@go-to-k/cdkd 0.50.7 → 0.50.9

package/dist/cli.js

@@ -15477,18 +15477,36 @@ var LambdaUrlProvider = class {
   /**
    * Update a Lambda Function URL
    */
-  async update(logicalId, physicalId, _resourceType, properties, _previousProperties) {
+  async update(logicalId, physicalId, _resourceType, properties, previousProperties) {
     this.logger.debug(`Updating Lambda URL ${logicalId}: ${physicalId}`);
+    const handled = this.handledProperties.get("AWS::Lambda::Url") ?? /* @__PURE__ */ new Set();
+    let changed = false;
+    for (const key of handled) {
+      if (JSON.stringify(properties[key] ?? null) !== JSON.stringify(previousProperties[key] ?? null)) {
+        changed = true;
+        break;
+      }
+    }
+    if (!changed) {
+      return {
+        physicalId,
+        wasReplaced: false,
+        attributes: {}
+      };
+    }
     const authType = properties["AuthType"] || "NONE";
     const cors = properties["Cors"];
     const updateParams = {
       FunctionName: physicalId,
       AuthType: authType
     };
-    if (properties["InvokeMode"])
+    if (properties["InvokeMode"] !== void 0)
       updateParams.InvokeMode = properties["InvokeMode"];
     if (cors) {
-      updateParams.Cors = this.buildCorsConfig(cors);
+      const builtCors = this.buildCorsConfig(cors);
+      if (Object.keys(builtCors).length > 0) {
+        updateParams.Cors = builtCors;
+      }
     }
     const response = await this.lambdaClient.send(new UpdateFunctionUrlConfigCommand(updateParams));
     return {
@@ -15638,19 +15656,36 @@ var LambdaUrlProvider = class {
     return null;
   }
   /**
-   * Build CORS configuration from CDK properties
+   * Build CORS configuration from CDK properties.
+   *
+   * Empty arrays from `readCurrentState`'s always-emit placeholder
+   * (`AllowOrigins: []`, `AllowMethods: []`, `AllowHeaders: []`,
+   * `ExposeHeaders: []`) are intentionally dropped here — emitting them
+   * to AWS would configure CORS with empty allowlists instead of
+   * leaving CORS unset. The caller (`update()` / `create()`) treats an
+   * empty `Cors` object as "no CORS configured" and omits it from the
+   * SDK input. `MaxAge` uses `!== undefined` so the valid AWS input
+   * `MaxAge: 0` (= "do not cache preflight responses") is preserved.
    */
   buildCorsConfig(cors) {
     const config = {};
-    if (cors["AllowOrigins"])
-      config.AllowOrigins = cors["AllowOrigins"];
-    if (cors["AllowMethods"])
-      config.AllowMethods = cors["AllowMethods"];
-    if (cors["AllowHeaders"])
-      config.AllowHeaders = cors["AllowHeaders"];
-    if (cors["ExposeHeaders"])
-      config.ExposeHeaders = cors["ExposeHeaders"];
-    if (cors["MaxAge"])
+    const allowOrigins = cors["AllowOrigins"];
+    if (Array.isArray(allowOrigins) && allowOrigins.length > 0) {
+      config.AllowOrigins = allowOrigins;
+    }
+    const allowMethods = cors["AllowMethods"];
+    if (Array.isArray(allowMethods) && allowMethods.length > 0) {
+      config.AllowMethods = allowMethods;
+    }
+    const allowHeaders = cors["AllowHeaders"];
+    if (Array.isArray(allowHeaders) && allowHeaders.length > 0) {
+      config.AllowHeaders = allowHeaders;
+    }
+    const exposeHeaders = cors["ExposeHeaders"];
+    if (Array.isArray(exposeHeaders) && exposeHeaders.length > 0) {
+      config.ExposeHeaders = exposeHeaders;
+    }
+    if (cors["MaxAge"] !== void 0)
       config.MaxAge = cors["MaxAge"];
     if (cors["AllowCredentials"] !== void 0)
       config.AllowCredentials = cors["AllowCredentials"];
@@ -15669,6 +15704,43 @@ import {
   ResourceNotFoundException as ResourceNotFoundException4
 } from "@aws-sdk/client-lambda";
 init_aws_clients();
+function classifyEventSource(resp) {
+  if (resp.SelfManagedEventSource !== void 0)
+    return "kafka";
+  if (resp.SelfManagedKafkaEventSourceConfig !== void 0)
+    return "kafka";
+  if (resp.AmazonManagedKafkaEventSourceConfig !== void 0)
+    return "kafka";
+  if (resp.DocumentDBEventSourceConfig !== void 0)
+    return "documentdb";
+  const arn = resp.EventSourceArn;
+  if (!arn)
+    return "unknown";
+  if (arn.startsWith("arn:aws:sqs:") || arn.startsWith("arn:aws-cn:sqs:"))
+    return "sqs";
+  if (arn.startsWith("arn:aws:kinesis:") || arn.startsWith("arn:aws-cn:kinesis:"))
+    return "kinesis";
+  if (arn.startsWith("arn:aws:dynamodb:") || arn.startsWith("arn:aws-cn:dynamodb:"))
+    return "dynamodb";
+  if (arn.startsWith("arn:aws:kafka:") || arn.startsWith("arn:aws-cn:kafka:"))
+    return "kafka";
+  if (arn.startsWith("arn:aws:mq:") || arn.startsWith("arn:aws-cn:mq:"))
+    return "mq";
+  if (arn.startsWith("arn:aws:rds:") || arn.startsWith("arn:aws-cn:rds:")) {
+    return "documentdb";
+  }
+  return "unknown";
+}
+var KINDS_WITH_FUNCTION_RESPONSE_TYPES = /* @__PURE__ */ new Set([
+  "sqs",
+  "kinesis",
+  "dynamodb"
+]);
+var KINDS_WITH_SOURCE_ACCESS_CONFIGURATIONS = /* @__PURE__ */ new Set([
+  "kafka",
+  "mq",
+  "documentdb"
+]);
 var LambdaEventSourceMappingProvider = class {
   lambdaClient;
   logger = getLogger().child("LambdaEventSourceMappingProvider");
@@ -15795,33 +15867,33 @@ var LambdaEventSourceMappingProvider = class {
       UUID: physicalId,
       FunctionName: properties["FunctionName"]
     };
-    if (properties["BatchSize"])
+    if (properties["BatchSize"] !== void 0)
       updateParams.BatchSize = properties["BatchSize"];
     if (properties["Enabled"] !== void 0)
       updateParams.Enabled = properties["Enabled"];
-    if (properties["MaximumBatchingWindowInSeconds"])
+    if (properties["MaximumBatchingWindowInSeconds"] !== void 0)
       updateParams.MaximumBatchingWindowInSeconds = properties["MaximumBatchingWindowInSeconds"];
     if (properties["MaximumRetryAttempts"] !== void 0)
       updateParams.MaximumRetryAttempts = properties["MaximumRetryAttempts"];
     if (properties["BisectBatchOnFunctionError"] !== void 0)
       updateParams.BisectBatchOnFunctionError = properties["BisectBatchOnFunctionError"];
-    if (properties["MaximumRecordAgeInSeconds"])
+    if (properties["MaximumRecordAgeInSeconds"] !== void 0)
       updateParams.MaximumRecordAgeInSeconds = properties["MaximumRecordAgeInSeconds"];
-    if (properties["ParallelizationFactor"])
+    if (properties["ParallelizationFactor"] !== void 0)
       updateParams.ParallelizationFactor = properties["ParallelizationFactor"];
-    if (properties["FilterCriteria"])
+    if (properties["FilterCriteria"] !== void 0)
       updateParams.FilterCriteria = properties["FilterCriteria"];
-    if (properties["DestinationConfig"])
+    if (properties["DestinationConfig"] !== void 0)
       updateParams.DestinationConfig = properties["DestinationConfig"];
-    if (properties["TumblingWindowInSeconds"])
+    if (properties["TumblingWindowInSeconds"] !== void 0)
       updateParams.TumblingWindowInSeconds = properties["TumblingWindowInSeconds"];
-    if (properties["FunctionResponseTypes"])
+    if (properties["FunctionResponseTypes"] !== void 0)
       updateParams.FunctionResponseTypes = properties["FunctionResponseTypes"];
-    if (properties["SourceAccessConfigurations"])
+    if (properties["SourceAccessConfigurations"] !== void 0)
       updateParams.SourceAccessConfigurations = properties["SourceAccessConfigurations"];
-    if (properties["ScalingConfig"])
+    if (properties["ScalingConfig"] !== void 0)
       updateParams.ScalingConfig = properties["ScalingConfig"];
-    if (properties["DocumentDBEventSourceConfig"])
+    if (properties["DocumentDBEventSourceConfig"] !== void 0)
       updateParams.DocumentDBEventSourceConfig = properties["DocumentDBEventSourceConfig"];
     const updateResp = await this.lambdaClient.send(
       new UpdateEventSourceMappingCommand(updateParams)
@@ -15995,8 +16067,17 @@ var LambdaEventSourceMappingProvider = class {
     if (resp.TumblingWindowInSeconds !== void 0) {
       result["TumblingWindowInSeconds"] = resp.TumblingWindowInSeconds;
     }
-    result["FunctionResponseTypes"] = resp.FunctionResponseTypes ? [...resp.FunctionResponseTypes] : [];
-    result["SourceAccessConfigurations"] = resp.SourceAccessConfigurations ?? [];
+    const kind = classifyEventSource(resp);
+    if (KINDS_WITH_FUNCTION_RESPONSE_TYPES.has(kind)) {
+      result["FunctionResponseTypes"] = resp.FunctionResponseTypes ? [...resp.FunctionResponseTypes] : [];
+    } else if (resp.FunctionResponseTypes !== void 0) {
+      result["FunctionResponseTypes"] = [...resp.FunctionResponseTypes];
+    }
+    if (KINDS_WITH_SOURCE_ACCESS_CONFIGURATIONS.has(kind)) {
+      result["SourceAccessConfigurations"] = resp.SourceAccessConfigurations ?? [];
+    } else if (resp.SourceAccessConfigurations !== void 0) {
+      result["SourceAccessConfigurations"] = resp.SourceAccessConfigurations;
+    }
     if (resp.SelfManagedEventSource !== void 0) {
       result["SelfManagedEventSource"] = resp.SelfManagedEventSource;
     }
@@ -16124,19 +16205,35 @@ var LambdaLayerVersionProvider = class {
     }
   }
   /**
-   * Update a Lambda layer version
+   * Update a Lambda layer version.
+   *
+   * Lambda layer versions are immutable on AWS — there is no API to mutate
+   * `Content` / `CompatibleRuntimes` / `CompatibleArchitectures` /
+   * `Description` / `LicenseInfo` of an existing version. The only path to
+   * a "new value" is publishing a new version (new LayerVersionArn).
+   *
+   * Why this rejects with `ResourceUpdateNotSupportedError` instead of
+   * silently publishing a new version:
    *
-   * Lambda layer versions are immutable. An update publishes a new version.
-   * The new LayerVersionArn becomes the physical ID.
+   *   - `cdkd drift --revert` calls `update(observed, observed)` to push
+   *     state values back into AWS. For an immutable resource that cannot
+   *     have its in-place value changed, the only AWS-side effect of an
+   *     "update" is leaking a duplicate version of the same content,
+   *     which is never what `--revert` should do.
+   *   - On the deploy path, content / runtime / arch changes flow
+   *     through CDK's hash-based logical naming, which produces a fresh
+   *     logical ID and a CREATE+DELETE in cdkd's diff — `update()` is
+   *     not the path taken in practice. Users who hit this on a non-CDK
+   *     template should re-deploy with `--replace`.
    */
-  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
-    this.logger.debug(`Updating Lambda layer version ${logicalId}: ${physicalId}`);
-    const createResult = await this.create(logicalId, resourceType, properties);
-    return {
-      physicalId: createResult.physicalId,
-      wasReplaced: true,
-      attributes: createResult.attributes ?? {}
-    };
+  async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "Lambda layer versions are immutable on AWS; re-deploy with cdkd deploy --replace, or change the resource definition to publish a new version"
+      )
+    );
   }
   /**
    * Delete a Lambda layer version
@@ -16658,23 +16755,28 @@ var DynamoDBTableProvider = class {
           WriteCapacityUnits: table.ProvisionedThroughput.WriteCapacityUnits
         };
       }
-      if (table.StreamSpecification) {
+      if (table.StreamSpecification?.StreamEnabled && table.StreamSpecification.StreamViewType) {
         result["StreamSpecification"] = {
-          StreamEnabled: table.StreamSpecification.StreamEnabled,
+          StreamEnabled: true,
           StreamViewType: table.StreamSpecification.StreamViewType
         };
       }
-      result["GlobalSecondaryIndexes"] = table.GlobalSecondaryIndexes ?? [];
-      result["LocalSecondaryIndexes"] = table.LocalSecondaryIndexes ?? [];
-      const sse = {
-        SSEEnabled: table.SSEDescription?.Status === "ENABLED"
-      };
-      if (table.SSEDescription?.KMSMasterKeyArn !== void 0) {
-        sse["KMSMasterKeyId"] = table.SSEDescription.KMSMasterKeyArn;
+      if (table.GlobalSecondaryIndexes && table.GlobalSecondaryIndexes.length > 0) {
+        result["GlobalSecondaryIndexes"] = table.GlobalSecondaryIndexes;
+      }
+      if (table.LocalSecondaryIndexes && table.LocalSecondaryIndexes.length > 0) {
+        result["LocalSecondaryIndexes"] = table.LocalSecondaryIndexes;
+      }
+      if (table.SSEDescription?.Status === "ENABLED") {
+        const sse = { SSEEnabled: true };
+        if (table.SSEDescription.KMSMasterKeyArn !== void 0) {
+          sse["KMSMasterKeyId"] = table.SSEDescription.KMSMasterKeyArn;
+        }
+        if (table.SSEDescription.SSEType !== void 0) {
+          sse["SSEType"] = table.SSEDescription.SSEType;
+        }
+        result["SSESpecification"] = sse;
       }
-      if (table.SSEDescription?.SSEType !== void 0)
-        sse["SSEType"] = table.SSEDescription.SSEType;
-      result["SSESpecification"] = sse;
       if (table.DeletionProtectionEnabled !== void 0) {
         result["DeletionProtectionEnabled"] = table.DeletionProtectionEnabled;
       }
@@ -17627,9 +17729,9 @@ var SecretsManagerSecretProvider = class {
       };
       if (secretString)
         updateParams.SecretString = secretString;
-      if (properties["Description"])
+      if (properties["Description"] !== void 0)
         updateParams.Description = properties["Description"];
-      if (properties["KmsKeyId"])
+      if (properties["KmsKeyId"] !== void 0 && properties["KmsKeyId"] !== "")
         updateParams.KmsKeyId = properties["KmsKeyId"];
       await this.smClient.send(new UpdateSecretCommand(updateParams));
       const newTags = properties["Tags"];
@@ -27153,13 +27255,14 @@ var RDSProvider = class {
   async updateDBSubnetGroup(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating DBSubnetGroup ${logicalId}: ${physicalId}`);
     try {
-      await this.getClient().send(
-        new ModifyDBSubnetGroupCommand({
-          DBSubnetGroupName: physicalId,
-          DBSubnetGroupDescription: properties["DBSubnetGroupDescription"],
-          SubnetIds: properties["SubnetIds"]
-        })
-      );
+      const subnetIds = properties["SubnetIds"];
+      const sendSubnetIds = subnetIds !== void 0 && subnetIds.length > 0;
+      const modifyInput = {
+        DBSubnetGroupName: physicalId,
+        DBSubnetGroupDescription: properties["DBSubnetGroupDescription"],
+        ...sendSubnetIds && { SubnetIds: subnetIds }
+      };
+      await this.getClient().send(new ModifyDBSubnetGroupCommand(modifyInput));
       const desc = await this.getClient().send(
         new DescribeDBSubnetGroupsCommand({ DBSubnetGroupName: physicalId })
       );
@@ -27289,16 +27392,19 @@ var RDSProvider = class {
     this.logger.debug(`Updating DBCluster ${logicalId}: ${physicalId}`);
     try {
       const serverlessV2Config = properties["ServerlessV2ScalingConfiguration"];
+      const hasServerlessV2 = serverlessV2Config !== void 0 && (serverlessV2Config.MinCapacity !== void 0 || serverlessV2Config.MaxCapacity !== void 0);
+      const vpcSgIds = properties["VpcSecurityGroupIds"];
+      const sendVpcSgIds = vpcSgIds !== void 0 && vpcSgIds.length > 0;
       await this.getClient().send(
         new ModifyDBClusterCommand({
           DBClusterIdentifier: physicalId,
           EngineVersion: properties["EngineVersion"],
           DeletionProtection: properties["DeletionProtection"],
           BackupRetentionPeriod: properties["BackupRetentionPeriod"] != null ? Number(properties["BackupRetentionPeriod"]) : void 0,
-          VpcSecurityGroupIds: properties["VpcSecurityGroupIds"],
+          ...sendVpcSgIds && { VpcSecurityGroupIds: vpcSgIds },
           MasterUserPassword: properties["MasterUserPassword"],
           Port: properties["Port"] != null ? Number(properties["Port"]) : void 0,
-          ...serverlessV2Config && {
+          ...hasServerlessV2 && {
             ServerlessV2ScalingConfiguration: {
               MinCapacity: serverlessV2Config.MinCapacity,
               MaxCapacity: serverlessV2Config.MaxCapacity
@@ -27797,7 +27903,7 @@ var RDSProvider = class {
     if (cluster.DeletionProtection !== void 0) {
       result["DeletionProtection"] = cluster.DeletionProtection;
     }
-    {
+    if (cluster.ServerlessV2ScalingConfiguration?.MinCapacity !== void 0 || cluster.ServerlessV2ScalingConfiguration?.MaxCapacity !== void 0) {
       const sc = {};
       if (cluster.ServerlessV2ScalingConfiguration?.MinCapacity !== void 0) {
         sc["MinCapacity"] = cluster.ServerlessV2ScalingConfiguration.MinCapacity;
@@ -29987,11 +30093,13 @@ var ElastiCacheProvider = class {
   async updateCacheCluster(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating CacheCluster ${logicalId}: ${physicalId}`);
     try {
+      const rawSgIds = properties["VpcSecurityGroupIds"];
+      const sgIds = rawSgIds && rawSgIds.length > 0 ? rawSgIds : void 0;
       await this.getClient().send(
         new ModifyCacheClusterCommand({
           CacheClusterId: physicalId,
           NumCacheNodes: properties["NumCacheNodes"] != null ? Number(properties["NumCacheNodes"]) : void 0,
-          SecurityGroupIds: properties["VpcSecurityGroupIds"],
+          SecurityGroupIds: sgIds,
           CacheParameterGroupName: properties["CacheParameterGroupName"],
           EngineVersion: properties["EngineVersion"],
           PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
@@ -30269,7 +30377,7 @@ var ElastiCacheProvider = class {
       result["IpDiscovery"] = cluster.IpDiscovery;
     if (cluster.NetworkType !== void 0)
       result["NetworkType"] = cluster.NetworkType;
-    if (cluster.TransitEncryptionEnabled !== void 0) {
+    if (cluster.Engine === "redis" && cluster.TransitEncryptionEnabled !== void 0) {
       result["TransitEncryptionEnabled"] = cluster.TransitEncryptionEnabled;
     }
     if (cluster.CacheNodes?.[0]?.Endpoint?.Port !== void 0) {
@@ -32911,6 +33019,36 @@ var KMSProvider = class {
     }
     return result;
   }
+  /**
+   * Declare state property paths cdkd cannot round-trip from AWS, so the
+   * drift comparator skips them instead of firing guaranteed false-
+   * positive drift on every clean run.
+   *
+   *  - `KeyPolicy`: cdkd does NOT call `GetKeyPolicy` in `readCurrentState`.
+   *    The policy body needs JSON parsing for comparison and a separate
+   *    SDK call; deferred to a follow-up. Until then, any user who
+   *    templates `KeyPolicy` would see guaranteed drift.
+   *  - `EnableKeyRotation` / `RotationPeriodInDays`: cdkd does NOT call
+   *    `GetKeyRotationStatus`. Same reason — deferred to a follow-up.
+   *    `EnableKeyRotation` is also a Class 1 candidate (only valid for
+   *    `KeySpec=SYMMETRIC_DEFAULT`); when we lift this gap the read side
+   *    must gate the emit on the discriminator.
+   *  - `BypassPolicyLockoutSafetyCheck` / `PendingWindowInDays`: not part
+   *    of the persisted AWS state visible via `DescribeKey` — both are
+   *    create / delete-time-only inputs.
+   */
+  getDriftUnknownPaths(resourceType) {
+    if (resourceType === "AWS::KMS::Key") {
+      return [
+        "KeyPolicy",
+        "EnableKeyRotation",
+        "RotationPeriodInDays",
+        "BypassPolicyLockoutSafetyCheck",
+        "PendingWindowInDays"
+      ];
+    }
+    return [];
+  }
   async readCurrentStateAlias(physicalId) {
     let marker;
     do {
@@ -43531,7 +43669,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.50.7");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.50.9");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());