@go-to-k/cdkd 0.55.0 → 0.57.0

package/dist/cli.js

@@ -24059,18 +24059,23 @@ import {
   ApiGatewayV2Client,
   CreateApiCommand,
   DeleteApiCommand,
+  UpdateApiCommand,
   CreateStageCommand as CreateStageCommand2,
   DeleteStageCommand as DeleteStageCommand2,
   GetStageCommand as GetStageCommand2,
+  UpdateStageCommand as UpdateStageCommand2,
   CreateIntegrationCommand,
   DeleteIntegrationCommand,
   GetIntegrationCommand,
+  UpdateIntegrationCommand,
   CreateRouteCommand as CreateRouteCommand2,
   DeleteRouteCommand as DeleteRouteCommand2,
   GetRouteCommand,
+  UpdateRouteCommand,
   CreateAuthorizerCommand as CreateAuthorizerCommand2,
   DeleteAuthorizerCommand as DeleteAuthorizerCommand2,
   GetAuthorizerCommand as GetAuthorizerCommand2,
+  UpdateAuthorizerCommand as UpdateAuthorizerCommand2,
   GetApiCommand,
   GetApisCommand,
   NotFoundException as NotFoundException4
@@ -24145,22 +24150,59 @@ var ApiGatewayV2Provider = class {
     }
   }
   /**
-   * HTTP API resources are treated as immutable by cdkd: the deploy engine
-   * recreates them on property changes via the immutable-property
-   * replacement path. AWS does expose `UpdateApi` / `UpdateRoute` /
-   * `UpdateIntegration` / `UpdateStage` / `UpdateAuthorizer`, but cdkd
-   * does not yet plumb them through. `cdkd drift --revert` surfaces a
-   * clear "use --replace or re-deploy" message instead of silently
-   * no-op'ing the revert.
+   * AWS API Gateway V2 supports in-place updates for every type cdkd
+   * provisions via the matching `Update*Command`. Each command takes the
+   * full Update input shape (NOT JSON Patch — that's the v1 surface);
+   * cdkd builds the input by selecting only the fields that differ
+   * between `previousProperties` and `properties`, so unchanged fields
+   * are not echoed back. The few immutable identifiers (`ProtocolType`
+   * on Api; `StageName` on Stage) are not part of the Update input shape
+   * and are handled by the deploy engine's immutable-property
+   * replacement path.
    */
-  update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
-    return Promise.reject(
-      new ResourceUpdateNotSupportedError(
-        resourceType,
-        logicalId,
-        "API Gateway V2 (HTTP API) resources are recreated on property changes; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
-      )
-    );
+  async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    switch (resourceType) {
+      case "AWS::ApiGatewayV2::Api":
+        return this.updateApi(logicalId, physicalId, resourceType, properties, previousProperties);
+      case "AWS::ApiGatewayV2::Stage":
+        return this.updateStage(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      case "AWS::ApiGatewayV2::Integration":
+        return this.updateIntegration(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      case "AWS::ApiGatewayV2::Route":
+        return this.updateRoute(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      case "AWS::ApiGatewayV2::Authorizer":
+        return this.updateAuthorizer(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      default:
+        throw new ResourceUpdateNotSupportedError(
+          resourceType,
+          logicalId,
+          "unsupported API Gateway V2 resource type for in-place update; re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+        );
+    }
   }
   async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
@@ -24811,6 +24853,312 @@ var ApiGatewayV2Provider = class {
     } while (nextToken);
     return null;
   }
+  // ─── Update implementations ───────────────────────────────────────
+  /**
+   * `UpdateApi` accepts the full Update input shape (not JSON Patch).
+   * Mutable fields cdkd manages: `Name` / `Description` /
+   * `CorsConfiguration`. `ProtocolType` is immutable — the deploy
+   * engine handles changes via the replacement path; we surface a
+   * `ResourceUpdateNotSupportedError` if it ever reaches us anyway.
+   */
+  async updateApi(logicalId, physicalId, resourceType, properties, previousProperties) {
+    if (properties["ProtocolType"] !== void 0 && previousProperties["ProtocolType"] !== void 0 && properties["ProtocolType"] !== previousProperties["ProtocolType"]) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "ProtocolType is immutable on AWS::ApiGatewayV2::Api; re-deploy with cdkd deploy --replace"
+      );
+    }
+    const input = { ApiId: physicalId };
+    let changed = false;
+    if (properties["Name"] !== void 0 && properties["Name"] !== previousProperties["Name"]) {
+      input.Name = properties["Name"];
+      changed = true;
+    }
+    if (properties["Description"] !== void 0 && properties["Description"] !== previousProperties["Description"]) {
+      input.Description = properties["Description"];
+      changed = true;
+    }
+    if (properties["CorsConfiguration"] !== void 0 && !this.deepEqual(properties["CorsConfiguration"], previousProperties["CorsConfiguration"])) {
+      input.CorsConfiguration = properties["CorsConfiguration"];
+      changed = true;
+    }
+    if (!changed) {
+      this.logger.debug(`No mutable Api fields changed for ${logicalId}; skipping UpdateApi`);
+      return { physicalId, wasReplaced: false };
+    }
+    this.logger.debug(`Updating API Gateway V2 Api ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new UpdateApiCommand(input));
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update API Gateway V2 Api ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  /**
+   * `UpdateStage` keys on `(ApiId, StageName)` — `StageName` is the
+   * physicalId and immutable. Mutable fields cdkd manages:
+   * `AutoDeploy` / `Description`. `ApiId` is also immutable (a stage
+   * cannot be moved between APIs).
+   */
+  async updateStage(logicalId, physicalId, resourceType, properties, previousProperties) {
+    const apiId = properties["ApiId"] ?? previousProperties["ApiId"];
+    if (!apiId) {
+      throw new ProvisioningError(
+        `ApiId is required to update Stage ${logicalId}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    if (properties["ApiId"] !== void 0 && previousProperties["ApiId"] !== void 0 && properties["ApiId"] !== previousProperties["ApiId"]) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "ApiId is immutable on AWS::ApiGatewayV2::Stage; re-deploy with cdkd deploy --replace"
+      );
+    }
+    if (properties["StageName"] !== void 0 && previousProperties["StageName"] !== void 0 && properties["StageName"] !== previousProperties["StageName"]) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "StageName is immutable on AWS::ApiGatewayV2::Stage; re-deploy with cdkd deploy --replace"
+      );
+    }
+    const input = { ApiId: apiId, StageName: physicalId };
+    let changed = false;
+    if (properties["AutoDeploy"] !== void 0 && properties["AutoDeploy"] !== previousProperties["AutoDeploy"]) {
+      input.AutoDeploy = properties["AutoDeploy"];
+      changed = true;
+    }
+    if (properties["Description"] !== void 0 && properties["Description"] !== previousProperties["Description"]) {
+      input.Description = properties["Description"];
+      changed = true;
+    }
+    if (!changed) {
+      this.logger.debug(`No mutable Stage fields changed for ${logicalId}; skipping UpdateStage`);
+      return { physicalId, wasReplaced: false };
+    }
+    this.logger.debug(`Updating API Gateway V2 Stage ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new UpdateStageCommand2(input));
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update API Gateway V2 Stage ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  /**
+   * `UpdateIntegration` keys on `(ApiId, IntegrationId)`. Mutable
+   * fields cdkd manages: `IntegrationType` / `IntegrationUri` /
+   * `IntegrationMethod` / `PayloadFormatVersion`.
+   */
+  async updateIntegration(logicalId, physicalId, resourceType, properties, previousProperties) {
+    const apiId = properties["ApiId"] ?? previousProperties["ApiId"];
+    if (!apiId) {
+      throw new ProvisioningError(
+        `ApiId is required to update Integration ${logicalId}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    if (properties["ApiId"] !== void 0 && previousProperties["ApiId"] !== void 0 && properties["ApiId"] !== previousProperties["ApiId"]) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "ApiId is immutable on AWS::ApiGatewayV2::Integration; re-deploy with cdkd deploy --replace"
+      );
+    }
+    const input = { ApiId: apiId, IntegrationId: physicalId };
+    let changed = false;
+    if (properties["IntegrationType"] !== void 0 && properties["IntegrationType"] !== previousProperties["IntegrationType"]) {
+      input.IntegrationType = properties["IntegrationType"];
+      changed = true;
+    }
+    if (properties["IntegrationUri"] !== void 0 && properties["IntegrationUri"] !== previousProperties["IntegrationUri"]) {
+      input.IntegrationUri = properties["IntegrationUri"];
+      changed = true;
+    }
+    if (properties["IntegrationMethod"] !== void 0 && properties["IntegrationMethod"] !== previousProperties["IntegrationMethod"]) {
+      input.IntegrationMethod = properties["IntegrationMethod"];
+      changed = true;
+    }
+    if (properties["PayloadFormatVersion"] !== void 0 && properties["PayloadFormatVersion"] !== previousProperties["PayloadFormatVersion"]) {
+      input.PayloadFormatVersion = properties["PayloadFormatVersion"];
+      changed = true;
+    }
+    if (!changed) {
+      this.logger.debug(
+        `No mutable Integration fields changed for ${logicalId}; skipping UpdateIntegration`
+      );
+      return { physicalId, wasReplaced: false };
+    }
+    this.logger.debug(`Updating API Gateway V2 Integration ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new UpdateIntegrationCommand(input));
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update API Gateway V2 Integration ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  /**
+   * `UpdateRoute` keys on `(ApiId, RouteId)`. Mutable fields cdkd
+   * manages: `RouteKey` / `Target` / `AuthorizationType` /
+   * `AuthorizerId` / `AuthorizationScopes`.
+   */
+  async updateRoute(logicalId, physicalId, resourceType, properties, previousProperties) {
+    const apiId = properties["ApiId"] ?? previousProperties["ApiId"];
+    if (!apiId) {
+      throw new ProvisioningError(
+        `ApiId is required to update Route ${logicalId}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    if (properties["ApiId"] !== void 0 && previousProperties["ApiId"] !== void 0 && properties["ApiId"] !== previousProperties["ApiId"]) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "ApiId is immutable on AWS::ApiGatewayV2::Route; re-deploy with cdkd deploy --replace"
+      );
+    }
+    const input = { ApiId: apiId, RouteId: physicalId };
+    let changed = false;
+    if (properties["RouteKey"] !== void 0 && properties["RouteKey"] !== previousProperties["RouteKey"]) {
+      input.RouteKey = properties["RouteKey"];
+      changed = true;
+    }
+    if (properties["Target"] !== void 0 && properties["Target"] !== previousProperties["Target"]) {
+      input.Target = properties["Target"];
+      changed = true;
+    }
+    if (properties["AuthorizationType"] !== void 0 && properties["AuthorizationType"] !== previousProperties["AuthorizationType"]) {
+      input.AuthorizationType = properties["AuthorizationType"];
+      changed = true;
+    }
+    if (properties["AuthorizerId"] !== void 0 && properties["AuthorizerId"] !== previousProperties["AuthorizerId"]) {
+      input.AuthorizerId = properties["AuthorizerId"];
+      changed = true;
+    }
+    if (properties["AuthorizationScopes"] !== void 0 && !this.deepEqual(properties["AuthorizationScopes"], previousProperties["AuthorizationScopes"])) {
+      input.AuthorizationScopes = properties["AuthorizationScopes"];
+      changed = true;
+    }
+    if (!changed) {
+      this.logger.debug(`No mutable Route fields changed for ${logicalId}; skipping UpdateRoute`);
+      return { physicalId, wasReplaced: false };
+    }
+    this.logger.debug(`Updating API Gateway V2 Route ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new UpdateRouteCommand(input));
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update API Gateway V2 Route ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  /**
+   * `UpdateAuthorizer` keys on `(ApiId, AuthorizerId)`. Mutable fields
+   * cdkd manages: `AuthorizerType` / `Name` / `IdentitySource` /
+   * `JwtConfiguration` / `AuthorizerUri` /
+   * `AuthorizerPayloadFormatVersion`.
+   */
+  async updateAuthorizer(logicalId, physicalId, resourceType, properties, previousProperties) {
+    const apiId = properties["ApiId"] ?? previousProperties["ApiId"];
+    if (!apiId) {
+      throw new ProvisioningError(
+        `ApiId is required to update Authorizer ${logicalId}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    if (properties["ApiId"] !== void 0 && previousProperties["ApiId"] !== void 0 && properties["ApiId"] !== previousProperties["ApiId"]) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "ApiId is immutable on AWS::ApiGatewayV2::Authorizer; re-deploy with cdkd deploy --replace"
+      );
+    }
+    const input = { ApiId: apiId, AuthorizerId: physicalId };
+    let changed = false;
+    if (properties["AuthorizerType"] !== void 0 && properties["AuthorizerType"] !== previousProperties["AuthorizerType"]) {
+      input.AuthorizerType = properties["AuthorizerType"];
+      changed = true;
+    }
+    if (properties["Name"] !== void 0 && properties["Name"] !== previousProperties["Name"]) {
+      input.Name = properties["Name"];
+      changed = true;
+    }
+    if (properties["IdentitySource"] !== void 0) {
+      const next = Array.isArray(properties["IdentitySource"]) ? properties["IdentitySource"] : [properties["IdentitySource"]];
+      const prev = Array.isArray(previousProperties["IdentitySource"]) ? previousProperties["IdentitySource"] : previousProperties["IdentitySource"] !== void 0 ? [previousProperties["IdentitySource"]] : void 0;
+      if (!this.deepEqual(next, prev)) {
+        input.IdentitySource = next;
+        changed = true;
+      }
+    }
+    if (properties["JwtConfiguration"] !== void 0 && !this.deepEqual(properties["JwtConfiguration"], previousProperties["JwtConfiguration"])) {
+      input.JwtConfiguration = properties["JwtConfiguration"];
+      changed = true;
+    }
+    if (properties["AuthorizerUri"] !== void 0 && properties["AuthorizerUri"] !== previousProperties["AuthorizerUri"]) {
+      input.AuthorizerUri = properties["AuthorizerUri"];
+      changed = true;
+    }
+    if (properties["AuthorizerPayloadFormatVersion"] !== void 0 && properties["AuthorizerPayloadFormatVersion"] !== previousProperties["AuthorizerPayloadFormatVersion"]) {
+      input.AuthorizerPayloadFormatVersion = properties["AuthorizerPayloadFormatVersion"];
+      changed = true;
+    }
+    if (!changed) {
+      this.logger.debug(
+        `No mutable Authorizer fields changed for ${logicalId}; skipping UpdateAuthorizer`
+      );
+      return { physicalId, wasReplaced: false };
+    }
+    this.logger.debug(`Updating API Gateway V2 Authorizer ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new UpdateAuthorizerCommand2(input));
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update API Gateway V2 Authorizer ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
   // ─── Helpers ──────────────────────────────────────────────────────
   /**
    * Convert CloudFormation Tags (Array<{Key, Value}>) to SDK Tags (Record<string, string>).
@@ -24824,6 +25172,24 @@ var ApiGatewayV2Provider = class {
     }
     return result;
   }
+  /**
+   * Structural equality used to skip Update calls when an object /
+   * array property is unchanged. Stable JSON serialization is fine
+   * here because the API Gateway V2 sub-shapes (`CorsConfiguration`,
+   * `JwtConfiguration`, scope arrays, identity-source arrays) are
+   * small primitive maps with no key-order semantics on the AWS side.
+   */
+  deepEqual(a, b) {
+    if (a === b)
+      return true;
+    if (a === void 0 || b === void 0)
+      return false;
+    try {
+      return JSON.stringify(a) === JSON.stringify(b);
+    } catch {
+      return false;
+    }
+  }
 };
 
 // src/provisioning/providers/cloudfront-oai-provider.ts
@@ -27493,6 +27859,10 @@ import {
   DeleteLoadBalancerCommand,
   DescribeLoadBalancersCommand as DescribeLoadBalancersCommand2,
   DescribeLoadBalancerAttributesCommand,
+  ModifyLoadBalancerAttributesCommand,
+  SetSubnetsCommand,
+  SetSecurityGroupsCommand,
+  SetIpAddressTypeCommand,
   CreateTargetGroupCommand,
   DeleteTargetGroupCommand,
   ModifyTargetGroupCommand,
@@ -27553,7 +27923,9 @@ var ELBv2Provider = class {
         "DefaultActions",
         "Port",
         "Protocol",
-        "SslPolicy"
+        "SslPolicy",
+        "AlpnPolicy",
+        "MutualAuthentication"
       ])
     ]
   ]);
@@ -27661,7 +28033,6 @@ var ELBv2Provider = class {
       this.logger.debug(`Successfully created LoadBalancer ${logicalId}: ${lb.LoadBalancerArn}`);
       const lbAttributes = properties["LoadBalancerAttributes"];
       if (lbAttributes && lbAttributes.length > 0) {
-        const { ModifyLoadBalancerAttributesCommand } = await import("@aws-sdk/client-elastic-load-balancing-v2");
         await this.getClient().send(
           new ModifyLoadBalancerAttributesCommand({
             LoadBalancerArn: lb.LoadBalancerArn,
@@ -27697,42 +28068,95 @@ var ELBv2Provider = class {
     }
   }
   async updateLoadBalancer(logicalId, physicalId, _resourceType, properties, previousProperties) {
-    const newAttrs = properties["LoadBalancerAttributes"] ?? [];
-    const oldAttrs = previousProperties["LoadBalancerAttributes"] ?? [];
-    const stripAttrs = (p) => {
-      const { LoadBalancerAttributes: _, ...rest } = p;
-      return rest;
+    const handledKeys = /* @__PURE__ */ new Set([
+      "LoadBalancerAttributes",
+      "Subnets",
+      "SubnetMappings",
+      "SecurityGroups",
+      "IpAddressType",
+      "Tags"
+    ]);
+    const stripHandled = (p) => {
+      const out = {};
+      for (const [k, v] of Object.entries(p)) {
+        if (!handledKeys.has(k))
+          out[k] = v;
+      }
+      return out;
     };
-    if (JSON.stringify(stripAttrs(properties)) !== JSON.stringify(stripAttrs(previousProperties))) {
+    if (JSON.stringify(stripHandled(properties)) !== JSON.stringify(stripHandled(previousProperties))) {
       throw new ResourceUpdateNotSupportedError(
         "AWS::ElasticLoadBalancingV2::LoadBalancer",
         logicalId,
-        "ELBv2 LoadBalancer in-place updates are only supported for LoadBalancerAttributes; for Name / Type / Scheme / Subnets / SecurityGroups / IpAddressType / Tags, re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+        "ELBv2 LoadBalancer in-place updates are supported for LoadBalancerAttributes / Subnets / SubnetMappings / SecurityGroups / IpAddressType / Tags only; for Name / Type / Scheme, re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
       );
     }
-    const newMap = new Map(newAttrs.map((a) => [a.Key, a.Value]));
-    const oldMap = new Map(oldAttrs.map((a) => [a.Key, a.Value]));
-    const submitted = [];
-    for (const [k, v] of newMap) {
-      if (oldMap.get(k) !== v)
-        submitted.push({ Key: k, Value: v });
-    }
-    for (const [k] of oldMap) {
-      if (!newMap.has(k))
-        submitted.push({ Key: k, Value: "" });
-    }
-    if (submitted.length > 0) {
-      const { ModifyLoadBalancerAttributesCommand } = await import("@aws-sdk/client-elastic-load-balancing-v2");
+    const newAttrs = properties["LoadBalancerAttributes"] ?? [];
+    const oldAttrs = previousProperties["LoadBalancerAttributes"] ?? [];
+    const newAttrMap = new Map(newAttrs.map((a) => [a.Key, a.Value]));
+    const oldAttrMap = new Map(oldAttrs.map((a) => [a.Key, a.Value]));
+    const submittedAttrs = [];
+    for (const [k, v] of newAttrMap) {
+      if (oldAttrMap.get(k) !== v)
+        submittedAttrs.push({ Key: k, Value: v });
+    }
+    for (const [k] of oldAttrMap) {
+      if (!newAttrMap.has(k))
+        submittedAttrs.push({ Key: k, Value: "" });
+    }
+    if (submittedAttrs.length > 0) {
       await this.getClient().send(
         new ModifyLoadBalancerAttributesCommand({
           LoadBalancerArn: physicalId,
-          Attributes: submitted
+          Attributes: submittedAttrs
         })
       );
       this.logger.debug(
-        `Applied ${submitted.length} LoadBalancerAttributes change(s) for ${logicalId}`
+        `Applied ${submittedAttrs.length} LoadBalancerAttributes change(s) for ${logicalId}`
       );
     }
+    const newSubnets = properties["Subnets"];
+    const oldSubnets = previousProperties["Subnets"];
+    const newMappings = properties["SubnetMappings"];
+    const oldMappings = previousProperties["SubnetMappings"];
+    const subnetsChanged = JSON.stringify(newSubnets) !== JSON.stringify(oldSubnets);
+    const mappingsChanged = JSON.stringify(newMappings) !== JSON.stringify(oldMappings);
+    if (subnetsChanged || mappingsChanged) {
+      await this.getClient().send(
+        new SetSubnetsCommand({
+          LoadBalancerArn: physicalId,
+          ...newMappings && newMappings.length > 0 ? { SubnetMappings: newMappings } : { Subnets: newSubnets }
+        })
+      );
+      this.logger.debug(`Updated Subnets / SubnetMappings for ${logicalId}`);
+    }
+    const newSGs = properties["SecurityGroups"];
+    const oldSGs = previousProperties["SecurityGroups"];
+    if (JSON.stringify(newSGs) !== JSON.stringify(oldSGs)) {
+      await this.getClient().send(
+        new SetSecurityGroupsCommand({
+          LoadBalancerArn: physicalId,
+          SecurityGroups: newSGs ?? []
+        })
+      );
+      this.logger.debug(`Updated SecurityGroups for ${logicalId}`);
+    }
+    const newIpType = properties["IpAddressType"];
+    const oldIpType = previousProperties["IpAddressType"];
+    if (newIpType !== void 0 && newIpType !== oldIpType) {
+      await this.getClient().send(
+        new SetIpAddressTypeCommand({
+          LoadBalancerArn: physicalId,
+          IpAddressType: newIpType
+        })
+      );
+      this.logger.debug(`Updated IpAddressType for ${logicalId}`);
+    }
+    await this.applyTagDiff(
+      physicalId,
+      previousProperties["Tags"],
+      properties["Tags"]
+    );
     return { physicalId, wasReplaced: false };
   }
   async deleteLoadBalancer(logicalId, physicalId, resourceType, context) {
@@ -27904,6 +28328,8 @@ var ELBv2Provider = class {
       const certificates = this.convertCertificates(
         properties["Certificates"]
       );
+      const alpnPolicy = properties["AlpnPolicy"];
+      const mutualAuth = properties["MutualAuthentication"];
       const response = await this.getClient().send(
         new CreateListenerCommand({
           LoadBalancerArn: properties["LoadBalancerArn"],
@@ -27912,6 +28338,8 @@ var ELBv2Provider = class {
           SslPolicy: properties["SslPolicy"],
           DefaultActions: defaultActions ?? [],
           ...certificates && { Certificates: certificates },
+          ...alpnPolicy && alpnPolicy.length > 0 && { AlpnPolicy: alpnPolicy },
+          ...mutualAuth !== void 0 && { MutualAuthentication: mutualAuth },
           ...tags.length > 0 && { Tags: tags }
         })
       );
@@ -27946,6 +28374,8 @@ var ELBv2Provider = class {
       const certificates = this.convertCertificates(
         properties["Certificates"]
       );
+      const alpnPolicy = properties["AlpnPolicy"];
+      const mutualAuth = properties["MutualAuthentication"];
       await this.getClient().send(
         new ModifyListenerCommand({
           ListenerArn: physicalId,
@@ -27953,7 +28383,15 @@ var ELBv2Provider = class {
           Protocol: properties["Protocol"],
           SslPolicy: properties["SslPolicy"],
           ...defaultActions && { DefaultActions: defaultActions },
-          ...certificates && { Certificates: certificates }
+          ...certificates && { Certificates: certificates },
+          // AlpnPolicy is a TLS-listener-only field; only forward it
+          // when the diff actually carries values (CFn template-side it
+          // is an array of one entry). An empty array would be rejected
+          // by AWS on non-TLS listeners.
+          ...alpnPolicy && alpnPolicy.length > 0 && { AlpnPolicy: alpnPolicy },
+          // MutualAuthentication is HTTPS-listener-only. Forward when
+          // the user templated it; AWS will reject on non-HTTPS.
+          ...mutualAuth !== void 0 && { MutualAuthentication: mutualAuth }
         })
       );
       await this.applyTagDiff(
@@ -28240,6 +28678,8 @@ var ELBv2Provider = class {
     result["DefaultActions"] = (listener.DefaultActions ?? []).map(
       (a) => a
     );
+    result["AlpnPolicy"] = listener.AlpnPolicy ?? [];
+    result["MutualAuthentication"] = listener.MutualAuthentication ?? {};
     await this.attachTags(result, physicalId);
     return result;
   }
@@ -45810,7 +46250,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.55.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.57.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());