyTableTagsDiff: cannot derive table ARN from malformed physicalId '${physicalId}' (empty part after split) — refusing to silently drop the tag update`, resourceType, logicalId, physicalId);
+		const resourceArn = await this.lookupTableArn(tableBucketARN, namespace, name);
+		if (!resourceArn) throw new ProvisioningError(`applyTableTagsDiff: GetTable returned no tableARN for ${physicalId} — table is gone or state is out-of-sync. Refusing to silently drop the tag update (run 'cdkd state orphan ${logicalId}' to clean up if the table was deleted out-of-band).`, resourceType, logicalId, physicalId);
+		if (removedKeys.length > 0) try {
+			await this.getClient().send(new UntagResourceCommand$15({
+				resourceArn,
+				tagKeys: removedKeys
+			}));
+		} catch (err) {
+			const cause = err instanceof Error ? err : void 0;
+			throw new ProvisioningError(`applyTableTagsDiff: UntagResource failed for ${resourceArn} (keys: ${removedKeys.join(", ")}): ${err instanceof Error ? err.message : String(err)}. State has NOT been updated so the next deploy will retry the tag-diff.`, resourceType, logicalId, physicalId, cause);
+		}
+		if (Object.keys(upserts).length > 0) try {
+			await this.getClient().send(new TagResourceCommand$16({
+				resourceArn,
+				tags: upserts
+			}));
+		} catch (err) {
+			const cause = err instanceof Error ? err : void 0;
+			throw new ProvisioningError(`applyTableTagsDiff: TagResource failed for ${resourceArn} (keys: ${Object.keys(upserts).join(", ")}): ${err instanceof Error ? err.message : String(err)}. State has NOT been updated so the next deploy will retry the tag-diff.`, resourceType, logicalId, physicalId, cause);
 		}
+	}
+	/**
+	* Apply a tag-diff against a TableBucket resource ARN. Mirrors
+	* `applyTableTagsDiff` for the Table case, but simpler: TableBucket's
+	* `physicalId` IS the bucket ARN, so no `GetTableBucket` lookup hop
+	* is needed (the Table version needs `GetTable` to recover the real
+	* ARN from the cdkd-compound `<bucketArn>|<namespace>|<name>` physical id).
+	*
+	* Same throw semantics as `applyTableTagsDiff` (per issue #740 / PR
+	* #741): tag-side failures THROW `ProvisioningError` so state is NOT
+	* written, and the next deploy retries against the still-old state.
+	* `update()` for AWS::S3Tables::TableBucket is otherwise a no-op (the
+	* bucket itself is immutable), so a tag-side throw cleanly turns the
+	* whole update into a clean retry with no side-effects.
+	*/
+	async applyTableBucketTagsDiff(logicalId, physicalId, resourceType, previousTags, newTags) {
 		const prev = this.cfnTagsToSdkMap(previousTags) ?? {};
 		const next = this.cfnTagsToSdkMap(newTags) ?? {};
 		const removedKeys = Object.keys(prev).filter((k) => !(k in next));
 		const upserts = {};
 		for (const [k, v] of Object.entries(next)) if (prev[k] !== v) upserts[k] = v;
 		if (removedKeys.length === 0 && Object.keys(upserts).length === 0) return;
-		const resourceArn = await this.lookupTableArn(tableBucketARN, namespace, name);
-		if (!resourceArn) {
-			this.logger.warn(`applyTableTagsDiff: GetTable returned no tableARN for ${physicalId} — skipping tag-diff (table gone? state out-of-sync?)`);
-			return;
-		}
+		const resourceArn = physicalId;
 		if (removedKeys.length > 0) try {
 			await this.getClient().send(new UntagResourceCommand$15({
 				resourceArn,
 				tagKeys: removedKeys
 			}));
 		} catch (err) {
-			this.logger.warn(`applyTableTagsDiff: UntagResource failed for ${resourceArn} (keys: ${removedKeys.join(", ")}): ${err instanceof Error ? err.message : String(err)}`);
+			const cause = err instanceof Error ? err : void 0;
+			throw new ProvisioningError(`applyTableBucketTagsDiff: UntagResource failed for ${resourceArn} (keys: ${removedKeys.join(", ")}): ${err instanceof Error ? err.message : String(err)}. State has NOT been updated so the next deploy will retry the tag-diff.`, resourceType, logicalId, physicalId, cause);
 		}
 		if (Object.keys(upserts).length > 0) try {
 			await this.getClient().send(new TagResourceCommand$16({
@@ -32543,7 +32610,8 @@ var S3TablesProvider = class {
 				tags: upserts
 			}));
 		} catch (err) {
-			this.logger.warn(`applyTableTagsDiff: TagResource failed for ${resourceArn} (keys: ${Object.keys(upserts).join(", ")}): ${err instanceof Error ? err.message : String(err)}`);
+			const cause = err instanceof Error ? err : void 0;
+			throw new ProvisioningError(`applyTableBucketTagsDiff: TagResource failed for ${resourceArn} (keys: ${Object.keys(upserts).join(", ")}): ${err instanceof Error ? err.message : String(err)}. State has NOT been updated so the next deploy will retry the tag-diff.`, resourceType, logicalId, physicalId, cause);
 		}
 	}
 };
@@ -51856,7 +51924,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.201.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.202.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());