@go-to-k/cdkd 0.36.0 → 0.37.0

package/README.md

@@ -208,8 +208,15 @@ alias cdkd="node $(pwd)/dist/cli.js"
 
 ## Quick Start
 
+> **First-time setup**: cdkd requires a one-time `cdkd bootstrap` per AWS
+> account before any other command will work — it creates the S3 state
+> bucket (`cdkd-state-{accountId}`) that cdkd uses to track deployed
+> resources. This is separate from `cdk bootstrap` (which sets up the
+> CDK asset bucket / ECR repo and is also required — see
+> [Prerequisites](#prerequisites)).
+
 ```bash
-# Bootstrap (creates S3 state bucket - only needed once per account/region)
+# Bootstrap (creates S3 state bucket — one-time setup, once per AWS account)
 cdkd bootstrap
 
 # List stacks in the CDK app

package/dist/cli.js

@@ -9028,6 +9028,85 @@ var IAMRoleProvider = class {
       throw err;
     }
   }
+  /**
+   * Read the AWS-current IAM role configuration in CFn-property shape.
+   *
+   * Issues `GetRole` for the top-level role configuration and
+   * `ListRolePolicies` + `ListAttachedRolePolicies` for inline / managed
+   * policy *names*. AWS URL-decodes `AssumeRolePolicyDocument` for us
+   * when it surfaces — we re-parse it as JSON so the comparator can match
+   * against state's already-parsed object.
+   *
+   * Coverage and shape decisions:
+   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path`,
+   *    `PermissionsBoundary` — straight from `Role.*`.
+   *  - `AssumeRolePolicyDocument` — `Role.AssumeRolePolicyDocument` is a
+   *    URL-encoded JSON string; we URL-decode + JSON-parse so cdkd state's
+   *    object form compares cleanly. (Both shapes — string and object — are
+   *    accepted by `create()`, but state typically stores the parsed object
+   *    after intrinsic resolution.)
+   *  - `ManagedPolicyArns` — array of ARN strings from
+   *    `ListAttachedRolePolicies`.
+   *  - `Policies` (inline policies with `PolicyDocument` bodies) is
+   *    intentionally omitted: surfacing names without bodies guarantees a
+   *    PolicyDocument-shaped drift on every role, and fetching every body
+   *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
+   *    v1 — drift detection on inline IAM policy bodies can ship in a
+   *    follow-up.
+   *  - `Tags` is omitted for the same reason as Lambda's tags handling
+   *    (CDK auto-injects `aws:cdk:path` and the shape decision belongs in a
+   *    dedicated tags PR).
+   *
+   * Returns `undefined` when the role is gone (`NoSuchEntityException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let role;
+    try {
+      const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
+      role = resp.Role;
+    } catch (err) {
+      if (err instanceof NoSuchEntityException)
+        return void 0;
+      throw err;
+    }
+    if (!role)
+      return void 0;
+    const result = {};
+    if (role.RoleName !== void 0)
+      result["RoleName"] = role.RoleName;
+    if (role.Description !== void 0 && role.Description !== "") {
+      result["Description"] = role.Description;
+    }
+    if (role.MaxSessionDuration !== void 0) {
+      result["MaxSessionDuration"] = role.MaxSessionDuration;
+    }
+    if (role.Path !== void 0)
+      result["Path"] = role.Path;
+    if (role.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
+      result["PermissionsBoundary"] = role.PermissionsBoundary.PermissionsBoundaryArn;
+    }
+    if (role.AssumeRolePolicyDocument) {
+      try {
+        result["AssumeRolePolicyDocument"] = JSON.parse(
+          decodeURIComponent(role.AssumeRolePolicyDocument)
+        );
+      } catch {
+        result["AssumeRolePolicyDocument"] = role.AssumeRolePolicyDocument;
+      }
+    }
+    try {
+      const attached = await this.iamClient.send(
+        new ListAttachedRolePoliciesCommand({ RoleName: physicalId })
+      );
+      const arns = (attached.AttachedPolicies ?? []).map((p) => p.PolicyArn).filter((arn) => !!arn);
+      if (arns.length > 0)
+        result["ManagedPolicyArns"] = arns;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
+    return result;
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -10831,7 +10910,10 @@ import {
   PutBucketInventoryConfigurationCommand,
   PutBucketReplicationCommand,
   PutObjectLockConfigurationCommand,
+  GetBucketEncryptionCommand,
   GetBucketTaggingCommand,
+  GetBucketVersioningCommand,
+  GetPublicAccessBlockCommand,
   NoSuchBucket,
   ListObjectVersionsCommand,
   DeleteObjectsCommand
@@ -11688,6 +11770,119 @@ var S3BucketProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current S3 bucket configuration in CFn-property shape.
+   *
+   * Issues a small handful of independent S3 GET calls and stitches them
+   * into a single CFn-shaped object. Each call can throw a "feature not
+   * configured" error (`NoSuchBucketConfiguration`,
+   * `ServerSideEncryptionConfigurationNotFoundError`, `NoSuchTagSet`,
+   * `NoSuchPublicAccessBlockConfiguration`) — those are caught individually
+   * and the corresponding key is omitted from the result, NOT treated as
+   * the bucket being absent.
+   *
+   * Only the bucket-gone case (`NoSuchBucket`, HTTP 404 from `HeadBucket`)
+   * returns `undefined`.
+   *
+   * Coverage: `BucketName`, `VersioningConfiguration`, `BucketEncryption`,
+   * `PublicAccessBlockConfiguration`, `Tags`. Other configuration
+   * properties (Lifecycle, CORS, Website, Logging, Notification,
+   * Replication, ObjectLock, Accelerate, Metrics/Analytics/IntelligentTier/
+   * Inventory) are out of scope for v1 — they each need their own GET +
+   * shape mapping; CC API drift detection picks them up via `GetResource`
+   * once a user works through the SDK provider boundary.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      await this.s3Client.send(new HeadBucketCommand3({ Bucket: physicalId }));
+    } catch (err) {
+      const e = err;
+      if (err instanceof NoSuchBucket || e.name === "NotFound" || e.name === "NoSuchBucket" || e.$metadata?.httpStatusCode === 404) {
+        return void 0;
+      }
+      throw err;
+    }
+    const result = {
+      BucketName: physicalId
+    };
+    {
+      const resp = await this.s3Client.send(new GetBucketVersioningCommand({ Bucket: physicalId }));
+      if (resp.Status) {
+        result["VersioningConfiguration"] = { Status: resp.Status };
+      }
+    }
+    try {
+      const resp = await this.s3Client.send(new GetBucketEncryptionCommand({ Bucket: physicalId }));
+      const rules = resp.ServerSideEncryptionConfiguration?.Rules;
+      if (rules && rules.length > 0) {
+        result["BucketEncryption"] = {
+          ServerSideEncryptionConfiguration: rules.map((rule) => {
+            const out = {};
+            const sse = rule.ApplyServerSideEncryptionByDefault;
+            if (sse) {
+              const sseOut = {};
+              if (sse.SSEAlgorithm !== void 0)
+                sseOut["SSEAlgorithm"] = sse.SSEAlgorithm;
+              if (sse.KMSMasterKeyID !== void 0)
+                sseOut["KMSMasterKeyID"] = sse.KMSMasterKeyID;
+              out["ServerSideEncryptionByDefault"] = sseOut;
+            }
+            if (rule.BucketKeyEnabled !== void 0)
+              out["BucketKeyEnabled"] = rule.BucketKeyEnabled;
+            return out;
+          })
+        };
+      }
+    } catch (err) {
+      const e = err;
+      if (e.name !== "ServerSideEncryptionConfigurationNotFoundError") {
+        throw err;
+      }
+    }
+    try {
+      const resp = await this.s3Client.send(
+        new GetPublicAccessBlockCommand({ Bucket: physicalId })
+      );
+      const cfg = resp.PublicAccessBlockConfiguration;
+      if (cfg) {
+        const out = {};
+        if (cfg.BlockPublicAcls !== void 0)
+          out["BlockPublicAcls"] = cfg.BlockPublicAcls;
+        if (cfg.BlockPublicPolicy !== void 0)
+          out["BlockPublicPolicy"] = cfg.BlockPublicPolicy;
+        if (cfg.IgnorePublicAcls !== void 0)
+          out["IgnorePublicAcls"] = cfg.IgnorePublicAcls;
+        if (cfg.RestrictPublicBuckets !== void 0) {
+          out["RestrictPublicBuckets"] = cfg.RestrictPublicBuckets;
+        }
+        if (Object.keys(out).length > 0) {
+          result["PublicAccessBlockConfiguration"] = out;
+        }
+      }
+    } catch (err) {
+      const e = err;
+      if (e.name !== "NoSuchPublicAccessBlockConfiguration") {
+        throw err;
+      }
+    }
+    try {
+      const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: physicalId }));
+      if (resp.TagSet && resp.TagSet.length > 0) {
+        const tags = resp.TagSet.filter((t) => t.Key && !t.Key.startsWith("aws:")).map((t) => ({
+          Key: t.Key,
+          Value: t.Value
+        }));
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      }
+    } catch (err) {
+      const e = err;
+      if (e.name !== "NoSuchTagSet") {
+        throw err;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing S3 bucket into cdkd state.
    *
@@ -12238,6 +12433,90 @@ var SQSQueueProvider = class {
         return void 0;
     }
   }
+  /**
+   * Read the AWS-current SQS queue configuration in CFn-property shape.
+   *
+   * Issues `GetQueueAttributes` for every attribute that maps back to a
+   * cdkd-managed CFn property. AWS returns ALL attribute values as strings;
+   * we type-coerce numeric attributes back to numbers and parse
+   * `RedrivePolicy` from JSON so the comparator matches cdkd state's
+   * already-typed values.
+   *
+   * `QueueName` is derived from the URL tail (the `physicalId` is the
+   * queue URL), not surfaced by `GetQueueAttributes`.
+   *
+   * `Tags` is omitted: `ListQueueTags` is a separate call and tag drift is
+   * generally less interesting than configuration drift; the `aws:cdk:path`
+   * shape question is also out of scope here.
+   *
+   * Returns `undefined` when the queue is gone (`QueueDoesNotExist`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let attributes;
+    try {
+      const resp = await this.sqsClient.send(
+        new GetQueueAttributesCommand({
+          QueueUrl: physicalId,
+          AttributeNames: ["All"]
+        })
+      );
+      attributes = resp.Attributes;
+    } catch (err) {
+      if (err instanceof QueueDoesNotExist)
+        return void 0;
+      throw err;
+    }
+    if (!attributes)
+      return void 0;
+    const result = {};
+    const tail = physicalId.substring(physicalId.lastIndexOf("/") + 1);
+    if (tail)
+      result["QueueName"] = tail;
+    const numeric = [
+      "VisibilityTimeout",
+      "MaximumMessageSize",
+      "MessageRetentionPeriod",
+      "DelaySeconds",
+      "ReceiveMessageWaitTimeSeconds",
+      "KmsDataKeyReusePeriodSeconds"
+    ];
+    for (const key of numeric) {
+      const v = attributes[key];
+      if (v !== void 0) {
+        const n = Number(v);
+        if (!Number.isNaN(n))
+          result[key] = n;
+      }
+    }
+    const bool = [
+      "FifoQueue",
+      "ContentBasedDeduplication",
+      "SqsManagedSseEnabled"
+    ];
+    for (const key of bool) {
+      const v = attributes[key];
+      if (v !== void 0)
+        result[key] = v === "true";
+    }
+    const str = [
+      "KmsMasterKeyId",
+      "DeduplicationScope",
+      "FifoThroughputLimit"
+    ];
+    for (const key of str) {
+      const v = attributes[key];
+      if (v !== void 0)
+        result[key] = v;
+    }
+    if (attributes["RedrivePolicy"]) {
+      try {
+        result["RedrivePolicy"] = JSON.parse(attributes["RedrivePolicy"]);
+      } catch {
+        result["RedrivePolicy"] = attributes["RedrivePolicy"];
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing SQS queue into cdkd state.
    *
@@ -12795,6 +13074,76 @@ var SNSTopicProvider = class {
         return void 0;
     }
   }
+  /**
+   * Read the AWS-current SNS topic configuration in CFn-property shape.
+   *
+   * Issues `GetTopicAttributes` for the topic-level configuration. AWS
+   * returns ALL attribute values as strings; we type-coerce booleans back
+   * to booleans and parse `ArchivePolicy` / `DataProtectionPolicy` from
+   * JSON strings so the comparator matches cdkd state's typed values.
+   *
+   * `TopicName` is derived from the ARN tail (the `physicalId` is the
+   * topic ARN).
+   *
+   * `Tags` and `DeliveryStatusLogging` are intentionally omitted:
+   * `ListTagsForResource` is a separate call, and `DeliveryStatusLogging`
+   * fans out into per-protocol attributes (`{Protocol}SuccessFeedbackRoleArn`,
+   * etc.) whose round-trip back to the CFn array shape needs more thought
+   * than fits in this PR.
+   *
+   * `Subscription` is omitted because CDK manages it via separate
+   * `AWS::SNS::Subscription` resources, not as a Topic property.
+   *
+   * Returns `undefined` when the topic is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let attrs;
+    try {
+      const resp = await this.snsClient.send(
+        new GetTopicAttributesCommand({ TopicArn: physicalId })
+      );
+      attrs = resp.Attributes;
+    } catch (err) {
+      if (err instanceof NotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!attrs)
+      return void 0;
+    const result = {};
+    const tail = physicalId.substring(physicalId.lastIndexOf(":") + 1);
+    if (tail)
+      result["TopicName"] = tail;
+    const bool = ["FifoTopic", "ContentBasedDeduplication"];
+    for (const key of bool) {
+      const v = attrs[key];
+      if (v !== void 0)
+        result[key] = v === "true";
+    }
+    const str = [
+      "DisplayName",
+      "KmsMasterKeyId",
+      "TracingConfig",
+      "SignatureVersion",
+      "FifoThroughputScope"
+    ];
+    for (const key of str) {
+      const v = attrs[key];
+      if (v !== void 0 && v !== "")
+        result[key] = v;
+    }
+    for (const key of ["ArchivePolicy", "DataProtectionPolicy"]) {
+      const v = attrs[key];
+      if (v) {
+        try {
+          result[key] = JSON.parse(v);
+        } catch {
+          result[key] = v;
+        }
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing SNS topic into cdkd state.
    *
@@ -13880,6 +14229,93 @@ var LambdaFunctionProvider = class {
       throw err;
     }
   }
+  /**
+   * Read the AWS-current Lambda function configuration in CFn-property shape.
+   *
+   * Issues a single `GetFunction` and surfaces the same property keys
+   * `create()` accepts (`Runtime`, `Handler`, `Role`, `Timeout`, `MemorySize`,
+   * `Description`, `Environment`, `Layers`, `Architectures`, `PackageType`,
+   * `TracingConfig`, `EphemeralStorage`, `VpcConfig`, plus the physical
+   * `FunctionName`). The drift comparator only descends into keys present in
+   * cdkd state, so AWS-managed fields (timestamps, FunctionArn, RevisionId,
+   * etc.) are filtered at compare time — we still avoid serializing them on
+   * the wire.
+   *
+   * `Code` is intentionally omitted: `GetFunction` returns a pre-signed S3
+   * URL for the deployed code, not the asset hash cdkd state holds, so they
+   * could never match. Lambda code drift is best detected separately (the
+   * function's `CodeSha256` does live in `GetFunction` but is not what
+   * cdkd's `Code: { S3Bucket, S3Key }` state property carries).
+   *
+   * `Tags` is omitted as well: `GetFunction` returns Tags as an object map,
+   * while CFn / cdkd state holds them as `[{Key, Value}]`. Re-shaping
+   * accurately requires deciding how to handle the auto-injected
+   * `aws:cdk:path` tag, which is out of scope for this PR. Tag drift is
+   * typically less interesting than configuration drift.
+   *
+   * Returns `undefined` when the function is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.lambdaClient.send(
+        new GetFunctionCommand({ FunctionName: physicalId })
+      );
+      const cfg = resp.Configuration;
+      if (!cfg)
+        return void 0;
+      const result = {};
+      if (cfg.FunctionName !== void 0)
+        result["FunctionName"] = cfg.FunctionName;
+      if (cfg.Runtime !== void 0)
+        result["Runtime"] = cfg.Runtime;
+      if (cfg.Handler !== void 0)
+        result["Handler"] = cfg.Handler;
+      if (cfg.Role !== void 0)
+        result["Role"] = cfg.Role;
+      if (cfg.Timeout !== void 0)
+        result["Timeout"] = cfg.Timeout;
+      if (cfg.MemorySize !== void 0)
+        result["MemorySize"] = cfg.MemorySize;
+      if (cfg.Description !== void 0 && cfg.Description !== "") {
+        result["Description"] = cfg.Description;
+      }
+      if (cfg.Environment?.Variables) {
+        result["Environment"] = { Variables: cfg.Environment.Variables };
+      }
+      if (cfg.Layers && cfg.Layers.length > 0) {
+        result["Layers"] = cfg.Layers.map((l) => l.Arn).filter((arn) => !!arn);
+      }
+      if (cfg.Architectures && cfg.Architectures.length > 0) {
+        result["Architectures"] = [...cfg.Architectures];
+      }
+      if (cfg.PackageType !== void 0)
+        result["PackageType"] = cfg.PackageType;
+      if (cfg.TracingConfig?.Mode !== void 0) {
+        result["TracingConfig"] = { Mode: cfg.TracingConfig.Mode };
+      }
+      if (cfg.EphemeralStorage?.Size !== void 0) {
+        result["EphemeralStorage"] = { Size: cfg.EphemeralStorage.Size };
+      }
+      if (cfg.VpcConfig) {
+        const vpc = {};
+        if (cfg.VpcConfig.SubnetIds)
+          vpc["SubnetIds"] = [...cfg.VpcConfig.SubnetIds];
+        if (cfg.VpcConfig.SecurityGroupIds) {
+          vpc["SecurityGroupIds"] = [...cfg.VpcConfig.SecurityGroupIds];
+        }
+        if (cfg.VpcConfig.Ipv6AllowedForDualStack !== void 0) {
+          vpc["Ipv6AllowedForDualStack"] = cfg.VpcConfig.Ipv6AllowedForDualStack;
+        }
+        if (Object.keys(vpc).length > 0)
+          result["VpcConfig"] = vpc;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing Lambda function into cdkd state.
    *
@@ -15055,6 +15491,90 @@ var DynamoDBTableProvider = class {
       throw err;
     }
   }
+  /**
+   * Read the AWS-current DynamoDB table configuration in CFn-property shape.
+   *
+   * `DescribeTable` returns every field cdkd manages in one call. AWS uses
+   * the same property names CFn does (KeySchema, AttributeDefinitions,
+   * BillingModeSummary.BillingMode, ProvisionedThroughput, etc.) — the only
+   * shape differences are wrapping:
+   *  - BillingMode lives under `BillingModeSummary.BillingMode` in the API
+   *    response, but the CFn property is a flat `BillingMode` string.
+   *  - StreamSpecification's CFn shape includes only `StreamViewType`; the
+   *    API response carries `StreamEnabled` too. We surface both since the
+   *    drift comparator only descends into keys present in state.
+   *  - GSI / LSI in the API response include `IndexStatus`, `ItemCount` and
+   *    sizing fields that cdkd never sets; the comparator filters them.
+   *
+   * Returns `undefined` when the table is gone (`ResourceNotFoundException`).
+   *
+   * Tags are intentionally omitted: `ListTagsOfResource` is a separate call
+   * and tag drift is generally less interesting than table-config drift;
+   * including it would also force a tag-shape decision on the
+   * `aws:cdk:path` auto-tag, which is out of scope here.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.dynamoDBClient.send(
+        new DescribeTableCommand2({ TableName: physicalId })
+      );
+      const table = resp.Table;
+      if (!table)
+        return void 0;
+      const result = {};
+      if (table.TableName !== void 0)
+        result["TableName"] = table.TableName;
+      if (table.KeySchema)
+        result["KeySchema"] = table.KeySchema;
+      if (table.AttributeDefinitions) {
+        result["AttributeDefinitions"] = table.AttributeDefinitions;
+      }
+      if (table.BillingModeSummary?.BillingMode) {
+        result["BillingMode"] = table.BillingModeSummary.BillingMode;
+      }
+      if (table.ProvisionedThroughput) {
+        result["ProvisionedThroughput"] = {
+          ReadCapacityUnits: table.ProvisionedThroughput.ReadCapacityUnits,
+          WriteCapacityUnits: table.ProvisionedThroughput.WriteCapacityUnits
+        };
+      }
+      if (table.StreamSpecification) {
+        result["StreamSpecification"] = {
+          StreamEnabled: table.StreamSpecification.StreamEnabled,
+          StreamViewType: table.StreamSpecification.StreamViewType
+        };
+      }
+      if (table.GlobalSecondaryIndexes && table.GlobalSecondaryIndexes.length > 0) {
+        result["GlobalSecondaryIndexes"] = table.GlobalSecondaryIndexes;
+      }
+      if (table.LocalSecondaryIndexes && table.LocalSecondaryIndexes.length > 0) {
+        result["LocalSecondaryIndexes"] = table.LocalSecondaryIndexes;
+      }
+      if (table.SSEDescription) {
+        const sse = {};
+        if (table.SSEDescription.Status === "ENABLED")
+          sse["SSEEnabled"] = true;
+        if (table.SSEDescription.KMSMasterKeyArn !== void 0) {
+          sse["KMSMasterKeyId"] = table.SSEDescription.KMSMasterKeyArn;
+        }
+        if (table.SSEDescription.SSEType !== void 0)
+          sse["SSEType"] = table.SSEDescription.SSEType;
+        if (Object.keys(sse).length > 0)
+          result["SSESpecification"] = sse;
+      }
+      if (table.DeletionProtectionEnabled !== void 0) {
+        result["DeletionProtectionEnabled"] = table.DeletionProtectionEnabled;
+      }
+      if (table.TableClassSummary?.TableClass) {
+        result["TableClass"] = table.TableClassSummary.TableClass;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException6)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing DynamoDB table into cdkd state.
    *
@@ -15359,6 +15879,48 @@ var LogsLogGroupProvider = class {
     }
     return this.buildArn(physicalId);
   }
+  /**
+   * Read the AWS-current log group configuration in CFn-property shape.
+   *
+   * Issues `DescribeLogGroups` filtered by exact name and picks the first
+   * (and only) match. AWS uses camelCase field names in the API response
+   * (`logGroupName`, `kmsKeyId`, `retentionInDays`); we map them back to
+   * the CFn-cased keys cdkd state holds (`LogGroupName`, `KmsKeyId`,
+   * `RetentionInDays`).
+   *
+   * Coverage: `LogGroupName`, `KmsKeyId`, `RetentionInDays`,
+   * `LogGroupClass`. Other handledProperties (`DataProtectionPolicy`,
+   * `Tags`, `FieldIndexPolicies`, `ResourcePolicyDocument`,
+   * `DeletionProtectionEnabled`, `BearerTokenAuthenticationEnabled`) need
+   * their own per-property API call and are out of scope for v1.
+   *
+   * Returns `undefined` when the log group is gone.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.logsClient.send(
+        new DescribeLogGroupsCommand({ logGroupNamePrefix: physicalId })
+      );
+      const found = resp.logGroups?.find((g) => g.logGroupName === physicalId);
+      if (!found)
+        return void 0;
+      const result = {};
+      if (found.logGroupName !== void 0)
+        result["LogGroupName"] = found.logGroupName;
+      if (found.kmsKeyId !== void 0)
+        result["KmsKeyId"] = found.kmsKeyId;
+      if (found.retentionInDays !== void 0) {
+        result["RetentionInDays"] = found.retentionInDays;
+      }
+      if (found.logGroupClass !== void 0)
+        result["LogGroupClass"] = found.logGroupClass;
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException7)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing CloudWatch Logs log group into cdkd state.
    *
@@ -36982,7 +37544,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.36.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.37.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());