@go-to-k/cdkd 0.43.0 → 0.45.0

package/dist/cli.js

@@ -1187,6 +1187,22 @@ var PartialFailureError = class _PartialFailureError extends CdkdError {
     Object.setPrototypeOf(this, _PartialFailureError.prototype);
   }
 };
+var ResourceUpdateNotSupportedError = class _ResourceUpdateNotSupportedError extends CdkdError {
+  constructor(resourceType, logicalId, suggestion, cause) {
+    const tail = suggestion ? suggestion : "use cdkd deploy with --replace, or change the resource definition to create a new version";
+    super(
+      `${resourceType} (${logicalId}) cannot be updated in place: ${tail}.`,
+      "RESOURCE_UPDATE_NOT_SUPPORTED",
+      cause
+    );
+    this.resourceType = resourceType;
+    this.logicalId = logicalId;
+    this.suggestion = suggestion;
+    this.name = "ResourceUpdateNotSupportedError";
+    Object.setPrototypeOf(this, _ResourceUpdateNotSupportedError.prototype);
+  }
+  exitCode = 2;
+};
 function isCdkdError(error) {
   return error instanceof CdkdError;
 }
@@ -21335,20 +21351,22 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
     }
   }
   /**
-   * Update an API Gateway Authorizer
+   * Update an API Gateway Authorizer.
    *
-   * Authorizer updates are not commonly needed. For now, this is a no-op.
-   * The deployment engine handles replacement for immutable property changes.
+   * AWS exposes `UpdateAuthorizer` (PATCH) but cdkd does not yet plumb the
+   * patch-operations builder through. Authorizers are recreated by the
+   * deploy engine's immutable-property replacement path. `cdkd drift
+   * --revert` surfaces a clear "use --replace or re-deploy" message
+   * instead of silently no-op'ing the revert.
    */
-  updateAuthorizer(logicalId, physicalId, _resourceType) {
-    this.logger.debug(`Updating API Gateway Authorizer ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {
-        AuthorizerId: physicalId
-      }
-    });
+  updateAuthorizer(logicalId, _physicalId, _resourceType) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ApiGateway::Authorizer",
+        logicalId,
+        "API Gateway Authorizer updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   /**
    * Delete an API Gateway Authorizer
@@ -21580,20 +21598,20 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
     }
   }
   /**
-   * Update an API Gateway Deployment
+   * Update an API Gateway Deployment.
    *
-   * Deployments are immutable - updates are not supported.
-   * The deployment engine should handle replacement if needed.
+   * Deployments are immutable — every property change requires a fresh
+   * Deployment. `cdkd drift --revert` therefore throws
+   * `ResourceUpdateNotSupportedError` instead of silently no-op'ing.
    */
-  updateDeployment(logicalId, physicalId, _resourceType) {
-    this.logger.debug(`Updating API Gateway Deployment ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {
-        DeploymentId: physicalId
-      }
-    });
+  updateDeployment(logicalId, _physicalId, _resourceType) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ApiGateway::Deployment",
+        logicalId,
+        "API Gateway Deployment is immutable; re-deploy with cdkd deploy --replace, or change the resource definition to create a new Deployment"
+      )
+    );
   }
   /**
    * Delete an API Gateway Deployment
@@ -21894,17 +21912,22 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
     }
   }
   /**
-   * Update an API Gateway Method
+   * Update an API Gateway Method.
    *
-   * Methods are typically replaced via new deployment, so this is a no-op.
+   * AWS exposes `UpdateMethod` (PATCH) but cdkd does not yet plumb the
+   * patch-operations builder through. Methods are recreated by the deploy
+   * engine's immutable-property replacement path. `cdkd drift --revert`
+   * surfaces a clear "use --replace or re-deploy" message instead of
+   * silently no-op'ing the revert.
    */
-  updateMethod(logicalId, physicalId) {
-    this.logger.debug(`Updating API Gateway Method ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {}
-    });
+  updateMethod(logicalId, _physicalId) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ApiGateway::Method",
+        logicalId,
+        "API Gateway Method updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   /**
    * Delete an API Gateway Method
@@ -22282,13 +22305,23 @@ var ApiGatewayV2Provider = class {
         );
     }
   }
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    this.logger.debug(`Updating ${resourceType} ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {}
-    });
+  /**
+   * HTTP API resources are treated as immutable by cdkd: the deploy engine
+   * recreates them on property changes via the immutable-property
+   * replacement path. AWS does expose `UpdateApi` / `UpdateRoute` /
+   * `UpdateIntegration` / `UpdateStage` / `UpdateAuthorizer`, but cdkd
+   * does not yet plumb them through. `cdkd drift --revert` surfaces a
+   * clear "use --replace or re-deploy" message instead of silently
+   * no-op'ing the revert.
+   */
+  update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "API Gateway V2 (HTTP API) resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
@@ -22964,6 +22997,7 @@ import {
   CreateCloudFrontOriginAccessIdentityCommand,
   DeleteCloudFrontOriginAccessIdentityCommand,
   GetCloudFrontOriginAccessIdentityCommand as GetCloudFrontOriginAccessIdentityCommand2,
+  UpdateCloudFrontOriginAccessIdentityCommand,
   NoSuchCloudFrontOriginAccessIdentity
 } from "@aws-sdk/client-cloudfront";
 init_aws_clients();
@@ -23019,17 +23053,61 @@ var CloudFrontOAIProvider = class {
     }
   }
   /**
-   * Update a CloudFront Origin Access Identity
+   * Update a CloudFront Origin Access Identity.
+   *
+   * Only the `Comment` field is mutable on an OAI; `CallerReference` is set
+   * by cdkd at create time and cannot be changed. AWS exposes a single
+   * `UpdateCloudFrontOriginAccessIdentity` call that requires the current
+   * `ETag` (fetched via `GetCloudFrontOriginAccessIdentity`) and overwrites
+   * the entire `CloudFrontOriginAccessIdentityConfig`.
    *
-   * OAI config is effectively immutable (only Comment can change, which is cosmetic).
-   * No replacement needed for Comment changes.
+   * Used by `cdkd drift --revert` to push the cdkd-state Comment back into
+   * AWS; on the normal deploy path this is also exercised when a user
+   * tweaks the Comment in their CDK code.
    */
-  update(logicalId, physicalId, _resourceType, _properties, _previousProperties) {
-    this.logger.debug(`Update requested for CloudFront OAI ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false
-    });
+  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    this.logger.debug(`Updating CloudFront OAI ${logicalId}: ${physicalId}`);
+    const config = properties["CloudFrontOriginAccessIdentityConfig"];
+    const comment = config?.["Comment"] ?? "";
+    try {
+      const getResponse = await this.cloudFrontClient.send(
+        new GetCloudFrontOriginAccessIdentityCommand2({ Id: physicalId })
+      );
+      const etag = getResponse.ETag;
+      if (!etag) {
+        throw new Error("GetCloudFrontOriginAccessIdentity did not return ETag");
+      }
+      await this.cloudFrontClient.send(
+        new UpdateCloudFrontOriginAccessIdentityCommand({
+          Id: physicalId,
+          IfMatch: etag,
+          CloudFrontOriginAccessIdentityConfig: {
+            // CallerReference is immutable; preserve whatever the OAI was
+            // created with so AWS does not reject the update.
+            CallerReference: getResponse.CloudFrontOriginAccessIdentity?.CloudFrontOriginAccessIdentityConfig?.CallerReference ?? logicalId,
+            Comment: comment
+          }
+        })
+      );
+      this.logger.debug(`Successfully updated CloudFront OAI ${logicalId}`);
+      return {
+        physicalId,
+        wasReplaced: false,
+        attributes: {
+          Id: physicalId,
+          S3CanonicalUserId: getResponse.CloudFrontOriginAccessIdentity?.S3CanonicalUserId
+        }
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update CloudFront OAI ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
   }
   /**
    * Delete a CloudFront Origin Access Identity
@@ -25570,34 +25648,14 @@ var ELBv2Provider = class {
       );
     }
   }
-  async updateLoadBalancer(logicalId, physicalId, resourceType, _properties) {
-    this.logger.debug(`Updating LoadBalancer ${logicalId}: ${physicalId}`);
-    try {
-      const describeResponse = await this.getClient().send(
-        new DescribeLoadBalancersCommand2({ LoadBalancerArns: [physicalId] })
-      );
-      const lb = describeResponse.LoadBalancers?.[0];
-      return {
-        physicalId,
-        wasReplaced: false,
-        attributes: {
-          DNSName: lb?.DNSName,
-          CanonicalHostedZoneID: lb?.CanonicalHostedZoneId,
-          LoadBalancerArn: physicalId,
-          LoadBalancerFullName: physicalId.split("/").slice(1).join("/"),
-          LoadBalancerName: lb?.LoadBalancerName
-        }
-      };
-    } catch (error) {
-      const cause = error instanceof Error ? error : void 0;
-      throw new ProvisioningError(
-        `Failed to update LoadBalancer ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
-        resourceType,
+  updateLoadBalancer(logicalId, _physicalId, _resourceType, _properties) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ElasticLoadBalancingV2::LoadBalancer",
         logicalId,
-        physicalId,
-        cause
-      );
-    }
+        "ELBv2 LoadBalancer in-place updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async deleteLoadBalancer(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting LoadBalancer ${logicalId}: ${physicalId}`);
@@ -29590,15 +29648,14 @@ var ServiceDiscoveryProvider = class {
       );
     }
   }
-  updateNamespace(logicalId, physicalId) {
-    this.logger.debug(`Updating private DNS namespace ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {
-        Id: physicalId
-      }
-    });
+  updateNamespace(logicalId, _physicalId) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ServiceDiscovery::PrivateDnsNamespace",
+        logicalId,
+        "PrivateDnsNamespace updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async deleteNamespace(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting private DNS namespace ${logicalId}: ${physicalId}`);
@@ -29693,15 +29750,14 @@ var ServiceDiscoveryProvider = class {
       );
     }
   }
-  updateService(logicalId, physicalId) {
-    this.logger.debug(`Updating service discovery service ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {
-        Id: physicalId
-      }
-    });
+  updateService(logicalId, _physicalId) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ServiceDiscovery::Service",
+        logicalId,
+        "ServiceDiscovery Service updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async deleteService(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting service discovery service ${logicalId}: ${physicalId}`);
@@ -30049,9 +30105,22 @@ var AppSyncProvider = class {
         );
     }
   }
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    this.logger.debug(`Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, immutable`);
-    return Promise.resolve({ physicalId, wasReplaced: false });
+  /**
+   * AppSync resources are treated as immutable by cdkd: every supported
+   * type (`GraphQLApi`, `GraphQLSchema`, `DataSource`, `Resolver`,
+   * `ApiKey`) is recreated on property changes via the deploy engine's
+   * immutable-property replacement path. There is no in-place update,
+   * so `cdkd drift --revert` surfaces a clear "use --replace or
+   * re-deploy" message instead of silently no-op'ing the revert.
+   */
+  update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "AppSync resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
@@ -30788,10 +30857,11 @@ var GlueProvider = class {
   async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
     switch (resourceType) {
       case "AWS::Glue::Database":
-        this.logger.debug(
-          `Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, immutable`
+        throw new ResourceUpdateNotSupportedError(
+          resourceType,
+          logicalId,
+          "Glue Database updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
         );
-        return { physicalId, wasReplaced: false };
       case "AWS::Glue::Table":
         return this.updateTable(logicalId, physicalId, resourceType, properties);
       default:
@@ -32414,8 +32484,15 @@ var EFSProvider = class {
         );
     }
   }
+  /**
+   * EFS resources are treated as immutable by cdkd's `update()`. The deploy
+   * engine recreates them on property changes via immutable-property
+   * detection. (AWS does expose `UpdateFileSystem` for ThroughputMode and
+   * `ModifyMountTargetSecurityGroups` for mount-target SGs — those are
+   * deferred to a follow-up PR.) `cdkd drift --revert` surfaces a clear
+   * "use --replace or re-deploy" message instead of silently no-op'ing.
+   */
   update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    this.logger.debug(`Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, immutable`);
     if (resourceType !== "AWS::EFS::FileSystem" && resourceType !== "AWS::EFS::MountTarget" && resourceType !== "AWS::EFS::AccessPoint") {
       throw new ProvisioningError(
         `Unsupported resource type: ${resourceType}`,
@@ -32424,7 +32501,13 @@ var EFSProvider = class {
         physicalId
       );
     }
-    return Promise.resolve({ physicalId, wasReplaced: false });
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "EFS resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
@@ -33241,15 +33324,21 @@ var FirehoseProvider = class {
     }
   }
   /**
-   * Update a Firehose delivery stream
-   *
-   * Most changes require replacement, so this is a no-op.
+   * Firehose delivery streams are treated as immutable by cdkd. Most
+   * destination-config changes require replacement, and AWS's
+   * `UpdateDestination` API surface is deep enough that the deploy engine's
+   * immutable-property replacement path covers the common cases more
+   * reliably. `cdkd drift --revert` therefore surfaces a clear "use
+   * --replace or re-deploy" message instead of silently no-op'ing.
    */
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    this.logger.debug(
-      `Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, most changes require replacement`
+  update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "Firehose delivery streams are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
     );
-    return Promise.resolve({ physicalId, wasReplaced: false });
   }
   /**
    * Delete a Firehose delivery stream
@@ -38050,6 +38139,128 @@ function isPlainObject(value) {
   return typeof value === "object" && value !== null;
 }
 
+// src/analyzer/drift-cc-api-deny-list.ts
+var CC_API_FALLBACK_DENY_LIST = {
+  // AWS::IAM::ManagedPolicy: PolicyDocument round-trips through CC API
+  // URL-encoded; cdkd state stores it as a parsed JSON object. Without
+  // a per-type decoder, every comparison sees a string-vs-object
+  // mismatch and fires drift on every run. The IAM Role provider's
+  // first-class readCurrentState handles its inline AssumeRolePolicy
+  // the same way (URL-decode + JSON-parse); the same fix pattern is
+  // needed for ManagedPolicy when an SDK provider is added.
+  "AWS::IAM::ManagedPolicy": "PolicyDocument is URL-encoded JSON in CC API responses, but cdkd state stores it as a parsed object \u2014 needs per-type decode",
+  // AWS::ApiGateway::RestApi: the `Body` property (OpenAPI spec object
+  // when supplied via `Body` rather than `BodyS3Location`) is write-only
+  // — `GetRestApi` does NOT return it, but cdkd state preserves the
+  // object the user passed in. CC API GetResource inherits this — the
+  // returned shape omits `Body`, so every drift run flags it as
+  // missing-on-AWS. Comparison silently dropping it would also be
+  // wrong; the right move is a dedicated SDK provider that knows to
+  // skip `Body` entirely.
+  "AWS::ApiGateway::RestApi": "Body / BodyS3Location are write-only inputs not returned by CC API GetResource; cdkd state preserves them",
+  // AWS::CloudFormation::Stack: nested stacks aren't supported by cdkd's
+  // provider registry at all; the deploy / destroy paths reject them.
+  // Listing here is defense-in-depth — if a user manually crafts state
+  // with one, drift via CC API would compare CFn-template-input
+  // properties against CC API's stack-output shape (CC API's
+  // `AWS::CloudFormation::Stack` reports outputs / status, not the
+  // template parameters cdkd would have stored).
+  "AWS::CloudFormation::Stack": "CC API returns runtime stack state (outputs/status), not the template parameters cdkd state stores",
+  // AWS::EC2::LaunchTemplate: `LaunchTemplateData` ships with deeply
+  // structured sub-objects that CC API normalizes into a versioned shape
+  // — every UpdateLaunchTemplate (and even GetLaunchTemplate) bumps the
+  // returned default version, and CC API attaches a synthetic
+  // `LatestVersionNumber` / `DefaultVersionNumber` next to the template
+  // data that drift would surface as drift on the parent. Until an SDK
+  // provider strips those, deny.
+  "AWS::EC2::LaunchTemplate": "CC API returns version-bumped LaunchTemplateData with synthetic LatestVersionNumber that diverges from the CFn input shape"
+};
+
+// src/analyzer/cc-api-strip.ts
+var ALWAYS_STRIPPED_FIELDS = /* @__PURE__ */ new Set([
+  // Timestamps — AWS-managed, change on every modification. Names are
+  // unambiguous: no CFn template ever exposes a "CreationDate" /
+  // "LastModifiedTime" as a settable input.
+  "CreationDate",
+  "CreationTime",
+  "CreatedTime",
+  "CreatedDate",
+  "CreatedAt",
+  "LastModifiedDate",
+  "LastModifiedTime",
+  "LastModified",
+  "LastUpdatedTime",
+  "LastUpdatedDate",
+  "UpdatedAt",
+  // Owner / account / principal info — derived from the calling
+  // principal, never user-set in a CFn template. `CreatedBy` /
+  // `OwnerArn` are unique enough that no settable CFn property
+  // collides with them.
+  "OwnerId",
+  "OwnerAccountId",
+  "CreatedBy",
+  "OwnerArn",
+  // Lambda-specific generated identifiers. `RevisionId` rotates on
+  // every operation; `LastUpdateStatus*` mirror runtime state. None
+  // are settable in a CFn template.
+  "RevisionId",
+  "LastUpdateStatus",
+  "LastUpdateStatusReason",
+  "LastUpdateStatusReasonCode",
+  // CloudFormation/Cloud Control passthrough metadata — never
+  // appears as a settable input in a CFn template body.
+  "StackId",
+  "PhysicalResourceId",
+  "LogicalResourceId"
+  // Notes on intentional EXCLUSIONS:
+  //
+  // `State` / `Status` / `StateReason` / `StatusReason` — these
+  // names ARE used by some CFn types as settable nested properties
+  // (e.g. `AWS::ECS::CapacityProvider.AutoScalingGroupProvider.ManagedScaling.Status`,
+  // `AWS::S3::Bucket.VersioningConfiguration.Status`). Stripping them
+  // globally would cause false-positive drift on a clean stack.
+  // The comparator already ignores AWS-only top-level `Status` values
+  // because state doesn't carry them; only the nested-name-collision
+  // cases would have leaked through, and excluding them here protects
+  // those.
+  //
+  // `Arn` — many CFn types accept `Arn` as a settable property and
+  // cdkd state may record it at create time. Drift on `Arn` is
+  // genuine drift the user wants to see.
+  //
+  // `VersionId` / `GenerationId` / `ETag` — narrow utility (only S3
+  // / KMS / ImageBuilder use these in their Get* responses), and at
+  // least `VersionId` IS a settable input on `AWS::S3::Bucket`'s
+  // versioning config. Per-provider readCurrentState handles them.
+  //
+  // `AccountId` / `StackName` — also collide with settable inputs
+  // on a few CFn types (`AWS::CloudWatch::CrossAccountSharingRule.AccountId`,
+  // `AWS::CloudFormation::HookDefaultVersion.StackName`).
+  //
+  // `StartTime` / `EndTime` — used as settable inputs in scheduling
+  // shapes (e.g. `AWS::AutoScaling::ScheduledAction.StartTime`).
+]);
+function stripCcApiAwsManagedFields(resourceType, awsProps) {
+  return stripWalk(awsProps);
+}
+function stripWalk(value) {
+  if (value === null || value === void 0)
+    return value;
+  if (Array.isArray(value)) {
+    return value.map(stripWalk);
+  }
+  if (typeof value === "object") {
+    const out = {};
+    for (const [key, child] of Object.entries(value)) {
+      if (ALWAYS_STRIPPED_FIELDS.has(key))
+        continue;
+      out[key] = stripWalk(child);
+    }
+    return out;
+  }
+  return value;
+}
+
 // src/cli/commands/drift.ts
 var DriftDetectedError = class _DriftDetectedError extends CdkdError {
   silent = true;
@@ -38092,6 +38303,7 @@ async function driftCommand(stacks, options) {
     const providerRegistry = new ProviderRegistry();
     registerAllProviders(providerRegistry);
     providerRegistry.setCustomResourceResponseBucket(bucket);
+    const ccApiFallback = new CloudControlProvider();
     const stateRefs = await stateBackend.listStacks();
     const targetRefs = resolveTargetRefs(stacks, stateRefs, options);
     const reports = [];
@@ -38105,7 +38317,8 @@ async function driftCommand(stacks, options) {
         ref.stackName,
         ref.region,
         stateBackend,
-        providerRegistry
+        providerRegistry,
+        ccApiFallback
       );
       reports.push(report);
     }
@@ -38176,7 +38389,7 @@ function resolveTargetRefs(stacks, stateRefs, options) {
   }
   return out;
 }
-async function runDriftForStack(stackName, region, stateBackend, providerRegistry) {
+async function runDriftForStack(stackName, region, stateBackend, providerRegistry, ccApiFallback) {
   const result = await stateBackend.getState(stackName, region);
   if (!result) {
     throw new Error(
@@ -38202,27 +38415,39 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
         });
         continue;
       }
-      let readCurrentState = provider.readCurrentState?.bind(provider);
-      if (!readCurrentState) {
-        const ccApiProvider = providerRegistry.getCloudControlProvider?.();
-        if (ccApiProvider?.readCurrentState) {
-          readCurrentState = ccApiProvider.readCurrentState.bind(ccApiProvider);
+      let aws;
+      if (provider.readCurrentState) {
+        aws = await provider.readCurrentState(
+          resource.physicalId,
+          logicalId,
+          resource.resourceType,
+          resource.properties ?? {}
+        );
+      } else {
+        if (CC_API_FALLBACK_DENY_LIST[resource.resourceType]) {
+          outcomes.push({
+            kind: "unsupported",
+            logicalId,
+            resourceType: resource.resourceType
+          });
+          continue;
         }
-      }
-      if (!readCurrentState) {
-        outcomes.push({
-          kind: "unsupported",
+        const ccApiAws = await ccApiFallback.readCurrentState(
+          resource.physicalId,
           logicalId,
-          resourceType: resource.resourceType
-        });
-        continue;
+          resource.resourceType,
+          resource.properties ?? {}
+        );
+        if (ccApiAws === void 0) {
+          outcomes.push({
+            kind: "unsupported",
+            logicalId,
+            resourceType: resource.resourceType
+          });
+          continue;
+        }
+        aws = stripCcApiAwsManagedFields(resource.resourceType, ccApiAws);
       }
-      const aws = await readCurrentState(
-        resource.physicalId,
-        logicalId,
-        resource.resourceType,
-        resource.properties ?? {}
-      );
       if (aws === void 0) {
         outcomes.push({
           kind: "unsupported",
@@ -38356,6 +38581,7 @@ async function runRevert(reports, providerRegistry, stateConfig, awsClients, opt
   const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
   const concurrency = Math.max(1, options.concurrency ?? 4);
   let totalFailed = 0;
+  let totalUnsupported = 0;
   let totalSucceeded = 0;
   for (const report of reports) {
     const driftedOutcomes = report.outcomes.filter(
@@ -38393,10 +38619,17 @@ async function runRevert(reports, providerRegistry, stateConfig, awsClients, opt
             `  \u2713 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): reverted.`
           );
         } catch (err) {
+          if (err instanceof ResourceUpdateNotSupportedError) {
+            totalUnsupported++;
+            logger.warn(
+              `  \u2298 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): could not revert \u2014 ${err.message}`
+            );
+            return;
+          }
           totalFailed++;
           const msg = err instanceof Error ? err.message : String(err);
           logger.error(
-            `  \u2717 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): ${msg}`
+            `  \u2717 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): AWS update failed \u2014 ${msg}`
           );
         }
       });
@@ -38409,11 +38642,21 @@ async function runRevert(reports, providerRegistry, stateConfig, awsClients, opt
       });
     }
   }
+  const summaryParts = [`${totalSucceeded} reverted`];
+  if (totalUnsupported > 0)
+    summaryParts.push(`${totalUnsupported} update-not-supported`);
+  if (totalFailed > 0)
+    summaryParts.push(`${totalFailed} failed`);
   logger.info(`
-Revert summary: ${totalSucceeded} reverted, ${totalFailed} failed.`);
-  if (totalFailed > 0) {
+Revert summary: ${summaryParts.join(", ")}.`);
+  if (totalUnsupported > 0) {
+    logger.warn(
+      `${totalUnsupported} resource(s) cannot be reverted in place \u2014 re-deploy the stack with cdkd deploy --replace, or destroy + redeploy to push the cdkd-state values back into AWS.`
+    );
+  }
+  if (totalFailed > 0 || totalUnsupported > 0) {
     throw new PartialFailureError(
-      `Revert completed with ${totalFailed} resource error(s). Re-run 'cdkd drift <stack>' to see the remaining drift, then 'cdkd drift <stack> --revert' to retry.`
+      `Revert completed with ${totalFailed + totalUnsupported} resource error(s) (${totalFailed} AWS update failure(s), ${totalUnsupported} update-not-supported). Re-run 'cdkd drift <stack>' to see the remaining drift, then 'cdkd drift <stack> --revert' to retry.`
     );
   }
 }
@@ -41760,7 +42003,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.43.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.45.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());