@go-to-k/cdkd 0.43.0 → 0.44.0

package/dist/cli.js

@@ -38050,6 +38050,128 @@ function isPlainObject(value) {
   return typeof value === "object" && value !== null;
 }
 
+// src/analyzer/drift-cc-api-deny-list.ts
+var CC_API_FALLBACK_DENY_LIST = {
+  // AWS::IAM::ManagedPolicy: PolicyDocument round-trips through CC API
+  // URL-encoded; cdkd state stores it as a parsed JSON object. Without
+  // a per-type decoder, every comparison sees a string-vs-object
+  // mismatch and fires drift on every run. The IAM Role provider's
+  // first-class readCurrentState handles its inline AssumeRolePolicy
+  // the same way (URL-decode + JSON-parse); the same fix pattern is
+  // needed for ManagedPolicy when an SDK provider is added.
+  "AWS::IAM::ManagedPolicy": "PolicyDocument is URL-encoded JSON in CC API responses, but cdkd state stores it as a parsed object \u2014 needs per-type decode",
+  // AWS::ApiGateway::RestApi: the `Body` property (OpenAPI spec object
+  // when supplied via `Body` rather than `BodyS3Location`) is write-only
+  // — `GetRestApi` does NOT return it, but cdkd state preserves the
+  // object the user passed in. CC API GetResource inherits this — the
+  // returned shape omits `Body`, so every drift run flags it as
+  // missing-on-AWS. Comparison silently dropping it would also be
+  // wrong; the right move is a dedicated SDK provider that knows to
+  // skip `Body` entirely.
+  "AWS::ApiGateway::RestApi": "Body / BodyS3Location are write-only inputs not returned by CC API GetResource; cdkd state preserves them",
+  // AWS::CloudFormation::Stack: nested stacks aren't supported by cdkd's
+  // provider registry at all; the deploy / destroy paths reject them.
+  // Listing here is defense-in-depth — if a user manually crafts state
+  // with one, drift via CC API would compare CFn-template-input
+  // properties against CC API's stack-output shape (CC API's
+  // `AWS::CloudFormation::Stack` reports outputs / status, not the
+  // template parameters cdkd would have stored).
+  "AWS::CloudFormation::Stack": "CC API returns runtime stack state (outputs/status), not the template parameters cdkd state stores",
+  // AWS::EC2::LaunchTemplate: `LaunchTemplateData` ships with deeply
+  // structured sub-objects that CC API normalizes into a versioned shape
+  // — every UpdateLaunchTemplate (and even GetLaunchTemplate) bumps the
+  // returned default version, and CC API attaches a synthetic
+  // `LatestVersionNumber` / `DefaultVersionNumber` next to the template
+  // data that drift would surface as drift on the parent. Until an SDK
+  // provider strips those, deny.
+  "AWS::EC2::LaunchTemplate": "CC API returns version-bumped LaunchTemplateData with synthetic LatestVersionNumber that diverges from the CFn input shape"
+};
+
+// src/analyzer/cc-api-strip.ts
+var ALWAYS_STRIPPED_FIELDS = /* @__PURE__ */ new Set([
+  // Timestamps — AWS-managed, change on every modification. Names are
+  // unambiguous: no CFn template ever exposes a "CreationDate" /
+  // "LastModifiedTime" as a settable input.
+  "CreationDate",
+  "CreationTime",
+  "CreatedTime",
+  "CreatedDate",
+  "CreatedAt",
+  "LastModifiedDate",
+  "LastModifiedTime",
+  "LastModified",
+  "LastUpdatedTime",
+  "LastUpdatedDate",
+  "UpdatedAt",
+  // Owner / account / principal info — derived from the calling
+  // principal, never user-set in a CFn template. `CreatedBy` /
+  // `OwnerArn` are unique enough that no settable CFn property
+  // collides with them.
+  "OwnerId",
+  "OwnerAccountId",
+  "CreatedBy",
+  "OwnerArn",
+  // Lambda-specific generated identifiers. `RevisionId` rotates on
+  // every operation; `LastUpdateStatus*` mirror runtime state. None
+  // are settable in a CFn template.
+  "RevisionId",
+  "LastUpdateStatus",
+  "LastUpdateStatusReason",
+  "LastUpdateStatusReasonCode",
+  // CloudFormation/Cloud Control passthrough metadata — never
+  // appears as a settable input in a CFn template body.
+  "StackId",
+  "PhysicalResourceId",
+  "LogicalResourceId"
+  // Notes on intentional EXCLUSIONS:
+  //
+  // `State` / `Status` / `StateReason` / `StatusReason` — these
+  // names ARE used by some CFn types as settable nested properties
+  // (e.g. `AWS::ECS::CapacityProvider.AutoScalingGroupProvider.ManagedScaling.Status`,
+  // `AWS::S3::Bucket.VersioningConfiguration.Status`). Stripping them
+  // globally would cause false-positive drift on a clean stack.
+  // The comparator already ignores AWS-only top-level `Status` values
+  // because state doesn't carry them; only the nested-name-collision
+  // cases would have leaked through, and excluding them here protects
+  // those.
+  //
+  // `Arn` — many CFn types accept `Arn` as a settable property and
+  // cdkd state may record it at create time. Drift on `Arn` is
+  // genuine drift the user wants to see.
+  //
+  // `VersionId` / `GenerationId` / `ETag` — narrow utility (only S3
+  // / KMS / ImageBuilder use these in their Get* responses), and at
+  // least `VersionId` IS a settable input on `AWS::S3::Bucket`'s
+  // versioning config. Per-provider readCurrentState handles them.
+  //
+  // `AccountId` / `StackName` — also collide with settable inputs
+  // on a few CFn types (`AWS::CloudWatch::CrossAccountSharingRule.AccountId`,
+  // `AWS::CloudFormation::HookDefaultVersion.StackName`).
+  //
+  // `StartTime` / `EndTime` — used as settable inputs in scheduling
+  // shapes (e.g. `AWS::AutoScaling::ScheduledAction.StartTime`).
+]);
+function stripCcApiAwsManagedFields(resourceType, awsProps) {
+  return stripWalk(awsProps);
+}
+function stripWalk(value) {
+  if (value === null || value === void 0)
+    return value;
+  if (Array.isArray(value)) {
+    return value.map(stripWalk);
+  }
+  if (typeof value === "object") {
+    const out = {};
+    for (const [key, child] of Object.entries(value)) {
+      if (ALWAYS_STRIPPED_FIELDS.has(key))
+        continue;
+      out[key] = stripWalk(child);
+    }
+    return out;
+  }
+  return value;
+}
+
 // src/cli/commands/drift.ts
 var DriftDetectedError = class _DriftDetectedError extends CdkdError {
   silent = true;
@@ -38092,6 +38214,7 @@ async function driftCommand(stacks, options) {
     const providerRegistry = new ProviderRegistry();
     registerAllProviders(providerRegistry);
     providerRegistry.setCustomResourceResponseBucket(bucket);
+    const ccApiFallback = new CloudControlProvider();
     const stateRefs = await stateBackend.listStacks();
     const targetRefs = resolveTargetRefs(stacks, stateRefs, options);
     const reports = [];
@@ -38105,7 +38228,8 @@ async function driftCommand(stacks, options) {
         ref.stackName,
         ref.region,
         stateBackend,
-        providerRegistry
+        providerRegistry,
+        ccApiFallback
       );
       reports.push(report);
     }
@@ -38176,7 +38300,7 @@ function resolveTargetRefs(stacks, stateRefs, options) {
   }
   return out;
 }
-async function runDriftForStack(stackName, region, stateBackend, providerRegistry) {
+async function runDriftForStack(stackName, region, stateBackend, providerRegistry, ccApiFallback) {
   const result = await stateBackend.getState(stackName, region);
   if (!result) {
     throw new Error(
@@ -38202,27 +38326,39 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
         });
         continue;
       }
-      let readCurrentState = provider.readCurrentState?.bind(provider);
-      if (!readCurrentState) {
-        const ccApiProvider = providerRegistry.getCloudControlProvider?.();
-        if (ccApiProvider?.readCurrentState) {
-          readCurrentState = ccApiProvider.readCurrentState.bind(ccApiProvider);
+      let aws;
+      if (provider.readCurrentState) {
+        aws = await provider.readCurrentState(
+          resource.physicalId,
+          logicalId,
+          resource.resourceType,
+          resource.properties ?? {}
+        );
+      } else {
+        if (CC_API_FALLBACK_DENY_LIST[resource.resourceType]) {
+          outcomes.push({
+            kind: "unsupported",
+            logicalId,
+            resourceType: resource.resourceType
+          });
+          continue;
         }
-      }
-      if (!readCurrentState) {
-        outcomes.push({
-          kind: "unsupported",
+        const ccApiAws = await ccApiFallback.readCurrentState(
+          resource.physicalId,
           logicalId,
-          resourceType: resource.resourceType
-        });
-        continue;
+          resource.resourceType,
+          resource.properties ?? {}
+        );
+        if (ccApiAws === void 0) {
+          outcomes.push({
+            kind: "unsupported",
+            logicalId,
+            resourceType: resource.resourceType
+          });
+          continue;
+        }
+        aws = stripCcApiAwsManagedFields(resource.resourceType, ccApiAws);
       }
-      const aws = await readCurrentState(
-        resource.physicalId,
-        logicalId,
-        resource.resourceType,
-        resource.properties ?? {}
-      );
       if (aws === void 0) {
         outcomes.push({
           kind: "unsupported",
@@ -41760,7 +41896,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.43.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.44.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());