@go-to-k/cdkd 0.58.0 → 0.59.1

package/dist/cli.js

@@ -650,7 +650,11 @@ var contextOptions = [
 var destroyOptions = [
   new Option("-f, --force", "Do not ask for confirmation before destroying the stacks").default(
     false
-  )
+  ),
+  new Option(
+    "--remove-protection",
+    "Bypass deletion protection on protected resources by flipping the per-resource protection flag off in-place before delete. Covers stack-level terminationProtection (CDK property) and resource-level protection on AWS::Logs::LogGroup, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::DynamoDB::Table, AWS::EC2::Instance, and AWS::ElasticLoadBalancingV2::LoadBalancer."
+  ).default(false)
 ];
 
 // src/provisioning/resource-name.ts
@@ -5709,7 +5713,10 @@ import { GetFunctionUrlConfigCommand } from "@aws-sdk/client-lambda";
 
 // src/deployment/intrinsic-function-resolver.ts
 import { GetCallerIdentityCommand as GetCallerIdentityCommand3 } from "@aws-sdk/client-sts";
-import { DescribeAvailabilityZonesCommand as DescribeAvailabilityZonesCommand2 } from "@aws-sdk/client-ec2";
+import {
+  DescribeAvailabilityZonesCommand as DescribeAvailabilityZonesCommand2,
+  DescribeLaunchTemplatesCommand
+} from "@aws-sdk/client-ec2";
 import { GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";
 import { GetParameterCommand as GetParameterCommand2 } from "@aws-sdk/client-ssm";
 init_aws_clients();
@@ -6185,6 +6192,27 @@ var IntrinsicFunctionResolver = class {
           return physicalId;
       }
     }
+    if (resourceType === "AWS::EC2::LaunchTemplate") {
+      if (attributeName === "LatestVersionNumber" || attributeName === "DefaultVersionNumber") {
+        try {
+          const clients = getAwsClients();
+          const response = await clients.ec2.send(
+            new DescribeLaunchTemplatesCommand({ LaunchTemplateIds: [physicalId] })
+          );
+          const lt = response.LaunchTemplates?.[0];
+          const value = attributeName === "LatestVersionNumber" ? lt?.LatestVersionNumber : lt?.DefaultVersionNumber;
+          if (value !== void 0 && value !== null) {
+            return String(value);
+          }
+        } catch (err) {
+          this.logger.warn(
+            `DescribeLaunchTemplates(${physicalId}) failed for ${attributeName}: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+        return attributeName === "LatestVersionNumber" ? "$Latest" : "$Default";
+      }
+      return physicalId;
+    }
     this.logger.warn(
       `Unknown attribute ${attributeName} for resource type ${resourceType}, returning physical ID`
     );
@@ -16684,6 +16712,7 @@ import {
   ListTagsOfResourceCommand,
   TagResourceCommand as TagResourceCommand4,
   UntagResourceCommand as UntagResourceCommand4,
+  UpdateTableCommand,
   ResourceNotFoundException as ResourceNotFoundException6
 } from "@aws-sdk/client-dynamodb";
 init_aws_clients();
@@ -16849,6 +16878,32 @@ var DynamoDBTableProvider = class {
    */
   async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting DynamoDB table ${logicalId}: ${physicalId}`);
+    if (context?.removeProtection === true) {
+      try {
+        await this.dynamoDBClient.send(
+          new UpdateTableCommand({
+            TableName: physicalId,
+            DeletionProtectionEnabled: false
+          })
+        );
+        this.logger.debug(
+          `Disabled DeletionProtectionEnabled on DynamoDB table ${logicalId}, waiting for ACTIVE`
+        );
+        try {
+          await this.waitForTableActiveAfterUpdate(physicalId);
+        } catch (waitErr) {
+          this.logger.debug(
+            `Could not wait for table ${physicalId} ACTIVE after disabling protection: ${waitErr instanceof Error ? waitErr.message : String(waitErr)}`
+          );
+        }
+      } catch (flipError) {
+        if (!(flipError instanceof ResourceNotFoundException6)) {
+          this.logger.debug(
+            `Could not disable DeletionProtectionEnabled on ${physicalId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`
+          );
+        }
+      }
+    }
     try {
       await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: physicalId }));
       this.logger.debug(`Successfully deleted DynamoDB table ${logicalId}`);
@@ -16941,6 +16996,28 @@ var DynamoDBTableProvider = class {
     }
     throw new Error(`Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds`);
   }
+  /**
+   * Poll DescribeTable until the table reaches ACTIVE after an UpdateTable
+   * call. Distinct from `waitForTableActive` because `UpdateTable`
+   * transitions the table to `UPDATING` (not `CREATING`); a status
+   * mismatch should not throw — just keep polling — and the call may
+   * also return immediately ACTIVE on the no-op path (already disabled).
+   */
+  async waitForTableActiveAfterUpdate(tableName, maxAttempts = 60) {
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      const response = await this.dynamoDBClient.send(
+        new DescribeTableCommand2({ TableName: tableName })
+      );
+      const status = response.Table?.TableStatus;
+      if (status === "ACTIVE") {
+        return;
+      }
+      await new Promise((resolve4) => setTimeout(resolve4, 1e3));
+    }
+    throw new Error(
+      `Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds after UpdateTable`
+    );
+  }
   /**
    * Resolve a single `Fn::GetAtt` attribute for an existing DynamoDB table.
    *
@@ -17420,6 +17497,23 @@ var LogsLogGroupProvider = class {
    */
   async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting log group ${logicalId}: ${physicalId}`);
+    if (context?.removeProtection === true) {
+      try {
+        await this.logsClient.send(
+          new PutLogGroupDeletionProtectionCommand({
+            logGroupIdentifier: physicalId,
+            deletionProtectionEnabled: false
+          })
+        );
+        this.logger.debug(
+          `Disabled DeletionProtectionEnabled on log group ${logicalId} before delete`
+        );
+      } catch (flipError) {
+        this.logger.debug(
+          `Could not disable DeletionProtectionEnabled on ${physicalId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`
+        );
+      }
+    }
     try {
       await this.logsClient.send(new DeleteLogGroupCommand({ logGroupName: physicalId }));
       this.logger.debug(`Successfully deleted log group ${logicalId}`);
@@ -19675,7 +19769,8 @@ import {
   DescribeNetworkInterfacesCommand as DescribeNetworkInterfacesCommand2,
   DeleteNetworkInterfaceCommand as DeleteNetworkInterfaceCommand2,
   DescribeVolumesCommand,
-  DescribeInstanceAttributeCommand
+  DescribeInstanceAttributeCommand,
+  ModifyInstanceAttributeCommand
 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var EC2Provider = class {
@@ -21323,6 +21418,25 @@ var EC2Provider = class {
   }
   async deleteInstance(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Terminating EC2 Instance ${logicalId}: ${physicalId}`);
+    if (context?.removeProtection === true) {
+      try {
+        await this.ec2Client.send(
+          new ModifyInstanceAttributeCommand({
+            InstanceId: physicalId,
+            DisableApiTermination: { Value: false }
+          })
+        );
+        this.logger.debug(
+          `Disabled DisableApiTermination on EC2 Instance ${logicalId} before termination`
+        );
+      } catch (flipError) {
+        if (!this.isNotFoundError(flipError)) {
+          this.logger.debug(
+            `Could not disable DisableApiTermination on ${physicalId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`
+          );
+        }
+      }
+    }
     try {
       await this.ec2Client.send(new TerminateInstancesCommand({ InstanceIds: [physicalId] }));
       this.logger.debug(`Terminate requested for EC2 Instance ${logicalId}, waiting...`);
@@ -28246,6 +28360,25 @@ var ELBv2Provider = class {
   }
   async deleteLoadBalancer(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting LoadBalancer ${logicalId}: ${physicalId}`);
+    if (context?.removeProtection === true) {
+      try {
+        await this.getClient().send(
+          new ModifyLoadBalancerAttributesCommand({
+            LoadBalancerArn: physicalId,
+            Attributes: [{ Key: "deletion_protection.enabled", Value: "false" }]
+          })
+        );
+        this.logger.debug(
+          `Disabled deletion_protection.enabled on LoadBalancer ${logicalId} before delete`
+        );
+      } catch (flipError) {
+        if (!this.isNotFoundError(flipError)) {
+          this.logger.debug(
+            `Could not disable deletion_protection.enabled on ${physicalId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`
+          );
+        }
+      }
+    }
     try {
       await this.getClient().send(new DeleteLoadBalancerCommand({ LoadBalancerArn: physicalId }));
       this.logger.debug(`Successfully deleted LoadBalancer ${logicalId}`);
@@ -29257,18 +29390,22 @@ var RDSProvider = class {
   async deleteDBCluster(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DBCluster ${logicalId}: ${physicalId}`);
     try {
-      try {
-        await this.getClient().send(
-          new ModifyDBClusterCommand({
-            DBClusterIdentifier: physicalId,
-            DeletionProtection: false
-          })
-        );
-      } catch (disableError) {
-        if (!this.isNotFoundError(disableError, "DBClusterNotFoundFault")) {
-          this.logger.debug(
-            `Could not disable deletion protection for ${physicalId}: ${disableError instanceof Error ? disableError.message : String(disableError)}`
+      if (context?.removeProtection === true) {
+        try {
+          await this.getClient().send(
+            new ModifyDBClusterCommand({
+              DBClusterIdentifier: physicalId,
+              DeletionProtection: false,
+              ApplyImmediately: true
+            })
           );
+          this.logger.debug(`Disabled DeletionProtection on DBCluster ${logicalId} before delete`);
+        } catch (disableError) {
+          if (!this.isNotFoundError(disableError, "DBClusterNotFoundFault")) {
+            this.logger.debug(
+              `Could not disable deletion protection for ${physicalId}: ${disableError instanceof Error ? disableError.message : String(disableError)}`
+            );
+          }
         }
       }
       await this.getClient().send(
@@ -29392,19 +29529,22 @@ var RDSProvider = class {
   async deleteDBInstance(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DBInstance ${logicalId}: ${physicalId}`);
     try {
-      try {
-        await this.getClient().send(
-          new ModifyDBInstanceCommand({
-            DBInstanceIdentifier: physicalId,
-            DeletionProtection: false,
-            ApplyImmediately: true
-          })
-        );
-      } catch (disableError) {
-        if (!this.isNotFoundError(disableError, "DBInstanceNotFoundFault")) {
-          this.logger.debug(
-            `Could not disable deletion protection for ${physicalId}: ${disableError instanceof Error ? disableError.message : String(disableError)}`
+      if (context?.removeProtection === true) {
+        try {
+          await this.getClient().send(
+            new ModifyDBInstanceCommand({
+              DBInstanceIdentifier: physicalId,
+              DeletionProtection: false,
+              ApplyImmediately: true
+            })
           );
+          this.logger.debug(`Disabled DeletionProtection on DBInstance ${logicalId} before delete`);
+        } catch (disableError) {
+          if (!this.isNotFoundError(disableError, "DBInstanceNotFoundFault")) {
+            this.logger.debug(
+              `Could not disable deletion protection for ${physicalId}: ${disableError instanceof Error ? disableError.message : String(disableError)}`
+            );
+          }
         }
       }
       await this.getClient().send(
@@ -31447,56 +31587,69 @@ var CognitoUserPoolProvider = class {
     }
   }
   /**
-   * Delete a Cognito User Pool
+   * Delete a Cognito User Pool.
+   *
+   * When `context.removeProtection === true`, `DeletionProtection` is flipped
+   * from `ACTIVE` to `INACTIVE` via `UpdateUserPool` before deletion. The
+   * call is idempotent — AWS accepts the no-op already-disabled case
+   * without error. Without `removeProtection`, AWS rejects the delete on a
+   * protected pool with `InvalidParameterException` and the destroy fails;
+   * the user is expected to set `--remove-protection` explicitly.
    *
-   * If DeletionProtection is ACTIVE, it is automatically disabled before deletion.
+   * Pre-PR behavior was an unconditional flip-off; that silent bypass has
+   * been gated on `--remove-protection` to match the rest of the
+   * deletion-protection-bearing types and CDK CLI's refuse-on-protected
+   * semantics. See PR body for migration notes.
    */
   async delete(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Cognito User Pool ${logicalId}: ${physicalId}`);
     try {
-      const deletionProtection = properties?.["DeletionProtection"];
-      if (deletionProtection === "ACTIVE") {
-        this.logger.debug(
-          `Disabling DeletionProtection on Cognito User Pool ${physicalId} before deletion`
-        );
-        await this.getClient().send(
-          new UpdateUserPoolCommand({
-            UserPoolId: physicalId,
-            DeletionProtection: "INACTIVE"
-          })
-        );
-      } else {
-        try {
-          const describeResponse = await this.getClient().send(
-            new DescribeUserPoolCommand({ UserPoolId: physicalId })
-          );
-          if (describeResponse.UserPool?.DeletionProtection === "ACTIVE") {
+      if (context?.removeProtection === true) {
+        const templatedActive = properties?.["DeletionProtection"] === "ACTIVE";
+        let needsFlip = templatedActive;
+        if (!templatedActive) {
+          try {
+            const describeResponse = await this.getClient().send(
+              new DescribeUserPoolCommand({ UserPoolId: physicalId })
+            );
+            needsFlip = describeResponse.UserPool?.DeletionProtection === "ACTIVE";
+          } catch (descError) {
+            if (descError instanceof ResourceNotFoundException12) {
+              const clientRegion = await this.getClient().config.region();
+              assertRegionMatch(
+                clientRegion,
+                context?.expectedRegion,
+                resourceType,
+                logicalId,
+                physicalId
+              );
+              this.logger.debug(
+                `Cognito User Pool ${physicalId} does not exist, skipping deletion`
+              );
+              return;
+            }
             this.logger.debug(
-              `Disabling DeletionProtection on Cognito User Pool ${physicalId} before deletion`
+              `Failed to describe Cognito User Pool ${physicalId}, attempting flip-off anyway`
             );
+            needsFlip = true;
+          }
+        }
+        if (needsFlip) {
+          this.logger.debug(
+            `Disabling DeletionProtection on Cognito User Pool ${physicalId} before deletion (--remove-protection)`
+          );
+          try {
             await this.getClient().send(
               new UpdateUserPoolCommand({
                 UserPoolId: physicalId,
                 DeletionProtection: "INACTIVE"
               })
             );
-          }
-        } catch (descError) {
-          if (descError instanceof ResourceNotFoundException12) {
-            const clientRegion = await this.getClient().config.region();
-            assertRegionMatch(
-              clientRegion,
-              context?.expectedRegion,
-              resourceType,
-              logicalId,
-              physicalId
+          } catch (flipError) {
+            this.logger.debug(
+              `Could not disable DeletionProtection for ${physicalId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`
             );
-            this.logger.debug(`Cognito User Pool ${physicalId} does not exist, skipping deletion`);
-            return;
           }
-          this.logger.debug(
-            `Failed to describe Cognito User Pool ${physicalId}, proceeding with delete`
-          );
         }
       }
       await this.getClient().send(new DeleteUserPoolCommand({ UserPoolId: physicalId }));
@@ -33885,7 +34038,7 @@ import {
   UpdateDatabaseCommand,
   DeleteDatabaseCommand,
   CreateTableCommand as CreateTableCommand2,
-  UpdateTableCommand,
+  UpdateTableCommand as UpdateTableCommand2,
   DeleteTableCommand as DeleteTableCommand2,
   GetDatabaseCommand,
   GetDatabasesCommand,
@@ -34145,7 +34298,7 @@ var GlueProvider = class {
     const catalogId = properties["CatalogId"];
     try {
       await this.getClient().send(
-        new UpdateTableCommand({
+        new UpdateTableCommand2({
           CatalogId: catalogId,
           DatabaseName: databaseName,
           TableInput: this.buildTableInput(tableInput)
@@ -39884,6 +40037,646 @@ var ECRProvider = class {
   }
 };
 
+// src/provisioning/providers/asg-provider.ts
+import {
+  AutoScalingClient,
+  CreateAutoScalingGroupCommand,
+  UpdateAutoScalingGroupCommand,
+  DeleteAutoScalingGroupCommand,
+  DescribeAutoScalingGroupsCommand
+} from "@aws-sdk/client-auto-scaling";
+var ASGProvider = class {
+  asgClient;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("ASGProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::AutoScaling::AutoScalingGroup",
+      /* @__PURE__ */ new Set([
+        "AutoScalingGroupName",
+        "LaunchTemplate",
+        "MinSize",
+        "MaxSize",
+        "DesiredCapacity",
+        "VPCZoneIdentifier",
+        "AvailabilityZones",
+        "HealthCheckType",
+        "HealthCheckGracePeriod",
+        "Cooldown",
+        "DefaultCooldown",
+        "Tags",
+        "TerminationPolicies",
+        "NewInstancesProtectedFromScaleIn",
+        "CapacityRebalance",
+        "ServiceLinkedRoleARN",
+        "MaxInstanceLifetime",
+        "LoadBalancerNames",
+        "TargetGroupARNs",
+        "MetricsCollection",
+        "LifecycleHookSpecificationList",
+        "MixedInstancesPolicy",
+        "Context",
+        "DesiredCapacityType",
+        "DefaultInstanceWarmup",
+        "TrafficSources",
+        "AvailabilityZoneDistribution",
+        "AvailabilityZoneImpairmentPolicy",
+        "SkipZonalShiftValidation",
+        "CapacityReservationSpecification",
+        "InstanceMaintenancePolicy",
+        "DeletionProtection"
+      ])
+    ]
+  ]);
+  getClient() {
+    if (!this.asgClient) {
+      this.asgClient = new AutoScalingClient(
+        this.providerRegion ? { region: this.providerRegion } : {}
+      );
+    }
+    return this.asgClient;
+  }
+  // ─── Dispatch ─────────────────────────────────────────────────────
+  async create(logicalId, resourceType, properties) {
+    if (resourceType !== "AWS::AutoScaling::AutoScalingGroup") {
+      throw new ProvisioningError(
+        `Unsupported resource type: ${resourceType}`,
+        resourceType,
+        logicalId
+      );
+    }
+    const groupName = properties["AutoScalingGroupName"] || generateResourceName(logicalId, { maxLength: 255 });
+    this.logger.debug(`Creating AutoScalingGroup ${logicalId}: ${groupName}`);
+    try {
+      const launchTemplate = this.buildLaunchTemplate(properties);
+      const tags = this.buildTags(groupName, properties);
+      const vpcZoneIdentifier = this.joinVpcZoneIdentifier(properties["VPCZoneIdentifier"]);
+      const minSize = properties["MinSize"] != null ? Number(properties["MinSize"]) : 0;
+      const maxSize = properties["MaxSize"] != null ? Number(properties["MaxSize"]) : minSize;
+      await this.getClient().send(
+        new CreateAutoScalingGroupCommand({
+          AutoScalingGroupName: groupName,
+          MinSize: minSize,
+          MaxSize: maxSize,
+          ...properties["DesiredCapacity"] != null && {
+            DesiredCapacity: Number(properties["DesiredCapacity"])
+          },
+          ...launchTemplate && { LaunchTemplate: launchTemplate },
+          ...properties["MixedInstancesPolicy"] !== void 0 && {
+            MixedInstancesPolicy: properties["MixedInstancesPolicy"]
+          },
+          ...vpcZoneIdentifier !== void 0 && { VPCZoneIdentifier: vpcZoneIdentifier },
+          ...properties["AvailabilityZones"] !== void 0 && {
+            AvailabilityZones: properties["AvailabilityZones"]
+          },
+          ...properties["HealthCheckType"] !== void 0 && {
+            HealthCheckType: properties["HealthCheckType"]
+          },
+          ...properties["HealthCheckGracePeriod"] != null && {
+            HealthCheckGracePeriod: Number(properties["HealthCheckGracePeriod"])
+          },
+          ...properties["Cooldown"] != null && {
+            DefaultCooldown: Number(properties["Cooldown"])
+          },
+          ...properties["DefaultCooldown"] != null && {
+            DefaultCooldown: Number(properties["DefaultCooldown"])
+          },
+          ...properties["TerminationPolicies"] !== void 0 && {
+            TerminationPolicies: properties["TerminationPolicies"]
+          },
+          ...properties["NewInstancesProtectedFromScaleIn"] !== void 0 && {
+            NewInstancesProtectedFromScaleIn: properties["NewInstancesProtectedFromScaleIn"]
+          },
+          ...properties["CapacityRebalance"] !== void 0 && {
+            CapacityRebalance: properties["CapacityRebalance"]
+          },
+          ...properties["ServiceLinkedRoleARN"] !== void 0 && {
+            ServiceLinkedRoleARN: properties["ServiceLinkedRoleARN"]
+          },
+          ...properties["MaxInstanceLifetime"] != null && {
+            MaxInstanceLifetime: Number(properties["MaxInstanceLifetime"])
+          },
+          ...properties["LoadBalancerNames"] !== void 0 && {
+            LoadBalancerNames: properties["LoadBalancerNames"]
+          },
+          ...properties["TargetGroupARNs"] !== void 0 && {
+            TargetGroupARNs: properties["TargetGroupARNs"]
+          },
+          ...properties["Context"] !== void 0 && {
+            Context: properties["Context"]
+          },
+          ...properties["DesiredCapacityType"] !== void 0 && {
+            DesiredCapacityType: properties["DesiredCapacityType"]
+          },
+          ...properties["DefaultInstanceWarmup"] != null && {
+            DefaultInstanceWarmup: Number(properties["DefaultInstanceWarmup"])
+          },
+          ...properties["LifecycleHookSpecificationList"] !== void 0 && {
+            LifecycleHookSpecificationList: properties["LifecycleHookSpecificationList"]
+          },
+          ...properties["TrafficSources"] !== void 0 && {
+            TrafficSources: properties["TrafficSources"]
+          },
+          ...properties["AvailabilityZoneDistribution"] !== void 0 && {
+            AvailabilityZoneDistribution: properties["AvailabilityZoneDistribution"]
+          },
+          ...properties["AvailabilityZoneImpairmentPolicy"] !== void 0 && {
+            AvailabilityZoneImpairmentPolicy: properties["AvailabilityZoneImpairmentPolicy"]
+          },
+          ...properties["SkipZonalShiftValidation"] !== void 0 && {
+            SkipZonalShiftValidation: properties["SkipZonalShiftValidation"]
+          },
+          ...properties["CapacityReservationSpecification"] !== void 0 && {
+            CapacityReservationSpecification: properties["CapacityReservationSpecification"]
+          },
+          ...properties["InstanceMaintenancePolicy"] !== void 0 && {
+            InstanceMaintenancePolicy: properties["InstanceMaintenancePolicy"]
+          },
+          ...properties["DeletionProtection"] !== void 0 && {
+            DeletionProtection: properties["DeletionProtection"]
+          },
+          ...tags.length > 0 && { Tags: tags }
+        })
+      );
+      this.logger.debug(`Successfully created AutoScalingGroup ${logicalId}: ${groupName}`);
+      const arn = await this.fetchArn(groupName);
+      const attributes = {};
+      if (arn)
+        attributes["Arn"] = arn;
+      if (launchTemplate?.LaunchTemplateId) {
+        attributes["LaunchTemplateID"] = launchTemplate.LaunchTemplateId;
+      }
+      return { physicalId: groupName, attributes };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create AutoScalingGroup ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        groupName,
+        cause
+      );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    if (resourceType !== "AWS::AutoScaling::AutoScalingGroup") {
+      throw new ProvisioningError(
+        `Unsupported resource type: ${resourceType}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    this.logger.debug(`Updating AutoScalingGroup ${logicalId}: ${physicalId}`);
+    const stringEq = (a, b) => JSON.stringify(a) === JSON.stringify(b);
+    if (!stringEq(properties["AutoScalingGroupName"], previousProperties["AutoScalingGroupName"])) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "AutoScalingGroupName is immutable; use cdkd deploy --replace to replace the group"
+      );
+    }
+    if (!stringEq(properties["Tags"] ?? [], previousProperties["Tags"] ?? [])) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "Tags updates on AWS::AutoScaling::AutoScalingGroup are not yet supported by cdkd; use cdkd deploy --replace, or update the tags via AWS console / CLI"
+      );
+    }
+    if (!stringEq(
+      properties["LoadBalancerNames"] ?? [],
+      previousProperties["LoadBalancerNames"] ?? []
+    )) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "LoadBalancerNames diffs require Attach/Detach calls; use cdkd deploy --replace"
+      );
+    }
+    if (!stringEq(properties["TargetGroupARNs"] ?? [], previousProperties["TargetGroupARNs"] ?? [])) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "TargetGroupARNs diffs require Attach/Detach calls; use cdkd deploy --replace"
+      );
+    }
+    if (!stringEq(
+      properties["LifecycleHookSpecificationList"] ?? [],
+      previousProperties["LifecycleHookSpecificationList"] ?? []
+    )) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "LifecycleHookSpecificationList diffs require PutLifecycleHook / DeleteLifecycleHook calls; use cdkd deploy --replace"
+      );
+    }
+    if (!stringEq(
+      properties["MetricsCollection"] ?? [],
+      previousProperties["MetricsCollection"] ?? []
+    )) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "MetricsCollection diffs require EnableMetricsCollection / DisableMetricsCollection calls; use cdkd deploy --replace"
+      );
+    }
+    if (!stringEq(properties["TrafficSources"] ?? [], previousProperties["TrafficSources"] ?? [])) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "TrafficSources diffs require AttachTrafficSources / DetachTrafficSources calls; use cdkd deploy --replace"
+      );
+    }
+    try {
+      const launchTemplate = this.buildLaunchTemplate(properties);
+      const vpcZoneIdentifier = this.joinVpcZoneIdentifier(properties["VPCZoneIdentifier"]);
+      await this.getClient().send(
+        new UpdateAutoScalingGroupCommand({
+          AutoScalingGroupName: physicalId,
+          ...properties["MinSize"] != null && { MinSize: Number(properties["MinSize"]) },
+          ...properties["MaxSize"] != null && { MaxSize: Number(properties["MaxSize"]) },
+          ...properties["DesiredCapacity"] != null && {
+            DesiredCapacity: Number(properties["DesiredCapacity"])
+          },
+          ...launchTemplate && { LaunchTemplate: launchTemplate },
+          ...properties["MixedInstancesPolicy"] !== void 0 && {
+            MixedInstancesPolicy: properties["MixedInstancesPolicy"]
+          },
+          ...vpcZoneIdentifier !== void 0 && { VPCZoneIdentifier: vpcZoneIdentifier },
+          ...properties["AvailabilityZones"] !== void 0 && {
+            AvailabilityZones: properties["AvailabilityZones"]
+          },
+          ...properties["HealthCheckType"] !== void 0 && {
+            HealthCheckType: properties["HealthCheckType"]
+          },
+          ...properties["HealthCheckGracePeriod"] != null && {
+            HealthCheckGracePeriod: Number(properties["HealthCheckGracePeriod"])
+          },
+          ...properties["Cooldown"] != null && {
+            DefaultCooldown: Number(properties["Cooldown"])
+          },
+          ...properties["DefaultCooldown"] != null && {
+            DefaultCooldown: Number(properties["DefaultCooldown"])
+          },
+          ...properties["TerminationPolicies"] !== void 0 && {
+            TerminationPolicies: properties["TerminationPolicies"]
+          },
+          ...properties["NewInstancesProtectedFromScaleIn"] !== void 0 && {
+            NewInstancesProtectedFromScaleIn: properties["NewInstancesProtectedFromScaleIn"]
+          },
+          ...properties["CapacityRebalance"] !== void 0 && {
+            CapacityRebalance: properties["CapacityRebalance"]
+          },
+          ...properties["ServiceLinkedRoleARN"] !== void 0 && {
+            ServiceLinkedRoleARN: properties["ServiceLinkedRoleARN"]
+          },
+          ...properties["MaxInstanceLifetime"] != null && {
+            MaxInstanceLifetime: Number(properties["MaxInstanceLifetime"])
+          },
+          ...properties["Context"] !== void 0 && {
+            Context: properties["Context"]
+          },
+          ...properties["DesiredCapacityType"] !== void 0 && {
+            DesiredCapacityType: properties["DesiredCapacityType"]
+          },
+          ...properties["DefaultInstanceWarmup"] != null && {
+            DefaultInstanceWarmup: Number(properties["DefaultInstanceWarmup"])
+          },
+          ...properties["AvailabilityZoneDistribution"] !== void 0 && {
+            AvailabilityZoneDistribution: properties["AvailabilityZoneDistribution"]
+          },
+          ...properties["AvailabilityZoneImpairmentPolicy"] !== void 0 && {
+            AvailabilityZoneImpairmentPolicy: properties["AvailabilityZoneImpairmentPolicy"]
+          },
+          ...properties["SkipZonalShiftValidation"] !== void 0 && {
+            SkipZonalShiftValidation: properties["SkipZonalShiftValidation"]
+          },
+          ...properties["CapacityReservationSpecification"] !== void 0 && {
+            CapacityReservationSpecification: properties["CapacityReservationSpecification"]
+          },
+          ...properties["InstanceMaintenancePolicy"] !== void 0 && {
+            InstanceMaintenancePolicy: properties["InstanceMaintenancePolicy"]
+          },
+          ...properties["DeletionProtection"] !== void 0 && {
+            DeletionProtection: properties["DeletionProtection"]
+          }
+        })
+      );
+      this.logger.debug(`Successfully updated AutoScalingGroup ${logicalId}`);
+      const arn = await this.fetchArn(physicalId);
+      const attributes = {};
+      if (arn)
+        attributes["Arn"] = arn;
+      if (launchTemplate?.LaunchTemplateId) {
+        attributes["LaunchTemplateID"] = launchTemplate.LaunchTemplateId;
+      }
+      return { physicalId, wasReplaced: false, attributes };
+    } catch (error) {
+      if (error instanceof ResourceUpdateNotSupportedError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update AutoScalingGroup ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting AutoScalingGroup ${logicalId}: ${physicalId}`);
+    if (context?.removeProtection === true) {
+      try {
+        await this.getClient().send(
+          new UpdateAutoScalingGroupCommand({
+            AutoScalingGroupName: physicalId,
+            DeletionProtection: "none"
+          })
+        );
+        this.logger.debug(
+          `Disabled DeletionProtection on AutoScalingGroup ${logicalId} before delete`
+        );
+      } catch (flipError) {
+        this.logger.debug(
+          `Could not disable DeletionProtection on ${physicalId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`
+        );
+      }
+    }
+    try {
+      await this.getClient().send(
+        new DeleteAutoScalingGroupCommand({
+          AutoScalingGroupName: physicalId,
+          ForceDelete: context?.removeProtection === true
+        })
+      );
+      this.logger.debug(`Successfully initiated deletion of AutoScalingGroup ${logicalId}`);
+      await this.waitForGroupDeleted(physicalId);
+    } catch (error) {
+      if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`AutoScalingGroup ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete AutoScalingGroup ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    const group = await this.describeGroup(physicalId);
+    if (!group) {
+      throw new ProvisioningError(
+        `AutoScalingGroup ${physicalId} not found while resolving attribute ${attributeName}`,
+        "AWS::AutoScaling::AutoScalingGroup",
+        physicalId,
+        physicalId
+      );
+    }
+    switch (attributeName) {
+      case "Arn":
+      case "AutoScalingGroupARN":
+        return group.AutoScalingGroupARN ?? "";
+      case "LaunchConfigurationName":
+        return group.LaunchConfigurationName ?? "";
+      case "LaunchTemplateID":
+      case "LaunchTemplateId":
+        return group.LaunchTemplate?.LaunchTemplateId ?? "";
+      default:
+        return "";
+    }
+  }
+  /**
+   * Read the AWS-current AutoScalingGroup configuration in CFn-property shape.
+   *
+   * Surfaces the user-controllable subset of `DescribeAutoScalingGroups`,
+   * with always-emit placeholders on user-controllable top-level keys per
+   * the cdkd PR #145 always-emit convention so that v3 `observedProperties`
+   * baseline catches console-side ADDs to fields a clean deploy did not
+   * template (e.g. a console-set `DeletionProtection: 'prevent-force-deletion'`
+   * on a group originally created without it).
+   *
+   * Returns `undefined` when the group is gone.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let group;
+    try {
+      group = await this.describeGroup(physicalId);
+    } catch (err) {
+      if (this.isNotFoundError(err))
+        return void 0;
+      throw err;
+    }
+    if (!group)
+      return void 0;
+    const result = {};
+    if (group.AutoScalingGroupName !== void 0) {
+      result["AutoScalingGroupName"] = group.AutoScalingGroupName;
+    }
+    if (group.LaunchTemplate) {
+      const lt = {};
+      if (group.LaunchTemplate.LaunchTemplateId !== void 0) {
+        lt["LaunchTemplateId"] = group.LaunchTemplate.LaunchTemplateId;
+      }
+      if (group.LaunchTemplate.LaunchTemplateName !== void 0) {
+        lt["LaunchTemplateName"] = group.LaunchTemplate.LaunchTemplateName;
+      }
+      if (group.LaunchTemplate.Version !== void 0) {
+        lt["Version"] = group.LaunchTemplate.Version;
+      }
+      result["LaunchTemplate"] = lt;
+    }
+    result["MinSize"] = group.MinSize ?? 0;
+    result["MaxSize"] = group.MaxSize ?? 0;
+    if (group.DesiredCapacity !== void 0)
+      result["DesiredCapacity"] = group.DesiredCapacity;
+    if (group.VPCZoneIdentifier !== void 0 && group.VPCZoneIdentifier !== "") {
+      result["VPCZoneIdentifier"] = group.VPCZoneIdentifier.split(",").map((s) => s.trim());
+    } else {
+      result["VPCZoneIdentifier"] = [];
+    }
+    result["AvailabilityZones"] = group.AvailabilityZones ?? [];
+    if (group.HealthCheckType !== void 0)
+      result["HealthCheckType"] = group.HealthCheckType;
+    if (group.HealthCheckGracePeriod !== void 0) {
+      result["HealthCheckGracePeriod"] = group.HealthCheckGracePeriod;
+    }
+    if (group.DefaultCooldown !== void 0) {
+      result["Cooldown"] = group.DefaultCooldown;
+    }
+    result["NewInstancesProtectedFromScaleIn"] = group.NewInstancesProtectedFromScaleIn ?? false;
+    result["TerminationPolicies"] = group.TerminationPolicies ?? [];
+    result["CapacityRebalance"] = group.CapacityRebalance ?? false;
+    if (group.ServiceLinkedRoleARN !== void 0) {
+      result["ServiceLinkedRoleARN"] = group.ServiceLinkedRoleARN;
+    }
+    if (group.MaxInstanceLifetime !== void 0) {
+      result["MaxInstanceLifetime"] = group.MaxInstanceLifetime;
+    }
+    result["LoadBalancerNames"] = group.LoadBalancerNames ?? [];
+    result["TargetGroupARNs"] = group.TargetGroupARNs ?? [];
+    if (group.Context !== void 0)
+      result["Context"] = group.Context;
+    if (group.DesiredCapacityType !== void 0) {
+      result["DesiredCapacityType"] = group.DesiredCapacityType;
+    }
+    if (group.DefaultInstanceWarmup !== void 0) {
+      result["DefaultInstanceWarmup"] = group.DefaultInstanceWarmup;
+    }
+    if (group.MixedInstancesPolicy !== void 0) {
+      result["MixedInstancesPolicy"] = group.MixedInstancesPolicy;
+    }
+    if (group.AvailabilityZoneDistribution !== void 0) {
+      result["AvailabilityZoneDistribution"] = group.AvailabilityZoneDistribution;
+    }
+    if (group.AvailabilityZoneImpairmentPolicy !== void 0) {
+      result["AvailabilityZoneImpairmentPolicy"] = group.AvailabilityZoneImpairmentPolicy;
+    }
+    if (group.CapacityReservationSpecification !== void 0) {
+      result["CapacityReservationSpecification"] = group.CapacityReservationSpecification;
+    }
+    if (group.InstanceMaintenancePolicy !== void 0) {
+      result["InstanceMaintenancePolicy"] = group.InstanceMaintenancePolicy;
+    }
+    if (group.DeletionProtection !== void 0) {
+      result["DeletionProtection"] = group.DeletionProtection;
+    } else {
+      result["DeletionProtection"] = "none";
+    }
+    result["Tags"] = normalizeAwsTagsToCfn(group.Tags);
+    return result;
+  }
+  /**
+   * MetricsCollection / LifecycleHookSpecificationList / TrafficSources
+   * are surfaced via separate APIs (`DescribeMetricsCollectionTypes` etc.
+   * + `DescribeLifecycleHooks` + `DescribeTrafficSources`) that this v1
+   * does not yet wire up — declare them as drift-unknown so the comparator
+   * does not fire false-positive drift on every clean run.
+   */
+  getDriftUnknownPaths(_resourceType) {
+    return [
+      "MetricsCollection",
+      "LifecycleHookSpecificationList",
+      "TrafficSources",
+      "NotificationConfigurations"
+    ];
+  }
+  // ─── Helpers ──────────────────────────────────────────────────────
+  buildLaunchTemplate(properties) {
+    const lt = properties["LaunchTemplate"];
+    if (!lt)
+      return void 0;
+    const out = {};
+    if (lt.LaunchTemplateId !== void 0)
+      out.LaunchTemplateId = lt.LaunchTemplateId;
+    if (lt.LaunchTemplateName !== void 0)
+      out.LaunchTemplateName = lt.LaunchTemplateName;
+    if (lt.Version !== void 0) {
+      out.Version = String(lt.Version);
+    }
+    if (out.LaunchTemplateId === void 0 && out.LaunchTemplateName === void 0) {
+      return void 0;
+    }
+    return out;
+  }
+  /**
+   * CFn `Tags` is `[{Key, Value, PropagateAtLaunch?}]`. AWS expects each
+   * tag to also carry `ResourceId: <groupName>` and `ResourceType:
+   * 'auto-scaling-group'`. We tack those on at create time so the SDK
+   * input shape matches without forcing the user to template them.
+   */
+  buildTags(groupName, properties) {
+    const raw = properties["Tags"];
+    if (!raw)
+      return [];
+    return raw.filter((t) => t.Key !== void 0).map((t) => ({
+      ResourceId: groupName,
+      ResourceType: "auto-scaling-group",
+      Key: t.Key,
+      Value: t.Value ?? "",
+      PropagateAtLaunch: t.PropagateAtLaunch ?? false
+    }));
+  }
+  /**
+   * CFn `VPCZoneIdentifier` is a list of subnet ids; the AWS SDK input
+   * field is a comma-joined string.
+   */
+  joinVpcZoneIdentifier(value) {
+    if (value === void 0 || value === null)
+      return void 0;
+    if (Array.isArray(value)) {
+      const cleaned = value.map((v) => String(v).trim()).filter((v) => v.length > 0);
+      if (cleaned.length === 0)
+        return void 0;
+      return cleaned.join(",");
+    }
+    if (typeof value === "string")
+      return value;
+    return void 0;
+  }
+  async describeGroup(groupName) {
+    const response = await this.getClient().send(
+      new DescribeAutoScalingGroupsCommand({
+        AutoScalingGroupNames: [groupName]
+      })
+    );
+    return response.AutoScalingGroups?.[0];
+  }
+  async fetchArn(groupName) {
+    try {
+      const group = await this.describeGroup(groupName);
+      return group?.AutoScalingGroupARN;
+    } catch (err) {
+      this.logger.debug(
+        `DescribeAutoScalingGroups(${groupName}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      return void 0;
+    }
+  }
+  isNotFoundError(error) {
+    if (!(error instanceof Error))
+      return false;
+    const name = error.name ?? "";
+    const message = error.message.toLowerCase();
+    return name === "ValidationError" && (message.includes("autoscalinggroup name not found") || message.includes("not found") || message.includes("does not exist"));
+  }
+  async waitForGroupDeleted(groupName, maxWaitMs = 9e5) {
+    const startTime = Date.now();
+    let delay = 5e3;
+    while (Date.now() - startTime < maxWaitMs) {
+      try {
+        const group = await this.describeGroup(groupName);
+        if (!group)
+          return;
+      } catch (error) {
+        if (this.isNotFoundError(error))
+          return;
+        throw error;
+      }
+      await this.sleep(delay);
+      delay = Math.min(delay * 2, 3e4);
+    }
+    throw new Error(
+      `Timed out waiting for AutoScalingGroup ${groupName} to be deleted (15 minute cap)`
+    );
+  }
+  sleep(ms) {
+    return new Promise((resolve4) => setTimeout(resolve4, ms));
+  }
+};
+
 // src/provisioning/register-providers.ts
 function registerAllProviders(registry) {
   registry.register("AWS::IAM::Role", new IAMRoleProvider());
@@ -39990,6 +40783,7 @@ function registerAllProviders(registry) {
   registry.register("AWS::CodeBuild::Project", new CodeBuildProvider());
   registry.register("AWS::S3Vectors::VectorBucket", new S3VectorsProvider());
   registry.register("AWS::ECR::Repository", new ECRProvider());
+  registry.register("AWS::AutoScaling::AutoScalingGroup", new ASGProvider());
   const s3TablesProvider = new S3TablesProvider();
   registry.register("AWS::S3Tables::TableBucket", s3TablesProvider);
   registry.register("AWS::S3Tables::Namespace", s3TablesProvider);
@@ -42952,6 +43746,43 @@ init_aws_clients();
 // src/cli/commands/destroy-runner.ts
 import * as readline2 from "node:readline/promises";
 init_aws_clients();
+var PROTECTION_PROPERTY_BY_TYPE = {
+  "AWS::Logs::LogGroup": "DeletionProtectionEnabled",
+  "AWS::RDS::DBInstance": "DeletionProtection",
+  "AWS::RDS::DBCluster": "DeletionProtection",
+  "AWS::DynamoDB::Table": "DeletionProtectionEnabled",
+  "AWS::EC2::Instance": "DisableApiTermination",
+  "AWS::Cognito::UserPool": "DeletionProtection",
+  "AWS::AutoScaling::AutoScalingGroup": "DeletionProtection"
+};
+var PROTECTION_ACTIVE_VALUES_BY_TYPE = {
+  "AWS::Cognito::UserPool": /* @__PURE__ */ new Set(["ACTIVE"]),
+  "AWS::AutoScaling::AutoScalingGroup": /* @__PURE__ */ new Set(["prevent-force-deletion", "prevent-all-deletion"])
+};
+function countProtectedResources(state) {
+  let count = 0;
+  for (const resource of Object.values(state.resources ?? {})) {
+    const propName = PROTECTION_PROPERTY_BY_TYPE[resource.resourceType];
+    if (propName) {
+      const recorded = resource.properties?.[propName] ?? resource.observedProperties?.[propName];
+      const activeValues = PROTECTION_ACTIVE_VALUES_BY_TYPE[resource.resourceType];
+      if (activeValues) {
+        if (activeValues.has(recorded))
+          count++;
+      } else if (recorded === true) {
+        count++;
+      }
+      continue;
+    }
+    if (resource.resourceType === "AWS::ElasticLoadBalancingV2::LoadBalancer") {
+      const attrs = resource.properties?.["LoadBalancerAttributes"] ?? resource.observedProperties?.["LoadBalancerAttributes"];
+      const enabled = attrs?.find((a) => a?.Key === "deletion_protection.enabled");
+      if (enabled?.Value === "true")
+        count++;
+    }
+  }
+  return count;
+}
 async function runDestroyForStack(stackName, state, ctx) {
   const logger = getLogger();
   const result = {
@@ -42975,18 +43806,25 @@ Resources to be deleted (${resourceCount}):`);
   for (const [logicalId, resource] of Object.entries(state.resources)) {
     logger.info(`  - ${logicalId} (${resource.resourceType})`);
   }
+  const protectedCount = ctx.removeProtection ? countProtectedResources(state) : 0;
   if (!ctx.skipConfirmation) {
     const rl = readline2.createInterface({
       input: process.stdin,
       output: process.stdout
     });
-    const answer = await rl.question(
-      `
-Are you sure you want to destroy stack "${stackName}" and delete all ${resourceCount} resources? (Y/n): `
-    );
+    const prompt = ctx.removeProtection ? `
+About to destroy ${resourceCount} resources from stack "${stackName}", REMOVING DELETION PROTECTION on ${protectedCount} of them. Continue? (y/N): ` : `
+Are you sure you want to destroy stack "${stackName}" and delete all ${resourceCount} resources? (Y/n): `;
+    const answer = await rl.question(prompt);
     rl.close();
     const trimmed = answer.trim().toLowerCase();
-    if (trimmed === "n" || trimmed === "no") {
+    if (ctx.removeProtection) {
+      if (trimmed !== "y" && trimmed !== "yes") {
+        logger.info("Destroy cancelled");
+        result.cancelled = true;
+        return result;
+      }
+    } else if (trimmed === "n" || trimmed === "no") {
       logger.info("Destroy cancelled");
       result.cancelled = true;
       return result;
@@ -43093,7 +43931,11 @@ Acquiring lock for stack ${stackName}...`);
                     logicalId,
                     resource.physicalId,
                     resource.resourceType,
-                    resource.properties
+                    resource.properties,
+                    {
+                      ...state.region !== void 0 && { expectedRegion: state.region },
+                      ...ctx.removeProtection === true && { removeProtection: true }
+                    }
                   );
                   lastDeleteError = null;
                   break;
@@ -43315,10 +44157,16 @@ Preparing to destroy stack: ${stackName}`);
       const synthStack = appStacks.find((s) => s.stackName === stackName);
       const synthRegion = synthStack?.region;
       if (synthStack?.terminationProtection === true) {
-        const err = new StackTerminationProtectionError(stackName);
-        logger.error(`  \u2717 ${err.message}`);
-        totalErrors++;
-        continue;
+        if (options.removeProtection) {
+          logger.warn(
+            `Stack ${stackName} has terminationProtection: true \u2014 bypassing because --remove-protection set`
+          );
+        } else {
+          const err = new StackTerminationProtectionError(stackName);
+          logger.error(`  \u2717 ${err.message}`);
+          totalErrors++;
+          continue;
+        }
       }
       let stackTargetRegion;
       if (refs.length === 0) {
@@ -43353,6 +44201,7 @@ Preparing to destroy stack: ${stackName}`);
         ...options.profile && { profile: options.profile },
         stateBucket,
         skipConfirmation: options.yes || options.force,
+        removeProtection: options.removeProtection === true,
         ...options.resourceWarnAfter?.globalMs !== void 0 && {
           resourceWarnAfterMs: options.resourceWarnAfter.globalMs
         },
@@ -45190,6 +46039,7 @@ Preparing to destroy stack: ${stackName}${ref.region ? ` (${ref.region})` : ""}`
           // skipped when `options.yes` is set OR `--all` was set (the user
           // already accepted the batch prompt).
           skipConfirmation: options.yes || options.all === true,
+          removeProtection: options.removeProtection === true,
           ...options.resourceWarnAfter?.globalMs !== void 0 && {
             resourceWarnAfterMs: options.resourceWarnAfter.globalMs
           },
@@ -45218,7 +46068,11 @@ Preparing to destroy stack: ${stackName}${ref.region ? ` (${ref.region})` : ""}`
 function createStateDestroyCommand() {
   const cmd = new Command12("destroy").description(
     "Destroy a stack's AWS resources and remove its state record without requiring the CDK app. For removing only the state record (keeping AWS resources intact), use 'cdkd state orphan'."
-  ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).addOption(stackRegionOption2()).addHelpText(
+  ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).option(
+    "--remove-protection",
+    "Bypass deletion protection on protected resources by flipping the per-resource protection flag off in-place before delete. Covers AWS::Logs::LogGroup, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::DynamoDB::Table, AWS::EC2::Instance, and AWS::ElasticLoadBalancingV2::LoadBalancer.",
+    false
+  ).addOption(stackRegionOption2()).addHelpText(
     "after",
     [
       "",
@@ -46358,7 +47212,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.58.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.59.1");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());