@go-to-k/cdkd 0.51.0 → 0.51.2

package/dist/cli.js

@@ -8481,6 +8481,7 @@ import {
   UpdateAssumeRolePolicyCommand,
   DeleteRoleCommand,
   GetRoleCommand,
+  GetRolePolicyCommand,
   PutRolePolicyCommand,
   DeleteRolePolicyCommand,
   ListRolePoliciesCommand,
@@ -9093,8 +9094,14 @@ var IAMRoleProvider = class {
    * against state's already-parsed object.
    *
    * Coverage and shape decisions:
-   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path`,
-   *    `PermissionsBoundary` — straight from `Role.*`.
+   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path` — straight
+   *    from `Role.*`.
+   *  - `PermissionsBoundary` — emitted as `'' ` placeholder when AWS has
+   *    none, so a console-side ADD on a role that was deployed without a
+   *    boundary surfaces as drift. (The drift comparator's top-level walk
+   *    is state-keys-only; without the always-emit placeholder a fresh
+   *    `PermissionsBoundary` on the AWS side would never enter
+   *    `observedProperties` and the comparator would silently ignore it.)
    *  - `AssumeRolePolicyDocument` — `Role.AssumeRolePolicyDocument` is a
    *    URL-encoded JSON string; we URL-decode + JSON-parse so cdkd state's
    *    object form compares cleanly. (Both shapes — string and object — are
@@ -9102,20 +9109,23 @@ var IAMRoleProvider = class {
    *    after intrinsic resolution.)
    *  - `ManagedPolicyArns` — array of ARN strings from
    *    `ListAttachedRolePolicies`.
-   *  - `Policies` (inline policies with `PolicyDocument` bodies) is
-   *    intentionally omitted: surfacing names without bodies guarantees a
-   *    PolicyDocument-shaped drift on every role, and fetching every body
-   *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
-   *    v1 — drift detection on inline IAM policy bodies can ship in a
-   *    follow-up.
+   *  - `Policies` — inline policies surfaced as `[{PolicyName, PolicyDocument}]`.
+   *    `ListRolePolicies` for names + `GetRolePolicy` per name for the
+   *    body (URL-decoded + JSON-parsed). Ordering is reconciled against
+   *    state's `Policies` array (when supplied via the `properties`
+   *    parameter) so a state-vs-AWS positional compare doesn't fire false
+   *    drift purely from `ListRolePolicies` returning lexicographic order;
+   *    AWS-only policies (added via console) are appended at the end so
+   *    they still surface as drift via length / content mismatch.
    *  - `Tags` is surfaced via `ListRoleTags` (paginated). CDK's `aws:*`
    *    auto-tags are filtered out by `normalizeAwsTagsToCfn` so they don't
-   *    fire false-positive drift; the result key is omitted entirely when
-   *    AWS reports no user tags (matches `create()`'s behavior).
+   *    fire false-positive drift; always emitted (even when empty) so a
+   *    console-side tag ADD on an originally-untagged role surfaces as
+   *    drift on the v3 observedProperties baseline.
    *
    * Returns `undefined` when the role is gone (`NoSuchEntityException`).
    */
-  async readCurrentState(physicalId, _logicalId, _resourceType) {
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
     let role;
     try {
       const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
@@ -9136,9 +9146,7 @@ var IAMRoleProvider = class {
     }
     if (role.Path !== void 0)
       result["Path"] = role.Path;
-    if (role.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
-      result["PermissionsBoundary"] = role.PermissionsBoundary.PermissionsBoundaryArn;
-    }
+    result["PermissionsBoundary"] = role.PermissionsBoundary?.PermissionsBoundaryArn ?? "";
     if (role.AssumeRolePolicyDocument) {
       try {
         result["AssumeRolePolicyDocument"] = JSON.parse(
@@ -9158,6 +9166,59 @@ var IAMRoleProvider = class {
       if (!(err instanceof NoSuchEntityException))
         throw err;
     }
+    try {
+      const policyNames = [];
+      let policyMarker;
+      while (true) {
+        const listResp = await this.iamClient.send(
+          new ListRolePoliciesCommand({
+            RoleName: physicalId,
+            ...policyMarker ? { Marker: policyMarker } : {}
+          })
+        );
+        for (const name of listResp.PolicyNames ?? [])
+          policyNames.push(name);
+        if (!listResp.IsTruncated)
+          break;
+        policyMarker = listResp.Marker;
+      }
+      const bodies = /* @__PURE__ */ new Map();
+      await Promise.all(
+        policyNames.map(async (name) => {
+          const resp = await this.iamClient.send(
+            new GetRolePolicyCommand({ RoleName: physicalId, PolicyName: name })
+          );
+          if (!resp.PolicyDocument)
+            return;
+          let parsed;
+          try {
+            parsed = JSON.parse(decodeURIComponent(resp.PolicyDocument));
+          } catch {
+            parsed = resp.PolicyDocument;
+          }
+          bodies.set(name, parsed);
+        })
+      );
+      const statePolicies = properties?.["Policies"] ?? [];
+      const remaining = new Set(bodies.keys());
+      const inline = [];
+      for (const sp of statePolicies) {
+        const name = sp?.PolicyName;
+        if (typeof name !== "string")
+          continue;
+        if (bodies.has(name)) {
+          inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+          remaining.delete(name);
+        }
+      }
+      for (const name of [...remaining].sort()) {
+        inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+      }
+      result["Policies"] = inline;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
     try {
       const collected = [];
       let marker;
@@ -9185,18 +9246,6 @@ var IAMRoleProvider = class {
     }
     return result;
   }
-  /**
-   * `Policies` (inline policy bodies) are intentionally omitted from
-   * `readCurrentState`: surfacing the names without bodies would
-   * guarantee a `PolicyDocument`-shaped drift on every role, and
-   * fetching every body costs one extra `GetRolePolicy` per inline
-   * policy. Tell the drift comparator to skip the whole subtree until a
-   * dedicated PR adds proper inline-policy drift via per-name
-   * `GetRolePolicy`.
-   */
-  getDriftUnknownPaths() {
-    return ["Policies"];
-  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -9259,7 +9308,7 @@ import {
   DeleteGroupPolicyCommand,
   PutUserPolicyCommand,
   DeleteUserPolicyCommand,
-  GetRolePolicyCommand,
+  GetRolePolicyCommand as GetRolePolicyCommand2,
   GetGroupPolicyCommand,
   GetUserPolicyCommand,
   NoSuchEntityException as NoSuchEntityException2
@@ -9648,7 +9697,7 @@ var IAMPolicyProvider = class {
     try {
       if (roles && roles.length > 0) {
         const resp = await this.iamClient.send(
-          new GetRolePolicyCommand({ RoleName: roles[0], PolicyName: policyName })
+          new GetRolePolicyCommand2({ RoleName: roles[0], PolicyName: policyName })
         );
         liveDocument = this.decodePolicyDocument(resp.PolicyDocument);
       } else if (groups && groups.length > 0) {
@@ -10023,9 +10072,11 @@ import {
   PutUserPolicyCommand as PutUserPolicyCommand2,
   DeleteUserPolicyCommand as DeleteUserPolicyCommand2,
   ListUserPoliciesCommand,
+  GetUserPolicyCommand as GetUserPolicyCommand2,
   PutGroupPolicyCommand as PutGroupPolicyCommand2,
   DeleteGroupPolicyCommand as DeleteGroupPolicyCommand2,
   ListGroupPoliciesCommand,
+  GetGroupPolicyCommand as GetGroupPolicyCommand2,
   CreateLoginProfileCommand,
   UpdateLoginProfileCommand,
   AddUserToGroupCommand,
@@ -11052,17 +11103,21 @@ var IAMUserGroupProvider = class {
    * UserToGroupAddition in CFn-property shape.
    *
    *  - **AWS::IAM::User**: `GetUser` for `UserName`, `Path`,
-   *    `PermissionsBoundary` (re-shaped from `PermissionsBoundary.Arn`);
+   *    `PermissionsBoundary` (re-shaped from `PermissionsBoundary.Arn`,
+   *    always-emit `''` placeholder so console-side ADD on a user
+   *    deployed without a boundary surfaces as drift);
    *    `ListAttachedUserPolicies` for `ManagedPolicyArns`;
-   *    `ListGroupsForUser` for `Groups`. `Tags`, `LoginProfile`, and
-   *    `Policies` (inline policy bodies) are intentionally omitted —
-   *    same shape decisions as `iam-role-provider` (LoginProfile contains a
-   *    one-time password and inline policy bodies cost N extra round-trips
-   *    that are out of scope for v1).
+   *    `ListGroupsForUser` for `Groups`; `ListUserPolicies` +
+   *    `GetUserPolicy` per name for inline `Policies` (URL-decoded +
+   *    JSON-parsed, capped at IAM's documented 10-per-user limit, order
+   *    reconciled against state's `Policies` array). `Tags` and
+   *    `LoginProfile` remain omitted — Tags will land in a follow-up,
+   *    LoginProfile contains a one-time password we never want to surface
+   *    through drift.
    *  - **AWS::IAM::Group**: `GetGroup` for `GroupName`, `Path`;
-   *    `ListAttachedGroupPolicies` for `ManagedPolicyArns`. `Policies`
-   *    (inline policy bodies) is omitted for the same reason as User /
-   *    Role.
+   *    `ListAttachedGroupPolicies` for `ManagedPolicyArns`;
+   *    `ListGroupPolicies` + `GetGroupPolicy` per name for inline
+   *    `Policies`.
    *  - **AWS::IAM::UserToGroupAddition**: SKIPPED — returns `undefined`
    *    because the resource is metadata-only (group-membership attachments
    *    written via `AddUserToGroup`). A meaningful drift check would
@@ -11074,12 +11129,12 @@ var IAMUserGroupProvider = class {
    * Returns `undefined` when the user / group is gone
    * (`NoSuchEntityException`).
    */
-  async readCurrentState(physicalId, logicalId, resourceType) {
+  async readCurrentState(physicalId, logicalId, resourceType, properties) {
     switch (resourceType) {
       case "AWS::IAM::User":
-        return this.readUserCurrentState(physicalId);
+        return this.readUserCurrentState(physicalId, properties);
       case "AWS::IAM::Group":
-        return this.readGroupCurrentState(physicalId);
+        return this.readGroupCurrentState(physicalId, properties);
       case "AWS::IAM::UserToGroupAddition":
         return void 0;
       default:
@@ -11089,7 +11144,7 @@ var IAMUserGroupProvider = class {
         return void 0;
     }
   }
-  async readUserCurrentState(physicalId) {
+  async readUserCurrentState(physicalId, properties) {
     let user;
     try {
       const resp = await this.iamClient.send(new GetUserCommand({ UserName: physicalId }));
@@ -11106,9 +11161,7 @@ var IAMUserGroupProvider = class {
       result["UserName"] = user.UserName;
     if (user.Path !== void 0)
       result["Path"] = user.Path;
-    if (user.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
-      result["PermissionsBoundary"] = user.PermissionsBoundary.PermissionsBoundaryArn;
-    }
+    result["PermissionsBoundary"] = user.PermissionsBoundary?.PermissionsBoundaryArn ?? "";
     try {
       const attached = await this.iamClient.send(
         new ListAttachedUserPoliciesCommand({ UserName: physicalId })
@@ -11129,9 +11182,20 @@ var IAMUserGroupProvider = class {
       if (!(err instanceof NoSuchEntityException4))
         throw err;
     }
+    try {
+      const inline = await this.collectInlinePolicies(
+        "user",
+        physicalId,
+        properties?.["Policies"] ?? []
+      );
+      result["Policies"] = inline;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
     return result;
   }
-  async readGroupCurrentState(physicalId) {
+  async readGroupCurrentState(physicalId, properties) {
     let group;
     try {
       const resp = await this.iamClient.send(new GetGroupCommand({ GroupName: physicalId }));
@@ -11158,8 +11222,83 @@ var IAMUserGroupProvider = class {
       if (!(err instanceof NoSuchEntityException4))
         throw err;
     }
+    try {
+      const inline = await this.collectInlinePolicies(
+        "group",
+        physicalId,
+        properties?.["Policies"] ?? []
+      );
+      result["Policies"] = inline;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException4))
+        throw err;
+    }
     return result;
   }
+  /**
+   * Shared inline-policy fetcher for User / Group readCurrentState.
+   * Mirrors `IAMRoleProvider.readCurrentState`'s inline-policy handling:
+   * paginated `List*Policies` for names → parallel `Get*Policy` per name
+   * for bodies (URL-decoded + JSON-parsed) → reconcile order against
+   * `statePolicies` so a positional compare doesn't fire false drift on
+   * the lexicographic order returned by AWS.
+   */
+  async collectInlinePolicies(kind, physicalId, statePolicies) {
+    const policyNames = [];
+    let marker;
+    while (true) {
+      const listResp = kind === "user" ? await this.iamClient.send(
+        new ListUserPoliciesCommand({
+          UserName: physicalId,
+          ...marker ? { Marker: marker } : {}
+        })
+      ) : await this.iamClient.send(
+        new ListGroupPoliciesCommand({
+          GroupName: physicalId,
+          ...marker ? { Marker: marker } : {}
+        })
+      );
+      for (const name of listResp.PolicyNames ?? [])
+        policyNames.push(name);
+      if (!listResp.IsTruncated)
+        break;
+      marker = listResp.Marker;
+    }
+    const bodies = /* @__PURE__ */ new Map();
+    await Promise.all(
+      policyNames.map(async (name) => {
+        const resp = kind === "user" ? await this.iamClient.send(
+          new GetUserPolicyCommand2({ UserName: physicalId, PolicyName: name })
+        ) : await this.iamClient.send(
+          new GetGroupPolicyCommand2({ GroupName: physicalId, PolicyName: name })
+        );
+        if (!resp.PolicyDocument)
+          return;
+        let parsed;
+        try {
+          parsed = JSON.parse(decodeURIComponent(resp.PolicyDocument));
+        } catch {
+          parsed = resp.PolicyDocument;
+        }
+        bodies.set(name, parsed);
+      })
+    );
+    const remaining = new Set(bodies.keys());
+    const inline = [];
+    for (const sp of statePolicies) {
+      const name = sp?.PolicyName;
+      if (typeof name !== "string")
+        continue;
+      if (bodies.has(name)) {
+        inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+        remaining.delete(name);
+      }
+    }
+    for (const name of [...remaining].sort()) {
+      inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+    }
+    return inline;
+  }
   // ─── Import dispatch ──────────────────────────────────────────────
   /**
    * Adopt an existing IAM user / group / user-to-group addition into cdkd state.
@@ -15700,6 +15839,7 @@ import {
   DeleteEventSourceMappingCommand,
   UpdateEventSourceMappingCommand,
   GetEventSourceMappingCommand,
+  ListTagsCommand as ListTagsCommand2,
   TagResourceCommand as TagResourceCommand3,
   UntagResourceCommand as UntagResourceCommand3,
   ResourceNotFoundException as ResourceNotFoundException4
@@ -16013,21 +16153,24 @@ var LambdaEventSourceMappingProvider = class {
    * `LastProcessingResult`, `State`, `StateTransitionReason`,
    * `EventSourceMappingArn`) are filtered at the wire layer.
    *
-   * `FunctionName` is surfaced as the AWS `FunctionArn` (which is what
-   * `GetEventSourceMapping` returns) — cdkd state typically holds this
-   * resolved ARN form already after intrinsic resolution. The drift
-   * comparator can match against both forms when state holds a name vs an
-   * ARN; mismatched-shape false positives are out of scope for v1.
+   * `FunctionName`: AWS's `GetEventSourceMapping` always returns the
+   * resolved ARN. cdkd state typically holds the same ARN after intrinsic
+   * resolution, but a hand-authored state might carry the bare function
+   * name. We surface the form that matches state when possible: if the
+   * `properties?.FunctionName` is the bare name AND the AWS-current
+   * ARN's last segment matches that name, emit the bare name; otherwise
+   * emit the ARN. (The two forms address the same Lambda function — the
+   * shape-mismatch was the only reason a clean run fired drift.)
    *
-   * `Tags` is omitted: cdkd `create()` reshapes CFn tag arrays into a
-   * tags map at create time, but `GetEventSourceMapping` does not return
-   * tags (`ListTags(Resource: arn)` does). Same shape-decision rationale
-   * as Lambda function tags drift — out of scope for v1.
+   * `Tags` are surfaced via a follow-up `ListTags(Resource=<ESM ARN>)`
+   * call. Always-emit `[]` so a console-side tag ADD on a previously-
+   * untagged event source mapping is detectable on the v3
+   * observedProperties baseline.
    *
    * Returns `undefined` when the mapping is gone
    * (`ResourceNotFoundException`).
    */
-  async readCurrentState(physicalId, _logicalId, _resourceType) {
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
     let resp;
     try {
       resp = await this.lambdaClient.send(new GetEventSourceMappingCommand({ UUID: physicalId }));
@@ -16037,8 +16180,15 @@ var LambdaEventSourceMappingProvider = class {
       throw err;
     }
     const result = {};
-    if (resp.FunctionArn !== void 0)
-      result["FunctionName"] = resp.FunctionArn;
+    if (resp.FunctionArn !== void 0) {
+      const stateFn = properties?.["FunctionName"];
+      const arnTail = resp.FunctionArn.split(":").pop();
+      if (typeof stateFn === "string" && !stateFn.includes(":") && stateFn === arnTail) {
+        result["FunctionName"] = stateFn;
+      } else {
+        result["FunctionName"] = resp.FunctionArn;
+      }
+    }
     if (resp.EventSourceArn !== void 0)
       result["EventSourceArn"] = resp.EventSourceArn;
     if (resp.BatchSize !== void 0)
@@ -16097,6 +16247,20 @@ var LambdaEventSourceMappingProvider = class {
       const enabled = resp.State === "Enabled" || resp.State === "Enabling" || resp.State === "Updating";
       result["Enabled"] = enabled;
     }
+    let tags = [];
+    if (resp.EventSourceMappingArn) {
+      try {
+        const tagsResp = await this.lambdaClient.send(
+          new ListTagsCommand2({ Resource: resp.EventSourceMappingArn })
+        );
+        const tagMap = tagsResp.Tags ?? {};
+        tags = Object.entries(tagMap).filter(([k]) => !k.startsWith("aws:")).map(([Key, Value]) => ({ Key, Value })).sort((a, b) => a.Key.localeCompare(b.Key));
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException4)
+          return void 0;
+      }
+    }
+    result["Tags"] = tags;
     return result;
   }
   /**
@@ -16128,7 +16292,7 @@ import {
   DeleteLayerVersionCommand,
   GetLayerVersionByArnCommand,
   ListLayersCommand,
-  ListTagsCommand as ListTagsCommand2,
+  ListTagsCommand as ListTagsCommand3,
   ResourceNotFoundException as ResourceNotFoundException5
 } from "@aws-sdk/client-lambda";
 init_aws_clients();
@@ -16387,7 +16551,7 @@ var LambdaLayerVersionProvider = class {
           continue;
         try {
           const tagsResp = await this.lambdaClient.send(
-            new ListTagsCommand2({ Resource: layer.LayerArn })
+            new ListTagsCommand3({ Resource: layer.LayerArn })
           );
           if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
             return {
@@ -16866,7 +17030,9 @@ var DynamoDBTableProvider = class {
 import {
   CreateLogGroupCommand,
   DeleteLogGroupCommand,
+  DescribeIndexPoliciesCommand,
   DescribeLogGroupsCommand,
+  GetDataProtectionPolicyCommand,
   ListTagsForResourceCommand as ListTagsForResourceCommand2,
   PutRetentionPolicyCommand,
   DeleteRetentionPolicyCommand,
@@ -17108,19 +17274,6 @@ var LogsLogGroupProvider = class {
     }
     return this.buildArn(physicalId);
   }
-  /**
-   * Drift comparator skip-list: properties readCurrentState deliberately
-   * cannot round-trip from AWS yet. `DataProtectionPolicy` lives behind
-   * its own `GetDataProtectionPolicy` API call (not in
-   * `DescribeLogGroups` output) — declaring it here prevents
-   * guaranteed false-positive drift on every clean run for log groups
-   * deployed with a data-protection policy. Lifting this guard requires
-   * a per-group `GetDataProtectionPolicy` round-trip in
-   * `readCurrentState`.
-   */
-  getDriftUnknownPaths() {
-    return ["DataProtectionPolicy"];
-  }
   /**
    * Read the AWS-current log group configuration in CFn-property shape.
    *
@@ -17131,10 +17284,26 @@ var LogsLogGroupProvider = class {
    * `RetentionInDays`).
    *
    * Coverage: `LogGroupName`, `KmsKeyId`, `RetentionInDays`,
-   * `LogGroupClass`, `Tags`. Other handledProperties (`DataProtectionPolicy`,
-   * `FieldIndexPolicies`, `ResourcePolicyDocument`,
-   * `DeletionProtectionEnabled`, `BearerTokenAuthenticationEnabled`) need
-   * their own per-property API call and are out of scope for v1.
+   * `LogGroupClass`, `Tags`, `DataProtectionPolicy` (via
+   * `GetDataProtectionPolicy`, JSON-parsed back to the object form
+   * cdkd state holds), `DeletionProtectionEnabled` and
+   * `BearerTokenAuthenticationEnabled` (both surfaced directly from
+   * `DescribeLogGroups` — the SDK's LogGroup type carries them as
+   * `deletionProtectionEnabled` / `bearerTokenAuthenticationEnabled`),
+   * and `FieldIndexPolicies` (via `DescribeIndexPolicies`, filtered to
+   * log-group-level policies and JSON-parsed). Still out of scope:
+   * `ResourcePolicyDocument` (managed by the separate
+   * `AWS::Logs::ResourcePolicy` resource type — account-wide, not
+   * per-log-group).
+   *
+   * Known limitation: cdkd's `create()` / `update()` flows do NOT yet
+   * apply `FieldIndexPolicies` / `DeletionProtectionEnabled` /
+   * `BearerTokenAuthenticationEnabled` — they're in `handledProperties`
+   * to prevent CC API fallback but no actual `PutIndexPolicy` /
+   * `PutLogGroupDeletionProtection` / `PutBearerTokenAuthentication`
+   * calls fire. Surfacing these in `readCurrentState` means a user
+   * who templates them will see drift on the first run; a follow-up
+   * needs to wire the create/update flow.
    *
    * Tags are read via `ListTagsForResource` (using the log-group ARN from
    * the same `DescribeLogGroups` response). CDK's `aws:*` auto-tags are
@@ -17158,6 +17327,8 @@ var LogsLogGroupProvider = class {
       result["RetentionInDays"] = found.retentionInDays ?? 0;
       if (found.logGroupClass !== void 0)
         result["LogGroupClass"] = found.logGroupClass;
+      result["DeletionProtectionEnabled"] = found.deletionProtectionEnabled ?? false;
+      result["BearerTokenAuthenticationEnabled"] = found.bearerTokenAuthenticationEnabled ?? false;
       let tags = [];
       if (found.arn) {
         const arnForTags = found.arn.replace(/:\*$/, "");
@@ -17173,6 +17344,39 @@ var LogsLogGroupProvider = class {
         }
       }
       result["Tags"] = tags;
+      let dpp = "";
+      try {
+        const dppResp = await this.logsClient.send(
+          new GetDataProtectionPolicyCommand({ logGroupIdentifier: physicalId })
+        );
+        if (dppResp.policyDocument) {
+          try {
+            dpp = JSON.parse(dppResp.policyDocument);
+          } catch {
+            dpp = dppResp.policyDocument;
+          }
+        }
+      } catch {
+      }
+      result["DataProtectionPolicy"] = dpp;
+      let fieldIndexPolicies = [];
+      try {
+        const idxResp = await this.logsClient.send(
+          new DescribeIndexPoliciesCommand({ logGroupIdentifiers: [physicalId] })
+        );
+        const logGroupLevel = (idxResp.indexPolicies ?? []).filter((p) => p.source !== "ACCOUNT");
+        fieldIndexPolicies = logGroupLevel.map((p) => {
+          if (!p.policyDocument)
+            return void 0;
+          try {
+            return JSON.parse(p.policyDocument);
+          } catch {
+            return p.policyDocument;
+          }
+        }).filter((p) => p !== void 0);
+      } catch {
+      }
+      result["FieldIndexPolicies"] = fieldIndexPolicies;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException7)
@@ -18246,10 +18450,21 @@ var SSMParameterProvider = class {
    *
    * `Name` is set to the physical id. `Tags` is surfaced via a follow-up
    * `ListTagsForResource(ResourceType=Parameter)` call, with CDK's `aws:*`
-   * auto-tags filtered out. `Policies` is intentionally out of scope:
-   * `DescribeParameters.Policies` returns a structured array but cdkd state
-   * holds the raw JSON string the user typed — comparing the two accurately
-   * needs more work.
+   * auto-tags filtered out.
+   *
+   * `Policies` is surfaced from the same `DescribeParameters` response.
+   * AWS returns `Parameters[0].Policies` as
+   * `[{PolicyText, PolicyType, PolicyStatus}]`; cdkd state holds a JSON
+   * string of the user-templated policy array (CFn's documented shape).
+   * To compare cleanly we parse each `PolicyText` (itself JSON) into
+   * objects, drop the AWS-managed `PolicyStatus` (Pending / InSync /
+   * Expired), and emit the parsed object array. On the v3
+   * `observedProperties` baseline this matches `observedProperties` (which
+   * stored our parsed output at deploy time) exactly. On the v2 fallback
+   * baseline (state.properties = JSON string) the comparator reports a
+   * one-time drift on first run; users resolve via
+   * `cdkd state refresh-observed`. Always-emit `[]` placeholder for
+   * console-side ADD detection.
    *
    * **Note**: For `SecureString` parameters, AWS returns the encrypted
    * blob in `Value` (we pass `WithDecryption: false`). cdkd state usually
@@ -18281,6 +18496,7 @@ var SSMParameterProvider = class {
       result["Value"] = param.Value;
     if (param.DataType !== void 0)
       result["DataType"] = param.DataType;
+    let policiesEmitted = false;
     try {
       const desc = await this.ssmClient.send(
         new DescribeParametersCommand({
@@ -18293,8 +18509,22 @@ var SSMParameterProvider = class {
       if (meta?.Tier !== void 0) {
         result["Tier"] = meta.Tier;
       }
+      const parsedPolicies = [];
+      for (const p of meta?.Policies ?? []) {
+        if (!p.PolicyText)
+          continue;
+        try {
+          parsedPolicies.push(JSON.parse(p.PolicyText));
+        } catch {
+          parsedPolicies.push(p.PolicyText);
+        }
+      }
+      result["Policies"] = parsedPolicies;
+      policiesEmitted = true;
     } catch {
     }
+    if (!policiesEmitted)
+      result["Policies"] = [];
     try {
       const tagsResp = await this.ssmClient.send(
         new ListTagsForResourceCommand4({
@@ -24782,10 +25012,13 @@ var AgentCoreRuntimeProvider = class {
    *
    * `ProtocolConfiguration` parity: `create()` accepts a CFn-style string
    * (`"HTTP"`) and converts it to `{serverProtocol: "HTTP"}` for the SDK.
-   * The SDK returns the object form. We surface the object form here; if
-   * cdkd state holds the original string the comparator will report drift
-   * — users can inspect and dismiss this case manually. (A more elaborate
-   * shape negotiation belongs in a follow-up that knows about both forms.)
+   * The SDK returns the object form. We surface the **string form** here
+   * (extract `serverProtocol` from the SDK object) since CFn's
+   * `AWS::BedrockAgentCore::Runtime.ProtocolConfiguration` is documented
+   * as a string and that's what cdkd state typically holds after CDK
+   * synth. If state happens to carry the object form (legacy / hand-
+   * authored), the comparator will report a one-time drift the user can
+   * resolve via `cdkd state refresh-observed`.
    *
    * `ClientToken` is omitted: AWS does not surface it back via
    * `GetAgentRuntime` (it's an idempotency token only meaningful at create
@@ -24820,7 +25053,13 @@ var AgentCoreRuntimeProvider = class {
       result["AuthorizerConfiguration"] = camelToPascalCaseKeys(resp.authorizerConfiguration);
     }
     if (resp.protocolConfiguration !== void 0) {
-      result["ProtocolConfiguration"] = camelToPascalCaseKeys(resp.protocolConfiguration);
+      const proto = resp.protocolConfiguration;
+      const keys = Object.keys(proto);
+      if (keys.length === 1 && keys[0] === "serverProtocol" && typeof proto["serverProtocol"] === "string") {
+        result["ProtocolConfiguration"] = proto["serverProtocol"];
+      } else {
+        result["ProtocolConfiguration"] = camelToPascalCaseKeys(resp.protocolConfiguration);
+      }
     }
     if (resp.lifecycleConfiguration !== void 0) {
       result["LifecycleConfiguration"] = camelToPascalCaseKeys(resp.lifecycleConfiguration);
@@ -26406,6 +26645,7 @@ import {
   CreateLoadBalancerCommand,
   DeleteLoadBalancerCommand,
   DescribeLoadBalancersCommand as DescribeLoadBalancersCommand2,
+  DescribeLoadBalancerAttributesCommand,
   CreateTargetGroupCommand,
   DeleteTargetGroupCommand,
   ModifyTargetGroupCommand,
@@ -26498,7 +26738,13 @@ var ELBv2Provider = class {
   async update(logicalId, physicalId, resourceType, properties, previousProperties) {
     switch (resourceType) {
       case "AWS::ElasticLoadBalancingV2::LoadBalancer":
-        return this.updateLoadBalancer(logicalId, physicalId, resourceType, properties);
+        return this.updateLoadBalancer(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
       case "AWS::ElasticLoadBalancingV2::TargetGroup":
         return this.updateTargetGroup(
           logicalId,
@@ -26603,14 +26849,44 @@ var ELBv2Provider = class {
       );
     }
   }
-  updateLoadBalancer(logicalId, _physicalId, _resourceType, _properties) {
-    return Promise.reject(
-      new ResourceUpdateNotSupportedError(
+  async updateLoadBalancer(logicalId, physicalId, _resourceType, properties, previousProperties) {
+    const newAttrs = properties["LoadBalancerAttributes"] ?? [];
+    const oldAttrs = previousProperties["LoadBalancerAttributes"] ?? [];
+    const stripAttrs = (p) => {
+      const { LoadBalancerAttributes: _, ...rest } = p;
+      return rest;
+    };
+    if (JSON.stringify(stripAttrs(properties)) !== JSON.stringify(stripAttrs(previousProperties))) {
+      throw new ResourceUpdateNotSupportedError(
         "AWS::ElasticLoadBalancingV2::LoadBalancer",
         logicalId,
-        "ELBv2 LoadBalancer in-place updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-      )
-    );
+        "ELBv2 LoadBalancer in-place updates are only supported for LoadBalancerAttributes; for Name / Type / Scheme / Subnets / SecurityGroups / IpAddressType / Tags, re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+      );
+    }
+    const newMap = new Map(newAttrs.map((a) => [a.Key, a.Value]));
+    const oldMap = new Map(oldAttrs.map((a) => [a.Key, a.Value]));
+    const submitted = [];
+    for (const [k, v] of newMap) {
+      if (oldMap.get(k) !== v)
+        submitted.push({ Key: k, Value: v });
+    }
+    for (const [k] of oldMap) {
+      if (!newMap.has(k))
+        submitted.push({ Key: k, Value: "" });
+    }
+    if (submitted.length > 0) {
+      const { ModifyLoadBalancerAttributesCommand } = await import("@aws-sdk/client-elastic-load-balancing-v2");
+      await this.getClient().send(
+        new ModifyLoadBalancerAttributesCommand({
+          LoadBalancerArn: physicalId,
+          Attributes: submitted
+        })
+      );
+      this.logger.debug(
+        `Applied ${submitted.length} LoadBalancerAttributes change(s) for ${logicalId}`
+      );
+    }
+    return { physicalId, wasReplaced: false };
   }
   async deleteLoadBalancer(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting LoadBalancer ${logicalId}: ${physicalId}`);
@@ -26956,10 +27232,12 @@ var ELBv2Provider = class {
    * Dispatch per resource type:
    *  - `LoadBalancer` → `DescribeLoadBalancers` (Name, Subnets via
    *    `AvailabilityZones[].SubnetId`, SecurityGroups, Scheme, Type,
-   *    IpAddressType). LoadBalancerAttributes is omitted for v1 — it
-   *    requires a separate `DescribeLoadBalancerAttributes` call and the
-   *    drift comparator only descends into keys present in state, so an
-   *    absent key cannot fire false drift.
+   *    IpAddressType) plus `DescribeLoadBalancerAttributes` for the full
+   *    `LoadBalancerAttributes` `[{Key, Value}]` array (sorted by Key for
+   *    stable positional compare). AWS returns every attribute valid for
+   *    this LB type including defaults the user did not template; on the
+   *    v3 observedProperties baseline that's load-bearing — a console-side
+   *    change to ANY attribute (templated or not) surfaces as drift.
    *  - `TargetGroup` → `DescribeTargetGroups` (Protocol, Port, VpcId,
    *    TargetType, ProtocolVersion, HealthCheck*, Matcher, Name).
    *  - `Listener` → `DescribeListeners` (LoadBalancerArn, Certificates,
@@ -27009,6 +27287,18 @@ var ELBv2Provider = class {
       result["Type"] = lb.Type;
     if (lb.IpAddressType !== void 0)
       result["IpAddressType"] = lb.IpAddressType;
+    try {
+      const attrsResp = await this.getClient().send(
+        new DescribeLoadBalancerAttributesCommand({ LoadBalancerArn: physicalId })
+      );
+      const attrs = (attrsResp.Attributes ?? []).filter(
+        (a) => typeof a.Key === "string" && typeof a.Value === "string"
+      ).map((a) => ({ Key: a.Key, Value: a.Value })).sort((a, b) => a.Key.localeCompare(b.Key));
+      result["LoadBalancerAttributes"] = attrs;
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+    }
     await this.attachTags(result, physicalId);
     return result;
   }
@@ -28889,8 +29179,10 @@ var Route53Provider = class {
    *    PrivateZone}, VPCs from `VPCs[]`, HostedZoneTags via
    *    `ListTagsForResource(ResourceType=hostedzone, ResourceId=<idTail>)`
    *    with `aws:*` filtered out and the key omitted when empty).
-   *    QueryLoggingConfig is skipped because it's a separate
-   *    `ListQueryLoggingConfigs` call and the v1 surface does not surface it.
+   *    QueryLoggingConfig is surfaced via a follow-up
+   *    `ListQueryLoggingConfigs(HostedZoneId)` (filter to the one
+   *    config per zone — CFn enforces 0 or 1 — and reshape
+   *    `CloudWatchLogsLogGroupArn` to match cdkd state).
    *  - `RecordSet` → `ListResourceRecordSets` filtered to the exact
    *    `(name, type)` pair from the composite physicalId
    *    (`{zoneId}|{name}|{type}`). Surfaces TTL, ResourceRecords (with
@@ -28955,6 +29247,24 @@ var Route53Provider = class {
         `Route53 ListTagsForResource(${idTail}) failed: ${err instanceof Error ? err.message : String(err)}`
       );
     }
+    try {
+      const qlcResp = await this.getClient().send(
+        new ListQueryLoggingConfigsCommand({ HostedZoneId: idTail })
+      );
+      const qlc = qlcResp.QueryLoggingConfigs?.[0];
+      if (qlc?.CloudWatchLogsLogGroupArn) {
+        result["QueryLoggingConfig"] = {
+          CloudWatchLogsLogGroupArn: qlc.CloudWatchLogsLogGroupArn
+        };
+      } else {
+        result["QueryLoggingConfig"] = {};
+      }
+    } catch (err) {
+      this.logger.debug(
+        `Route53 ListQueryLoggingConfigs(${idTail}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      result["QueryLoggingConfig"] = {};
+    }
     return result;
   }
   async readRecordSet(physicalId) {
@@ -32726,6 +33036,8 @@ import {
   KMSClient as KMSClient2,
   CreateKeyCommand,
   DescribeKeyCommand,
+  GetKeyPolicyCommand,
+  GetKeyRotationStatusCommand,
   ListAliasesCommand as ListAliasesCommand2,
   ListKeysCommand,
   ListResourceTagsCommand,
@@ -33193,6 +33505,36 @@ var KMSProvider = class {
     if (md.Origin !== void 0)
       result["Origin"] = md.Origin;
     if (md.KeyId) {
+      try {
+        const policyResp = await this.getClient().send(
+          new GetKeyPolicyCommand({ KeyId: md.KeyId, PolicyName: "default" })
+        );
+        if (policyResp.Policy) {
+          try {
+            result["KeyPolicy"] = JSON.parse(policyResp.Policy);
+          } catch {
+            result["KeyPolicy"] = policyResp.Policy;
+          }
+        }
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return void 0;
+      }
+      const isSymmetric = md.KeySpec === void 0 || md.KeySpec === "SYMMETRIC_DEFAULT";
+      if (isSymmetric) {
+        try {
+          const rotationResp = await this.getClient().send(
+            new GetKeyRotationStatusCommand({ KeyId: md.KeyId })
+          );
+          result["EnableKeyRotation"] = rotationResp.KeyRotationEnabled ?? false;
+          if (rotationResp.RotationPeriodInDays !== void 0) {
+            result["RotationPeriodInDays"] = rotationResp.RotationPeriodInDays;
+          }
+        } catch (err) {
+          if (err instanceof NotFoundException5)
+            return void 0;
+        }
+      }
       try {
         const tagsResp = await this.getClient().send(
           new ListResourceTagsCommand({ KeyId: md.KeyId })
@@ -33211,28 +33553,17 @@ var KMSProvider = class {
    * drift comparator skips them instead of firing guaranteed false-
    * positive drift on every clean run.
    *
-   *  - `KeyPolicy`: cdkd does NOT call `GetKeyPolicy` in `readCurrentState`.
-   *    The policy body needs JSON parsing for comparison and a separate
-   *    SDK call; deferred to a follow-up. Until then, any user who
-   *    templates `KeyPolicy` would see guaranteed drift.
-   *  - `EnableKeyRotation` / `RotationPeriodInDays`: cdkd does NOT call
-   *    `GetKeyRotationStatus`. Same reason — deferred to a follow-up.
-   *    `EnableKeyRotation` is also a Class 1 candidate (only valid for
-   *    `KeySpec=SYMMETRIC_DEFAULT`); when we lift this gap the read side
-   *    must gate the emit on the discriminator.
    *  - `BypassPolicyLockoutSafetyCheck` / `PendingWindowInDays`: not part
    *    of the persisted AWS state visible via `DescribeKey` — both are
    *    create / delete-time-only inputs.
+   *
+   * `KeyPolicy`, `EnableKeyRotation`, and `RotationPeriodInDays` are now
+   * read by `readCurrentState` (`GetKeyPolicy` and `GetKeyRotationStatus`
+   * respectively), so they no longer need to be declared here.
    */
   getDriftUnknownPaths(resourceType) {
     if (resourceType === "AWS::KMS::Key") {
-      return [
-        "KeyPolicy",
-        "EnableKeyRotation",
-        "RotationPeriodInDays",
-        "BypassPolicyLockoutSafetyCheck",
-        "PendingWindowInDays"
-      ];
+      return ["BypassPolicyLockoutSafetyCheck", "PendingWindowInDays"];
     }
     return [];
   }
@@ -33821,6 +34152,7 @@ import {
   DescribeAccessPointsCommand,
   DescribeLifecycleConfigurationCommand,
   DescribeBackupPolicyCommand,
+  DescribeMountTargetSecurityGroupsCommand,
   FileSystemNotFound,
   MountTargetNotFound,
   AccessPointNotFound
@@ -34247,8 +34579,10 @@ var EFSProvider = class {
    *    the corresponding key without failing the whole snapshot.
    *  - `AccessPoint` → `DescribeAccessPoints` filtered by id (PosixUser,
    *    RootDirectory).
-   *  - `MountTarget` → `DescribeMountTargets` (FileSystemId, SubnetId).
-   *    SecurityGroups requires a separate call and is omitted for v1.
+   *  - `MountTarget` → `DescribeMountTargets` (FileSystemId, SubnetId)
+   *    plus `DescribeMountTargetSecurityGroups` for the SG list (always-
+   *    emit `[]` when AWS reports none so a console-side ADD on a
+   *    previously-unconfigured mount target is detectable).
    *
    * `FileSystemTags` (the CFn property name on `AWS::EFS::FileSystem`) is
    * surfaced from the same `DescribeFileSystems` response — `aws:*`
@@ -34405,6 +34739,17 @@ var EFSProvider = class {
       result["FileSystemId"] = mt.FileSystemId;
     if (mt.SubnetId !== void 0)
       result["SubnetId"] = mt.SubnetId;
+    let securityGroups = [];
+    try {
+      const sgResp = await this.getClient().send(
+        new DescribeMountTargetSecurityGroupsCommand({ MountTargetId: physicalId })
+      );
+      securityGroups = (sgResp.SecurityGroups ?? []).filter(
+        (s) => typeof s === "string"
+      );
+    } catch {
+    }
+    result["SecurityGroups"] = securityGroups;
     return result;
   }
   /**
@@ -35014,8 +35359,9 @@ import {
   GetTrailCommand,
   GetTrailStatusCommand,
   GetEventSelectorsCommand,
+  GetInsightSelectorsCommand,
   ListTrailsCommand,
-  ListTagsCommand as ListTagsCommand3,
+  ListTagsCommand as ListTagsCommand4,
   AddTagsCommand as AddTagsCommand2,
   RemoveTagsCommand as RemoveTagsCommand2,
   TrailNotFoundException
@@ -35186,15 +35532,13 @@ var CloudTrailProvider = class {
       const newInsightSelectors = properties["InsightSelectors"];
       const oldInsightSelectors = previousProperties["InsightSelectors"];
       if (JSON.stringify(newInsightSelectors) !== JSON.stringify(oldInsightSelectors)) {
-        if (newInsightSelectors && newInsightSelectors.length > 0) {
-          this.logger.debug(`Updating insight selectors for CloudTrail Trail ${logicalId}`);
-          await this.getClient().send(
-            new PutInsightSelectorsCommand({
-              TrailName: physicalId,
-              InsightSelectors: newInsightSelectors
-            })
-          );
-        }
+        this.logger.debug(`Updating insight selectors for CloudTrail Trail ${logicalId}`);
+        await this.getClient().send(
+          new PutInsightSelectorsCommand({
+            TrailName: physicalId,
+            InsightSelectors: newInsightSelectors ?? []
+          })
+        );
       }
       const oldIsLogging = previousProperties["IsLogging"];
       if (isLogging !== oldIsLogging) {
@@ -35327,8 +35671,10 @@ var CloudTrailProvider = class {
    * auto-tags are filtered out and the result key is omitted when AWS
    * reports no user tags.
    *
-   * `InsightSelectors` is skipped for v1 (separate call + shape mapping
-   * still TBD).
+   * `InsightSelectors` is surfaced via a follow-up `GetInsightSelectors`
+   * call — same shape on both sides (`[{InsightType}]`). The key is
+   * always emitted (`[]` when AWS reports none) so a console-side ADD
+   * is detectable on the v3 observedProperties baseline.
    *
    * Returns `undefined` when the trail is gone (`TrailNotFoundException`).
    */
@@ -35377,11 +35723,22 @@ var CloudTrailProvider = class {
       }
     } catch {
     }
+    let insightSelectors = [];
+    try {
+      const insight = await this.getClient().send(
+        new GetInsightSelectorsCommand({ TrailName: physicalId })
+      );
+      insightSelectors = (insight.InsightSelectors ?? []).map((s) => ({
+        ...s.InsightType !== void 0 && { InsightType: s.InsightType }
+      }));
+    } catch {
+    }
+    result["InsightSelectors"] = insightSelectors;
     let tags = [];
     if (trail.TrailARN) {
       try {
         const tagsResp = await this.getClient().send(
-          new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
+          new ListTagsCommand4({ ResourceIdList: [trail.TrailARN] })
         );
         tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagList?.[0]?.TagsList);
       } catch (err) {
@@ -35417,7 +35774,7 @@ var CloudTrailProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
+            new ListTagsCommand4({ ResourceIdList: [trail.TrailARN] })
           );
           const list2 = tagsResp.ResourceTagList?.[0];
           if (matchesCdkPath(list2?.TagsList, input.cdkPath)) {
@@ -35720,12 +36077,21 @@ var CodeBuildProvider = class {
    *
    * Issues `BatchGetProjects` and re-shapes the SDK's camelCase response back
    * to CFn's PascalCase shape (the `mapProperties` helper above goes the
-   * other way at create time). The drift comparator only descends into
-   * keys present in cdkd state, so we focus on the high-value top-level
-   * fields and the most commonly-set `Source` / `Artifacts` /
-   * `Environment` sub-fields. Less common nested config (full
-   * `LogsConfig`, `VpcConfig` rebuild, secondary sources/artifacts, etc.)
-   * is left to a follow-up — surfacing them with a partial shape would
+   * other way at create time). Coverage targets every user-controllable
+   * top-level field via the always-emit pattern (PR #145):
+   *  - `Source` / `Artifacts` / `Environment` (with `EnvironmentVariables`
+   *    sub-array): full reshape to CFn shape.
+   *  - `LogsConfig` (`CloudWatchLogs` + `S3Logs` sub-shapes): always-emit
+   *    placeholder so a console-side enable on a previously-default
+   *    project surfaces as drift.
+   *  - `VpcConfig` (VpcId / Subnets / SecurityGroupIds): always-emit
+   *    placeholder.
+   *  - `Cache` (Type / Location / Modes): always-emit placeholder.
+   *
+   * Still v1-omitted (known gaps, follow-up): `SecondarySources` /
+   * `SecondaryArtifacts` / `SecondarySourceVersions` / `FileSystemLocations` /
+   * `Triggers` / `BuildBatchConfig` / `ResourceAccessRole`. These are
+   * rarely set in practice and surfacing them with partial shape would
    * fire false drift on every project that uses them.
    *
    * Tags are surfaced from the same `BatchGetProjects` response (CodeBuild
@@ -35840,6 +36206,143 @@ var CodeBuildProvider = class {
       });
       result["Environment"] = env;
     }
+    {
+      const logs = {};
+      const cw = {
+        Status: project.logsConfig?.cloudWatchLogs?.status ?? "ENABLED"
+      };
+      if (project.logsConfig?.cloudWatchLogs?.groupName !== void 0) {
+        cw["GroupName"] = project.logsConfig.cloudWatchLogs.groupName;
+      }
+      if (project.logsConfig?.cloudWatchLogs?.streamName !== void 0) {
+        cw["StreamName"] = project.logsConfig.cloudWatchLogs.streamName;
+      }
+      logs["CloudWatchLogs"] = cw;
+      const s3 = {
+        Status: project.logsConfig?.s3Logs?.status ?? "DISABLED"
+      };
+      if (project.logsConfig?.s3Logs?.location !== void 0) {
+        s3["Location"] = project.logsConfig.s3Logs.location;
+      }
+      if (project.logsConfig?.s3Logs?.encryptionDisabled !== void 0) {
+        s3["EncryptionDisabled"] = project.logsConfig.s3Logs.encryptionDisabled;
+      }
+      if (project.logsConfig?.s3Logs?.bucketOwnerAccess !== void 0) {
+        s3["BucketOwnerAccess"] = project.logsConfig.s3Logs.bucketOwnerAccess;
+      }
+      logs["S3Logs"] = s3;
+      result["LogsConfig"] = logs;
+    }
+    if (project.vpcConfig?.vpcId !== void 0) {
+      const vpc = { VpcId: project.vpcConfig.vpcId };
+      vpc["Subnets"] = project.vpcConfig.subnets ?? [];
+      vpc["SecurityGroupIds"] = project.vpcConfig.securityGroupIds ?? [];
+      result["VpcConfig"] = vpc;
+    } else {
+      result["VpcConfig"] = {};
+    }
+    {
+      const cache2 = {
+        Type: project.cache?.type ?? "NO_CACHE"
+      };
+      if (project.cache?.location !== void 0)
+        cache2["Location"] = project.cache.location;
+      if (project.cache?.modes !== void 0)
+        cache2["Modes"] = project.cache.modes;
+      result["Cache"] = cache2;
+    }
+    result["SecondarySources"] = (project.secondarySources ?? []).map((s) => {
+      const out = {};
+      if (s.type !== void 0)
+        out["Type"] = s.type;
+      if (s.location !== void 0)
+        out["Location"] = s.location;
+      if (s.buildspec !== void 0)
+        out["BuildSpec"] = s.buildspec;
+      if (s.gitCloneDepth !== void 0)
+        out["GitCloneDepth"] = s.gitCloneDepth;
+      if (s.insecureSsl !== void 0)
+        out["InsecureSsl"] = s.insecureSsl;
+      if (s.reportBuildStatus !== void 0)
+        out["ReportBuildStatus"] = s.reportBuildStatus;
+      if (s.sourceIdentifier !== void 0)
+        out["SourceIdentifier"] = s.sourceIdentifier;
+      return out;
+    });
+    result["SecondaryArtifacts"] = (project.secondaryArtifacts ?? []).map((a) => {
+      const out = {};
+      if (a.type !== void 0)
+        out["Type"] = a.type;
+      if (a.location !== void 0)
+        out["Location"] = a.location;
+      if (a.path !== void 0)
+        out["Path"] = a.path;
+      if (a.name !== void 0)
+        out["Name"] = a.name;
+      if (a.namespaceType !== void 0)
+        out["NamespaceType"] = a.namespaceType;
+      if (a.packaging !== void 0)
+        out["Packaging"] = a.packaging;
+      if (a.encryptionDisabled !== void 0)
+        out["EncryptionDisabled"] = a.encryptionDisabled;
+      if (a.overrideArtifactName !== void 0) {
+        out["OverrideArtifactName"] = a.overrideArtifactName;
+      }
+      if (a.artifactIdentifier !== void 0)
+        out["ArtifactIdentifier"] = a.artifactIdentifier;
+      return out;
+    });
+    result["SecondarySourceVersions"] = (project.secondarySourceVersions ?? []).map((v) => {
+      const out = {};
+      if (v.sourceIdentifier !== void 0)
+        out["SourceIdentifier"] = v.sourceIdentifier;
+      if (v.sourceVersion !== void 0)
+        out["SourceVersion"] = v.sourceVersion;
+      return out;
+    });
+    result["FileSystemLocations"] = (project.fileSystemLocations ?? []).map((f) => {
+      const out = {};
+      if (f.type !== void 0)
+        out["Type"] = f.type;
+      if (f.location !== void 0)
+        out["Location"] = f.location;
+      if (f.mountPoint !== void 0)
+        out["MountPoint"] = f.mountPoint;
+      if (f.identifier !== void 0)
+        out["Identifier"] = f.identifier;
+      if (f.mountOptions !== void 0)
+        out["MountOptions"] = f.mountOptions;
+      return out;
+    });
+    if (project.buildBatchConfig) {
+      const bbc = {};
+      if (project.buildBatchConfig.serviceRole !== void 0) {
+        bbc["ServiceRole"] = project.buildBatchConfig.serviceRole;
+      }
+      if (project.buildBatchConfig.restrictions !== void 0) {
+        const r = {};
+        if (project.buildBatchConfig.restrictions.maximumBuildsAllowed !== void 0) {
+          r["MaximumBuildsAllowed"] = project.buildBatchConfig.restrictions.maximumBuildsAllowed;
+        }
+        if (project.buildBatchConfig.restrictions.computeTypesAllowed !== void 0) {
+          r["ComputeTypesAllowed"] = project.buildBatchConfig.restrictions.computeTypesAllowed;
+        }
+        bbc["Restrictions"] = r;
+      }
+      if (project.buildBatchConfig.timeoutInMins !== void 0) {
+        bbc["TimeoutInMins"] = project.buildBatchConfig.timeoutInMins;
+      }
+      if (project.buildBatchConfig.batchReportMode !== void 0) {
+        bbc["BatchReportMode"] = project.buildBatchConfig.batchReportMode;
+      }
+      if (project.buildBatchConfig.combineArtifacts !== void 0) {
+        bbc["CombineArtifacts"] = project.buildBatchConfig.combineArtifacts;
+      }
+      result["BuildBatchConfig"] = bbc;
+    } else {
+      result["BuildBatchConfig"] = {};
+    }
+    result["ResourceAccessRole"] = project.resourceAccessRole ?? "";
     const tags = normalizeAwsTagsToCfn(project.tags);
     result["Tags"] = tags;
     return result;
@@ -43979,7 +44482,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.2");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());