@go-to-k/cdkd 0.50.13 → 0.51.1

package/dist/index.js

@@ -7636,6 +7636,7 @@ import {
   UpdateAssumeRolePolicyCommand,
   DeleteRoleCommand,
   GetRoleCommand,
+  GetRolePolicyCommand,
   PutRolePolicyCommand,
   DeleteRolePolicyCommand,
   ListRolePoliciesCommand,
@@ -8248,8 +8249,14 @@ var IAMRoleProvider = class {
    * against state's already-parsed object.
    *
    * Coverage and shape decisions:
-   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path`,
-   *    `PermissionsBoundary` — straight from `Role.*`.
+   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path` — straight
+   *    from `Role.*`.
+   *  - `PermissionsBoundary` — emitted as `'' ` placeholder when AWS has
+   *    none, so a console-side ADD on a role that was deployed without a
+   *    boundary surfaces as drift. (The drift comparator's top-level walk
+   *    is state-keys-only; without the always-emit placeholder a fresh
+   *    `PermissionsBoundary` on the AWS side would never enter
+   *    `observedProperties` and the comparator would silently ignore it.)
    *  - `AssumeRolePolicyDocument` — `Role.AssumeRolePolicyDocument` is a
    *    URL-encoded JSON string; we URL-decode + JSON-parse so cdkd state's
    *    object form compares cleanly. (Both shapes — string and object — are
@@ -8257,20 +8264,23 @@ var IAMRoleProvider = class {
    *    after intrinsic resolution.)
    *  - `ManagedPolicyArns` — array of ARN strings from
    *    `ListAttachedRolePolicies`.
-   *  - `Policies` (inline policies with `PolicyDocument` bodies) is
-   *    intentionally omitted: surfacing names without bodies guarantees a
-   *    PolicyDocument-shaped drift on every role, and fetching every body
-   *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
-   *    v1 — drift detection on inline IAM policy bodies can ship in a
-   *    follow-up.
+   *  - `Policies` — inline policies surfaced as `[{PolicyName, PolicyDocument}]`.
+   *    `ListRolePolicies` for names + `GetRolePolicy` per name for the
+   *    body (URL-decoded + JSON-parsed). Ordering is reconciled against
+   *    state's `Policies` array (when supplied via the `properties`
+   *    parameter) so a state-vs-AWS positional compare doesn't fire false
+   *    drift purely from `ListRolePolicies` returning lexicographic order;
+   *    AWS-only policies (added via console) are appended at the end so
+   *    they still surface as drift via length / content mismatch.
    *  - `Tags` is surfaced via `ListRoleTags` (paginated). CDK's `aws:*`
    *    auto-tags are filtered out by `normalizeAwsTagsToCfn` so they don't
-   *    fire false-positive drift; the result key is omitted entirely when
-   *    AWS reports no user tags (matches `create()`'s behavior).
+   *    fire false-positive drift; always emitted (even when empty) so a
+   *    console-side tag ADD on an originally-untagged role surfaces as
+   *    drift on the v3 observedProperties baseline.
    *
    * Returns `undefined` when the role is gone (`NoSuchEntityException`).
    */
-  async readCurrentState(physicalId, _logicalId, _resourceType) {
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
     let role;
     try {
       const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
@@ -8291,9 +8301,7 @@ var IAMRoleProvider = class {
     }
     if (role.Path !== void 0)
       result["Path"] = role.Path;
-    if (role.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
-      result["PermissionsBoundary"] = role.PermissionsBoundary.PermissionsBoundaryArn;
-    }
+    result["PermissionsBoundary"] = role.PermissionsBoundary?.PermissionsBoundaryArn ?? "";
     if (role.AssumeRolePolicyDocument) {
       try {
         result["AssumeRolePolicyDocument"] = JSON.parse(
@@ -8313,6 +8321,59 @@ var IAMRoleProvider = class {
       if (!(err instanceof NoSuchEntityException))
         throw err;
     }
+    try {
+      const policyNames = [];
+      let policyMarker;
+      while (true) {
+        const listResp = await this.iamClient.send(
+          new ListRolePoliciesCommand({
+            RoleName: physicalId,
+            ...policyMarker ? { Marker: policyMarker } : {}
+          })
+        );
+        for (const name of listResp.PolicyNames ?? [])
+          policyNames.push(name);
+        if (!listResp.IsTruncated)
+          break;
+        policyMarker = listResp.Marker;
+      }
+      const bodies = /* @__PURE__ */ new Map();
+      await Promise.all(
+        policyNames.map(async (name) => {
+          const resp = await this.iamClient.send(
+            new GetRolePolicyCommand({ RoleName: physicalId, PolicyName: name })
+          );
+          if (!resp.PolicyDocument)
+            return;
+          let parsed;
+          try {
+            parsed = JSON.parse(decodeURIComponent(resp.PolicyDocument));
+          } catch {
+            parsed = resp.PolicyDocument;
+          }
+          bodies.set(name, parsed);
+        })
+      );
+      const statePolicies = properties?.["Policies"] ?? [];
+      const remaining = new Set(bodies.keys());
+      const inline = [];
+      for (const sp of statePolicies) {
+        const name = sp?.PolicyName;
+        if (typeof name !== "string")
+          continue;
+        if (bodies.has(name)) {
+          inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+          remaining.delete(name);
+        }
+      }
+      for (const name of [...remaining].sort()) {
+        inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+      }
+      result["Policies"] = inline;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
     try {
       const collected = [];
       let marker;
@@ -8340,18 +8401,6 @@ var IAMRoleProvider = class {
     }
     return result;
   }
-  /**
-   * `Policies` (inline policy bodies) are intentionally omitted from
-   * `readCurrentState`: surfacing the names without bodies would
-   * guarantee a `PolicyDocument`-shaped drift on every role, and
-   * fetching every body costs one extra `GetRolePolicy` per inline
-   * policy. Tell the drift comparator to skip the whole subtree until a
-   * dedicated PR adds proper inline-policy drift via per-name
-   * `GetRolePolicy`.
-   */
-  getDriftUnknownPaths() {
-    return ["Policies"];
-  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -8807,6 +8856,65 @@ var DeployEngine = class {
       }
     }
   }
+  /**
+   * Kick off `provider.readCurrentState` for every resource in the
+   * loaded state that lacks `observedProperties` (e.g. state written
+   * by a pre-v3 binary, or a v3 record where a NO_CHANGE-skipped
+   * resource's baseline never landed). Calls go through
+   * `kickOffObservedCapture`, so they share the same fire-and-forget
+   * pipeline, error swallowing, and final-drain wiring that the
+   * post-CREATE / post-UPDATE captures use.
+   *
+   * The deploy critical path does NOT wait on these; the cost is
+   * bounded by `max(per-resource readCurrentState latency)` (typically
+   * ~200-300ms in practice) once at the end-of-deploy drain. Any
+   * resource that subsequently goes through CREATE / UPDATE in the
+   * same deploy will overwrite this entry via the `Map.set` keyed by
+   * `logicalId` (latest-wins) — so there's no double-write to state,
+   * just a wasted SDK call for the (rare) UPDATE / DELETE intersection.
+   *
+   * Resources whose provider lookup throws (e.g. unsupported type) or
+   * lacks `readCurrentState` are silently skipped — same policy as the
+   * manual `cdkd state refresh-observed` command.
+   */
+  kickOffAutoRefreshObservedProperties(stateResources) {
+    if (this.options.captureObservedState !== true)
+      return;
+    if (this.options.dryRun === true)
+      return;
+    let toRefresh = 0;
+    const candidates = [];
+    for (const [logicalId, resource] of Object.entries(stateResources)) {
+      if (resource.observedProperties !== void 0)
+        continue;
+      candidates.push({ logicalId, resource });
+    }
+    if (candidates.length === 0)
+      return;
+    for (const { logicalId, resource } of candidates) {
+      let provider;
+      try {
+        provider = this.providerRegistry.getProvider(resource.resourceType);
+      } catch {
+        continue;
+      }
+      if (!provider.readCurrentState)
+        continue;
+      this.kickOffObservedCapture(
+        provider,
+        logicalId,
+        resource.physicalId,
+        resource.resourceType,
+        resource.properties ?? {}
+      );
+      toRefresh++;
+    }
+    if (toRefresh > 0) {
+      this.logger.warn(
+        `cdkd state schema upgrade detected \u2014 refreshing observed-properties baseline for ${toRefresh} resource(s) (one-time, runs in parallel with deploy)`
+      );
+    }
+  }
   async doDeploy(stackName, template) {
     const startTime = Date.now();
     this.logger.debug(`Starting deployment for stack: ${stackName}`);
@@ -8838,6 +8946,7 @@ var DeployEngine = class {
       this.logger.debug(
         `Loaded current state: ${Object.keys(currentState.resources).length} resources`
       );
+      this.kickOffAutoRefreshObservedProperties(currentState.resources);
       this.logger.debug(`Template has ${Object.keys(template.Resources || {}).length} resources`);
       const parameterValues = await this.resolver.resolveParameters(
         template,
@@ -8882,6 +8991,35 @@ var DeployEngine = class {
       const hasChanges = this.diffCalculator.hasChanges(changes);
       if (!hasChanges) {
         this.logger.info("No changes detected. Stack is up to date.");
+        if (!this.options.dryRun && this.observedCaptureTasks.size > 0) {
+          await this.drainObservedCaptures(currentState.resources);
+          try {
+            const refreshedState = {
+              version: STATE_SCHEMA_VERSION_CURRENT,
+              region: this.stackRegion,
+              stackName: currentState.stackName,
+              resources: currentState.resources,
+              outputs: currentState.outputs,
+              lastModified: Date.now()
+            };
+            const saveOptions = {};
+            if (currentEtag !== void 0)
+              saveOptions.expectedEtag = currentEtag;
+            if (migrationPending)
+              saveOptions.migrateLegacy = true;
+            await this.stateBackend.saveState(
+              stackName,
+              this.stackRegion,
+              refreshedState,
+              saveOptions
+            );
+            this.logger.debug("Persisted refreshed observedProperties (no-change path)");
+          } catch (saveError) {
+            this.logger.warn(
+              `Failed to persist refreshed observedProperties: ${saveError instanceof Error ? saveError.message : String(saveError)} \u2014 drift baseline will be re-fetched on next deploy.`
+            );
+          }
+        }
         return {
           stackName,
           created: 0,