@go-to-k/cdkd 0.57.0 → 0.58.0

package/README.md

@@ -487,6 +487,33 @@ Two `orphan` variants at different granularities:
 Both `cdkd destroy` (synth-driven) and `cdkd state destroy`
 (state-driven, no synth) delete AWS resources + state.
 
+## Stack termination protection
+
+CDK's `new Stack(app, 'X', { terminationProtection: true })` is
+honored by `cdkd destroy` and `cdkd destroy --all`. A protected
+stack is refused before the lock is acquired and before any
+per-resource delete runs; in `--all` runs sibling unprotected
+stacks still destroy and the protected ones contribute to the
+partial-failure exit code 2.
+
+Bypass workflow:
+
+1. Edit the CDK code to set `terminationProtection: false`.
+2. Redeploy: `cdkd deploy MyStack`.
+3. Retry: `cdkd destroy MyStack`.
+
+`cdkd state destroy` (state-only, no synth) does **not** honor
+`terminationProtection` — the flag is a CDK property surfaced via
+synth and is not stored in cdkd's state.json. Use `cdkd destroy`
+when synth is available, or accept that `state destroy` is the
+explicit "I know what I'm doing, ignore CDK guards" escape hatch.
+
+A future `--remove-protection` flag (separate scope) will provide
+an explicit one-shot bypass without editing CDK code.
+
+`cdkd diff` (read-only) and `cdkd deploy` (forward-only) are
+unaffected — only destroy is gated.
+
 ## `publish-assets`: synth + build + publish, no deploy
 
 `cdkd publish-assets` runs the asset half of the deploy pipeline

package/dist/cli.js

@@ -1207,6 +1207,18 @@ var ResourceUpdateNotSupportedError = class _ResourceUpdateNotSupportedError ext
   }
   exitCode = 2;
 };
+var StackTerminationProtectionError = class _StackTerminationProtectionError extends CdkdError {
+  constructor(stackName, cause) {
+    super(
+      `Stack '${stackName}' has terminationProtection: true and cannot be destroyed. Set terminationProtection: false in the CDK code, redeploy, then retry 'cdkd destroy ${stackName}'.`,
+      "STACK_TERMINATION_PROTECTION",
+      cause
+    );
+    this.stackName = stackName;
+    this.name = "StackTerminationProtectionError";
+    Object.setPrototypeOf(this, _StackTerminationProtectionError.prototype);
+  }
+};
 function isCdkdError(error) {
   return error instanceof CdkdError;
 }
@@ -1915,7 +1927,10 @@ var AssemblyReader = class {
       assetManifestPath,
       dependencyNames,
       region: env?.region !== "unknown-region" ? env?.region : void 0,
-      account: env?.account !== "unknown-account" ? env?.account : void 0
+      account: env?.account !== "unknown-account" ? env?.account : void 0,
+      ...props?.terminationProtection !== void 0 && {
+        terminationProtection: props.terminationProtection
+      }
     };
   }
   /**
@@ -13565,7 +13580,7 @@ var SNSTopicProvider = class {
       if (properties["DeliveryStatusLogging"]) {
         const loggingConfigs = properties["DeliveryStatusLogging"];
         for (const config of loggingConfigs) {
-          const protocol = config["Protocol"];
+          const protocol = normalizeDeliveryStatusProtocolOrThrow(config["Protocol"], logicalId);
           if (config["SuccessFeedbackRoleArn"]) {
             await this.snsClient.send(
               new SetTopicAttributesCommand({
@@ -13658,7 +13673,7 @@ var SNSTopicProvider = class {
     if (JSON.stringify(properties["DeliveryStatusLogging"]) !== JSON.stringify(previousProperties["DeliveryStatusLogging"])) {
       const loggingConfigs = properties["DeliveryStatusLogging"] || [];
       for (const config of loggingConfigs) {
-        const protocol = config["Protocol"];
+        const protocol = normalizeDeliveryStatusProtocolOrThrow(config["Protocol"], logicalId);
         if (config["SuccessFeedbackRoleArn"]) {
           await this.snsClient.send(
             new SetTopicAttributesCommand({
@@ -13798,16 +13813,22 @@ var SNSTopicProvider = class {
    * FailureFeedbackRoleArn?}]`. Walks the known protocol prefix list
    * (`HTTP` / `HTTPS` / `SQS` / `Lambda` / `Firehose` / `Application`); a
    * protocol is included in the result iff at least one of its three
-   * sub-attributes is set on the topic. Entries are sorted by `Protocol`
-   * for stable positional compare (AWS does not preserve template order
-   * across `GetTopicAttributes` calls).
+   * sub-attributes is set on the topic. Entries are sorted by canonical
+   * PascalCase `Protocol` for stable positional compare (AWS does not
+   * preserve template order across `GetTopicAttributes` calls).
+   *
+   * The emitted `Protocol` value preserves state's case when known
+   * (CDK templates emit lowercase `'lambda'` / `'sqs'` / ...; AWS's
+   * attribute prefix is PascalCase). Without case preservation the
+   * comparator would fire false drift on every clean run for any
+   * lowercase-`Protocol` template.
    *
    * `Subscription` is omitted because CDK manages it via separate
    * `AWS::SNS::Subscription` resources, not as a Topic property.
    *
    * Returns `undefined` when the topic is gone (`NotFoundException`).
    */
-  async readCurrentState(physicalId, _logicalId, _resourceType) {
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
     let attrs;
     try {
       const resp = await this.snsClient.send(
@@ -13849,7 +13870,10 @@ var SNSTopicProvider = class {
         }
       }
     }
-    result["DeliveryStatusLogging"] = mapDeliveryStatusLogging(attrs);
+    result["DeliveryStatusLogging"] = mapDeliveryStatusLogging(
+      attrs,
+      stateProtocolCaseMap(properties?.["DeliveryStatusLogging"])
+    );
     try {
       const tagsResp = await this.snsClient.send(
         new ListTagsForResourceCommand({ ResourceArn: physicalId })
@@ -13938,7 +13962,55 @@ var SNS_DELIVERY_STATUS_PROTOCOLS = [
   "Lambda",
   "SQS"
 ];
-function mapDeliveryStatusLogging(attrs) {
+function normalizeDeliveryStatusProtocol(input) {
+  if (typeof input !== "string")
+    return void 0;
+  const lower = input.toLowerCase();
+  switch (lower) {
+    case "application":
+      return "Application";
+    case "firehose":
+      return "Firehose";
+    case "http":
+      return "HTTP";
+    case "https":
+      return "HTTPS";
+    case "lambda":
+      return "Lambda";
+    case "sqs":
+      return "SQS";
+    default:
+      return void 0;
+  }
+}
+function normalizeDeliveryStatusProtocolOrThrow(input, logicalId) {
+  const normalized = normalizeDeliveryStatusProtocol(input);
+  if (normalized === void 0) {
+    throw new Error(
+      `SNS topic ${logicalId}: unsupported DeliveryStatusLogging protocol ${JSON.stringify(input)}. Expected one of ${SNS_DELIVERY_STATUS_PROTOCOLS.join(", ")} (case-insensitive).`
+    );
+  }
+  return normalized;
+}
+function stateProtocolCaseMap(stateLogging) {
+  const map = /* @__PURE__ */ new Map();
+  if (!Array.isArray(stateLogging))
+    return map;
+  for (const entry of stateLogging) {
+    if (!entry || typeof entry !== "object")
+      continue;
+    const raw = entry["Protocol"];
+    if (typeof raw !== "string")
+      continue;
+    const normalized = normalizeDeliveryStatusProtocol(raw);
+    if (!normalized)
+      continue;
+    if (!map.has(normalized))
+      map.set(normalized, raw);
+  }
+  return map;
+}
+function mapDeliveryStatusLogging(attrs, stateCaseMap = /* @__PURE__ */ new Map()) {
   const result = [];
   for (const protocol of SNS_DELIVERY_STATUS_PROTOCOLS) {
     const success = attrs[`${protocol}SuccessFeedbackRoleArn`];
@@ -13946,7 +14018,9 @@ function mapDeliveryStatusLogging(attrs) {
     const failure = attrs[`${protocol}FailureFeedbackRoleArn`];
     if (success === void 0 && sample === void 0 && failure === void 0)
       continue;
-    const entry = { Protocol: protocol };
+    const entry = {
+      Protocol: stateCaseMap.get(protocol) ?? protocol
+    };
     if (success !== void 0)
       entry["SuccessFeedbackRoleArn"] = success;
     if (sample !== void 0)
@@ -27595,7 +27669,18 @@ var ECSProvider = class {
     let resp;
     try {
       resp = await this.getClient().send(
-        new DescribeClustersCommand({ clusters: [physicalId], include: ["TAGS"] })
+        // AWS DescribeClusters omits `settings` / `configuration` from the
+        // response unless they are explicitly requested via `include`. Without
+        // SETTINGS / CONFIGURATIONS the readCurrentState round-trip silently
+        // surfaces empty `ClusterSettings: []` even when the cluster has
+        // containerInsights enabled — a console-side toggle then can't be
+        // detected as drift because both the deploy-time observedProperties
+        // baseline AND the drift-time AWS read would identically miss the
+        // field. Discovered by the drift-revert integ test (PR #201).
+        new DescribeClustersCommand({
+          clusters: [physicalId],
+          include: ["TAGS", "SETTINGS", "CONFIGURATIONS"]
+        })
       );
     } catch {
       return void 0;
@@ -32342,7 +32427,10 @@ var ServiceDiscoveryProvider = class {
   providerRegion = process.env["AWS_REGION"];
   logger = getLogger().child("ServiceDiscoveryProvider");
   handledProperties = /* @__PURE__ */ new Map([
-    ["AWS::ServiceDiscovery::PrivateDnsNamespace", /* @__PURE__ */ new Set(["Name", "Vpc", "Description", "Tags"])],
+    [
+      "AWS::ServiceDiscovery::PrivateDnsNamespace",
+      /* @__PURE__ */ new Set(["Name", "Vpc", "Description", "Tags", "Properties"])
+    ],
     [
       "AWS::ServiceDiscovery::Service",
       /* @__PURE__ */ new Set([
@@ -32444,13 +32532,18 @@ var ServiceDiscoveryProvider = class {
         logicalId
       );
     }
+    const propsBag = properties["Properties"];
+    const dnsProps = propsBag?.["DnsProperties"];
+    const soa = dnsProps?.["SOA"];
+    const inputProperties = soa?.TTL !== void 0 ? { DnsProperties: { SOA: { TTL: Number(soa.TTL) } } } : void 0;
     try {
       const response = await client.send(
         new CreatePrivateDnsNamespaceCommand({
           Name: name,
           Vpc: vpc,
           ...description && { Description: description },
-          ...tags && tags.length > 0 && { Tags: tags }
+          ...tags && tags.length > 0 && { Tags: tags },
+          ...inputProperties && { Properties: inputProperties }
         })
       );
       const operationId = response.OperationId;
@@ -32840,6 +32933,12 @@ var ServiceDiscoveryProvider = class {
     if (ns.Name !== void 0)
       result["Name"] = ns.Name;
     result["Description"] = ns.Description ?? "";
+    const soa = ns.Properties?.DnsProperties?.SOA;
+    if (soa?.TTL !== void 0) {
+      result["Properties"] = { DnsProperties: { SOA: { TTL: soa.TTL } } };
+    } else {
+      result["Properties"] = {};
+    }
     if (ns.Arn)
       await this.attachTags(result, ns.Arn);
     return result;
@@ -43153,7 +43252,10 @@ async function destroyCommand(stackArgs, options) {
         appStacks = result.stacks.map((s) => ({
           stackName: s.stackName,
           displayName: s.displayName,
-          ...s.region && { region: s.region }
+          ...s.region && { region: s.region },
+          ...s.terminationProtection !== void 0 && {
+            terminationProtection: s.terminationProtection
+          }
         }));
       } catch {
         logger.debug("Could not synthesize app, falling back to state-based stack list");
@@ -43212,6 +43314,12 @@ Preparing to destroy stack: ${stackName}`);
       const refs = stateRefsByName.get(stackName) ?? [];
       const synthStack = appStacks.find((s) => s.stackName === stackName);
       const synthRegion = synthStack?.region;
+      if (synthStack?.terminationProtection === true) {
+        const err = new StackTerminationProtectionError(stackName);
+        logger.error(`  \u2717 ${err.message}`);
+        totalErrors++;
+        continue;
+      }
       let stackTargetRegion;
       if (refs.length === 0) {
         logger.warn(`No state found for stack ${stackName}, skipping`);
@@ -46250,7 +46358,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.57.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.58.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());