@go-to-k/cdkd 0.214.0 → 0.215.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-DWUnLza1.js";
-import { $ as CFN_TEMPLATE_URL_LIMIT, A as DagBuilder, B as getDockerCmd, C as CloudControlProvider, D as IntrinsicFunctionResolver, Dt as withErrorHandling, E as isTerminationProtectionPropagationError, Et as normalizeAwsError, F as AssetPublisher, Ft as generateResourceName, G as getLegacyStateBucketName, H as runDockerStreaming, I as stringifyValue, It as generateResourceNameWithFallback, J as resolveSkipPrefix, K as resolveApp, L as WorkGraph, Lt as withSkipPrefix, M as LockManager, Mt as getLiveRenderer, N as S3StateBackend, Nt as PATTERN_B_NAME_PROPERTIES, O as applyRoleArnIfSet, P as shouldRetainResource, Pt as PATTERN_B_RESOURCE_TYPES, Q as CFN_TEMPLATE_BODY_LIMIT, R as buildDockerImage, Rt as withStackName, S as findActionableSilentDrops, T as disableInstanceApiTermination, U as Synthesizer, V as runDockerForeground, W as getDefaultStateBucketName, X as resolveStateBucketWithDefaultAndSource, Y as resolveStateBucketWithDefault, Z as warnDeprecatedNoPrefixCliFlag, _ as CDK_PATH_TAG, _t as ProvisioningError, a as withRetry, at as resolveBucketRegion, b as resolveExplicitPhysicalId, bt as StackHasActiveImportsError, c as formatResourceLine, d as gray, dt as LocalMigrateError, et as MIGRATE_TMP_PREFIX, f as green, ft as LocalStartServiceError, g as collectInlinePolicyNamesManagedBySiblings, gt as PartialFailureError, h as IAMRoleProvider, ht as NestedStackChildDirectDestroyError, i as withResourceDeadline, j as TemplateParser, jt as runStackBuffered, k as DiffCalculator, kt as getLogger, l as bold, m as yellow, mt as MissingCdkCliError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as uploadCfnTemplate, o as isRetryableTransientError, p as red, q as resolveCaptureObservedState, r as DeployEngine, rt as AssemblyReader, s as IMPLICIT_DELETE_DEPENDENCIES, st as CdkdError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as findLargeInlineResources, u as cyan, ut as LocalInvokeBuildError$1, v as matchesCdkPath, vt as ResourceTimeoutError, w as assertRegionMatch, x as ProviderRegistry, xt as StackTerminationProtectionError, y as normalizeAwsTagsToCfn, yt as ResourceUpdateNotSupportedError, z as formatDockerLoginError } from "./deploy-engine-DMggQBl4.js";
+import { $ as CFN_TEMPLATE_URL_LIMIT, A as DagBuilder, B as getDockerCmd, C as CloudControlProvider, D as IntrinsicFunctionResolver, Dt as withErrorHandling, E as isTerminationProtectionPropagationError, Et as normalizeAwsError, F as AssetPublisher, Ft as generateResourceName, G as getLegacyStateBucketName, H as runDockerStreaming, I as stringifyValue, It as generateResourceNameWithFallback, J as resolveSkipPrefix, K as resolveApp, L as WorkGraph, Lt as withSkipPrefix, M as LockManager, Mt as getLiveRenderer, N as S3StateBackend, Nt as PATTERN_B_NAME_PROPERTIES, O as applyRoleArnIfSet, P as shouldRetainResource, Pt as PATTERN_B_RESOURCE_TYPES, Q as CFN_TEMPLATE_BODY_LIMIT, R as buildDockerImage, Rt as withStackName, S as findActionableSilentDrops, T as disableInstanceApiTermination, U as Synthesizer, V as runDockerForeground, W as getDefaultStateBucketName, X as resolveStateBucketWithDefaultAndSource, Y as resolveStateBucketWithDefault, Z as warnDeprecatedNoPrefixCliFlag, _ as CDK_PATH_TAG, _t as ProvisioningError, a as withRetry, at as resolveBucketRegion, b as resolveExplicitPhysicalId, bt as StackHasActiveImportsError, c as formatResourceLine, d as gray, dt as LocalMigrateError, et as MIGRATE_TMP_PREFIX, f as green, ft as LocalStartServiceError, g as collectInlinePolicyNamesManagedBySiblings, gt as PartialFailureError, h as IAMRoleProvider, ht as NestedStackChildDirectDestroyError, i as withResourceDeadline, j as TemplateParser, jt as runStackBuffered, k as DiffCalculator, kt as getLogger, l as bold, m as yellow, mt as MissingCdkCliError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as uploadCfnTemplate, o as isRetryableTransientError, p as red, q as resolveCaptureObservedState, r as DeployEngine, rt as AssemblyReader, s as IMPLICIT_DELETE_DEPENDENCIES, st as CdkdError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as findLargeInlineResources, u as cyan, ut as LocalInvokeBuildError$1, v as matchesCdkPath, vt as ResourceTimeoutError, w as assertRegionMatch, x as ProviderRegistry, xt as StackTerminationProtectionError, y as normalizeAwsTagsToCfn, yt as ResourceUpdateNotSupportedError, z as formatDockerLoginError } from "./deploy-engine-C9fD8IOo.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -53,7 +53,7 @@ import { AppSyncClient, CreateApiKeyCommand, CreateDataSourceCommand, CreateGrap
 import { parse, print } from "graphql";
 import { CreateConnectionCommand, CreateCrawlerCommand, CreateDatabaseCommand, CreateJobCommand, CreateSecurityConfigurationCommand, CreateTableCommand as CreateTableCommand$1, CreateTriggerCommand, CreateWorkflowCommand, DeleteConnectionCommand, DeleteCrawlerCommand, DeleteDatabaseCommand, DeleteJobCommand, DeleteSecurityConfigurationCommand, DeleteTableCommand as DeleteTableCommand$1, DeleteTriggerCommand, DeleteWorkflowCommand, EntityNotFoundException, GetConnectionCommand, GetCrawlerCommand, GetDatabaseCommand, GetDatabasesCommand, GetJobCommand, GetSecurityConfigurationCommand, GetSecurityConfigurationsCommand, GetTableCommand, GetTablesCommand, GetTagsCommand, GetTriggerCommand, GetWorkflowCommand, GlueClient, ListWorkflowsCommand, StartCrawlerScheduleCommand, StartTriggerCommand, StopCrawlerScheduleCommand, StopTriggerCommand, UpdateConnectionCommand, UpdateCrawlerCommand, UpdateDatabaseCommand, UpdateJobCommand, UpdateTableCommand as UpdateTableCommand$1, UpdateTriggerCommand, UpdateWorkflowCommand } from "@aws-sdk/client-glue";
 import { AddTagsToStreamCommand, CreateStreamCommand, DecreaseStreamRetentionPeriodCommand, DeleteStreamCommand, DeregisterStreamConsumerCommand, DescribeStreamCommand, DescribeStreamConsumerCommand, IncreaseStreamRetentionPeriodCommand, KinesisClient, ListStreamsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$17, ListTagsForStreamCommand, RegisterStreamConsumerCommand, RemoveTagsFromStreamCommand, ResourceNotFoundException as ResourceNotFoundException$8, StartStreamEncryptionCommand, StopStreamEncryptionCommand, TagResourceCommand as TagResourceCommand$15, UntagResourceCommand as UntagResourceCommand$14, UpdateShardCountCommand } from "@aws-sdk/client-kinesis";
-import { AccessPointNotFound, CreateAccessPointCommand, CreateFileSystemCommand, CreateMountTargetCommand, DeleteAccessPointCommand, DeleteFileSystemCommand, DeleteMountTargetCommand, DescribeAccessPointsCommand, DescribeBackupPolicyCommand, DescribeFileSystemsCommand, DescribeLifecycleConfigurationCommand, DescribeMountTargetSecurityGroupsCommand, DescribeMountTargetsCommand, EFSClient, FileSystemNotFound, ModifyMountTargetSecurityGroupsCommand, MountTargetNotFound, UpdateFileSystemCommand } from "@aws-sdk/client-efs";
+import { AccessPointNotFound, CreateAccessPointCommand, CreateFileSystemCommand, CreateMountTargetCommand, DeleteAccessPointCommand, DeleteFileSystemCommand, DeleteMountTargetCommand, DescribeAccessPointsCommand, DescribeBackupPolicyCommand, DescribeFileSystemPolicyCommand, DescribeFileSystemsCommand, DescribeLifecycleConfigurationCommand, DescribeMountTargetSecurityGroupsCommand, DescribeMountTargetsCommand, EFSClient, FileSystemNotFound, ModifyMountTargetSecurityGroupsCommand, MountTargetNotFound, PutBackupPolicyCommand, PutFileSystemPolicyCommand, PutLifecycleConfigurationCommand, UpdateFileSystemCommand, UpdateFileSystemProtectionCommand } from "@aws-sdk/client-efs";
 import { CreateDeliveryStreamCommand, DeleteDeliveryStreamCommand, DescribeDeliveryStreamCommand, FirehoseClient, ListDeliveryStreamsCommand, ListTagsForDeliveryStreamCommand, ResourceNotFoundException as ResourceNotFoundException$9, TagDeliveryStreamCommand, UntagDeliveryStreamCommand, UpdateDestinationCommand } from "@aws-sdk/client-firehose";
 import { AddTagsCommand as AddTagsCommand$1, CloudTrailClient, CreateTrailCommand, DeleteTrailCommand, GetEventSelectorsCommand, GetInsightSelectorsCommand, GetTrailCommand, GetTrailStatusCommand, ListTagsCommand as ListTagsCommand$1, ListTrailsCommand, PutEventSelectorsCommand, PutInsightSelectorsCommand, RemoveTagsCommand as RemoveTagsCommand$1, StartLoggingCommand, StopLoggingCommand, TrailNotFoundException, UpdateTrailCommand } from "@aws-sdk/client-cloudtrail";
 import { BatchGetProjectsCommand, CodeBuildClient, CreateProjectCommand, DeleteProjectCommand, ListProjectsCommand, ResourceNotFoundException as ResourceNotFoundException$10, UpdateProjectCommand } from "@aws-sdk/client-codebuild";
@@ -29112,7 +29112,13 @@ var EFSProvider = class {
 			"KmsKeyId",
 			"PerformanceMode",
 			"ThroughputMode",
-			"ProvisionedThroughputInMibps"
+			"ProvisionedThroughputInMibps",
+			"AvailabilityZoneName",
+			"LifecyclePolicies",
+			"BackupPolicy",
+			"FileSystemPolicy",
+			"BypassPolicyLockoutSafetyCheck",
+			"FileSystemProtection"
 		])],
 		["AWS::EFS::MountTarget", new Set([
 			"FileSystemId",
@@ -29126,7 +29132,7 @@ var EFSProvider = class {
 			"AccessPointTags"
 		])]
 	]);
-	unhandledByDesign = new Map([["AWS::EFS::AccessPoint", new Map([["ClientToken", "AWS SDK manages this idempotency token internally on CreateAccessPoint; no user-supplied value is honored"]])]]);
+	unhandledByDesign = new Map([["AWS::EFS::FileSystem", new Map([["ReplicationConfiguration", "Cross-region EFS replication (CreateReplicationConfiguration) provisions a separate destination file system in another region with its own lifecycle, KMS key, and availability-zone placement; replicating + then tearing down the destination on destroy is a multi-resource, cross-region orchestration that is out of scope for the single-resource SDK provider. Tracked as a follow-up to issue #609."]])], ["AWS::EFS::AccessPoint", new Map([["ClientToken", "AWS SDK manages this idempotency token internally on CreateAccessPoint; no user-supplied value is honored"]])]]);
 	getClient() {
 		if (!this.client) this.client = new EFSClient(this.providerRegion ? { region: this.providerRegion } : {});
 		return this.client;
@@ -29165,7 +29171,8 @@ var EFSProvider = class {
 		for (const key of [
 			"Encrypted",
 			"KmsKeyId",
-			"PerformanceMode"
+			"PerformanceMode",
+			"AvailabilityZoneName"
 		]) {
 			const next = properties[key];
 			const prev = previousProperties[key];
@@ -29177,7 +29184,12 @@ var EFSProvider = class {
 		const oldProvisioned = previousProperties["ProvisionedThroughputInMibps"];
 		const throughputModeChanged = newThroughputMode !== void 0 && newThroughputMode !== oldThroughputMode;
 		const provisionedChanged = newProvisioned !== void 0 && newProvisioned !== oldProvisioned;
-		if (!throughputModeChanged && !provisionedChanged) {
+		const changed = (key) => JSON.stringify(properties[key]) !== JSON.stringify(previousProperties[key]);
+		const lifecycleChanged = changed("LifecyclePolicies");
+		const backupChanged = changed("BackupPolicy");
+		const policyChanged = changed("FileSystemPolicy") || changed("BypassPolicyLockoutSafetyCheck");
+		const protectionChanged = changed("FileSystemProtection");
+		if (!throughputModeChanged && !provisionedChanged && !lifecycleChanged && !backupChanged && !policyChanged && !protectionChanged) {
 			this.logger.debug(`No mutable diff for EFS FileSystem ${logicalId}, skipping update`);
 			return {
 				physicalId,
@@ -29186,12 +29198,18 @@ var EFSProvider = class {
 		}
 		this.logger.debug(`Updating EFS FileSystem ${logicalId}: ${physicalId}`);
 		try {
-			await this.getClient().send(new UpdateFileSystemCommand({
-				FileSystemId: physicalId,
-				...throughputModeChanged && { ThroughputMode: newThroughputMode },
-				...provisionedChanged && { ProvisionedThroughputInMibps: newProvisioned }
-			}));
-			await this.waitForFileSystemAvailable(physicalId, logicalId, resourceType);
+			if (throughputModeChanged || provisionedChanged) {
+				await this.getClient().send(new UpdateFileSystemCommand({
+					FileSystemId: physicalId,
+					...throughputModeChanged && { ThroughputMode: newThroughputMode },
+					...provisionedChanged && { ProvisionedThroughputInMibps: newProvisioned }
+				}));
+				await this.waitForFileSystemAvailable(physicalId, logicalId, resourceType);
+			}
+			if (lifecycleChanged) await this.applyLifecyclePolicies(physicalId, properties["LifecyclePolicies"], previousProperties["LifecyclePolicies"]);
+			if (backupChanged) await this.applyBackupPolicy(physicalId, properties["BackupPolicy"]);
+			if (policyChanged) await this.applyFileSystemPolicy(physicalId, properties["FileSystemPolicy"], properties["BypassPolicyLockoutSafetyCheck"]);
+			if (protectionChanged) await this.applyFileSystemProtection(physicalId, properties["FileSystemProtection"]);
 			this.logger.debug(`Successfully updated EFS FileSystem ${logicalId}`);
 			return {
 				physicalId,
@@ -29240,6 +29258,7 @@ var EFSProvider = class {
 		this.logger.debug(`Creating EFS FileSystem ${logicalId}`);
 		const creationToken = `cdkd-${logicalId}`;
 		const tags = properties["FileSystemTags"];
+		let fileSystemId;
 		try {
 			const response = await this.getClient().send(new CreateFileSystemCommand({
 				CreationToken: creationToken,
@@ -29248,14 +29267,19 @@ var EFSProvider = class {
 				PerformanceMode: properties["PerformanceMode"],
 				ThroughputMode: properties["ThroughputMode"],
 				ProvisionedThroughputInMibps: properties["ProvisionedThroughputInMibps"],
+				AvailabilityZoneName: properties["AvailabilityZoneName"],
 				Tags: tags?.map((t) => ({
 					Key: t.Key,
 					Value: t.Value
 				}))
 			}));
-			const fileSystemId = response.FileSystemId;
+			fileSystemId = response.FileSystemId;
 			const arn = response.FileSystemArn;
 			await this.waitForFileSystemAvailable(fileSystemId, logicalId, resourceType);
+			await this.applyLifecyclePolicies(fileSystemId, properties["LifecyclePolicies"]);
+			await this.applyBackupPolicy(fileSystemId, properties["BackupPolicy"]);
+			await this.applyFileSystemPolicy(fileSystemId, properties["FileSystemPolicy"], properties["BypassPolicyLockoutSafetyCheck"]);
+			await this.applyFileSystemProtection(fileSystemId, properties["FileSystemProtection"]);
 			this.logger.debug(`Successfully created EFS FileSystem ${logicalId}: ${fileSystemId}`);
 			return {
 				physicalId: fileSystemId,
@@ -29265,10 +29289,100 @@ var EFSProvider = class {
 				}
 			};
 		} catch (error) {
+			if (fileSystemId !== void 0) try {
+				await this.getClient().send(new DeleteFileSystemCommand({ FileSystemId: fileSystemId }));
+				this.logger.debug(`Rolled back partially-created EFS FileSystem ${fileSystemId}`);
+			} catch (cleanupError) {
+				this.logger.warn(`Failed to roll back partially-created EFS FileSystem ${fileSystemId}: ${cleanupError instanceof Error ? cleanupError.message : String(cleanupError)}`);
+			}
+			if (error instanceof ProvisioningError) throw error;
 			const cause = error instanceof Error ? error : void 0;
 			throw new ProvisioningError(`Failed to create EFS FileSystem ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, void 0, cause);
 		}
 	}
+	/**
+	* Apply `LifecyclePolicies` via `PutLifecycleConfiguration`. CFn shape is an
+	* array of `{ TransitionToIA?, TransitionToPrimaryStorageClass?,
+	* TransitionToArchive? }`. An empty / dropped array clears all lifecycle
+	* policies (PutLifecycleConfiguration with `LifecyclePolicies: []`).
+	*/
+	async applyLifecyclePolicies(fileSystemId, spec, previousSpec) {
+		if (spec === void 0) {
+			if (previousSpec === void 0) return;
+		}
+		const policies = spec ?? [];
+		await this.retryOnTransientControlPlane(() => this.getClient().send(new PutLifecycleConfigurationCommand({
+			FileSystemId: fileSystemId,
+			LifecyclePolicies: policies
+		})), `set LifecyclePolicies on ${fileSystemId}`);
+		this.logger.debug(`Set ${policies.length} LifecyclePolicy entry(ies) on EFS FileSystem ${fileSystemId}`);
+	}
+	/**
+	* Apply `BackupPolicy` via `PutBackupPolicy`. CFn shape is
+	* `{ Status: 'ENABLED' | 'DISABLED' }`.
+	*/
+	async applyBackupPolicy(fileSystemId, spec) {
+		if (spec === void 0 || spec === null) return;
+		const status = spec.Status;
+		if (status === void 0) return;
+		await this.retryOnTransientControlPlane(() => this.getClient().send(new PutBackupPolicyCommand({
+			FileSystemId: fileSystemId,
+			BackupPolicy: { Status: status }
+		})), `set BackupPolicy on ${fileSystemId}`);
+		this.logger.debug(`Set BackupPolicy Status=${status} on EFS FileSystem ${fileSystemId}`);
+	}
+	/**
+	* Apply `FileSystemPolicy` via `PutFileSystemPolicy`. The CFn `FileSystemPolicy`
+	* property is a JSON policy *object* but the SDK's `Policy` field is a JSON
+	* *string*, so an object value is `JSON.stringify`'d. `BypassPolicyLockoutSafetyCheck`
+	* is a field ON `PutFileSystemPolicy` (not a standalone resource property), so
+	* the two wire together.
+	*/
+	async applyFileSystemPolicy(fileSystemId, policy, bypass) {
+		if (policy === void 0 || policy === null) return;
+		const policyString = typeof policy === "string" ? policy : JSON.stringify(policy);
+		await this.retryOnTransientControlPlane(() => this.getClient().send(new PutFileSystemPolicyCommand({
+			FileSystemId: fileSystemId,
+			Policy: policyString,
+			BypassPolicyLockoutSafetyCheck: bypass === void 0 ? void 0 : Boolean(bypass)
+		})), `set FileSystemPolicy on ${fileSystemId}`);
+		this.logger.debug(`Set FileSystemPolicy on EFS FileSystem ${fileSystemId}`);
+	}
+	/**
+	* Apply `FileSystemProtection` via `UpdateFileSystemProtection`. CFn shape is
+	* `{ ReplicationOverwriteProtection: 'ENABLED' | 'DISABLED' | 'REPLICATING' }`.
+	*/
+	async applyFileSystemProtection(fileSystemId, spec) {
+		if (spec === void 0 || spec === null) return;
+		const protection = spec.ReplicationOverwriteProtection;
+		if (protection === void 0) return;
+		await this.retryOnTransientControlPlane(() => this.getClient().send(new UpdateFileSystemProtectionCommand({
+			FileSystemId: fileSystemId,
+			ReplicationOverwriteProtection: protection
+		})), `set FileSystemProtection on ${fileSystemId}`);
+		this.logger.debug(`Set ReplicationOverwriteProtection=${protection} on EFS FileSystem ${fileSystemId}`);
+	}
+	/**
+	* Retry an EFS control-plane call on the transient "settling" errors AWS
+	* returns when two file-system-modifying operations land back-to-back (e.g.
+	* a `PutLifecycleConfiguration` immediately followed by a `PutBackupPolicy`).
+	* `IncorrectFileSystemLifeCycleState` / `ThrottlingException` /
+	* `ConflictException` and the message-pattern set below are the same class.
+	* Backoff: ~2s,4s,8s,16s,30s,30s... bounded to ~2min total.
+	*/
+	async retryOnTransientControlPlane(op, label, maxAttempts = 8) {
+		let delayMs = 2e3;
+		for (let attempt = 1;; attempt++) try {
+			return await op();
+		} catch (error) {
+			const msg = error instanceof Error ? error.message : String(error);
+			const name = error instanceof Error ? error.name : "";
+			if (!(/in progress|please retry|incorrect file system life ?cycle state|being (updated|modified)|try again/i.test(msg) || name === "IncorrectFileSystemLifeCycleState" || name === "ConflictException" || name === "ThrottlingException") || attempt >= maxAttempts) throw error;
+			this.logger.debug(`Transient error on "${label}" (attempt ${attempt}/${maxAttempts}): ${msg} — retrying in ${delayMs}ms`);
+			await new Promise((resolve) => setTimeout(resolve, delayMs));
+			delayMs = Math.min(delayMs * 2, 3e4);
+		}
+	}
 	async deleteFileSystem(logicalId, physicalId, resourceType, context) {
 		this.logger.debug(`Deleting EFS FileSystem ${logicalId}: ${physicalId}`);
 		try {
@@ -29430,10 +29544,11 @@ var EFSProvider = class {
 	*
 	* Dispatch per resource type:
 	*  - `FileSystem` → `DescribeFileSystems` filtered by id (PerformanceMode,
-	*    ThroughputMode, Encrypted, KmsKeyId, ProvisionedThroughputInMibps),
-	*    plus optional `DescribeLifecycleConfiguration` and
-	*    `DescribeBackupPolicy` enrichment. Each enrichment call is wrapped
-	*    in its own try/catch so a "not configured" error on either omits
+	*    ThroughputMode, Encrypted, KmsKeyId, ProvisionedThroughputInMibps,
+	*    AvailabilityZoneName, FileSystemProtection), plus optional
+	*    `DescribeLifecycleConfiguration`, `DescribeBackupPolicy`, and
+	*    `DescribeFileSystemPolicy` enrichment. Each enrichment call is wrapped
+	*    in its own try/catch so a "not configured" error on any of them omits
 	*    the corresponding key without failing the whole snapshot.
 	*  - `AccessPoint` → `DescribeAccessPoints` filtered by id (PosixUser,
 	*    RootDirectory).
@@ -29473,8 +29588,11 @@ var EFSProvider = class {
 		if (fs.Encrypted !== void 0) result["Encrypted"] = fs.Encrypted;
 		if (fs.KmsKeyId !== void 0) result["KmsKeyId"] = fs.KmsKeyId;
 		if (fs.ProvisionedThroughputInMibps !== void 0) result["ProvisionedThroughputInMibps"] = fs.ProvisionedThroughputInMibps;
+		if (fs.AvailabilityZoneName !== void 0) result["AvailabilityZoneName"] = fs.AvailabilityZoneName;
+		if (fs.FileSystemProtection?.ReplicationOverwriteProtection !== void 0) result["FileSystemProtection"] = { ReplicationOverwriteProtection: fs.FileSystemProtection.ReplicationOverwriteProtection };
 		try {
-			result["LifecyclePolicies"] = ((await this.getClient().send(new DescribeLifecycleConfigurationCommand({ FileSystemId: physicalId }))).LifecyclePolicies ?? []).map((p) => {
+			const policies = (await this.getClient().send(new DescribeLifecycleConfigurationCommand({ FileSystemId: physicalId }))).LifecyclePolicies ?? [];
+			if (policies.length > 0) result["LifecyclePolicies"] = policies.map((p) => {
 				const out = {};
 				if (p.TransitionToIA !== void 0) out["TransitionToIA"] = p.TransitionToIA;
 				if (p.TransitionToPrimaryStorageClass !== void 0) out["TransitionToPrimaryStorageClass"] = p.TransitionToPrimaryStorageClass;
@@ -29491,6 +29609,16 @@ var EFSProvider = class {
 		} catch (err) {
 			if (err instanceof FileSystemNotFound) return void 0;
 		}
+		try {
+			const resp = await this.getClient().send(new DescribeFileSystemPolicyCommand({ FileSystemId: physicalId }));
+			if (resp.Policy !== void 0) try {
+				result["FileSystemPolicy"] = JSON.parse(resp.Policy);
+			} catch {
+				result["FileSystemPolicy"] = resp.Policy;
+			}
+		} catch (err) {
+			if (err instanceof FileSystemNotFound) return void 0;
+		}
 		result["FileSystemTags"] = normalizeAwsTagsToCfn(fs.Tags);
 		return result;
 	}
@@ -52905,7 +53033,7 @@ function reorderArgs(argv) {
 async function main() {
 	installPipeCloseHandler();
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.214.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.215.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());