@go-to-k/cdkd 0.51.0 → 0.51.1

package/dist/cli.js

@@ -8481,6 +8481,7 @@ import {
   UpdateAssumeRolePolicyCommand,
   DeleteRoleCommand,
   GetRoleCommand,
+  GetRolePolicyCommand,
   PutRolePolicyCommand,
   DeleteRolePolicyCommand,
   ListRolePoliciesCommand,
@@ -9093,8 +9094,14 @@ var IAMRoleProvider = class {
    * against state's already-parsed object.
    *
    * Coverage and shape decisions:
-   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path`,
-   *    `PermissionsBoundary` — straight from `Role.*`.
+   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path` — straight
+   *    from `Role.*`.
+   *  - `PermissionsBoundary` — emitted as `'' ` placeholder when AWS has
+   *    none, so a console-side ADD on a role that was deployed without a
+   *    boundary surfaces as drift. (The drift comparator's top-level walk
+   *    is state-keys-only; without the always-emit placeholder a fresh
+   *    `PermissionsBoundary` on the AWS side would never enter
+   *    `observedProperties` and the comparator would silently ignore it.)
    *  - `AssumeRolePolicyDocument` — `Role.AssumeRolePolicyDocument` is a
    *    URL-encoded JSON string; we URL-decode + JSON-parse so cdkd state's
    *    object form compares cleanly. (Both shapes — string and object — are
@@ -9102,20 +9109,23 @@ var IAMRoleProvider = class {
    *    after intrinsic resolution.)
    *  - `ManagedPolicyArns` — array of ARN strings from
    *    `ListAttachedRolePolicies`.
-   *  - `Policies` (inline policies with `PolicyDocument` bodies) is
-   *    intentionally omitted: surfacing names without bodies guarantees a
-   *    PolicyDocument-shaped drift on every role, and fetching every body
-   *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
-   *    v1 — drift detection on inline IAM policy bodies can ship in a
-   *    follow-up.
+   *  - `Policies` — inline policies surfaced as `[{PolicyName, PolicyDocument}]`.
+   *    `ListRolePolicies` for names + `GetRolePolicy` per name for the
+   *    body (URL-decoded + JSON-parsed). Ordering is reconciled against
+   *    state's `Policies` array (when supplied via the `properties`
+   *    parameter) so a state-vs-AWS positional compare doesn't fire false
+   *    drift purely from `ListRolePolicies` returning lexicographic order;
+   *    AWS-only policies (added via console) are appended at the end so
+   *    they still surface as drift via length / content mismatch.
    *  - `Tags` is surfaced via `ListRoleTags` (paginated). CDK's `aws:*`
    *    auto-tags are filtered out by `normalizeAwsTagsToCfn` so they don't
-   *    fire false-positive drift; the result key is omitted entirely when
-   *    AWS reports no user tags (matches `create()`'s behavior).
+   *    fire false-positive drift; always emitted (even when empty) so a
+   *    console-side tag ADD on an originally-untagged role surfaces as
+   *    drift on the v3 observedProperties baseline.
    *
    * Returns `undefined` when the role is gone (`NoSuchEntityException`).
    */
-  async readCurrentState(physicalId, _logicalId, _resourceType) {
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
     let role;
     try {
       const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
@@ -9136,9 +9146,7 @@ var IAMRoleProvider = class {
     }
     if (role.Path !== void 0)
       result["Path"] = role.Path;
-    if (role.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
-      result["PermissionsBoundary"] = role.PermissionsBoundary.PermissionsBoundaryArn;
-    }
+    result["PermissionsBoundary"] = role.PermissionsBoundary?.PermissionsBoundaryArn ?? "";
     if (role.AssumeRolePolicyDocument) {
       try {
         result["AssumeRolePolicyDocument"] = JSON.parse(
@@ -9158,6 +9166,59 @@ var IAMRoleProvider = class {
       if (!(err instanceof NoSuchEntityException))
         throw err;
     }
+    try {
+      const policyNames = [];
+      let policyMarker;
+      while (true) {
+        const listResp = await this.iamClient.send(
+          new ListRolePoliciesCommand({
+            RoleName: physicalId,
+            ...policyMarker ? { Marker: policyMarker } : {}
+          })
+        );
+        for (const name of listResp.PolicyNames ?? [])
+          policyNames.push(name);
+        if (!listResp.IsTruncated)
+          break;
+        policyMarker = listResp.Marker;
+      }
+      const bodies = /* @__PURE__ */ new Map();
+      await Promise.all(
+        policyNames.map(async (name) => {
+          const resp = await this.iamClient.send(
+            new GetRolePolicyCommand({ RoleName: physicalId, PolicyName: name })
+          );
+          if (!resp.PolicyDocument)
+            return;
+          let parsed;
+          try {
+            parsed = JSON.parse(decodeURIComponent(resp.PolicyDocument));
+          } catch {
+            parsed = resp.PolicyDocument;
+          }
+          bodies.set(name, parsed);
+        })
+      );
+      const statePolicies = properties?.["Policies"] ?? [];
+      const remaining = new Set(bodies.keys());
+      const inline = [];
+      for (const sp of statePolicies) {
+        const name = sp?.PolicyName;
+        if (typeof name !== "string")
+          continue;
+        if (bodies.has(name)) {
+          inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+          remaining.delete(name);
+        }
+      }
+      for (const name of [...remaining].sort()) {
+        inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+      }
+      result["Policies"] = inline;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
     try {
       const collected = [];
       let marker;
@@ -9185,18 +9246,6 @@ var IAMRoleProvider = class {
     }
     return result;
   }
-  /**
-   * `Policies` (inline policy bodies) are intentionally omitted from
-   * `readCurrentState`: surfacing the names without bodies would
-   * guarantee a `PolicyDocument`-shaped drift on every role, and
-   * fetching every body costs one extra `GetRolePolicy` per inline
-   * policy. Tell the drift comparator to skip the whole subtree until a
-   * dedicated PR adds proper inline-policy drift via per-name
-   * `GetRolePolicy`.
-   */
-  getDriftUnknownPaths() {
-    return ["Policies"];
-  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -9259,7 +9308,7 @@ import {
   DeleteGroupPolicyCommand,
   PutUserPolicyCommand,
   DeleteUserPolicyCommand,
-  GetRolePolicyCommand,
+  GetRolePolicyCommand as GetRolePolicyCommand2,
   GetGroupPolicyCommand,
   GetUserPolicyCommand,
   NoSuchEntityException as NoSuchEntityException2
@@ -9648,7 +9697,7 @@ var IAMPolicyProvider = class {
     try {
       if (roles && roles.length > 0) {
         const resp = await this.iamClient.send(
-          new GetRolePolicyCommand({ RoleName: roles[0], PolicyName: policyName })
+          new GetRolePolicyCommand2({ RoleName: roles[0], PolicyName: policyName })
         );
         liveDocument = this.decodePolicyDocument(resp.PolicyDocument);
       } else if (groups && groups.length > 0) {
@@ -10023,9 +10072,11 @@ import {
   PutUserPolicyCommand as PutUserPolicyCommand2,
   DeleteUserPolicyCommand as DeleteUserPolicyCommand2,
   ListUserPoliciesCommand,
+  GetUserPolicyCommand as GetUserPolicyCommand2,
   PutGroupPolicyCommand as PutGroupPolicyCommand2,
   DeleteGroupPolicyCommand as DeleteGroupPolicyCommand2,
   ListGroupPoliciesCommand,
+  GetGroupPolicyCommand as GetGroupPolicyCommand2,
   CreateLoginProfileCommand,
   UpdateLoginProfileCommand,
   AddUserToGroupCommand,
@@ -11052,17 +11103,21 @@ var IAMUserGroupProvider = class {
    * UserToGroupAddition in CFn-property shape.
    *
    *  - **AWS::IAM::User**: `GetUser` for `UserName`, `Path`,
-   *    `PermissionsBoundary` (re-shaped from `PermissionsBoundary.Arn`);
+   *    `PermissionsBoundary` (re-shaped from `PermissionsBoundary.Arn`,
+   *    always-emit `''` placeholder so console-side ADD on a user
+   *    deployed without a boundary surfaces as drift);
    *    `ListAttachedUserPolicies` for `ManagedPolicyArns`;
-   *    `ListGroupsForUser` for `Groups`. `Tags`, `LoginProfile`, and
-   *    `Policies` (inline policy bodies) are intentionally omitted —
-   *    same shape decisions as `iam-role-provider` (LoginProfile contains a
-   *    one-time password and inline policy bodies cost N extra round-trips
-   *    that are out of scope for v1).
+   *    `ListGroupsForUser` for `Groups`; `ListUserPolicies` +
+   *    `GetUserPolicy` per name for inline `Policies` (URL-decoded +
+   *    JSON-parsed, capped at IAM's documented 10-per-user limit, order
+   *    reconciled against state's `Policies` array). `Tags` and
+   *    `LoginProfile` remain omitted — Tags will land in a follow-up,
+   *    LoginProfile contains a one-time password we never want to surface
+   *    through drift.
    *  - **AWS::IAM::Group**: `GetGroup` for `GroupName`, `Path`;
-   *    `ListAttachedGroupPolicies` for `ManagedPolicyArns`. `Policies`
-   *    (inline policy bodies) is omitted for the same reason as User /
-   *    Role.
+   *    `ListAttachedGroupPolicies` for `ManagedPolicyArns`;
+   *    `ListGroupPolicies` + `GetGroupPolicy` per name for inline
+   *    `Policies`.
    *  - **AWS::IAM::UserToGroupAddition**: SKIPPED — returns `undefined`
    *    because the resource is metadata-only (group-membership attachments
    *    written via `AddUserToGroup`). A meaningful drift check would
@@ -11074,12 +11129,12 @@ var IAMUserGroupProvider = class {
    * Returns `undefined` when the user / group is gone
    * (`NoSuchEntityException`).
    */
-  async readCurrentState(physicalId, logicalId, resourceType) {
+  async readCurrentState(physicalId, logicalId, resourceType, properties) {
     switch (resourceType) {
       case "AWS::IAM::User":
-        return this.readUserCurrentState(physicalId);
+        return this.readUserCurrentState(physicalId, properties);
       case "AWS::IAM::Group":
-        return this.readGroupCurrentState(physicalId);
+        return this.readGroupCurrentState(physicalId, properties);
       case "AWS::IAM::UserToGroupAddition":
         return void 0;
       default:
@@ -11089,7 +11144,7 @@ var IAMUserGroupProvider = class {
         return void 0;
     }
   }
-  async readUserCurrentState(physicalId) {
+  async readUserCurrentState(physicalId, properties) {
     let user;
     try {
       const resp = await this.iamClient.send(new GetUserCommand({ UserName: physicalId }));
@@ -11106,9 +11161,7 @@ var IAMUserGroupProvider = class {
       result["UserName"] = user.UserName;
     if (user.Path !== void 0)
       result["Path"] = user.Path;
-    if (user.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
-      result["PermissionsBoundary"] = user.PermissionsBoundary.PermissionsBoundaryArn;
-    }
+    result["PermissionsBoundary"] = user.PermissionsBoundary?.PermissionsBoundaryArn ?? "";
     try {
       const attached = await this.iamClient.send(
         new ListAttachedUserPoliciesCommand({ UserName: physicalId })
@@ -11129,9 +11182,20 @@ var IAMUserGroupProvider = class {
       if (!(err instanceof NoSuchEntityException4))
         throw err;
     }
+    try {
+      const inline = await this.collectInlinePolicies(
+        "user",
+        physicalId,
+        properties?.["Policies"] ?? []
+      );
+      result["Policies"] = inline;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
     return result;
   }
-  async readGroupCurrentState(physicalId) {
+  async readGroupCurrentState(physicalId, properties) {
     let group;
     try {
       const resp = await this.iamClient.send(new GetGroupCommand({ GroupName: physicalId }));
@@ -11158,8 +11222,83 @@ var IAMUserGroupProvider = class {
       if (!(err instanceof NoSuchEntityException4))
         throw err;
     }
+    try {
+      const inline = await this.collectInlinePolicies(
+        "group",
+        physicalId,
+        properties?.["Policies"] ?? []
+      );
+      result["Policies"] = inline;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
     return result;
   }
+  /**
+   * Shared inline-policy fetcher for User / Group readCurrentState.
+   * Mirrors `IAMRoleProvider.readCurrentState`'s inline-policy handling:
+   * paginated `List*Policies` for names → parallel `Get*Policy` per name
+   * for bodies (URL-decoded + JSON-parsed) → reconcile order against
+   * `statePolicies` so a positional compare doesn't fire false drift on
+   * the lexicographic order returned by AWS.
+   */
+  async collectInlinePolicies(kind, physicalId, statePolicies) {
+    const policyNames = [];
+    let marker;
+    while (true) {
+      const listResp = kind === "user" ? await this.iamClient.send(
+        new ListUserPoliciesCommand({
+          UserName: physicalId,
+          ...marker ? { Marker: marker } : {}
+        })
+      ) : await this.iamClient.send(
+        new ListGroupPoliciesCommand({
+          GroupName: physicalId,
+          ...marker ? { Marker: marker } : {}
+        })
+      );
+      for (const name of listResp.PolicyNames ?? [])
+        policyNames.push(name);
+      if (!listResp.IsTruncated)
+        break;
+      marker = listResp.Marker;
+    }
+    const bodies = /* @__PURE__ */ new Map();
+    await Promise.all(
+      policyNames.map(async (name) => {
+        const resp = kind === "user" ? await this.iamClient.send(
+          new GetUserPolicyCommand2({ UserName: physicalId, PolicyName: name })
+        ) : await this.iamClient.send(
+          new GetGroupPolicyCommand2({ GroupName: physicalId, PolicyName: name })
+        );
+        if (!resp.PolicyDocument)
+          return;
+        let parsed;
+        try {
+          parsed = JSON.parse(decodeURIComponent(resp.PolicyDocument));
+        } catch {
+          parsed = resp.PolicyDocument;
+        }
+        bodies.set(name, parsed);
+      })
+    );
+    const remaining = new Set(bodies.keys());
+    const inline = [];
+    for (const sp of statePolicies) {
+      const name = sp?.PolicyName;
+      if (typeof name !== "string")
+        continue;
+      if (bodies.has(name)) {
+        inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+        remaining.delete(name);
+      }
+    }
+    for (const name of [...remaining].sort()) {
+      inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+    }
+    return inline;
+  }
   // ─── Import dispatch ──────────────────────────────────────────────
   /**
    * Adopt an existing IAM user / group / user-to-group addition into cdkd state.
@@ -16867,6 +17006,7 @@ import {
   CreateLogGroupCommand,
   DeleteLogGroupCommand,
   DescribeLogGroupsCommand,
+  GetDataProtectionPolicyCommand,
   ListTagsForResourceCommand as ListTagsForResourceCommand2,
   PutRetentionPolicyCommand,
   DeleteRetentionPolicyCommand,
@@ -17108,19 +17248,6 @@ var LogsLogGroupProvider = class {
     }
     return this.buildArn(physicalId);
   }
-  /**
-   * Drift comparator skip-list: properties readCurrentState deliberately
-   * cannot round-trip from AWS yet. `DataProtectionPolicy` lives behind
-   * its own `GetDataProtectionPolicy` API call (not in
-   * `DescribeLogGroups` output) — declaring it here prevents
-   * guaranteed false-positive drift on every clean run for log groups
-   * deployed with a data-protection policy. Lifting this guard requires
-   * a per-group `GetDataProtectionPolicy` round-trip in
-   * `readCurrentState`.
-   */
-  getDriftUnknownPaths() {
-    return ["DataProtectionPolicy"];
-  }
   /**
    * Read the AWS-current log group configuration in CFn-property shape.
    *
@@ -17131,10 +17258,16 @@ var LogsLogGroupProvider = class {
    * `RetentionInDays`).
    *
    * Coverage: `LogGroupName`, `KmsKeyId`, `RetentionInDays`,
-   * `LogGroupClass`, `Tags`. Other handledProperties (`DataProtectionPolicy`,
-   * `FieldIndexPolicies`, `ResourcePolicyDocument`,
-   * `DeletionProtectionEnabled`, `BearerTokenAuthenticationEnabled`) need
-   * their own per-property API call and are out of scope for v1.
+   * `LogGroupClass`, `Tags`, plus `DataProtectionPolicy` (via
+   * `GetDataProtectionPolicy`, JSON-parsed back to the object form
+   * cdkd state holds). Still out of scope: `FieldIndexPolicies`
+   * (separate `DescribeFieldIndexPolicies` call, follow-up),
+   * `ResourcePolicyDocument` (managed by the separate
+   * `AWS::Logs::ResourcePolicy` resource type — account-wide, not
+   * per-log-group), `DeletionProtectionEnabled` (not surfaced by
+   * `DescribeLogGroups`; would need a yet-undocumented separate API),
+   * `BearerTokenAuthenticationEnabled` (specialized X-Ray / service-log
+   * endpoint feature, also not in `DescribeLogGroups`).
    *
    * Tags are read via `ListTagsForResource` (using the log-group ARN from
    * the same `DescribeLogGroups` response). CDK's `aws:*` auto-tags are
@@ -17173,6 +17306,21 @@ var LogsLogGroupProvider = class {
         }
       }
       result["Tags"] = tags;
+      let dpp = "";
+      try {
+        const dppResp = await this.logsClient.send(
+          new GetDataProtectionPolicyCommand({ logGroupIdentifier: physicalId })
+        );
+        if (dppResp.policyDocument) {
+          try {
+            dpp = JSON.parse(dppResp.policyDocument);
+          } catch {
+            dpp = dppResp.policyDocument;
+          }
+        }
+      } catch {
+      }
+      result["DataProtectionPolicy"] = dpp;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException7)
@@ -26406,6 +26554,7 @@ import {
   CreateLoadBalancerCommand,
   DeleteLoadBalancerCommand,
   DescribeLoadBalancersCommand as DescribeLoadBalancersCommand2,
+  DescribeLoadBalancerAttributesCommand,
   CreateTargetGroupCommand,
   DeleteTargetGroupCommand,
   ModifyTargetGroupCommand,
@@ -26498,7 +26647,13 @@ var ELBv2Provider = class {
   async update(logicalId, physicalId, resourceType, properties, previousProperties) {
     switch (resourceType) {
       case "AWS::ElasticLoadBalancingV2::LoadBalancer":
-        return this.updateLoadBalancer(logicalId, physicalId, resourceType, properties);
+        return this.updateLoadBalancer(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
       case "AWS::ElasticLoadBalancingV2::TargetGroup":
         return this.updateTargetGroup(
           logicalId,
@@ -26603,14 +26758,44 @@ var ELBv2Provider = class {
       );
     }
   }
-  updateLoadBalancer(logicalId, _physicalId, _resourceType, _properties) {
-    return Promise.reject(
-      new ResourceUpdateNotSupportedError(
+  async updateLoadBalancer(logicalId, physicalId, _resourceType, properties, previousProperties) {
+    const newAttrs = properties["LoadBalancerAttributes"] ?? [];
+    const oldAttrs = previousProperties["LoadBalancerAttributes"] ?? [];
+    const stripAttrs = (p) => {
+      const { LoadBalancerAttributes: _, ...rest } = p;
+      return rest;
+    };
+    if (JSON.stringify(stripAttrs(properties)) !== JSON.stringify(stripAttrs(previousProperties))) {
+      throw new ResourceUpdateNotSupportedError(
         "AWS::ElasticLoadBalancingV2::LoadBalancer",
         logicalId,
-        "ELBv2 LoadBalancer in-place updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-      )
-    );
+        "ELBv2 LoadBalancer in-place updates are only supported for LoadBalancerAttributes; for Name / Type / Scheme / Subnets / SecurityGroups / IpAddressType / Tags, re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      );
+    }
+    const newMap = new Map(newAttrs.map((a) => [a.Key, a.Value]));
+    const oldMap = new Map(oldAttrs.map((a) => [a.Key, a.Value]));
+    const submitted = [];
+    for (const [k, v] of newMap) {
+      if (oldMap.get(k) !== v)
+        submitted.push({ Key: k, Value: v });
+    }
+    for (const [k] of oldMap) {
+      if (!newMap.has(k))
+        submitted.push({ Key: k, Value: "" });
+    }
+    if (submitted.length > 0) {
+      const { ModifyLoadBalancerAttributesCommand } = await import("@aws-sdk/client-elastic-load-balancing-v2");
+      await this.getClient().send(
+        new ModifyLoadBalancerAttributesCommand({
+          LoadBalancerArn: physicalId,
+          Attributes: submitted
+        })
+      );
+      this.logger.debug(
+        `Applied ${submitted.length} LoadBalancerAttributes change(s) for ${logicalId}`
+      );
+    }
+    return { physicalId, wasReplaced: false };
   }
   async deleteLoadBalancer(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting LoadBalancer ${logicalId}: ${physicalId}`);
@@ -26956,10 +27141,12 @@ var ELBv2Provider = class {
    * Dispatch per resource type:
    *  - `LoadBalancer` → `DescribeLoadBalancers` (Name, Subnets via
    *    `AvailabilityZones[].SubnetId`, SecurityGroups, Scheme, Type,
-   *    IpAddressType). LoadBalancerAttributes is omitted for v1 — it
-   *    requires a separate `DescribeLoadBalancerAttributes` call and the
-   *    drift comparator only descends into keys present in state, so an
-   *    absent key cannot fire false drift.
+   *    IpAddressType) plus `DescribeLoadBalancerAttributes` for the full
+   *    `LoadBalancerAttributes` `[{Key, Value}]` array (sorted by Key for
+   *    stable positional compare). AWS returns every attribute valid for
+   *    this LB type including defaults the user did not template; on the
+   *    v3 observedProperties baseline that's load-bearing — a console-side
+   *    change to ANY attribute (templated or not) surfaces as drift.
    *  - `TargetGroup` → `DescribeTargetGroups` (Protocol, Port, VpcId,
    *    TargetType, ProtocolVersion, HealthCheck*, Matcher, Name).
    *  - `Listener` → `DescribeListeners` (LoadBalancerArn, Certificates,
@@ -27009,6 +27196,18 @@ var ELBv2Provider = class {
       result["Type"] = lb.Type;
     if (lb.IpAddressType !== void 0)
       result["IpAddressType"] = lb.IpAddressType;
+    try {
+      const attrsResp = await this.getClient().send(
+        new DescribeLoadBalancerAttributesCommand({ LoadBalancerArn: physicalId })
+      );
+      const attrs = (attrsResp.Attributes ?? []).filter(
+        (a) => typeof a.Key === "string" && typeof a.Value === "string"
+      ).map((a) => ({ Key: a.Key, Value: a.Value })).sort((a, b) => a.Key.localeCompare(b.Key));
+      result["LoadBalancerAttributes"] = attrs;
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+    }
     await this.attachTags(result, physicalId);
     return result;
   }
@@ -28889,8 +29088,10 @@ var Route53Provider = class {
    *    PrivateZone}, VPCs from `VPCs[]`, HostedZoneTags via
    *    `ListTagsForResource(ResourceType=hostedzone, ResourceId=<idTail>)`
    *    with `aws:*` filtered out and the key omitted when empty).
-   *    QueryLoggingConfig is skipped because it's a separate
-   *    `ListQueryLoggingConfigs` call and the v1 surface does not surface it.
+   *    QueryLoggingConfig is surfaced via a follow-up
+   *    `ListQueryLoggingConfigs(HostedZoneId)` (filter to the one
+   *    config per zone — CFn enforces 0 or 1 — and reshape
+   *    `CloudWatchLogsLogGroupArn` to match cdkd state).
    *  - `RecordSet` → `ListResourceRecordSets` filtered to the exact
    *    `(name, type)` pair from the composite physicalId
    *    (`{zoneId}|{name}|{type}`). Surfaces TTL, ResourceRecords (with
@@ -28955,6 +29156,24 @@ var Route53Provider = class {
         `Route53 ListTagsForResource(${idTail}) failed: ${err instanceof Error ? err.message : String(err)}`
       );
     }
+    try {
+      const qlcResp = await this.getClient().send(
+        new ListQueryLoggingConfigsCommand({ HostedZoneId: idTail })
+      );
+      const qlc = qlcResp.QueryLoggingConfigs?.[0];
+      if (qlc?.CloudWatchLogsLogGroupArn) {
+        result["QueryLoggingConfig"] = {
+          CloudWatchLogsLogGroupArn: qlc.CloudWatchLogsLogGroupArn
+        };
+      } else {
+        result["QueryLoggingConfig"] = {};
+      }
+    } catch (err) {
+      this.logger.debug(
+        `Route53 ListQueryLoggingConfigs(${idTail}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      result["QueryLoggingConfig"] = {};
+    }
     return result;
   }
   async readRecordSet(physicalId) {
@@ -32726,6 +32945,8 @@ import {
   KMSClient as KMSClient2,
   CreateKeyCommand,
   DescribeKeyCommand,
+  GetKeyPolicyCommand,
+  GetKeyRotationStatusCommand,
   ListAliasesCommand as ListAliasesCommand2,
   ListKeysCommand,
   ListResourceTagsCommand,
@@ -33193,6 +33414,36 @@ var KMSProvider = class {
     if (md.Origin !== void 0)
       result["Origin"] = md.Origin;
     if (md.KeyId) {
+      try {
+        const policyResp = await this.getClient().send(
+          new GetKeyPolicyCommand({ KeyId: md.KeyId, PolicyName: "default" })
+        );
+        if (policyResp.Policy) {
+          try {
+            result["KeyPolicy"] = JSON.parse(policyResp.Policy);
+          } catch {
+            result["KeyPolicy"] = policyResp.Policy;
+          }
+        }
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return void 0;
+      }
+      const isSymmetric = md.KeySpec === void 0 || md.KeySpec === "SYMMETRIC_DEFAULT";
+      if (isSymmetric) {
+        try {
+          const rotationResp = await this.getClient().send(
+            new GetKeyRotationStatusCommand({ KeyId: md.KeyId })
+          );
+          result["EnableKeyRotation"] = rotationResp.KeyRotationEnabled ?? false;
+          if (rotationResp.RotationPeriodInDays !== void 0) {
+            result["RotationPeriodInDays"] = rotationResp.RotationPeriodInDays;
+          }
+        } catch (err) {
+          if (err instanceof NotFoundException5)
+            return void 0;
+        }
+      }
       try {
         const tagsResp = await this.getClient().send(
           new ListResourceTagsCommand({ KeyId: md.KeyId })
@@ -33211,28 +33462,17 @@ var KMSProvider = class {
    * drift comparator skips them instead of firing guaranteed false-
    * positive drift on every clean run.
    *
-   *  - `KeyPolicy`: cdkd does NOT call `GetKeyPolicy` in `readCurrentState`.
-   *    The policy body needs JSON parsing for comparison and a separate
-   *    SDK call; deferred to a follow-up. Until then, any user who
-   *    templates `KeyPolicy` would see guaranteed drift.
-   *  - `EnableKeyRotation` / `RotationPeriodInDays`: cdkd does NOT call
-   *    `GetKeyRotationStatus`. Same reason — deferred to a follow-up.
-   *    `EnableKeyRotation` is also a Class 1 candidate (only valid for
-   *    `KeySpec=SYMMETRIC_DEFAULT`); when we lift this gap the read side
-   *    must gate the emit on the discriminator.
    *  - `BypassPolicyLockoutSafetyCheck` / `PendingWindowInDays`: not part
    *    of the persisted AWS state visible via `DescribeKey` — both are
    *    create / delete-time-only inputs.
+   *
+   * `KeyPolicy`, `EnableKeyRotation`, and `RotationPeriodInDays` are now
+   * read by `readCurrentState` (`GetKeyPolicy` and `GetKeyRotationStatus`
+   * respectively), so they no longer need to be declared here.
    */
   getDriftUnknownPaths(resourceType) {
     if (resourceType === "AWS::KMS::Key") {
-      return [
-        "KeyPolicy",
-        "EnableKeyRotation",
-        "RotationPeriodInDays",
-        "BypassPolicyLockoutSafetyCheck",
-        "PendingWindowInDays"
-      ];
+      return ["BypassPolicyLockoutSafetyCheck", "PendingWindowInDays"];
     }
     return [];
   }
@@ -33821,6 +34061,7 @@ import {
   DescribeAccessPointsCommand,
   DescribeLifecycleConfigurationCommand,
   DescribeBackupPolicyCommand,
+  DescribeMountTargetSecurityGroupsCommand,
   FileSystemNotFound,
   MountTargetNotFound,
   AccessPointNotFound
@@ -34247,8 +34488,10 @@ var EFSProvider = class {
    *    the corresponding key without failing the whole snapshot.
    *  - `AccessPoint` → `DescribeAccessPoints` filtered by id (PosixUser,
    *    RootDirectory).
-   *  - `MountTarget` → `DescribeMountTargets` (FileSystemId, SubnetId).
-   *    SecurityGroups requires a separate call and is omitted for v1.
+   *  - `MountTarget` → `DescribeMountTargets` (FileSystemId, SubnetId)
+   *    plus `DescribeMountTargetSecurityGroups` for the SG list (always-
+   *    emit `[]` when AWS reports none so a console-side ADD on a
+   *    previously-unconfigured mount target is detectable).
    *
    * `FileSystemTags` (the CFn property name on `AWS::EFS::FileSystem`) is
    * surfaced from the same `DescribeFileSystems` response — `aws:*`
@@ -34405,6 +34648,17 @@ var EFSProvider = class {
       result["FileSystemId"] = mt.FileSystemId;
     if (mt.SubnetId !== void 0)
       result["SubnetId"] = mt.SubnetId;
+    let securityGroups = [];
+    try {
+      const sgResp = await this.getClient().send(
+        new DescribeMountTargetSecurityGroupsCommand({ MountTargetId: physicalId })
+      );
+      securityGroups = (sgResp.SecurityGroups ?? []).filter(
+        (s) => typeof s === "string"
+      );
+    } catch {
+    }
+    result["SecurityGroups"] = securityGroups;
     return result;
   }
   /**
@@ -35014,6 +35268,7 @@ import {
   GetTrailCommand,
   GetTrailStatusCommand,
   GetEventSelectorsCommand,
+  GetInsightSelectorsCommand,
   ListTrailsCommand,
   ListTagsCommand as ListTagsCommand3,
   AddTagsCommand as AddTagsCommand2,
@@ -35186,15 +35441,13 @@ var CloudTrailProvider = class {
       const newInsightSelectors = properties["InsightSelectors"];
       const oldInsightSelectors = previousProperties["InsightSelectors"];
       if (JSON.stringify(newInsightSelectors) !== JSON.stringify(oldInsightSelectors)) {
-        if (newInsightSelectors && newInsightSelectors.length > 0) {
-          this.logger.debug(`Updating insight selectors for CloudTrail Trail ${logicalId}`);
-          await this.getClient().send(
-            new PutInsightSelectorsCommand({
-              TrailName: physicalId,
-              InsightSelectors: newInsightSelectors
-            })
-          );
-        }
+        this.logger.debug(`Updating insight selectors for CloudTrail Trail ${logicalId}`);
+        await this.getClient().send(
+          new PutInsightSelectorsCommand({
+            TrailName: physicalId,
+            InsightSelectors: newInsightSelectors ?? []
+          })
+        );
       }
       const oldIsLogging = previousProperties["IsLogging"];
       if (isLogging !== oldIsLogging) {
@@ -35327,8 +35580,10 @@ var CloudTrailProvider = class {
    * auto-tags are filtered out and the result key is omitted when AWS
    * reports no user tags.
    *
-   * `InsightSelectors` is skipped for v1 (separate call + shape mapping
-   * still TBD).
+   * `InsightSelectors` is surfaced via a follow-up `GetInsightSelectors`
+   * call — same shape on both sides (`[{InsightType}]`). The key is
+   * always emitted (`[]` when AWS reports none) so a console-side ADD
+   * is detectable on the v3 observedProperties baseline.
    *
    * Returns `undefined` when the trail is gone (`TrailNotFoundException`).
    */
@@ -35377,6 +35632,17 @@ var CloudTrailProvider = class {
       }
     } catch {
     }
+    let insightSelectors = [];
+    try {
+      const insight = await this.getClient().send(
+        new GetInsightSelectorsCommand({ TrailName: physicalId })
+      );
+      insightSelectors = (insight.InsightSelectors ?? []).map((s) => ({
+        ...s.InsightType !== void 0 && { InsightType: s.InsightType }
+      }));
+    } catch {
+    }
+    result["InsightSelectors"] = insightSelectors;
     let tags = [];
     if (trail.TrailARN) {
       try {
@@ -35720,12 +35986,21 @@ var CodeBuildProvider = class {
    *
    * Issues `BatchGetProjects` and re-shapes the SDK's camelCase response back
    * to CFn's PascalCase shape (the `mapProperties` helper above goes the
-   * other way at create time). The drift comparator only descends into
-   * keys present in cdkd state, so we focus on the high-value top-level
-   * fields and the most commonly-set `Source` / `Artifacts` /
-   * `Environment` sub-fields. Less common nested config (full
-   * `LogsConfig`, `VpcConfig` rebuild, secondary sources/artifacts, etc.)
-   * is left to a follow-up — surfacing them with a partial shape would
+   * other way at create time). Coverage targets every user-controllable
+   * top-level field via the always-emit pattern (PR #145):
+   *  - `Source` / `Artifacts` / `Environment` (with `EnvironmentVariables`
+   *    sub-array): full reshape to CFn shape.
+   *  - `LogsConfig` (`CloudWatchLogs` + `S3Logs` sub-shapes): always-emit
+   *    placeholder so a console-side enable on a previously-default
+   *    project surfaces as drift.
+   *  - `VpcConfig` (VpcId / Subnets / SecurityGroupIds): always-emit
+   *    placeholder.
+   *  - `Cache` (Type / Location / Modes): always-emit placeholder.
+   *
+   * Still v1-omitted (known gaps, follow-up): `SecondarySources` /
+   * `SecondaryArtifacts` / `SecondarySourceVersions` / `FileSystemLocations` /
+   * `Triggers` / `BuildBatchConfig` / `ResourceAccessRole`. These are
+   * rarely set in practice and surfacing them with partial shape would
    * fire false drift on every project that uses them.
    *
    * Tags are surfaced from the same `BatchGetProjects` response (CodeBuild
@@ -35840,6 +36115,51 @@ var CodeBuildProvider = class {
       });
       result["Environment"] = env;
     }
+    {
+      const logs = {};
+      const cw = {
+        Status: project.logsConfig?.cloudWatchLogs?.status ?? "ENABLED"
+      };
+      if (project.logsConfig?.cloudWatchLogs?.groupName !== void 0) {
+        cw["GroupName"] = project.logsConfig.cloudWatchLogs.groupName;
+      }
+      if (project.logsConfig?.cloudWatchLogs?.streamName !== void 0) {
+        cw["StreamName"] = project.logsConfig.cloudWatchLogs.streamName;
+      }
+      logs["CloudWatchLogs"] = cw;
+      const s3 = {
+        Status: project.logsConfig?.s3Logs?.status ?? "DISABLED"
+      };
+      if (project.logsConfig?.s3Logs?.location !== void 0) {
+        s3["Location"] = project.logsConfig.s3Logs.location;
+      }
+      if (project.logsConfig?.s3Logs?.encryptionDisabled !== void 0) {
+        s3["EncryptionDisabled"] = project.logsConfig.s3Logs.encryptionDisabled;
+      }
+      if (project.logsConfig?.s3Logs?.bucketOwnerAccess !== void 0) {
+        s3["BucketOwnerAccess"] = project.logsConfig.s3Logs.bucketOwnerAccess;
+      }
+      logs["S3Logs"] = s3;
+      result["LogsConfig"] = logs;
+    }
+    if (project.vpcConfig?.vpcId !== void 0) {
+      const vpc = { VpcId: project.vpcConfig.vpcId };
+      vpc["Subnets"] = project.vpcConfig.subnets ?? [];
+      vpc["SecurityGroupIds"] = project.vpcConfig.securityGroupIds ?? [];
+      result["VpcConfig"] = vpc;
+    } else {
+      result["VpcConfig"] = {};
+    }
+    {
+      const cache2 = {
+        Type: project.cache?.type ?? "NO_CACHE"
+      };
+      if (project.cache?.location !== void 0)
+        cache2["Location"] = project.cache.location;
+      if (project.cache?.modes !== void 0)
+        cache2["Modes"] = project.cache.modes;
+      result["Cache"] = cache2;
+    }
     const tags = normalizeAwsTagsToCfn(project.tags);
     result["Tags"] = tags;
     return result;
@@ -43979,7 +44299,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.1");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());