@go-to-k/cdkd 0.46.0 → 0.47.0

package/dist/index.js

@@ -2922,8 +2922,8 @@ import {
 } from "@aws-sdk/client-s3";
 
 // src/types/state.ts
-var STATE_SCHEMA_VERSION_LEGACY = 1;
-var STATE_SCHEMA_VERSION_CURRENT = 2;
+var STATE_SCHEMA_VERSION_CURRENT = 3;
+var STATE_SCHEMA_VERSIONS_READABLE = [1, 2, 3];
 
 // src/state/s3-state-backend.ts
 var LEGACY_KEY_DEPTH = 2;
@@ -3406,9 +3406,9 @@ var S3StateBackend = class {
       );
     }
     const v = parsed.version;
-    if (v !== STATE_SCHEMA_VERSION_LEGACY && v !== STATE_SCHEMA_VERSION_CURRENT && v !== void 0) {
+    if (v !== void 0 && !STATE_SCHEMA_VERSIONS_READABLE.includes(v)) {
       throw new StateError(
-        `Unsupported state schema version ${String(v)} for stack '${stackName}'. This cdkd binary supports versions ${String(STATE_SCHEMA_VERSION_LEGACY)} and ${String(STATE_SCHEMA_VERSION_CURRENT)}. Upgrade cdkd to a version that supports schema ${String(v)}.`
+        `Unsupported state schema version ${String(v)} for stack '${stackName}'. This cdkd binary supports versions ${STATE_SCHEMA_VERSIONS_READABLE.join(", ")}. Upgrade cdkd to a version that supports schema ${String(v)}.`
       );
     }
     return parsed;
@@ -8344,6 +8344,18 @@ var IAMRoleProvider = class {
     }
     return result;
   }
+  /**
+   * `Policies` (inline policy bodies) are intentionally omitted from
+   * `readCurrentState`: surfacing the names without bodies would
+   * guarantee a `PolicyDocument`-shaped drift on every role, and
+   * fetching every body costs one extra `GetRolePolicy` per inline
+   * policy. Tell the drift comparator to skip the whole subtree until a
+   * dedicated PR adds proper inline-policy drift via per-name
+   * `GetRolePolicy`.
+   */
+  getDriftUnknownPaths() {
+    return ["Policies"];
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -8715,10 +8727,23 @@ var DeployEngine = class {
     this.options.noRollback = options.noRollback ?? false;
     this.options.resourceWarnAfterMs = options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
     this.options.resourceTimeoutMs = options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    this.options.captureObservedState = options.captureObservedState ?? true;
   }
   logger = getLogger().child("DeployEngine");
   resolver;
   interrupted = false;
+  /**
+   * In-flight `provider.readCurrentState` promises kicked off after a
+   * successful CREATE / UPDATE. The deploy critical path does NOT
+   * `await` these; instead they're drained at the end of `doDeploy`
+   * (success path only) and the resolved values are merged into
+   * `ResourceState.observedProperties` before the final state save.
+   *
+   * Each Promise resolves to the AWS-current snapshot, or `undefined`
+   * if the provider does not implement `readCurrentState` or the call
+   * threw — never rejects, so an unhandled-rejection cannot escape.
+   */
+  observedCaptureTasks = /* @__PURE__ */ new Map();
   /**
    * Target region for this stack. Required — load-bearing for the
    * region-prefixed S3 state key and recorded in state.json for
@@ -8731,6 +8756,61 @@ var DeployEngine = class {
   async deploy(stackName, template) {
     return withStackName(stackName, () => this.doDeploy(stackName, template));
   }
+  /**
+   * Kick off `provider.readCurrentState` for a freshly-created/updated
+   * resource without blocking the deploy critical path. The promise
+   * lands in `observedCaptureTasks` keyed by `logicalId`; the deploy's
+   * success-path drain (`drainObservedCaptures`) awaits the full set
+   * and merges the resolved values into `ResourceState.observedProperties`
+   * before the final state save.
+   *
+   * Errors are swallowed at the Promise level — readCurrentState
+   * failing must not fail the deploy. The map entry resolves to
+   * `undefined` for failures and for providers without
+   * `readCurrentState`; both translate to "no observedProperties" at
+   * the merge step, which is fine: drift falls back to comparing
+   * against `properties`.
+   */
+  kickOffObservedCapture(provider, logicalId, physicalId, resourceType, resolvedProps) {
+    if (this.options.captureObservedState !== true)
+      return;
+    if (!provider.readCurrentState)
+      return;
+    const promise = provider.readCurrentState(physicalId, logicalId, resourceType, resolvedProps).catch((err) => {
+      this.logger.debug(
+        `observedProperties capture for ${logicalId} (${resourceType}) failed: ${err instanceof Error ? err.message : String(err)} \u2014 drift will fall back to template properties for this resource until the next successful deploy.`
+      );
+      return void 0;
+    });
+    this.observedCaptureTasks.set(logicalId, promise);
+  }
+  /**
+   * Wait for every in-flight `readCurrentState` promise from the
+   * deploy's success path, then merge each resolved snapshot into the
+   * matching `ResourceState.observedProperties`. After this runs the
+   * map is drained so a subsequent deploy starts fresh.
+   *
+   * Called from `doDeploy` immediately before the final `saveState`.
+   * The rollback / failure paths intentionally do NOT call this — a
+   * failed deploy's partial state is already inconsistent, and waiting
+   * on potentially many in-flight reads would slow down the rollback
+   * itself.
+   */
+  async drainObservedCaptures(stateResources) {
+    if (this.observedCaptureTasks.size === 0)
+      return;
+    const entries = Array.from(this.observedCaptureTasks.entries());
+    this.observedCaptureTasks.clear();
+    const resolved = await Promise.all(entries.map(([, p]) => p));
+    for (let i = 0; i < entries.length; i++) {
+      const logicalId = entries[i][0];
+      const observed = resolved[i];
+      const target = stateResources[logicalId];
+      if (target && observed !== void 0) {
+        target.observedProperties = observed;
+      }
+    }
+  }
   async doDeploy(stackName, template) {
     const startTime = Date.now();
     this.logger.debug(`Starting deployment for stack: ${stackName}`);
@@ -8847,6 +8927,7 @@ var DeployEngine = class {
         progress,
         migrationPending
       );
+      await this.drainObservedCaptures(newState.resources);
       const newEtag = await this.stateBackend.saveState(stackName, this.stackRegion, newState);
       this.logger.debug(`State saved (ETag: ${newEtag})`);
       const durationMs = Date.now() - startTime;
@@ -8862,6 +8943,7 @@ var DeployEngine = class {
     } finally {
       renderer.stop();
       process.removeListener("SIGINT", sigintHandler);
+      this.observedCaptureTasks.clear();
       try {
         await this.lockManager.releaseLock(stackName, this.stackRegion);
         this.logger.debug("Lock released");
@@ -9415,6 +9497,13 @@ var DeployEngine = class {
           ...result.attributes && { attributes: result.attributes },
           ...dependencies && dependencies.length > 0 && { dependencies }
         };
+        this.kickOffObservedCapture(
+          provider,
+          logicalId,
+          result.physicalId,
+          resourceType,
+          resolvedProps
+        );
         if (counts)
           counts.created++;
         if (progress)
@@ -9493,6 +9582,13 @@ var DeployEngine = class {
             ...createResult.attributes && { attributes: createResult.attributes },
             ...dependencies && dependencies.length > 0 && { dependencies }
           };
+          this.kickOffObservedCapture(
+            provider,
+            logicalId,
+            createResult.physicalId,
+            resourceType,
+            resolvedProps
+          );
           if (counts)
             counts.updated++;
           if (progress)
@@ -9571,6 +9667,13 @@ var DeployEngine = class {
             ...result.attributes && { attributes: result.attributes },
             ...dependencies && dependencies.length > 0 && { dependencies }
           };
+          this.kickOffObservedCapture(
+            provider,
+            logicalId,
+            result.physicalId,
+            resourceType,
+            resolvedProps
+          );
           if (counts)
             counts.updated++;
           if (progress)