@go-to-k/cdkd 0.39.0 → 0.40.0

package/dist/cli.js

@@ -13207,6 +13207,7 @@ var SNSTopicProvider = class {
 import {
   SubscribeCommand,
   UnsubscribeCommand,
+  GetSubscriptionAttributesCommand,
   NotFoundException as NotFoundException2
 } from "@aws-sdk/client-sns";
 init_aws_clients();
@@ -13338,6 +13339,52 @@ var SNSSubscriptionProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current SNS Subscription configuration in CFn-property shape.
+   *
+   * Issues `GetSubscriptionAttributes`. AWS returns ALL attribute values
+   * as strings; we type-coerce `RawMessageDelivery` to a boolean and
+   * JSON-parse `FilterPolicy` so the comparator matches cdkd state's
+   * already-typed values. `TopicArn`, `Protocol`, `Endpoint` pass through
+   * as strings.
+   *
+   * Returns `undefined` when the subscription is gone (`NotFoundException`),
+   * including the special "PendingConfirmation" case where the
+   * `SubscriptionArn` has not yet been confirmed and `Attributes` is null.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let attributes;
+    try {
+      const resp = await this.snsClient.send(
+        new GetSubscriptionAttributesCommand({ SubscriptionArn: physicalId })
+      );
+      attributes = resp.Attributes;
+    } catch (err) {
+      if (err instanceof NotFoundException2)
+        return void 0;
+      throw err;
+    }
+    if (!attributes)
+      return void 0;
+    const result = {};
+    if (attributes["TopicArn"] !== void 0)
+      result["TopicArn"] = attributes["TopicArn"];
+    if (attributes["Protocol"] !== void 0)
+      result["Protocol"] = attributes["Protocol"];
+    if (attributes["Endpoint"] !== void 0)
+      result["Endpoint"] = attributes["Endpoint"];
+    if (attributes["RawMessageDelivery"] !== void 0) {
+      result["RawMessageDelivery"] = attributes["RawMessageDelivery"] === "true";
+    }
+    if (attributes["FilterPolicy"]) {
+      try {
+        result["FilterPolicy"] = JSON.parse(attributes["FilterPolicy"]);
+      } catch {
+        result["FilterPolicy"] = attributes["FilterPolicy"];
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing SNS subscription into cdkd state.
    *
@@ -16209,6 +16256,82 @@ var CloudWatchAlarmProvider = class {
    *  2. `DescribeAlarms` paginated, then `ListTagsForResource(AlarmArn)` per
    *     alarm to match `aws:cdk:path`.
    */
+  /**
+   * Read the AWS-current CloudWatch Alarm configuration in CFn-property shape.
+   *
+   * Issues `DescribeAlarms` filtered by `AlarmNames=[physicalId]` and
+   * surfaces the keys cdkd's `create()` accepts (`AlarmName`,
+   * `AlarmDescription`, `MetricName`, `Namespace`, `Statistic`,
+   * `ComparisonOperator`, `Threshold`, `EvaluationPeriods`, `Period`,
+   * `DatapointsToAlarm`, `ActionsEnabled`, `AlarmActions`,
+   * `OKActions`, `InsufficientDataActions`, `TreatMissingData`, `Unit`,
+   * `Dimensions`, `Metrics`).
+   *
+   * `DescribeAlarms` returns the result via either `MetricAlarms` (single-
+   * metric form) or `CompositeAlarms` (composite form). cdkd's provider
+   * only handles the single-metric form, so we look at `MetricAlarms` only.
+   *
+   * Returns `undefined` when the alarm is gone (no matching `MetricAlarms`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    const resp = await this.cloudWatchClient.send(
+      new DescribeAlarmsCommand({ AlarmNames: [physicalId], AlarmTypes: ["MetricAlarm"] })
+    );
+    const alarm = resp.MetricAlarms?.[0];
+    if (!alarm)
+      return void 0;
+    const result = {};
+    if (alarm.AlarmName !== void 0)
+      result["AlarmName"] = alarm.AlarmName;
+    if (alarm.AlarmDescription !== void 0 && alarm.AlarmDescription !== "") {
+      result["AlarmDescription"] = alarm.AlarmDescription;
+    }
+    if (alarm.MetricName !== void 0)
+      result["MetricName"] = alarm.MetricName;
+    if (alarm.Namespace !== void 0)
+      result["Namespace"] = alarm.Namespace;
+    if (alarm.Statistic !== void 0)
+      result["Statistic"] = alarm.Statistic;
+    if (alarm.ComparisonOperator !== void 0) {
+      result["ComparisonOperator"] = alarm.ComparisonOperator;
+    }
+    if (alarm.Threshold !== void 0)
+      result["Threshold"] = alarm.Threshold;
+    if (alarm.EvaluationPeriods !== void 0) {
+      result["EvaluationPeriods"] = alarm.EvaluationPeriods;
+    }
+    if (alarm.Period !== void 0)
+      result["Period"] = alarm.Period;
+    if (alarm.DatapointsToAlarm !== void 0) {
+      result["DatapointsToAlarm"] = alarm.DatapointsToAlarm;
+    }
+    if (alarm.ActionsEnabled !== void 0)
+      result["ActionsEnabled"] = alarm.ActionsEnabled;
+    if (alarm.AlarmActions && alarm.AlarmActions.length > 0) {
+      result["AlarmActions"] = [...alarm.AlarmActions];
+    }
+    if (alarm.OKActions && alarm.OKActions.length > 0) {
+      result["OKActions"] = [...alarm.OKActions];
+    }
+    if (alarm.InsufficientDataActions && alarm.InsufficientDataActions.length > 0) {
+      result["InsufficientDataActions"] = [...alarm.InsufficientDataActions];
+    }
+    if (alarm.TreatMissingData !== void 0) {
+      result["TreatMissingData"] = alarm.TreatMissingData;
+    }
+    if (alarm.Unit !== void 0)
+      result["Unit"] = alarm.Unit;
+    if (alarm.Dimensions && alarm.Dimensions.length > 0) {
+      result["Dimensions"] = alarm.Dimensions.map((d) => ({
+        ...d.Name !== void 0 ? { Name: d.Name } : {},
+        ...d.Value !== void 0 ? { Value: d.Value } : {}
+      }));
+    }
+    if (alarm.Metrics && alarm.Metrics.length > 0) {
+      result["Metrics"] = alarm.Metrics.map((m) => m);
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "AlarmName");
     if (explicit) {
@@ -24089,7 +24212,8 @@ import {
   DescribeTagsCommand,
   CreateListenerCommand,
   DeleteListenerCommand,
-  ModifyListenerCommand
+  ModifyListenerCommand,
+  DescribeListenersCommand as DescribeListenersCommand2
 } from "@aws-sdk/client-elastic-load-balancing-v2";
 var ELBv2Provider = class {
   elbv2Client;
@@ -24582,6 +24706,170 @@ var ELBv2Provider = class {
       return void 0;
     return certificates;
   }
+  /**
+   * Read the AWS-current ELBv2 resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `LoadBalancer` → `DescribeLoadBalancers` (Name, Subnets via
+   *    `AvailabilityZones[].SubnetId`, SecurityGroups, Scheme, Type,
+   *    IpAddressType). LoadBalancerAttributes is omitted for v1 — it
+   *    requires a separate `DescribeLoadBalancerAttributes` call and the
+   *    drift comparator only descends into keys present in state, so an
+   *    absent key cannot fire false drift.
+   *  - `TargetGroup` → `DescribeTargetGroups` (Protocol, Port, VpcId,
+   *    TargetType, ProtocolVersion, HealthCheck*, Matcher, Name).
+   *  - `Listener` → `DescribeListeners` (LoadBalancerArn, Certificates,
+   *    DefaultActions, Port, Protocol, SslPolicy).
+   *
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the resource is gone (`*NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::ElasticLoadBalancingV2::LoadBalancer":
+        return this.readLoadBalancer(physicalId);
+      case "AWS::ElasticLoadBalancingV2::TargetGroup":
+        return this.readTargetGroup(physicalId);
+      case "AWS::ElasticLoadBalancingV2::Listener":
+        return this.readListener(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readLoadBalancer(physicalId) {
+    let lb;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeLoadBalancersCommand2({ LoadBalancerArns: [physicalId] })
+      );
+      lb = resp.LoadBalancers?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+    if (!lb)
+      return void 0;
+    const result = {};
+    if (lb.LoadBalancerName !== void 0)
+      result["Name"] = lb.LoadBalancerName;
+    if (lb.AvailabilityZones && lb.AvailabilityZones.length > 0) {
+      const subnets = lb.AvailabilityZones.map((az) => az.SubnetId).filter(
+        (id) => !!id
+      );
+      if (subnets.length > 0)
+        result["Subnets"] = subnets;
+    }
+    if (lb.SecurityGroups && lb.SecurityGroups.length > 0) {
+      result["SecurityGroups"] = [...lb.SecurityGroups];
+    }
+    if (lb.Scheme !== void 0)
+      result["Scheme"] = lb.Scheme;
+    if (lb.Type !== void 0)
+      result["Type"] = lb.Type;
+    if (lb.IpAddressType !== void 0)
+      result["IpAddressType"] = lb.IpAddressType;
+    return result;
+  }
+  async readTargetGroup(physicalId) {
+    let tg;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeTargetGroupsCommand({ TargetGroupArns: [physicalId] })
+      );
+      tg = resp.TargetGroups?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+    if (!tg)
+      return void 0;
+    const result = {};
+    if (tg.TargetGroupName !== void 0)
+      result["Name"] = tg.TargetGroupName;
+    if (tg.Protocol !== void 0)
+      result["Protocol"] = tg.Protocol;
+    if (tg.Port !== void 0)
+      result["Port"] = tg.Port;
+    if (tg.VpcId !== void 0)
+      result["VpcId"] = tg.VpcId;
+    if (tg.TargetType !== void 0)
+      result["TargetType"] = tg.TargetType;
+    if (tg.ProtocolVersion !== void 0)
+      result["ProtocolVersion"] = tg.ProtocolVersion;
+    if (tg.HealthCheckProtocol !== void 0)
+      result["HealthCheckProtocol"] = tg.HealthCheckProtocol;
+    if (tg.HealthCheckPort !== void 0)
+      result["HealthCheckPort"] = tg.HealthCheckPort;
+    if (tg.HealthCheckPath !== void 0)
+      result["HealthCheckPath"] = tg.HealthCheckPath;
+    if (tg.HealthCheckEnabled !== void 0)
+      result["HealthCheckEnabled"] = tg.HealthCheckEnabled;
+    if (tg.HealthCheckIntervalSeconds !== void 0) {
+      result["HealthCheckIntervalSeconds"] = tg.HealthCheckIntervalSeconds;
+    }
+    if (tg.HealthCheckTimeoutSeconds !== void 0) {
+      result["HealthCheckTimeoutSeconds"] = tg.HealthCheckTimeoutSeconds;
+    }
+    if (tg.HealthyThresholdCount !== void 0) {
+      result["HealthyThresholdCount"] = tg.HealthyThresholdCount;
+    }
+    if (tg.UnhealthyThresholdCount !== void 0) {
+      result["UnhealthyThresholdCount"] = tg.UnhealthyThresholdCount;
+    }
+    if (tg.Matcher) {
+      const matcher = {};
+      if (tg.Matcher.HttpCode !== void 0)
+        matcher["HttpCode"] = tg.Matcher.HttpCode;
+      if (tg.Matcher.GrpcCode !== void 0)
+        matcher["GrpcCode"] = tg.Matcher.GrpcCode;
+      if (Object.keys(matcher).length > 0)
+        result["Matcher"] = matcher;
+    }
+    return result;
+  }
+  async readListener(physicalId) {
+    let listener;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeListenersCommand2({ ListenerArns: [physicalId] })
+      );
+      listener = resp.Listeners?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+    if (!listener)
+      return void 0;
+    const result = {};
+    if (listener.LoadBalancerArn !== void 0) {
+      result["LoadBalancerArn"] = listener.LoadBalancerArn;
+    }
+    if (listener.Port !== void 0)
+      result["Port"] = listener.Port;
+    if (listener.Protocol !== void 0)
+      result["Protocol"] = listener.Protocol;
+    if (listener.SslPolicy !== void 0)
+      result["SslPolicy"] = listener.SslPolicy;
+    if (listener.Certificates && listener.Certificates.length > 0) {
+      result["Certificates"] = listener.Certificates.map((c) => {
+        const out = {};
+        if (c.CertificateArn !== void 0)
+          out["CertificateArn"] = c.CertificateArn;
+        if (c.IsDefault !== void 0)
+          out["IsDefault"] = c.IsDefault;
+        return out;
+      });
+    }
+    if (listener.DefaultActions && listener.DefaultActions.length > 0) {
+      result["DefaultActions"] = listener.DefaultActions.map(
+        (a) => a
+      );
+    }
+    return result;
+  }
   /**
    * Adopt an existing ELBv2 LoadBalancer or TargetGroup into cdkd state.
    *
@@ -25589,6 +25877,7 @@ import {
   ListQueryLoggingConfigsCommand,
   ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2,
   ListHostedZonesCommand,
+  ListResourceRecordSetsCommand,
   ListTagsForResourceCommand as ListTagsForResourceCommand11
 } from "@aws-sdk/client-route-53";
 var Route53Provider = class {
@@ -26236,6 +26525,150 @@ var Route53Provider = class {
       physicalId
     );
   }
+  /**
+   * Read the AWS-current Route 53 resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `HostedZone` → `GetHostedZone` (Name, HostedZoneConfig{Comment,
+   *    PrivateZone}, VPCs from `VPCs[]`). Tags are skipped (CDK auto-tag
+   *    handling deferred); QueryLoggingConfig is skipped because it's a
+   *    separate `ListQueryLoggingConfigs` call and the v1 surface does
+   *    not surface it.
+   *  - `RecordSet` → `ListResourceRecordSets` filtered to the exact
+   *    `(name, type)` pair from the composite physicalId
+   *    (`{zoneId}|{name}|{type}`). Surfaces TTL, ResourceRecords (with
+   *    `[{Value}]` -> string[] re-shape to match cdkd state), AliasTarget,
+   *    Weight, Region, Failover, MultiValueAnswer, HealthCheckId,
+   *    GeoLocation, SetIdentifier.
+   *
+   * Returns `undefined` when the parent zone is gone (`NoSuchHostedZone`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::Route53::HostedZone":
+        return this.readHostedZone(physicalId);
+      case "AWS::Route53::RecordSet":
+        return this.readRecordSet(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readHostedZone(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(new GetHostedZoneCommand2({ Id: physicalId }));
+    } catch (err) {
+      if (err instanceof Error && err.name === "NoSuchHostedZone")
+        return void 0;
+      throw err;
+    }
+    if (!resp.HostedZone)
+      return void 0;
+    const result = {};
+    if (resp.HostedZone.Name !== void 0)
+      result["Name"] = resp.HostedZone.Name;
+    if (resp.HostedZone.Config) {
+      const cfg = {};
+      if (resp.HostedZone.Config.Comment !== void 0) {
+        cfg["Comment"] = resp.HostedZone.Config.Comment;
+      }
+      if (resp.HostedZone.Config.PrivateZone !== void 0) {
+        cfg["PrivateZone"] = resp.HostedZone.Config.PrivateZone;
+      }
+      if (Object.keys(cfg).length > 0)
+        result["HostedZoneConfig"] = cfg;
+    }
+    if (resp.VPCs && resp.VPCs.length > 0) {
+      result["VPCs"] = resp.VPCs.map((v) => {
+        const out = {};
+        if (v.VPCId !== void 0)
+          out["VPCId"] = v.VPCId;
+        if (v.VPCRegion !== void 0)
+          out["VPCRegion"] = v.VPCRegion;
+        return out;
+      });
+    }
+    return result;
+  }
+  async readRecordSet(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length < 3)
+      return void 0;
+    const [hostedZoneId, name, type] = parts;
+    if (!hostedZoneId || !name || !type)
+      return void 0;
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new ListResourceRecordSetsCommand({
+          HostedZoneId: hostedZoneId,
+          StartRecordName: name,
+          StartRecordType: type,
+          MaxItems: 1
+        })
+      );
+    } catch (err) {
+      if (err instanceof Error && err.name === "NoSuchHostedZone")
+        return void 0;
+      throw err;
+    }
+    const recordSet = resp.ResourceRecordSets?.find((r) => r.Name === name && r.Type === type);
+    if (!recordSet)
+      return void 0;
+    const result = {
+      HostedZoneId: hostedZoneId,
+      Name: name,
+      Type: type
+    };
+    if (recordSet.TTL !== void 0)
+      result["TTL"] = recordSet.TTL;
+    if (recordSet.ResourceRecords && recordSet.ResourceRecords.length > 0) {
+      result["ResourceRecords"] = recordSet.ResourceRecords.map((r) => r.Value).filter(
+        (v) => typeof v === "string"
+      );
+    }
+    if (recordSet.AliasTarget) {
+      const at = {};
+      if (recordSet.AliasTarget.HostedZoneId !== void 0) {
+        at["HostedZoneId"] = recordSet.AliasTarget.HostedZoneId;
+      }
+      if (recordSet.AliasTarget.DNSName !== void 0) {
+        at["DNSName"] = recordSet.AliasTarget.DNSName;
+      }
+      if (recordSet.AliasTarget.EvaluateTargetHealth !== void 0) {
+        at["EvaluateTargetHealth"] = recordSet.AliasTarget.EvaluateTargetHealth;
+      }
+      result["AliasTarget"] = at;
+    }
+    if (recordSet.SetIdentifier !== void 0)
+      result["SetIdentifier"] = recordSet.SetIdentifier;
+    if (recordSet.Weight !== void 0)
+      result["Weight"] = recordSet.Weight;
+    if (recordSet.Region !== void 0)
+      result["Region"] = recordSet.Region;
+    if (recordSet.Failover !== void 0)
+      result["Failover"] = recordSet.Failover;
+    if (recordSet.MultiValueAnswer !== void 0) {
+      result["MultiValueAnswer"] = recordSet.MultiValueAnswer;
+    }
+    if (recordSet.HealthCheckId !== void 0)
+      result["HealthCheckId"] = recordSet.HealthCheckId;
+    if (recordSet.GeoLocation) {
+      const geo = {};
+      if (recordSet.GeoLocation.ContinentCode !== void 0) {
+        geo["ContinentCode"] = recordSet.GeoLocation.ContinentCode;
+      }
+      if (recordSet.GeoLocation.CountryCode !== void 0) {
+        geo["CountryCode"] = recordSet.GeoLocation.CountryCode;
+      }
+      if (recordSet.GeoLocation.SubdivisionCode !== void 0) {
+        geo["SubdivisionCode"] = recordSet.GeoLocation.SubdivisionCode;
+      }
+      if (Object.keys(geo).length > 0)
+        result["GeoLocation"] = geo;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Route 53 resource into cdkd state.
    *
@@ -26524,6 +26957,75 @@ var WAFv2WebACLProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current WAFv2 WebACL configuration in CFn-property shape.
+   *
+   * The cdkd physicalId is the WebACL ARN; we parse it back to
+   * `(id, name, scope)` and call `GetWebACL`. The response holds Name,
+   * Description, DefaultAction, Rules, VisibilityConfig,
+   * CustomResponseBodies, CaptchaConfig, ChallengeConfig, TokenDomains,
+   * and AssociationConfig — every key cdkd state declares as
+   * `handledProperties`. `Scope` is recovered from the ARN parse.
+   *
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the ARN can't be parsed or the WebACL is gone
+   * (`WAFNonexistentItemException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let id;
+    let name;
+    let scope;
+    try {
+      ({ id, name, scope } = parseWebACLArn(physicalId));
+    } catch {
+      return void 0;
+    }
+    let webACL;
+    try {
+      const resp = await this.getClient().send(
+        new GetWebACLCommand({ Id: id, Name: name, Scope: scope })
+      );
+      webACL = resp.WebACL;
+    } catch (err) {
+      if (err instanceof WAFNonexistentItemException)
+        return void 0;
+      throw err;
+    }
+    if (!webACL)
+      return void 0;
+    const result = {};
+    if (webACL.Name !== void 0)
+      result["Name"] = webACL.Name;
+    result["Scope"] = scope;
+    if (webACL.Description !== void 0 && webACL.Description !== "") {
+      result["Description"] = webACL.Description;
+    }
+    if (webACL.DefaultAction) {
+      result["DefaultAction"] = webACL.DefaultAction;
+    }
+    if (webACL.Rules && webACL.Rules.length > 0) {
+      result["Rules"] = webACL.Rules.map((r) => r);
+    }
+    if (webACL.VisibilityConfig) {
+      result["VisibilityConfig"] = webACL.VisibilityConfig;
+    }
+    if (webACL.CustomResponseBodies && Object.keys(webACL.CustomResponseBodies).length > 0) {
+      result["CustomResponseBodies"] = webACL.CustomResponseBodies;
+    }
+    if (webACL.CaptchaConfig) {
+      result["CaptchaConfig"] = webACL.CaptchaConfig;
+    }
+    if (webACL.ChallengeConfig) {
+      result["ChallengeConfig"] = webACL.ChallengeConfig;
+    }
+    if (webACL.TokenDomains && webACL.TokenDomains.length > 0) {
+      result["TokenDomains"] = [...webACL.TokenDomains];
+    }
+    if (webACL.AssociationConfig) {
+      result["AssociationConfig"] = webACL.AssociationConfig;
+    }
+    return result;
+  }
   /**
    * Adopt an existing WAFv2 WebACL into cdkd state.
    *
@@ -27496,6 +27998,133 @@ var ElastiCacheProvider = class {
   sleep(ms) {
     return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
+  /**
+   * Read the AWS-current ElastiCache resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `CacheCluster` → `DescribeCacheClusters` filtered by `CacheClusterId`,
+   *    surfacing `Engine`, `CacheNodeType`, `NumCacheNodes`,
+   *    `CacheSubnetGroupName`, `Port`, `EngineVersion`,
+   *    `CacheParameterGroupName`, `PreferredMaintenanceWindow`,
+   *    `PreferredAvailabilityZone`, `SnapshotRetentionLimit`,
+   *    `SnapshotWindow`, `AutoMinorVersionUpgrade`, `NotificationTopicArn`,
+   *    `IpDiscovery`, `NetworkType`, `TransitEncryptionEnabled`, plus
+   *    `VpcSecurityGroupIds` derived from the cluster's `SecurityGroups[]`.
+   *  - `SubnetGroup` → `DescribeCacheSubnetGroups` filtered by name,
+   *    surfacing `CacheSubnetGroupName`, `CacheSubnetGroupDescription`,
+   *    and `SubnetIds` derived from `Subnets[].SubnetIdentifier`.
+   *
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the resource is gone (`*NotFoundFault`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::ElastiCache::CacheCluster":
+        return this.readCacheCluster(physicalId);
+      case "AWS::ElastiCache::SubnetGroup":
+        return this.readSubnetGroup(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCacheCluster(physicalId) {
+    let cluster;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeCacheClustersCommand({
+          CacheClusterId: physicalId,
+          ShowCacheNodeInfo: true
+        })
+      );
+      cluster = resp.CacheClusters?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err, "CacheClusterNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!cluster)
+      return void 0;
+    const result = {};
+    if (cluster.CacheClusterId !== void 0)
+      result["ClusterName"] = cluster.CacheClusterId;
+    if (cluster.Engine !== void 0)
+      result["Engine"] = cluster.Engine;
+    if (cluster.CacheNodeType !== void 0)
+      result["CacheNodeType"] = cluster.CacheNodeType;
+    if (cluster.NumCacheNodes !== void 0)
+      result["NumCacheNodes"] = cluster.NumCacheNodes;
+    if (cluster.CacheSubnetGroupName !== void 0) {
+      result["CacheSubnetGroupName"] = cluster.CacheSubnetGroupName;
+    }
+    if (cluster.EngineVersion !== void 0)
+      result["EngineVersion"] = cluster.EngineVersion;
+    if (cluster.CacheParameterGroup?.CacheParameterGroupName !== void 0) {
+      result["CacheParameterGroupName"] = cluster.CacheParameterGroup.CacheParameterGroupName;
+    }
+    if (cluster.PreferredMaintenanceWindow !== void 0) {
+      result["PreferredMaintenanceWindow"] = cluster.PreferredMaintenanceWindow;
+    }
+    if (cluster.PreferredAvailabilityZone !== void 0) {
+      result["PreferredAvailabilityZone"] = cluster.PreferredAvailabilityZone;
+    }
+    if (cluster.SnapshotRetentionLimit !== void 0) {
+      result["SnapshotRetentionLimit"] = cluster.SnapshotRetentionLimit;
+    }
+    if (cluster.SnapshotWindow !== void 0)
+      result["SnapshotWindow"] = cluster.SnapshotWindow;
+    if (cluster.AutoMinorVersionUpgrade !== void 0) {
+      result["AutoMinorVersionUpgrade"] = cluster.AutoMinorVersionUpgrade;
+    }
+    if (cluster.NotificationConfiguration?.TopicArn !== void 0) {
+      result["NotificationTopicArn"] = cluster.NotificationConfiguration.TopicArn;
+    }
+    if (cluster.IpDiscovery !== void 0)
+      result["IpDiscovery"] = cluster.IpDiscovery;
+    if (cluster.NetworkType !== void 0)
+      result["NetworkType"] = cluster.NetworkType;
+    if (cluster.TransitEncryptionEnabled !== void 0) {
+      result["TransitEncryptionEnabled"] = cluster.TransitEncryptionEnabled;
+    }
+    if (cluster.CacheNodes?.[0]?.Endpoint?.Port !== void 0) {
+      result["Port"] = cluster.CacheNodes[0].Endpoint.Port;
+    }
+    if (cluster.SecurityGroups && cluster.SecurityGroups.length > 0) {
+      const ids = cluster.SecurityGroups.map((sg) => sg.SecurityGroupId).filter(
+        (id) => !!id
+      );
+      if (ids.length > 0)
+        result["VpcSecurityGroupIds"] = ids;
+    }
+    return result;
+  }
+  async readSubnetGroup(physicalId) {
+    let group;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeCacheSubnetGroupsCommand({ CacheSubnetGroupName: physicalId })
+      );
+      group = resp.CacheSubnetGroups?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err, "CacheSubnetGroupNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!group)
+      return void 0;
+    const result = {};
+    if (group.CacheSubnetGroupName !== void 0) {
+      result["CacheSubnetGroupName"] = group.CacheSubnetGroupName;
+    }
+    if (group.CacheSubnetGroupDescription !== void 0) {
+      result["CacheSubnetGroupDescription"] = group.CacheSubnetGroupDescription;
+    }
+    if (group.Subnets && group.Subnets.length > 0) {
+      const ids = group.Subnets.map((s) => s.SubnetIdentifier).filter((id) => !!id);
+      if (ids.length > 0)
+        result["SubnetIds"] = ids;
+    }
+    return result;
+  }
   /**
    * Adopt an existing ElastiCache resource into cdkd state.
    *
@@ -27968,20 +28597,101 @@ var ServiceDiscoveryProvider = class {
    *  - **AWS::ServiceDiscovery::Service**: same shape — `ListServices` +
    *    `ListTagsForResource`. Both use `Tag[]` arrays.
    */
-  async import(input) {
-    switch (input.resourceType) {
+  /**
+   * Read the AWS-current ServiceDiscovery resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `PrivateDnsNamespace` → `GetNamespace` (Name, Description). `Vpc`
+   *    is NOT returned by `GetNamespace` — Cloud Map exposes the VPC only
+   *    at create time and via `ListNamespaces`-side `Properties.DnsProperties.HostedZoneId`,
+   *    not as a directly comparable VPC ID. We skip it; the comparator
+   *    only descends into keys present in cdkd state, so an absent key
+   *    cannot fire false drift, but a `Vpc` change will not be detected
+   *    via this provider's drift surface (use the CFn-side `aws cloudmap`
+   *    CLI for that edge case).
+   *  - `Service` → `GetService` (Name, NamespaceId, Description, Type,
+   *    DnsConfig, HealthCheckConfig, HealthCheckCustomConfig).
+   *
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the resource is gone (`NamespaceNotFound` / `ServiceNotFound`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
       case "AWS::ServiceDiscovery::PrivateDnsNamespace":
-        return this.importNamespaceResource(input);
+        return this.readNamespace(physicalId);
       case "AWS::ServiceDiscovery::Service":
-        return this.importServiceResource(input);
+        return this.readService(physicalId);
       default:
-        return null;
+        return void 0;
     }
   }
-  async importNamespaceResource(input) {
-    if (input.knownPhysicalId) {
-      try {
-        await this.getClient().send(new GetNamespaceCommand({ Id: input.knownPhysicalId }));
+  async readNamespace(physicalId) {
+    let ns;
+    try {
+      const resp = await this.getClient().send(new GetNamespaceCommand({ Id: physicalId }));
+      ns = resp.Namespace;
+    } catch (err) {
+      if (err instanceof NamespaceNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!ns)
+      return void 0;
+    const result = {};
+    if (ns.Name !== void 0)
+      result["Name"] = ns.Name;
+    if (ns.Description !== void 0 && ns.Description !== "") {
+      result["Description"] = ns.Description;
+    }
+    return result;
+  }
+  async readService(physicalId) {
+    let svc;
+    try {
+      const resp = await this.getClient().send(new GetServiceCommand({ Id: physicalId }));
+      svc = resp.Service;
+    } catch (err) {
+      if (err instanceof ServiceNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!svc)
+      return void 0;
+    const result = {};
+    if (svc.Name !== void 0)
+      result["Name"] = svc.Name;
+    if (svc.NamespaceId !== void 0)
+      result["NamespaceId"] = svc.NamespaceId;
+    if (svc.Description !== void 0 && svc.Description !== "") {
+      result["Description"] = svc.Description;
+    }
+    if (svc.Type !== void 0)
+      result["Type"] = svc.Type;
+    if (svc.DnsConfig) {
+      result["DnsConfig"] = svc.DnsConfig;
+    }
+    if (svc.HealthCheckConfig) {
+      result["HealthCheckConfig"] = svc.HealthCheckConfig;
+    }
+    if (svc.HealthCheckCustomConfig) {
+      result["HealthCheckCustomConfig"] = svc.HealthCheckCustomConfig;
+    }
+    return result;
+  }
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::ServiceDiscovery::PrivateDnsNamespace":
+        return this.importNamespaceResource(input);
+      case "AWS::ServiceDiscovery::Service":
+        return this.importServiceResource(input);
+      default:
+        return null;
+    }
+  }
+  async importNamespaceResource(input) {
+    if (input.knownPhysicalId) {
+      try {
+        await this.getClient().send(new GetNamespaceCommand({ Id: input.knownPhysicalId }));
         return { physicalId: input.knownPhysicalId, attributes: {} };
       } catch (err) {
         if (err instanceof NamespaceNotFound)
@@ -28084,6 +28794,9 @@ import {
   DeleteApiKeyCommand,
   StartSchemaCreationCommand,
   GetGraphqlApiCommand,
+  GetDataSourceCommand,
+  GetResolverCommand,
+  ListApiKeysCommand,
   ListGraphqlApisCommand,
   NotFoundException as AppSyncNotFoundException
 } from "@aws-sdk/client-appsync";
@@ -28593,6 +29306,209 @@ var AppSyncProvider = class {
     const name = error.name ?? "";
     return message.includes("not found") || message.includes("does not exist") || name === "NotFoundException";
   }
+  /**
+   * Read the AWS-current AppSync resource configuration in CFn-property shape.
+   *
+   * Dispatches per resource type:
+   *  - `GraphQLApi` → `GetGraphqlApi` (Name, AuthenticationType, XrayEnabled,
+   *    LogConfig). Tags are skipped (CDK auto-tag handling deferred).
+   *  - `DataSource` → `GetDataSource` (Name, Type, Description,
+   *    ServiceRoleArn, DynamoDBConfig, LambdaConfig, HttpConfig). The
+   *    `ApiId` cdkd holds is recovered from the `apiId|name` physicalId.
+   *  - `Resolver` → `GetResolver` (TypeName, FieldName, DataSourceName,
+   *    request/response templates, Kind, PipelineConfig, Runtime, Code).
+   *  - `ApiKey` → `ListApiKeys` filtered by id (no `GetApiKey` SDK call;
+   *    AppSync only exposes list-based access). Surfaces Description and
+   *    Expires.
+   *  - `GraphQLSchema` → `GetSchemaCreationStatus` is the closest live
+   *    state, but it returns a status string only (not the full schema
+   *    body). Schema bodies live in cdkd state's `Definition` and would
+   *    need `GetIntrospectionSchema` + reverse-mapping to compare; that's
+   *    a separate task. Returns `undefined` so the comparator marks it
+   *    as "drift unknown" rather than firing a false positive.
+   *
+   * Returns `undefined` when the parent resource is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::AppSync::GraphQLApi":
+        return this.readGraphQLApi(physicalId);
+      case "AWS::AppSync::DataSource":
+        return this.readDataSource(physicalId);
+      case "AWS::AppSync::Resolver":
+        return this.readResolver(physicalId);
+      case "AWS::AppSync::ApiKey":
+        return this.readApiKey(physicalId);
+      case "AWS::AppSync::GraphQLSchema":
+        return void 0;
+      default:
+        return void 0;
+    }
+  }
+  async readGraphQLApi(physicalId) {
+    let api;
+    try {
+      const resp = await this.getClient().send(new GetGraphqlApiCommand({ apiId: physicalId }));
+      api = resp.graphqlApi;
+    } catch (err) {
+      if (err instanceof AppSyncNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!api)
+      return void 0;
+    const result = {};
+    if (api.name !== void 0)
+      result["Name"] = api.name;
+    if (api.authenticationType !== void 0) {
+      result["AuthenticationType"] = api.authenticationType;
+    }
+    if (api.xrayEnabled !== void 0)
+      result["XrayEnabled"] = api.xrayEnabled;
+    if (api.logConfig) {
+      const log = {};
+      if (api.logConfig.cloudWatchLogsRoleArn !== void 0) {
+        log["CloudWatchLogsRoleArn"] = api.logConfig.cloudWatchLogsRoleArn;
+      }
+      if (api.logConfig.fieldLogLevel !== void 0) {
+        log["FieldLogLevel"] = api.logConfig.fieldLogLevel;
+      }
+      if (api.logConfig.excludeVerboseContent !== void 0) {
+        log["ExcludeVerboseContent"] = api.logConfig.excludeVerboseContent;
+      }
+      if (Object.keys(log).length > 0)
+        result["LogConfig"] = log;
+    }
+    return result;
+  }
+  async readDataSource(physicalId) {
+    const [apiId, name] = physicalId.split("|");
+    if (!apiId || !name)
+      return void 0;
+    let ds;
+    try {
+      const resp = await this.getClient().send(new GetDataSourceCommand({ apiId, name }));
+      ds = resp.dataSource;
+    } catch (err) {
+      if (err instanceof AppSyncNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!ds)
+      return void 0;
+    const result = { ApiId: apiId };
+    if (ds.name !== void 0)
+      result["Name"] = ds.name;
+    if (ds.type !== void 0)
+      result["Type"] = ds.type;
+    if (ds.description !== void 0 && ds.description !== "") {
+      result["Description"] = ds.description;
+    }
+    if (ds.serviceRoleArn !== void 0)
+      result["ServiceRoleArn"] = ds.serviceRoleArn;
+    if (ds.dynamodbConfig) {
+      const dynamo = {};
+      if (ds.dynamodbConfig.tableName !== void 0)
+        dynamo["TableName"] = ds.dynamodbConfig.tableName;
+      if (ds.dynamodbConfig.awsRegion !== void 0)
+        dynamo["AwsRegion"] = ds.dynamodbConfig.awsRegion;
+      if (ds.dynamodbConfig.useCallerCredentials !== void 0) {
+        dynamo["UseCallerCredentials"] = ds.dynamodbConfig.useCallerCredentials;
+      }
+      if (Object.keys(dynamo).length > 0)
+        result["DynamoDBConfig"] = dynamo;
+    }
+    if (ds.lambdaConfig?.lambdaFunctionArn !== void 0) {
+      result["LambdaConfig"] = { LambdaFunctionArn: ds.lambdaConfig.lambdaFunctionArn };
+    }
+    if (ds.httpConfig?.endpoint !== void 0) {
+      result["HttpConfig"] = { Endpoint: ds.httpConfig.endpoint };
+    }
+    return result;
+  }
+  async readResolver(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length < 3)
+      return void 0;
+    const [apiId, typeName, fieldName] = parts;
+    if (!apiId || !typeName || !fieldName)
+      return void 0;
+    let resolver;
+    try {
+      const resp = await this.getClient().send(
+        new GetResolverCommand({ apiId, typeName, fieldName })
+      );
+      resolver = resp.resolver;
+    } catch (err) {
+      if (err instanceof AppSyncNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!resolver)
+      return void 0;
+    const result = { ApiId: apiId };
+    if (resolver.typeName !== void 0)
+      result["TypeName"] = resolver.typeName;
+    if (resolver.fieldName !== void 0)
+      result["FieldName"] = resolver.fieldName;
+    if (resolver.dataSourceName !== void 0)
+      result["DataSourceName"] = resolver.dataSourceName;
+    if (resolver.requestMappingTemplate !== void 0) {
+      result["RequestMappingTemplate"] = resolver.requestMappingTemplate;
+    }
+    if (resolver.responseMappingTemplate !== void 0) {
+      result["ResponseMappingTemplate"] = resolver.responseMappingTemplate;
+    }
+    if (resolver.kind !== void 0)
+      result["Kind"] = resolver.kind;
+    if (resolver.pipelineConfig?.functions && resolver.pipelineConfig.functions.length > 0) {
+      result["PipelineConfig"] = { Functions: [...resolver.pipelineConfig.functions] };
+    }
+    if (resolver.runtime) {
+      const runtime = {};
+      if (resolver.runtime.name !== void 0)
+        runtime["Name"] = resolver.runtime.name;
+      if (resolver.runtime.runtimeVersion !== void 0) {
+        runtime["RuntimeVersion"] = resolver.runtime.runtimeVersion;
+      }
+      if (Object.keys(runtime).length > 0)
+        result["Runtime"] = runtime;
+    }
+    if (resolver.code !== void 0)
+      result["Code"] = resolver.code;
+    return result;
+  }
+  async readApiKey(physicalId) {
+    const [apiId, apiKeyId] = physicalId.split("|");
+    if (!apiId || !apiKeyId)
+      return void 0;
+    let nextToken;
+    do {
+      let resp;
+      try {
+        resp = await this.getClient().send(
+          new ListApiKeysCommand({ apiId, ...nextToken && { nextToken } })
+        );
+      } catch (err) {
+        if (err instanceof AppSyncNotFoundException)
+          return void 0;
+        throw err;
+      }
+      for (const key of resp.apiKeys ?? []) {
+        if (key.id === apiKeyId) {
+          const result = { ApiId: apiId };
+          if (key.description !== void 0 && key.description !== "") {
+            result["Description"] = key.description;
+          }
+          if (key.expires !== void 0)
+            result["Expires"] = key.expires;
+          return result;
+        }
+      }
+      nextToken = resp.nextToken;
+    } while (nextToken);
+    return void 0;
+  }
   /**
    * Adopt an existing AppSync resource into cdkd state.
    *
@@ -29044,6 +29960,116 @@ var GlueProvider = class {
    * Glue list APIs return only names — ARNs are constructed locally
    * for the per-item GetTags call.
    */
+  /**
+   * Read the AWS-current Glue resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `Database` → `GetDatabase` returning DatabaseInput-shape
+   *    (`Name`, `Description`, `LocationUri`, `Parameters`).
+   *  - `Table` → `GetTable` returning the same-named TableInput-shape
+   *    fields (`Name`, `Description`, `Owner`, `Retention`, `TableType`,
+   *    `PartitionKeys`, `Parameters`, `StorageDescriptor`, `ViewOriginalText`,
+   *    `ViewExpandedText`, `TargetTable`). The table physicalId is
+   *    `databaseName|tableName`; we recover both from the split.
+   *
+   * `CatalogId` is intentionally not surfaced — `GetDatabase` /
+   * `GetTable` do not echo it back, and cdkd state's `CatalogId` is
+   * usually the AWS account id (defaulted by the API). Comparator only
+   * descends into keys present in state, so an absent surface key cannot
+   * fire false drift here.
+   *
+   * Returns `undefined` when the resource is gone (`EntityNotFoundException`).
+   * Other Glue resource types (`Job`, `Crawler`, `Connection`, `Trigger`,
+   * `Workflow`, `SecurityConfiguration`, etc.) are out of scope for v1 —
+   * the provider's `create()` only handles Database/Table; CC API picks
+   * up drift detection for the rest.
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::Glue::Database":
+        return this.readDatabase(physicalId);
+      case "AWS::Glue::Table":
+        return this.readTable(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readDatabase(physicalId) {
+    let db;
+    try {
+      const resp = await this.getClient().send(new GetDatabaseCommand({ Name: physicalId }));
+      db = resp.Database;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!db)
+      return void 0;
+    const dbInput = {};
+    if (db.Name !== void 0)
+      dbInput["Name"] = db.Name;
+    if (db.Description !== void 0 && db.Description !== "") {
+      dbInput["Description"] = db.Description;
+    }
+    if (db.LocationUri !== void 0)
+      dbInput["LocationUri"] = db.LocationUri;
+    if (db.Parameters && Object.keys(db.Parameters).length > 0) {
+      dbInput["Parameters"] = db.Parameters;
+    }
+    return { DatabaseInput: dbInput };
+  }
+  async readTable(physicalId) {
+    const [databaseName, tableName] = physicalId.split("|");
+    if (!databaseName || !tableName)
+      return void 0;
+    let table;
+    try {
+      const resp = await this.getClient().send(
+        new GetTableCommand({ DatabaseName: databaseName, Name: tableName })
+      );
+      table = resp.Table;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!table)
+      return void 0;
+    const tableInput = {};
+    if (table.Name !== void 0)
+      tableInput["Name"] = table.Name;
+    if (table.Description !== void 0 && table.Description !== "") {
+      tableInput["Description"] = table.Description;
+    }
+    if (table.Owner !== void 0)
+      tableInput["Owner"] = table.Owner;
+    if (table.Retention !== void 0)
+      tableInput["Retention"] = table.Retention;
+    if (table.TableType !== void 0)
+      tableInput["TableType"] = table.TableType;
+    if (table.PartitionKeys && table.PartitionKeys.length > 0) {
+      tableInput["PartitionKeys"] = table.PartitionKeys.map(
+        (k) => k
+      );
+    }
+    if (table.Parameters && Object.keys(table.Parameters).length > 0) {
+      tableInput["Parameters"] = table.Parameters;
+    }
+    if (table.StorageDescriptor) {
+      tableInput["StorageDescriptor"] = table.StorageDescriptor;
+    }
+    if (table.ViewOriginalText !== void 0) {
+      tableInput["ViewOriginalText"] = table.ViewOriginalText;
+    }
+    if (table.ViewExpandedText !== void 0) {
+      tableInput["ViewExpandedText"] = table.ViewExpandedText;
+    }
+    if (table.TargetTable) {
+      tableInput["TargetTable"] = table.TargetTable;
+    }
+    return { DatabaseName: databaseName, TableInput: tableInput };
+  }
   async import(input) {
     switch (input.resourceType) {
       case "AWS::Glue::Database":
@@ -30020,6 +31046,57 @@ var KinesisStreamProvider = class {
    * Kinesis tags use the standard `Tag[]` array shape (`Key`/`Value`),
    * so `matchesCdkPath` from import-helpers applies directly.
    */
+  /**
+   * Read the AWS-current Kinesis stream configuration in CFn-property shape.
+   *
+   * Issues `DescribeStream` and surfaces the keys cdkd's `create()`
+   * accepts: `Name`, `StreamModeDetails`, `ShardCount`, `RetentionPeriodHours`,
+   * and `StreamEncryption`. Tags are skipped (CDK auto-tag handling deferred).
+   *
+   * `ShardCount` is reported as the count of `Shards[]` in the stream
+   * description (only present for PROVISIONED-mode streams; ON_DEMAND
+   * mode reports an empty list).
+   *
+   * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
+   * Only `AWS::Kinesis::Stream` is supported (the provider does not handle
+   * `AWS::Kinesis::StreamConsumer`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    if (resourceType !== "AWS::Kinesis::Stream")
+      return void 0;
+    let stream;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeStreamCommand({ StreamName: physicalId })
+      );
+      stream = resp.StreamDescription;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException13)
+        return void 0;
+      throw err;
+    }
+    if (!stream)
+      return void 0;
+    const result = {};
+    if (stream.StreamName !== void 0)
+      result["Name"] = stream.StreamName;
+    if (stream.StreamModeDetails?.StreamMode !== void 0) {
+      result["StreamModeDetails"] = { StreamMode: stream.StreamModeDetails.StreamMode };
+    }
+    if (stream.Shards && stream.Shards.length > 0) {
+      result["ShardCount"] = stream.Shards.length;
+    }
+    if (stream.RetentionPeriodHours !== void 0) {
+      result["RetentionPeriodHours"] = stream.RetentionPeriodHours;
+    }
+    if (stream.EncryptionType !== void 0 && stream.EncryptionType !== "NONE") {
+      const encryption = { EncryptionType: stream.EncryptionType };
+      if (stream.KeyId !== void 0)
+        encryption["KeyId"] = stream.KeyId;
+      result["StreamEncryption"] = encryption;
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "Name");
     if (explicit) {
@@ -30099,6 +31176,8 @@ import {
   DeleteAccessPointCommand,
   DescribeFileSystemsCommand,
   DescribeAccessPointsCommand,
+  DescribeLifecycleConfigurationCommand,
+  DescribeBackupPolicyCommand,
   FileSystemNotFound,
   MountTargetNotFound,
   AccessPointNotFound
@@ -30500,6 +31579,173 @@ var EFSProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current EFS resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `FileSystem` → `DescribeFileSystems` filtered by id (PerformanceMode,
+   *    ThroughputMode, Encrypted, KmsKeyId, ProvisionedThroughputInMibps),
+   *    plus optional `DescribeLifecycleConfiguration` and
+   *    `DescribeBackupPolicy` enrichment. Each enrichment call is wrapped
+   *    in its own try/catch so a "not configured" error on either omits
+   *    the corresponding key without failing the whole snapshot.
+   *  - `AccessPoint` → `DescribeAccessPoints` filtered by id (PosixUser,
+   *    RootDirectory).
+   *  - `MountTarget` → `DescribeMountTargets` (FileSystemId, SubnetId).
+   *    SecurityGroups requires a separate call and is omitted for v1.
+   *
+   * Tags are skipped across all three (CDK auto-tag handling deferred).
+   * Returns `undefined` when the resource is gone (`*NotFound`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::EFS::FileSystem":
+        return this.readFileSystem(physicalId);
+      case "AWS::EFS::AccessPoint":
+        return this.readAccessPoint(physicalId);
+      case "AWS::EFS::MountTarget":
+        return this.readMountTarget(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readFileSystem(physicalId) {
+    let fs;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeFileSystemsCommand({ FileSystemId: physicalId })
+      );
+      fs = resp.FileSystems?.[0];
+    } catch (err) {
+      if (err instanceof FileSystemNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!fs)
+      return void 0;
+    const result = {};
+    if (fs.PerformanceMode !== void 0)
+      result["PerformanceMode"] = fs.PerformanceMode;
+    if (fs.ThroughputMode !== void 0)
+      result["ThroughputMode"] = fs.ThroughputMode;
+    if (fs.Encrypted !== void 0)
+      result["Encrypted"] = fs.Encrypted;
+    if (fs.KmsKeyId !== void 0)
+      result["KmsKeyId"] = fs.KmsKeyId;
+    if (fs.ProvisionedThroughputInMibps !== void 0) {
+      result["ProvisionedThroughputInMibps"] = fs.ProvisionedThroughputInMibps;
+    }
+    try {
+      const resp = await this.getClient().send(
+        new DescribeLifecycleConfigurationCommand({ FileSystemId: physicalId })
+      );
+      const policies = resp.LifecyclePolicies;
+      if (policies && policies.length > 0) {
+        result["LifecyclePolicies"] = policies.map((p) => {
+          const out = {};
+          if (p.TransitionToIA !== void 0)
+            out["TransitionToIA"] = p.TransitionToIA;
+          if (p.TransitionToPrimaryStorageClass !== void 0) {
+            out["TransitionToPrimaryStorageClass"] = p.TransitionToPrimaryStorageClass;
+          }
+          if (p.TransitionToArchive !== void 0)
+            out["TransitionToArchive"] = p.TransitionToArchive;
+          return out;
+        });
+      }
+    } catch (err) {
+      if (err instanceof FileSystemNotFound)
+        return void 0;
+      const e = err;
+      if (e.name !== "PolicyNotFound") {
+      }
+    }
+    try {
+      const resp = await this.getClient().send(
+        new DescribeBackupPolicyCommand({ FileSystemId: physicalId })
+      );
+      if (resp.BackupPolicy?.Status !== void 0) {
+        result["BackupPolicy"] = { Status: resp.BackupPolicy.Status };
+      }
+    } catch (err) {
+      if (err instanceof FileSystemNotFound)
+        return void 0;
+    }
+    return result;
+  }
+  async readAccessPoint(physicalId) {
+    let ap;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeAccessPointsCommand({ AccessPointId: physicalId })
+      );
+      ap = resp.AccessPoints?.[0];
+    } catch (err) {
+      if (err instanceof AccessPointNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!ap)
+      return void 0;
+    const result = {};
+    if (ap.FileSystemId !== void 0)
+      result["FileSystemId"] = ap.FileSystemId;
+    if (ap.PosixUser) {
+      const posix = {};
+      if (ap.PosixUser.Uid !== void 0)
+        posix["Uid"] = ap.PosixUser.Uid;
+      if (ap.PosixUser.Gid !== void 0)
+        posix["Gid"] = ap.PosixUser.Gid;
+      if (ap.PosixUser.SecondaryGids && ap.PosixUser.SecondaryGids.length > 0) {
+        posix["SecondaryGids"] = [...ap.PosixUser.SecondaryGids];
+      }
+      if (Object.keys(posix).length > 0)
+        result["PosixUser"] = posix;
+    }
+    if (ap.RootDirectory) {
+      const root = {};
+      if (ap.RootDirectory.Path !== void 0)
+        root["Path"] = ap.RootDirectory.Path;
+      if (ap.RootDirectory.CreationInfo) {
+        const ci = {};
+        if (ap.RootDirectory.CreationInfo.OwnerUid !== void 0) {
+          ci["OwnerUid"] = ap.RootDirectory.CreationInfo.OwnerUid;
+        }
+        if (ap.RootDirectory.CreationInfo.OwnerGid !== void 0) {
+          ci["OwnerGid"] = ap.RootDirectory.CreationInfo.OwnerGid;
+        }
+        if (ap.RootDirectory.CreationInfo.Permissions !== void 0) {
+          ci["Permissions"] = ap.RootDirectory.CreationInfo.Permissions;
+        }
+        if (Object.keys(ci).length > 0)
+          root["CreationInfo"] = ci;
+      }
+      if (Object.keys(root).length > 0)
+        result["RootDirectory"] = root;
+    }
+    return result;
+  }
+  async readMountTarget(physicalId) {
+    let mt;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeMountTargetsCommand({ MountTargetId: physicalId })
+      );
+      mt = resp.MountTargets?.[0];
+    } catch (err) {
+      if (err instanceof MountTargetNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!mt)
+      return void 0;
+    const result = {};
+    if (mt.FileSystemId !== void 0)
+      result["FileSystemId"] = mt.FileSystemId;
+    if (mt.SubnetId !== void 0)
+      result["SubnetId"] = mt.SubnetId;
+    return result;
+  }
   /**
    * Adopt an existing EFS resource into cdkd state.
    *
@@ -30952,6 +32198,63 @@ var FirehoseProvider = class {
    *
    * Firehose tags use the standard `Tag[]` array shape (`Key`/`Value`).
    */
+  /**
+   * Read the AWS-current Firehose delivery stream configuration in CFn-property shape.
+   *
+   * Surfaces top-level configuration that has a clean 1:1 mapping back to
+   * cdkd state — `DeliveryStreamName`, `DeliveryStreamType`, and the
+   * `KinesisStreamSourceConfiguration` parent fields when present (the
+   * `DescribeDeliveryStream` response splits source under `Source.KinesisStreamSourceDescription`).
+   *
+   * Destination configurations (`*DestinationConfiguration` in CFn vs.
+   * `*DestinationDescription` in `DescribeDeliveryStream`) are intentionally
+   * not re-shaped here. Their nested fields are large and the description
+   * vs. configuration shape divergence (extra metadata, write-only fields
+   * like `Password` redacted) makes a clean comparator surface impossible
+   * for v1. We do surface the destination *kind* under a stable key so
+   * users at least see destination drift across types, but not the inner
+   * fields. Drift on destination contents is best chased manually via
+   * `aws firehose describe-delivery-stream` for now.
+   *
+   * Tags + DeliveryStreamEncryptionConfigurationInput are skipped (they
+   * each need separate calls / shape decisions).
+   *
+   * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let desc;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId })
+      );
+      desc = resp.DeliveryStreamDescription;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException14)
+        return void 0;
+      throw err;
+    }
+    if (!desc)
+      return void 0;
+    const result = {};
+    if (desc.DeliveryStreamName !== void 0) {
+      result["DeliveryStreamName"] = desc.DeliveryStreamName;
+    }
+    if (desc.DeliveryStreamType !== void 0) {
+      result["DeliveryStreamType"] = desc.DeliveryStreamType;
+    }
+    if (desc.Source?.KinesisStreamSourceDescription) {
+      const src = desc.Source.KinesisStreamSourceDescription;
+      const srcOut = {};
+      if (src.KinesisStreamARN !== void 0)
+        srcOut["KinesisStreamARN"] = src.KinesisStreamARN;
+      if (src.RoleARN !== void 0)
+        srcOut["RoleARN"] = src.RoleARN;
+      if (Object.keys(srcOut).length > 0) {
+        result["KinesisStreamSourceConfiguration"] = srcOut;
+      }
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "DeliveryStreamName");
     if (explicit) {
@@ -31027,6 +32330,8 @@ import {
   PutEventSelectorsCommand,
   PutInsightSelectorsCommand,
   GetTrailCommand,
+  GetTrailStatusCommand,
+  GetEventSelectorsCommand,
   ListTrailsCommand,
   ListTagsCommand as ListTagsCommand3,
   TrailNotFoundException
@@ -31268,6 +32573,86 @@ var CloudTrailProvider = class {
    *  2. `ListTrails` + `ListTags` (CloudTrail uses `Tag[]` arrays per ARN),
    *     match `aws:cdk:path` tag.
    */
+  /**
+   * Read the AWS-current CloudTrail Trail configuration in CFn-property shape.
+   *
+   * Issues `GetTrail`, plus best-effort `GetTrailStatus` (for `IsLogging`)
+   * and `GetEventSelectors` (for `EventSelectors`). Each enrichment call is
+   * wrapped in its own try/catch so an "AccessDenied" or other transient
+   * error on the secondary calls omits that key without failing the
+   * whole snapshot — the comparator only descends into keys present in
+   * state.
+   *
+   * Mapping: AWS `GetTrail` returns `KmsKeyId` (lowercase `s`) while CFn
+   * uses `KMSKeyId`; we re-shape the key. SnsTopicARN is the Trail's
+   * derived field; the cdkd state property is `SnsTopicName` so we
+   * surface `SnsTopicName` directly from `GetTrail.SnsTopicName`.
+   *
+   * Tags + InsightSelectors are skipped for v1 (each needs its own
+   * separate call + shape mapping).
+   *
+   * Returns `undefined` when the trail is gone (`TrailNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let trail;
+    try {
+      const resp = await this.getClient().send(new GetTrailCommand({ Name: physicalId }));
+      trail = resp.Trail;
+    } catch (err) {
+      if (err instanceof TrailNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!trail)
+      return void 0;
+    const result = {};
+    if (trail.Name !== void 0)
+      result["TrailName"] = trail.Name;
+    if (trail.S3BucketName !== void 0)
+      result["S3BucketName"] = trail.S3BucketName;
+    if (trail.S3KeyPrefix !== void 0)
+      result["S3KeyPrefix"] = trail.S3KeyPrefix;
+    if (trail.IsMultiRegionTrail !== void 0) {
+      result["IsMultiRegionTrail"] = trail.IsMultiRegionTrail;
+    }
+    if (trail.IncludeGlobalServiceEvents !== void 0) {
+      result["IncludeGlobalServiceEvents"] = trail.IncludeGlobalServiceEvents;
+    }
+    if (trail.LogFileValidationEnabled !== void 0) {
+      result["EnableLogFileValidation"] = trail.LogFileValidationEnabled;
+    }
+    if (trail.CloudWatchLogsLogGroupArn !== void 0) {
+      result["CloudWatchLogsLogGroupArn"] = trail.CloudWatchLogsLogGroupArn;
+    }
+    if (trail.CloudWatchLogsRoleArn !== void 0) {
+      result["CloudWatchLogsRoleArn"] = trail.CloudWatchLogsRoleArn;
+    }
+    if (trail.KmsKeyId !== void 0)
+      result["KMSKeyId"] = trail.KmsKeyId;
+    if (trail.SnsTopicName !== void 0)
+      result["SnsTopicName"] = trail.SnsTopicName;
+    if (trail.IsOrganizationTrail !== void 0) {
+      result["IsOrganizationTrail"] = trail.IsOrganizationTrail;
+    }
+    try {
+      const status = await this.getClient().send(new GetTrailStatusCommand({ Name: physicalId }));
+      if (status.IsLogging !== void 0)
+        result["IsLogging"] = status.IsLogging;
+    } catch {
+    }
+    try {
+      const sel = await this.getClient().send(
+        new GetEventSelectorsCommand({ TrailName: physicalId })
+      );
+      if (sel.EventSelectors && sel.EventSelectors.length > 0) {
+        result["EventSelectors"] = sel.EventSelectors.map(
+          (es) => es
+        );
+      }
+    } catch {
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "TrailName");
     if (explicit) {
@@ -31585,6 +32970,141 @@ var CodeBuildProvider = class {
    *     `key`/`value` tags, not the standard `Key`/`Value`), match
    *     `aws:cdk:path` tag.
    */
+  /**
+   * Read the AWS-current CodeBuild Project configuration in CFn-property shape.
+   *
+   * Issues `BatchGetProjects` and re-shapes the SDK's camelCase response back
+   * to CFn's PascalCase shape (the `mapProperties` helper above goes the
+   * other way at create time). The drift comparator only descends into
+   * keys present in cdkd state, so we focus on the high-value top-level
+   * fields and the most commonly-set `Source` / `Artifacts` /
+   * `Environment` sub-fields. Less common nested config (full
+   * `LogsConfig`, `VpcConfig` rebuild, secondary sources/artifacts, etc.)
+   * is left to a follow-up — surfacing them with a partial shape would
+   * fire false drift on every project that uses them.
+   *
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the project is gone (`projects` array empty / `projectsNotFound` set).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let project;
+    try {
+      const resp = await this.getClient().send(
+        new BatchGetProjectsCommand({ names: [physicalId] })
+      );
+      project = resp.projects?.[0];
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException15)
+        return void 0;
+      throw err;
+    }
+    if (!project)
+      return void 0;
+    const result = {};
+    if (project.name !== void 0)
+      result["Name"] = project.name;
+    if (project.description !== void 0 && project.description !== "") {
+      result["Description"] = project.description;
+    }
+    if (project.serviceRole !== void 0)
+      result["ServiceRole"] = project.serviceRole;
+    if (project.timeoutInMinutes !== void 0) {
+      result["TimeoutInMinutes"] = project.timeoutInMinutes;
+    }
+    if (project.queuedTimeoutInMinutes !== void 0) {
+      result["QueuedTimeoutInMinutes"] = project.queuedTimeoutInMinutes;
+    }
+    if (project.encryptionKey !== void 0)
+      result["EncryptionKey"] = project.encryptionKey;
+    if (project.concurrentBuildLimit !== void 0) {
+      result["ConcurrentBuildLimit"] = project.concurrentBuildLimit;
+    }
+    if (project.badge?.badgeEnabled !== void 0) {
+      result["BadgeEnabled"] = project.badge.badgeEnabled;
+    }
+    if (project.sourceVersion !== void 0)
+      result["SourceVersion"] = project.sourceVersion;
+    if (project.source) {
+      const src = {};
+      if (project.source.type !== void 0)
+        src["Type"] = project.source.type;
+      if (project.source.location !== void 0)
+        src["Location"] = project.source.location;
+      if (project.source.buildspec !== void 0)
+        src["BuildSpec"] = project.source.buildspec;
+      if (project.source.gitCloneDepth !== void 0) {
+        src["GitCloneDepth"] = project.source.gitCloneDepth;
+      }
+      if (project.source.insecureSsl !== void 0)
+        src["InsecureSsl"] = project.source.insecureSsl;
+      if (project.source.reportBuildStatus !== void 0) {
+        src["ReportBuildStatus"] = project.source.reportBuildStatus;
+      }
+      if (Object.keys(src).length > 0)
+        result["Source"] = src;
+    }
+    if (project.artifacts) {
+      const art = {};
+      if (project.artifacts.type !== void 0)
+        art["Type"] = project.artifacts.type;
+      if (project.artifacts.location !== void 0)
+        art["Location"] = project.artifacts.location;
+      if (project.artifacts.path !== void 0)
+        art["Path"] = project.artifacts.path;
+      if (project.artifacts.name !== void 0)
+        art["Name"] = project.artifacts.name;
+      if (project.artifacts.namespaceType !== void 0) {
+        art["NamespaceType"] = project.artifacts.namespaceType;
+      }
+      if (project.artifacts.packaging !== void 0)
+        art["Packaging"] = project.artifacts.packaging;
+      if (project.artifacts.encryptionDisabled !== void 0) {
+        art["EncryptionDisabled"] = project.artifacts.encryptionDisabled;
+      }
+      if (project.artifacts.overrideArtifactName !== void 0) {
+        art["OverrideArtifactName"] = project.artifacts.overrideArtifactName;
+      }
+      if (project.artifacts.artifactIdentifier !== void 0) {
+        art["ArtifactIdentifier"] = project.artifacts.artifactIdentifier;
+      }
+      if (Object.keys(art).length > 0)
+        result["Artifacts"] = art;
+    }
+    if (project.environment) {
+      const env = {};
+      if (project.environment.type !== void 0)
+        env["Type"] = project.environment.type;
+      if (project.environment.image !== void 0)
+        env["Image"] = project.environment.image;
+      if (project.environment.computeType !== void 0) {
+        env["ComputeType"] = project.environment.computeType;
+      }
+      if (project.environment.privilegedMode !== void 0) {
+        env["PrivilegedMode"] = project.environment.privilegedMode;
+      }
+      if (project.environment.imagePullCredentialsType !== void 0) {
+        env["ImagePullCredentialsType"] = project.environment.imagePullCredentialsType;
+      }
+      if (project.environment.certificate !== void 0) {
+        env["Certificate"] = project.environment.certificate;
+      }
+      if (project.environment.environmentVariables && project.environment.environmentVariables.length > 0) {
+        env["EnvironmentVariables"] = project.environment.environmentVariables.map((ev) => {
+          const out = {};
+          if (ev.name !== void 0)
+            out["Name"] = ev.name;
+          if (ev.value !== void 0)
+            out["Value"] = ev.value;
+          if (ev.type !== void 0)
+            out["Type"] = ev.type;
+          return out;
+        });
+      }
+      if (Object.keys(env).length > 0)
+        result["Environment"] = env;
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "Name");
     if (explicit) {
@@ -38869,7 +40389,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.39.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.40.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());