@go-to-k/cdkd 0.51.5 → 0.51.7

package/dist/cli.js

@@ -21780,10 +21780,13 @@ var EC2Provider = class {
    *    **AWS::EC2::SecurityGroupIngress**, **AWS::EC2::NetworkAclEntry**,
    *    **AWS::EC2::SubnetNetworkAclAssociation**: rule / association
    *    sub-resources whose AWS API surfaces them inside the parent's
-   *    list, not as standalone Get* responses. v1 drift coverage focuses
-   *    on top-level resources where the property shape comparison is
-   *    cheap and unambiguous; these sub-resources need a more elaborate
-   *    extraction layer that's out of scope for this PR.
+   *    `Describe*` list response, not as standalone `Get*` calls. cdkd
+   *    parses the physicalId to recover the parent id + entry-key, then
+   *    walks the parent's response to find the matching entry and
+   *    reverse-maps it to CFn property shape. `SecurityGroupIngress` uses
+   *    state's full rule signature (when passed via the optional
+   *    `properties` arg) to disambiguate among multiple AWS rules
+   *    sharing the same `(group, protocol, ports)` tuple.
    *
    * Returns `undefined` when the resource is gone (any `*NotFound` /
    * `Invalid*` error from the EC2 SDK matches `isNotFoundError`).
@@ -21807,6 +21810,18 @@ var EC2Provider = class {
           return await this.readInstanceCurrentState(physicalId);
         case "AWS::EC2::NetworkAcl":
           return await this.readNetworkAclCurrentState(physicalId);
+        case "AWS::EC2::VPCGatewayAttachment":
+          return await this.readVpcGatewayAttachmentCurrentState(physicalId);
+        case "AWS::EC2::Route":
+          return await this.readRouteCurrentState(physicalId);
+        case "AWS::EC2::SubnetRouteTableAssociation":
+          return await this.readSubnetRouteTableAssociationCurrentState(physicalId);
+        case "AWS::EC2::SecurityGroupIngress":
+          return await this.readSecurityGroupIngressCurrentState(physicalId, properties);
+        case "AWS::EC2::NetworkAclEntry":
+          return await this.readNetworkAclEntryCurrentState(physicalId);
+        case "AWS::EC2::SubnetNetworkAclAssociation":
+          return await this.readSubnetNetworkAclAssociationCurrentState(physicalId);
         default:
           this.logger.debug(
             `readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`
@@ -22036,6 +22051,269 @@ var EC2Provider = class {
       result["VpcId"] = acl.VpcId;
     return result;
   }
+  /**
+   * AWS::EC2::VPCGatewayAttachment readCurrentState.
+   *
+   * physicalId format: `<igwId>|<vpcId>` (cdkd `createVpcGatewayAttachment`).
+   * AWS API: `DescribeInternetGateways(igwId)` → walk `Attachments[]` for
+   * the matching `VpcId`. Returns `undefined` when the IGW is gone OR is no
+   * longer attached to the recorded VPC. Both fields are immutable on this
+   * resource — drift signal is binary (exists / gone) plus VpcId mismatch.
+   */
+  async readVpcGatewayAttachmentCurrentState(physicalId) {
+    const [igwId, vpcId] = physicalId.split("|");
+    if (!igwId || !vpcId)
+      return void 0;
+    const resp = await this.ec2Client.send(
+      new DescribeInternetGatewaysCommand({ InternetGatewayIds: [igwId] })
+    );
+    const igw = resp.InternetGateways?.[0];
+    if (!igw)
+      return void 0;
+    const attached = igw.Attachments?.some((a) => a.VpcId === vpcId);
+    if (!attached)
+      return void 0;
+    return { InternetGatewayId: igwId, VpcId: vpcId };
+  }
+  /**
+   * AWS::EC2::Route readCurrentState.
+   *
+   * physicalId format: `<routeTableId>|<cidr>` where cidr is either v4 or v6.
+   * AWS API: `DescribeRouteTables(routeTableId)` → walk `Routes[]` for the
+   * entry whose `DestinationCidrBlock` or `DestinationIpv6CidrBlock` matches
+   * the cidr. Returns `undefined` when the route table is gone or the route
+   * has been removed.
+   *
+   * Surfaces the target field (`GatewayId` / `NatGatewayId` / `InstanceId` /
+   * `NetworkInterfaceId` / `VpcPeeringConnectionId` / `EgressOnlyInternetGatewayId` /
+   * `TransitGatewayId` / `VpcEndpointId`) AWS reports for that route. Drift
+   * signal: route target changed.
+   */
+  async readRouteCurrentState(physicalId) {
+    const [rtbId, cidr] = physicalId.split("|");
+    if (!rtbId || !cidr)
+      return void 0;
+    const resp = await this.ec2Client.send(
+      new DescribeRouteTablesCommand2({ RouteTableIds: [rtbId] })
+    );
+    const rtb = resp.RouteTables?.[0];
+    if (!rtb)
+      return void 0;
+    const route = rtb.Routes?.find(
+      (r) => r.DestinationCidrBlock === cidr || r.DestinationIpv6CidrBlock === cidr
+    );
+    if (!route)
+      return void 0;
+    const result = { RouteTableId: rtbId };
+    if (route.DestinationCidrBlock !== void 0) {
+      result["DestinationCidrBlock"] = route.DestinationCidrBlock;
+    } else if (route.DestinationIpv6CidrBlock !== void 0) {
+      result["DestinationIpv6CidrBlock"] = route.DestinationIpv6CidrBlock;
+    }
+    if (route.GatewayId !== void 0)
+      result["GatewayId"] = route.GatewayId;
+    if (route.NatGatewayId !== void 0)
+      result["NatGatewayId"] = route.NatGatewayId;
+    if (route.InstanceId !== void 0)
+      result["InstanceId"] = route.InstanceId;
+    if (route.NetworkInterfaceId !== void 0) {
+      result["NetworkInterfaceId"] = route.NetworkInterfaceId;
+    }
+    if (route.VpcPeeringConnectionId !== void 0) {
+      result["VpcPeeringConnectionId"] = route.VpcPeeringConnectionId;
+    }
+    if (route.EgressOnlyInternetGatewayId !== void 0) {
+      result["EgressOnlyInternetGatewayId"] = route.EgressOnlyInternetGatewayId;
+    }
+    if (route.TransitGatewayId !== void 0) {
+      result["TransitGatewayId"] = route.TransitGatewayId;
+    }
+    if (route.LocalGatewayId !== void 0) {
+      result["LocalGatewayId"] = route.LocalGatewayId;
+    }
+    if (route.CarrierGatewayId !== void 0) {
+      result["CarrierGatewayId"] = route.CarrierGatewayId;
+    }
+    if (route.CoreNetworkArn !== void 0) {
+      result["CoreNetworkArn"] = route.CoreNetworkArn;
+    }
+    return result;
+  }
+  /**
+   * AWS::EC2::SubnetRouteTableAssociation readCurrentState.
+   *
+   * physicalId format: `<rtbassoc-xxx>` (returned by `AssociateRouteTable`).
+   * AWS API: `DescribeRouteTables` filtered by `association.route-table-association-id`,
+   * then walk `Associations[]` for the matching entry. Returns `undefined`
+   * when no route table carries the association id.
+   *
+   * Both `SubnetId` and `RouteTableId` are immutable on this resource —
+   * drift signal is binary (exists / gone).
+   */
+  async readSubnetRouteTableAssociationCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeRouteTablesCommand2({
+        Filters: [{ Name: "association.route-table-association-id", Values: [physicalId] }]
+      })
+    );
+    for (const rtb of resp.RouteTables ?? []) {
+      const assoc = rtb.Associations?.find((a) => a.RouteTableAssociationId === physicalId);
+      if (assoc) {
+        const result = {};
+        if (assoc.SubnetId !== void 0)
+          result["SubnetId"] = assoc.SubnetId;
+        if (assoc.RouteTableId !== void 0)
+          result["RouteTableId"] = assoc.RouteTableId;
+        return result;
+      }
+    }
+    return void 0;
+  }
+  /**
+   * AWS::EC2::SecurityGroupIngress (standalone) readCurrentState.
+   *
+   * physicalId format: `<groupId>|<protocol>|<fromPort>|<toPort>` (cdkd
+   * `createSecurityGroupIngress`). The same tuple can identify multiple
+   * AWS rules (one per `IpRanges` / `Ipv6Ranges` / `UserIdGroupPairs` /
+   * `PrefixListIds` entry). State's full rule signature (passed via the
+   * optional `properties` arg) is used to find the exact matching rule.
+   *
+   * AWS API: `DescribeSecurityGroups(groupId)` → walk `IpPermissions[]`
+   * filtered by protocol+ports → flatten via `flattenIpPermissions` →
+   * find the entry matching state's full signature (CIDR / peer / prefix /
+   * description). Returns `undefined` when the parent SG is gone or no
+   * matching rule exists.
+   */
+  async readSecurityGroupIngressCurrentState(physicalId, properties) {
+    const parts = physicalId.split("|");
+    if (parts.length < 4)
+      return void 0;
+    const groupId = parts[0];
+    const protocol = parts[1];
+    const fromPort = parts[2] === "-1" ? void 0 : parseInt(parts[2], 10);
+    const toPort = parts[3] === "-1" ? void 0 : parseInt(parts[3], 10);
+    const resp = await this.ec2Client.send(
+      new DescribeSecurityGroupsCommand2({ GroupIds: [groupId] })
+    );
+    const sg = resp.SecurityGroups?.[0];
+    if (!sg)
+      return void 0;
+    const candidates = (sg.IpPermissions ?? []).filter(
+      (p) => (p.IpProtocol ?? "-1") === protocol && (p.FromPort ?? void 0) === fromPort && (p.ToPort ?? void 0) === toPort
+    );
+    if (candidates.length === 0)
+      return void 0;
+    const flat = flattenIpPermissions(candidates, "ingress");
+    if (properties && Object.keys(properties).length > 0) {
+      const stateKey = sgRuleKey(properties, "ingress");
+      const match = flat.find((r) => sgRuleKey(r, "ingress") === stateKey);
+      if (match) {
+        return { GroupId: groupId, ...match };
+      }
+      return void 0;
+    }
+    return { GroupId: groupId, ...flat[0] };
+  }
+  /**
+   * AWS::EC2::NetworkAclEntry readCurrentState.
+   *
+   * physicalId format: `<aclId>|<ruleNumber>|<egress>` (cdkd
+   * `createNetworkAclEntry`).
+   *
+   * AWS API: `DescribeNetworkAcls(aclId)` → walk `Entries[]` for the entry
+   * matching `(RuleNumber, Egress)`. Returns `undefined` when the parent
+   * ACL is gone or the rule has been removed.
+   *
+   * Surfaces every user-controllable CFn property (`Protocol`, `RuleAction`,
+   * `CidrBlock`, `Ipv6CidrBlock`, `PortRange`, `IcmpTypeCode`). `Protocol`
+   * is normalized to a number to match CFn input shape (AWS returns it as
+   * a string).
+   */
+  async readNetworkAclEntryCurrentState(physicalId) {
+    const parts = physicalId.split("|");
+    if (parts.length < 3)
+      return void 0;
+    const aclId = parts[0];
+    const ruleNumber = parseInt(parts[1], 10);
+    const egress = parts[2] === "true";
+    const resp = await this.ec2Client.send(
+      new DescribeNetworkAclsCommand({ NetworkAclIds: [aclId] })
+    );
+    const acl = resp.NetworkAcls?.[0];
+    if (!acl)
+      return void 0;
+    const entry = acl.Entries?.find(
+      (e) => e.RuleNumber === ruleNumber && (e.Egress ?? false) === egress
+    );
+    if (!entry)
+      return void 0;
+    const result = {
+      NetworkAclId: aclId,
+      RuleNumber: ruleNumber,
+      Egress: egress
+    };
+    if (entry.Protocol !== void 0) {
+      const n = parseInt(entry.Protocol, 10);
+      result["Protocol"] = Number.isNaN(n) ? entry.Protocol : n;
+    }
+    if (entry.RuleAction !== void 0)
+      result["RuleAction"] = entry.RuleAction;
+    if (entry.CidrBlock !== void 0)
+      result["CidrBlock"] = entry.CidrBlock;
+    if (entry.Ipv6CidrBlock !== void 0)
+      result["Ipv6CidrBlock"] = entry.Ipv6CidrBlock;
+    if (entry.PortRange) {
+      const pr = {};
+      if (entry.PortRange.From !== void 0)
+        pr["From"] = entry.PortRange.From;
+      if (entry.PortRange.To !== void 0)
+        pr["To"] = entry.PortRange.To;
+      if (Object.keys(pr).length > 0)
+        result["PortRange"] = pr;
+    }
+    if (entry.IcmpTypeCode) {
+      const icmp = {};
+      if (entry.IcmpTypeCode.Type !== void 0)
+        icmp["Type"] = entry.IcmpTypeCode.Type;
+      if (entry.IcmpTypeCode.Code !== void 0)
+        icmp["Code"] = entry.IcmpTypeCode.Code;
+      if (Object.keys(icmp).length > 0)
+        result["IcmpTypeCode"] = icmp;
+    }
+    return result;
+  }
+  /**
+   * AWS::EC2::SubnetNetworkAclAssociation readCurrentState.
+   *
+   * physicalId format: `<aclassoc-xxx>` (returned by
+   * `ReplaceNetworkAclAssociation`).
+   *
+   * AWS API: `DescribeNetworkAcls` filtered by `association.association-id`,
+   * then walk `Associations[]` for the matching entry. Returns `undefined`
+   * when no NACL carries the association id.
+   *
+   * Surfaces `NetworkAclId` + `SubnetId`. Drift signal: NetworkAclId
+   * changed (subnet was reassigned to a different NACL via console).
+   */
+  async readSubnetNetworkAclAssociationCurrentState(physicalId) {
+    const resp = await this.ec2Client.send(
+      new DescribeNetworkAclsCommand({
+        Filters: [{ Name: "association.association-id", Values: [physicalId] }]
+      })
+    );
+    for (const acl of resp.NetworkAcls ?? []) {
+      const assoc = acl.Associations?.find((a) => a.NetworkAclAssociationId === physicalId);
+      if (assoc) {
+        const result = {};
+        if (assoc.NetworkAclId !== void 0)
+          result["NetworkAclId"] = assoc.NetworkAclId;
+        if (assoc.SubnetId !== void 0)
+          result["SubnetId"] = assoc.SubnetId;
+        return result;
+      }
+    }
+    return void 0;
+  }
   async verifyExplicit(resourceType, physicalId) {
     try {
       switch (resourceType) {
@@ -35432,22 +35710,28 @@ var FirehoseProvider = class {
    * `KinesisStreamSourceConfiguration` parent fields when present (the
    * `DescribeDeliveryStream` response splits source under `Source.KinesisStreamSourceDescription`).
    *
-   * **Destination configurations**: partial coverage. AWS returns destination
-   * config under `Destinations[0].*DestinationDescription` (note:
-   * `Description`, not `Configuration`). For S3 / ExtendedS3 destinations
-   * the top-level fields with a clean reverse-mapping are surfaced —
-   * `BucketARN`, `RoleARN`, `Prefix`, `ErrorOutputPrefix`, `BufferingHints`,
-   * `CompressionFormat`, plus `S3BackupMode` for Extended. Inner nested
-   * fields (`EncryptionConfiguration`, `CloudWatchLoggingOptions`,
-   * `ProcessingConfiguration`, `DataFormatConversionConfiguration`,
-   * `DynamicPartitioningConfiguration`, `S3BackupConfiguration`) are not
-   * re-shaped — AWS auto-defaults / extra-metadata / write-only redaction
-   * (`Password`) make the round-trip unsafe; they're declared via
-   * `getDriftUnknownPaths()` so the comparator skips them instead of firing
-   * false drift. Non-S3 destination types
+   * **Destination configurations**: full coverage for S3 / ExtendedS3.
+   * AWS returns destination config under `Destinations[0].*DestinationDescription`
+   * (note: `Description`, not `Configuration`); the SDK reuses the same
+   * type as the corresponding `*Configuration` input for the inner
+   * sub-shapes, so reverse-mapping is a `pickDefinedDeep` pass-through.
+   *
+   * Surfaced top-level fields: `BucketARN`, `RoleARN`, `Prefix`,
+   * `ErrorOutputPrefix`, `BufferingHints`, `CompressionFormat`, plus
+   * `S3BackupMode` for Extended. Surfaced inner nested fields:
+   * `EncryptionConfiguration`, `CloudWatchLoggingOptions` (both shapes);
+   * additionally for Extended `ProcessingConfiguration`,
+   * `DataFormatConversionConfiguration`, `DynamicPartitioningConfiguration`,
+   * `S3BackupConfiguration` (reverse-mapped from the AWS-side
+   * `S3BackupDescription`). Each inner subtree is always emitted (even
+   * as `{}` placeholder) so the v3 `observedProperties` baseline catches
+   * console-side ADDs to a previously-default sub-shape.
+   *
+   * Non-S3 destination types
    * (`Redshift`/`Elasticsearch`/`Amazonopensearchservice`/`Splunk`/`HttpEndpoint`/`AmazonOpenSearchServerless`)
-   * stay drift-unknown for v1 — same shape-divergence problem at scale.
-   * `DeliveryStreamEncryptionConfigurationInput` also drift-unknown.
+   * stay drift-unknown — declared via `getDriftUnknownPaths()` until
+   * per-destination reverse-map lands. `DeliveryStreamEncryptionConfigurationInput`
+   * also drift-unknown.
    *
    * Tags are surfaced via a follow-up `ListTagsForDeliveryStream` call
    * with `aws:*` filtered out and always emitted as `[]` placeholder when
@@ -35489,57 +35773,13 @@ var FirehoseProvider = class {
     }
     const dest = desc.Destinations?.[0];
     if (dest?.ExtendedS3DestinationDescription) {
-      const ext = dest.ExtendedS3DestinationDescription;
-      const out = {};
-      if (ext.BucketARN !== void 0)
-        out["BucketARN"] = ext.BucketARN;
-      if (ext.RoleARN !== void 0)
-        out["RoleARN"] = ext.RoleARN;
-      if (ext.Prefix !== void 0)
-        out["Prefix"] = ext.Prefix;
-      if (ext.ErrorOutputPrefix !== void 0)
-        out["ErrorOutputPrefix"] = ext.ErrorOutputPrefix;
-      if (ext.CompressionFormat !== void 0)
-        out["CompressionFormat"] = ext.CompressionFormat;
-      if (ext.BufferingHints) {
-        const hints = {};
-        if (ext.BufferingHints.SizeInMBs !== void 0)
-          hints["SizeInMBs"] = ext.BufferingHints.SizeInMBs;
-        if (ext.BufferingHints.IntervalInSeconds !== void 0)
-          hints["IntervalInSeconds"] = ext.BufferingHints.IntervalInSeconds;
-        if (Object.keys(hints).length > 0)
-          out["BufferingHints"] = hints;
-      }
-      if (ext.S3BackupMode !== void 0)
-        out["S3BackupMode"] = ext.S3BackupMode;
-      if (Object.keys(out).length > 0) {
-        result["ExtendedS3DestinationConfiguration"] = out;
-      }
+      result["ExtendedS3DestinationConfiguration"] = mapExtendedS3DescriptionToCfn(
+        dest.ExtendedS3DestinationDescription
+      );
     } else if (dest?.S3DestinationDescription) {
-      const s3 = dest.S3DestinationDescription;
-      const out = {};
-      if (s3.BucketARN !== void 0)
-        out["BucketARN"] = s3.BucketARN;
-      if (s3.RoleARN !== void 0)
-        out["RoleARN"] = s3.RoleARN;
-      if (s3.Prefix !== void 0)
-        out["Prefix"] = s3.Prefix;
-      if (s3.ErrorOutputPrefix !== void 0)
-        out["ErrorOutputPrefix"] = s3.ErrorOutputPrefix;
-      if (s3.CompressionFormat !== void 0)
-        out["CompressionFormat"] = s3.CompressionFormat;
-      if (s3.BufferingHints) {
-        const hints = {};
-        if (s3.BufferingHints.SizeInMBs !== void 0)
-          hints["SizeInMBs"] = s3.BufferingHints.SizeInMBs;
-        if (s3.BufferingHints.IntervalInSeconds !== void 0)
-          hints["IntervalInSeconds"] = s3.BufferingHints.IntervalInSeconds;
-        if (Object.keys(hints).length > 0)
-          out["BufferingHints"] = hints;
-      }
-      if (Object.keys(out).length > 0) {
-        result["S3DestinationConfiguration"] = out;
-      }
+      result["S3DestinationConfiguration"] = mapS3DescriptionToCfn(
+        dest.S3DestinationDescription
+      );
     }
     try {
       const tagsResp = await this.getClient().send(
@@ -35564,27 +35804,23 @@ var FirehoseProvider = class {
    * docstring for the full rationale per category.
    *
    * Categories:
-   *  - Inner nested fields under S3 / ExtendedS3 destinations: shape
-   *    divergence between `Configuration` (CFn input) and `Description`
-   *    (AWS read), AWS auto-defaults, write-only fields.
-   *  - Non-S3 destination types: same shape-divergence problem at scale,
-   *    deferred to a follow-up.
+   *  - Non-S3 destination types: shape divergence at scale (Description
+   *    vs Configuration field naming, write-only redacted fields like
+   *    Redshift `Password`); reverse-mapping is feasible per-destination
+   *    but deferred until per-shape user demand emerges.
    *  - `DeliveryStreamEncryptionConfigurationInput`: input-only shape
    *    (`KeyARN` + `KeyType`) vs. read-side `DeliveryStreamEncryptionConfiguration`
    *    (extra status / failure fields); not yet round-tripped.
+   *
+   * S3 / ExtendedS3 inner nested fields (`EncryptionConfiguration` /
+   * `CloudWatchLoggingOptions` / `ProcessingConfiguration` /
+   * `DataFormatConversionConfiguration` / `DynamicPartitioningConfiguration` /
+   * `S3BackupConfiguration`) are now surfaced via `mapS3DescriptionToCfn`
+   * / `mapExtendedS3DescriptionToCfn` and no longer drift-unknown.
    */
   getDriftUnknownPaths() {
     return [
-      // S3 / ExtendedS3 nested fields with shape divergence
-      "S3DestinationConfiguration.EncryptionConfiguration",
-      "S3DestinationConfiguration.CloudWatchLoggingOptions",
-      "ExtendedS3DestinationConfiguration.EncryptionConfiguration",
-      "ExtendedS3DestinationConfiguration.CloudWatchLoggingOptions",
-      "ExtendedS3DestinationConfiguration.ProcessingConfiguration",
-      "ExtendedS3DestinationConfiguration.DataFormatConversionConfiguration",
-      "ExtendedS3DestinationConfiguration.DynamicPartitioningConfiguration",
-      "ExtendedS3DestinationConfiguration.S3BackupConfiguration",
-      // Non-S3 destinations (drift-unknown for v1)
+      // Non-S3 destinations (drift-unknown until per-destination reverse-map lands)
       "RedshiftDestinationConfiguration",
       "ElasticsearchDestinationConfiguration",
       "AmazonopensearchserviceDestinationConfiguration",
@@ -35658,6 +35894,68 @@ var FirehoseProvider = class {
     this.logger.warn(`Firehose ${logicalId} did not reach ACTIVE after ${maxAttempts} attempts`);
   }
 };
+function pickDefinedDeep(input) {
+  if (input === void 0 || input === null)
+    return void 0;
+  if (typeof input !== "object")
+    return input;
+  if (Array.isArray(input)) {
+    return input.map((v) => pickDefinedDeep(v));
+  }
+  const out = {};
+  for (const [k, v] of Object.entries(input)) {
+    if (v === void 0)
+      continue;
+    const cleaned = pickDefinedDeep(v);
+    if (cleaned === void 0)
+      continue;
+    if (cleaned !== null && typeof cleaned === "object" && !Array.isArray(cleaned) && Object.keys(cleaned).length === 0) {
+      continue;
+    }
+    out[k] = cleaned;
+  }
+  return out;
+}
+function mapS3DescriptionToCfn(desc) {
+  const out = {};
+  if (desc["BucketARN"] !== void 0)
+    out["BucketARN"] = desc["BucketARN"];
+  if (desc["RoleARN"] !== void 0)
+    out["RoleARN"] = desc["RoleARN"];
+  if (desc["Prefix"] !== void 0)
+    out["Prefix"] = desc["Prefix"];
+  if (desc["ErrorOutputPrefix"] !== void 0) {
+    out["ErrorOutputPrefix"] = desc["ErrorOutputPrefix"];
+  }
+  if (desc["CompressionFormat"] !== void 0) {
+    out["CompressionFormat"] = desc["CompressionFormat"];
+  }
+  if (desc["BufferingHints"]) {
+    const hints = pickDefinedDeep(desc["BufferingHints"]);
+    if (hints && typeof hints === "object" && Object.keys(hints).length > 0) {
+      out["BufferingHints"] = hints;
+    }
+  }
+  out["EncryptionConfiguration"] = pickDefinedDeep(desc["EncryptionConfiguration"]) ?? {};
+  out["CloudWatchLoggingOptions"] = pickDefinedDeep(desc["CloudWatchLoggingOptions"]) ?? {};
+  return out;
+}
+function mapExtendedS3DescriptionToCfn(desc) {
+  const out = mapS3DescriptionToCfn(desc);
+  if (desc["S3BackupMode"] !== void 0)
+    out["S3BackupMode"] = desc["S3BackupMode"];
+  out["ProcessingConfiguration"] = pickDefinedDeep(desc["ProcessingConfiguration"]) ?? {};
+  out["DataFormatConversionConfiguration"] = pickDefinedDeep(desc["DataFormatConversionConfiguration"]) ?? {};
+  out["DynamicPartitioningConfiguration"] = pickDefinedDeep(desc["DynamicPartitioningConfiguration"]) ?? {};
+  if (desc["S3BackupDescription"]) {
+    out["S3BackupConfiguration"] = mapS3DescriptionToCfn(
+      desc["S3BackupDescription"]
+    );
+  } else {
+    out["S3BackupConfiguration"] = {};
+  }
+  return out;
+}
 
 // src/provisioning/providers/cloudtrail-provider.ts
 import {
@@ -44795,7 +45093,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.5");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.7");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());