@go-to-k/cdkd 0.56.0 → 0.57.1

package/dist/cli.js

@@ -13565,7 +13565,7 @@ var SNSTopicProvider = class {
       if (properties["DeliveryStatusLogging"]) {
         const loggingConfigs = properties["DeliveryStatusLogging"];
         for (const config of loggingConfigs) {
-          const protocol = config["Protocol"];
+          const protocol = normalizeDeliveryStatusProtocolOrThrow(config["Protocol"], logicalId);
           if (config["SuccessFeedbackRoleArn"]) {
             await this.snsClient.send(
               new SetTopicAttributesCommand({
@@ -13658,7 +13658,7 @@ var SNSTopicProvider = class {
     if (JSON.stringify(properties["DeliveryStatusLogging"]) !== JSON.stringify(previousProperties["DeliveryStatusLogging"])) {
       const loggingConfigs = properties["DeliveryStatusLogging"] || [];
       for (const config of loggingConfigs) {
-        const protocol = config["Protocol"];
+        const protocol = normalizeDeliveryStatusProtocolOrThrow(config["Protocol"], logicalId);
         if (config["SuccessFeedbackRoleArn"]) {
           await this.snsClient.send(
             new SetTopicAttributesCommand({
@@ -13798,16 +13798,22 @@ var SNSTopicProvider = class {
    * FailureFeedbackRoleArn?}]`. Walks the known protocol prefix list
    * (`HTTP` / `HTTPS` / `SQS` / `Lambda` / `Firehose` / `Application`); a
    * protocol is included in the result iff at least one of its three
-   * sub-attributes is set on the topic. Entries are sorted by `Protocol`
-   * for stable positional compare (AWS does not preserve template order
-   * across `GetTopicAttributes` calls).
+   * sub-attributes is set on the topic. Entries are sorted by canonical
+   * PascalCase `Protocol` for stable positional compare (AWS does not
+   * preserve template order across `GetTopicAttributes` calls).
+   *
+   * The emitted `Protocol` value preserves state's case when known
+   * (CDK templates emit lowercase `'lambda'` / `'sqs'` / ...; AWS's
+   * attribute prefix is PascalCase). Without case preservation the
+   * comparator would fire false drift on every clean run for any
+   * lowercase-`Protocol` template.
    *
    * `Subscription` is omitted because CDK manages it via separate
    * `AWS::SNS::Subscription` resources, not as a Topic property.
    *
    * Returns `undefined` when the topic is gone (`NotFoundException`).
    */
-  async readCurrentState(physicalId, _logicalId, _resourceType) {
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
     let attrs;
     try {
       const resp = await this.snsClient.send(
@@ -13849,7 +13855,10 @@ var SNSTopicProvider = class {
         }
       }
     }
-    result["DeliveryStatusLogging"] = mapDeliveryStatusLogging(attrs);
+    result["DeliveryStatusLogging"] = mapDeliveryStatusLogging(
+      attrs,
+      stateProtocolCaseMap(properties?.["DeliveryStatusLogging"])
+    );
     try {
       const tagsResp = await this.snsClient.send(
         new ListTagsForResourceCommand({ ResourceArn: physicalId })
@@ -13938,7 +13947,55 @@ var SNS_DELIVERY_STATUS_PROTOCOLS = [
   "Lambda",
   "SQS"
 ];
-function mapDeliveryStatusLogging(attrs) {
+function normalizeDeliveryStatusProtocol(input) {
+  if (typeof input !== "string")
+    return void 0;
+  const lower = input.toLowerCase();
+  switch (lower) {
+    case "application":
+      return "Application";
+    case "firehose":
+      return "Firehose";
+    case "http":
+      return "HTTP";
+    case "https":
+      return "HTTPS";
+    case "lambda":
+      return "Lambda";
+    case "sqs":
+      return "SQS";
+    default:
+      return void 0;
+  }
+}
+function normalizeDeliveryStatusProtocolOrThrow(input, logicalId) {
+  const normalized = normalizeDeliveryStatusProtocol(input);
+  if (normalized === void 0) {
+    throw new Error(
+      `SNS topic ${logicalId}: unsupported DeliveryStatusLogging protocol ${JSON.stringify(input)}. Expected one of ${SNS_DELIVERY_STATUS_PROTOCOLS.join(", ")} (case-insensitive).`
+    );
+  }
+  return normalized;
+}
+function stateProtocolCaseMap(stateLogging) {
+  const map = /* @__PURE__ */ new Map();
+  if (!Array.isArray(stateLogging))
+    return map;
+  for (const entry of stateLogging) {
+    if (!entry || typeof entry !== "object")
+      continue;
+    const raw = entry["Protocol"];
+    if (typeof raw !== "string")
+      continue;
+    const normalized = normalizeDeliveryStatusProtocol(raw);
+    if (!normalized)
+      continue;
+    if (!map.has(normalized))
+      map.set(normalized, raw);
+  }
+  return map;
+}
+function mapDeliveryStatusLogging(attrs, stateCaseMap = /* @__PURE__ */ new Map()) {
   const result = [];
   for (const protocol of SNS_DELIVERY_STATUS_PROTOCOLS) {
     const success = attrs[`${protocol}SuccessFeedbackRoleArn`];
@@ -13946,7 +14003,9 @@ function mapDeliveryStatusLogging(attrs) {
     const failure = attrs[`${protocol}FailureFeedbackRoleArn`];
     if (success === void 0 && sample === void 0 && failure === void 0)
       continue;
-    const entry = { Protocol: protocol };
+    const entry = {
+      Protocol: stateCaseMap.get(protocol) ?? protocol
+    };
     if (success !== void 0)
       entry["SuccessFeedbackRoleArn"] = success;
     if (sample !== void 0)
@@ -27595,7 +27654,18 @@ var ECSProvider = class {
     let resp;
     try {
       resp = await this.getClient().send(
-        new DescribeClustersCommand({ clusters: [physicalId], include: ["TAGS"] })
+        // AWS DescribeClusters omits `settings` / `configuration` from the
+        // response unless they are explicitly requested via `include`. Without
+        // SETTINGS / CONFIGURATIONS the readCurrentState round-trip silently
+        // surfaces empty `ClusterSettings: []` even when the cluster has
+        // containerInsights enabled — a console-side toggle then can't be
+        // detected as drift because both the deploy-time observedProperties
+        // baseline AND the drift-time AWS read would identically miss the
+        // field. Discovered by the drift-revert integ test (PR #201).
+        new DescribeClustersCommand({
+          clusters: [physicalId],
+          include: ["TAGS", "SETTINGS", "CONFIGURATIONS"]
+        })
       );
     } catch {
       return void 0;
@@ -27859,6 +27929,10 @@ import {
   DeleteLoadBalancerCommand,
   DescribeLoadBalancersCommand as DescribeLoadBalancersCommand2,
   DescribeLoadBalancerAttributesCommand,
+  ModifyLoadBalancerAttributesCommand,
+  SetSubnetsCommand,
+  SetSecurityGroupsCommand,
+  SetIpAddressTypeCommand,
   CreateTargetGroupCommand,
   DeleteTargetGroupCommand,
   ModifyTargetGroupCommand,
@@ -27919,7 +27993,9 @@ var ELBv2Provider = class {
         "DefaultActions",
         "Port",
         "Protocol",
-        "SslPolicy"
+        "SslPolicy",
+        "AlpnPolicy",
+        "MutualAuthentication"
       ])
     ]
   ]);
@@ -28027,7 +28103,6 @@ var ELBv2Provider = class {
       this.logger.debug(`Successfully created LoadBalancer ${logicalId}: ${lb.LoadBalancerArn}`);
       const lbAttributes = properties["LoadBalancerAttributes"];
       if (lbAttributes && lbAttributes.length > 0) {
-        const { ModifyLoadBalancerAttributesCommand } = await import("@aws-sdk/client-elastic-load-balancing-v2");
         await this.getClient().send(
           new ModifyLoadBalancerAttributesCommand({
             LoadBalancerArn: lb.LoadBalancerArn,
@@ -28063,42 +28138,95 @@ var ELBv2Provider = class {
     }
   }
   async updateLoadBalancer(logicalId, physicalId, _resourceType, properties, previousProperties) {
-    const newAttrs = properties["LoadBalancerAttributes"] ?? [];
-    const oldAttrs = previousProperties["LoadBalancerAttributes"] ?? [];
-    const stripAttrs = (p) => {
-      const { LoadBalancerAttributes: _, ...rest } = p;
-      return rest;
+    const handledKeys = /* @__PURE__ */ new Set([
+      "LoadBalancerAttributes",
+      "Subnets",
+      "SubnetMappings",
+      "SecurityGroups",
+      "IpAddressType",
+      "Tags"
+    ]);
+    const stripHandled = (p) => {
+      const out = {};
+      for (const [k, v] of Object.entries(p)) {
+        if (!handledKeys.has(k))
+          out[k] = v;
+      }
+      return out;
     };
-    if (JSON.stringify(stripAttrs(properties)) !== JSON.stringify(stripAttrs(previousProperties))) {
+    if (JSON.stringify(stripHandled(properties)) !== JSON.stringify(stripHandled(previousProperties))) {
       throw new ResourceUpdateNotSupportedError(
         "AWS::ElasticLoadBalancingV2::LoadBalancer",
         logicalId,
-        "ELBv2 LoadBalancer in-place updates are only supported for LoadBalancerAttributes; for Name / Type / Scheme / Subnets / SecurityGroups / IpAddressType / Tags, re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
+        "ELBv2 LoadBalancer in-place updates are supported for LoadBalancerAttributes / Subnets / SubnetMappings / SecurityGroups / IpAddressType / Tags only; for Name / Type / Scheme, re-deploy with cdkd deploy --replace, or destroy + redeploy the stack"
       );
     }
-    const newMap = new Map(newAttrs.map((a) => [a.Key, a.Value]));
-    const oldMap = new Map(oldAttrs.map((a) => [a.Key, a.Value]));
-    const submitted = [];
-    for (const [k, v] of newMap) {
-      if (oldMap.get(k) !== v)
-        submitted.push({ Key: k, Value: v });
-    }
-    for (const [k] of oldMap) {
-      if (!newMap.has(k))
-        submitted.push({ Key: k, Value: "" });
-    }
-    if (submitted.length > 0) {
-      const { ModifyLoadBalancerAttributesCommand } = await import("@aws-sdk/client-elastic-load-balancing-v2");
+    const newAttrs = properties["LoadBalancerAttributes"] ?? [];
+    const oldAttrs = previousProperties["LoadBalancerAttributes"] ?? [];
+    const newAttrMap = new Map(newAttrs.map((a) => [a.Key, a.Value]));
+    const oldAttrMap = new Map(oldAttrs.map((a) => [a.Key, a.Value]));
+    const submittedAttrs = [];
+    for (const [k, v] of newAttrMap) {
+      if (oldAttrMap.get(k) !== v)
+        submittedAttrs.push({ Key: k, Value: v });
+    }
+    for (const [k] of oldAttrMap) {
+      if (!newAttrMap.has(k))
+        submittedAttrs.push({ Key: k, Value: "" });
+    }
+    if (submittedAttrs.length > 0) {
       await this.getClient().send(
         new ModifyLoadBalancerAttributesCommand({
           LoadBalancerArn: physicalId,
-          Attributes: submitted
+          Attributes: submittedAttrs
         })
       );
       this.logger.debug(
-        `Applied ${submitted.length} LoadBalancerAttributes change(s) for ${logicalId}`
+        `Applied ${submittedAttrs.length} LoadBalancerAttributes change(s) for ${logicalId}`
+      );
+    }
+    const newSubnets = properties["Subnets"];
+    const oldSubnets = previousProperties["Subnets"];
+    const newMappings = properties["SubnetMappings"];
+    const oldMappings = previousProperties["SubnetMappings"];
+    const subnetsChanged = JSON.stringify(newSubnets) !== JSON.stringify(oldSubnets);
+    const mappingsChanged = JSON.stringify(newMappings) !== JSON.stringify(oldMappings);
+    if (subnetsChanged || mappingsChanged) {
+      await this.getClient().send(
+        new SetSubnetsCommand({
+          LoadBalancerArn: physicalId,
+          ...newMappings && newMappings.length > 0 ? { SubnetMappings: newMappings } : { Subnets: newSubnets }
+        })
+      );
+      this.logger.debug(`Updated Subnets / SubnetMappings for ${logicalId}`);
+    }
+    const newSGs = properties["SecurityGroups"];
+    const oldSGs = previousProperties["SecurityGroups"];
+    if (JSON.stringify(newSGs) !== JSON.stringify(oldSGs)) {
+      await this.getClient().send(
+        new SetSecurityGroupsCommand({
+          LoadBalancerArn: physicalId,
+          SecurityGroups: newSGs ?? []
+        })
       );
+      this.logger.debug(`Updated SecurityGroups for ${logicalId}`);
     }
+    const newIpType = properties["IpAddressType"];
+    const oldIpType = previousProperties["IpAddressType"];
+    if (newIpType !== void 0 && newIpType !== oldIpType) {
+      await this.getClient().send(
+        new SetIpAddressTypeCommand({
+          LoadBalancerArn: physicalId,
+          IpAddressType: newIpType
+        })
+      );
+      this.logger.debug(`Updated IpAddressType for ${logicalId}`);
+    }
+    await this.applyTagDiff(
+      physicalId,
+      previousProperties["Tags"],
+      properties["Tags"]
+    );
     return { physicalId, wasReplaced: false };
   }
   async deleteLoadBalancer(logicalId, physicalId, resourceType, context) {
@@ -28270,6 +28398,8 @@ var ELBv2Provider = class {
       const certificates = this.convertCertificates(
         properties["Certificates"]
       );
+      const alpnPolicy = properties["AlpnPolicy"];
+      const mutualAuth = properties["MutualAuthentication"];
       const response = await this.getClient().send(
         new CreateListenerCommand({
           LoadBalancerArn: properties["LoadBalancerArn"],
@@ -28278,6 +28408,8 @@ var ELBv2Provider = class {
           SslPolicy: properties["SslPolicy"],
           DefaultActions: defaultActions ?? [],
           ...certificates && { Certificates: certificates },
+          ...alpnPolicy && alpnPolicy.length > 0 && { AlpnPolicy: alpnPolicy },
+          ...mutualAuth !== void 0 && { MutualAuthentication: mutualAuth },
           ...tags.length > 0 && { Tags: tags }
         })
       );
@@ -28312,6 +28444,8 @@ var ELBv2Provider = class {
       const certificates = this.convertCertificates(
         properties["Certificates"]
       );
+      const alpnPolicy = properties["AlpnPolicy"];
+      const mutualAuth = properties["MutualAuthentication"];
       await this.getClient().send(
         new ModifyListenerCommand({
           ListenerArn: physicalId,
@@ -28319,7 +28453,15 @@ var ELBv2Provider = class {
           Protocol: properties["Protocol"],
           SslPolicy: properties["SslPolicy"],
           ...defaultActions && { DefaultActions: defaultActions },
-          ...certificates && { Certificates: certificates }
+          ...certificates && { Certificates: certificates },
+          // AlpnPolicy is a TLS-listener-only field; only forward it
+          // when the diff actually carries values (CFn template-side it
+          // is an array of one entry). An empty array would be rejected
+          // by AWS on non-TLS listeners.
+          ...alpnPolicy && alpnPolicy.length > 0 && { AlpnPolicy: alpnPolicy },
+          // MutualAuthentication is HTTPS-listener-only. Forward when
+          // the user templated it; AWS will reject on non-HTTPS.
+          ...mutualAuth !== void 0 && { MutualAuthentication: mutualAuth }
         })
       );
       await this.applyTagDiff(
@@ -28606,6 +28748,8 @@ var ELBv2Provider = class {
     result["DefaultActions"] = (listener.DefaultActions ?? []).map(
       (a) => a
     );
+    result["AlpnPolicy"] = listener.AlpnPolicy ?? [];
+    result["MutualAuthentication"] = listener.MutualAuthentication ?? {};
     await this.attachTags(result, physicalId);
     return result;
   }
@@ -32268,7 +32412,10 @@ var ServiceDiscoveryProvider = class {
   providerRegion = process.env["AWS_REGION"];
   logger = getLogger().child("ServiceDiscoveryProvider");
   handledProperties = /* @__PURE__ */ new Map([
-    ["AWS::ServiceDiscovery::PrivateDnsNamespace", /* @__PURE__ */ new Set(["Name", "Vpc", "Description", "Tags"])],
+    [
+      "AWS::ServiceDiscovery::PrivateDnsNamespace",
+      /* @__PURE__ */ new Set(["Name", "Vpc", "Description", "Tags", "Properties"])
+    ],
     [
       "AWS::ServiceDiscovery::Service",
       /* @__PURE__ */ new Set([
@@ -32370,13 +32517,18 @@ var ServiceDiscoveryProvider = class {
         logicalId
       );
     }
+    const propsBag = properties["Properties"];
+    const dnsProps = propsBag?.["DnsProperties"];
+    const soa = dnsProps?.["SOA"];
+    const inputProperties = soa?.TTL !== void 0 ? { DnsProperties: { SOA: { TTL: Number(soa.TTL) } } } : void 0;
     try {
       const response = await client.send(
         new CreatePrivateDnsNamespaceCommand({
           Name: name,
           Vpc: vpc,
           ...description && { Description: description },
-          ...tags && tags.length > 0 && { Tags: tags }
+          ...tags && tags.length > 0 && { Tags: tags },
+          ...inputProperties && { Properties: inputProperties }
         })
       );
       const operationId = response.OperationId;
@@ -32766,6 +32918,12 @@ var ServiceDiscoveryProvider = class {
     if (ns.Name !== void 0)
       result["Name"] = ns.Name;
     result["Description"] = ns.Description ?? "";
+    const soa = ns.Properties?.DnsProperties?.SOA;
+    if (soa?.TTL !== void 0) {
+      result["Properties"] = { DnsProperties: { SOA: { TTL: soa.TTL } } };
+    } else {
+      result["Properties"] = {};
+    }
     if (ns.Arn)
       await this.attachTags(result, ns.Arn);
     return result;
@@ -46176,7 +46334,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.56.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.57.1");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());