@go-to-k/cdkd 0.51.0 → 0.51.2

package/dist/index.js

@@ -7636,6 +7636,7 @@ import {
   UpdateAssumeRolePolicyCommand,
   DeleteRoleCommand,
   GetRoleCommand,
+  GetRolePolicyCommand,
   PutRolePolicyCommand,
   DeleteRolePolicyCommand,
   ListRolePoliciesCommand,
@@ -8248,8 +8249,14 @@ var IAMRoleProvider = class {
    * against state's already-parsed object.
    *
    * Coverage and shape decisions:
-   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path`,
-   *    `PermissionsBoundary` — straight from `Role.*`.
+   *  - `RoleName`, `Description`, `MaxSessionDuration`, `Path` — straight
+   *    from `Role.*`.
+   *  - `PermissionsBoundary` — emitted as `'' ` placeholder when AWS has
+   *    none, so a console-side ADD on a role that was deployed without a
+   *    boundary surfaces as drift. (The drift comparator's top-level walk
+   *    is state-keys-only; without the always-emit placeholder a fresh
+   *    `PermissionsBoundary` on the AWS side would never enter
+   *    `observedProperties` and the comparator would silently ignore it.)
    *  - `AssumeRolePolicyDocument` — `Role.AssumeRolePolicyDocument` is a
    *    URL-encoded JSON string; we URL-decode + JSON-parse so cdkd state's
    *    object form compares cleanly. (Both shapes — string and object — are
@@ -8257,20 +8264,23 @@ var IAMRoleProvider = class {
    *    after intrinsic resolution.)
    *  - `ManagedPolicyArns` — array of ARN strings from
    *    `ListAttachedRolePolicies`.
-   *  - `Policies` (inline policies with `PolicyDocument` bodies) is
-   *    intentionally omitted: surfacing names without bodies guarantees a
-   *    PolicyDocument-shaped drift on every role, and fetching every body
-   *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
-   *    v1 — drift detection on inline IAM policy bodies can ship in a
-   *    follow-up.
+   *  - `Policies` — inline policies surfaced as `[{PolicyName, PolicyDocument}]`.
+   *    `ListRolePolicies` for names + `GetRolePolicy` per name for the
+   *    body (URL-decoded + JSON-parsed). Ordering is reconciled against
+   *    state's `Policies` array (when supplied via the `properties`
+   *    parameter) so a state-vs-AWS positional compare doesn't fire false
+   *    drift purely from `ListRolePolicies` returning lexicographic order;
+   *    AWS-only policies (added via console) are appended at the end so
+   *    they still surface as drift via length / content mismatch.
    *  - `Tags` is surfaced via `ListRoleTags` (paginated). CDK's `aws:*`
    *    auto-tags are filtered out by `normalizeAwsTagsToCfn` so they don't
-   *    fire false-positive drift; the result key is omitted entirely when
-   *    AWS reports no user tags (matches `create()`'s behavior).
+   *    fire false-positive drift; always emitted (even when empty) so a
+   *    console-side tag ADD on an originally-untagged role surfaces as
+   *    drift on the v3 observedProperties baseline.
    *
    * Returns `undefined` when the role is gone (`NoSuchEntityException`).
    */
-  async readCurrentState(physicalId, _logicalId, _resourceType) {
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
     let role;
     try {
       const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
@@ -8291,9 +8301,7 @@ var IAMRoleProvider = class {
     }
     if (role.Path !== void 0)
       result["Path"] = role.Path;
-    if (role.PermissionsBoundary?.PermissionsBoundaryArn !== void 0) {
-      result["PermissionsBoundary"] = role.PermissionsBoundary.PermissionsBoundaryArn;
-    }
+    result["PermissionsBoundary"] = role.PermissionsBoundary?.PermissionsBoundaryArn ?? "";
     if (role.AssumeRolePolicyDocument) {
       try {
         result["AssumeRolePolicyDocument"] = JSON.parse(
@@ -8313,6 +8321,59 @@ var IAMRoleProvider = class {
       if (!(err instanceof NoSuchEntityException))
         throw err;
     }
+    try {
+      const policyNames = [];
+      let policyMarker;
+      while (true) {
+        const listResp = await this.iamClient.send(
+          new ListRolePoliciesCommand({
+            RoleName: physicalId,
+            ...policyMarker ? { Marker: policyMarker } : {}
+          })
+        );
+        for (const name of listResp.PolicyNames ?? [])
+          policyNames.push(name);
+        if (!listResp.IsTruncated)
+          break;
+        policyMarker = listResp.Marker;
+      }
+      const bodies = /* @__PURE__ */ new Map();
+      await Promise.all(
+        policyNames.map(async (name) => {
+          const resp = await this.iamClient.send(
+            new GetRolePolicyCommand({ RoleName: physicalId, PolicyName: name })
+          );
+          if (!resp.PolicyDocument)
+            return;
+          let parsed;
+          try {
+            parsed = JSON.parse(decodeURIComponent(resp.PolicyDocument));
+          } catch {
+            parsed = resp.PolicyDocument;
+          }
+          bodies.set(name, parsed);
+        })
+      );
+      const statePolicies = properties?.["Policies"] ?? [];
+      const remaining = new Set(bodies.keys());
+      const inline = [];
+      for (const sp of statePolicies) {
+        const name = sp?.PolicyName;
+        if (typeof name !== "string")
+          continue;
+        if (bodies.has(name)) {
+          inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+          remaining.delete(name);
+        }
+      }
+      for (const name of [...remaining].sort()) {
+        inline.push({ PolicyName: name, PolicyDocument: bodies.get(name) });
+      }
+      result["Policies"] = inline;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
     try {
       const collected = [];
       let marker;
@@ -8340,18 +8401,6 @@ var IAMRoleProvider = class {
     }
     return result;
   }
-  /**
-   * `Policies` (inline policy bodies) are intentionally omitted from
-   * `readCurrentState`: surfacing the names without bodies would
-   * guarantee a `PolicyDocument`-shaped drift on every role, and
-   * fetching every body costs one extra `GetRolePolicy` per inline
-   * policy. Tell the drift comparator to skip the whole subtree until a
-   * dedicated PR adds proper inline-policy drift via per-name
-   * `GetRolePolicy`.
-   */
-  getDriftUnknownPaths() {
-    return ["Policies"];
-  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *