@go-to-k/cdkd 0.51.9 → 0.52.0

package/dist/cli.js

@@ -13792,10 +13792,15 @@ var SNSTopicProvider = class {
    * `create()`'s behavior of only sending Tags when the template carries
    * them).
    *
-   * `DeliveryStatusLogging` is intentionally omitted: it fans out into
-   * per-protocol attributes (`{Protocol}SuccessFeedbackRoleArn`, etc.) whose
-   * round-trip back to the CFn array shape needs more thought than fits in
-   * this PR.
+   * `DeliveryStatusLogging` is reverse-mapped from per-protocol flat
+   * attributes (`{Protocol}SuccessFeedbackRoleArn` etc.) back to the CFn
+   * array shape `[{Protocol, SuccessFeedbackRoleArn?, SuccessFeedbackSampleRate?,
+   * FailureFeedbackRoleArn?}]`. Walks the known protocol prefix list
+   * (`HTTP` / `HTTPS` / `SQS` / `Lambda` / `Firehose` / `Application`); a
+   * protocol is included in the result iff at least one of its three
+   * sub-attributes is set on the topic. Entries are sorted by `Protocol`
+   * for stable positional compare (AWS does not preserve template order
+   * across `GetTopicAttributes` calls).
    *
    * `Subscription` is omitted because CDK manages it via separate
    * `AWS::SNS::Subscription` resources, not as a Topic property.
@@ -13844,6 +13849,7 @@ var SNSTopicProvider = class {
         }
       }
     }
+    result["DeliveryStatusLogging"] = mapDeliveryStatusLogging(attrs);
     try {
       const tagsResp = await this.snsClient.send(
         new ListTagsForResourceCommand({ ResourceArn: physicalId })
@@ -13858,16 +13864,13 @@ var SNSTopicProvider = class {
     return result;
   }
   /**
-   * `DeliveryStatusLogging` fans out to per-protocol attributes
-   * (`{Protocol}SuccessFeedbackRoleArn` etc.) whose round-trip back to the
-   * CFn array shape is not yet implemented; `Subscription` is managed via
-   * separate `AWS::SNS::Subscription` resources rather than the Topic
-   * itself. Both are absent from `readCurrentState`, so tell the drift
-   * comparator to skip them and avoid the guaranteed false-positive that
-   * would fire on every clean run when the user did template either.
+   * Only `Subscription` remains drift-unknown — CDK manages topic
+   * subscriptions via separate `AWS::SNS::Subscription` resources, so the
+   * inline `Topic.Subscription` property is intentionally not surfaced.
+   * `DeliveryStatusLogging` is now reverse-mapped (see `readCurrentState`).
    */
   getDriftUnknownPaths() {
-    return ["DeliveryStatusLogging", "Subscription"];
+    return ["Subscription"];
   }
   /**
    * Adopt an existing SNS topic into cdkd state.
@@ -13927,6 +13930,33 @@ var SNSTopicProvider = class {
     return null;
   }
 };
+var SNS_DELIVERY_STATUS_PROTOCOLS = [
+  "Application",
+  "Firehose",
+  "HTTP",
+  "HTTPS",
+  "Lambda",
+  "SQS"
+];
+function mapDeliveryStatusLogging(attrs) {
+  const result = [];
+  for (const protocol of SNS_DELIVERY_STATUS_PROTOCOLS) {
+    const success = attrs[`${protocol}SuccessFeedbackRoleArn`];
+    const sample = attrs[`${protocol}SuccessFeedbackSampleRate`];
+    const failure = attrs[`${protocol}FailureFeedbackRoleArn`];
+    if (success === void 0 && sample === void 0 && failure === void 0)
+      continue;
+    const entry = { Protocol: protocol };
+    if (success !== void 0)
+      entry["SuccessFeedbackRoleArn"] = success;
+    if (sample !== void 0)
+      entry["SuccessFeedbackSampleRate"] = sample;
+    if (failure !== void 0)
+      entry["FailureFeedbackRoleArn"] = failure;
+    result.push(entry);
+  }
+  return result;
+}
 
 // src/provisioning/providers/sns-subscription-provider.ts
 import {
@@ -17029,11 +17059,15 @@ var DynamoDBTableProvider = class {
 // src/provisioning/providers/logs-loggroup-provider.ts
 import {
   CreateLogGroupCommand,
+  DeleteIndexPolicyCommand,
   DeleteLogGroupCommand,
   DescribeIndexPoliciesCommand,
   DescribeLogGroupsCommand,
   GetDataProtectionPolicyCommand,
   ListTagsForResourceCommand as ListTagsForResourceCommand2,
+  PutBearerTokenAuthenticationCommand,
+  PutIndexPolicyCommand,
+  PutLogGroupDeletionProtectionCommand,
   PutRetentionPolicyCommand,
   DeleteRetentionPolicyCommand,
   TagResourceCommand as TagResourceCommand5,
@@ -17086,6 +17120,9 @@ var LogsLogGroupProvider = class {
       if (properties["LogGroupClass"]) {
         createParams.logGroupClass = properties["LogGroupClass"];
       }
+      if (properties["DeletionProtectionEnabled"] !== void 0) {
+        createParams.deletionProtectionEnabled = properties["DeletionProtectionEnabled"];
+      }
       if (properties["Tags"]) {
         const cfnTags = properties["Tags"];
         createParams.tags = Object.fromEntries(cfnTags.map((t) => [t.Key, t.Value]));
@@ -17109,6 +17146,30 @@ var LogsLogGroupProvider = class {
           })
         );
       }
+      const fieldIndexPolicies = properties["FieldIndexPolicies"];
+      if (fieldIndexPolicies && fieldIndexPolicies.length > 0) {
+        if (fieldIndexPolicies.length > 1) {
+          this.logger.debug(
+            `Log group ${logicalId} declares ${fieldIndexPolicies.length} FieldIndexPolicies; AWS only supports one log-group-level field index policy. Applying the first.`
+          );
+        }
+        const first = fieldIndexPolicies[0];
+        const policyDocument = typeof first === "string" ? first : JSON.stringify(first);
+        await this.logsClient.send(
+          new PutIndexPolicyCommand({
+            logGroupIdentifier: logGroupName,
+            policyDocument
+          })
+        );
+      }
+      if (properties["BearerTokenAuthenticationEnabled"] !== void 0) {
+        await this.logsClient.send(
+          new PutBearerTokenAuthenticationCommand({
+            logGroupIdentifier: logGroupName,
+            bearerTokenAuthenticationEnabled: properties["BearerTokenAuthenticationEnabled"]
+          })
+        );
+      }
       this.logger.debug(`Successfully created log group ${logicalId}: ${logGroupName}`);
       const arn = await this.buildArn(logGroupName);
       return {
@@ -17141,7 +17202,10 @@ var LogsLogGroupProvider = class {
   /**
    * Update a CloudWatch Logs log group
    *
-   * Only RetentionInDays can be updated. LogGroupName is immutable (requires replacement).
+   * Mutable: `RetentionInDays`, `DataProtectionPolicy`, `Tags`,
+   * `DeletionProtectionEnabled`, `BearerTokenAuthenticationEnabled`,
+   * `FieldIndexPolicies`. `LogGroupName` / `KmsKeyId` / `LogGroupClass`
+   * are immutable on AWS-side and require replacement.
    */
   async update(logicalId, physicalId, _resourceType, properties, previousProperties) {
     this.logger.debug(`Updating log group ${logicalId}: ${physicalId}`);
@@ -17180,6 +17244,70 @@ var LogsLogGroupProvider = class {
         );
       }
     }
+    if (properties["DeletionProtectionEnabled"] !== previousProperties["DeletionProtectionEnabled"]) {
+      const next = properties["DeletionProtectionEnabled"];
+      if (next !== void 0) {
+        await this.logsClient.send(
+          new PutLogGroupDeletionProtectionCommand({
+            logGroupIdentifier: physicalId,
+            deletionProtectionEnabled: next
+          })
+        );
+      } else {
+        await this.logsClient.send(
+          new PutLogGroupDeletionProtectionCommand({
+            logGroupIdentifier: physicalId,
+            deletionProtectionEnabled: false
+          })
+        );
+      }
+    }
+    if (properties["BearerTokenAuthenticationEnabled"] !== previousProperties["BearerTokenAuthenticationEnabled"]) {
+      const next = properties["BearerTokenAuthenticationEnabled"];
+      if (next !== void 0) {
+        await this.logsClient.send(
+          new PutBearerTokenAuthenticationCommand({
+            logGroupIdentifier: physicalId,
+            bearerTokenAuthenticationEnabled: next
+          })
+        );
+      } else {
+        await this.logsClient.send(
+          new PutBearerTokenAuthenticationCommand({
+            logGroupIdentifier: physicalId,
+            bearerTokenAuthenticationEnabled: false
+          })
+        );
+      }
+    }
+    const newFieldIndex = properties["FieldIndexPolicies"];
+    const oldFieldIndex = previousProperties["FieldIndexPolicies"];
+    if (JSON.stringify(newFieldIndex) !== JSON.stringify(oldFieldIndex)) {
+      if (newFieldIndex && newFieldIndex.length > 0) {
+        if (newFieldIndex.length > 1) {
+          this.logger.debug(
+            `Log group ${physicalId} declares ${newFieldIndex.length} FieldIndexPolicies; AWS only supports one log-group-level field index policy. Applying the first.`
+          );
+        }
+        const first = newFieldIndex[0];
+        const policyDocument = typeof first === "string" ? first : JSON.stringify(first);
+        await this.logsClient.send(
+          new PutIndexPolicyCommand({
+            logGroupIdentifier: physicalId,
+            policyDocument
+          })
+        );
+      } else {
+        try {
+          await this.logsClient.send(
+            new DeleteIndexPolicyCommand({ logGroupIdentifier: physicalId })
+          );
+        } catch (err) {
+          if (!(err instanceof ResourceNotFoundException7))
+            throw err;
+        }
+      }
+    }
     const newTags = properties["Tags"];
     const oldTags = previousProperties["Tags"];
     if (JSON.stringify(newTags) !== JSON.stringify(oldTags)) {
@@ -17296,14 +17424,15 @@ var LogsLogGroupProvider = class {
    * `AWS::Logs::ResourcePolicy` resource type — account-wide, not
    * per-log-group).
    *
-   * Known limitation: cdkd's `create()` / `update()` flows do NOT yet
-   * apply `FieldIndexPolicies` / `DeletionProtectionEnabled` /
-   * `BearerTokenAuthenticationEnabled` — they're in `handledProperties`
-   * to prevent CC API fallback but no actual `PutIndexPolicy` /
-   * `PutLogGroupDeletionProtection` / `PutBearerTokenAuthentication`
-   * calls fire. Surfacing these in `readCurrentState` means a user
-   * who templates them will see drift on the first run; a follow-up
-   * needs to wire the create/update flow.
+   * Write-side coverage: `FieldIndexPolicies` is applied via
+   * `PutIndexPolicy` (CloudWatch Logs allows at most one log-group-level
+   * field index policy at a time, so the CFn array is effectively 0-or-1
+   * — the first entry is applied and a debug log notes any additional
+   * entries are ignored). `DeletionProtectionEnabled` is forwarded as
+   * part of `CreateLogGroup` and updated via
+   * `PutLogGroupDeletionProtection`. `BearerTokenAuthenticationEnabled`
+   * is applied via `PutBearerTokenAuthentication` after the log group
+   * exists (it is not part of `CreateLogGroupRequest`).
    *
    * Tags are read via `ListTagsForResource` (using the log-group ARN from
    * the same `DescribeLogGroups` response). CDK's `aws:*` auto-tags are
@@ -33961,10 +34090,10 @@ var KMSProvider = class {
    * Dispatches by resource type:
    *   - `AWS::KMS::Key` → `DescribeKey`. Surfaces `Description`, `KeySpec`,
    *     `KeyUsage`, `Enabled`, `MultiRegion`, `Origin`. `KeyPolicy` is
-   *     intentionally NOT retrieved — `GetKeyPolicy` is a separate call
-   *     and the policy body needs JSON parsing for comparison; deferred
-   *     to a follow-up. `EnableKeyRotation` / `RotationPeriodInDays`
-   *     would require `GetKeyRotationStatus`; also deferred.
+   *     additionally retrieved via `GetKeyPolicy` (URL-decoded JSON-parsed)
+   *     and `EnableKeyRotation` / `RotationPeriodInDays` via
+   *     `GetKeyRotationStatus` (Class 1 discriminator-gated on `KeySpec`
+   *     since asymmetric keys reject the call).
    *   - `AWS::KMS::Alias` → `ListAliases` filtered to the alias name.
    *     Surfaces `AliasName`, `TargetKeyId`. `ListAliases` is paginated
    *     since there's no direct "describe one alias" API.
@@ -45210,7 +45339,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.9");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.52.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());