npm - @go-to-k/cdkd - Versions diffs - 0.51.2 → 0.51.4 - Mend

@go-to-k/cdkd 0.51.2 → 0.51.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.js +248 -20
package/dist/cli.js.map +2 -2
package/dist/go-to-k-cdkd-0.51.4.tgz +0 -0
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.51.2.tgz +0 -0

package/dist/cli.js CHANGED Viewed

@@ -21733,10 +21733,21 @@ var EC2Provider = class {
    *    `AllocationId`, `ConnectivityType`, `PrivateIpAddress`.
    *  - **AWS::EC2::RouteTable**: `DescribeRouteTables` for `VpcId`.
    *  - **AWS::EC2::SecurityGroup**: `DescribeSecurityGroups` for
-   *    `GroupName`, `GroupDescription`, `VpcId`. Ingress / egress rules
-   *    are NOT surfaced — the CFn shape is rule-list-style, while AWS
-   *    returns IpPermissions in a different normalized form, and a
-   *    faithful reverse-mapping is out of scope for v1.
+   *    `GroupName`, `GroupDescription`, `VpcId`, plus `SecurityGroupIngress`
+   *    and `SecurityGroupEgress` reverse-mapped from AWS's normalized
+   *    `IpPermissions[]` / `IpPermissionsEgress[]` form. Each AWS
+   *    `IpPermission` is flattened into one CFn rule per `IpRanges` /
+   *    `Ipv6Ranges` / `UserIdGroupPairs` / `PrefixListIds` entry; field
+   *    names follow CFn direction conventions (`Source*` for ingress,
+   *    `Destination*` for egress). When state templates ingress/egress
+   *    rules, AWS's response is reordered to match state's positional
+   *    order via `reconcileSgRules` so the comparator's array compare
+   *    doesn't fire false drift on AWS's normalized ordering. The
+   *    AWS-auto-attached "allow-all 0.0.0.0/0" egress rule is filtered
+   *    out of `SecurityGroupEgress` when state did not template egress
+   *    (the auto-default is invisible to drift). Both arrays are
+   *    always emitted (even as `[]`) so the v3 `observedProperties`
+   *    baseline catches console-side rule ADDs to a templated SG.
    *  - **AWS::EC2::Instance**: `DescribeInstances` for `ImageId`,
    *    `InstanceType`, `KeyName`, `SubnetId`. SecurityGroupIds /
    *    BlockDeviceMappings shape-match is out of scope for v1.
@@ -21761,7 +21772,7 @@ var EC2Provider = class {
    * Returns `undefined` when the resource is gone (any `*NotFound` /
    * `Invalid*` error from the EC2 SDK matches `isNotFoundError`).
    */
-  async readCurrentState(physicalId, logicalId, resourceType) {
+  async readCurrentState(physicalId, logicalId, resourceType, properties) {
     try {
       switch (resourceType) {
         case "AWS::EC2::VPC":
@@ -21775,7 +21786,7 @@ var EC2Provider = class {
         case "AWS::EC2::RouteTable":
           return await this.readRouteTableCurrentState(physicalId);
         case "AWS::EC2::SecurityGroup":
-          return await this.readSecurityGroupCurrentState(physicalId);
+          return await this.readSecurityGroupCurrentState(physicalId, properties);
         case "AWS::EC2::Instance":
           return await this.readInstanceCurrentState(physicalId);
         case "AWS::EC2::NetworkAcl":
@@ -21884,7 +21895,7 @@ var EC2Provider = class {
       result["VpcId"] = rt.VpcId;
     return result;
   }
-  async readSecurityGroupCurrentState(physicalId) {
+  async readSecurityGroupCurrentState(physicalId, properties) {
     const resp = await this.ec2Client.send(
       new DescribeSecurityGroupsCommand2({ GroupIds: [physicalId] })
     );
@@ -21898,6 +21909,15 @@ var EC2Provider = class {
       result["GroupDescription"] = sg.Description;
     if (sg.VpcId !== void 0)
       result["VpcId"] = sg.VpcId;
+    const stateIngress = Array.isArray(properties?.["SecurityGroupIngress"]) ? properties["SecurityGroupIngress"] : void 0;
+    const ingressRules = flattenIpPermissions(sg.IpPermissions ?? [], "ingress");
+    result["SecurityGroupIngress"] = reconcileSgRules(ingressRules, stateIngress, "ingress");
+    const stateEgress = Array.isArray(properties?.["SecurityGroupEgress"]) ? properties["SecurityGroupEgress"] : void 0;
+    let egressRules = flattenIpPermissions(sg.IpPermissionsEgress ?? [], "egress");
+    if (stateEgress === void 0) {
+      egressRules = egressRules.filter((r) => !isDefaultEgressRule(r));
+    }
+    result["SecurityGroupEgress"] = reconcileSgRules(egressRules, stateEgress, "egress");
     return result;
   }
   async readInstanceCurrentState(physicalId) {
@@ -21967,6 +21987,115 @@ var EC2Provider = class {
     }
   }
 };
+function flattenIpPermissions(perms, direction) {
+  const out = [];
+  for (const p of perms) {
+    const base = {};
+    if (p.IpProtocol !== void 0)
+      base["IpProtocol"] = p.IpProtocol;
+    if (p.FromPort !== void 0)
+      base["FromPort"] = p.FromPort;
+    if (p.ToPort !== void 0)
+      base["ToPort"] = p.ToPort;
+    for (const ip of p.IpRanges ?? []) {
+      const rule = { ...base };
+      if (ip.CidrIp !== void 0)
+        rule["CidrIp"] = ip.CidrIp;
+      if (ip.Description !== void 0)
+        rule["Description"] = ip.Description;
+      out.push(rule);
+    }
+    for (const ipv6 of p.Ipv6Ranges ?? []) {
+      const rule = { ...base };
+      if (ipv6.CidrIpv6 !== void 0)
+        rule["CidrIpv6"] = ipv6.CidrIpv6;
+      if (ipv6.Description !== void 0)
+        rule["Description"] = ipv6.Description;
+      out.push(rule);
+    }
+    for (const grp of p.UserIdGroupPairs ?? []) {
+      const rule = { ...base };
+      if (direction === "ingress") {
+        if (grp.GroupId !== void 0)
+          rule["SourceSecurityGroupId"] = grp.GroupId;
+        if (grp.UserId !== void 0)
+          rule["SourceSecurityGroupOwnerId"] = grp.UserId;
+      } else {
+        if (grp.GroupId !== void 0)
+          rule["DestinationSecurityGroupId"] = grp.GroupId;
+      }
+      if (grp.Description !== void 0)
+        rule["Description"] = grp.Description;
+      out.push(rule);
+    }
+    for (const pl of p.PrefixListIds ?? []) {
+      const rule = { ...base };
+      if (direction === "ingress") {
+        if (pl.PrefixListId !== void 0)
+          rule["SourcePrefixListId"] = pl.PrefixListId;
+      } else {
+        if (pl.PrefixListId !== void 0)
+          rule["DestinationPrefixListId"] = pl.PrefixListId;
+      }
+      if (pl.Description !== void 0)
+        rule["Description"] = pl.Description;
+      out.push(rule);
+    }
+    if ((p.IpRanges?.length ?? 0) === 0 && (p.Ipv6Ranges?.length ?? 0) === 0 && (p.UserIdGroupPairs?.length ?? 0) === 0 && (p.PrefixListIds?.length ?? 0) === 0) {
+      out.push({ ...base });
+    }
+  }
+  return out;
+}
+function sgRuleKey(rule, direction) {
+  const peerKey = direction === "egress" ? rule["DestinationSecurityGroupId"] : rule["SourceSecurityGroupId"];
+  const prefixKey = direction === "egress" ? rule["DestinationPrefixListId"] : rule["SourcePrefixListId"];
+  const peerOwner = direction === "ingress" ? rule["SourceSecurityGroupOwnerId"] : void 0;
+  return JSON.stringify({
+    p: rule["IpProtocol"] ?? "-1",
+    f: rule["FromPort"] ?? null,
+    t: rule["ToPort"] ?? null,
+    c4: rule["CidrIp"] ?? null,
+    c6: rule["CidrIpv6"] ?? null,
+    peer: peerKey ?? null,
+    peerOwner: peerOwner ?? null,
+    pl: prefixKey ?? null,
+    d: rule["Description"] ?? null
+  });
+}
+function reconcileSgRules(awsRules, stateRules, direction) {
+  if (!stateRules || stateRules.length === 0)
+    return awsRules;
+  const remaining = [...awsRules];
+  const reordered = [];
+  for (const sr of stateRules) {
+    const key = sgRuleKey(sr, direction);
+    const idx = remaining.findIndex((ar) => sgRuleKey(ar, direction) === key);
+    if (idx >= 0) {
+      reordered.push(remaining.splice(idx, 1)[0]);
+    }
+  }
+  return [...reordered, ...remaining];
+}
+function isDefaultEgressRule(rule) {
+  if (rule["IpProtocol"] !== "-1")
+    return false;
+  if (rule["CidrIp"] !== "0.0.0.0/0")
+    return false;
+  if (rule["CidrIpv6"] !== void 0)
+    return false;
+  if (rule["DestinationSecurityGroupId"] !== void 0)
+    return false;
+  if (rule["DestinationPrefixListId"] !== void 0)
+    return false;
+  if (rule["Description"] !== void 0)
+    return false;
+  if (rule["FromPort"] !== void 0 && rule["FromPort"] !== -1)
+    return false;
+  if (rule["ToPort"] !== void 0 && rule["ToPort"] !== -1)
+    return false;
+  return true;
+}
 // src/provisioning/providers/apigateway-provider.ts
 import {
@@ -35218,20 +35347,26 @@ var FirehoseProvider = class {
    * `KinesisStreamSourceConfiguration` parent fields when present (the
    * `DescribeDeliveryStream` response splits source under `Source.KinesisStreamSourceDescription`).
    *
-   * Destination configurations (`*DestinationConfiguration` in CFn vs.
-   * `*DestinationDescription` in `DescribeDeliveryStream`) are intentionally
-   * not re-shaped here. Their nested fields are large and the description
-   * vs. configuration shape divergence (extra metadata, write-only fields
-   * like `Password` redacted) makes a clean comparator surface impossible
-   * for v1. We do surface the destination *kind* under a stable key so
-   * users at least see destination drift across types, but not the inner
-   * fields. Drift on destination contents is best chased manually via
-   * `aws firehose describe-delivery-stream` for now.
+   * **Destination configurations**: partial coverage. AWS returns destination
+   * config under `Destinations[0].*DestinationDescription` (note:
+   * `Description`, not `Configuration`). For S3 / ExtendedS3 destinations
+   * the top-level fields with a clean reverse-mapping are surfaced —
+   * `BucketARN`, `RoleARN`, `Prefix`, `ErrorOutputPrefix`, `BufferingHints`,
+   * `CompressionFormat`, plus `S3BackupMode` for Extended. Inner nested
+   * fields (`EncryptionConfiguration`, `CloudWatchLoggingOptions`,
+   * `ProcessingConfiguration`, `DataFormatConversionConfiguration`,
+   * `DynamicPartitioningConfiguration`, `S3BackupConfiguration`) are not
+   * re-shaped — AWS auto-defaults / extra-metadata / write-only redaction
+   * (`Password`) make the round-trip unsafe; they're declared via
+   * `getDriftUnknownPaths()` so the comparator skips them instead of firing
+   * false drift. Non-S3 destination types
+   * (`Redshift`/`Elasticsearch`/`Amazonopensearchservice`/`Splunk`/`HttpEndpoint`/`AmazonOpenSearchServerless`)
+   * stay drift-unknown for v1 — same shape-divergence problem at scale.
+   * `DeliveryStreamEncryptionConfigurationInput` also drift-unknown.
    *
    * Tags are surfaced via a follow-up `ListTagsForDeliveryStream` call
-   * with `aws:*` filtered out and the result key omitted when empty.
-   * `DeliveryStreamEncryptionConfigurationInput` is still skipped (shape
-   * decision deferred).
+   * with `aws:*` filtered out and always emitted as `[]` placeholder when
+   * no user tags remain.
    *
    * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
    */
@@ -35267,6 +35402,60 @@ var FirehoseProvider = class {
         result["KinesisStreamSourceConfiguration"] = srcOut;
       }
     }
+    const dest = desc.Destinations?.[0];
+    if (dest?.ExtendedS3DestinationDescription) {
+      const ext = dest.ExtendedS3DestinationDescription;
+      const out = {};
+      if (ext.BucketARN !== void 0)
+        out["BucketARN"] = ext.BucketARN;
+      if (ext.RoleARN !== void 0)
+        out["RoleARN"] = ext.RoleARN;
+      if (ext.Prefix !== void 0)
+        out["Prefix"] = ext.Prefix;
+      if (ext.ErrorOutputPrefix !== void 0)
+        out["ErrorOutputPrefix"] = ext.ErrorOutputPrefix;
+      if (ext.CompressionFormat !== void 0)
+        out["CompressionFormat"] = ext.CompressionFormat;
+      if (ext.BufferingHints) {
+        const hints = {};
+        if (ext.BufferingHints.SizeInMBs !== void 0)
+          hints["SizeInMBs"] = ext.BufferingHints.SizeInMBs;
+        if (ext.BufferingHints.IntervalInSeconds !== void 0)
+          hints["IntervalInSeconds"] = ext.BufferingHints.IntervalInSeconds;
+        if (Object.keys(hints).length > 0)
+          out["BufferingHints"] = hints;
+      }
+      if (ext.S3BackupMode !== void 0)
+        out["S3BackupMode"] = ext.S3BackupMode;
+      if (Object.keys(out).length > 0) {
+        result["ExtendedS3DestinationConfiguration"] = out;
+      }
+    } else if (dest?.S3DestinationDescription) {
+      const s3 = dest.S3DestinationDescription;
+      const out = {};
+      if (s3.BucketARN !== void 0)
+        out["BucketARN"] = s3.BucketARN;
+      if (s3.RoleARN !== void 0)
+        out["RoleARN"] = s3.RoleARN;
+      if (s3.Prefix !== void 0)
+        out["Prefix"] = s3.Prefix;
+      if (s3.ErrorOutputPrefix !== void 0)
+        out["ErrorOutputPrefix"] = s3.ErrorOutputPrefix;
+      if (s3.CompressionFormat !== void 0)
+        out["CompressionFormat"] = s3.CompressionFormat;
+      if (s3.BufferingHints) {
+        const hints = {};
+        if (s3.BufferingHints.SizeInMBs !== void 0)
+          hints["SizeInMBs"] = s3.BufferingHints.SizeInMBs;
+        if (s3.BufferingHints.IntervalInSeconds !== void 0)
+          hints["IntervalInSeconds"] = s3.BufferingHints.IntervalInSeconds;
+        if (Object.keys(hints).length > 0)
+          out["BufferingHints"] = hints;
+      }
+      if (Object.keys(out).length > 0) {
+        result["S3DestinationConfiguration"] = out;
+      }
+    }
     try {
       const tagsResp = await this.getClient().send(
         new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: physicalId })
@@ -35282,6 +35471,45 @@ var FirehoseProvider = class {
     }
     return result;
   }
+  /**
+   * Drift-unknown paths for `AWS::KinesisFirehose::DeliveryStream`.
+   *
+   * The drift comparator skips these state property paths so they never
+   * fire false-positive drift on every run. See the `readCurrentState`
+   * docstring for the full rationale per category.
+   *
+   * Categories:
+   *  - Inner nested fields under S3 / ExtendedS3 destinations: shape
+   *    divergence between `Configuration` (CFn input) and `Description`
+   *    (AWS read), AWS auto-defaults, write-only fields.
+   *  - Non-S3 destination types: same shape-divergence problem at scale,
+   *    deferred to a follow-up.
+   *  - `DeliveryStreamEncryptionConfigurationInput`: input-only shape
+   *    (`KeyARN` + `KeyType`) vs. read-side `DeliveryStreamEncryptionConfiguration`
+   *    (extra status / failure fields); not yet round-tripped.
+   */
+  getDriftUnknownPaths() {
+    return [
+      // S3 / ExtendedS3 nested fields with shape divergence
+      "S3DestinationConfiguration.EncryptionConfiguration",
+      "S3DestinationConfiguration.CloudWatchLoggingOptions",
+      "ExtendedS3DestinationConfiguration.EncryptionConfiguration",
+      "ExtendedS3DestinationConfiguration.CloudWatchLoggingOptions",
+      "ExtendedS3DestinationConfiguration.ProcessingConfiguration",
+      "ExtendedS3DestinationConfiguration.DataFormatConversionConfiguration",
+      "ExtendedS3DestinationConfiguration.DynamicPartitioningConfiguration",
+      "ExtendedS3DestinationConfiguration.S3BackupConfiguration",
+      // Non-S3 destinations (drift-unknown for v1)
+      "RedshiftDestinationConfiguration",
+      "ElasticsearchDestinationConfiguration",
+      "AmazonopensearchserviceDestinationConfiguration",
+      "SplunkDestinationConfiguration",
+      "HttpEndpointDestinationConfiguration",
+      "AmazonOpenSearchServerlessDestinationConfiguration",
+      // Encryption input shape (deferred)
+      "DeliveryStreamEncryptionConfigurationInput"
+    ];
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "DeliveryStreamName");
     if (explicit) {
@@ -44482,7 +44710,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.2");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.4");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());