@go-to-k/cdkd 0.46.1 → 0.47.0

package/dist/cli.js

@@ -629,6 +629,10 @@ var deployOptions = [
   new Option("--dry-run", "Show changes without applying").default(false),
   new Option("--skip-assets", "Skip asset publishing").default(false),
   new Option("--no-rollback", "Skip rollback on deployment failure"),
+  new Option(
+    "--no-capture-observed-state",
+    "Skip capturing AWS-current properties after each create/update (adds a fire-and-forget readCurrentState per resource so cdkd drift can compare against the real deploy-time AWS snapshot instead of the template). On by default. Disable when deploy speed matters more than rich drift detection \u2014 falls back to comparing against template properties (the pre-v3 behavior)."
+  ),
   noWaitOption,
   aggressiveVpcParallelOption,
   new Option(
@@ -1351,6 +1355,16 @@ function resolveApp(cliApp) {
   const cdkJson = loadCdkJson();
   return cdkJson?.app ?? void 0;
 }
+function resolveCaptureObservedState(cliValue) {
+  if (cliValue === false)
+    return false;
+  const cdkJson = loadCdkJson();
+  const cdkdContext = cdkJson?.context?.["cdkd"];
+  const v = cdkdContext?.["captureObservedState"];
+  if (typeof v === "boolean")
+    return v;
+  return true;
+}
 function resolveStateBucketWithSource(cliBucket) {
   if (cliBucket)
     return { bucket: cliBucket, source: "cli-flag" };
@@ -3727,8 +3741,8 @@ import {
 } from "@aws-sdk/client-s3";
 
 // src/types/state.ts
-var STATE_SCHEMA_VERSION_LEGACY = 1;
-var STATE_SCHEMA_VERSION_CURRENT = 2;
+var STATE_SCHEMA_VERSION_CURRENT = 3;
+var STATE_SCHEMA_VERSIONS_READABLE = [1, 2, 3];
 
 // src/utils/aws-region-resolver.ts
 import { GetBucketLocationCommand, S3Client as S3Client3 } from "@aws-sdk/client-s3";
@@ -4237,9 +4251,9 @@ var S3StateBackend = class {
       );
     }
     const v = parsed.version;
-    if (v !== STATE_SCHEMA_VERSION_LEGACY && v !== STATE_SCHEMA_VERSION_CURRENT && v !== void 0) {
+    if (v !== void 0 && !STATE_SCHEMA_VERSIONS_READABLE.includes(v)) {
       throw new StateError(
-        `Unsupported state schema version ${String(v)} for stack '${stackName}'. This cdkd binary supports versions ${String(STATE_SCHEMA_VERSION_LEGACY)} and ${String(STATE_SCHEMA_VERSION_CURRENT)}. Upgrade cdkd to a version that supports schema ${String(v)}.`
+        `Unsupported state schema version ${String(v)} for stack '${stackName}'. This cdkd binary supports versions ${STATE_SCHEMA_VERSIONS_READABLE.join(", ")}. Upgrade cdkd to a version that supports schema ${String(v)}.`
       );
     }
     return parsed;
@@ -36947,10 +36961,23 @@ var DeployEngine = class {
     this.options.noRollback = options.noRollback ?? false;
     this.options.resourceWarnAfterMs = options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
     this.options.resourceTimeoutMs = options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    this.options.captureObservedState = options.captureObservedState ?? true;
   }
   logger = getLogger().child("DeployEngine");
   resolver;
   interrupted = false;
+  /**
+   * In-flight `provider.readCurrentState` promises kicked off after a
+   * successful CREATE / UPDATE. The deploy critical path does NOT
+   * `await` these; instead they're drained at the end of `doDeploy`
+   * (success path only) and the resolved values are merged into
+   * `ResourceState.observedProperties` before the final state save.
+   *
+   * Each Promise resolves to the AWS-current snapshot, or `undefined`
+   * if the provider does not implement `readCurrentState` or the call
+   * threw — never rejects, so an unhandled-rejection cannot escape.
+   */
+  observedCaptureTasks = /* @__PURE__ */ new Map();
   /**
    * Target region for this stack. Required — load-bearing for the
    * region-prefixed S3 state key and recorded in state.json for
@@ -36963,6 +36990,61 @@ var DeployEngine = class {
   async deploy(stackName, template) {
     return withStackName(stackName, () => this.doDeploy(stackName, template));
   }
+  /**
+   * Kick off `provider.readCurrentState` for a freshly-created/updated
+   * resource without blocking the deploy critical path. The promise
+   * lands in `observedCaptureTasks` keyed by `logicalId`; the deploy's
+   * success-path drain (`drainObservedCaptures`) awaits the full set
+   * and merges the resolved values into `ResourceState.observedProperties`
+   * before the final state save.
+   *
+   * Errors are swallowed at the Promise level — readCurrentState
+   * failing must not fail the deploy. The map entry resolves to
+   * `undefined` for failures and for providers without
+   * `readCurrentState`; both translate to "no observedProperties" at
+   * the merge step, which is fine: drift falls back to comparing
+   * against `properties`.
+   */
+  kickOffObservedCapture(provider, logicalId, physicalId, resourceType, resolvedProps) {
+    if (this.options.captureObservedState !== true)
+      return;
+    if (!provider.readCurrentState)
+      return;
+    const promise = provider.readCurrentState(physicalId, logicalId, resourceType, resolvedProps).catch((err) => {
+      this.logger.debug(
+        `observedProperties capture for ${logicalId} (${resourceType}) failed: ${err instanceof Error ? err.message : String(err)} \u2014 drift will fall back to template properties for this resource until the next successful deploy.`
+      );
+      return void 0;
+    });
+    this.observedCaptureTasks.set(logicalId, promise);
+  }
+  /**
+   * Wait for every in-flight `readCurrentState` promise from the
+   * deploy's success path, then merge each resolved snapshot into the
+   * matching `ResourceState.observedProperties`. After this runs the
+   * map is drained so a subsequent deploy starts fresh.
+   *
+   * Called from `doDeploy` immediately before the final `saveState`.
+   * The rollback / failure paths intentionally do NOT call this — a
+   * failed deploy's partial state is already inconsistent, and waiting
+   * on potentially many in-flight reads would slow down the rollback
+   * itself.
+   */
+  async drainObservedCaptures(stateResources) {
+    if (this.observedCaptureTasks.size === 0)
+      return;
+    const entries = Array.from(this.observedCaptureTasks.entries());
+    this.observedCaptureTasks.clear();
+    const resolved = await Promise.all(entries.map(([, p]) => p));
+    for (let i = 0; i < entries.length; i++) {
+      const logicalId = entries[i][0];
+      const observed = resolved[i];
+      const target = stateResources[logicalId];
+      if (target && observed !== void 0) {
+        target.observedProperties = observed;
+      }
+    }
+  }
   async doDeploy(stackName, template) {
     const startTime = Date.now();
     this.logger.debug(`Starting deployment for stack: ${stackName}`);
@@ -37079,6 +37161,7 @@ var DeployEngine = class {
         progress,
         migrationPending
       );
+      await this.drainObservedCaptures(newState.resources);
       const newEtag = await this.stateBackend.saveState(stackName, this.stackRegion, newState);
       this.logger.debug(`State saved (ETag: ${newEtag})`);
       const durationMs = Date.now() - startTime;
@@ -37094,6 +37177,7 @@ var DeployEngine = class {
     } finally {
       renderer.stop();
       process.removeListener("SIGINT", sigintHandler);
+      this.observedCaptureTasks.clear();
       try {
         await this.lockManager.releaseLock(stackName, this.stackRegion);
         this.logger.debug("Lock released");
@@ -37647,6 +37731,13 @@ var DeployEngine = class {
           ...result.attributes && { attributes: result.attributes },
           ...dependencies && dependencies.length > 0 && { dependencies }
         };
+        this.kickOffObservedCapture(
+          provider,
+          logicalId,
+          result.physicalId,
+          resourceType,
+          resolvedProps
+        );
         if (counts)
           counts.created++;
         if (progress)
@@ -37725,6 +37816,13 @@ var DeployEngine = class {
             ...createResult.attributes && { attributes: createResult.attributes },
             ...dependencies && dependencies.length > 0 && { dependencies }
           };
+          this.kickOffObservedCapture(
+            provider,
+            logicalId,
+            createResult.physicalId,
+            resourceType,
+            resolvedProps
+          );
           if (counts)
             counts.updated++;
           if (progress)
@@ -37803,6 +37901,13 @@ var DeployEngine = class {
             ...result.attributes && { attributes: result.attributes },
             ...dependencies && dependencies.length > 0 && { dependencies }
           };
+          this.kickOffObservedCapture(
+            provider,
+            logicalId,
+            result.physicalId,
+            resourceType,
+            resolvedProps
+          );
           if (counts)
             counts.updated++;
           if (progress)
@@ -38281,6 +38386,7 @@ Deploying stack: ${stackInfo.stackName}${stackRegion !== baseRegion ? ` (region:
           concurrency: options.concurrency,
           dryRun: options.dryRun,
           noRollback: !options.rollback,
+          captureObservedState: resolveCaptureObservedState(options.captureObservedState),
           ...options.resourceWarnAfter?.globalMs !== void 0 && {
             resourceWarnAfterMs: options.resourceWarnAfter.globalMs
           },
@@ -38984,7 +39090,8 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
         continue;
       }
       const ignorePaths = provider.getDriftUnknownPaths ? provider.getDriftUnknownPaths(resource.resourceType) : [];
-      const changes = calculateResourceDrift(resource.properties ?? {}, aws, { ignorePaths });
+      const baseline = resource.observedProperties ?? resource.properties ?? {};
+      const changes = calculateResourceDrift(baseline, aws, { ignorePaths });
       if (changes.length === 0) {
         outcomes.push({ kind: "clean", logicalId, resourceType: resource.resourceType });
       } else {
@@ -39056,14 +39163,13 @@ async function runAccept(reports, stateBackend, stateConfig, awsClients, options
         const existing = resources[outcome.logicalId];
         if (!existing)
           continue;
-        const newProperties = JSON.parse(JSON.stringify(existing.properties ?? {}));
+        const hasObserved = existing.observedProperties !== void 0;
+        const baselineSource = hasObserved ? existing.observedProperties : existing.properties ?? {};
+        const newBaseline = JSON.parse(JSON.stringify(baselineSource));
         for (const change of outcome.changes) {
-          setAtPath(newProperties, change.path, change.awsValue);
+          setAtPath(newBaseline, change.path, change.awsValue);
         }
-        resources[outcome.logicalId] = {
-          ...existing,
-          properties: newProperties
-        };
+        resources[outcome.logicalId] = hasObserved ? { ...existing, observedProperties: newBaseline } : { ...existing, properties: newBaseline };
       }
       const newState = {
         ...report.state,
@@ -39130,13 +39236,14 @@ async function runRevert(reports, providerRegistry, stateConfig, awsClients, opt
           return;
         }
         const provider = providerRegistry.getProvider(outcome.resourceType);
+        const desiredProperties = stateResource.observedProperties ?? stateResource.properties ?? {};
         try {
           await withRetry(
             () => provider.update(
               outcome.logicalId,
               stateResource.physicalId,
               outcome.resourceType,
-              stateResource.properties ?? {},
+              desiredProperties,
               outcome.awsProperties
             ),
             outcome.logicalId,
@@ -42209,6 +42316,7 @@ async function importCommand(stackArg, options) {
         existingState,
         selectiveMode
       );
+      await captureObservedForImportedResources(stackState, providerRegistry, logger);
       const saveOptions = {};
       if (existingEtag) {
         saveOptions.expectedEtag = existingEtag;
@@ -42409,7 +42517,7 @@ function buildStackState(stackName, region, rows, templateParser, template, exis
     };
   }
   return {
-    version: 2,
+    version: STATE_SCHEMA_VERSION_CURRENT,
     stackName,
     region,
     resources,
@@ -42502,6 +42610,33 @@ function createImportCommand() {
 function collectMultiple(value, previous) {
   return [...previous ?? [], value];
 }
+async function captureObservedForImportedResources(stackState, providerRegistry, logger) {
+  const entries = Object.entries(stackState.resources);
+  if (entries.length === 0)
+    return;
+  await Promise.all(
+    entries.map(async ([logicalId, resource]) => {
+      try {
+        const provider = providerRegistry.getProvider(resource.resourceType);
+        if (!provider.readCurrentState)
+          return;
+        const observed = await provider.readCurrentState(
+          resource.physicalId,
+          logicalId,
+          resource.resourceType,
+          resource.properties ?? {}
+        );
+        if (observed !== void 0) {
+          resource.observedProperties = observed;
+        }
+      } catch (err) {
+        logger.debug(
+          `observedProperties capture for imported ${logicalId} (${resource.resourceType}) failed: ${err instanceof Error ? err.message : String(err)} \u2014 drift will fall back to template properties for this resource until the next successful deploy.`
+        );
+      }
+    })
+  );
+}
 
 // src/cli/index.ts
 var SUBCOMMANDS = /* @__PURE__ */ new Set([
@@ -42531,7 +42666,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.46.1");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.47.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());