@go-to-k/cdkd 0.51.8 → 0.51.10

package/dist/cli.js

@@ -13792,10 +13792,15 @@ var SNSTopicProvider = class {
    * `create()`'s behavior of only sending Tags when the template carries
    * them).
    *
-   * `DeliveryStatusLogging` is intentionally omitted: it fans out into
-   * per-protocol attributes (`{Protocol}SuccessFeedbackRoleArn`, etc.) whose
-   * round-trip back to the CFn array shape needs more thought than fits in
-   * this PR.
+   * `DeliveryStatusLogging` is reverse-mapped from per-protocol flat
+   * attributes (`{Protocol}SuccessFeedbackRoleArn` etc.) back to the CFn
+   * array shape `[{Protocol, SuccessFeedbackRoleArn?, SuccessFeedbackSampleRate?,
+   * FailureFeedbackRoleArn?}]`. Walks the known protocol prefix list
+   * (`HTTP` / `HTTPS` / `SQS` / `Lambda` / `Firehose` / `Application`); a
+   * protocol is included in the result iff at least one of its three
+   * sub-attributes is set on the topic. Entries are sorted by `Protocol`
+   * for stable positional compare (AWS does not preserve template order
+   * across `GetTopicAttributes` calls).
    *
    * `Subscription` is omitted because CDK manages it via separate
    * `AWS::SNS::Subscription` resources, not as a Topic property.
@@ -13844,6 +13849,7 @@ var SNSTopicProvider = class {
         }
       }
     }
+    result["DeliveryStatusLogging"] = mapDeliveryStatusLogging(attrs);
     try {
       const tagsResp = await this.snsClient.send(
         new ListTagsForResourceCommand({ ResourceArn: physicalId })
@@ -13858,16 +13864,13 @@ var SNSTopicProvider = class {
     return result;
   }
   /**
-   * `DeliveryStatusLogging` fans out to per-protocol attributes
-   * (`{Protocol}SuccessFeedbackRoleArn` etc.) whose round-trip back to the
-   * CFn array shape is not yet implemented; `Subscription` is managed via
-   * separate `AWS::SNS::Subscription` resources rather than the Topic
-   * itself. Both are absent from `readCurrentState`, so tell the drift
-   * comparator to skip them and avoid the guaranteed false-positive that
-   * would fire on every clean run when the user did template either.
+   * Only `Subscription` remains drift-unknown — CDK manages topic
+   * subscriptions via separate `AWS::SNS::Subscription` resources, so the
+   * inline `Topic.Subscription` property is intentionally not surfaced.
+   * `DeliveryStatusLogging` is now reverse-mapped (see `readCurrentState`).
    */
   getDriftUnknownPaths() {
-    return ["DeliveryStatusLogging", "Subscription"];
+    return ["Subscription"];
   }
   /**
    * Adopt an existing SNS topic into cdkd state.
@@ -13927,6 +13930,33 @@ var SNSTopicProvider = class {
     return null;
   }
 };
+var SNS_DELIVERY_STATUS_PROTOCOLS = [
+  "Application",
+  "Firehose",
+  "HTTP",
+  "HTTPS",
+  "Lambda",
+  "SQS"
+];
+function mapDeliveryStatusLogging(attrs) {
+  const result = [];
+  for (const protocol of SNS_DELIVERY_STATUS_PROTOCOLS) {
+    const success = attrs[`${protocol}SuccessFeedbackRoleArn`];
+    const sample = attrs[`${protocol}SuccessFeedbackSampleRate`];
+    const failure = attrs[`${protocol}FailureFeedbackRoleArn`];
+    if (success === void 0 && sample === void 0 && failure === void 0)
+      continue;
+    const entry = { Protocol: protocol };
+    if (success !== void 0)
+      entry["SuccessFeedbackRoleArn"] = success;
+    if (sample !== void 0)
+      entry["SuccessFeedbackSampleRate"] = sample;
+    if (failure !== void 0)
+      entry["FailureFeedbackRoleArn"] = failure;
+    result.push(entry);
+  }
+  return result;
+}
 
 // src/provisioning/providers/sns-subscription-provider.ts
 import {
@@ -19471,7 +19501,8 @@ import {
   DescribeNetworkAclsCommand,
   DescribeNetworkInterfacesCommand as DescribeNetworkInterfacesCommand2,
   DeleteNetworkInterfaceCommand as DeleteNetworkInterfaceCommand2,
-  DescribeVolumesCommand
+  DescribeVolumesCommand,
+  DescribeInstanceAttributeCommand
 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var EC2Provider = class {
@@ -21761,12 +21792,14 @@ var EC2Provider = class {
    *    `(DeviceName, Ebs.VolumeId, Ebs.DeleteOnTermination)`; cdkd
    *    additionally calls `DescribeVolumes` on the attached volume ids to
    *    surface `VolumeType` / `VolumeSize` / `Iops` / `Throughput` /
-   *    `Encrypted` / `KmsKeyId` / `SnapshotId`. The DescribeVolumes call
-   *    is best-effort — a permissions gap or other failure falls back to
-   *    the partial shape (DeleteOnTermination only). All arrays / scalars
-   *    that map to user-controllable CFn properties are always emitted
-   *    (even as `[]` or default scalar) so the v3 `observedProperties`
-   *    baseline catches console-side ADDs.
+   *    `Encrypted` / `KmsKeyId` / `SnapshotId`. `DisableApiTermination`
+   *    is recovered via a separate `DescribeInstanceAttribute` call (the
+   *    `DescribeInstances` response does not include it). Both extra
+   *    calls are best-effort — a permissions gap or other failure falls
+   *    back to omitting the key. All arrays / scalars that map to
+   *    user-controllable CFn properties are always emitted (even as `[]`
+   *    or default scalar) so the v3 `observedProperties` baseline
+   *    catches console-side ADDs.
    *  - **AWS::EC2::NetworkAcl**: `DescribeNetworkAcls` for `VpcId`.
    *
    * Skipped (return `undefined`, falls through to the comparator's
@@ -22037,6 +22070,21 @@ var EC2Provider = class {
     }
     result["BlockDeviceMappings"] = blockMappings;
     result["Tags"] = normalizeAwsTagsToCfn(instance.Tags);
+    try {
+      const attrResp = await this.ec2Client.send(
+        new DescribeInstanceAttributeCommand({
+          InstanceId: physicalId,
+          Attribute: "disableApiTermination"
+        })
+      );
+      if (attrResp.DisableApiTermination?.Value !== void 0) {
+        result["DisableApiTermination"] = attrResp.DisableApiTermination.Value;
+      }
+    } catch (err) {
+      this.logger.debug(
+        `DescribeInstanceAttribute(disableApiTermination, ${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   async readNetworkAclCurrentState(physicalId) {
@@ -35737,10 +35785,14 @@ var FirehoseProvider = class {
    * from `VpcConfigurationDescription`. Write-only fields AWS strips
    * from descriptions (`RedshiftDestinationConfiguration.Password`,
    * `HttpEndpointDestinationConfiguration.EndpointConfiguration.AccessKey`)
-   * stay drift-unknown via `getDriftUnknownPaths`.
-   * `DeliveryStreamEncryptionConfigurationInput` is also still
-   * drift-unknown (separate `Get*` call needed for the read-side
-   * `DeliveryStreamEncryptionConfiguration`).
+   * stay drift-unknown via `getDriftUnknownPaths` — no AWS API recovers them.
+   *
+   * `DeliveryStreamEncryptionConfigurationInput` is also surfaced. AWS
+   * returns the read-side shape `DeliveryStreamEncryptionConfiguration`
+   * (with extra `Status` / `FailureDescription` fields); we reverse-map
+   * to the CFn input shape (`KeyARN` + `KeyType`) and always emit a
+   * `{}` placeholder so the v3 baseline catches console-side encryption
+   * enables on a previously-default stream.
    *
    * Tags are surfaced via a follow-up `ListTagsForDeliveryStream` call
    * with `aws:*` filtered out and always emitted as `[]` placeholder when
@@ -35814,6 +35866,13 @@ var FirehoseProvider = class {
         dest.HttpEndpointDestinationDescription
       );
     }
+    const enc = desc.DeliveryStreamEncryptionConfiguration;
+    const encOut = {};
+    if (enc?.KeyARN !== void 0)
+      encOut["KeyARN"] = enc.KeyARN;
+    if (enc?.KeyType !== void 0)
+      encOut["KeyType"] = enc.KeyType;
+    result["DeliveryStreamEncryptionConfigurationInput"] = encOut;
     try {
       const tagsResp = await this.getClient().send(
         new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: physicalId })
@@ -35836,30 +35895,23 @@ var FirehoseProvider = class {
    * fire false-positive drift on every run. See the `readCurrentState`
    * docstring for the full rationale per category.
    *
-   * Categories:
-   *  - Write-only fields AWS strips from descriptions: Redshift
-   *    `Password`, HttpEndpoint `EndpointConfiguration.AccessKey`. State
-   *    that carries these fires drift on every run otherwise; declaring
-   *    them as drift-unknown is the cleanest fix.
-   *  - `DeliveryStreamEncryptionConfigurationInput`: input-only shape
-   *    (`KeyARN` + `KeyType`) vs. read-side `DeliveryStreamEncryptionConfiguration`
-   *    (extra status / failure fields); not yet round-tripped.
+   * Only write-only fields AWS strips from descriptions remain:
+   * Redshift `Password`, HttpEndpoint `EndpointConfiguration.AccessKey`.
+   * State that carries these would otherwise fire drift on every run —
+   * declaring them as drift-unknown is the cleanest fix because there
+   * is no AWS read API to recover their values.
    *
-   * S3 / ExtendedS3 inner nested fields and non-S3 destination types
+   * S3 / ExtendedS3 inner nested fields, non-S3 destination types
    * (Redshift / Elasticsearch / Amazonopensearchservice / Splunk /
-   * HttpEndpoint / AmazonOpenSearchServerless) are now reverse-mapped
-   * via `mapS3DescriptionToCfn` / `mapExtendedS3DescriptionToCfn` /
-   * `mapNonS3DestinationToCfn` / `mapRedshiftDescriptionToCfn` /
-   * `mapHttpEndpointDescriptionToCfn` and no longer drift-unknown at the
-   * top level.
+   * HttpEndpoint / AmazonOpenSearchServerless), and
+   * `DeliveryStreamEncryptionConfigurationInput` are all reverse-mapped
+   * by `readCurrentState` and no longer drift-unknown.
    */
   getDriftUnknownPaths() {
     return [
-      // Write-only fields AWS does not return on read.
+      // Write-only fields AWS does not return on read — no API workaround.
       "RedshiftDestinationConfiguration.Password",
-      "HttpEndpointDestinationConfiguration.EndpointConfiguration.AccessKey",
-      // Encryption input shape (deferred — separate Get* call needed).
-      "DeliveryStreamEncryptionConfigurationInput"
+      "HttpEndpointDestinationConfiguration.EndpointConfiguration.AccessKey"
     ];
   }
   async import(input) {
@@ -45188,7 +45240,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.8");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.10");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());