@go-to-k/cdkd 0.40.0 → 0.41.0

package/dist/cli.js

@@ -9747,6 +9747,42 @@ var IAMInstanceProfileProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current IAM instance profile configuration in CFn-property
+   * shape.
+   *
+   * Issues a single `GetInstanceProfile` and surfaces the keys `create()`
+   * accepts (`InstanceProfileName`, `Path`, `Roles`). The Roles list maps
+   * the inline `Role[]` (each carrying `{RoleName, Arn, ...}`) back to the
+   * `string[]` of role names that CFn / cdkd state holds.
+   *
+   * Returns `undefined` when the profile is gone (`NoSuchEntityException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let profile;
+    try {
+      const resp = await this.iamClient.send(
+        new GetInstanceProfileCommand({ InstanceProfileName: physicalId })
+      );
+      profile = resp.InstanceProfile;
+    } catch (err) {
+      if (err instanceof NoSuchEntityException3)
+        return void 0;
+      throw err;
+    }
+    if (!profile)
+      return void 0;
+    const result = {};
+    if (profile.InstanceProfileName !== void 0) {
+      result["InstanceProfileName"] = profile.InstanceProfileName;
+    }
+    if (profile.Path !== void 0)
+      result["Path"] = profile.Path;
+    const roleNames = (profile.Roles ?? []).map((r) => r.RoleName).filter((n) => !!n);
+    if (roleNames.length > 0)
+      result["Roles"] = roleNames;
+    return result;
+  }
   /**
    * Adopt an existing IAM instance profile into cdkd state.
    *
@@ -10799,6 +10835,123 @@ var IAMUserGroupProvider = class {
       );
     }
   }
+  // ─── readCurrentState dispatch ───────────────────────────────────
+  /**
+   * Read the AWS-current configuration for an IAM user / group /
+   * UserToGroupAddition in CFn-property shape.
+   *
+   *  - **AWS::IAM::User**: `GetUser` for `UserName`, `Path`,
+   *    `PermissionsBoundary` (re-shaped from `PermissionsBoundary.Arn`);
+   *    `ListAttachedUserPolicies` for `ManagedPolicyArns`;
+   *    `ListGroupsForUser` for `Groups`. `Tags`, `LoginProfile`, and
+   *    `Policies` (inline policy bodies) are intentionally omitted —
+   *    same shape decisions as `iam-role-provider` (LoginProfile contains a
+   *    one-time password and inline policy bodies cost N extra round-trips
+   *    that are out of scope for v1).
+   *  - **AWS::IAM::Group**: `GetGroup` for `GroupName`, `Path`;
+   *    `ListAttachedGroupPolicies` for `ManagedPolicyArns`. `Policies`
+   *    (inline policy bodies) is omitted for the same reason as User /
+   *    Role.
+   *  - **AWS::IAM::UserToGroupAddition**: SKIPPED — returns `undefined`
+   *    because the resource is metadata-only (group-membership attachments
+   *    written via `AddUserToGroup`). A meaningful drift check would
+   *    require both the `GroupName` and the source-of-truth `Users` list
+   *    from state, neither of which `readCurrentState` receives. The
+   *    drift comparator falls back to "drift unknown" and the user can
+   *    inspect the membership manually.
+   *
+   * Returns `undefined` when the user / group is gone
+   * (`NoSuchEntityException`).
+   */
+  async readCurrentState(physicalId, logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::IAM::User":
+        return this.readUserCurrentState(physicalId);
+      case "AWS::IAM::Group":
+        return this.readGroupCurrentState(physicalId);
+      case "AWS::IAM::UserToGroupAddition":
+        return void 0;
+      default:
+        this.logger.debug(
+          `readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`
+        );
+        return void 0;
+    }
+  }
+  async readUserCurrentState(physicalId) {
+    let user;
+    try {
+      const resp = await this.iamClient.send(new GetUserCommand({ UserName: physicalId }));
+      user = resp.User;
+    } catch (err) {
+      if (err instanceof NoSuchEntityException4)
+        return void 0;
+      throw err;
+    }
+    if (!user)
+      return void 0;
+    const result = {};
+    if (user.UserName !== void 0)
+      result["UserName"] = user.UserName;
+    if (user.Path !== void 0)
+      result["Path"] = user.Path;
+    if (user.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
+      result["PermissionsBoundary"] = user.PermissionsBoundary.PermissionsBoundaryArn;
+    }
+    try {
+      const attached = await this.iamClient.send(
+        new ListAttachedUserPoliciesCommand({ UserName: physicalId })
+      );
+      const arns = (attached.AttachedPolicies ?? []).map((p) => p.PolicyArn).filter((arn) => !!arn);
+      if (arns.length > 0)
+        result["ManagedPolicyArns"] = arns;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
+    try {
+      const groups = await this.iamClient.send(
+        new ListGroupsForUserCommand({ UserName: physicalId })
+      );
+      const names = (groups.Groups ?? []).map((g) => g.GroupName).filter((n) => !!n);
+      if (names.length > 0)
+        result["Groups"] = names;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
+    return result;
+  }
+  async readGroupCurrentState(physicalId) {
+    let group;
+    try {
+      const resp = await this.iamClient.send(new GetGroupCommand({ GroupName: physicalId }));
+      group = resp.Group;
+    } catch (err) {
+      if (err instanceof NoSuchEntityException4)
+        return void 0;
+      throw err;
+    }
+    if (!group)
+      return void 0;
+    const result = {};
+    if (group.GroupName !== void 0)
+      result["GroupName"] = group.GroupName;
+    if (group.Path !== void 0)
+      result["Path"] = group.Path;
+    try {
+      const attached = await this.iamClient.send(
+        new ListAttachedGroupPoliciesCommand({ GroupName: physicalId })
+      );
+      const arns = (attached.AttachedPolicies ?? []).map((p) => p.PolicyArn).filter((arn) => !!arn);
+      if (arns.length > 0)
+        result["ManagedPolicyArns"] = arns;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
+    return result;
+  }
   // ─── Import dispatch ──────────────────────────────────────────────
   /**
    * Adopt an existing IAM user / group / user-to-group addition into cdkd state.
@@ -12002,6 +12155,7 @@ var S3BucketProvider = class {
 import {
   PutBucketPolicyCommand as PutBucketPolicyCommand2,
   DeleteBucketPolicyCommand,
+  GetBucketPolicyCommand,
   NoSuchBucket as NoSuchBucket2
 } from "@aws-sdk/client-s3";
 init_aws_clients();
@@ -12159,6 +12313,43 @@ var S3BucketPolicyProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current S3 bucket policy in CFn-property shape.
+   *
+   * Issues `GetBucketPolicy` against the bucket (physicalId === bucket
+   * name) and surfaces:
+   *   - `Bucket` — derived directly from `physicalId`.
+   *   - `PolicyDocument` — JSON-parsed back to the object form cdkd state
+   *     typically holds.
+   *
+   * Returns `undefined` when the bucket is gone (`NoSuchBucket`) or when
+   * no policy is currently attached (`NoSuchBucketPolicy`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let policyJson;
+    try {
+      const resp = await this.s3Client.send(new GetBucketPolicyCommand({ Bucket: physicalId }));
+      policyJson = resp.Policy;
+    } catch (err) {
+      if (err instanceof NoSuchBucket2)
+        return void 0;
+      const e = err;
+      if (e.name === "NoSuchBucketPolicy")
+        return void 0;
+      throw err;
+    }
+    if (!policyJson)
+      return void 0;
+    const result = {
+      Bucket: physicalId
+    };
+    try {
+      result["PolicyDocument"] = JSON.parse(policyJson);
+    } catch {
+      result["PolicyDocument"] = policyJson;
+    }
+    return result;
+  }
   /**
    * Adopt an existing S3 bucket policy into cdkd state.
    *
@@ -12582,7 +12773,10 @@ var SQSQueueProvider = class {
 };
 
 // src/provisioning/providers/sqs-queue-policy-provider.ts
-import { SetQueueAttributesCommand as SetQueueAttributesCommand2 } from "@aws-sdk/client-sqs";
+import {
+  SetQueueAttributesCommand as SetQueueAttributesCommand2,
+  GetQueueAttributesCommand as GetQueueAttributesCommand2
+} from "@aws-sdk/client-sqs";
 init_aws_clients();
 var SQSQueuePolicyProvider = class {
   sqsClient;
@@ -12735,6 +12929,52 @@ var SQSQueuePolicyProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current SQS queue policy in CFn-property shape.
+   *
+   * The provider's `create()` records `physicalId` as the first queue URL
+   * in the `Queues` array. Drift here surfaces:
+   *   - `Queues` — single-element array containing `physicalId`. The full
+   *     state list of queues isn't recoverable from AWS (no reverse index)
+   *     and the comparator only descends into keys present in state, so a
+   *     state with multiple queues will still surface drift on
+   *     `PolicyDocument` for the first queue (the most common drift case).
+   *   - `PolicyDocument` — fetched via `GetQueueAttributes` for
+   *     `Policy`, JSON-parsed back to the object form cdkd state holds.
+   *
+   * Returns `undefined` when the queue is gone (`QueueDoesNotExist`) or
+   * when no policy is currently attached (the `Policy` attribute is
+   * absent / empty).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let policyAttr;
+    try {
+      const resp = await this.sqsClient.send(
+        new GetQueueAttributesCommand2({
+          QueueUrl: physicalId,
+          AttributeNames: ["Policy"]
+        })
+      );
+      policyAttr = resp.Attributes?.["Policy"];
+    } catch (err) {
+      const e = err;
+      if (e.name === "QueueDoesNotExist" || typeof e.message === "string" && e.message.includes("does not exist")) {
+        return void 0;
+      }
+      throw err;
+    }
+    if (!policyAttr)
+      return void 0;
+    const result = {
+      Queues: [physicalId]
+    };
+    try {
+      result["PolicyDocument"] = JSON.parse(policyAttr);
+    } catch {
+      result["PolicyDocument"] = policyAttr;
+    }
+    return result;
+  }
   /**
    * Adopt an existing SQS queue policy into cdkd state.
    *
@@ -13407,7 +13647,7 @@ var SNSSubscriptionProvider = class {
 };
 
 // src/provisioning/providers/sns-topic-policy-provider.ts
-import { SetTopicAttributesCommand as SetTopicAttributesCommand2 } from "@aws-sdk/client-sns";
+import { SetTopicAttributesCommand as SetTopicAttributesCommand2, GetTopicAttributesCommand as GetTopicAttributesCommand2 } from "@aws-sdk/client-sns";
 init_aws_clients();
 var SNSTopicPolicyProvider = class {
   logger = getLogger().child("SNSTopicPolicyProvider");
@@ -13543,6 +13783,57 @@ var SNSTopicPolicyProvider = class {
     }
     this.logger.debug(`Successfully deleted SNS topic policy ${logicalId}`);
   }
+  /**
+   * Read the AWS-current SNS topic policy in CFn-property shape.
+   *
+   * The provider's `create()` builds `physicalId` as a comma-joined list
+   * of topic ARNs. We:
+   *   1. Split the physical id back into the list of topic ARNs and surface
+   *      them as `Topics` (matching `create()` shape).
+   *   2. Fetch `GetTopicAttributes` on the FIRST topic to retrieve the
+   *      `Policy` attribute and surface it as `PolicyDocument` (JSON-parsed
+   *      to match the object form cdkd state holds).
+   *
+   * Single-topic fetch is intentional: cdkd applies the same policy to
+   * every topic in `Topics`, so the body is the same on each. A future
+   * enhancement could verify per-topic that the policy actually matches
+   * (catches manual divergence between multiple targets), but the bulk of
+   * drift cases involve a single topic and the body content is what users
+   * actually care about.
+   *
+   * Returns `undefined` when no topics are listed in the physical id, or
+   * when the first listed topic is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    const topics = physicalId.split(",").filter((t) => t.length > 0);
+    if (topics.length === 0)
+      return void 0;
+    const firstTopic = topics[0];
+    let policyAttr;
+    try {
+      const resp = await getAwsClients().sns.send(
+        new GetTopicAttributesCommand2({ TopicArn: firstTopic })
+      );
+      policyAttr = resp.Attributes?.["Policy"];
+    } catch (err) {
+      const e = err;
+      if (e.name === "NotFoundException" || e.name === "NotFound" || typeof e.message === "string" && e.message.includes("does not exist")) {
+        return void 0;
+      }
+      throw err;
+    }
+    const result = {
+      Topics: topics
+    };
+    if (policyAttr) {
+      try {
+        result["PolicyDocument"] = JSON.parse(policyAttr);
+      } catch {
+        result["PolicyDocument"] = policyAttr;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing SNS topic policy into cdkd state.
    *
@@ -14793,6 +15084,66 @@ var LambdaUrlProvider = class {
       throw err;
     }
   }
+  /**
+   * Read the AWS-current Lambda Function URL configuration in CFn-property
+   * shape.
+   *
+   * Issues `GetFunctionUrlConfig` with the parent function's ARN/name (the
+   * physical id) and surfaces `AuthType`, `InvokeMode`, and `Cors`.
+   * AWS-managed fields (`FunctionUrl`, `FunctionArn`, `CreationTime`,
+   * `LastModifiedTime`) are filtered at the wire layer.
+   *
+   * `TargetFunctionArn` is surfaced from `physicalId` (the create() flow
+   * stores the parent function's ARN/name there). `Qualifier` is NOT
+   * available from `GetFunctionUrlConfig` (it's only an input on Create);
+   * cdkd state stores it but AWS does not surface it back, so we omit it
+   * from the snapshot — the comparator's "key absent in state never
+   * drifts" rule handles the omission cleanly when state lacks Qualifier
+   * too, and cases where state HAS Qualifier surface as drift only when
+   * the qualifier was changed via Update (which the SDK supports through
+   * `physicalId` rather than the qualifier itself).
+   *
+   * Returns `undefined` when the URL config is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.lambdaClient.send(
+        new GetFunctionUrlConfigCommand2({ FunctionName: physicalId })
+      );
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException3)
+        return void 0;
+      throw err;
+    }
+    const result = {
+      TargetFunctionArn: physicalId
+    };
+    if (resp.AuthType !== void 0)
+      result["AuthType"] = resp.AuthType;
+    if (resp.InvokeMode !== void 0)
+      result["InvokeMode"] = resp.InvokeMode;
+    if (resp.Cors !== void 0) {
+      const cors = {};
+      if (resp.Cors.AllowOrigins)
+        cors["AllowOrigins"] = [...resp.Cors.AllowOrigins];
+      if (resp.Cors.AllowMethods)
+        cors["AllowMethods"] = [...resp.Cors.AllowMethods];
+      if (resp.Cors.AllowHeaders)
+        cors["AllowHeaders"] = [...resp.Cors.AllowHeaders];
+      if (resp.Cors.ExposeHeaders)
+        cors["ExposeHeaders"] = [...resp.Cors.ExposeHeaders];
+      if (resp.Cors.MaxAge !== void 0)
+        cors["MaxAge"] = resp.Cors.MaxAge;
+      if (resp.Cors.AllowCredentials !== void 0) {
+        cors["AllowCredentials"] = resp.Cors.AllowCredentials;
+      }
+      if (Object.keys(cors).length > 0)
+        result["Cors"] = cors;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Lambda Function URL into cdkd state.
    *
@@ -15055,6 +15406,96 @@ var LambdaEventSourceMappingProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Lambda event source mapping configuration in
+   * CFn-property shape.
+   *
+   * Issues `GetEventSourceMapping` for the UUID and surfaces the keys
+   * `create()` accepts. AWS-managed fields (`UUID`, `LastModified`,
+   * `LastProcessingResult`, `State`, `StateTransitionReason`,
+   * `EventSourceMappingArn`) are filtered at the wire layer.
+   *
+   * `FunctionName` is surfaced as the AWS `FunctionArn` (which is what
+   * `GetEventSourceMapping` returns) — cdkd state typically holds this
+   * resolved ARN form already after intrinsic resolution. The drift
+   * comparator can match against both forms when state holds a name vs an
+   * ARN; mismatched-shape false positives are out of scope for v1.
+   *
+   * `Tags` is omitted: cdkd `create()` reshapes CFn tag arrays into a
+   * tags map at create time, but `GetEventSourceMapping` does not return
+   * tags (`ListTags(Resource: arn)` does). Same shape-decision rationale
+   * as Lambda function tags drift — out of scope for v1.
+   *
+   * Returns `undefined` when the mapping is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.lambdaClient.send(new GetEventSourceMappingCommand({ UUID: physicalId }));
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException4)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (resp.FunctionArn !== void 0)
+      result["FunctionName"] = resp.FunctionArn;
+    if (resp.EventSourceArn !== void 0)
+      result["EventSourceArn"] = resp.EventSourceArn;
+    if (resp.BatchSize !== void 0)
+      result["BatchSize"] = resp.BatchSize;
+    if (resp.StartingPosition !== void 0)
+      result["StartingPosition"] = resp.StartingPosition;
+    if (resp.MaximumBatchingWindowInSeconds !== void 0) {
+      result["MaximumBatchingWindowInSeconds"] = resp.MaximumBatchingWindowInSeconds;
+    }
+    if (resp.MaximumRetryAttempts !== void 0) {
+      result["MaximumRetryAttempts"] = resp.MaximumRetryAttempts;
+    }
+    if (resp.BisectBatchOnFunctionError !== void 0) {
+      result["BisectBatchOnFunctionError"] = resp.BisectBatchOnFunctionError;
+    }
+    if (resp.MaximumRecordAgeInSeconds !== void 0) {
+      result["MaximumRecordAgeInSeconds"] = resp.MaximumRecordAgeInSeconds;
+    }
+    if (resp.ParallelizationFactor !== void 0) {
+      result["ParallelizationFactor"] = resp.ParallelizationFactor;
+    }
+    if (resp.FilterCriteria !== void 0)
+      result["FilterCriteria"] = resp.FilterCriteria;
+    if (resp.DestinationConfig !== void 0) {
+      result["DestinationConfig"] = resp.DestinationConfig;
+    }
+    if (resp.TumblingWindowInSeconds !== void 0) {
+      result["TumblingWindowInSeconds"] = resp.TumblingWindowInSeconds;
+    }
+    if (resp.FunctionResponseTypes !== void 0 && resp.FunctionResponseTypes.length > 0) {
+      result["FunctionResponseTypes"] = [...resp.FunctionResponseTypes];
+    }
+    if (resp.SourceAccessConfigurations !== void 0 && resp.SourceAccessConfigurations.length > 0) {
+      result["SourceAccessConfigurations"] = resp.SourceAccessConfigurations;
+    }
+    if (resp.SelfManagedEventSource !== void 0) {
+      result["SelfManagedEventSource"] = resp.SelfManagedEventSource;
+    }
+    if (resp.SelfManagedKafkaEventSourceConfig !== void 0) {
+      result["SelfManagedKafkaEventSourceConfig"] = resp.SelfManagedKafkaEventSourceConfig;
+    }
+    if (resp.AmazonManagedKafkaEventSourceConfig !== void 0) {
+      result["AmazonManagedKafkaEventSourceConfig"] = resp.AmazonManagedKafkaEventSourceConfig;
+    }
+    if (resp.DocumentDBEventSourceConfig !== void 0) {
+      result["DocumentDBEventSourceConfig"] = resp.DocumentDBEventSourceConfig;
+    }
+    if (resp.ScalingConfig !== void 0)
+      result["ScalingConfig"] = resp.ScalingConfig;
+    if (resp.State !== void 0) {
+      const enabled = resp.State === "Enabled" || resp.State === "Enabling" || resp.State === "Updating";
+      result["Enabled"] = enabled;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Lambda event source mapping into cdkd state.
    *
@@ -15223,6 +15664,57 @@ var LambdaLayerVersionProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Lambda layer version configuration in CFn-property
+   * shape.
+   *
+   * Issues `GetLayerVersionByArn` (the physical id is the version ARN) and
+   * surfaces `LayerName`, `Description`, `CompatibleRuntimes`,
+   * `CompatibleArchitectures`, and `LicenseInfo`. AWS-managed fields
+   * (`Version`, `CreatedDate`, `LayerVersionArn`, `LayerArn`,
+   * `Content.CodeSize`, `Content.CodeSha256`) are filtered at the wire
+   * layer.
+   *
+   * `Content` is intentionally omitted: like Lambda function `Code`, the
+   * `GetLayerVersionByArn` response contains a pre-signed S3 URL for the
+   * deployed content, not the asset hash cdkd state stored. The two could
+   * never match, so excluding it avoids a guaranteed false-positive.
+   *
+   * `LayerName` is derived from the ARN tail when not surfaced directly:
+   * the version ARN format is
+   *   `arn:aws:lambda:<region>:<account>:layer:<name>:<version>`.
+   *
+   * Returns `undefined` when the layer version is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.lambdaClient.send(new GetLayerVersionByArnCommand({ Arn: physicalId }));
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException5)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    const arnParts = physicalId.split(":");
+    if (arnParts.length >= 7 && arnParts[6]) {
+      result["LayerName"] = arnParts[6];
+    }
+    if (resp.Description !== void 0 && resp.Description !== "") {
+      result["Description"] = resp.Description;
+    }
+    if (resp.CompatibleRuntimes !== void 0 && resp.CompatibleRuntimes.length > 0) {
+      result["CompatibleRuntimes"] = [...resp.CompatibleRuntimes];
+    }
+    if (resp.CompatibleArchitectures !== void 0 && resp.CompatibleArchitectures.length > 0) {
+      result["CompatibleArchitectures"] = [...resp.CompatibleArchitectures];
+    }
+    if (resp.LicenseInfo !== void 0 && resp.LicenseInfo !== "") {
+      result["LicenseInfo"] = resp.LicenseInfo;
+    }
+    return result;
+  }
   /**
    * Adopt an existing Lambda layer version into cdkd state.
    *
@@ -17900,7 +18392,10 @@ import {
   CreateVpcCommand,
   DeleteVpcCommand,
   ModifyVpcAttributeCommand,
+  DescribeVpcAttributeCommand,
   DescribeVpcsCommand as DescribeVpcsCommand2,
+  DescribeInternetGatewaysCommand,
+  DescribeRouteTablesCommand as DescribeRouteTablesCommand2,
   CreateSubnetCommand,
   DeleteSubnetCommand,
   CreateInternetGatewayCommand,
@@ -20060,6 +20555,223 @@ var EC2Provider = class {
       throw error;
     }
   }
+  /**
+   * Read the AWS-current EC2 networking resource configuration in
+   * CFn-property shape.
+   *
+   * Supported types (highest-value drift coverage):
+   *  - **AWS::EC2::VPC**: `DescribeVpcs` for `CidrBlock` + `InstanceTenancy`;
+   *    `DescribeVpcAttribute(enableDnsHostnames|enableDnsSupport)` for the
+   *    DNS booleans (CFn defaults: hostnames=false, support=true — we only
+   *    surface them if AWS reports them, so the comparator's "key-absent
+   *    never drifts" rule applies cleanly to state without these keys).
+   *  - **AWS::EC2::Subnet**: `DescribeSubnets` for `VpcId`, `CidrBlock`,
+   *    `AvailabilityZone`, `MapPublicIpOnLaunch`.
+   *  - **AWS::EC2::InternetGateway**: `DescribeInternetGateways` for
+   *    existence verification. The provider only handles `Tags`, which is
+   *    out of scope for v1 drift.
+   *  - **AWS::EC2::NatGateway**: `DescribeNatGateways` for `SubnetId`,
+   *    `AllocationId`, `ConnectivityType`, `PrivateIpAddress`.
+   *  - **AWS::EC2::RouteTable**: `DescribeRouteTables` for `VpcId`.
+   *  - **AWS::EC2::SecurityGroup**: `DescribeSecurityGroups` for
+   *    `GroupName`, `GroupDescription`, `VpcId`. Ingress / egress rules
+   *    are NOT surfaced — the CFn shape is rule-list-style, while AWS
+   *    returns IpPermissions in a different normalized form, and a
+   *    faithful reverse-mapping is out of scope for v1.
+   *  - **AWS::EC2::Instance**: `DescribeInstances` for `ImageId`,
+   *    `InstanceType`, `KeyName`, `SubnetId`. SecurityGroupIds /
+   *    BlockDeviceMappings shape-match is out of scope for v1.
+   *  - **AWS::EC2::NetworkAcl**: `DescribeNetworkAcls` for `VpcId`.
+   *
+   * Skipped (return `undefined`, falls through to the comparator's
+   * "unsupported" outcome):
+   *  - **AWS::EC2::VPCGatewayAttachment**: physical id is
+   *    `IGW|VpcId`. The two ids are immutable inputs to the SDK call;
+   *    drift detection on this resource has no useful signal beyond
+   *    existence verification (which the user can do via the parent IGW
+   *    / VPC drift report).
+   *  - **AWS::EC2::Route**, **AWS::EC2::SubnetRouteTableAssociation**,
+   *    **AWS::EC2::SecurityGroupIngress**, **AWS::EC2::NetworkAclEntry**,
+   *    **AWS::EC2::SubnetNetworkAclAssociation**: rule / association
+   *    sub-resources whose AWS API surfaces them inside the parent's
+   *    list, not as standalone Get* responses. v1 drift coverage focuses
+   *    on top-level resources where the property shape comparison is
+   *    cheap and unambiguous; these sub-resources need a more elaborate
+   *    extraction layer that's out of scope for this PR.
+   *
+   * Returns `undefined` when the resource is gone (any `*NotFound` /
+   * `Invalid*` error from the EC2 SDK matches `isNotFoundError`).
+   */
+  async readCurrentState(physicalId, logicalId, resourceType) {
+    try {
+      switch (resourceType) {
+        case "AWS::EC2::VPC":
+          return await this.readVpcCurrentState(physicalId);
+        case "AWS::EC2::Subnet":
+          return await this.readSubnetCurrentState(physicalId);
+        case "AWS::EC2::InternetGateway":
+          return await this.readInternetGatewayCurrentState(physicalId);
+        case "AWS::EC2::NatGateway":
+          return await this.readNatGatewayCurrentState(physicalId);
+        case "AWS::EC2::RouteTable":
+          return await this.readRouteTableCurrentState(physicalId);
+        case "AWS::EC2::SecurityGroup":
+          return await this.readSecurityGroupCurrentState(physicalId);
+        case "AWS::EC2::Instance":
+          return await this.readInstanceCurrentState(physicalId);
+        case "AWS::EC2::NetworkAcl":
+          return await this.readNetworkAclCurrentState(physicalId);
+        default:
+          this.logger.debug(
+            `readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`
+          );
+          return void 0;
+      }
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+  }
+  async readVpcCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(new DescribeVpcsCommand2({ VpcIds: [physicalId] }));
+    const vpc = resp.Vpcs?.[0];
+    if (!vpc)
+      return void 0;
+    const result = {};
+    if (vpc.CidrBlock !== void 0)
+      result["CidrBlock"] = vpc.CidrBlock;
+    if (vpc.InstanceTenancy !== void 0)
+      result["InstanceTenancy"] = vpc.InstanceTenancy;
+    try {
+      const dnsHost = await this.ec2Client.send(
+        new DescribeVpcAttributeCommand({ VpcId: physicalId, Attribute: "enableDnsHostnames" })
+      );
+      if (dnsHost.EnableDnsHostnames?.Value !== void 0) {
+        result["EnableDnsHostnames"] = dnsHost.EnableDnsHostnames.Value;
+      }
+    } catch (err) {
+      if (!this.isNotFoundError(err))
+        throw err;
+    }
+    try {
+      const dnsSupp = await this.ec2Client.send(
+        new DescribeVpcAttributeCommand({ VpcId: physicalId, Attribute: "enableDnsSupport" })
+      );
+      if (dnsSupp.EnableDnsSupport?.Value !== void 0) {
+        result["EnableDnsSupport"] = dnsSupp.EnableDnsSupport.Value;
+      }
+    } catch (err) {
+      if (!this.isNotFoundError(err))
+        throw err;
+    }
+    return result;
+  }
+  async readSubnetCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(new DescribeSubnetsCommand2({ SubnetIds: [physicalId] }));
+    const subnet = resp.Subnets?.[0];
+    if (!subnet)
+      return void 0;
+    const result = {};
+    if (subnet.VpcId !== void 0)
+      result["VpcId"] = subnet.VpcId;
+    if (subnet.CidrBlock !== void 0)
+      result["CidrBlock"] = subnet.CidrBlock;
+    if (subnet.AvailabilityZone !== void 0) {
+      result["AvailabilityZone"] = subnet.AvailabilityZone;
+    }
+    if (subnet.MapPublicIpOnLaunch !== void 0) {
+      result["MapPublicIpOnLaunch"] = subnet.MapPublicIpOnLaunch;
+    }
+    return result;
+  }
+  async readInternetGatewayCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeInternetGatewaysCommand({ InternetGatewayIds: [physicalId] })
+    );
+    const igw = resp.InternetGateways?.[0];
+    if (!igw)
+      return void 0;
+    return {};
+  }
+  async readNatGatewayCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeNatGatewaysCommand({ NatGatewayIds: [physicalId] })
+    );
+    const gw = resp.NatGateways?.find((g) => g.State !== "deleted" && g.State !== "deleting");
+    if (!gw)
+      return void 0;
+    const result = {};
+    if (gw.SubnetId !== void 0)
+      result["SubnetId"] = gw.SubnetId;
+    if (gw.ConnectivityType !== void 0)
+      result["ConnectivityType"] = gw.ConnectivityType;
+    const primary = gw.NatGatewayAddresses?.[0];
+    if (primary?.AllocationId !== void 0)
+      result["AllocationId"] = primary.AllocationId;
+    if (primary?.PrivateIp !== void 0)
+      result["PrivateIpAddress"] = primary.PrivateIp;
+    return result;
+  }
+  async readRouteTableCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeRouteTablesCommand2({ RouteTableIds: [physicalId] })
+    );
+    const rt = resp.RouteTables?.[0];
+    if (!rt)
+      return void 0;
+    const result = {};
+    if (rt.VpcId !== void 0)
+      result["VpcId"] = rt.VpcId;
+    return result;
+  }
+  async readSecurityGroupCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeSecurityGroupsCommand2({ GroupIds: [physicalId] })
+    );
+    const sg = resp.SecurityGroups?.[0];
+    if (!sg)
+      return void 0;
+    const result = {};
+    if (sg.GroupName !== void 0)
+      result["GroupName"] = sg.GroupName;
+    if (sg.Description !== void 0)
+      result["GroupDescription"] = sg.Description;
+    if (sg.VpcId !== void 0)
+      result["VpcId"] = sg.VpcId;
+    return result;
+  }
+  async readInstanceCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeInstancesCommand({ InstanceIds: [physicalId] })
+    );
+    const instance = resp.Reservations?.[0]?.Instances?.[0];
+    if (!instance || instance.State?.Name === "terminated" || instance.State?.Name === "shutting-down") {
+      return void 0;
+    }
+    const result = {};
+    if (instance.ImageId !== void 0)
+      result["ImageId"] = instance.ImageId;
+    if (instance.InstanceType !== void 0)
+      result["InstanceType"] = instance.InstanceType;
+    if (instance.KeyName !== void 0)
+      result["KeyName"] = instance.KeyName;
+    if (instance.SubnetId !== void 0)
+      result["SubnetId"] = instance.SubnetId;
+    return result;
+  }
+  async readNetworkAclCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeNetworkAclsCommand({ NetworkAclIds: [physicalId] })
+    );
+    const acl = resp.NetworkAcls?.[0];
+    if (!acl)
+      return void 0;
+    const result = {};
+    if (acl.VpcId !== void 0)
+      result["VpcId"] = acl.VpcId;
+    return result;
+  }
   async verifyExplicit(resourceType, physicalId) {
     try {
       switch (resourceType) {
@@ -22542,6 +23254,23 @@ function pascalToCamelCaseKeys(value) {
   }
   return value;
 }
+function camelToPascalCaseKeys(value) {
+  if (value === null || value === void 0) {
+    return value;
+  }
+  if (Array.isArray(value)) {
+    return value.map(camelToPascalCaseKeys);
+  }
+  if (typeof value === "object") {
+    const result = {};
+    for (const [key, val] of Object.entries(value)) {
+      const pascalKey = key.charAt(0).toUpperCase() + key.slice(1);
+      result[pascalKey] = camelToPascalCaseKeys(val);
+    }
+    return result;
+  }
+  return value;
+}
 var AgentCoreRuntimeProvider = class {
   client;
   logger = getLogger().child("AgentCoreRuntimeProvider");
@@ -22776,6 +23505,68 @@ var AgentCoreRuntimeProvider = class {
     }
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::BedrockAgentCore::Runtime`);
   }
+  /**
+   * Read the AWS-current BedrockAgentCore Runtime configuration in
+   * CFn-property shape.
+   *
+   * Issues `GetAgentRuntime` (the physical id is the runtime id) and
+   * surfaces the keys `create()` accepts. The SDK returns camelCase keys
+   * (`agentRuntimeName`, `roleArn`, `agentRuntimeArtifact`, etc.); we
+   * re-shape back to PascalCase via `camelToPascalCaseKeys` so the
+   * comparator matches cdkd state.
+   *
+   * `ProtocolConfiguration` parity: `create()` accepts a CFn-style string
+   * (`"HTTP"`) and converts it to `{serverProtocol: "HTTP"}` for the SDK.
+   * The SDK returns the object form. We surface the object form here; if
+   * cdkd state holds the original string the comparator will report drift
+   * — users can inspect and dismiss this case manually. (A more elaborate
+   * shape negotiation belongs in a follow-up that knows about both forms.)
+   *
+   * `ClientToken` is omitted: AWS does not surface it back via
+   * `GetAgentRuntime` (it's an idempotency token only meaningful at create
+   * time).
+   *
+   * Returns `undefined` when the runtime is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.client.send(new GetAgentRuntimeCommand({ agentRuntimeId: physicalId }));
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException11)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (resp.agentRuntimeName !== void 0) {
+      result["AgentRuntimeName"] = resp.agentRuntimeName;
+    }
+    if (resp.roleArn !== void 0)
+      result["RoleArn"] = resp.roleArn;
+    if (resp.agentRuntimeArtifact !== void 0) {
+      result["AgentRuntimeArtifact"] = camelToPascalCaseKeys(resp.agentRuntimeArtifact);
+    }
+    if (resp.networkConfiguration !== void 0) {
+      result["NetworkConfiguration"] = camelToPascalCaseKeys(resp.networkConfiguration);
+    }
+    if (resp.description !== void 0 && resp.description !== "") {
+      result["Description"] = resp.description;
+    }
+    if (resp.authorizerConfiguration !== void 0) {
+      result["AuthorizerConfiguration"] = camelToPascalCaseKeys(resp.authorizerConfiguration);
+    }
+    if (resp.protocolConfiguration !== void 0) {
+      result["ProtocolConfiguration"] = camelToPascalCaseKeys(resp.protocolConfiguration);
+    }
+    if (resp.lifecycleConfiguration !== void 0) {
+      result["LifecycleConfiguration"] = camelToPascalCaseKeys(resp.lifecycleConfiguration);
+    }
+    if (resp.environmentVariables !== void 0) {
+      result["EnvironmentVariables"] = resp.environmentVariables;
+    }
+    return result;
+  }
   /**
    * Adopt an existing BedrockAgentCore Runtime into cdkd state.
    *
@@ -33311,6 +34102,49 @@ var S3VectorsProvider = class {
       nextToken = listResult.nextToken;
     } while (nextToken);
   }
+  /**
+   * Read the AWS-current S3 Vector Bucket configuration in CFn-property
+   * shape.
+   *
+   * Issues `GetVectorBucket` for the bucket name (the physical id) and
+   * surfaces `VectorBucketName` and `EncryptionConfiguration` (re-shaping
+   * the camelCase SDK response back to PascalCase CFn property names —
+   * `sseType` → `SSEType`, `kmsKeyArn` → `KMSKeyArn`).
+   *
+   * Returns `undefined` when the bucket is gone (`NotFoundException` /
+   * `NoSuchVectorBucket`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new GetVectorBucketCommand({ vectorBucketName: physicalId })
+      );
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    const bucket = resp.vectorBucket;
+    if (bucket?.vectorBucketName !== void 0) {
+      result["VectorBucketName"] = bucket.vectorBucketName;
+    } else {
+      result["VectorBucketName"] = physicalId;
+    }
+    if (bucket?.encryptionConfiguration) {
+      const enc = {};
+      if (bucket.encryptionConfiguration.sseType !== void 0) {
+        enc["SSEType"] = bucket.encryptionConfiguration.sseType;
+      }
+      if (bucket.encryptionConfiguration.kmsKeyArn !== void 0) {
+        enc["KMSKeyArn"] = bucket.encryptionConfiguration.kmsKeyArn;
+      }
+      if (Object.keys(enc).length > 0)
+        result["EncryptionConfiguration"] = enc;
+    }
+    return result;
+  }
   /**
    * Adopt an existing S3 Vector Bucket into cdkd state.
    *
@@ -33580,6 +34414,48 @@ var S3DirectoryBucketProvider = class {
       continuationToken = listResponse.IsTruncated ? listResponse.NextContinuationToken : void 0;
     } while (continuationToken);
   }
+  /**
+   * Read the AWS-current S3 Express Directory Bucket configuration in
+   * CFn-property shape.
+   *
+   * Issues `HeadBucket` to verify existence and surfaces `BucketName`
+   * (the physicalId). `DataRedundancy` and `LocationName` are not exposed
+   * by any cheap S3 Express API — the only way to inspect them is by
+   * parsing the bucket name's `--<az-id>--x-s3` suffix, which is best
+   * effort. We surface them when they are recoverable from the bucket
+   * name to give the comparator a chance to detect mismatches.
+   *
+   * `--<az-id>--x-s3` suffix parsing: directory bucket names follow the
+   * format `<base>--<az-id>--x-s3`, e.g.
+   * `my-bucket--use1-az1--x-s3`. We don't reverse the AZ-ID -> AZ-name
+   * mapping here (that would require a per-call EC2 `DescribeAvailabilityZones`
+   * round-trip); state's `LocationName` is `us-east-1a--x-s3`-style,
+   * while the bucket name carries the AZ-ID `use1-az1`. Cross-region
+   * mapping is too expensive for v1 — we omit `LocationName` from the
+   * snapshot and rely on the comparator's "key absent in state never
+   * drifts" rule to no-op against state.
+   *
+   * Returns `undefined` when the bucket is gone (`HeadBucket` returns
+   * `NotFound` / `NoSuchBucket`).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    try {
+      await this.s3Client.send(new HeadBucketCommand4({ Bucket: physicalId }));
+    } catch (err) {
+      const e = err;
+      if (e.name === "NotFound" || e.name === "NoSuchBucket" || e.name === "BucketNotFound") {
+        return void 0;
+      }
+      throw err;
+    }
+    const result = {
+      BucketName: physicalId
+    };
+    if (physicalId.endsWith("--x-s3")) {
+      result["DataRedundancy"] = "SingleAvailabilityZone";
+    }
+    return result;
+  }
   /**
    * Adopt an existing S3 Express Directory Bucket into cdkd state.
    *
@@ -33984,6 +34860,97 @@ var S3TablesProvider = class {
       );
     }
   }
+  // ─── readCurrentState dispatch ───────────────────────────────────
+  /**
+   * Read the AWS-current S3 Tables resource configuration in CFn-property
+   * shape.
+   *
+   *  - **AWS::S3Tables::TableBucket**: `GetTableBucket` for the ARN; we
+   *    surface `TableBucketName` (the only mutable cdkd-managed property).
+   *  - **AWS::S3Tables::Namespace**: parses `tableBucketARN|namespace`
+   *    from physical id and surfaces `TableBucketARN` and `Namespace`
+   *    (as a `string[]` with one entry, matching `create()`'s shape).
+   *    No GetNamespace call — the physical id IS the source of truth and
+   *    AWS surfaces no additional managed fields cdkd cares about.
+   *  - **AWS::S3Tables::Table**: parses `tableBucketARN|namespace|name`
+   *    from physical id, calls `GetTable` to verify existence and recover
+   *    `format`, surfaces `TableBucketARN`, `Namespace` (string), `Name`,
+   *    `Format`.
+   *
+   * Returns `undefined` when the resource is gone (`NotFoundException`).
+   */
+  async readCurrentState(physicalId, logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::S3Tables::TableBucket":
+        return this.readTableBucketCurrentState(physicalId);
+      case "AWS::S3Tables::Namespace":
+        return this.readNamespaceCurrentState(physicalId);
+      case "AWS::S3Tables::Table":
+        return this.readTableCurrentState(physicalId);
+      default:
+        this.logger.debug(
+          `readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`
+        );
+        return void 0;
+    }
+  }
+  async readTableBucketCurrentState(physicalId) {
+    let bucket;
+    try {
+      const resp = await this.getClient().send(
+        new GetTableBucketCommand({ tableBucketARN: physicalId })
+      );
+      bucket = resp;
+    } catch (err) {
+      if (err instanceof NotFoundException6)
+        return void 0;
+      throw err;
+    }
+    const result = {};
+    if (bucket.name !== void 0)
+      result["TableBucketName"] = bucket.name;
+    return result;
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- structural; physical id is the source of truth
+  async readNamespaceCurrentState(physicalId) {
+    const [tableBucketARN, namespaceName] = physicalId.split("|");
+    if (!tableBucketARN || !namespaceName)
+      return void 0;
+    return {
+      TableBucketARN: tableBucketARN,
+      Namespace: [namespaceName]
+    };
+  }
+  async readTableCurrentState(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length < 3)
+      return void 0;
+    const [tableBucketARN, namespace, name] = parts;
+    if (!tableBucketARN || !namespace || !name)
+      return void 0;
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new GetTableCommand2({
+          tableBucketARN,
+          namespace,
+          name
+        })
+      );
+    } catch (err) {
+      if (err instanceof NotFoundException6)
+        return void 0;
+      throw err;
+    }
+    const result = {
+      TableBucketARN: tableBucketARN,
+      Namespace: namespace,
+      Name: resp.name ?? name
+    };
+    if (resp.format !== void 0)
+      result["Format"] = resp.format;
+    return result;
+  }
   // ─── Import dispatch ──────────────────────────────────────────────
   /**
    * Adopt an existing S3 Tables resource into cdkd state.
@@ -40389,7 +41356,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.40.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.41.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());