@go-to-k/cdkd 0.36.0 → 0.38.0

package/dist/cli.js

@@ -9028,6 +9028,85 @@ var IAMRoleProvider = class {
       throw err;
     }
   }
+  /**
+   * Read the AWS-current IAM role configuration in CFn-property shape.
+   *
+   * Issues `GetRole` for the top-level role configuration and
+   * `ListRolePolicies` + `ListAttachedRolePolicies` for inline / managed
+   * policy *names*. AWS URL-decodes `AssumeRolePolicyDocument` for us
+   * when it surfaces — we re-parse it as JSON so the comparator can match
+   * against state's already-parsed object.
+   *
+   * Coverage and shape decisions:
+   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path`,
+   *    `PermissionsBoundary` — straight from `Role.*`.
+   *  - `AssumeRolePolicyDocument` — `Role.AssumeRolePolicyDocument` is a
+   *    URL-encoded JSON string; we URL-decode + JSON-parse so cdkd state's
+   *    object form compares cleanly. (Both shapes — string and object — are
+   *    accepted by `create()`, but state typically stores the parsed object
+   *    after intrinsic resolution.)
+   *  - `ManagedPolicyArns` — array of ARN strings from
+   *    `ListAttachedRolePolicies`.
+   *  - `Policies` (inline policies with `PolicyDocument` bodies) is
+   *    intentionally omitted: surfacing names without bodies guarantees a
+   *    PolicyDocument-shaped drift on every role, and fetching every body
+   *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
+   *    v1 — drift detection on inline IAM policy bodies can ship in a
+   *    follow-up.
+   *  - `Tags` is omitted for the same reason as Lambda's tags handling
+   *    (CDK auto-injects `aws:cdk:path` and the shape decision belongs in a
+   *    dedicated tags PR).
+   *
+   * Returns `undefined` when the role is gone (`NoSuchEntityException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let role;
+    try {
+      const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
+      role = resp.Role;
+    } catch (err) {
+      if (err instanceof NoSuchEntityException)
+        return void 0;
+      throw err;
+    }
+    if (!role)
+      return void 0;
+    const result = {};
+    if (role.RoleName !== void 0)
+      result["RoleName"] = role.RoleName;
+    if (role.Description !== void 0 && role.Description !== "") {
+      result["Description"] = role.Description;
+    }
+    if (role.MaxSessionDuration !== void 0) {
+      result["MaxSessionDuration"] = role.MaxSessionDuration;
+    }
+    if (role.Path !== void 0)
+      result["Path"] = role.Path;
+    if (role.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
+      result["PermissionsBoundary"] = role.PermissionsBoundary.PermissionsBoundaryArn;
+    }
+    if (role.AssumeRolePolicyDocument) {
+      try {
+        result["AssumeRolePolicyDocument"] = JSON.parse(
+          decodeURIComponent(role.AssumeRolePolicyDocument)
+        );
+      } catch {
+        result["AssumeRolePolicyDocument"] = role.AssumeRolePolicyDocument;
+      }
+    }
+    try {
+      const attached = await this.iamClient.send(
+        new ListAttachedRolePoliciesCommand({ RoleName: physicalId })
+      );
+      const arns = (attached.AttachedPolicies ?? []).map((p) => p.PolicyArn).filter((arn) => !!arn);
+      if (arns.length > 0)
+        result["ManagedPolicyArns"] = arns;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
+    return result;
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -10831,7 +10910,10 @@ import {
   PutBucketInventoryConfigurationCommand,
   PutBucketReplicationCommand,
   PutObjectLockConfigurationCommand,
+  GetBucketEncryptionCommand,
   GetBucketTaggingCommand,
+  GetBucketVersioningCommand,
+  GetPublicAccessBlockCommand,
   NoSuchBucket,
   ListObjectVersionsCommand,
   DeleteObjectsCommand
@@ -11688,6 +11770,119 @@ var S3BucketProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current S3 bucket configuration in CFn-property shape.
+   *
+   * Issues a small handful of independent S3 GET calls and stitches them
+   * into a single CFn-shaped object. Each call can throw a "feature not
+   * configured" error (`NoSuchBucketConfiguration`,
+   * `ServerSideEncryptionConfigurationNotFoundError`, `NoSuchTagSet`,
+   * `NoSuchPublicAccessBlockConfiguration`) — those are caught individually
+   * and the corresponding key is omitted from the result, NOT treated as
+   * the bucket being absent.
+   *
+   * Only the bucket-gone case (`NoSuchBucket`, HTTP 404 from `HeadBucket`)
+   * returns `undefined`.
+   *
+   * Coverage: `BucketName`, `VersioningConfiguration`, `BucketEncryption`,
+   * `PublicAccessBlockConfiguration`, `Tags`. Other configuration
+   * properties (Lifecycle, CORS, Website, Logging, Notification,
+   * Replication, ObjectLock, Accelerate, Metrics/Analytics/IntelligentTier/
+   * Inventory) are out of scope for v1 — they each need their own GET +
+   * shape mapping; CC API drift detection picks them up via `GetResource`
+   * once a user works through the SDK provider boundary.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      await this.s3Client.send(new HeadBucketCommand3({ Bucket: physicalId }));
+    } catch (err) {
+      const e = err;
+      if (err instanceof NoSuchBucket || e.name === "NotFound" || e.name === "NoSuchBucket" || e.$metadata?.httpStatusCode === 404) {
+        return void 0;
+      }
+      throw err;
+    }
+    const result = {
+      BucketName: physicalId
+    };
+    {
+      const resp = await this.s3Client.send(new GetBucketVersioningCommand({ Bucket: physicalId }));
+      if (resp.Status) {
+        result["VersioningConfiguration"] = { Status: resp.Status };
+      }
+    }
+    try {
+      const resp = await this.s3Client.send(new GetBucketEncryptionCommand({ Bucket: physicalId }));
+      const rules = resp.ServerSideEncryptionConfiguration?.Rules;
+      if (rules && rules.length > 0) {
+        result["BucketEncryption"] = {
+          ServerSideEncryptionConfiguration: rules.map((rule) => {
+            const out = {};
+            const sse = rule.ApplyServerSideEncryptionByDefault;
+            if (sse) {
+              const sseOut = {};
+              if (sse.SSEAlgorithm !== void 0)
+                sseOut["SSEAlgorithm"] = sse.SSEAlgorithm;
+              if (sse.KMSMasterKeyID !== void 0)
+                sseOut["KMSMasterKeyID"] = sse.KMSMasterKeyID;
+              out["ServerSideEncryptionByDefault"] = sseOut;
+            }
+            if (rule.BucketKeyEnabled !== void 0)
+              out["BucketKeyEnabled"] = rule.BucketKeyEnabled;
+            return out;
+          })
+        };
+      }
+    } catch (err) {
+      const e = err;
+      if (e.name !== "ServerSideEncryptionConfigurationNotFoundError") {
+        throw err;
+      }
+    }
+    try {
+      const resp = await this.s3Client.send(
+        new GetPublicAccessBlockCommand({ Bucket: physicalId })
+      );
+      const cfg = resp.PublicAccessBlockConfiguration;
+      if (cfg) {
+        const out = {};
+        if (cfg.BlockPublicAcls !== void 0)
+          out["BlockPublicAcls"] = cfg.BlockPublicAcls;
+        if (cfg.BlockPublicPolicy !== void 0)
+          out["BlockPublicPolicy"] = cfg.BlockPublicPolicy;
+        if (cfg.IgnorePublicAcls !== void 0)
+          out["IgnorePublicAcls"] = cfg.IgnorePublicAcls;
+        if (cfg.RestrictPublicBuckets !== void 0) {
+          out["RestrictPublicBuckets"] = cfg.RestrictPublicBuckets;
+        }
+        if (Object.keys(out).length > 0) {
+          result["PublicAccessBlockConfiguration"] = out;
+        }
+      }
+    } catch (err) {
+      const e = err;
+      if (e.name !== "NoSuchPublicAccessBlockConfiguration") {
+        throw err;
+      }
+    }
+    try {
+      const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: physicalId }));
+      if (resp.TagSet && resp.TagSet.length > 0) {
+        const tags = resp.TagSet.filter((t) => t.Key && !t.Key.startsWith("aws:")).map((t) => ({
+          Key: t.Key,
+          Value: t.Value
+        }));
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      }
+    } catch (err) {
+      const e = err;
+      if (e.name !== "NoSuchTagSet") {
+        throw err;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing S3 bucket into cdkd state.
    *
@@ -12238,6 +12433,90 @@ var SQSQueueProvider = class {
         return void 0;
     }
   }
+  /**
+   * Read the AWS-current SQS queue configuration in CFn-property shape.
+   *
+   * Issues `GetQueueAttributes` for every attribute that maps back to a
+   * cdkd-managed CFn property. AWS returns ALL attribute values as strings;
+   * we type-coerce numeric attributes back to numbers and parse
+   * `RedrivePolicy` from JSON so the comparator matches cdkd state's
+   * already-typed values.
+   *
+   * `QueueName` is derived from the URL tail (the `physicalId` is the
+   * queue URL), not surfaced by `GetQueueAttributes`.
+   *
+   * `Tags` is omitted: `ListQueueTags` is a separate call and tag drift is
+   * generally less interesting than configuration drift; the `aws:cdk:path`
+   * shape question is also out of scope here.
+   *
+   * Returns `undefined` when the queue is gone (`QueueDoesNotExist`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let attributes;
+    try {
+      const resp = await this.sqsClient.send(
+        new GetQueueAttributesCommand({
+          QueueUrl: physicalId,
+          AttributeNames: ["All"]
+        })
+      );
+      attributes = resp.Attributes;
+    } catch (err) {
+      if (err instanceof QueueDoesNotExist)
+        return void 0;
+      throw err;
+    }
+    if (!attributes)
+      return void 0;
+    const result = {};
+    const tail = physicalId.substring(physicalId.lastIndexOf("/") + 1);
+    if (tail)
+      result["QueueName"] = tail;
+    const numeric = [
+      "VisibilityTimeout",
+      "MaximumMessageSize",
+      "MessageRetentionPeriod",
+      "DelaySeconds",
+      "ReceiveMessageWaitTimeSeconds",
+      "KmsDataKeyReusePeriodSeconds"
+    ];
+    for (const key of numeric) {
+      const v = attributes[key];
+      if (v !== void 0) {
+        const n = Number(v);
+        if (!Number.isNaN(n))
+          result[key] = n;
+      }
+    }
+    const bool = [
+      "FifoQueue",
+      "ContentBasedDeduplication",
+      "SqsManagedSseEnabled"
+    ];
+    for (const key of bool) {
+      const v = attributes[key];
+      if (v !== void 0)
+        result[key] = v === "true";
+    }
+    const str = [
+      "KmsMasterKeyId",
+      "DeduplicationScope",
+      "FifoThroughputLimit"
+    ];
+    for (const key of str) {
+      const v = attributes[key];
+      if (v !== void 0)
+        result[key] = v;
+    }
+    if (attributes["RedrivePolicy"]) {
+      try {
+        result["RedrivePolicy"] = JSON.parse(attributes["RedrivePolicy"]);
+      } catch {
+        result["RedrivePolicy"] = attributes["RedrivePolicy"];
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing SQS queue into cdkd state.
    *
@@ -12795,6 +13074,76 @@ var SNSTopicProvider = class {
         return void 0;
     }
   }
+  /**
+   * Read the AWS-current SNS topic configuration in CFn-property shape.
+   *
+   * Issues `GetTopicAttributes` for the topic-level configuration. AWS
+   * returns ALL attribute values as strings; we type-coerce booleans back
+   * to booleans and parse `ArchivePolicy` / `DataProtectionPolicy` from
+   * JSON strings so the comparator matches cdkd state's typed values.
+   *
+   * `TopicName` is derived from the ARN tail (the `physicalId` is the
+   * topic ARN).
+   *
+   * `Tags` and `DeliveryStatusLogging` are intentionally omitted:
+   * `ListTagsForResource` is a separate call, and `DeliveryStatusLogging`
+   * fans out into per-protocol attributes (`{Protocol}SuccessFeedbackRoleArn`,
+   * etc.) whose round-trip back to the CFn array shape needs more thought
+   * than fits in this PR.
+   *
+   * `Subscription` is omitted because CDK manages it via separate
+   * `AWS::SNS::Subscription` resources, not as a Topic property.
+   *
+   * Returns `undefined` when the topic is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let attrs;
+    try {
+      const resp = await this.snsClient.send(
+        new GetTopicAttributesCommand({ TopicArn: physicalId })
+      );
+      attrs = resp.Attributes;
+    } catch (err) {
+      if (err instanceof NotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!attrs)
+      return void 0;
+    const result = {};
+    const tail = physicalId.substring(physicalId.lastIndexOf(":") + 1);
+    if (tail)
+      result["TopicName"] = tail;
+    const bool = ["FifoTopic", "ContentBasedDeduplication"];
+    for (const key of bool) {
+      const v = attrs[key];
+      if (v !== void 0)
+        result[key] = v === "true";
+    }
+    const str = [
+      "DisplayName",
+      "KmsMasterKeyId",
+      "TracingConfig",
+      "SignatureVersion",
+      "FifoThroughputScope"
+    ];
+    for (const key of str) {
+      const v = attrs[key];
+      if (v !== void 0 && v !== "")
+        result[key] = v;
+    }
+    for (const key of ["ArchivePolicy", "DataProtectionPolicy"]) {
+      const v = attrs[key];
+      if (v) {
+        try {
+          result[key] = JSON.parse(v);
+        } catch {
+          result[key] = v;
+        }
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing SNS topic into cdkd state.
    *
@@ -13880,6 +14229,93 @@ var LambdaFunctionProvider = class {
       throw err;
     }
   }
+  /**
+   * Read the AWS-current Lambda function configuration in CFn-property shape.
+   *
+   * Issues a single `GetFunction` and surfaces the same property keys
+   * `create()` accepts (`Runtime`, `Handler`, `Role`, `Timeout`, `MemorySize`,
+   * `Description`, `Environment`, `Layers`, `Architectures`, `PackageType`,
+   * `TracingConfig`, `EphemeralStorage`, `VpcConfig`, plus the physical
+   * `FunctionName`). The drift comparator only descends into keys present in
+   * cdkd state, so AWS-managed fields (timestamps, FunctionArn, RevisionId,
+   * etc.) are filtered at compare time — we still avoid serializing them on
+   * the wire.
+   *
+   * `Code` is intentionally omitted: `GetFunction` returns a pre-signed S3
+   * URL for the deployed code, not the asset hash cdkd state holds, so they
+   * could never match. Lambda code drift is best detected separately (the
+   * function's `CodeSha256` does live in `GetFunction` but is not what
+   * cdkd's `Code: { S3Bucket, S3Key }` state property carries).
+   *
+   * `Tags` is omitted as well: `GetFunction` returns Tags as an object map,
+   * while CFn / cdkd state holds them as `[{Key, Value}]`. Re-shaping
+   * accurately requires deciding how to handle the auto-injected
+   * `aws:cdk:path` tag, which is out of scope for this PR. Tag drift is
+   * typically less interesting than configuration drift.
+   *
+   * Returns `undefined` when the function is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.lambdaClient.send(
+        new GetFunctionCommand({ FunctionName: physicalId })
+      );
+      const cfg = resp.Configuration;
+      if (!cfg)
+        return void 0;
+      const result = {};
+      if (cfg.FunctionName !== void 0)
+        result["FunctionName"] = cfg.FunctionName;
+      if (cfg.Runtime !== void 0)
+        result["Runtime"] = cfg.Runtime;
+      if (cfg.Handler !== void 0)
+        result["Handler"] = cfg.Handler;
+      if (cfg.Role !== void 0)
+        result["Role"] = cfg.Role;
+      if (cfg.Timeout !== void 0)
+        result["Timeout"] = cfg.Timeout;
+      if (cfg.MemorySize !== void 0)
+        result["MemorySize"] = cfg.MemorySize;
+      if (cfg.Description !== void 0 && cfg.Description !== "") {
+        result["Description"] = cfg.Description;
+      }
+      if (cfg.Environment?.Variables) {
+        result["Environment"] = { Variables: cfg.Environment.Variables };
+      }
+      if (cfg.Layers && cfg.Layers.length > 0) {
+        result["Layers"] = cfg.Layers.map((l) => l.Arn).filter((arn) => !!arn);
+      }
+      if (cfg.Architectures && cfg.Architectures.length > 0) {
+        result["Architectures"] = [...cfg.Architectures];
+      }
+      if (cfg.PackageType !== void 0)
+        result["PackageType"] = cfg.PackageType;
+      if (cfg.TracingConfig?.Mode !== void 0) {
+        result["TracingConfig"] = { Mode: cfg.TracingConfig.Mode };
+      }
+      if (cfg.EphemeralStorage?.Size !== void 0) {
+        result["EphemeralStorage"] = { Size: cfg.EphemeralStorage.Size };
+      }
+      if (cfg.VpcConfig) {
+        const vpc = {};
+        if (cfg.VpcConfig.SubnetIds)
+          vpc["SubnetIds"] = [...cfg.VpcConfig.SubnetIds];
+        if (cfg.VpcConfig.SecurityGroupIds) {
+          vpc["SecurityGroupIds"] = [...cfg.VpcConfig.SecurityGroupIds];
+        }
+        if (cfg.VpcConfig.Ipv6AllowedForDualStack !== void 0) {
+          vpc["Ipv6AllowedForDualStack"] = cfg.VpcConfig.Ipv6AllowedForDualStack;
+        }
+        if (Object.keys(vpc).length > 0)
+          result["VpcConfig"] = vpc;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing Lambda function into cdkd state.
    *
@@ -15055,6 +15491,90 @@ var DynamoDBTableProvider = class {
       throw err;
     }
   }
+  /**
+   * Read the AWS-current DynamoDB table configuration in CFn-property shape.
+   *
+   * `DescribeTable` returns every field cdkd manages in one call. AWS uses
+   * the same property names CFn does (KeySchema, AttributeDefinitions,
+   * BillingModeSummary.BillingMode, ProvisionedThroughput, etc.) — the only
+   * shape differences are wrapping:
+   *  - BillingMode lives under `BillingModeSummary.BillingMode` in the API
+   *    response, but the CFn property is a flat `BillingMode` string.
+   *  - StreamSpecification's CFn shape includes only `StreamViewType`; the
+   *    API response carries `StreamEnabled` too. We surface both since the
+   *    drift comparator only descends into keys present in state.
+   *  - GSI / LSI in the API response include `IndexStatus`, `ItemCount` and
+   *    sizing fields that cdkd never sets; the comparator filters them.
+   *
+   * Returns `undefined` when the table is gone (`ResourceNotFoundException`).
+   *
+   * Tags are intentionally omitted: `ListTagsOfResource` is a separate call
+   * and tag drift is generally less interesting than table-config drift;
+   * including it would also force a tag-shape decision on the
+   * `aws:cdk:path` auto-tag, which is out of scope here.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.dynamoDBClient.send(
+        new DescribeTableCommand2({ TableName: physicalId })
+      );
+      const table = resp.Table;
+      if (!table)
+        return void 0;
+      const result = {};
+      if (table.TableName !== void 0)
+        result["TableName"] = table.TableName;
+      if (table.KeySchema)
+        result["KeySchema"] = table.KeySchema;
+      if (table.AttributeDefinitions) {
+        result["AttributeDefinitions"] = table.AttributeDefinitions;
+      }
+      if (table.BillingModeSummary?.BillingMode) {
+        result["BillingMode"] = table.BillingModeSummary.BillingMode;
+      }
+      if (table.ProvisionedThroughput) {
+        result["ProvisionedThroughput"] = {
+          ReadCapacityUnits: table.ProvisionedThroughput.ReadCapacityUnits,
+          WriteCapacityUnits: table.ProvisionedThroughput.WriteCapacityUnits
+        };
+      }
+      if (table.StreamSpecification) {
+        result["StreamSpecification"] = {
+          StreamEnabled: table.StreamSpecification.StreamEnabled,
+          StreamViewType: table.StreamSpecification.StreamViewType
+        };
+      }
+      if (table.GlobalSecondaryIndexes && table.GlobalSecondaryIndexes.length > 0) {
+        result["GlobalSecondaryIndexes"] = table.GlobalSecondaryIndexes;
+      }
+      if (table.LocalSecondaryIndexes && table.LocalSecondaryIndexes.length > 0) {
+        result["LocalSecondaryIndexes"] = table.LocalSecondaryIndexes;
+      }
+      if (table.SSEDescription) {
+        const sse = {};
+        if (table.SSEDescription.Status === "ENABLED")
+          sse["SSEEnabled"] = true;
+        if (table.SSEDescription.KMSMasterKeyArn !== void 0) {
+          sse["KMSMasterKeyId"] = table.SSEDescription.KMSMasterKeyArn;
+        }
+        if (table.SSEDescription.SSEType !== void 0)
+          sse["SSEType"] = table.SSEDescription.SSEType;
+        if (Object.keys(sse).length > 0)
+          result["SSESpecification"] = sse;
+      }
+      if (table.DeletionProtectionEnabled !== void 0) {
+        result["DeletionProtectionEnabled"] = table.DeletionProtectionEnabled;
+      }
+      if (table.TableClassSummary?.TableClass) {
+        result["TableClass"] = table.TableClassSummary.TableClass;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException6)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing DynamoDB table into cdkd state.
    *
@@ -15359,6 +15879,48 @@ var LogsLogGroupProvider = class {
     }
     return this.buildArn(physicalId);
   }
+  /**
+   * Read the AWS-current log group configuration in CFn-property shape.
+   *
+   * Issues `DescribeLogGroups` filtered by exact name and picks the first
+   * (and only) match. AWS uses camelCase field names in the API response
+   * (`logGroupName`, `kmsKeyId`, `retentionInDays`); we map them back to
+   * the CFn-cased keys cdkd state holds (`LogGroupName`, `KmsKeyId`,
+   * `RetentionInDays`).
+   *
+   * Coverage: `LogGroupName`, `KmsKeyId`, `RetentionInDays`,
+   * `LogGroupClass`. Other handledProperties (`DataProtectionPolicy`,
+   * `Tags`, `FieldIndexPolicies`, `ResourcePolicyDocument`,
+   * `DeletionProtectionEnabled`, `BearerTokenAuthenticationEnabled`) need
+   * their own per-property API call and are out of scope for v1.
+   *
+   * Returns `undefined` when the log group is gone.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.logsClient.send(
+        new DescribeLogGroupsCommand({ logGroupNamePrefix: physicalId })
+      );
+      const found = resp.logGroups?.find((g) => g.logGroupName === physicalId);
+      if (!found)
+        return void 0;
+      const result = {};
+      if (found.logGroupName !== void 0)
+        result["LogGroupName"] = found.logGroupName;
+      if (found.kmsKeyId !== void 0)
+        result["KmsKeyId"] = found.kmsKeyId;
+      if (found.retentionInDays !== void 0) {
+        result["RetentionInDays"] = found.retentionInDays;
+      }
+      if (found.logGroupClass !== void 0)
+        result["LogGroupClass"] = found.logGroupClass;
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException7)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing CloudWatch Logs log group into cdkd state.
    *
@@ -33504,6 +34066,7 @@ function createDiffCommand() {
 }
 
 // src/cli/commands/drift.ts
+import * as readline from "node:readline/promises";
 import { Command as Command6, Option as Option3 } from "commander";
 init_aws_clients();
 
@@ -33579,6 +34142,11 @@ async function driftCommand(stacks, options) {
   if (!options.all && stacks.length === 0) {
     throw new Error("Stack name is required. Usage: cdkd drift <stack> [<stack>...] | --all");
   }
+  if (options.accept && options.revert) {
+    throw new Error(
+      "--accept and --revert are mutually exclusive. Use --accept to update cdkd state from AWS, or --revert to push cdkd state values back into AWS."
+    );
+  }
   await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const awsClients = new AwsClients({
     ...options.region && { region: options.region },
@@ -33589,14 +34157,11 @@ async function driftCommand(stacks, options) {
     const region = options.region || process.env["AWS_REGION"] || "us-east-1";
     const bucket = await resolveStateBucketWithDefault(options.stateBucket, region);
     const prefix = options.statePrefix;
-    const stateBackend = new S3StateBackend(
-      awsClients.s3,
-      { bucket, prefix },
-      {
-        region,
-        ...options.profile && { profile: options.profile }
-      }
-    );
+    const stateConfig = { bucket, prefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      region,
+      ...options.profile && { profile: options.profile }
+    });
     await stateBackend.verifyBucketExists();
     const providerRegistry = new ProviderRegistry();
     registerAllProviders(providerRegistry);
@@ -33624,8 +34189,22 @@ async function driftCommand(stacks, options) {
       writeHumanReport(reports);
     }
     const drifted = reports.some((r) => r.outcomes.some((o) => o.kind === "drifted"));
-    if (drifted) {
-      throw new DriftDetectedError();
+    if (!options.accept && !options.revert) {
+      if (drifted) {
+        throw new DriftDetectedError();
+      }
+      return;
+    }
+    if (!drifted) {
+      logger.info(
+        options.accept ? "No drift detected \u2014 nothing to accept." : "No drift detected \u2014 nothing to revert."
+      );
+      return;
+    }
+    if (options.accept) {
+      await runAccept(reports, stateBackend, stateConfig, awsClients, options);
+    } else {
+      await runRevert(reports, providerRegistry, stateConfig, awsClients, options);
     }
   } finally {
     awsClients.destroy();
@@ -33726,13 +34305,261 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
           kind: "drifted",
           logicalId,
           resourceType: resource.resourceType,
-          changes
+          changes,
+          awsProperties: aws
         });
       }
     }
-    return { stackName, region, outcomes };
+    return {
+      stackName,
+      region,
+      outcomes,
+      state,
+      etag: result.etag,
+      migrationPending: result.migrationPending ?? false
+    };
   });
 }
+function setAtPath(target, path, value) {
+  if (path.length === 0) {
+    return;
+  }
+  const segments = path.split(".");
+  let cursor = target;
+  for (let i = 0; i < segments.length - 1; i++) {
+    const key = segments[i];
+    const next = cursor[key];
+    if (next === void 0 || next === null || typeof next !== "object" || Array.isArray(next)) {
+      const fresh = {};
+      cursor[key] = fresh;
+      cursor = fresh;
+    } else {
+      cursor = next;
+    }
+  }
+  cursor[segments[segments.length - 1]] = value;
+}
+async function runAccept(reports, stateBackend, stateConfig, awsClients, options) {
+  const logger = getLogger();
+  printAcceptPlan(reports);
+  if (options.dryRun) {
+    logger.info("--dry-run: state will NOT be written. Re-run without --dry-run to apply.");
+    return;
+  }
+  if (!options.yes) {
+    const ok = await confirmPrompt(`Update cdkd state with the AWS-current values shown above?`);
+    if (!ok) {
+      logger.info("Aborted.");
+      return;
+    }
+  }
+  const lockManager = new LockManager(awsClients.s3, stateConfig);
+  const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+  for (const report of reports) {
+    const driftedOutcomes = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    if (driftedOutcomes.length === 0) {
+      continue;
+    }
+    await lockManager.acquireLock(report.stackName, report.region, owner, "drift-accept");
+    try {
+      const resources = { ...report.state.resources };
+      for (const outcome of driftedOutcomes) {
+        const existing = resources[outcome.logicalId];
+        if (!existing)
+          continue;
+        const newProperties = JSON.parse(JSON.stringify(existing.properties ?? {}));
+        for (const change of outcome.changes) {
+          setAtPath(newProperties, change.path, change.awsValue);
+        }
+        resources[outcome.logicalId] = {
+          ...existing,
+          properties: newProperties
+        };
+      }
+      const newState = {
+        ...report.state,
+        resources,
+        lastModified: Date.now()
+      };
+      const saveOptions = {
+        expectedEtag: report.etag
+      };
+      if (report.migrationPending) {
+        saveOptions.migrateLegacy = true;
+      }
+      await stateBackend.saveState(report.stackName, report.region, newState, saveOptions);
+      logger.info(
+        `\u2713 State updated for ${report.stackName} (${report.region}): accepted drift on ${driftedOutcomes.length} resource(s).`
+      );
+    } finally {
+      await lockManager.releaseLock(report.stackName, report.region).catch((err) => {
+        logger.warn(
+          `Failed to release lock for ${report.stackName} (${report.region}): ` + (err instanceof Error ? err.message : String(err))
+        );
+      });
+    }
+  }
+}
+async function runRevert(reports, providerRegistry, stateConfig, awsClients, options) {
+  const logger = getLogger();
+  printRevertPlan(reports);
+  if (options.dryRun) {
+    logger.info("--dry-run: AWS will NOT be modified. Re-run without --dry-run to apply.");
+    return;
+  }
+  if (!options.yes) {
+    const ok = await confirmPrompt(
+      `Push cdkd state values back into AWS for the resources shown above?`
+    );
+    if (!ok) {
+      logger.info("Aborted.");
+      return;
+    }
+  }
+  const lockManager = new LockManager(awsClients.s3, stateConfig);
+  const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+  const concurrency = Math.max(1, options.concurrency ?? 4);
+  let totalFailed = 0;
+  let totalSucceeded = 0;
+  for (const report of reports) {
+    const driftedOutcomes = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    if (driftedOutcomes.length === 0) {
+      continue;
+    }
+    await lockManager.acquireLock(report.stackName, report.region, owner, "drift-revert");
+    try {
+      const tasks = driftedOutcomes.map((outcome) => async () => {
+        const stateResource = report.state.resources[outcome.logicalId];
+        if (!stateResource) {
+          totalFailed++;
+          logger.error(
+            `  \u2717 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): resource missing from state; skipped.`
+          );
+          return;
+        }
+        const provider = providerRegistry.getProvider(outcome.resourceType);
+        try {
+          await withRetry(
+            () => provider.update(
+              outcome.logicalId,
+              stateResource.physicalId,
+              outcome.resourceType,
+              stateResource.properties ?? {},
+              outcome.awsProperties
+            ),
+            outcome.logicalId,
+            { logger: { debug: (msg) => logger.debug(msg) } }
+          );
+          totalSucceeded++;
+          logger.info(
+            `  \u2713 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): reverted.`
+          );
+        } catch (err) {
+          totalFailed++;
+          const msg = err instanceof Error ? err.message : String(err);
+          logger.error(
+            `  \u2717 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): ${msg}`
+          );
+        }
+      });
+      await runWithConcurrency(tasks, concurrency);
+    } finally {
+      await lockManager.releaseLock(report.stackName, report.region).catch((err) => {
+        logger.warn(
+          `Failed to release lock for ${report.stackName} (${report.region}): ` + (err instanceof Error ? err.message : String(err))
+        );
+      });
+    }
+  }
+  logger.info(`
+Revert summary: ${totalSucceeded} reverted, ${totalFailed} failed.`);
+  if (totalFailed > 0) {
+    throw new PartialFailureError(
+      `Revert completed with ${totalFailed} resource error(s). Re-run 'cdkd drift <stack>' to see the remaining drift, then 'cdkd drift <stack> --revert' to retry.`
+    );
+  }
+}
+function printAcceptPlan(reports) {
+  for (const report of reports) {
+    const drifted = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    if (drifted.length === 0)
+      continue;
+    process.stdout.write(
+      `
+Plan (--accept): update cdkd state for ${report.stackName} (${report.region}):
+`
+    );
+    for (const o of drifted) {
+      process.stdout.write(`  ~ ${o.logicalId} (${o.resourceType})
+`);
+      for (const change of o.changes) {
+        process.stdout.write(
+          `    ${change.path}: ${formatScalar(change.stateValue)} -> ${formatScalar(change.awsValue)}
+`
+        );
+      }
+    }
+  }
+}
+function printRevertPlan(reports) {
+  for (const report of reports) {
+    const drifted = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    if (drifted.length === 0)
+      continue;
+    process.stdout.write(
+      `
+Plan (--revert): push cdkd state values back into AWS for ${report.stackName} (${report.region}):
+`
+    );
+    for (const o of drifted) {
+      const word = o.changes.length === 1 ? "property path" : "property paths";
+      process.stdout.write(
+        `  \u2192 provider.update on ${o.logicalId} (${o.resourceType}): revert ${o.changes.length} ${word}
+`
+      );
+      for (const change of o.changes) {
+        process.stdout.write(
+          `    ${change.path}: ${formatScalar(change.awsValue)} -> ${formatScalar(change.stateValue)}
+`
+        );
+      }
+    }
+  }
+}
+async function runWithConcurrency(tasks, concurrency) {
+  const queue = [...tasks];
+  const workers = [];
+  for (let i = 0; i < Math.min(concurrency, queue.length); i++) {
+    workers.push(
+      (async () => {
+        while (queue.length > 0) {
+          const task = queue.shift();
+          if (!task)
+            break;
+          await task();
+        }
+      })()
+    );
+  }
+  await Promise.all(workers);
+}
+async function confirmPrompt(prompt) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
 function writeJsonReport(reports) {
   const payload = reports.map((r) => {
     const drifted = r.outcomes.filter((o) => o.kind === "drifted").map((o) => ({ logicalId: o.logicalId, type: o.resourceType, changes: o.changes }));
@@ -33809,8 +34636,25 @@ function stackRegionOption() {
 }
 function createDriftCommand() {
   const cmd = new Command6("drift").description(
-    "Detect drift between cdkd state and AWS reality. Exits 0 when no drift, 1 when drift is detected."
-  ).argument("[stacks...]", "Stack name(s) to check (physical CloudFormation names)").option("--all", "Check every stack in the state bucket", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(driftCommand));
+    "Detect drift between cdkd state and AWS reality. Exits 0 when no drift, 1 when drift is detected. Pass --accept to update cdkd state from AWS, or --revert to push cdkd state values back into AWS."
+  ).argument("[stacks...]", "Stack name(s) to check (physical CloudFormation names)").option("--all", "Check every stack in the state bucket", false).option("--json", "Output as JSON", false).option(
+    "--accept",
+    "Update cdkd state with the AWS-current values for every drifted property (state \u2190 AWS). Mutually exclusive with --revert.",
+    false
+  ).option(
+    "--revert",
+    "Push cdkd state values back into AWS via provider.update for every drifted resource (AWS \u2190 state). Mutually exclusive with --accept.",
+    false
+  ).option(
+    "--dry-run",
+    "Print the planned mutations without acquiring a lock or hitting AWS / S3. Honored by --accept and --revert.",
+    false
+  ).option(
+    "--concurrency <number>",
+    "Maximum concurrent provider.update calls during --revert",
+    (value) => parseInt(value, 10),
+    4
+  ).addOption(stackRegionOption()).action(withErrorHandling(driftCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -33821,7 +34665,7 @@ import { Command as Command7 } from "commander";
 init_aws_clients();
 
 // src/cli/commands/destroy-runner.ts
-import * as readline from "node:readline/promises";
+import * as readline2 from "node:readline/promises";
 init_aws_clients();
 async function runDestroyForStack(stackName, state, ctx) {
   const logger = getLogger();
@@ -33847,7 +34691,7 @@ Resources to be deleted (${resourceCount}):`);
     logger.info(`  - ${logicalId} (${resource.resourceType})`);
   }
   if (!ctx.skipConfirmation) {
-    const rl = readline.createInterface({
+    const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout
     });
@@ -34258,7 +35102,7 @@ function createDestroyCommand() {
 }
 
 // src/cli/commands/orphan.ts
-import * as readline2 from "node:readline/promises";
+import * as readline3 from "node:readline/promises";
 import { Command as Command8 } from "commander";
 init_aws_clients();
 
@@ -34791,7 +35635,7 @@ Re-run with --force to fall back to cached attribute values from state, or fix t
         return;
       }
       if (!options.yes && !options.force) {
-        const ok = await confirmPrompt(
+        const ok = await confirmPrompt2(
           `Orphan ${orphanLogicalIds.length} resource(s) from cdkd state for ${stackInfo.stackName} (${targetRegion})? AWS resources will NOT be deleted.`
         );
         if (!ok) {
@@ -34930,8 +35774,8 @@ function stringifyForAudit(value) {
     return JSON.stringify(value);
   return JSON.stringify(value);
 }
-async function confirmPrompt(prompt) {
-  const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt2(prompt) {
+  const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -35206,7 +36050,7 @@ function createForceUnlockCommand() {
 }
 
 // src/cli/commands/state.ts
-import * as readline4 from "node:readline/promises";
+import * as readline5 from "node:readline/promises";
 import { Command as Command12, Option as Option6 } from "commander";
 import {
   GetBucketLocationCommand as GetBucketLocationCommand2,
@@ -35216,7 +36060,7 @@ import {
 init_aws_clients();
 
 // src/cli/commands/state-migrate.ts
-import * as readline3 from "node:readline/promises";
+import * as readline4 from "node:readline/promises";
 import { Command as Command11 } from "commander";
 import {
   CopyObjectCommand,
@@ -35286,7 +36130,7 @@ async function stateMigrateCommand(options) {
       }
       if (!options.yes) {
         const action = options.removeLegacy ? "and DELETE the source bucket" : "(source bucket will be kept)";
-        const ok = await confirmPrompt2(
+        const ok = await confirmPrompt3(
           `Copy ${sourceObjects.length} object(s) from ${legacyBucket} -> ${newBucket} ${action}?`
         );
         if (!ok) {
@@ -35491,8 +36335,8 @@ async function emptyBucketAllVersions(s3, bucket) {
     versionIdMarker = resp.NextVersionIdMarker;
   } while (keyMarker || versionIdMarker);
 }
-async function confirmPrompt2(prompt) {
-  const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt3(prompt) {
+  const rl = readline4.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -35900,7 +36744,7 @@ Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
 
 `
         );
-        const rl = readline4.createInterface({
+        const rl = readline5.createInterface({
           input: process.stdin,
           output: process.stdout
         });
@@ -35991,7 +36835,7 @@ WARNING: This destroys ${stackNames.length} stack(s) and removes their state rec
 `);
       }
       process.stdout.write("\n");
-      const rl = readline4.createInterface({
+      const rl = readline5.createInterface({
         input: process.stdin,
         output: process.stdout
       });
@@ -36233,12 +37077,12 @@ function createStateCommand() {
 
 // src/cli/commands/import.ts
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "node:fs";
-import * as readline6 from "node:readline/promises";
+import * as readline7 from "node:readline/promises";
 import { Command as Command13 } from "commander";
 init_aws_clients();
 
 // src/cli/commands/retire-cfn-stack.ts
-import * as readline5 from "node:readline/promises";
+import * as readline6 from "node:readline/promises";
 import {
   DescribeStacksCommand,
   DescribeStackResourcesCommand,
@@ -36283,7 +37127,7 @@ async function retireCloudFormationStack(options) {
   }
   const { body: newBody, modified } = injectRetainPolicies(tpl.TemplateBody, cfnStackName);
   if (!yes) {
-    const ok = await confirmPrompt3(
+    const ok = await confirmPrompt4(
       `Set DeletionPolicy=Retain and UpdateReplacePolicy=Retain on every resource in CloudFormation stack '${cfnStackName}', then delete the stack? AWS resources will NOT be deleted (cdkd state has been written).`
     );
     if (!ok) {
@@ -36443,8 +37287,8 @@ async function getCloudFormationResourceMapping(cfnStackName, cfnClient) {
   }
   return map;
 }
-async function confirmPrompt3(prompt) {
-  const rl = readline5.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt4(prompt) {
+  const rl = readline6.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -36643,7 +37487,7 @@ async function importCommand(stackArg, options) {
         const preservedCount = selectiveMode && existingState ? Object.keys(existingState.resources).filter((id) => !overrides.has(id)).length : 0;
         const totalAfter = importedCount + preservedCount;
         const breakdown = preservedCount > 0 ? ` (${importedCount} new/overwritten + ${preservedCount} preserved)` : "";
-        const ok = await confirmPrompt4(
+        const ok = await confirmPrompt5(
           `Write state for ${stackInfo.stackName} (${targetRegion}) with ${totalAfter} resource(s)${breakdown}?`
         );
         if (!ok) {
@@ -36904,8 +37748,8 @@ function formatOutcome(outcome) {
       return "\u2717";
   }
 }
-async function confirmPrompt4(prompt) {
-  const rl = readline6.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt5(prompt) {
+  const rl = readline7.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -36982,7 +37826,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.36.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.38.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());