@go-to-k/cdkd 0.51.3 → 0.51.5

package/dist/cli.js

@@ -19470,7 +19470,8 @@ import {
   ReplaceNetworkAclAssociationCommand,
   DescribeNetworkAclsCommand,
   DescribeNetworkInterfacesCommand as DescribeNetworkInterfacesCommand2,
-  DeleteNetworkInterfaceCommand as DeleteNetworkInterfaceCommand2
+  DeleteNetworkInterfaceCommand as DeleteNetworkInterfaceCommand2,
+  DescribeVolumesCommand
 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var EC2Provider = class {
@@ -21733,13 +21734,39 @@ var EC2Provider = class {
    *    `AllocationId`, `ConnectivityType`, `PrivateIpAddress`.
    *  - **AWS::EC2::RouteTable**: `DescribeRouteTables` for `VpcId`.
    *  - **AWS::EC2::SecurityGroup**: `DescribeSecurityGroups` for
-   *    `GroupName`, `GroupDescription`, `VpcId`. Ingress / egress rules
-   *    are NOT surfaced — the CFn shape is rule-list-style, while AWS
-   *    returns IpPermissions in a different normalized form, and a
-   *    faithful reverse-mapping is out of scope for v1.
+   *    `GroupName`, `GroupDescription`, `VpcId`, plus `SecurityGroupIngress`
+   *    and `SecurityGroupEgress` reverse-mapped from AWS's normalized
+   *    `IpPermissions[]` / `IpPermissionsEgress[]` form. Each AWS
+   *    `IpPermission` is flattened into one CFn rule per `IpRanges` /
+   *    `Ipv6Ranges` / `UserIdGroupPairs` / `PrefixListIds` entry; field
+   *    names follow CFn direction conventions (`Source*` for ingress,
+   *    `Destination*` for egress). When state templates ingress/egress
+   *    rules, AWS's response is reordered to match state's positional
+   *    order via `reconcileSgRules` so the comparator's array compare
+   *    doesn't fire false drift on AWS's normalized ordering. The
+   *    AWS-auto-attached "allow-all 0.0.0.0/0" egress rule is filtered
+   *    out of `SecurityGroupEgress` when state did not template egress
+   *    (the auto-default is invisible to drift). Both arrays are
+   *    always emitted (even as `[]`) so the v3 `observedProperties`
+   *    baseline catches console-side rule ADDs to a templated SG.
    *  - **AWS::EC2::Instance**: `DescribeInstances` for `ImageId`,
-   *    `InstanceType`, `KeyName`, `SubnetId`. SecurityGroupIds /
-   *    BlockDeviceMappings shape-match is out of scope for v1.
+   *    `InstanceType`, `KeyName`, `SubnetId`, `SecurityGroupIds` (sorted
+   *    list of `SecurityGroups[].GroupId` for stable positional compare),
+   *    `PrivateIpAddress`, `SourceDestCheck`, `Monitoring` (mapped from
+   *    AWS `Monitoring.State` to CFn boolean), `Tenancy` (from
+   *    `Placement.Tenancy`), `IamInstanceProfile` (ARN form — v2 fallback
+   *    state holding a name will fire one-time drift, resolved via
+   *    `cdkd state refresh-observed`), `Tags` (filtered `aws:*`). For
+   *    `BlockDeviceMappings`, `DescribeInstances` only returns
+   *    `(DeviceName, Ebs.VolumeId, Ebs.DeleteOnTermination)`; cdkd
+   *    additionally calls `DescribeVolumes` on the attached volume ids to
+   *    surface `VolumeType` / `VolumeSize` / `Iops` / `Throughput` /
+   *    `Encrypted` / `KmsKeyId` / `SnapshotId`. The DescribeVolumes call
+   *    is best-effort — a permissions gap or other failure falls back to
+   *    the partial shape (DeleteOnTermination only). All arrays / scalars
+   *    that map to user-controllable CFn properties are always emitted
+   *    (even as `[]` or default scalar) so the v3 `observedProperties`
+   *    baseline catches console-side ADDs.
    *  - **AWS::EC2::NetworkAcl**: `DescribeNetworkAcls` for `VpcId`.
    *
    * Skipped (return `undefined`, falls through to the comparator's
@@ -21761,7 +21788,7 @@ var EC2Provider = class {
    * Returns `undefined` when the resource is gone (any `*NotFound` /
    * `Invalid*` error from the EC2 SDK matches `isNotFoundError`).
    */
-  async readCurrentState(physicalId, logicalId, resourceType) {
+  async readCurrentState(physicalId, logicalId, resourceType, properties) {
     try {
       switch (resourceType) {
         case "AWS::EC2::VPC":
@@ -21775,7 +21802,7 @@ var EC2Provider = class {
         case "AWS::EC2::RouteTable":
           return await this.readRouteTableCurrentState(physicalId);
         case "AWS::EC2::SecurityGroup":
-          return await this.readSecurityGroupCurrentState(physicalId);
+          return await this.readSecurityGroupCurrentState(physicalId, properties);
         case "AWS::EC2::Instance":
           return await this.readInstanceCurrentState(physicalId);
         case "AWS::EC2::NetworkAcl":
@@ -21884,7 +21911,7 @@ var EC2Provider = class {
       result["VpcId"] = rt.VpcId;
     return result;
   }
-  async readSecurityGroupCurrentState(physicalId) {
+  async readSecurityGroupCurrentState(physicalId, properties) {
     const resp = await this.ec2Client.send(
       new DescribeSecurityGroupsCommand2({ GroupIds: [physicalId] })
     );
@@ -21898,6 +21925,15 @@ var EC2Provider = class {
       result["GroupDescription"] = sg.Description;
     if (sg.VpcId !== void 0)
       result["VpcId"] = sg.VpcId;
+    const stateIngress = Array.isArray(properties?.["SecurityGroupIngress"]) ? properties["SecurityGroupIngress"] : void 0;
+    const ingressRules = flattenIpPermissions(sg.IpPermissions ?? [], "ingress");
+    result["SecurityGroupIngress"] = reconcileSgRules(ingressRules, stateIngress, "ingress");
+    const stateEgress = Array.isArray(properties?.["SecurityGroupEgress"]) ? properties["SecurityGroupEgress"] : void 0;
+    let egressRules = flattenIpPermissions(sg.IpPermissionsEgress ?? [], "egress");
+    if (stateEgress === void 0) {
+      egressRules = egressRules.filter((r) => !isDefaultEgressRule(r));
+    }
+    result["SecurityGroupEgress"] = reconcileSgRules(egressRules, stateEgress, "egress");
     return result;
   }
   async readInstanceCurrentState(physicalId) {
@@ -21917,6 +21953,75 @@ var EC2Provider = class {
       result["KeyName"] = instance.KeyName;
     if (instance.SubnetId !== void 0)
       result["SubnetId"] = instance.SubnetId;
+    result["SecurityGroupIds"] = (instance.SecurityGroups ?? []).map((g) => g.GroupId).filter((id) => typeof id === "string").sort();
+    if (instance.PrivateIpAddress !== void 0) {
+      result["PrivateIpAddress"] = instance.PrivateIpAddress;
+    }
+    if (instance.SourceDestCheck !== void 0) {
+      result["SourceDestCheck"] = instance.SourceDestCheck;
+    }
+    const monitoringState = instance.Monitoring?.State;
+    result["Monitoring"] = monitoringState === "enabled" || monitoringState === "pending";
+    if (instance.Placement?.Tenancy !== void 0) {
+      result["Tenancy"] = instance.Placement.Tenancy;
+    }
+    if (instance.IamInstanceProfile?.Arn !== void 0) {
+      result["IamInstanceProfile"] = instance.IamInstanceProfile.Arn;
+    }
+    const ebsMappings = (instance.BlockDeviceMappings ?? []).filter(
+      (m) => m.Ebs?.VolumeId !== void 0
+    );
+    const volumeIds = ebsMappings.map((m) => m.Ebs.VolumeId);
+    let volumesById = /* @__PURE__ */ new Map();
+    if (volumeIds.length > 0) {
+      try {
+        const volResp = await this.ec2Client.send(
+          new DescribeVolumesCommand({ VolumeIds: volumeIds })
+        );
+        for (const v of volResp.Volumes ?? []) {
+          if (v.VolumeId !== void 0)
+            volumesById.set(v.VolumeId, v);
+        }
+      } catch (err) {
+        this.logger.debug(
+          `DescribeVolumes(${volumeIds.join(",")}) failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+        volumesById = /* @__PURE__ */ new Map();
+      }
+    }
+    const blockMappings = [];
+    for (const m of instance.BlockDeviceMappings ?? []) {
+      const out = {};
+      if (m.DeviceName !== void 0)
+        out["DeviceName"] = m.DeviceName;
+      if (m.Ebs?.VolumeId !== void 0) {
+        const ebs = {};
+        if (m.Ebs.DeleteOnTermination !== void 0) {
+          ebs["DeleteOnTermination"] = m.Ebs.DeleteOnTermination;
+        }
+        const vol = volumesById.get(m.Ebs.VolumeId);
+        if (vol !== void 0) {
+          if (vol.VolumeType !== void 0)
+            ebs["VolumeType"] = vol.VolumeType;
+          if (vol.Size !== void 0)
+            ebs["VolumeSize"] = vol.Size;
+          if (vol.Iops !== void 0)
+            ebs["Iops"] = vol.Iops;
+          if (vol.Throughput !== void 0)
+            ebs["Throughput"] = vol.Throughput;
+          if (vol.Encrypted !== void 0)
+            ebs["Encrypted"] = vol.Encrypted;
+          if (vol.KmsKeyId !== void 0)
+            ebs["KmsKeyId"] = vol.KmsKeyId;
+          if (vol.SnapshotId !== void 0)
+            ebs["SnapshotId"] = vol.SnapshotId;
+        }
+        out["Ebs"] = ebs;
+      }
+      blockMappings.push(out);
+    }
+    result["BlockDeviceMappings"] = blockMappings;
+    result["Tags"] = normalizeAwsTagsToCfn(instance.Tags);
     return result;
   }
   async readNetworkAclCurrentState(physicalId) {
@@ -21967,6 +22072,115 @@ var EC2Provider = class {
     }
   }
 };
+function flattenIpPermissions(perms, direction) {
+  const out = [];
+  for (const p of perms) {
+    const base = {};
+    if (p.IpProtocol !== void 0)
+      base["IpProtocol"] = p.IpProtocol;
+    if (p.FromPort !== void 0)
+      base["FromPort"] = p.FromPort;
+    if (p.ToPort !== void 0)
+      base["ToPort"] = p.ToPort;
+    for (const ip of p.IpRanges ?? []) {
+      const rule = { ...base };
+      if (ip.CidrIp !== void 0)
+        rule["CidrIp"] = ip.CidrIp;
+      if (ip.Description !== void 0)
+        rule["Description"] = ip.Description;
+      out.push(rule);
+    }
+    for (const ipv6 of p.Ipv6Ranges ?? []) {
+      const rule = { ...base };
+      if (ipv6.CidrIpv6 !== void 0)
+        rule["CidrIpv6"] = ipv6.CidrIpv6;
+      if (ipv6.Description !== void 0)
+        rule["Description"] = ipv6.Description;
+      out.push(rule);
+    }
+    for (const grp of p.UserIdGroupPairs ?? []) {
+      const rule = { ...base };
+      if (direction === "ingress") {
+        if (grp.GroupId !== void 0)
+          rule["SourceSecurityGroupId"] = grp.GroupId;
+        if (grp.UserId !== void 0)
+          rule["SourceSecurityGroupOwnerId"] = grp.UserId;
+      } else {
+        if (grp.GroupId !== void 0)
+          rule["DestinationSecurityGroupId"] = grp.GroupId;
+      }
+      if (grp.Description !== void 0)
+        rule["Description"] = grp.Description;
+      out.push(rule);
+    }
+    for (const pl of p.PrefixListIds ?? []) {
+      const rule = { ...base };
+      if (direction === "ingress") {
+        if (pl.PrefixListId !== void 0)
+          rule["SourcePrefixListId"] = pl.PrefixListId;
+      } else {
+        if (pl.PrefixListId !== void 0)
+          rule["DestinationPrefixListId"] = pl.PrefixListId;
+      }
+      if (pl.Description !== void 0)
+        rule["Description"] = pl.Description;
+      out.push(rule);
+    }
+    if ((p.IpRanges?.length ?? 0) === 0 && (p.Ipv6Ranges?.length ?? 0) === 0 && (p.UserIdGroupPairs?.length ?? 0) === 0 && (p.PrefixListIds?.length ?? 0) === 0) {
+      out.push({ ...base });
+    }
+  }
+  return out;
+}
+function sgRuleKey(rule, direction) {
+  const peerKey = direction === "egress" ? rule["DestinationSecurityGroupId"] : rule["SourceSecurityGroupId"];
+  const prefixKey = direction === "egress" ? rule["DestinationPrefixListId"] : rule["SourcePrefixListId"];
+  const peerOwner = direction === "ingress" ? rule["SourceSecurityGroupOwnerId"] : void 0;
+  return JSON.stringify({
+    p: rule["IpProtocol"] ?? "-1",
+    f: rule["FromPort"] ?? null,
+    t: rule["ToPort"] ?? null,
+    c4: rule["CidrIp"] ?? null,
+    c6: rule["CidrIpv6"] ?? null,
+    peer: peerKey ?? null,
+    peerOwner: peerOwner ?? null,
+    pl: prefixKey ?? null,
+    d: rule["Description"] ?? null
+  });
+}
+function reconcileSgRules(awsRules, stateRules, direction) {
+  if (!stateRules || stateRules.length === 0)
+    return awsRules;
+  const remaining = [...awsRules];
+  const reordered = [];
+  for (const sr of stateRules) {
+    const key = sgRuleKey(sr, direction);
+    const idx = remaining.findIndex((ar) => sgRuleKey(ar, direction) === key);
+    if (idx >= 0) {
+      reordered.push(remaining.splice(idx, 1)[0]);
+    }
+  }
+  return [...reordered, ...remaining];
+}
+function isDefaultEgressRule(rule) {
+  if (rule["IpProtocol"] !== "-1")
+    return false;
+  if (rule["CidrIp"] !== "0.0.0.0/0")
+    return false;
+  if (rule["CidrIpv6"] !== void 0)
+    return false;
+  if (rule["DestinationSecurityGroupId"] !== void 0)
+    return false;
+  if (rule["DestinationPrefixListId"] !== void 0)
+    return false;
+  if (rule["Description"] !== void 0)
+    return false;
+  if (rule["FromPort"] !== void 0 && rule["FromPort"] !== -1)
+    return false;
+  if (rule["ToPort"] !== void 0 && rule["ToPort"] !== -1)
+    return false;
+  return true;
+}
 
 // src/provisioning/providers/apigateway-provider.ts
 import {
@@ -44581,7 +44795,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.3");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.5");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());