@go-to-k/cdkd 0.50.11 → 0.50.13

package/dist/cli.js

@@ -12008,11 +12008,11 @@ var S3BucketProvider = class {
       this.logger.debug(`Applied EventBridge notification to bucket ${bucketName}`);
     }
     const corsConfig = properties["CorsConfiguration"];
-    if (corsConfig?.CorsRules) {
+    if (corsConfig?.CorsRules && Array.isArray(corsConfig.CorsRules) && corsConfig.CorsRules.length > 0) {
       await this.applyCorsConfiguration(bucketName, corsConfig);
     }
     const lifecycleConfig = properties["LifecycleConfiguration"];
-    if (lifecycleConfig?.Rules) {
+    if (lifecycleConfig?.Rules && Array.isArray(lifecycleConfig.Rules) && lifecycleConfig.Rules.length > 0) {
       await this.applyLifecycleConfiguration(bucketName, lifecycleConfig);
     }
     const publicAccessBlock = properties["PublicAccessBlockConfiguration"];
@@ -12020,7 +12020,7 @@ var S3BucketProvider = class {
       await this.applyPublicAccessBlockConfiguration(bucketName, publicAccessBlock);
     }
     const bucketEncryption = properties["BucketEncryption"];
-    if (bucketEncryption?.ServerSideEncryptionConfiguration) {
+    if (bucketEncryption?.ServerSideEncryptionConfiguration && Array.isArray(bucketEncryption.ServerSideEncryptionConfiguration) && bucketEncryption.ServerSideEncryptionConfiguration.length > 0) {
       await this.applyBucketEncryption(bucketName, bucketEncryption);
     }
     const loggingConfig = properties["LoggingConfiguration"];
@@ -12281,11 +12281,12 @@ var S3BucketProvider = class {
     }
     try {
       const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: physicalId }));
-      const tags = normalizeAwsTagsToCfn(resp.TagSet);
-      result["Tags"] = tags;
+      result["Tags"] = normalizeAwsTagsToCfn(resp.TagSet);
     } catch (err) {
       const e = err;
-      if (e.name !== "NoSuchTagSet") {
+      if (e.name === "NoSuchTagSet") {
+        result["Tags"] = [];
+      } else {
         throw err;
       }
     }
@@ -13838,7 +13839,7 @@ var SNSSubscriptionProvider = class {
     try {
       const attributes = {};
       const filterPolicy = properties["FilterPolicy"];
-      if (filterPolicy) {
+      if (filterPolicy !== void 0) {
         attributes["FilterPolicy"] = typeof filterPolicy === "string" ? filterPolicy : JSON.stringify(filterPolicy);
       }
       const response = await this.snsClient.send(
@@ -17107,6 +17108,19 @@ var LogsLogGroupProvider = class {
     }
     return this.buildArn(physicalId);
   }
+  /**
+   * Drift comparator skip-list: properties readCurrentState deliberately
+   * cannot round-trip from AWS yet. `DataProtectionPolicy` lives behind
+   * its own `GetDataProtectionPolicy` API call (not in
+   * `DescribeLogGroups` output) — declaring it here prevents
+   * guaranteed false-positive drift on every clean run for log groups
+   * deployed with a data-protection policy. Lifting this guard requires
+   * a per-group `GetDataProtectionPolicy` round-trip in
+   * `readCurrentState`.
+   */
+  getDriftUnknownPaths() {
+    return ["DataProtectionPolicy"];
+  }
   /**
    * Read the AWS-current log group configuration in CFn-property shape.
    *
@@ -17141,25 +17155,24 @@ var LogsLogGroupProvider = class {
       if (found.logGroupName !== void 0)
         result["LogGroupName"] = found.logGroupName;
       result["KmsKeyId"] = found.kmsKeyId ?? "";
-      if (found.retentionInDays !== void 0) {
-        result["RetentionInDays"] = found.retentionInDays;
-      }
+      result["RetentionInDays"] = found.retentionInDays ?? 0;
       if (found.logGroupClass !== void 0)
         result["LogGroupClass"] = found.logGroupClass;
+      let tags = [];
       if (found.arn) {
         const arnForTags = found.arn.replace(/:\*$/, "");
         try {
           const tagsResp = await this.logsClient.send(
             new ListTagsForResourceCommand2({ resourceArn: arnForTags })
           );
-          const tags = normalizeAwsTagsToCfn(tagsResp.tags);
-          result["Tags"] = tags;
+          tags = normalizeAwsTagsToCfn(tagsResp.tags);
         } catch (err) {
           if (err instanceof ResourceNotFoundException7)
             return void 0;
           throw err;
         }
       }
+      result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException7)
@@ -17439,6 +17452,7 @@ var CloudWatchAlarmProvider = class {
    * Build PutMetricAlarm parameters from CDK properties
    */
   buildAlarmParams(alarmName, properties) {
+    const emptyToUndefined = (v) => typeof v === "string" && v === "" ? void 0 : v;
     const params = {
       AlarmName: alarmName,
       ComparisonOperator: properties["ComparisonOperator"],
@@ -17446,15 +17460,16 @@ var CloudWatchAlarmProvider = class {
       Threshold: properties["Threshold"],
       ActionsEnabled: properties["ActionsEnabled"],
       AlarmActions: properties["AlarmActions"],
-      AlarmDescription: properties["AlarmDescription"],
+      AlarmDescription: emptyToUndefined(properties["AlarmDescription"]),
       DatapointsToAlarm: properties["DatapointsToAlarm"],
       InsufficientDataActions: properties["InsufficientDataActions"],
       OKActions: properties["OKActions"],
-      TreatMissingData: properties["TreatMissingData"],
-      Unit: properties["Unit"]
+      TreatMissingData: emptyToUndefined(properties["TreatMissingData"]),
+      Unit: emptyToUndefined(properties["Unit"])
     };
-    if (properties["Metrics"]) {
-      const metrics = properties["Metrics"];
+    const metricsValue = properties["Metrics"];
+    if (Array.isArray(metricsValue) && metricsValue.length > 0) {
+      const metrics = metricsValue;
       params["Metrics"] = metrics.map((m) => {
         const entry = {
           Id: m["Id"]
@@ -17484,10 +17499,10 @@ var CloudWatchAlarmProvider = class {
         return entry;
       });
     } else {
-      params["MetricName"] = properties["MetricName"];
-      params["Namespace"] = properties["Namespace"];
+      params["MetricName"] = emptyToUndefined(properties["MetricName"]);
+      params["Namespace"] = emptyToUndefined(properties["Namespace"]);
       params["Period"] = properties["Period"];
-      params["Statistic"] = properties["Statistic"];
+      params["Statistic"] = emptyToUndefined(properties["Statistic"]);
       params["Dimensions"] = properties["Dimensions"];
     }
     return params;
@@ -18123,19 +18138,21 @@ var SSMParameterProvider = class {
         Name: physicalId,
         Type: type,
         Value: value,
-        Description: properties["Description"],
         Overwrite: true
       };
-      if (properties["AllowedPattern"]) {
+      if (properties["Description"] !== void 0) {
+        putParams.Description = properties["Description"];
+      }
+      if (properties["AllowedPattern"] !== void 0) {
         putParams.AllowedPattern = properties["AllowedPattern"];
       }
-      if (properties["Tier"]) {
+      if (properties["Tier"] !== void 0) {
         putParams.Tier = properties["Tier"];
       }
-      if (properties["Policies"]) {
+      if (properties["Policies"] !== void 0) {
         putParams.Policies = properties["Policies"];
       }
-      if (properties["DataType"]) {
+      if (properties["DataType"] !== void 0) {
         putParams.DataType = properties["DataType"];
       }
       await this.ssmClient.send(new PutParameterCommand(putParams));
@@ -18829,6 +18846,16 @@ import {
   ResourceNotFoundException as ResourceNotFoundException10
 } from "@aws-sdk/client-eventbridge";
 init_aws_clients();
+function sanitizeDeadLetterConfig(value) {
+  if (value === null || value === void 0)
+    return void 0;
+  if (typeof value !== "object")
+    return void 0;
+  const arn = value["Arn"];
+  if (typeof arn !== "string" || arn.length === 0)
+    return void 0;
+  return { Arn: arn };
+}
 var EventBridgeBusProvider = class {
   eventBridgeClient;
   logger = getLogger().child("EventBridgeBusProvider");
@@ -18875,11 +18902,9 @@ var EventBridgeBusProvider = class {
       if (properties["Tags"]) {
         createParams.Tags = properties["Tags"];
       }
-      if (properties["DeadLetterConfig"]) {
-        const dlcConfig = properties["DeadLetterConfig"];
-        createParams.DeadLetterConfig = {
-          Arn: dlcConfig["Arn"]
-        };
+      const dlcCreate = sanitizeDeadLetterConfig(properties["DeadLetterConfig"]);
+      if (dlcCreate) {
+        createParams.DeadLetterConfig = dlcCreate;
       }
       const response = await this.eventBridgeClient.send(new CreateEventBusCommand(createParams));
       const eventBusArn = response.EventBusArn ?? "";
@@ -18918,11 +18943,11 @@ var EventBridgeBusProvider = class {
       if (properties["KmsKeyIdentifier"] !== void 0) {
         updateParams.KmsKeyIdentifier = properties["KmsKeyIdentifier"];
       }
-      if (properties["DeadLetterConfig"]) {
-        const dlcConfig = properties["DeadLetterConfig"];
-        updateParams.DeadLetterConfig = {
-          Arn: dlcConfig["Arn"]
-        };
+      if (properties["DeadLetterConfig"] !== void 0) {
+        const dlcUpdate = sanitizeDeadLetterConfig(properties["DeadLetterConfig"]);
+        if (dlcUpdate) {
+          updateParams.DeadLetterConfig = dlcUpdate;
+        }
       }
       await this.eventBridgeClient.send(new UpdateEventBusCommand(updateParams));
     }
@@ -24889,22 +24914,18 @@ var StepFunctionsProvider = class {
         const tagList = properties["Tags"];
         tags = tagList.map((tag) => ({ key: tag.Key, value: tag.Value }));
       }
-      const cfnEncConfig = properties["EncryptionConfiguration"];
-      let encryptionConfiguration;
-      if (cfnEncConfig) {
-        encryptionConfiguration = {
-          type: cfnEncConfig["Type"],
-          kmsKeyId: cfnEncConfig["KmsKeyId"],
-          kmsDataKeyReusePeriodSeconds: cfnEncConfig["KmsDataKeyReusePeriodSeconds"]
-        };
-      }
+      const encryptionConfiguration = mapEncryptionConfiguration(
+        properties["EncryptionConfiguration"]
+      );
+      const loggingConfiguration = mapLoggingConfiguration(properties["LoggingConfiguration"]);
+      const tracingConfiguration = mapTracingConfiguration(properties["TracingConfiguration"]);
       const createParams = {
         name: stateMachineName,
         definition: definitionString,
         roleArn,
         type: properties["StateMachineType"],
-        loggingConfiguration: properties["LoggingConfiguration"],
-        tracingConfiguration: properties["TracingConfiguration"],
+        loggingConfiguration,
+        tracingConfiguration,
         tags,
         encryptionConfiguration
       };
@@ -24945,22 +24966,18 @@ var StepFunctionsProvider = class {
     this.logger.debug(`Updating Step Functions state machine ${logicalId}: ${physicalId}`);
     try {
       const definitionString = this.buildDefinitionString(properties);
-      const cfnEncConfig = properties["EncryptionConfiguration"];
-      let encryptionConfiguration;
-      if (cfnEncConfig) {
-        encryptionConfiguration = {
-          type: cfnEncConfig["Type"],
-          kmsKeyId: cfnEncConfig["KmsKeyId"],
-          kmsDataKeyReusePeriodSeconds: cfnEncConfig["KmsDataKeyReusePeriodSeconds"]
-        };
-      }
+      const encryptionConfiguration = mapEncryptionConfiguration(
+        properties["EncryptionConfiguration"]
+      );
+      const loggingConfiguration = mapLoggingConfiguration(properties["LoggingConfiguration"]);
+      const tracingConfiguration = mapTracingConfiguration(properties["TracingConfiguration"]);
       await this.getClient().send(
         new UpdateStateMachineCommand({
           stateMachineArn: physicalId,
           definition: definitionString,
           roleArn: properties["RoleArn"],
-          loggingConfiguration: properties["LoggingConfiguration"],
-          tracingConfiguration: properties["TracingConfiguration"],
+          loggingConfiguration,
+          tracingConfiguration,
           encryptionConfiguration
         })
       );
@@ -25248,6 +25265,57 @@ var StepFunctionsProvider = class {
     return "{}";
   }
 };
+function mapEncryptionConfiguration(value) {
+  if (value === null || value === void 0)
+    return void 0;
+  if (typeof value !== "object")
+    return void 0;
+  const cfg = value;
+  if (cfg["Type"] === void 0)
+    return void 0;
+  return {
+    type: cfg["Type"],
+    kmsKeyId: cfg["KmsKeyId"],
+    kmsDataKeyReusePeriodSeconds: cfg["KmsDataKeyReusePeriodSeconds"]
+  };
+}
+function mapLoggingConfiguration(value) {
+  if (value === null || value === void 0)
+    return void 0;
+  if (typeof value !== "object")
+    return void 0;
+  const cfg = value;
+  if (cfg["Level"] === void 0)
+    return void 0;
+  const result = {
+    level: cfg["Level"]
+  };
+  if (cfg["IncludeExecutionData"] !== void 0) {
+    result.includeExecutionData = cfg["IncludeExecutionData"];
+  }
+  if (Array.isArray(cfg["Destinations"])) {
+    result.destinations = cfg["Destinations"].map((d) => {
+      const cwLogs = d["CloudWatchLogsLogGroup"];
+      if (cwLogs?.["LogGroupArn"] !== void 0) {
+        return {
+          cloudWatchLogsLogGroup: { logGroupArn: cwLogs["LogGroupArn"] }
+        };
+      }
+      return {};
+    });
+  }
+  return result;
+}
+function mapTracingConfiguration(value) {
+  if (value === null || value === void 0)
+    return void 0;
+  if (typeof value !== "object")
+    return void 0;
+  const cfg = value;
+  if (cfg["Enabled"] === void 0)
+    return void 0;
+  return { enabled: cfg["Enabled"] };
+}
 
 // src/provisioning/providers/ecs-provider.ts
 import {
@@ -29043,6 +29111,13 @@ import {
   UntagResourceCommand as UntagResourceCommand13,
   WAFNonexistentItemException
 } from "@aws-sdk/client-wafv2";
+function sanitizeDescription(value) {
+  if (value === void 0 || value === null)
+    return void 0;
+  if (typeof value === "string" && value.length === 0)
+    return void 0;
+  return value;
+}
 function parseWebACLArn(arn) {
   const parts = arn.split(":");
   const resourcePart = parts.slice(5).join(":");
@@ -29104,7 +29179,7 @@ var WAFv2WebACLProvider = class {
           Name: name,
           Scope: scope,
           DefaultAction: properties["DefaultAction"],
-          Description: properties["Description"],
+          Description: sanitizeDescription(properties["Description"]),
           Rules: properties["Rules"] || [],
           VisibilityConfig: properties["VisibilityConfig"],
           ...tags.length > 0 && { Tags: tags },
@@ -29169,7 +29244,7 @@ var WAFv2WebACLProvider = class {
           Id: id,
           LockToken: lockToken,
           DefaultAction: properties["DefaultAction"],
-          Description: properties["Description"],
+          Description: sanitizeDescription(properties["Description"]),
           Rules: properties["Rules"] || [],
           VisibilityConfig: properties["VisibilityConfig"],
           CustomResponseBodies: properties["CustomResponseBodies"],
@@ -29431,6 +29506,9 @@ import {
   ListTagsForResourceCommand as ListTagsForResourceCommand13,
   ResourceNotFoundException as ResourceNotFoundException12
 } from "@aws-sdk/client-cognito-identity-provider";
+function isEmptyObjectPlaceholder(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value) && Object.keys(value).length === 0;
+}
 var CognitoUserPoolProvider = class {
   cognitoClient;
   providerRegion = process.env["AWS_REGION"];
@@ -29632,7 +29710,7 @@ var CognitoUserPoolProvider = class {
       if (properties["EmailConfiguration"]) {
         updateParams.EmailConfiguration = properties["EmailConfiguration"];
       }
-      if (properties["SmsConfiguration"]) {
+      if (properties["SmsConfiguration"] && !isEmptyObjectPlaceholder(properties["SmsConfiguration"])) {
         updateParams.SmsConfiguration = properties["SmsConfiguration"];
       }
       if (properties["VerificationMessageTemplate"]) {
@@ -29641,19 +29719,19 @@ var CognitoUserPoolProvider = class {
       if (properties["DeviceConfiguration"]) {
         updateParams.DeviceConfiguration = properties["DeviceConfiguration"];
       }
-      if (properties["UserPoolAddOns"]) {
+      if (properties["UserPoolAddOns"] && !isEmptyObjectPlaceholder(properties["UserPoolAddOns"])) {
         updateParams.UserPoolAddOns = properties["UserPoolAddOns"];
       }
-      if (properties["EmailVerificationMessage"]) {
+      if (properties["EmailVerificationMessage"] !== void 0) {
         updateParams.EmailVerificationMessage = properties["EmailVerificationMessage"];
       }
-      if (properties["EmailVerificationSubject"]) {
+      if (properties["EmailVerificationSubject"] !== void 0) {
         updateParams.EmailVerificationSubject = properties["EmailVerificationSubject"];
       }
-      if (properties["SmsAuthenticationMessage"]) {
+      if (properties["SmsAuthenticationMessage"] !== void 0) {
         updateParams.SmsAuthenticationMessage = properties["SmsAuthenticationMessage"];
       }
-      if (properties["SmsVerificationMessage"]) {
+      if (properties["SmsVerificationMessage"] !== void 0) {
         updateParams.SmsVerificationMessage = properties["SmsVerificationMessage"];
       }
       await this.getClient().send(new UpdateUserPoolCommand(updateParams));
@@ -31016,6 +31094,24 @@ var ServiceDiscoveryProvider = class {
         return void 0;
     }
   }
+  /**
+   * Declare drift-unreadable property paths.
+   *
+   * - `AWS::ServiceDiscovery::PrivateDnsNamespace.Vpc`: Cloud Map's
+   *   `GetNamespace` does NOT return the VPC ID — it is only consumed at
+   *   create time and surfaced in opaque form via
+   *   `Properties.DnsProperties.HostedZoneId`. Without this declaration
+   *   the comparator would walk into `Vpc` (state has it because cdkd
+   *   stored the user-supplied template value) and report a guaranteed
+   *   false-positive on every clean drift run, since `readCurrentState`
+   *   deliberately omits the key.
+   */
+  getDriftUnknownPaths(resourceType) {
+    if (resourceType === "AWS::ServiceDiscovery::PrivateDnsNamespace") {
+      return ["Vpc"];
+    }
+    return [];
+  }
   async readNamespace(physicalId) {
     let ns;
     try {
@@ -33255,6 +33351,11 @@ import {
   ListTagsForStreamCommand,
   ResourceNotFoundException as ResourceNotFoundException13
 } from "@aws-sdk/client-kinesis";
+function isKmsEncryption(value) {
+  if (!value)
+    return false;
+  return value["EncryptionType"] === "KMS";
+}
 var KinesisStreamProvider = class {
   client;
   providerRegion = process.env["AWS_REGION"];
@@ -33337,14 +33438,13 @@ var KinesisStreamProvider = class {
         await this.waitForStreamActive(streamName);
       }
       const streamEncryption = properties["StreamEncryption"];
-      if (streamEncryption) {
-        const encryptionType = streamEncryption["EncryptionType"] ?? "KMS";
+      if (isKmsEncryption(streamEncryption)) {
         const keyId = streamEncryption["KeyId"];
         this.logger.debug(`Enabling stream encryption for ${streamName}`);
         await this.getClient().send(
           new StartStreamEncryptionCommand({
             StreamName: streamName,
-            EncryptionType: encryptionType,
+            EncryptionType: "KMS",
             KeyId: keyId
           })
         );
@@ -33431,23 +33531,27 @@ var KinesisStreamProvider = class {
       );
       const newEncryption = properties["StreamEncryption"];
       const oldEncryption = previousProperties["StreamEncryption"];
-      if (JSON.stringify(newEncryption) !== JSON.stringify(oldEncryption)) {
-        if (oldEncryption) {
+      const oldIsKms = isKmsEncryption(oldEncryption);
+      const newIsKms = isKmsEncryption(newEncryption);
+      const oldKeyId = oldIsKms ? oldEncryption["KeyId"] : void 0;
+      const newKeyId = newIsKms ? newEncryption["KeyId"] : void 0;
+      if (oldIsKms !== newIsKms || oldIsKms && newIsKms && oldKeyId !== newKeyId) {
+        if (oldIsKms) {
           await this.getClient().send(
             new StopStreamEncryptionCommand({
               StreamName: physicalId,
-              EncryptionType: oldEncryption["EncryptionType"] ?? "KMS",
-              KeyId: oldEncryption["KeyId"]
+              EncryptionType: "KMS",
+              KeyId: oldKeyId
             })
           );
           await this.waitForStreamActive(physicalId);
         }
-        if (newEncryption) {
+        if (newIsKms) {
           await this.getClient().send(
             new StartStreamEncryptionCommand({
               StreamName: physicalId,
-              EncryptionType: newEncryption["EncryptionType"] ?? "KMS",
-              KeyId: newEncryption["KeyId"]
+              EncryptionType: "KMS",
+              KeyId: newKeyId
             })
           );
           await this.waitForStreamActive(physicalId);
@@ -33603,10 +33707,11 @@ var KinesisStreamProvider = class {
     const result = {};
     if (stream.StreamName !== void 0)
       result["Name"] = stream.StreamName;
-    if (stream.StreamModeDetails?.StreamMode !== void 0) {
-      result["StreamModeDetails"] = { StreamMode: stream.StreamModeDetails.StreamMode };
+    const streamMode = stream.StreamModeDetails?.StreamMode;
+    if (streamMode !== void 0) {
+      result["StreamModeDetails"] = { StreamMode: streamMode };
     }
-    if (stream.Shards && stream.Shards.length > 0) {
+    if (streamMode === "PROVISIONED" && stream.Shards && stream.Shards.length > 0) {
       result["ShardCount"] = stream.Shards.length;
     }
     if (stream.RetentionPeriodHours !== void 0) {
@@ -34821,14 +34926,14 @@ var FirehoseProvider = class {
       const tagsResp = await this.getClient().send(
         new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: physicalId })
       );
-      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-      result["Tags"] = tags;
+      result["Tags"] = normalizeAwsTagsToCfn(tagsResp.Tags);
     } catch (err) {
       if (err instanceof ResourceNotFoundException14)
         return void 0;
       this.logger.debug(
         `Firehose ListTagsForDeliveryStream(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
       );
+      result["Tags"] = [];
     }
     return result;
   }
@@ -35033,16 +35138,21 @@ var CloudTrailProvider = class {
   }
   async update(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating CloudTrail Trail ${logicalId}: ${physicalId}`);
+    const sanitizeArn = (v) => {
+      if (v === void 0 || v === null || v === "")
+        return void 0;
+      return v;
+    };
     const s3BucketName = properties["S3BucketName"];
     const s3KeyPrefix = properties["S3KeyPrefix"];
     const isMultiRegionTrail = properties["IsMultiRegionTrail"];
     const includeGlobalServiceEvents = properties["IncludeGlobalServiceEvents"];
     const enableLogFileValidation = properties["EnableLogFileValidation"];
     const isLogging = properties["IsLogging"];
-    const cloudWatchLogsLogGroupArn = properties["CloudWatchLogsLogGroupArn"];
-    const cloudWatchLogsRoleArn = properties["CloudWatchLogsRoleArn"];
-    const kmsKeyId = properties["KMSKeyId"];
-    const snsTopicName = properties["SnsTopicName"];
+    const cloudWatchLogsLogGroupArn = sanitizeArn(properties["CloudWatchLogsLogGroupArn"]);
+    const cloudWatchLogsRoleArn = sanitizeArn(properties["CloudWatchLogsRoleArn"]);
+    const kmsKeyId = sanitizeArn(properties["KMSKeyId"]);
+    const snsTopicName = sanitizeArn(properties["SnsTopicName"]);
     const isOrganizationTrail = properties["IsOrganizationTrail"];
     try {
       await this.getClient().send(
@@ -35239,58 +35349,48 @@ var CloudTrailProvider = class {
       result["TrailName"] = trail.Name;
     if (trail.S3BucketName !== void 0)
       result["S3BucketName"] = trail.S3BucketName;
-    if (trail.S3KeyPrefix !== void 0)
-      result["S3KeyPrefix"] = trail.S3KeyPrefix;
-    if (trail.IsMultiRegionTrail !== void 0) {
-      result["IsMultiRegionTrail"] = trail.IsMultiRegionTrail;
-    }
-    if (trail.IncludeGlobalServiceEvents !== void 0) {
-      result["IncludeGlobalServiceEvents"] = trail.IncludeGlobalServiceEvents;
-    }
-    if (trail.LogFileValidationEnabled !== void 0) {
-      result["EnableLogFileValidation"] = trail.LogFileValidationEnabled;
-    }
-    if (trail.CloudWatchLogsLogGroupArn !== void 0) {
+    result["S3KeyPrefix"] = trail.S3KeyPrefix ?? "";
+    result["IsMultiRegionTrail"] = trail.IsMultiRegionTrail ?? false;
+    result["IncludeGlobalServiceEvents"] = trail.IncludeGlobalServiceEvents ?? true;
+    result["EnableLogFileValidation"] = trail.LogFileValidationEnabled ?? false;
+    if (trail.CloudWatchLogsLogGroupArn && trail.CloudWatchLogsRoleArn) {
       result["CloudWatchLogsLogGroupArn"] = trail.CloudWatchLogsLogGroupArn;
-    }
-    if (trail.CloudWatchLogsRoleArn !== void 0) {
       result["CloudWatchLogsRoleArn"] = trail.CloudWatchLogsRoleArn;
     }
-    if (trail.KmsKeyId !== void 0)
-      result["KMSKeyId"] = trail.KmsKeyId;
-    if (trail.SnsTopicName !== void 0)
-      result["SnsTopicName"] = trail.SnsTopicName;
-    if (trail.IsOrganizationTrail !== void 0) {
-      result["IsOrganizationTrail"] = trail.IsOrganizationTrail;
-    }
+    result["KMSKeyId"] = trail.KmsKeyId ?? "";
+    result["SnsTopicName"] = trail.SnsTopicName ?? "";
+    result["IsOrganizationTrail"] = trail.IsOrganizationTrail ?? false;
     try {
       const status = await this.getClient().send(new GetTrailStatusCommand({ Name: physicalId }));
-      if (status.IsLogging !== void 0)
-        result["IsLogging"] = status.IsLogging;
+      result["IsLogging"] = status.IsLogging ?? false;
     } catch {
     }
     try {
       const sel = await this.getClient().send(
         new GetEventSelectorsCommand({ TrailName: physicalId })
       );
-      result["EventSelectors"] = (sel.EventSelectors ?? []).map(
-        (es) => es
-      );
+      const hasAdvanced = Array.isArray(sel.AdvancedEventSelectors) && sel.AdvancedEventSelectors.length > 0;
+      if (!hasAdvanced) {
+        result["EventSelectors"] = (sel.EventSelectors ?? []).map(
+          (es) => es
+        );
+      }
     } catch {
     }
+    let tags = [];
     if (trail.TrailARN) {
       try {
         const tagsResp = await this.getClient().send(
           new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
         );
-        const tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagList?.[0]?.TagsList);
-        result["Tags"] = tags;
+        tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagList?.[0]?.TagsList);
       } catch (err) {
         this.logger.debug(
           `CloudTrail ListTags(${trail.TrailARN}) failed: ${err instanceof Error ? err.message : String(err)}`
         );
       }
     }
+    result["Tags"] = tags;
     return result;
   }
   async import(input) {
@@ -35421,7 +35521,12 @@ var CodeBuildProvider = class {
     const name = properties["Name"] ?? logicalId;
     const source = properties["Source"];
     const environment = properties["Environment"];
-    const serviceRole = properties["ServiceRole"];
+    const sanitizeOptionalString = (value) => {
+      if (typeof value !== "string")
+        return value;
+      return value === "" ? void 0 : value;
+    };
+    const serviceRole = sanitizeOptionalString(properties["ServiceRole"]);
     const artifacts = properties["Artifacts"];
     const tags = properties["Tags"];
     const envVars = environment?.["EnvironmentVariables"];
@@ -35512,7 +35617,7 @@ var CodeBuildProvider = class {
       description: properties["Description"],
       timeoutInMinutes: properties["TimeoutInMinutes"],
       queuedTimeoutInMinutes: properties["QueuedTimeoutInMinutes"],
-      encryptionKey: properties["EncryptionKey"],
+      encryptionKey: sanitizeOptionalString(properties["EncryptionKey"]),
       cache: cache2,
       vpcConfig,
       logsConfig,
@@ -35523,7 +35628,7 @@ var CodeBuildProvider = class {
       fileSystemLocations,
       buildBatchConfig,
       badgeEnabled: properties["BadgeEnabled"],
-      sourceVersion: properties["SourceVersion"]
+      sourceVersion: sanitizeOptionalString(properties["SourceVersion"])
     };
   }
   async create(logicalId, resourceType, properties) {
@@ -35977,10 +36082,11 @@ var S3VectorsProvider = class {
     }
     if (bucket?.encryptionConfiguration) {
       const enc = {};
-      if (bucket.encryptionConfiguration.sseType !== void 0) {
-        enc["SSEType"] = bucket.encryptionConfiguration.sseType;
+      const sseType = bucket.encryptionConfiguration.sseType;
+      if (sseType !== void 0) {
+        enc["SSEType"] = sseType;
       }
-      if (bucket.encryptionConfiguration.kmsKeyArn !== void 0) {
+      if (sseType === "aws:kms" && bucket.encryptionConfiguration.kmsKeyArn !== void 0) {
         enc["KMSKeyArn"] = bucket.encryptionConfiguration.kmsKeyArn;
       }
       if (Object.keys(enc).length > 0)
@@ -43784,7 +43890,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.50.11");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.50.13");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());