@go-to-k/cdkd 0.39.0 → 0.41.0

package/dist/cli.js

@@ -9747,6 +9747,42 @@ var IAMInstanceProfileProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current IAM instance profile configuration in CFn-property
+   * shape.
+   *
+   * Issues a single `GetInstanceProfile` and surfaces the keys `create()`
+   * accepts (`InstanceProfileName`, `Path`, `Roles`). The Roles list maps
+   * the inline `Role[]` (each carrying `{RoleName, Arn, ...}`) back to the
+   * `string[]` of role names that CFn / cdkd state holds.
+   *
+   * Returns `undefined` when the profile is gone (`NoSuchEntityException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let profile;
+    try {
+      const resp = await this.iamClient.send(
+        new GetInstanceProfileCommand({ InstanceProfileName: physicalId })
+      );
+      profile = resp.InstanceProfile;
+    } catch (err) {
+      if (err instanceof NoSuchEntityException3)
+        return void 0;
+      throw err;
+    }
+    if (!profile)
+      return void 0;
+    const result = {};
+    if (profile.InstanceProfileName !== void 0) {
+      result["InstanceProfileName"] = profile.InstanceProfileName;
+    }
+    if (profile.Path !== void 0)
+      result["Path"] = profile.Path;
+    const roleNames = (profile.Roles ?? []).map((r) => r.RoleName).filter((n) => !!n);
+    if (roleNames.length > 0)
+      result["Roles"] = roleNames;
+    return result;
+  }
   /**
    * Adopt an existing IAM instance profile into cdkd state.
    *
@@ -10799,6 +10835,123 @@ var IAMUserGroupProvider = class {
       );
     }
   }
+  // ─── readCurrentState dispatch ───────────────────────────────────
+  /**
+   * Read the AWS-current configuration for an IAM user / group /
+   * UserToGroupAddition in CFn-property shape.
+   *
+   *  - **AWS::IAM::User**: `GetUser` for `UserName`, `Path`,
+   *    `PermissionsBoundary` (re-shaped from `PermissionsBoundary.Arn`);
+   *    `ListAttachedUserPolicies` for `ManagedPolicyArns`;
+   *    `ListGroupsForUser` for `Groups`. `Tags`, `LoginProfile`, and
+   *    `Policies` (inline policy bodies) are intentionally omitted —
+   *    same shape decisions as `iam-role-provider` (LoginProfile contains a
+   *    one-time password and inline policy bodies cost N extra round-trips
+   *    that are out of scope for v1).
+   *  - **AWS::IAM::Group**: `GetGroup` for `GroupName`, `Path`;
+   *    `ListAttachedGroupPolicies` for `ManagedPolicyArns`. `Policies`
+   *    (inline policy bodies) is omitted for the same reason as User /
+   *    Role.
+   *  - **AWS::IAM::UserToGroupAddition**: SKIPPED — returns `undefined`
+   *    because the resource is metadata-only (group-membership attachments
+   *    written via `AddUserToGroup`). A meaningful drift check would
+   *    require both the `GroupName` and the source-of-truth `Users` list
+   *    from state, neither of which `readCurrentState` receives. The
+   *    drift comparator falls back to "drift unknown" and the user can
+   *    inspect the membership manually.
+   *
+   * Returns `undefined` when the user / group is gone
+   * (`NoSuchEntityException`).
+   */
+  async readCurrentState(physicalId, logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::IAM::User":
+        return this.readUserCurrentState(physicalId);
+      case "AWS::IAM::Group":
+        return this.readGroupCurrentState(physicalId);
+      case "AWS::IAM::UserToGroupAddition":
+        return void 0;
+      default:
+        this.logger.debug(
+          `readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`
+        );
+        return void 0;
+    }
+  }
+  async readUserCurrentState(physicalId) {
+    let user;
+    try {
+      const resp = await this.iamClient.send(new GetUserCommand({ UserName: physicalId }));
+      user = resp.User;
+    } catch (err) {
+      if (err instanceof NoSuchEntityException4)
+        return void 0;
+      throw err;
+    }
+    if (!user)
+      return void 0;
+    const result = {};
+    if (user.UserName !== void 0)
+      result["UserName"] = user.UserName;
+    if (user.Path !== void 0)
+      result["Path"] = user.Path;
+    if (user.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
+      result["PermissionsBoundary"] = user.PermissionsBoundary.PermissionsBoundaryArn;
+    }
+    try {
+      const attached = await this.iamClient.send(
+        new ListAttachedUserPoliciesCommand({ UserName: physicalId })
+      );
+      const arns = (attached.AttachedPolicies ?? []).map((p) => p.PolicyArn).filter((arn) => !!arn);
+      if (arns.length > 0)
+        result["ManagedPolicyArns"] = arns;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
+    try {
+      const groups = await this.iamClient.send(
+        new ListGroupsForUserCommand({ UserName: physicalId })
+      );
+      const names = (groups.Groups ?? []).map((g) => g.GroupName).filter((n) => !!n);
+      if (names.length > 0)
+        result["Groups"] = names;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
+    return result;
+  }
+  async readGroupCurrentState(physicalId) {
+    let group;
+    try {
+      const resp = await this.iamClient.send(new GetGroupCommand({ GroupName: physicalId }));
+      group = resp.Group;
+    } catch (err) {
+      if (err instanceof NoSuchEntityException4)
+        return void 0;
+      throw err;
+    }
+    if (!group)
+      return void 0;
+    const result = {};
+    if (group.GroupName !== void 0)
+      result["GroupName"] = group.GroupName;
+    if (group.Path !== void 0)
+      result["Path"] = group.Path;
+    try {
+      const attached = await this.iamClient.send(
+        new ListAttachedGroupPoliciesCommand({ GroupName: physicalId })
+      );
+      const arns = (attached.AttachedPolicies ?? []).map((p) => p.PolicyArn).filter((arn) => !!arn);
+      if (arns.length > 0)
+        result["ManagedPolicyArns"] = arns;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
+    return result;
+  }
   // ─── Import dispatch ──────────────────────────────────────────────
   /**
    * Adopt an existing IAM user / group / user-to-group addition into cdkd state.
@@ -12002,6 +12155,7 @@ var S3BucketProvider = class {
 import {
   PutBucketPolicyCommand as PutBucketPolicyCommand2,
   DeleteBucketPolicyCommand,
+  GetBucketPolicyCommand,
   NoSuchBucket as NoSuchBucket2
 } from "@aws-sdk/client-s3";
 init_aws_clients();
@@ -12159,6 +12313,43 @@ var S3BucketPolicyProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current S3 bucket policy in CFn-property shape.
+   *
+   * Issues `GetBucketPolicy` against the bucket (physicalId === bucket
+   * name) and surfaces:
+   *   - `Bucket` — derived directly from `physicalId`.
+   *   - `PolicyDocument` — JSON-parsed back to the object form cdkd state
+   *     typically holds.
+   *
+   * Returns `undefined` when the bucket is gone (`NoSuchBucket`) or when
+   * no policy is currently attached (`NoSuchBucketPolicy`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let policyJson;
+    try {
+      const resp = await this.s3Client.send(new GetBucketPolicyCommand({ Bucket: physicalId }));
+      policyJson = resp.Policy;
+    } catch (err) {
+      if (err instanceof NoSuchBucket2)
+        return void 0;
+      const e = err;
+      if (e.name === "NoSuchBucketPolicy")
+        return void 0;
+      throw err;
+    }
+    if (!policyJson)
+      return void 0;
+    const result = {
+      Bucket: physicalId
+    };
+    try {
+      result["PolicyDocument"] = JSON.parse(policyJson);
+    } catch {
+      result["PolicyDocument"] = policyJson;
+    }
+    return result;
+  }
   /**
    * Adopt an existing S3 bucket policy into cdkd state.
    *
@@ -12582,7 +12773,10 @@ var SQSQueueProvider = class {
 };
 
 // src/provisioning/providers/sqs-queue-policy-provider.ts
-import { SetQueueAttributesCommand as SetQueueAttributesCommand2 } from "@aws-sdk/client-sqs";
+import {
+  SetQueueAttributesCommand as SetQueueAttributesCommand2,
+  GetQueueAttributesCommand as GetQueueAttributesCommand2
+} from "@aws-sdk/client-sqs";
 init_aws_clients();
 var SQSQueuePolicyProvider = class {
   sqsClient;
@@ -12735,6 +12929,52 @@ var SQSQueuePolicyProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current SQS queue policy in CFn-property shape.
+   *
+   * The provider's `create()` records `physicalId` as the first queue URL
+   * in the `Queues` array. Drift here surfaces:
+   *   - `Queues` — single-element array containing `physicalId`. The full
+   *     state list of queues isn't recoverable from AWS (no reverse index)
+   *     and the comparator only descends into keys present in state, so a
+   *     state with multiple queues will still surface drift on
+   *     `PolicyDocument` for the first queue (the most common drift case).
+   *   - `PolicyDocument` — fetched via `GetQueueAttributes` for
+   *     `Policy`, JSON-parsed back to the object form cdkd state holds.
+   *
+   * Returns `undefined` when the queue is gone (`QueueDoesNotExist`) or
+   * when no policy is currently attached (the `Policy` attribute is
+   * absent / empty).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let policyAttr;
+    try {
+      const resp = await this.sqsClient.send(
+        new GetQueueAttributesCommand2({
+          QueueUrl: physicalId,
+          AttributeNames: ["Policy"]
+        })
+      );
+      policyAttr = resp.Attributes?.["Policy"];
+    } catch (err) {
+      const e = err;
+      if (e.name === "QueueDoesNotExist" || typeof e.message === "string" && e.message.includes("does not exist")) {
+        return void 0;
+      }
+      throw err;
+    }
+    if (!policyAttr)
+      return void 0;
+    const result = {
+      Queues: [physicalId]
+    };
+    try {
+      result["PolicyDocument"] = JSON.parse(policyAttr);
+    } catch {
+      result["PolicyDocument"] = policyAttr;
+    }
+    return result;
+  }
   /**
    * Adopt an existing SQS queue policy into cdkd state.
    *
@@ -13207,6 +13447,7 @@ var SNSTopicProvider = class {
 import {
   SubscribeCommand,
   UnsubscribeCommand,
+  GetSubscriptionAttributesCommand,
   NotFoundException as NotFoundException2
 } from "@aws-sdk/client-sns";
 init_aws_clients();
@@ -13338,6 +13579,52 @@ var SNSSubscriptionProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current SNS Subscription configuration in CFn-property shape.
+   *
+   * Issues `GetSubscriptionAttributes`. AWS returns ALL attribute values
+   * as strings; we type-coerce `RawMessageDelivery` to a boolean and
+   * JSON-parse `FilterPolicy` so the comparator matches cdkd state's
+   * already-typed values. `TopicArn`, `Protocol`, `Endpoint` pass through
+   * as strings.
+   *
+   * Returns `undefined` when the subscription is gone (`NotFoundException`),
+   * including the special "PendingConfirmation" case where the
+   * `SubscriptionArn` has not yet been confirmed and `Attributes` is null.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let attributes;
+    try {
+      const resp = await this.snsClient.send(
+        new GetSubscriptionAttributesCommand({ SubscriptionArn: physicalId })
+      );
+      attributes = resp.Attributes;
+    } catch (err) {
+      if (err instanceof NotFoundException2)
+        return void 0;
+      throw err;
+    }
+    if (!attributes)
+      return void 0;
+    const result = {};
+    if (attributes["TopicArn"] !== void 0)
+      result["TopicArn"] = attributes["TopicArn"];
+    if (attributes["Protocol"] !== void 0)
+      result["Protocol"] = attributes["Protocol"];
+    if (attributes["Endpoint"] !== void 0)
+      result["Endpoint"] = attributes["Endpoint"];
+    if (attributes["RawMessageDelivery"] !== void 0) {
+      result["RawMessageDelivery"] = attributes["RawMessageDelivery"] === "true";
+    }
+    if (attributes["FilterPolicy"]) {
+      try {
+        result["FilterPolicy"] = JSON.parse(attributes["FilterPolicy"]);
+      } catch {
+        result["FilterPolicy"] = attributes["FilterPolicy"];
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing SNS subscription into cdkd state.
    *
@@ -13360,7 +13647,7 @@ var SNSSubscriptionProvider = class {
 };
 
 // src/provisioning/providers/sns-topic-policy-provider.ts
-import { SetTopicAttributesCommand as SetTopicAttributesCommand2 } from "@aws-sdk/client-sns";
+import { SetTopicAttributesCommand as SetTopicAttributesCommand2, GetTopicAttributesCommand as GetTopicAttributesCommand2 } from "@aws-sdk/client-sns";
 init_aws_clients();
 var SNSTopicPolicyProvider = class {
   logger = getLogger().child("SNSTopicPolicyProvider");
@@ -13496,6 +13783,57 @@ var SNSTopicPolicyProvider = class {
     }
     this.logger.debug(`Successfully deleted SNS topic policy ${logicalId}`);
   }
+  /**
+   * Read the AWS-current SNS topic policy in CFn-property shape.
+   *
+   * The provider's `create()` builds `physicalId` as a comma-joined list
+   * of topic ARNs. We:
+   *   1. Split the physical id back into the list of topic ARNs and surface
+   *      them as `Topics` (matching `create()` shape).
+   *   2. Fetch `GetTopicAttributes` on the FIRST topic to retrieve the
+   *      `Policy` attribute and surface it as `PolicyDocument` (JSON-parsed
+   *      to match the object form cdkd state holds).
+   *
+   * Single-topic fetch is intentional: cdkd applies the same policy to
+   * every topic in `Topics`, so the body is the same on each. A future
+   * enhancement could verify per-topic that the policy actually matches
+   * (catches manual divergence between multiple targets), but the bulk of
+   * drift cases involve a single topic and the body content is what users
+   * actually care about.
+   *
+   * Returns `undefined` when no topics are listed in the physical id, or
+   * when the first listed topic is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    const topics = physicalId.split(",").filter((t) => t.length > 0);
+    if (topics.length === 0)
+      return void 0;
+    const firstTopic = topics[0];
+    let policyAttr;
+    try {
+      const resp = await getAwsClients().sns.send(
+        new GetTopicAttributesCommand2({ TopicArn: firstTopic })
+      );
+      policyAttr = resp.Attributes?.["Policy"];
+    } catch (err) {
+      const e = err;
+      if (e.name === "NotFoundException" || e.name === "NotFound" || typeof e.message === "string" && e.message.includes("does not exist")) {
+        return void 0;
+      }
+      throw err;
+    }
+    const result = {
+      Topics: topics
+    };
+    if (policyAttr) {
+      try {
+        result["PolicyDocument"] = JSON.parse(policyAttr);
+      } catch {
+        result["PolicyDocument"] = policyAttr;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing SNS topic policy into cdkd state.
    *
@@ -14746,6 +15084,66 @@ var LambdaUrlProvider = class {
       throw err;
     }
   }
+  /**
+   * Read the AWS-current Lambda Function URL configuration in CFn-property
+   * shape.
+   *
+   * Issues `GetFunctionUrlConfig` with the parent function's ARN/name (the
+   * physical id) and surfaces `AuthType`, `InvokeMode`, and `Cors`.
+   * AWS-managed fields (`FunctionUrl`, `FunctionArn`, `CreationTime`,
+   * `LastModifiedTime`) are filtered at the wire layer.
+   *
+   * `TargetFunctionArn` is surfaced from `physicalId` (the create() flow
+   * stores the parent function's ARN/name there). `Qualifier` is NOT
+   * available from `GetFunctionUrlConfig` (it's only an input on Create);
+   * cdkd state stores it but AWS does not surface it back, so we omit it
+   * from the snapshot — the comparator's "key absent in state never
+   * drifts" rule handles the omission cleanly when state lacks Qualifier
+   * too, and cases where state HAS Qualifier surface as drift only when
+   * the qualifier was changed via Update (which the SDK supports through
+   * `physicalId` rather than the qualifier itself).
+   *
+   * Returns `undefined` when the URL config is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.lambdaClient.send(
+        new GetFunctionUrlConfigCommand2({ FunctionName: physicalId })
+      );
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException3)
+        return void 0;
+      throw err;
+    }
+    const result = {
+      TargetFunctionArn: physicalId
+    };
+    if (resp.AuthType !== void 0)
+      result["AuthType"] = resp.AuthType;
+    if (resp.InvokeMode !== void 0)
+      result["InvokeMode"] = resp.InvokeMode;
+    if (resp.Cors !== void 0) {
+      const cors = {};
+      if (resp.Cors.AllowOrigins)
+        cors["AllowOrigins"] = [...resp.Cors.AllowOrigins];
+      if (resp.Cors.AllowMethods)
+        cors["AllowMethods"] = [...resp.Cors.AllowMethods];
+      if (resp.Cors.AllowHeaders)
+        cors["AllowHeaders"] = [...resp.Cors.AllowHeaders];
+      if (resp.Cors.ExposeHeaders)
+        cors["ExposeHeaders"] = [...resp.Cors.ExposeHeaders];
+      if (resp.Cors.MaxAge !== void 0)
+        cors["MaxAge"] = resp.Cors.MaxAge;
+      if (resp.Cors.AllowCredentials !== void 0) {
+        cors["AllowCredentials"] = resp.Cors.AllowCredentials;
+      }
+      if (Object.keys(cors).length > 0)
+        result["Cors"] = cors;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Lambda Function URL into cdkd state.
    *
@@ -15008,6 +15406,96 @@ var LambdaEventSourceMappingProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Lambda event source mapping configuration in
+   * CFn-property shape.
+   *
+   * Issues `GetEventSourceMapping` for the UUID and surfaces the keys
+   * `create()` accepts. AWS-managed fields (`UUID`, `LastModified`,
+   * `LastProcessingResult`, `State`, `StateTransitionReason`,
+   * `EventSourceMappingArn`) are filtered at the wire layer.
+   *
+   * `FunctionName` is surfaced as the AWS `FunctionArn` (which is what
+   * `GetEventSourceMapping` returns) — cdkd state typically holds this
+   * resolved ARN form already after intrinsic resolution. The drift
+   * comparator can match against both forms when state holds a name vs an
+   * ARN; mismatched-shape false positives are out of scope for v1.
+   *
+   * `Tags` is omitted: cdkd `create()` reshapes CFn tag arrays into a
+   * tags map at create time, but `GetEventSourceMapping` does not return
+   * tags (`ListTags(Resource: arn)` does). Same shape-decision rationale
+   * as Lambda function tags drift — out of scope for v1.
+   *
+   * Returns `undefined` when the mapping is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.lambdaClient.send(new GetEventSourceMappingCommand({ UUID: physicalId }));
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException4)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (resp.FunctionArn !== void 0)
+      result["FunctionName"] = resp.FunctionArn;
+    if (resp.EventSourceArn !== void 0)
+      result["EventSourceArn"] = resp.EventSourceArn;
+    if (resp.BatchSize !== void 0)
+      result["BatchSize"] = resp.BatchSize;
+    if (resp.StartingPosition !== void 0)
+      result["StartingPosition"] = resp.StartingPosition;
+    if (resp.MaximumBatchingWindowInSeconds !== void 0) {
+      result["MaximumBatchingWindowInSeconds"] = resp.MaximumBatchingWindowInSeconds;
+    }
+    if (resp.MaximumRetryAttempts !== void 0) {
+      result["MaximumRetryAttempts"] = resp.MaximumRetryAttempts;
+    }
+    if (resp.BisectBatchOnFunctionError !== void 0) {
+      result["BisectBatchOnFunctionError"] = resp.BisectBatchOnFunctionError;
+    }
+    if (resp.MaximumRecordAgeInSeconds !== void 0) {
+      result["MaximumRecordAgeInSeconds"] = resp.MaximumRecordAgeInSeconds;
+    }
+    if (resp.ParallelizationFactor !== void 0) {
+      result["ParallelizationFactor"] = resp.ParallelizationFactor;
+    }
+    if (resp.FilterCriteria !== void 0)
+      result["FilterCriteria"] = resp.FilterCriteria;
+    if (resp.DestinationConfig !== void 0) {
+      result["DestinationConfig"] = resp.DestinationConfig;
+    }
+    if (resp.TumblingWindowInSeconds !== void 0) {
+      result["TumblingWindowInSeconds"] = resp.TumblingWindowInSeconds;
+    }
+    if (resp.FunctionResponseTypes !== void 0 && resp.FunctionResponseTypes.length > 0) {
+      result["FunctionResponseTypes"] = [...resp.FunctionResponseTypes];
+    }
+    if (resp.SourceAccessConfigurations !== void 0 && resp.SourceAccessConfigurations.length > 0) {
+      result["SourceAccessConfigurations"] = resp.SourceAccessConfigurations;
+    }
+    if (resp.SelfManagedEventSource !== void 0) {
+      result["SelfManagedEventSource"] = resp.SelfManagedEventSource;
+    }
+    if (resp.SelfManagedKafkaEventSourceConfig !== void 0) {
+      result["SelfManagedKafkaEventSourceConfig"] = resp.SelfManagedKafkaEventSourceConfig;
+    }
+    if (resp.AmazonManagedKafkaEventSourceConfig !== void 0) {
+      result["AmazonManagedKafkaEventSourceConfig"] = resp.AmazonManagedKafkaEventSourceConfig;
+    }
+    if (resp.DocumentDBEventSourceConfig !== void 0) {
+      result["DocumentDBEventSourceConfig"] = resp.DocumentDBEventSourceConfig;
+    }
+    if (resp.ScalingConfig !== void 0)
+      result["ScalingConfig"] = resp.ScalingConfig;
+    if (resp.State !== void 0) {
+      const enabled = resp.State === "Enabled" || resp.State === "Enabling" || resp.State === "Updating";
+      result["Enabled"] = enabled;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Lambda event source mapping into cdkd state.
    *
@@ -15176,6 +15664,57 @@ var LambdaLayerVersionProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Lambda layer version configuration in CFn-property
+   * shape.
+   *
+   * Issues `GetLayerVersionByArn` (the physical id is the version ARN) and
+   * surfaces `LayerName`, `Description`, `CompatibleRuntimes`,
+   * `CompatibleArchitectures`, and `LicenseInfo`. AWS-managed fields
+   * (`Version`, `CreatedDate`, `LayerVersionArn`, `LayerArn`,
+   * `Content.CodeSize`, `Content.CodeSha256`) are filtered at the wire
+   * layer.
+   *
+   * `Content` is intentionally omitted: like Lambda function `Code`, the
+   * `GetLayerVersionByArn` response contains a pre-signed S3 URL for the
+   * deployed content, not the asset hash cdkd state stored. The two could
+   * never match, so excluding it avoids a guaranteed false-positive.
+   *
+   * `LayerName` is derived from the ARN tail when not surfaced directly:
+   * the version ARN format is
+   *   `arn:aws:lambda:<region>:<account>:layer:<name>:<version>`.
+   *
+   * Returns `undefined` when the layer version is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.lambdaClient.send(new GetLayerVersionByArnCommand({ Arn: physicalId }));
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException5)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    const arnParts = physicalId.split(":");
+    if (arnParts.length >= 7 && arnParts[6]) {
+      result["LayerName"] = arnParts[6];
+    }
+    if (resp.Description !== void 0 && resp.Description !== "") {
+      result["Description"] = resp.Description;
+    }
+    if (resp.CompatibleRuntimes !== void 0 && resp.CompatibleRuntimes.length > 0) {
+      result["CompatibleRuntimes"] = [...resp.CompatibleRuntimes];
+    }
+    if (resp.CompatibleArchitectures !== void 0 && resp.CompatibleArchitectures.length > 0) {
+      result["CompatibleArchitectures"] = [...resp.CompatibleArchitectures];
+    }
+    if (resp.LicenseInfo !== void 0 && resp.LicenseInfo !== "") {
+      result["LicenseInfo"] = resp.LicenseInfo;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Lambda layer version into cdkd state.
    *
@@ -16209,6 +16748,82 @@ var CloudWatchAlarmProvider = class {
    *  2. `DescribeAlarms` paginated, then `ListTagsForResource(AlarmArn)` per
    *     alarm to match `aws:cdk:path`.
    */
+  /**
+   * Read the AWS-current CloudWatch Alarm configuration in CFn-property shape.
+   *
+   * Issues `DescribeAlarms` filtered by `AlarmNames=[physicalId]` and
+   * surfaces the keys cdkd's `create()` accepts (`AlarmName`,
+   * `AlarmDescription`, `MetricName`, `Namespace`, `Statistic`,
+   * `ComparisonOperator`, `Threshold`, `EvaluationPeriods`, `Period`,
+   * `DatapointsToAlarm`, `ActionsEnabled`, `AlarmActions`,
+   * `OKActions`, `InsufficientDataActions`, `TreatMissingData`, `Unit`,
+   * `Dimensions`, `Metrics`).
+   *
+   * `DescribeAlarms` returns the result via either `MetricAlarms` (single-
+   * metric form) or `CompositeAlarms` (composite form). cdkd's provider
+   * only handles the single-metric form, so we look at `MetricAlarms` only.
+   *
+   * Returns `undefined` when the alarm is gone (no matching `MetricAlarms`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    const resp = await this.cloudWatchClient.send(
+      new DescribeAlarmsCommand({ AlarmNames: [physicalId], AlarmTypes: ["MetricAlarm"] })
+    );
+    const alarm = resp.MetricAlarms?.[0];
+    if (!alarm)
+      return void 0;
+    const result = {};
+    if (alarm.AlarmName !== void 0)
+      result["AlarmName"] = alarm.AlarmName;
+    if (alarm.AlarmDescription !== void 0 && alarm.AlarmDescription !== "") {
+      result["AlarmDescription"] = alarm.AlarmDescription;
+    }
+    if (alarm.MetricName !== void 0)
+      result["MetricName"] = alarm.MetricName;
+    if (alarm.Namespace !== void 0)
+      result["Namespace"] = alarm.Namespace;
+    if (alarm.Statistic !== void 0)
+      result["Statistic"] = alarm.Statistic;
+    if (alarm.ComparisonOperator !== void 0) {
+      result["ComparisonOperator"] = alarm.ComparisonOperator;
+    }
+    if (alarm.Threshold !== void 0)
+      result["Threshold"] = alarm.Threshold;
+    if (alarm.EvaluationPeriods !== void 0) {
+      result["EvaluationPeriods"] = alarm.EvaluationPeriods;
+    }
+    if (alarm.Period !== void 0)
+      result["Period"] = alarm.Period;
+    if (alarm.DatapointsToAlarm !== void 0) {
+      result["DatapointsToAlarm"] = alarm.DatapointsToAlarm;
+    }
+    if (alarm.ActionsEnabled !== void 0)
+      result["ActionsEnabled"] = alarm.ActionsEnabled;
+    if (alarm.AlarmActions && alarm.AlarmActions.length > 0) {
+      result["AlarmActions"] = [...alarm.AlarmActions];
+    }
+    if (alarm.OKActions && alarm.OKActions.length > 0) {
+      result["OKActions"] = [...alarm.OKActions];
+    }
+    if (alarm.InsufficientDataActions && alarm.InsufficientDataActions.length > 0) {
+      result["InsufficientDataActions"] = [...alarm.InsufficientDataActions];
+    }
+    if (alarm.TreatMissingData !== void 0) {
+      result["TreatMissingData"] = alarm.TreatMissingData;
+    }
+    if (alarm.Unit !== void 0)
+      result["Unit"] = alarm.Unit;
+    if (alarm.Dimensions && alarm.Dimensions.length > 0) {
+      result["Dimensions"] = alarm.Dimensions.map((d) => ({
+        ...d.Name !== void 0 ? { Name: d.Name } : {},
+        ...d.Value !== void 0 ? { Value: d.Value } : {}
+      }));
+    }
+    if (alarm.Metrics && alarm.Metrics.length > 0) {
+      result["Metrics"] = alarm.Metrics.map((m) => m);
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "AlarmName");
     if (explicit) {
@@ -17777,7 +18392,10 @@ import {
   CreateVpcCommand,
   DeleteVpcCommand,
   ModifyVpcAttributeCommand,
+  DescribeVpcAttributeCommand,
   DescribeVpcsCommand as DescribeVpcsCommand2,
+  DescribeInternetGatewaysCommand,
+  DescribeRouteTablesCommand as DescribeRouteTablesCommand2,
   CreateSubnetCommand,
   DeleteSubnetCommand,
   CreateInternetGatewayCommand,
@@ -19937,9 +20555,226 @@ var EC2Provider = class {
       throw error;
     }
   }
-  async verifyExplicit(resourceType, physicalId) {
-    try {
-      switch (resourceType) {
+  /**
+   * Read the AWS-current EC2 networking resource configuration in
+   * CFn-property shape.
+   *
+   * Supported types (highest-value drift coverage):
+   *  - **AWS::EC2::VPC**: `DescribeVpcs` for `CidrBlock` + `InstanceTenancy`;
+   *    `DescribeVpcAttribute(enableDnsHostnames|enableDnsSupport)` for the
+   *    DNS booleans (CFn defaults: hostnames=false, support=true — we only
+   *    surface them if AWS reports them, so the comparator's "key-absent
+   *    never drifts" rule applies cleanly to state without these keys).
+   *  - **AWS::EC2::Subnet**: `DescribeSubnets` for `VpcId`, `CidrBlock`,
+   *    `AvailabilityZone`, `MapPublicIpOnLaunch`.
+   *  - **AWS::EC2::InternetGateway**: `DescribeInternetGateways` for
+   *    existence verification. The provider only handles `Tags`, which is
+   *    out of scope for v1 drift.
+   *  - **AWS::EC2::NatGateway**: `DescribeNatGateways` for `SubnetId`,
+   *    `AllocationId`, `ConnectivityType`, `PrivateIpAddress`.
+   *  - **AWS::EC2::RouteTable**: `DescribeRouteTables` for `VpcId`.
+   *  - **AWS::EC2::SecurityGroup**: `DescribeSecurityGroups` for
+   *    `GroupName`, `GroupDescription`, `VpcId`. Ingress / egress rules
+   *    are NOT surfaced — the CFn shape is rule-list-style, while AWS
+   *    returns IpPermissions in a different normalized form, and a
+   *    faithful reverse-mapping is out of scope for v1.
+   *  - **AWS::EC2::Instance**: `DescribeInstances` for `ImageId`,
+   *    `InstanceType`, `KeyName`, `SubnetId`. SecurityGroupIds /
+   *    BlockDeviceMappings shape-match is out of scope for v1.
+   *  - **AWS::EC2::NetworkAcl**: `DescribeNetworkAcls` for `VpcId`.
+   *
+   * Skipped (return `undefined`, falls through to the comparator's
+   * "unsupported" outcome):
+   *  - **AWS::EC2::VPCGatewayAttachment**: physical id is
+   *    `IGW|VpcId`. The two ids are immutable inputs to the SDK call;
+   *    drift detection on this resource has no useful signal beyond
+   *    existence verification (which the user can do via the parent IGW
+   *    / VPC drift report).
+   *  - **AWS::EC2::Route**, **AWS::EC2::SubnetRouteTableAssociation**,
+   *    **AWS::EC2::SecurityGroupIngress**, **AWS::EC2::NetworkAclEntry**,
+   *    **AWS::EC2::SubnetNetworkAclAssociation**: rule / association
+   *    sub-resources whose AWS API surfaces them inside the parent's
+   *    list, not as standalone Get* responses. v1 drift coverage focuses
+   *    on top-level resources where the property shape comparison is
+   *    cheap and unambiguous; these sub-resources need a more elaborate
+   *    extraction layer that's out of scope for this PR.
+   *
+   * Returns `undefined` when the resource is gone (any `*NotFound` /
+   * `Invalid*` error from the EC2 SDK matches `isNotFoundError`).
+   */
+  async readCurrentState(physicalId, logicalId, resourceType) {
+    try {
+      switch (resourceType) {
+        case "AWS::EC2::VPC":
+          return await this.readVpcCurrentState(physicalId);
+        case "AWS::EC2::Subnet":
+          return await this.readSubnetCurrentState(physicalId);
+        case "AWS::EC2::InternetGateway":
+          return await this.readInternetGatewayCurrentState(physicalId);
+        case "AWS::EC2::NatGateway":
+          return await this.readNatGatewayCurrentState(physicalId);
+        case "AWS::EC2::RouteTable":
+          return await this.readRouteTableCurrentState(physicalId);
+        case "AWS::EC2::SecurityGroup":
+          return await this.readSecurityGroupCurrentState(physicalId);
+        case "AWS::EC2::Instance":
+          return await this.readInstanceCurrentState(physicalId);
+        case "AWS::EC2::NetworkAcl":
+          return await this.readNetworkAclCurrentState(physicalId);
+        default:
+          this.logger.debug(
+            `readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`
+          );
+          return void 0;
+      }
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+  }
+  async readVpcCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(new DescribeVpcsCommand2({ VpcIds: [physicalId] }));
+    const vpc = resp.Vpcs?.[0];
+    if (!vpc)
+      return void 0;
+    const result = {};
+    if (vpc.CidrBlock !== void 0)
+      result["CidrBlock"] = vpc.CidrBlock;
+    if (vpc.InstanceTenancy !== void 0)
+      result["InstanceTenancy"] = vpc.InstanceTenancy;
+    try {
+      const dnsHost = await this.ec2Client.send(
+        new DescribeVpcAttributeCommand({ VpcId: physicalId, Attribute: "enableDnsHostnames" })
+      );
+      if (dnsHost.EnableDnsHostnames?.Value !== void 0) {
+        result["EnableDnsHostnames"] = dnsHost.EnableDnsHostnames.Value;
+      }
+    } catch (err) {
+      if (!this.isNotFoundError(err))
+        throw err;
+    }
+    try {
+      const dnsSupp = await this.ec2Client.send(
+        new DescribeVpcAttributeCommand({ VpcId: physicalId, Attribute: "enableDnsSupport" })
+      );
+      if (dnsSupp.EnableDnsSupport?.Value !== void 0) {
+        result["EnableDnsSupport"] = dnsSupp.EnableDnsSupport.Value;
+      }
+    } catch (err) {
+      if (!this.isNotFoundError(err))
+        throw err;
+    }
+    return result;
+  }
+  async readSubnetCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(new DescribeSubnetsCommand2({ SubnetIds: [physicalId] }));
+    const subnet = resp.Subnets?.[0];
+    if (!subnet)
+      return void 0;
+    const result = {};
+    if (subnet.VpcId !== void 0)
+      result["VpcId"] = subnet.VpcId;
+    if (subnet.CidrBlock !== void 0)
+      result["CidrBlock"] = subnet.CidrBlock;
+    if (subnet.AvailabilityZone !== void 0) {
+      result["AvailabilityZone"] = subnet.AvailabilityZone;
+    }
+    if (subnet.MapPublicIpOnLaunch !== void 0) {
+      result["MapPublicIpOnLaunch"] = subnet.MapPublicIpOnLaunch;
+    }
+    return result;
+  }
+  async readInternetGatewayCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeInternetGatewaysCommand({ InternetGatewayIds: [physicalId] })
+    );
+    const igw = resp.InternetGateways?.[0];
+    if (!igw)
+      return void 0;
+    return {};
+  }
+  async readNatGatewayCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeNatGatewaysCommand({ NatGatewayIds: [physicalId] })
+    );
+    const gw = resp.NatGateways?.find((g) => g.State !== "deleted" && g.State !== "deleting");
+    if (!gw)
+      return void 0;
+    const result = {};
+    if (gw.SubnetId !== void 0)
+      result["SubnetId"] = gw.SubnetId;
+    if (gw.ConnectivityType !== void 0)
+      result["ConnectivityType"] = gw.ConnectivityType;
+    const primary = gw.NatGatewayAddresses?.[0];
+    if (primary?.AllocationId !== void 0)
+      result["AllocationId"] = primary.AllocationId;
+    if (primary?.PrivateIp !== void 0)
+      result["PrivateIpAddress"] = primary.PrivateIp;
+    return result;
+  }
+  async readRouteTableCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeRouteTablesCommand2({ RouteTableIds: [physicalId] })
+    );
+    const rt = resp.RouteTables?.[0];
+    if (!rt)
+      return void 0;
+    const result = {};
+    if (rt.VpcId !== void 0)
+      result["VpcId"] = rt.VpcId;
+    return result;
+  }
+  async readSecurityGroupCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeSecurityGroupsCommand2({ GroupIds: [physicalId] })
+    );
+    const sg = resp.SecurityGroups?.[0];
+    if (!sg)
+      return void 0;
+    const result = {};
+    if (sg.GroupName !== void 0)
+      result["GroupName"] = sg.GroupName;
+    if (sg.Description !== void 0)
+      result["GroupDescription"] = sg.Description;
+    if (sg.VpcId !== void 0)
+      result["VpcId"] = sg.VpcId;
+    return result;
+  }
+  async readInstanceCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeInstancesCommand({ InstanceIds: [physicalId] })
+    );
+    const instance = resp.Reservations?.[0]?.Instances?.[0];
+    if (!instance || instance.State?.Name === "terminated" || instance.State?.Name === "shutting-down") {
+      return void 0;
+    }
+    const result = {};
+    if (instance.ImageId !== void 0)
+      result["ImageId"] = instance.ImageId;
+    if (instance.InstanceType !== void 0)
+      result["InstanceType"] = instance.InstanceType;
+    if (instance.KeyName !== void 0)
+      result["KeyName"] = instance.KeyName;
+    if (instance.SubnetId !== void 0)
+      result["SubnetId"] = instance.SubnetId;
+    return result;
+  }
+  async readNetworkAclCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeNetworkAclsCommand({ NetworkAclIds: [physicalId] })
+    );
+    const acl = resp.NetworkAcls?.[0];
+    if (!acl)
+      return void 0;
+    const result = {};
+    if (acl.VpcId !== void 0)
+      result["VpcId"] = acl.VpcId;
+    return result;
+  }
+  async verifyExplicit(resourceType, physicalId) {
+    try {
+      switch (resourceType) {
         case "AWS::EC2::VPC": {
           const resp = await this.ec2Client.send(new DescribeVpcsCommand2({ VpcIds: [physicalId] }));
           return resp.Vpcs?.[0] ? { physicalId, attributes: {} } : null;
@@ -22419,6 +23254,23 @@ function pascalToCamelCaseKeys(value) {
   }
   return value;
 }
+function camelToPascalCaseKeys(value) {
+  if (value === null || value === void 0) {
+    return value;
+  }
+  if (Array.isArray(value)) {
+    return value.map(camelToPascalCaseKeys);
+  }
+  if (typeof value === "object") {
+    const result = {};
+    for (const [key, val] of Object.entries(value)) {
+      const pascalKey = key.charAt(0).toUpperCase() + key.slice(1);
+      result[pascalKey] = camelToPascalCaseKeys(val);
+    }
+    return result;
+  }
+  return value;
+}
 var AgentCoreRuntimeProvider = class {
   client;
   logger = getLogger().child("AgentCoreRuntimeProvider");
@@ -22653,6 +23505,68 @@ var AgentCoreRuntimeProvider = class {
     }
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::BedrockAgentCore::Runtime`);
   }
+  /**
+   * Read the AWS-current BedrockAgentCore Runtime configuration in
+   * CFn-property shape.
+   *
+   * Issues `GetAgentRuntime` (the physical id is the runtime id) and
+   * surfaces the keys `create()` accepts. The SDK returns camelCase keys
+   * (`agentRuntimeName`, `roleArn`, `agentRuntimeArtifact`, etc.); we
+   * re-shape back to PascalCase via `camelToPascalCaseKeys` so the
+   * comparator matches cdkd state.
+   *
+   * `ProtocolConfiguration` parity: `create()` accepts a CFn-style string
+   * (`"HTTP"`) and converts it to `{serverProtocol: "HTTP"}` for the SDK.
+   * The SDK returns the object form. We surface the object form here; if
+   * cdkd state holds the original string the comparator will report drift
+   * — users can inspect and dismiss this case manually. (A more elaborate
+   * shape negotiation belongs in a follow-up that knows about both forms.)
+   *
+   * `ClientToken` is omitted: AWS does not surface it back via
+   * `GetAgentRuntime` (it's an idempotency token only meaningful at create
+   * time).
+   *
+   * Returns `undefined` when the runtime is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.client.send(new GetAgentRuntimeCommand({ agentRuntimeId: physicalId }));
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException11)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (resp.agentRuntimeName !== void 0) {
+      result["AgentRuntimeName"] = resp.agentRuntimeName;
+    }
+    if (resp.roleArn !== void 0)
+      result["RoleArn"] = resp.roleArn;
+    if (resp.agentRuntimeArtifact !== void 0) {
+      result["AgentRuntimeArtifact"] = camelToPascalCaseKeys(resp.agentRuntimeArtifact);
+    }
+    if (resp.networkConfiguration !== void 0) {
+      result["NetworkConfiguration"] = camelToPascalCaseKeys(resp.networkConfiguration);
+    }
+    if (resp.description !== void 0 && resp.description !== "") {
+      result["Description"] = resp.description;
+    }
+    if (resp.authorizerConfiguration !== void 0) {
+      result["AuthorizerConfiguration"] = camelToPascalCaseKeys(resp.authorizerConfiguration);
+    }
+    if (resp.protocolConfiguration !== void 0) {
+      result["ProtocolConfiguration"] = camelToPascalCaseKeys(resp.protocolConfiguration);
+    }
+    if (resp.lifecycleConfiguration !== void 0) {
+      result["LifecycleConfiguration"] = camelToPascalCaseKeys(resp.lifecycleConfiguration);
+    }
+    if (resp.environmentVariables !== void 0) {
+      result["EnvironmentVariables"] = resp.environmentVariables;
+    }
+    return result;
+  }
   /**
    * Adopt an existing BedrockAgentCore Runtime into cdkd state.
    *
@@ -24089,7 +25003,8 @@ import {
   DescribeTagsCommand,
   CreateListenerCommand,
   DeleteListenerCommand,
-  ModifyListenerCommand
+  ModifyListenerCommand,
+  DescribeListenersCommand as DescribeListenersCommand2
 } from "@aws-sdk/client-elastic-load-balancing-v2";
 var ELBv2Provider = class {
   elbv2Client;
@@ -24582,6 +25497,170 @@ var ELBv2Provider = class {
       return void 0;
     return certificates;
   }
+  /**
+   * Read the AWS-current ELBv2 resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `LoadBalancer` → `DescribeLoadBalancers` (Name, Subnets via
+   *    `AvailabilityZones[].SubnetId`, SecurityGroups, Scheme, Type,
+   *    IpAddressType). LoadBalancerAttributes is omitted for v1 — it
+   *    requires a separate `DescribeLoadBalancerAttributes` call and the
+   *    drift comparator only descends into keys present in state, so an
+   *    absent key cannot fire false drift.
+   *  - `TargetGroup` → `DescribeTargetGroups` (Protocol, Port, VpcId,
+   *    TargetType, ProtocolVersion, HealthCheck*, Matcher, Name).
+   *  - `Listener` → `DescribeListeners` (LoadBalancerArn, Certificates,
+   *    DefaultActions, Port, Protocol, SslPolicy).
+   *
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the resource is gone (`*NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::ElasticLoadBalancingV2::LoadBalancer":
+        return this.readLoadBalancer(physicalId);
+      case "AWS::ElasticLoadBalancingV2::TargetGroup":
+        return this.readTargetGroup(physicalId);
+      case "AWS::ElasticLoadBalancingV2::Listener":
+        return this.readListener(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readLoadBalancer(physicalId) {
+    let lb;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeLoadBalancersCommand2({ LoadBalancerArns: [physicalId] })
+      );
+      lb = resp.LoadBalancers?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+    if (!lb)
+      return void 0;
+    const result = {};
+    if (lb.LoadBalancerName !== void 0)
+      result["Name"] = lb.LoadBalancerName;
+    if (lb.AvailabilityZones && lb.AvailabilityZones.length > 0) {
+      const subnets = lb.AvailabilityZones.map((az) => az.SubnetId).filter(
+        (id) => !!id
+      );
+      if (subnets.length > 0)
+        result["Subnets"] = subnets;
+    }
+    if (lb.SecurityGroups && lb.SecurityGroups.length > 0) {
+      result["SecurityGroups"] = [...lb.SecurityGroups];
+    }
+    if (lb.Scheme !== void 0)
+      result["Scheme"] = lb.Scheme;
+    if (lb.Type !== void 0)
+      result["Type"] = lb.Type;
+    if (lb.IpAddressType !== void 0)
+      result["IpAddressType"] = lb.IpAddressType;
+    return result;
+  }
+  async readTargetGroup(physicalId) {
+    let tg;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeTargetGroupsCommand({ TargetGroupArns: [physicalId] })
+      );
+      tg = resp.TargetGroups?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+    if (!tg)
+      return void 0;
+    const result = {};
+    if (tg.TargetGroupName !== void 0)
+      result["Name"] = tg.TargetGroupName;
+    if (tg.Protocol !== void 0)
+      result["Protocol"] = tg.Protocol;
+    if (tg.Port !== void 0)
+      result["Port"] = tg.Port;
+    if (tg.VpcId !== void 0)
+      result["VpcId"] = tg.VpcId;
+    if (tg.TargetType !== void 0)
+      result["TargetType"] = tg.TargetType;
+    if (tg.ProtocolVersion !== void 0)
+      result["ProtocolVersion"] = tg.ProtocolVersion;
+    if (tg.HealthCheckProtocol !== void 0)
+      result["HealthCheckProtocol"] = tg.HealthCheckProtocol;
+    if (tg.HealthCheckPort !== void 0)
+      result["HealthCheckPort"] = tg.HealthCheckPort;
+    if (tg.HealthCheckPath !== void 0)
+      result["HealthCheckPath"] = tg.HealthCheckPath;
+    if (tg.HealthCheckEnabled !== void 0)
+      result["HealthCheckEnabled"] = tg.HealthCheckEnabled;
+    if (tg.HealthCheckIntervalSeconds !== void 0) {
+      result["HealthCheckIntervalSeconds"] = tg.HealthCheckIntervalSeconds;
+    }
+    if (tg.HealthCheckTimeoutSeconds !== void 0) {
+      result["HealthCheckTimeoutSeconds"] = tg.HealthCheckTimeoutSeconds;
+    }
+    if (tg.HealthyThresholdCount !== void 0) {
+      result["HealthyThresholdCount"] = tg.HealthyThresholdCount;
+    }
+    if (tg.UnhealthyThresholdCount !== void 0) {
+      result["UnhealthyThresholdCount"] = tg.UnhealthyThresholdCount;
+    }
+    if (tg.Matcher) {
+      const matcher = {};
+      if (tg.Matcher.HttpCode !== void 0)
+        matcher["HttpCode"] = tg.Matcher.HttpCode;
+      if (tg.Matcher.GrpcCode !== void 0)
+        matcher["GrpcCode"] = tg.Matcher.GrpcCode;
+      if (Object.keys(matcher).length > 0)
+        result["Matcher"] = matcher;
+    }
+    return result;
+  }
+  async readListener(physicalId) {
+    let listener;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeListenersCommand2({ ListenerArns: [physicalId] })
+      );
+      listener = resp.Listeners?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+    if (!listener)
+      return void 0;
+    const result = {};
+    if (listener.LoadBalancerArn !== void 0) {
+      result["LoadBalancerArn"] = listener.LoadBalancerArn;
+    }
+    if (listener.Port !== void 0)
+      result["Port"] = listener.Port;
+    if (listener.Protocol !== void 0)
+      result["Protocol"] = listener.Protocol;
+    if (listener.SslPolicy !== void 0)
+      result["SslPolicy"] = listener.SslPolicy;
+    if (listener.Certificates && listener.Certificates.length > 0) {
+      result["Certificates"] = listener.Certificates.map((c) => {
+        const out = {};
+        if (c.CertificateArn !== void 0)
+          out["CertificateArn"] = c.CertificateArn;
+        if (c.IsDefault !== void 0)
+          out["IsDefault"] = c.IsDefault;
+        return out;
+      });
+    }
+    if (listener.DefaultActions && listener.DefaultActions.length > 0) {
+      result["DefaultActions"] = listener.DefaultActions.map(
+        (a) => a
+      );
+    }
+    return result;
+  }
   /**
    * Adopt an existing ELBv2 LoadBalancer or TargetGroup into cdkd state.
    *
@@ -25589,6 +26668,7 @@ import {
   ListQueryLoggingConfigsCommand,
   ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2,
   ListHostedZonesCommand,
+  ListResourceRecordSetsCommand,
   ListTagsForResourceCommand as ListTagsForResourceCommand11
 } from "@aws-sdk/client-route-53";
 var Route53Provider = class {
@@ -26236,6 +27316,150 @@ var Route53Provider = class {
       physicalId
     );
   }
+  /**
+   * Read the AWS-current Route 53 resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `HostedZone` → `GetHostedZone` (Name, HostedZoneConfig{Comment,
+   *    PrivateZone}, VPCs from `VPCs[]`). Tags are skipped (CDK auto-tag
+   *    handling deferred); QueryLoggingConfig is skipped because it's a
+   *    separate `ListQueryLoggingConfigs` call and the v1 surface does
+   *    not surface it.
+   *  - `RecordSet` → `ListResourceRecordSets` filtered to the exact
+   *    `(name, type)` pair from the composite physicalId
+   *    (`{zoneId}|{name}|{type}`). Surfaces TTL, ResourceRecords (with
+   *    `[{Value}]` -> string[] re-shape to match cdkd state), AliasTarget,
+   *    Weight, Region, Failover, MultiValueAnswer, HealthCheckId,
+   *    GeoLocation, SetIdentifier.
+   *
+   * Returns `undefined` when the parent zone is gone (`NoSuchHostedZone`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::Route53::HostedZone":
+        return this.readHostedZone(physicalId);
+      case "AWS::Route53::RecordSet":
+        return this.readRecordSet(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readHostedZone(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(new GetHostedZoneCommand2({ Id: physicalId }));
+    } catch (err) {
+      if (err instanceof Error && err.name === "NoSuchHostedZone")
+        return void 0;
+      throw err;
+    }
+    if (!resp.HostedZone)
+      return void 0;
+    const result = {};
+    if (resp.HostedZone.Name !== void 0)
+      result["Name"] = resp.HostedZone.Name;
+    if (resp.HostedZone.Config) {
+      const cfg = {};
+      if (resp.HostedZone.Config.Comment !== void 0) {
+        cfg["Comment"] = resp.HostedZone.Config.Comment;
+      }
+      if (resp.HostedZone.Config.PrivateZone !== void 0) {
+        cfg["PrivateZone"] = resp.HostedZone.Config.PrivateZone;
+      }
+      if (Object.keys(cfg).length > 0)
+        result["HostedZoneConfig"] = cfg;
+    }
+    if (resp.VPCs && resp.VPCs.length > 0) {
+      result["VPCs"] = resp.VPCs.map((v) => {
+        const out = {};
+        if (v.VPCId !== void 0)
+          out["VPCId"] = v.VPCId;
+        if (v.VPCRegion !== void 0)
+          out["VPCRegion"] = v.VPCRegion;
+        return out;
+      });
+    }
+    return result;
+  }
+  async readRecordSet(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length < 3)
+      return void 0;
+    const [hostedZoneId, name, type] = parts;
+    if (!hostedZoneId || !name || !type)
+      return void 0;
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new ListResourceRecordSetsCommand({
+          HostedZoneId: hostedZoneId,
+          StartRecordName: name,
+          StartRecordType: type,
+          MaxItems: 1
+        })
+      );
+    } catch (err) {
+      if (err instanceof Error && err.name === "NoSuchHostedZone")
+        return void 0;
+      throw err;
+    }
+    const recordSet = resp.ResourceRecordSets?.find((r) => r.Name === name && r.Type === type);
+    if (!recordSet)
+      return void 0;
+    const result = {
+      HostedZoneId: hostedZoneId,
+      Name: name,
+      Type: type
+    };
+    if (recordSet.TTL !== void 0)
+      result["TTL"] = recordSet.TTL;
+    if (recordSet.ResourceRecords && recordSet.ResourceRecords.length > 0) {
+      result["ResourceRecords"] = recordSet.ResourceRecords.map((r) => r.Value).filter(
+        (v) => typeof v === "string"
+      );
+    }
+    if (recordSet.AliasTarget) {
+      const at = {};
+      if (recordSet.AliasTarget.HostedZoneId !== void 0) {
+        at["HostedZoneId"] = recordSet.AliasTarget.HostedZoneId;
+      }
+      if (recordSet.AliasTarget.DNSName !== void 0) {
+        at["DNSName"] = recordSet.AliasTarget.DNSName;
+      }
+      if (recordSet.AliasTarget.EvaluateTargetHealth !== void 0) {
+        at["EvaluateTargetHealth"] = recordSet.AliasTarget.EvaluateTargetHealth;
+      }
+      result["AliasTarget"] = at;
+    }
+    if (recordSet.SetIdentifier !== void 0)
+      result["SetIdentifier"] = recordSet.SetIdentifier;
+    if (recordSet.Weight !== void 0)
+      result["Weight"] = recordSet.Weight;
+    if (recordSet.Region !== void 0)
+      result["Region"] = recordSet.Region;
+    if (recordSet.Failover !== void 0)
+      result["Failover"] = recordSet.Failover;
+    if (recordSet.MultiValueAnswer !== void 0) {
+      result["MultiValueAnswer"] = recordSet.MultiValueAnswer;
+    }
+    if (recordSet.HealthCheckId !== void 0)
+      result["HealthCheckId"] = recordSet.HealthCheckId;
+    if (recordSet.GeoLocation) {
+      const geo = {};
+      if (recordSet.GeoLocation.ContinentCode !== void 0) {
+        geo["ContinentCode"] = recordSet.GeoLocation.ContinentCode;
+      }
+      if (recordSet.GeoLocation.CountryCode !== void 0) {
+        geo["CountryCode"] = recordSet.GeoLocation.CountryCode;
+      }
+      if (recordSet.GeoLocation.SubdivisionCode !== void 0) {
+        geo["SubdivisionCode"] = recordSet.GeoLocation.SubdivisionCode;
+      }
+      if (Object.keys(geo).length > 0)
+        result["GeoLocation"] = geo;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Route 53 resource into cdkd state.
    *
@@ -26525,33 +27749,102 @@ var WAFv2WebACLProvider = class {
     }
   }
   /**
-   * Adopt an existing WAFv2 WebACL into cdkd state.
+   * Read the AWS-current WAFv2 WebACL configuration in CFn-property shape.
    *
-   * Lookup order:
-   *  1. `--resource <id>=<arn>` override → verify with `GetWebACL` (parses
-   *     Name/Id/Scope back out of the ARN).
-   *  2. Walk `ListWebACLs(Scope)` → match `aws:cdk:path` via
-   *     `ListTagsForResource(ResourceARN)` (returns
-   *     `TagInfoForResource.TagList`, standard `Key`/`Value` shape).
+   * The cdkd physicalId is the WebACL ARN; we parse it back to
+   * `(id, name, scope)` and call `GetWebACL`. The response holds Name,
+   * Description, DefaultAction, Rules, VisibilityConfig,
+   * CustomResponseBodies, CaptchaConfig, ChallengeConfig, TokenDomains,
+   * and AssociationConfig — every key cdkd state declares as
+   * `handledProperties`. `Scope` is recovered from the ARN parse.
    *
-   * `Scope` is required by `ListWebACLs` — read from
-   * `Properties.Scope` (`REGIONAL` is the default).
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the ARN can't be parsed or the WebACL is gone
+   * (`WAFNonexistentItemException`).
    */
-  async import(input) {
-    if (input.knownPhysicalId) {
-      try {
-        const { id, name, scope: scope2 } = parseWebACLArn(input.knownPhysicalId);
-        await this.getClient().send(new GetWebACLCommand({ Id: id, Name: name, Scope: scope2 }));
-        return { physicalId: input.knownPhysicalId, attributes: {} };
-      } catch (err) {
-        if (err instanceof WAFNonexistentItemException)
-          return null;
-        throw err;
-      }
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let id;
+    let name;
+    let scope;
+    try {
+      ({ id, name, scope } = parseWebACLArn(physicalId));
+    } catch {
+      return void 0;
     }
-    if (!input.cdkPath)
-      return null;
-    const scope = input.properties["Scope"] || "REGIONAL";
+    let webACL;
+    try {
+      const resp = await this.getClient().send(
+        new GetWebACLCommand({ Id: id, Name: name, Scope: scope })
+      );
+      webACL = resp.WebACL;
+    } catch (err) {
+      if (err instanceof WAFNonexistentItemException)
+        return void 0;
+      throw err;
+    }
+    if (!webACL)
+      return void 0;
+    const result = {};
+    if (webACL.Name !== void 0)
+      result["Name"] = webACL.Name;
+    result["Scope"] = scope;
+    if (webACL.Description !== void 0 && webACL.Description !== "") {
+      result["Description"] = webACL.Description;
+    }
+    if (webACL.DefaultAction) {
+      result["DefaultAction"] = webACL.DefaultAction;
+    }
+    if (webACL.Rules && webACL.Rules.length > 0) {
+      result["Rules"] = webACL.Rules.map((r) => r);
+    }
+    if (webACL.VisibilityConfig) {
+      result["VisibilityConfig"] = webACL.VisibilityConfig;
+    }
+    if (webACL.CustomResponseBodies && Object.keys(webACL.CustomResponseBodies).length > 0) {
+      result["CustomResponseBodies"] = webACL.CustomResponseBodies;
+    }
+    if (webACL.CaptchaConfig) {
+      result["CaptchaConfig"] = webACL.CaptchaConfig;
+    }
+    if (webACL.ChallengeConfig) {
+      result["ChallengeConfig"] = webACL.ChallengeConfig;
+    }
+    if (webACL.TokenDomains && webACL.TokenDomains.length > 0) {
+      result["TokenDomains"] = [...webACL.TokenDomains];
+    }
+    if (webACL.AssociationConfig) {
+      result["AssociationConfig"] = webACL.AssociationConfig;
+    }
+    return result;
+  }
+  /**
+   * Adopt an existing WAFv2 WebACL into cdkd state.
+   *
+   * Lookup order:
+   *  1. `--resource <id>=<arn>` override → verify with `GetWebACL` (parses
+   *     Name/Id/Scope back out of the ARN).
+   *  2. Walk `ListWebACLs(Scope)` → match `aws:cdk:path` via
+   *     `ListTagsForResource(ResourceARN)` (returns
+   *     `TagInfoForResource.TagList`, standard `Key`/`Value` shape).
+   *
+   * `Scope` is required by `ListWebACLs` — read from
+   * `Properties.Scope` (`REGIONAL` is the default).
+   */
+  async import(input) {
+    if (input.knownPhysicalId) {
+      try {
+        const { id, name, scope: scope2 } = parseWebACLArn(input.knownPhysicalId);
+        await this.getClient().send(new GetWebACLCommand({ Id: id, Name: name, Scope: scope2 }));
+        return { physicalId: input.knownPhysicalId, attributes: {} };
+      } catch (err) {
+        if (err instanceof WAFNonexistentItemException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    const scope = input.properties["Scope"] || "REGIONAL";
     let nextMarker;
     do {
       const list = await this.getClient().send(
@@ -27496,6 +28789,133 @@ var ElastiCacheProvider = class {
   sleep(ms) {
     return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
+  /**
+   * Read the AWS-current ElastiCache resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `CacheCluster` → `DescribeCacheClusters` filtered by `CacheClusterId`,
+   *    surfacing `Engine`, `CacheNodeType`, `NumCacheNodes`,
+   *    `CacheSubnetGroupName`, `Port`, `EngineVersion`,
+   *    `CacheParameterGroupName`, `PreferredMaintenanceWindow`,
+   *    `PreferredAvailabilityZone`, `SnapshotRetentionLimit`,
+   *    `SnapshotWindow`, `AutoMinorVersionUpgrade`, `NotificationTopicArn`,
+   *    `IpDiscovery`, `NetworkType`, `TransitEncryptionEnabled`, plus
+   *    `VpcSecurityGroupIds` derived from the cluster's `SecurityGroups[]`.
+   *  - `SubnetGroup` → `DescribeCacheSubnetGroups` filtered by name,
+   *    surfacing `CacheSubnetGroupName`, `CacheSubnetGroupDescription`,
+   *    and `SubnetIds` derived from `Subnets[].SubnetIdentifier`.
+   *
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the resource is gone (`*NotFoundFault`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::ElastiCache::CacheCluster":
+        return this.readCacheCluster(physicalId);
+      case "AWS::ElastiCache::SubnetGroup":
+        return this.readSubnetGroup(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCacheCluster(physicalId) {
+    let cluster;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeCacheClustersCommand({
+          CacheClusterId: physicalId,
+          ShowCacheNodeInfo: true
+        })
+      );
+      cluster = resp.CacheClusters?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err, "CacheClusterNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!cluster)
+      return void 0;
+    const result = {};
+    if (cluster.CacheClusterId !== void 0)
+      result["ClusterName"] = cluster.CacheClusterId;
+    if (cluster.Engine !== void 0)
+      result["Engine"] = cluster.Engine;
+    if (cluster.CacheNodeType !== void 0)
+      result["CacheNodeType"] = cluster.CacheNodeType;
+    if (cluster.NumCacheNodes !== void 0)
+      result["NumCacheNodes"] = cluster.NumCacheNodes;
+    if (cluster.CacheSubnetGroupName !== void 0) {
+      result["CacheSubnetGroupName"] = cluster.CacheSubnetGroupName;
+    }
+    if (cluster.EngineVersion !== void 0)
+      result["EngineVersion"] = cluster.EngineVersion;
+    if (cluster.CacheParameterGroup?.CacheParameterGroupName !== void 0) {
+      result["CacheParameterGroupName"] = cluster.CacheParameterGroup.CacheParameterGroupName;
+    }
+    if (cluster.PreferredMaintenanceWindow !== void 0) {
+      result["PreferredMaintenanceWindow"] = cluster.PreferredMaintenanceWindow;
+    }
+    if (cluster.PreferredAvailabilityZone !== void 0) {
+      result["PreferredAvailabilityZone"] = cluster.PreferredAvailabilityZone;
+    }
+    if (cluster.SnapshotRetentionLimit !== void 0) {
+      result["SnapshotRetentionLimit"] = cluster.SnapshotRetentionLimit;
+    }
+    if (cluster.SnapshotWindow !== void 0)
+      result["SnapshotWindow"] = cluster.SnapshotWindow;
+    if (cluster.AutoMinorVersionUpgrade !== void 0) {
+      result["AutoMinorVersionUpgrade"] = cluster.AutoMinorVersionUpgrade;
+    }
+    if (cluster.NotificationConfiguration?.TopicArn !== void 0) {
+      result["NotificationTopicArn"] = cluster.NotificationConfiguration.TopicArn;
+    }
+    if (cluster.IpDiscovery !== void 0)
+      result["IpDiscovery"] = cluster.IpDiscovery;
+    if (cluster.NetworkType !== void 0)
+      result["NetworkType"] = cluster.NetworkType;
+    if (cluster.TransitEncryptionEnabled !== void 0) {
+      result["TransitEncryptionEnabled"] = cluster.TransitEncryptionEnabled;
+    }
+    if (cluster.CacheNodes?.[0]?.Endpoint?.Port !== void 0) {
+      result["Port"] = cluster.CacheNodes[0].Endpoint.Port;
+    }
+    if (cluster.SecurityGroups && cluster.SecurityGroups.length > 0) {
+      const ids = cluster.SecurityGroups.map((sg) => sg.SecurityGroupId).filter(
+        (id) => !!id
+      );
+      if (ids.length > 0)
+        result["VpcSecurityGroupIds"] = ids;
+    }
+    return result;
+  }
+  async readSubnetGroup(physicalId) {
+    let group;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeCacheSubnetGroupsCommand({ CacheSubnetGroupName: physicalId })
+      );
+      group = resp.CacheSubnetGroups?.[0];
+    } catch (err) {
+      if (this.isNotFoundError(err, "CacheSubnetGroupNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!group)
+      return void 0;
+    const result = {};
+    if (group.CacheSubnetGroupName !== void 0) {
+      result["CacheSubnetGroupName"] = group.CacheSubnetGroupName;
+    }
+    if (group.CacheSubnetGroupDescription !== void 0) {
+      result["CacheSubnetGroupDescription"] = group.CacheSubnetGroupDescription;
+    }
+    if (group.Subnets && group.Subnets.length > 0) {
+      const ids = group.Subnets.map((s) => s.SubnetIdentifier).filter((id) => !!id);
+      if (ids.length > 0)
+        result["SubnetIds"] = ids;
+    }
+    return result;
+  }
   /**
    * Adopt an existing ElastiCache resource into cdkd state.
    *
@@ -27968,6 +29388,87 @@ var ServiceDiscoveryProvider = class {
    *  - **AWS::ServiceDiscovery::Service**: same shape — `ListServices` +
    *    `ListTagsForResource`. Both use `Tag[]` arrays.
    */
+  /**
+   * Read the AWS-current ServiceDiscovery resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `PrivateDnsNamespace` → `GetNamespace` (Name, Description). `Vpc`
+   *    is NOT returned by `GetNamespace` — Cloud Map exposes the VPC only
+   *    at create time and via `ListNamespaces`-side `Properties.DnsProperties.HostedZoneId`,
+   *    not as a directly comparable VPC ID. We skip it; the comparator
+   *    only descends into keys present in cdkd state, so an absent key
+   *    cannot fire false drift, but a `Vpc` change will not be detected
+   *    via this provider's drift surface (use the CFn-side `aws cloudmap`
+   *    CLI for that edge case).
+   *  - `Service` → `GetService` (Name, NamespaceId, Description, Type,
+   *    DnsConfig, HealthCheckConfig, HealthCheckCustomConfig).
+   *
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the resource is gone (`NamespaceNotFound` / `ServiceNotFound`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::ServiceDiscovery::PrivateDnsNamespace":
+        return this.readNamespace(physicalId);
+      case "AWS::ServiceDiscovery::Service":
+        return this.readService(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readNamespace(physicalId) {
+    let ns;
+    try {
+      const resp = await this.getClient().send(new GetNamespaceCommand({ Id: physicalId }));
+      ns = resp.Namespace;
+    } catch (err) {
+      if (err instanceof NamespaceNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!ns)
+      return void 0;
+    const result = {};
+    if (ns.Name !== void 0)
+      result["Name"] = ns.Name;
+    if (ns.Description !== void 0 && ns.Description !== "") {
+      result["Description"] = ns.Description;
+    }
+    return result;
+  }
+  async readService(physicalId) {
+    let svc;
+    try {
+      const resp = await this.getClient().send(new GetServiceCommand({ Id: physicalId }));
+      svc = resp.Service;
+    } catch (err) {
+      if (err instanceof ServiceNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!svc)
+      return void 0;
+    const result = {};
+    if (svc.Name !== void 0)
+      result["Name"] = svc.Name;
+    if (svc.NamespaceId !== void 0)
+      result["NamespaceId"] = svc.NamespaceId;
+    if (svc.Description !== void 0 && svc.Description !== "") {
+      result["Description"] = svc.Description;
+    }
+    if (svc.Type !== void 0)
+      result["Type"] = svc.Type;
+    if (svc.DnsConfig) {
+      result["DnsConfig"] = svc.DnsConfig;
+    }
+    if (svc.HealthCheckConfig) {
+      result["HealthCheckConfig"] = svc.HealthCheckConfig;
+    }
+    if (svc.HealthCheckCustomConfig) {
+      result["HealthCheckCustomConfig"] = svc.HealthCheckCustomConfig;
+    }
+    return result;
+  }
   async import(input) {
     switch (input.resourceType) {
       case "AWS::ServiceDiscovery::PrivateDnsNamespace":
@@ -28084,6 +29585,9 @@ import {
   DeleteApiKeyCommand,
   StartSchemaCreationCommand,
   GetGraphqlApiCommand,
+  GetDataSourceCommand,
+  GetResolverCommand,
+  ListApiKeysCommand,
   ListGraphqlApisCommand,
   NotFoundException as AppSyncNotFoundException
 } from "@aws-sdk/client-appsync";
@@ -28593,6 +30097,209 @@ var AppSyncProvider = class {
     const name = error.name ?? "";
     return message.includes("not found") || message.includes("does not exist") || name === "NotFoundException";
   }
+  /**
+   * Read the AWS-current AppSync resource configuration in CFn-property shape.
+   *
+   * Dispatches per resource type:
+   *  - `GraphQLApi` → `GetGraphqlApi` (Name, AuthenticationType, XrayEnabled,
+   *    LogConfig). Tags are skipped (CDK auto-tag handling deferred).
+   *  - `DataSource` → `GetDataSource` (Name, Type, Description,
+   *    ServiceRoleArn, DynamoDBConfig, LambdaConfig, HttpConfig). The
+   *    `ApiId` cdkd holds is recovered from the `apiId|name` physicalId.
+   *  - `Resolver` → `GetResolver` (TypeName, FieldName, DataSourceName,
+   *    request/response templates, Kind, PipelineConfig, Runtime, Code).
+   *  - `ApiKey` → `ListApiKeys` filtered by id (no `GetApiKey` SDK call;
+   *    AppSync only exposes list-based access). Surfaces Description and
+   *    Expires.
+   *  - `GraphQLSchema` → `GetSchemaCreationStatus` is the closest live
+   *    state, but it returns a status string only (not the full schema
+   *    body). Schema bodies live in cdkd state's `Definition` and would
+   *    need `GetIntrospectionSchema` + reverse-mapping to compare; that's
+   *    a separate task. Returns `undefined` so the comparator marks it
+   *    as "drift unknown" rather than firing a false positive.
+   *
+   * Returns `undefined` when the parent resource is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::AppSync::GraphQLApi":
+        return this.readGraphQLApi(physicalId);
+      case "AWS::AppSync::DataSource":
+        return this.readDataSource(physicalId);
+      case "AWS::AppSync::Resolver":
+        return this.readResolver(physicalId);
+      case "AWS::AppSync::ApiKey":
+        return this.readApiKey(physicalId);
+      case "AWS::AppSync::GraphQLSchema":
+        return void 0;
+      default:
+        return void 0;
+    }
+  }
+  async readGraphQLApi(physicalId) {
+    let api;
+    try {
+      const resp = await this.getClient().send(new GetGraphqlApiCommand({ apiId: physicalId }));
+      api = resp.graphqlApi;
+    } catch (err) {
+      if (err instanceof AppSyncNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!api)
+      return void 0;
+    const result = {};
+    if (api.name !== void 0)
+      result["Name"] = api.name;
+    if (api.authenticationType !== void 0) {
+      result["AuthenticationType"] = api.authenticationType;
+    }
+    if (api.xrayEnabled !== void 0)
+      result["XrayEnabled"] = api.xrayEnabled;
+    if (api.logConfig) {
+      const log = {};
+      if (api.logConfig.cloudWatchLogsRoleArn !== void 0) {
+        log["CloudWatchLogsRoleArn"] = api.logConfig.cloudWatchLogsRoleArn;
+      }
+      if (api.logConfig.fieldLogLevel !== void 0) {
+        log["FieldLogLevel"] = api.logConfig.fieldLogLevel;
+      }
+      if (api.logConfig.excludeVerboseContent !== void 0) {
+        log["ExcludeVerboseContent"] = api.logConfig.excludeVerboseContent;
+      }
+      if (Object.keys(log).length > 0)
+        result["LogConfig"] = log;
+    }
+    return result;
+  }
+  async readDataSource(physicalId) {
+    const [apiId, name] = physicalId.split("|");
+    if (!apiId || !name)
+      return void 0;
+    let ds;
+    try {
+      const resp = await this.getClient().send(new GetDataSourceCommand({ apiId, name }));
+      ds = resp.dataSource;
+    } catch (err) {
+      if (err instanceof AppSyncNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!ds)
+      return void 0;
+    const result = { ApiId: apiId };
+    if (ds.name !== void 0)
+      result["Name"] = ds.name;
+    if (ds.type !== void 0)
+      result["Type"] = ds.type;
+    if (ds.description !== void 0 && ds.description !== "") {
+      result["Description"] = ds.description;
+    }
+    if (ds.serviceRoleArn !== void 0)
+      result["ServiceRoleArn"] = ds.serviceRoleArn;
+    if (ds.dynamodbConfig) {
+      const dynamo = {};
+      if (ds.dynamodbConfig.tableName !== void 0)
+        dynamo["TableName"] = ds.dynamodbConfig.tableName;
+      if (ds.dynamodbConfig.awsRegion !== void 0)
+        dynamo["AwsRegion"] = ds.dynamodbConfig.awsRegion;
+      if (ds.dynamodbConfig.useCallerCredentials !== void 0) {
+        dynamo["UseCallerCredentials"] = ds.dynamodbConfig.useCallerCredentials;
+      }
+      if (Object.keys(dynamo).length > 0)
+        result["DynamoDBConfig"] = dynamo;
+    }
+    if (ds.lambdaConfig?.lambdaFunctionArn !== void 0) {
+      result["LambdaConfig"] = { LambdaFunctionArn: ds.lambdaConfig.lambdaFunctionArn };
+    }
+    if (ds.httpConfig?.endpoint !== void 0) {
+      result["HttpConfig"] = { Endpoint: ds.httpConfig.endpoint };
+    }
+    return result;
+  }
+  async readResolver(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length < 3)
+      return void 0;
+    const [apiId, typeName, fieldName] = parts;
+    if (!apiId || !typeName || !fieldName)
+      return void 0;
+    let resolver;
+    try {
+      const resp = await this.getClient().send(
+        new GetResolverCommand({ apiId, typeName, fieldName })
+      );
+      resolver = resp.resolver;
+    } catch (err) {
+      if (err instanceof AppSyncNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!resolver)
+      return void 0;
+    const result = { ApiId: apiId };
+    if (resolver.typeName !== void 0)
+      result["TypeName"] = resolver.typeName;
+    if (resolver.fieldName !== void 0)
+      result["FieldName"] = resolver.fieldName;
+    if (resolver.dataSourceName !== void 0)
+      result["DataSourceName"] = resolver.dataSourceName;
+    if (resolver.requestMappingTemplate !== void 0) {
+      result["RequestMappingTemplate"] = resolver.requestMappingTemplate;
+    }
+    if (resolver.responseMappingTemplate !== void 0) {
+      result["ResponseMappingTemplate"] = resolver.responseMappingTemplate;
+    }
+    if (resolver.kind !== void 0)
+      result["Kind"] = resolver.kind;
+    if (resolver.pipelineConfig?.functions && resolver.pipelineConfig.functions.length > 0) {
+      result["PipelineConfig"] = { Functions: [...resolver.pipelineConfig.functions] };
+    }
+    if (resolver.runtime) {
+      const runtime = {};
+      if (resolver.runtime.name !== void 0)
+        runtime["Name"] = resolver.runtime.name;
+      if (resolver.runtime.runtimeVersion !== void 0) {
+        runtime["RuntimeVersion"] = resolver.runtime.runtimeVersion;
+      }
+      if (Object.keys(runtime).length > 0)
+        result["Runtime"] = runtime;
+    }
+    if (resolver.code !== void 0)
+      result["Code"] = resolver.code;
+    return result;
+  }
+  async readApiKey(physicalId) {
+    const [apiId, apiKeyId] = physicalId.split("|");
+    if (!apiId || !apiKeyId)
+      return void 0;
+    let nextToken;
+    do {
+      let resp;
+      try {
+        resp = await this.getClient().send(
+          new ListApiKeysCommand({ apiId, ...nextToken && { nextToken } })
+        );
+      } catch (err) {
+        if (err instanceof AppSyncNotFoundException)
+          return void 0;
+        throw err;
+      }
+      for (const key of resp.apiKeys ?? []) {
+        if (key.id === apiKeyId) {
+          const result = { ApiId: apiId };
+          if (key.description !== void 0 && key.description !== "") {
+            result["Description"] = key.description;
+          }
+          if (key.expires !== void 0)
+            result["Expires"] = key.expires;
+          return result;
+        }
+      }
+      nextToken = resp.nextToken;
+    } while (nextToken);
+    return void 0;
+  }
   /**
    * Adopt an existing AppSync resource into cdkd state.
    *
@@ -29044,6 +30751,116 @@ var GlueProvider = class {
    * Glue list APIs return only names — ARNs are constructed locally
    * for the per-item GetTags call.
    */
+  /**
+   * Read the AWS-current Glue resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `Database` → `GetDatabase` returning DatabaseInput-shape
+   *    (`Name`, `Description`, `LocationUri`, `Parameters`).
+   *  - `Table` → `GetTable` returning the same-named TableInput-shape
+   *    fields (`Name`, `Description`, `Owner`, `Retention`, `TableType`,
+   *    `PartitionKeys`, `Parameters`, `StorageDescriptor`, `ViewOriginalText`,
+   *    `ViewExpandedText`, `TargetTable`). The table physicalId is
+   *    `databaseName|tableName`; we recover both from the split.
+   *
+   * `CatalogId` is intentionally not surfaced — `GetDatabase` /
+   * `GetTable` do not echo it back, and cdkd state's `CatalogId` is
+   * usually the AWS account id (defaulted by the API). Comparator only
+   * descends into keys present in state, so an absent surface key cannot
+   * fire false drift here.
+   *
+   * Returns `undefined` when the resource is gone (`EntityNotFoundException`).
+   * Other Glue resource types (`Job`, `Crawler`, `Connection`, `Trigger`,
+   * `Workflow`, `SecurityConfiguration`, etc.) are out of scope for v1 —
+   * the provider's `create()` only handles Database/Table; CC API picks
+   * up drift detection for the rest.
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::Glue::Database":
+        return this.readDatabase(physicalId);
+      case "AWS::Glue::Table":
+        return this.readTable(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readDatabase(physicalId) {
+    let db;
+    try {
+      const resp = await this.getClient().send(new GetDatabaseCommand({ Name: physicalId }));
+      db = resp.Database;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!db)
+      return void 0;
+    const dbInput = {};
+    if (db.Name !== void 0)
+      dbInput["Name"] = db.Name;
+    if (db.Description !== void 0 && db.Description !== "") {
+      dbInput["Description"] = db.Description;
+    }
+    if (db.LocationUri !== void 0)
+      dbInput["LocationUri"] = db.LocationUri;
+    if (db.Parameters && Object.keys(db.Parameters).length > 0) {
+      dbInput["Parameters"] = db.Parameters;
+    }
+    return { DatabaseInput: dbInput };
+  }
+  async readTable(physicalId) {
+    const [databaseName, tableName] = physicalId.split("|");
+    if (!databaseName || !tableName)
+      return void 0;
+    let table;
+    try {
+      const resp = await this.getClient().send(
+        new GetTableCommand({ DatabaseName: databaseName, Name: tableName })
+      );
+      table = resp.Table;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!table)
+      return void 0;
+    const tableInput = {};
+    if (table.Name !== void 0)
+      tableInput["Name"] = table.Name;
+    if (table.Description !== void 0 && table.Description !== "") {
+      tableInput["Description"] = table.Description;
+    }
+    if (table.Owner !== void 0)
+      tableInput["Owner"] = table.Owner;
+    if (table.Retention !== void 0)
+      tableInput["Retention"] = table.Retention;
+    if (table.TableType !== void 0)
+      tableInput["TableType"] = table.TableType;
+    if (table.PartitionKeys && table.PartitionKeys.length > 0) {
+      tableInput["PartitionKeys"] = table.PartitionKeys.map(
+        (k) => k
+      );
+    }
+    if (table.Parameters && Object.keys(table.Parameters).length > 0) {
+      tableInput["Parameters"] = table.Parameters;
+    }
+    if (table.StorageDescriptor) {
+      tableInput["StorageDescriptor"] = table.StorageDescriptor;
+    }
+    if (table.ViewOriginalText !== void 0) {
+      tableInput["ViewOriginalText"] = table.ViewOriginalText;
+    }
+    if (table.ViewExpandedText !== void 0) {
+      tableInput["ViewExpandedText"] = table.ViewExpandedText;
+    }
+    if (table.TargetTable) {
+      tableInput["TargetTable"] = table.TargetTable;
+    }
+    return { DatabaseName: databaseName, TableInput: tableInput };
+  }
   async import(input) {
     switch (input.resourceType) {
       case "AWS::Glue::Database":
@@ -30020,6 +31837,57 @@ var KinesisStreamProvider = class {
    * Kinesis tags use the standard `Tag[]` array shape (`Key`/`Value`),
    * so `matchesCdkPath` from import-helpers applies directly.
    */
+  /**
+   * Read the AWS-current Kinesis stream configuration in CFn-property shape.
+   *
+   * Issues `DescribeStream` and surfaces the keys cdkd's `create()`
+   * accepts: `Name`, `StreamModeDetails`, `ShardCount`, `RetentionPeriodHours`,
+   * and `StreamEncryption`. Tags are skipped (CDK auto-tag handling deferred).
+   *
+   * `ShardCount` is reported as the count of `Shards[]` in the stream
+   * description (only present for PROVISIONED-mode streams; ON_DEMAND
+   * mode reports an empty list).
+   *
+   * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
+   * Only `AWS::Kinesis::Stream` is supported (the provider does not handle
+   * `AWS::Kinesis::StreamConsumer`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    if (resourceType !== "AWS::Kinesis::Stream")
+      return void 0;
+    let stream;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeStreamCommand({ StreamName: physicalId })
+      );
+      stream = resp.StreamDescription;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException13)
+        return void 0;
+      throw err;
+    }
+    if (!stream)
+      return void 0;
+    const result = {};
+    if (stream.StreamName !== void 0)
+      result["Name"] = stream.StreamName;
+    if (stream.StreamModeDetails?.StreamMode !== void 0) {
+      result["StreamModeDetails"] = { StreamMode: stream.StreamModeDetails.StreamMode };
+    }
+    if (stream.Shards && stream.Shards.length > 0) {
+      result["ShardCount"] = stream.Shards.length;
+    }
+    if (stream.RetentionPeriodHours !== void 0) {
+      result["RetentionPeriodHours"] = stream.RetentionPeriodHours;
+    }
+    if (stream.EncryptionType !== void 0 && stream.EncryptionType !== "NONE") {
+      const encryption = { EncryptionType: stream.EncryptionType };
+      if (stream.KeyId !== void 0)
+        encryption["KeyId"] = stream.KeyId;
+      result["StreamEncryption"] = encryption;
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "Name");
     if (explicit) {
@@ -30099,6 +31967,8 @@ import {
   DeleteAccessPointCommand,
   DescribeFileSystemsCommand,
   DescribeAccessPointsCommand,
+  DescribeLifecycleConfigurationCommand,
+  DescribeBackupPolicyCommand,
   FileSystemNotFound,
   MountTargetNotFound,
   AccessPointNotFound
@@ -30500,6 +32370,173 @@ var EFSProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current EFS resource configuration in CFn-property shape.
+   *
+   * Dispatch per resource type:
+   *  - `FileSystem` → `DescribeFileSystems` filtered by id (PerformanceMode,
+   *    ThroughputMode, Encrypted, KmsKeyId, ProvisionedThroughputInMibps),
+   *    plus optional `DescribeLifecycleConfiguration` and
+   *    `DescribeBackupPolicy` enrichment. Each enrichment call is wrapped
+   *    in its own try/catch so a "not configured" error on either omits
+   *    the corresponding key without failing the whole snapshot.
+   *  - `AccessPoint` → `DescribeAccessPoints` filtered by id (PosixUser,
+   *    RootDirectory).
+   *  - `MountTarget` → `DescribeMountTargets` (FileSystemId, SubnetId).
+   *    SecurityGroups requires a separate call and is omitted for v1.
+   *
+   * Tags are skipped across all three (CDK auto-tag handling deferred).
+   * Returns `undefined` when the resource is gone (`*NotFound`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::EFS::FileSystem":
+        return this.readFileSystem(physicalId);
+      case "AWS::EFS::AccessPoint":
+        return this.readAccessPoint(physicalId);
+      case "AWS::EFS::MountTarget":
+        return this.readMountTarget(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readFileSystem(physicalId) {
+    let fs;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeFileSystemsCommand({ FileSystemId: physicalId })
+      );
+      fs = resp.FileSystems?.[0];
+    } catch (err) {
+      if (err instanceof FileSystemNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!fs)
+      return void 0;
+    const result = {};
+    if (fs.PerformanceMode !== void 0)
+      result["PerformanceMode"] = fs.PerformanceMode;
+    if (fs.ThroughputMode !== void 0)
+      result["ThroughputMode"] = fs.ThroughputMode;
+    if (fs.Encrypted !== void 0)
+      result["Encrypted"] = fs.Encrypted;
+    if (fs.KmsKeyId !== void 0)
+      result["KmsKeyId"] = fs.KmsKeyId;
+    if (fs.ProvisionedThroughputInMibps !== void 0) {
+      result["ProvisionedThroughputInMibps"] = fs.ProvisionedThroughputInMibps;
+    }
+    try {
+      const resp = await this.getClient().send(
+        new DescribeLifecycleConfigurationCommand({ FileSystemId: physicalId })
+      );
+      const policies = resp.LifecyclePolicies;
+      if (policies && policies.length > 0) {
+        result["LifecyclePolicies"] = policies.map((p) => {
+          const out = {};
+          if (p.TransitionToIA !== void 0)
+            out["TransitionToIA"] = p.TransitionToIA;
+          if (p.TransitionToPrimaryStorageClass !== void 0) {
+            out["TransitionToPrimaryStorageClass"] = p.TransitionToPrimaryStorageClass;
+          }
+          if (p.TransitionToArchive !== void 0)
+            out["TransitionToArchive"] = p.TransitionToArchive;
+          return out;
+        });
+      }
+    } catch (err) {
+      if (err instanceof FileSystemNotFound)
+        return void 0;
+      const e = err;
+      if (e.name !== "PolicyNotFound") {
+      }
+    }
+    try {
+      const resp = await this.getClient().send(
+        new DescribeBackupPolicyCommand({ FileSystemId: physicalId })
+      );
+      if (resp.BackupPolicy?.Status !== void 0) {
+        result["BackupPolicy"] = { Status: resp.BackupPolicy.Status };
+      }
+    } catch (err) {
+      if (err instanceof FileSystemNotFound)
+        return void 0;
+    }
+    return result;
+  }
+  async readAccessPoint(physicalId) {
+    let ap;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeAccessPointsCommand({ AccessPointId: physicalId })
+      );
+      ap = resp.AccessPoints?.[0];
+    } catch (err) {
+      if (err instanceof AccessPointNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!ap)
+      return void 0;
+    const result = {};
+    if (ap.FileSystemId !== void 0)
+      result["FileSystemId"] = ap.FileSystemId;
+    if (ap.PosixUser) {
+      const posix = {};
+      if (ap.PosixUser.Uid !== void 0)
+        posix["Uid"] = ap.PosixUser.Uid;
+      if (ap.PosixUser.Gid !== void 0)
+        posix["Gid"] = ap.PosixUser.Gid;
+      if (ap.PosixUser.SecondaryGids && ap.PosixUser.SecondaryGids.length > 0) {
+        posix["SecondaryGids"] = [...ap.PosixUser.SecondaryGids];
+      }
+      if (Object.keys(posix).length > 0)
+        result["PosixUser"] = posix;
+    }
+    if (ap.RootDirectory) {
+      const root = {};
+      if (ap.RootDirectory.Path !== void 0)
+        root["Path"] = ap.RootDirectory.Path;
+      if (ap.RootDirectory.CreationInfo) {
+        const ci = {};
+        if (ap.RootDirectory.CreationInfo.OwnerUid !== void 0) {
+          ci["OwnerUid"] = ap.RootDirectory.CreationInfo.OwnerUid;
+        }
+        if (ap.RootDirectory.CreationInfo.OwnerGid !== void 0) {
+          ci["OwnerGid"] = ap.RootDirectory.CreationInfo.OwnerGid;
+        }
+        if (ap.RootDirectory.CreationInfo.Permissions !== void 0) {
+          ci["Permissions"] = ap.RootDirectory.CreationInfo.Permissions;
+        }
+        if (Object.keys(ci).length > 0)
+          root["CreationInfo"] = ci;
+      }
+      if (Object.keys(root).length > 0)
+        result["RootDirectory"] = root;
+    }
+    return result;
+  }
+  async readMountTarget(physicalId) {
+    let mt;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeMountTargetsCommand({ MountTargetId: physicalId })
+      );
+      mt = resp.MountTargets?.[0];
+    } catch (err) {
+      if (err instanceof MountTargetNotFound)
+        return void 0;
+      throw err;
+    }
+    if (!mt)
+      return void 0;
+    const result = {};
+    if (mt.FileSystemId !== void 0)
+      result["FileSystemId"] = mt.FileSystemId;
+    if (mt.SubnetId !== void 0)
+      result["SubnetId"] = mt.SubnetId;
+    return result;
+  }
   /**
    * Adopt an existing EFS resource into cdkd state.
    *
@@ -30952,6 +32989,63 @@ var FirehoseProvider = class {
    *
    * Firehose tags use the standard `Tag[]` array shape (`Key`/`Value`).
    */
+  /**
+   * Read the AWS-current Firehose delivery stream configuration in CFn-property shape.
+   *
+   * Surfaces top-level configuration that has a clean 1:1 mapping back to
+   * cdkd state — `DeliveryStreamName`, `DeliveryStreamType`, and the
+   * `KinesisStreamSourceConfiguration` parent fields when present (the
+   * `DescribeDeliveryStream` response splits source under `Source.KinesisStreamSourceDescription`).
+   *
+   * Destination configurations (`*DestinationConfiguration` in CFn vs.
+   * `*DestinationDescription` in `DescribeDeliveryStream`) are intentionally
+   * not re-shaped here. Their nested fields are large and the description
+   * vs. configuration shape divergence (extra metadata, write-only fields
+   * like `Password` redacted) makes a clean comparator surface impossible
+   * for v1. We do surface the destination *kind* under a stable key so
+   * users at least see destination drift across types, but not the inner
+   * fields. Drift on destination contents is best chased manually via
+   * `aws firehose describe-delivery-stream` for now.
+   *
+   * Tags + DeliveryStreamEncryptionConfigurationInput are skipped (they
+   * each need separate calls / shape decisions).
+   *
+   * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let desc;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId })
+      );
+      desc = resp.DeliveryStreamDescription;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException14)
+        return void 0;
+      throw err;
+    }
+    if (!desc)
+      return void 0;
+    const result = {};
+    if (desc.DeliveryStreamName !== void 0) {
+      result["DeliveryStreamName"] = desc.DeliveryStreamName;
+    }
+    if (desc.DeliveryStreamType !== void 0) {
+      result["DeliveryStreamType"] = desc.DeliveryStreamType;
+    }
+    if (desc.Source?.KinesisStreamSourceDescription) {
+      const src = desc.Source.KinesisStreamSourceDescription;
+      const srcOut = {};
+      if (src.KinesisStreamARN !== void 0)
+        srcOut["KinesisStreamARN"] = src.KinesisStreamARN;
+      if (src.RoleARN !== void 0)
+        srcOut["RoleARN"] = src.RoleARN;
+      if (Object.keys(srcOut).length > 0) {
+        result["KinesisStreamSourceConfiguration"] = srcOut;
+      }
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "DeliveryStreamName");
     if (explicit) {
@@ -31027,6 +33121,8 @@ import {
   PutEventSelectorsCommand,
   PutInsightSelectorsCommand,
   GetTrailCommand,
+  GetTrailStatusCommand,
+  GetEventSelectorsCommand,
   ListTrailsCommand,
   ListTagsCommand as ListTagsCommand3,
   TrailNotFoundException
@@ -31268,6 +33364,86 @@ var CloudTrailProvider = class {
    *  2. `ListTrails` + `ListTags` (CloudTrail uses `Tag[]` arrays per ARN),
    *     match `aws:cdk:path` tag.
    */
+  /**
+   * Read the AWS-current CloudTrail Trail configuration in CFn-property shape.
+   *
+   * Issues `GetTrail`, plus best-effort `GetTrailStatus` (for `IsLogging`)
+   * and `GetEventSelectors` (for `EventSelectors`). Each enrichment call is
+   * wrapped in its own try/catch so an "AccessDenied" or other transient
+   * error on the secondary calls omits that key without failing the
+   * whole snapshot — the comparator only descends into keys present in
+   * state.
+   *
+   * Mapping: AWS `GetTrail` returns `KmsKeyId` (lowercase `s`) while CFn
+   * uses `KMSKeyId`; we re-shape the key. SnsTopicARN is the Trail's
+   * derived field; the cdkd state property is `SnsTopicName` so we
+   * surface `SnsTopicName` directly from `GetTrail.SnsTopicName`.
+   *
+   * Tags + InsightSelectors are skipped for v1 (each needs its own
+   * separate call + shape mapping).
+   *
+   * Returns `undefined` when the trail is gone (`TrailNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let trail;
+    try {
+      const resp = await this.getClient().send(new GetTrailCommand({ Name: physicalId }));
+      trail = resp.Trail;
+    } catch (err) {
+      if (err instanceof TrailNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!trail)
+      return void 0;
+    const result = {};
+    if (trail.Name !== void 0)
+      result["TrailName"] = trail.Name;
+    if (trail.S3BucketName !== void 0)
+      result["S3BucketName"] = trail.S3BucketName;
+    if (trail.S3KeyPrefix !== void 0)
+      result["S3KeyPrefix"] = trail.S3KeyPrefix;
+    if (trail.IsMultiRegionTrail !== void 0) {
+      result["IsMultiRegionTrail"] = trail.IsMultiRegionTrail;
+    }
+    if (trail.IncludeGlobalServiceEvents !== void 0) {
+      result["IncludeGlobalServiceEvents"] = trail.IncludeGlobalServiceEvents;
+    }
+    if (trail.LogFileValidationEnabled !== void 0) {
+      result["EnableLogFileValidation"] = trail.LogFileValidationEnabled;
+    }
+    if (trail.CloudWatchLogsLogGroupArn !== void 0) {
+      result["CloudWatchLogsLogGroupArn"] = trail.CloudWatchLogsLogGroupArn;
+    }
+    if (trail.CloudWatchLogsRoleArn !== void 0) {
+      result["CloudWatchLogsRoleArn"] = trail.CloudWatchLogsRoleArn;
+    }
+    if (trail.KmsKeyId !== void 0)
+      result["KMSKeyId"] = trail.KmsKeyId;
+    if (trail.SnsTopicName !== void 0)
+      result["SnsTopicName"] = trail.SnsTopicName;
+    if (trail.IsOrganizationTrail !== void 0) {
+      result["IsOrganizationTrail"] = trail.IsOrganizationTrail;
+    }
+    try {
+      const status = await this.getClient().send(new GetTrailStatusCommand({ Name: physicalId }));
+      if (status.IsLogging !== void 0)
+        result["IsLogging"] = status.IsLogging;
+    } catch {
+    }
+    try {
+      const sel = await this.getClient().send(
+        new GetEventSelectorsCommand({ TrailName: physicalId })
+      );
+      if (sel.EventSelectors && sel.EventSelectors.length > 0) {
+        result["EventSelectors"] = sel.EventSelectors.map(
+          (es) => es
+        );
+      }
+    } catch {
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "TrailName");
     if (explicit) {
@@ -31585,6 +33761,141 @@ var CodeBuildProvider = class {
    *     `key`/`value` tags, not the standard `Key`/`Value`), match
    *     `aws:cdk:path` tag.
    */
+  /**
+   * Read the AWS-current CodeBuild Project configuration in CFn-property shape.
+   *
+   * Issues `BatchGetProjects` and re-shapes the SDK's camelCase response back
+   * to CFn's PascalCase shape (the `mapProperties` helper above goes the
+   * other way at create time). The drift comparator only descends into
+   * keys present in cdkd state, so we focus on the high-value top-level
+   * fields and the most commonly-set `Source` / `Artifacts` /
+   * `Environment` sub-fields. Less common nested config (full
+   * `LogsConfig`, `VpcConfig` rebuild, secondary sources/artifacts, etc.)
+   * is left to a follow-up — surfacing them with a partial shape would
+   * fire false drift on every project that uses them.
+   *
+   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * when the project is gone (`projects` array empty / `projectsNotFound` set).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let project;
+    try {
+      const resp = await this.getClient().send(
+        new BatchGetProjectsCommand({ names: [physicalId] })
+      );
+      project = resp.projects?.[0];
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException15)
+        return void 0;
+      throw err;
+    }
+    if (!project)
+      return void 0;
+    const result = {};
+    if (project.name !== void 0)
+      result["Name"] = project.name;
+    if (project.description !== void 0 && project.description !== "") {
+      result["Description"] = project.description;
+    }
+    if (project.serviceRole !== void 0)
+      result["ServiceRole"] = project.serviceRole;
+    if (project.timeoutInMinutes !== void 0) {
+      result["TimeoutInMinutes"] = project.timeoutInMinutes;
+    }
+    if (project.queuedTimeoutInMinutes !== void 0) {
+      result["QueuedTimeoutInMinutes"] = project.queuedTimeoutInMinutes;
+    }
+    if (project.encryptionKey !== void 0)
+      result["EncryptionKey"] = project.encryptionKey;
+    if (project.concurrentBuildLimit !== void 0) {
+      result["ConcurrentBuildLimit"] = project.concurrentBuildLimit;
+    }
+    if (project.badge?.badgeEnabled !== void 0) {
+      result["BadgeEnabled"] = project.badge.badgeEnabled;
+    }
+    if (project.sourceVersion !== void 0)
+      result["SourceVersion"] = project.sourceVersion;
+    if (project.source) {
+      const src = {};
+      if (project.source.type !== void 0)
+        src["Type"] = project.source.type;
+      if (project.source.location !== void 0)
+        src["Location"] = project.source.location;
+      if (project.source.buildspec !== void 0)
+        src["BuildSpec"] = project.source.buildspec;
+      if (project.source.gitCloneDepth !== void 0) {
+        src["GitCloneDepth"] = project.source.gitCloneDepth;
+      }
+      if (project.source.insecureSsl !== void 0)
+        src["InsecureSsl"] = project.source.insecureSsl;
+      if (project.source.reportBuildStatus !== void 0) {
+        src["ReportBuildStatus"] = project.source.reportBuildStatus;
+      }
+      if (Object.keys(src).length > 0)
+        result["Source"] = src;
+    }
+    if (project.artifacts) {
+      const art = {};
+      if (project.artifacts.type !== void 0)
+        art["Type"] = project.artifacts.type;
+      if (project.artifacts.location !== void 0)
+        art["Location"] = project.artifacts.location;
+      if (project.artifacts.path !== void 0)
+        art["Path"] = project.artifacts.path;
+      if (project.artifacts.name !== void 0)
+        art["Name"] = project.artifacts.name;
+      if (project.artifacts.namespaceType !== void 0) {
+        art["NamespaceType"] = project.artifacts.namespaceType;
+      }
+      if (project.artifacts.packaging !== void 0)
+        art["Packaging"] = project.artifacts.packaging;
+      if (project.artifacts.encryptionDisabled !== void 0) {
+        art["EncryptionDisabled"] = project.artifacts.encryptionDisabled;
+      }
+      if (project.artifacts.overrideArtifactName !== void 0) {
+        art["OverrideArtifactName"] = project.artifacts.overrideArtifactName;
+      }
+      if (project.artifacts.artifactIdentifier !== void 0) {
+        art["ArtifactIdentifier"] = project.artifacts.artifactIdentifier;
+      }
+      if (Object.keys(art).length > 0)
+        result["Artifacts"] = art;
+    }
+    if (project.environment) {
+      const env = {};
+      if (project.environment.type !== void 0)
+        env["Type"] = project.environment.type;
+      if (project.environment.image !== void 0)
+        env["Image"] = project.environment.image;
+      if (project.environment.computeType !== void 0) {
+        env["ComputeType"] = project.environment.computeType;
+      }
+      if (project.environment.privilegedMode !== void 0) {
+        env["PrivilegedMode"] = project.environment.privilegedMode;
+      }
+      if (project.environment.imagePullCredentialsType !== void 0) {
+        env["ImagePullCredentialsType"] = project.environment.imagePullCredentialsType;
+      }
+      if (project.environment.certificate !== void 0) {
+        env["Certificate"] = project.environment.certificate;
+      }
+      if (project.environment.environmentVariables && project.environment.environmentVariables.length > 0) {
+        env["EnvironmentVariables"] = project.environment.environmentVariables.map((ev) => {
+          const out = {};
+          if (ev.name !== void 0)
+            out["Name"] = ev.name;
+          if (ev.value !== void 0)
+            out["Value"] = ev.value;
+          if (ev.type !== void 0)
+            out["Type"] = ev.type;
+          return out;
+        });
+      }
+      if (Object.keys(env).length > 0)
+        result["Environment"] = env;
+    }
+    return result;
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "Name");
     if (explicit) {
@@ -31791,6 +34102,49 @@ var S3VectorsProvider = class {
       nextToken = listResult.nextToken;
     } while (nextToken);
   }
+  /**
+   * Read the AWS-current S3 Vector Bucket configuration in CFn-property
+   * shape.
+   *
+   * Issues `GetVectorBucket` for the bucket name (the physical id) and
+   * surfaces `VectorBucketName` and `EncryptionConfiguration` (re-shaping
+   * the camelCase SDK response back to PascalCase CFn property names —
+   * `sseType` → `SSEType`, `kmsKeyArn` → `KMSKeyArn`).
+   *
+   * Returns `undefined` when the bucket is gone (`NotFoundException` /
+   * `NoSuchVectorBucket`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new GetVectorBucketCommand({ vectorBucketName: physicalId })
+      );
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    const bucket = resp.vectorBucket;
+    if (bucket?.vectorBucketName !== void 0) {
+      result["VectorBucketName"] = bucket.vectorBucketName;
+    } else {
+      result["VectorBucketName"] = physicalId;
+    }
+    if (bucket?.encryptionConfiguration) {
+      const enc = {};
+      if (bucket.encryptionConfiguration.sseType !== void 0) {
+        enc["SSEType"] = bucket.encryptionConfiguration.sseType;
+      }
+      if (bucket.encryptionConfiguration.kmsKeyArn !== void 0) {
+        enc["KMSKeyArn"] = bucket.encryptionConfiguration.kmsKeyArn;
+      }
+      if (Object.keys(enc).length > 0)
+        result["EncryptionConfiguration"] = enc;
+    }
+    return result;
+  }
   /**
    * Adopt an existing S3 Vector Bucket into cdkd state.
    *
@@ -32060,6 +34414,48 @@ var S3DirectoryBucketProvider = class {
       continuationToken = listResponse.IsTruncated ? listResponse.NextContinuationToken : void 0;
     } while (continuationToken);
   }
+  /**
+   * Read the AWS-current S3 Express Directory Bucket configuration in
+   * CFn-property shape.
+   *
+   * Issues `HeadBucket` to verify existence and surfaces `BucketName`
+   * (the physicalId). `DataRedundancy` and `LocationName` are not exposed
+   * by any cheap S3 Express API — the only way to inspect them is by
+   * parsing the bucket name's `--<az-id>--x-s3` suffix, which is best
+   * effort. We surface them when they are recoverable from the bucket
+   * name to give the comparator a chance to detect mismatches.
+   *
+   * `--<az-id>--x-s3` suffix parsing: directory bucket names follow the
+   * format `<base>--<az-id>--x-s3`, e.g.
+   * `my-bucket--use1-az1--x-s3`. We don't reverse the AZ-ID -> AZ-name
+   * mapping here (that would require a per-call EC2 `DescribeAvailabilityZones`
+   * round-trip); state's `LocationName` is `us-east-1a--x-s3`-style,
+   * while the bucket name carries the AZ-ID `use1-az1`. Cross-region
+   * mapping is too expensive for v1 — we omit `LocationName` from the
+   * snapshot and rely on the comparator's "key absent in state never
+   * drifts" rule to no-op against state.
+   *
+   * Returns `undefined` when the bucket is gone (`HeadBucket` returns
+   * `NotFound` / `NoSuchBucket`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      await this.s3Client.send(new HeadBucketCommand4({ Bucket: physicalId }));
+    } catch (err) {
+      const e = err;
+      if (e.name === "NotFound" || e.name === "NoSuchBucket" || e.name === "BucketNotFound") {
+        return void 0;
+      }
+      throw err;
+    }
+    const result = {
+      BucketName: physicalId
+    };
+    if (physicalId.endsWith("--x-s3")) {
+      result["DataRedundancy"] = "SingleAvailabilityZone";
+    }
+    return result;
+  }
   /**
    * Adopt an existing S3 Express Directory Bucket into cdkd state.
    *
@@ -32464,6 +34860,97 @@ var S3TablesProvider = class {
       );
     }
   }
+  // ─── readCurrentState dispatch ───────────────────────────────────
+  /**
+   * Read the AWS-current S3 Tables resource configuration in CFn-property
+   * shape.
+   *
+   *  - **AWS::S3Tables::TableBucket**: `GetTableBucket` for the ARN; we
+   *    surface `TableBucketName` (the only mutable cdkd-managed property).
+   *  - **AWS::S3Tables::Namespace**: parses `tableBucketARN|namespace`
+   *    from physical id and surfaces `TableBucketARN` and `Namespace`
+   *    (as a `string[]` with one entry, matching `create()`'s shape).
+   *    No GetNamespace call — the physical id IS the source of truth and
+   *    AWS surfaces no additional managed fields cdkd cares about.
+   *  - **AWS::S3Tables::Table**: parses `tableBucketARN|namespace|name`
+   *    from physical id, calls `GetTable` to verify existence and recover
+   *    `format`, surfaces `TableBucketARN`, `Namespace` (string), `Name`,
+   *    `Format`.
+   *
+   * Returns `undefined` when the resource is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::S3Tables::TableBucket":
+        return this.readTableBucketCurrentState(physicalId);
+      case "AWS::S3Tables::Namespace":
+        return this.readNamespaceCurrentState(physicalId);
+      case "AWS::S3Tables::Table":
+        return this.readTableCurrentState(physicalId);
+      default:
+        this.logger.debug(
+          `readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`
+        );
+        return void 0;
+    }
+  }
+  async readTableBucketCurrentState(physicalId) {
+    let bucket;
+    try {
+      const resp = await this.getClient().send(
+        new GetTableBucketCommand({ tableBucketARN: physicalId })
+      );
+      bucket = resp;
+    } catch (err) {
+      if (err instanceof NotFoundException6)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (bucket.name !== void 0)
+      result["TableBucketName"] = bucket.name;
+    return result;
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- structural; physical id is the source of truth
+  async readNamespaceCurrentState(physicalId) {
+    const [tableBucketARN, namespaceName] = physicalId.split("|");
+    if (!tableBucketARN || !namespaceName)
+      return void 0;
+    return {
+      TableBucketARN: tableBucketARN,
+      Namespace: [namespaceName]
+    };
+  }
+  async readTableCurrentState(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length < 3)
+      return void 0;
+    const [tableBucketARN, namespace, name] = parts;
+    if (!tableBucketARN || !namespace || !name)
+      return void 0;
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new GetTableCommand2({
+          tableBucketARN,
+          namespace,
+          name
+        })
+      );
+    } catch (err) {
+      if (err instanceof NotFoundException6)
+        return void 0;
+      throw err;
+    }
+    const result = {
+      TableBucketARN: tableBucketARN,
+      Namespace: namespace,
+      Name: resp.name ?? name
+    };
+    if (resp.format !== void 0)
+      result["Format"] = resp.format;
+    return result;
+  }
   // ─── Import dispatch ──────────────────────────────────────────────
   /**
    * Adopt an existing S3 Tables resource into cdkd state.
@@ -38869,7 +41356,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.39.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.41.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());