@go-to-k/cdkd 0.51.5 → 0.51.6

package/dist/cli.js

@@ -21780,10 +21780,13 @@ var EC2Provider = class {
    *    **AWS::EC2::SecurityGroupIngress**, **AWS::EC2::NetworkAclEntry**,
    *    **AWS::EC2::SubnetNetworkAclAssociation**: rule / association
    *    sub-resources whose AWS API surfaces them inside the parent's
-   *    list, not as standalone Get* responses. v1 drift coverage focuses
-   *    on top-level resources where the property shape comparison is
-   *    cheap and unambiguous; these sub-resources need a more elaborate
-   *    extraction layer that's out of scope for this PR.
+   *    `Describe*` list response, not as standalone `Get*` calls. cdkd
+   *    parses the physicalId to recover the parent id + entry-key, then
+   *    walks the parent's response to find the matching entry and
+   *    reverse-maps it to CFn property shape. `SecurityGroupIngress` uses
+   *    state's full rule signature (when passed via the optional
+   *    `properties` arg) to disambiguate among multiple AWS rules
+   *    sharing the same `(group, protocol, ports)` tuple.
    *
    * Returns `undefined` when the resource is gone (any `*NotFound` /
    * `Invalid*` error from the EC2 SDK matches `isNotFoundError`).
@@ -21807,6 +21810,18 @@ var EC2Provider = class {
           return await this.readInstanceCurrentState(physicalId);
         case "AWS::EC2::NetworkAcl":
           return await this.readNetworkAclCurrentState(physicalId);
+        case "AWS::EC2::VPCGatewayAttachment":
+          return await this.readVpcGatewayAttachmentCurrentState(physicalId);
+        case "AWS::EC2::Route":
+          return await this.readRouteCurrentState(physicalId);
+        case "AWS::EC2::SubnetRouteTableAssociation":
+          return await this.readSubnetRouteTableAssociationCurrentState(physicalId);
+        case "AWS::EC2::SecurityGroupIngress":
+          return await this.readSecurityGroupIngressCurrentState(physicalId, properties);
+        case "AWS::EC2::NetworkAclEntry":
+          return await this.readNetworkAclEntryCurrentState(physicalId);
+        case "AWS::EC2::SubnetNetworkAclAssociation":
+          return await this.readSubnetNetworkAclAssociationCurrentState(physicalId);
         default:
           this.logger.debug(
             `readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`
@@ -22036,6 +22051,269 @@ var EC2Provider = class {
       result["VpcId"] = acl.VpcId;
     return result;
   }
+  /**
+   * AWS::EC2::VPCGatewayAttachment readCurrentState.
+   *
+   * physicalId format: `<igwId>|<vpcId>` (cdkd `createVpcGatewayAttachment`).
+   * AWS API: `DescribeInternetGateways(igwId)` → walk `Attachments[]` for
+   * the matching `VpcId`. Returns `undefined` when the IGW is gone OR is no
+   * longer attached to the recorded VPC. Both fields are immutable on this
+   * resource — drift signal is binary (exists / gone) plus VpcId mismatch.
+   */
+  async readVpcGatewayAttachmentCurrentState(physicalId) {
+    const [igwId, vpcId] = physicalId.split("|");
+    if (!igwId || !vpcId)
+      return void 0;
+    const resp = await this.ec2Client.send(
+      new DescribeInternetGatewaysCommand({ InternetGatewayIds: [igwId] })
+    );
+    const igw = resp.InternetGateways?.[0];
+    if (!igw)
+      return void 0;
+    const attached = igw.Attachments?.some((a) => a.VpcId === vpcId);
+    if (!attached)
+      return void 0;
+    return { InternetGatewayId: igwId, VpcId: vpcId };
+  }
+  /**
+   * AWS::EC2::Route readCurrentState.
+   *
+   * physicalId format: `<routeTableId>|<cidr>` where cidr is either v4 or v6.
+   * AWS API: `DescribeRouteTables(routeTableId)` → walk `Routes[]` for the
+   * entry whose `DestinationCidrBlock` or `DestinationIpv6CidrBlock` matches
+   * the cidr. Returns `undefined` when the route table is gone or the route
+   * has been removed.
+   *
+   * Surfaces the target field (`GatewayId` / `NatGatewayId` / `InstanceId` /
+   * `NetworkInterfaceId` / `VpcPeeringConnectionId` / `EgressOnlyInternetGatewayId` /
+   * `TransitGatewayId` / `VpcEndpointId`) AWS reports for that route. Drift
+   * signal: route target changed.
+   */
+  async readRouteCurrentState(physicalId) {
+    const [rtbId, cidr] = physicalId.split("|");
+    if (!rtbId || !cidr)
+      return void 0;
+    const resp = await this.ec2Client.send(
+      new DescribeRouteTablesCommand2({ RouteTableIds: [rtbId] })
+    );
+    const rtb = resp.RouteTables?.[0];
+    if (!rtb)
+      return void 0;
+    const route = rtb.Routes?.find(
+      (r) => r.DestinationCidrBlock === cidr || r.DestinationIpv6CidrBlock === cidr
+    );
+    if (!route)
+      return void 0;
+    const result = { RouteTableId: rtbId };
+    if (route.DestinationCidrBlock !== void 0) {
+      result["DestinationCidrBlock"] = route.DestinationCidrBlock;
+    } else if (route.DestinationIpv6CidrBlock !== void 0) {
+      result["DestinationIpv6CidrBlock"] = route.DestinationIpv6CidrBlock;
+    }
+    if (route.GatewayId !== void 0)
+      result["GatewayId"] = route.GatewayId;
+    if (route.NatGatewayId !== void 0)
+      result["NatGatewayId"] = route.NatGatewayId;
+    if (route.InstanceId !== void 0)
+      result["InstanceId"] = route.InstanceId;
+    if (route.NetworkInterfaceId !== void 0) {
+      result["NetworkInterfaceId"] = route.NetworkInterfaceId;
+    }
+    if (route.VpcPeeringConnectionId !== void 0) {
+      result["VpcPeeringConnectionId"] = route.VpcPeeringConnectionId;
+    }
+    if (route.EgressOnlyInternetGatewayId !== void 0) {
+      result["EgressOnlyInternetGatewayId"] = route.EgressOnlyInternetGatewayId;
+    }
+    if (route.TransitGatewayId !== void 0) {
+      result["TransitGatewayId"] = route.TransitGatewayId;
+    }
+    if (route.LocalGatewayId !== void 0) {
+      result["LocalGatewayId"] = route.LocalGatewayId;
+    }
+    if (route.CarrierGatewayId !== void 0) {
+      result["CarrierGatewayId"] = route.CarrierGatewayId;
+    }
+    if (route.CoreNetworkArn !== void 0) {
+      result["CoreNetworkArn"] = route.CoreNetworkArn;
+    }
+    return result;
+  }
+  /**
+   * AWS::EC2::SubnetRouteTableAssociation readCurrentState.
+   *
+   * physicalId format: `<rtbassoc-xxx>` (returned by `AssociateRouteTable`).
+   * AWS API: `DescribeRouteTables` filtered by `association.route-table-association-id`,
+   * then walk `Associations[]` for the matching entry. Returns `undefined`
+   * when no route table carries the association id.
+   *
+   * Both `SubnetId` and `RouteTableId` are immutable on this resource —
+   * drift signal is binary (exists / gone).
+   */
+  async readSubnetRouteTableAssociationCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeRouteTablesCommand2({
+        Filters: [{ Name: "association.route-table-association-id", Values: [physicalId] }]
+      })
+    );
+    for (const rtb of resp.RouteTables ?? []) {
+      const assoc = rtb.Associations?.find((a) => a.RouteTableAssociationId === physicalId);
+      if (assoc) {
+        const result = {};
+        if (assoc.SubnetId !== void 0)
+          result["SubnetId"] = assoc.SubnetId;
+        if (assoc.RouteTableId !== void 0)
+          result["RouteTableId"] = assoc.RouteTableId;
+        return result;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * AWS::EC2::SecurityGroupIngress (standalone) readCurrentState.
+   *
+   * physicalId format: `<groupId>|<protocol>|<fromPort>|<toPort>` (cdkd
+   * `createSecurityGroupIngress`). The same tuple can identify multiple
+   * AWS rules (one per `IpRanges` / `Ipv6Ranges` / `UserIdGroupPairs` /
+   * `PrefixListIds` entry). State's full rule signature (passed via the
+   * optional `properties` arg) is used to find the exact matching rule.
+   *
+   * AWS API: `DescribeSecurityGroups(groupId)` → walk `IpPermissions[]`
+   * filtered by protocol+ports → flatten via `flattenIpPermissions` →
+   * find the entry matching state's full signature (CIDR / peer / prefix /
+   * description). Returns `undefined` when the parent SG is gone or no
+   * matching rule exists.
+   */
+  async readSecurityGroupIngressCurrentState(physicalId, properties) {
+    const parts = physicalId.split("|");
+    if (parts.length < 4)
+      return void 0;
+    const groupId = parts[0];
+    const protocol = parts[1];
+    const fromPort = parts[2] === "-1" ? void 0 : parseInt(parts[2], 10);
+    const toPort = parts[3] === "-1" ? void 0 : parseInt(parts[3], 10);
+    const resp = await this.ec2Client.send(
+      new DescribeSecurityGroupsCommand2({ GroupIds: [groupId] })
+    );
+    const sg = resp.SecurityGroups?.[0];
+    if (!sg)
+      return void 0;
+    const candidates = (sg.IpPermissions ?? []).filter(
+      (p) => (p.IpProtocol ?? "-1") === protocol && (p.FromPort ?? void 0) === fromPort && (p.ToPort ?? void 0) === toPort
+    );
+    if (candidates.length === 0)
+      return void 0;
+    const flat = flattenIpPermissions(candidates, "ingress");
+    if (properties && Object.keys(properties).length > 0) {
+      const stateKey = sgRuleKey(properties, "ingress");
+      const match = flat.find((r) => sgRuleKey(r, "ingress") === stateKey);
+      if (match) {
+        return { GroupId: groupId, ...match };
+      }
+      return void 0;
+    }
+    return { GroupId: groupId, ...flat[0] };
+  }
+  /**
+   * AWS::EC2::NetworkAclEntry readCurrentState.
+   *
+   * physicalId format: `<aclId>|<ruleNumber>|<egress>` (cdkd
+   * `createNetworkAclEntry`).
+   *
+   * AWS API: `DescribeNetworkAcls(aclId)` → walk `Entries[]` for the entry
+   * matching `(RuleNumber, Egress)`. Returns `undefined` when the parent
+   * ACL is gone or the rule has been removed.
+   *
+   * Surfaces every user-controllable CFn property (`Protocol`, `RuleAction`,
+   * `CidrBlock`, `Ipv6CidrBlock`, `PortRange`, `IcmpTypeCode`). `Protocol`
+   * is normalized to a number to match CFn input shape (AWS returns it as
+   * a string).
+   */
+  async readNetworkAclEntryCurrentState(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length < 3)
+      return void 0;
+    const aclId = parts[0];
+    const ruleNumber = parseInt(parts[1], 10);
+    const egress = parts[2] === "true";
+    const resp = await this.ec2Client.send(
+      new DescribeNetworkAclsCommand({ NetworkAclIds: [aclId] })
+    );
+    const acl = resp.NetworkAcls?.[0];
+    if (!acl)
+      return void 0;
+    const entry = acl.Entries?.find(
+      (e) => e.RuleNumber === ruleNumber && (e.Egress ?? false) === egress
+    );
+    if (!entry)
+      return void 0;
+    const result = {
+      NetworkAclId: aclId,
+      RuleNumber: ruleNumber,
+      Egress: egress
+    };
+    if (entry.Protocol !== void 0) {
+      const n = parseInt(entry.Protocol, 10);
+      result["Protocol"] = Number.isNaN(n) ? entry.Protocol : n;
+    }
+    if (entry.RuleAction !== void 0)
+      result["RuleAction"] = entry.RuleAction;
+    if (entry.CidrBlock !== void 0)
+      result["CidrBlock"] = entry.CidrBlock;
+    if (entry.Ipv6CidrBlock !== void 0)
+      result["Ipv6CidrBlock"] = entry.Ipv6CidrBlock;
+    if (entry.PortRange) {
+      const pr = {};
+      if (entry.PortRange.From !== void 0)
+        pr["From"] = entry.PortRange.From;
+      if (entry.PortRange.To !== void 0)
+        pr["To"] = entry.PortRange.To;
+      if (Object.keys(pr).length > 0)
+        result["PortRange"] = pr;
+    }
+    if (entry.IcmpTypeCode) {
+      const icmp = {};
+      if (entry.IcmpTypeCode.Type !== void 0)
+        icmp["Type"] = entry.IcmpTypeCode.Type;
+      if (entry.IcmpTypeCode.Code !== void 0)
+        icmp["Code"] = entry.IcmpTypeCode.Code;
+      if (Object.keys(icmp).length > 0)
+        result["IcmpTypeCode"] = icmp;
+    }
+    return result;
+  }
+  /**
+   * AWS::EC2::SubnetNetworkAclAssociation readCurrentState.
+   *
+   * physicalId format: `<aclassoc-xxx>` (returned by
+   * `ReplaceNetworkAclAssociation`).
+   *
+   * AWS API: `DescribeNetworkAcls` filtered by `association.association-id`,
+   * then walk `Associations[]` for the matching entry. Returns `undefined`
+   * when no NACL carries the association id.
+   *
+   * Surfaces `NetworkAclId` + `SubnetId`. Drift signal: NetworkAclId
+   * changed (subnet was reassigned to a different NACL via console).
+   */
+  async readSubnetNetworkAclAssociationCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeNetworkAclsCommand({
+        Filters: [{ Name: "association.association-id", Values: [physicalId] }]
+      })
+    );
+    for (const acl of resp.NetworkAcls ?? []) {
+      const assoc = acl.Associations?.find((a) => a.NetworkAclAssociationId === physicalId);
+      if (assoc) {
+        const result = {};
+        if (assoc.NetworkAclId !== void 0)
+          result["NetworkAclId"] = assoc.NetworkAclId;
+        if (assoc.SubnetId !== void 0)
+          result["SubnetId"] = assoc.SubnetId;
+        return result;
+      }
+    }
+    return void 0;
+  }
   async verifyExplicit(resourceType, physicalId) {
     try {
       switch (resourceType) {
@@ -44795,7 +45073,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.5");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.6");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());