@go-to-k/cdkd 0.61.0 → 0.62.0

package/dist/cli.js

@@ -30482,22 +30482,42 @@ import {
   PutBucketOwnershipControlsCommand,
   PutBucketNotificationConfigurationCommand,
   PutBucketCorsCommand,
+  DeleteBucketCorsCommand,
   PutBucketLifecycleConfigurationCommand,
+  DeleteBucketLifecycleCommand,
   PutPublicAccessBlockCommand,
   PutBucketEncryptionCommand as PutBucketEncryptionCommand2,
   PutBucketLoggingCommand,
   PutBucketWebsiteCommand,
+  DeleteBucketWebsiteCommand,
   PutBucketAccelerateConfigurationCommand,
   PutBucketMetricsConfigurationCommand,
+  DeleteBucketMetricsConfigurationCommand,
   PutBucketAnalyticsConfigurationCommand,
+  DeleteBucketAnalyticsConfigurationCommand,
   PutBucketIntelligentTieringConfigurationCommand,
+  DeleteBucketIntelligentTieringConfigurationCommand,
   PutBucketInventoryConfigurationCommand,
+  DeleteBucketInventoryConfigurationCommand,
   PutBucketReplicationCommand,
+  DeleteBucketReplicationCommand,
   PutObjectLockConfigurationCommand,
   GetBucketEncryptionCommand,
   GetBucketTaggingCommand,
   GetBucketVersioningCommand,
   GetPublicAccessBlockCommand,
+  GetBucketLifecycleConfigurationCommand,
+  GetBucketCorsCommand,
+  GetBucketWebsiteCommand,
+  GetBucketLoggingCommand,
+  GetBucketNotificationConfigurationCommand,
+  GetBucketReplicationCommand,
+  GetObjectLockConfigurationCommand,
+  GetBucketAccelerateConfigurationCommand,
+  ListBucketMetricsConfigurationsCommand,
+  ListBucketAnalyticsConfigurationsCommand,
+  ListBucketIntelligentTieringConfigurationsCommand,
+  ListBucketInventoryConfigurationsCommand,
   NoSuchBucket,
   ListObjectVersionsCommand,
   DeleteObjectsCommand
@@ -30834,6 +30854,16 @@ var S3BucketProvider = class {
    * SDK: PutBucketLogging with BucketLoggingStatus.LoggingEnabled
    */
   async applyLoggingConfiguration(bucketName, loggingConfig) {
+    if (!loggingConfig || !loggingConfig["DestinationBucketName"]) {
+      await this.s3Client.send(
+        new PutBucketLoggingCommand({
+          Bucket: bucketName,
+          BucketLoggingStatus: {}
+        })
+      );
+      this.logger.debug(`Cleared logging configuration on bucket ${bucketName}`);
+      return;
+    }
     await this.s3Client.send(
       new PutBucketLoggingCommand({
         Bucket: bucketName,
@@ -30919,6 +30949,77 @@ var S3BucketProvider = class {
     );
     this.logger.debug(`Applied accelerate configuration to bucket ${bucketName}`);
   }
+  /**
+   * Apply notification configuration (full-replace via PutBucketNotificationConfiguration)
+   *
+   * CFn property: NotificationConfiguration with TopicConfigurations,
+   *   QueueConfigurations, LambdaConfigurations, EventBridgeConfiguration.
+   * SDK uses the same structure (PutBucketNotificationConfiguration replaces
+   * the entire notification configuration in one call).
+   */
+  async applyNotificationConfiguration(bucketName, notifConfig) {
+    const cfg = {};
+    if (notifConfig) {
+      const topics = notifConfig["TopicConfigurations"];
+      if (topics && Array.isArray(topics) && topics.length > 0) {
+        cfg.TopicConfigurations = topics.map((t) => ({
+          Id: t["Id"],
+          TopicArn: t["Topic"] ?? t["TopicArn"],
+          Events: t["Event"] !== void 0 ? [t["Event"]] : t["Events"],
+          Filter: this.cfnNotifFilterToSdk(t["Filter"])
+        }));
+      }
+      const queues = notifConfig["QueueConfigurations"];
+      if (queues && Array.isArray(queues) && queues.length > 0) {
+        cfg.QueueConfigurations = queues.map((q) => ({
+          Id: q["Id"],
+          QueueArn: q["Queue"] ?? q["QueueArn"],
+          Events: q["Event"] !== void 0 ? [q["Event"]] : q["Events"],
+          Filter: this.cfnNotifFilterToSdk(q["Filter"])
+        }));
+      }
+      const lambdas = notifConfig["LambdaConfigurations"];
+      if (lambdas && Array.isArray(lambdas) && lambdas.length > 0) {
+        cfg.LambdaFunctionConfigurations = lambdas.map((l) => ({
+          Id: l["Id"],
+          LambdaFunctionArn: l["Function"] ?? l["LambdaFunctionArn"],
+          Events: l["Event"] !== void 0 ? [l["Event"]] : l["Events"],
+          Filter: this.cfnNotifFilterToSdk(l["Filter"])
+        }));
+      }
+      const eb = notifConfig["EventBridgeConfiguration"];
+      if (eb !== void 0) {
+        cfg.EventBridgeConfiguration = {};
+      }
+    }
+    await this.s3Client.send(
+      new PutBucketNotificationConfigurationCommand({
+        Bucket: bucketName,
+        NotificationConfiguration: cfg
+      })
+    );
+    this.logger.debug(`Applied notification configuration to bucket ${bucketName}`);
+  }
+  /**
+   * Convert CFn notification Filter ({ S3Key: { Rules: [{ Name, Value }] } })
+   * to SDK NotificationConfigurationFilter.Key.FilterRules.
+   */
+  cfnNotifFilterToSdk(filter) {
+    if (!filter || typeof filter !== "object")
+      return void 0;
+    const f = filter;
+    const s3Key = f["S3Key"];
+    if (!s3Key)
+      return void 0;
+    const rules = s3Key["Rules"];
+    if (!rules || !Array.isArray(rules) || rules.length === 0)
+      return void 0;
+    return {
+      Key: {
+        FilterRules: rules.filter((r) => r.Name !== void 0 && r.Value !== void 0).map((r) => ({ Name: r.Name, Value: r.Value }))
+      }
+    };
+  }
   /**
    * Apply metrics configurations
    *
@@ -31214,20 +31315,226 @@ var S3BucketProvider = class {
       );
       this.logger.debug(`Applied ownership controls to bucket ${bucketName}`);
     }
+    const publicAccessBlock = properties["PublicAccessBlockConfiguration"];
+    if (publicAccessBlock) {
+      await this.applyPublicAccessBlockConfiguration(bucketName, publicAccessBlock);
+    }
+    const bucketEncryption = properties["BucketEncryption"];
+    if (bucketEncryption?.ServerSideEncryptionConfiguration && Array.isArray(bucketEncryption.ServerSideEncryptionConfiguration) && bucketEncryption.ServerSideEncryptionConfiguration.length > 0) {
+      await this.applyBucketEncryption(bucketName, bucketEncryption);
+    }
+  }
+  /**
+   * Diff CFn-shape sub-config values between previous and new state.
+   *
+   * Three transitions:
+   * - undefined -> defined  (value differs from previous, OR previous undefined): Put
+   * - defined -> undefined: Delete
+   * - defined -> defined (different): Put
+   * - unchanged: skip
+   *
+   * For the array-shaped configs (Metrics / Analytics / IntelligentTier /
+   * Inventory) this is per-id rather than per-config — see the dedicated
+   * helpers below.
+   */
+  async diffSubConfig(_bucketName, oldVal, newVal, onPut, onDelete) {
+    const same = JSON.stringify(oldVal ?? null) === JSON.stringify(newVal ?? null);
+    if (same)
+      return;
+    if (newVal === void 0 || newVal === null) {
+      await onDelete();
+      return;
+    }
+    await onPut(newVal);
+  }
+  /**
+   * Per-id diff for the four array-shaped configs (MetricsConfigurations,
+   * AnalyticsConfigurations, IntelligentTieringConfigurations,
+   * InventoryConfigurations). Each AWS API operates on one config per
+   * (bucket, id) pair: Put-on-add or Put-on-change, Delete-on-removed.
+   */
+  async diffArrayConfigById(_bucketName, oldArr, newArr, onPut, onDelete) {
+    const oldById = /* @__PURE__ */ new Map();
+    for (const c of oldArr ?? []) {
+      const id = c["Id"];
+      if (id)
+        oldById.set(id, c);
+    }
+    const newById = /* @__PURE__ */ new Map();
+    for (const c of newArr ?? []) {
+      const id = c["Id"];
+      if (id)
+        newById.set(id, c);
+    }
+    for (const [id, cfg] of newById) {
+      const old = oldById.get(id);
+      if (!old || JSON.stringify(old) !== JSON.stringify(cfg)) {
+        await onPut(id, cfg);
+      }
+    }
+    for (const id of oldById.keys()) {
+      if (!newById.has(id)) {
+        await onDelete(id);
+      }
+    }
+  }
+  /**
+   * Apply the diff between previous and new sub-configs, issuing Put / Delete
+   * SDK calls only for differing keys. Called from `update()`.
+   *
+   * Versioning / PublicAccessBlock / Tags / OwnershipControls / BucketEncryption
+   * stay on `applyConfiguration` (the unconditional always-PUT path) because
+   * their AWS APIs don't have a clean "delete" counterpart and they
+   * round-trip safely as no-ops when state == AWS-current. The 12 sub-configs
+   * below DO have proper Put/Delete pairs so the diff path is preferable.
+   */
+  async applySubConfigDiffs(bucketName, properties, previousProperties) {
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["LifecycleConfiguration"],
+      properties["LifecycleConfiguration"],
+      async (cfg) => {
+        if (!cfg.Rules || !Array.isArray(cfg.Rules) || cfg.Rules.length === 0)
+          return;
+        await this.applyLifecycleConfiguration(bucketName, cfg);
+      },
+      async () => {
+        await this.s3Client.send(new DeleteBucketLifecycleCommand({ Bucket: bucketName }));
+        this.logger.debug(`Deleted lifecycle configuration on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["CorsConfiguration"],
+      properties["CorsConfiguration"],
+      async (cfg) => {
+        if (!cfg.CorsRules || !Array.isArray(cfg.CorsRules) || cfg.CorsRules.length === 0)
+          return;
+        await this.applyCorsConfiguration(bucketName, cfg);
+      },
+      async () => {
+        await this.s3Client.send(new DeleteBucketCorsCommand({ Bucket: bucketName }));
+        this.logger.debug(`Deleted CORS configuration on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["WebsiteConfiguration"],
+      properties["WebsiteConfiguration"],
+      async (cfg) => this.applyWebsiteConfiguration(bucketName, cfg),
+      async () => {
+        await this.s3Client.send(new DeleteBucketWebsiteCommand({ Bucket: bucketName }));
+        this.logger.debug(`Deleted website configuration on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["LoggingConfiguration"],
+      properties["LoggingConfiguration"],
+      async (cfg) => this.applyLoggingConfiguration(bucketName, cfg),
+      async () => this.applyLoggingConfiguration(bucketName, void 0)
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["NotificationConfiguration"],
+      properties["NotificationConfiguration"],
+      async (cfg) => this.applyNotificationConfiguration(bucketName, cfg),
+      async () => this.applyNotificationConfiguration(bucketName, void 0)
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["ReplicationConfiguration"],
+      properties["ReplicationConfiguration"],
+      async (cfg) => this.applyReplicationConfiguration(bucketName, cfg),
+      async () => {
+        await this.s3Client.send(new DeleteBucketReplicationCommand({ Bucket: bucketName }));
+        this.logger.debug(`Deleted replication configuration on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["ObjectLockConfiguration"],
+      properties["ObjectLockConfiguration"],
+      async (cfg) => this.applyObjectLockConfiguration(bucketName, cfg),
+      async () => {
+        await this.s3Client.send(
+          new PutObjectLockConfigurationCommand({
+            Bucket: bucketName,
+            ObjectLockConfiguration: { ObjectLockEnabled: "Enabled" }
+          })
+        );
+        this.logger.debug(`Cleared object lock rule on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["AccelerateConfiguration"],
+      properties["AccelerateConfiguration"],
+      async (cfg) => this.applyAccelerateConfiguration(bucketName, cfg),
+      async () => this.applyAccelerateConfiguration(bucketName, { AccelerationStatus: "Suspended" })
+    );
+    await this.diffArrayConfigById(
+      bucketName,
+      previousProperties["MetricsConfigurations"],
+      properties["MetricsConfigurations"],
+      async (_id, cfg) => this.applyMetricsConfigurations(bucketName, [cfg]),
+      async (id) => {
+        await this.s3Client.send(
+          new DeleteBucketMetricsConfigurationCommand({ Bucket: bucketName, Id: id })
+        );
+        this.logger.debug(`Deleted metrics configuration ${id} on bucket ${bucketName}`);
+      }
+    );
+    await this.diffArrayConfigById(
+      bucketName,
+      previousProperties["AnalyticsConfigurations"],
+      properties["AnalyticsConfigurations"],
+      async (_id, cfg) => this.applyAnalyticsConfigurations(bucketName, [cfg]),
+      async (id) => {
+        await this.s3Client.send(
+          new DeleteBucketAnalyticsConfigurationCommand({ Bucket: bucketName, Id: id })
+        );
+        this.logger.debug(`Deleted analytics configuration ${id} on bucket ${bucketName}`);
+      }
+    );
+    await this.diffArrayConfigById(
+      bucketName,
+      previousProperties["IntelligentTieringConfigurations"],
+      properties["IntelligentTieringConfigurations"],
+      async (_id, cfg) => this.applyIntelligentTieringConfigurations(bucketName, [cfg]),
+      async (id) => {
+        await this.s3Client.send(
+          new DeleteBucketIntelligentTieringConfigurationCommand({
+            Bucket: bucketName,
+            Id: id
+          })
+        );
+        this.logger.debug(
+          `Deleted intelligent tiering configuration ${id} on bucket ${bucketName}`
+        );
+      }
+    );
+    await this.diffArrayConfigById(
+      bucketName,
+      previousProperties["InventoryConfigurations"],
+      properties["InventoryConfigurations"],
+      async (_id, cfg) => this.applyInventoryConfigurations(bucketName, [cfg]),
+      async (id) => {
+        await this.s3Client.send(
+          new DeleteBucketInventoryConfigurationCommand({ Bucket: bucketName, Id: id })
+        );
+        this.logger.debug(`Deleted inventory configuration ${id} on bucket ${bucketName}`);
+      }
+    );
+  }
+  /**
+   * Apply ALL sub-configs unconditionally on initial create. Used by
+   * `create()` so the bucket starts out matching the template.
+   */
+  async applyAllSubConfigsForCreate(bucketName, properties) {
     const notifConfig = properties["NotificationConfiguration"];
-    if (notifConfig?.["EventBridgeConfiguration"]) {
-      const ebConfig = notifConfig["EventBridgeConfiguration"];
-      await this.s3Client.send(
-        new PutBucketNotificationConfigurationCommand({
-          Bucket: bucketName,
-          NotificationConfiguration: {
-            EventBridgeConfiguration: {
-              EventBridgeEnabled: ebConfig.EventBridgeEnabled ?? true
-            }
-          }
-        })
-      );
-      this.logger.debug(`Applied EventBridge notification to bucket ${bucketName}`);
+    if (notifConfig) {
+      await this.applyNotificationConfiguration(bucketName, notifConfig);
     }
     const corsConfig = properties["CorsConfiguration"];
     if (corsConfig?.CorsRules && Array.isArray(corsConfig.CorsRules) && corsConfig.CorsRules.length > 0) {
@@ -31237,16 +31544,8 @@ var S3BucketProvider = class {
     if (lifecycleConfig?.Rules && Array.isArray(lifecycleConfig.Rules) && lifecycleConfig.Rules.length > 0) {
       await this.applyLifecycleConfiguration(bucketName, lifecycleConfig);
     }
-    const publicAccessBlock = properties["PublicAccessBlockConfiguration"];
-    if (publicAccessBlock) {
-      await this.applyPublicAccessBlockConfiguration(bucketName, publicAccessBlock);
-    }
-    const bucketEncryption = properties["BucketEncryption"];
-    if (bucketEncryption?.ServerSideEncryptionConfiguration && Array.isArray(bucketEncryption.ServerSideEncryptionConfiguration) && bucketEncryption.ServerSideEncryptionConfiguration.length > 0) {
-      await this.applyBucketEncryption(bucketName, bucketEncryption);
-    }
     const loggingConfig = properties["LoggingConfiguration"];
-    if (loggingConfig) {
+    if (loggingConfig?.["DestinationBucketName"]) {
       await this.applyLoggingConfiguration(bucketName, loggingConfig);
     }
     const websiteConfig = properties["WebsiteConfiguration"];
@@ -31316,6 +31615,7 @@ var S3BucketProvider = class {
         }
       }
       await this.applyConfiguration(bucketName, properties);
+      await this.applyAllSubConfigsForCreate(bucketName, properties);
       const attributes = await this.buildAttributes(bucketName);
       this.logger.debug(`Successfully created S3 bucket ${logicalId}: ${bucketName}`);
       return {
@@ -31355,6 +31655,7 @@ var S3BucketProvider = class {
         /* skipTags */
         true
       );
+      await this.applySubConfigDiffs(physicalId, properties, previousProperties);
       await this.applyTagDiff(
         physicalId,
         previousProperties["Tags"],
@@ -31417,20 +31718,23 @@ var S3BucketProvider = class {
    * into a single CFn-shaped object. Each call can throw a "feature not
    * configured" error (`NoSuchBucketConfiguration`,
    * `ServerSideEncryptionConfigurationNotFoundError`, `NoSuchTagSet`,
-   * `NoSuchPublicAccessBlockConfiguration`) — those are caught individually
-   * and the corresponding key is omitted from the result, NOT treated as
-   * the bucket being absent.
+   * `NoSuchPublicAccessBlockConfiguration`, etc.) — those are caught
+   * individually and the corresponding key is emitted as a CFn-shape
+   * placeholder (per docs/provider-development.md § 3b: always-emit
+   * user-controllable top-level keys), NOT treated as the bucket being
+   * absent.
    *
    * Only the bucket-gone case (`NoSuchBucket`, HTTP 404 from `HeadBucket`)
    * returns `undefined`.
    *
    * Coverage: `BucketName`, `VersioningConfiguration`, `BucketEncryption`,
-   * `PublicAccessBlockConfiguration`, `Tags`. Other configuration
-   * properties (Lifecycle, CORS, Website, Logging, Notification,
-   * Replication, ObjectLock, Accelerate, Metrics/Analytics/IntelligentTier/
-   * Inventory) are out of scope for v1 — they each need their own GET +
-   * shape mapping; CC API drift detection picks them up via `GetResource`
-   * once a user works through the SDK provider boundary.
+   * `PublicAccessBlockConfiguration`, `Tags`, plus all 12 sub-configs:
+   * `LifecycleConfiguration`, `CorsConfiguration`, `WebsiteConfiguration`,
+   * `LoggingConfiguration`, `NotificationConfiguration`,
+   * `ReplicationConfiguration`, `ObjectLockConfiguration`,
+   * `AccelerateConfiguration`, `MetricsConfigurations`,
+   * `AnalyticsConfigurations`, `IntelligentTieringConfigurations`,
+   * `InventoryConfigurations`.
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
     try {
@@ -31442,17 +31746,75 @@ var S3BucketProvider = class {
       }
       throw err;
     }
-    const result = {
-      BucketName: physicalId
+    const [
+      versioning,
+      encryption,
+      pab,
+      tags,
+      lifecycle,
+      cors,
+      website,
+      logging,
+      notification,
+      replication,
+      objectLock,
+      accelerate,
+      metrics,
+      analytics,
+      intelligentTier,
+      inventory
+    ] = await Promise.all([
+      this.readVersioning(physicalId),
+      this.readEncryption(physicalId),
+      this.readPublicAccessBlock(physicalId),
+      this.readTags(physicalId),
+      this.readLifecycle(physicalId),
+      this.readCors(physicalId),
+      this.readWebsite(physicalId),
+      this.readLogging(physicalId),
+      this.readNotification(physicalId),
+      this.readReplication(physicalId),
+      this.readObjectLock(physicalId),
+      this.readAccelerate(physicalId),
+      this.readMetricsList(physicalId),
+      this.readAnalyticsList(physicalId),
+      this.readIntelligentTieringList(physicalId),
+      this.readInventoryList(physicalId)
+    ]);
+    return {
+      BucketName: physicalId,
+      VersioningConfiguration: versioning,
+      BucketEncryption: encryption,
+      PublicAccessBlockConfiguration: pab,
+      Tags: tags,
+      LifecycleConfiguration: lifecycle,
+      CorsConfiguration: cors,
+      WebsiteConfiguration: website,
+      LoggingConfiguration: logging,
+      NotificationConfiguration: notification,
+      ReplicationConfiguration: replication,
+      ObjectLockConfiguration: objectLock,
+      AccelerateConfiguration: accelerate,
+      MetricsConfigurations: metrics,
+      AnalyticsConfigurations: analytics,
+      IntelligentTieringConfigurations: intelligentTier,
+      InventoryConfigurations: inventory
     };
-    {
-      const resp = await this.s3Client.send(new GetBucketVersioningCommand({ Bucket: physicalId }));
-      result["VersioningConfiguration"] = { Status: resp.Status ?? "Suspended" };
-    }
+  }
+  // -------------------------------------------------------------------
+  // readCurrentState helpers — one per sub-config. Each catches the
+  // "feature not configured" error and returns the always-emit
+  // placeholder shape per docs/provider-development.md § 3b.
+  // -------------------------------------------------------------------
+  async readVersioning(bucket) {
+    const resp = await this.s3Client.send(new GetBucketVersioningCommand({ Bucket: bucket }));
+    return { Status: resp.Status ?? "Suspended" };
+  }
+  async readEncryption(bucket) {
     try {
-      const resp = await this.s3Client.send(new GetBucketEncryptionCommand({ Bucket: physicalId }));
+      const resp = await this.s3Client.send(new GetBucketEncryptionCommand({ Bucket: bucket }));
       const rules = resp.ServerSideEncryptionConfiguration?.Rules ?? [];
-      result["BucketEncryption"] = {
+      return {
         ServerSideEncryptionConfiguration: rules.map((rule) => {
           const out = {};
           const sse = rule.ApplyServerSideEncryptionByDefault;
@@ -31472,17 +31834,16 @@ var S3BucketProvider = class {
     } catch (err) {
       const e = err;
       if (e.name === "ServerSideEncryptionConfigurationNotFoundError") {
-        result["BucketEncryption"] = { ServerSideEncryptionConfiguration: [] };
-      } else {
-        throw err;
+        return { ServerSideEncryptionConfiguration: [] };
       }
+      throw err;
     }
+  }
+  async readPublicAccessBlock(bucket) {
     try {
-      const resp = await this.s3Client.send(
-        new GetPublicAccessBlockCommand({ Bucket: physicalId })
-      );
+      const resp = await this.s3Client.send(new GetPublicAccessBlockCommand({ Bucket: bucket }));
       const cfg = resp.PublicAccessBlockConfiguration;
-      result["PublicAccessBlockConfiguration"] = {
+      return {
         BlockPublicAcls: cfg?.BlockPublicAcls ?? false,
         BlockPublicPolicy: cfg?.BlockPublicPolicy ?? false,
         IgnorePublicAcls: cfg?.IgnorePublicAcls ?? false,
@@ -31491,28 +31852,593 @@ var S3BucketProvider = class {
     } catch (err) {
       const e = err;
       if (e.name === "NoSuchPublicAccessBlockConfiguration") {
-        result["PublicAccessBlockConfiguration"] = {
+        return {
           BlockPublicAcls: false,
           BlockPublicPolicy: false,
           IgnorePublicAcls: false,
           RestrictPublicBuckets: false
         };
-      } else {
-        throw err;
       }
+      throw err;
+    }
+  }
+  async readTags(bucket) {
+    try {
+      const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: bucket }));
+      return normalizeAwsTagsToCfn(resp.TagSet);
+    } catch (err) {
+      const e = err;
+      if (e.name === "NoSuchTagSet")
+        return [];
+      throw err;
+    }
+  }
+  async readLifecycle(bucket) {
+    try {
+      const resp = await this.s3Client.send(
+        new GetBucketLifecycleConfigurationCommand({ Bucket: bucket })
+      );
+      const rules = resp.Rules ?? [];
+      return {
+        Rules: rules.map((r) => {
+          const out = {};
+          if (r.ID !== void 0)
+            out["Id"] = r.ID;
+          if (r.Status !== void 0)
+            out["Status"] = r.Status;
+          if (r.Prefix !== void 0)
+            out["Prefix"] = r.Prefix;
+          if (r.Expiration) {
+            const exp = {};
+            if (r.Expiration.Days !== void 0)
+              exp["Days"] = r.Expiration.Days;
+            if (r.Expiration.Date !== void 0)
+              exp["Date"] = r.Expiration.Date.toISOString();
+            if (r.Expiration.ExpiredObjectDeleteMarker !== void 0)
+              exp["ExpiredObjectDeleteMarker"] = r.Expiration.ExpiredObjectDeleteMarker;
+            out["Expiration"] = exp;
+          }
+          if (r.Transitions && r.Transitions.length > 0) {
+            out["Transitions"] = r.Transitions.map((t) => {
+              const item = {};
+              if (t.Days !== void 0)
+                item["TransitionInDays"] = t.Days;
+              if (t.Date !== void 0)
+                item["TransitionDate"] = t.Date.toISOString();
+              if (t.StorageClass !== void 0)
+                item["StorageClass"] = t.StorageClass;
+              return item;
+            });
+          }
+          if (r.NoncurrentVersionExpiration) {
+            const nve = {};
+            if (r.NoncurrentVersionExpiration.NoncurrentDays !== void 0)
+              nve["NoncurrentDays"] = r.NoncurrentVersionExpiration.NoncurrentDays;
+            if (r.NoncurrentVersionExpiration.NewerNoncurrentVersions !== void 0)
+              nve["NewerNoncurrentVersions"] = r.NoncurrentVersionExpiration.NewerNoncurrentVersions;
+            out["NoncurrentVersionExpiration"] = nve;
+          }
+          if (r.NoncurrentVersionTransitions && r.NoncurrentVersionTransitions.length > 0) {
+            out["NoncurrentVersionTransitions"] = r.NoncurrentVersionTransitions.map((nvt) => {
+              const item = {};
+              if (nvt.NoncurrentDays !== void 0)
+                item["NoncurrentDays"] = nvt.NoncurrentDays;
+              if (nvt.StorageClass !== void 0)
+                item["StorageClass"] = nvt.StorageClass;
+              if (nvt.NewerNoncurrentVersions !== void 0)
+                item["NewerNoncurrentVersions"] = nvt.NewerNoncurrentVersions;
+              return item;
+            });
+          }
+          if (r.AbortIncompleteMultipartUpload) {
+            out["AbortIncompleteMultipartUpload"] = {
+              DaysAfterInitiation: r.AbortIncompleteMultipartUpload.DaysAfterInitiation
+            };
+          }
+          if (r.Filter) {
+            const f = r.Filter;
+            const cfnFilter = {};
+            const and = f["And"];
+            const tagOnly = f["Tag"];
+            if (and) {
+              if (and["Prefix"] !== void 0)
+                cfnFilter["Prefix"] = and["Prefix"];
+              if (and["Tags"])
+                cfnFilter["TagFilters"] = and["Tags"];
+              if (and["ObjectSizeGreaterThan"] !== void 0)
+                cfnFilter["ObjectSizeGreaterThan"] = and["ObjectSizeGreaterThan"];
+              if (and["ObjectSizeLessThan"] !== void 0)
+                cfnFilter["ObjectSizeLessThan"] = and["ObjectSizeLessThan"];
+            } else if (tagOnly) {
+              cfnFilter["TagFilters"] = [tagOnly];
+            } else {
+              if (f["Prefix"] !== void 0)
+                cfnFilter["Prefix"] = f["Prefix"];
+              if (f["ObjectSizeGreaterThan"] !== void 0)
+                cfnFilter["ObjectSizeGreaterThan"] = f["ObjectSizeGreaterThan"];
+              if (f["ObjectSizeLessThan"] !== void 0)
+                cfnFilter["ObjectSizeLessThan"] = f["ObjectSizeLessThan"];
+            }
+            if (Object.keys(cfnFilter).length > 0)
+              out["Filter"] = cfnFilter;
+          }
+          return out;
+        })
+      };
+    } catch (err) {
+      const e = err;
+      if (e.name === "NoSuchLifecycleConfiguration")
+        return { Rules: [] };
+      throw err;
+    }
+  }
+  async readCors(bucket) {
+    try {
+      const resp = await this.s3Client.send(new GetBucketCorsCommand({ Bucket: bucket }));
+      const rules = resp.CORSRules ?? [];
+      return {
+        CorsRules: rules.map((r) => {
+          const out = {};
+          if (r.ID !== void 0)
+            out["Id"] = r.ID;
+          if (r.AllowedHeaders !== void 0)
+            out["AllowedHeaders"] = r.AllowedHeaders;
+          if (r.AllowedMethods !== void 0)
+            out["AllowedMethods"] = r.AllowedMethods;
+          if (r.AllowedOrigins !== void 0)
+            out["AllowedOrigins"] = r.AllowedOrigins;
+          if (r.ExposeHeaders !== void 0)
+            out["ExposedHeaders"] = r.ExposeHeaders;
+          if (r.MaxAgeSeconds !== void 0)
+            out["MaxAge"] = r.MaxAgeSeconds;
+          return out;
+        })
+      };
+    } catch (err) {
+      const e = err;
+      if (e.name === "NoSuchCORSConfiguration")
+        return { CorsRules: [] };
+      throw err;
+    }
+  }
+  async readWebsite(bucket) {
+    try {
+      const resp = await this.s3Client.send(new GetBucketWebsiteCommand({ Bucket: bucket }));
+      const out = {};
+      if (resp.IndexDocument?.Suffix !== void 0) {
+        out["IndexDocument"] = resp.IndexDocument.Suffix;
+      }
+      if (resp.ErrorDocument?.Key !== void 0) {
+        out["ErrorDocument"] = resp.ErrorDocument.Key;
+      }
+      if (resp.RedirectAllRequestsTo) {
+        const redirect = {};
+        if (resp.RedirectAllRequestsTo.HostName !== void 0)
+          redirect["HostName"] = resp.RedirectAllRequestsTo.HostName;
+        if (resp.RedirectAllRequestsTo.Protocol !== void 0)
+          redirect["Protocol"] = resp.RedirectAllRequestsTo.Protocol;
+        out["RedirectAllRequestsTo"] = redirect;
+      }
+      if (resp.RoutingRules && resp.RoutingRules.length > 0) {
+        out["RoutingRules"] = resp.RoutingRules.map((rr) => {
+          const ruleOut = {};
+          if (rr.Condition) {
+            const c = {};
+            if (rr.Condition.HttpErrorCodeReturnedEquals !== void 0)
+              c["HttpErrorCodeReturnedEquals"] = rr.Condition.HttpErrorCodeReturnedEquals;
+            if (rr.Condition.KeyPrefixEquals !== void 0)
+              c["KeyPrefixEquals"] = rr.Condition.KeyPrefixEquals;
+            ruleOut["RoutingRuleCondition"] = c;
+          }
+          if (rr.Redirect) {
+            const r = {};
+            if (rr.Redirect.HostName !== void 0)
+              r["HostName"] = rr.Redirect.HostName;
+            if (rr.Redirect.HttpRedirectCode !== void 0)
+              r["HttpRedirectCode"] = rr.Redirect.HttpRedirectCode;
+            if (rr.Redirect.Protocol !== void 0)
+              r["Protocol"] = rr.Redirect.Protocol;
+            if (rr.Redirect.ReplaceKeyPrefixWith !== void 0)
+              r["ReplaceKeyPrefixWith"] = rr.Redirect.ReplaceKeyPrefixWith;
+            if (rr.Redirect.ReplaceKeyWith !== void 0)
+              r["ReplaceKeyWith"] = rr.Redirect.ReplaceKeyWith;
+            ruleOut["RedirectRule"] = r;
+          }
+          return ruleOut;
+        });
+      }
+      return out;
+    } catch (err) {
+      const e = err;
+      if (e.name === "NoSuchWebsiteConfiguration")
+        return {};
+      throw err;
     }
+  }
+  async readLogging(bucket) {
+    const resp = await this.s3Client.send(new GetBucketLoggingCommand({ Bucket: bucket }));
+    if (!resp.LoggingEnabled)
+      return {};
+    const out = {};
+    if (resp.LoggingEnabled.TargetBucket !== void 0)
+      out["DestinationBucketName"] = resp.LoggingEnabled.TargetBucket;
+    if (resp.LoggingEnabled.TargetPrefix !== void 0)
+      out["LogFilePrefix"] = resp.LoggingEnabled.TargetPrefix;
+    return out;
+  }
+  async readNotification(bucket) {
+    const resp = await this.s3Client.send(
+      new GetBucketNotificationConfigurationCommand({ Bucket: bucket })
+    );
+    const out = {};
+    if (resp.TopicConfigurations && resp.TopicConfigurations.length > 0) {
+      out["TopicConfigurations"] = resp.TopicConfigurations.map((t) => {
+        const e = {};
+        if (t.Id !== void 0)
+          e["Id"] = t.Id;
+        if (t.TopicArn !== void 0)
+          e["Topic"] = t.TopicArn;
+        if (t.Events !== void 0)
+          e["Events"] = t.Events;
+        if (t.Filter)
+          e["Filter"] = this.sdkNotifFilterToCfn(t.Filter);
+        return e;
+      });
+    }
+    if (resp.QueueConfigurations && resp.QueueConfigurations.length > 0) {
+      out["QueueConfigurations"] = resp.QueueConfigurations.map((q) => {
+        const e = {};
+        if (q.Id !== void 0)
+          e["Id"] = q.Id;
+        if (q.QueueArn !== void 0)
+          e["Queue"] = q.QueueArn;
+        if (q.Events !== void 0)
+          e["Events"] = q.Events;
+        if (q.Filter)
+          e["Filter"] = this.sdkNotifFilterToCfn(q.Filter);
+        return e;
+      });
+    }
+    if (resp.LambdaFunctionConfigurations && resp.LambdaFunctionConfigurations.length > 0) {
+      out["LambdaConfigurations"] = resp.LambdaFunctionConfigurations.map((l) => {
+        const e = {};
+        if (l.Id !== void 0)
+          e["Id"] = l.Id;
+        if (l.LambdaFunctionArn !== void 0)
+          e["Function"] = l.LambdaFunctionArn;
+        if (l.Events !== void 0)
+          e["Events"] = l.Events;
+        if (l.Filter)
+          e["Filter"] = this.sdkNotifFilterToCfn(l.Filter);
+        return e;
+      });
+    }
+    if (resp.EventBridgeConfiguration) {
+      out["EventBridgeConfiguration"] = {};
+    }
+    return out;
+  }
+  sdkNotifFilterToCfn(filter) {
+    if (!filter || typeof filter !== "object")
+      return {};
+    const f = filter;
+    const key = f["Key"];
+    if (!key)
+      return {};
+    const filterRules = key["FilterRules"];
+    if (!filterRules)
+      return {};
+    return {
+      S3Key: {
+        Rules: filterRules.map((r) => ({ Name: r.Name, Value: r.Value }))
+      }
+    };
+  }
+  async readReplication(bucket) {
     try {
-      const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: physicalId }));
-      result["Tags"] = normalizeAwsTagsToCfn(resp.TagSet);
+      const resp = await this.s3Client.send(new GetBucketReplicationCommand({ Bucket: bucket }));
+      const cfg = resp.ReplicationConfiguration;
+      if (!cfg)
+        return {};
+      const out = {};
+      if (cfg.Role !== void 0)
+        out["Role"] = cfg.Role;
+      if (cfg.Rules) {
+        out["Rules"] = cfg.Rules.map((r) => {
+          const ruleOut = {};
+          if (r.ID !== void 0)
+            ruleOut["Id"] = r.ID;
+          if (r.Status !== void 0)
+            ruleOut["Status"] = r.Status;
+          if (r.Priority !== void 0)
+            ruleOut["Priority"] = r.Priority;
+          if (r.Prefix !== void 0)
+            ruleOut["Prefix"] = r.Prefix;
+          if (r.Destination) {
+            const d = {};
+            if (r.Destination.Bucket !== void 0)
+              d["Bucket"] = r.Destination.Bucket;
+            if (r.Destination.Account !== void 0)
+              d["Account"] = r.Destination.Account;
+            if (r.Destination.StorageClass !== void 0)
+              d["StorageClass"] = r.Destination.StorageClass;
+            ruleOut["Destination"] = d;
+          }
+          if (r.Filter) {
+            const f = r.Filter;
+            const cfnFilter = {};
+            const and = f["And"];
+            const tagOnly = f["Tag"];
+            if (and) {
+              if (and["Prefix"] !== void 0)
+                cfnFilter["Prefix"] = and["Prefix"];
+              const tags = and["Tags"];
+              if (tags && tags.length > 0)
+                cfnFilter["TagFilter"] = tags[0];
+            } else if (tagOnly) {
+              cfnFilter["TagFilter"] = tagOnly;
+            } else if (f["Prefix"] !== void 0) {
+              cfnFilter["Prefix"] = f["Prefix"];
+            }
+            if (Object.keys(cfnFilter).length > 0)
+              ruleOut["Filter"] = cfnFilter;
+          }
+          if (r.DeleteMarkerReplication) {
+            ruleOut["DeleteMarkerReplication"] = {
+              Status: r.DeleteMarkerReplication.Status
+            };
+          }
+          return ruleOut;
+        });
+      }
+      return out;
     } catch (err) {
       const e = err;
-      if (e.name === "NoSuchTagSet") {
-        result["Tags"] = [];
+      if (e.name === "ReplicationConfigurationNotFoundError")
+        return {};
+      throw err;
+    }
+  }
+  async readObjectLock(bucket) {
+    try {
+      const resp = await this.s3Client.send(
+        new GetObjectLockConfigurationCommand({ Bucket: bucket })
+      );
+      const cfg = resp.ObjectLockConfiguration;
+      if (!cfg)
+        return {};
+      const out = {};
+      if (cfg.ObjectLockEnabled !== void 0)
+        out["ObjectLockEnabled"] = cfg.ObjectLockEnabled;
+      if (cfg.Rule?.DefaultRetention) {
+        const r = cfg.Rule.DefaultRetention;
+        const retention = {};
+        if (r.Mode !== void 0)
+          retention["Mode"] = r.Mode;
+        if (r.Days !== void 0)
+          retention["Days"] = r.Days;
+        if (r.Years !== void 0)
+          retention["Years"] = r.Years;
+        out["Rule"] = { DefaultRetention: retention };
+      }
+      return out;
+    } catch (err) {
+      const e = err;
+      if (e.name === "ObjectLockConfigurationNotFoundError" || e.name === "NoSuchBucketConfiguration") {
+        return {};
+      }
+      throw err;
+    }
+  }
+  async readAccelerate(bucket) {
+    const resp = await this.s3Client.send(
+      new GetBucketAccelerateConfigurationCommand({ Bucket: bucket })
+    );
+    return { AccelerationStatus: resp.Status ?? "Suspended" };
+  }
+  async readMetricsList(bucket) {
+    const out = [];
+    let continuationToken;
+    while (true) {
+      const resp = await this.s3Client.send(
+        new ListBucketMetricsConfigurationsCommand({
+          Bucket: bucket,
+          ContinuationToken: continuationToken
+        })
+      );
+      for (const c of resp.MetricsConfigurationList ?? []) {
+        out.push(this.metricsSdkToCfn(c));
+      }
+      if (!resp.IsTruncated)
+        break;
+      continuationToken = resp.NextContinuationToken;
+    }
+    return out;
+  }
+  metricsSdkToCfn(c) {
+    const out = {};
+    if (c["Id"] !== void 0)
+      out["Id"] = c["Id"];
+    const f = c["Filter"];
+    if (f) {
+      const and = f["And"];
+      const tagOnly = f["Tag"];
+      if (and) {
+        if (and["Prefix"] !== void 0)
+          out["Prefix"] = and["Prefix"];
+        if (and["Tags"])
+          out["TagFilters"] = and["Tags"];
+        if (and["AccessPointArn"] !== void 0)
+          out["AccessPointArn"] = and["AccessPointArn"];
+      } else if (tagOnly) {
+        out["TagFilters"] = [tagOnly];
       } else {
-        throw err;
+        if (f["Prefix"] !== void 0)
+          out["Prefix"] = f["Prefix"];
+        if (f["AccessPointArn"] !== void 0)
+          out["AccessPointArn"] = f["AccessPointArn"];
       }
     }
-    return result;
+    return out;
+  }
+  async readAnalyticsList(bucket) {
+    const out = [];
+    let continuationToken;
+    while (true) {
+      const resp = await this.s3Client.send(
+        new ListBucketAnalyticsConfigurationsCommand({
+          Bucket: bucket,
+          ContinuationToken: continuationToken
+        })
+      );
+      for (const c of resp.AnalyticsConfigurationList ?? []) {
+        out.push(this.analyticsSdkToCfn(c));
+      }
+      if (!resp.IsTruncated)
+        break;
+      continuationToken = resp.NextContinuationToken;
+    }
+    return out;
+  }
+  analyticsSdkToCfn(c) {
+    const out = {};
+    if (c["Id"] !== void 0)
+      out["Id"] = c["Id"];
+    const f = c["Filter"];
+    if (f) {
+      const and = f["And"];
+      const tagOnly = f["Tag"];
+      if (and) {
+        if (and["Prefix"] !== void 0)
+          out["Prefix"] = and["Prefix"];
+        if (and["Tags"])
+          out["TagFilters"] = and["Tags"];
+      } else if (tagOnly) {
+        out["TagFilters"] = [tagOnly];
+      } else if (f["Prefix"] !== void 0) {
+        out["Prefix"] = f["Prefix"];
+      }
+    }
+    const sca = c["StorageClassAnalysis"];
+    if (sca?.["DataExport"]) {
+      const dataExport = sca["DataExport"];
+      const dest = dataExport["Destination"];
+      const s3Dest = dest?.["S3BucketDestination"];
+      out["StorageClassAnalysis"] = {
+        DataExport: {
+          OutputSchemaVersion: dataExport["OutputSchemaVersion"],
+          Destination: s3Dest ? {
+            S3BucketDestination: {
+              BucketArn: s3Dest["Bucket"],
+              BucketAccountId: s3Dest["BucketAccountId"],
+              Format: s3Dest["Format"],
+              Prefix: s3Dest["Prefix"]
+            }
+          } : void 0
+        }
+      };
+    }
+    return out;
+  }
+  async readIntelligentTieringList(bucket) {
+    const out = [];
+    let continuationToken;
+    while (true) {
+      const resp = await this.s3Client.send(
+        new ListBucketIntelligentTieringConfigurationsCommand({
+          Bucket: bucket,
+          ContinuationToken: continuationToken
+        })
+      );
+      for (const c of resp.IntelligentTieringConfigurationList ?? []) {
+        out.push(this.intelligentTieringSdkToCfn(c));
+      }
+      if (!resp.IsTruncated)
+        break;
+      continuationToken = resp.NextContinuationToken;
+    }
+    return out;
+  }
+  intelligentTieringSdkToCfn(c) {
+    const out = {};
+    if (c["Id"] !== void 0)
+      out["Id"] = c["Id"];
+    if (c["Status"] !== void 0)
+      out["Status"] = c["Status"];
+    if (c["Tierings"]) {
+      const tierings = c["Tierings"];
+      out["Tierings"] = tierings.map((t) => ({
+        AccessTier: t["AccessTier"],
+        Days: t["Days"]
+      }));
+    }
+    const f = c["Filter"];
+    if (f) {
+      const and = f["And"];
+      const tagOnly = f["Tag"];
+      if (and) {
+        if (and["Prefix"] !== void 0)
+          out["Prefix"] = and["Prefix"];
+        if (and["Tags"])
+          out["TagFilters"] = and["Tags"];
+      } else if (tagOnly) {
+        out["TagFilters"] = [tagOnly];
+      } else if (f["Prefix"] !== void 0) {
+        out["Prefix"] = f["Prefix"];
+      }
+    }
+    return out;
+  }
+  async readInventoryList(bucket) {
+    const out = [];
+    let continuationToken;
+    while (true) {
+      const resp = await this.s3Client.send(
+        new ListBucketInventoryConfigurationsCommand({
+          Bucket: bucket,
+          ContinuationToken: continuationToken
+        })
+      );
+      for (const c of resp.InventoryConfigurationList ?? []) {
+        out.push(this.inventorySdkToCfn(c));
+      }
+      if (!resp.IsTruncated)
+        break;
+      continuationToken = resp.NextContinuationToken;
+    }
+    return out;
+  }
+  inventorySdkToCfn(c) {
+    const out = {};
+    if (c["Id"] !== void 0)
+      out["Id"] = c["Id"];
+    if (c["IsEnabled"] !== void 0)
+      out["Enabled"] = c["IsEnabled"];
+    if (c["IncludedObjectVersions"] !== void 0)
+      out["IncludedObjectVersions"] = c["IncludedObjectVersions"];
+    const schedule = c["Schedule"];
+    if (schedule?.["Frequency"] !== void 0)
+      out["ScheduleFrequency"] = schedule["Frequency"];
+    if (c["OptionalFields"] !== void 0)
+      out["OptionalFields"] = c["OptionalFields"];
+    const dest = c["Destination"];
+    const s3Dest = dest?.["S3BucketDestination"];
+    if (s3Dest) {
+      const cfnDest = {};
+      if (s3Dest["Bucket"] !== void 0)
+        cfnDest["BucketArn"] = s3Dest["Bucket"];
+      if (s3Dest["AccountId"] !== void 0)
+        cfnDest["BucketAccountId"] = s3Dest["AccountId"];
+      if (s3Dest["Format"] !== void 0)
+        cfnDest["Format"] = s3Dest["Format"];
+      if (s3Dest["Prefix"] !== void 0)
+        cfnDest["Prefix"] = s3Dest["Prefix"];
+      out["Destination"] = cfnDest;
+    }
+    const filter = c["Filter"];
+    if (filter?.["Prefix"] !== void 0)
+      out["Prefix"] = filter["Prefix"];
+    return out;
   }
   /**
    * Adopt an existing S3 bucket into cdkd state.
@@ -67067,7 +67993,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.61.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.62.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());