@go-to-k/cdkd 0.51.10 → 0.53.0

package/dist/cli.js

@@ -17059,11 +17059,15 @@ var DynamoDBTableProvider = class {
 // src/provisioning/providers/logs-loggroup-provider.ts
 import {
   CreateLogGroupCommand,
+  DeleteIndexPolicyCommand,
   DeleteLogGroupCommand,
   DescribeIndexPoliciesCommand,
   DescribeLogGroupsCommand,
   GetDataProtectionPolicyCommand,
   ListTagsForResourceCommand as ListTagsForResourceCommand2,
+  PutBearerTokenAuthenticationCommand,
+  PutIndexPolicyCommand,
+  PutLogGroupDeletionProtectionCommand,
   PutRetentionPolicyCommand,
   DeleteRetentionPolicyCommand,
   TagResourceCommand as TagResourceCommand5,
@@ -17116,6 +17120,9 @@ var LogsLogGroupProvider = class {
       if (properties["LogGroupClass"]) {
         createParams.logGroupClass = properties["LogGroupClass"];
       }
+      if (properties["DeletionProtectionEnabled"] !== void 0) {
+        createParams.deletionProtectionEnabled = properties["DeletionProtectionEnabled"];
+      }
       if (properties["Tags"]) {
         const cfnTags = properties["Tags"];
         createParams.tags = Object.fromEntries(cfnTags.map((t) => [t.Key, t.Value]));
@@ -17139,6 +17146,30 @@ var LogsLogGroupProvider = class {
           })
         );
       }
+      const fieldIndexPolicies = properties["FieldIndexPolicies"];
+      if (fieldIndexPolicies && fieldIndexPolicies.length > 0) {
+        if (fieldIndexPolicies.length > 1) {
+          this.logger.debug(
+            `Log group ${logicalId} declares ${fieldIndexPolicies.length} FieldIndexPolicies; AWS only supports one log-group-level field index policy. Applying the first.`
+          );
+        }
+        const first = fieldIndexPolicies[0];
+        const policyDocument = typeof first === "string" ? first : JSON.stringify(first);
+        await this.logsClient.send(
+          new PutIndexPolicyCommand({
+            logGroupIdentifier: logGroupName,
+            policyDocument
+          })
+        );
+      }
+      if (properties["BearerTokenAuthenticationEnabled"] !== void 0) {
+        await this.logsClient.send(
+          new PutBearerTokenAuthenticationCommand({
+            logGroupIdentifier: logGroupName,
+            bearerTokenAuthenticationEnabled: properties["BearerTokenAuthenticationEnabled"]
+          })
+        );
+      }
       this.logger.debug(`Successfully created log group ${logicalId}: ${logGroupName}`);
       const arn = await this.buildArn(logGroupName);
       return {
@@ -17171,7 +17202,10 @@ var LogsLogGroupProvider = class {
   /**
    * Update a CloudWatch Logs log group
    *
-   * Only RetentionInDays can be updated. LogGroupName is immutable (requires replacement).
+   * Mutable: `RetentionInDays`, `DataProtectionPolicy`, `Tags`,
+   * `DeletionProtectionEnabled`, `BearerTokenAuthenticationEnabled`,
+   * `FieldIndexPolicies`. `LogGroupName` / `KmsKeyId` / `LogGroupClass`
+   * are immutable on AWS-side and require replacement.
    */
   async update(logicalId, physicalId, _resourceType, properties, previousProperties) {
     this.logger.debug(`Updating log group ${logicalId}: ${physicalId}`);
@@ -17210,6 +17244,70 @@ var LogsLogGroupProvider = class {
         );
       }
     }
+    if (properties["DeletionProtectionEnabled"] !== previousProperties["DeletionProtectionEnabled"]) {
+      const next = properties["DeletionProtectionEnabled"];
+      if (next !== void 0) {
+        await this.logsClient.send(
+          new PutLogGroupDeletionProtectionCommand({
+            logGroupIdentifier: physicalId,
+            deletionProtectionEnabled: next
+          })
+        );
+      } else {
+        await this.logsClient.send(
+          new PutLogGroupDeletionProtectionCommand({
+            logGroupIdentifier: physicalId,
+            deletionProtectionEnabled: false
+          })
+        );
+      }
+    }
+    if (properties["BearerTokenAuthenticationEnabled"] !== previousProperties["BearerTokenAuthenticationEnabled"]) {
+      const next = properties["BearerTokenAuthenticationEnabled"];
+      if (next !== void 0) {
+        await this.logsClient.send(
+          new PutBearerTokenAuthenticationCommand({
+            logGroupIdentifier: physicalId,
+            bearerTokenAuthenticationEnabled: next
+          })
+        );
+      } else {
+        await this.logsClient.send(
+          new PutBearerTokenAuthenticationCommand({
+            logGroupIdentifier: physicalId,
+            bearerTokenAuthenticationEnabled: false
+          })
+        );
+      }
+    }
+    const newFieldIndex = properties["FieldIndexPolicies"];
+    const oldFieldIndex = previousProperties["FieldIndexPolicies"];
+    if (JSON.stringify(newFieldIndex) !== JSON.stringify(oldFieldIndex)) {
+      if (newFieldIndex && newFieldIndex.length > 0) {
+        if (newFieldIndex.length > 1) {
+          this.logger.debug(
+            `Log group ${physicalId} declares ${newFieldIndex.length} FieldIndexPolicies; AWS only supports one log-group-level field index policy. Applying the first.`
+          );
+        }
+        const first = newFieldIndex[0];
+        const policyDocument = typeof first === "string" ? first : JSON.stringify(first);
+        await this.logsClient.send(
+          new PutIndexPolicyCommand({
+            logGroupIdentifier: physicalId,
+            policyDocument
+          })
+        );
+      } else {
+        try {
+          await this.logsClient.send(
+            new DeleteIndexPolicyCommand({ logGroupIdentifier: physicalId })
+          );
+        } catch (err) {
+          if (!(err instanceof ResourceNotFoundException7))
+            throw err;
+        }
+      }
+    }
     const newTags = properties["Tags"];
     const oldTags = previousProperties["Tags"];
     if (JSON.stringify(newTags) !== JSON.stringify(oldTags)) {
@@ -17326,14 +17424,15 @@ var LogsLogGroupProvider = class {
    * `AWS::Logs::ResourcePolicy` resource type — account-wide, not
    * per-log-group).
    *
-   * Known limitation: cdkd's `create()` / `update()` flows do NOT yet
-   * apply `FieldIndexPolicies` / `DeletionProtectionEnabled` /
-   * `BearerTokenAuthenticationEnabled` — they're in `handledProperties`
-   * to prevent CC API fallback but no actual `PutIndexPolicy` /
-   * `PutLogGroupDeletionProtection` / `PutBearerTokenAuthentication`
-   * calls fire. Surfacing these in `readCurrentState` means a user
-   * who templates them will see drift on the first run; a follow-up
-   * needs to wire the create/update flow.
+   * Write-side coverage: `FieldIndexPolicies` is applied via
+   * `PutIndexPolicy` (CloudWatch Logs allows at most one log-group-level
+   * field index policy at a time, so the CFn array is effectively 0-or-1
+   * — the first entry is applied and a debug log notes any additional
+   * entries are ignored). `DeletionProtectionEnabled` is forwarded as
+   * part of `CreateLogGroup` and updated via
+   * `PutLogGroupDeletionProtection`. `BearerTokenAuthenticationEnabled`
+   * is applied via `PutBearerTokenAuthentication` after the log group
+   * exists (it is not part of `CreateLogGroupRequest`).
    *
    * Tags are read via `ListTagsForResource` (using the log-group ARN from
    * the same `DescribeLogGroups` response). CDK's `aws:*` auto-tags are
@@ -31574,8 +31673,10 @@ var ElastiCacheProvider = class {
 import {
   ServiceDiscoveryClient,
   CreatePrivateDnsNamespaceCommand,
+  UpdatePrivateDnsNamespaceCommand,
   DeleteNamespaceCommand,
   CreateServiceCommand as CreateServiceCommand2,
+  UpdateServiceCommand as UpdateServiceCommand2,
   DeleteServiceCommand as DeleteServiceCommand2,
   GetNamespaceCommand,
   GetOperationCommand,
@@ -31637,12 +31738,18 @@ var ServiceDiscoveryProvider = class {
         );
     }
   }
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
+  update(logicalId, physicalId, resourceType, properties, previousProperties) {
     switch (resourceType) {
       case "AWS::ServiceDiscovery::PrivateDnsNamespace":
-        return this.updateNamespace(logicalId, physicalId);
+        return this.updateNamespace(logicalId, physicalId, resourceType, properties);
       case "AWS::ServiceDiscovery::Service":
-        return this.updateService(logicalId, physicalId);
+        return this.updateService(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -31725,14 +31832,66 @@ var ServiceDiscoveryProvider = class {
       );
     }
   }
-  updateNamespace(logicalId, _physicalId) {
-    return Promise.reject(
-      new ResourceUpdateNotSupportedError(
-        "AWS::ServiceDiscovery::PrivateDnsNamespace",
+  /**
+   * Update a private DNS namespace.
+   *
+   * AWS exposes `UpdatePrivateDnsNamespace` for two mutable surfaces:
+   *  - `Description`
+   *  - `Properties.DnsProperties.SOA.TTL`
+   *
+   * `Name` and `Vpc` are immutable; the deploy engine's
+   * replacement-detection layer routes those through DELETE+CREATE
+   * before this method is ever called, so we do not validate them here.
+   *
+   * Empty-string Description is intentionally allowed through (`!== undefined`
+   * gate, not truthy) so `cdkd drift --revert` can clear a console-side ADD.
+   */
+  async updateNamespace(logicalId, physicalId, resourceType, properties) {
+    this.logger.debug(`Updating private DNS namespace ${logicalId}: ${physicalId}`);
+    const client = this.getClient();
+    const namespaceChange = {};
+    if (properties["Description"] !== void 0) {
+      namespaceChange.Description = properties["Description"];
+    }
+    const propsBag = properties["Properties"];
+    const dnsProps = propsBag?.["DnsProperties"];
+    const soa = dnsProps?.["SOA"];
+    if (soa?.TTL !== void 0) {
+      namespaceChange.Properties = {
+        DnsProperties: {
+          SOA: { TTL: Number(soa.TTL) }
+        }
+      };
+    }
+    if (Object.keys(namespaceChange).length === 0) {
+      this.logger.debug(`No mutable diff for PrivateDnsNamespace ${logicalId}, skipping update`);
+      return { physicalId, wasReplaced: false };
+    }
+    try {
+      const response = await client.send(
+        new UpdatePrivateDnsNamespaceCommand({
+          Id: physicalId,
+          Namespace: namespaceChange
+        })
+      );
+      const operationId = response.OperationId;
+      if (operationId) {
+        await this.pollOperation(operationId, logicalId, resourceType);
+      }
+      this.logger.debug(`Successfully updated private DNS namespace ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update private DNS namespace ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
         logicalId,
-        "PrivateDnsNamespace updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-      )
-    );
+        physicalId,
+        cause
+      );
+    }
   }
   async deleteNamespace(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting private DNS namespace ${logicalId}: ${physicalId}`);
@@ -31827,14 +31986,69 @@ var ServiceDiscoveryProvider = class {
       );
     }
   }
-  updateService(logicalId, _physicalId) {
-    return Promise.reject(
-      new ResourceUpdateNotSupportedError(
-        "AWS::ServiceDiscovery::Service",
+  /**
+   * Update a service discovery service.
+   *
+   * Per AWS docs, `UpdateService` accepts a `ServiceChange` body with
+   * `Description`, `DnsConfig.DnsRecords` (TTLs etc. — `NamespaceId` /
+   * `RoutingPolicy` are not part of the change shape and are immutable
+   * here), and `HealthCheckConfig`. `Name` / `NamespaceId` /
+   * `HealthCheckCustomConfig` are immutable on UpdateService — the
+   * replacement-detection layer routes those through DELETE+CREATE.
+   *
+   * Per AWS docs, omitting `DnsRecords` / `HealthCheckConfig` from the
+   * request DELETES that configuration. To preserve fields cdkd is not
+   * actively reverting, we always echo the AWS-current value when the
+   * caller did not supply a change. `cdkd drift --revert` passes the
+   * full AWS-current snapshot as `properties`, so the round-trip is
+   * value-preserving.
+   */
+  async updateService(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    this.logger.debug(`Updating service discovery service ${logicalId}: ${physicalId}`);
+    const client = this.getClient();
+    const serviceChange = {};
+    if (properties["Description"] !== void 0) {
+      serviceChange.Description = properties["Description"];
+    }
+    const dnsConfig = properties["DnsConfig"];
+    if (dnsConfig?.DnsRecords !== void 0) {
+      const change = { DnsRecords: dnsConfig.DnsRecords };
+      serviceChange.DnsConfig = change;
+    }
+    if (properties["HealthCheckConfig"] !== void 0) {
+      serviceChange.HealthCheckConfig = properties["HealthCheckConfig"];
+    }
+    if (Object.keys(serviceChange).length === 0) {
+      this.logger.debug(
+        `No mutable diff for ServiceDiscovery Service ${logicalId}, skipping update`
+      );
+      return { physicalId, wasReplaced: false };
+    }
+    try {
+      const response = await client.send(
+        new UpdateServiceCommand2({
+          Id: physicalId,
+          Service: serviceChange
+        })
+      );
+      const operationId = response.OperationId;
+      if (operationId) {
+        await this.pollOperation(operationId, logicalId, resourceType);
+      }
+      this.logger.debug(`Successfully updated service discovery service ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update service discovery service ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
         logicalId,
-        "ServiceDiscovery Service updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-      )
-    );
+        physicalId,
+        cause
+      );
+    }
   }
   async deleteService(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting service discovery service ${logicalId}: ${physicalId}`);
@@ -32921,6 +33135,7 @@ var AppSyncProvider = class {
 import {
   GlueClient,
   CreateDatabaseCommand,
+  UpdateDatabaseCommand,
   DeleteDatabaseCommand,
   CreateTableCommand as CreateTableCommand2,
   UpdateTableCommand,
@@ -32967,11 +33182,7 @@ var GlueProvider = class {
   async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
     switch (resourceType) {
       case "AWS::Glue::Database":
-        throw new ResourceUpdateNotSupportedError(
-          resourceType,
-          logicalId,
-          "Glue Database updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-        );
+        return this.updateDatabase(logicalId, physicalId, resourceType, properties);
       case "AWS::Glue::Table":
         return this.updateTable(logicalId, physicalId, resourceType, properties);
       default:
@@ -33022,12 +33233,7 @@ var GlueProvider = class {
       await this.getClient().send(
         new CreateDatabaseCommand({
           CatalogId: catalogId,
-          DatabaseInput: {
-            Name: databaseName,
-            Description: databaseInput["Description"],
-            LocationUri: databaseInput["LocationUri"],
-            Parameters: databaseInput["Parameters"]
-          }
+          DatabaseInput: this.buildDatabaseInput(databaseInput, databaseName)
         })
       );
       this.logger.debug(`Successfully created Glue Database ${logicalId}: ${databaseName}`);
@@ -33046,6 +33252,42 @@ var GlueProvider = class {
       );
     }
   }
+  async updateDatabase(logicalId, physicalId, resourceType, properties) {
+    this.logger.debug(`Updating Glue Database ${logicalId}: ${physicalId}`);
+    const databaseInput = properties["DatabaseInput"];
+    if (!databaseInput) {
+      throw new ProvisioningError(
+        `DatabaseInput is required for Glue Database update ${logicalId}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    const catalogId = properties["CatalogId"];
+    try {
+      await this.getClient().send(
+        new UpdateDatabaseCommand({
+          ...catalogId !== void 0 && { CatalogId: catalogId },
+          Name: physicalId,
+          DatabaseInput: this.buildDatabaseInput(databaseInput, physicalId)
+        })
+      );
+      this.logger.debug(`Successfully updated Glue Database ${logicalId}`);
+      return {
+        physicalId,
+        wasReplaced: false
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Glue Database ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
   async deleteDatabase(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Glue Database ${logicalId}: ${physicalId}`);
     try {
@@ -33217,6 +33459,31 @@ var GlueProvider = class {
     }
   }
   // ─── Helpers ───────────────────────────────────────────────────────
+  /**
+   * Build DatabaseInput for Glue API from CFn template properties.
+   *
+   * Used by both `createDatabase` and `updateDatabase` so the same
+   * field-by-field shape is sent on both paths. Optional fields use
+   * `!== undefined` gates (per `feedback_update_optional_field_undefined_check.md`)
+   * so empty-string Description, empty Parameters map, etc. reach AWS
+   * intact — `cdkd drift --revert` relies on this to clear console-side
+   * additions.
+   */
+  buildDatabaseInput(databaseInput, fallbackName) {
+    const result = {
+      Name: databaseInput["Name"] ?? fallbackName
+    };
+    if (databaseInput["Description"] !== void 0) {
+      result.Description = databaseInput["Description"];
+    }
+    if (databaseInput["LocationUri"] !== void 0) {
+      result.LocationUri = databaseInput["LocationUri"];
+    }
+    if (databaseInput["Parameters"] !== void 0) {
+      result.Parameters = databaseInput["Parameters"];
+    }
+    return result;
+  }
   /**
    * Build TableInput for Glue API from CFn template properties
    */
@@ -33991,10 +34258,10 @@ var KMSProvider = class {
    * Dispatches by resource type:
    *   - `AWS::KMS::Key` → `DescribeKey`. Surfaces `Description`, `KeySpec`,
    *     `KeyUsage`, `Enabled`, `MultiRegion`, `Origin`. `KeyPolicy` is
-   *     intentionally NOT retrieved — `GetKeyPolicy` is a separate call
-   *     and the policy body needs JSON parsing for comparison; deferred
-   *     to a follow-up. `EnableKeyRotation` / `RotationPeriodInDays`
-   *     would require `GetKeyRotationStatus`; also deferred.
+   *     additionally retrieved via `GetKeyPolicy` (URL-decoded JSON-parsed)
+   *     and `EnableKeyRotation` / `RotationPeriodInDays` via
+   *     `GetKeyRotationStatus` (Class 1 discriminator-gated on `KeySpec`
+   *     since asymmetric keys reject the call).
    *   - `AWS::KMS::Alias` → `ListAliases` filtered to the alias name.
    *     Surfaces `AliasName`, `TargetKeyId`. `ListAliases` is paginated
    *     since there's no direct "describe one alias" API.
@@ -34682,10 +34949,12 @@ var KinesisStreamProvider = class {
 import {
   EFSClient,
   CreateFileSystemCommand,
+  UpdateFileSystemCommand,
   DeleteFileSystemCommand,
   CreateMountTargetCommand,
   DeleteMountTargetCommand,
   DescribeMountTargetsCommand,
+  ModifyMountTargetSecurityGroupsCommand,
   CreateAccessPointCommand,
   DeleteAccessPointCommand,
   DescribeFileSystemsCommand,
@@ -34743,29 +35012,122 @@ var EFSProvider = class {
     }
   }
   /**
-   * EFS resources are treated as immutable by cdkd's `update()`. The deploy
-   * engine recreates them on property changes via immutable-property
-   * detection. (AWS does expose `UpdateFileSystem` for ThroughputMode and
-   * `ModifyMountTargetSecurityGroups` for mount-target SGs — those are
-   * deferred to a follow-up PR.) `cdkd drift --revert` surfaces a clear
-   * "use --replace or re-deploy" message instead of silently no-op'ing.
+   * Mutable surfaces by resource type:
+   *  - `AWS::EFS::FileSystem` → `UpdateFileSystem` (ThroughputMode,
+   *    ProvisionedThroughputInMibps). Other property changes
+   *    (Encrypted / KmsKeyId / PerformanceMode / etc.) are routed
+   *    through DELETE+CREATE by the replacement-detection layer; if a
+   *    diff somehow includes them, defensively reject.
+   *  - `AWS::EFS::MountTarget` → `ModifyMountTargetSecurityGroups`
+   *    (SecurityGroups only). IpAddress / SubnetId / FileSystemId are
+   *    immutable.
+   *  - `AWS::EFS::AccessPoint` → no mutable surface; AWS recreates on
+   *    every change. Reject so `cdkd drift --revert` surfaces a clear
+   *    "use --replace" hint.
    */
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    if (resourceType !== "AWS::EFS::FileSystem" && resourceType !== "AWS::EFS::MountTarget" && resourceType !== "AWS::EFS::AccessPoint") {
+  update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    switch (resourceType) {
+      case "AWS::EFS::FileSystem":
+        return this.updateFileSystem(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      case "AWS::EFS::MountTarget":
+        return this.updateMountTarget(logicalId, physicalId, resourceType, properties);
+      case "AWS::EFS::AccessPoint":
+        return Promise.reject(
+          new ResourceUpdateNotSupportedError(
+            resourceType,
+            logicalId,
+            "EFS AccessPoint is recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+          )
+        );
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+    }
+  }
+  async updateFileSystem(logicalId, physicalId, resourceType, properties, previousProperties) {
+    const immutableKeys = ["Encrypted", "KmsKeyId", "PerformanceMode"];
+    for (const key of immutableKeys) {
+      const next = properties[key];
+      const prev = previousProperties[key];
+      if (next !== void 0 && prev !== void 0 && JSON.stringify(next) !== JSON.stringify(prev)) {
+        throw new ResourceUpdateNotSupportedError(
+          resourceType,
+          logicalId,
+          `EFS FileSystem ${key} is immutable; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack`
+        );
+      }
+    }
+    const newThroughputMode = properties["ThroughputMode"];
+    const newProvisioned = properties["ProvisionedThroughputInMibps"];
+    const oldThroughputMode = previousProperties["ThroughputMode"];
+    const oldProvisioned = previousProperties["ProvisionedThroughputInMibps"];
+    const throughputModeChanged = newThroughputMode !== void 0 && newThroughputMode !== oldThroughputMode;
+    const provisionedChanged = newProvisioned !== void 0 && newProvisioned !== oldProvisioned;
+    if (!throughputModeChanged && !provisionedChanged) {
+      this.logger.debug(`No mutable diff for EFS FileSystem ${logicalId}, skipping update`);
+      return { physicalId, wasReplaced: false };
+    }
+    this.logger.debug(`Updating EFS FileSystem ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(
+        new UpdateFileSystemCommand({
+          FileSystemId: physicalId,
+          ...throughputModeChanged && { ThroughputMode: newThroughputMode },
+          ...provisionedChanged && { ProvisionedThroughputInMibps: newProvisioned }
+        })
+      );
+      await this.waitForFileSystemAvailable(physicalId, logicalId, resourceType);
+      this.logger.debug(`Successfully updated EFS FileSystem ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Unsupported resource type: ${resourceType}`,
+        `Failed to update EFS FileSystem ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
-        physicalId
+        physicalId,
+        cause
       );
     }
-    return Promise.reject(
-      new ResourceUpdateNotSupportedError(
+  }
+  async updateMountTarget(logicalId, physicalId, resourceType, properties) {
+    this.logger.debug(`Updating EFS MountTarget ${logicalId}: ${physicalId}`);
+    const securityGroups = properties["SecurityGroups"];
+    if (securityGroups === void 0) {
+      this.logger.debug(`No mutable diff for EFS MountTarget ${logicalId}, skipping update`);
+      return { physicalId, wasReplaced: false };
+    }
+    try {
+      await this.getClient().send(
+        new ModifyMountTargetSecurityGroupsCommand({
+          MountTargetId: physicalId,
+          SecurityGroups: securityGroups
+        })
+      );
+      this.logger.debug(`Successfully updated EFS MountTarget ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update EFS MountTarget ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
-        "EFS resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-      )
-    );
+        physicalId,
+        cause
+      );
+    }
   }
   async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
@@ -45240,7 +45602,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.10");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.53.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());