@go-to-k/cdkd 0.217.0 → 0.219.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-DWUnLza1.js";
-import { $ as CFN_TEMPLATE_URL_LIMIT, A as DagBuilder, B as getDockerCmd, C as CloudControlProvider, D as IntrinsicFunctionResolver, Dt as withErrorHandling, E as isTerminationProtectionPropagationError, Et as normalizeAwsError, F as AssetPublisher, Ft as generateResourceName, G as getLegacyStateBucketName, H as runDockerStreaming, I as stringifyValue, It as generateResourceNameWithFallback, J as resolveSkipPrefix, K as resolveApp, L as WorkGraph, Lt as withSkipPrefix, M as LockManager, Mt as getLiveRenderer, N as S3StateBackend, Nt as PATTERN_B_NAME_PROPERTIES, O as applyRoleArnIfSet, P as shouldRetainResource, Pt as PATTERN_B_RESOURCE_TYPES, Q as CFN_TEMPLATE_BODY_LIMIT, R as buildDockerImage, Rt as withStackName, S as findActionableSilentDrops, T as disableInstanceApiTermination, U as Synthesizer, V as runDockerForeground, W as getDefaultStateBucketName, X as resolveStateBucketWithDefaultAndSource, Y as resolveStateBucketWithDefault, Z as warnDeprecatedNoPrefixCliFlag, _ as CDK_PATH_TAG, _t as ProvisioningError, a as withRetry, at as resolveBucketRegion, b as resolveExplicitPhysicalId, bt as StackHasActiveImportsError, c as formatResourceLine, d as gray, dt as LocalMigrateError, et as MIGRATE_TMP_PREFIX, f as green, ft as LocalStartServiceError, g as collectInlinePolicyNamesManagedBySiblings, gt as PartialFailureError, h as IAMRoleProvider, ht as NestedStackChildDirectDestroyError, i as withResourceDeadline, j as TemplateParser, jt as runStackBuffered, k as DiffCalculator, kt as getLogger, l as bold, m as yellow, mt as MissingCdkCliError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as uploadCfnTemplate, o as isRetryableTransientError, p as red, q as resolveCaptureObservedState, r as DeployEngine, rt as AssemblyReader, s as IMPLICIT_DELETE_DEPENDENCIES, st as CdkdError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as findLargeInlineResources, u as cyan, ut as LocalInvokeBuildError$1, v as matchesCdkPath, vt as ResourceTimeoutError, w as assertRegionMatch, x as ProviderRegistry, xt as StackTerminationProtectionError, y as normalizeAwsTagsToCfn, yt as ResourceUpdateNotSupportedError, z as formatDockerLoginError } from "./deploy-engine-UctzfQ8M.js";
+import { $ as CFN_TEMPLATE_URL_LIMIT, A as DagBuilder, B as getDockerCmd, C as CloudControlProvider, D as IntrinsicFunctionResolver, Dt as withErrorHandling, E as isTerminationProtectionPropagationError, Et as normalizeAwsError, F as AssetPublisher, Ft as generateResourceName, G as getLegacyStateBucketName, H as runDockerStreaming, I as stringifyValue, It as generateResourceNameWithFallback, J as resolveSkipPrefix, K as resolveApp, L as WorkGraph, Lt as withSkipPrefix, M as LockManager, Mt as getLiveRenderer, N as S3StateBackend, Nt as PATTERN_B_NAME_PROPERTIES, O as applyRoleArnIfSet, P as shouldRetainResource, Pt as PATTERN_B_RESOURCE_TYPES, Q as CFN_TEMPLATE_BODY_LIMIT, R as buildDockerImage, Rt as withStackName, S as findActionableSilentDrops, T as disableInstanceApiTermination, U as Synthesizer, V as runDockerForeground, W as getDefaultStateBucketName, X as resolveStateBucketWithDefaultAndSource, Y as resolveStateBucketWithDefault, Z as warnDeprecatedNoPrefixCliFlag, _ as CDK_PATH_TAG, _t as ProvisioningError, a as withRetry, at as resolveBucketRegion, b as resolveExplicitPhysicalId, bt as StackHasActiveImportsError, c as formatResourceLine, d as gray, dt as LocalMigrateError, et as MIGRATE_TMP_PREFIX, f as green, ft as LocalStartServiceError, g as collectInlinePolicyNamesManagedBySiblings, gt as PartialFailureError, h as IAMRoleProvider, ht as NestedStackChildDirectDestroyError, i as withResourceDeadline, j as TemplateParser, jt as runStackBuffered, k as DiffCalculator, kt as getLogger, l as bold, m as yellow, mt as MissingCdkCliError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as uploadCfnTemplate, o as isRetryableTransientError, p as red, q as resolveCaptureObservedState, r as DeployEngine, rt as AssemblyReader, s as IMPLICIT_DELETE_DEPENDENCIES, st as CdkdError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as findLargeInlineResources, u as cyan, ut as LocalInvokeBuildError$1, v as matchesCdkPath, vt as ResourceTimeoutError, w as assertRegionMatch, x as ProviderRegistry, xt as StackTerminationProtectionError, y as normalizeAwsTagsToCfn, yt as ResourceUpdateNotSupportedError, z as formatDockerLoginError } from "./deploy-engine-39cTZ1WD.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -9,7 +9,7 @@ import { CreateQueueCommand, DeleteQueueCommand, GetQueueAttributesCommand, GetQ
 import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesCommand, GetTopicAttributesCommand, ListTagsForResourceCommand, ListTopicsCommand, NotFoundException, SNSClient, SetTopicAttributesCommand, SubscribeCommand, TagResourceCommand, UnsubscribeCommand, UntagResourceCommand } from "@aws-sdk/client-sns";
 import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionConcurrencyCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionConcurrencyCommand, GetFunctionRecursionConfigCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand as GetPolicyCommand$1, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, PutFunctionConcurrencyCommand, PutFunctionRecursionConfigCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
-import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
+import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstanceCreditSpecificationsCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifyInstanceAttributeCommand, ModifyInstanceCreditSpecificationCommand, ModifyInstanceMetadataOptionsCommand, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, MonitorInstancesCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, UnmonitorInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
 import { CreateTableCommand, DeleteResourcePolicyCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DisableKinesisStreamingDestinationCommand, DynamoDBClient, EnableKinesisStreamingDestinationCommand, GetResourcePolicyCommand, ListTablesCommand, ListTagsOfResourceCommand, PutResourcePolicyCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateContinuousBackupsCommand, UpdateContributorInsightsCommand, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, DescribeStackEventsCommand, DescribeStackResourcesCommand, DescribeStacksCommand, DescribeTypeCommand, ExecuteChangeSetCommand, GetTemplateCommand, UpdateStackCommand, waitUntilChangeSetCreateComplete, waitUntilStackDeleteComplete, waitUntilStackImportComplete, waitUntilStackUpdateComplete } from "@aws-sdk/client-cloudformation";
 import { APIGatewayClient, CreateAuthorizerCommand, CreateDeploymentCommand, CreateResourceCommand, CreateStageCommand, DeleteAuthorizerCommand, DeleteDeploymentCommand, DeleteMethodCommand, DeleteResourceCommand, DeleteStageCommand, GetAccountCommand, GetAuthorizerCommand, GetDeploymentCommand, GetMethodCommand, GetResourceCommand, GetStageCommand, NotFoundException as NotFoundException$1, PutIntegrationCommand, PutIntegrationResponseCommand, PutMethodCommand, PutMethodResponseCommand, TagResourceCommand as TagResourceCommand$3, UntagResourceCommand as UntagResourceCommand$3, UpdateAccountCommand, UpdateAuthorizerCommand, UpdateMethodCommand, UpdateStageCommand } from "@aws-sdk/client-api-gateway";
@@ -13035,7 +13035,12 @@ var EC2Provider = class {
 			"IamInstanceProfile",
 			"UserData",
 			"BlockDeviceMappings",
-			"Tags"
+			"Tags",
+			"DisableApiTermination",
+			"MetadataOptions",
+			"Monitoring",
+			"EbsOptimized",
+			"CreditSpecification"
 		])],
 		["AWS::EC2::NetworkAcl", new Set(["VpcId", "Tags"])],
 		["AWS::EC2::NetworkAclEntry", new Set([
@@ -13925,7 +13930,12 @@ var EC2Provider = class {
 					Arn: iamInstanceProfile["Arn"],
 					Name: iamInstanceProfile["Name"]
 				} : void 0,
-				BlockDeviceMappings: this.buildBlockDeviceMappings(properties)
+				BlockDeviceMappings: this.buildBlockDeviceMappings(properties),
+				DisableApiTermination: this.coerceBool(properties["DisableApiTermination"]),
+				EbsOptimized: this.coerceBool(properties["EbsOptimized"]),
+				Monitoring: this.buildRunInstancesMonitoring(properties),
+				MetadataOptions: this.buildMetadataOptions(properties),
+				CreditSpecification: this.buildCreditSpecification(properties)
 			}))).Instances?.[0];
 			if (!instance?.InstanceId) throw new Error("No instance ID returned from RunInstances");
 			const instanceId = instance.InstanceId;
@@ -13969,6 +13979,7 @@ var EC2Provider = class {
 		this.logger.debug(`Updating EC2 Instance ${logicalId}: ${physicalId}`);
 		try {
 			await this.applyTagDiff(physicalId, previousProperties["Tags"], properties["Tags"]);
+			await this.updateInstanceSecurityProps(physicalId, properties, previousProperties);
 			const instance = (await this.ec2Client.send(new DescribeInstancesCommand({ InstanceIds: [physicalId] }))).Reservations?.[0]?.Instances?.[0];
 			return {
 				physicalId,
@@ -13987,6 +13998,57 @@ var EC2Provider = class {
 			throw new ProvisioningError(`Failed to update EC2 Instance ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
 		}
 	}
+	/**
+	* Apply in-place modifications for four of the five security-focused
+	* backfill props (#609). Each is diffed against `previousProperties` so a
+	* no-drift round-trip (`update(state, state)`) issues zero mutating calls
+	* (the `cdkd drift --revert` invariant). Each maps to a distinct EC2
+	* modify API:
+	*   - DisableApiTermination -> ModifyInstanceAttribute
+	*   - Monitoring            -> MonitorInstances / UnmonitorInstances
+	*   - MetadataOptions       -> ModifyInstanceMetadataOptions
+	*   - CreditSpecification   -> ModifyInstanceCreditSpecification
+	* EbsOptimized is NOT here: it can only be changed on a STOPPED instance, so
+	* an EbsOptimized change is routed to replacement (see ReplacementRules).
+	*/
+	async updateInstanceSecurityProps(physicalId, properties, previousProperties) {
+		const newDisableApiTermination = this.coerceBool(properties["DisableApiTermination"]);
+		const oldDisableApiTermination = this.coerceBool(previousProperties["DisableApiTermination"]);
+		if (newDisableApiTermination !== void 0 && newDisableApiTermination !== oldDisableApiTermination) await this.ec2Client.send(new ModifyInstanceAttributeCommand({
+			InstanceId: physicalId,
+			DisableApiTermination: { Value: newDisableApiTermination }
+		}));
+		const newMonitoring = this.coerceBool(properties["Monitoring"]);
+		const oldMonitoring = this.coerceBool(previousProperties["Monitoring"]);
+		if (newMonitoring !== void 0 && newMonitoring !== oldMonitoring) if (newMonitoring) await this.ec2Client.send(new MonitorInstancesCommand({ InstanceIds: [physicalId] }));
+		else await this.ec2Client.send(new UnmonitorInstancesCommand({ InstanceIds: [physicalId] }));
+		const newMetadata = this.buildMetadataOptions(properties);
+		const oldMetadata = this.buildMetadataOptions(previousProperties);
+		if (newMetadata !== void 0 && !this.shallowEqual(newMetadata, oldMetadata)) await this.ec2Client.send(new ModifyInstanceMetadataOptionsCommand({
+			InstanceId: physicalId,
+			...newMetadata
+		}));
+		const newCpuCredits = this.readCpuCredits(properties["CreditSpecification"]);
+		const oldCpuCredits = this.readCpuCredits(previousProperties["CreditSpecification"]);
+		if (newCpuCredits !== void 0 && newCpuCredits !== oldCpuCredits) await this.ec2Client.send(new ModifyInstanceCreditSpecificationCommand({ InstanceCreditSpecifications: [{
+			InstanceId: physicalId,
+			CpuCredits: newCpuCredits
+		}] }));
+	}
+	/**
+	* Shallow value-equality for the small flat MetadataOptions request shape.
+	* Treats `undefined` and an absent object as equal so the no-drift
+	* round-trip produces zero modify calls.
+	*/
+	shallowEqual(a, b) {
+		if (b === void 0) return false;
+		const ra = a;
+		const rb = b;
+		const keysA = Object.keys(ra);
+		const keysB = Object.keys(rb);
+		if (keysA.length !== keysB.length) return false;
+		return keysA.every((k) => ra[k] === rb[k]);
+	}
 	async deleteInstance(logicalId, physicalId, resourceType, context) {
 		this.logger.debug(`Terminating EC2 Instance ${logicalId}: ${physicalId}`);
 		const removeProtection = context?.removeProtection === true;
@@ -14046,6 +14108,73 @@ var EC2Provider = class {
 		});
 	}
 	/**
+	* Coerce a CFn boolean-ish value (`true` | `false` | `"true"` | `"false"`)
+	* into a real boolean, or `undefined` when the property is absent. CFn
+	* templates can carry either the JSON boolean or its string form depending
+	* on how the value was produced (a literal vs an intrinsic-resolved value),
+	* so the wire boundary must normalize both. Returns `undefined` for absent
+	* props so the field is omitted from the SDK input (AWS keeps its default)
+	* rather than being forced to `false`.
+	*/
+	coerceBool(value) {
+		if (value === void 0 || value === null) return void 0;
+		if (typeof value === "boolean") return value;
+		if (value === "true") return true;
+		if (value === "false") return false;
+	}
+	/**
+	* Build the RunInstances `Monitoring` shape from the CFn `Monitoring`
+	* boolean. AWS expects `{ Enabled: boolean }`; CFn carries a flat boolean.
+	* Returns `undefined` when the prop is absent so the field is omitted.
+	*/
+	buildRunInstancesMonitoring(properties) {
+		const enabled = this.coerceBool(properties["Monitoring"]);
+		if (enabled === void 0) return void 0;
+		return { Enabled: enabled };
+	}
+	/**
+	* Build the RunInstances `MetadataOptions` shape from the CFn
+	* `MetadataOptions` object. CFn and the SDK share field names
+	* (HttpTokens / HttpEndpoint / HttpPutResponseHopLimit / HttpProtocolIpv6 /
+	* InstanceMetadataTags). `HttpPutResponseHopLimit` is numeric — CFn may
+	* carry it as a string, so coerce at the wire boundary. Only emits keys the
+	* template actually set so AWS keeps its defaults for the rest.
+	*/
+	buildMetadataOptions(properties) {
+		const opts = properties["MetadataOptions"];
+		if (!opts || typeof opts !== "object") return void 0;
+		const result = {};
+		if (opts["HttpTokens"] !== void 0) result.HttpTokens = opts["HttpTokens"];
+		if (opts["HttpEndpoint"] !== void 0) result.HttpEndpoint = opts["HttpEndpoint"];
+		if (opts["HttpProtocolIpv6"] !== void 0) result.HttpProtocolIpv6 = opts["HttpProtocolIpv6"];
+		if (opts["InstanceMetadataTags"] !== void 0) result.InstanceMetadataTags = opts["InstanceMetadataTags"];
+		const hopLimit = opts["HttpPutResponseHopLimit"];
+		if (hopLimit !== void 0 && hopLimit !== null) result.HttpPutResponseHopLimit = Number(hopLimit);
+		return Object.keys(result).length > 0 ? result : void 0;
+	}
+	/**
+	* Build the RunInstances `CreditSpecification` shape from the CFn
+	* `CreditSpecification` object. CFn uses `CPUCredits` (capital CPU, the
+	* canonical CDK `CfnInstance` emission); accept the SDK-style `CpuCredits`
+	* too for hand-authored templates. Returns `undefined` when absent / empty.
+	*/
+	buildCreditSpecification(properties) {
+		const cpuCredits = this.readCpuCredits(properties["CreditSpecification"]);
+		if (cpuCredits === void 0) return void 0;
+		return { CpuCredits: cpuCredits };
+	}
+	/**
+	* Extract the CpuCredits string from a CFn `CreditSpecification` object,
+	* tolerating both the canonical `CPUCredits` key and the SDK-style
+	* `CpuCredits` key. Shared by create() and update().
+	*/
+	readCpuCredits(spec) {
+		if (!spec || typeof spec !== "object") return void 0;
+		const obj = spec;
+		const raw = obj["CPUCredits"] ?? obj["CpuCredits"];
+		return typeof raw === "string" ? raw : void 0;
+	}
+	/**
 	* Build an IpPermission object from CloudFormation-style properties.
 	*
 	* The EC2 IpPermission shape is identical for ingress and egress; only the
@@ -14720,6 +14849,17 @@ var EC2Provider = class {
 		if (instance.SourceDestCheck !== void 0) result["SourceDestCheck"] = instance.SourceDestCheck;
 		const monitoringState = instance.Monitoring?.State;
 		result["Monitoring"] = monitoringState === "enabled" || monitoringState === "pending";
+		if (instance.EbsOptimized !== void 0) result["EbsOptimized"] = instance.EbsOptimized;
+		const md = instance.MetadataOptions;
+		if (md !== void 0) {
+			const out = {};
+			if (md.HttpTokens !== void 0) out["HttpTokens"] = md.HttpTokens;
+			if (md.HttpPutResponseHopLimit !== void 0) out["HttpPutResponseHopLimit"] = md.HttpPutResponseHopLimit;
+			if (md.HttpEndpoint !== void 0) out["HttpEndpoint"] = md.HttpEndpoint;
+			if (md.HttpProtocolIpv6 !== void 0) out["HttpProtocolIpv6"] = md.HttpProtocolIpv6;
+			if (md.InstanceMetadataTags !== void 0) out["InstanceMetadataTags"] = md.InstanceMetadataTags;
+			if (Object.keys(out).length > 0) result["MetadataOptions"] = out;
+		}
 		if (instance.Placement?.Tenancy !== void 0) result["Tenancy"] = instance.Placement.Tenancy;
 		if (instance.IamInstanceProfile?.Arn !== void 0) result["IamInstanceProfile"] = instance.IamInstanceProfile.Arn;
 		const volumeIds = (instance.BlockDeviceMappings ?? []).filter((m) => m.Ebs?.VolumeId !== void 0).map((m) => m.Ebs.VolumeId);
@@ -14763,6 +14903,12 @@ var EC2Provider = class {
 		} catch (err) {
 			this.logger.debug(`DescribeInstanceAttribute(disableApiTermination, ${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`);
 		}
+		try {
+			const cpuCredits = (await this.ec2Client.send(new DescribeInstanceCreditSpecificationsCommand({ InstanceIds: [physicalId] }))).InstanceCreditSpecifications?.[0]?.CpuCredits;
+			if (cpuCredits !== void 0) result["CreditSpecification"] = { CPUCredits: cpuCredits };
+		} catch (err) {
+			this.logger.debug(`DescribeInstanceCreditSpecifications(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`);
+		}
 		return result;
 	}
 	async readNetworkAclCurrentState(physicalId) {
@@ -20121,7 +20267,13 @@ var RDSProvider = class {
 			"BackupRetentionPeriod",
 			"DeletionProtection",
 			"ServerlessV2ScalingConfiguration",
-			"Tags"
+			"Tags",
+			"ManageMasterUserPassword",
+			"MasterUserSecret",
+			"MonitoringRoleArn",
+			"MonitoringInterval",
+			"EnableIAMDatabaseAuthentication",
+			"PubliclyAccessible"
 		])],
 		["AWS::RDS::DBInstance", new Set([
 			"DBInstanceIdentifier",
@@ -20138,7 +20290,13 @@ var RDSProvider = class {
 			"MasterUserPassword",
 			"Port",
 			"StorageEncrypted",
-			"VPCSecurityGroups"
+			"VPCSecurityGroups",
+			"KmsKeyId",
+			"MasterUserSecret",
+			"ManageMasterUserPassword",
+			"MonitoringRoleArn",
+			"MonitoringInterval",
+			"EnableIAMDatabaseAuthentication"
 		])]
 	]);
 	unhandledByDesign = new Map([["AWS::RDS::DBCluster", new Map([["DeleteAutomatedBackups", "cdkd hardcodes SkipFinalSnapshot=true on destroy; this CFn lifecycle flag has no equivalent on the runtime path"]])], ["AWS::RDS::DBInstance", new Map([
@@ -20246,6 +20404,7 @@ var RDSProvider = class {
 		try {
 			const tags = this.buildTags(properties);
 			const serverlessV2Config = properties["ServerlessV2ScalingConfiguration"];
+			const masterUserSecret = properties["MasterUserSecret"];
 			if (!(await this.getClient().send(new CreateDBClusterCommand({
 				DBClusterIdentifier: dbClusterIdentifier,
 				Engine: properties["Engine"],
@@ -20260,6 +20419,12 @@ var RDSProvider = class {
 				KmsKeyId: properties["KmsKeyId"],
 				BackupRetentionPeriod: properties["BackupRetentionPeriod"] != null ? Number(properties["BackupRetentionPeriod"]) : void 0,
 				DeletionProtection: properties["DeletionProtection"],
+				...properties["ManageMasterUserPassword"] !== void 0 && { ManageMasterUserPassword: properties["ManageMasterUserPassword"] },
+				...masterUserSecret?.KmsKeyId !== void 0 && { MasterUserSecretKmsKeyId: masterUserSecret.KmsKeyId },
+				...properties["MonitoringRoleArn"] !== void 0 && { MonitoringRoleArn: properties["MonitoringRoleArn"] },
+				...properties["MonitoringInterval"] !== void 0 && { MonitoringInterval: Number(properties["MonitoringInterval"]) },
+				...properties["EnableIAMDatabaseAuthentication"] !== void 0 && { EnableIAMDatabaseAuthentication: properties["EnableIAMDatabaseAuthentication"] },
+				...properties["PubliclyAccessible"] !== void 0 && { PubliclyAccessible: properties["PubliclyAccessible"] },
 				...serverlessV2Config && { ServerlessV2ScalingConfiguration: {
 					MinCapacity: serverlessV2Config.MinCapacity,
 					MaxCapacity: serverlessV2Config.MaxCapacity
@@ -20315,6 +20480,7 @@ var RDSProvider = class {
 			const hasServerlessV2 = serverlessV2Config !== void 0 && (serverlessV2Config.MinCapacity !== void 0 || serverlessV2Config.MaxCapacity !== void 0);
 			const vpcSgIds = properties["VpcSecurityGroupIds"];
 			const sendVpcSgIds = vpcSgIds !== void 0 && vpcSgIds.length > 0;
+			const masterUserSecret = properties["MasterUserSecret"];
 			await this.getClient().send(new ModifyDBClusterCommand({
 				DBClusterIdentifier: physicalId,
 				EngineVersion: properties["EngineVersion"],
@@ -20323,6 +20489,11 @@ var RDSProvider = class {
 				...sendVpcSgIds && { VpcSecurityGroupIds: vpcSgIds },
 				MasterUserPassword: properties["MasterUserPassword"],
 				Port: properties["Port"] != null ? Number(properties["Port"]) : void 0,
+				...properties["ManageMasterUserPassword"] !== void 0 && { ManageMasterUserPassword: properties["ManageMasterUserPassword"] },
+				...masterUserSecret?.KmsKeyId !== void 0 && { MasterUserSecretKmsKeyId: masterUserSecret.KmsKeyId },
+				...properties["MonitoringRoleArn"] !== void 0 && { MonitoringRoleArn: properties["MonitoringRoleArn"] },
+				...properties["MonitoringInterval"] !== void 0 && { MonitoringInterval: Number(properties["MonitoringInterval"]) },
+				...properties["EnableIAMDatabaseAuthentication"] !== void 0 && { EnableIAMDatabaseAuthentication: properties["EnableIAMDatabaseAuthentication"] },
 				...hasServerlessV2 && { ServerlessV2ScalingConfiguration: {
 					MinCapacity: serverlessV2Config.MinCapacity,
 					MaxCapacity: serverlessV2Config.MaxCapacity
@@ -20385,6 +20556,7 @@ var RDSProvider = class {
 		});
 		try {
 			const tags = this.buildTags(properties);
+			const masterUserSecret = properties["MasterUserSecret"];
 			if (!(await this.getClient().send(new CreateDBInstanceCommand({
 				DBInstanceIdentifier: dbInstanceIdentifier,
 				DBInstanceClass: properties["DBInstanceClass"],
@@ -20400,6 +20572,12 @@ var RDSProvider = class {
 				...properties["MasterUserPassword"] !== void 0 && { MasterUserPassword: properties["MasterUserPassword"] },
 				...properties["StorageEncrypted"] !== void 0 && { StorageEncrypted: properties["StorageEncrypted"] },
 				...properties["VPCSecurityGroups"] !== void 0 && { VpcSecurityGroupIds: properties["VPCSecurityGroups"] },
+				...properties["KmsKeyId"] !== void 0 && { KmsKeyId: properties["KmsKeyId"] },
+				...masterUserSecret?.KmsKeyId !== void 0 && { MasterUserSecretKmsKeyId: masterUserSecret.KmsKeyId },
+				...properties["ManageMasterUserPassword"] !== void 0 && { ManageMasterUserPassword: properties["ManageMasterUserPassword"] },
+				...properties["MonitoringRoleArn"] !== void 0 && { MonitoringRoleArn: properties["MonitoringRoleArn"] },
+				...properties["MonitoringInterval"] !== void 0 && { MonitoringInterval: Number(properties["MonitoringInterval"]) },
+				...properties["EnableIAMDatabaseAuthentication"] !== void 0 && { EnableIAMDatabaseAuthentication: properties["EnableIAMDatabaseAuthentication"] },
 				...tags.length > 0 && { Tags: tags }
 			}))).DBInstance) throw new Error("CreateDBInstance did not return DBInstance");
 			this.logger.debug(`Successfully created DBInstance ${logicalId}: ${dbInstanceIdentifier}`);
@@ -20425,6 +20603,7 @@ var RDSProvider = class {
 			const newEngineVersion = properties["EngineVersion"];
 			const prevEngineVersion = previousProperties["EngineVersion"];
 			const allowMajorVersionUpgrade = newEngineVersion !== void 0 && newEngineVersion !== prevEngineVersion && prevEngineVersion !== void 0 && newEngineVersion.split(".")[0] !== prevEngineVersion.split(".")[0];
+			const masterUserSecret = properties["MasterUserSecret"];
 			await this.getClient().send(new ModifyDBInstanceCommand({
 				DBInstanceIdentifier: physicalId,
 				DBInstanceClass: properties["DBInstanceClass"],
@@ -20438,7 +20617,12 @@ var RDSProvider = class {
 				},
 				...properties["Port"] !== void 0 && { DBPortNumber: Number(properties["Port"]) },
 				...properties["MasterUserPassword"] !== void 0 && { MasterUserPassword: properties["MasterUserPassword"] },
-				...properties["VPCSecurityGroups"] !== void 0 && { VpcSecurityGroupIds: properties["VPCSecurityGroups"] }
+				...properties["VPCSecurityGroups"] !== void 0 && { VpcSecurityGroupIds: properties["VPCSecurityGroups"] },
+				...masterUserSecret?.KmsKeyId !== void 0 && { MasterUserSecretKmsKeyId: masterUserSecret.KmsKeyId },
+				...properties["ManageMasterUserPassword"] !== void 0 && { ManageMasterUserPassword: properties["ManageMasterUserPassword"] },
+				...properties["MonitoringRoleArn"] !== void 0 && { MonitoringRoleArn: properties["MonitoringRoleArn"] },
+				...properties["MonitoringInterval"] !== void 0 && { MonitoringInterval: Number(properties["MonitoringInterval"]) },
+				...properties["EnableIAMDatabaseAuthentication"] !== void 0 && { EnableIAMDatabaseAuthentication: properties["EnableIAMDatabaseAuthentication"] }
 			}));
 			this.logger.debug(`Successfully updated DBInstance ${logicalId}`);
 			const described = await this.describeDBInstance(physicalId);
@@ -20679,6 +20863,11 @@ var RDSProvider = class {
 		if (inst.StorageEncrypted !== void 0) result["StorageEncrypted"] = inst.StorageEncrypted;
 		const sgIds = (inst.VpcSecurityGroups ?? []).map((sg) => sg.VpcSecurityGroupId).filter((id) => !!id);
 		if (sgIds.length > 0) result["VPCSecurityGroups"] = sgIds;
+		if (inst.KmsKeyId !== void 0) result["KmsKeyId"] = inst.KmsKeyId;
+		if (inst.MonitoringRoleArn !== void 0) result["MonitoringRoleArn"] = inst.MonitoringRoleArn;
+		if (inst.MonitoringInterval !== void 0) result["MonitoringInterval"] = inst.MonitoringInterval;
+		if (inst.IAMDatabaseAuthenticationEnabled !== void 0) result["EnableIAMDatabaseAuthentication"] = inst.IAMDatabaseAuthenticationEnabled;
+		if (inst.MasterUserSecret?.KmsKeyId !== void 0) result["MasterUserSecret"] = { KmsKeyId: inst.MasterUserSecret.KmsKeyId };
 		if (inst.DBInstanceArn) await this.attachTags(result, inst.DBInstanceArn);
 		return result;
 	}
@@ -20704,6 +20893,11 @@ var RDSProvider = class {
 		if (cluster.KmsKeyId !== void 0) result["KmsKeyId"] = cluster.KmsKeyId;
 		if (cluster.BackupRetentionPeriod !== void 0) result["BackupRetentionPeriod"] = cluster.BackupRetentionPeriod;
 		if (cluster.DeletionProtection !== void 0) result["DeletionProtection"] = cluster.DeletionProtection;
+		if (cluster.MonitoringRoleArn !== void 0) result["MonitoringRoleArn"] = cluster.MonitoringRoleArn;
+		if (cluster.MonitoringInterval !== void 0) result["MonitoringInterval"] = cluster.MonitoringInterval;
+		if (cluster.IAMDatabaseAuthenticationEnabled !== void 0) result["EnableIAMDatabaseAuthentication"] = cluster.IAMDatabaseAuthenticationEnabled;
+		if (cluster.PubliclyAccessible !== void 0) result["PubliclyAccessible"] = cluster.PubliclyAccessible;
+		if (cluster.MasterUserSecret?.KmsKeyId !== void 0) result["MasterUserSecret"] = { KmsKeyId: cluster.MasterUserSecret.KmsKeyId };
 		if (cluster.ServerlessV2ScalingConfiguration?.MinCapacity !== void 0 || cluster.ServerlessV2ScalingConfiguration?.MaxCapacity !== void 0) {
 			const sc = {};
 			if (cluster.ServerlessV2ScalingConfiguration?.MinCapacity !== void 0) sc["MinCapacity"] = cluster.ServerlessV2ScalingConfiguration.MinCapacity;
@@ -53328,7 +53522,7 @@ function reorderArgs(argv) {
 async function main() {
 	installPipeCloseHandler();
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.217.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.219.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());