@go-to-k/cdkd 0.51.4 → 0.51.6

package/dist/cli.js

@@ -19470,7 +19470,8 @@ import {
   ReplaceNetworkAclAssociationCommand,
   DescribeNetworkAclsCommand,
   DescribeNetworkInterfacesCommand as DescribeNetworkInterfacesCommand2,
-  DeleteNetworkInterfaceCommand as DeleteNetworkInterfaceCommand2
+  DeleteNetworkInterfaceCommand as DeleteNetworkInterfaceCommand2,
+  DescribeVolumesCommand
 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var EC2Provider = class {
@@ -21749,8 +21750,23 @@ var EC2Provider = class {
    *    always emitted (even as `[]`) so the v3 `observedProperties`
    *    baseline catches console-side rule ADDs to a templated SG.
    *  - **AWS::EC2::Instance**: `DescribeInstances` for `ImageId`,
-   *    `InstanceType`, `KeyName`, `SubnetId`. SecurityGroupIds /
-   *    BlockDeviceMappings shape-match is out of scope for v1.
+   *    `InstanceType`, `KeyName`, `SubnetId`, `SecurityGroupIds` (sorted
+   *    list of `SecurityGroups[].GroupId` for stable positional compare),
+   *    `PrivateIpAddress`, `SourceDestCheck`, `Monitoring` (mapped from
+   *    AWS `Monitoring.State` to CFn boolean), `Tenancy` (from
+   *    `Placement.Tenancy`), `IamInstanceProfile` (ARN form — v2 fallback
+   *    state holding a name will fire one-time drift, resolved via
+   *    `cdkd state refresh-observed`), `Tags` (filtered `aws:*`). For
+   *    `BlockDeviceMappings`, `DescribeInstances` only returns
+   *    `(DeviceName, Ebs.VolumeId, Ebs.DeleteOnTermination)`; cdkd
+   *    additionally calls `DescribeVolumes` on the attached volume ids to
+   *    surface `VolumeType` / `VolumeSize` / `Iops` / `Throughput` /
+   *    `Encrypted` / `KmsKeyId` / `SnapshotId`. The DescribeVolumes call
+   *    is best-effort — a permissions gap or other failure falls back to
+   *    the partial shape (DeleteOnTermination only). All arrays / scalars
+   *    that map to user-controllable CFn properties are always emitted
+   *    (even as `[]` or default scalar) so the v3 `observedProperties`
+   *    baseline catches console-side ADDs.
    *  - **AWS::EC2::NetworkAcl**: `DescribeNetworkAcls` for `VpcId`.
    *
    * Skipped (return `undefined`, falls through to the comparator's
@@ -21764,10 +21780,13 @@ var EC2Provider = class {
    *    **AWS::EC2::SecurityGroupIngress**, **AWS::EC2::NetworkAclEntry**,
    *    **AWS::EC2::SubnetNetworkAclAssociation**: rule / association
    *    sub-resources whose AWS API surfaces them inside the parent's
-   *    list, not as standalone Get* responses. v1 drift coverage focuses
-   *    on top-level resources where the property shape comparison is
-   *    cheap and unambiguous; these sub-resources need a more elaborate
-   *    extraction layer that's out of scope for this PR.
+   *    `Describe*` list response, not as standalone `Get*` calls. cdkd
+   *    parses the physicalId to recover the parent id + entry-key, then
+   *    walks the parent's response to find the matching entry and
+   *    reverse-maps it to CFn property shape. `SecurityGroupIngress` uses
+   *    state's full rule signature (when passed via the optional
+   *    `properties` arg) to disambiguate among multiple AWS rules
+   *    sharing the same `(group, protocol, ports)` tuple.
    *
    * Returns `undefined` when the resource is gone (any `*NotFound` /
    * `Invalid*` error from the EC2 SDK matches `isNotFoundError`).
@@ -21791,6 +21810,18 @@ var EC2Provider = class {
           return await this.readInstanceCurrentState(physicalId);
         case "AWS::EC2::NetworkAcl":
           return await this.readNetworkAclCurrentState(physicalId);
+        case "AWS::EC2::VPCGatewayAttachment":
+          return await this.readVpcGatewayAttachmentCurrentState(physicalId);
+        case "AWS::EC2::Route":
+          return await this.readRouteCurrentState(physicalId);
+        case "AWS::EC2::SubnetRouteTableAssociation":
+          return await this.readSubnetRouteTableAssociationCurrentState(physicalId);
+        case "AWS::EC2::SecurityGroupIngress":
+          return await this.readSecurityGroupIngressCurrentState(physicalId, properties);
+        case "AWS::EC2::NetworkAclEntry":
+          return await this.readNetworkAclEntryCurrentState(physicalId);
+        case "AWS::EC2::SubnetNetworkAclAssociation":
+          return await this.readSubnetNetworkAclAssociationCurrentState(physicalId);
         default:
           this.logger.debug(
             `readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`
@@ -21937,6 +21968,75 @@ var EC2Provider = class {
       result["KeyName"] = instance.KeyName;
     if (instance.SubnetId !== void 0)
       result["SubnetId"] = instance.SubnetId;
+    result["SecurityGroupIds"] = (instance.SecurityGroups ?? []).map((g) => g.GroupId).filter((id) => typeof id === "string").sort();
+    if (instance.PrivateIpAddress !== void 0) {
+      result["PrivateIpAddress"] = instance.PrivateIpAddress;
+    }
+    if (instance.SourceDestCheck !== void 0) {
+      result["SourceDestCheck"] = instance.SourceDestCheck;
+    }
+    const monitoringState = instance.Monitoring?.State;
+    result["Monitoring"] = monitoringState === "enabled" || monitoringState === "pending";
+    if (instance.Placement?.Tenancy !== void 0) {
+      result["Tenancy"] = instance.Placement.Tenancy;
+    }
+    if (instance.IamInstanceProfile?.Arn !== void 0) {
+      result["IamInstanceProfile"] = instance.IamInstanceProfile.Arn;
+    }
+    const ebsMappings = (instance.BlockDeviceMappings ?? []).filter(
+      (m) => m.Ebs?.VolumeId !== void 0
+    );
+    const volumeIds = ebsMappings.map((m) => m.Ebs.VolumeId);
+    let volumesById = /* @__PURE__ */ new Map();
+    if (volumeIds.length > 0) {
+      try {
+        const volResp = await this.ec2Client.send(
+          new DescribeVolumesCommand({ VolumeIds: volumeIds })
+        );
+        for (const v of volResp.Volumes ?? []) {
+          if (v.VolumeId !== void 0)
+            volumesById.set(v.VolumeId, v);
+        }
+      } catch (err) {
+        this.logger.debug(
+          `DescribeVolumes(${volumeIds.join(",")}) failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+        volumesById = /* @__PURE__ */ new Map();
+      }
+    }
+    const blockMappings = [];
+    for (const m of instance.BlockDeviceMappings ?? []) {
+      const out = {};
+      if (m.DeviceName !== void 0)
+        out["DeviceName"] = m.DeviceName;
+      if (m.Ebs?.VolumeId !== void 0) {
+        const ebs = {};
+        if (m.Ebs.DeleteOnTermination !== void 0) {
+          ebs["DeleteOnTermination"] = m.Ebs.DeleteOnTermination;
+        }
+        const vol = volumesById.get(m.Ebs.VolumeId);
+        if (vol !== void 0) {
+          if (vol.VolumeType !== void 0)
+            ebs["VolumeType"] = vol.VolumeType;
+          if (vol.Size !== void 0)
+            ebs["VolumeSize"] = vol.Size;
+          if (vol.Iops !== void 0)
+            ebs["Iops"] = vol.Iops;
+          if (vol.Throughput !== void 0)
+            ebs["Throughput"] = vol.Throughput;
+          if (vol.Encrypted !== void 0)
+            ebs["Encrypted"] = vol.Encrypted;
+          if (vol.KmsKeyId !== void 0)
+            ebs["KmsKeyId"] = vol.KmsKeyId;
+          if (vol.SnapshotId !== void 0)
+            ebs["SnapshotId"] = vol.SnapshotId;
+        }
+        out["Ebs"] = ebs;
+      }
+      blockMappings.push(out);
+    }
+    result["BlockDeviceMappings"] = blockMappings;
+    result["Tags"] = normalizeAwsTagsToCfn(instance.Tags);
     return result;
   }
   async readNetworkAclCurrentState(physicalId) {
@@ -21951,6 +22051,269 @@ var EC2Provider = class {
       result["VpcId"] = acl.VpcId;
     return result;
   }
+  /**
+   * AWS::EC2::VPCGatewayAttachment readCurrentState.
+   *
+   * physicalId format: `<igwId>|<vpcId>` (cdkd `createVpcGatewayAttachment`).
+   * AWS API: `DescribeInternetGateways(igwId)` → walk `Attachments[]` for
+   * the matching `VpcId`. Returns `undefined` when the IGW is gone OR is no
+   * longer attached to the recorded VPC. Both fields are immutable on this
+   * resource — drift signal is binary (exists / gone) plus VpcId mismatch.
+   */
+  async readVpcGatewayAttachmentCurrentState(physicalId) {
+    const [igwId, vpcId] = physicalId.split("|");
+    if (!igwId || !vpcId)
+      return void 0;
+    const resp = await this.ec2Client.send(
+      new DescribeInternetGatewaysCommand({ InternetGatewayIds: [igwId] })
+    );
+    const igw = resp.InternetGateways?.[0];
+    if (!igw)
+      return void 0;
+    const attached = igw.Attachments?.some((a) => a.VpcId === vpcId);
+    if (!attached)
+      return void 0;
+    return { InternetGatewayId: igwId, VpcId: vpcId };
+  }
+  /**
+   * AWS::EC2::Route readCurrentState.
+   *
+   * physicalId format: `<routeTableId>|<cidr>` where cidr is either v4 or v6.
+   * AWS API: `DescribeRouteTables(routeTableId)` → walk `Routes[]` for the
+   * entry whose `DestinationCidrBlock` or `DestinationIpv6CidrBlock` matches
+   * the cidr. Returns `undefined` when the route table is gone or the route
+   * has been removed.
+   *
+   * Surfaces the target field (`GatewayId` / `NatGatewayId` / `InstanceId` /
+   * `NetworkInterfaceId` / `VpcPeeringConnectionId` / `EgressOnlyInternetGatewayId` /
+   * `TransitGatewayId` / `VpcEndpointId`) AWS reports for that route. Drift
+   * signal: route target changed.
+   */
+  async readRouteCurrentState(physicalId) {
+    const [rtbId, cidr] = physicalId.split("|");
+    if (!rtbId || !cidr)
+      return void 0;
+    const resp = await this.ec2Client.send(
+      new DescribeRouteTablesCommand2({ RouteTableIds: [rtbId] })
+    );
+    const rtb = resp.RouteTables?.[0];
+    if (!rtb)
+      return void 0;
+    const route = rtb.Routes?.find(
+      (r) => r.DestinationCidrBlock === cidr || r.DestinationIpv6CidrBlock === cidr
+    );
+    if (!route)
+      return void 0;
+    const result = { RouteTableId: rtbId };
+    if (route.DestinationCidrBlock !== void 0) {
+      result["DestinationCidrBlock"] = route.DestinationCidrBlock;
+    } else if (route.DestinationIpv6CidrBlock !== void 0) {
+      result["DestinationIpv6CidrBlock"] = route.DestinationIpv6CidrBlock;
+    }
+    if (route.GatewayId !== void 0)
+      result["GatewayId"] = route.GatewayId;
+    if (route.NatGatewayId !== void 0)
+      result["NatGatewayId"] = route.NatGatewayId;
+    if (route.InstanceId !== void 0)
+      result["InstanceId"] = route.InstanceId;
+    if (route.NetworkInterfaceId !== void 0) {
+      result["NetworkInterfaceId"] = route.NetworkInterfaceId;
+    }
+    if (route.VpcPeeringConnectionId !== void 0) {
+      result["VpcPeeringConnectionId"] = route.VpcPeeringConnectionId;
+    }
+    if (route.EgressOnlyInternetGatewayId !== void 0) {
+      result["EgressOnlyInternetGatewayId"] = route.EgressOnlyInternetGatewayId;
+    }
+    if (route.TransitGatewayId !== void 0) {
+      result["TransitGatewayId"] = route.TransitGatewayId;
+    }
+    if (route.LocalGatewayId !== void 0) {
+      result["LocalGatewayId"] = route.LocalGatewayId;
+    }
+    if (route.CarrierGatewayId !== void 0) {
+      result["CarrierGatewayId"] = route.CarrierGatewayId;
+    }
+    if (route.CoreNetworkArn !== void 0) {
+      result["CoreNetworkArn"] = route.CoreNetworkArn;
+    }
+    return result;
+  }
+  /**
+   * AWS::EC2::SubnetRouteTableAssociation readCurrentState.
+   *
+   * physicalId format: `<rtbassoc-xxx>` (returned by `AssociateRouteTable`).
+   * AWS API: `DescribeRouteTables` filtered by `association.route-table-association-id`,
+   * then walk `Associations[]` for the matching entry. Returns `undefined`
+   * when no route table carries the association id.
+   *
+   * Both `SubnetId` and `RouteTableId` are immutable on this resource —
+   * drift signal is binary (exists / gone).
+   */
+  async readSubnetRouteTableAssociationCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeRouteTablesCommand2({
+        Filters: [{ Name: "association.route-table-association-id", Values: [physicalId] }]
+      })
+    );
+    for (const rtb of resp.RouteTables ?? []) {
+      const assoc = rtb.Associations?.find((a) => a.RouteTableAssociationId === physicalId);
+      if (assoc) {
+        const result = {};
+        if (assoc.SubnetId !== void 0)
+          result["SubnetId"] = assoc.SubnetId;
+        if (assoc.RouteTableId !== void 0)
+          result["RouteTableId"] = assoc.RouteTableId;
+        return result;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * AWS::EC2::SecurityGroupIngress (standalone) readCurrentState.
+   *
+   * physicalId format: `<groupId>|<protocol>|<fromPort>|<toPort>` (cdkd
+   * `createSecurityGroupIngress`). The same tuple can identify multiple
+   * AWS rules (one per `IpRanges` / `Ipv6Ranges` / `UserIdGroupPairs` /
+   * `PrefixListIds` entry). State's full rule signature (passed via the
+   * optional `properties` arg) is used to find the exact matching rule.
+   *
+   * AWS API: `DescribeSecurityGroups(groupId)` → walk `IpPermissions[]`
+   * filtered by protocol+ports → flatten via `flattenIpPermissions` →
+   * find the entry matching state's full signature (CIDR / peer / prefix /
+   * description). Returns `undefined` when the parent SG is gone or no
+   * matching rule exists.
+   */
+  async readSecurityGroupIngressCurrentState(physicalId, properties) {
+    const parts = physicalId.split("|");
+    if (parts.length < 4)
+      return void 0;
+    const groupId = parts[0];
+    const protocol = parts[1];
+    const fromPort = parts[2] === "-1" ? void 0 : parseInt(parts[2], 10);
+    const toPort = parts[3] === "-1" ? void 0 : parseInt(parts[3], 10);
+    const resp = await this.ec2Client.send(
+      new DescribeSecurityGroupsCommand2({ GroupIds: [groupId] })
+    );
+    const sg = resp.SecurityGroups?.[0];
+    if (!sg)
+      return void 0;
+    const candidates = (sg.IpPermissions ?? []).filter(
+      (p) => (p.IpProtocol ?? "-1") === protocol && (p.FromPort ?? void 0) === fromPort && (p.ToPort ?? void 0) === toPort
+    );
+    if (candidates.length === 0)
+      return void 0;
+    const flat = flattenIpPermissions(candidates, "ingress");
+    if (properties && Object.keys(properties).length > 0) {
+      const stateKey = sgRuleKey(properties, "ingress");
+      const match = flat.find((r) => sgRuleKey(r, "ingress") === stateKey);
+      if (match) {
+        return { GroupId: groupId, ...match };
+      }
+      return void 0;
+    }
+    return { GroupId: groupId, ...flat[0] };
+  }
+  /**
+   * AWS::EC2::NetworkAclEntry readCurrentState.
+   *
+   * physicalId format: `<aclId>|<ruleNumber>|<egress>` (cdkd
+   * `createNetworkAclEntry`).
+   *
+   * AWS API: `DescribeNetworkAcls(aclId)` → walk `Entries[]` for the entry
+   * matching `(RuleNumber, Egress)`. Returns `undefined` when the parent
+   * ACL is gone or the rule has been removed.
+   *
+   * Surfaces every user-controllable CFn property (`Protocol`, `RuleAction`,
+   * `CidrBlock`, `Ipv6CidrBlock`, `PortRange`, `IcmpTypeCode`). `Protocol`
+   * is normalized to a number to match CFn input shape (AWS returns it as
+   * a string).
+   */
+  async readNetworkAclEntryCurrentState(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length < 3)
+      return void 0;
+    const aclId = parts[0];
+    const ruleNumber = parseInt(parts[1], 10);
+    const egress = parts[2] === "true";
+    const resp = await this.ec2Client.send(
+      new DescribeNetworkAclsCommand({ NetworkAclIds: [aclId] })
+    );
+    const acl = resp.NetworkAcls?.[0];
+    if (!acl)
+      return void 0;
+    const entry = acl.Entries?.find(
+      (e) => e.RuleNumber === ruleNumber && (e.Egress ?? false) === egress
+    );
+    if (!entry)
+      return void 0;
+    const result = {
+      NetworkAclId: aclId,
+      RuleNumber: ruleNumber,
+      Egress: egress
+    };
+    if (entry.Protocol !== void 0) {
+      const n = parseInt(entry.Protocol, 10);
+      result["Protocol"] = Number.isNaN(n) ? entry.Protocol : n;
+    }
+    if (entry.RuleAction !== void 0)
+      result["RuleAction"] = entry.RuleAction;
+    if (entry.CidrBlock !== void 0)
+      result["CidrBlock"] = entry.CidrBlock;
+    if (entry.Ipv6CidrBlock !== void 0)
+      result["Ipv6CidrBlock"] = entry.Ipv6CidrBlock;
+    if (entry.PortRange) {
+      const pr = {};
+      if (entry.PortRange.From !== void 0)
+        pr["From"] = entry.PortRange.From;
+      if (entry.PortRange.To !== void 0)
+        pr["To"] = entry.PortRange.To;
+      if (Object.keys(pr).length > 0)
+        result["PortRange"] = pr;
+    }
+    if (entry.IcmpTypeCode) {
+      const icmp = {};
+      if (entry.IcmpTypeCode.Type !== void 0)
+        icmp["Type"] = entry.IcmpTypeCode.Type;
+      if (entry.IcmpTypeCode.Code !== void 0)
+        icmp["Code"] = entry.IcmpTypeCode.Code;
+      if (Object.keys(icmp).length > 0)
+        result["IcmpTypeCode"] = icmp;
+    }
+    return result;
+  }
+  /**
+   * AWS::EC2::SubnetNetworkAclAssociation readCurrentState.
+   *
+   * physicalId format: `<aclassoc-xxx>` (returned by
+   * `ReplaceNetworkAclAssociation`).
+   *
+   * AWS API: `DescribeNetworkAcls` filtered by `association.association-id`,
+   * then walk `Associations[]` for the matching entry. Returns `undefined`
+   * when no NACL carries the association id.
+   *
+   * Surfaces `NetworkAclId` + `SubnetId`. Drift signal: NetworkAclId
+   * changed (subnet was reassigned to a different NACL via console).
+   */
+  async readSubnetNetworkAclAssociationCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeNetworkAclsCommand({
+        Filters: [{ Name: "association.association-id", Values: [physicalId] }]
+      })
+    );
+    for (const acl of resp.NetworkAcls ?? []) {
+      const assoc = acl.Associations?.find((a) => a.NetworkAclAssociationId === physicalId);
+      if (assoc) {
+        const result = {};
+        if (assoc.NetworkAclId !== void 0)
+          result["NetworkAclId"] = assoc.NetworkAclId;
+        if (assoc.SubnetId !== void 0)
+          result["SubnetId"] = assoc.SubnetId;
+        return result;
+      }
+    }
+    return void 0;
+  }
   async verifyExplicit(resourceType, physicalId) {
     try {
       switch (resourceType) {
@@ -44710,7 +45073,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.4");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.6");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());