@go-to-k/cdkd 0.41.0 → 0.43.0

package/dist/cli.js

@@ -7601,7 +7601,7 @@ Error: ${err.message || "Unknown error"}`,
    * resource type that goes through CC API — the majority of cdkd's surface.
    * SDK Providers add their own `readCurrentState` incrementally (PR D).
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
+  async readCurrentState(physicalId, _logicalId, resourceType, _properties) {
     try {
       const response = await this.cloudControlClient.send(
         new GetResourceCommand2({
@@ -9169,6 +9169,9 @@ import {
   DeleteGroupPolicyCommand,
   PutUserPolicyCommand,
   DeleteUserPolicyCommand,
+  GetRolePolicyCommand,
+  GetGroupPolicyCommand,
+  GetUserPolicyCommand,
   NoSuchEntityException as NoSuchEntityException2
 } from "@aws-sdk/client-iam";
 init_aws_clients();
@@ -9517,6 +9520,93 @@ var IAMPolicyProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current IAM inline policy in CFn-property shape.
+   *
+   * `AWS::IAM::Policy` is an inline policy attached to one or more roles /
+   * groups / users via `PutRolePolicy` / `PutGroupPolicy` / `PutUserPolicy`.
+   * Each attachment is a separate API call, but the same `PolicyDocument`
+   * is replicated across every target.
+   *
+   * Strategy: pick the FIRST target from `properties.Roles` / `Groups` /
+   * `Users` (in that order), call `Get*Policy(target, policyName)`, and
+   * surface the URL-decoded + JSON-parsed `PolicyDocument`. Roles / Groups /
+   * Users are echoed back from state since AWS doesn't return them. This is
+   * defensible because:
+   *   - Drift on `PolicyDocument`: caught — the document is the same on
+   *     every target, so reading any one of them surfaces the divergence.
+   *   - Drift on the target list (a role removed / added out-of-band): NOT
+   *     caught. There's no API to enumerate every role / group / user that
+   *     has an inline policy of a given name; cdkd would need to walk the
+   *     entire account. Out of scope for v1.
+   *
+   * Returns `undefined` when the resolved target has no inline policy of
+   * that name (`NoSuchEntityException`) — signals "drift unknown" rather
+   * than firing a false positive.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
+    if (!properties)
+      return void 0;
+    const policyDocument = properties["PolicyDocument"];
+    if (!policyDocument)
+      return void 0;
+    const policyName = physicalId.includes(":") ? physicalId.split(":")[0] : physicalId;
+    const roles = properties["Roles"];
+    const groups = properties["Groups"];
+    const users = properties["Users"];
+    let liveDocument;
+    try {
+      if (roles && roles.length > 0) {
+        const resp = await this.iamClient.send(
+          new GetRolePolicyCommand({ RoleName: roles[0], PolicyName: policyName })
+        );
+        liveDocument = this.decodePolicyDocument(resp.PolicyDocument);
+      } else if (groups && groups.length > 0) {
+        const resp = await this.iamClient.send(
+          new GetGroupPolicyCommand({ GroupName: groups[0], PolicyName: policyName })
+        );
+        liveDocument = this.decodePolicyDocument(resp.PolicyDocument);
+      } else if (users && users.length > 0) {
+        const resp = await this.iamClient.send(
+          new GetUserPolicyCommand({ UserName: users[0], PolicyName: policyName })
+        );
+        liveDocument = this.decodePolicyDocument(resp.PolicyDocument);
+      } else {
+        return void 0;
+      }
+    } catch (err) {
+      if (err instanceof NoSuchEntityException2)
+        return void 0;
+      throw err;
+    }
+    if (liveDocument === void 0)
+      return void 0;
+    const result = {
+      PolicyName: policyName,
+      PolicyDocument: liveDocument
+    };
+    if (roles)
+      result["Roles"] = roles;
+    if (groups)
+      result["Groups"] = groups;
+    if (users)
+      result["Users"] = users;
+    return result;
+  }
+  /**
+   * IAM Get*Policy returns the policy document as a URL-encoded JSON string
+   * (per RFC 3986). Decode and parse it back into the object shape cdkd
+   * state holds, so the drift comparator sees apples-to-apples.
+   */
+  decodePolicyDocument(raw) {
+    if (!raw)
+      return void 0;
+    try {
+      return JSON.parse(decodeURIComponent(raw));
+    } catch {
+      return raw;
+    }
+  }
   /**
    * Adopt an existing IAM inline policy into cdkd state.
    *
@@ -14710,6 +14800,7 @@ var LambdaFunctionProvider = class {
 // src/provisioning/providers/lambda-permission-provider.ts
 import {
   AddPermissionCommand,
+  GetPolicyCommand,
   RemovePermissionCommand,
   ResourceNotFoundException as ResourceNotFoundException2
 } from "@aws-sdk/client-lambda";
@@ -14900,6 +14991,87 @@ var LambdaPermissionProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Lambda permission in CFn-property shape.
+   *
+   * `AWS::Lambda::Permission` has no per-statement Get API — `GetPolicy` on
+   * the parent function returns the entire resource-based policy as a JSON
+   * string, and we have to scan its `Statement` array for the one with our
+   * `Sid` (cdkd's physicalId).
+   *
+   * Returns `undefined` when:
+   *   - `properties.FunctionName` is missing (sub-resource needs the parent).
+   *   - The function has no policy at all (`ResourceNotFoundException`) or
+   *     the matching `Sid` isn't present.
+   *
+   * The reverse-mapping from policy statement back to CFn shape:
+   *   - `Action` → `Sid`'s `Action` (string or first element if array).
+   *   - `Principal` → `Service` / `AWS` / `*` (CFn flat string form).
+   *   - `Condition.ArnLike.AWS:SourceArn` → `SourceArn`.
+   *   - `Condition.StringEquals.AWS:SourceAccount` → `SourceAccount`.
+   *   - `Condition.StringEquals.aws:PrincipalOrgID` → `PrincipalOrgID`.
+   *   - `Condition.ArnLike.AWS:SourceAccount` is left alone — drift on the
+   *     condition operator key would be confusing here.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
+    const functionName = properties?.["FunctionName"];
+    if (!functionName)
+      return void 0;
+    const statementId = physicalId.includes("|") ? physicalId.split("|").pop() : physicalId;
+    let policyDoc;
+    try {
+      const resp = await this.lambdaClient.send(
+        new GetPolicyCommand({ FunctionName: functionName })
+      );
+      policyDoc = resp.Policy;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException2)
+        return void 0;
+      throw err;
+    }
+    if (!policyDoc)
+      return void 0;
+    let parsed;
+    try {
+      parsed = JSON.parse(policyDoc);
+    } catch {
+      return void 0;
+    }
+    const statement = parsed.Statement?.find((s) => s.Sid === statementId);
+    if (!statement)
+      return void 0;
+    const result = { FunctionName: functionName };
+    if (statement.Action !== void 0) {
+      result["Action"] = Array.isArray(statement.Action) ? statement.Action[0] : statement.Action;
+    }
+    if (statement.Principal !== void 0) {
+      const p = statement.Principal;
+      if (typeof p === "string") {
+        result["Principal"] = p;
+      } else if (typeof p === "object") {
+        const value = p["Service"] ?? p["AWS"] ?? p["Federated"] ?? void 0;
+        if (value !== void 0) {
+          result["Principal"] = Array.isArray(value) ? value[0] : value;
+        }
+      }
+    }
+    const condition = statement.Condition;
+    if (condition) {
+      const sourceArn = condition["ArnLike"]?.["AWS:SourceArn"] ?? condition["StringEquals"]?.["AWS:SourceArn"];
+      if (sourceArn !== void 0) {
+        result["SourceArn"] = Array.isArray(sourceArn) ? sourceArn[0] : sourceArn;
+      }
+      const sourceAccount = condition["StringEquals"]?.["AWS:SourceAccount"];
+      if (sourceAccount !== void 0) {
+        result["SourceAccount"] = Array.isArray(sourceAccount) ? sourceAccount[0] : sourceAccount;
+      }
+      const orgId = condition["StringEquals"]?.["aws:PrincipalOrgID"];
+      if (orgId !== void 0) {
+        result["PrincipalOrgID"] = Array.isArray(orgId) ? orgId[0] : orgId;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing Lambda permission into cdkd state.
    *
@@ -20815,11 +20987,14 @@ import {
   GetAccountCommand,
   CreateResourceCommand as CreateResourceCommand2,
   DeleteResourceCommand as DeleteResourceCommand2,
+  GetResourceCommand as GetResourceCommand3,
   CreateDeploymentCommand,
   DeleteDeploymentCommand,
+  GetDeploymentCommand,
   CreateStageCommand,
   UpdateStageCommand,
   DeleteStageCommand,
+  GetStageCommand,
   PutMethodCommand,
   DeleteMethodCommand,
   GetMethodCommand,
@@ -20827,6 +21002,7 @@ import {
   PutMethodResponseCommand,
   CreateAuthorizerCommand,
   DeleteAuthorizerCommand,
+  GetAuthorizerCommand,
   NotFoundException as NotFoundException3
 } from "@aws-sdk/client-api-gateway";
 init_aws_clients();
@@ -21822,26 +21998,126 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
    *   - `AWS::ApiGateway::Method` → `GetMethod`. PhysicalId is the composite
    *     `restApiId|resourceId|httpMethod`, so we have everything needed
    *     without `Properties`.
-   *
-   * **Out of scope** (returns `undefined`, falls back to "drift unknown"):
    *   - `AWS::ApiGateway::Authorizer` / `Resource` / `Deployment` / `Stage`:
-   *     each needs the parent `RestApiId` to issue a `Get*` call, but cdkd's
-   *     `readCurrentState` interface does not pass `Properties` (only the
-   *     physicalId, which for these types is just the sub-resource id).
-   *     CC API drift detection picks up `AWS::ApiGateway::RestApi` itself
-   *     once the user works through the SDK provider boundary; per-sub
-   *     drift detection here would need a contract change.
+   *     each uses `properties.RestApiId` (passed through PR G's signature
+   *     extension) to issue the appropriate `Get*` call.
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
+  async readCurrentState(physicalId, _logicalId, resourceType, properties) {
     switch (resourceType) {
       case "AWS::ApiGateway::Account":
         return this.readCurrentStateAccount();
       case "AWS::ApiGateway::Method":
         return this.readCurrentStateMethod(physicalId);
+      case "AWS::ApiGateway::Authorizer":
+        return this.readCurrentStateAuthorizer(physicalId, properties);
+      case "AWS::ApiGateway::Resource":
+        return this.readCurrentStateResource(physicalId, properties);
+      case "AWS::ApiGateway::Deployment":
+        return this.readCurrentStateDeployment(physicalId, properties);
+      case "AWS::ApiGateway::Stage":
+        return this.readCurrentStateStage(physicalId, properties);
       default:
         return void 0;
     }
   }
+  async readCurrentStateAuthorizer(physicalId, properties) {
+    const restApiId = properties?.["RestApiId"];
+    if (!restApiId)
+      return void 0;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetAuthorizerCommand({ restApiId, authorizerId: physicalId })
+      );
+      const result = { RestApiId: restApiId };
+      if (resp.name !== void 0)
+        result["Name"] = resp.name;
+      if (resp.type !== void 0)
+        result["Type"] = resp.type;
+      if (resp.providerARNs !== void 0 && resp.providerARNs.length > 0) {
+        result["ProviderARNs"] = [...resp.providerARNs];
+      }
+      if (resp.authorizerUri !== void 0)
+        result["AuthorizerUri"] = resp.authorizerUri;
+      if (resp.authorizerCredentials !== void 0) {
+        result["AuthorizerCredentials"] = resp.authorizerCredentials;
+      }
+      if (resp.identitySource !== void 0)
+        result["IdentitySource"] = resp.identitySource;
+      if (resp.identityValidationExpression !== void 0) {
+        result["IdentityValidationExpression"] = resp.identityValidationExpression;
+      }
+      if (resp.authorizerResultTtlInSeconds !== void 0) {
+        result["AuthorizerResultTtlInSeconds"] = resp.authorizerResultTtlInSeconds;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
+  async readCurrentStateResource(physicalId, properties) {
+    const restApiId = properties?.["RestApiId"];
+    if (!restApiId)
+      return void 0;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetResourceCommand3({ restApiId, resourceId: physicalId })
+      );
+      const result = { RestApiId: restApiId };
+      if (resp.parentId !== void 0)
+        result["ParentId"] = resp.parentId;
+      if (resp.pathPart !== void 0)
+        result["PathPart"] = resp.pathPart;
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
+  async readCurrentStateDeployment(physicalId, properties) {
+    const restApiId = properties?.["RestApiId"];
+    if (!restApiId)
+      return void 0;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetDeploymentCommand({ restApiId, deploymentId: physicalId })
+      );
+      const result = { RestApiId: restApiId };
+      if (resp.description !== void 0 && resp.description !== "") {
+        result["Description"] = resp.description;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
+  async readCurrentStateStage(physicalId, properties) {
+    const restApiId = properties?.["RestApiId"];
+    if (!restApiId)
+      return void 0;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetStageCommand({ restApiId, stageName: physicalId })
+      );
+      const result = { RestApiId: restApiId };
+      if (resp.stageName !== void 0)
+        result["StageName"] = resp.stageName;
+      if (resp.deploymentId !== void 0)
+        result["DeploymentId"] = resp.deploymentId;
+      if (resp.description !== void 0 && resp.description !== "") {
+        result["Description"] = resp.description;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
   async readCurrentStateAccount() {
     try {
       const resp = await this.apiGatewayClient.send(new GetAccountCommand({}));
@@ -21923,12 +22199,16 @@ import {
   DeleteApiCommand,
   CreateStageCommand as CreateStageCommand2,
   DeleteStageCommand as DeleteStageCommand2,
+  GetStageCommand as GetStageCommand2,
   CreateIntegrationCommand,
   DeleteIntegrationCommand,
+  GetIntegrationCommand,
   CreateRouteCommand as CreateRouteCommand2,
   DeleteRouteCommand as DeleteRouteCommand2,
+  GetRouteCommand,
   CreateAuthorizerCommand as CreateAuthorizerCommand2,
   DeleteAuthorizerCommand as DeleteAuthorizerCommand2,
+  GetAuthorizerCommand as GetAuthorizerCommand2,
   GetApiCommand,
   GetApisCommand,
   NotFoundException as NotFoundException4
@@ -22472,18 +22752,27 @@ var ApiGatewayV2Provider = class {
    * **Coverage**:
    *   - `AWS::ApiGatewayV2::Api` → `GetApi`. PhysicalId is the apiId,
    *     self-sufficient.
-   *
-   * **Out of scope** (returns `undefined`, falls back to "drift unknown"):
    *   - `AWS::ApiGatewayV2::Stage` / `Integration` / `Route` / `Authorizer`:
-   *     each needs the parent `ApiId` to issue a `Get*` call, but cdkd's
-   *     `readCurrentState` interface does not pass `Properties` (only the
-   *     physicalId, which for these types is just the sub-resource id).
-   *     Per-sub drift detection here would need a contract change.
+   *     each uses `properties.ApiId` (passed through PR G's signature
+   *     extension) to issue the appropriate `Get*` call.
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
-    if (resourceType !== "AWS::ApiGatewayV2::Api") {
-      return void 0;
+  async readCurrentState(physicalId, _logicalId, resourceType, properties) {
+    switch (resourceType) {
+      case "AWS::ApiGatewayV2::Api":
+        return this.readApi(physicalId);
+      case "AWS::ApiGatewayV2::Stage":
+        return this.readStage(physicalId, properties);
+      case "AWS::ApiGatewayV2::Integration":
+        return this.readIntegration(physicalId, properties);
+      case "AWS::ApiGatewayV2::Route":
+        return this.readRoute(physicalId, properties);
+      case "AWS::ApiGatewayV2::Authorizer":
+        return this.readAuthorizer(physicalId, properties);
+      default:
+        return void 0;
     }
+  }
+  async readApi(physicalId) {
     try {
       const resp = await this.getClient().send(new GetApiCommand({ ApiId: physicalId }));
       const result = {};
@@ -22503,6 +22792,108 @@ var ApiGatewayV2Provider = class {
       throw err;
     }
   }
+  async readStage(physicalId, properties) {
+    const apiId = properties?.["ApiId"];
+    if (!apiId)
+      return void 0;
+    try {
+      const resp = await this.getClient().send(
+        new GetStageCommand2({ ApiId: apiId, StageName: physicalId })
+      );
+      const result = { ApiId: apiId };
+      if (resp.StageName !== void 0)
+        result["StageName"] = resp.StageName;
+      if (resp.AutoDeploy !== void 0)
+        result["AutoDeploy"] = resp.AutoDeploy;
+      if (resp.Description !== void 0 && resp.Description !== "") {
+        result["Description"] = resp.Description;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
+  async readIntegration(physicalId, properties) {
+    const apiId = properties?.["ApiId"];
+    if (!apiId)
+      return void 0;
+    try {
+      const resp = await this.getClient().send(
+        new GetIntegrationCommand({ ApiId: apiId, IntegrationId: physicalId })
+      );
+      const result = { ApiId: apiId };
+      if (resp.IntegrationType !== void 0)
+        result["IntegrationType"] = resp.IntegrationType;
+      if (resp.IntegrationUri !== void 0)
+        result["IntegrationUri"] = resp.IntegrationUri;
+      if (resp.IntegrationMethod !== void 0)
+        result["IntegrationMethod"] = resp.IntegrationMethod;
+      if (resp.PayloadFormatVersion !== void 0) {
+        result["PayloadFormatVersion"] = resp.PayloadFormatVersion;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
+  async readRoute(physicalId, properties) {
+    const apiId = properties?.["ApiId"];
+    if (!apiId)
+      return void 0;
+    try {
+      const resp = await this.getClient().send(
+        new GetRouteCommand({ ApiId: apiId, RouteId: physicalId })
+      );
+      const result = { ApiId: apiId };
+      if (resp.RouteKey !== void 0)
+        result["RouteKey"] = resp.RouteKey;
+      if (resp.Target !== void 0)
+        result["Target"] = resp.Target;
+      if (resp.AuthorizationType !== void 0)
+        result["AuthorizationType"] = resp.AuthorizationType;
+      if (resp.AuthorizerId !== void 0)
+        result["AuthorizerId"] = resp.AuthorizerId;
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
+  async readAuthorizer(physicalId, properties) {
+    const apiId = properties?.["ApiId"];
+    if (!apiId)
+      return void 0;
+    try {
+      const resp = await this.getClient().send(
+        new GetAuthorizerCommand2({ ApiId: apiId, AuthorizerId: physicalId })
+      );
+      const result = { ApiId: apiId };
+      if (resp.AuthorizerType !== void 0)
+        result["AuthorizerType"] = resp.AuthorizerType;
+      if (resp.Name !== void 0)
+        result["Name"] = resp.Name;
+      if (resp.IdentitySource !== void 0 && resp.IdentitySource.length > 0) {
+        result["IdentitySource"] = [...resp.IdentitySource];
+      }
+      if (resp.JwtConfiguration)
+        result["JwtConfiguration"] = resp.JwtConfiguration;
+      if (resp.AuthorizerUri !== void 0)
+        result["AuthorizerUri"] = resp.AuthorizerUri;
+      if (resp.AuthorizerPayloadFormatVersion !== void 0) {
+        result["AuthorizerPayloadFormatVersion"] = resp.AuthorizerPayloadFormatVersion;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
   // ─── Import ───────────────────────────────────────────────────────
   /**
    * Adopt an existing API Gateway V2 resource into cdkd state.
@@ -30120,7 +30511,7 @@ var AppSyncProvider = class {
    *
    * Returns `undefined` when the parent resource is gone (`NotFoundException`).
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
+  async readCurrentState(physicalId, _logicalId, resourceType, _properties) {
     switch (resourceType) {
       case "AWS::AppSync::GraphQLApi":
         return this.readGraphQLApi(physicalId);
@@ -31849,10 +32240,15 @@ var KinesisStreamProvider = class {
    * mode reports an empty list).
    *
    * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
-   * Only `AWS::Kinesis::Stream` is supported (the provider does not handle
-   * `AWS::Kinesis::StreamConsumer`).
+   *
+   * `AWS::Kinesis::StreamConsumer` is intentionally not handled here: this
+   * provider only registers `AWS::Kinesis::Stream`, so consumer resources
+   * route to the CC API fallback for drift detection (CC API's `GetResource`
+   * surfaces every Kinesis consumer attribute the user can configure). A
+   * dedicated SDK impl would require building out create/update/delete first;
+   * out of scope for PR G.
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
+  async readCurrentState(physicalId, _logicalId, resourceType, _properties) {
     if (resourceType !== "AWS::Kinesis::Stream")
       return void 0;
     let stream;
@@ -37806,7 +38202,14 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
         });
         continue;
       }
-      if (!provider.readCurrentState) {
+      let readCurrentState = provider.readCurrentState?.bind(provider);
+      if (!readCurrentState) {
+        const ccApiProvider = providerRegistry.getCloudControlProvider?.();
+        if (ccApiProvider?.readCurrentState) {
+          readCurrentState = ccApiProvider.readCurrentState.bind(ccApiProvider);
+        }
+      }
+      if (!readCurrentState) {
         outcomes.push({
           kind: "unsupported",
           logicalId,
@@ -37814,10 +38217,11 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
         });
         continue;
       }
-      const aws = await provider.readCurrentState(
+      const aws = await readCurrentState(
         resource.physicalId,
         logicalId,
-        resource.resourceType
+        resource.resourceType,
+        resource.properties ?? {}
       );
       if (aws === void 0) {
         outcomes.push({
@@ -41356,7 +41760,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.41.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.43.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());