@go-to-k/cdkd 0.36.0 → 0.38.0

package/dist/index.js

@@ -8213,6 +8213,85 @@ var IAMRoleProvider = class {
       throw err;
     }
   }
+  /**
+   * Read the AWS-current IAM role configuration in CFn-property shape.
+   *
+   * Issues `GetRole` for the top-level role configuration and
+   * `ListRolePolicies` + `ListAttachedRolePolicies` for inline / managed
+   * policy *names*. AWS URL-decodes `AssumeRolePolicyDocument` for us
+   * when it surfaces — we re-parse it as JSON so the comparator can match
+   * against state's already-parsed object.
+   *
+   * Coverage and shape decisions:
+   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path`,
+   *    `PermissionsBoundary` — straight from `Role.*`.
+   *  - `AssumeRolePolicyDocument` — `Role.AssumeRolePolicyDocument` is a
+   *    URL-encoded JSON string; we URL-decode + JSON-parse so cdkd state's
+   *    object form compares cleanly. (Both shapes — string and object — are
+   *    accepted by `create()`, but state typically stores the parsed object
+   *    after intrinsic resolution.)
+   *  - `ManagedPolicyArns` — array of ARN strings from
+   *    `ListAttachedRolePolicies`.
+   *  - `Policies` (inline policies with `PolicyDocument` bodies) is
+   *    intentionally omitted: surfacing names without bodies guarantees a
+   *    PolicyDocument-shaped drift on every role, and fetching every body
+   *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
+   *    v1 — drift detection on inline IAM policy bodies can ship in a
+   *    follow-up.
+   *  - `Tags` is omitted for the same reason as Lambda's tags handling
+   *    (CDK auto-injects `aws:cdk:path` and the shape decision belongs in a
+   *    dedicated tags PR).
+   *
+   * Returns `undefined` when the role is gone (`NoSuchEntityException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let role;
+    try {
+      const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
+      role = resp.Role;
+    } catch (err) {
+      if (err instanceof NoSuchEntityException)
+        return void 0;
+      throw err;
+    }
+    if (!role)
+      return void 0;
+    const result = {};
+    if (role.RoleName !== void 0)
+      result["RoleName"] = role.RoleName;
+    if (role.Description !== void 0 && role.Description !== "") {
+      result["Description"] = role.Description;
+    }
+    if (role.MaxSessionDuration !== void 0) {
+      result["MaxSessionDuration"] = role.MaxSessionDuration;
+    }
+    if (role.Path !== void 0)
+      result["Path"] = role.Path;
+    if (role.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
+      result["PermissionsBoundary"] = role.PermissionsBoundary.PermissionsBoundaryArn;
+    }
+    if (role.AssumeRolePolicyDocument) {
+      try {
+        result["AssumeRolePolicyDocument"] = JSON.parse(
+          decodeURIComponent(role.AssumeRolePolicyDocument)
+        );
+      } catch {
+        result["AssumeRolePolicyDocument"] = role.AssumeRolePolicyDocument;
+      }
+    }
+    try {
+      const attached = await this.iamClient.send(
+        new ListAttachedRolePoliciesCommand({ RoleName: physicalId })
+      );
+      const arns = (attached.AttachedPolicies ?? []).map((p) => p.PolicyArn).filter((arn) => !!arn);
+      if (arns.length > 0)
+        result["ManagedPolicyArns"] = arns;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
+    return result;
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *