@go-to-k/cdkd 0.52.0 → 0.53.0

package/dist/cli.js

@@ -31673,8 +31673,10 @@ var ElastiCacheProvider = class {
 import {
   ServiceDiscoveryClient,
   CreatePrivateDnsNamespaceCommand,
+  UpdatePrivateDnsNamespaceCommand,
   DeleteNamespaceCommand,
   CreateServiceCommand as CreateServiceCommand2,
+  UpdateServiceCommand as UpdateServiceCommand2,
   DeleteServiceCommand as DeleteServiceCommand2,
   GetNamespaceCommand,
   GetOperationCommand,
@@ -31736,12 +31738,18 @@ var ServiceDiscoveryProvider = class {
         );
     }
   }
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
+  update(logicalId, physicalId, resourceType, properties, previousProperties) {
     switch (resourceType) {
       case "AWS::ServiceDiscovery::PrivateDnsNamespace":
-        return this.updateNamespace(logicalId, physicalId);
+        return this.updateNamespace(logicalId, physicalId, resourceType, properties);
       case "AWS::ServiceDiscovery::Service":
-        return this.updateService(logicalId, physicalId);
+        return this.updateService(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -31824,14 +31832,66 @@ var ServiceDiscoveryProvider = class {
       );
     }
   }
-  updateNamespace(logicalId, _physicalId) {
-    return Promise.reject(
-      new ResourceUpdateNotSupportedError(
-        "AWS::ServiceDiscovery::PrivateDnsNamespace",
+  /**
+   * Update a private DNS namespace.
+   *
+   * AWS exposes `UpdatePrivateDnsNamespace` for two mutable surfaces:
+   *  - `Description`
+   *  - `Properties.DnsProperties.SOA.TTL`
+   *
+   * `Name` and `Vpc` are immutable; the deploy engine's
+   * replacement-detection layer routes those through DELETE+CREATE
+   * before this method is ever called, so we do not validate them here.
+   *
+   * Empty-string Description is intentionally allowed through (`!== undefined`
+   * gate, not truthy) so `cdkd drift --revert` can clear a console-side ADD.
+   */
+  async updateNamespace(logicalId, physicalId, resourceType, properties) {
+    this.logger.debug(`Updating private DNS namespace ${logicalId}: ${physicalId}`);
+    const client = this.getClient();
+    const namespaceChange = {};
+    if (properties["Description"] !== void 0) {
+      namespaceChange.Description = properties["Description"];
+    }
+    const propsBag = properties["Properties"];
+    const dnsProps = propsBag?.["DnsProperties"];
+    const soa = dnsProps?.["SOA"];
+    if (soa?.TTL !== void 0) {
+      namespaceChange.Properties = {
+        DnsProperties: {
+          SOA: { TTL: Number(soa.TTL) }
+        }
+      };
+    }
+    if (Object.keys(namespaceChange).length === 0) {
+      this.logger.debug(`No mutable diff for PrivateDnsNamespace ${logicalId}, skipping update`);
+      return { physicalId, wasReplaced: false };
+    }
+    try {
+      const response = await client.send(
+        new UpdatePrivateDnsNamespaceCommand({
+          Id: physicalId,
+          Namespace: namespaceChange
+        })
+      );
+      const operationId = response.OperationId;
+      if (operationId) {
+        await this.pollOperation(operationId, logicalId, resourceType);
+      }
+      this.logger.debug(`Successfully updated private DNS namespace ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update private DNS namespace ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
         logicalId,
-        "PrivateDnsNamespace updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-      )
-    );
+        physicalId,
+        cause
+      );
+    }
   }
   async deleteNamespace(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting private DNS namespace ${logicalId}: ${physicalId}`);
@@ -31926,14 +31986,69 @@ var ServiceDiscoveryProvider = class {
       );
     }
   }
-  updateService(logicalId, _physicalId) {
-    return Promise.reject(
-      new ResourceUpdateNotSupportedError(
-        "AWS::ServiceDiscovery::Service",
+  /**
+   * Update a service discovery service.
+   *
+   * Per AWS docs, `UpdateService` accepts a `ServiceChange` body with
+   * `Description`, `DnsConfig.DnsRecords` (TTLs etc. — `NamespaceId` /
+   * `RoutingPolicy` are not part of the change shape and are immutable
+   * here), and `HealthCheckConfig`. `Name` / `NamespaceId` /
+   * `HealthCheckCustomConfig` are immutable on UpdateService — the
+   * replacement-detection layer routes those through DELETE+CREATE.
+   *
+   * Per AWS docs, omitting `DnsRecords` / `HealthCheckConfig` from the
+   * request DELETES that configuration. To preserve fields cdkd is not
+   * actively reverting, we always echo the AWS-current value when the
+   * caller did not supply a change. `cdkd drift --revert` passes the
+   * full AWS-current snapshot as `properties`, so the round-trip is
+   * value-preserving.
+   */
+  async updateService(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    this.logger.debug(`Updating service discovery service ${logicalId}: ${physicalId}`);
+    const client = this.getClient();
+    const serviceChange = {};
+    if (properties["Description"] !== void 0) {
+      serviceChange.Description = properties["Description"];
+    }
+    const dnsConfig = properties["DnsConfig"];
+    if (dnsConfig?.DnsRecords !== void 0) {
+      const change = { DnsRecords: dnsConfig.DnsRecords };
+      serviceChange.DnsConfig = change;
+    }
+    if (properties["HealthCheckConfig"] !== void 0) {
+      serviceChange.HealthCheckConfig = properties["HealthCheckConfig"];
+    }
+    if (Object.keys(serviceChange).length === 0) {
+      this.logger.debug(
+        `No mutable diff for ServiceDiscovery Service ${logicalId}, skipping update`
+      );
+      return { physicalId, wasReplaced: false };
+    }
+    try {
+      const response = await client.send(
+        new UpdateServiceCommand2({
+          Id: physicalId,
+          Service: serviceChange
+        })
+      );
+      const operationId = response.OperationId;
+      if (operationId) {
+        await this.pollOperation(operationId, logicalId, resourceType);
+      }
+      this.logger.debug(`Successfully updated service discovery service ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update service discovery service ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
         logicalId,
-        "ServiceDiscovery Service updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-      )
-    );
+        physicalId,
+        cause
+      );
+    }
   }
   async deleteService(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting service discovery service ${logicalId}: ${physicalId}`);
@@ -33020,6 +33135,7 @@ var AppSyncProvider = class {
 import {
   GlueClient,
   CreateDatabaseCommand,
+  UpdateDatabaseCommand,
   DeleteDatabaseCommand,
   CreateTableCommand as CreateTableCommand2,
   UpdateTableCommand,
@@ -33066,11 +33182,7 @@ var GlueProvider = class {
   async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
     switch (resourceType) {
       case "AWS::Glue::Database":
-        throw new ResourceUpdateNotSupportedError(
-          resourceType,
-          logicalId,
-          "Glue Database updates are not yet implemented in cdkd; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-        );
+        return this.updateDatabase(logicalId, physicalId, resourceType, properties);
       case "AWS::Glue::Table":
         return this.updateTable(logicalId, physicalId, resourceType, properties);
       default:
@@ -33121,12 +33233,7 @@ var GlueProvider = class {
       await this.getClient().send(
         new CreateDatabaseCommand({
           CatalogId: catalogId,
-          DatabaseInput: {
-            Name: databaseName,
-            Description: databaseInput["Description"],
-            LocationUri: databaseInput["LocationUri"],
-            Parameters: databaseInput["Parameters"]
-          }
+          DatabaseInput: this.buildDatabaseInput(databaseInput, databaseName)
         })
       );
       this.logger.debug(`Successfully created Glue Database ${logicalId}: ${databaseName}`);
@@ -33145,6 +33252,42 @@ var GlueProvider = class {
       );
     }
   }
+  async updateDatabase(logicalId, physicalId, resourceType, properties) {
+    this.logger.debug(`Updating Glue Database ${logicalId}: ${physicalId}`);
+    const databaseInput = properties["DatabaseInput"];
+    if (!databaseInput) {
+      throw new ProvisioningError(
+        `DatabaseInput is required for Glue Database update ${logicalId}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    const catalogId = properties["CatalogId"];
+    try {
+      await this.getClient().send(
+        new UpdateDatabaseCommand({
+          ...catalogId !== void 0 && { CatalogId: catalogId },
+          Name: physicalId,
+          DatabaseInput: this.buildDatabaseInput(databaseInput, physicalId)
+        })
+      );
+      this.logger.debug(`Successfully updated Glue Database ${logicalId}`);
+      return {
+        physicalId,
+        wasReplaced: false
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Glue Database ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
   async deleteDatabase(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Glue Database ${logicalId}: ${physicalId}`);
     try {
@@ -33316,6 +33459,31 @@ var GlueProvider = class {
     }
   }
   // ─── Helpers ───────────────────────────────────────────────────────
+  /**
+   * Build DatabaseInput for Glue API from CFn template properties.
+   *
+   * Used by both `createDatabase` and `updateDatabase` so the same
+   * field-by-field shape is sent on both paths. Optional fields use
+   * `!== undefined` gates (per `feedback_update_optional_field_undefined_check.md`)
+   * so empty-string Description, empty Parameters map, etc. reach AWS
+   * intact — `cdkd drift --revert` relies on this to clear console-side
+   * additions.
+   */
+  buildDatabaseInput(databaseInput, fallbackName) {
+    const result = {
+      Name: databaseInput["Name"] ?? fallbackName
+    };
+    if (databaseInput["Description"] !== void 0) {
+      result.Description = databaseInput["Description"];
+    }
+    if (databaseInput["LocationUri"] !== void 0) {
+      result.LocationUri = databaseInput["LocationUri"];
+    }
+    if (databaseInput["Parameters"] !== void 0) {
+      result.Parameters = databaseInput["Parameters"];
+    }
+    return result;
+  }
   /**
    * Build TableInput for Glue API from CFn template properties
    */
@@ -34781,10 +34949,12 @@ var KinesisStreamProvider = class {
 import {
   EFSClient,
   CreateFileSystemCommand,
+  UpdateFileSystemCommand,
   DeleteFileSystemCommand,
   CreateMountTargetCommand,
   DeleteMountTargetCommand,
   DescribeMountTargetsCommand,
+  ModifyMountTargetSecurityGroupsCommand,
   CreateAccessPointCommand,
   DeleteAccessPointCommand,
   DescribeFileSystemsCommand,
@@ -34842,29 +35012,122 @@ var EFSProvider = class {
     }
   }
   /**
-   * EFS resources are treated as immutable by cdkd's `update()`. The deploy
-   * engine recreates them on property changes via immutable-property
-   * detection. (AWS does expose `UpdateFileSystem` for ThroughputMode and
-   * `ModifyMountTargetSecurityGroups` for mount-target SGs — those are
-   * deferred to a follow-up PR.) `cdkd drift --revert` surfaces a clear
-   * "use --replace or re-deploy" message instead of silently no-op'ing.
+   * Mutable surfaces by resource type:
+   *  - `AWS::EFS::FileSystem` → `UpdateFileSystem` (ThroughputMode,
+   *    ProvisionedThroughputInMibps). Other property changes
+   *    (Encrypted / KmsKeyId / PerformanceMode / etc.) are routed
+   *    through DELETE+CREATE by the replacement-detection layer; if a
+   *    diff somehow includes them, defensively reject.
+   *  - `AWS::EFS::MountTarget` → `ModifyMountTargetSecurityGroups`
+   *    (SecurityGroups only). IpAddress / SubnetId / FileSystemId are
+   *    immutable.
+   *  - `AWS::EFS::AccessPoint` → no mutable surface; AWS recreates on
+   *    every change. Reject so `cdkd drift --revert` surfaces a clear
+   *    "use --replace" hint.
    */
-  update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-    if (resourceType !== "AWS::EFS::FileSystem" && resourceType !== "AWS::EFS::MountTarget" && resourceType !== "AWS::EFS::AccessPoint") {
+  update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    switch (resourceType) {
+      case "AWS::EFS::FileSystem":
+        return this.updateFileSystem(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      case "AWS::EFS::MountTarget":
+        return this.updateMountTarget(logicalId, physicalId, resourceType, properties);
+      case "AWS::EFS::AccessPoint":
+        return Promise.reject(
+          new ResourceUpdateNotSupportedError(
+            resourceType,
+            logicalId,
+            "EFS AccessPoint is recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+          )
+        );
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+    }
+  }
+  async updateFileSystem(logicalId, physicalId, resourceType, properties, previousProperties) {
+    const immutableKeys = ["Encrypted", "KmsKeyId", "PerformanceMode"];
+    for (const key of immutableKeys) {
+      const next = properties[key];
+      const prev = previousProperties[key];
+      if (next !== void 0 && prev !== void 0 && JSON.stringify(next) !== JSON.stringify(prev)) {
+        throw new ResourceUpdateNotSupportedError(
+          resourceType,
+          logicalId,
+          `EFS FileSystem ${key} is immutable; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack`
+        );
+      }
+    }
+    const newThroughputMode = properties["ThroughputMode"];
+    const newProvisioned = properties["ProvisionedThroughputInMibps"];
+    const oldThroughputMode = previousProperties["ThroughputMode"];
+    const oldProvisioned = previousProperties["ProvisionedThroughputInMibps"];
+    const throughputModeChanged = newThroughputMode !== void 0 && newThroughputMode !== oldThroughputMode;
+    const provisionedChanged = newProvisioned !== void 0 && newProvisioned !== oldProvisioned;
+    if (!throughputModeChanged && !provisionedChanged) {
+      this.logger.debug(`No mutable diff for EFS FileSystem ${logicalId}, skipping update`);
+      return { physicalId, wasReplaced: false };
+    }
+    this.logger.debug(`Updating EFS FileSystem ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(
+        new UpdateFileSystemCommand({
+          FileSystemId: physicalId,
+          ...throughputModeChanged && { ThroughputMode: newThroughputMode },
+          ...provisionedChanged && { ProvisionedThroughputInMibps: newProvisioned }
+        })
+      );
+      await this.waitForFileSystemAvailable(physicalId, logicalId, resourceType);
+      this.logger.debug(`Successfully updated EFS FileSystem ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Unsupported resource type: ${resourceType}`,
+        `Failed to update EFS FileSystem ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
-        physicalId
+        physicalId,
+        cause
       );
     }
-    return Promise.reject(
-      new ResourceUpdateNotSupportedError(
+  }
+  async updateMountTarget(logicalId, physicalId, resourceType, properties) {
+    this.logger.debug(`Updating EFS MountTarget ${logicalId}: ${physicalId}`);
+    const securityGroups = properties["SecurityGroups"];
+    if (securityGroups === void 0) {
+      this.logger.debug(`No mutable diff for EFS MountTarget ${logicalId}, skipping update`);
+      return { physicalId, wasReplaced: false };
+    }
+    try {
+      await this.getClient().send(
+        new ModifyMountTargetSecurityGroupsCommand({
+          MountTargetId: physicalId,
+          SecurityGroups: securityGroups
+        })
+      );
+      this.logger.debug(`Successfully updated EFS MountTarget ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update EFS MountTarget ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
-        "EFS resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-      )
-    );
+        physicalId,
+        cause
+      );
+    }
   }
   async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
@@ -45339,7 +45602,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.52.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.53.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());