@go-to-k/cdkd 0.45.0 → 0.46.1

package/dist/index.js

@@ -7679,6 +7679,31 @@ function matchesCdkPath(tags, cdkPath) {
   }
   return false;
 }
+function normalizeAwsTagsToCfn(tags) {
+  if (!tags)
+    return [];
+  const out = [];
+  if (Array.isArray(tags)) {
+    for (const t of tags) {
+      const obj = t;
+      const k = (typeof obj["Key"] === "string" ? obj["Key"] : void 0) ?? (typeof obj["TagKey"] === "string" ? obj["TagKey"] : void 0) ?? (typeof obj["key"] === "string" ? obj["key"] : void 0);
+      const v = (typeof obj["Value"] === "string" ? obj["Value"] : void 0) ?? (typeof obj["TagValue"] === "string" ? obj["TagValue"] : void 0) ?? (typeof obj["value"] === "string" ? obj["value"] : void 0);
+      if (typeof k !== "string" || k.length === 0)
+        continue;
+      if (k.startsWith("aws:"))
+        continue;
+      out.push({ Key: k, Value: typeof v === "string" ? v : "" });
+    }
+  } else {
+    for (const [k, v] of Object.entries(tags)) {
+      if (!k || k.startsWith("aws:"))
+        continue;
+      out.push({ Key: k, Value: typeof v === "string" ? v : "" });
+    }
+  }
+  out.sort((a, b) => a.Key < b.Key ? -1 : a.Key > b.Key ? 1 : 0);
+  return out;
+}
 
 // src/provisioning/providers/iam-role-provider.ts
 var IAMRoleProvider = class {
@@ -8238,9 +8263,10 @@ var IAMRoleProvider = class {
    *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
    *    v1 — drift detection on inline IAM policy bodies can ship in a
    *    follow-up.
-   *  - `Tags` is omitted for the same reason as Lambda's tags handling
-   *    (CDK auto-injects `aws:cdk:path` and the shape decision belongs in a
-   *    dedicated tags PR).
+   *  - `Tags` is surfaced via `ListRoleTags` (paginated). CDK's `aws:*`
+   *    auto-tags are filtered out by `normalizeAwsTagsToCfn` so they don't
+   *    fire false-positive drift; the result key is omitted entirely when
+   *    AWS reports no user tags (matches `create()`'s behavior).
    *
    * Returns `undefined` when the role is gone (`NoSuchEntityException`).
    */
@@ -8290,8 +8316,46 @@ var IAMRoleProvider = class {
       if (!(err instanceof NoSuchEntityException))
         throw err;
     }
+    try {
+      const collected = [];
+      let marker;
+      while (true) {
+        const tagsResp = await this.iamClient.send(
+          new ListRoleTagsCommand({
+            RoleName: physicalId,
+            ...marker ? { Marker: marker } : {}
+          })
+        );
+        if (tagsResp.Tags) {
+          for (const t of tagsResp.Tags) {
+            collected.push({ Key: t.Key, Value: t.Value });
+          }
+        }
+        if (!tagsResp.IsTruncated)
+          break;
+        marker = tagsResp.Marker;
+      }
+      const tags = normalizeAwsTagsToCfn(collected);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
     return result;
   }
+  /**
+   * `Policies` (inline policy bodies) are intentionally omitted from
+   * `readCurrentState`: surfacing the names without bodies would
+   * guarantee a `PolicyDocument`-shaped drift on every role, and
+   * fetching every body costs one extra `GetRolePolicy` per inline
+   * policy. Tell the drift comparator to skip the whole subtree until a
+   * dedicated PR adds proper inline-policy drift via per-name
+   * `GetRolePolicy`.
+   */
+  getDriftUnknownPaths() {
+    return ["Policies"];
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *