@go-to-k/cdkd 0.61.0 → 0.63.0

package/dist/cli.js

@@ -30482,22 +30482,42 @@ import {
   PutBucketOwnershipControlsCommand,
   PutBucketNotificationConfigurationCommand,
   PutBucketCorsCommand,
+  DeleteBucketCorsCommand,
   PutBucketLifecycleConfigurationCommand,
+  DeleteBucketLifecycleCommand,
   PutPublicAccessBlockCommand,
   PutBucketEncryptionCommand as PutBucketEncryptionCommand2,
   PutBucketLoggingCommand,
   PutBucketWebsiteCommand,
+  DeleteBucketWebsiteCommand,
   PutBucketAccelerateConfigurationCommand,
   PutBucketMetricsConfigurationCommand,
+  DeleteBucketMetricsConfigurationCommand,
   PutBucketAnalyticsConfigurationCommand,
+  DeleteBucketAnalyticsConfigurationCommand,
   PutBucketIntelligentTieringConfigurationCommand,
+  DeleteBucketIntelligentTieringConfigurationCommand,
   PutBucketInventoryConfigurationCommand,
+  DeleteBucketInventoryConfigurationCommand,
   PutBucketReplicationCommand,
+  DeleteBucketReplicationCommand,
   PutObjectLockConfigurationCommand,
   GetBucketEncryptionCommand,
   GetBucketTaggingCommand,
   GetBucketVersioningCommand,
   GetPublicAccessBlockCommand,
+  GetBucketLifecycleConfigurationCommand,
+  GetBucketCorsCommand,
+  GetBucketWebsiteCommand,
+  GetBucketLoggingCommand,
+  GetBucketNotificationConfigurationCommand,
+  GetBucketReplicationCommand,
+  GetObjectLockConfigurationCommand,
+  GetBucketAccelerateConfigurationCommand,
+  ListBucketMetricsConfigurationsCommand,
+  ListBucketAnalyticsConfigurationsCommand,
+  ListBucketIntelligentTieringConfigurationsCommand,
+  ListBucketInventoryConfigurationsCommand,
   NoSuchBucket,
   ListObjectVersionsCommand,
   DeleteObjectsCommand
@@ -30834,6 +30854,16 @@ var S3BucketProvider = class {
    * SDK: PutBucketLogging with BucketLoggingStatus.LoggingEnabled
    */
   async applyLoggingConfiguration(bucketName, loggingConfig) {
+    if (!loggingConfig || !loggingConfig["DestinationBucketName"]) {
+      await this.s3Client.send(
+        new PutBucketLoggingCommand({
+          Bucket: bucketName,
+          BucketLoggingStatus: {}
+        })
+      );
+      this.logger.debug(`Cleared logging configuration on bucket ${bucketName}`);
+      return;
+    }
     await this.s3Client.send(
       new PutBucketLoggingCommand({
         Bucket: bucketName,
@@ -30919,6 +30949,77 @@ var S3BucketProvider = class {
     );
     this.logger.debug(`Applied accelerate configuration to bucket ${bucketName}`);
   }
+  /**
+   * Apply notification configuration (full-replace via PutBucketNotificationConfiguration)
+   *
+   * CFn property: NotificationConfiguration with TopicConfigurations,
+   *   QueueConfigurations, LambdaConfigurations, EventBridgeConfiguration.
+   * SDK uses the same structure (PutBucketNotificationConfiguration replaces
+   * the entire notification configuration in one call).
+   */
+  async applyNotificationConfiguration(bucketName, notifConfig) {
+    const cfg = {};
+    if (notifConfig) {
+      const topics = notifConfig["TopicConfigurations"];
+      if (topics && Array.isArray(topics) && topics.length > 0) {
+        cfg.TopicConfigurations = topics.map((t) => ({
+          Id: t["Id"],
+          TopicArn: t["Topic"] ?? t["TopicArn"],
+          Events: t["Event"] !== void 0 ? [t["Event"]] : t["Events"],
+          Filter: this.cfnNotifFilterToSdk(t["Filter"])
+        }));
+      }
+      const queues = notifConfig["QueueConfigurations"];
+      if (queues && Array.isArray(queues) && queues.length > 0) {
+        cfg.QueueConfigurations = queues.map((q) => ({
+          Id: q["Id"],
+          QueueArn: q["Queue"] ?? q["QueueArn"],
+          Events: q["Event"] !== void 0 ? [q["Event"]] : q["Events"],
+          Filter: this.cfnNotifFilterToSdk(q["Filter"])
+        }));
+      }
+      const lambdas = notifConfig["LambdaConfigurations"];
+      if (lambdas && Array.isArray(lambdas) && lambdas.length > 0) {
+        cfg.LambdaFunctionConfigurations = lambdas.map((l) => ({
+          Id: l["Id"],
+          LambdaFunctionArn: l["Function"] ?? l["LambdaFunctionArn"],
+          Events: l["Event"] !== void 0 ? [l["Event"]] : l["Events"],
+          Filter: this.cfnNotifFilterToSdk(l["Filter"])
+        }));
+      }
+      const eb = notifConfig["EventBridgeConfiguration"];
+      if (eb !== void 0) {
+        cfg.EventBridgeConfiguration = {};
+      }
+    }
+    await this.s3Client.send(
+      new PutBucketNotificationConfigurationCommand({
+        Bucket: bucketName,
+        NotificationConfiguration: cfg
+      })
+    );
+    this.logger.debug(`Applied notification configuration to bucket ${bucketName}`);
+  }
+  /**
+   * Convert CFn notification Filter ({ S3Key: { Rules: [{ Name, Value }] } })
+   * to SDK NotificationConfigurationFilter.Key.FilterRules.
+   */
+  cfnNotifFilterToSdk(filter) {
+    if (!filter || typeof filter !== "object")
+      return void 0;
+    const f = filter;
+    const s3Key = f["S3Key"];
+    if (!s3Key)
+      return void 0;
+    const rules = s3Key["Rules"];
+    if (!rules || !Array.isArray(rules) || rules.length === 0)
+      return void 0;
+    return {
+      Key: {
+        FilterRules: rules.filter((r) => r.Name !== void 0 && r.Value !== void 0).map((r) => ({ Name: r.Name, Value: r.Value }))
+      }
+    };
+  }
   /**
    * Apply metrics configurations
    *
@@ -31214,20 +31315,226 @@ var S3BucketProvider = class {
       );
       this.logger.debug(`Applied ownership controls to bucket ${bucketName}`);
     }
+    const publicAccessBlock = properties["PublicAccessBlockConfiguration"];
+    if (publicAccessBlock) {
+      await this.applyPublicAccessBlockConfiguration(bucketName, publicAccessBlock);
+    }
+    const bucketEncryption = properties["BucketEncryption"];
+    if (bucketEncryption?.ServerSideEncryptionConfiguration && Array.isArray(bucketEncryption.ServerSideEncryptionConfiguration) && bucketEncryption.ServerSideEncryptionConfiguration.length > 0) {
+      await this.applyBucketEncryption(bucketName, bucketEncryption);
+    }
+  }
+  /**
+   * Diff CFn-shape sub-config values between previous and new state.
+   *
+   * Three transitions:
+   * - undefined -> defined  (value differs from previous, OR previous undefined): Put
+   * - defined -> undefined: Delete
+   * - defined -> defined (different): Put
+   * - unchanged: skip
+   *
+   * For the array-shaped configs (Metrics / Analytics / IntelligentTier /
+   * Inventory) this is per-id rather than per-config — see the dedicated
+   * helpers below.
+   */
+  async diffSubConfig(_bucketName, oldVal, newVal, onPut, onDelete) {
+    const same = JSON.stringify(oldVal ?? null) === JSON.stringify(newVal ?? null);
+    if (same)
+      return;
+    if (newVal === void 0 || newVal === null) {
+      await onDelete();
+      return;
+    }
+    await onPut(newVal);
+  }
+  /**
+   * Per-id diff for the four array-shaped configs (MetricsConfigurations,
+   * AnalyticsConfigurations, IntelligentTieringConfigurations,
+   * InventoryConfigurations). Each AWS API operates on one config per
+   * (bucket, id) pair: Put-on-add or Put-on-change, Delete-on-removed.
+   */
+  async diffArrayConfigById(_bucketName, oldArr, newArr, onPut, onDelete) {
+    const oldById = /* @__PURE__ */ new Map();
+    for (const c of oldArr ?? []) {
+      const id = c["Id"];
+      if (id)
+        oldById.set(id, c);
+    }
+    const newById = /* @__PURE__ */ new Map();
+    for (const c of newArr ?? []) {
+      const id = c["Id"];
+      if (id)
+        newById.set(id, c);
+    }
+    for (const [id, cfg] of newById) {
+      const old = oldById.get(id);
+      if (!old || JSON.stringify(old) !== JSON.stringify(cfg)) {
+        await onPut(id, cfg);
+      }
+    }
+    for (const id of oldById.keys()) {
+      if (!newById.has(id)) {
+        await onDelete(id);
+      }
+    }
+  }
+  /**
+   * Apply the diff between previous and new sub-configs, issuing Put / Delete
+   * SDK calls only for differing keys. Called from `update()`.
+   *
+   * Versioning / PublicAccessBlock / Tags / OwnershipControls / BucketEncryption
+   * stay on `applyConfiguration` (the unconditional always-PUT path) because
+   * their AWS APIs don't have a clean "delete" counterpart and they
+   * round-trip safely as no-ops when state == AWS-current. The 12 sub-configs
+   * below DO have proper Put/Delete pairs so the diff path is preferable.
+   */
+  async applySubConfigDiffs(bucketName, properties, previousProperties) {
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["LifecycleConfiguration"],
+      properties["LifecycleConfiguration"],
+      async (cfg) => {
+        if (!cfg.Rules || !Array.isArray(cfg.Rules) || cfg.Rules.length === 0)
+          return;
+        await this.applyLifecycleConfiguration(bucketName, cfg);
+      },
+      async () => {
+        await this.s3Client.send(new DeleteBucketLifecycleCommand({ Bucket: bucketName }));
+        this.logger.debug(`Deleted lifecycle configuration on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["CorsConfiguration"],
+      properties["CorsConfiguration"],
+      async (cfg) => {
+        if (!cfg.CorsRules || !Array.isArray(cfg.CorsRules) || cfg.CorsRules.length === 0)
+          return;
+        await this.applyCorsConfiguration(bucketName, cfg);
+      },
+      async () => {
+        await this.s3Client.send(new DeleteBucketCorsCommand({ Bucket: bucketName }));
+        this.logger.debug(`Deleted CORS configuration on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["WebsiteConfiguration"],
+      properties["WebsiteConfiguration"],
+      async (cfg) => this.applyWebsiteConfiguration(bucketName, cfg),
+      async () => {
+        await this.s3Client.send(new DeleteBucketWebsiteCommand({ Bucket: bucketName }));
+        this.logger.debug(`Deleted website configuration on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["LoggingConfiguration"],
+      properties["LoggingConfiguration"],
+      async (cfg) => this.applyLoggingConfiguration(bucketName, cfg),
+      async () => this.applyLoggingConfiguration(bucketName, void 0)
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["NotificationConfiguration"],
+      properties["NotificationConfiguration"],
+      async (cfg) => this.applyNotificationConfiguration(bucketName, cfg),
+      async () => this.applyNotificationConfiguration(bucketName, void 0)
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["ReplicationConfiguration"],
+      properties["ReplicationConfiguration"],
+      async (cfg) => this.applyReplicationConfiguration(bucketName, cfg),
+      async () => {
+        await this.s3Client.send(new DeleteBucketReplicationCommand({ Bucket: bucketName }));
+        this.logger.debug(`Deleted replication configuration on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["ObjectLockConfiguration"],
+      properties["ObjectLockConfiguration"],
+      async (cfg) => this.applyObjectLockConfiguration(bucketName, cfg),
+      async () => {
+        await this.s3Client.send(
+          new PutObjectLockConfigurationCommand({
+            Bucket: bucketName,
+            ObjectLockConfiguration: { ObjectLockEnabled: "Enabled" }
+          })
+        );
+        this.logger.debug(`Cleared object lock rule on bucket ${bucketName}`);
+      }
+    );
+    await this.diffSubConfig(
+      bucketName,
+      previousProperties["AccelerateConfiguration"],
+      properties["AccelerateConfiguration"],
+      async (cfg) => this.applyAccelerateConfiguration(bucketName, cfg),
+      async () => this.applyAccelerateConfiguration(bucketName, { AccelerationStatus: "Suspended" })
+    );
+    await this.diffArrayConfigById(
+      bucketName,
+      previousProperties["MetricsConfigurations"],
+      properties["MetricsConfigurations"],
+      async (_id, cfg) => this.applyMetricsConfigurations(bucketName, [cfg]),
+      async (id) => {
+        await this.s3Client.send(
+          new DeleteBucketMetricsConfigurationCommand({ Bucket: bucketName, Id: id })
+        );
+        this.logger.debug(`Deleted metrics configuration ${id} on bucket ${bucketName}`);
+      }
+    );
+    await this.diffArrayConfigById(
+      bucketName,
+      previousProperties["AnalyticsConfigurations"],
+      properties["AnalyticsConfigurations"],
+      async (_id, cfg) => this.applyAnalyticsConfigurations(bucketName, [cfg]),
+      async (id) => {
+        await this.s3Client.send(
+          new DeleteBucketAnalyticsConfigurationCommand({ Bucket: bucketName, Id: id })
+        );
+        this.logger.debug(`Deleted analytics configuration ${id} on bucket ${bucketName}`);
+      }
+    );
+    await this.diffArrayConfigById(
+      bucketName,
+      previousProperties["IntelligentTieringConfigurations"],
+      properties["IntelligentTieringConfigurations"],
+      async (_id, cfg) => this.applyIntelligentTieringConfigurations(bucketName, [cfg]),
+      async (id) => {
+        await this.s3Client.send(
+          new DeleteBucketIntelligentTieringConfigurationCommand({
+            Bucket: bucketName,
+            Id: id
+          })
+        );
+        this.logger.debug(
+          `Deleted intelligent tiering configuration ${id} on bucket ${bucketName}`
+        );
+      }
+    );
+    await this.diffArrayConfigById(
+      bucketName,
+      previousProperties["InventoryConfigurations"],
+      properties["InventoryConfigurations"],
+      async (_id, cfg) => this.applyInventoryConfigurations(bucketName, [cfg]),
+      async (id) => {
+        await this.s3Client.send(
+          new DeleteBucketInventoryConfigurationCommand({ Bucket: bucketName, Id: id })
+        );
+        this.logger.debug(`Deleted inventory configuration ${id} on bucket ${bucketName}`);
+      }
+    );
+  }
+  /**
+   * Apply ALL sub-configs unconditionally on initial create. Used by
+   * `create()` so the bucket starts out matching the template.
+   */
+  async applyAllSubConfigsForCreate(bucketName, properties) {
     const notifConfig = properties["NotificationConfiguration"];
-    if (notifConfig?.["EventBridgeConfiguration"]) {
-      const ebConfig = notifConfig["EventBridgeConfiguration"];
-      await this.s3Client.send(
-        new PutBucketNotificationConfigurationCommand({
-          Bucket: bucketName,
-          NotificationConfiguration: {
-            EventBridgeConfiguration: {
-              EventBridgeEnabled: ebConfig.EventBridgeEnabled ?? true
-            }
-          }
-        })
-      );
-      this.logger.debug(`Applied EventBridge notification to bucket ${bucketName}`);
+    if (notifConfig) {
+      await this.applyNotificationConfiguration(bucketName, notifConfig);
     }
     const corsConfig = properties["CorsConfiguration"];
     if (corsConfig?.CorsRules && Array.isArray(corsConfig.CorsRules) && corsConfig.CorsRules.length > 0) {
@@ -31237,16 +31544,8 @@ var S3BucketProvider = class {
     if (lifecycleConfig?.Rules && Array.isArray(lifecycleConfig.Rules) && lifecycleConfig.Rules.length > 0) {
       await this.applyLifecycleConfiguration(bucketName, lifecycleConfig);
     }
-    const publicAccessBlock = properties["PublicAccessBlockConfiguration"];
-    if (publicAccessBlock) {
-      await this.applyPublicAccessBlockConfiguration(bucketName, publicAccessBlock);
-    }
-    const bucketEncryption = properties["BucketEncryption"];
-    if (bucketEncryption?.ServerSideEncryptionConfiguration && Array.isArray(bucketEncryption.ServerSideEncryptionConfiguration) && bucketEncryption.ServerSideEncryptionConfiguration.length > 0) {
-      await this.applyBucketEncryption(bucketName, bucketEncryption);
-    }
     const loggingConfig = properties["LoggingConfiguration"];
-    if (loggingConfig) {
+    if (loggingConfig?.["DestinationBucketName"]) {
       await this.applyLoggingConfiguration(bucketName, loggingConfig);
     }
     const websiteConfig = properties["WebsiteConfiguration"];
@@ -31316,6 +31615,7 @@ var S3BucketProvider = class {
         }
       }
       await this.applyConfiguration(bucketName, properties);
+      await this.applyAllSubConfigsForCreate(bucketName, properties);
       const attributes = await this.buildAttributes(bucketName);
       this.logger.debug(`Successfully created S3 bucket ${logicalId}: ${bucketName}`);
       return {
@@ -31355,6 +31655,7 @@ var S3BucketProvider = class {
         /* skipTags */
         true
       );
+      await this.applySubConfigDiffs(physicalId, properties, previousProperties);
       await this.applyTagDiff(
         physicalId,
         previousProperties["Tags"],
@@ -31417,20 +31718,23 @@ var S3BucketProvider = class {
    * into a single CFn-shaped object. Each call can throw a "feature not
    * configured" error (`NoSuchBucketConfiguration`,
    * `ServerSideEncryptionConfigurationNotFoundError`, `NoSuchTagSet`,
-   * `NoSuchPublicAccessBlockConfiguration`) — those are caught individually
-   * and the corresponding key is omitted from the result, NOT treated as
-   * the bucket being absent.
+   * `NoSuchPublicAccessBlockConfiguration`, etc.) — those are caught
+   * individually and the corresponding key is emitted as a CFn-shape
+   * placeholder (per docs/provider-development.md § 3b: always-emit
+   * user-controllable top-level keys), NOT treated as the bucket being
+   * absent.
    *
    * Only the bucket-gone case (`NoSuchBucket`, HTTP 404 from `HeadBucket`)
    * returns `undefined`.
    *
    * Coverage: `BucketName`, `VersioningConfiguration`, `BucketEncryption`,
-   * `PublicAccessBlockConfiguration`, `Tags`. Other configuration
-   * properties (Lifecycle, CORS, Website, Logging, Notification,
-   * Replication, ObjectLock, Accelerate, Metrics/Analytics/IntelligentTier/
-   * Inventory) are out of scope for v1 — they each need their own GET +
-   * shape mapping; CC API drift detection picks them up via `GetResource`
-   * once a user works through the SDK provider boundary.
+   * `PublicAccessBlockConfiguration`, `Tags`, plus all 12 sub-configs:
+   * `LifecycleConfiguration`, `CorsConfiguration`, `WebsiteConfiguration`,
+   * `LoggingConfiguration`, `NotificationConfiguration`,
+   * `ReplicationConfiguration`, `ObjectLockConfiguration`,
+   * `AccelerateConfiguration`, `MetricsConfigurations`,
+   * `AnalyticsConfigurations`, `IntelligentTieringConfigurations`,
+   * `InventoryConfigurations`.
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
     try {
@@ -31442,17 +31746,75 @@ var S3BucketProvider = class {
       }
       throw err;
     }
-    const result = {
-      BucketName: physicalId
+    const [
+      versioning,
+      encryption,
+      pab,
+      tags,
+      lifecycle,
+      cors,
+      website,
+      logging,
+      notification,
+      replication,
+      objectLock,
+      accelerate,
+      metrics,
+      analytics,
+      intelligentTier,
+      inventory
+    ] = await Promise.all([
+      this.readVersioning(physicalId),
+      this.readEncryption(physicalId),
+      this.readPublicAccessBlock(physicalId),
+      this.readTags(physicalId),
+      this.readLifecycle(physicalId),
+      this.readCors(physicalId),
+      this.readWebsite(physicalId),
+      this.readLogging(physicalId),
+      this.readNotification(physicalId),
+      this.readReplication(physicalId),
+      this.readObjectLock(physicalId),
+      this.readAccelerate(physicalId),
+      this.readMetricsList(physicalId),
+      this.readAnalyticsList(physicalId),
+      this.readIntelligentTieringList(physicalId),
+      this.readInventoryList(physicalId)
+    ]);
+    return {
+      BucketName: physicalId,
+      VersioningConfiguration: versioning,
+      BucketEncryption: encryption,
+      PublicAccessBlockConfiguration: pab,
+      Tags: tags,
+      LifecycleConfiguration: lifecycle,
+      CorsConfiguration: cors,
+      WebsiteConfiguration: website,
+      LoggingConfiguration: logging,
+      NotificationConfiguration: notification,
+      ReplicationConfiguration: replication,
+      ObjectLockConfiguration: objectLock,
+      AccelerateConfiguration: accelerate,
+      MetricsConfigurations: metrics,
+      AnalyticsConfigurations: analytics,
+      IntelligentTieringConfigurations: intelligentTier,
+      InventoryConfigurations: inventory
     };
-    {
-      const resp = await this.s3Client.send(new GetBucketVersioningCommand({ Bucket: physicalId }));
-      result["VersioningConfiguration"] = { Status: resp.Status ?? "Suspended" };
-    }
+  }
+  // -------------------------------------------------------------------
+  // readCurrentState helpers — one per sub-config. Each catches the
+  // "feature not configured" error and returns the always-emit
+  // placeholder shape per docs/provider-development.md § 3b.
+  // -------------------------------------------------------------------
+  async readVersioning(bucket) {
+    const resp = await this.s3Client.send(new GetBucketVersioningCommand({ Bucket: bucket }));
+    return { Status: resp.Status ?? "Suspended" };
+  }
+  async readEncryption(bucket) {
     try {
-      const resp = await this.s3Client.send(new GetBucketEncryptionCommand({ Bucket: physicalId }));
+      const resp = await this.s3Client.send(new GetBucketEncryptionCommand({ Bucket: bucket }));
       const rules = resp.ServerSideEncryptionConfiguration?.Rules ?? [];
-      result["BucketEncryption"] = {
+      return {
         ServerSideEncryptionConfiguration: rules.map((rule) => {
           const out = {};
           const sse = rule.ApplyServerSideEncryptionByDefault;
@@ -31472,17 +31834,16 @@ var S3BucketProvider = class {
     } catch (err) {
       const e = err;
       if (e.name === "ServerSideEncryptionConfigurationNotFoundError") {
-        result["BucketEncryption"] = { ServerSideEncryptionConfiguration: [] };
-      } else {
-        throw err;
+        return { ServerSideEncryptionConfiguration: [] };
       }
+      throw err;
     }
+  }
+  async readPublicAccessBlock(bucket) {
     try {
-      const resp = await this.s3Client.send(
-        new GetPublicAccessBlockCommand({ Bucket: physicalId })
-      );
+      const resp = await this.s3Client.send(new GetPublicAccessBlockCommand({ Bucket: bucket }));
       const cfg = resp.PublicAccessBlockConfiguration;
-      result["PublicAccessBlockConfiguration"] = {
+      return {
         BlockPublicAcls: cfg?.BlockPublicAcls ?? false,
         BlockPublicPolicy: cfg?.BlockPublicPolicy ?? false,
         IgnorePublicAcls: cfg?.IgnorePublicAcls ?? false,
@@ -31491,28 +31852,593 @@ var S3BucketProvider = class {
     } catch (err) {
       const e = err;
       if (e.name === "NoSuchPublicAccessBlockConfiguration") {
-        result["PublicAccessBlockConfiguration"] = {
+        return {
           BlockPublicAcls: false,
           BlockPublicPolicy: false,
           IgnorePublicAcls: false,
           RestrictPublicBuckets: false
         };
-      } else {
-        throw err;
       }
+      throw err;
+    }
+  }
+  async readTags(bucket) {
+    try {
+      const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: bucket }));
+      return normalizeAwsTagsToCfn(resp.TagSet);
+    } catch (err) {
+      const e = err;
+      if (e.name === "NoSuchTagSet")
+        return [];
+      throw err;
+    }
+  }
+  async readLifecycle(bucket) {
+    try {
+      const resp = await this.s3Client.send(
+        new GetBucketLifecycleConfigurationCommand({ Bucket: bucket })
+      );
+      const rules = resp.Rules ?? [];
+      return {
+        Rules: rules.map((r) => {
+          const out = {};
+          if (r.ID !== void 0)
+            out["Id"] = r.ID;
+          if (r.Status !== void 0)
+            out["Status"] = r.Status;
+          if (r.Prefix !== void 0)
+            out["Prefix"] = r.Prefix;
+          if (r.Expiration) {
+            const exp = {};
+            if (r.Expiration.Days !== void 0)
+              exp["Days"] = r.Expiration.Days;
+            if (r.Expiration.Date !== void 0)
+              exp["Date"] = r.Expiration.Date.toISOString();
+            if (r.Expiration.ExpiredObjectDeleteMarker !== void 0)
+              exp["ExpiredObjectDeleteMarker"] = r.Expiration.ExpiredObjectDeleteMarker;
+            out["Expiration"] = exp;
+          }
+          if (r.Transitions && r.Transitions.length > 0) {
+            out["Transitions"] = r.Transitions.map((t) => {
+              const item = {};
+              if (t.Days !== void 0)
+                item["TransitionInDays"] = t.Days;
+              if (t.Date !== void 0)
+                item["TransitionDate"] = t.Date.toISOString();
+              if (t.StorageClass !== void 0)
+                item["StorageClass"] = t.StorageClass;
+              return item;
+            });
+          }
+          if (r.NoncurrentVersionExpiration) {
+            const nve = {};
+            if (r.NoncurrentVersionExpiration.NoncurrentDays !== void 0)
+              nve["NoncurrentDays"] = r.NoncurrentVersionExpiration.NoncurrentDays;
+            if (r.NoncurrentVersionExpiration.NewerNoncurrentVersions !== void 0)
+              nve["NewerNoncurrentVersions"] = r.NoncurrentVersionExpiration.NewerNoncurrentVersions;
+            out["NoncurrentVersionExpiration"] = nve;
+          }
+          if (r.NoncurrentVersionTransitions && r.NoncurrentVersionTransitions.length > 0) {
+            out["NoncurrentVersionTransitions"] = r.NoncurrentVersionTransitions.map((nvt) => {
+              const item = {};
+              if (nvt.NoncurrentDays !== void 0)
+                item["NoncurrentDays"] = nvt.NoncurrentDays;
+              if (nvt.StorageClass !== void 0)
+                item["StorageClass"] = nvt.StorageClass;
+              if (nvt.NewerNoncurrentVersions !== void 0)
+                item["NewerNoncurrentVersions"] = nvt.NewerNoncurrentVersions;
+              return item;
+            });
+          }
+          if (r.AbortIncompleteMultipartUpload) {
+            out["AbortIncompleteMultipartUpload"] = {
+              DaysAfterInitiation: r.AbortIncompleteMultipartUpload.DaysAfterInitiation
+            };
+          }
+          if (r.Filter) {
+            const f = r.Filter;
+            const cfnFilter = {};
+            const and = f["And"];
+            const tagOnly = f["Tag"];
+            if (and) {
+              if (and["Prefix"] !== void 0)
+                cfnFilter["Prefix"] = and["Prefix"];
+              if (and["Tags"])
+                cfnFilter["TagFilters"] = and["Tags"];
+              if (and["ObjectSizeGreaterThan"] !== void 0)
+                cfnFilter["ObjectSizeGreaterThan"] = and["ObjectSizeGreaterThan"];
+              if (and["ObjectSizeLessThan"] !== void 0)
+                cfnFilter["ObjectSizeLessThan"] = and["ObjectSizeLessThan"];
+            } else if (tagOnly) {
+              cfnFilter["TagFilters"] = [tagOnly];
+            } else {
+              if (f["Prefix"] !== void 0)
+                cfnFilter["Prefix"] = f["Prefix"];
+              if (f["ObjectSizeGreaterThan"] !== void 0)
+                cfnFilter["ObjectSizeGreaterThan"] = f["ObjectSizeGreaterThan"];
+              if (f["ObjectSizeLessThan"] !== void 0)
+                cfnFilter["ObjectSizeLessThan"] = f["ObjectSizeLessThan"];
+            }
+            if (Object.keys(cfnFilter).length > 0)
+              out["Filter"] = cfnFilter;
+          }
+          return out;
+        })
+      };
+    } catch (err) {
+      const e = err;
+      if (e.name === "NoSuchLifecycleConfiguration")
+        return { Rules: [] };
+      throw err;
+    }
+  }
+  async readCors(bucket) {
+    try {
+      const resp = await this.s3Client.send(new GetBucketCorsCommand({ Bucket: bucket }));
+      const rules = resp.CORSRules ?? [];
+      return {
+        CorsRules: rules.map((r) => {
+          const out = {};
+          if (r.ID !== void 0)
+            out["Id"] = r.ID;
+          if (r.AllowedHeaders !== void 0)
+            out["AllowedHeaders"] = r.AllowedHeaders;
+          if (r.AllowedMethods !== void 0)
+            out["AllowedMethods"] = r.AllowedMethods;
+          if (r.AllowedOrigins !== void 0)
+            out["AllowedOrigins"] = r.AllowedOrigins;
+          if (r.ExposeHeaders !== void 0)
+            out["ExposedHeaders"] = r.ExposeHeaders;
+          if (r.MaxAgeSeconds !== void 0)
+            out["MaxAge"] = r.MaxAgeSeconds;
+          return out;
+        })
+      };
+    } catch (err) {
+      const e = err;
+      if (e.name === "NoSuchCORSConfiguration")
+        return { CorsRules: [] };
+      throw err;
+    }
+  }
+  async readWebsite(bucket) {
+    try {
+      const resp = await this.s3Client.send(new GetBucketWebsiteCommand({ Bucket: bucket }));
+      const out = {};
+      if (resp.IndexDocument?.Suffix !== void 0) {
+        out["IndexDocument"] = resp.IndexDocument.Suffix;
+      }
+      if (resp.ErrorDocument?.Key !== void 0) {
+        out["ErrorDocument"] = resp.ErrorDocument.Key;
+      }
+      if (resp.RedirectAllRequestsTo) {
+        const redirect = {};
+        if (resp.RedirectAllRequestsTo.HostName !== void 0)
+          redirect["HostName"] = resp.RedirectAllRequestsTo.HostName;
+        if (resp.RedirectAllRequestsTo.Protocol !== void 0)
+          redirect["Protocol"] = resp.RedirectAllRequestsTo.Protocol;
+        out["RedirectAllRequestsTo"] = redirect;
+      }
+      if (resp.RoutingRules && resp.RoutingRules.length > 0) {
+        out["RoutingRules"] = resp.RoutingRules.map((rr) => {
+          const ruleOut = {};
+          if (rr.Condition) {
+            const c = {};
+            if (rr.Condition.HttpErrorCodeReturnedEquals !== void 0)
+              c["HttpErrorCodeReturnedEquals"] = rr.Condition.HttpErrorCodeReturnedEquals;
+            if (rr.Condition.KeyPrefixEquals !== void 0)
+              c["KeyPrefixEquals"] = rr.Condition.KeyPrefixEquals;
+            ruleOut["RoutingRuleCondition"] = c;
+          }
+          if (rr.Redirect) {
+            const r = {};
+            if (rr.Redirect.HostName !== void 0)
+              r["HostName"] = rr.Redirect.HostName;
+            if (rr.Redirect.HttpRedirectCode !== void 0)
+              r["HttpRedirectCode"] = rr.Redirect.HttpRedirectCode;
+            if (rr.Redirect.Protocol !== void 0)
+              r["Protocol"] = rr.Redirect.Protocol;
+            if (rr.Redirect.ReplaceKeyPrefixWith !== void 0)
+              r["ReplaceKeyPrefixWith"] = rr.Redirect.ReplaceKeyPrefixWith;
+            if (rr.Redirect.ReplaceKeyWith !== void 0)
+              r["ReplaceKeyWith"] = rr.Redirect.ReplaceKeyWith;
+            ruleOut["RedirectRule"] = r;
+          }
+          return ruleOut;
+        });
+      }
+      return out;
+    } catch (err) {
+      const e = err;
+      if (e.name === "NoSuchWebsiteConfiguration")
+        return {};
+      throw err;
+    }
+  }
+  async readLogging(bucket) {
+    const resp = await this.s3Client.send(new GetBucketLoggingCommand({ Bucket: bucket }));
+    if (!resp.LoggingEnabled)
+      return {};
+    const out = {};
+    if (resp.LoggingEnabled.TargetBucket !== void 0)
+      out["DestinationBucketName"] = resp.LoggingEnabled.TargetBucket;
+    if (resp.LoggingEnabled.TargetPrefix !== void 0)
+      out["LogFilePrefix"] = resp.LoggingEnabled.TargetPrefix;
+    return out;
+  }
+  async readNotification(bucket) {
+    const resp = await this.s3Client.send(
+      new GetBucketNotificationConfigurationCommand({ Bucket: bucket })
+    );
+    const out = {};
+    if (resp.TopicConfigurations && resp.TopicConfigurations.length > 0) {
+      out["TopicConfigurations"] = resp.TopicConfigurations.map((t) => {
+        const e = {};
+        if (t.Id !== void 0)
+          e["Id"] = t.Id;
+        if (t.TopicArn !== void 0)
+          e["Topic"] = t.TopicArn;
+        if (t.Events !== void 0)
+          e["Events"] = t.Events;
+        if (t.Filter)
+          e["Filter"] = this.sdkNotifFilterToCfn(t.Filter);
+        return e;
+      });
+    }
+    if (resp.QueueConfigurations && resp.QueueConfigurations.length > 0) {
+      out["QueueConfigurations"] = resp.QueueConfigurations.map((q) => {
+        const e = {};
+        if (q.Id !== void 0)
+          e["Id"] = q.Id;
+        if (q.QueueArn !== void 0)
+          e["Queue"] = q.QueueArn;
+        if (q.Events !== void 0)
+          e["Events"] = q.Events;
+        if (q.Filter)
+          e["Filter"] = this.sdkNotifFilterToCfn(q.Filter);
+        return e;
+      });
+    }
+    if (resp.LambdaFunctionConfigurations && resp.LambdaFunctionConfigurations.length > 0) {
+      out["LambdaConfigurations"] = resp.LambdaFunctionConfigurations.map((l) => {
+        const e = {};
+        if (l.Id !== void 0)
+          e["Id"] = l.Id;
+        if (l.LambdaFunctionArn !== void 0)
+          e["Function"] = l.LambdaFunctionArn;
+        if (l.Events !== void 0)
+          e["Events"] = l.Events;
+        if (l.Filter)
+          e["Filter"] = this.sdkNotifFilterToCfn(l.Filter);
+        return e;
+      });
+    }
+    if (resp.EventBridgeConfiguration) {
+      out["EventBridgeConfiguration"] = {};
+    }
+    return out;
+  }
+  sdkNotifFilterToCfn(filter) {
+    if (!filter || typeof filter !== "object")
+      return {};
+    const f = filter;
+    const key = f["Key"];
+    if (!key)
+      return {};
+    const filterRules = key["FilterRules"];
+    if (!filterRules)
+      return {};
+    return {
+      S3Key: {
+        Rules: filterRules.map((r) => ({ Name: r.Name, Value: r.Value }))
+      }
+    };
+  }
+  async readReplication(bucket) {
+    try {
+      const resp = await this.s3Client.send(new GetBucketReplicationCommand({ Bucket: bucket }));
+      const cfg = resp.ReplicationConfiguration;
+      if (!cfg)
+        return {};
+      const out = {};
+      if (cfg.Role !== void 0)
+        out["Role"] = cfg.Role;
+      if (cfg.Rules) {
+        out["Rules"] = cfg.Rules.map((r) => {
+          const ruleOut = {};
+          if (r.ID !== void 0)
+            ruleOut["Id"] = r.ID;
+          if (r.Status !== void 0)
+            ruleOut["Status"] = r.Status;
+          if (r.Priority !== void 0)
+            ruleOut["Priority"] = r.Priority;
+          if (r.Prefix !== void 0)
+            ruleOut["Prefix"] = r.Prefix;
+          if (r.Destination) {
+            const d = {};
+            if (r.Destination.Bucket !== void 0)
+              d["Bucket"] = r.Destination.Bucket;
+            if (r.Destination.Account !== void 0)
+              d["Account"] = r.Destination.Account;
+            if (r.Destination.StorageClass !== void 0)
+              d["StorageClass"] = r.Destination.StorageClass;
+            ruleOut["Destination"] = d;
+          }
+          if (r.Filter) {
+            const f = r.Filter;
+            const cfnFilter = {};
+            const and = f["And"];
+            const tagOnly = f["Tag"];
+            if (and) {
+              if (and["Prefix"] !== void 0)
+                cfnFilter["Prefix"] = and["Prefix"];
+              const tags = and["Tags"];
+              if (tags && tags.length > 0)
+                cfnFilter["TagFilter"] = tags[0];
+            } else if (tagOnly) {
+              cfnFilter["TagFilter"] = tagOnly;
+            } else if (f["Prefix"] !== void 0) {
+              cfnFilter["Prefix"] = f["Prefix"];
+            }
+            if (Object.keys(cfnFilter).length > 0)
+              ruleOut["Filter"] = cfnFilter;
+          }
+          if (r.DeleteMarkerReplication) {
+            ruleOut["DeleteMarkerReplication"] = {
+              Status: r.DeleteMarkerReplication.Status
+            };
+          }
+          return ruleOut;
+        });
+      }
+      return out;
+    } catch (err) {
+      const e = err;
+      if (e.name === "ReplicationConfigurationNotFoundError")
+        return {};
+      throw err;
     }
+  }
+  async readObjectLock(bucket) {
     try {
-      const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: physicalId }));
-      result["Tags"] = normalizeAwsTagsToCfn(resp.TagSet);
+      const resp = await this.s3Client.send(
+        new GetObjectLockConfigurationCommand({ Bucket: bucket })
+      );
+      const cfg = resp.ObjectLockConfiguration;
+      if (!cfg)
+        return {};
+      const out = {};
+      if (cfg.ObjectLockEnabled !== void 0)
+        out["ObjectLockEnabled"] = cfg.ObjectLockEnabled;
+      if (cfg.Rule?.DefaultRetention) {
+        const r = cfg.Rule.DefaultRetention;
+        const retention = {};
+        if (r.Mode !== void 0)
+          retention["Mode"] = r.Mode;
+        if (r.Days !== void 0)
+          retention["Days"] = r.Days;
+        if (r.Years !== void 0)
+          retention["Years"] = r.Years;
+        out["Rule"] = { DefaultRetention: retention };
+      }
+      return out;
     } catch (err) {
       const e = err;
-      if (e.name === "NoSuchTagSet") {
-        result["Tags"] = [];
+      if (e.name === "ObjectLockConfigurationNotFoundError" || e.name === "NoSuchBucketConfiguration") {
+        return {};
+      }
+      throw err;
+    }
+  }
+  async readAccelerate(bucket) {
+    const resp = await this.s3Client.send(
+      new GetBucketAccelerateConfigurationCommand({ Bucket: bucket })
+    );
+    return { AccelerationStatus: resp.Status ?? "Suspended" };
+  }
+  async readMetricsList(bucket) {
+    const out = [];
+    let continuationToken;
+    while (true) {
+      const resp = await this.s3Client.send(
+        new ListBucketMetricsConfigurationsCommand({
+          Bucket: bucket,
+          ContinuationToken: continuationToken
+        })
+      );
+      for (const c of resp.MetricsConfigurationList ?? []) {
+        out.push(this.metricsSdkToCfn(c));
+      }
+      if (!resp.IsTruncated)
+        break;
+      continuationToken = resp.NextContinuationToken;
+    }
+    return out;
+  }
+  metricsSdkToCfn(c) {
+    const out = {};
+    if (c["Id"] !== void 0)
+      out["Id"] = c["Id"];
+    const f = c["Filter"];
+    if (f) {
+      const and = f["And"];
+      const tagOnly = f["Tag"];
+      if (and) {
+        if (and["Prefix"] !== void 0)
+          out["Prefix"] = and["Prefix"];
+        if (and["Tags"])
+          out["TagFilters"] = and["Tags"];
+        if (and["AccessPointArn"] !== void 0)
+          out["AccessPointArn"] = and["AccessPointArn"];
+      } else if (tagOnly) {
+        out["TagFilters"] = [tagOnly];
       } else {
-        throw err;
+        if (f["Prefix"] !== void 0)
+          out["Prefix"] = f["Prefix"];
+        if (f["AccessPointArn"] !== void 0)
+          out["AccessPointArn"] = f["AccessPointArn"];
       }
     }
-    return result;
+    return out;
+  }
+  async readAnalyticsList(bucket) {
+    const out = [];
+    let continuationToken;
+    while (true) {
+      const resp = await this.s3Client.send(
+        new ListBucketAnalyticsConfigurationsCommand({
+          Bucket: bucket,
+          ContinuationToken: continuationToken
+        })
+      );
+      for (const c of resp.AnalyticsConfigurationList ?? []) {
+        out.push(this.analyticsSdkToCfn(c));
+      }
+      if (!resp.IsTruncated)
+        break;
+      continuationToken = resp.NextContinuationToken;
+    }
+    return out;
+  }
+  analyticsSdkToCfn(c) {
+    const out = {};
+    if (c["Id"] !== void 0)
+      out["Id"] = c["Id"];
+    const f = c["Filter"];
+    if (f) {
+      const and = f["And"];
+      const tagOnly = f["Tag"];
+      if (and) {
+        if (and["Prefix"] !== void 0)
+          out["Prefix"] = and["Prefix"];
+        if (and["Tags"])
+          out["TagFilters"] = and["Tags"];
+      } else if (tagOnly) {
+        out["TagFilters"] = [tagOnly];
+      } else if (f["Prefix"] !== void 0) {
+        out["Prefix"] = f["Prefix"];
+      }
+    }
+    const sca = c["StorageClassAnalysis"];
+    if (sca?.["DataExport"]) {
+      const dataExport = sca["DataExport"];
+      const dest = dataExport["Destination"];
+      const s3Dest = dest?.["S3BucketDestination"];
+      out["StorageClassAnalysis"] = {
+        DataExport: {
+          OutputSchemaVersion: dataExport["OutputSchemaVersion"],
+          Destination: s3Dest ? {
+            S3BucketDestination: {
+              BucketArn: s3Dest["Bucket"],
+              BucketAccountId: s3Dest["BucketAccountId"],
+              Format: s3Dest["Format"],
+              Prefix: s3Dest["Prefix"]
+            }
+          } : void 0
+        }
+      };
+    }
+    return out;
+  }
+  async readIntelligentTieringList(bucket) {
+    const out = [];
+    let continuationToken;
+    while (true) {
+      const resp = await this.s3Client.send(
+        new ListBucketIntelligentTieringConfigurationsCommand({
+          Bucket: bucket,
+          ContinuationToken: continuationToken
+        })
+      );
+      for (const c of resp.IntelligentTieringConfigurationList ?? []) {
+        out.push(this.intelligentTieringSdkToCfn(c));
+      }
+      if (!resp.IsTruncated)
+        break;
+      continuationToken = resp.NextContinuationToken;
+    }
+    return out;
+  }
+  intelligentTieringSdkToCfn(c) {
+    const out = {};
+    if (c["Id"] !== void 0)
+      out["Id"] = c["Id"];
+    if (c["Status"] !== void 0)
+      out["Status"] = c["Status"];
+    if (c["Tierings"]) {
+      const tierings = c["Tierings"];
+      out["Tierings"] = tierings.map((t) => ({
+        AccessTier: t["AccessTier"],
+        Days: t["Days"]
+      }));
+    }
+    const f = c["Filter"];
+    if (f) {
+      const and = f["And"];
+      const tagOnly = f["Tag"];
+      if (and) {
+        if (and["Prefix"] !== void 0)
+          out["Prefix"] = and["Prefix"];
+        if (and["Tags"])
+          out["TagFilters"] = and["Tags"];
+      } else if (tagOnly) {
+        out["TagFilters"] = [tagOnly];
+      } else if (f["Prefix"] !== void 0) {
+        out["Prefix"] = f["Prefix"];
+      }
+    }
+    return out;
+  }
+  async readInventoryList(bucket) {
+    const out = [];
+    let continuationToken;
+    while (true) {
+      const resp = await this.s3Client.send(
+        new ListBucketInventoryConfigurationsCommand({
+          Bucket: bucket,
+          ContinuationToken: continuationToken
+        })
+      );
+      for (const c of resp.InventoryConfigurationList ?? []) {
+        out.push(this.inventorySdkToCfn(c));
+      }
+      if (!resp.IsTruncated)
+        break;
+      continuationToken = resp.NextContinuationToken;
+    }
+    return out;
+  }
+  inventorySdkToCfn(c) {
+    const out = {};
+    if (c["Id"] !== void 0)
+      out["Id"] = c["Id"];
+    if (c["IsEnabled"] !== void 0)
+      out["Enabled"] = c["IsEnabled"];
+    if (c["IncludedObjectVersions"] !== void 0)
+      out["IncludedObjectVersions"] = c["IncludedObjectVersions"];
+    const schedule = c["Schedule"];
+    if (schedule?.["Frequency"] !== void 0)
+      out["ScheduleFrequency"] = schedule["Frequency"];
+    if (c["OptionalFields"] !== void 0)
+      out["OptionalFields"] = c["OptionalFields"];
+    const dest = c["Destination"];
+    const s3Dest = dest?.["S3BucketDestination"];
+    if (s3Dest) {
+      const cfnDest = {};
+      if (s3Dest["Bucket"] !== void 0)
+        cfnDest["BucketArn"] = s3Dest["Bucket"];
+      if (s3Dest["AccountId"] !== void 0)
+        cfnDest["BucketAccountId"] = s3Dest["AccountId"];
+      if (s3Dest["Format"] !== void 0)
+        cfnDest["Format"] = s3Dest["Format"];
+      if (s3Dest["Prefix"] !== void 0)
+        cfnDest["Prefix"] = s3Dest["Prefix"];
+      out["Destination"] = cfnDest;
+    }
+    const filter = c["Filter"];
+    if (filter?.["Prefix"] !== void 0)
+      out["Prefix"] = filter["Prefix"];
+    return out;
   }
   /**
    * Adopt an existing S3 bucket into cdkd state.
@@ -41291,6 +42217,42 @@ var EC2Provider = class {
       throw err;
     }
   }
+  /**
+   * Drift-unknown paths per resource type.
+   *
+   * The 6 EC2 sub-resource types (`AWS::EC2::Route` /
+   * `VPCGatewayAttachment` / `SubnetRouteTableAssociation` /
+   * `SecurityGroupIngress` / `NetworkAclEntry` /
+   * `SubnetNetworkAclAssociation`) have NO AWS-side `Tags` API — the
+   * underlying AWS objects (route entries, NACL entries, route-table
+   * associations, NACL associations, IGW attachments) are not
+   * tag-bearing on AWS, and the corresponding CFn schemas do not model
+   * `Tags` either. Declaring `'Tags'` here is defense-in-depth: if a
+   * future CFn schema revision adds `Tags` to one of these types, or
+   * cdkd state somehow carries `Tags` for one of them via a custom
+   * property override, the drift comparator will skip the path
+   * instead of firing guaranteed false-positive drift on every clean
+   * run.
+   *
+   * Other EC2 types (`VPC` / `Subnet` / `InternetGateway` /
+   * `NatGateway` / `RouteTable` / `SecurityGroup` / `Instance` /
+   * `NetworkAcl`) have first-class Tags support via
+   * `DescribeTags` — they surface `Tags` directly in
+   * `readCurrentState` and don't need this declaration.
+   */
+  getDriftUnknownPaths(resourceType) {
+    switch (resourceType) {
+      case "AWS::EC2::Route":
+      case "AWS::EC2::VPCGatewayAttachment":
+      case "AWS::EC2::SubnetRouteTableAssociation":
+      case "AWS::EC2::SecurityGroupIngress":
+      case "AWS::EC2::NetworkAclEntry":
+      case "AWS::EC2::SubnetNetworkAclAssociation":
+        return ["Tags"];
+      default:
+        return [];
+    }
+  }
   async readVpcCurrentState(physicalId) {
     const resp = await this.ec2Client.send(new DescribeVpcsCommand2({ VpcIds: [physicalId] }));
     const vpc = resp.Vpcs?.[0];
@@ -57018,6 +57980,349 @@ var KinesisStreamProvider = class {
   }
 };
 
+// src/provisioning/providers/kinesis-streamconsumer-provider.ts
+import {
+  KinesisClient as KinesisClient2,
+  RegisterStreamConsumerCommand,
+  DeregisterStreamConsumerCommand,
+  DescribeStreamConsumerCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand18,
+  TagResourceCommand as TagResourceCommand15,
+  UntagResourceCommand as UntagResourceCommand15,
+  ResourceNotFoundException as ResourceNotFoundException14
+} from "@aws-sdk/client-kinesis";
+var KinesisStreamConsumerProvider = class {
+  client;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("KinesisStreamConsumerProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    ["AWS::Kinesis::StreamConsumer", /* @__PURE__ */ new Set(["ConsumerName", "StreamARN", "Tags"])]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new KinesisClient2(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  /**
+   * Register a Kinesis stream consumer.
+   *
+   * Polls `DescribeStreamConsumer` until ConsumerStatus flips from
+   * `CREATING` to `ACTIVE` (matches CFn behavior). 1s polling interval
+   * is faster than the CC API exponential backoff used to be.
+   */
+  async create(logicalId, resourceType, properties) {
+    const consumerName = properties["ConsumerName"];
+    const streamArn = properties["StreamARN"];
+    if (!consumerName) {
+      throw new ProvisioningError(
+        "AWS::Kinesis::StreamConsumer requires ConsumerName",
+        resourceType,
+        logicalId
+      );
+    }
+    if (!streamArn) {
+      throw new ProvisioningError(
+        "AWS::Kinesis::StreamConsumer requires StreamARN",
+        resourceType,
+        logicalId
+      );
+    }
+    this.logger.debug(`Registering Kinesis stream consumer ${logicalId}: ${consumerName}`);
+    const tagList = Array.isArray(properties["Tags"]) ? properties["Tags"] : void 0;
+    const tagMap = tagListToMap(tagList);
+    try {
+      const resp = await this.getClient().send(
+        new RegisterStreamConsumerCommand({
+          StreamARN: streamArn,
+          ConsumerName: consumerName,
+          ...tagMap && Object.keys(tagMap).length > 0 ? { Tags: tagMap } : {}
+        })
+      );
+      const consumer = resp.Consumer;
+      if (!consumer?.ConsumerARN || !consumer.ConsumerName) {
+        throw new ProvisioningError(
+          "RegisterStreamConsumer did not return ConsumerARN/ConsumerName",
+          resourceType,
+          logicalId
+        );
+      }
+      const consumerArn = consumer.ConsumerARN;
+      await this.waitForConsumerActive(consumerArn);
+      this.logger.debug(`Successfully registered Kinesis stream consumer ${logicalId}`);
+      return {
+        physicalId: consumerArn,
+        attributes: {
+          ConsumerARN: consumerArn,
+          ConsumerName: consumer.ConsumerName,
+          ConsumerStatus: consumer.ConsumerStatus,
+          ConsumerCreationTimestamp: consumer.ConsumerCreationTimestamp?.toISOString() ?? void 0,
+          // CFn `Id` for StreamConsumer is the ConsumerARN (matches the
+          // CFn return-values doc).
+          Id: consumerArn,
+          StreamARN: streamArn
+        }
+      };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to register Kinesis stream consumer ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        consumerName,
+        cause
+      );
+    }
+  }
+  /**
+   * Update is a no-op for the immutable `ConsumerName` / `StreamARN`
+   * fields (the deploy engine's replacement-detection layer triggers
+   * DELETE + CREATE for those changes). Tags ARE mutable via
+   * `TagResource` / `UntagResource` so the diff is applied here.
+   *
+   * If a non-Tags property changes, throw `ResourceUpdateNotSupportedError`
+   * — `cdkd drift --revert` will surface that to the user with the
+   * "use cdkd deploy --replace" suggestion.
+   */
+  async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    const newConsumerName = properties["ConsumerName"];
+    const oldConsumerName = previousProperties["ConsumerName"];
+    const newStreamArn = properties["StreamARN"];
+    const oldStreamArn = previousProperties["StreamARN"];
+    if (newConsumerName !== oldConsumerName || newStreamArn !== oldStreamArn) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "AWS::Kinesis::StreamConsumer ConsumerName / StreamARN are immutable; re-deploy with cdkd deploy --replace, or destroy + redeploy"
+      );
+    }
+    await this.applyTagDiff(
+      physicalId,
+      previousProperties["Tags"],
+      properties["Tags"]
+    );
+    let attrs = {};
+    try {
+      const resp = await this.getClient().send(
+        new DescribeStreamConsumerCommand({ ConsumerARN: physicalId })
+      );
+      const desc = resp.ConsumerDescription;
+      if (desc) {
+        attrs = {
+          ConsumerARN: desc.ConsumerARN,
+          ConsumerName: desc.ConsumerName,
+          ConsumerStatus: desc.ConsumerStatus,
+          ConsumerCreationTimestamp: desc.ConsumerCreationTimestamp?.toISOString() ?? void 0,
+          Id: desc.ConsumerARN,
+          StreamARN: desc.StreamARN
+        };
+      }
+    } catch (err) {
+      this.logger.debug(
+        `DescribeStreamConsumer(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    return {
+      physicalId,
+      wasReplaced: false,
+      attributes: attrs
+    };
+  }
+  /**
+   * Deregister a Kinesis stream consumer.
+   *
+   * Per CFn semantics, DELETE returns once `DeregisterStreamConsumer`
+   * returns — AWS handles eventual disappearance asynchronously, but
+   * cdkd does not need to poll for that. `ResourceNotFoundException`
+   * is treated as idempotent success (subject to the standard region
+   * verification for delete idempotency).
+   */
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deregistering Kinesis stream consumer ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeregisterStreamConsumerCommand({ ConsumerARN: physicalId }));
+      this.logger.debug(`Successfully deregistered Kinesis stream consumer ${logicalId}`);
+    } catch (error) {
+      if (error instanceof ResourceNotFoundException14) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Kinesis stream consumer ${physicalId} not found, skipping`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to deregister Kinesis stream consumer ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "ConsumerARN" || attributeName === "Id") {
+      return physicalId;
+    }
+    const resp = await this.getClient().send(
+      new DescribeStreamConsumerCommand({ ConsumerARN: physicalId })
+    );
+    const desc = resp.ConsumerDescription;
+    if (!desc)
+      return void 0;
+    switch (attributeName) {
+      case "ConsumerName":
+        return desc.ConsumerName;
+      case "ConsumerStatus":
+        return desc.ConsumerStatus;
+      case "ConsumerCreationTimestamp":
+        return desc.ConsumerCreationTimestamp?.toISOString() ?? void 0;
+      case "StreamARN":
+        return desc.StreamARN;
+      default:
+        return void 0;
+    }
+  }
+  /**
+   * Read the AWS-current StreamConsumer configuration in CFn-property shape.
+   *
+   * Surfaces `ConsumerName` + `StreamARN` (the only user-controllable
+   * top-level CFn properties). AWS-managed read-only fields
+   * (`ConsumerARN`, `ConsumerCreationTimestamp`, `ConsumerStatus`) are
+   * omitted — they are not in `handledProperties` and surface only as
+   * `getAttribute` results.
+   *
+   * `Tags` are surfaced via `ListTagsForResource(ResourceARN=ConsumerARN)`
+   * with `aws:*` filtered out and the always-emit `[]` placeholder
+   * pattern (PR #145). The CFn schema for `AWS::Kinesis::StreamConsumer`
+   * does not currently model Tags as a top-level property, but cdkd
+   * surfaces it defensively so future schema revisions or custom
+   * property overrides can round-trip cleanly.
+   *
+   * Returns `undefined` when the consumer is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    if (resourceType !== "AWS::Kinesis::StreamConsumer")
+      return void 0;
+    let desc;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeStreamConsumerCommand({ ConsumerARN: physicalId })
+      );
+      desc = resp.ConsumerDescription;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException14)
+        return void 0;
+      throw err;
+    }
+    if (!desc)
+      return void 0;
+    const result = {};
+    if (desc.ConsumerName !== void 0)
+      result["ConsumerName"] = desc.ConsumerName;
+    if (desc.StreamARN !== void 0)
+      result["StreamARN"] = desc.StreamARN;
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand18({ ResourceARN: physicalId })
+      );
+      result["Tags"] = normalizeAwsTagsToCfn(tagsResp.Tags);
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException14)
+        return void 0;
+      this.logger.debug(
+        `ListTagsForResource(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      result["Tags"] = [];
+    }
+    return result;
+  }
+  /**
+   * Apply a diff between old and new CFn-shape Tags arrays via Kinesis's
+   * generic `TagResource` (TagMap shape) / `UntagResource` (TagKeys list)
+   * APIs. Mirrors `KinesisStreamProvider.applyTagDiff`, except the
+   * Kinesis service splits the per-resource-type tag APIs vs the generic
+   * tag APIs — StreamConsumer uses the generic ones (which accept any
+   * Kinesis resource ARN).
+   */
+  async applyTagDiff(consumerArn, oldTagsRaw, newTagsRaw) {
+    const oldMap = tagListToMap(oldTagsRaw) ?? {};
+    const newMap = tagListToMap(newTagsRaw) ?? {};
+    const tagsToAdd = {};
+    for (const [k, v] of Object.entries(newMap)) {
+      if (oldMap[k] !== v)
+        tagsToAdd[k] = v;
+    }
+    const tagsToRemove = [];
+    for (const k of Object.keys(oldMap)) {
+      if (!(k in newMap))
+        tagsToRemove.push(k);
+    }
+    if (tagsToRemove.length > 0) {
+      await this.getClient().send(
+        new UntagResourceCommand15({ ResourceARN: consumerArn, TagKeys: tagsToRemove })
+      );
+      this.logger.debug(
+        `Removed ${tagsToRemove.length} tag(s) from Kinesis stream consumer ${consumerArn}`
+      );
+    }
+    if (Object.keys(tagsToAdd).length > 0) {
+      await this.getClient().send(
+        new TagResourceCommand15({ ResourceARN: consumerArn, Tags: tagsToAdd })
+      );
+      this.logger.debug(
+        `Added/updated ${Object.keys(tagsToAdd).length} tag(s) on Kinesis stream consumer ${consumerArn}`
+      );
+    }
+  }
+  /**
+   * Poll DescribeStreamConsumer until the consumer reaches `ACTIVE`.
+   *
+   * Uses 1s polling intervals — consumer registration is typically
+   * sub-second, but AWS can take up to ~30s under load. Caps at 60
+   * attempts (1 minute total) which is bounded above by the per-resource
+   * `--resource-timeout` deadline.
+   */
+  async waitForConsumerActive(consumerArn, maxAttempts = 60) {
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      const resp = await this.getClient().send(
+        new DescribeStreamConsumerCommand({ ConsumerARN: consumerArn })
+      );
+      const status = resp.ConsumerDescription?.ConsumerStatus;
+      this.logger.debug(
+        `Consumer ${consumerArn} status: ${status} (attempt ${attempt}/${maxAttempts})`
+      );
+      if (status === "ACTIVE")
+        return;
+      if (status !== "CREATING") {
+        throw new Error(`Unexpected consumer status: ${status}`);
+      }
+      await new Promise((resolve4) => setTimeout(resolve4, 1e3));
+    }
+    throw new Error(
+      `Consumer ${consumerArn} did not reach ACTIVE status within ${maxAttempts} seconds`
+    );
+  }
+};
+function tagListToMap(tags) {
+  if (!tags || tags.length === 0)
+    return void 0;
+  const out = {};
+  for (const t of tags) {
+    if (t.Key !== void 0 && t.Value !== void 0)
+      out[t.Key] = t.Value;
+  }
+  return Object.keys(out).length > 0 ? out : void 0;
+}
+
 // src/provisioning/providers/efs-provider.ts
 import {
   EFSClient,
@@ -57831,7 +59136,7 @@ import {
   DescribeDeliveryStreamCommand,
   ListDeliveryStreamsCommand,
   ListTagsForDeliveryStreamCommand,
-  ResourceNotFoundException as ResourceNotFoundException14
+  ResourceNotFoundException as ResourceNotFoundException15
 } from "@aws-sdk/client-firehose";
 var FirehoseProvider = class {
   client;
@@ -58064,7 +59369,7 @@ var FirehoseProvider = class {
       );
       this.logger.debug(`Successfully deleted Firehose delivery stream ${logicalId}`);
     } catch (error) {
-      if (error instanceof ResourceNotFoundException14) {
+      if (error instanceof ResourceNotFoundException15) {
         const clientRegion = await this.getClient().config.region();
         assertRegionMatch(
           clientRegion,
@@ -58243,7 +59548,7 @@ var FirehoseProvider = class {
       );
       desc = resp.DeliveryStreamDescription;
     } catch (err) {
-      if (err instanceof ResourceNotFoundException14)
+      if (err instanceof ResourceNotFoundException15)
         return void 0;
       throw err;
     }
@@ -58314,7 +59619,7 @@ var FirehoseProvider = class {
       );
       result["Tags"] = normalizeAwsTagsToCfn(tagsResp.Tags);
     } catch (err) {
-      if (err instanceof ResourceNotFoundException14)
+      if (err instanceof ResourceNotFoundException15)
         return void 0;
       this.logger.debug(
         `Firehose ListTagsForDeliveryStream(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
@@ -58358,7 +59663,7 @@ var FirehoseProvider = class {
         );
         return { physicalId: explicit, attributes: {} };
       } catch (err) {
-        if (err instanceof ResourceNotFoundException14)
+        if (err instanceof ResourceNotFoundException15)
           return null;
         throw err;
       }
@@ -58993,7 +60298,7 @@ import {
   UpdateProjectCommand,
   BatchGetProjectsCommand,
   ListProjectsCommand,
-  ResourceNotFoundException as ResourceNotFoundException15
+  ResourceNotFoundException as ResourceNotFoundException16
 } from "@aws-sdk/client-codebuild";
 var CodeBuildProvider = class {
   client;
@@ -59231,7 +60536,7 @@ var CodeBuildProvider = class {
       await this.getClient().send(new DeleteProjectCommand({ name: physicalId }));
       this.logger.debug(`Successfully deleted CodeBuild Project ${logicalId}`);
     } catch (error) {
-      if (error instanceof ResourceNotFoundException15) {
+      if (error instanceof ResourceNotFoundException16) {
         const clientRegion = await this.getClient().config.region();
         assertRegionMatch(
           clientRegion,
@@ -59302,7 +60607,7 @@ var CodeBuildProvider = class {
       );
       project = resp.projects?.[0];
     } catch (err) {
-      if (err instanceof ResourceNotFoundException15)
+      if (err instanceof ResourceNotFoundException16)
         return void 0;
       throw err;
     }
@@ -59549,7 +60854,7 @@ var CodeBuildProvider = class {
         );
         return resp.projects?.[0]?.name ? { physicalId: explicit, attributes: {} } : null;
       } catch (err) {
-        if (err instanceof ResourceNotFoundException15)
+        if (err instanceof ResourceNotFoundException16)
           return null;
         throw err;
       }
@@ -59589,7 +60894,7 @@ import {
   GetVectorBucketCommand,
   ListIndexesCommand,
   ListVectorBucketsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand18,
+  ListTagsForResourceCommand as ListTagsForResourceCommand19,
   DeleteIndexCommand
 } from "@aws-sdk/client-s3vectors";
 var S3VectorsProvider = class {
@@ -59823,7 +61128,7 @@ var S3VectorsProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand18({ resourceArn: bucket.vectorBucketArn })
+            new ListTagsForResourceCommand19({ resourceArn: bucket.vectorBucketArn })
           );
           if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
             return { physicalId: bucket.vectorBucketName, attributes: {} };
@@ -60167,7 +61472,7 @@ import {
   ListNamespacesCommand as ListNamespacesCommand2,
   ListTablesCommand as ListTablesCommand2,
   ListTableBucketsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand19,
+  ListTagsForResourceCommand as ListTagsForResourceCommand20,
   NotFoundException as NotFoundException6
 } from "@aws-sdk/client-s3tables";
 var S3TablesProvider = class {
@@ -60651,7 +61956,7 @@ var S3TablesProvider = class {
         if (input.cdkPath) {
           try {
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand19({ resourceArn: bucket.arn })
+              new ListTagsForResourceCommand20({ resourceArn: bucket.arn })
             );
             if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
               return { physicalId: bucket.arn, attributes: {} };
@@ -60731,7 +62036,7 @@ var S3TablesProvider = class {
                   continue;
                 try {
                   const tagsResp = await this.getClient().send(
-                    new ListTagsForResourceCommand19({ resourceArn: table.tableARN })
+                    new ListTagsForResourceCommand20({ resourceArn: table.tableARN })
                   );
                   if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
                     return {
@@ -60816,8 +62121,8 @@ import {
   SetRepositoryPolicyCommand,
   PutImageScanningConfigurationCommand,
   PutImageTagMutabilityCommand,
-  TagResourceCommand as TagResourceCommand15,
-  ListTagsForResourceCommand as ListTagsForResourceCommand20,
+  TagResourceCommand as TagResourceCommand16,
+  ListTagsForResourceCommand as ListTagsForResourceCommand21,
   LifecyclePolicyNotFoundException,
   RepositoryNotFoundException
 } from "@aws-sdk/client-ecr";
@@ -61005,7 +62310,7 @@ var ECRProvider = class {
         const repoArn = describeResponse.repositories?.[0]?.repositoryArn;
         if (repoArn && newTags) {
           await this.getClient().send(
-            new TagResourceCommand15({
+            new TagResourceCommand16({
               resourceArn: repoArn,
               tags: newTags
             })
@@ -61147,7 +62452,7 @@ var ECRProvider = class {
     if (r.repositoryArn) {
       try {
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand20({ resourceArn: r.repositoryArn })
+          new ListTagsForResourceCommand21({ resourceArn: r.repositoryArn })
         );
         const tags = normalizeAwsTagsToCfn(tagsResp.tags);
         result["Tags"] = tags;
@@ -61193,7 +62498,7 @@ var ECRProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand20({ resourceArn: repo.repositoryArn })
+            new ListTagsForResourceCommand21({ resourceArn: repo.repositoryArn })
           );
           if (matchesCdkPath(tagsResp.tags, input.cdkPath)) {
             return { physicalId: repo.repositoryName, attributes: {} };
@@ -62252,6 +63557,7 @@ function registerAllProviders(registry) {
   registry.register("AWS::KMS::Key", kmsProvider);
   registry.register("AWS::KMS::Alias", kmsProvider);
   registry.register("AWS::Kinesis::Stream", new KinesisStreamProvider());
+  registry.register("AWS::Kinesis::StreamConsumer", new KinesisStreamConsumerProvider());
   const efsProvider = new EFSProvider();
   registry.register("AWS::EFS::FileSystem", efsProvider);
   registry.register("AWS::EFS::MountTarget", efsProvider);
@@ -67067,7 +68373,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.61.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.63.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());