@go-to-k/cdkd 0.28.1 → 0.29.0

package/README.md

@@ -161,6 +161,7 @@ Reproduce with `./tests/benchmark/run-benchmark.sh all`. See [tests/benchmark/RE
 | `Fn::Or` | ✅ Supported | Logical OR (2-10 conditions) |
 | `Fn::Not` | ✅ Supported | Logical NOT |
 | `Fn::ImportValue` | ✅ Supported | Cross-stack references via S3 state |
+| `Fn::GetStackOutput` | ✅ Supported (same-account) | Cross-stack / cross-region output reference via S3 state. Cross-account `RoleArn` is rejected with a clear error (not yet implemented). |
 | `Fn::FindInMap` | ✅ Supported | Mapping lookup |
 | `Fn::GetAZs` | ✅ Supported | Availability Zone list |
 | `Fn::Base64` | ✅ Supported | Base64 encoding |
@@ -283,6 +284,7 @@ Reproduce with `./tests/benchmark/run-benchmark.sh all`. See [tests/benchmark/RE
 | CloudFormation Parameters | ✅ | Default values, type coercion |
 | Conditions | ✅ | With logical operators |
 | Cross-stack references | ✅ | Via `Fn::ImportValue` + S3 state |
+| Cross-region references | ✅ (same-account) | Via `Fn::GetStackOutput` + S3 state. Cross-account `RoleArn` not yet implemented. |
 | JSON Patch updates | ✅ | RFC 6902, minimal patches |
 | Resource replacement detection | ✅ | 10+ resource types |
 | Dynamic References | ✅ | `{{resolve:secretsmanager:...}}`, `{{resolve:ssm:...}}` |
@@ -457,8 +459,10 @@ cdkd state show MyStack --json        # raw {state, lock} JSON
 
 # Orphan one or more RESOURCES from cdkd's state (does NOT delete AWS resources).
 # Per-resource, mirrors aws-cdk-cli's `cdk orphan --unstable=orphan`.
-# Synth-driven — needs --app / cdk.json. Construct paths look like the CDK
-# `aws:cdk:path` tag (`<StackName>/<Path/To/Resource>`).
+# Synth-driven — needs --app / cdk.json. Construct paths use CDK's L2-style form
+# (`<StackName>/<Path/To/Construct>`); the synthesized `/Resource` suffix is
+# matched implicitly. Passing an L2 wrapper that contains multiple CFn resources
+# orphans every child under it (matches upstream's prefix-match semantics).
 cdkd orphan MyStack/MyTable                    # confirmation prompt (y/N)
 cdkd orphan MyStack/MyTable --yes
 cdkd orphan MyStack/MyTable MyStack/MyBucket   # multiple resources, same stack
@@ -708,11 +712,12 @@ the rest by tag automatically.
 
 ### Common flags
 
-| Flag        | Purpose                                                                       |
-| ----------- | ----------------------------------------------------------------------------- |
-| `--dry-run` | Preview what would be imported. State is NOT written.                         |
-| `--yes`     | Skip the confirmation prompt before writing state.                            |
-| `--force`   | Confirm a destructive write to existing state — see below.                    |
+| Flag | Purpose |
+| --- | --- |
+| `--dry-run` | Preview what would be imported. State is NOT written. |
+| `--yes` | Skip the confirmation prompt before writing state (and the CloudFormation retirement prompt under `--migrate-from-cloudformation`). |
+| `--force` | Confirm a destructive write to existing state — see below. |
+| `--migrate-from-cloudformation [name]` | After cdkd state is written, retire the source CloudFormation stack: inject `DeletionPolicy: Retain` + `UpdateReplacePolicy: Retain` on every resource via `UpdateStack`, then `DeleteStack`. AWS resources are NOT deleted. See [Migrating from `cdk deploy` (CloudFormation) to cdkd](#migrating-from-cdk-deploy-cloudformation-to-cdkd) below. |
 
 `--force` is only needed when the import would lose data:
 
@@ -725,6 +730,76 @@ the rest by tag automatically.
   Unlisted state entries are preserved automatically.
 - **No existing state (first-time import)**: not required.
 
+### Migrating from `cdk deploy` (CloudFormation) to cdkd
+
+If a stack was previously deployed via `cdk deploy` (and is therefore
+managed by CloudFormation), `cdkd import --migrate-from-cloudformation` adopts
+the resources into cdkd state AND retires the source CloudFormation
+stack in one go:
+
+```bash
+cdkd import MyStack --migrate-from-cloudformation --yes
+```
+
+No `--resource <id>=<physical>` flags are needed — cdkd recovers each
+resource's physical id directly from CloudFormation via
+`DescribeStackResources`, so it works for both `cdk deploy`-managed and
+`cdkd deploy`-managed stacks. (cdkd's tag-based auto-lookup can't help
+here: upstream `cdk deploy` doesn't propagate the `aws:cdk:path` template
+metadata as a real AWS tag, and AWS reserves the `aws:` tag prefix so
+neither cdkd nor a CFn `UpdateStack` can add it on the way through.)
+
+The flow:
+
+1. `DescribeStackResources` — ask CloudFormation for every
+   `(LogicalResourceId, PhysicalResourceId)` pair in the source stack.
+   These are merged into the import overrides; user-supplied
+   `--resource <id>=<physical>` flags take precedence over CFn's view.
+2. `cdkd import` runs and adopts every resource into cdkd state via
+   each provider's `import()` method, using the CFn-resolved physical
+   ids as direct lookups.
+3. `cdkd` writes state.
+4. `DescribeStacks` + `GetTemplate` + `UpdateStack` to inject
+   `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain` on every
+   resource — a metadata-only update.
+5. `DeleteStack` — every resource is now `Retain`, so CloudFormation
+   walks the stack and skips every resource. The stack record disappears;
+   the underlying AWS resources are left intact and are now solely
+   managed by cdkd.
+
+Steps 1–5 all run inside the same lock so a concurrent `cdkd deploy`
+cannot race the in-flight migration.
+
+By default the CloudFormation stack name is taken from the cdkd stack
+name (the typical case — CDK uses the synthesized stack name as the CFn
+stack name). Pass an explicit value when the names differ:
+
+```bash
+cdkd import MyStack --migrate-from-cloudformation LegacyCfnStackName --yes
+```
+
+Limitations:
+
+- **JSON-only.** The Retain-policy injection in step 4 targets the CDK-
+  generated JSON template. Hand-written YAML CFn stacks fail with a
+  clear error; retire them manually.
+- **51,200-byte template limit.** The modified template is submitted
+  inline via `TemplateBody`. Stacks whose modified template exceeds
+  this limit fail in step 4 with a clear error pointing to the manual
+  3-step procedure (S3-backed `TemplateURL` fallback is a planned
+  follow-up). cdkd state has already been written at that point, so
+  re-runs and manual cleanup are both supported.
+- **Not compatible with `--dry-run`.** The post-state-write
+  `UpdateStack` + `DeleteStack` are real side-effects and cannot be
+  faithfully simulated. Use plain `cdkd import --dry-run` to preview
+  per-resource import outcomes.
+- **Partial imports leave unmanaged resources.** If a resource cannot
+  be imported (no provider, AWS not-found, etc.), `DeleteStack` skips
+  it (Retain) and cdkd never wrote it into state — so the resource
+  exists in AWS but unmanaged by both CloudFormation and cdkd. cdkd
+  warns loudly when this happens; either re-import the missing
+  resources first or accept the orphaning intentionally.
+
 ### After import
 
 Run `cdkd diff` to see how the imported state lines up with the

package/dist/cli.js

@@ -5736,6 +5736,9 @@ var IntrinsicFunctionResolver = class {
     if ("Fn::ImportValue" in obj) {
       return await this.resolveImportValue(obj["Fn::ImportValue"], context);
     }
+    if ("Fn::GetStackOutput" in obj) {
+      return await this.resolveGetStackOutput(obj["Fn::GetStackOutput"], context);
+    }
     if ("Fn::FindInMap" in obj) {
       return await this.resolveFindInMap(
         obj["Fn::FindInMap"],
@@ -6284,6 +6287,106 @@ var IntrinsicFunctionResolver = class {
       `Fn::ImportValue: export '${exportName}' not found in any stack. Searched ${allStacks.length} state record(s). Make sure the exporting stack has been deployed and the Output has an Export.Name property.`
     );
   }
+  /**
+   * Resolve Fn::GetStackOutput (cross-stack / cross-region output reference)
+   *
+   * Shape: { "Fn::GetStackOutput": { "StackName": "...", "OutputName": "...",
+   *                                   "Region": "...", "RoleArn": "..." } }
+   *
+   * Unlike Fn::ImportValue, the producer stack is named explicitly and no
+   * Export is required. cdkd reads the producer's `outputs` from the
+   * region-scoped state record at
+   * `s3://{bucket}/cdkd/{StackName}/{Region}/state.json`. When `Region` is
+   * omitted, the consumer's deploy region is used.
+   *
+   * RoleArn (cross-account) is intentionally rejected — cdkd uses S3 state,
+   * not CloudFormation DescribeStacks, so a cross-account reference would
+   * require assuming the role and reading the producer's separate state
+   * bucket. That path is not yet implemented; we surface a clear error
+   * instead of silently downgrading.
+   */
+  async resolveGetStackOutput(arg, context) {
+    if (!arg || typeof arg !== "object" || Array.isArray(arg)) {
+      throw new Error(
+        `Fn::GetStackOutput: argument must be an object with StackName/OutputName/Region/RoleArn, got ${arg === null ? "null" : Array.isArray(arg) ? "array" : typeof arg}`
+      );
+    }
+    const args = arg;
+    if (!("StackName" in args)) {
+      throw new Error("Fn::GetStackOutput: StackName is required");
+    }
+    if (!("OutputName" in args)) {
+      throw new Error("Fn::GetStackOutput: OutputName is required");
+    }
+    const stackName = await this.resolveValue(args["StackName"], context);
+    if (typeof stackName !== "string" || stackName === "") {
+      throw new Error(
+        `Fn::GetStackOutput: StackName must resolve to a non-empty string, got ${typeof stackName}`
+      );
+    }
+    const outputName = await this.resolveValue(args["OutputName"], context);
+    if (typeof outputName !== "string" || outputName === "") {
+      throw new Error(
+        `Fn::GetStackOutput: OutputName must resolve to a non-empty string, got ${typeof outputName}`
+      );
+    }
+    let region = this.resolverRegion;
+    if ("Region" in args && args["Region"] !== void 0 && args["Region"] !== null) {
+      const resolvedRegion = await this.resolveValue(args["Region"], context);
+      if (typeof resolvedRegion !== "string" || resolvedRegion === "") {
+        throw new Error(
+          `Fn::GetStackOutput: Region must resolve to a non-empty string, got ${typeof resolvedRegion}`
+        );
+      }
+      region = resolvedRegion;
+    }
+    let roleArn;
+    if ("RoleArn" in args && args["RoleArn"] !== void 0 && args["RoleArn"] !== null) {
+      const resolvedRoleArn = await this.resolveValue(args["RoleArn"], context);
+      if (typeof resolvedRoleArn !== "string" || resolvedRoleArn === "") {
+        throw new Error(
+          `Fn::GetStackOutput: RoleArn must resolve to a non-empty string, got ${typeof resolvedRoleArn}`
+        );
+      }
+      roleArn = resolvedRoleArn;
+    }
+    if (roleArn) {
+      throw new Error(
+        `Fn::GetStackOutput: cross-account references via RoleArn are not yet supported by cdkd (StackName=${stackName}, Region=${region}, RoleArn=${roleArn}). cdkd reads outputs from S3 state instead of CloudFormation DescribeStacks, so cross-account requires assuming the role and reading the producer account's state bucket \u2014 not yet implemented.`
+      );
+    }
+    if (!context.stateBackend) {
+      throw new Error("Fn::GetStackOutput: state backend is required for cross-stack references");
+    }
+    if (context.stackName && context.stackName === stackName && region === this.resolverRegion) {
+      throw new Error(
+        `Fn::GetStackOutput: cannot reference own stack '${stackName}' in the same region '${region}'`
+      );
+    }
+    this.logger.debug(
+      `Resolving Fn::GetStackOutput: StackName=${stackName}, Region=${region}, OutputName=${outputName}`
+    );
+    const stateData = await context.stateBackend.getState(stackName, region);
+    if (!stateData) {
+      throw new Error(
+        `Fn::GetStackOutput: stack '${stackName}' not found in region '${region}'. Make sure the producer stack has been deployed via cdkd.`
+      );
+    }
+    const outputs = stateData.state.outputs ?? {};
+    if (!(outputName in outputs)) {
+      const available = Object.keys(outputs).join(", ") || "(none)";
+      throw new Error(
+        `Fn::GetStackOutput: output '${outputName}' not found in stack '${stackName}' (${region}). Available outputs: ${available}`
+      );
+    }
+    const value = outputs[outputName];
+    this.logger.info(
+      `Resolved Fn::GetStackOutput: StackName=${stackName}, Region=${region}, OutputName=${outputName} -> ${JSON.stringify(
+        value
+      )}`
+    );
+    return value;
+  }
   /**
    * Resolve Fn::FindInMap intrinsic function
    *
@@ -33391,12 +33494,25 @@ function readCdkPath(resource) {
 function buildCdkPathIndex(template) {
   const index = /* @__PURE__ */ new Map();
   for (const [logicalId, resource] of Object.entries(template.Resources)) {
+    if (resource.Type === "AWS::CDK::Metadata")
+      continue;
     const path = readCdkPath(resource);
     if (path)
       index.set(path, logicalId);
   }
   return index;
 }
+function resolveCdkPathToLogicalIds(input, index) {
+  const seen = /* @__PURE__ */ new Map();
+  const prefix = `${input}/`;
+  for (const [path, logicalId] of index) {
+    if (path === input || path.startsWith(prefix)) {
+      if (!seen.has(logicalId))
+        seen.set(logicalId, path);
+    }
+  }
+  return [...seen.entries()].map(([logicalId, cdkPath]) => ({ logicalId, cdkPath }));
+}
 
 // src/analyzer/orphan-rewriter.ts
 var AttributeFetcher = class {
@@ -33952,19 +34068,20 @@ function resolveConstructPaths(paths, stacks) {
         `All construct paths must reference the same stack. Got '${stack.stackName}' and '${candidate.stackName}'. Run 'cdkd orphan' once per stack.`
       );
     }
-    const cdkPath = p;
     const index = buildCdkPathIndex(candidate.template);
-    const logicalId = index.get(cdkPath);
-    if (!logicalId) {
+    const matches = resolveCdkPathToLogicalIds(p, index);
+    if (matches.length === 0) {
       const available = [...index.keys()].sort().join("\n  ");
       throw new Error(
-        `Construct path '${cdkPath}' not found in template for stack '${candidate.stackName}'.
+        `Construct path '${p}' not found in template for stack '${candidate.stackName}'.
 Available paths:
   ${available}`
       );
     }
-    if (!logicalIds.includes(logicalId)) {
-      logicalIds.push(logicalId);
+    for (const { logicalId } of matches) {
+      if (!logicalIds.includes(logicalId)) {
+        logicalIds.push(logicalId);
+      }
     }
   }
   if (!stack) {
@@ -35198,9 +35315,159 @@ function createStateCommand() {
 
 // src/cli/commands/import.ts
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "node:fs";
-import * as readline5 from "node:readline/promises";
+import * as readline6 from "node:readline/promises";
 import { Command as Command12 } from "commander";
 init_aws_clients();
+
+// src/cli/commands/retire-cfn-stack.ts
+import * as readline5 from "node:readline/promises";
+import {
+  DescribeStacksCommand,
+  DescribeStackResourcesCommand,
+  GetTemplateCommand,
+  UpdateStackCommand,
+  DeleteStackCommand,
+  waitUntilStackUpdateComplete,
+  waitUntilStackDeleteComplete
+} from "@aws-sdk/client-cloudformation";
+var STABLE_TERMINAL_STATUSES = /* @__PURE__ */ new Set([
+  "CREATE_COMPLETE",
+  "UPDATE_COMPLETE",
+  "UPDATE_ROLLBACK_COMPLETE",
+  "IMPORT_COMPLETE",
+  "IMPORT_ROLLBACK_COMPLETE"
+]);
+var TEMPLATE_BODY_LIMIT = 51200;
+async function retireCloudFormationStack(options) {
+  const logger = getLogger();
+  const { cfnStackName, cfnClient, yes } = options;
+  logger.info(`[1/4] Inspecting CloudFormation stack '${cfnStackName}'...`);
+  const desc = await cfnClient.send(new DescribeStacksCommand({ StackName: cfnStackName }));
+  const stack = desc.Stacks?.[0];
+  if (!stack) {
+    throw new Error(`CloudFormation stack '${cfnStackName}' not found.`);
+  }
+  const status = stack.StackStatus ?? "";
+  if (!STABLE_TERMINAL_STATUSES.has(status)) {
+    throw new Error(
+      `CloudFormation stack '${cfnStackName}' is in status '${status}', which is not a stable terminal state. Wait for the stack to settle (or roll back) before retiring it.`
+    );
+  }
+  const capabilities = stack.Capabilities ?? [];
+  const tpl = await cfnClient.send(
+    new GetTemplateCommand({ StackName: cfnStackName, TemplateStage: "Original" })
+  );
+  if (!tpl.TemplateBody) {
+    throw new Error(`GetTemplate returned no body for '${cfnStackName}'.`);
+  }
+  const { body: newBody, modified } = injectRetainPolicies(tpl.TemplateBody, cfnStackName);
+  if (!yes) {
+    const ok = await confirmPrompt3(
+      `Set DeletionPolicy=Retain and UpdateReplacePolicy=Retain on every resource in CloudFormation stack '${cfnStackName}', then delete the stack? AWS resources will NOT be deleted (cdkd state has been written).`
+    );
+    if (!ok) {
+      logger.info("CloudFormation stack retirement cancelled. cdkd state is unaffected.");
+      return { outcome: "cancelled" };
+    }
+  }
+  let updateRan = false;
+  if (!modified) {
+    logger.info(`[2/4] Template already has Retain on every resource \u2014 skipping UpdateStack.`);
+  } else {
+    logger.info(`[2/4] Injected DeletionPolicy=Retain and UpdateReplacePolicy=Retain.`);
+    if (newBody.length > TEMPLATE_BODY_LIMIT) {
+      throw new Error(
+        `Modified template is ${newBody.length} bytes, exceeds the inline UpdateStack TemplateBody limit (${TEMPLATE_BODY_LIMIT}). cdkd state has already been written; retire the stack manually with: (1) edit the template to add DeletionPolicy: Retain and UpdateReplacePolicy: Retain to every resource, (2) UpdateStack with the modified template via S3 TemplateURL, (3) DeleteStack. Inline TemplateURL fallback is a planned follow-up.`
+      );
+    }
+    logger.info(`[3/4] Updating CloudFormation stack with Retain policies...`);
+    try {
+      await cfnClient.send(
+        new UpdateStackCommand({
+          StackName: cfnStackName,
+          TemplateBody: newBody,
+          Capabilities: capabilities
+        })
+      );
+      updateRan = true;
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (/No updates are to be performed/i.test(msg)) {
+        logger.info(`  CloudFormation reports no updates needed \u2014 proceeding to delete.`);
+      } else {
+        throw err;
+      }
+    }
+    if (updateRan) {
+      await waitUntilStackUpdateComplete(
+        { client: cfnClient, maxWaitTime: 1800 },
+        { StackName: cfnStackName }
+      );
+    }
+  }
+  logger.info(`[4/4] Deleting CloudFormation stack '${cfnStackName}' (resources retained)...`);
+  await cfnClient.send(new DeleteStackCommand({ StackName: cfnStackName }));
+  await waitUntilStackDeleteComplete(
+    { client: cfnClient, maxWaitTime: 1800 },
+    { StackName: cfnStackName }
+  );
+  logger.info(
+    `\u2713 CloudFormation stack '${cfnStackName}' retired. AWS resources are now solely managed by cdkd.`
+  );
+  return { outcome: modified ? "retired" : "no-template-change" };
+}
+function injectRetainPolicies(templateBody, cfnStackName) {
+  let parsed;
+  try {
+    parsed = JSON.parse(templateBody);
+  } catch (err) {
+    throw new Error(
+      `Template for '${cfnStackName}' is not valid JSON. cdkd's --migrate-from-cloudformation flow only supports CDK-generated (JSON) templates. Cause: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed) || !("Resources" in parsed) || typeof parsed.Resources !== "object" || parsed.Resources === null) {
+    throw new Error(
+      `Template for '${cfnStackName}' has no Resources section \u2014 refusing to retire.`
+    );
+  }
+  let modified = false;
+  const resources = parsed.Resources;
+  for (const [, resource] of Object.entries(resources)) {
+    if (!resource || typeof resource !== "object" || Array.isArray(resource))
+      continue;
+    const r = resource;
+    if (r["DeletionPolicy"] !== "Retain") {
+      r["DeletionPolicy"] = "Retain";
+      modified = true;
+    }
+    if (r["UpdateReplacePolicy"] !== "Retain") {
+      r["UpdateReplacePolicy"] = "Retain";
+      modified = true;
+    }
+  }
+  return { body: JSON.stringify(parsed, null, 2), modified };
+}
+async function getCloudFormationResourceMapping(cfnStackName, cfnClient) {
+  const resp = await cfnClient.send(new DescribeStackResourcesCommand({ StackName: cfnStackName }));
+  const map = /* @__PURE__ */ new Map();
+  for (const r of resp.StackResources ?? []) {
+    if (!r.LogicalResourceId || !r.PhysicalResourceId)
+      continue;
+    map.set(r.LogicalResourceId, r.PhysicalResourceId);
+  }
+  return map;
+}
+async function confirmPrompt3(prompt) {
+  const rl = readline5.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
+
+// src/cli/commands/import.ts
 async function importCommand(stackArg, options) {
   const logger = getLogger();
   if (options.verbose) {
@@ -35267,7 +35534,46 @@ async function importCommand(stackArg, options) {
     if (overrides.size > 0) {
       logger.debug(`User-supplied physical IDs: ${[...overrides.keys()].join(", ")}`);
     }
-    const selectiveMode = overrides.size > 0 && !options.auto;
+    const migrationCfnStackName = options.migrateFromCloudformation ? typeof options.migrateFromCloudformation === "string" && options.migrateFromCloudformation.length > 0 ? options.migrateFromCloudformation : stackInfo.stackName : void 0;
+    if (options.migrateFromCloudformation && options.dryRun) {
+      throw new Error(
+        "--migrate-from-cloudformation is not compatible with --dry-run: the post-state-write retirement (UpdateStack + DeleteStack) issues real AWS calls. Use plain `cdkd import --dry-run` to preview the import in isolation."
+      );
+    }
+    const template = stackInfo.template;
+    const templateParser = new TemplateParser();
+    const resources = collectImportableResources(template);
+    const templateLogicalIds = new Set(resources.map((r) => r.logicalId));
+    logger.info(`Found ${resources.length} resource(s) in template`);
+    if (migrationCfnStackName) {
+      logger.info(`Resolving physical IDs from CloudFormation stack '${migrationCfnStackName}'...`);
+      const cfnMapping = await getCloudFormationResourceMapping(
+        migrationCfnStackName,
+        awsClients.cloudFormation
+      );
+      let derived = 0;
+      let skippedNonImportable = 0;
+      for (const [logicalId, physicalId] of cfnMapping) {
+        if (!templateLogicalIds.has(logicalId)) {
+          skippedNonImportable++;
+          continue;
+        }
+        if (!overrides.has(logicalId)) {
+          overrides.set(logicalId, physicalId);
+          derived++;
+        }
+      }
+      const overriddenByUser = cfnMapping.size - derived - skippedNonImportable;
+      const detail = [];
+      if (overriddenByUser > 0)
+        detail.push(`${overriddenByUser} already overridden by --resource`);
+      if (skippedNonImportable > 0)
+        detail.push(`${skippedNonImportable} non-importable (e.g. CDKMetadata)`);
+      logger.info(
+        `Resolved ${derived} physical ID(s) from CloudFormation` + (detail.length > 0 ? ` (${detail.join(", ")})` : "")
+      );
+    }
+    const selectiveMode = overrides.size > 0 && !options.auto && !options.migrateFromCloudformation;
     if (selectiveMode) {
       logger.info(
         `Selective mode: only importing the ${overrides.size} resource(s) you listed (${[...overrides.keys()].join(", ")}). Pass --auto to also tag-import the rest.`
@@ -35301,11 +35607,6 @@ async function importCommand(stackArg, options) {
         );
       }
     }
-    const template = stackInfo.template;
-    const templateParser = new TemplateParser();
-    const resources = collectImportableResources(template);
-    logger.info(`Found ${resources.length} resource(s) in template`);
-    const templateLogicalIds = new Set(resources.map((r) => r.logicalId));
     for (const overrideId of overrides.keys()) {
       if (!templateLogicalIds.has(overrideId)) {
         throw new Error(
@@ -35355,7 +35656,7 @@ async function importCommand(stackArg, options) {
         const preservedCount = selectiveMode && existingState ? Object.keys(existingState.resources).filter((id) => !overrides.has(id)).length : 0;
         const totalAfter = importedCount + preservedCount;
         const breakdown = preservedCount > 0 ? ` (${importedCount} new/overwritten + ${preservedCount} preserved)` : "";
-        const ok = await confirmPrompt3(
+        const ok = await confirmPrompt4(
           `Write state for ${stackInfo.stackName} (${targetRegion}) with ${totalAfter} resource(s)${breakdown}?`
         );
         if (!ok) {
@@ -35384,6 +35685,19 @@ async function importCommand(stackArg, options) {
       logger.info(
         `  ${importedRows.length} resource(s) imported. Run 'cdkd diff' to see how the imported state lines up with the template.`
       );
+      if (migrationCfnStackName) {
+        const orphaned = resources.length - importedRows.length;
+        if (orphaned > 0) {
+          logger.warn(
+            `--migrate-from-cloudformation: ${orphaned} of ${resources.length} template resource(s) were NOT imported into cdkd. After the CloudFormation stack is retired, those resources remain in AWS but are unmanaged by both CloudFormation and cdkd.`
+          );
+        }
+        await retireCloudFormationStack({
+          cfnStackName: migrationCfnStackName,
+          cfnClient: awsClients.cloudFormation,
+          yes: options.yes
+        });
+      }
     } finally {
       await lockManager.releaseLock(stackInfo.stackName, targetRegion).catch((err) => {
         logger.warn(`Failed to release lock: ${err instanceof Error ? err.message : String(err)}`);
@@ -35597,8 +35911,8 @@ function formatOutcome(outcome) {
       return "\u2717";
   }
 }
-async function confirmPrompt3(prompt) {
-  const rl = readline5.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt4(prompt) {
+  const rl = readline6.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -35634,6 +35948,9 @@ function createImportCommand() {
     "--force",
     "Confirm a destructive write to existing state. Required for auto / whole-stack import when state already exists (rebuilds the entire resource map). Also required in selective mode if a listed override would overwrite a resource already in state. Not needed for a pure selective merge (adding new resources without touching unlisted entries).",
     false
+  ).option(
+    "--migrate-from-cloudformation [cfn-stack-name]",
+    "After cdkd state is written, retire the named CloudFormation stack (deletes the CFn stack record; AWS resources are NOT deleted): inject DeletionPolicy=Retain and UpdateReplacePolicy=Retain on every resource via UpdateStack, then DeleteStack. cdkd takes over management. Pass without a value to use the cdkd stack name as the CFn stack name (the typical case for a CDK app that was previously deployed via `cdk deploy`); pass an explicit value when the CFn stack name differs."
   ).action(withErrorHandling(importCommand));
   [...commonOptions, ...appOptions, ...stateOptions, ...contextOptions].forEach(
     (o) => cmd.addOption(o)
@@ -35671,7 +35988,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.28.1");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.29.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());