npm - @go-to-k/cdkd - Versions diffs - 0.213.0 → 0.215.0 - Mend

@go-to-k/cdkd 0.213.0 → 0.215.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli.js +167 -21
package/dist/cli.js.map +1 -1
package/dist/{deploy-engine-DMggQBl4.js → deploy-engine-C9fD8IOo.js} +8 -10
package/dist/{deploy-engine-DMggQBl4.js.map → deploy-engine-C9fD8IOo.js.map} +1 -1
package/dist/index.js +1 -1
package/package.json +2 -2

package/dist/cli.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-DWUnLza1.js";
-import { $ as CFN_TEMPLATE_URL_LIMIT, A as DagBuilder, B as getDockerCmd, C as CloudControlProvider, D as IntrinsicFunctionResolver, Dt as withErrorHandling, E as isTerminationProtectionPropagationError, Et as normalizeAwsError, F as AssetPublisher, Ft as generateResourceName, G as getLegacyStateBucketName, H as runDockerStreaming, I as stringifyValue, It as generateResourceNameWithFallback, J as resolveSkipPrefix, K as resolveApp, L as WorkGraph, Lt as withSkipPrefix, M as LockManager, Mt as getLiveRenderer, N as S3StateBackend, Nt as PATTERN_B_NAME_PROPERTIES, O as applyRoleArnIfSet, P as shouldRetainResource, Pt as PATTERN_B_RESOURCE_TYPES, Q as CFN_TEMPLATE_BODY_LIMIT, R as buildDockerImage, Rt as withStackName, S as findActionableSilentDrops, T as disableInstanceApiTermination, U as Synthesizer, V as runDockerForeground, W as getDefaultStateBucketName, X as resolveStateBucketWithDefaultAndSource, Y as resolveStateBucketWithDefault, Z as warnDeprecatedNoPrefixCliFlag, _ as CDK_PATH_TAG, _t as ProvisioningError, a as withRetry, at as resolveBucketRegion, b as resolveExplicitPhysicalId, bt as StackHasActiveImportsError, c as formatResourceLine, d as gray, dt as LocalMigrateError, et as MIGRATE_TMP_PREFIX, f as green, ft as LocalStartServiceError, g as collectInlinePolicyNamesManagedBySiblings, gt as PartialFailureError, h as IAMRoleProvider, ht as NestedStackChildDirectDestroyError, i as withResourceDeadline, j as TemplateParser, jt as runStackBuffered, k as DiffCalculator, kt as getLogger, l as bold, m as yellow, mt as MissingCdkCliError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as uploadCfnTemplate, o as isRetryableTransientError, p as red, q as resolveCaptureObservedState, r as DeployEngine, rt as AssemblyReader, s as IMPLICIT_DELETE_DEPENDENCIES, st as CdkdError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as findLargeInlineResources, u as cyan, ut as LocalInvokeBuildError$1, v as matchesCdkPath, vt as ResourceTimeoutError, w as assertRegionMatch, x as ProviderRegistry, xt as StackTerminationProtectionError, y as normalizeAwsTagsToCfn, yt as ResourceUpdateNotSupportedError, z as formatDockerLoginError } from "./deploy-engine-DMggQBl4.js";
+import { $ as CFN_TEMPLATE_URL_LIMIT, A as DagBuilder, B as getDockerCmd, C as CloudControlProvider, D as IntrinsicFunctionResolver, Dt as withErrorHandling, E as isTerminationProtectionPropagationError, Et as normalizeAwsError, F as AssetPublisher, Ft as generateResourceName, G as getLegacyStateBucketName, H as runDockerStreaming, I as stringifyValue, It as generateResourceNameWithFallback, J as resolveSkipPrefix, K as resolveApp, L as WorkGraph, Lt as withSkipPrefix, M as LockManager, Mt as getLiveRenderer, N as S3StateBackend, Nt as PATTERN_B_NAME_PROPERTIES, O as applyRoleArnIfSet, P as shouldRetainResource, Pt as PATTERN_B_RESOURCE_TYPES, Q as CFN_TEMPLATE_BODY_LIMIT, R as buildDockerImage, Rt as withStackName, S as findActionableSilentDrops, T as disableInstanceApiTermination, U as Synthesizer, V as runDockerForeground, W as getDefaultStateBucketName, X as resolveStateBucketWithDefaultAndSource, Y as resolveStateBucketWithDefault, Z as warnDeprecatedNoPrefixCliFlag, _ as CDK_PATH_TAG, _t as ProvisioningError, a as withRetry, at as resolveBucketRegion, b as resolveExplicitPhysicalId, bt as StackHasActiveImportsError, c as formatResourceLine, d as gray, dt as LocalMigrateError, et as MIGRATE_TMP_PREFIX, f as green, ft as LocalStartServiceError, g as collectInlinePolicyNamesManagedBySiblings, gt as PartialFailureError, h as IAMRoleProvider, ht as NestedStackChildDirectDestroyError, i as withResourceDeadline, j as TemplateParser, jt as runStackBuffered, k as DiffCalculator, kt as getLogger, l as bold, m as yellow, mt as MissingCdkCliError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as uploadCfnTemplate, o as isRetryableTransientError, p as red, q as resolveCaptureObservedState, r as DeployEngine, rt as AssemblyReader, s as IMPLICIT_DELETE_DEPENDENCIES, st as CdkdError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as findLargeInlineResources, u as cyan, ut as LocalInvokeBuildError$1, v as matchesCdkPath, vt as ResourceTimeoutError, w as assertRegionMatch, x as ProviderRegistry, xt as StackTerminationProtectionError, y as normalizeAwsTagsToCfn, yt as ResourceUpdateNotSupportedError, z as formatDockerLoginError } from "./deploy-engine-C9fD8IOo.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -53,7 +53,7 @@ import { AppSyncClient, CreateApiKeyCommand, CreateDataSourceCommand, CreateGrap
 import { parse, print } from "graphql";
 import { CreateConnectionCommand, CreateCrawlerCommand, CreateDatabaseCommand, CreateJobCommand, CreateSecurityConfigurationCommand, CreateTableCommand as CreateTableCommand$1, CreateTriggerCommand, CreateWorkflowCommand, DeleteConnectionCommand, DeleteCrawlerCommand, DeleteDatabaseCommand, DeleteJobCommand, DeleteSecurityConfigurationCommand, DeleteTableCommand as DeleteTableCommand$1, DeleteTriggerCommand, DeleteWorkflowCommand, EntityNotFoundException, GetConnectionCommand, GetCrawlerCommand, GetDatabaseCommand, GetDatabasesCommand, GetJobCommand, GetSecurityConfigurationCommand, GetSecurityConfigurationsCommand, GetTableCommand, GetTablesCommand, GetTagsCommand, GetTriggerCommand, GetWorkflowCommand, GlueClient, ListWorkflowsCommand, StartCrawlerScheduleCommand, StartTriggerCommand, StopCrawlerScheduleCommand, StopTriggerCommand, UpdateConnectionCommand, UpdateCrawlerCommand, UpdateDatabaseCommand, UpdateJobCommand, UpdateTableCommand as UpdateTableCommand$1, UpdateTriggerCommand, UpdateWorkflowCommand } from "@aws-sdk/client-glue";
 import { AddTagsToStreamCommand, CreateStreamCommand, DecreaseStreamRetentionPeriodCommand, DeleteStreamCommand, DeregisterStreamConsumerCommand, DescribeStreamCommand, DescribeStreamConsumerCommand, IncreaseStreamRetentionPeriodCommand, KinesisClient, ListStreamsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$17, ListTagsForStreamCommand, RegisterStreamConsumerCommand, RemoveTagsFromStreamCommand, ResourceNotFoundException as ResourceNotFoundException$8, StartStreamEncryptionCommand, StopStreamEncryptionCommand, TagResourceCommand as TagResourceCommand$15, UntagResourceCommand as UntagResourceCommand$14, UpdateShardCountCommand } from "@aws-sdk/client-kinesis";
-import { AccessPointNotFound, CreateAccessPointCommand, CreateFileSystemCommand, CreateMountTargetCommand, DeleteAccessPointCommand, DeleteFileSystemCommand, DeleteMountTargetCommand, DescribeAccessPointsCommand, DescribeBackupPolicyCommand, DescribeFileSystemsCommand, DescribeLifecycleConfigurationCommand, DescribeMountTargetSecurityGroupsCommand, DescribeMountTargetsCommand, EFSClient, FileSystemNotFound, ModifyMountTargetSecurityGroupsCommand, MountTargetNotFound, UpdateFileSystemCommand } from "@aws-sdk/client-efs";
+import { AccessPointNotFound, CreateAccessPointCommand, CreateFileSystemCommand, CreateMountTargetCommand, DeleteAccessPointCommand, DeleteFileSystemCommand, DeleteMountTargetCommand, DescribeAccessPointsCommand, DescribeBackupPolicyCommand, DescribeFileSystemPolicyCommand, DescribeFileSystemsCommand, DescribeLifecycleConfigurationCommand, DescribeMountTargetSecurityGroupsCommand, DescribeMountTargetsCommand, EFSClient, FileSystemNotFound, ModifyMountTargetSecurityGroupsCommand, MountTargetNotFound, PutBackupPolicyCommand, PutFileSystemPolicyCommand, PutLifecycleConfigurationCommand, UpdateFileSystemCommand, UpdateFileSystemProtectionCommand } from "@aws-sdk/client-efs";
 import { CreateDeliveryStreamCommand, DeleteDeliveryStreamCommand, DescribeDeliveryStreamCommand, FirehoseClient, ListDeliveryStreamsCommand, ListTagsForDeliveryStreamCommand, ResourceNotFoundException as ResourceNotFoundException$9, TagDeliveryStreamCommand, UntagDeliveryStreamCommand, UpdateDestinationCommand } from "@aws-sdk/client-firehose";
 import { AddTagsCommand as AddTagsCommand$1, CloudTrailClient, CreateTrailCommand, DeleteTrailCommand, GetEventSelectorsCommand, GetInsightSelectorsCommand, GetTrailCommand, GetTrailStatusCommand, ListTagsCommand as ListTagsCommand$1, ListTrailsCommand, PutEventSelectorsCommand, PutInsightSelectorsCommand, RemoveTagsCommand as RemoveTagsCommand$1, StartLoggingCommand, StopLoggingCommand, TrailNotFoundException, UpdateTrailCommand } from "@aws-sdk/client-cloudtrail";
 import { BatchGetProjectsCommand, CodeBuildClient, CreateProjectCommand, DeleteProjectCommand, ListProjectsCommand, ResourceNotFoundException as ResourceNotFoundException$10, UpdateProjectCommand } from "@aws-sdk/client-codebuild";
@@ -62,7 +62,7 @@ import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as
 import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
 import { createLocalStartAgentCoreCommand, createLocalStartCloudFrontCommand, createLocalStateProvider, getEmbedConfig, isCfnFlagPresent, listTargets, rejectExplicitCfnStackWithMultipleStacks, resolveCfnFallbackRegion, setEmbedConfig, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync } from "cdk-local";
-import { A2A_CONTAINER_PORT, A2A_PATH, AGENTCORE_A2A_PROTOCOL, AGENTCORE_AGUI_PROTOCOL, AGENTCORE_MCP_PROTOCOL, ConnectionRegistry, EcsTaskResolutionError, HOST_GATEWAY_MIN_VERSION, LocalInvokeBuildError, MCP_CONTAINER_PORT, MCP_PATH, a2aInvokeOnce, addAlbSpecificOptions, addCommonEcsServiceOptions, addStartServiceSpecificOptions, albStrategy, architectureToPlatform, attachAuthorizers, attachStageContext, availableApiIdentifiers, bufferToBody, buildAgentCoreCodeImage, buildCognitoJwksUrl, buildConnectEvent, buildContainerImage, buildCorsConfigByApiId, buildCorsConfigFromCloudFrontChain, buildDisconnectEvent, buildJwksUrlFromIssuer, buildMessageEvent, buildMgmtEndpointEnvUrl, buildStageMap, classifySourceChange, createAuthorizerCache, createFileWatcher, createFileWatcher as createFileWatcher$1, createJwksCache, createWatchPredicates, defaultCredentialsLoader, derivePseudoParametersFromRegion, discoverRoutes, discoverWebSocketApis, downloadAndExtractS3Bundle, filterRoutesByApiIdentifier, groupRoutesByServer, handleConnectionsRequest, invokeAgentCore, invokeAgentCoreWs, materializeLayerFromArn, mcpInvokeOnce, parseConnectionsPath, parseSelectionExpressionPath, pickAgentCoreCandidateStack, pickAgentCoreCandidateStack as pickAgentCoreCandidateStack$1, probeHostGatewaySupport, readMtlsMaterialsFromDisk, resolveAgentCoreTarget, resolveEnvVars, resolveRuntimeCodeMountPath, resolveRuntimeFileExtension, resolveRuntimeImage, resolveSingleTarget, resolveWatchConfig, runEcsServiceEmulator, signAgentCoreInvocation, startApiServer, substituteImagePlaceholders, tryResolveImageFnJoin, verifyJwtViaDiscovery, waitForAgentCorePing } from "cdk-local/internal";
+import { A2A_CONTAINER_PORT, A2A_PATH, AGENTCORE_A2A_PROTOCOL, AGENTCORE_AGUI_PROTOCOL, AGENTCORE_MCP_PROTOCOL, ConnectionRegistry, EcsTaskResolutionError, HOST_GATEWAY_MIN_VERSION, LocalInvokeBuildError, MCP_CONTAINER_PORT, MCP_PATH, a2aInvokeOnce, addAlbSpecificOptions, addCommonEcsServiceOptions, addStartServiceSpecificOptions, albStrategy, architectureToPlatform, attachAuthorizers, attachStageContext, availableApiIdentifiers, bufferToBody, buildAgentCoreCodeImage, buildCognitoJwksUrl, buildConnectEvent, buildContainerImage, buildCorsConfigByApiId, buildCorsConfigFromCloudFrontChain, buildDisconnectEvent, buildJwksUrlFromIssuer, buildMessageEvent, buildMgmtEndpointEnvUrl, buildStageMap, classifySourceChange, createAuthorizerCache, createFileWatcher, createFileWatcher as createFileWatcher$1, createJwksCache, createWatchPredicates, defaultCredentialsLoader, derivePseudoParametersFromRegion, discoverRoutes, discoverWebSocketApis, downloadAndExtractS3Bundle, filterRoutesByApiIdentifier, groupRoutesByServer, handleConnectionsRequest, invokeAgentCore, invokeAgentCoreWs, materializeLayerFromArn, mcpInvokeOnce, parseConnectionsPath, parseSelectionExpressionPath, pickAgentCoreCandidateStack, pickAgentCoreCandidateStack as pickAgentCoreCandidateStack$1, probeHostGatewaySupport, readMtlsMaterialsFromDisk, resolveAgentCoreTarget, resolveEnvVars, resolveHostGatewayExtraHosts, resolveRuntimeCodeMountPath, resolveRuntimeFileExtension, resolveRuntimeImage, resolveSingleTarget, resolveWatchConfig, runEcsServiceEmulator, signAgentCoreInvocation, startApiServer, substituteImagePlaceholders, tryResolveImageFnJoin, verifyJwtViaDiscovery, waitForAgentCorePing } from "cdk-local/internal";
 import { createServer } from "node:net";
 import { promisify } from "node:util";
 import { setTimeout as setTimeout$1 } from "node:timers/promises";
@@ -29112,7 +29112,13 @@ var EFSProvider = class {
 			"KmsKeyId",
 			"PerformanceMode",
 			"ThroughputMode",
-			"ProvisionedThroughputInMibps"
+			"ProvisionedThroughputInMibps",
+			"AvailabilityZoneName",
+			"LifecyclePolicies",
+			"BackupPolicy",
+			"FileSystemPolicy",
+			"BypassPolicyLockoutSafetyCheck",
+			"FileSystemProtection"
 		])],
 		["AWS::EFS::MountTarget", new Set([
 			"FileSystemId",
@@ -29126,7 +29132,7 @@ var EFSProvider = class {
 			"AccessPointTags"
 		])]
 	]);
-	unhandledByDesign = new Map([["AWS::EFS::AccessPoint", new Map([["ClientToken", "AWS SDK manages this idempotency token internally on CreateAccessPoint; no user-supplied value is honored"]])]]);
+	unhandledByDesign = new Map([["AWS::EFS::FileSystem", new Map([["ReplicationConfiguration", "Cross-region EFS replication (CreateReplicationConfiguration) provisions a separate destination file system in another region with its own lifecycle, KMS key, and availability-zone placement; replicating + then tearing down the destination on destroy is a multi-resource, cross-region orchestration that is out of scope for the single-resource SDK provider. Tracked as a follow-up to issue #609."]])], ["AWS::EFS::AccessPoint", new Map([["ClientToken", "AWS SDK manages this idempotency token internally on CreateAccessPoint; no user-supplied value is honored"]])]]);
 	getClient() {
 		if (!this.client) this.client = new EFSClient(this.providerRegion ? { region: this.providerRegion } : {});
 		return this.client;
@@ -29165,7 +29171,8 @@ var EFSProvider = class {
 		for (const key of [
 			"Encrypted",
 			"KmsKeyId",
-			"PerformanceMode"
+			"PerformanceMode",
+			"AvailabilityZoneName"
 		]) {
 			const next = properties[key];
 			const prev = previousProperties[key];
@@ -29177,7 +29184,12 @@ var EFSProvider = class {
 		const oldProvisioned = previousProperties["ProvisionedThroughputInMibps"];
 		const throughputModeChanged = newThroughputMode !== void 0 && newThroughputMode !== oldThroughputMode;
 		const provisionedChanged = newProvisioned !== void 0 && newProvisioned !== oldProvisioned;
-		if (!throughputModeChanged && !provisionedChanged) {
+		const changed = (key) => JSON.stringify(properties[key]) !== JSON.stringify(previousProperties[key]);
+		const lifecycleChanged = changed("LifecyclePolicies");
+		const backupChanged = changed("BackupPolicy");
+		const policyChanged = changed("FileSystemPolicy") || changed("BypassPolicyLockoutSafetyCheck");
+		const protectionChanged = changed("FileSystemProtection");
+		if (!throughputModeChanged && !provisionedChanged && !lifecycleChanged && !backupChanged && !policyChanged && !protectionChanged) {
 			this.logger.debug(`No mutable diff for EFS FileSystem ${logicalId}, skipping update`);
 			return {
 				physicalId,
@@ -29186,12 +29198,18 @@ var EFSProvider = class {
 		}
 		this.logger.debug(`Updating EFS FileSystem ${logicalId}: ${physicalId}`);
 		try {
-			await this.getClient().send(new UpdateFileSystemCommand({
-				FileSystemId: physicalId,
-				...throughputModeChanged && { ThroughputMode: newThroughputMode },
-				...provisionedChanged && { ProvisionedThroughputInMibps: newProvisioned }
-			}));
-			await this.waitForFileSystemAvailable(physicalId, logicalId, resourceType);
+			if (throughputModeChanged || provisionedChanged) {
+				await this.getClient().send(new UpdateFileSystemCommand({
+					FileSystemId: physicalId,
+					...throughputModeChanged && { ThroughputMode: newThroughputMode },
+					...provisionedChanged && { ProvisionedThroughputInMibps: newProvisioned }
+				}));
+				await this.waitForFileSystemAvailable(physicalId, logicalId, resourceType);
+			}
+			if (lifecycleChanged) await this.applyLifecyclePolicies(physicalId, properties["LifecyclePolicies"], previousProperties["LifecyclePolicies"]);
+			if (backupChanged) await this.applyBackupPolicy(physicalId, properties["BackupPolicy"]);
+			if (policyChanged) await this.applyFileSystemPolicy(physicalId, properties["FileSystemPolicy"], properties["BypassPolicyLockoutSafetyCheck"]);
+			if (protectionChanged) await this.applyFileSystemProtection(physicalId, properties["FileSystemProtection"]);
 			this.logger.debug(`Successfully updated EFS FileSystem ${logicalId}`);
 			return {
 				physicalId,
@@ -29240,6 +29258,7 @@ var EFSProvider = class {
 		this.logger.debug(`Creating EFS FileSystem ${logicalId}`);
 		const creationToken = `cdkd-${logicalId}`;
 		const tags = properties["FileSystemTags"];
+		let fileSystemId;
 		try {
 			const response = await this.getClient().send(new CreateFileSystemCommand({
 				CreationToken: creationToken,
@@ -29248,14 +29267,19 @@ var EFSProvider = class {
 				PerformanceMode: properties["PerformanceMode"],
 				ThroughputMode: properties["ThroughputMode"],
 				ProvisionedThroughputInMibps: properties["ProvisionedThroughputInMibps"],
+				AvailabilityZoneName: properties["AvailabilityZoneName"],
 				Tags: tags?.map((t) => ({
 					Key: t.Key,
 					Value: t.Value
 				}))
 			}));
-			const fileSystemId = response.FileSystemId;
+			fileSystemId = response.FileSystemId;
 			const arn = response.FileSystemArn;
 			await this.waitForFileSystemAvailable(fileSystemId, logicalId, resourceType);
+			await this.applyLifecyclePolicies(fileSystemId, properties["LifecyclePolicies"]);
+			await this.applyBackupPolicy(fileSystemId, properties["BackupPolicy"]);
+			await this.applyFileSystemPolicy(fileSystemId, properties["FileSystemPolicy"], properties["BypassPolicyLockoutSafetyCheck"]);
+			await this.applyFileSystemProtection(fileSystemId, properties["FileSystemProtection"]);
 			this.logger.debug(`Successfully created EFS FileSystem ${logicalId}: ${fileSystemId}`);
 			return {
 				physicalId: fileSystemId,
@@ -29265,10 +29289,100 @@ var EFSProvider = class {
 				}
 			};
 		} catch (error) {
+			if (fileSystemId !== void 0) try {
+				await this.getClient().send(new DeleteFileSystemCommand({ FileSystemId: fileSystemId }));
+				this.logger.debug(`Rolled back partially-created EFS FileSystem ${fileSystemId}`);
+			} catch (cleanupError) {
+				this.logger.warn(`Failed to roll back partially-created EFS FileSystem ${fileSystemId}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`);
+			}
+			if (error instanceof ProvisioningError) throw error;
 			const cause = error instanceof Error ? error : void 0;
 			throw new ProvisioningError(`Failed to create EFS FileSystem ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, void 0, cause);
 		}
 	}
+	/**
+	* Apply `LifecyclePolicies` via `PutLifecycleConfiguration`. CFn shape is an
+	* array of `{ TransitionToIA?, TransitionToPrimaryStorageClass?,
+	* TransitionToArchive? }`. An empty / dropped array clears all lifecycle
+	* policies (PutLifecycleConfiguration with `LifecyclePolicies: []`).
+	*/
+	async applyLifecyclePolicies(fileSystemId, spec, previousSpec) {
+		if (spec === void 0) {
+			if (previousSpec === void 0) return;
+		}
+		const policies = spec ?? [];
+		await this.retryOnTransientControlPlane(() => this.getClient().send(new PutLifecycleConfigurationCommand({
+			FileSystemId: fileSystemId,
+			LifecyclePolicies: policies
+		})), `set LifecyclePolicies on ${fileSystemId}`);
+		this.logger.debug(`Set ${policies.length} LifecyclePolicy entry(ies) on EFS FileSystem ${fileSystemId}`);
+	}
+	/**
+	* Apply `BackupPolicy` via `PutBackupPolicy`. CFn shape is
+	* `{ Status: 'ENABLED' | 'DISABLED' }`.
+	*/
+	async applyBackupPolicy(fileSystemId, spec) {
+		if (spec === void 0 || spec === null) return;
+		const status = spec.Status;
+		if (status === void 0) return;
+		await this.retryOnTransientControlPlane(() => this.getClient().send(new PutBackupPolicyCommand({
+			FileSystemId: fileSystemId,
+			BackupPolicy: { Status: status }
+		})), `set BackupPolicy on ${fileSystemId}`);
+		this.logger.debug(`Set BackupPolicy Status=${status} on EFS FileSystem ${fileSystemId}`);
+	}
+	/**
+	* Apply `FileSystemPolicy` via `PutFileSystemPolicy`. The CFn `FileSystemPolicy`
+	* property is a JSON policy *object* but the SDK's `Policy` field is a JSON
+	* *string*, so an object value is `JSON.stringify`'d. `BypassPolicyLockoutSafetyCheck`
+	* is a field ON `PutFileSystemPolicy` (not a standalone resource property), so
+	* the two wire together.
+	*/
+	async applyFileSystemPolicy(fileSystemId, policy, bypass) {
+		if (policy === void 0 || policy === null) return;
+		const policyString = typeof policy === "string" ? policy : JSON.stringify(policy);
+		await this.retryOnTransientControlPlane(() => this.getClient().send(new PutFileSystemPolicyCommand({
+			FileSystemId: fileSystemId,
+			Policy: policyString,
+			BypassPolicyLockoutSafetyCheck: bypass === void 0 ? void 0 : Boolean(bypass)
+		})), `set FileSystemPolicy on ${fileSystemId}`);
+		this.logger.debug(`Set FileSystemPolicy on EFS FileSystem ${fileSystemId}`);
+	}
+	/**
+	* Apply `FileSystemProtection` via `UpdateFileSystemProtection`. CFn shape is
+	* `{ ReplicationOverwriteProtection: 'ENABLED' | 'DISABLED' | 'REPLICATING' }`.
+	*/
+	async applyFileSystemProtection(fileSystemId, spec) {
+		if (spec === void 0 || spec === null) return;
+		const protection = spec.ReplicationOverwriteProtection;
+		if (protection === void 0) return;
+		await this.retryOnTransientControlPlane(() => this.getClient().send(new UpdateFileSystemProtectionCommand({
+			FileSystemId: fileSystemId,
+			ReplicationOverwriteProtection: protection
+		})), `set FileSystemProtection on ${fileSystemId}`);
+		this.logger.debug(`Set ReplicationOverwriteProtection=${protection} on EFS FileSystem ${fileSystemId}`);
+	}
+	/**
+	* Retry an EFS control-plane call on the transient "settling" errors AWS
+	* returns when two file-system-modifying operations land back-to-back (e.g.
+	* a `PutLifecycleConfiguration` immediately followed by a `PutBackupPolicy`).
+	* `IncorrectFileSystemLifeCycleState` / `ThrottlingException` /
+	* `ConflictException` and the message-pattern set below are the same class.
+	* Backoff: ~2s,4s,8s,16s,30s,30s... bounded to ~2min total.
+	*/
+	async retryOnTransientControlPlane(op, label, maxAttempts = 8) {
+		let delayMs = 2e3;
+		for (let attempt = 1;; attempt++) try {
+			return await op();
+		} catch (error) {
+			const msg = error instanceof Error ? error.message : String(error);
+			const name = error instanceof Error ? error.name : "";
+			if (!(/in progress|please retry|incorrect file system life ?cycle state|being (updated|modified)|try again/i.test(msg) || name === "IncorrectFileSystemLifeCycleState" || name === "ConflictException" || name === "ThrottlingException") || attempt >= maxAttempts) throw error;
+			this.logger.debug(`Transient error on "${label}" (attempt ${attempt}/${maxAttempts}): ${msg} — retrying in ${delayMs}ms`);
+			await new Promise((resolve) => setTimeout(resolve, delayMs));
+			delayMs = Math.min(delayMs * 2, 3e4);
+		}
+	}
 	async deleteFileSystem(logicalId, physicalId, resourceType, context) {
 		this.logger.debug(`Deleting EFS FileSystem ${logicalId}: ${physicalId}`);
 		try {
@@ -29430,10 +29544,11 @@ var EFSProvider = class {
 	*
 	* Dispatch per resource type:
 	*  - `FileSystem` → `DescribeFileSystems` filtered by id (PerformanceMode,
-	*    ThroughputMode, Encrypted, KmsKeyId, ProvisionedThroughputInMibps),
-	*    plus optional `DescribeLifecycleConfiguration` and
-	*    `DescribeBackupPolicy` enrichment. Each enrichment call is wrapped
-	*    in its own try/catch so a "not configured" error on either omits
+	*    ThroughputMode, Encrypted, KmsKeyId, ProvisionedThroughputInMibps,
+	*    AvailabilityZoneName, FileSystemProtection), plus optional
+	*    `DescribeLifecycleConfiguration`, `DescribeBackupPolicy`, and
+	*    `DescribeFileSystemPolicy` enrichment. Each enrichment call is wrapped
+	*    in its own try/catch so a "not configured" error on any of them omits
 	*    the corresponding key without failing the whole snapshot.
 	*  - `AccessPoint` → `DescribeAccessPoints` filtered by id (PosixUser,
 	*    RootDirectory).
@@ -29473,8 +29588,11 @@ var EFSProvider = class {
 		if (fs.Encrypted !== void 0) result["Encrypted"] = fs.Encrypted;
 		if (fs.KmsKeyId !== void 0) result["KmsKeyId"] = fs.KmsKeyId;
 		if (fs.ProvisionedThroughputInMibps !== void 0) result["ProvisionedThroughputInMibps"] = fs.ProvisionedThroughputInMibps;
+		if (fs.AvailabilityZoneName !== void 0) result["AvailabilityZoneName"] = fs.AvailabilityZoneName;
+		if (fs.FileSystemProtection?.ReplicationOverwriteProtection !== void 0) result["FileSystemProtection"] = { ReplicationOverwriteProtection: fs.FileSystemProtection.ReplicationOverwriteProtection };
 		try {
-			result["LifecyclePolicies"] = ((await this.getClient().send(new DescribeLifecycleConfigurationCommand({ FileSystemId: physicalId }))).LifecyclePolicies ?? []).map((p) => {
+			const policies = (await this.getClient().send(new DescribeLifecycleConfigurationCommand({ FileSystemId: physicalId }))).LifecyclePolicies ?? [];
+			if (policies.length > 0) result["LifecyclePolicies"] = policies.map((p) => {
 				const out = {};
 				if (p.TransitionToIA !== void 0) out["TransitionToIA"] = p.TransitionToIA;
 				if (p.TransitionToPrimaryStorageClass !== void 0) out["TransitionToPrimaryStorageClass"] = p.TransitionToPrimaryStorageClass;
@@ -29491,6 +29609,16 @@ var EFSProvider = class {
 		} catch (err) {
 			if (err instanceof FileSystemNotFound) return void 0;
 		}
+		try {
+			const resp = await this.getClient().send(new DescribeFileSystemPolicyCommand({ FileSystemId: physicalId }));
+			if (resp.Policy !== void 0) try {
+				result["FileSystemPolicy"] = JSON.parse(resp.Policy);
+			} catch {
+				result["FileSystemPolicy"] = resp.Policy;
+			}
+		} catch (err) {
+			if (err instanceof FileSystemNotFound) return void 0;
+		}
 		result["FileSystemTags"] = normalizeAwsTagsToCfn(fs.Tags);
 		return result;
 	}
@@ -48672,6 +48800,19 @@ async function cleanupEcsRun(state, options) {
 	state.dockerVolumeNames = [];
 }
 /**
+* Merge the Cloud Map peer-discovery `--add-host` flag pairs
+* ({@link RunEcsTaskOptions.addHostFlags}) with the boot-resolved
+* `host.docker.internal` host-gateway mapping(s)
+* ({@link RunEcsTaskOptions.hostGatewayExtraHosts}) into one verbatim
+* `['--add-host', 'name:ip', ...]` list for `docker run`. The host-gateway
+* entry uses a distinct name, so its position relative to the peer entries is
+* irrelevant (docker's resolver matches by name). Pure — exported for the
+* site-level merge test. Mirrors cdk-local #483.
+*/
+function mergeHostGatewayAddHostFlags(addHostFlags, hostGatewayExtraHosts) {
+	return [...addHostFlags ?? [], ...(hostGatewayExtraHosts ?? []).flatMap((h) => ["--add-host", `${h.host}:${h.ip}`])];
+}
+/**
 * Top-level entry point. Mutates `state` as it makes progress so the
 * caller's `cleanup(state)` can roll back partial side effects on any
 * thrown error.
@@ -48705,6 +48846,7 @@ async function runEcsTask(task, options, state) {
 		state.network = await createTaskNetwork(netCreateOpts);
 	}
 	const volumeByName = await realizeDockerVolumes(task.volumes, state);
+	const mergedAddHostFlags = mergeHostGatewayAddHostFlags(options.addHostFlags, options.hostGatewayExtraHosts);
 	const dockerCmds = /* @__PURE__ */ new Map();
 	for (const container of task.containers) {
 		const image = imagePlan.get(container.name);
@@ -48723,7 +48865,7 @@ async function runEcsTask(task, options, state) {
 			region: options.region,
 			sidecarIp: state.network.sidecarIp,
 			...options.skipHostPortPublish ? { skipHostPortPublish: true } : {},
-			...options.addHostFlags && options.addHostFlags.length > 0 ? { addHostFlags: options.addHostFlags } : {},
+			...mergedAddHostFlags.length > 0 ? { addHostFlags: mergedAddHostFlags } : {},
 			...(options.networkAliasesByContainer?.get(container.name)?.length ?? 0) > 0 ? { networkAliases: options.networkAliasesByContainer.get(container.name) } : {},
 			...options.profileCredentialsFile && { profileCredentialsFile: options.profileCredentialsFile }
 		}));
@@ -49247,6 +49389,8 @@ async function localRunTaskCommand(target, options) {
 			containerPath: profileCredsFile.containerPath,
 			profileName: profileCredsFile.profileName
 		};
+		const hostGatewayExtraHosts = await resolveHostGatewayExtraHosts();
+		if (hostGatewayExtraHosts.length > 0) runOpts.hostGatewayExtraHosts = hostGatewayExtraHosts;
 		const result = await runEcsTask(task, runOpts, state);
 		if (options.detach) {
 			logger.info("Task containers started in detached mode; cdkd is exiting.");
@@ -51173,11 +51317,13 @@ async function localInvokeCommand(target, options) {
 			containerPath: profileCredsFile.containerPath,
 			readOnly: true
 		}] : imagePlan.extraMounts;
+		const hostGatewayExtraHosts = await resolveHostGatewayExtraHosts();
 		containerId = await runDetached({
 			image: imagePlan.image,
 			mounts: imagePlan.mounts,
 			extraMounts: extraMountsWithProfile,
 			env: dockerEnv,
+			...hostGatewayExtraHosts.length > 0 && { extraHosts: hostGatewayExtraHosts },
 			cmd: imagePlan.cmd,
 			hostPort,
 			host: containerHost,
@@ -52887,7 +53033,7 @@ function reorderArgs(argv) {
 async function main() {
 	installPipeCloseHandler();
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.213.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.215.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());