@go-to-k/cdkd 0.42.0 → 0.44.0

package/dist/cli.js

@@ -7601,7 +7601,7 @@ Error: ${err.message || "Unknown error"}`,
    * resource type that goes through CC API — the majority of cdkd's surface.
    * SDK Providers add their own `readCurrentState` incrementally (PR D).
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
+  async readCurrentState(physicalId, _logicalId, resourceType, _properties) {
     try {
       const response = await this.cloudControlClient.send(
         new GetResourceCommand2({
@@ -9169,6 +9169,9 @@ import {
   DeleteGroupPolicyCommand,
   PutUserPolicyCommand,
   DeleteUserPolicyCommand,
+  GetRolePolicyCommand,
+  GetGroupPolicyCommand,
+  GetUserPolicyCommand,
   NoSuchEntityException as NoSuchEntityException2
 } from "@aws-sdk/client-iam";
 init_aws_clients();
@@ -9517,6 +9520,93 @@ var IAMPolicyProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current IAM inline policy in CFn-property shape.
+   *
+   * `AWS::IAM::Policy` is an inline policy attached to one or more roles /
+   * groups / users via `PutRolePolicy` / `PutGroupPolicy` / `PutUserPolicy`.
+   * Each attachment is a separate API call, but the same `PolicyDocument`
+   * is replicated across every target.
+   *
+   * Strategy: pick the FIRST target from `properties.Roles` / `Groups` /
+   * `Users` (in that order), call `Get*Policy(target, policyName)`, and
+   * surface the URL-decoded + JSON-parsed `PolicyDocument`. Roles / Groups /
+   * Users are echoed back from state since AWS doesn't return them. This is
+   * defensible because:
+   *   - Drift on `PolicyDocument`: caught — the document is the same on
+   *     every target, so reading any one of them surfaces the divergence.
+   *   - Drift on the target list (a role removed / added out-of-band): NOT
+   *     caught. There's no API to enumerate every role / group / user that
+   *     has an inline policy of a given name; cdkd would need to walk the
+   *     entire account. Out of scope for v1.
+   *
+   * Returns `undefined` when the resolved target has no inline policy of
+   * that name (`NoSuchEntityException`) — signals "drift unknown" rather
+   * than firing a false positive.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
+    if (!properties)
+      return void 0;
+    const policyDocument = properties["PolicyDocument"];
+    if (!policyDocument)
+      return void 0;
+    const policyName = physicalId.includes(":") ? physicalId.split(":")[0] : physicalId;
+    const roles = properties["Roles"];
+    const groups = properties["Groups"];
+    const users = properties["Users"];
+    let liveDocument;
+    try {
+      if (roles && roles.length > 0) {
+        const resp = await this.iamClient.send(
+          new GetRolePolicyCommand({ RoleName: roles[0], PolicyName: policyName })
+        );
+        liveDocument = this.decodePolicyDocument(resp.PolicyDocument);
+      } else if (groups && groups.length > 0) {
+        const resp = await this.iamClient.send(
+          new GetGroupPolicyCommand({ GroupName: groups[0], PolicyName: policyName })
+        );
+        liveDocument = this.decodePolicyDocument(resp.PolicyDocument);
+      } else if (users && users.length > 0) {
+        const resp = await this.iamClient.send(
+          new GetUserPolicyCommand({ UserName: users[0], PolicyName: policyName })
+        );
+        liveDocument = this.decodePolicyDocument(resp.PolicyDocument);
+      } else {
+        return void 0;
+      }
+    } catch (err) {
+      if (err instanceof NoSuchEntityException2)
+        return void 0;
+      throw err;
+    }
+    if (liveDocument === void 0)
+      return void 0;
+    const result = {
+      PolicyName: policyName,
+      PolicyDocument: liveDocument
+    };
+    if (roles)
+      result["Roles"] = roles;
+    if (groups)
+      result["Groups"] = groups;
+    if (users)
+      result["Users"] = users;
+    return result;
+  }
+  /**
+   * IAM Get*Policy returns the policy document as a URL-encoded JSON string
+   * (per RFC 3986). Decode and parse it back into the object shape cdkd
+   * state holds, so the drift comparator sees apples-to-apples.
+   */
+  decodePolicyDocument(raw) {
+    if (!raw)
+      return void 0;
+    try {
+      return JSON.parse(decodeURIComponent(raw));
+    } catch {
+      return raw;
+    }
+  }
   /**
    * Adopt an existing IAM inline policy into cdkd state.
    *
@@ -14710,6 +14800,7 @@ var LambdaFunctionProvider = class {
 // src/provisioning/providers/lambda-permission-provider.ts
 import {
   AddPermissionCommand,
+  GetPolicyCommand,
   RemovePermissionCommand,
   ResourceNotFoundException as ResourceNotFoundException2
 } from "@aws-sdk/client-lambda";
@@ -14900,6 +14991,87 @@ var LambdaPermissionProvider = class {
       );
     }
   }
+  /**
+   * Read the AWS-current Lambda permission in CFn-property shape.
+   *
+   * `AWS::Lambda::Permission` has no per-statement Get API — `GetPolicy` on
+   * the parent function returns the entire resource-based policy as a JSON
+   * string, and we have to scan its `Statement` array for the one with our
+   * `Sid` (cdkd's physicalId).
+   *
+   * Returns `undefined` when:
+   *   - `properties.FunctionName` is missing (sub-resource needs the parent).
+   *   - The function has no policy at all (`ResourceNotFoundException`) or
+   *     the matching `Sid` isn't present.
+   *
+   * The reverse-mapping from policy statement back to CFn shape:
+   *   - `Action` → `Sid`'s `Action` (string or first element if array).
+   *   - `Principal` → `Service` / `AWS` / `*` (CFn flat string form).
+   *   - `Condition.ArnLike.AWS:SourceArn` → `SourceArn`.
+   *   - `Condition.StringEquals.AWS:SourceAccount` → `SourceAccount`.
+   *   - `Condition.StringEquals.aws:PrincipalOrgID` → `PrincipalOrgID`.
+   *   - `Condition.ArnLike.AWS:SourceAccount` is left alone — drift on the
+   *     condition operator key would be confusing here.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
+    const functionName = properties?.["FunctionName"];
+    if (!functionName)
+      return void 0;
+    const statementId = physicalId.includes("|") ? physicalId.split("|").pop() : physicalId;
+    let policyDoc;
+    try {
+      const resp = await this.lambdaClient.send(
+        new GetPolicyCommand({ FunctionName: functionName })
+      );
+      policyDoc = resp.Policy;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException2)
+        return void 0;
+      throw err;
+    }
+    if (!policyDoc)
+      return void 0;
+    let parsed;
+    try {
+      parsed = JSON.parse(policyDoc);
+    } catch {
+      return void 0;
+    }
+    const statement = parsed.Statement?.find((s) => s.Sid === statementId);
+    if (!statement)
+      return void 0;
+    const result = { FunctionName: functionName };
+    if (statement.Action !== void 0) {
+      result["Action"] = Array.isArray(statement.Action) ? statement.Action[0] : statement.Action;
+    }
+    if (statement.Principal !== void 0) {
+      const p = statement.Principal;
+      if (typeof p === "string") {
+        result["Principal"] = p;
+      } else if (typeof p === "object") {
+        const value = p["Service"] ?? p["AWS"] ?? p["Federated"] ?? void 0;
+        if (value !== void 0) {
+          result["Principal"] = Array.isArray(value) ? value[0] : value;
+        }
+      }
+    }
+    const condition = statement.Condition;
+    if (condition) {
+      const sourceArn = condition["ArnLike"]?.["AWS:SourceArn"] ?? condition["StringEquals"]?.["AWS:SourceArn"];
+      if (sourceArn !== void 0) {
+        result["SourceArn"] = Array.isArray(sourceArn) ? sourceArn[0] : sourceArn;
+      }
+      const sourceAccount = condition["StringEquals"]?.["AWS:SourceAccount"];
+      if (sourceAccount !== void 0) {
+        result["SourceAccount"] = Array.isArray(sourceAccount) ? sourceAccount[0] : sourceAccount;
+      }
+      const orgId = condition["StringEquals"]?.["aws:PrincipalOrgID"];
+      if (orgId !== void 0) {
+        result["PrincipalOrgID"] = Array.isArray(orgId) ? orgId[0] : orgId;
+      }
+    }
+    return result;
+  }
   /**
    * Adopt an existing Lambda permission into cdkd state.
    *
@@ -20815,11 +20987,14 @@ import {
   GetAccountCommand,
   CreateResourceCommand as CreateResourceCommand2,
   DeleteResourceCommand as DeleteResourceCommand2,
+  GetResourceCommand as GetResourceCommand3,
   CreateDeploymentCommand,
   DeleteDeploymentCommand,
+  GetDeploymentCommand,
   CreateStageCommand,
   UpdateStageCommand,
   DeleteStageCommand,
+  GetStageCommand,
   PutMethodCommand,
   DeleteMethodCommand,
   GetMethodCommand,
@@ -20827,6 +21002,7 @@ import {
   PutMethodResponseCommand,
   CreateAuthorizerCommand,
   DeleteAuthorizerCommand,
+  GetAuthorizerCommand,
   NotFoundException as NotFoundException3
 } from "@aws-sdk/client-api-gateway";
 init_aws_clients();
@@ -21822,26 +21998,126 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
    *   - `AWS::ApiGateway::Method` → `GetMethod`. PhysicalId is the composite
    *     `restApiId|resourceId|httpMethod`, so we have everything needed
    *     without `Properties`.
-   *
-   * **Out of scope** (returns `undefined`, falls back to "drift unknown"):
    *   - `AWS::ApiGateway::Authorizer` / `Resource` / `Deployment` / `Stage`:
-   *     each needs the parent `RestApiId` to issue a `Get*` call, but cdkd's
-   *     `readCurrentState` interface does not pass `Properties` (only the
-   *     physicalId, which for these types is just the sub-resource id).
-   *     CC API drift detection picks up `AWS::ApiGateway::RestApi` itself
-   *     once the user works through the SDK provider boundary; per-sub
-   *     drift detection here would need a contract change.
+   *     each uses `properties.RestApiId` (passed through PR G's signature
+   *     extension) to issue the appropriate `Get*` call.
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
+  async readCurrentState(physicalId, _logicalId, resourceType, properties) {
     switch (resourceType) {
       case "AWS::ApiGateway::Account":
         return this.readCurrentStateAccount();
       case "AWS::ApiGateway::Method":
         return this.readCurrentStateMethod(physicalId);
+      case "AWS::ApiGateway::Authorizer":
+        return this.readCurrentStateAuthorizer(physicalId, properties);
+      case "AWS::ApiGateway::Resource":
+        return this.readCurrentStateResource(physicalId, properties);
+      case "AWS::ApiGateway::Deployment":
+        return this.readCurrentStateDeployment(physicalId, properties);
+      case "AWS::ApiGateway::Stage":
+        return this.readCurrentStateStage(physicalId, properties);
       default:
         return void 0;
     }
   }
+  async readCurrentStateAuthorizer(physicalId, properties) {
+    const restApiId = properties?.["RestApiId"];
+    if (!restApiId)
+      return void 0;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetAuthorizerCommand({ restApiId, authorizerId: physicalId })
+      );
+      const result = { RestApiId: restApiId };
+      if (resp.name !== void 0)
+        result["Name"] = resp.name;
+      if (resp.type !== void 0)
+        result["Type"] = resp.type;
+      if (resp.providerARNs !== void 0 && resp.providerARNs.length > 0) {
+        result["ProviderARNs"] = [...resp.providerARNs];
+      }
+      if (resp.authorizerUri !== void 0)
+        result["AuthorizerUri"] = resp.authorizerUri;
+      if (resp.authorizerCredentials !== void 0) {
+        result["AuthorizerCredentials"] = resp.authorizerCredentials;
+      }
+      if (resp.identitySource !== void 0)
+        result["IdentitySource"] = resp.identitySource;
+      if (resp.identityValidationExpression !== void 0) {
+        result["IdentityValidationExpression"] = resp.identityValidationExpression;
+      }
+      if (resp.authorizerResultTtlInSeconds !== void 0) {
+        result["AuthorizerResultTtlInSeconds"] = resp.authorizerResultTtlInSeconds;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
+  async readCurrentStateResource(physicalId, properties) {
+    const restApiId = properties?.["RestApiId"];
+    if (!restApiId)
+      return void 0;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetResourceCommand3({ restApiId, resourceId: physicalId })
+      );
+      const result = { RestApiId: restApiId };
+      if (resp.parentId !== void 0)
+        result["ParentId"] = resp.parentId;
+      if (resp.pathPart !== void 0)
+        result["PathPart"] = resp.pathPart;
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
+  async readCurrentStateDeployment(physicalId, properties) {
+    const restApiId = properties?.["RestApiId"];
+    if (!restApiId)
+      return void 0;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetDeploymentCommand({ restApiId, deploymentId: physicalId })
+      );
+      const result = { RestApiId: restApiId };
+      if (resp.description !== void 0 && resp.description !== "") {
+        result["Description"] = resp.description;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
+  async readCurrentStateStage(physicalId, properties) {
+    const restApiId = properties?.["RestApiId"];
+    if (!restApiId)
+      return void 0;
+    try {
+      const resp = await this.apiGatewayClient.send(
+        new GetStageCommand({ restApiId, stageName: physicalId })
+      );
+      const result = { RestApiId: restApiId };
+      if (resp.stageName !== void 0)
+        result["StageName"] = resp.stageName;
+      if (resp.deploymentId !== void 0)
+        result["DeploymentId"] = resp.deploymentId;
+      if (resp.description !== void 0 && resp.description !== "") {
+        result["Description"] = resp.description;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
   async readCurrentStateAccount() {
     try {
       const resp = await this.apiGatewayClient.send(new GetAccountCommand({}));
@@ -21923,12 +22199,16 @@ import {
   DeleteApiCommand,
   CreateStageCommand as CreateStageCommand2,
   DeleteStageCommand as DeleteStageCommand2,
+  GetStageCommand as GetStageCommand2,
   CreateIntegrationCommand,
   DeleteIntegrationCommand,
+  GetIntegrationCommand,
   CreateRouteCommand as CreateRouteCommand2,
   DeleteRouteCommand as DeleteRouteCommand2,
+  GetRouteCommand,
   CreateAuthorizerCommand as CreateAuthorizerCommand2,
   DeleteAuthorizerCommand as DeleteAuthorizerCommand2,
+  GetAuthorizerCommand as GetAuthorizerCommand2,
   GetApiCommand,
   GetApisCommand,
   NotFoundException as NotFoundException4
@@ -22472,18 +22752,27 @@ var ApiGatewayV2Provider = class {
    * **Coverage**:
    *   - `AWS::ApiGatewayV2::Api` → `GetApi`. PhysicalId is the apiId,
    *     self-sufficient.
-   *
-   * **Out of scope** (returns `undefined`, falls back to "drift unknown"):
    *   - `AWS::ApiGatewayV2::Stage` / `Integration` / `Route` / `Authorizer`:
-   *     each needs the parent `ApiId` to issue a `Get*` call, but cdkd's
-   *     `readCurrentState` interface does not pass `Properties` (only the
-   *     physicalId, which for these types is just the sub-resource id).
-   *     Per-sub drift detection here would need a contract change.
+   *     each uses `properties.ApiId` (passed through PR G's signature
+   *     extension) to issue the appropriate `Get*` call.
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
-    if (resourceType !== "AWS::ApiGatewayV2::Api") {
-      return void 0;
+  async readCurrentState(physicalId, _logicalId, resourceType, properties) {
+    switch (resourceType) {
+      case "AWS::ApiGatewayV2::Api":
+        return this.readApi(physicalId);
+      case "AWS::ApiGatewayV2::Stage":
+        return this.readStage(physicalId, properties);
+      case "AWS::ApiGatewayV2::Integration":
+        return this.readIntegration(physicalId, properties);
+      case "AWS::ApiGatewayV2::Route":
+        return this.readRoute(physicalId, properties);
+      case "AWS::ApiGatewayV2::Authorizer":
+        return this.readAuthorizer(physicalId, properties);
+      default:
+        return void 0;
     }
+  }
+  async readApi(physicalId) {
     try {
       const resp = await this.getClient().send(new GetApiCommand({ ApiId: physicalId }));
       const result = {};
@@ -22503,6 +22792,108 @@ var ApiGatewayV2Provider = class {
       throw err;
     }
   }
+  async readStage(physicalId, properties) {
+    const apiId = properties?.["ApiId"];
+    if (!apiId)
+      return void 0;
+    try {
+      const resp = await this.getClient().send(
+        new GetStageCommand2({ ApiId: apiId, StageName: physicalId })
+      );
+      const result = { ApiId: apiId };
+      if (resp.StageName !== void 0)
+        result["StageName"] = resp.StageName;
+      if (resp.AutoDeploy !== void 0)
+        result["AutoDeploy"] = resp.AutoDeploy;
+      if (resp.Description !== void 0 && resp.Description !== "") {
+        result["Description"] = resp.Description;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
+  async readIntegration(physicalId, properties) {
+    const apiId = properties?.["ApiId"];
+    if (!apiId)
+      return void 0;
+    try {
+      const resp = await this.getClient().send(
+        new GetIntegrationCommand({ ApiId: apiId, IntegrationId: physicalId })
+      );
+      const result = { ApiId: apiId };
+      if (resp.IntegrationType !== void 0)
+        result["IntegrationType"] = resp.IntegrationType;
+      if (resp.IntegrationUri !== void 0)
+        result["IntegrationUri"] = resp.IntegrationUri;
+      if (resp.IntegrationMethod !== void 0)
+        result["IntegrationMethod"] = resp.IntegrationMethod;
+      if (resp.PayloadFormatVersion !== void 0) {
+        result["PayloadFormatVersion"] = resp.PayloadFormatVersion;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
+  async readRoute(physicalId, properties) {
+    const apiId = properties?.["ApiId"];
+    if (!apiId)
+      return void 0;
+    try {
+      const resp = await this.getClient().send(
+        new GetRouteCommand({ ApiId: apiId, RouteId: physicalId })
+      );
+      const result = { ApiId: apiId };
+      if (resp.RouteKey !== void 0)
+        result["RouteKey"] = resp.RouteKey;
+      if (resp.Target !== void 0)
+        result["Target"] = resp.Target;
+      if (resp.AuthorizationType !== void 0)
+        result["AuthorizationType"] = resp.AuthorizationType;
+      if (resp.AuthorizerId !== void 0)
+        result["AuthorizerId"] = resp.AuthorizerId;
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
+  async readAuthorizer(physicalId, properties) {
+    const apiId = properties?.["ApiId"];
+    if (!apiId)
+      return void 0;
+    try {
+      const resp = await this.getClient().send(
+        new GetAuthorizerCommand2({ ApiId: apiId, AuthorizerId: physicalId })
+      );
+      const result = { ApiId: apiId };
+      if (resp.AuthorizerType !== void 0)
+        result["AuthorizerType"] = resp.AuthorizerType;
+      if (resp.Name !== void 0)
+        result["Name"] = resp.Name;
+      if (resp.IdentitySource !== void 0 && resp.IdentitySource.length > 0) {
+        result["IdentitySource"] = [...resp.IdentitySource];
+      }
+      if (resp.JwtConfiguration)
+        result["JwtConfiguration"] = resp.JwtConfiguration;
+      if (resp.AuthorizerUri !== void 0)
+        result["AuthorizerUri"] = resp.AuthorizerUri;
+      if (resp.AuthorizerPayloadFormatVersion !== void 0) {
+        result["AuthorizerPayloadFormatVersion"] = resp.AuthorizerPayloadFormatVersion;
+      }
+      return result;
+    } catch (err) {
+      if (err instanceof NotFoundException4)
+        return void 0;
+      throw err;
+    }
+  }
   // ─── Import ───────────────────────────────────────────────────────
   /**
    * Adopt an existing API Gateway V2 resource into cdkd state.
@@ -30120,7 +30511,7 @@ var AppSyncProvider = class {
    *
    * Returns `undefined` when the parent resource is gone (`NotFoundException`).
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
+  async readCurrentState(physicalId, _logicalId, resourceType, _properties) {
     switch (resourceType) {
       case "AWS::AppSync::GraphQLApi":
         return this.readGraphQLApi(physicalId);
@@ -31849,10 +32240,15 @@ var KinesisStreamProvider = class {
    * mode reports an empty list).
    *
    * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
-   * Only `AWS::Kinesis::Stream` is supported (the provider does not handle
-   * `AWS::Kinesis::StreamConsumer`).
+   *
+   * `AWS::Kinesis::StreamConsumer` is intentionally not handled here: this
+   * provider only registers `AWS::Kinesis::Stream`, so consumer resources
+   * route to the CC API fallback for drift detection (CC API's `GetResource`
+   * surfaces every Kinesis consumer attribute the user can configure). A
+   * dedicated SDK impl would require building out create/update/delete first;
+   * out of scope for PR G.
    */
-  async readCurrentState(physicalId, _logicalId, resourceType) {
+  async readCurrentState(physicalId, _logicalId, resourceType, _properties) {
     if (resourceType !== "AWS::Kinesis::Stream")
       return void 0;
     let stream;
@@ -37654,6 +38050,128 @@ function isPlainObject(value) {
   return typeof value === "object" && value !== null;
 }
 
+// src/analyzer/drift-cc-api-deny-list.ts
+var CC_API_FALLBACK_DENY_LIST = {
+  // AWS::IAM::ManagedPolicy: PolicyDocument round-trips through CC API
+  // URL-encoded; cdkd state stores it as a parsed JSON object. Without
+  // a per-type decoder, every comparison sees a string-vs-object
+  // mismatch and fires drift on every run. The IAM Role provider's
+  // first-class readCurrentState handles its inline AssumeRolePolicy
+  // the same way (URL-decode + JSON-parse); the same fix pattern is
+  // needed for ManagedPolicy when an SDK provider is added.
+  "AWS::IAM::ManagedPolicy": "PolicyDocument is URL-encoded JSON in CC API responses, but cdkd state stores it as a parsed object \u2014 needs per-type decode",
+  // AWS::ApiGateway::RestApi: the `Body` property (OpenAPI spec object
+  // when supplied via `Body` rather than `BodyS3Location`) is write-only
+  // — `GetRestApi` does NOT return it, but cdkd state preserves the
+  // object the user passed in. CC API GetResource inherits this — the
+  // returned shape omits `Body`, so every drift run flags it as
+  // missing-on-AWS. Comparison silently dropping it would also be
+  // wrong; the right move is a dedicated SDK provider that knows to
+  // skip `Body` entirely.
+  "AWS::ApiGateway::RestApi": "Body / BodyS3Location are write-only inputs not returned by CC API GetResource; cdkd state preserves them",
+  // AWS::CloudFormation::Stack: nested stacks aren't supported by cdkd's
+  // provider registry at all; the deploy / destroy paths reject them.
+  // Listing here is defense-in-depth — if a user manually crafts state
+  // with one, drift via CC API would compare CFn-template-input
+  // properties against CC API's stack-output shape (CC API's
+  // `AWS::CloudFormation::Stack` reports outputs / status, not the
+  // template parameters cdkd would have stored).
+  "AWS::CloudFormation::Stack": "CC API returns runtime stack state (outputs/status), not the template parameters cdkd state stores",
+  // AWS::EC2::LaunchTemplate: `LaunchTemplateData` ships with deeply
+  // structured sub-objects that CC API normalizes into a versioned shape
+  // — every UpdateLaunchTemplate (and even GetLaunchTemplate) bumps the
+  // returned default version, and CC API attaches a synthetic
+  // `LatestVersionNumber` / `DefaultVersionNumber` next to the template
+  // data that drift would surface as drift on the parent. Until an SDK
+  // provider strips those, deny.
+  "AWS::EC2::LaunchTemplate": "CC API returns version-bumped LaunchTemplateData with synthetic LatestVersionNumber that diverges from the CFn input shape"
+};
+
+// src/analyzer/cc-api-strip.ts
+var ALWAYS_STRIPPED_FIELDS = /* @__PURE__ */ new Set([
+  // Timestamps — AWS-managed, change on every modification. Names are
+  // unambiguous: no CFn template ever exposes a "CreationDate" /
+  // "LastModifiedTime" as a settable input.
+  "CreationDate",
+  "CreationTime",
+  "CreatedTime",
+  "CreatedDate",
+  "CreatedAt",
+  "LastModifiedDate",
+  "LastModifiedTime",
+  "LastModified",
+  "LastUpdatedTime",
+  "LastUpdatedDate",
+  "UpdatedAt",
+  // Owner / account / principal info — derived from the calling
+  // principal, never user-set in a CFn template. `CreatedBy` /
+  // `OwnerArn` are unique enough that no settable CFn property
+  // collides with them.
+  "OwnerId",
+  "OwnerAccountId",
+  "CreatedBy",
+  "OwnerArn",
+  // Lambda-specific generated identifiers. `RevisionId` rotates on
+  // every operation; `LastUpdateStatus*` mirror runtime state. None
+  // are settable in a CFn template.
+  "RevisionId",
+  "LastUpdateStatus",
+  "LastUpdateStatusReason",
+  "LastUpdateStatusReasonCode",
+  // CloudFormation/Cloud Control passthrough metadata — never
+  // appears as a settable input in a CFn template body.
+  "StackId",
+  "PhysicalResourceId",
+  "LogicalResourceId"
+  // Notes on intentional EXCLUSIONS:
+  //
+  // `State` / `Status` / `StateReason` / `StatusReason` — these
+  // names ARE used by some CFn types as settable nested properties
+  // (e.g. `AWS::ECS::CapacityProvider.AutoScalingGroupProvider.ManagedScaling.Status`,
+  // `AWS::S3::Bucket.VersioningConfiguration.Status`). Stripping them
+  // globally would cause false-positive drift on a clean stack.
+  // The comparator already ignores AWS-only top-level `Status` values
+  // because state doesn't carry them; only the nested-name-collision
+  // cases would have leaked through, and excluding them here protects
+  // those.
+  //
+  // `Arn` — many CFn types accept `Arn` as a settable property and
+  // cdkd state may record it at create time. Drift on `Arn` is
+  // genuine drift the user wants to see.
+  //
+  // `VersionId` / `GenerationId` / `ETag` — narrow utility (only S3
+  // / KMS / ImageBuilder use these in their Get* responses), and at
+  // least `VersionId` IS a settable input on `AWS::S3::Bucket`'s
+  // versioning config. Per-provider readCurrentState handles them.
+  //
+  // `AccountId` / `StackName` — also collide with settable inputs
+  // on a few CFn types (`AWS::CloudWatch::CrossAccountSharingRule.AccountId`,
+  // `AWS::CloudFormation::HookDefaultVersion.StackName`).
+  //
+  // `StartTime` / `EndTime` — used as settable inputs in scheduling
+  // shapes (e.g. `AWS::AutoScaling::ScheduledAction.StartTime`).
+]);
+function stripCcApiAwsManagedFields(resourceType, awsProps) {
+  return stripWalk(awsProps);
+}
+function stripWalk(value) {
+  if (value === null || value === void 0)
+    return value;
+  if (Array.isArray(value)) {
+    return value.map(stripWalk);
+  }
+  if (typeof value === "object") {
+    const out = {};
+    for (const [key, child] of Object.entries(value)) {
+      if (ALWAYS_STRIPPED_FIELDS.has(key))
+        continue;
+      out[key] = stripWalk(child);
+    }
+    return out;
+  }
+  return value;
+}
+
 // src/cli/commands/drift.ts
 var DriftDetectedError = class _DriftDetectedError extends CdkdError {
   silent = true;
@@ -37696,6 +38214,7 @@ async function driftCommand(stacks, options) {
     const providerRegistry = new ProviderRegistry();
     registerAllProviders(providerRegistry);
     providerRegistry.setCustomResourceResponseBucket(bucket);
+    const ccApiFallback = new CloudControlProvider();
     const stateRefs = await stateBackend.listStacks();
     const targetRefs = resolveTargetRefs(stacks, stateRefs, options);
     const reports = [];
@@ -37709,7 +38228,8 @@ async function driftCommand(stacks, options) {
         ref.stackName,
         ref.region,
         stateBackend,
-        providerRegistry
+        providerRegistry,
+        ccApiFallback
       );
       reports.push(report);
     }
@@ -37780,7 +38300,7 @@ function resolveTargetRefs(stacks, stateRefs, options) {
   }
   return out;
 }
-async function runDriftForStack(stackName, region, stateBackend, providerRegistry) {
+async function runDriftForStack(stackName, region, stateBackend, providerRegistry, ccApiFallback) {
   const result = await stateBackend.getState(stackName, region);
   if (!result) {
     throw new Error(
@@ -37806,22 +38326,39 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
         });
         continue;
       }
-      let readCurrentState = provider.readCurrentState?.bind(provider);
-      if (!readCurrentState) {
-        const ccApiProvider = providerRegistry.getCloudControlProvider?.();
-        if (ccApiProvider?.readCurrentState) {
-          readCurrentState = ccApiProvider.readCurrentState.bind(ccApiProvider);
+      let aws;
+      if (provider.readCurrentState) {
+        aws = await provider.readCurrentState(
+          resource.physicalId,
+          logicalId,
+          resource.resourceType,
+          resource.properties ?? {}
+        );
+      } else {
+        if (CC_API_FALLBACK_DENY_LIST[resource.resourceType]) {
+          outcomes.push({
+            kind: "unsupported",
+            logicalId,
+            resourceType: resource.resourceType
+          });
+          continue;
         }
-      }
-      if (!readCurrentState) {
-        outcomes.push({
-          kind: "unsupported",
+        const ccApiAws = await ccApiFallback.readCurrentState(
+          resource.physicalId,
           logicalId,
-          resourceType: resource.resourceType
-        });
-        continue;
+          resource.resourceType,
+          resource.properties ?? {}
+        );
+        if (ccApiAws === void 0) {
+          outcomes.push({
+            kind: "unsupported",
+            logicalId,
+            resourceType: resource.resourceType
+          });
+          continue;
+        }
+        aws = stripCcApiAwsManagedFields(resource.resourceType, ccApiAws);
       }
-      const aws = await readCurrentState(resource.physicalId, logicalId, resource.resourceType);
       if (aws === void 0) {
         outcomes.push({
           kind: "unsupported",
@@ -41359,7 +41896,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.42.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.44.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());