@go-to-k/cdkd 0.50.8 → 0.50.10

package/dist/cli.js

@@ -16755,23 +16755,28 @@ var DynamoDBTableProvider = class {
           WriteCapacityUnits: table.ProvisionedThroughput.WriteCapacityUnits
         };
       }
-      if (table.StreamSpecification) {
+      if (table.StreamSpecification?.StreamEnabled && table.StreamSpecification.StreamViewType) {
         result["StreamSpecification"] = {
-          StreamEnabled: table.StreamSpecification.StreamEnabled,
+          StreamEnabled: true,
           StreamViewType: table.StreamSpecification.StreamViewType
         };
       }
-      result["GlobalSecondaryIndexes"] = table.GlobalSecondaryIndexes ?? [];
-      result["LocalSecondaryIndexes"] = table.LocalSecondaryIndexes ?? [];
-      const sse = {
-        SSEEnabled: table.SSEDescription?.Status === "ENABLED"
-      };
-      if (table.SSEDescription?.KMSMasterKeyArn !== void 0) {
-        sse["KMSMasterKeyId"] = table.SSEDescription.KMSMasterKeyArn;
+      if (table.GlobalSecondaryIndexes && table.GlobalSecondaryIndexes.length > 0) {
+        result["GlobalSecondaryIndexes"] = table.GlobalSecondaryIndexes;
+      }
+      if (table.LocalSecondaryIndexes && table.LocalSecondaryIndexes.length > 0) {
+        result["LocalSecondaryIndexes"] = table.LocalSecondaryIndexes;
+      }
+      if (table.SSEDescription?.Status === "ENABLED") {
+        const sse = { SSEEnabled: true };
+        if (table.SSEDescription.KMSMasterKeyArn !== void 0) {
+          sse["KMSMasterKeyId"] = table.SSEDescription.KMSMasterKeyArn;
+        }
+        if (table.SSEDescription.SSEType !== void 0) {
+          sse["SSEType"] = table.SSEDescription.SSEType;
+        }
+        result["SSESpecification"] = sse;
       }
-      if (table.SSEDescription?.SSEType !== void 0)
-        sse["SSEType"] = table.SSEDescription.SSEType;
-      result["SSESpecification"] = sse;
       if (table.DeletionProtectionEnabled !== void 0) {
         result["DeletionProtectionEnabled"] = table.DeletionProtectionEnabled;
       }
@@ -17724,9 +17729,9 @@ var SecretsManagerSecretProvider = class {
       };
       if (secretString)
         updateParams.SecretString = secretString;
-      if (properties["Description"])
+      if (properties["Description"] !== void 0)
         updateParams.Description = properties["Description"];
-      if (properties["KmsKeyId"])
+      if (properties["KmsKeyId"] !== void 0 && properties["KmsKeyId"] !== "")
         updateParams.KmsKeyId = properties["KmsKeyId"];
       await this.smClient.send(new UpdateSecretCommand(updateParams));
       const newTags = properties["Tags"];
@@ -19407,7 +19412,11 @@ var EC2Provider = class {
       case "AWS::EC2::NetworkAcl":
       case "AWS::EC2::NetworkAclEntry":
       case "AWS::EC2::SubnetNetworkAclAssociation":
-        return { physicalId, wasReplaced: false };
+        throw new ResourceUpdateNotSupportedError(
+          resourceType,
+          logicalId,
+          "destroy + redeploy. The property surface for this resource type is effectively immutable in cdkd today."
+        );
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -19552,21 +19561,28 @@ var EC2Provider = class {
   async updateVpc(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating VPC ${logicalId}: ${physicalId}`);
     try {
-      if (properties["EnableDnsHostnames"] !== void 0) {
-        const value = properties["EnableDnsHostnames"] === true || properties["EnableDnsHostnames"] === "true";
+      const asBool = (v) => {
+        if (v === void 0)
+          return void 0;
+        return v === true || v === "true";
+      };
+      const newDnsHostnames = asBool(properties["EnableDnsHostnames"]);
+      const oldDnsHostnames = asBool(previousProperties["EnableDnsHostnames"]);
+      if (newDnsHostnames !== void 0 && newDnsHostnames !== oldDnsHostnames) {
         await this.ec2Client.send(
           new ModifyVpcAttributeCommand({
             VpcId: physicalId,
-            EnableDnsHostnames: { Value: value }
+            EnableDnsHostnames: { Value: newDnsHostnames }
           })
         );
       }
-      if (properties["EnableDnsSupport"] !== void 0) {
-        const value = properties["EnableDnsSupport"] === true || properties["EnableDnsSupport"] === "true";
+      const newDnsSupport = asBool(properties["EnableDnsSupport"]);
+      const oldDnsSupport = asBool(previousProperties["EnableDnsSupport"]);
+      if (newDnsSupport !== void 0 && newDnsSupport !== oldDnsSupport) {
         await this.ec2Client.send(
           new ModifyVpcAttributeCommand({
             VpcId: physicalId,
-            EnableDnsSupport: { Value: value }
+            EnableDnsSupport: { Value: newDnsSupport }
           })
         );
       }
@@ -19749,8 +19765,13 @@ var EC2Provider = class {
     }
   }
   updateSubnet(logicalId, physicalId) {
-    this.logger.debug(`Updating Subnet ${logicalId}: ${physicalId} (no-op, immutable properties)`);
-    return Promise.resolve({ physicalId, wasReplaced: false });
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::EC2::Subnet",
+        logicalId,
+        "destroy + redeploy the Subnet (and the resources that depend on it). Subnet properties are immutable in AWS."
+      )
+    );
   }
   async deleteSubnet(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Subnet ${logicalId}: ${physicalId}`);
@@ -19885,8 +19906,13 @@ var EC2Provider = class {
     }
   }
   updateInternetGateway(logicalId, physicalId) {
-    this.logger.debug(`Updating InternetGateway ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({ physicalId, wasReplaced: false });
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::EC2::InternetGateway",
+        logicalId,
+        "destroy + redeploy the InternetGateway. IGW properties are immutable in AWS."
+      )
+    );
   }
   async deleteInternetGateway(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting InternetGateway ${logicalId}: ${physicalId}`);
@@ -19955,8 +19981,13 @@ var EC2Provider = class {
     }
   }
   updateVpcGatewayAttachment(logicalId, physicalId) {
-    this.logger.debug(`Updating VPCGatewayAttachment ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({ physicalId, wasReplaced: false });
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::EC2::VPCGatewayAttachment",
+        logicalId,
+        "destroy + redeploy the VPCGatewayAttachment. The (VpcId, InternetGatewayId) pair is immutable."
+      )
+    );
   }
   async deleteVpcGatewayAttachment(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting VPCGatewayAttachment ${logicalId}: ${physicalId}`);
@@ -20071,8 +20102,13 @@ var EC2Provider = class {
     }
   }
   updateNatGateway(logicalId, physicalId) {
-    this.logger.debug(`Updating NatGateway ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({ physicalId, wasReplaced: false });
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::EC2::NatGateway",
+        logicalId,
+        "destroy + redeploy the NatGateway (and the dependent Routes). NAT Gateway properties are immutable in AWS."
+      )
+    );
   }
   async deleteNatGateway(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting NatGateway ${logicalId}: ${physicalId}`);
@@ -20147,8 +20183,13 @@ var EC2Provider = class {
     }
   }
   updateRouteTable(logicalId, physicalId) {
-    this.logger.debug(`Updating RouteTable ${logicalId}: ${physicalId} (no-op)`);
-    return Promise.resolve({ physicalId, wasReplaced: false });
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::EC2::RouteTable",
+        logicalId,
+        "destroy + redeploy the RouteTable (and its associated Routes / SubnetRouteTableAssociations). VpcId is immutable."
+      )
+    );
   }
   async deleteRouteTable(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting RouteTable ${logicalId}: ${physicalId}`);
@@ -20223,8 +20264,11 @@ var EC2Provider = class {
       );
     }
   }
-  async updateRoute(logicalId, physicalId, resourceType, properties, _previousProperties) {
+  async updateRoute(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating Route ${logicalId}: ${physicalId}`);
+    if (JSON.stringify(properties) === JSON.stringify(previousProperties)) {
+      return { physicalId, wasReplaced: false };
+    }
     try {
       await this.deleteRoute(logicalId, physicalId, resourceType);
       const createResult = await this.createRoute(logicalId, resourceType, properties);
@@ -20327,10 +20371,13 @@ var EC2Provider = class {
     }
   }
   updateSubnetRouteTableAssociation(logicalId, physicalId) {
-    this.logger.debug(
-      `Updating SubnetRouteTableAssociation ${logicalId}: ${physicalId} (no-op, requires replacement)`
+    return Promise.reject(
+      new ResourceUpdateNotSupportedError(
+        "AWS::EC2::SubnetRouteTableAssociation",
+        logicalId,
+        "destroy + redeploy the association. (SubnetId, RouteTableId) is immutable."
+      )
     );
-    return Promise.resolve({ physicalId, wasReplaced: false });
   }
   async deleteSubnetRouteTableAssociation(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting SubnetRouteTableAssociation ${logicalId}: ${physicalId}`);
@@ -20628,6 +20675,9 @@ var EC2Provider = class {
   }
   async updateSecurityGroupIngress(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating SecurityGroupIngress ${logicalId}: ${physicalId}`);
+    if (JSON.stringify(properties) === JSON.stringify(previousProperties)) {
+      return { physicalId, wasReplaced: false };
+    }
     try {
       await this.deleteSecurityGroupIngress(
         logicalId,
@@ -23901,6 +23951,24 @@ var CloudFrontOAIProvider = class {
       throw err;
     }
   }
+  /**
+   * State property paths the comparator must skip during drift detection.
+   *
+   * `CloudFrontOriginAccessIdentityConfig.CallerReference` is set by cdkd
+   * to `logicalId` at create time regardless of what the CDK template
+   * specified, so it ends up in `state.properties` (from the resolved
+   * template) but is intentionally not surfaced by `readCurrentState`. A
+   * keys-from-state walk would otherwise compare `state.CallerReference`
+   * against `aws=undefined` and fire a guaranteed false positive on every
+   * clean run for any stack whose template templated CallerReference.
+   *
+   * The field is also immutable in AWS — the OAI's CallerReference cannot
+   * change post-create — so omitting it from drift is also semantically
+   * correct.
+   */
+  getDriftUnknownPaths() {
+    return ["CloudFrontOriginAccessIdentityConfig.CallerReference"];
+  }
   /**
    * Adopt an existing CloudFront Origin Access Identity into cdkd state.
    *
@@ -26544,7 +26612,8 @@ var ELBv2Provider = class {
   async updateTargetGroup(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating TargetGroup ${logicalId}: ${physicalId}`);
     try {
-      const matcher = properties["Matcher"];
+      const rawMatcher = properties["Matcher"];
+      const matcher = rawMatcher && (rawMatcher.HttpCode !== void 0 || rawMatcher.GrpcCode !== void 0) ? rawMatcher : void 0;
       await this.getClient().send(
         new ModifyTargetGroupCommand({
           TargetGroupArn: physicalId,
@@ -27250,13 +27319,14 @@ var RDSProvider = class {
   async updateDBSubnetGroup(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating DBSubnetGroup ${logicalId}: ${physicalId}`);
     try {
-      await this.getClient().send(
-        new ModifyDBSubnetGroupCommand({
-          DBSubnetGroupName: physicalId,
-          DBSubnetGroupDescription: properties["DBSubnetGroupDescription"],
-          SubnetIds: properties["SubnetIds"]
-        })
-      );
+      const subnetIds = properties["SubnetIds"];
+      const sendSubnetIds = subnetIds !== void 0 && subnetIds.length > 0;
+      const modifyInput = {
+        DBSubnetGroupName: physicalId,
+        DBSubnetGroupDescription: properties["DBSubnetGroupDescription"],
+        ...sendSubnetIds && { SubnetIds: subnetIds }
+      };
+      await this.getClient().send(new ModifyDBSubnetGroupCommand(modifyInput));
       const desc = await this.getClient().send(
         new DescribeDBSubnetGroupsCommand({ DBSubnetGroupName: physicalId })
       );
@@ -27386,16 +27456,19 @@ var RDSProvider = class {
     this.logger.debug(`Updating DBCluster ${logicalId}: ${physicalId}`);
     try {
       const serverlessV2Config = properties["ServerlessV2ScalingConfiguration"];
+      const hasServerlessV2 = serverlessV2Config !== void 0 && (serverlessV2Config.MinCapacity !== void 0 || serverlessV2Config.MaxCapacity !== void 0);
+      const vpcSgIds = properties["VpcSecurityGroupIds"];
+      const sendVpcSgIds = vpcSgIds !== void 0 && vpcSgIds.length > 0;
       await this.getClient().send(
         new ModifyDBClusterCommand({
           DBClusterIdentifier: physicalId,
           EngineVersion: properties["EngineVersion"],
           DeletionProtection: properties["DeletionProtection"],
           BackupRetentionPeriod: properties["BackupRetentionPeriod"] != null ? Number(properties["BackupRetentionPeriod"]) : void 0,
-          VpcSecurityGroupIds: properties["VpcSecurityGroupIds"],
+          ...sendVpcSgIds && { VpcSecurityGroupIds: vpcSgIds },
           MasterUserPassword: properties["MasterUserPassword"],
           Port: properties["Port"] != null ? Number(properties["Port"]) : void 0,
-          ...serverlessV2Config && {
+          ...hasServerlessV2 && {
             ServerlessV2ScalingConfiguration: {
               MinCapacity: serverlessV2Config.MinCapacity,
               MaxCapacity: serverlessV2Config.MaxCapacity
@@ -27894,7 +27967,7 @@ var RDSProvider = class {
     if (cluster.DeletionProtection !== void 0) {
       result["DeletionProtection"] = cluster.DeletionProtection;
     }
-    {
+    if (cluster.ServerlessV2ScalingConfiguration?.MinCapacity !== void 0 || cluster.ServerlessV2ScalingConfiguration?.MaxCapacity !== void 0) {
       const sc = {};
       if (cluster.ServerlessV2ScalingConfiguration?.MinCapacity !== void 0) {
         sc["MinCapacity"] = cluster.ServerlessV2ScalingConfiguration.MinCapacity;
@@ -28518,7 +28591,7 @@ var Route53Provider = class {
       }
     }
     const setIdentifier = properties["SetIdentifier"];
-    if (setIdentifier) {
+    if (setIdentifier !== void 0) {
       recordSet.SetIdentifier = setIdentifier;
     }
     const weight = properties["Weight"];
@@ -28526,11 +28599,11 @@ var Route53Provider = class {
       recordSet.Weight = Number(weight);
     }
     const region = properties["Region"];
-    if (region) {
+    if (region !== void 0) {
       recordSet.Region = region;
     }
     const failover = properties["Failover"];
-    if (failover) {
+    if (failover !== void 0) {
       recordSet.Failover = failover;
     }
     const multiValueAnswer = properties["MultiValueAnswer"];
@@ -28538,15 +28611,15 @@ var Route53Provider = class {
       recordSet.MultiValueAnswer = typeof multiValueAnswer === "string" ? multiValueAnswer.toLowerCase() === "true" : multiValueAnswer;
     }
     const healthCheckId = properties["HealthCheckId"];
-    if (healthCheckId) {
+    if (healthCheckId !== void 0) {
       recordSet.HealthCheckId = healthCheckId;
     }
     const geoLocation = properties["GeoLocation"];
     if (geoLocation) {
       recordSet.GeoLocation = {
-        ...geoLocation["ContinentCode"] ? { ContinentCode: geoLocation["ContinentCode"] } : {},
-        ...geoLocation["CountryCode"] ? { CountryCode: geoLocation["CountryCode"] } : {},
-        ...geoLocation["SubdivisionCode"] ? { SubdivisionCode: geoLocation["SubdivisionCode"] } : {}
+        ...geoLocation["ContinentCode"] !== void 0 ? { ContinentCode: geoLocation["ContinentCode"] } : {},
+        ...geoLocation["CountryCode"] !== void 0 ? { CountryCode: geoLocation["CountryCode"] } : {},
+        ...geoLocation["SubdivisionCode"] !== void 0 ? { SubdivisionCode: geoLocation["SubdivisionCode"] } : {}
       };
     }
     return recordSet;
@@ -28776,14 +28849,16 @@ var Route53Provider = class {
       }
       result["HostedZoneConfig"] = cfg;
     }
-    result["VPCs"] = (resp.VPCs ?? []).map((v) => {
-      const out = {};
-      if (v.VPCId !== void 0)
-        out["VPCId"] = v.VPCId;
-      if (v.VPCRegion !== void 0)
-        out["VPCRegion"] = v.VPCRegion;
-      return out;
-    });
+    if (resp.HostedZone.Config?.PrivateZone === true) {
+      result["VPCs"] = (resp.VPCs ?? []).map((v) => {
+        const out = {};
+        if (v.VPCId !== void 0)
+          out["VPCId"] = v.VPCId;
+        if (v.VPCRegion !== void 0)
+          out["VPCRegion"] = v.VPCRegion;
+        return out;
+      });
+    }
     const idTail = physicalId.replace(/^\/hostedzone\//, "");
     try {
       const tagsResp = await this.getClient().send(
@@ -28828,9 +28903,11 @@ var Route53Provider = class {
       Name: name,
       Type: type
     };
-    if (recordSet.TTL !== void 0)
-      result["TTL"] = recordSet.TTL;
-    result["ResourceRecords"] = (recordSet.ResourceRecords ?? []).map((r) => r.Value).filter((v) => typeof v === "string");
+    if (!recordSet.AliasTarget) {
+      if (recordSet.TTL !== void 0)
+        result["TTL"] = recordSet.TTL;
+      result["ResourceRecords"] = (recordSet.ResourceRecords ?? []).map((r) => r.Value).filter((v) => typeof v === "string");
+    }
     if (recordSet.AliasTarget) {
       const at = {};
       if (recordSet.AliasTarget.HostedZoneId !== void 0) {
@@ -30084,11 +30161,13 @@ var ElastiCacheProvider = class {
   async updateCacheCluster(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating CacheCluster ${logicalId}: ${physicalId}`);
     try {
+      const rawSgIds = properties["VpcSecurityGroupIds"];
+      const sgIds = rawSgIds && rawSgIds.length > 0 ? rawSgIds : void 0;
       await this.getClient().send(
         new ModifyCacheClusterCommand({
           CacheClusterId: physicalId,
           NumCacheNodes: properties["NumCacheNodes"] != null ? Number(properties["NumCacheNodes"]) : void 0,
-          SecurityGroupIds: properties["VpcSecurityGroupIds"],
+          SecurityGroupIds: sgIds,
           CacheParameterGroupName: properties["CacheParameterGroupName"],
           EngineVersion: properties["EngineVersion"],
           PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
@@ -30366,7 +30445,7 @@ var ElastiCacheProvider = class {
       result["IpDiscovery"] = cluster.IpDiscovery;
     if (cluster.NetworkType !== void 0)
       result["NetworkType"] = cluster.NetworkType;
-    if (cluster.TransitEncryptionEnabled !== void 0) {
+    if (cluster.Engine === "redis" && cluster.TransitEncryptionEnabled !== void 0) {
       result["TransitEncryptionEnabled"] = cluster.TransitEncryptionEnabled;
     }
     if (cluster.CacheNodes?.[0]?.Endpoint?.Port !== void 0) {
@@ -33008,6 +33087,36 @@ var KMSProvider = class {
     }
     return result;
   }
+  /**
+   * Declare state property paths cdkd cannot round-trip from AWS, so the
+   * drift comparator skips them instead of firing guaranteed false-
+   * positive drift on every clean run.
+   *
+   *  - `KeyPolicy`: cdkd does NOT call `GetKeyPolicy` in `readCurrentState`.
+   *    The policy body needs JSON parsing for comparison and a separate
+   *    SDK call; deferred to a follow-up. Until then, any user who
+   *    templates `KeyPolicy` would see guaranteed drift.
+   *  - `EnableKeyRotation` / `RotationPeriodInDays`: cdkd does NOT call
+   *    `GetKeyRotationStatus`. Same reason — deferred to a follow-up.
+   *    `EnableKeyRotation` is also a Class 1 candidate (only valid for
+   *    `KeySpec=SYMMETRIC_DEFAULT`); when we lift this gap the read side
+   *    must gate the emit on the discriminator.
+   *  - `BypassPolicyLockoutSafetyCheck` / `PendingWindowInDays`: not part
+   *    of the persisted AWS state visible via `DescribeKey` — both are
+   *    create / delete-time-only inputs.
+   */
+  getDriftUnknownPaths(resourceType) {
+    if (resourceType === "AWS::KMS::Key") {
+      return [
+        "KeyPolicy",
+        "EnableKeyRotation",
+        "RotationPeriodInDays",
+        "BypassPolicyLockoutSafetyCheck",
+        "PendingWindowInDays"
+      ];
+    }
+    return [];
+  }
   async readCurrentStateAlias(physicalId) {
     let marker;
     do {
@@ -43628,7 +43737,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.50.8");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.50.10");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());