@go-to-k/cdkd 0.46.0 → 0.47.0

package/dist/cli.js

@@ -629,6 +629,10 @@ var deployOptions = [
   new Option("--dry-run", "Show changes without applying").default(false),
   new Option("--skip-assets", "Skip asset publishing").default(false),
   new Option("--no-rollback", "Skip rollback on deployment failure"),
+  new Option(
+    "--no-capture-observed-state",
+    "Skip capturing AWS-current properties after each create/update (adds a fire-and-forget readCurrentState per resource so cdkd drift can compare against the real deploy-time AWS snapshot instead of the template). On by default. Disable when deploy speed matters more than rich drift detection \u2014 falls back to comparing against template properties (the pre-v3 behavior)."
+  ),
   noWaitOption,
   aggressiveVpcParallelOption,
   new Option(
@@ -1351,6 +1355,16 @@ function resolveApp(cliApp) {
   const cdkJson = loadCdkJson();
   return cdkJson?.app ?? void 0;
 }
+function resolveCaptureObservedState(cliValue) {
+  if (cliValue === false)
+    return false;
+  const cdkJson = loadCdkJson();
+  const cdkdContext = cdkJson?.context?.["cdkd"];
+  const v = cdkdContext?.["captureObservedState"];
+  if (typeof v === "boolean")
+    return v;
+  return true;
+}
 function resolveStateBucketWithSource(cliBucket) {
   if (cliBucket)
     return { bucket: cliBucket, source: "cli-flag" };
@@ -3727,8 +3741,8 @@ import {
 } from "@aws-sdk/client-s3";
 
 // src/types/state.ts
-var STATE_SCHEMA_VERSION_LEGACY = 1;
-var STATE_SCHEMA_VERSION_CURRENT = 2;
+var STATE_SCHEMA_VERSION_CURRENT = 3;
+var STATE_SCHEMA_VERSIONS_READABLE = [1, 2, 3];
 
 // src/utils/aws-region-resolver.ts
 import { GetBucketLocationCommand, S3Client as S3Client3 } from "@aws-sdk/client-s3";
@@ -4237,9 +4251,9 @@ var S3StateBackend = class {
       );
     }
     const v = parsed.version;
-    if (v !== STATE_SCHEMA_VERSION_LEGACY && v !== STATE_SCHEMA_VERSION_CURRENT && v !== void 0) {
+    if (v !== void 0 && !STATE_SCHEMA_VERSIONS_READABLE.includes(v)) {
       throw new StateError(
-        `Unsupported state schema version ${String(v)} for stack '${stackName}'. This cdkd binary supports versions ${String(STATE_SCHEMA_VERSION_LEGACY)} and ${String(STATE_SCHEMA_VERSION_CURRENT)}. Upgrade cdkd to a version that supports schema ${String(v)}.`
+        `Unsupported state schema version ${String(v)} for stack '${stackName}'. This cdkd binary supports versions ${STATE_SCHEMA_VERSIONS_READABLE.join(", ")}. Upgrade cdkd to a version that supports schema ${String(v)}.`
       );
     }
     return parsed;
@@ -9175,6 +9189,18 @@ var IAMRoleProvider = class {
     }
     return result;
   }
+  /**
+   * `Policies` (inline policy bodies) are intentionally omitted from
+   * `readCurrentState`: surfacing the names without bodies would
+   * guarantee a `PolicyDocument`-shaped drift on every role, and
+   * fetching every body costs one extra `GetRolePolicy` per inline
+   * policy. Tell the drift comparator to skip the whole subtree until a
+   * dedicated PR adds proper inline-policy drift via per-name
+   * `GetRolePolicy`.
+   */
+  getDriftUnknownPaths() {
+    return ["Policies"];
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -13568,6 +13594,18 @@ var SNSTopicProvider = class {
     }
     return result;
   }
+  /**
+   * `DeliveryStatusLogging` fans out to per-protocol attributes
+   * (`{Protocol}SuccessFeedbackRoleArn` etc.) whose round-trip back to the
+   * CFn array shape is not yet implemented; `Subscription` is managed via
+   * separate `AWS::SNS::Subscription` resources rather than the Topic
+   * itself. Both are absent from `readCurrentState`, so tell the drift
+   * comparator to skip them and avoid the guaranteed false-positive that
+   * would fire on every clean run when the user did template either.
+   */
+  getDriftUnknownPaths() {
+    return ["DeliveryStatusLogging", "Subscription"];
+  }
   /**
    * Adopt an existing SNS topic into cdkd state.
    *
@@ -14843,6 +14881,17 @@ var LambdaFunctionProvider = class {
       throw err;
     }
   }
+  /**
+   * `Code: { S3Bucket, S3Key }` is set on create / update but `GetFunction`
+   * only returns a pre-signed URL for the deployed code, never the original
+   * asset key — so a state-recorded `Code` value can never match an
+   * AWS-current snapshot. Tell the drift comparator to skip the whole
+   * `Code` subtree to avoid the guaranteed false-positive that would fire
+   * on every clean run.
+   */
+  getDriftUnknownPaths() {
+    return ["Code"];
+  }
   /**
    * Adopt an existing Lambda function into cdkd state.
    *
@@ -15986,6 +16035,16 @@ var LambdaLayerVersionProvider = class {
     }
     return result;
   }
+  /**
+   * `Content: { S3Bucket, S3Key }` is set on create but
+   * `GetLayerVersionByArn` only returns a pre-signed URL for the deployed
+   * content — the original asset key is unrecoverable. Tell the drift
+   * comparator to skip the whole `Content` subtree to avoid the guaranteed
+   * false-positive that would fire on every clean run.
+   */
+  getDriftUnknownPaths() {
+    return ["Content"];
+  }
   /**
    * Adopt an existing Lambda layer version into cdkd state.
    *
@@ -17519,6 +17578,16 @@ var SecretsManagerSecretProvider = class {
       throw err;
     }
   }
+  /**
+   * `SecretString` and `GenerateSecretString` are set on create but
+   * `DescribeSecret` does not return the secret value (that lives behind
+   * `GetSecretValue`, which we deliberately never call to avoid surfacing
+   * plaintext through drift). Tell the drift comparator to skip both keys
+   * so they don't fire guaranteed false-positive drift on every clean run.
+   */
+  getDriftUnknownPaths() {
+    return ["SecretString", "GenerateSecretString"];
+  }
   /**
    * Adopt an existing Secrets Manager secret into cdkd state.
    *
@@ -36892,10 +36961,23 @@ var DeployEngine = class {
     this.options.noRollback = options.noRollback ?? false;
     this.options.resourceWarnAfterMs = options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
     this.options.resourceTimeoutMs = options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    this.options.captureObservedState = options.captureObservedState ?? true;
   }
   logger = getLogger().child("DeployEngine");
   resolver;
   interrupted = false;
+  /**
+   * In-flight `provider.readCurrentState` promises kicked off after a
+   * successful CREATE / UPDATE. The deploy critical path does NOT
+   * `await` these; instead they're drained at the end of `doDeploy`
+   * (success path only) and the resolved values are merged into
+   * `ResourceState.observedProperties` before the final state save.
+   *
+   * Each Promise resolves to the AWS-current snapshot, or `undefined`
+   * if the provider does not implement `readCurrentState` or the call
+   * threw — never rejects, so an unhandled-rejection cannot escape.
+   */
+  observedCaptureTasks = /* @__PURE__ */ new Map();
   /**
    * Target region for this stack. Required — load-bearing for the
    * region-prefixed S3 state key and recorded in state.json for
@@ -36908,6 +36990,61 @@ var DeployEngine = class {
   async deploy(stackName, template) {
     return withStackName(stackName, () => this.doDeploy(stackName, template));
   }
+  /**
+   * Kick off `provider.readCurrentState` for a freshly-created/updated
+   * resource without blocking the deploy critical path. The promise
+   * lands in `observedCaptureTasks` keyed by `logicalId`; the deploy's
+   * success-path drain (`drainObservedCaptures`) awaits the full set
+   * and merges the resolved values into `ResourceState.observedProperties`
+   * before the final state save.
+   *
+   * Errors are swallowed at the Promise level — readCurrentState
+   * failing must not fail the deploy. The map entry resolves to
+   * `undefined` for failures and for providers without
+   * `readCurrentState`; both translate to "no observedProperties" at
+   * the merge step, which is fine: drift falls back to comparing
+   * against `properties`.
+   */
+  kickOffObservedCapture(provider, logicalId, physicalId, resourceType, resolvedProps) {
+    if (this.options.captureObservedState !== true)
+      return;
+    if (!provider.readCurrentState)
+      return;
+    const promise = provider.readCurrentState(physicalId, logicalId, resourceType, resolvedProps).catch((err) => {
+      this.logger.debug(
+        `observedProperties capture for ${logicalId} (${resourceType}) failed: ${err instanceof Error ? err.message : String(err)} \u2014 drift will fall back to template properties for this resource until the next successful deploy.`
+      );
+      return void 0;
+    });
+    this.observedCaptureTasks.set(logicalId, promise);
+  }
+  /**
+   * Wait for every in-flight `readCurrentState` promise from the
+   * deploy's success path, then merge each resolved snapshot into the
+   * matching `ResourceState.observedProperties`. After this runs the
+   * map is drained so a subsequent deploy starts fresh.
+   *
+   * Called from `doDeploy` immediately before the final `saveState`.
+   * The rollback / failure paths intentionally do NOT call this — a
+   * failed deploy's partial state is already inconsistent, and waiting
+   * on potentially many in-flight reads would slow down the rollback
+   * itself.
+   */
+  async drainObservedCaptures(stateResources) {
+    if (this.observedCaptureTasks.size === 0)
+      return;
+    const entries = Array.from(this.observedCaptureTasks.entries());
+    this.observedCaptureTasks.clear();
+    const resolved = await Promise.all(entries.map(([, p]) => p));
+    for (let i = 0; i < entries.length; i++) {
+      const logicalId = entries[i][0];
+      const observed = resolved[i];
+      const target = stateResources[logicalId];
+      if (target && observed !== void 0) {
+        target.observedProperties = observed;
+      }
+    }
+  }
   async doDeploy(stackName, template) {
     const startTime = Date.now();
     this.logger.debug(`Starting deployment for stack: ${stackName}`);
@@ -37024,6 +37161,7 @@ var DeployEngine = class {
         progress,
         migrationPending
       );
+      await this.drainObservedCaptures(newState.resources);
       const newEtag = await this.stateBackend.saveState(stackName, this.stackRegion, newState);
       this.logger.debug(`State saved (ETag: ${newEtag})`);
       const durationMs = Date.now() - startTime;
@@ -37039,6 +37177,7 @@ var DeployEngine = class {
     } finally {
       renderer.stop();
       process.removeListener("SIGINT", sigintHandler);
+      this.observedCaptureTasks.clear();
       try {
         await this.lockManager.releaseLock(stackName, this.stackRegion);
         this.logger.debug("Lock released");
@@ -37592,6 +37731,13 @@ var DeployEngine = class {
           ...result.attributes && { attributes: result.attributes },
           ...dependencies && dependencies.length > 0 && { dependencies }
         };
+        this.kickOffObservedCapture(
+          provider,
+          logicalId,
+          result.physicalId,
+          resourceType,
+          resolvedProps
+        );
         if (counts)
           counts.created++;
         if (progress)
@@ -37670,6 +37816,13 @@ var DeployEngine = class {
             ...createResult.attributes && { attributes: createResult.attributes },
             ...dependencies && dependencies.length > 0 && { dependencies }
           };
+          this.kickOffObservedCapture(
+            provider,
+            logicalId,
+            createResult.physicalId,
+            resourceType,
+            resolvedProps
+          );
           if (counts)
             counts.updated++;
           if (progress)
@@ -37748,6 +37901,13 @@ var DeployEngine = class {
             ...result.attributes && { attributes: result.attributes },
             ...dependencies && dependencies.length > 0 && { dependencies }
           };
+          this.kickOffObservedCapture(
+            provider,
+            logicalId,
+            result.physicalId,
+            resourceType,
+            resolvedProps
+          );
           if (counts)
             counts.updated++;
           if (progress)
@@ -38226,6 +38386,7 @@ Deploying stack: ${stackInfo.stackName}${stackRegion !== baseRegion ? ` (region:
           concurrency: options.concurrency,
           dryRun: options.dryRun,
           noRollback: !options.rollback,
+          captureObservedState: resolveCaptureObservedState(options.captureObservedState),
           ...options.resourceWarnAfter?.globalMs !== void 0 && {
             resourceWarnAfterMs: options.resourceWarnAfter.globalMs
           },
@@ -38531,19 +38692,34 @@ import { Command as Command6, Option as Option3 } from "commander";
 init_aws_clients();
 
 // src/analyzer/drift-calculator.ts
-function calculateResourceDrift(stateProperties, awsProperties) {
+function calculateResourceDrift(stateProperties, awsProperties, options) {
   const drifts = [];
+  const ignore = options?.ignorePaths ?? [];
   for (const key of Object.keys(stateProperties)) {
-    diffAt(key, stateProperties[key], awsProperties[key], drifts);
+    if (isIgnoredPath(key, ignore))
+      continue;
+    diffAt(key, stateProperties[key], awsProperties[key], drifts, ignore);
   }
   return drifts;
 }
-function diffAt(path, stateValue, awsValue, out) {
+function isIgnoredPath(path, ignorePaths) {
+  for (const entry of ignorePaths) {
+    if (path === entry)
+      return true;
+    if (path.startsWith(`${entry}.`))
+      return true;
+  }
+  return false;
+}
+function diffAt(path, stateValue, awsValue, out, ignorePaths) {
   if (deepEqual(stateValue, awsValue))
     return;
   if (isPlainObject(stateValue) && isPlainObject(awsValue) && !Array.isArray(stateValue) && !Array.isArray(awsValue)) {
     for (const key of Object.keys(stateValue)) {
-      diffAt(`${path}.${key}`, stateValue[key], awsValue[key], out);
+      const childPath = `${path}.${key}`;
+      if (isIgnoredPath(childPath, ignorePaths))
+        continue;
+      diffAt(childPath, stateValue[key], awsValue[key], out, ignorePaths);
     }
     return;
   }
@@ -38721,9 +38897,6 @@ async function driftCommand(stacks, options) {
     logger.setLevel("debug");
   }
   warnIfDeprecatedRegion(options);
-  if (!options.all && stacks.length === 0) {
-    throw new Error("Stack name is required. Usage: cdkd drift <stack> [<stack>...] | --all");
-  }
   if (options.accept && options.revert) {
     throw new Error(
       "--accept and --revert are mutually exclusive. Use --accept to update cdkd state from AWS, or --revert to push cdkd state values back into AWS."
@@ -38804,6 +38977,21 @@ function resolveTargetRefs(stacks, stateRefs, options) {
     }
     return stateRefs;
   }
+  if (stacks.length === 0) {
+    const candidates = options.stackRegion ? stateRefs.filter((r) => r.region === options.stackRegion) : stateRefs;
+    if (candidates.length === 0) {
+      throw new Error(
+        "No stacks found in state bucket. Run `cdkd deploy` first, or pass --all explicitly."
+      );
+    }
+    if (candidates.length === 1) {
+      return [candidates[0]];
+    }
+    const listing = candidates.map((r) => `${r.stackName}${r.region ? ` (${r.region})` : ""}`).join(", ");
+    throw new Error(
+      `Multiple stacks found in state: ${listing}. Specify stack name(s) or use --all.`
+    );
+  }
   const out = [];
   for (const stackName of stacks) {
     const matches = stateRefs.filter((r) => r.stackName === stackName);
@@ -38901,7 +39089,9 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
         });
         continue;
       }
-      const changes = calculateResourceDrift(resource.properties ?? {}, aws);
+      const ignorePaths = provider.getDriftUnknownPaths ? provider.getDriftUnknownPaths(resource.resourceType) : [];
+      const baseline = resource.observedProperties ?? resource.properties ?? {};
+      const changes = calculateResourceDrift(baseline, aws, { ignorePaths });
       if (changes.length === 0) {
         outcomes.push({ kind: "clean", logicalId, resourceType: resource.resourceType });
       } else {
@@ -38973,14 +39163,13 @@ async function runAccept(reports, stateBackend, stateConfig, awsClients, options
         const existing = resources[outcome.logicalId];
         if (!existing)
           continue;
-        const newProperties = JSON.parse(JSON.stringify(existing.properties ?? {}));
+        const hasObserved = existing.observedProperties !== void 0;
+        const baselineSource = hasObserved ? existing.observedProperties : existing.properties ?? {};
+        const newBaseline = JSON.parse(JSON.stringify(baselineSource));
         for (const change of outcome.changes) {
-          setAtPath(newProperties, change.path, change.awsValue);
+          setAtPath(newBaseline, change.path, change.awsValue);
         }
-        resources[outcome.logicalId] = {
-          ...existing,
-          properties: newProperties
-        };
+        resources[outcome.logicalId] = hasObserved ? { ...existing, observedProperties: newBaseline } : { ...existing, properties: newBaseline };
       }
       const newState = {
         ...report.state,
@@ -39047,13 +39236,14 @@ async function runRevert(reports, providerRegistry, stateConfig, awsClients, opt
           return;
         }
         const provider = providerRegistry.getProvider(outcome.resourceType);
+        const desiredProperties = stateResource.observedProperties ?? stateResource.properties ?? {};
         try {
           await withRetry(
             () => provider.update(
               outcome.logicalId,
               stateResource.physicalId,
               outcome.resourceType,
-              stateResource.properties ?? {},
+              desiredProperties,
               outcome.awsProperties
             ),
             outcome.logicalId,
@@ -42126,6 +42316,7 @@ async function importCommand(stackArg, options) {
         existingState,
         selectiveMode
       );
+      await captureObservedForImportedResources(stackState, providerRegistry, logger);
       const saveOptions = {};
       if (existingEtag) {
         saveOptions.expectedEtag = existingEtag;
@@ -42326,7 +42517,7 @@ function buildStackState(stackName, region, rows, templateParser, template, exis
     };
   }
   return {
-    version: 2,
+    version: STATE_SCHEMA_VERSION_CURRENT,
     stackName,
     region,
     resources,
@@ -42419,6 +42610,33 @@ function createImportCommand() {
 function collectMultiple(value, previous) {
   return [...previous ?? [], value];
 }
+async function captureObservedForImportedResources(stackState, providerRegistry, logger) {
+  const entries = Object.entries(stackState.resources);
+  if (entries.length === 0)
+    return;
+  await Promise.all(
+    entries.map(async ([logicalId, resource]) => {
+      try {
+        const provider = providerRegistry.getProvider(resource.resourceType);
+        if (!provider.readCurrentState)
+          return;
+        const observed = await provider.readCurrentState(
+          resource.physicalId,
+          logicalId,
+          resource.resourceType,
+          resource.properties ?? {}
+        );
+        if (observed !== void 0) {
+          resource.observedProperties = observed;
+        }
+      } catch (err) {
+        logger.debug(
+          `observedProperties capture for imported ${logicalId} (${resource.resourceType}) failed: ${err instanceof Error ? err.message : String(err)} \u2014 drift will fall back to template properties for this resource until the next successful deploy.`
+        );
+      }
+    })
+  );
+}
 
 // src/cli/index.ts
 var SUBCOMMANDS = /* @__PURE__ */ new Set([
@@ -42448,7 +42666,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.46.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.47.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());