@go-to-k/cdkd 0.38.0 → 0.39.0

package/dist/cli.js

@@ -16532,6 +16532,52 @@ var SecretsManagerSecretProvider = class {
     }
     return password;
   }
+  /**
+   * Read the AWS-current secret configuration in CFn-property shape.
+   *
+   * Issues `DescribeSecret` and surfaces `Name`, `Description`, `KmsKeyId`,
+   * and `ReplicaRegions` (re-shaping `ReplicationStatus[]` to CFn's
+   * `[{Region, KmsKeyId}]`).
+   *
+   * Intentionally omitted:
+   *   - `SecretString` / `GenerateSecretString`: `DescribeSecret` does not
+   *     return the secret value (that's `GetSecretValue`, which we never
+   *     call to avoid surfacing plaintext through drift). Cdkd state holds
+   *     the user-supplied string verbatim; comparing against AWS would
+   *     require pulling the value, so this is deliberately deferred.
+   *   - `Tags`: `DescribeSecret` returns Tags, but the auto-injected
+   *     `aws:cdk:path` tag-shape question is out of scope here.
+   *
+   * Returns `undefined` when the secret is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.smClient.send(new DescribeSecretCommand({ SecretId: physicalId }));
+      const result = {};
+      if (resp.Name !== void 0)
+        result["Name"] = resp.Name;
+      if (resp.Description !== void 0 && resp.Description !== "") {
+        result["Description"] = resp.Description;
+      }
+      if (resp.KmsKeyId !== void 0)
+        result["KmsKeyId"] = resp.KmsKeyId;
+      if (resp.ReplicationStatus && resp.ReplicationStatus.length > 0) {
+        result["ReplicaRegions"] = resp.ReplicationStatus.map((r) => {
+          const out = {};
+          if (r.Region)
+            out["Region"] = r.Region;
+          if (r.KmsKeyId)
+            out["KmsKeyId"] = r.KmsKeyId;
+          return out;
+        });
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException8)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing Secrets Manager secret into cdkd state.
    *
@@ -16802,6 +16848,74 @@ var SSMParameterProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current SSM parameter configuration in CFn-property shape.
+   *
+   * Issues `GetParameter` (with `WithDecryption: false` so SecureString
+   * values stay encrypted on the wire) for `Type` / `Value` / `DataType`,
+   * then `DescribeParameters` filtered on the parameter name to fetch
+   * metadata (`Description`, `AllowedPattern`, `Tier`) that `GetParameter`
+   * does not return.
+   *
+   * `Name` is set to the physical id. `Tags` and `Policies` are intentionally
+   * out of scope (`Tags` requires a separate `ListTagsForResource` round-trip
+   * and the auto-injected `aws:cdk:path` tag-shape question is unresolved;
+   * `Policies` is returned by `DescribeParameters.Policies` as a structured
+   * array but cdkd state holds the raw JSON string the user typed — comparing
+   * the two accurately needs more work).
+   *
+   * **Note**: For `SecureString` parameters, AWS returns the encrypted
+   * blob in `Value` (we pass `WithDecryption: false`). cdkd state usually
+   * holds the plaintext value the user typed in their CDK app, so a
+   * SecureString parameter will surface as `Value` drift on every run.
+   * That's the correct conservative behavior — surfacing the discrepancy
+   * is more useful than silently masking it.
+   *
+   * Returns `undefined` when the parameter is gone (`ParameterNotFound`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let getResp;
+    try {
+      getResp = await this.ssmClient.send(
+        new GetParameterCommand3({ Name: physicalId, WithDecryption: false })
+      );
+    } catch (err) {
+      if (err instanceof ParameterNotFound)
+        return void 0;
+      throw err;
+    }
+    const param = getResp.Parameter;
+    if (!param)
+      return void 0;
+    const result = { Name: physicalId };
+    if (param.Type !== void 0)
+      result["Type"] = param.Type;
+    if (param.Value !== void 0)
+      result["Value"] = param.Value;
+    if (param.DataType !== void 0)
+      result["DataType"] = param.DataType;
+    try {
+      const desc = await this.ssmClient.send(
+        new DescribeParametersCommand({
+          ParameterFilters: [{ Key: "Name", Values: [physicalId] }]
+        })
+      );
+      const meta = desc.Parameters?.[0];
+      if (meta) {
+        if (meta.Description !== void 0 && meta.Description !== "") {
+          result["Description"] = meta.Description;
+        }
+        if (meta.AllowedPattern !== void 0 && meta.AllowedPattern !== "") {
+          result["AllowedPattern"] = meta.AllowedPattern;
+        }
+        if (meta.Tier !== void 0) {
+          result["Tier"] = meta.Tier;
+        }
+      }
+    } catch {
+    }
+    return result;
+  }
   /**
    * Adopt an existing SSM parameter into cdkd state.
    *
@@ -17132,6 +17246,78 @@ var EventBridgeRuleProvider = class {
     }
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::Events::Rule`);
   }
+  /**
+   * Read the AWS-current EventBridge rule configuration in CFn-property shape.
+   *
+   * Issues `DescribeRule` for the rule's main config, then a separate
+   * `ListTargetsByRule` for `Targets`.
+   *
+   * Surfaced keys (when present): `Name`, `Description`, `EventBusName`,
+   * `EventPattern` (parsed from JSON string back to object — cdkd state holds
+   * it as the user typed it, typically an object), `ScheduleExpression`,
+   * `State`, `RoleArn`, `Targets` (CFn shape `[{Id, Arn, ...}]`).
+   *
+   * `Tags` is omitted (separate `ListTagsForResource` round-trip; auto-injected
+   * `aws:cdk:path` tag-shape question is out of scope here).
+   *
+   * Returns `undefined` when the rule is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    const ruleName = this.extractRuleNameFromArn(physicalId);
+    const eventBusName = this.extractBusNameFromArn(physicalId);
+    let resp;
+    try {
+      resp = await this.eventBridgeClient.send(
+        new DescribeRuleCommand({
+          Name: ruleName,
+          ...eventBusName && eventBusName !== "default" ? { EventBusName: eventBusName } : {}
+        })
+      );
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException9)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (resp.Name !== void 0)
+      result["Name"] = resp.Name;
+    if (resp.Description !== void 0 && resp.Description !== "") {
+      result["Description"] = resp.Description;
+    }
+    if (resp.EventBusName !== void 0 && resp.EventBusName !== "default") {
+      result["EventBusName"] = resp.EventBusName;
+    }
+    if (resp.EventPattern !== void 0) {
+      try {
+        result["EventPattern"] = JSON.parse(resp.EventPattern);
+      } catch {
+        result["EventPattern"] = resp.EventPattern;
+      }
+    }
+    if (resp.ScheduleExpression !== void 0) {
+      result["ScheduleExpression"] = resp.ScheduleExpression;
+    }
+    if (resp.State !== void 0)
+      result["State"] = resp.State;
+    if (resp.RoleArn !== void 0)
+      result["RoleArn"] = resp.RoleArn;
+    try {
+      const targetsResp = await this.eventBridgeClient.send(
+        new ListTargetsByRuleCommand({
+          Rule: ruleName,
+          ...eventBusName && eventBusName !== "default" ? { EventBusName: eventBusName } : {}
+        })
+      );
+      if (targetsResp.Targets && targetsResp.Targets.length > 0) {
+        result["Targets"] = targetsResp.Targets;
+      }
+    } catch (err) {
+      if (!(err instanceof ResourceNotFoundException9)) {
+        throw err;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing EventBridge rule into cdkd state.
    *
@@ -17224,6 +17410,22 @@ var EventBridgeRuleProvider = class {
     const parts = arn.split("/");
     return parts[parts.length - 1] ?? arn;
   }
+  /**
+   * Extract the event bus name from a rule ARN.
+   *
+   * ARN format: `arn:aws:events:region:account:rule/rule-name` (default bus, returns 'default')
+   *          or `arn:aws:events:region:account:rule/bus-name/rule-name` (custom bus).
+   *
+   * Returns `undefined` when the input is not an ARN (we can't tell which bus).
+   */
+  extractBusNameFromArn(arn) {
+    if (!arn.startsWith("arn:"))
+      return void 0;
+    const parts = arn.split("/");
+    if (parts.length === 3)
+      return parts[1];
+    return "default";
+  }
 };
 
 // src/provisioning/providers/eventbridge-bus-provider.ts
@@ -17475,6 +17677,53 @@ var EventBridgeBusProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current EventBus configuration in CFn-property shape.
+   *
+   * Issues `DescribeEventBus` and surfaces `Name`, `Description`,
+   * `KmsKeyIdentifier`, `DeadLetterConfig`, and `Policy` (the latter is a
+   * JSON string in `DescribeEventBus.Policy`; cdkd state holds it the way
+   * the user typed it, which may be either an object or a string — the
+   * comparator handles either side).
+   *
+   * `Tags` and `EventSourceName` are intentionally omitted: tags require a
+   * separate `ListTagsForResource` round-trip and the auto-injected
+   * `aws:cdk:path` tag-shape question is out of scope; `EventSourceName`
+   * is set at create time only and not surfaced by `DescribeEventBus`.
+   *
+   * Returns `undefined` when the bus is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.eventBridgeClient.send(
+        new DescribeEventBusCommand({ Name: physicalId })
+      );
+      const result = {};
+      if (resp.Name !== void 0)
+        result["Name"] = resp.Name;
+      if (resp.Description !== void 0 && resp.Description !== "") {
+        result["Description"] = resp.Description;
+      }
+      if (resp.KmsKeyIdentifier !== void 0) {
+        result["KmsKeyIdentifier"] = resp.KmsKeyIdentifier;
+      }
+      if (resp.DeadLetterConfig?.Arn) {
+        result["DeadLetterConfig"] = { Arn: resp.DeadLetterConfig.Arn };
+      }
+      if (resp.Policy) {
+        try {
+          result["Policy"] = JSON.parse(resp.Policy);
+        } catch {
+          result["Policy"] = resp.Policy;
+        }
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException10)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing EventBridge event bus into cdkd state.
    *
@@ -19728,6 +19977,7 @@ var EC2Provider = class {
 // src/provisioning/providers/apigateway-provider.ts
 import {
   UpdateAccountCommand,
+  GetAccountCommand,
   CreateResourceCommand as CreateResourceCommand2,
   DeleteResourceCommand as DeleteResourceCommand2,
   CreateDeploymentCommand,
@@ -19737,6 +19987,7 @@ import {
   DeleteStageCommand,
   PutMethodCommand,
   DeleteMethodCommand,
+  GetMethodCommand,
   PutIntegrationCommand,
   PutMethodResponseCommand,
   CreateAuthorizerCommand,
@@ -20727,6 +20978,81 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
     }
     return result;
   }
+  /**
+   * Read the AWS-current API Gateway resource configuration in CFn-property
+   * shape.
+   *
+   * **Coverage**:
+   *   - `AWS::ApiGateway::Account` → `GetAccount` for `CloudWatchRoleArn`.
+   *   - `AWS::ApiGateway::Method` → `GetMethod`. PhysicalId is the composite
+   *     `restApiId|resourceId|httpMethod`, so we have everything needed
+   *     without `Properties`.
+   *
+   * **Out of scope** (returns `undefined`, falls back to "drift unknown"):
+   *   - `AWS::ApiGateway::Authorizer` / `Resource` / `Deployment` / `Stage`:
+   *     each needs the parent `RestApiId` to issue a `Get*` call, but cdkd's
+   *     `readCurrentState` interface does not pass `Properties` (only the
+   *     physicalId, which for these types is just the sub-resource id).
+   *     CC API drift detection picks up `AWS::ApiGateway::RestApi` itself
+   *     once the user works through the SDK provider boundary; per-sub
+   *     drift detection here would need a contract change.
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::ApiGateway::Account":
+        return this.readCurrentStateAccount();
+      case "AWS::ApiGateway::Method":
+        return this.readCurrentStateMethod(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateAccount() {
+    try {
+      const resp = await this.apiGatewayClient.send(new GetAccountCommand({}));
+      const result = {};
+      if (resp.cloudwatchRoleArn !== void 0) {
+        result["CloudWatchRoleArn"] = resp.cloudwatchRoleArn;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
+  async readCurrentStateMethod(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length !== 3)
+      return void 0;
+    const [restApiId, resourceId, httpMethod] = parts;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetMethodCommand({ restApiId, resourceId, httpMethod })
+      );
+      const result = {};
+      if (restApiId !== void 0)
+        result["RestApiId"] = restApiId;
+      if (resourceId !== void 0)
+        result["ResourceId"] = resourceId;
+      if (resp.httpMethod !== void 0)
+        result["HttpMethod"] = resp.httpMethod;
+      if (resp.authorizationType !== void 0) {
+        result["AuthorizationType"] = resp.authorizationType;
+      }
+      if (resp.authorizerId !== void 0)
+        result["AuthorizerId"] = resp.authorizerId;
+      if (resp.methodIntegration)
+        result["Integration"] = resp.methodIntegration;
+      if (resp.methodResponses)
+        result["MethodResponses"] = resp.methodResponses;
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing API Gateway sub-resource into cdkd state.
    *
@@ -21303,6 +21629,45 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
+  // ─── Drift detection ──────────────────────────────────────────────
+  /**
+   * Read the AWS-current API Gateway V2 resource configuration in
+   * CFn-property shape.
+   *
+   * **Coverage**:
+   *   - `AWS::ApiGatewayV2::Api` → `GetApi`. PhysicalId is the apiId,
+   *     self-sufficient.
+   *
+   * **Out of scope** (returns `undefined`, falls back to "drift unknown"):
+   *   - `AWS::ApiGatewayV2::Stage` / `Integration` / `Route` / `Authorizer`:
+   *     each needs the parent `ApiId` to issue a `Get*` call, but cdkd's
+   *     `readCurrentState` interface does not pass `Properties` (only the
+   *     physicalId, which for these types is just the sub-resource id).
+   *     Per-sub drift detection here would need a contract change.
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    if (resourceType !== "AWS::ApiGatewayV2::Api") {
+      return void 0;
+    }
+    try {
+      const resp = await this.getClient().send(new GetApiCommand({ ApiId: physicalId }));
+      const result = {};
+      if (resp.Name !== void 0)
+        result["Name"] = resp.Name;
+      if (resp.ProtocolType !== void 0)
+        result["ProtocolType"] = resp.ProtocolType;
+      if (resp.Description !== void 0 && resp.Description !== "") {
+        result["Description"] = resp.Description;
+      }
+      if (resp.CorsConfiguration)
+        result["CorsConfiguration"] = resp.CorsConfiguration;
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
   // ─── Import ───────────────────────────────────────────────────────
   /**
    * Adopt an existing API Gateway V2 resource into cdkd state.
@@ -21516,6 +21881,36 @@ var CloudFrontOAIProvider = class {
       `Unsupported attribute: ${attributeName} for AWS::CloudFront::CloudFrontOriginAccessIdentity`
     );
   }
+  /**
+   * Read the AWS-current OAI configuration in CFn-property shape.
+   *
+   * Issues a single `GetCloudFrontOriginAccessIdentity` and surfaces the
+   * `CloudFrontOriginAccessIdentityConfig.Comment` key — the only
+   * cdkd-managed property (CallerReference is set by cdkd itself and is
+   * not part of the user-configurable surface).
+   *
+   * Returns `undefined` when the OAI is gone (`NoSuchCloudFrontOriginAccessIdentity`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      const resp = await this.cloudFrontClient.send(
+        new GetCloudFrontOriginAccessIdentityCommand2({ Id: physicalId })
+      );
+      const config = resp.CloudFrontOriginAccessIdentity?.CloudFrontOriginAccessIdentityConfig;
+      if (!config)
+        return void 0;
+      const inner = {};
+      if (config.Comment !== void 0)
+        inner["Comment"] = config.Comment;
+      return {
+        CloudFrontOriginAccessIdentityConfig: inner
+      };
+    } catch (err) {
+      if (err instanceof NoSuchCloudFrontOriginAccessIdentity)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing CloudFront Origin Access Identity into cdkd state.
    *
@@ -22472,6 +22867,95 @@ var StepFunctionsProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Step Functions state machine config in CFn-property
+   * shape.
+   *
+   * Issues a single `DescribeStateMachine` and surfaces:
+   *   - `StateMachineName` (`name`)
+   *   - `RoleArn` (`roleArn`)
+   *   - `StateMachineType` (`type`)
+   *   - `LoggingConfiguration` / `TracingConfiguration` / `EncryptionConfiguration`
+   *     (re-mapped to CFn PascalCase)
+   *   - `Definition` (parsed from JSON; cdkd state may hold either the
+   *     stringified `DefinitionString` or the object `Definition`, so we
+   *     surface as the object form — the comparator handles either side).
+   *
+   * `DefinitionSubstitutions` is omitted because they are applied at create
+   * time and not surfaced by `DescribeStateMachine` (the response carries
+   * the already-substituted definition).
+   *
+   * `Tags` is omitted (separate `ListTagsForResource` round-trip; auto-injected
+   * `aws:cdk:path` tag-shape question is out of scope here).
+   *
+   * Returns `undefined` when the state machine is gone (`StateMachineDoesNotExist`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeStateMachineCommand({ stateMachineArn: physicalId })
+      );
+    } catch (err) {
+      if (err instanceof StateMachineDoesNotExist)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (resp.name !== void 0)
+      result["StateMachineName"] = resp.name;
+    if (resp.roleArn !== void 0)
+      result["RoleArn"] = resp.roleArn;
+    if (resp.type !== void 0)
+      result["StateMachineType"] = resp.type;
+    if (resp.definition !== void 0) {
+      try {
+        result["Definition"] = JSON.parse(resp.definition);
+      } catch {
+        result["Definition"] = resp.definition;
+      }
+    }
+    if (resp.loggingConfiguration) {
+      const lc = {};
+      if (resp.loggingConfiguration.level !== void 0) {
+        lc["Level"] = resp.loggingConfiguration.level;
+      }
+      if (resp.loggingConfiguration.includeExecutionData !== void 0) {
+        lc["IncludeExecutionData"] = resp.loggingConfiguration.includeExecutionData;
+      }
+      if (resp.loggingConfiguration.destinations) {
+        lc["Destinations"] = resp.loggingConfiguration.destinations.map((d) => {
+          const inner = {};
+          if (d.cloudWatchLogsLogGroup?.logGroupArn) {
+            inner["CloudWatchLogsLogGroup"] = {
+              LogGroupArn: d.cloudWatchLogsLogGroup.logGroupArn
+            };
+          }
+          return inner;
+        });
+      }
+      if (Object.keys(lc).length > 0)
+        result["LoggingConfiguration"] = lc;
+    }
+    if (resp.tracingConfiguration?.enabled !== void 0) {
+      result["TracingConfiguration"] = { Enabled: resp.tracingConfiguration.enabled };
+    }
+    if (resp.encryptionConfiguration) {
+      const ec = {};
+      if (resp.encryptionConfiguration.type !== void 0) {
+        ec["Type"] = resp.encryptionConfiguration.type;
+      }
+      if (resp.encryptionConfiguration.kmsKeyId !== void 0) {
+        ec["KmsKeyId"] = resp.encryptionConfiguration.kmsKeyId;
+      }
+      if (resp.encryptionConfiguration.kmsDataKeyReusePeriodSeconds !== void 0) {
+        ec["KmsDataKeyReusePeriodSeconds"] = resp.encryptionConfiguration.kmsDataKeyReusePeriodSeconds;
+      }
+      if (Object.keys(ec).length > 0)
+        result["EncryptionConfiguration"] = ec;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Step Functions state machine into cdkd state.
    *
@@ -23301,6 +23785,173 @@ var ECSProvider = class {
     }
     return false;
   }
+  /**
+   * Read the AWS-current ECS resource configuration in CFn-property shape.
+   *
+   * Dispatches by resource type:
+   *   - `AWS::ECS::Cluster` → `DescribeClusters`
+   *   - `AWS::ECS::Service` → `DescribeServices`. Service physicalIds use
+   *     the composite form `<clusterArn>|<serviceName>`; we split on `|`.
+   *   - `AWS::ECS::TaskDefinition` → `DescribeTaskDefinition`
+   *
+   * Each branch surfaces only the keys cdkd's `create()` accepts, mapping
+   * the SDK's camelCase to CFn PascalCase. Tags are intentionally omitted
+   * (separate `ListTagsForResource` round-trip).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::ECS::Cluster":
+        return this.readCurrentStateCluster(physicalId);
+      case "AWS::ECS::Service":
+        return this.readCurrentStateService(physicalId);
+      case "AWS::ECS::TaskDefinition":
+        return this.readCurrentStateTaskDefinition(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateCluster(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeClustersCommand({ clusters: [physicalId] })
+      );
+    } catch {
+      return void 0;
+    }
+    const c = resp.clusters?.[0];
+    if (!c || !c.clusterName)
+      return void 0;
+    const result = { ClusterName: c.clusterName };
+    if (c.capacityProviders && c.capacityProviders.length > 0) {
+      result["CapacityProviders"] = [...c.capacityProviders];
+    }
+    if (c.defaultCapacityProviderStrategy && c.defaultCapacityProviderStrategy.length > 0) {
+      result["DefaultCapacityProviderStrategy"] = c.defaultCapacityProviderStrategy;
+    }
+    if (c.configuration)
+      result["Configuration"] = c.configuration;
+    if (c.settings && c.settings.length > 0) {
+      result["ClusterSettings"] = c.settings.map((s) => ({
+        Name: s.name,
+        Value: s.value
+      }));
+    }
+    return result;
+  }
+  async readCurrentStateService(physicalId) {
+    const sep = physicalId.indexOf("|");
+    if (sep < 0)
+      return void 0;
+    const clusterArn = physicalId.substring(0, sep);
+    const serviceName = physicalId.substring(sep + 1);
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeServicesCommand({ cluster: clusterArn, services: [serviceName] })
+      );
+    } catch {
+      return void 0;
+    }
+    const s = resp.services?.[0];
+    if (!s || !s.serviceName)
+      return void 0;
+    const result = {};
+    if (s.serviceName !== void 0)
+      result["ServiceName"] = s.serviceName;
+    if (s.clusterArn !== void 0)
+      result["Cluster"] = s.clusterArn;
+    if (s.taskDefinition !== void 0)
+      result["TaskDefinition"] = s.taskDefinition;
+    if (s.desiredCount !== void 0)
+      result["DesiredCount"] = s.desiredCount;
+    if (s.launchType !== void 0)
+      result["LaunchType"] = s.launchType;
+    if (s.platformVersion !== void 0)
+      result["PlatformVersion"] = s.platformVersion;
+    if (s.schedulingStrategy !== void 0)
+      result["SchedulingStrategy"] = s.schedulingStrategy;
+    if (s.propagateTags !== void 0)
+      result["PropagateTags"] = s.propagateTags;
+    if (s.enableECSManagedTags !== void 0) {
+      result["EnableECSManagedTags"] = s.enableECSManagedTags;
+    }
+    if (s.enableExecuteCommand !== void 0) {
+      result["EnableExecuteCommand"] = s.enableExecuteCommand;
+    }
+    if (s.healthCheckGracePeriodSeconds !== void 0) {
+      result["HealthCheckGracePeriodSeconds"] = s.healthCheckGracePeriodSeconds;
+    }
+    if (s.networkConfiguration)
+      result["NetworkConfiguration"] = s.networkConfiguration;
+    if (s.loadBalancers && s.loadBalancers.length > 0) {
+      result["LoadBalancers"] = s.loadBalancers;
+    }
+    if (s.capacityProviderStrategy && s.capacityProviderStrategy.length > 0) {
+      result["CapacityProviderStrategy"] = s.capacityProviderStrategy;
+    }
+    if (s.deploymentConfiguration)
+      result["DeploymentConfiguration"] = s.deploymentConfiguration;
+    if (s.placementConstraints && s.placementConstraints.length > 0) {
+      result["PlacementConstraints"] = s.placementConstraints;
+    }
+    if (s.placementStrategy && s.placementStrategy.length > 0) {
+      result["PlacementStrategy"] = s.placementStrategy;
+    }
+    if (s.serviceRegistries && s.serviceRegistries.length > 0) {
+      result["ServiceRegistries"] = s.serviceRegistries;
+    }
+    return result;
+  }
+  async readCurrentStateTaskDefinition(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeTaskDefinitionCommand({ taskDefinition: physicalId })
+      );
+    } catch {
+      return void 0;
+    }
+    const td = resp.taskDefinition;
+    if (!td)
+      return void 0;
+    const result = {};
+    if (td.family !== void 0)
+      result["Family"] = td.family;
+    if (td.cpu !== void 0)
+      result["Cpu"] = td.cpu;
+    if (td.memory !== void 0)
+      result["Memory"] = td.memory;
+    if (td.networkMode !== void 0)
+      result["NetworkMode"] = td.networkMode;
+    if (td.requiresCompatibilities && td.requiresCompatibilities.length > 0) {
+      result["RequiresCompatibilities"] = [...td.requiresCompatibilities];
+    }
+    if (td.executionRoleArn !== void 0)
+      result["ExecutionRoleArn"] = td.executionRoleArn;
+    if (td.taskRoleArn !== void 0)
+      result["TaskRoleArn"] = td.taskRoleArn;
+    if (td.volumes && td.volumes.length > 0)
+      result["Volumes"] = td.volumes;
+    if (td.placementConstraints && td.placementConstraints.length > 0) {
+      result["PlacementConstraints"] = td.placementConstraints;
+    }
+    if (td.runtimePlatform)
+      result["RuntimePlatform"] = td.runtimePlatform;
+    if (td.proxyConfiguration)
+      result["ProxyConfiguration"] = td.proxyConfiguration;
+    if (td.pidMode !== void 0)
+      result["PidMode"] = td.pidMode;
+    if (td.ipcMode !== void 0)
+      result["IpcMode"] = td.ipcMode;
+    if (td.ephemeralStorage?.sizeInGiB !== void 0) {
+      result["EphemeralStorage"] = { SizeInGiB: td.ephemeralStorage.sizeInGiB };
+    }
+    if (td.containerDefinitions && td.containerDefinitions.length > 0) {
+      result["ContainerDefinitions"] = td.containerDefinitions;
+    }
+    return result;
+  }
   /**
    * Adopt an existing ECS resource into cdkd state.
    *
@@ -24675,6 +25326,146 @@ var RDSProvider = class {
         return null;
     }
   }
+  /**
+   * Read the AWS-current RDS resource configuration in CFn-property shape.
+   *
+   * Dispatches by resource type:
+   *   - `AWS::RDS::DBInstance` → `DescribeDBInstances`
+   *   - `AWS::RDS::DBCluster` → `DescribeDBClusters`
+   *   - `AWS::RDS::DBSubnetGroup` → `DescribeDBSubnetGroups`
+   *
+   * Each branch surfaces only the keys cdkd's `create()` accepts. Sensitive
+   * fields like `MasterUserPassword` are NEVER surfaced (RDS does not return
+   * them in the Describe responses). `Tags` are intentionally omitted
+   * (separate `ListTagsForResource` round-trip).
+   *
+   * Returns `undefined` when the resource is gone (`*NotFoundFault`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::RDS::DBInstance":
+        return this.readCurrentStateDBInstance(physicalId);
+      case "AWS::RDS::DBCluster":
+        return this.readCurrentStateDBCluster(physicalId);
+      case "AWS::RDS::DBSubnetGroup":
+        return this.readCurrentStateDBSubnetGroup(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateDBInstance(physicalId) {
+    let inst;
+    try {
+      inst = await this.describeDBInstance(physicalId);
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBInstanceNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!inst)
+      return void 0;
+    const result = {};
+    if (inst.DBInstanceIdentifier !== void 0) {
+      result["DBInstanceIdentifier"] = inst.DBInstanceIdentifier;
+    }
+    if (inst.DBInstanceClass !== void 0)
+      result["DBInstanceClass"] = inst.DBInstanceClass;
+    if (inst.Engine !== void 0)
+      result["Engine"] = inst.Engine;
+    if (inst.DBClusterIdentifier !== void 0) {
+      result["DBClusterIdentifier"] = inst.DBClusterIdentifier;
+    }
+    if (inst.DBSubnetGroup?.DBSubnetGroupName !== void 0) {
+      result["DBSubnetGroupName"] = inst.DBSubnetGroup.DBSubnetGroupName;
+    }
+    if (inst.PubliclyAccessible !== void 0) {
+      result["PubliclyAccessible"] = inst.PubliclyAccessible;
+    }
+    return result;
+  }
+  async readCurrentStateDBCluster(physicalId) {
+    let cluster;
+    try {
+      cluster = await this.describeDBCluster(physicalId);
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBClusterNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!cluster)
+      return void 0;
+    const result = {};
+    if (cluster.DBClusterIdentifier !== void 0) {
+      result["DBClusterIdentifier"] = cluster.DBClusterIdentifier;
+    }
+    if (cluster.Engine !== void 0)
+      result["Engine"] = cluster.Engine;
+    if (cluster.EngineVersion !== void 0)
+      result["EngineVersion"] = cluster.EngineVersion;
+    if (cluster.MasterUsername !== void 0)
+      result["MasterUsername"] = cluster.MasterUsername;
+    if (cluster.DatabaseName !== void 0)
+      result["DatabaseName"] = cluster.DatabaseName;
+    if (cluster.Port !== void 0)
+      result["Port"] = cluster.Port;
+    if (cluster.VpcSecurityGroups && cluster.VpcSecurityGroups.length > 0) {
+      result["VpcSecurityGroupIds"] = cluster.VpcSecurityGroups.map(
+        (sg) => sg.VpcSecurityGroupId
+      ).filter((id) => !!id);
+    }
+    if (cluster.DBSubnetGroup !== void 0)
+      result["DBSubnetGroupName"] = cluster.DBSubnetGroup;
+    if (cluster.StorageEncrypted !== void 0) {
+      result["StorageEncrypted"] = cluster.StorageEncrypted;
+    }
+    if (cluster.KmsKeyId !== void 0)
+      result["KmsKeyId"] = cluster.KmsKeyId;
+    if (cluster.BackupRetentionPeriod !== void 0) {
+      result["BackupRetentionPeriod"] = cluster.BackupRetentionPeriod;
+    }
+    if (cluster.DeletionProtection !== void 0) {
+      result["DeletionProtection"] = cluster.DeletionProtection;
+    }
+    if (cluster.ServerlessV2ScalingConfiguration) {
+      const sc = {};
+      if (cluster.ServerlessV2ScalingConfiguration.MinCapacity !== void 0) {
+        sc["MinCapacity"] = cluster.ServerlessV2ScalingConfiguration.MinCapacity;
+      }
+      if (cluster.ServerlessV2ScalingConfiguration.MaxCapacity !== void 0) {
+        sc["MaxCapacity"] = cluster.ServerlessV2ScalingConfiguration.MaxCapacity;
+      }
+      if (Object.keys(sc).length > 0)
+        result["ServerlessV2ScalingConfiguration"] = sc;
+    }
+    return result;
+  }
+  async readCurrentStateDBSubnetGroup(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeDBSubnetGroupsCommand({ DBSubnetGroupName: physicalId })
+      );
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBSubnetGroupNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    const sg = resp.DBSubnetGroups?.[0];
+    if (!sg)
+      return void 0;
+    const result = {};
+    if (sg.DBSubnetGroupName !== void 0)
+      result["DBSubnetGroupName"] = sg.DBSubnetGroupName;
+    if (sg.DBSubnetGroupDescription !== void 0) {
+      result["DBSubnetGroupDescription"] = sg.DBSubnetGroupDescription;
+    }
+    if (sg.Subnets && sg.Subnets.length > 0) {
+      result["SubnetIds"] = sg.Subnets.map((s) => s.SubnetIdentifier).filter(
+        (id) => !!id
+      );
+    }
+    return result;
+  }
   async importDBInstance(input) {
     const explicit = resolveExplicitPhysicalId(input, "DBInstanceIdentifier");
     if (explicit) {
@@ -26127,6 +26918,98 @@ var CognitoUserPoolProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Cognito User Pool configuration in CFn-property shape.
+   *
+   * Issues `DescribeUserPool` and surfaces the keys cdkd's `create()` accepts.
+   * AWS-managed fields (Arn, Id, CreationDate, LastModifiedDate, EstimatedNumberOfUsers,
+   * etc.) are filtered at the wire layer.
+   *
+   * **Note**: Cognito only supports `AWS::Cognito::UserPool` in this provider;
+   * `UserPoolClient`, `UserPoolGroup`, and other Cognito sub-resources go
+   * through the CC API fallback (which has its own `readCurrentState`).
+   *
+   * `UserPoolTags` is intentionally omitted (Cognito returns tags via a
+   * separate `ListTagsForResource` round-trip; auto-injected `aws:cdk:path`
+   * tag-shape question is out of scope here).
+   *
+   * Returns `undefined` when the pool is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    if (resourceType !== "AWS::Cognito::UserPool")
+      return void 0;
+    let resp;
+    try {
+      resp = await this.getClient().send(new DescribeUserPoolCommand({ UserPoolId: physicalId }));
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException12)
+        return void 0;
+      throw err;
+    }
+    const pool = resp.UserPool;
+    if (!pool)
+      return void 0;
+    const result = {};
+    if (pool.Name !== void 0)
+      result["UserPoolName"] = pool.Name;
+    if (pool.AutoVerifiedAttributes && pool.AutoVerifiedAttributes.length > 0) {
+      result["AutoVerifiedAttributes"] = [...pool.AutoVerifiedAttributes];
+    }
+    if (pool.UsernameAttributes && pool.UsernameAttributes.length > 0) {
+      result["UsernameAttributes"] = [...pool.UsernameAttributes];
+    }
+    if (pool.AliasAttributes && pool.AliasAttributes.length > 0) {
+      result["AliasAttributes"] = [...pool.AliasAttributes];
+    }
+    if (pool.Policies)
+      result["Policies"] = pool.Policies;
+    if (pool.SchemaAttributes && pool.SchemaAttributes.length > 0) {
+      result["Schema"] = pool.SchemaAttributes;
+    }
+    if (pool.LambdaConfig && Object.keys(pool.LambdaConfig).length > 0) {
+      result["LambdaConfig"] = pool.LambdaConfig;
+    }
+    if (pool.MfaConfiguration !== void 0)
+      result["MfaConfiguration"] = pool.MfaConfiguration;
+    if (pool.AdminCreateUserConfig)
+      result["AdminCreateUserConfig"] = pool.AdminCreateUserConfig;
+    if (pool.AccountRecoverySetting) {
+      result["AccountRecoverySetting"] = pool.AccountRecoverySetting;
+    }
+    if (pool.UserAttributeUpdateSettings) {
+      result["UserAttributeUpdateSettings"] = pool.UserAttributeUpdateSettings;
+    }
+    if (pool.DeletionProtection !== void 0) {
+      result["DeletionProtection"] = pool.DeletionProtection;
+    }
+    if (pool.EmailConfiguration)
+      result["EmailConfiguration"] = pool.EmailConfiguration;
+    if (pool.SmsConfiguration)
+      result["SmsConfiguration"] = pool.SmsConfiguration;
+    if (pool.VerificationMessageTemplate) {
+      result["VerificationMessageTemplate"] = pool.VerificationMessageTemplate;
+    }
+    if (pool.UsernameConfiguration) {
+      result["UsernameConfiguration"] = pool.UsernameConfiguration;
+    }
+    if (pool.DeviceConfiguration)
+      result["DeviceConfiguration"] = pool.DeviceConfiguration;
+    if (pool.UserPoolAddOns)
+      result["UserPoolAddOns"] = pool.UserPoolAddOns;
+    if (pool.EmailVerificationMessage !== void 0) {
+      result["EmailVerificationMessage"] = pool.EmailVerificationMessage;
+    }
+    if (pool.EmailVerificationSubject !== void 0) {
+      result["EmailVerificationSubject"] = pool.EmailVerificationSubject;
+    }
+    if (pool.SmsAuthenticationMessage !== void 0) {
+      result["SmsAuthenticationMessage"] = pool.SmsAuthenticationMessage;
+    }
+    if (pool.SmsVerificationMessage !== void 0) {
+      result["SmsVerificationMessage"] = pool.SmsVerificationMessage;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Cognito User Pool into cdkd state.
    *
@@ -28700,6 +29583,88 @@ var KMSProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current KMS resource configuration in CFn-property shape.
+   *
+   * Dispatches by resource type:
+   *   - `AWS::KMS::Key` → `DescribeKey`. Surfaces `Description`, `KeySpec`,
+   *     `KeyUsage`, `Enabled`, `MultiRegion`, `Origin`. `KeyPolicy` is
+   *     intentionally NOT retrieved — `GetKeyPolicy` is a separate call
+   *     and the policy body needs JSON parsing for comparison; deferred
+   *     to a follow-up. `EnableKeyRotation` / `RotationPeriodInDays`
+   *     would require `GetKeyRotationStatus`; also deferred.
+   *   - `AWS::KMS::Alias` → `ListAliases` filtered to the alias name.
+   *     Surfaces `AliasName`, `TargetKeyId`. `ListAliases` is paginated
+   *     since there's no direct "describe one alias" API.
+   *
+   * `Tags` is intentionally omitted (separate `ListResourceTags` round-trip
+   * for keys; auto-injected `aws:cdk:path` tag-shape question is out of
+   * scope here). `BypassPolicyLockoutSafetyCheck` and `PendingWindowInDays`
+   * are not part of the persisted AWS state visible via `DescribeKey`.
+   *
+   * Returns `undefined` when the resource is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::KMS::Key":
+        return this.readCurrentStateKey(physicalId);
+      case "AWS::KMS::Alias":
+        return this.readCurrentStateAlias(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateKey(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeKeyCommand({ KeyId: physicalId })
+      );
+    } catch (err) {
+      if (err instanceof NotFoundException5)
+        return void 0;
+      throw err;
+    }
+    const md = resp.KeyMetadata;
+    if (!md)
+      return void 0;
+    const result = {};
+    if (md.Description !== void 0 && md.Description !== "") {
+      result["Description"] = md.Description;
+    }
+    if (md.KeySpec !== void 0)
+      result["KeySpec"] = md.KeySpec;
+    if (md.KeyUsage !== void 0)
+      result["KeyUsage"] = md.KeyUsage;
+    if (md.Enabled !== void 0)
+      result["Enabled"] = md.Enabled;
+    if (md.MultiRegion !== void 0)
+      result["MultiRegion"] = md.MultiRegion;
+    if (md.Origin !== void 0)
+      result["Origin"] = md.Origin;
+    return result;
+  }
+  async readCurrentStateAlias(physicalId) {
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new ListAliasesCommand2({ ...marker && { Marker: marker } })
+      );
+      const found = list.Aliases?.find(
+        (a) => a.AliasName === physicalId
+      );
+      if (found) {
+        const result = {};
+        if (found.AliasName)
+          result["AliasName"] = found.AliasName;
+        if (found.TargetKeyId)
+          result["TargetKeyId"] = found.TargetKeyId;
+        return result;
+      }
+      marker = list.NextMarker;
+    } while (marker);
+    return void 0;
+  }
   /**
    * Adopt an existing KMS key or alias into cdkd state.
    *
@@ -31712,12 +32677,14 @@ import {
   CreateRepositoryCommand,
   DeleteRepositoryCommand,
   DescribeRepositoriesCommand,
+  GetLifecyclePolicyCommand,
   PutLifecyclePolicyCommand,
   SetRepositoryPolicyCommand,
   PutImageScanningConfigurationCommand,
   PutImageTagMutabilityCommand,
   TagResourceCommand as TagResourceCommand7,
   ListTagsForResourceCommand as ListTagsForResourceCommand18,
+  LifecyclePolicyNotFoundException,
   RepositoryNotFoundException
 } from "@aws-sdk/client-ecr";
 var ECRProvider = class {
@@ -31951,6 +32918,82 @@ var ECRProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current ECR repository configuration in CFn-property shape.
+   *
+   * Issues `DescribeRepositories(filtered=[name])` for the repository's
+   * configuration, then a separate `GetLifecyclePolicy` for `LifecyclePolicy`
+   * (which `DescribeRepositories` doesn't return).
+   *
+   * Surfaced keys: `RepositoryName`, `ImageTagMutability`,
+   * `ImageScanningConfiguration`, `EncryptionConfiguration`, `LifecyclePolicy`
+   * (when configured — `LifecyclePolicyNotFoundException` is caught and the
+   * key omitted, NOT propagated as repo-gone).
+   *
+   * Intentionally omitted:
+   *   - `RepositoryPolicyText`: requires a separate `GetRepositoryPolicy`
+   *     round-trip; cdkd state holds the policy as either a string or an
+   *     object (depending on user input), and the comparator round-trip
+   *     is not yet handled here.
+   *   - `Tags`: requires `ListTagsForResource`; auto-injected
+   *     `aws:cdk:path` tag-shape question is out of scope.
+   *   - `EmptyOnDelete` / `ImageTagMutabilityExclusionFilters`: not part
+   *     of the persisted AWS state visible via standard Describe.
+   *
+   * Returns `undefined` when the repository is gone (`RepositoryNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let repo;
+    try {
+      repo = await this.getClient().send(
+        new DescribeRepositoriesCommand({ repositoryNames: [physicalId] })
+      );
+    } catch (err) {
+      if (err instanceof RepositoryNotFoundException)
+        return void 0;
+      throw err;
+    }
+    const r = repo.repositories?.[0];
+    if (!r)
+      return void 0;
+    const result = {};
+    if (r.repositoryName !== void 0)
+      result["RepositoryName"] = r.repositoryName;
+    if (r.imageTagMutability !== void 0)
+      result["ImageTagMutability"] = r.imageTagMutability;
+    if (r.imageScanningConfiguration) {
+      const inner = {};
+      if (r.imageScanningConfiguration.scanOnPush !== void 0) {
+        inner["ScanOnPush"] = r.imageScanningConfiguration.scanOnPush;
+      }
+      if (Object.keys(inner).length > 0)
+        result["ImageScanningConfiguration"] = inner;
+    }
+    if (r.encryptionConfiguration) {
+      const inner = {};
+      if (r.encryptionConfiguration.encryptionType !== void 0) {
+        inner["EncryptionType"] = r.encryptionConfiguration.encryptionType;
+      }
+      if (r.encryptionConfiguration.kmsKey !== void 0) {
+        inner["KmsKey"] = r.encryptionConfiguration.kmsKey;
+      }
+      if (Object.keys(inner).length > 0)
+        result["EncryptionConfiguration"] = inner;
+    }
+    try {
+      const lp = await this.getClient().send(
+        new GetLifecyclePolicyCommand({ repositoryName: physicalId })
+      );
+      if (lp.lifecyclePolicyText) {
+        result["LifecyclePolicy"] = { LifecyclePolicyText: lp.lifecyclePolicyText };
+      }
+    } catch (err) {
+      if (!(err instanceof LifecyclePolicyNotFoundException)) {
+        throw err;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing ECR repository into cdkd state.
    *
@@ -37826,7 +38869,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.38.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.39.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());