@go-to-k/cdkd 0.37.0 → 0.39.0

package/dist/cli.js

@@ -16532,6 +16532,52 @@ var SecretsManagerSecretProvider = class {
     }
     return password;
   }
+  /**
+   * Read the AWS-current secret configuration in CFn-property shape.
+   *
+   * Issues `DescribeSecret` and surfaces `Name`, `Description`, `KmsKeyId`,
+   * and `ReplicaRegions` (re-shaping `ReplicationStatus[]` to CFn's
+   * `[{Region, KmsKeyId}]`).
+   *
+   * Intentionally omitted:
+   *   - `SecretString` / `GenerateSecretString`: `DescribeSecret` does not
+   *     return the secret value (that's `GetSecretValue`, which we never
+   *     call to avoid surfacing plaintext through drift). Cdkd state holds
+   *     the user-supplied string verbatim; comparing against AWS would
+   *     require pulling the value, so this is deliberately deferred.
+   *   - `Tags`: `DescribeSecret` returns Tags, but the auto-injected
+   *     `aws:cdk:path` tag-shape question is out of scope here.
+   *
+   * Returns `undefined` when the secret is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.smClient.send(new DescribeSecretCommand({ SecretId: physicalId }));
+      const result = {};
+      if (resp.Name !== void 0)
+        result["Name"] = resp.Name;
+      if (resp.Description !== void 0 && resp.Description !== "") {
+        result["Description"] = resp.Description;
+      }
+      if (resp.KmsKeyId !== void 0)
+        result["KmsKeyId"] = resp.KmsKeyId;
+      if (resp.ReplicationStatus && resp.ReplicationStatus.length > 0) {
+        result["ReplicaRegions"] = resp.ReplicationStatus.map((r) => {
+          const out = {};
+          if (r.Region)
+            out["Region"] = r.Region;
+          if (r.KmsKeyId)
+            out["KmsKeyId"] = r.KmsKeyId;
+          return out;
+        });
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException8)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing Secrets Manager secret into cdkd state.
    *
@@ -16802,6 +16848,74 @@ var SSMParameterProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current SSM parameter configuration in CFn-property shape.
+   *
+   * Issues `GetParameter` (with `WithDecryption: false` so SecureString
+   * values stay encrypted on the wire) for `Type` / `Value` / `DataType`,
+   * then `DescribeParameters` filtered on the parameter name to fetch
+   * metadata (`Description`, `AllowedPattern`, `Tier`) that `GetParameter`
+   * does not return.
+   *
+   * `Name` is set to the physical id. `Tags` and `Policies` are intentionally
+   * out of scope (`Tags` requires a separate `ListTagsForResource` round-trip
+   * and the auto-injected `aws:cdk:path` tag-shape question is unresolved;
+   * `Policies` is returned by `DescribeParameters.Policies` as a structured
+   * array but cdkd state holds the raw JSON string the user typed — comparing
+   * the two accurately needs more work).
+   *
+   * **Note**: For `SecureString` parameters, AWS returns the encrypted
+   * blob in `Value` (we pass `WithDecryption: false`). cdkd state usually
+   * holds the plaintext value the user typed in their CDK app, so a
+   * SecureString parameter will surface as `Value` drift on every run.
+   * That's the correct conservative behavior — surfacing the discrepancy
+   * is more useful than silently masking it.
+   *
+   * Returns `undefined` when the parameter is gone (`ParameterNotFound`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let getResp;
+    try {
+      getResp = await this.ssmClient.send(
+        new GetParameterCommand3({ Name: physicalId, WithDecryption: false })
+      );
+    } catch (err) {
+      if (err instanceof ParameterNotFound)
+        return void 0;
+      throw err;
+    }
+    const param = getResp.Parameter;
+    if (!param)
+      return void 0;
+    const result = { Name: physicalId };
+    if (param.Type !== void 0)
+      result["Type"] = param.Type;
+    if (param.Value !== void 0)
+      result["Value"] = param.Value;
+    if (param.DataType !== void 0)
+      result["DataType"] = param.DataType;
+    try {
+      const desc = await this.ssmClient.send(
+        new DescribeParametersCommand({
+          ParameterFilters: [{ Key: "Name", Values: [physicalId] }]
+        })
+      );
+      const meta = desc.Parameters?.[0];
+      if (meta) {
+        if (meta.Description !== void 0 && meta.Description !== "") {
+          result["Description"] = meta.Description;
+        }
+        if (meta.AllowedPattern !== void 0 && meta.AllowedPattern !== "") {
+          result["AllowedPattern"] = meta.AllowedPattern;
+        }
+        if (meta.Tier !== void 0) {
+          result["Tier"] = meta.Tier;
+        }
+      }
+    } catch {
+    }
+    return result;
+  }
   /**
    * Adopt an existing SSM parameter into cdkd state.
    *
@@ -17132,6 +17246,78 @@ var EventBridgeRuleProvider = class {
     }
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::Events::Rule`);
   }
+  /**
+   * Read the AWS-current EventBridge rule configuration in CFn-property shape.
+   *
+   * Issues `DescribeRule` for the rule's main config, then a separate
+   * `ListTargetsByRule` for `Targets`.
+   *
+   * Surfaced keys (when present): `Name`, `Description`, `EventBusName`,
+   * `EventPattern` (parsed from JSON string back to object — cdkd state holds
+   * it as the user typed it, typically an object), `ScheduleExpression`,
+   * `State`, `RoleArn`, `Targets` (CFn shape `[{Id, Arn, ...}]`).
+   *
+   * `Tags` is omitted (separate `ListTagsForResource` round-trip; auto-injected
+   * `aws:cdk:path` tag-shape question is out of scope here).
+   *
+   * Returns `undefined` when the rule is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    const ruleName = this.extractRuleNameFromArn(physicalId);
+    const eventBusName = this.extractBusNameFromArn(physicalId);
+    let resp;
+    try {
+      resp = await this.eventBridgeClient.send(
+        new DescribeRuleCommand({
+          Name: ruleName,
+          ...eventBusName && eventBusName !== "default" ? { EventBusName: eventBusName } : {}
+        })
+      );
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException9)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (resp.Name !== void 0)
+      result["Name"] = resp.Name;
+    if (resp.Description !== void 0 && resp.Description !== "") {
+      result["Description"] = resp.Description;
+    }
+    if (resp.EventBusName !== void 0 && resp.EventBusName !== "default") {
+      result["EventBusName"] = resp.EventBusName;
+    }
+    if (resp.EventPattern !== void 0) {
+      try {
+        result["EventPattern"] = JSON.parse(resp.EventPattern);
+      } catch {
+        result["EventPattern"] = resp.EventPattern;
+      }
+    }
+    if (resp.ScheduleExpression !== void 0) {
+      result["ScheduleExpression"] = resp.ScheduleExpression;
+    }
+    if (resp.State !== void 0)
+      result["State"] = resp.State;
+    if (resp.RoleArn !== void 0)
+      result["RoleArn"] = resp.RoleArn;
+    try {
+      const targetsResp = await this.eventBridgeClient.send(
+        new ListTargetsByRuleCommand({
+          Rule: ruleName,
+          ...eventBusName && eventBusName !== "default" ? { EventBusName: eventBusName } : {}
+        })
+      );
+      if (targetsResp.Targets && targetsResp.Targets.length > 0) {
+        result["Targets"] = targetsResp.Targets;
+      }
+    } catch (err) {
+      if (!(err instanceof ResourceNotFoundException9)) {
+        throw err;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing EventBridge rule into cdkd state.
    *
@@ -17224,6 +17410,22 @@ var EventBridgeRuleProvider = class {
     const parts = arn.split("/");
     return parts[parts.length - 1] ?? arn;
   }
+  /**
+   * Extract the event bus name from a rule ARN.
+   *
+   * ARN format: `arn:aws:events:region:account:rule/rule-name` (default bus, returns 'default')
+   *          or `arn:aws:events:region:account:rule/bus-name/rule-name` (custom bus).
+   *
+   * Returns `undefined` when the input is not an ARN (we can't tell which bus).
+   */
+  extractBusNameFromArn(arn) {
+    if (!arn.startsWith("arn:"))
+      return void 0;
+    const parts = arn.split("/");
+    if (parts.length === 3)
+      return parts[1];
+    return "default";
+  }
 };
 
 // src/provisioning/providers/eventbridge-bus-provider.ts
@@ -17475,6 +17677,53 @@ var EventBridgeBusProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current EventBus configuration in CFn-property shape.
+   *
+   * Issues `DescribeEventBus` and surfaces `Name`, `Description`,
+   * `KmsKeyIdentifier`, `DeadLetterConfig`, and `Policy` (the latter is a
+   * JSON string in `DescribeEventBus.Policy`; cdkd state holds it the way
+   * the user typed it, which may be either an object or a string — the
+   * comparator handles either side).
+   *
+   * `Tags` and `EventSourceName` are intentionally omitted: tags require a
+   * separate `ListTagsForResource` round-trip and the auto-injected
+   * `aws:cdk:path` tag-shape question is out of scope; `EventSourceName`
+   * is set at create time only and not surfaced by `DescribeEventBus`.
+   *
+   * Returns `undefined` when the bus is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.eventBridgeClient.send(
+        new DescribeEventBusCommand({ Name: physicalId })
+      );
+      const result = {};
+      if (resp.Name !== void 0)
+        result["Name"] = resp.Name;
+      if (resp.Description !== void 0 && resp.Description !== "") {
+        result["Description"] = resp.Description;
+      }
+      if (resp.KmsKeyIdentifier !== void 0) {
+        result["KmsKeyIdentifier"] = resp.KmsKeyIdentifier;
+      }
+      if (resp.DeadLetterConfig?.Arn) {
+        result["DeadLetterConfig"] = { Arn: resp.DeadLetterConfig.Arn };
+      }
+      if (resp.Policy) {
+        try {
+          result["Policy"] = JSON.parse(resp.Policy);
+        } catch {
+          result["Policy"] = resp.Policy;
+        }
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException10)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing EventBridge event bus into cdkd state.
    *
@@ -19728,6 +19977,7 @@ var EC2Provider = class {
 // src/provisioning/providers/apigateway-provider.ts
 import {
   UpdateAccountCommand,
+  GetAccountCommand,
   CreateResourceCommand as CreateResourceCommand2,
   DeleteResourceCommand as DeleteResourceCommand2,
   CreateDeploymentCommand,
@@ -19737,6 +19987,7 @@ import {
   DeleteStageCommand,
   PutMethodCommand,
   DeleteMethodCommand,
+  GetMethodCommand,
   PutIntegrationCommand,
   PutMethodResponseCommand,
   CreateAuthorizerCommand,
@@ -20727,6 +20978,81 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
     }
     return result;
   }
+  /**
+   * Read the AWS-current API Gateway resource configuration in CFn-property
+   * shape.
+   *
+   * **Coverage**:
+   *   - `AWS::ApiGateway::Account` → `GetAccount` for `CloudWatchRoleArn`.
+   *   - `AWS::ApiGateway::Method` → `GetMethod`. PhysicalId is the composite
+   *     `restApiId|resourceId|httpMethod`, so we have everything needed
+   *     without `Properties`.
+   *
+   * **Out of scope** (returns `undefined`, falls back to "drift unknown"):
+   *   - `AWS::ApiGateway::Authorizer` / `Resource` / `Deployment` / `Stage`:
+   *     each needs the parent `RestApiId` to issue a `Get*` call, but cdkd's
+   *     `readCurrentState` interface does not pass `Properties` (only the
+   *     physicalId, which for these types is just the sub-resource id).
+   *     CC API drift detection picks up `AWS::ApiGateway::RestApi` itself
+   *     once the user works through the SDK provider boundary; per-sub
+   *     drift detection here would need a contract change.
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::ApiGateway::Account":
+        return this.readCurrentStateAccount();
+      case "AWS::ApiGateway::Method":
+        return this.readCurrentStateMethod(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateAccount() {
+    try {
+      const resp = await this.apiGatewayClient.send(new GetAccountCommand({}));
+      const result = {};
+      if (resp.cloudwatchRoleArn !== void 0) {
+        result["CloudWatchRoleArn"] = resp.cloudwatchRoleArn;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
+  async readCurrentStateMethod(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length !== 3)
+      return void 0;
+    const [restApiId, resourceId, httpMethod] = parts;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetMethodCommand({ restApiId, resourceId, httpMethod })
+      );
+      const result = {};
+      if (restApiId !== void 0)
+        result["RestApiId"] = restApiId;
+      if (resourceId !== void 0)
+        result["ResourceId"] = resourceId;
+      if (resp.httpMethod !== void 0)
+        result["HttpMethod"] = resp.httpMethod;
+      if (resp.authorizationType !== void 0) {
+        result["AuthorizationType"] = resp.authorizationType;
+      }
+      if (resp.authorizerId !== void 0)
+        result["AuthorizerId"] = resp.authorizerId;
+      if (resp.methodIntegration)
+        result["Integration"] = resp.methodIntegration;
+      if (resp.methodResponses)
+        result["MethodResponses"] = resp.methodResponses;
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing API Gateway sub-resource into cdkd state.
    *
@@ -21303,6 +21629,45 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
+  // ─── Drift detection ──────────────────────────────────────────────
+  /**
+   * Read the AWS-current API Gateway V2 resource configuration in
+   * CFn-property shape.
+   *
+   * **Coverage**:
+   *   - `AWS::ApiGatewayV2::Api` → `GetApi`. PhysicalId is the apiId,
+   *     self-sufficient.
+   *
+   * **Out of scope** (returns `undefined`, falls back to "drift unknown"):
+   *   - `AWS::ApiGatewayV2::Stage` / `Integration` / `Route` / `Authorizer`:
+   *     each needs the parent `ApiId` to issue a `Get*` call, but cdkd's
+   *     `readCurrentState` interface does not pass `Properties` (only the
+   *     physicalId, which for these types is just the sub-resource id).
+   *     Per-sub drift detection here would need a contract change.
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    if (resourceType !== "AWS::ApiGatewayV2::Api") {
+      return void 0;
+    }
+    try {
+      const resp = await this.getClient().send(new GetApiCommand({ ApiId: physicalId }));
+      const result = {};
+      if (resp.Name !== void 0)
+        result["Name"] = resp.Name;
+      if (resp.ProtocolType !== void 0)
+        result["ProtocolType"] = resp.ProtocolType;
+      if (resp.Description !== void 0 && resp.Description !== "") {
+        result["Description"] = resp.Description;
+      }
+      if (resp.CorsConfiguration)
+        result["CorsConfiguration"] = resp.CorsConfiguration;
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
   // ─── Import ───────────────────────────────────────────────────────
   /**
    * Adopt an existing API Gateway V2 resource into cdkd state.
@@ -21516,6 +21881,36 @@ var CloudFrontOAIProvider = class {
       `Unsupported attribute: ${attributeName} for AWS::CloudFront::CloudFrontOriginAccessIdentity`
     );
   }
+  /**
+   * Read the AWS-current OAI configuration in CFn-property shape.
+   *
+   * Issues a single `GetCloudFrontOriginAccessIdentity` and surfaces the
+   * `CloudFrontOriginAccessIdentityConfig.Comment` key — the only
+   * cdkd-managed property (CallerReference is set by cdkd itself and is
+   * not part of the user-configurable surface).
+   *
+   * Returns `undefined` when the OAI is gone (`NoSuchCloudFrontOriginAccessIdentity`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.cloudFrontClient.send(
+        new GetCloudFrontOriginAccessIdentityCommand2({ Id: physicalId })
+      );
+      const config = resp.CloudFrontOriginAccessIdentity?.CloudFrontOriginAccessIdentityConfig;
+      if (!config)
+        return void 0;
+      const inner = {};
+      if (config.Comment !== void 0)
+        inner["Comment"] = config.Comment;
+      return {
+        CloudFrontOriginAccessIdentityConfig: inner
+      };
+    } catch (err) {
+      if (err instanceof NoSuchCloudFrontOriginAccessIdentity)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing CloudFront Origin Access Identity into cdkd state.
    *
@@ -22472,6 +22867,95 @@ var StepFunctionsProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Step Functions state machine config in CFn-property
+   * shape.
+   *
+   * Issues a single `DescribeStateMachine` and surfaces:
+   *   - `StateMachineName` (`name`)
+   *   - `RoleArn` (`roleArn`)
+   *   - `StateMachineType` (`type`)
+   *   - `LoggingConfiguration` / `TracingConfiguration` / `EncryptionConfiguration`
+   *     (re-mapped to CFn PascalCase)
+   *   - `Definition` (parsed from JSON; cdkd state may hold either the
+   *     stringified `DefinitionString` or the object `Definition`, so we
+   *     surface as the object form — the comparator handles either side).
+   *
+   * `DefinitionSubstitutions` is omitted because they are applied at create
+   * time and not surfaced by `DescribeStateMachine` (the response carries
+   * the already-substituted definition).
+   *
+   * `Tags` is omitted (separate `ListTagsForResource` round-trip; auto-injected
+   * `aws:cdk:path` tag-shape question is out of scope here).
+   *
+   * Returns `undefined` when the state machine is gone (`StateMachineDoesNotExist`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeStateMachineCommand({ stateMachineArn: physicalId })
+      );
+    } catch (err) {
+      if (err instanceof StateMachineDoesNotExist)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (resp.name !== void 0)
+      result["StateMachineName"] = resp.name;
+    if (resp.roleArn !== void 0)
+      result["RoleArn"] = resp.roleArn;
+    if (resp.type !== void 0)
+      result["StateMachineType"] = resp.type;
+    if (resp.definition !== void 0) {
+      try {
+        result["Definition"] = JSON.parse(resp.definition);
+      } catch {
+        result["Definition"] = resp.definition;
+      }
+    }
+    if (resp.loggingConfiguration) {
+      const lc = {};
+      if (resp.loggingConfiguration.level !== void 0) {
+        lc["Level"] = resp.loggingConfiguration.level;
+      }
+      if (resp.loggingConfiguration.includeExecutionData !== void 0) {
+        lc["IncludeExecutionData"] = resp.loggingConfiguration.includeExecutionData;
+      }
+      if (resp.loggingConfiguration.destinations) {
+        lc["Destinations"] = resp.loggingConfiguration.destinations.map((d) => {
+          const inner = {};
+          if (d.cloudWatchLogsLogGroup?.logGroupArn) {
+            inner["CloudWatchLogsLogGroup"] = {
+              LogGroupArn: d.cloudWatchLogsLogGroup.logGroupArn
+            };
+          }
+          return inner;
+        });
+      }
+      if (Object.keys(lc).length > 0)
+        result["LoggingConfiguration"] = lc;
+    }
+    if (resp.tracingConfiguration?.enabled !== void 0) {
+      result["TracingConfiguration"] = { Enabled: resp.tracingConfiguration.enabled };
+    }
+    if (resp.encryptionConfiguration) {
+      const ec = {};
+      if (resp.encryptionConfiguration.type !== void 0) {
+        ec["Type"] = resp.encryptionConfiguration.type;
+      }
+      if (resp.encryptionConfiguration.kmsKeyId !== void 0) {
+        ec["KmsKeyId"] = resp.encryptionConfiguration.kmsKeyId;
+      }
+      if (resp.encryptionConfiguration.kmsDataKeyReusePeriodSeconds !== void 0) {
+        ec["KmsDataKeyReusePeriodSeconds"] = resp.encryptionConfiguration.kmsDataKeyReusePeriodSeconds;
+      }
+      if (Object.keys(ec).length > 0)
+        result["EncryptionConfiguration"] = ec;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Step Functions state machine into cdkd state.
    *
@@ -23301,6 +23785,173 @@ var ECSProvider = class {
     }
     return false;
   }
+  /**
+   * Read the AWS-current ECS resource configuration in CFn-property shape.
+   *
+   * Dispatches by resource type:
+   *   - `AWS::ECS::Cluster` → `DescribeClusters`
+   *   - `AWS::ECS::Service` → `DescribeServices`. Service physicalIds use
+   *     the composite form `<clusterArn>|<serviceName>`; we split on `|`.
+   *   - `AWS::ECS::TaskDefinition` → `DescribeTaskDefinition`
+   *
+   * Each branch surfaces only the keys cdkd's `create()` accepts, mapping
+   * the SDK's camelCase to CFn PascalCase. Tags are intentionally omitted
+   * (separate `ListTagsForResource` round-trip).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::ECS::Cluster":
+        return this.readCurrentStateCluster(physicalId);
+      case "AWS::ECS::Service":
+        return this.readCurrentStateService(physicalId);
+      case "AWS::ECS::TaskDefinition":
+        return this.readCurrentStateTaskDefinition(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateCluster(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeClustersCommand({ clusters: [physicalId] })
+      );
+    } catch {
+      return void 0;
+    }
+    const c = resp.clusters?.[0];
+    if (!c || !c.clusterName)
+      return void 0;
+    const result = { ClusterName: c.clusterName };
+    if (c.capacityProviders && c.capacityProviders.length > 0) {
+      result["CapacityProviders"] = [...c.capacityProviders];
+    }
+    if (c.defaultCapacityProviderStrategy && c.defaultCapacityProviderStrategy.length > 0) {
+      result["DefaultCapacityProviderStrategy"] = c.defaultCapacityProviderStrategy;
+    }
+    if (c.configuration)
+      result["Configuration"] = c.configuration;
+    if (c.settings && c.settings.length > 0) {
+      result["ClusterSettings"] = c.settings.map((s) => ({
+        Name: s.name,
+        Value: s.value
+      }));
+    }
+    return result;
+  }
+  async readCurrentStateService(physicalId) {
+    const sep = physicalId.indexOf("|");
+    if (sep < 0)
+      return void 0;
+    const clusterArn = physicalId.substring(0, sep);
+    const serviceName = physicalId.substring(sep + 1);
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeServicesCommand({ cluster: clusterArn, services: [serviceName] })
+      );
+    } catch {
+      return void 0;
+    }
+    const s = resp.services?.[0];
+    if (!s || !s.serviceName)
+      return void 0;
+    const result = {};
+    if (s.serviceName !== void 0)
+      result["ServiceName"] = s.serviceName;
+    if (s.clusterArn !== void 0)
+      result["Cluster"] = s.clusterArn;
+    if (s.taskDefinition !== void 0)
+      result["TaskDefinition"] = s.taskDefinition;
+    if (s.desiredCount !== void 0)
+      result["DesiredCount"] = s.desiredCount;
+    if (s.launchType !== void 0)
+      result["LaunchType"] = s.launchType;
+    if (s.platformVersion !== void 0)
+      result["PlatformVersion"] = s.platformVersion;
+    if (s.schedulingStrategy !== void 0)
+      result["SchedulingStrategy"] = s.schedulingStrategy;
+    if (s.propagateTags !== void 0)
+      result["PropagateTags"] = s.propagateTags;
+    if (s.enableECSManagedTags !== void 0) {
+      result["EnableECSManagedTags"] = s.enableECSManagedTags;
+    }
+    if (s.enableExecuteCommand !== void 0) {
+      result["EnableExecuteCommand"] = s.enableExecuteCommand;
+    }
+    if (s.healthCheckGracePeriodSeconds !== void 0) {
+      result["HealthCheckGracePeriodSeconds"] = s.healthCheckGracePeriodSeconds;
+    }
+    if (s.networkConfiguration)
+      result["NetworkConfiguration"] = s.networkConfiguration;
+    if (s.loadBalancers && s.loadBalancers.length > 0) {
+      result["LoadBalancers"] = s.loadBalancers;
+    }
+    if (s.capacityProviderStrategy && s.capacityProviderStrategy.length > 0) {
+      result["CapacityProviderStrategy"] = s.capacityProviderStrategy;
+    }
+    if (s.deploymentConfiguration)
+      result["DeploymentConfiguration"] = s.deploymentConfiguration;
+    if (s.placementConstraints && s.placementConstraints.length > 0) {
+      result["PlacementConstraints"] = s.placementConstraints;
+    }
+    if (s.placementStrategy && s.placementStrategy.length > 0) {
+      result["PlacementStrategy"] = s.placementStrategy;
+    }
+    if (s.serviceRegistries && s.serviceRegistries.length > 0) {
+      result["ServiceRegistries"] = s.serviceRegistries;
+    }
+    return result;
+  }
+  async readCurrentStateTaskDefinition(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeTaskDefinitionCommand({ taskDefinition: physicalId })
+      );
+    } catch {
+      return void 0;
+    }
+    const td = resp.taskDefinition;
+    if (!td)
+      return void 0;
+    const result = {};
+    if (td.family !== void 0)
+      result["Family"] = td.family;
+    if (td.cpu !== void 0)
+      result["Cpu"] = td.cpu;
+    if (td.memory !== void 0)
+      result["Memory"] = td.memory;
+    if (td.networkMode !== void 0)
+      result["NetworkMode"] = td.networkMode;
+    if (td.requiresCompatibilities && td.requiresCompatibilities.length > 0) {
+      result["RequiresCompatibilities"] = [...td.requiresCompatibilities];
+    }
+    if (td.executionRoleArn !== void 0)
+      result["ExecutionRoleArn"] = td.executionRoleArn;
+    if (td.taskRoleArn !== void 0)
+      result["TaskRoleArn"] = td.taskRoleArn;
+    if (td.volumes && td.volumes.length > 0)
+      result["Volumes"] = td.volumes;
+    if (td.placementConstraints && td.placementConstraints.length > 0) {
+      result["PlacementConstraints"] = td.placementConstraints;
+    }
+    if (td.runtimePlatform)
+      result["RuntimePlatform"] = td.runtimePlatform;
+    if (td.proxyConfiguration)
+      result["ProxyConfiguration"] = td.proxyConfiguration;
+    if (td.pidMode !== void 0)
+      result["PidMode"] = td.pidMode;
+    if (td.ipcMode !== void 0)
+      result["IpcMode"] = td.ipcMode;
+    if (td.ephemeralStorage?.sizeInGiB !== void 0) {
+      result["EphemeralStorage"] = { SizeInGiB: td.ephemeralStorage.sizeInGiB };
+    }
+    if (td.containerDefinitions && td.containerDefinitions.length > 0) {
+      result["ContainerDefinitions"] = td.containerDefinitions;
+    }
+    return result;
+  }
   /**
    * Adopt an existing ECS resource into cdkd state.
    *
@@ -24675,6 +25326,146 @@ var RDSProvider = class {
         return null;
     }
   }
+  /**
+   * Read the AWS-current RDS resource configuration in CFn-property shape.
+   *
+   * Dispatches by resource type:
+   *   - `AWS::RDS::DBInstance` → `DescribeDBInstances`
+   *   - `AWS::RDS::DBCluster` → `DescribeDBClusters`
+   *   - `AWS::RDS::DBSubnetGroup` → `DescribeDBSubnetGroups`
+   *
+   * Each branch surfaces only the keys cdkd's `create()` accepts. Sensitive
+   * fields like `MasterUserPassword` are NEVER surfaced (RDS does not return
+   * them in the Describe responses). `Tags` are intentionally omitted
+   * (separate `ListTagsForResource` round-trip).
+   *
+   * Returns `undefined` when the resource is gone (`*NotFoundFault`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::RDS::DBInstance":
+        return this.readCurrentStateDBInstance(physicalId);
+      case "AWS::RDS::DBCluster":
+        return this.readCurrentStateDBCluster(physicalId);
+      case "AWS::RDS::DBSubnetGroup":
+        return this.readCurrentStateDBSubnetGroup(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateDBInstance(physicalId) {
+    let inst;
+    try {
+      inst = await this.describeDBInstance(physicalId);
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBInstanceNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!inst)
+      return void 0;
+    const result = {};
+    if (inst.DBInstanceIdentifier !== void 0) {
+      result["DBInstanceIdentifier"] = inst.DBInstanceIdentifier;
+    }
+    if (inst.DBInstanceClass !== void 0)
+      result["DBInstanceClass"] = inst.DBInstanceClass;
+    if (inst.Engine !== void 0)
+      result["Engine"] = inst.Engine;
+    if (inst.DBClusterIdentifier !== void 0) {
+      result["DBClusterIdentifier"] = inst.DBClusterIdentifier;
+    }
+    if (inst.DBSubnetGroup?.DBSubnetGroupName !== void 0) {
+      result["DBSubnetGroupName"] = inst.DBSubnetGroup.DBSubnetGroupName;
+    }
+    if (inst.PubliclyAccessible !== void 0) {
+      result["PubliclyAccessible"] = inst.PubliclyAccessible;
+    }
+    return result;
+  }
+  async readCurrentStateDBCluster(physicalId) {
+    let cluster;
+    try {
+      cluster = await this.describeDBCluster(physicalId);
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBClusterNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!cluster)
+      return void 0;
+    const result = {};
+    if (cluster.DBClusterIdentifier !== void 0) {
+      result["DBClusterIdentifier"] = cluster.DBClusterIdentifier;
+    }
+    if (cluster.Engine !== void 0)
+      result["Engine"] = cluster.Engine;
+    if (cluster.EngineVersion !== void 0)
+      result["EngineVersion"] = cluster.EngineVersion;
+    if (cluster.MasterUsername !== void 0)
+      result["MasterUsername"] = cluster.MasterUsername;
+    if (cluster.DatabaseName !== void 0)
+      result["DatabaseName"] = cluster.DatabaseName;
+    if (cluster.Port !== void 0)
+      result["Port"] = cluster.Port;
+    if (cluster.VpcSecurityGroups && cluster.VpcSecurityGroups.length > 0) {
+      result["VpcSecurityGroupIds"] = cluster.VpcSecurityGroups.map(
+        (sg) => sg.VpcSecurityGroupId
+      ).filter((id) => !!id);
+    }
+    if (cluster.DBSubnetGroup !== void 0)
+      result["DBSubnetGroupName"] = cluster.DBSubnetGroup;
+    if (cluster.StorageEncrypted !== void 0) {
+      result["StorageEncrypted"] = cluster.StorageEncrypted;
+    }
+    if (cluster.KmsKeyId !== void 0)
+      result["KmsKeyId"] = cluster.KmsKeyId;
+    if (cluster.BackupRetentionPeriod !== void 0) {
+      result["BackupRetentionPeriod"] = cluster.BackupRetentionPeriod;
+    }
+    if (cluster.DeletionProtection !== void 0) {
+      result["DeletionProtection"] = cluster.DeletionProtection;
+    }
+    if (cluster.ServerlessV2ScalingConfiguration) {
+      const sc = {};
+      if (cluster.ServerlessV2ScalingConfiguration.MinCapacity !== void 0) {
+        sc["MinCapacity"] = cluster.ServerlessV2ScalingConfiguration.MinCapacity;
+      }
+      if (cluster.ServerlessV2ScalingConfiguration.MaxCapacity !== void 0) {
+        sc["MaxCapacity"] = cluster.ServerlessV2ScalingConfiguration.MaxCapacity;
+      }
+      if (Object.keys(sc).length > 0)
+        result["ServerlessV2ScalingConfiguration"] = sc;
+    }
+    return result;
+  }
+  async readCurrentStateDBSubnetGroup(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeDBSubnetGroupsCommand({ DBSubnetGroupName: physicalId })
+      );
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBSubnetGroupNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    const sg = resp.DBSubnetGroups?.[0];
+    if (!sg)
+      return void 0;
+    const result = {};
+    if (sg.DBSubnetGroupName !== void 0)
+      result["DBSubnetGroupName"] = sg.DBSubnetGroupName;
+    if (sg.DBSubnetGroupDescription !== void 0) {
+      result["DBSubnetGroupDescription"] = sg.DBSubnetGroupDescription;
+    }
+    if (sg.Subnets && sg.Subnets.length > 0) {
+      result["SubnetIds"] = sg.Subnets.map((s) => s.SubnetIdentifier).filter(
+        (id) => !!id
+      );
+    }
+    return result;
+  }
   async importDBInstance(input) {
     const explicit = resolveExplicitPhysicalId(input, "DBInstanceIdentifier");
     if (explicit) {
@@ -26127,6 +26918,98 @@ var CognitoUserPoolProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Cognito User Pool configuration in CFn-property shape.
+   *
+   * Issues `DescribeUserPool` and surfaces the keys cdkd's `create()` accepts.
+   * AWS-managed fields (Arn, Id, CreationDate, LastModifiedDate, EstimatedNumberOfUsers,
+   * etc.) are filtered at the wire layer.
+   *
+   * **Note**: Cognito only supports `AWS::Cognito::UserPool` in this provider;
+   * `UserPoolClient`, `UserPoolGroup`, and other Cognito sub-resources go
+   * through the CC API fallback (which has its own `readCurrentState`).
+   *
+   * `UserPoolTags` is intentionally omitted (Cognito returns tags via a
+   * separate `ListTagsForResource` round-trip; auto-injected `aws:cdk:path`
+   * tag-shape question is out of scope here).
+   *
+   * Returns `undefined` when the pool is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    if (resourceType !== "AWS::Cognito::UserPool")
+      return void 0;
+    let resp;
+    try {
+      resp = await this.getClient().send(new DescribeUserPoolCommand({ UserPoolId: physicalId }));
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException12)
+        return void 0;
+      throw err;
+    }
+    const pool = resp.UserPool;
+    if (!pool)
+      return void 0;
+    const result = {};
+    if (pool.Name !== void 0)
+      result["UserPoolName"] = pool.Name;
+    if (pool.AutoVerifiedAttributes && pool.AutoVerifiedAttributes.length > 0) {
+      result["AutoVerifiedAttributes"] = [...pool.AutoVerifiedAttributes];
+    }
+    if (pool.UsernameAttributes && pool.UsernameAttributes.length > 0) {
+      result["UsernameAttributes"] = [...pool.UsernameAttributes];
+    }
+    if (pool.AliasAttributes && pool.AliasAttributes.length > 0) {
+      result["AliasAttributes"] = [...pool.AliasAttributes];
+    }
+    if (pool.Policies)
+      result["Policies"] = pool.Policies;
+    if (pool.SchemaAttributes && pool.SchemaAttributes.length > 0) {
+      result["Schema"] = pool.SchemaAttributes;
+    }
+    if (pool.LambdaConfig && Object.keys(pool.LambdaConfig).length > 0) {
+      result["LambdaConfig"] = pool.LambdaConfig;
+    }
+    if (pool.MfaConfiguration !== void 0)
+      result["MfaConfiguration"] = pool.MfaConfiguration;
+    if (pool.AdminCreateUserConfig)
+      result["AdminCreateUserConfig"] = pool.AdminCreateUserConfig;
+    if (pool.AccountRecoverySetting) {
+      result["AccountRecoverySetting"] = pool.AccountRecoverySetting;
+    }
+    if (pool.UserAttributeUpdateSettings) {
+      result["UserAttributeUpdateSettings"] = pool.UserAttributeUpdateSettings;
+    }
+    if (pool.DeletionProtection !== void 0) {
+      result["DeletionProtection"] = pool.DeletionProtection;
+    }
+    if (pool.EmailConfiguration)
+      result["EmailConfiguration"] = pool.EmailConfiguration;
+    if (pool.SmsConfiguration)
+      result["SmsConfiguration"] = pool.SmsConfiguration;
+    if (pool.VerificationMessageTemplate) {
+      result["VerificationMessageTemplate"] = pool.VerificationMessageTemplate;
+    }
+    if (pool.UsernameConfiguration) {
+      result["UsernameConfiguration"] = pool.UsernameConfiguration;
+    }
+    if (pool.DeviceConfiguration)
+      result["DeviceConfiguration"] = pool.DeviceConfiguration;
+    if (pool.UserPoolAddOns)
+      result["UserPoolAddOns"] = pool.UserPoolAddOns;
+    if (pool.EmailVerificationMessage !== void 0) {
+      result["EmailVerificationMessage"] = pool.EmailVerificationMessage;
+    }
+    if (pool.EmailVerificationSubject !== void 0) {
+      result["EmailVerificationSubject"] = pool.EmailVerificationSubject;
+    }
+    if (pool.SmsAuthenticationMessage !== void 0) {
+      result["SmsAuthenticationMessage"] = pool.SmsAuthenticationMessage;
+    }
+    if (pool.SmsVerificationMessage !== void 0) {
+      result["SmsVerificationMessage"] = pool.SmsVerificationMessage;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Cognito User Pool into cdkd state.
    *
@@ -28700,6 +29583,88 @@ var KMSProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current KMS resource configuration in CFn-property shape.
+   *
+   * Dispatches by resource type:
+   *   - `AWS::KMS::Key` → `DescribeKey`. Surfaces `Description`, `KeySpec`,
+   *     `KeyUsage`, `Enabled`, `MultiRegion`, `Origin`. `KeyPolicy` is
+   *     intentionally NOT retrieved — `GetKeyPolicy` is a separate call
+   *     and the policy body needs JSON parsing for comparison; deferred
+   *     to a follow-up. `EnableKeyRotation` / `RotationPeriodInDays`
+   *     would require `GetKeyRotationStatus`; also deferred.
+   *   - `AWS::KMS::Alias` → `ListAliases` filtered to the alias name.
+   *     Surfaces `AliasName`, `TargetKeyId`. `ListAliases` is paginated
+   *     since there's no direct "describe one alias" API.
+   *
+   * `Tags` is intentionally omitted (separate `ListResourceTags` round-trip
+   * for keys; auto-injected `aws:cdk:path` tag-shape question is out of
+   * scope here). `BypassPolicyLockoutSafetyCheck` and `PendingWindowInDays`
+   * are not part of the persisted AWS state visible via `DescribeKey`.
+   *
+   * Returns `undefined` when the resource is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::KMS::Key":
+        return this.readCurrentStateKey(physicalId);
+      case "AWS::KMS::Alias":
+        return this.readCurrentStateAlias(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateKey(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeKeyCommand({ KeyId: physicalId })
+      );
+    } catch (err) {
+      if (err instanceof NotFoundException5)
+        return void 0;
+      throw err;
+    }
+    const md = resp.KeyMetadata;
+    if (!md)
+      return void 0;
+    const result = {};
+    if (md.Description !== void 0 && md.Description !== "") {
+      result["Description"] = md.Description;
+    }
+    if (md.KeySpec !== void 0)
+      result["KeySpec"] = md.KeySpec;
+    if (md.KeyUsage !== void 0)
+      result["KeyUsage"] = md.KeyUsage;
+    if (md.Enabled !== void 0)
+      result["Enabled"] = md.Enabled;
+    if (md.MultiRegion !== void 0)
+      result["MultiRegion"] = md.MultiRegion;
+    if (md.Origin !== void 0)
+      result["Origin"] = md.Origin;
+    return result;
+  }
+  async readCurrentStateAlias(physicalId) {
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new ListAliasesCommand2({ ...marker && { Marker: marker } })
+      );
+      const found = list.Aliases?.find(
+        (a) => a.AliasName === physicalId
+      );
+      if (found) {
+        const result = {};
+        if (found.AliasName)
+          result["AliasName"] = found.AliasName;
+        if (found.TargetKeyId)
+          result["TargetKeyId"] = found.TargetKeyId;
+        return result;
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return void 0;
+  }
   /**
    * Adopt an existing KMS key or alias into cdkd state.
    *
@@ -31712,12 +32677,14 @@ import {
   CreateRepositoryCommand,
   DeleteRepositoryCommand,
   DescribeRepositoriesCommand,
+  GetLifecyclePolicyCommand,
   PutLifecyclePolicyCommand,
   SetRepositoryPolicyCommand,
   PutImageScanningConfigurationCommand,
   PutImageTagMutabilityCommand,
   TagResourceCommand as TagResourceCommand7,
   ListTagsForResourceCommand as ListTagsForResourceCommand18,
+  LifecyclePolicyNotFoundException,
   RepositoryNotFoundException
 } from "@aws-sdk/client-ecr";
 var ECRProvider = class {
@@ -31951,6 +32918,82 @@ var ECRProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current ECR repository configuration in CFn-property shape.
+   *
+   * Issues `DescribeRepositories(filtered=[name])` for the repository's
+   * configuration, then a separate `GetLifecyclePolicy` for `LifecyclePolicy`
+   * (which `DescribeRepositories` doesn't return).
+   *
+   * Surfaced keys: `RepositoryName`, `ImageTagMutability`,
+   * `ImageScanningConfiguration`, `EncryptionConfiguration`, `LifecyclePolicy`
+   * (when configured — `LifecyclePolicyNotFoundException` is caught and the
+   * key omitted, NOT propagated as repo-gone).
+   *
+   * Intentionally omitted:
+   *   - `RepositoryPolicyText`: requires a separate `GetRepositoryPolicy`
+   *     round-trip; cdkd state holds the policy as either a string or an
+   *     object (depending on user input), and the comparator round-trip
+   *     is not yet handled here.
+   *   - `Tags`: requires `ListTagsForResource`; auto-injected
+   *     `aws:cdk:path` tag-shape question is out of scope.
+   *   - `EmptyOnDelete` / `ImageTagMutabilityExclusionFilters`: not part
+   *     of the persisted AWS state visible via standard Describe.
+   *
+   * Returns `undefined` when the repository is gone (`RepositoryNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let repo;
+    try {
+      repo = await this.getClient().send(
+        new DescribeRepositoriesCommand({ repositoryNames: [physicalId] })
+      );
+    } catch (err) {
+      if (err instanceof RepositoryNotFoundException)
+        return void 0;
+      throw err;
+    }
+    const r = repo.repositories?.[0];
+    if (!r)
+      return void 0;
+    const result = {};
+    if (r.repositoryName !== void 0)
+      result["RepositoryName"] = r.repositoryName;
+    if (r.imageTagMutability !== void 0)
+      result["ImageTagMutability"] = r.imageTagMutability;
+    if (r.imageScanningConfiguration) {
+      const inner = {};
+      if (r.imageScanningConfiguration.scanOnPush !== void 0) {
+        inner["ScanOnPush"] = r.imageScanningConfiguration.scanOnPush;
+      }
+      if (Object.keys(inner).length > 0)
+        result["ImageScanningConfiguration"] = inner;
+    }
+    if (r.encryptionConfiguration) {
+      const inner = {};
+      if (r.encryptionConfiguration.encryptionType !== void 0) {
+        inner["EncryptionType"] = r.encryptionConfiguration.encryptionType;
+      }
+      if (r.encryptionConfiguration.kmsKey !== void 0) {
+        inner["KmsKey"] = r.encryptionConfiguration.kmsKey;
+      }
+      if (Object.keys(inner).length > 0)
+        result["EncryptionConfiguration"] = inner;
+    }
+    try {
+      const lp = await this.getClient().send(
+        new GetLifecyclePolicyCommand({ repositoryName: physicalId })
+      );
+      if (lp.lifecyclePolicyText) {
+        result["LifecyclePolicy"] = { LifecyclePolicyText: lp.lifecyclePolicyText };
+      }
+    } catch (err) {
+      if (!(err instanceof LifecyclePolicyNotFoundException)) {
+        throw err;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing ECR repository into cdkd state.
    *
@@ -34066,6 +35109,7 @@ function createDiffCommand() {
 }
 
 // src/cli/commands/drift.ts
+import * as readline from "node:readline/promises";
 import { Command as Command6, Option as Option3 } from "commander";
 init_aws_clients();
 
@@ -34141,6 +35185,11 @@ async function driftCommand(stacks, options) {
   if (!options.all && stacks.length === 0) {
     throw new Error("Stack name is required. Usage: cdkd drift <stack> [<stack>...] | --all");
   }
+  if (options.accept && options.revert) {
+    throw new Error(
+      "--accept and --revert are mutually exclusive. Use --accept to update cdkd state from AWS, or --revert to push cdkd state values back into AWS."
+    );
+  }
   await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const awsClients = new AwsClients({
     ...options.region && { region: options.region },
@@ -34151,14 +35200,11 @@ async function driftCommand(stacks, options) {
     const region = options.region || process.env["AWS_REGION"] || "us-east-1";
     const bucket = await resolveStateBucketWithDefault(options.stateBucket, region);
     const prefix = options.statePrefix;
-    const stateBackend = new S3StateBackend(
-      awsClients.s3,
-      { bucket, prefix },
-      {
-        region,
-        ...options.profile && { profile: options.profile }
-      }
-    );
+    const stateConfig = { bucket, prefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      region,
+      ...options.profile && { profile: options.profile }
+    });
     await stateBackend.verifyBucketExists();
     const providerRegistry = new ProviderRegistry();
     registerAllProviders(providerRegistry);
@@ -34186,8 +35232,22 @@ async function driftCommand(stacks, options) {
       writeHumanReport(reports);
     }
     const drifted = reports.some((r) => r.outcomes.some((o) => o.kind === "drifted"));
-    if (drifted) {
-      throw new DriftDetectedError();
+    if (!options.accept && !options.revert) {
+      if (drifted) {
+        throw new DriftDetectedError();
+      }
+      return;
+    }
+    if (!drifted) {
+      logger.info(
+        options.accept ? "No drift detected \u2014 nothing to accept." : "No drift detected \u2014 nothing to revert."
+      );
+      return;
+    }
+    if (options.accept) {
+      await runAccept(reports, stateBackend, stateConfig, awsClients, options);
+    } else {
+      await runRevert(reports, providerRegistry, stateConfig, awsClients, options);
     }
   } finally {
     awsClients.destroy();
@@ -34288,13 +35348,261 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
           kind: "drifted",
           logicalId,
           resourceType: resource.resourceType,
-          changes
+          changes,
+          awsProperties: aws
         });
       }
     }
-    return { stackName, region, outcomes };
+    return {
+      stackName,
+      region,
+      outcomes,
+      state,
+      etag: result.etag,
+      migrationPending: result.migrationPending ?? false
+    };
   });
 }
+function setAtPath(target, path, value) {
+  if (path.length === 0) {
+    return;
+  }
+  const segments = path.split(".");
+  let cursor = target;
+  for (let i = 0; i < segments.length - 1; i++) {
+    const key = segments[i];
+    const next = cursor[key];
+    if (next === void 0 || next === null || typeof next !== "object" || Array.isArray(next)) {
+      const fresh = {};
+      cursor[key] = fresh;
+      cursor = fresh;
+    } else {
+      cursor = next;
+    }
+  }
+  cursor[segments[segments.length - 1]] = value;
+}
+async function runAccept(reports, stateBackend, stateConfig, awsClients, options) {
+  const logger = getLogger();
+  printAcceptPlan(reports);
+  if (options.dryRun) {
+    logger.info("--dry-run: state will NOT be written. Re-run without --dry-run to apply.");
+    return;
+  }
+  if (!options.yes) {
+    const ok = await confirmPrompt(`Update cdkd state with the AWS-current values shown above?`);
+    if (!ok) {
+      logger.info("Aborted.");
+      return;
+    }
+  }
+  const lockManager = new LockManager(awsClients.s3, stateConfig);
+  const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+  for (const report of reports) {
+    const driftedOutcomes = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    if (driftedOutcomes.length === 0) {
+      continue;
+    }
+    await lockManager.acquireLock(report.stackName, report.region, owner, "drift-accept");
+    try {
+      const resources = { ...report.state.resources };
+      for (const outcome of driftedOutcomes) {
+        const existing = resources[outcome.logicalId];
+        if (!existing)
+          continue;
+        const newProperties = JSON.parse(JSON.stringify(existing.properties ?? {}));
+        for (const change of outcome.changes) {
+          setAtPath(newProperties, change.path, change.awsValue);
+        }
+        resources[outcome.logicalId] = {
+          ...existing,
+          properties: newProperties
+        };
+      }
+      const newState = {
+        ...report.state,
+        resources,
+        lastModified: Date.now()
+      };
+      const saveOptions = {
+        expectedEtag: report.etag
+      };
+      if (report.migrationPending) {
+        saveOptions.migrateLegacy = true;
+      }
+      await stateBackend.saveState(report.stackName, report.region, newState, saveOptions);
+      logger.info(
+        `\u2713 State updated for ${report.stackName} (${report.region}): accepted drift on ${driftedOutcomes.length} resource(s).`
+      );
+    } finally {
+      await lockManager.releaseLock(report.stackName, report.region).catch((err) => {
+        logger.warn(
+          `Failed to release lock for ${report.stackName} (${report.region}): ` + (err instanceof Error ? err.message : String(err))
+        );
+      });
+    }
+  }
+}
+async function runRevert(reports, providerRegistry, stateConfig, awsClients, options) {
+  const logger = getLogger();
+  printRevertPlan(reports);
+  if (options.dryRun) {
+    logger.info("--dry-run: AWS will NOT be modified. Re-run without --dry-run to apply.");
+    return;
+  }
+  if (!options.yes) {
+    const ok = await confirmPrompt(
+      `Push cdkd state values back into AWS for the resources shown above?`
+    );
+    if (!ok) {
+      logger.info("Aborted.");
+      return;
+    }
+  }
+  const lockManager = new LockManager(awsClients.s3, stateConfig);
+  const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+  const concurrency = Math.max(1, options.concurrency ?? 4);
+  let totalFailed = 0;
+  let totalSucceeded = 0;
+  for (const report of reports) {
+    const driftedOutcomes = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    if (driftedOutcomes.length === 0) {
+      continue;
+    }
+    await lockManager.acquireLock(report.stackName, report.region, owner, "drift-revert");
+    try {
+      const tasks = driftedOutcomes.map((outcome) => async () => {
+        const stateResource = report.state.resources[outcome.logicalId];
+        if (!stateResource) {
+          totalFailed++;
+          logger.error(
+            `  \u2717 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): resource missing from state; skipped.`
+          );
+          return;
+        }
+        const provider = providerRegistry.getProvider(outcome.resourceType);
+        try {
+          await withRetry(
+            () => provider.update(
+              outcome.logicalId,
+              stateResource.physicalId,
+              outcome.resourceType,
+              stateResource.properties ?? {},
+              outcome.awsProperties
+            ),
+            outcome.logicalId,
+            { logger: { debug: (msg) => logger.debug(msg) } }
+          );
+          totalSucceeded++;
+          logger.info(
+            `  \u2713 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): reverted.`
+          );
+        } catch (err) {
+          totalFailed++;
+          const msg = err instanceof Error ? err.message : String(err);
+          logger.error(
+            `  \u2717 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): ${msg}`
+          );
+        }
+      });
+      await runWithConcurrency(tasks, concurrency);
+    } finally {
+      await lockManager.releaseLock(report.stackName, report.region).catch((err) => {
+        logger.warn(
+          `Failed to release lock for ${report.stackName} (${report.region}): ` + (err instanceof Error ? err.message : String(err))
+        );
+      });
+    }
+  }
+  logger.info(`
+Revert summary: ${totalSucceeded} reverted, ${totalFailed} failed.`);
+  if (totalFailed > 0) {
+    throw new PartialFailureError(
+      `Revert completed with ${totalFailed} resource error(s). Re-run 'cdkd drift <stack>' to see the remaining drift, then 'cdkd drift <stack> --revert' to retry.`
+    );
+  }
+}
+function printAcceptPlan(reports) {
+  for (const report of reports) {
+    const drifted = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    if (drifted.length === 0)
+      continue;
+    process.stdout.write(
+      `
+Plan (--accept): update cdkd state for ${report.stackName} (${report.region}):
+`
+    );
+    for (const o of drifted) {
+      process.stdout.write(`  ~ ${o.logicalId} (${o.resourceType})
+`);
+      for (const change of o.changes) {
+        process.stdout.write(
+          `    ${change.path}: ${formatScalar(change.stateValue)} -> ${formatScalar(change.awsValue)}
+`
+        );
+      }
+    }
+  }
+}
+function printRevertPlan(reports) {
+  for (const report of reports) {
+    const drifted = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    if (drifted.length === 0)
+      continue;
+    process.stdout.write(
+      `
+Plan (--revert): push cdkd state values back into AWS for ${report.stackName} (${report.region}):
+`
+    );
+    for (const o of drifted) {
+      const word = o.changes.length === 1 ? "property path" : "property paths";
+      process.stdout.write(
+        `  \u2192 provider.update on ${o.logicalId} (${o.resourceType}): revert ${o.changes.length} ${word}
+`
+      );
+      for (const change of o.changes) {
+        process.stdout.write(
+          `    ${change.path}: ${formatScalar(change.awsValue)} -> ${formatScalar(change.stateValue)}
+`
+        );
+      }
+    }
+  }
+}
+async function runWithConcurrency(tasks, concurrency) {
+  const queue = [...tasks];
+  const workers = [];
+  for (let i = 0; i < Math.min(concurrency, queue.length); i++) {
+    workers.push(
+      (async () => {
+        while (queue.length > 0) {
+          const task = queue.shift();
+          if (!task)
+            break;
+          await task();
+        }
+      })()
+    );
+  }
+  await Promise.all(workers);
+}
+async function confirmPrompt(prompt) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
 function writeJsonReport(reports) {
   const payload = reports.map((r) => {
     const drifted = r.outcomes.filter((o) => o.kind === "drifted").map((o) => ({ logicalId: o.logicalId, type: o.resourceType, changes: o.changes }));
@@ -34371,8 +35679,25 @@ function stackRegionOption() {
 }
 function createDriftCommand() {
   const cmd = new Command6("drift").description(
-    "Detect drift between cdkd state and AWS reality. Exits 0 when no drift, 1 when drift is detected."
-  ).argument("[stacks...]", "Stack name(s) to check (physical CloudFormation names)").option("--all", "Check every stack in the state bucket", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(driftCommand));
+    "Detect drift between cdkd state and AWS reality. Exits 0 when no drift, 1 when drift is detected. Pass --accept to update cdkd state from AWS, or --revert to push cdkd state values back into AWS."
+  ).argument("[stacks...]", "Stack name(s) to check (physical CloudFormation names)").option("--all", "Check every stack in the state bucket", false).option("--json", "Output as JSON", false).option(
+    "--accept",
+    "Update cdkd state with the AWS-current values for every drifted property (state \u2190 AWS). Mutually exclusive with --revert.",
+    false
+  ).option(
+    "--revert",
+    "Push cdkd state values back into AWS via provider.update for every drifted resource (AWS \u2190 state). Mutually exclusive with --accept.",
+    false
+  ).option(
+    "--dry-run",
+    "Print the planned mutations without acquiring a lock or hitting AWS / S3. Honored by --accept and --revert.",
+    false
+  ).option(
+    "--concurrency <number>",
+    "Maximum concurrent provider.update calls during --revert",
+    (value) => parseInt(value, 10),
+    4
+  ).addOption(stackRegionOption()).action(withErrorHandling(driftCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -34383,7 +35708,7 @@ import { Command as Command7 } from "commander";
 init_aws_clients();
 
 // src/cli/commands/destroy-runner.ts
-import * as readline from "node:readline/promises";
+import * as readline2 from "node:readline/promises";
 init_aws_clients();
 async function runDestroyForStack(stackName, state, ctx) {
   const logger = getLogger();
@@ -34409,7 +35734,7 @@ Resources to be deleted (${resourceCount}):`);
     logger.info(`  - ${logicalId} (${resource.resourceType})`);
   }
   if (!ctx.skipConfirmation) {
-    const rl = readline.createInterface({
+    const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout
     });
@@ -34820,7 +36145,7 @@ function createDestroyCommand() {
 }
 
 // src/cli/commands/orphan.ts
-import * as readline2 from "node:readline/promises";
+import * as readline3 from "node:readline/promises";
 import { Command as Command8 } from "commander";
 init_aws_clients();
 
@@ -35353,7 +36678,7 @@ Re-run with --force to fall back to cached attribute values from state, or fix t
         return;
       }
       if (!options.yes && !options.force) {
-        const ok = await confirmPrompt(
+        const ok = await confirmPrompt2(
           `Orphan ${orphanLogicalIds.length} resource(s) from cdkd state for ${stackInfo.stackName} (${targetRegion})? AWS resources will NOT be deleted.`
         );
         if (!ok) {
@@ -35492,8 +36817,8 @@ function stringifyForAudit(value) {
     return JSON.stringify(value);
   return JSON.stringify(value);
 }
-async function confirmPrompt(prompt) {
-  const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt2(prompt) {
+  const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -35768,7 +37093,7 @@ function createForceUnlockCommand() {
 }
 
 // src/cli/commands/state.ts
-import * as readline4 from "node:readline/promises";
+import * as readline5 from "node:readline/promises";
 import { Command as Command12, Option as Option6 } from "commander";
 import {
   GetBucketLocationCommand as GetBucketLocationCommand2,
@@ -35778,7 +37103,7 @@ import {
 init_aws_clients();
 
 // src/cli/commands/state-migrate.ts
-import * as readline3 from "node:readline/promises";
+import * as readline4 from "node:readline/promises";
 import { Command as Command11 } from "commander";
 import {
   CopyObjectCommand,
@@ -35848,7 +37173,7 @@ async function stateMigrateCommand(options) {
       }
       if (!options.yes) {
         const action = options.removeLegacy ? "and DELETE the source bucket" : "(source bucket will be kept)";
-        const ok = await confirmPrompt2(
+        const ok = await confirmPrompt3(
           `Copy ${sourceObjects.length} object(s) from ${legacyBucket} -> ${newBucket} ${action}?`
         );
         if (!ok) {
@@ -36053,8 +37378,8 @@ async function emptyBucketAllVersions(s3, bucket) {
     versionIdMarker = resp.NextVersionIdMarker;
   } while (keyMarker || versionIdMarker);
 }
-async function confirmPrompt2(prompt) {
-  const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt3(prompt) {
+  const rl = readline4.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -36462,7 +37787,7 @@ Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
 
 `
         );
-        const rl = readline4.createInterface({
+        const rl = readline5.createInterface({
           input: process.stdin,
           output: process.stdout
         });
@@ -36553,7 +37878,7 @@ WARNING: This destroys ${stackNames.length} stack(s) and removes their state rec
 `);
       }
       process.stdout.write("\n");
-      const rl = readline4.createInterface({
+      const rl = readline5.createInterface({
         input: process.stdin,
         output: process.stdout
       });
@@ -36795,12 +38120,12 @@ function createStateCommand() {
 
 // src/cli/commands/import.ts
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "node:fs";
-import * as readline6 from "node:readline/promises";
+import * as readline7 from "node:readline/promises";
 import { Command as Command13 } from "commander";
 init_aws_clients();
 
 // src/cli/commands/retire-cfn-stack.ts
-import * as readline5 from "node:readline/promises";
+import * as readline6 from "node:readline/promises";
 import {
   DescribeStacksCommand,
   DescribeStackResourcesCommand,
@@ -36845,7 +38170,7 @@ async function retireCloudFormationStack(options) {
   }
   const { body: newBody, modified } = injectRetainPolicies(tpl.TemplateBody, cfnStackName);
   if (!yes) {
-    const ok = await confirmPrompt3(
+    const ok = await confirmPrompt4(
       `Set DeletionPolicy=Retain and UpdateReplacePolicy=Retain on every resource in CloudFormation stack '${cfnStackName}', then delete the stack? AWS resources will NOT be deleted (cdkd state has been written).`
     );
     if (!ok) {
@@ -37005,8 +38330,8 @@ async function getCloudFormationResourceMapping(cfnStackName, cfnClient) {
   }
   return map;
 }
-async function confirmPrompt3(prompt) {
-  const rl = readline5.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt4(prompt) {
+  const rl = readline6.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -37205,7 +38530,7 @@ async function importCommand(stackArg, options) {
         const preservedCount = selectiveMode && existingState ? Object.keys(existingState.resources).filter((id) => !overrides.has(id)).length : 0;
         const totalAfter = importedCount + preservedCount;
         const breakdown = preservedCount > 0 ? ` (${importedCount} new/overwritten + ${preservedCount} preserved)` : "";
-        const ok = await confirmPrompt4(
+        const ok = await confirmPrompt5(
           `Write state for ${stackInfo.stackName} (${targetRegion}) with ${totalAfter} resource(s)${breakdown}?`
         );
         if (!ok) {
@@ -37466,8 +38791,8 @@ function formatOutcome(outcome) {
       return "\u2717";
   }
 }
-async function confirmPrompt4(prompt) {
-  const rl = readline6.createInterface({ input: process.stdin, output: process.stdout });
+async function confirmPrompt5(prompt) {
+  const rl = readline7.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
     return /^y(es)?$/i.test(ans.trim());
@@ -37544,7 +38869,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.37.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.39.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());