@go-to-k/cdkd 0.215.0 → 0.217.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-DWUnLza1.js";
-import { $ as CFN_TEMPLATE_URL_LIMIT, A as DagBuilder, B as getDockerCmd, C as CloudControlProvider, D as IntrinsicFunctionResolver, Dt as withErrorHandling, E as isTerminationProtectionPropagationError, Et as normalizeAwsError, F as AssetPublisher, Ft as generateResourceName, G as getLegacyStateBucketName, H as runDockerStreaming, I as stringifyValue, It as generateResourceNameWithFallback, J as resolveSkipPrefix, K as resolveApp, L as WorkGraph, Lt as withSkipPrefix, M as LockManager, Mt as getLiveRenderer, N as S3StateBackend, Nt as PATTERN_B_NAME_PROPERTIES, O as applyRoleArnIfSet, P as shouldRetainResource, Pt as PATTERN_B_RESOURCE_TYPES, Q as CFN_TEMPLATE_BODY_LIMIT, R as buildDockerImage, Rt as withStackName, S as findActionableSilentDrops, T as disableInstanceApiTermination, U as Synthesizer, V as runDockerForeground, W as getDefaultStateBucketName, X as resolveStateBucketWithDefaultAndSource, Y as resolveStateBucketWithDefault, Z as warnDeprecatedNoPrefixCliFlag, _ as CDK_PATH_TAG, _t as ProvisioningError, a as withRetry, at as resolveBucketRegion, b as resolveExplicitPhysicalId, bt as StackHasActiveImportsError, c as formatResourceLine, d as gray, dt as LocalMigrateError, et as MIGRATE_TMP_PREFIX, f as green, ft as LocalStartServiceError, g as collectInlinePolicyNamesManagedBySiblings, gt as PartialFailureError, h as IAMRoleProvider, ht as NestedStackChildDirectDestroyError, i as withResourceDeadline, j as TemplateParser, jt as runStackBuffered, k as DiffCalculator, kt as getLogger, l as bold, m as yellow, mt as MissingCdkCliError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as uploadCfnTemplate, o as isRetryableTransientError, p as red, q as resolveCaptureObservedState, r as DeployEngine, rt as AssemblyReader, s as IMPLICIT_DELETE_DEPENDENCIES, st as CdkdError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as findLargeInlineResources, u as cyan, ut as LocalInvokeBuildError$1, v as matchesCdkPath, vt as ResourceTimeoutError, w as assertRegionMatch, x as ProviderRegistry, xt as StackTerminationProtectionError, y as normalizeAwsTagsToCfn, yt as ResourceUpdateNotSupportedError, z as formatDockerLoginError } from "./deploy-engine-C9fD8IOo.js";
+import { $ as CFN_TEMPLATE_URL_LIMIT, A as DagBuilder, B as getDockerCmd, C as CloudControlProvider, D as IntrinsicFunctionResolver, Dt as withErrorHandling, E as isTerminationProtectionPropagationError, Et as normalizeAwsError, F as AssetPublisher, Ft as generateResourceName, G as getLegacyStateBucketName, H as runDockerStreaming, I as stringifyValue, It as generateResourceNameWithFallback, J as resolveSkipPrefix, K as resolveApp, L as WorkGraph, Lt as withSkipPrefix, M as LockManager, Mt as getLiveRenderer, N as S3StateBackend, Nt as PATTERN_B_NAME_PROPERTIES, O as applyRoleArnIfSet, P as shouldRetainResource, Pt as PATTERN_B_RESOURCE_TYPES, Q as CFN_TEMPLATE_BODY_LIMIT, R as buildDockerImage, Rt as withStackName, S as findActionableSilentDrops, T as disableInstanceApiTermination, U as Synthesizer, V as runDockerForeground, W as getDefaultStateBucketName, X as resolveStateBucketWithDefaultAndSource, Y as resolveStateBucketWithDefault, Z as warnDeprecatedNoPrefixCliFlag, _ as CDK_PATH_TAG, _t as ProvisioningError, a as withRetry, at as resolveBucketRegion, b as resolveExplicitPhysicalId, bt as StackHasActiveImportsError, c as formatResourceLine, d as gray, dt as LocalMigrateError, et as MIGRATE_TMP_PREFIX, f as green, ft as LocalStartServiceError, g as collectInlinePolicyNamesManagedBySiblings, gt as PartialFailureError, h as IAMRoleProvider, ht as NestedStackChildDirectDestroyError, i as withResourceDeadline, j as TemplateParser, jt as runStackBuffered, k as DiffCalculator, kt as getLogger, l as bold, m as yellow, mt as MissingCdkCliError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as uploadCfnTemplate, o as isRetryableTransientError, p as red, q as resolveCaptureObservedState, r as DeployEngine, rt as AssemblyReader, s as IMPLICIT_DELETE_DEPENDENCIES, st as CdkdError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as findLargeInlineResources, u as cyan, ut as LocalInvokeBuildError$1, v as matchesCdkPath, vt as ResourceTimeoutError, w as assertRegionMatch, x as ProviderRegistry, xt as StackTerminationProtectionError, y as normalizeAwsTagsToCfn, yt as ResourceUpdateNotSupportedError, z as formatDockerLoginError } from "./deploy-engine-UctzfQ8M.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -10,7 +10,7 @@ import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesComman
 import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionConcurrencyCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionConcurrencyCommand, GetFunctionRecursionConfigCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand as GetPolicyCommand$1, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, PutFunctionConcurrencyCommand, PutFunctionRecursionConfigCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
-import { CreateTableCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateContinuousBackupsCommand, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
+import { CreateTableCommand, DeleteResourcePolicyCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DisableKinesisStreamingDestinationCommand, DynamoDBClient, EnableKinesisStreamingDestinationCommand, GetResourcePolicyCommand, ListTablesCommand, ListTagsOfResourceCommand, PutResourcePolicyCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateContinuousBackupsCommand, UpdateContributorInsightsCommand, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, DescribeStackEventsCommand, DescribeStackResourcesCommand, DescribeStacksCommand, DescribeTypeCommand, ExecuteChangeSetCommand, GetTemplateCommand, UpdateStackCommand, waitUntilChangeSetCreateComplete, waitUntilStackDeleteComplete, waitUntilStackImportComplete, waitUntilStackUpdateComplete } from "@aws-sdk/client-cloudformation";
 import { APIGatewayClient, CreateAuthorizerCommand, CreateDeploymentCommand, CreateResourceCommand, CreateStageCommand, DeleteAuthorizerCommand, DeleteDeploymentCommand, DeleteMethodCommand, DeleteResourceCommand, DeleteStageCommand, GetAccountCommand, GetAuthorizerCommand, GetDeploymentCommand, GetMethodCommand, GetResourceCommand, GetStageCommand, NotFoundException as NotFoundException$1, PutIntegrationCommand, PutIntegrationResponseCommand, PutMethodCommand, PutMethodResponseCommand, TagResourceCommand as TagResourceCommand$3, UntagResourceCommand as UntagResourceCommand$3, UpdateAccountCommand, UpdateAuthorizerCommand, UpdateMethodCommand, UpdateStageCommand } from "@aws-sdk/client-api-gateway";
 import { CreateEventBusCommand, DeleteEventBusCommand, DeleteRuleCommand, DescribeEventBusCommand, DescribeRuleCommand, EventBridgeClient, ListEventBusesCommand, ListRulesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$1, ListTargetsByRuleCommand, PutRuleCommand, PutTargetsCommand, RemoveTargetsCommand, ResourceNotFoundException as ResourceNotFoundException$2, TagResourceCommand as TagResourceCommand$4, UntagResourceCommand as UntagResourceCommand$4, UpdateEventBusCommand } from "@aws-sdk/client-eventbridge";
@@ -46,7 +46,7 @@ import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, Delet
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$2, CreateDBClusterCommand as CreateDBClusterCommand$1, CreateDBInstanceCommand as CreateDBInstanceCommand$1, CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand$1, DeleteDBClusterCommand as DeleteDBClusterCommand$1, DeleteDBInstanceCommand as DeleteDBInstanceCommand$1, DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand$1, DescribeDBClustersCommand as DescribeDBClustersCommand$1, DescribeDBInstancesCommand as DescribeDBInstancesCommand$1, DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand$1, DocDBClient, ListTagsForResourceCommand as ListTagsForResourceCommand$11, ModifyDBClusterCommand as ModifyDBClusterCommand$1, ModifyDBInstanceCommand as ModifyDBInstanceCommand$1, ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand$1, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$2 } from "@aws-sdk/client-docdb";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$3, CreateDBClusterCommand as CreateDBClusterCommand$2, CreateDBInstanceCommand as CreateDBInstanceCommand$2, CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand$2, DeleteDBClusterCommand as DeleteDBClusterCommand$2, DeleteDBInstanceCommand as DeleteDBInstanceCommand$2, DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand$2, DescribeDBClustersCommand as DescribeDBClustersCommand$2, DescribeDBInstancesCommand as DescribeDBInstancesCommand$2, DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand$2, ListTagsForResourceCommand as ListTagsForResourceCommand$12, ModifyDBClusterCommand as ModifyDBClusterCommand$2, ModifyDBInstanceCommand as ModifyDBInstanceCommand$2, ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand$2, NeptuneClient, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$3 } from "@aws-sdk/client-neptune";
 import { CreateWebACLCommand, DeleteWebACLCommand, GetWebACLCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$13, ListWebACLsCommand, TagResourceCommand as TagResourceCommand$13, UntagResourceCommand as UntagResourceCommand$12, UpdateWebACLCommand, WAFNonexistentItemException, WAFV2Client } from "@aws-sdk/client-wafv2";
-import { CognitoIdentityProviderClient, CreateUserPoolCommand, DeleteUserPoolCommand, DescribeUserPoolCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$14, ListUserPoolsCommand, ResourceNotFoundException as ResourceNotFoundException$7, UpdateUserPoolCommand } from "@aws-sdk/client-cognito-identity-provider";
+import { CognitoIdentityProviderClient, CreateUserPoolCommand, DeleteUserPoolCommand, DescribeUserPoolCommand, GetUserPoolMfaConfigCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$14, ListUserPoolsCommand, ResourceNotFoundException as ResourceNotFoundException$7, SetUserPoolMfaConfigCommand, UpdateUserPoolCommand } from "@aws-sdk/client-cognito-identity-provider";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$4, CreateCacheClusterCommand, CreateCacheSubnetGroupCommand, DeleteCacheClusterCommand, DeleteCacheSubnetGroupCommand, DescribeCacheClustersCommand, DescribeCacheSubnetGroupsCommand, ElastiCacheClient, ListTagsForResourceCommand as ListTagsForResourceCommand$15, ModifyCacheClusterCommand, ModifyCacheSubnetGroupCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$4 } from "@aws-sdk/client-elasticache";
 import { CreatePrivateDnsNamespaceCommand, CreateServiceCommand as CreateServiceCommand$1, DeleteNamespaceCommand, DeleteServiceCommand as DeleteServiceCommand$1, GetNamespaceCommand, GetOperationCommand, GetServiceCommand, ListNamespacesCommand, ListServicesCommand as ListServicesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$16, NamespaceNotFound, ServiceDiscoveryClient, ServiceNotFound, UpdatePrivateDnsNamespaceCommand, UpdateServiceCommand as UpdateServiceCommand$1 } from "@aws-sdk/client-servicediscovery";
 import { AppSyncClient, CreateApiKeyCommand, CreateDataSourceCommand, CreateGraphqlApiCommand, CreateResolverCommand, DeleteApiKeyCommand, DeleteDataSourceCommand, DeleteGraphqlApiCommand, DeleteResolverCommand, GetDataSourceCommand, GetGraphqlApiCommand, GetIntrospectionSchemaCommand, GetResolverCommand, ListApiKeysCommand, ListGraphqlApisCommand, NotFoundException as NotFoundException$4, StartSchemaCreationCommand, TagResourceCommand as TagResourceCommand$14, UntagResourceCommand as UntagResourceCommand$13, UpdateApiKeyCommand, UpdateDataSourceCommand, UpdateGraphqlApiCommand, UpdateResolverCommand } from "@aws-sdk/client-appsync";
@@ -8997,8 +8997,12 @@ var DynamoDBTableProvider = class {
 		"DeletionProtectionEnabled",
 		"TableClass",
 		"PointInTimeRecoverySpecification",
-		"TimeToLiveSpecification"
+		"TimeToLiveSpecification",
+		"ResourcePolicy",
+		"KinesisStreamSpecification",
+		"ContributorInsightsSpecification"
 	])]]);
+	unhandledByDesign = new Map([["AWS::DynamoDB::Table", new Map([["ImportSourceSpecification", "S3 import uses the separate ImportTable API (not CreateTable) and is create-only with no readback; deferred to a dedicated import-from-S3 PR"]])]]);
 	constructor() {
 		const awsClients = getAwsClients();
 		this.dynamoDBClient = awsClients.dynamoDB;
@@ -9041,12 +9045,16 @@ var DynamoDBTableProvider = class {
 			if (properties["Tags"]) createParams.Tags = properties["Tags"];
 			if (properties["DeletionProtectionEnabled"] !== void 0) createParams.DeletionProtectionEnabled = properties["DeletionProtectionEnabled"];
 			if (properties["TableClass"]) createParams.TableClass = properties["TableClass"];
+			const createResourcePolicyDoc = this.extractResourcePolicyDocument(properties["ResourcePolicy"]);
+			if (createResourcePolicyDoc !== void 0) createParams.ResourcePolicy = createResourcePolicyDoc;
 			await this.dynamoDBClient.send(new CreateTableCommand(createParams));
 			tableCreated = true;
 			this.logger.debug(`CreateTable initiated for ${tableName}, waiting for ACTIVE status`);
 			const tableInfo = await this.waitForTableActive(tableName);
 			await this.applyPointInTimeRecovery(tableName, properties["PointInTimeRecoverySpecification"]);
 			await this.applyTimeToLive(tableName, properties["TimeToLiveSpecification"]);
+			await this.applyKinesisStreamingDestination(tableName, properties["KinesisStreamSpecification"]);
+			await this.applyContributorInsights(tableName, properties["ContributorInsightsSpecification"]);
 			this.logger.debug(`Successfully created DynamoDB table ${logicalId}: ${tableName}`);
 			return {
 				physicalId: tableName,
@@ -9101,6 +9109,12 @@ var DynamoDBTableProvider = class {
 			}
 			if (JSON.stringify(properties["PointInTimeRecoverySpecification"]) !== JSON.stringify(previousProperties["PointInTimeRecoverySpecification"])) await this.applyPointInTimeRecovery(physicalId, properties["PointInTimeRecoverySpecification"], previousProperties["PointInTimeRecoverySpecification"]);
 			if (JSON.stringify(properties["TimeToLiveSpecification"]) !== JSON.stringify(previousProperties["TimeToLiveSpecification"])) await this.applyTimeToLive(physicalId, properties["TimeToLiveSpecification"], previousProperties["TimeToLiveSpecification"]);
+			if (JSON.stringify(properties["ResourcePolicy"]) !== JSON.stringify(previousProperties["ResourcePolicy"])) {
+				if (!table?.TableArn) throw new ProvisioningError(`Cannot apply ResourcePolicy change for DynamoDB table ${logicalId}: DescribeTable returned no TableArn`, resourceType, logicalId, physicalId);
+				await this.applyResourcePolicy(table.TableArn, properties["ResourcePolicy"], previousProperties["ResourcePolicy"]);
+			}
+			if (JSON.stringify(properties["KinesisStreamSpecification"]) !== JSON.stringify(previousProperties["KinesisStreamSpecification"])) await this.applyKinesisStreamingDestination(physicalId, properties["KinesisStreamSpecification"], previousProperties["KinesisStreamSpecification"]);
+			if (JSON.stringify(properties["ContributorInsightsSpecification"]) !== JSON.stringify(previousProperties["ContributorInsightsSpecification"])) await this.applyContributorInsights(physicalId, properties["ContributorInsightsSpecification"], previousProperties["ContributorInsightsSpecification"]);
 			return {
 				physicalId,
 				wasReplaced: false,
@@ -9275,6 +9289,114 @@ var DynamoDBTableProvider = class {
 		}
 	}
 	/**
+	* Extract the resource-policy document from the CFn `ResourcePolicy`
+	* property and serialize it to the JSON string the DynamoDB APIs expect.
+	*
+	* CFn shape is `{ PolicyDocument: <JSON object | string> }`. Both
+	* `CreateTable.ResourcePolicy` and `PutResourcePolicy.Policy` take a JSON
+	* STRING, so a document already supplied as a string is passed through
+	* verbatim (CDK can emit either an object or, post-intrinsic-resolution, a
+	* string). Returns `undefined` when there is no policy document to apply.
+	*/
+	extractResourcePolicyDocument(spec) {
+		if (spec === void 0 || spec === null) return void 0;
+		const doc = spec["PolicyDocument"];
+		if (doc === void 0 || doc === null) return void 0;
+		return typeof doc === "string" ? doc : JSON.stringify(doc);
+	}
+	/**
+	* Apply the table's `ResourcePolicy` via the separate `PutResourcePolicy` /
+	* `DeleteResourcePolicy` APIs (used by `update()` — `create()` rides the
+	* policy on CreateTable directly). On removal — when the template drops the
+	* block but it was present before — the existing policy is deleted.
+	*/
+	async applyResourcePolicy(tableArn, spec, previousSpec) {
+		const policyDoc = this.extractResourcePolicyDocument(spec);
+		if (policyDoc !== void 0) {
+			await this.retryOnTransientControlPlane(() => this.dynamoDBClient.send(new PutResourcePolicyCommand({
+				ResourceArn: tableArn,
+				Policy: policyDoc
+			})), `put ResourcePolicy on ${tableArn}`);
+			this.logger.debug(`Put ResourcePolicy on DynamoDB table ${tableArn}`);
+			return;
+		}
+		if (previousSpec !== void 0 && previousSpec !== null) try {
+			await this.retryOnTransientControlPlane(() => this.dynamoDBClient.send(new DeleteResourcePolicyCommand({ ResourceArn: tableArn })), `delete ResourcePolicy on ${tableArn}`);
+			this.logger.debug(`Deleted ResourcePolicy on DynamoDB table ${tableArn}`);
+		} catch (error) {
+			if (!(error instanceof ResourceNotFoundException$1)) throw error;
+		}
+	}
+	/**
+	* Apply the table's `KinesisStreamSpecification` via the separate
+	* Enable/Disable/Update `KinesisStreamingDestination` APIs (NOT a field on
+	* CreateTable). CFn shape is
+	* `{ StreamArn: string, ApproximateCreationDateTimePrecision?: 'MICROSECOND' | 'MILLISECOND' }`.
+	*
+	* Called from both `create()` (after the table is ACTIVE) and `update()`
+	* (only when the value changed). On `update()`-side removal — template drops
+	* the block but it was present before — streaming is disabled to the PREVIOUS
+	* stream ARN. A same-ARN change of only the precision is a deliberate no-op
+	* (re-enabling against an already-enabled stream errors), matching the
+	* pre-existing WarmThroughput "no clean remap" stance; precision changes flow
+	* through on the create / first-enable path.
+	*/
+	async applyKinesisStreamingDestination(tableName, spec, previousSpec) {
+		const newArn = this.extractKinesisStreamArn(spec);
+		const prevArn = this.extractKinesisStreamArn(previousSpec);
+		if (newArn === prevArn) {
+			if (newArn && JSON.stringify(spec?.["ApproximateCreationDateTimePrecision"]) !== JSON.stringify(previousSpec?.["ApproximateCreationDateTimePrecision"])) this.logger.warn(`Kinesis streaming ApproximateCreationDateTimePrecision change on ${tableName} was not applied (same stream ARN; precision-only updates are not yet supported)`);
+			return;
+		}
+		if (prevArn) {
+			await this.retryOnTransientControlPlane(() => this.dynamoDBClient.send(new DisableKinesisStreamingDestinationCommand({
+				TableName: tableName,
+				StreamArn: prevArn
+			})), `disable Kinesis streaming on ${tableName}`);
+			this.logger.debug(`Disabled Kinesis streaming destination ${prevArn} on DynamoDB table ${tableName}`);
+		}
+		if (newArn) {
+			const precision = spec["ApproximateCreationDateTimePrecision"];
+			await this.retryOnTransientControlPlane(() => this.dynamoDBClient.send(new EnableKinesisStreamingDestinationCommand({
+				TableName: tableName,
+				StreamArn: newArn,
+				...precision ? { EnableKinesisStreamingConfiguration: { ApproximateCreationDateTimePrecision: precision } } : {}
+			})), `enable Kinesis streaming on ${tableName}`);
+			this.logger.debug(`Enabled Kinesis streaming destination ${newArn} on DynamoDB table ${tableName}`);
+		}
+	}
+	extractKinesisStreamArn(spec) {
+		if (spec === void 0 || spec === null) return void 0;
+		const arn = spec["StreamArn"];
+		return typeof arn === "string" ? arn : void 0;
+	}
+	/**
+	* Apply the table's `ContributorInsightsSpecification` via the separate
+	* `UpdateContributorInsights` API (NOT a field on CreateTable). CFn shape is
+	* `{ Enabled: boolean, Mode?: 'ACCESSED_AND_THROTTLED_KEYS' | 'THROTTLED_KEYS' }`.
+	*
+	* Called from both `create()` (after the table is ACTIVE) and `update()`
+	* (only when the value changed). On `update()`-side removal — template drops
+	* the block but it was present before — insights is disabled.
+	*/
+	async applyContributorInsights(tableName, spec, previousSpec) {
+		let action;
+		let mode;
+		if (spec !== void 0 && spec !== null) {
+			const s = spec;
+			const enabled = Boolean(s["Enabled"]);
+			action = enabled ? "ENABLE" : "DISABLE";
+			if (enabled && s["Mode"] !== void 0) mode = s["Mode"];
+		} else if (previousSpec !== void 0 && previousSpec !== null) action = "DISABLE";
+		if (action === void 0) return;
+		await this.retryOnTransientControlPlane(() => this.dynamoDBClient.send(new UpdateContributorInsightsCommand({
+			TableName: tableName,
+			ContributorInsightsAction: action,
+			...mode ? { ContributorInsightsMode: mode } : {}
+		})), `set ContributorInsights on ${tableName}`);
+		this.logger.debug(`Set ContributorInsightsAction=${action}${mode !== void 0 ? ` Mode=${mode}` : ""} on DynamoDB table ${tableName}`);
+	}
+	/**
 	* Poll DescribeTable until the table reaches ACTIVE status
 	*
 	* Uses a tight polling loop (1s intervals) instead of CC API's exponential
@@ -9425,6 +9547,39 @@ var DynamoDBTableProvider = class {
 			} catch (err) {
 				this.logger.debug(`Could not read TimeToLive for ${physicalId}: ${err instanceof Error ? err.message : String(err)}`);
 			}
+			if (table.TableArn) try {
+				const rpResp = await this.dynamoDBClient.send(new GetResourcePolicyCommand({ ResourceArn: table.TableArn }));
+				if (rpResp.Policy) {
+					let doc = rpResp.Policy;
+					try {
+						doc = JSON.parse(rpResp.Policy);
+					} catch {}
+					result["ResourcePolicy"] = { PolicyDocument: doc };
+				}
+			} catch (err) {
+				if (!(err instanceof ResourceNotFoundException$1)) this.logger.debug(`Could not read ResourcePolicy for ${physicalId}: ${err instanceof Error ? err.message : String(err)}`);
+			}
+			try {
+				const active = ((await this.dynamoDBClient.send(new DescribeKinesisStreamingDestinationCommand({ TableName: physicalId }))).KinesisDataStreamDestinations ?? []).find((d) => d.DestinationStatus === "ACTIVE" || d.DestinationStatus === "ENABLING");
+				if (active?.StreamArn) {
+					const kspec = { StreamArn: active.StreamArn };
+					if (active.ApproximateCreationDateTimePrecision !== void 0) kspec["ApproximateCreationDateTimePrecision"] = active.ApproximateCreationDateTimePrecision;
+					result["KinesisStreamSpecification"] = kspec;
+				}
+			} catch (err) {
+				this.logger.debug(`Could not read KinesisStreamingDestination for ${physicalId}: ${err instanceof Error ? err.message : String(err)}`);
+			}
+			try {
+				const ciResp = await this.dynamoDBClient.send(new DescribeContributorInsightsCommand({ TableName: physicalId }));
+				const status = ciResp.ContributorInsightsStatus;
+				if (status === "ENABLED" || status === "DISABLED") {
+					const cspec = { Enabled: status === "ENABLED" };
+					if (status === "ENABLED" && ciResp.ContributorInsightsMode !== void 0) cspec["Mode"] = ciResp.ContributorInsightsMode;
+					result["ContributorInsightsSpecification"] = cspec;
+				}
+			} catch (err) {
+				this.logger.debug(`Could not read ContributorInsights for ${physicalId}: ${err instanceof Error ? err.message : String(err)}`);
+			}
 			return result;
 		} catch (err) {
 			if (err instanceof ResourceNotFoundException$1) return void 0;
@@ -24112,6 +24267,83 @@ function isEmptyObjectPlaceholder(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value) && Object.keys(value).length === 0;
 }
 /**
+* The CFn `EnabledMfas` factor names AND their MFA-config-API meaning.
+*
+* `EnabledMfas` is a CFn-level `Array of String`, but Cognito has no
+* `EnabledMfas` field on `CreateUserPool` / `UpdateUserPool`. The factors are
+* activated via the separate `SetUserPoolMfaConfig` control-plane API, one
+* sub-block per factor:
+*
+* - `SMS_MFA`            -> `SmsMfaConfiguration` (needs the pool's
+*                           `SmsConfiguration` SNS-caller ARN to be set too)
+* - `SOFTWARE_TOKEN_MFA` -> `SoftwareTokenMfaConfiguration.Enabled = true`
+* - `EMAIL_OTP`          -> `EmailMfaConfiguration` (carries the email-OTP
+*                           message/subject template — i.e. CFn's
+*                           `EmailAuthenticationMessage` / `Subject`)
+*/
+const MFA_FACTOR_SMS = "SMS_MFA";
+const MFA_FACTOR_SOFTWARE_TOKEN = "SOFTWARE_TOKEN_MFA";
+const MFA_FACTOR_EMAIL_OTP = "EMAIL_OTP";
+/**
+* Build the `SetUserPoolMfaConfig` request from the CFn-level MFA properties,
+* or return `undefined` when none of the MFA-config-API-routed properties are
+* present (so the caller skips the extra control-plane call entirely).
+*
+* The properties that route through `SetUserPoolMfaConfig` (NOT CreateUserPool):
+* - `EnabledMfas`               -> per-factor sub-blocks (see constants above)
+* - `EmailAuthenticationMessage`/`EmailAuthenticationSubject` -> the
+*   `EmailMfaConfiguration` message/subject (email-OTP template)
+* - `WebAuthnRelyingPartyID`/`WebAuthnUserVerification` -> `WebAuthnConfiguration`
+*
+* `MfaConfiguration` (ON/OFF/OPTIONAL) MUST be threaded into this request:
+* `SetUserPoolMfaConfig` is a full-replace of the pool's MFA state, and an
+* omitted `MfaConfiguration` defaults to OFF on the wire — which resets the
+* pool to MFA-disabled and makes AWS reject (or silently drop) the per-factor
+* sub-blocks we are trying to enable. Use the template's `MfaConfiguration`
+* when present; default to `OPTIONAL` when factors are present but the template
+* omitted it (factors are meaningless under OFF, and OPTIONAL enables them
+* without forcing MFA on every user).
+*/
+/**
+* True when any MFA-config-API-routed property is present, i.e. a
+* `SetUserPoolMfaConfig` call will run post-create. When true, `create()` must
+* NOT forward `MfaConfiguration` to `CreateUserPool`: AWS rejects
+* `CreateUserPool` with `MfaConfiguration: ON/OPTIONAL` unless the pool already
+* has SMS configured (+ phone_number auto-verification) OR software-token MFA
+* enabled — but software-token / email-OTP MFA can only be enabled via the
+* post-create `SetUserPoolMfaConfig` call, not on `CreateUserPool`. So the
+* correct sequence is: `CreateUserPool` WITHOUT `MfaConfiguration` (defaults
+* OFF) -> `SetUserPoolMfaConfig` sets `MfaConfiguration` + the factor blocks
+* together (the factor satisfies the MFA requirement, no SMS needed). This
+* mirrors how CloudFormation/CDK sequence the two calls.
+*/
+function hasMfaConfigProps(properties) {
+	const enabledMfas = Array.isArray(properties["EnabledMfas"]) ? properties["EnabledMfas"] : void 0;
+	return enabledMfas !== void 0 && enabledMfas.length > 0 || !!properties["EmailAuthenticationMessage"] || !!properties["EmailAuthenticationSubject"] || !!properties["WebAuthnRelyingPartyID"] || !!properties["WebAuthnUserVerification"];
+}
+function buildMfaConfigRequest(physicalId, properties) {
+	const enabledMfas = Array.isArray(properties["EnabledMfas"]) ? properties["EnabledMfas"] : void 0;
+	const emailMessage = properties["EmailAuthenticationMessage"] || void 0;
+	const emailSubject = properties["EmailAuthenticationSubject"] || void 0;
+	const webAuthnRpId = properties["WebAuthnRelyingPartyID"] || void 0;
+	const webAuthnUserVerification = properties["WebAuthnUserVerification"] || void 0;
+	if (!hasMfaConfigProps(properties)) return void 0;
+	const request = { UserPoolId: physicalId };
+	request.MfaConfiguration = properties["MfaConfiguration"] ?? "OPTIONAL";
+	const factors = new Set(enabledMfas ?? []);
+	if (factors.has(MFA_FACTOR_SOFTWARE_TOKEN)) request.SoftwareTokenMfaConfiguration = { Enabled: true };
+	if (factors.has(MFA_FACTOR_SMS)) request.SmsMfaConfiguration = { ...properties["SmsConfiguration"] ? { SmsConfiguration: properties["SmsConfiguration"] } : {} };
+	if (factors.has(MFA_FACTOR_EMAIL_OTP) || emailMessage !== void 0 || emailSubject !== void 0) request.EmailMfaConfiguration = {
+		...emailMessage !== void 0 ? { Message: emailMessage } : {},
+		...emailSubject !== void 0 ? { Subject: emailSubject } : {}
+	};
+	if (webAuthnRpId !== void 0 || webAuthnUserVerification !== void 0) request.WebAuthnConfiguration = {
+		...webAuthnRpId !== void 0 ? { RelyingPartyId: webAuthnRpId } : {},
+		...webAuthnUserVerification !== void 0 ? { UserVerification: webAuthnUserVerification } : {}
+	};
+	return request;
+}
+/**
 * AWS Cognito User Pool Provider
 *
 * Implements resource provisioning for AWS::Cognito::UserPool using the Cognito SDK.
@@ -24146,8 +24378,15 @@ var CognitoUserPoolProvider = class {
 		"EmailVerificationMessage",
 		"EmailVerificationSubject",
 		"SmsAuthenticationMessage",
-		"SmsVerificationMessage"
+		"SmsVerificationMessage",
+		"UserPoolTier",
+		"EnabledMfas",
+		"EmailAuthenticationMessage",
+		"EmailAuthenticationSubject",
+		"WebAuthnRelyingPartyID",
+		"WebAuthnUserVerification"
 	])]]);
+	unhandledByDesign = new Map([["AWS::Cognito::UserPool", new Map([["WebAuthnFactorConfiguration", "No SDK wire path: @aws-sdk/client-cognito-identity-provider has no field accepting SINGLE_FACTOR | MULTI_FACTOR_WITH_USER_VERIFICATION (not on CreateUserPool/UpdateUserPool, nor SetUserPoolMfaConfig.WebAuthnConfiguration which only carries RelyingPartyId/UserVerification); CC-API-registry-only property"]])]]);
 	getClient() {
 		if (!this.cognitoClient) this.cognitoClient = new CognitoIdentityProviderClient(this.providerRegion ? { region: this.providerRegion } : {});
 		return this.cognitoClient;
@@ -24158,6 +24397,7 @@ var CognitoUserPoolProvider = class {
 	async create(logicalId, resourceType, properties) {
 		this.logger.debug(`Creating Cognito User Pool ${logicalId}`);
 		const poolName = properties["UserPoolName"] || generateResourceName(logicalId, { maxLength: 128 });
+		let createdUserPoolId;
 		try {
 			const createParams = { PoolName: poolName };
 			if (properties["AutoVerifiedAttributes"]) createParams.AutoVerifiedAttributes = properties["AutoVerifiedAttributes"];
@@ -24168,7 +24408,7 @@ var CognitoUserPoolProvider = class {
 			}
 			if (properties["Schema"]) createParams.Schema = properties["Schema"];
 			if (properties["LambdaConfig"]) createParams.LambdaConfig = properties["LambdaConfig"];
-			if (properties["MfaConfiguration"]) createParams.MfaConfiguration = properties["MfaConfiguration"];
+			if (properties["MfaConfiguration"] && !hasMfaConfigProps(properties)) createParams.MfaConfiguration = properties["MfaConfiguration"];
 			if (properties["UserPoolTags"]) createParams.UserPoolTags = properties["UserPoolTags"];
 			if (properties["AdminCreateUserConfig"]) createParams.AdminCreateUserConfig = properties["AdminCreateUserConfig"];
 			if (properties["AccountRecoverySetting"]) createParams.AccountRecoverySetting = properties["AccountRecoverySetting"];
@@ -24185,13 +24425,16 @@ var CognitoUserPoolProvider = class {
 			if (properties["EmailVerificationSubject"]) createParams.EmailVerificationSubject = properties["EmailVerificationSubject"];
 			if (properties["SmsAuthenticationMessage"]) createParams.SmsAuthenticationMessage = properties["SmsAuthenticationMessage"];
 			if (properties["SmsVerificationMessage"]) createParams.SmsVerificationMessage = properties["SmsVerificationMessage"];
+			if (properties["UserPoolTier"]) createParams.UserPoolTier = properties["UserPoolTier"];
 			const userPool = (await this.getClient().send(new CreateUserPoolCommand(createParams))).UserPool;
 			if (!userPool?.Id) throw new Error("CreateUserPool did not return UserPool.Id");
 			const userPoolId = userPool.Id;
+			createdUserPoolId = userPoolId;
 			const userPoolArn = userPool.Arn;
 			const region = await this.getClient().config.region();
 			const providerName = `cognito-idp.${region}.amazonaws.com/${userPoolId}`;
 			const providerUrl = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
+			await this.applyMfaConfig(userPoolId, properties);
 			this.logger.debug(`Successfully created Cognito User Pool ${logicalId}: ${userPoolId}`);
 			return {
 				physicalId: userPoolId,
@@ -24203,11 +24446,46 @@ var CognitoUserPoolProvider = class {
 				}
 			};
 		} catch (error) {
+			if (createdUserPoolId) try {
+				await this.getClient().send(new DeleteUserPoolCommand({ UserPoolId: createdUserPoolId }));
+				this.logger.debug(`Rolled back partially-created Cognito User Pool ${createdUserPoolId}`);
+			} catch (rollbackError) {
+				this.logger.warn(`Failed to roll back partially-created Cognito User Pool ${createdUserPoolId}: ${rollbackError instanceof Error ? rollbackError.message : String(rollbackError)}`);
+			}
 			const cause = error instanceof Error ? error : void 0;
 			throw new ProvisioningError(`Failed to create Cognito User Pool ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, poolName, cause);
 		}
 	}
 	/**
+	* Apply the MFA-config-API-routed properties (EnabledMfas / email-OTP
+	* message+subject / WebAuthn) via SetUserPoolMfaConfig. No-op when none are
+	* present. Wrapped in a transient-error retry because back-to-back
+	* control-plane writes on a freshly-created pool can briefly conflict
+	* (mirrors DynamoDBTableProvider.retryOnTransientControlPlane).
+	*/
+	async applyMfaConfig(physicalId, properties) {
+		const request = buildMfaConfigRequest(physicalId, properties);
+		if (!request) return;
+		await this.retryOnTransientControlPlane(() => this.getClient().send(new SetUserPoolMfaConfigCommand(request)), `SetUserPoolMfaConfig(${physicalId})`);
+	}
+	/**
+	* Retry a Cognito control-plane call on transient "settling" errors. A
+	* SetUserPoolMfaConfig issued immediately after CreateUserPool (or another
+	* control-plane write) can briefly hit `ConcurrentModificationException` /
+	* "please retry". Backoff 1s -> 2s -> 4s, default 3 attempts.
+	*/
+	async retryOnTransientControlPlane(fn, label, maxAttempts = 3) {
+		for (let attempt = 1;; attempt++) try {
+			return await fn();
+		} catch (error) {
+			const msg = error instanceof Error ? error.message : String(error);
+			if (!((error instanceof Error ? error.name : "") === "ConcurrentModificationException" || /concurrent modification|please retry|try again|in progress/i.test(msg)) || attempt >= maxAttempts) throw error;
+			const delayMs = Math.min(1e3 * 2 ** (attempt - 1), 4e3);
+			this.logger.debug(`Transient error on "${label}" (attempt ${attempt}/${maxAttempts}): ${msg} — retrying in ${delayMs}ms`);
+			await new Promise((resolve) => setTimeout(resolve, delayMs));
+		}
+	}
+	/**
 	* Update a Cognito User Pool
 	*
 	* Note: PoolName (UserPoolName) and Schema are immutable and cannot be changed after creation.
@@ -24238,7 +24516,9 @@ var CognitoUserPoolProvider = class {
 			if (properties["EmailVerificationSubject"] !== void 0) updateParams.EmailVerificationSubject = properties["EmailVerificationSubject"];
 			if (properties["SmsAuthenticationMessage"] !== void 0) updateParams.SmsAuthenticationMessage = properties["SmsAuthenticationMessage"];
 			if (properties["SmsVerificationMessage"] !== void 0) updateParams.SmsVerificationMessage = properties["SmsVerificationMessage"];
+			if (properties["UserPoolTier"]) updateParams.UserPoolTier = properties["UserPoolTier"];
 			await this.getClient().send(new UpdateUserPoolCommand(updateParams));
+			await this.applyMfaConfig(physicalId, properties);
 			this.logger.debug(`Successfully updated Cognito User Pool ${logicalId}`);
 			const userPool = (await this.getClient().send(new DescribeUserPoolCommand({ UserPoolId: physicalId }))).UserPool;
 			const region = await this.getClient().config.region();
@@ -24372,6 +24652,21 @@ var CognitoUserPoolProvider = class {
 			for (const [k, v] of Object.entries(pool.UserPoolTags)) if (!k.startsWith("aws:")) userTags[k] = v;
 		}
 		result["UserPoolTags"] = userTags;
+		result["UserPoolTier"] = pool.UserPoolTier ?? "ESSENTIALS";
+		try {
+			const mfa = await this.getClient().send(new GetUserPoolMfaConfigCommand({ UserPoolId: physicalId }));
+			const enabledMfas = [];
+			if (mfa.SmsMfaConfiguration) enabledMfas.push(MFA_FACTOR_SMS);
+			if (mfa.SoftwareTokenMfaConfiguration?.Enabled) enabledMfas.push(MFA_FACTOR_SOFTWARE_TOKEN);
+			if (mfa.EmailMfaConfiguration) enabledMfas.push(MFA_FACTOR_EMAIL_OTP);
+			result["EnabledMfas"] = enabledMfas;
+			result["EmailAuthenticationMessage"] = mfa.EmailMfaConfiguration?.Message ?? "";
+			result["EmailAuthenticationSubject"] = mfa.EmailMfaConfiguration?.Subject ?? "";
+			result["WebAuthnRelyingPartyID"] = mfa.WebAuthnConfiguration?.RelyingPartyId ?? "";
+			result["WebAuthnUserVerification"] = mfa.WebAuthnConfiguration?.UserVerification ?? "";
+		} catch (mfaErr) {
+			this.logger.debug(`GetUserPoolMfaConfig failed for ${physicalId}, skipping MFA-derived drift keys: ${mfaErr instanceof Error ? mfaErr.message : String(mfaErr)}`);
+		}
 		return result;
 	}
 	/**
@@ -53033,7 +53328,7 @@ function reorderArgs(argv) {
 async function main() {
 	installPipeCloseHandler();
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.215.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.217.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());