@go-to-k/cdkd 0.28.2 → 0.30.0

package/dist/cli.js

@@ -1304,14 +1304,14 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
   const { GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
-  const { S3Client: S3Client11 } = await import("@aws-sdk/client-s3");
+  const { S3Client: S3Client12 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
   const identity = await awsClients.sts.send(new GetCallerIdentityCommand11({}));
   const accountId = identity.Account;
   const newName = getDefaultStateBucketName(accountId);
   const legacyName = getLegacyStateBucketName(accountId, region);
-  const probe = new S3Client11({ region: "us-east-1" });
+  const probe = new S3Client12({ region: "us-east-1" });
   try {
     const newExists = await bucketExists(probe, newName);
     const legacyExists = await bucketExists(probe, legacyName);
@@ -5736,6 +5736,9 @@ var IntrinsicFunctionResolver = class {
     if ("Fn::ImportValue" in obj) {
       return await this.resolveImportValue(obj["Fn::ImportValue"], context);
     }
+    if ("Fn::GetStackOutput" in obj) {
+      return await this.resolveGetStackOutput(obj["Fn::GetStackOutput"], context);
+    }
     if ("Fn::FindInMap" in obj) {
       return await this.resolveFindInMap(
         obj["Fn::FindInMap"],
@@ -6284,6 +6287,106 @@ var IntrinsicFunctionResolver = class {
       `Fn::ImportValue: export '${exportName}' not found in any stack. Searched ${allStacks.length} state record(s). Make sure the exporting stack has been deployed and the Output has an Export.Name property.`
     );
   }
+  /**
+   * Resolve Fn::GetStackOutput (cross-stack / cross-region output reference)
+   *
+   * Shape: { "Fn::GetStackOutput": { "StackName": "...", "OutputName": "...",
+   *                                   "Region": "...", "RoleArn": "..." } }
+   *
+   * Unlike Fn::ImportValue, the producer stack is named explicitly and no
+   * Export is required. cdkd reads the producer's `outputs` from the
+   * region-scoped state record at
+   * `s3://{bucket}/cdkd/{StackName}/{Region}/state.json`. When `Region` is
+   * omitted, the consumer's deploy region is used.
+   *
+   * RoleArn (cross-account) is intentionally rejected — cdkd uses S3 state,
+   * not CloudFormation DescribeStacks, so a cross-account reference would
+   * require assuming the role and reading the producer's separate state
+   * bucket. That path is not yet implemented; we surface a clear error
+   * instead of silently downgrading.
+   */
+  async resolveGetStackOutput(arg, context) {
+    if (!arg || typeof arg !== "object" || Array.isArray(arg)) {
+      throw new Error(
+        `Fn::GetStackOutput: argument must be an object with StackName/OutputName/Region/RoleArn, got ${arg === null ? "null" : Array.isArray(arg) ? "array" : typeof arg}`
+      );
+    }
+    const args = arg;
+    if (!("StackName" in args)) {
+      throw new Error("Fn::GetStackOutput: StackName is required");
+    }
+    if (!("OutputName" in args)) {
+      throw new Error("Fn::GetStackOutput: OutputName is required");
+    }
+    const stackName = await this.resolveValue(args["StackName"], context);
+    if (typeof stackName !== "string" || stackName === "") {
+      throw new Error(
+        `Fn::GetStackOutput: StackName must resolve to a non-empty string, got ${typeof stackName}`
+      );
+    }
+    const outputName = await this.resolveValue(args["OutputName"], context);
+    if (typeof outputName !== "string" || outputName === "") {
+      throw new Error(
+        `Fn::GetStackOutput: OutputName must resolve to a non-empty string, got ${typeof outputName}`
+      );
+    }
+    let region = this.resolverRegion;
+    if ("Region" in args && args["Region"] !== void 0 && args["Region"] !== null) {
+      const resolvedRegion = await this.resolveValue(args["Region"], context);
+      if (typeof resolvedRegion !== "string" || resolvedRegion === "") {
+        throw new Error(
+          `Fn::GetStackOutput: Region must resolve to a non-empty string, got ${typeof resolvedRegion}`
+        );
+      }
+      region = resolvedRegion;
+    }
+    let roleArn;
+    if ("RoleArn" in args && args["RoleArn"] !== void 0 && args["RoleArn"] !== null) {
+      const resolvedRoleArn = await this.resolveValue(args["RoleArn"], context);
+      if (typeof resolvedRoleArn !== "string" || resolvedRoleArn === "") {
+        throw new Error(
+          `Fn::GetStackOutput: RoleArn must resolve to a non-empty string, got ${typeof resolvedRoleArn}`
+        );
+      }
+      roleArn = resolvedRoleArn;
+    }
+    if (roleArn) {
+      throw new Error(
+        `Fn::GetStackOutput: cross-account references via RoleArn are not yet supported by cdkd (StackName=${stackName}, Region=${region}, RoleArn=${roleArn}). cdkd reads outputs from S3 state instead of CloudFormation DescribeStacks, so cross-account requires assuming the role and reading the producer account's state bucket \u2014 not yet implemented.`
+      );
+    }
+    if (!context.stateBackend) {
+      throw new Error("Fn::GetStackOutput: state backend is required for cross-stack references");
+    }
+    if (context.stackName && context.stackName === stackName && region === this.resolverRegion) {
+      throw new Error(
+        `Fn::GetStackOutput: cannot reference own stack '${stackName}' in the same region '${region}'`
+      );
+    }
+    this.logger.debug(
+      `Resolving Fn::GetStackOutput: StackName=${stackName}, Region=${region}, OutputName=${outputName}`
+    );
+    const stateData = await context.stateBackend.getState(stackName, region);
+    if (!stateData) {
+      throw new Error(
+        `Fn::GetStackOutput: stack '${stackName}' not found in region '${region}'. Make sure the producer stack has been deployed via cdkd.`
+      );
+    }
+    const outputs = stateData.state.outputs ?? {};
+    if (!(outputName in outputs)) {
+      const available = Object.keys(outputs).join(", ") || "(none)";
+      throw new Error(
+        `Fn::GetStackOutput: output '${outputName}' not found in stack '${stackName}' (${region}). Available outputs: ${available}`
+      );
+    }
+    const value = outputs[outputName];
+    this.logger.info(
+      `Resolved Fn::GetStackOutput: StackName=${stackName}, Region=${region}, OutputName=${outputName} -> ${JSON.stringify(
+        value
+      )}`
+    );
+    return value;
+  }
   /**
    * Resolve Fn::FindInMap intrinsic function
    *
@@ -35212,9 +35315,227 @@ function createStateCommand() {
 
 // src/cli/commands/import.ts
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "node:fs";
-import * as readline5 from "node:readline/promises";
+import * as readline6 from "node:readline/promises";
 import { Command as Command12 } from "commander";
 init_aws_clients();
+
+// src/cli/commands/retire-cfn-stack.ts
+import * as readline5 from "node:readline/promises";
+import {
+  DescribeStacksCommand,
+  DescribeStackResourcesCommand,
+  GetTemplateCommand,
+  UpdateStackCommand,
+  DeleteStackCommand,
+  waitUntilStackUpdateComplete,
+  waitUntilStackDeleteComplete
+} from "@aws-sdk/client-cloudformation";
+import { S3Client as S3Client11, PutObjectCommand as PutObjectCommand5, DeleteObjectCommand as DeleteObjectCommand4 } from "@aws-sdk/client-s3";
+var STABLE_TERMINAL_STATUSES = /* @__PURE__ */ new Set([
+  "CREATE_COMPLETE",
+  "UPDATE_COMPLETE",
+  "UPDATE_ROLLBACK_COMPLETE",
+  "IMPORT_COMPLETE",
+  "IMPORT_ROLLBACK_COMPLETE"
+]);
+var TEMPLATE_BODY_LIMIT = 51200;
+var TEMPLATE_URL_LIMIT = 1048576;
+var MIGRATE_TMP_PREFIX = "cdkd-migrate-tmp";
+async function retireCloudFormationStack(options) {
+  const logger = getLogger();
+  const { cfnStackName, cfnClient, yes, stateBucket, s3ClientOpts } = options;
+  logger.info(`[1/4] Inspecting CloudFormation stack '${cfnStackName}'...`);
+  const desc = await cfnClient.send(new DescribeStacksCommand({ StackName: cfnStackName }));
+  const stack = desc.Stacks?.[0];
+  if (!stack) {
+    throw new Error(`CloudFormation stack '${cfnStackName}' not found.`);
+  }
+  const status = stack.StackStatus ?? "";
+  if (!STABLE_TERMINAL_STATUSES.has(status)) {
+    throw new Error(
+      `CloudFormation stack '${cfnStackName}' is in status '${status}', which is not a stable terminal state. Wait for the stack to settle (or roll back) before retiring it.`
+    );
+  }
+  const capabilities = stack.Capabilities ?? [];
+  const tpl = await cfnClient.send(
+    new GetTemplateCommand({ StackName: cfnStackName, TemplateStage: "Original" })
+  );
+  if (!tpl.TemplateBody) {
+    throw new Error(`GetTemplate returned no body for '${cfnStackName}'.`);
+  }
+  const { body: newBody, modified } = injectRetainPolicies(tpl.TemplateBody, cfnStackName);
+  if (!yes) {
+    const ok = await confirmPrompt3(
+      `Set DeletionPolicy=Retain and UpdateReplacePolicy=Retain on every resource in CloudFormation stack '${cfnStackName}', then delete the stack? AWS resources will NOT be deleted (cdkd state has been written).`
+    );
+    if (!ok) {
+      logger.info("CloudFormation stack retirement cancelled. cdkd state is unaffected.");
+      return { outcome: "cancelled" };
+    }
+  }
+  if (!modified) {
+    logger.info(`[2/4] Template already has Retain on every resource \u2014 skipping UpdateStack.`);
+  } else {
+    logger.info(`[2/4] Injected DeletionPolicy=Retain and UpdateReplacePolicy=Retain.`);
+    if (newBody.length > TEMPLATE_URL_LIMIT) {
+      throw new Error(
+        `Modified template is ${newBody.length} bytes, exceeds the CloudFormation UpdateStack TemplateURL limit (${TEMPLATE_URL_LIMIT}). cdkd state has already been written; retire the stack manually with (1) shrink the template, then (2) UpdateStack with Retain policies, (3) DeleteStack \u2014 or split the stack and retry.`
+      );
+    }
+    let updateInput;
+    let s3Cleanup;
+    if (newBody.length <= TEMPLATE_BODY_LIMIT) {
+      updateInput = { TemplateBody: newBody };
+    } else {
+      logger.info(
+        `  Template is ${newBody.length} bytes (over ${TEMPLATE_BODY_LIMIT} inline limit) \u2014 uploading to state bucket '${stateBucket}'.`
+      );
+      const uploaded = await uploadTemplateForUpdateStack({
+        bucket: stateBucket,
+        body: newBody,
+        cfnStackName,
+        ...s3ClientOpts && { s3ClientOpts }
+      });
+      updateInput = { TemplateURL: uploaded.url };
+      s3Cleanup = uploaded.cleanup;
+    }
+    try {
+      logger.info(`[3/4] Updating CloudFormation stack with Retain policies...`);
+      let updateRan = false;
+      try {
+        await cfnClient.send(
+          new UpdateStackCommand({
+            StackName: cfnStackName,
+            ...updateInput,
+            Capabilities: capabilities
+          })
+        );
+        updateRan = true;
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (/No updates are to be performed/i.test(msg)) {
+          logger.info(`  CloudFormation reports no updates needed \u2014 proceeding to delete.`);
+        } else {
+          throw err;
+        }
+      }
+      if (updateRan) {
+        await waitUntilStackUpdateComplete(
+          { client: cfnClient, maxWaitTime: 1800 },
+          { StackName: cfnStackName }
+        );
+      }
+    } finally {
+      if (s3Cleanup) {
+        try {
+          await s3Cleanup();
+        } catch (cleanupErr) {
+          const msg = cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr);
+          logger.warn(
+            `Failed to delete temporary template upload from '${stateBucket}'. Clean up manually under prefix '${MIGRATE_TMP_PREFIX}/'. Cause: ${msg}`
+          );
+        }
+      }
+    }
+  }
+  logger.info(`[4/4] Deleting CloudFormation stack '${cfnStackName}' (resources retained)...`);
+  await cfnClient.send(new DeleteStackCommand({ StackName: cfnStackName }));
+  await waitUntilStackDeleteComplete(
+    { client: cfnClient, maxWaitTime: 1800 },
+    { StackName: cfnStackName }
+  );
+  logger.info(
+    `\u2713 CloudFormation stack '${cfnStackName}' retired. AWS resources are now solely managed by cdkd.`
+  );
+  return { outcome: modified ? "retired" : "no-template-change" };
+}
+async function uploadTemplateForUpdateStack(args) {
+  const { bucket, body, cfnStackName, s3ClientOpts } = args;
+  const region = await resolveBucketRegion(bucket, {
+    ...s3ClientOpts?.profile && { profile: s3ClientOpts.profile },
+    ...s3ClientOpts?.credentials && { credentials: s3ClientOpts.credentials }
+  });
+  const s3 = new S3Client11({
+    region,
+    ...s3ClientOpts?.profile && { profile: s3ClientOpts.profile },
+    ...s3ClientOpts?.credentials && { credentials: s3ClientOpts.credentials }
+  });
+  const key = `${MIGRATE_TMP_PREFIX}/${cfnStackName}/${Date.now()}.json`;
+  try {
+    await s3.send(
+      new PutObjectCommand5({
+        Bucket: bucket,
+        Key: key,
+        Body: body,
+        ContentType: "application/json"
+      })
+    );
+  } catch (err) {
+    s3.destroy();
+    throw err;
+  }
+  const url = `https://${bucket}.s3.${region}.amazonaws.com/${key}`;
+  const cleanup = async () => {
+    try {
+      await s3.send(new DeleteObjectCommand4({ Bucket: bucket, Key: key }));
+    } finally {
+      s3.destroy();
+    }
+  };
+  return { url, cleanup };
+}
+function injectRetainPolicies(templateBody, cfnStackName) {
+  let parsed;
+  try {
+    parsed = JSON.parse(templateBody);
+  } catch (err) {
+    throw new Error(
+      `Template for '${cfnStackName}' is not valid JSON. cdkd's --migrate-from-cloudformation flow only supports CDK-generated (JSON) templates. Cause: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed) || !("Resources" in parsed) || typeof parsed.Resources !== "object" || parsed.Resources === null) {
+    throw new Error(
+      `Template for '${cfnStackName}' has no Resources section \u2014 refusing to retire.`
+    );
+  }
+  let modified = false;
+  const resources = parsed.Resources;
+  for (const [, resource] of Object.entries(resources)) {
+    if (!resource || typeof resource !== "object" || Array.isArray(resource))
+      continue;
+    const r = resource;
+    if (r["DeletionPolicy"] !== "Retain") {
+      r["DeletionPolicy"] = "Retain";
+      modified = true;
+    }
+    if (r["UpdateReplacePolicy"] !== "Retain") {
+      r["UpdateReplacePolicy"] = "Retain";
+      modified = true;
+    }
+  }
+  return { body: JSON.stringify(parsed, null, 2), modified };
+}
+async function getCloudFormationResourceMapping(cfnStackName, cfnClient) {
+  const resp = await cfnClient.send(new DescribeStackResourcesCommand({ StackName: cfnStackName }));
+  const map = /* @__PURE__ */ new Map();
+  for (const r of resp.StackResources ?? []) {
+    if (!r.LogicalResourceId || !r.PhysicalResourceId)
+      continue;
+    map.set(r.LogicalResourceId, r.PhysicalResourceId);
+  }
+  return map;
+}
+async function confirmPrompt3(prompt) {
+  const rl = readline5.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
+
+// src/cli/commands/import.ts
 async function importCommand(stackArg, options) {
   const logger = getLogger();
   if (options.verbose) {
@@ -35281,7 +35602,46 @@ async function importCommand(stackArg, options) {
     if (overrides.size > 0) {
       logger.debug(`User-supplied physical IDs: ${[...overrides.keys()].join(", ")}`);
     }
-    const selectiveMode = overrides.size > 0 && !options.auto;
+    const migrationCfnStackName = options.migrateFromCloudformation ? typeof options.migrateFromCloudformation === "string" && options.migrateFromCloudformation.length > 0 ? options.migrateFromCloudformation : stackInfo.stackName : void 0;
+    if (options.migrateFromCloudformation && options.dryRun) {
+      throw new Error(
+        "--migrate-from-cloudformation is not compatible with --dry-run: the post-state-write retirement (UpdateStack + DeleteStack) issues real AWS calls. Use plain `cdkd import --dry-run` to preview the import in isolation."
+      );
+    }
+    const template = stackInfo.template;
+    const templateParser = new TemplateParser();
+    const resources = collectImportableResources(template);
+    const templateLogicalIds = new Set(resources.map((r) => r.logicalId));
+    logger.info(`Found ${resources.length} resource(s) in template`);
+    if (migrationCfnStackName) {
+      logger.info(`Resolving physical IDs from CloudFormation stack '${migrationCfnStackName}'...`);
+      const cfnMapping = await getCloudFormationResourceMapping(
+        migrationCfnStackName,
+        awsClients.cloudFormation
+      );
+      let derived = 0;
+      let skippedNonImportable = 0;
+      for (const [logicalId, physicalId] of cfnMapping) {
+        if (!templateLogicalIds.has(logicalId)) {
+          skippedNonImportable++;
+          continue;
+        }
+        if (!overrides.has(logicalId)) {
+          overrides.set(logicalId, physicalId);
+          derived++;
+        }
+      }
+      const overriddenByUser = cfnMapping.size - derived - skippedNonImportable;
+      const detail = [];
+      if (overriddenByUser > 0)
+        detail.push(`${overriddenByUser} already overridden by --resource`);
+      if (skippedNonImportable > 0)
+        detail.push(`${skippedNonImportable} non-importable (e.g. CDKMetadata)`);
+      logger.info(
+        `Resolved ${derived} physical ID(s) from CloudFormation` + (detail.length > 0 ? ` (${detail.join(", ")})` : "")
+      );
+    }
+    const selectiveMode = overrides.size > 0 && !options.auto && !options.migrateFromCloudformation;
     if (selectiveMode) {
       logger.info(
         `Selective mode: only importing the ${overrides.size} resource(s) you listed (${[...overrides.keys()].join(", ")}). Pass --auto to also tag-import the rest.`
@@ -35315,11 +35675,6 @@ async function importCommand(stackArg, options) {
         );
       }
     }
-    const template = stackInfo.template;
-    const templateParser = new TemplateParser();
-    const resources = collectImportableResources(template);
-    logger.info(`Found ${resources.length} resource(s) in template`);
-    const templateLogicalIds = new Set(resources.map((r) => r.logicalId));
     for (const overrideId of overrides.keys()) {
       if (!templateLogicalIds.has(overrideId)) {
         throw new Error(
@@ -35369,7 +35724,7 @@ async function importCommand(stackArg, options) {
         const preservedCount = selectiveMode && existingState ? Object.keys(existingState.resources).filter((id) => !overrides.has(id)).length : 0;
         const totalAfter = importedCount + preservedCount;
         const breakdown = preservedCount > 0 ? ` (${importedCount} new/overwritten + ${preservedCount} preserved)` : "";
-        const ok = await confirmPrompt3(
+        const ok = await confirmPrompt4(
           `Write state for ${stackInfo.stackName} (${targetRegion}) with ${totalAfter} resource(s)${breakdown}?`
         );
         if (!ok) {
@@ -35398,6 +35753,25 @@ async function importCommand(stackArg, options) {
       logger.info(
         `  ${importedRows.length} resource(s) imported. Run 'cdkd diff' to see how the imported state lines up with the template.`
       );
+      if (migrationCfnStackName) {
+        const orphaned = resources.length - importedRows.length;
+        if (orphaned > 0) {
+          logger.warn(
+            `--migrate-from-cloudformation: ${orphaned} of ${resources.length} template resource(s) were NOT imported into cdkd. After the CloudFormation stack is retired, those resources remain in AWS but are unmanaged by both CloudFormation and cdkd.`
+          );
+        }
+        await retireCloudFormationStack({
+          cfnStackName: migrationCfnStackName,
+          cfnClient: awsClients.cloudFormation,
+          yes: options.yes,
+          // Reuse cdkd's state bucket as transient storage for the
+          // Retain-injected template when it exceeds the 51,200-byte
+          // inline UpdateStack limit. Forward `--profile` so the
+          // upload identity matches the one that just wrote cdkd state.
+          stateBucket,
+          ...options.profile && { s3ClientOpts: { profile: options.profile } }
+        });
+      }
     } finally {
       await lockManager.releaseLock(stackInfo.stackName, targetRegion).catch((err) => {
         logger.warn(`Failed to release lock: ${err instanceof Error ? err.message : String(err)}`);
@@ -35611,8 +35985,8 @@ function formatOutcome(outcome) {
       return "\u2717";
   }
 }
-async function confirmPrompt3(prompt) {
-  const rl = readline5.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt4(prompt) {
+  const rl = readline6.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -35648,6 +36022,9 @@ function createImportCommand() {
     "--force",
     "Confirm a destructive write to existing state. Required for auto / whole-stack import when state already exists (rebuilds the entire resource map). Also required in selective mode if a listed override would overwrite a resource already in state. Not needed for a pure selective merge (adding new resources without touching unlisted entries).",
     false
+  ).option(
+    "--migrate-from-cloudformation [cfn-stack-name]",
+    "After cdkd state is written, retire the named CloudFormation stack (deletes the CFn stack record; AWS resources are NOT deleted): inject DeletionPolicy=Retain and UpdateReplacePolicy=Retain on every resource via UpdateStack, then DeleteStack. cdkd takes over management. Pass without a value to use the cdkd stack name as the CFn stack name (the typical case for a CDK app that was previously deployed via `cdk deploy`); pass an explicit value when the CFn stack name differs."
   ).action(withErrorHandling(importCommand));
   [...commonOptions, ...appOptions, ...stateOptions, ...contextOptions].forEach(
     (o) => cmd.addOption(o)
@@ -35685,7 +36062,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.28.2");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.30.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());