@go-to-k/cdkd 0.51.7 → 0.51.9

package/dist/cli.js

@@ -19471,7 +19471,8 @@ import {
   DescribeNetworkAclsCommand,
   DescribeNetworkInterfacesCommand as DescribeNetworkInterfacesCommand2,
   DeleteNetworkInterfaceCommand as DeleteNetworkInterfaceCommand2,
-  DescribeVolumesCommand
+  DescribeVolumesCommand,
+  DescribeInstanceAttributeCommand
 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var EC2Provider = class {
@@ -21761,12 +21762,14 @@ var EC2Provider = class {
    *    `(DeviceName, Ebs.VolumeId, Ebs.DeleteOnTermination)`; cdkd
    *    additionally calls `DescribeVolumes` on the attached volume ids to
    *    surface `VolumeType` / `VolumeSize` / `Iops` / `Throughput` /
-   *    `Encrypted` / `KmsKeyId` / `SnapshotId`. The DescribeVolumes call
-   *    is best-effort — a permissions gap or other failure falls back to
-   *    the partial shape (DeleteOnTermination only). All arrays / scalars
-   *    that map to user-controllable CFn properties are always emitted
-   *    (even as `[]` or default scalar) so the v3 `observedProperties`
-   *    baseline catches console-side ADDs.
+   *    `Encrypted` / `KmsKeyId` / `SnapshotId`. `DisableApiTermination`
+   *    is recovered via a separate `DescribeInstanceAttribute` call (the
+   *    `DescribeInstances` response does not include it). Both extra
+   *    calls are best-effort — a permissions gap or other failure falls
+   *    back to omitting the key. All arrays / scalars that map to
+   *    user-controllable CFn properties are always emitted (even as `[]`
+   *    or default scalar) so the v3 `observedProperties` baseline
+   *    catches console-side ADDs.
    *  - **AWS::EC2::NetworkAcl**: `DescribeNetworkAcls` for `VpcId`.
    *
    * Skipped (return `undefined`, falls through to the comparator's
@@ -22037,6 +22040,21 @@ var EC2Provider = class {
     }
     result["BlockDeviceMappings"] = blockMappings;
     result["Tags"] = normalizeAwsTagsToCfn(instance.Tags);
+    try {
+      const attrResp = await this.ec2Client.send(
+        new DescribeInstanceAttributeCommand({
+          InstanceId: physicalId,
+          Attribute: "disableApiTermination"
+        })
+      );
+      if (attrResp.DisableApiTermination?.Value !== void 0) {
+        result["DisableApiTermination"] = attrResp.DisableApiTermination.Value;
+      }
+    } catch (err) {
+      this.logger.debug(
+        `DescribeInstanceAttribute(disableApiTermination, ${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   async readNetworkAclCurrentState(physicalId) {
@@ -35729,9 +35747,22 @@ var FirehoseProvider = class {
    *
    * Non-S3 destination types
    * (`Redshift`/`Elasticsearch`/`Amazonopensearchservice`/`Splunk`/`HttpEndpoint`/`AmazonOpenSearchServerless`)
-   * stay drift-unknown — declared via `getDriftUnknownPaths()` until
-   * per-destination reverse-map lands. `DeliveryStreamEncryptionConfigurationInput`
-   * also drift-unknown.
+   * are reverse-mapped via `mapRedshiftDescriptionToCfn` /
+   * `mapHttpEndpointDescriptionToCfn` / `mapNonS3DestinationToCfn`. The
+   * SDK reuses field names between Description and Configuration for
+   * these destinations, so a `pickDefinedDeep` pass-through produces a
+   * CFn-compatible shape. AWS-managed read-only `VpcId` is stripped
+   * from `VpcConfigurationDescription`. Write-only fields AWS strips
+   * from descriptions (`RedshiftDestinationConfiguration.Password`,
+   * `HttpEndpointDestinationConfiguration.EndpointConfiguration.AccessKey`)
+   * stay drift-unknown via `getDriftUnknownPaths` — no AWS API recovers them.
+   *
+   * `DeliveryStreamEncryptionConfigurationInput` is also surfaced. AWS
+   * returns the read-side shape `DeliveryStreamEncryptionConfiguration`
+   * (with extra `Status` / `FailureDescription` fields); we reverse-map
+   * to the CFn input shape (`KeyARN` + `KeyType`) and always emit a
+   * `{}` placeholder so the v3 baseline catches console-side encryption
+   * enables on a previously-default stream.
    *
    * Tags are surfaced via a follow-up `ListTagsForDeliveryStream` call
    * with `aws:*` filtered out and always emitted as `[]` placeholder when
@@ -35780,7 +35811,38 @@ var FirehoseProvider = class {
       result["S3DestinationConfiguration"] = mapS3DescriptionToCfn(
         dest.S3DestinationDescription
       );
+    } else if (dest?.RedshiftDestinationDescription) {
+      result["RedshiftDestinationConfiguration"] = mapRedshiftDescriptionToCfn(
+        dest.RedshiftDestinationDescription
+      );
+    } else if (dest?.ElasticsearchDestinationDescription) {
+      result["ElasticsearchDestinationConfiguration"] = mapNonS3DestinationToCfn(
+        dest.ElasticsearchDestinationDescription
+      );
+    } else if (dest?.AmazonopensearchserviceDestinationDescription) {
+      result["AmazonopensearchserviceDestinationConfiguration"] = mapNonS3DestinationToCfn(
+        dest.AmazonopensearchserviceDestinationDescription
+      );
+    } else if (dest?.AmazonOpenSearchServerlessDestinationDescription) {
+      result["AmazonOpenSearchServerlessDestinationConfiguration"] = mapNonS3DestinationToCfn(
+        dest.AmazonOpenSearchServerlessDestinationDescription
+      );
+    } else if (dest?.SplunkDestinationDescription) {
+      result["SplunkDestinationConfiguration"] = mapNonS3DestinationToCfn(
+        dest.SplunkDestinationDescription
+      );
+    } else if (dest?.HttpEndpointDestinationDescription) {
+      result["HttpEndpointDestinationConfiguration"] = mapHttpEndpointDescriptionToCfn(
+        dest.HttpEndpointDestinationDescription
+      );
     }
+    const enc = desc.DeliveryStreamEncryptionConfiguration;
+    const encOut = {};
+    if (enc?.KeyARN !== void 0)
+      encOut["KeyARN"] = enc.KeyARN;
+    if (enc?.KeyType !== void 0)
+      encOut["KeyType"] = enc.KeyType;
+    result["DeliveryStreamEncryptionConfigurationInput"] = encOut;
     try {
       const tagsResp = await this.getClient().send(
         new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: physicalId })
@@ -35803,32 +35865,23 @@ var FirehoseProvider = class {
    * fire false-positive drift on every run. See the `readCurrentState`
    * docstring for the full rationale per category.
    *
-   * Categories:
-   *  - Non-S3 destination types: shape divergence at scale (Description
-   *    vs Configuration field naming, write-only redacted fields like
-   *    Redshift `Password`); reverse-mapping is feasible per-destination
-   *    but deferred until per-shape user demand emerges.
-   *  - `DeliveryStreamEncryptionConfigurationInput`: input-only shape
-   *    (`KeyARN` + `KeyType`) vs. read-side `DeliveryStreamEncryptionConfiguration`
-   *    (extra status / failure fields); not yet round-tripped.
-   *
-   * S3 / ExtendedS3 inner nested fields (`EncryptionConfiguration` /
-   * `CloudWatchLoggingOptions` / `ProcessingConfiguration` /
-   * `DataFormatConversionConfiguration` / `DynamicPartitioningConfiguration` /
-   * `S3BackupConfiguration`) are now surfaced via `mapS3DescriptionToCfn`
-   * / `mapExtendedS3DescriptionToCfn` and no longer drift-unknown.
+   * Only write-only fields AWS strips from descriptions remain:
+   * Redshift `Password`, HttpEndpoint `EndpointConfiguration.AccessKey`.
+   * State that carries these would otherwise fire drift on every run —
+   * declaring them as drift-unknown is the cleanest fix because there
+   * is no AWS read API to recover their values.
+   *
+   * S3 / ExtendedS3 inner nested fields, non-S3 destination types
+   * (Redshift / Elasticsearch / Amazonopensearchservice / Splunk /
+   * HttpEndpoint / AmazonOpenSearchServerless), and
+   * `DeliveryStreamEncryptionConfigurationInput` are all reverse-mapped
+   * by `readCurrentState` and no longer drift-unknown.
    */
   getDriftUnknownPaths() {
     return [
-      // Non-S3 destinations (drift-unknown until per-destination reverse-map lands)
-      "RedshiftDestinationConfiguration",
-      "ElasticsearchDestinationConfiguration",
-      "AmazonopensearchserviceDestinationConfiguration",
-      "SplunkDestinationConfiguration",
-      "HttpEndpointDestinationConfiguration",
-      "AmazonOpenSearchServerlessDestinationConfiguration",
-      // Encryption input shape (deferred)
-      "DeliveryStreamEncryptionConfigurationInput"
+      // Write-only fields AWS does not return on read — no API workaround.
+      "RedshiftDestinationConfiguration.Password",
+      "HttpEndpointDestinationConfiguration.EndpointConfiguration.AccessKey"
     ];
   }
   async import(input) {
@@ -35956,6 +36009,70 @@ function mapExtendedS3DescriptionToCfn(desc) {
   }
   return out;
 }
+function mapNonS3DestinationToCfn(desc) {
+  const cleaned = pickDefinedDeep(desc);
+  if (!cleaned)
+    return {};
+  if (cleaned["VpcConfigurationDescription"]) {
+    const vpc = { ...cleaned["VpcConfigurationDescription"] };
+    delete vpc["VpcId"];
+    delete cleaned["VpcConfigurationDescription"];
+    if (Object.keys(vpc).length > 0)
+      cleaned["VpcConfiguration"] = vpc;
+  }
+  return cleaned;
+}
+function mapRedshiftDescriptionToCfn(desc) {
+  const out = {};
+  for (const k of [
+    "RoleARN",
+    "ClusterJDBCURL",
+    "CopyCommand",
+    "Username",
+    "RetryOptions",
+    "ProcessingConfiguration",
+    "S3BackupMode",
+    "CloudWatchLoggingOptions",
+    "SecretsManagerConfiguration"
+  ]) {
+    const v = pickDefinedDeep(desc[k]);
+    if (v !== void 0)
+      out[k] = v;
+  }
+  if (desc["S3DestinationDescription"]) {
+    out["S3Configuration"] = mapS3DescriptionToCfn(
+      desc["S3DestinationDescription"]
+    );
+  }
+  if (desc["S3BackupDescription"]) {
+    out["S3BackupConfiguration"] = mapS3DescriptionToCfn(
+      desc["S3BackupDescription"]
+    );
+  }
+  return out;
+}
+function mapHttpEndpointDescriptionToCfn(desc) {
+  const out = {};
+  for (const k of [
+    "BufferingHints",
+    "CloudWatchLoggingOptions",
+    "RequestConfiguration",
+    "ProcessingConfiguration",
+    "RoleARN",
+    "RetryOptions",
+    "SecretsManagerConfiguration"
+  ]) {
+    const v = pickDefinedDeep(desc[k]);
+    if (v !== void 0)
+      out[k] = v;
+  }
+  if (desc["EndpointConfiguration"]) {
+    const endpoint = pickDefinedDeep(desc["EndpointConfiguration"]);
+    if (endpoint !== void 0)
+      out["EndpointConfiguration"] = endpoint;
+  }
+  return out;
+}
 
 // src/provisioning/providers/cloudtrail-provider.ts
 import {
@@ -45093,7 +45210,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.7");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.9");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());