@go-to-k/cdkd 0.44.0 → 0.46.0

package/dist/cli.js

@@ -1187,6 +1187,22 @@ var PartialFailureError = class _PartialFailureError extends CdkdError {
     Object.setPrototypeOf(this, _PartialFailureError.prototype);
   }
 };
+var ResourceUpdateNotSupportedError = class _ResourceUpdateNotSupportedError extends CdkdError {
+  constructor(resourceType, logicalId, suggestion, cause) {
+    const tail = suggestion ? suggestion : "use cdkd deploy with --replace, or change the resource definition to create a new version";
+    super(
+      `${resourceType} (${logicalId}) cannot be updated in place: ${tail}.`,
+      "RESOURCE_UPDATE_NOT_SUPPORTED",
+      cause
+    );
+    this.resourceType = resourceType;
+    this.logicalId = logicalId;
+    this.suggestion = suggestion;
+    this.name = "ResourceUpdateNotSupportedError";
+    Object.setPrototypeOf(this, _ResourceUpdateNotSupportedError.prototype);
+  }
+  exitCode = 2;
+};
 function isCdkdError(error) {
   return error instanceof CdkdError;
 }
@@ -8494,6 +8510,31 @@ function matchesCdkPath(tags, cdkPath) {
   }
   return false;
 }
+function normalizeAwsTagsToCfn(tags) {
+  if (!tags)
+    return [];
+  const out = [];
+  if (Array.isArray(tags)) {
+    for (const t of tags) {
+      const obj = t;
+      const k = (typeof obj["Key"] === "string" ? obj["Key"] : void 0) ?? (typeof obj["TagKey"] === "string" ? obj["TagKey"] : void 0) ?? (typeof obj["key"] === "string" ? obj["key"] : void 0);
+      const v = (typeof obj["Value"] === "string" ? obj["Value"] : void 0) ?? (typeof obj["TagValue"] === "string" ? obj["TagValue"] : void 0) ?? (typeof obj["value"] === "string" ? obj["value"] : void 0);
+      if (typeof k !== "string" || k.length === 0)
+        continue;
+      if (k.startsWith("aws:"))
+        continue;
+      out.push({ Key: k, Value: typeof v === "string" ? v : "" });
+    }
+  } else {
+    for (const [k, v] of Object.entries(tags)) {
+      if (!k || k.startsWith("aws:"))
+        continue;
+      out.push({ Key: k, Value: typeof v === "string" ? v : "" });
+    }
+  }
+  out.sort((a, b) => a.Key < b.Key ? -1 : a.Key > b.Key ? 1 : 0);
+  return out;
+}
 
 // src/provisioning/providers/iam-role-provider.ts
 var IAMRoleProvider = class {
@@ -9053,9 +9094,10 @@ var IAMRoleProvider = class {
    *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
    *    v1 — drift detection on inline IAM policy bodies can ship in a
    *    follow-up.
-   *  - `Tags` is omitted for the same reason as Lambda's tags handling
-   *    (CDK auto-injects `aws:cdk:path` and the shape decision belongs in a
-   *    dedicated tags PR).
+   *  - `Tags` is surfaced via `ListRoleTags` (paginated). CDK's `aws:*`
+   *    auto-tags are filtered out by `normalizeAwsTagsToCfn` so they don't
+   *    fire false-positive drift; the result key is omitted entirely when
+   *    AWS reports no user tags (matches `create()`'s behavior).
    *
    * Returns `undefined` when the role is gone (`NoSuchEntityException`).
    */
@@ -9105,6 +9147,32 @@ var IAMRoleProvider = class {
       if (!(err instanceof NoSuchEntityException))
         throw err;
     }
+    try {
+      const collected = [];
+      let marker;
+      while (true) {
+        const tagsResp = await this.iamClient.send(
+          new ListRoleTagsCommand({
+            RoleName: physicalId,
+            ...marker ? { Marker: marker } : {}
+          })
+        );
+        if (tagsResp.Tags) {
+          for (const t of tagsResp.Tags) {
+            collected.push({ Key: t.Key, Value: t.Value });
+          }
+        }
+        if (!tagsResp.IsTruncated)
+          break;
+        marker = tagsResp.Marker;
+      }
+      const tags = normalizeAwsTagsToCfn(collected);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
     return result;
   }
   /**
@@ -12110,14 +12178,9 @@ var S3BucketProvider = class {
     }
     try {
       const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: physicalId }));
-      if (resp.TagSet && resp.TagSet.length > 0) {
-        const tags = resp.TagSet.filter((t) => t.Key && !t.Key.startsWith("aws:")).map((t) => ({
-          Key: t.Key,
-          Value: t.Value
-        }));
-        if (tags.length > 0)
-          result["Tags"] = tags;
-      }
+      const tags = normalizeAwsTagsToCfn(resp.TagSet);
+      if (tags.length > 0)
+        result["Tags"] = tags;
     } catch (err) {
       const e = err;
       if (e.name !== "NoSuchTagSet") {
@@ -12726,9 +12789,11 @@ var SQSQueueProvider = class {
    * `QueueName` is derived from the URL tail (the `physicalId` is the
    * queue URL), not surfaced by `GetQueueAttributes`.
    *
-   * `Tags` is omitted: `ListQueueTags` is a separate call and tag drift is
-   * generally less interesting than configuration drift; the `aws:cdk:path`
-   * shape question is also out of scope here.
+   * `Tags` is surfaced via `ListQueueTags` (returns a tag-name → value map).
+   * CDK's `aws:*` auto-tags are filtered out by `normalizeAwsTagsToCfn`; the
+   * result key is omitted entirely when AWS reports no user tags (matches
+   * `create()`'s behavior of only sending Tags when the template carries
+   * them).
    *
    * Returns `undefined` when the queue is gone (`QueueDoesNotExist`).
    */
@@ -12796,6 +12861,18 @@ var SQSQueueProvider = class {
         result["RedrivePolicy"] = attributes["RedrivePolicy"];
       }
     }
+    try {
+      const tagsResp = await this.sqsClient.send(
+        new ListQueueTagsCommand({ QueueUrl: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (err instanceof QueueDoesNotExist)
+        return void 0;
+      throw err;
+    }
     return result;
   }
   /**
@@ -13415,11 +13492,16 @@ var SNSTopicProvider = class {
    * `TopicName` is derived from the ARN tail (the `physicalId` is the
    * topic ARN).
    *
-   * `Tags` and `DeliveryStatusLogging` are intentionally omitted:
-   * `ListTagsForResource` is a separate call, and `DeliveryStatusLogging`
-   * fans out into per-protocol attributes (`{Protocol}SuccessFeedbackRoleArn`,
-   * etc.) whose round-trip back to the CFn array shape needs more thought
-   * than fits in this PR.
+   * `Tags` is surfaced via a follow-up `ListTagsForResource` call. CDK's
+   * `aws:*` auto-tags are filtered out by `normalizeAwsTagsToCfn`; the
+   * result key is omitted entirely when AWS reports no user tags (matches
+   * `create()`'s behavior of only sending Tags when the template carries
+   * them).
+   *
+   * `DeliveryStatusLogging` is intentionally omitted: it fans out into
+   * per-protocol attributes (`{Protocol}SuccessFeedbackRoleArn`, etc.) whose
+   * round-trip back to the CFn array shape needs more thought than fits in
+   * this PR.
    *
    * `Subscription` is omitted because CDK manages it via separate
    * `AWS::SNS::Subscription` resources, not as a Topic property.
@@ -13472,6 +13554,18 @@ var SNSTopicProvider = class {
         }
       }
     }
+    try {
+      const tagsResp = await this.snsClient.send(
+        new ListTagsForResourceCommand({ ResourceArn: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (err instanceof NotFoundException)
+        return void 0;
+      throw err;
+    }
     return result;
   }
   /**
@@ -14675,11 +14769,13 @@ var LambdaFunctionProvider = class {
    * function's `CodeSha256` does live in `GetFunction` but is not what
    * cdkd's `Code: { S3Bucket, S3Key }` state property carries).
    *
-   * `Tags` is omitted as well: `GetFunction` returns Tags as an object map,
-   * while CFn / cdkd state holds them as `[{Key, Value}]`. Re-shaping
-   * accurately requires deciding how to handle the auto-injected
-   * `aws:cdk:path` tag, which is out of scope for this PR. Tag drift is
-   * typically less interesting than configuration drift.
+   * `Tags` is surfaced from the `Tags` map on the same `GetFunction`
+   * response. CDK's auto-injected `aws:cdk:*` tags (which AWS happily
+   * returns) are filtered out by `normalizeAwsTagsToCfn` so they don't
+   * fire false-positive drift against state. The result key is omitted
+   * entirely when AWS reports no user tags, matching `create()`'s
+   * behavior of only sending `Tags` when the user explicitly passes
+   * them.
    *
    * Returns `undefined` when the function is gone (`ResourceNotFoundException`).
    */
@@ -14737,6 +14833,9 @@ var LambdaFunctionProvider = class {
         if (Object.keys(vpc).length > 0)
           result["VpcConfig"] = vpc;
       }
+      const tags = normalizeAwsTagsToCfn(resp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException)
@@ -16219,10 +16318,12 @@ var DynamoDBTableProvider = class {
    *
    * Returns `undefined` when the table is gone (`ResourceNotFoundException`).
    *
-   * Tags are intentionally omitted: `ListTagsOfResource` is a separate call
-   * and tag drift is generally less interesting than table-config drift;
-   * including it would also force a tag-shape decision on the
-   * `aws:cdk:path` auto-tag, which is out of scope here.
+   * Tags are surfaced via a follow-up `ListTagsOfResource` call (DynamoDB
+   * doesn't include tags in `DescribeTable`). CDK's `aws:*` auto-tags are
+   * filtered out by `normalizeAwsTagsToCfn` so they don't fire false-positive
+   * drift, and the result key is omitted entirely when AWS reports no user
+   * tags (matches `create()`'s behavior of only sending Tags when the
+   * template carries them).
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
     try {
@@ -16279,6 +16380,20 @@ var DynamoDBTableProvider = class {
       if (table.TableClassSummary?.TableClass) {
         result["TableClass"] = table.TableClassSummary.TableClass;
       }
+      if (table.TableArn) {
+        try {
+          const tagsResp = await this.dynamoDBClient.send(
+            new ListTagsOfResourceCommand({ ResourceArn: table.TableArn })
+          );
+          const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+          if (tags.length > 0)
+            result["Tags"] = tags;
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException6)
+            return void 0;
+          throw err;
+        }
+      }
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException6)
@@ -16600,11 +16715,16 @@ var LogsLogGroupProvider = class {
    * `RetentionInDays`).
    *
    * Coverage: `LogGroupName`, `KmsKeyId`, `RetentionInDays`,
-   * `LogGroupClass`. Other handledProperties (`DataProtectionPolicy`,
-   * `Tags`, `FieldIndexPolicies`, `ResourcePolicyDocument`,
+   * `LogGroupClass`, `Tags`. Other handledProperties (`DataProtectionPolicy`,
+   * `FieldIndexPolicies`, `ResourcePolicyDocument`,
    * `DeletionProtectionEnabled`, `BearerTokenAuthenticationEnabled`) need
    * their own per-property API call and are out of scope for v1.
    *
+   * Tags are read via `ListTagsForResource` (using the log-group ARN from
+   * the same `DescribeLogGroups` response). CDK's `aws:*` auto-tags are
+   * filtered out so they don't fire false-positive drift; the result key is
+   * omitted entirely when AWS reports no user tags.
+   *
    * Returns `undefined` when the log group is gone.
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
@@ -16625,6 +16745,21 @@ var LogsLogGroupProvider = class {
       }
       if (found.logGroupClass !== void 0)
         result["LogGroupClass"] = found.logGroupClass;
+      if (found.arn) {
+        const arnForTags = found.arn.replace(/:\*$/, "");
+        try {
+          const tagsResp = await this.logsClient.send(
+            new ListTagsForResourceCommand2({ resourceArn: arnForTags })
+          );
+          const tags = normalizeAwsTagsToCfn(tagsResp.tags);
+          if (tags.length > 0)
+            result["Tags"] = tags;
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException7)
+            return void 0;
+          throw err;
+        }
+      }
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException7)
@@ -16994,6 +17129,20 @@ var CloudWatchAlarmProvider = class {
     if (alarm.Metrics && alarm.Metrics.length > 0) {
       result["Metrics"] = alarm.Metrics.map((m) => m);
     }
+    if (alarm.AlarmArn) {
+      try {
+        const tagsResp = await this.cloudWatchClient.send(
+          new ListTagsForResourceCommand3({ ResourceARN: alarm.AlarmArn })
+        );
+        const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      } catch (err) {
+        this.logger.debug(
+          `CloudWatch ListTagsForResource(${alarm.AlarmArn}) failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
     return result;
   }
   async import(input) {
@@ -17332,8 +17481,10 @@ var SecretsManagerSecretProvider = class {
    *     call to avoid surfacing plaintext through drift). Cdkd state holds
    *     the user-supplied string verbatim; comparing against AWS would
    *     require pulling the value, so this is deliberately deferred.
-   *   - `Tags`: `DescribeSecret` returns Tags, but the auto-injected
-   *     `aws:cdk:path` tag-shape question is out of scope here.
+   *
+   * `Tags` is surfaced from the same `DescribeSecret` response (no extra
+   * round-trip). CDK's `aws:*` auto-tags are filtered out; the result key
+   * is omitted entirely when AWS reports no user tags.
    *
    * Returns `undefined` when the secret is gone (`ResourceNotFoundException`).
    */
@@ -17358,6 +17509,9 @@ var SecretsManagerSecretProvider = class {
           return out;
         });
       }
+      const tags = normalizeAwsTagsToCfn(resp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException8)
@@ -17644,12 +17798,12 @@ var SSMParameterProvider = class {
    * metadata (`Description`, `AllowedPattern`, `Tier`) that `GetParameter`
    * does not return.
    *
-   * `Name` is set to the physical id. `Tags` and `Policies` are intentionally
-   * out of scope (`Tags` requires a separate `ListTagsForResource` round-trip
-   * and the auto-injected `aws:cdk:path` tag-shape question is unresolved;
-   * `Policies` is returned by `DescribeParameters.Policies` as a structured
-   * array but cdkd state holds the raw JSON string the user typed — comparing
-   * the two accurately needs more work).
+   * `Name` is set to the physical id. `Tags` is surfaced via a follow-up
+   * `ListTagsForResource(ResourceType=Parameter)` call, with CDK's `aws:*`
+   * auto-tags filtered out. `Policies` is intentionally out of scope:
+   * `DescribeParameters.Policies` returns a structured array but cdkd state
+   * holds the raw JSON string the user typed — comparing the two accurately
+   * needs more work.
    *
    * **Note**: For `SecureString` parameters, AWS returns the encrypted
    * blob in `Value` (we pass `WithDecryption: false`). cdkd state usually
@@ -17701,6 +17855,18 @@ var SSMParameterProvider = class {
       }
     } catch {
     }
+    try {
+      const tagsResp = await this.ssmClient.send(
+        new ListTagsForResourceCommand4({
+          ResourceType: "Parameter",
+          ResourceId: physicalId
+        })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch {
+    }
     return result;
   }
   /**
@@ -18044,8 +18210,10 @@ var EventBridgeRuleProvider = class {
    * it as the user typed it, typically an object), `ScheduleExpression`,
    * `State`, `RoleArn`, `Targets` (CFn shape `[{Id, Arn, ...}]`).
    *
-   * `Tags` is omitted (separate `ListTagsForResource` round-trip; auto-injected
-   * `aws:cdk:path` tag-shape question is out of scope here).
+   * `Tags` is surfaced via a follow-up `ListTagsForResource` call (using the
+   * rule ARN — the same `physicalId` cdkd state holds). CDK's `aws:*`
+   * auto-tags are filtered out; the result key is omitted entirely when AWS
+   * reports no user tags.
    *
    * Returns `undefined` when the rule is gone (`ResourceNotFoundException`).
    */
@@ -18103,6 +18271,18 @@ var EventBridgeRuleProvider = class {
         throw err;
       }
     }
+    try {
+      const tagsResp = await this.eventBridgeClient.send(
+        new ListTagsForResourceCommand5({ ResourceARN: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (!(err instanceof ResourceNotFoundException9)) {
+        throw err;
+      }
+    }
     return result;
   }
   /**
@@ -18473,10 +18653,13 @@ var EventBridgeBusProvider = class {
    * the user typed it, which may be either an object or a string — the
    * comparator handles either side).
    *
-   * `Tags` and `EventSourceName` are intentionally omitted: tags require a
-   * separate `ListTagsForResource` round-trip and the auto-injected
-   * `aws:cdk:path` tag-shape question is out of scope; `EventSourceName`
-   * is set at create time only and not surfaced by `DescribeEventBus`.
+   * `Tags` is surfaced via a follow-up `ListTagsForResource` call (using the
+   * bus ARN from the same `DescribeEventBus` response). CDK's `aws:*`
+   * auto-tags are filtered out; the result key is omitted when AWS reports
+   * no user tags.
+   *
+   * `EventSourceName` is intentionally omitted: it is set at create time
+   * only and not surfaced by `DescribeEventBus`.
    *
    * Returns `undefined` when the bus is gone (`ResourceNotFoundException`).
    */
@@ -18504,6 +18687,20 @@ var EventBridgeBusProvider = class {
           result["Policy"] = resp.Policy;
         }
       }
+      if (resp.Arn) {
+        try {
+          const tagsResp = await this.eventBridgeClient.send(
+            new ListTagsForResourceCommand6({ ResourceARN: resp.Arn })
+          );
+          const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+          if (tags.length > 0)
+            result["Tags"] = tags;
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException10)
+            return void 0;
+          throw err;
+        }
+      }
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException10)
@@ -21335,20 +21532,22 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
     }
   }
   /**
-   * Update an API Gateway Authorizer
+   * Update an API Gateway Authorizer.
    *
-   * Authorizer updates are not commonly needed. For now, this is a no-op.
-   * The deployment engine handles replacement for immutable property changes.
+   * AWS exposes `UpdateAuthorizer` (PATCH) but cdkd does not yet plumb the
+   * patch-operations builder through. Authorizers are recreated by the
+   * deploy engine's immutable-property replacement path. `cdkd drift
+   * --revert` surfaces a clear "use --replace or re-deploy" message
+   * instead of silently no-op'ing the revert.
    */
-  updateAuthorizer(logicalId, physicalId, _resourceType) {
-    this.logger.debug(`Updating API Gateway Authorizer ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {
-        AuthorizerId: physicalId
-      }
-    });
+  updateAuthorizer(logicalId, _physicalId, _resourceType) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ApiGateway::Authorizer",
+        logicalId,
+        "API Gateway Authorizer updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   /**
    * Delete an API Gateway Authorizer
@@ -21580,20 +21779,20 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
     }
   }
   /**
-   * Update an API Gateway Deployment
+   * Update an API Gateway Deployment.
    *
-   * Deployments are immutable - updates are not supported.
-   * The deployment engine should handle replacement if needed.
+   * Deployments are immutable — every property change requires a fresh
+   * Deployment. `cdkd drift --revert` therefore throws
+   * `ResourceUpdateNotSupportedError` instead of silently no-op'ing.
    */
-  updateDeployment(logicalId, physicalId, _resourceType) {
-    this.logger.debug(`Updating API Gateway Deployment ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {
-        DeploymentId: physicalId
-      }
-    });
+  updateDeployment(logicalId, _physicalId, _resourceType) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ApiGateway::Deployment",
+        logicalId,
+        "API Gateway Deployment is immutable; re-deploy with cdkd deploy --replace, or change the resource definition to create a new Deployment"
+      )
+    );
   }
   /**
    * Delete an API Gateway Deployment
@@ -21894,17 +22093,22 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
     }
   }
   /**
-   * Update an API Gateway Method
+   * Update an API Gateway Method.
    *
-   * Methods are typically replaced via new deployment, so this is a no-op.
+   * AWS exposes `UpdateMethod` (PATCH) but cdkd does not yet plumb the
+   * patch-operations builder through. Methods are recreated by the deploy
+   * engine's immutable-property replacement path. `cdkd drift --revert`
+   * surfaces a clear "use --replace or re-deploy" message instead of
+   * silently no-op'ing the revert.
    */
-  updateMethod(logicalId, physicalId) {
-    this.logger.debug(`Updating API Gateway Method ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {}
-    });
+  updateMethod(logicalId, _physicalId) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ApiGateway::Method",
+        logicalId,
+        "API Gateway Method updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   /**
    * Delete an API Gateway Method
@@ -22282,13 +22486,23 @@ var ApiGatewayV2Provider = class {
         );
     }
   }
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    this.logger.debug(`Updating ${resourceType} ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {}
-    });
+  /**
+   * HTTP API resources are treated as immutable by cdkd: the deploy engine
+   * recreates them on property changes via the immutable-property
+   * replacement path. AWS does expose `UpdateApi` / `UpdateRoute` /
+   * `UpdateIntegration` / `UpdateStage` / `UpdateAuthorizer`, but cdkd
+   * does not yet plumb them through. `cdkd drift --revert` surfaces a
+   * clear "use --replace or re-deploy" message instead of silently
+   * no-op'ing the revert.
+   */
+  update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "API Gateway V2 (HTTP API) resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
@@ -22785,6 +22999,9 @@ var ApiGatewayV2Provider = class {
       }
       if (resp.CorsConfiguration)
         result["CorsConfiguration"] = resp.CorsConfiguration;
+      const tags = normalizeAwsTagsToCfn(resp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof NotFoundException4)
@@ -22964,6 +23181,7 @@ import {
   CreateCloudFrontOriginAccessIdentityCommand,
   DeleteCloudFrontOriginAccessIdentityCommand,
   GetCloudFrontOriginAccessIdentityCommand as GetCloudFrontOriginAccessIdentityCommand2,
+  UpdateCloudFrontOriginAccessIdentityCommand,
   NoSuchCloudFrontOriginAccessIdentity
 } from "@aws-sdk/client-cloudfront";
 init_aws_clients();
@@ -23019,17 +23237,61 @@ var CloudFrontOAIProvider = class {
     }
   }
   /**
-   * Update a CloudFront Origin Access Identity
+   * Update a CloudFront Origin Access Identity.
+   *
+   * Only the `Comment` field is mutable on an OAI; `CallerReference` is set
+   * by cdkd at create time and cannot be changed. AWS exposes a single
+   * `UpdateCloudFrontOriginAccessIdentity` call that requires the current
+   * `ETag` (fetched via `GetCloudFrontOriginAccessIdentity`) and overwrites
+   * the entire `CloudFrontOriginAccessIdentityConfig`.
    *
-   * OAI config is effectively immutable (only Comment can change, which is cosmetic).
-   * No replacement needed for Comment changes.
+   * Used by `cdkd drift --revert` to push the cdkd-state Comment back into
+   * AWS; on the normal deploy path this is also exercised when a user
+   * tweaks the Comment in their CDK code.
    */
-  update(logicalId, physicalId, _resourceType, _properties, _previousProperties) {
-    this.logger.debug(`Update requested for CloudFront OAI ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false
-    });
+  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    this.logger.debug(`Updating CloudFront OAI ${logicalId}: ${physicalId}`);
+    const config = properties["CloudFrontOriginAccessIdentityConfig"];
+    const comment = config?.["Comment"] ?? "";
+    try {
+      const getResponse = await this.cloudFrontClient.send(
+        new GetCloudFrontOriginAccessIdentityCommand2({ Id: physicalId })
+      );
+      const etag = getResponse.ETag;
+      if (!etag) {
+        throw new Error("GetCloudFrontOriginAccessIdentity did not return ETag");
+      }
+      await this.cloudFrontClient.send(
+        new UpdateCloudFrontOriginAccessIdentityCommand({
+          Id: physicalId,
+          IfMatch: etag,
+          CloudFrontOriginAccessIdentityConfig: {
+            // CallerReference is immutable; preserve whatever the OAI was
+            // created with so AWS does not reject the update.
+            CallerReference: getResponse.CloudFrontOriginAccessIdentity?.CloudFrontOriginAccessIdentityConfig?.CallerReference ?? logicalId,
+            Comment: comment
+          }
+        })
+      );
+      this.logger.debug(`Successfully updated CloudFront OAI ${logicalId}`);
+      return {
+        physicalId,
+        wasReplaced: false,
+        attributes: {
+          Id: physicalId,
+          S3CanonicalUserId: getResponse.CloudFrontOriginAccessIdentity?.S3CanonicalUserId
+        }
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update CloudFront OAI ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
   }
   /**
    * Delete a CloudFront Origin Access Identity
@@ -24190,8 +24452,9 @@ var StepFunctionsProvider = class {
    * time and not surfaced by `DescribeStateMachine` (the response carries
    * the already-substituted definition).
    *
-   * `Tags` is omitted (separate `ListTagsForResource` round-trip; auto-injected
-   * `aws:cdk:path` tag-shape question is out of scope here).
+   * `Tags` is surfaced via a follow-up `ListTagsForResource(arn)` call.
+   * CDK's `aws:*` auto-tags are filtered out; the result key is omitted
+   * entirely when AWS reports no user tags.
    *
    * Returns `undefined` when the state machine is gone (`StateMachineDoesNotExist`).
    */
@@ -24259,6 +24522,17 @@ var StepFunctionsProvider = class {
       if (Object.keys(ec).length > 0)
         result["EncryptionConfiguration"] = ec;
     }
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand8({ resourceArn: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (!(err instanceof StateMachineDoesNotExist))
+        throw err;
+    }
     return result;
   }
   /**
@@ -25100,8 +25374,11 @@ var ECSProvider = class {
    *   - `AWS::ECS::TaskDefinition` → `DescribeTaskDefinition`
    *
    * Each branch surfaces only the keys cdkd's `create()` accepts, mapping
-   * the SDK's camelCase to CFn PascalCase. Tags are intentionally omitted
-   * (separate `ListTagsForResource` round-trip).
+   * the SDK's camelCase to CFn PascalCase. Tags are surfaced via
+   * `DescribeClusters/Services(include=[TAGS])` for cluster / service, and
+   * via `DescribeTaskDefinition(include=[TAGS])` for task definitions —
+   * with CDK's `aws:*` auto-tags filtered out. Tag-result keys are omitted
+   * when AWS reports no user tags.
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
     switch (resourceType) {
@@ -25119,7 +25396,7 @@ var ECSProvider = class {
     let resp;
     try {
       resp = await this.getClient().send(
-        new DescribeClustersCommand({ clusters: [physicalId] })
+        new DescribeClustersCommand({ clusters: [physicalId], include: ["TAGS"] })
       );
     } catch {
       return void 0;
@@ -25142,6 +25419,9 @@ var ECSProvider = class {
         Value: s.value
       }));
     }
+    const tags = normalizeAwsTagsToCfn(c.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   async readCurrentStateService(physicalId) {
@@ -25153,7 +25433,11 @@ var ECSProvider = class {
     let resp;
     try {
       resp = await this.getClient().send(
-        new DescribeServicesCommand({ cluster: clusterArn, services: [serviceName] })
+        new DescribeServicesCommand({
+          cluster: clusterArn,
+          services: [serviceName],
+          include: ["TAGS"]
+        })
       );
     } catch {
       return void 0;
@@ -25206,13 +25490,16 @@ var ECSProvider = class {
     if (s.serviceRegistries && s.serviceRegistries.length > 0) {
       result["ServiceRegistries"] = s.serviceRegistries;
     }
+    const tags = normalizeAwsTagsToCfn(s.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   async readCurrentStateTaskDefinition(physicalId) {
     let resp;
     try {
       resp = await this.getClient().send(
-        new DescribeTaskDefinitionCommand({ taskDefinition: physicalId })
+        new DescribeTaskDefinitionCommand({ taskDefinition: physicalId, include: ["TAGS"] })
       );
     } catch {
       return void 0;
@@ -25255,6 +25542,9 @@ var ECSProvider = class {
     if (td.containerDefinitions && td.containerDefinitions.length > 0) {
       result["ContainerDefinitions"] = td.containerDefinitions;
     }
+    const tags = normalizeAwsTagsToCfn(resp.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   /**
@@ -25570,34 +25860,14 @@ var ELBv2Provider = class {
       );
     }
   }
-  async updateLoadBalancer(logicalId, physicalId, resourceType, _properties) {
-    this.logger.debug(`Updating LoadBalancer ${logicalId}: ${physicalId}`);
-    try {
-      const describeResponse = await this.getClient().send(
-        new DescribeLoadBalancersCommand2({ LoadBalancerArns: [physicalId] })
-      );
-      const lb = describeResponse.LoadBalancers?.[0];
-      return {
-        physicalId,
-        wasReplaced: false,
-        attributes: {
-          DNSName: lb?.DNSName,
-          CanonicalHostedZoneID: lb?.CanonicalHostedZoneId,
-          LoadBalancerArn: physicalId,
-          LoadBalancerFullName: physicalId.split("/").slice(1).join("/"),
-          LoadBalancerName: lb?.LoadBalancerName
-        }
-      };
-    } catch (error) {
-      const cause = error instanceof Error ? error : void 0;
-      throw new ProvisioningError(
-        `Failed to update LoadBalancer ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
-        resourceType,
+  updateLoadBalancer(logicalId, _physicalId, _resourceType, _properties) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ElasticLoadBalancingV2::LoadBalancer",
         logicalId,
-        physicalId,
-        cause
-      );
-    }
+        "ELBv2 LoadBalancer in-place updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async deleteLoadBalancer(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting LoadBalancer ${logicalId}: ${physicalId}`);
@@ -25903,8 +26173,11 @@ var ELBv2Provider = class {
    *  - `Listener` → `DescribeListeners` (LoadBalancerArn, Certificates,
    *    DefaultActions, Port, Protocol, SslPolicy).
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
-   * when the resource is gone (`*NotFoundException`).
+   * Tags are surfaced via a follow-up `DescribeTags(ResourceArns=[arn])`
+   * for all three types (the `physicalId` cdkd state holds is the ARN).
+   * CDK's `aws:*` auto-tags are filtered out and the result key is omitted
+   * when AWS reports no user tags. Returns `undefined` when the resource
+   * is gone (`*NotFoundException`).
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
     switch (resourceType) {
@@ -25951,6 +26224,7 @@ var ELBv2Provider = class {
       result["Type"] = lb.Type;
     if (lb.IpAddressType !== void 0)
       result["IpAddressType"] = lb.IpAddressType;
+    await this.attachTags(result, physicalId);
     return result;
   }
   async readTargetGroup(physicalId) {
@@ -26009,6 +26283,7 @@ var ELBv2Provider = class {
       if (Object.keys(matcher).length > 0)
         result["Matcher"] = matcher;
     }
+    await this.attachTags(result, physicalId);
     return result;
   }
   async readListener(physicalId) {
@@ -26050,8 +26325,23 @@ var ELBv2Provider = class {
         (a) => a
       );
     }
+    await this.attachTags(result, physicalId);
     return result;
   }
+  /** Best-effort tag fetch via `DescribeTags(ResourceArns=[arn])`. */
+  async attachTags(result, arn) {
+    try {
+      const resp = await this.getClient().send(new DescribeTagsCommand({ ResourceArns: [arn] }));
+      const tagDesc = resp.TagDescriptions?.[0];
+      const tags = normalizeAwsTagsToCfn(tagDesc?.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `ELBv2 DescribeTags(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
   /**
    * Adopt an existing ELBv2 LoadBalancer or TargetGroup into cdkd state.
    *
@@ -26806,8 +27096,10 @@ var RDSProvider = class {
    *
    * Each branch surfaces only the keys cdkd's `create()` accepts. Sensitive
    * fields like `MasterUserPassword` are NEVER surfaced (RDS does not return
-   * them in the Describe responses). `Tags` are intentionally omitted
-   * (separate `ListTagsForResource` round-trip).
+   * them in the Describe responses). `Tags` are surfaced via a follow-up
+   * `ListTagsForResource(ResourceName=arn)` call (RDS uses `[{Key, Value}]`
+   * shape). CDK's `aws:*` auto-tags are filtered out; the result key is
+   * omitted entirely when AWS reports no user tags.
    *
    * Returns `undefined` when the resource is gone (`*NotFoundFault`).
    */
@@ -26851,6 +27143,8 @@ var RDSProvider = class {
     if (inst.PubliclyAccessible !== void 0) {
       result["PubliclyAccessible"] = inst.PubliclyAccessible;
     }
+    if (inst.DBInstanceArn)
+      await this.attachTags(result, inst.DBInstanceArn);
     return result;
   }
   async readCurrentStateDBCluster(physicalId) {
@@ -26907,6 +27201,8 @@ var RDSProvider = class {
       if (Object.keys(sc).length > 0)
         result["ServerlessV2ScalingConfiguration"] = sc;
     }
+    if (cluster.DBClusterArn)
+      await this.attachTags(result, cluster.DBClusterArn);
     return result;
   }
   async readCurrentStateDBSubnetGroup(physicalId) {
@@ -26934,8 +27230,31 @@ var RDSProvider = class {
         (id) => !!id
       );
     }
+    if (sg.DBSubnetGroupArn)
+      await this.attachTags(result, sg.DBSubnetGroupArn);
     return result;
   }
+  /**
+   * Fetch tags via `ListTagsForResource(ResourceName=arn)` and merge them
+   * into the result under `Tags` (CFn shape, `aws:*` filtered out, omitted
+   * when empty). Best-effort: tag-fetch failures are logged at debug and
+   * the key is simply left out — drift detection on configuration is more
+   * important than fail-closing on a missing tag permission.
+   */
+  async attachTags(result, arn) {
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand10({ ResourceName: arn })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `RDS ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
   async importDBInstance(input) {
     const explicit = resolveExplicitPhysicalId(input, "DBInstanceIdentifier");
     if (explicit) {
@@ -27712,10 +28031,11 @@ var Route53Provider = class {
    *
    * Dispatch per resource type:
    *  - `HostedZone` → `GetHostedZone` (Name, HostedZoneConfig{Comment,
-   *    PrivateZone}, VPCs from `VPCs[]`). Tags are skipped (CDK auto-tag
-   *    handling deferred); QueryLoggingConfig is skipped because it's a
-   *    separate `ListQueryLoggingConfigs` call and the v1 surface does
-   *    not surface it.
+   *    PrivateZone}, VPCs from `VPCs[]`, HostedZoneTags via
+   *    `ListTagsForResource(ResourceType=hostedzone, ResourceId=<idTail>)`
+   *    with `aws:*` filtered out and the key omitted when empty).
+   *    QueryLoggingConfig is skipped because it's a separate
+   *    `ListQueryLoggingConfigs` call and the v1 surface does not surface it.
    *  - `RecordSet` → `ListResourceRecordSets` filtered to the exact
    *    `(name, type)` pair from the composite physicalId
    *    (`{zoneId}|{name}|{type}`). Surfaces TTL, ResourceRecords (with
@@ -27770,6 +28090,19 @@ var Route53Provider = class {
         return out;
       });
     }
+    const idTail = physicalId.replace(/^\/hostedzone\//, "");
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand11({ ResourceType: "hostedzone", ResourceId: idTail })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagSet?.Tags);
+      if (tags.length > 0)
+        result["HostedZoneTags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `Route53 ListTagsForResource(${idTail}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   async readRecordSet(physicalId) {
@@ -28149,7 +28482,9 @@ var WAFv2WebACLProvider = class {
    * and AssociationConfig — every key cdkd state declares as
    * `handledProperties`. `Scope` is recovered from the ARN parse.
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * Tags are surfaced via a follow-up `ListTagsForResource(ResourceARN)`
+   * call. CDK's `aws:*` auto-tags are filtered out and the result key is
+   * omitted when AWS reports no user tags. Returns `undefined`
    * when the ARN can't be parsed or the WebACL is gone
    * (`WAFNonexistentItemException`).
    */
@@ -28206,6 +28541,18 @@ var WAFv2WebACLProvider = class {
     if (webACL.AssociationConfig) {
       result["AssociationConfig"] = webACL.AssociationConfig;
     }
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand12({ ResourceARN: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagInfoForResource?.TagList);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `WAFv2 ListTagsForResource(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   /**
@@ -28613,9 +28960,10 @@ var CognitoUserPoolProvider = class {
    * `UserPoolClient`, `UserPoolGroup`, and other Cognito sub-resources go
    * through the CC API fallback (which has its own `readCurrentState`).
    *
-   * `UserPoolTags` is intentionally omitted (Cognito returns tags via a
-   * separate `ListTagsForResource` round-trip; auto-injected `aws:cdk:path`
-   * tag-shape question is out of scope here).
+   * `UserPoolTags` is surfaced from the same `DescribeUserPool` response —
+   * Cognito's CFn property is a tag-name → value map (NOT an array of
+   * `{Key, Value}`), so we keep the map shape and just filter out CDK's
+   * `aws:*` auto-tags. The result key is omitted when no user tags remain.
    *
    * Returns `undefined` when the pool is gone (`ResourceNotFoundException`).
    */
@@ -28692,6 +29040,15 @@ var CognitoUserPoolProvider = class {
     if (pool.SmsVerificationMessage !== void 0) {
       result["SmsVerificationMessage"] = pool.SmsVerificationMessage;
     }
+    if (pool.UserPoolTags) {
+      const userTags = {};
+      for (const [k, v] of Object.entries(pool.UserPoolTags)) {
+        if (!k.startsWith("aws:"))
+          userTags[k] = v;
+      }
+      if (Object.keys(userTags).length > 0)
+        result["UserPoolTags"] = userTags;
+    }
     return result;
   }
   /**
@@ -29196,8 +29553,11 @@ var ElastiCacheProvider = class {
    *    surfacing `CacheSubnetGroupName`, `CacheSubnetGroupDescription`,
    *    and `SubnetIds` derived from `Subnets[].SubnetIdentifier`.
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
-   * when the resource is gone (`*NotFoundFault`).
+   * Tags are surfaced via a follow-up `ListTagsForResource(ResourceName=arn)`
+   * for both types (ARN derived from `cluster.ARN` / `group.ARN`). CDK's
+   * `aws:*` auto-tags are filtered out and the result key is omitted when
+   * AWS reports no user tags. Returns `undefined` when the resource is gone
+   * (`*NotFoundFault`).
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
     switch (resourceType) {
@@ -29277,6 +29637,8 @@ var ElastiCacheProvider = class {
       if (ids.length > 0)
         result["VpcSecurityGroupIds"] = ids;
     }
+    if (cluster.ARN)
+      await this.attachTags(result, cluster.ARN);
     return result;
   }
   async readSubnetGroup(physicalId) {
@@ -29305,8 +29667,25 @@ var ElastiCacheProvider = class {
       if (ids.length > 0)
         result["SubnetIds"] = ids;
     }
+    if (group.ARN)
+      await this.attachTags(result, group.ARN);
     return result;
   }
+  /** Best-effort tag fetch — failures omit the key without breaking the read. */
+  async attachTags(result, arn) {
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand14({ ResourceName: arn })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `ElastiCache ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
   /**
    * Adopt an existing ElastiCache resource into cdkd state.
    *
@@ -29590,15 +29969,14 @@ var ServiceDiscoveryProvider = class {
       );
     }
   }
-  updateNamespace(logicalId, physicalId) {
-    this.logger.debug(`Updating private DNS namespace ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {
-        Id: physicalId
-      }
-    });
+  updateNamespace(logicalId, _physicalId) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ServiceDiscovery::PrivateDnsNamespace",
+        logicalId,
+        "PrivateDnsNamespace updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async deleteNamespace(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting private DNS namespace ${logicalId}: ${physicalId}`);
@@ -29693,15 +30071,14 @@ var ServiceDiscoveryProvider = class {
       );
     }
   }
-  updateService(logicalId, physicalId) {
-    this.logger.debug(`Updating service discovery service ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({
-      physicalId,
-      wasReplaced: false,
-      attributes: {
-        Id: physicalId
-      }
-    });
+  updateService(logicalId, _physicalId) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::ServiceDiscovery::Service",
+        logicalId,
+        "ServiceDiscovery Service updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async deleteService(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting service discovery service ${logicalId}: ${physicalId}`);
@@ -29794,8 +30171,12 @@ var ServiceDiscoveryProvider = class {
    *  - `Service` → `GetService` (Name, NamespaceId, Description, Type,
    *    DnsConfig, HealthCheckConfig, HealthCheckCustomConfig).
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
-   * when the resource is gone (`NamespaceNotFound` / `ServiceNotFound`).
+   * Tags are surfaced via a follow-up `ListTagsForResource(ResourceARN)`
+   * call (using the resource ARN from `GetNamespace.Arn` or
+   * `GetService.Arn`). CDK's `aws:*` auto-tags are filtered out and the
+   * result key is omitted when AWS reports no user tags. Returns
+   * `undefined` when the resource is gone (`NamespaceNotFound` /
+   * `ServiceNotFound`).
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
     switch (resourceType) {
@@ -29825,6 +30206,8 @@ var ServiceDiscoveryProvider = class {
     if (ns.Description !== void 0 && ns.Description !== "") {
       result["Description"] = ns.Description;
     }
+    if (ns.Arn)
+      await this.attachTags(result, ns.Arn);
     return result;
   }
   async readService(physicalId) {
@@ -29858,8 +30241,25 @@ var ServiceDiscoveryProvider = class {
     if (svc.HealthCheckCustomConfig) {
       result["HealthCheckCustomConfig"] = svc.HealthCheckCustomConfig;
     }
+    if (svc.Arn)
+      await this.attachTags(result, svc.Arn);
     return result;
   }
+  /** Best-effort tag fetch via `ListTagsForResource(ResourceARN)`. */
+  async attachTags(result, arn) {
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand15({ ResourceARN: arn })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `ServiceDiscovery ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
   async import(input) {
     switch (input.resourceType) {
       case "AWS::ServiceDiscovery::PrivateDnsNamespace":
@@ -30049,9 +30449,22 @@ var AppSyncProvider = class {
         );
     }
   }
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    this.logger.debug(`Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, immutable`);
-    return Promise.resolve({ physicalId, wasReplaced: false });
+  /**
+   * AppSync resources are treated as immutable by cdkd: every supported
+   * type (`GraphQLApi`, `GraphQLSchema`, `DataSource`, `Resolver`,
+   * `ApiKey`) is recreated on property changes via the deploy engine's
+   * immutable-property replacement path. There is no in-place update,
+   * so `cdkd drift --revert` surfaces a clear "use --replace or
+   * re-deploy" message instead of silently no-op'ing the revert.
+   */
+  update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "AppSync resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
@@ -30493,7 +30906,9 @@ var AppSyncProvider = class {
    *
    * Dispatches per resource type:
    *  - `GraphQLApi` → `GetGraphqlApi` (Name, AuthenticationType, XrayEnabled,
-   *    LogConfig). Tags are skipped (CDK auto-tag handling deferred).
+   *    LogConfig, Tags). Tags come from the same response (`tags` map);
+   *    CDK's `aws:*` auto-tags are filtered out and the result key is
+   *    omitted when no user tags remain.
    *  - `DataSource` → `GetDataSource` (Name, Type, Description,
    *    ServiceRoleArn, DynamoDBConfig, LambdaConfig, HttpConfig). The
    *    `ApiId` cdkd holds is recovered from the `apiId|name` physicalId.
@@ -30561,6 +30976,9 @@ var AppSyncProvider = class {
       if (Object.keys(log).length > 0)
         result["LogConfig"] = log;
     }
+    const tags = normalizeAwsTagsToCfn(api.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   async readDataSource(physicalId) {
@@ -30788,10 +31206,11 @@ var GlueProvider = class {
   async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
     switch (resourceType) {
       case "AWS::Glue::Database":
-        this.logger.debug(
-          `Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, immutable`
+        throw new ResourceUpdateNotSupportedError(
+          resourceType,
+          logicalId,
+          "Glue Database updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
         );
-        return { physicalId, wasReplaced: false };
       case "AWS::Glue::Table":
         return this.updateTable(logicalId, physicalId, resourceType, properties);
       default:
@@ -31805,9 +32224,11 @@ var KMSProvider = class {
    *     Surfaces `AliasName`, `TargetKeyId`. `ListAliases` is paginated
    *     since there's no direct "describe one alias" API.
    *
-   * `Tags` is intentionally omitted (separate `ListResourceTags` round-trip
-   * for keys; auto-injected `aws:cdk:path` tag-shape question is out of
-   * scope here). `BypassPolicyLockoutSafetyCheck` and `PendingWindowInDays`
+   * `Tags` is surfaced for `AWS::KMS::Key` via a follow-up
+   * `ListResourceTags(KeyId)` call (KMS uses `[{TagKey, TagValue}]` shape).
+   * CDK's `aws:*` auto-tags are filtered out; the result key is omitted
+   * entirely when AWS reports no user tags. `AWS::KMS::Alias` does not
+   * support tags. `BypassPolicyLockoutSafetyCheck` and `PendingWindowInDays`
    * are not part of the persisted AWS state visible via `DescribeKey`.
    *
    * Returns `undefined` when the resource is gone (`NotFoundException`).
@@ -31850,6 +32271,19 @@ var KMSProvider = class {
       result["MultiRegion"] = md.MultiRegion;
     if (md.Origin !== void 0)
       result["Origin"] = md.Origin;
+    if (md.KeyId) {
+      try {
+        const tagsResp = await this.getClient().send(
+          new ListResourceTagsCommand({ KeyId: md.KeyId })
+        );
+        const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return void 0;
+      }
+    }
     return result;
   }
   async readCurrentStateAlias(physicalId) {
@@ -32233,7 +32667,8 @@ var KinesisStreamProvider = class {
    *
    * Issues `DescribeStream` and surfaces the keys cdkd's `create()`
    * accepts: `Name`, `StreamModeDetails`, `ShardCount`, `RetentionPeriodHours`,
-   * and `StreamEncryption`. Tags are skipped (CDK auto-tag handling deferred).
+   * and `StreamEncryption`. Tags are surfaced via a follow-up
+   * `ListTagsForStream` with `aws:*` filtered out.
    *
    * `ShardCount` is reported as the count of `Shards[]` in the stream
    * description (only present for PROVISIONED-mode streams; ON_DEMAND
@@ -32282,6 +32717,20 @@ var KinesisStreamProvider = class {
         encryption["KeyId"] = stream.KeyId;
       result["StreamEncryption"] = encryption;
     }
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForStreamCommand({ StreamName: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException13)
+        return void 0;
+      this.logger.debug(
+        `Kinesis ListTagsForStream(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   async import(input) {
@@ -32414,8 +32863,15 @@ var EFSProvider = class {
         );
     }
   }
+  /**
+   * EFS resources are treated as immutable by cdkd's `update()`. The deploy
+   * engine recreates them on property changes via immutable-property
+   * detection. (AWS does expose `UpdateFileSystem` for ThroughputMode and
+   * `ModifyMountTargetSecurityGroups` for mount-target SGs — those are
+   * deferred to a follow-up PR.) `cdkd drift --revert` surfaces a clear
+   * "use --replace or re-deploy" message instead of silently no-op'ing.
+   */
   update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    this.logger.debug(`Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, immutable`);
     if (resourceType !== "AWS::EFS::FileSystem" && resourceType !== "AWS::EFS::MountTarget" && resourceType !== "AWS::EFS::AccessPoint") {
       throw new ProvisioningError(
         `Unsupported resource type: ${resourceType}`,
@@ -32424,7 +32880,13 @@ var EFSProvider = class {
         physicalId
       );
     }
-    return Promise.resolve({ physicalId, wasReplaced: false });
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "EFS resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
+    );
   }
   async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
@@ -32781,7 +33243,12 @@ var EFSProvider = class {
    *  - `MountTarget` → `DescribeMountTargets` (FileSystemId, SubnetId).
    *    SecurityGroups requires a separate call and is omitted for v1.
    *
-   * Tags are skipped across all three (CDK auto-tag handling deferred).
+   * `FileSystemTags` (the CFn property name on `AWS::EFS::FileSystem`) is
+   * surfaced from the same `DescribeFileSystems` response — `aws:*`
+   * auto-tags filtered, key omitted when empty. `AccessPoint` and
+   * `MountTarget` are not surfaced for tags here (`AccessPointTags` would
+   * mirror this approach but the test scope below covers `FileSystem`
+   * only; further coverage can land in a follow-up).
    * Returns `undefined` when the resource is gone (`*NotFound`).
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
@@ -32858,6 +33325,9 @@ var EFSProvider = class {
       if (err instanceof FileSystemNotFound)
         return void 0;
     }
+    const tags = normalizeAwsTagsToCfn(fs.Tags);
+    if (tags.length > 0)
+      result["FileSystemTags"] = tags;
     return result;
   }
   async readAccessPoint(physicalId) {
@@ -33241,15 +33711,21 @@ var FirehoseProvider = class {
     }
   }
   /**
-   * Update a Firehose delivery stream
-   *
-   * Most changes require replacement, so this is a no-op.
+   * Firehose delivery streams are treated as immutable by cdkd. Most
+   * destination-config changes require replacement, and AWS's
+   * `UpdateDestination` API surface is deep enough that the deploy engine's
+   * immutable-property replacement path covers the common cases more
+   * reliably. `cdkd drift --revert` therefore surfaces a clear "use
+   * --replace or re-deploy" message instead of silently no-op'ing.
    */
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    this.logger.debug(
-      `Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, most changes require replacement`
+  update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "Firehose delivery streams are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      )
     );
-    return Promise.resolve({ physicalId, wasReplaced: false });
   }
   /**
    * Delete a Firehose delivery stream
@@ -33403,8 +33879,10 @@ var FirehoseProvider = class {
    * fields. Drift on destination contents is best chased manually via
    * `aws firehose describe-delivery-stream` for now.
    *
-   * Tags + DeliveryStreamEncryptionConfigurationInput are skipped (they
-   * each need separate calls / shape decisions).
+   * Tags are surfaced via a follow-up `ListTagsForDeliveryStream` call
+   * with `aws:*` filtered out and the result key omitted when empty.
+   * `DeliveryStreamEncryptionConfigurationInput` is still skipped (shape
+   * decision deferred).
    *
    * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
    */
@@ -33440,6 +33918,20 @@ var FirehoseProvider = class {
         result["KinesisStreamSourceConfiguration"] = srcOut;
       }
     }
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException14)
+        return void 0;
+      this.logger.debug(
+        `Firehose ListTagsForDeliveryStream(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   async import(input) {
@@ -33775,8 +34267,13 @@ var CloudTrailProvider = class {
    * derived field; the cdkd state property is `SnsTopicName` so we
    * surface `SnsTopicName` directly from `GetTrail.SnsTopicName`.
    *
-   * Tags + InsightSelectors are skipped for v1 (each needs its own
-   * separate call + shape mapping).
+   * Tags are surfaced via a follow-up `ListTags(ResourceIdList=[arn])` call
+   * (using the trail ARN from the same `GetTrail` response). CDK's `aws:*`
+   * auto-tags are filtered out and the result key is omitted when AWS
+   * reports no user tags.
+   *
+   * `InsightSelectors` is skipped for v1 (separate call + shape mapping
+   * still TBD).
    *
    * Returns `undefined` when the trail is gone (`TrailNotFoundException`).
    */
@@ -33838,6 +34335,20 @@ var CloudTrailProvider = class {
       }
     } catch {
     }
+    if (trail.TrailARN) {
+      try {
+        const tagsResp = await this.getClient().send(
+          new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
+        );
+        const tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagList?.[0]?.TagsList);
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      } catch (err) {
+        this.logger.debug(
+          `CloudTrail ListTags(${trail.TrailARN}) failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
     return result;
   }
   async import(input) {
@@ -34170,8 +34681,12 @@ var CodeBuildProvider = class {
    * is left to a follow-up — surfacing them with a partial shape would
    * fire false drift on every project that uses them.
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
-   * when the project is gone (`projects` array empty / `projectsNotFound` set).
+   * Tags are surfaced from the same `BatchGetProjects` response (CodeBuild
+   * uses lower-case `key`/`value` shape; `normalizeAwsTagsToCfn` re-shapes
+   * to CFn `[{Key, Value}]`). CDK's `aws:*` auto-tags are filtered out
+   * and the result key is omitted when AWS reports no user tags. Returns
+   * `undefined` when the project is gone (`projects` array empty /
+   * `projectsNotFound` set).
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
     let project;
@@ -34290,6 +34805,9 @@ var CodeBuildProvider = class {
       if (Object.keys(env).length > 0)
         result["Environment"] = env;
     }
+    const tags = normalizeAwsTagsToCfn(project.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   async import(input) {
@@ -35818,11 +36336,14 @@ var ECRProvider = class {
    *     round-trip; cdkd state holds the policy as either a string or an
    *     object (depending on user input), and the comparator round-trip
    *     is not yet handled here.
-   *   - `Tags`: requires `ListTagsForResource`; auto-injected
-   *     `aws:cdk:path` tag-shape question is out of scope.
    *   - `EmptyOnDelete` / `ImageTagMutabilityExclusionFilters`: not part
    *     of the persisted AWS state visible via standard Describe.
    *
+   * `Tags` is surfaced via a follow-up `ListTagsForResource(arn)` call
+   * (using the repository ARN that `DescribeRepositories` returns). CDK's
+   * `aws:*` auto-tags are filtered out; the result key is omitted entirely
+   * when AWS reports no user tags.
+   *
    * Returns `undefined` when the repository is gone (`RepositoryNotFoundException`).
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
@@ -35875,6 +36396,19 @@ var ECRProvider = class {
         throw err;
       }
     }
+    if (r.repositoryArn) {
+      try {
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand18({ resourceArn: r.repositoryArn })
+        );
+        const tags = normalizeAwsTagsToCfn(tagsResp.tags);
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      } catch (err) {
+        if (!(err instanceof RepositoryNotFoundException))
+          throw err;
+      }
+    }
     return result;
   }
   /**
@@ -38492,6 +39026,7 @@ async function runRevert(reports, providerRegistry, stateConfig, awsClients, opt
   const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
   const concurrency = Math.max(1, options.concurrency ?? 4);
   let totalFailed = 0;
+  let totalUnsupported = 0;
   let totalSucceeded = 0;
   for (const report of reports) {
     const driftedOutcomes = report.outcomes.filter(
@@ -38529,10 +39064,17 @@ async function runRevert(reports, providerRegistry, stateConfig, awsClients, opt
             `  \u2713 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): reverted.`
           );
         } catch (err) {
+          if (err instanceof ResourceUpdateNotSupportedError) {
+            totalUnsupported++;
+            logger.warn(
+              `  \u2298 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): could not revert \u2014 ${err.message}`
+            );
+            return;
+          }
           totalFailed++;
           const msg = err instanceof Error ? err.message : String(err);
           logger.error(
-            `  \u2717 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): ${msg}`
+            `  \u2717 ${report.stackName}/${outcome.logicalId} (${outcome.resourceType}): AWS update failed \u2014 ${msg}`
           );
         }
       });
@@ -38545,11 +39087,21 @@ async function runRevert(reports, providerRegistry, stateConfig, awsClients, opt
       });
     }
   }
+  const summaryParts = [`${totalSucceeded} reverted`];
+  if (totalUnsupported > 0)
+    summaryParts.push(`${totalUnsupported} update-not-supported`);
+  if (totalFailed > 0)
+    summaryParts.push(`${totalFailed} failed`);
   logger.info(`
-Revert summary: ${totalSucceeded} reverted, ${totalFailed} failed.`);
-  if (totalFailed > 0) {
+Revert summary: ${summaryParts.join(", ")}.`);
+  if (totalUnsupported > 0) {
+    logger.warn(
+      `${totalUnsupported} resource(s) cannot be reverted in place \u2014 re-deploy the stack with cdkd deploy --replace, or destroy + redeploy to push the cdkd-state values back into AWS.`
+    );
+  }
+  if (totalFailed > 0 || totalUnsupported > 0) {
     throw new PartialFailureError(
-      `Revert completed with ${totalFailed} resource error(s). Re-run 'cdkd drift <stack>' to see the remaining drift, then 'cdkd drift <stack> --revert' to retry.`
+      `Revert completed with ${totalFailed + totalUnsupported} resource error(s) (${totalFailed} AWS update failure(s), ${totalUnsupported} update-not-supported). Re-run 'cdkd drift <stack>' to see the remaining drift, then 'cdkd drift <stack> --revert' to retry.`
     );
   }
 }
@@ -41896,7 +42448,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.44.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.46.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());