@go-to-k/cdkd 0.62.0 → 0.64.0

package/dist/cli.js

@@ -42217,6 +42217,42 @@ var EC2Provider = class {
       throw err;
     }
   }
+  /**
+   * Drift-unknown paths per resource type.
+   *
+   * The 6 EC2 sub-resource types (`AWS::EC2::Route` /
+   * `VPCGatewayAttachment` / `SubnetRouteTableAssociation` /
+   * `SecurityGroupIngress` / `NetworkAclEntry` /
+   * `SubnetNetworkAclAssociation`) have NO AWS-side `Tags` API — the
+   * underlying AWS objects (route entries, NACL entries, route-table
+   * associations, NACL associations, IGW attachments) are not
+   * tag-bearing on AWS, and the corresponding CFn schemas do not model
+   * `Tags` either. Declaring `'Tags'` here is defense-in-depth: if a
+   * future CFn schema revision adds `Tags` to one of these types, or
+   * cdkd state somehow carries `Tags` for one of them via a custom
+   * property override, the drift comparator will skip the path
+   * instead of firing guaranteed false-positive drift on every clean
+   * run.
+   *
+   * Other EC2 types (`VPC` / `Subnet` / `InternetGateway` /
+   * `NatGateway` / `RouteTable` / `SecurityGroup` / `Instance` /
+   * `NetworkAcl`) have first-class Tags support via
+   * `DescribeTags` — they surface `Tags` directly in
+   * `readCurrentState` and don't need this declaration.
+   */
+  getDriftUnknownPaths(resourceType) {
+    switch (resourceType) {
+      case "AWS::EC2::Route":
+      case "AWS::EC2::VPCGatewayAttachment":
+      case "AWS::EC2::SubnetRouteTableAssociation":
+      case "AWS::EC2::SecurityGroupIngress":
+      case "AWS::EC2::NetworkAclEntry":
+      case "AWS::EC2::SubnetNetworkAclAssociation":
+        return ["Tags"];
+      default:
+        return [];
+    }
+  }
   async readVpcCurrentState(physicalId) {
     const resp = await this.ec2Client.send(new DescribeVpcsCommand2({ VpcIds: [physicalId] }));
     const vpc = resp.Vpcs?.[0];
@@ -56144,6 +56180,15 @@ import {
   GetTableCommand,
   GetTablesCommand,
   GetTagsCommand,
+  CreateWorkflowCommand,
+  UpdateWorkflowCommand,
+  DeleteWorkflowCommand,
+  GetWorkflowCommand,
+  ListWorkflowsCommand,
+  CreateSecurityConfigurationCommand,
+  DeleteSecurityConfigurationCommand,
+  GetSecurityConfigurationCommand,
+  GetSecurityConfigurationsCommand,
   EntityNotFoundException
 } from "@aws-sdk/client-glue";
 import { STSClient as STSClient8, GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
@@ -56836,162 +56881,57 @@ var GlueProvider = class {
     return this.cachedAccountId;
   }
 };
-
-// src/provisioning/providers/kms-provider.ts
-import {
-  KMSClient as KMSClient2,
-  CreateKeyCommand,
-  DescribeKeyCommand,
-  GetKeyPolicyCommand,
-  GetKeyRotationStatusCommand,
-  ListAliasesCommand as ListAliasesCommand2,
-  ListKeysCommand,
-  ListResourceTagsCommand,
-  ScheduleKeyDeletionCommand,
-  CreateAliasCommand,
-  DeleteAliasCommand,
-  UpdateAliasCommand,
-  EnableKeyRotationCommand,
-  DisableKeyRotationCommand,
-  UpdateKeyDescriptionCommand,
-  PutKeyPolicyCommand,
-  EnableKeyCommand,
-  DisableKeyCommand,
-  TagResourceCommand as TagResourceCommand14,
-  UntagResourceCommand as UntagResourceCommand14,
-  NotFoundException as NotFoundException5
-} from "@aws-sdk/client-kms";
-var KMSProvider = class {
+var GlueWorkflowProvider = class {
   client;
+  stsClient;
+  cachedAccountId;
   providerRegion = process.env["AWS_REGION"];
-  logger = getLogger().child("KMSProvider");
+  logger = getLogger().child("GlueWorkflowProvider");
   handledProperties = /* @__PURE__ */ new Map([
     [
-      "AWS::KMS::Key",
-      /* @__PURE__ */ new Set([
-        "Description",
-        "KeyPolicy",
-        "KeySpec",
-        "KeyUsage",
-        "EnableKeyRotation",
-        "Tags",
-        "Enabled",
-        "MultiRegion",
-        "PendingWindowInDays",
-        "RotationPeriodInDays",
-        "Origin",
-        "BypassPolicyLockoutSafetyCheck"
-      ])
-    ],
-    ["AWS::KMS::Alias", /* @__PURE__ */ new Set(["AliasName", "TargetKeyId"])]
+      "AWS::Glue::Workflow",
+      /* @__PURE__ */ new Set(["Name", "Description", "DefaultRunProperties", "MaxConcurrentRuns", "Tags"])
+    ]
   ]);
   getClient() {
     if (!this.client) {
-      this.client = new KMSClient2(this.providerRegion ? { region: this.providerRegion } : {});
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
     }
     return this.client;
   }
-  // ─── Dispatch ─────────────────────────────────────────────────────
   async create(logicalId, resourceType, properties) {
-    switch (resourceType) {
-      case "AWS::KMS::Key":
-        return this.createKey(logicalId, resourceType, properties);
-      case "AWS::KMS::Alias":
-        return this.createAlias(logicalId, resourceType, properties);
-      default:
-        throw new ProvisioningError(
-          `Unsupported resource type: ${resourceType}`,
-          resourceType,
-          logicalId
-        );
-    }
-  }
-  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
-    switch (resourceType) {
-      case "AWS::KMS::Key":
-        return this.updateKey(logicalId, physicalId, resourceType, properties, _previousProperties);
-      case "AWS::KMS::Alias":
-        return this.updateAlias(logicalId, physicalId, resourceType, properties);
-      default:
-        throw new ProvisioningError(
-          `Unsupported resource type: ${resourceType}`,
-          resourceType,
-          logicalId,
-          physicalId
-        );
-    }
-  }
-  async delete(logicalId, physicalId, resourceType, _properties, context) {
-    switch (resourceType) {
-      case "AWS::KMS::Key":
-        return this.deleteKey(logicalId, physicalId, resourceType, _properties, context);
-      case "AWS::KMS::Alias":
-        return this.deleteAlias(logicalId, physicalId, resourceType, context);
-      default:
-        throw new ProvisioningError(
-          `Unsupported resource type: ${resourceType}`,
-          resourceType,
-          logicalId,
-          physicalId
-        );
+    this.logger.debug(`Creating Glue Workflow ${logicalId}`);
+    const name = properties["Name"];
+    if (!name) {
+      throw new ProvisioningError(
+        `Name is required for Glue Workflow ${logicalId}`,
+        resourceType,
+        logicalId
+      );
     }
-  }
-  // ─── AWS::KMS::Key ─────────────────────────────────────────────────
-  async createKey(logicalId, resourceType, properties) {
-    this.logger.debug(`Creating KMS Key ${logicalId}`);
-    const description = properties["Description"];
-    const keyPolicy = properties["KeyPolicy"];
-    const keySpec = properties["KeySpec"];
-    const keyUsage = properties["KeyUsage"];
-    const enableKeyRotation = properties["EnableKeyRotation"];
-    const tags = properties["Tags"];
-    const multiRegion = properties["MultiRegion"];
-    const origin = properties["Origin"];
-    const bypassPolicyLockoutSafetyCheck = properties["BypassPolicyLockoutSafetyCheck"];
     try {
-      const result = await this.getClient().send(
-        new CreateKeyCommand({
-          Description: description,
-          KeySpec: keySpec,
-          KeyUsage: keyUsage,
-          Policy: keyPolicy ? typeof keyPolicy === "string" ? keyPolicy : JSON.stringify(keyPolicy) : void 0,
-          Tags: tags ? tags.map((t) => ({ TagKey: t.Key, TagValue: t.Value })) : void 0,
-          MultiRegion: multiRegion,
-          Origin: origin,
-          BypassPolicyLockoutSafetyCheck: bypassPolicyLockoutSafetyCheck
+      const tags = workflowTagsForCreate(properties["Tags"]);
+      await this.getClient().send(
+        new CreateWorkflowCommand({
+          Name: name,
+          ...properties["Description"] !== void 0 && {
+            Description: properties["Description"]
+          },
+          ...properties["DefaultRunProperties"] !== void 0 && {
+            DefaultRunProperties: properties["DefaultRunProperties"]
+          },
+          ...properties["MaxConcurrentRuns"] !== void 0 && {
+            MaxConcurrentRuns: properties["MaxConcurrentRuns"]
+          },
+          ...tags && { Tags: tags }
         })
       );
-      const keyId = result.KeyMetadata.KeyId;
-      const keyArn = result.KeyMetadata.Arn;
-      if (enableKeyRotation) {
-        const rotationPeriodInDays = properties["RotationPeriodInDays"];
-        this.logger.debug(`Enabling key rotation for KMS Key ${logicalId}`);
-        await this.getClient().send(
-          new EnableKeyRotationCommand({
-            KeyId: keyId,
-            ...rotationPeriodInDays !== void 0 && {
-              RotationPeriodInDays: rotationPeriodInDays
-            }
-          })
-        );
-      }
-      const enabled = properties["Enabled"];
-      if (enabled === false) {
-        this.logger.debug(`Disabling KMS Key ${logicalId}`);
-        await this.getClient().send(new DisableKeyCommand({ KeyId: keyId }));
-      }
-      this.logger.debug(`Successfully created KMS Key ${logicalId}: ${keyId}`);
-      return {
-        physicalId: keyId,
-        attributes: {
-          Arn: keyArn,
-          KeyId: keyId
-        }
-      };
+      this.logger.debug(`Successfully created Glue Workflow ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
     } catch (error) {
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Failed to create KMS Key ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to create Glue Workflow ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
         void 0,
@@ -56999,75 +56939,29 @@ var KMSProvider = class {
       );
     }
   }
-  async updateKey(logicalId, physicalId, resourceType, properties, previousProperties) {
-    this.logger.debug(`Updating KMS Key ${logicalId}: ${physicalId}`);
+  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    this.logger.debug(`Updating Glue Workflow ${logicalId}: ${physicalId}`);
     try {
-      const newDescription = properties["Description"];
-      const oldDescription = previousProperties["Description"];
-      if (newDescription !== oldDescription) {
-        this.logger.debug(`Updating description for KMS Key ${logicalId}`);
-        await this.getClient().send(
-          new UpdateKeyDescriptionCommand({
-            KeyId: physicalId,
-            Description: newDescription ?? ""
-          })
-        );
-      }
-      const newEnableKeyRotation = properties["EnableKeyRotation"];
-      const oldEnableKeyRotation = previousProperties["EnableKeyRotation"];
-      if (newEnableKeyRotation !== oldEnableKeyRotation) {
-        if (newEnableKeyRotation) {
-          const rotationPeriodInDays = properties["RotationPeriodInDays"];
-          this.logger.debug(`Enabling key rotation for KMS Key ${logicalId}`);
-          await this.getClient().send(
-            new EnableKeyRotationCommand({
-              KeyId: physicalId,
-              ...rotationPeriodInDays !== void 0 && {
-                RotationPeriodInDays: rotationPeriodInDays
-              }
-            })
-          );
-        } else {
-          this.logger.debug(`Disabling key rotation for KMS Key ${logicalId}`);
-          await this.getClient().send(new DisableKeyRotationCommand({ KeyId: physicalId }));
-        }
-      }
-      const newEnabled = properties["Enabled"];
-      const oldEnabled = previousProperties["Enabled"];
-      if (newEnabled !== oldEnabled) {
-        if (newEnabled === false) {
-          this.logger.debug(`Disabling KMS Key ${logicalId}`);
-          await this.getClient().send(new DisableKeyCommand({ KeyId: physicalId }));
-        } else {
-          this.logger.debug(`Enabling KMS Key ${logicalId}`);
-          await this.getClient().send(new EnableKeyCommand({ KeyId: physicalId }));
-        }
-      }
-      await this.applyTagDiff(
-        physicalId,
-        previousProperties["Tags"],
-        properties["Tags"]
+      await this.getClient().send(
+        new UpdateWorkflowCommand({
+          Name: physicalId,
+          ...properties["Description"] !== void 0 && {
+            Description: properties["Description"]
+          },
+          ...properties["DefaultRunProperties"] !== void 0 && {
+            DefaultRunProperties: properties["DefaultRunProperties"]
+          },
+          ...properties["MaxConcurrentRuns"] !== void 0 && {
+            MaxConcurrentRuns: properties["MaxConcurrentRuns"]
+          }
+        })
       );
-      const newKeyPolicy = properties["KeyPolicy"];
-      const oldKeyPolicy = previousProperties["KeyPolicy"];
-      const newPolicyStr = newKeyPolicy ? typeof newKeyPolicy === "string" ? newKeyPolicy : JSON.stringify(newKeyPolicy) : void 0;
-      const oldPolicyStr = oldKeyPolicy ? typeof oldKeyPolicy === "string" ? oldKeyPolicy : JSON.stringify(oldKeyPolicy) : void 0;
-      if (newPolicyStr !== oldPolicyStr && newPolicyStr) {
-        this.logger.debug(`Updating key policy for KMS Key ${logicalId}`);
-        await this.getClient().send(
-          new PutKeyPolicyCommand({
-            KeyId: physicalId,
-            PolicyName: "default",
-            Policy: newPolicyStr
-          })
-        );
-      }
-      this.logger.debug(`Successfully updated KMS Key ${logicalId}`);
+      this.logger.debug(`Successfully updated Glue Workflow ${logicalId}`);
       return { physicalId, wasReplaced: false };
     } catch (error) {
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Failed to update KMS Key ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to update Glue Workflow ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
         physicalId,
@@ -57075,19 +56969,13 @@ var KMSProvider = class {
       );
     }
   }
-  async deleteKey(logicalId, physicalId, resourceType, properties, context) {
-    this.logger.debug(`Scheduling deletion for KMS Key ${logicalId}: ${physicalId}`);
-    const pendingWindowInDays = properties?.["PendingWindowInDays"] ?? 7;
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting Glue Workflow ${logicalId}: ${physicalId}`);
     try {
-      await this.getClient().send(
-        new ScheduleKeyDeletionCommand({
-          KeyId: physicalId,
-          PendingWindowInDays: pendingWindowInDays
-        })
-      );
-      this.logger.debug(`Successfully scheduled deletion for KMS Key ${logicalId}`);
+      await this.getClient().send(new DeleteWorkflowCommand({ Name: physicalId }));
+      this.logger.debug(`Successfully deleted Glue Workflow ${logicalId}`);
     } catch (error) {
-      if (error instanceof NotFoundException5) {
+      if (error instanceof EntityNotFoundException) {
         const clientRegion = await this.getClient().config.region();
         assertRegionMatch(
           clientRegion,
@@ -57096,12 +56984,12 @@ var KMSProvider = class {
           logicalId,
           physicalId
         );
-        this.logger.debug(`KMS Key ${physicalId} does not exist, skipping deletion`);
+        this.logger.debug(`Glue Workflow ${physicalId} does not exist, skipping deletion`);
         return;
       }
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Failed to schedule deletion for KMS Key ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to delete Glue Workflow ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
         physicalId,
@@ -57109,10 +56997,636 @@ var KMSProvider = class {
       );
     }
   }
-  /**
-   * Apply a diff between old and new CFn-shape Tags arrays via KMS's
-   * `TagResource` / `UntagResource` APIs. KMS uses `{TagKey, TagValue}`
-   * (NOT the standard `{Key, Value}` shape) keyed by `KeyId`.
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  /**
+   * Read AWS-current Workflow shape via `GetWorkflow`. Surfaces every
+   * user-controllable top-level CFn key with always-emit placeholders
+   * (PR #145):
+   *  - `Description` → `?? ''`
+   *  - `DefaultRunProperties` → `?? {}`
+   *  - `MaxConcurrentRuns` → omitted when AWS reports `undefined` (no
+   *    AWS-side default to anchor a placeholder against; cdkd state may
+   *    legitimately leave this unset)
+   *  - `Tags` → `?? []` (filtered against `aws:cdk:path` and the rest of
+   *    the `aws:`-prefixed reserved space)
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let workflow;
+    try {
+      const resp = await this.getClient().send(
+        new GetWorkflowCommand({ Name: physicalId, IncludeGraph: false })
+      );
+      workflow = resp.Workflow;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!workflow)
+      return void 0;
+    const result = {
+      Name: workflow.Name ?? physicalId,
+      Description: workflow.Description ?? "",
+      DefaultRunProperties: workflow.DefaultRunProperties ?? {}
+    };
+    if (workflow.MaxConcurrentRuns !== void 0) {
+      result["MaxConcurrentRuns"] = workflow.MaxConcurrentRuns;
+    }
+    const arn = await this.buildWorkflowArn(physicalId);
+    let tags = [];
+    try {
+      const tagResp = await this.getClient().send(new GetTagsCommand({ ResourceArn: arn }));
+      tags = normalizeAwsTagsToCfn(tagResp.Tags);
+    } catch (err) {
+      this.logger.debug(
+        `GetTags failed for Glue Workflow ${physicalId}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    result["Tags"] = tags;
+    return result;
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["Name"];
+    if (explicitName) {
+      try {
+        await this.getClient().send(new GetWorkflowCommand({ Name: explicitName }));
+        return { physicalId: explicitName, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListWorkflowsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const name of list.Workflows ?? []) {
+        const arn = await this.buildWorkflowArn(name);
+        if (await this.tagsMatchCdkPath(arn, input.cdkPath)) {
+          return { physicalId: name, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  async tagsMatchCdkPath(arn, cdkPath) {
+    try {
+      const resp = await this.getClient().send(new GetTagsCommand({ ResourceArn: arn }));
+      return resp.Tags?.[CDK_PATH_TAG] === cdkPath;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return false;
+      throw err;
+    }
+  }
+  async buildWorkflowArn(workflowName) {
+    const region = await this.getRegion();
+    const account = await this.getAccountId();
+    return `arn:aws:glue:${region}:${account}:workflow/${workflowName}`;
+  }
+  async getRegion() {
+    const region = await this.getClient().config.region();
+    return region || this.providerRegion || "us-east-1";
+  }
+  async getAccountId() {
+    if (this.cachedAccountId)
+      return this.cachedAccountId;
+    if (!this.stsClient) {
+      this.stsClient = new STSClient8(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand8({}));
+    if (!identity.Account) {
+      throw new Error("Failed to resolve AWS account id from STS");
+    }
+    this.cachedAccountId = identity.Account;
+    return this.cachedAccountId;
+  }
+};
+var GlueSecurityConfigurationProvider = class {
+  client;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("GlueSecurityConfigurationProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    ["AWS::Glue::SecurityConfiguration", /* @__PURE__ */ new Set(["Name", "EncryptionConfiguration"])]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  async create(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Glue SecurityConfiguration ${logicalId}`);
+    const name = properties["Name"];
+    if (!name) {
+      throw new ProvisioningError(
+        `Name is required for Glue SecurityConfiguration ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    const encryptionConfiguration = properties["EncryptionConfiguration"];
+    if (!encryptionConfiguration) {
+      throw new ProvisioningError(
+        `EncryptionConfiguration is required for Glue SecurityConfiguration ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    try {
+      await this.getClient().send(
+        new CreateSecurityConfigurationCommand({
+          Name: name,
+          EncryptionConfiguration: buildEncryptionConfiguration(encryptionConfiguration)
+        })
+      );
+      this.logger.debug(`Successfully created Glue SecurityConfiguration ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Glue SecurityConfiguration ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    throw new ResourceUpdateNotSupportedError(
+      resourceType,
+      logicalId,
+      "AWS::Glue::SecurityConfiguration is immutable; AWS provides no Update API. Use cdkd deploy --replace, or destroy + redeploy with the new EncryptionConfiguration."
+    );
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting Glue SecurityConfiguration ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeleteSecurityConfigurationCommand({ Name: physicalId }));
+      this.logger.debug(`Successfully deleted Glue SecurityConfiguration ${logicalId}`);
+    } catch (error) {
+      if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(
+          `Glue SecurityConfiguration ${physicalId} does not exist, skipping deletion`
+        );
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Glue SecurityConfiguration ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  /**
+   * Read AWS-current SecurityConfiguration shape via
+   * `GetSecurityConfiguration`. Always emits the three CFn-modeled
+   * sub-configs (`S3Encryption: []`, `CloudWatchEncryption: {}`,
+   * `JobBookmarksEncryption: {}`) per PR #145 even when AWS reports
+   * nothing — closes the "console-side encryption enable on a previously
+   * default config" detection gap on the v3 baseline.
+   *
+   * `DataQualityEncryption` is silently dropped: the CFn schema for
+   * `AWS::Glue::SecurityConfiguration` does not model it, so surfacing it
+   * would fire false drift on every clean run for a key cdkd state can
+   * never carry.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let cfg;
+    try {
+      const resp = await this.getClient().send(
+        new GetSecurityConfigurationCommand({ Name: physicalId })
+      );
+      cfg = resp.SecurityConfiguration;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!cfg)
+      return void 0;
+    return {
+      Name: cfg.Name ?? physicalId,
+      EncryptionConfiguration: mapEncryptionConfigurationToCfn(cfg.EncryptionConfiguration)
+    };
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["Name"];
+    if (explicitName) {
+      try {
+        await this.getClient().send(new GetSecurityConfigurationCommand({ Name: explicitName }));
+        return { physicalId: explicitName, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!explicitName) {
+      let nextToken;
+      do {
+        const list = await this.getClient().send(
+          new GetSecurityConfigurationsCommand({ ...nextToken && { NextToken: nextToken } })
+        );
+        for (const _entry of list.SecurityConfigurations ?? []) {
+        }
+        nextToken = list.NextToken;
+      } while (nextToken);
+      return null;
+    }
+    return null;
+  }
+};
+function workflowTagsForCreate(tags) {
+  if (!Array.isArray(tags) || tags.length === 0)
+    return void 0;
+  const out = {};
+  for (const t of tags) {
+    const obj = t;
+    const k = typeof obj["Key"] === "string" ? obj["Key"] : void 0;
+    const v = typeof obj["Value"] === "string" ? obj["Value"] : "";
+    if (!k)
+      continue;
+    out[k] = v;
+  }
+  return Object.keys(out).length > 0 ? out : void 0;
+}
+function buildEncryptionConfiguration(input) {
+  const result = {};
+  if (Array.isArray(input["S3Encryption"])) {
+    result.S3Encryption = input["S3Encryption"].map((entry) => {
+      const e = entry;
+      const item = {};
+      if (typeof e["S3EncryptionMode"] === "string") {
+        item.S3EncryptionMode = e["S3EncryptionMode"];
+      }
+      if (typeof e["KmsKeyArn"] === "string") {
+        item.KmsKeyArn = e["KmsKeyArn"];
+      }
+      return item;
+    });
+  }
+  if (input["CloudWatchEncryption"] !== void 0) {
+    const cw = input["CloudWatchEncryption"];
+    const item = {};
+    if (typeof cw["CloudWatchEncryptionMode"] === "string") {
+      item.CloudWatchEncryptionMode = cw["CloudWatchEncryptionMode"];
+    }
+    if (typeof cw["KmsKeyArn"] === "string") {
+      item.KmsKeyArn = cw["KmsKeyArn"];
+    }
+    result.CloudWatchEncryption = item;
+  }
+  if (input["JobBookmarksEncryption"] !== void 0) {
+    const jb = input["JobBookmarksEncryption"];
+    const item = {};
+    if (typeof jb["JobBookmarksEncryptionMode"] === "string") {
+      item.JobBookmarksEncryptionMode = jb["JobBookmarksEncryptionMode"];
+    }
+    if (typeof jb["KmsKeyArn"] === "string") {
+      item.KmsKeyArn = jb["KmsKeyArn"];
+    }
+    result.JobBookmarksEncryption = item;
+  }
+  return result;
+}
+function mapEncryptionConfigurationToCfn(cfg) {
+  const c = cfg ?? {};
+  return {
+    S3Encryption: (c.S3Encryption ?? []).map((entry) => {
+      const out = {};
+      if (entry.S3EncryptionMode !== void 0)
+        out["S3EncryptionMode"] = entry.S3EncryptionMode;
+      if (entry.KmsKeyArn !== void 0)
+        out["KmsKeyArn"] = entry.KmsKeyArn;
+      return out;
+    }),
+    CloudWatchEncryption: c.CloudWatchEncryption ? cleanCfnObject({
+      CloudWatchEncryptionMode: c.CloudWatchEncryption.CloudWatchEncryptionMode,
+      KmsKeyArn: c.CloudWatchEncryption.KmsKeyArn
+    }) : {},
+    JobBookmarksEncryption: c.JobBookmarksEncryption ? cleanCfnObject({
+      JobBookmarksEncryptionMode: c.JobBookmarksEncryption.JobBookmarksEncryptionMode,
+      KmsKeyArn: c.JobBookmarksEncryption.KmsKeyArn
+    }) : {}
+  };
+}
+function cleanCfnObject(obj) {
+  const out = {};
+  for (const [k, v] of Object.entries(obj)) {
+    if (v !== void 0)
+      out[k] = v;
+  }
+  return out;
+}
+
+// src/provisioning/providers/kms-provider.ts
+import {
+  KMSClient as KMSClient2,
+  CreateKeyCommand,
+  DescribeKeyCommand,
+  GetKeyPolicyCommand,
+  GetKeyRotationStatusCommand,
+  ListAliasesCommand as ListAliasesCommand2,
+  ListKeysCommand,
+  ListResourceTagsCommand,
+  ScheduleKeyDeletionCommand,
+  CreateAliasCommand,
+  DeleteAliasCommand,
+  UpdateAliasCommand,
+  EnableKeyRotationCommand,
+  DisableKeyRotationCommand,
+  UpdateKeyDescriptionCommand,
+  PutKeyPolicyCommand,
+  EnableKeyCommand,
+  DisableKeyCommand,
+  TagResourceCommand as TagResourceCommand14,
+  UntagResourceCommand as UntagResourceCommand14,
+  NotFoundException as NotFoundException5
+} from "@aws-sdk/client-kms";
+var KMSProvider = class {
+  client;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("KMSProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::KMS::Key",
+      /* @__PURE__ */ new Set([
+        "Description",
+        "KeyPolicy",
+        "KeySpec",
+        "KeyUsage",
+        "EnableKeyRotation",
+        "Tags",
+        "Enabled",
+        "MultiRegion",
+        "PendingWindowInDays",
+        "RotationPeriodInDays",
+        "Origin",
+        "BypassPolicyLockoutSafetyCheck"
+      ])
+    ],
+    ["AWS::KMS::Alias", /* @__PURE__ */ new Set(["AliasName", "TargetKeyId"])]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new KMSClient2(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  // ─── Dispatch ─────────────────────────────────────────────────────
+  async create(logicalId, resourceType, properties) {
+    switch (resourceType) {
+      case "AWS::KMS::Key":
+        return this.createKey(logicalId, resourceType, properties);
+      case "AWS::KMS::Alias":
+        return this.createAlias(logicalId, resourceType, properties);
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId
+        );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    switch (resourceType) {
+      case "AWS::KMS::Key":
+        return this.updateKey(logicalId, physicalId, resourceType, properties, _previousProperties);
+      case "AWS::KMS::Alias":
+        return this.updateAlias(logicalId, physicalId, resourceType, properties);
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    switch (resourceType) {
+      case "AWS::KMS::Key":
+        return this.deleteKey(logicalId, physicalId, resourceType, _properties, context);
+      case "AWS::KMS::Alias":
+        return this.deleteAlias(logicalId, physicalId, resourceType, context);
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+    }
+  }
+  // ─── AWS::KMS::Key ─────────────────────────────────────────────────
+  async createKey(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating KMS Key ${logicalId}`);
+    const description = properties["Description"];
+    const keyPolicy = properties["KeyPolicy"];
+    const keySpec = properties["KeySpec"];
+    const keyUsage = properties["KeyUsage"];
+    const enableKeyRotation = properties["EnableKeyRotation"];
+    const tags = properties["Tags"];
+    const multiRegion = properties["MultiRegion"];
+    const origin = properties["Origin"];
+    const bypassPolicyLockoutSafetyCheck = properties["BypassPolicyLockoutSafetyCheck"];
+    try {
+      const result = await this.getClient().send(
+        new CreateKeyCommand({
+          Description: description,
+          KeySpec: keySpec,
+          KeyUsage: keyUsage,
+          Policy: keyPolicy ? typeof keyPolicy === "string" ? keyPolicy : JSON.stringify(keyPolicy) : void 0,
+          Tags: tags ? tags.map((t) => ({ TagKey: t.Key, TagValue: t.Value })) : void 0,
+          MultiRegion: multiRegion,
+          Origin: origin,
+          BypassPolicyLockoutSafetyCheck: bypassPolicyLockoutSafetyCheck
+        })
+      );
+      const keyId = result.KeyMetadata.KeyId;
+      const keyArn = result.KeyMetadata.Arn;
+      if (enableKeyRotation) {
+        const rotationPeriodInDays = properties["RotationPeriodInDays"];
+        this.logger.debug(`Enabling key rotation for KMS Key ${logicalId}`);
+        await this.getClient().send(
+          new EnableKeyRotationCommand({
+            KeyId: keyId,
+            ...rotationPeriodInDays !== void 0 && {
+              RotationPeriodInDays: rotationPeriodInDays
+            }
+          })
+        );
+      }
+      const enabled = properties["Enabled"];
+      if (enabled === false) {
+        this.logger.debug(`Disabling KMS Key ${logicalId}`);
+        await this.getClient().send(new DisableKeyCommand({ KeyId: keyId }));
+      }
+      this.logger.debug(`Successfully created KMS Key ${logicalId}: ${keyId}`);
+      return {
+        physicalId: keyId,
+        attributes: {
+          Arn: keyArn,
+          KeyId: keyId
+        }
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create KMS Key ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  async updateKey(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating KMS Key ${logicalId}: ${physicalId}`);
+    try {
+      const newDescription = properties["Description"];
+      const oldDescription = previousProperties["Description"];
+      if (newDescription !== oldDescription) {
+        this.logger.debug(`Updating description for KMS Key ${logicalId}`);
+        await this.getClient().send(
+          new UpdateKeyDescriptionCommand({
+            KeyId: physicalId,
+            Description: newDescription ?? ""
+          })
+        );
+      }
+      const newEnableKeyRotation = properties["EnableKeyRotation"];
+      const oldEnableKeyRotation = previousProperties["EnableKeyRotation"];
+      if (newEnableKeyRotation !== oldEnableKeyRotation) {
+        if (newEnableKeyRotation) {
+          const rotationPeriodInDays = properties["RotationPeriodInDays"];
+          this.logger.debug(`Enabling key rotation for KMS Key ${logicalId}`);
+          await this.getClient().send(
+            new EnableKeyRotationCommand({
+              KeyId: physicalId,
+              ...rotationPeriodInDays !== void 0 && {
+                RotationPeriodInDays: rotationPeriodInDays
+              }
+            })
+          );
+        } else {
+          this.logger.debug(`Disabling key rotation for KMS Key ${logicalId}`);
+          await this.getClient().send(new DisableKeyRotationCommand({ KeyId: physicalId }));
+        }
+      }
+      const newEnabled = properties["Enabled"];
+      const oldEnabled = previousProperties["Enabled"];
+      if (newEnabled !== oldEnabled) {
+        if (newEnabled === false) {
+          this.logger.debug(`Disabling KMS Key ${logicalId}`);
+          await this.getClient().send(new DisableKeyCommand({ KeyId: physicalId }));
+        } else {
+          this.logger.debug(`Enabling KMS Key ${logicalId}`);
+          await this.getClient().send(new EnableKeyCommand({ KeyId: physicalId }));
+        }
+      }
+      await this.applyTagDiff(
+        physicalId,
+        previousProperties["Tags"],
+        properties["Tags"]
+      );
+      const newKeyPolicy = properties["KeyPolicy"];
+      const oldKeyPolicy = previousProperties["KeyPolicy"];
+      const newPolicyStr = newKeyPolicy ? typeof newKeyPolicy === "string" ? newKeyPolicy : JSON.stringify(newKeyPolicy) : void 0;
+      const oldPolicyStr = oldKeyPolicy ? typeof oldKeyPolicy === "string" ? oldKeyPolicy : JSON.stringify(oldKeyPolicy) : void 0;
+      if (newPolicyStr !== oldPolicyStr && newPolicyStr) {
+        this.logger.debug(`Updating key policy for KMS Key ${logicalId}`);
+        await this.getClient().send(
+          new PutKeyPolicyCommand({
+            KeyId: physicalId,
+            PolicyName: "default",
+            Policy: newPolicyStr
+          })
+        );
+      }
+      this.logger.debug(`Successfully updated KMS Key ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update KMS Key ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async deleteKey(logicalId, physicalId, resourceType, properties, context) {
+    this.logger.debug(`Scheduling deletion for KMS Key ${logicalId}: ${physicalId}`);
+    const pendingWindowInDays = properties?.["PendingWindowInDays"] ?? 7;
+    try {
+      await this.getClient().send(
+        new ScheduleKeyDeletionCommand({
+          KeyId: physicalId,
+          PendingWindowInDays: pendingWindowInDays
+        })
+      );
+      this.logger.debug(`Successfully scheduled deletion for KMS Key ${logicalId}`);
+    } catch (error) {
+      if (error instanceof NotFoundException5) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`KMS Key ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to schedule deletion for KMS Key ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  /**
+   * Apply a diff between old and new CFn-shape Tags arrays via KMS's
+   * `TagResource` / `UntagResource` APIs. KMS uses `{TagKey, TagValue}`
+   * (NOT the standard `{Key, Value}` shape) keyed by `KeyId`.
    */
   async applyTagDiff(keyId, oldTagsRaw, newTagsRaw) {
     const toMap = (tags) => {
@@ -57944,6 +58458,349 @@ var KinesisStreamProvider = class {
   }
 };
 
+// src/provisioning/providers/kinesis-streamconsumer-provider.ts
+import {
+  KinesisClient as KinesisClient2,
+  RegisterStreamConsumerCommand,
+  DeregisterStreamConsumerCommand,
+  DescribeStreamConsumerCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand18,
+  TagResourceCommand as TagResourceCommand15,
+  UntagResourceCommand as UntagResourceCommand15,
+  ResourceNotFoundException as ResourceNotFoundException14
+} from "@aws-sdk/client-kinesis";
+var KinesisStreamConsumerProvider = class {
+  client;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("KinesisStreamConsumerProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    ["AWS::Kinesis::StreamConsumer", /* @__PURE__ */ new Set(["ConsumerName", "StreamARN", "Tags"])]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new KinesisClient2(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  /**
+   * Register a Kinesis stream consumer.
+   *
+   * Polls `DescribeStreamConsumer` until ConsumerStatus flips from
+   * `CREATING` to `ACTIVE` (matches CFn behavior). 1s polling interval
+   * is faster than the CC API exponential backoff used to be.
+   */
+  async create(logicalId, resourceType, properties) {
+    const consumerName = properties["ConsumerName"];
+    const streamArn = properties["StreamARN"];
+    if (!consumerName) {
+      throw new ProvisioningError(
+        "AWS::Kinesis::StreamConsumer requires ConsumerName",
+        resourceType,
+        logicalId
+      );
+    }
+    if (!streamArn) {
+      throw new ProvisioningError(
+        "AWS::Kinesis::StreamConsumer requires StreamARN",
+        resourceType,
+        logicalId
+      );
+    }
+    this.logger.debug(`Registering Kinesis stream consumer ${logicalId}: ${consumerName}`);
+    const tagList = Array.isArray(properties["Tags"]) ? properties["Tags"] : void 0;
+    const tagMap = tagListToMap(tagList);
+    try {
+      const resp = await this.getClient().send(
+        new RegisterStreamConsumerCommand({
+          StreamARN: streamArn,
+          ConsumerName: consumerName,
+          ...tagMap && Object.keys(tagMap).length > 0 ? { Tags: tagMap } : {}
+        })
+      );
+      const consumer = resp.Consumer;
+      if (!consumer?.ConsumerARN || !consumer.ConsumerName) {
+        throw new ProvisioningError(
+          "RegisterStreamConsumer did not return ConsumerARN/ConsumerName",
+          resourceType,
+          logicalId
+        );
+      }
+      const consumerArn = consumer.ConsumerARN;
+      await this.waitForConsumerActive(consumerArn);
+      this.logger.debug(`Successfully registered Kinesis stream consumer ${logicalId}`);
+      return {
+        physicalId: consumerArn,
+        attributes: {
+          ConsumerARN: consumerArn,
+          ConsumerName: consumer.ConsumerName,
+          ConsumerStatus: consumer.ConsumerStatus,
+          ConsumerCreationTimestamp: consumer.ConsumerCreationTimestamp?.toISOString() ?? void 0,
+          // CFn `Id` for StreamConsumer is the ConsumerARN (matches the
+          // CFn return-values doc).
+          Id: consumerArn,
+          StreamARN: streamArn
+        }
+      };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to register Kinesis stream consumer ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        consumerName,
+        cause
+      );
+    }
+  }
+  /**
+   * Update is a no-op for the immutable `ConsumerName` / `StreamARN`
+   * fields (the deploy engine's replacement-detection layer triggers
+   * DELETE + CREATE for those changes). Tags ARE mutable via
+   * `TagResource` / `UntagResource` so the diff is applied here.
+   *
+   * If a non-Tags property changes, throw `ResourceUpdateNotSupportedError`
+   * — `cdkd drift --revert` will surface that to the user with the
+   * "use cdkd deploy --replace" suggestion.
+   */
+  async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    const newConsumerName = properties["ConsumerName"];
+    const oldConsumerName = previousProperties["ConsumerName"];
+    const newStreamArn = properties["StreamARN"];
+    const oldStreamArn = previousProperties["StreamARN"];
+    if (newConsumerName !== oldConsumerName || newStreamArn !== oldStreamArn) {
+      throw new ResourceUpdateNotSupportedError(
+        resourceType,
+        logicalId,
+        "AWS::Kinesis::StreamConsumer ConsumerName / StreamARN are immutable; re-deploy with cdkd deploy --replace, or destroy + redeploy"
+      );
+    }
+    await this.applyTagDiff(
+      physicalId,
+      previousProperties["Tags"],
+      properties["Tags"]
+    );
+    let attrs = {};
+    try {
+      const resp = await this.getClient().send(
+        new DescribeStreamConsumerCommand({ ConsumerARN: physicalId })
+      );
+      const desc = resp.ConsumerDescription;
+      if (desc) {
+        attrs = {
+          ConsumerARN: desc.ConsumerARN,
+          ConsumerName: desc.ConsumerName,
+          ConsumerStatus: desc.ConsumerStatus,
+          ConsumerCreationTimestamp: desc.ConsumerCreationTimestamp?.toISOString() ?? void 0,
+          Id: desc.ConsumerARN,
+          StreamARN: desc.StreamARN
+        };
+      }
+    } catch (err) {
+      this.logger.debug(
+        `DescribeStreamConsumer(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    return {
+      physicalId,
+      wasReplaced: false,
+      attributes: attrs
+    };
+  }
+  /**
+   * Deregister a Kinesis stream consumer.
+   *
+   * Per CFn semantics, DELETE returns once `DeregisterStreamConsumer`
+   * returns — AWS handles eventual disappearance asynchronously, but
+   * cdkd does not need to poll for that. `ResourceNotFoundException`
+   * is treated as idempotent success (subject to the standard region
+   * verification for delete idempotency).
+   */
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deregistering Kinesis stream consumer ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeregisterStreamConsumerCommand({ ConsumerARN: physicalId }));
+      this.logger.debug(`Successfully deregistered Kinesis stream consumer ${logicalId}`);
+    } catch (error) {
+      if (error instanceof ResourceNotFoundException14) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Kinesis stream consumer ${physicalId} not found, skipping`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to deregister Kinesis stream consumer ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "ConsumerARN" || attributeName === "Id") {
+      return physicalId;
+    }
+    const resp = await this.getClient().send(
+      new DescribeStreamConsumerCommand({ ConsumerARN: physicalId })
+    );
+    const desc = resp.ConsumerDescription;
+    if (!desc)
+      return void 0;
+    switch (attributeName) {
+      case "ConsumerName":
+        return desc.ConsumerName;
+      case "ConsumerStatus":
+        return desc.ConsumerStatus;
+      case "ConsumerCreationTimestamp":
+        return desc.ConsumerCreationTimestamp?.toISOString() ?? void 0;
+      case "StreamARN":
+        return desc.StreamARN;
+      default:
+        return void 0;
+    }
+  }
+  /**
+   * Read the AWS-current StreamConsumer configuration in CFn-property shape.
+   *
+   * Surfaces `ConsumerName` + `StreamARN` (the only user-controllable
+   * top-level CFn properties). AWS-managed read-only fields
+   * (`ConsumerARN`, `ConsumerCreationTimestamp`, `ConsumerStatus`) are
+   * omitted — they are not in `handledProperties` and surface only as
+   * `getAttribute` results.
+   *
+   * `Tags` are surfaced via `ListTagsForResource(ResourceARN=ConsumerARN)`
+   * with `aws:*` filtered out and the always-emit `[]` placeholder
+   * pattern (PR #145). The CFn schema for `AWS::Kinesis::StreamConsumer`
+   * does not currently model Tags as a top-level property, but cdkd
+   * surfaces it defensively so future schema revisions or custom
+   * property overrides can round-trip cleanly.
+   *
+   * Returns `undefined` when the consumer is gone
+   * (`ResourceNotFoundException`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    if (resourceType !== "AWS::Kinesis::StreamConsumer")
+      return void 0;
+    let desc;
+    try {
+      const resp = await this.getClient().send(
+        new DescribeStreamConsumerCommand({ ConsumerARN: physicalId })
+      );
+      desc = resp.ConsumerDescription;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException14)
+        return void 0;
+      throw err;
+    }
+    if (!desc)
+      return void 0;
+    const result = {};
+    if (desc.ConsumerName !== void 0)
+      result["ConsumerName"] = desc.ConsumerName;
+    if (desc.StreamARN !== void 0)
+      result["StreamARN"] = desc.StreamARN;
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand18({ ResourceARN: physicalId })
+      );
+      result["Tags"] = normalizeAwsTagsToCfn(tagsResp.Tags);
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException14)
+        return void 0;
+      this.logger.debug(
+        `ListTagsForResource(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+      result["Tags"] = [];
+    }
+    return result;
+  }
+  /**
+   * Apply a diff between old and new CFn-shape Tags arrays via Kinesis's
+   * generic `TagResource` (TagMap shape) / `UntagResource` (TagKeys list)
+   * APIs. Mirrors `KinesisStreamProvider.applyTagDiff`, except the
+   * Kinesis service splits the per-resource-type tag APIs vs the generic
+   * tag APIs — StreamConsumer uses the generic ones (which accept any
+   * Kinesis resource ARN).
+   */
+  async applyTagDiff(consumerArn, oldTagsRaw, newTagsRaw) {
+    const oldMap = tagListToMap(oldTagsRaw) ?? {};
+    const newMap = tagListToMap(newTagsRaw) ?? {};
+    const tagsToAdd = {};
+    for (const [k, v] of Object.entries(newMap)) {
+      if (oldMap[k] !== v)
+        tagsToAdd[k] = v;
+    }
+    const tagsToRemove = [];
+    for (const k of Object.keys(oldMap)) {
+      if (!(k in newMap))
+        tagsToRemove.push(k);
+    }
+    if (tagsToRemove.length > 0) {
+      await this.getClient().send(
+        new UntagResourceCommand15({ ResourceARN: consumerArn, TagKeys: tagsToRemove })
+      );
+      this.logger.debug(
+        `Removed ${tagsToRemove.length} tag(s) from Kinesis stream consumer ${consumerArn}`
+      );
+    }
+    if (Object.keys(tagsToAdd).length > 0) {
+      await this.getClient().send(
+        new TagResourceCommand15({ ResourceARN: consumerArn, Tags: tagsToAdd })
+      );
+      this.logger.debug(
+        `Added/updated ${Object.keys(tagsToAdd).length} tag(s) on Kinesis stream consumer ${consumerArn}`
+      );
+    }
+  }
+  /**
+   * Poll DescribeStreamConsumer until the consumer reaches `ACTIVE`.
+   *
+   * Uses 1s polling intervals — consumer registration is typically
+   * sub-second, but AWS can take up to ~30s under load. Caps at 60
+   * attempts (1 minute total) which is bounded above by the per-resource
+   * `--resource-timeout` deadline.
+   */
+  async waitForConsumerActive(consumerArn, maxAttempts = 60) {
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      const resp = await this.getClient().send(
+        new DescribeStreamConsumerCommand({ ConsumerARN: consumerArn })
+      );
+      const status = resp.ConsumerDescription?.ConsumerStatus;
+      this.logger.debug(
+        `Consumer ${consumerArn} status: ${status} (attempt ${attempt}/${maxAttempts})`
+      );
+      if (status === "ACTIVE")
+        return;
+      if (status !== "CREATING") {
+        throw new Error(`Unexpected consumer status: ${status}`);
+      }
+      await new Promise((resolve4) => setTimeout(resolve4, 1e3));
+    }
+    throw new Error(
+      `Consumer ${consumerArn} did not reach ACTIVE status within ${maxAttempts} seconds`
+    );
+  }
+};
+function tagListToMap(tags) {
+  if (!tags || tags.length === 0)
+    return void 0;
+  const out = {};
+  for (const t of tags) {
+    if (t.Key !== void 0 && t.Value !== void 0)
+      out[t.Key] = t.Value;
+  }
+  return Object.keys(out).length > 0 ? out : void 0;
+}
+
 // src/provisioning/providers/efs-provider.ts
 import {
   EFSClient,
@@ -58757,7 +59614,7 @@ import {
   DescribeDeliveryStreamCommand,
   ListDeliveryStreamsCommand,
   ListTagsForDeliveryStreamCommand,
-  ResourceNotFoundException as ResourceNotFoundException14
+  ResourceNotFoundException as ResourceNotFoundException15
 } from "@aws-sdk/client-firehose";
 var FirehoseProvider = class {
   client;
@@ -58990,7 +59847,7 @@ var FirehoseProvider = class {
       );
       this.logger.debug(`Successfully deleted Firehose delivery stream ${logicalId}`);
     } catch (error) {
-      if (error instanceof ResourceNotFoundException14) {
+      if (error instanceof ResourceNotFoundException15) {
         const clientRegion = await this.getClient().config.region();
         assertRegionMatch(
           clientRegion,
@@ -59169,7 +60026,7 @@ var FirehoseProvider = class {
       );
       desc = resp.DeliveryStreamDescription;
     } catch (err) {
-      if (err instanceof ResourceNotFoundException14)
+      if (err instanceof ResourceNotFoundException15)
         return void 0;
       throw err;
     }
@@ -59240,7 +60097,7 @@ var FirehoseProvider = class {
       );
       result["Tags"] = normalizeAwsTagsToCfn(tagsResp.Tags);
     } catch (err) {
-      if (err instanceof ResourceNotFoundException14)
+      if (err instanceof ResourceNotFoundException15)
         return void 0;
       this.logger.debug(
         `Firehose ListTagsForDeliveryStream(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
@@ -59284,7 +60141,7 @@ var FirehoseProvider = class {
         );
         return { physicalId: explicit, attributes: {} };
       } catch (err) {
-        if (err instanceof ResourceNotFoundException14)
+        if (err instanceof ResourceNotFoundException15)
           return null;
         throw err;
       }
@@ -59919,7 +60776,7 @@ import {
   UpdateProjectCommand,
   BatchGetProjectsCommand,
   ListProjectsCommand,
-  ResourceNotFoundException as ResourceNotFoundException15
+  ResourceNotFoundException as ResourceNotFoundException16
 } from "@aws-sdk/client-codebuild";
 var CodeBuildProvider = class {
   client;
@@ -60157,7 +61014,7 @@ var CodeBuildProvider = class {
       await this.getClient().send(new DeleteProjectCommand({ name: physicalId }));
       this.logger.debug(`Successfully deleted CodeBuild Project ${logicalId}`);
     } catch (error) {
-      if (error instanceof ResourceNotFoundException15) {
+      if (error instanceof ResourceNotFoundException16) {
         const clientRegion = await this.getClient().config.region();
         assertRegionMatch(
           clientRegion,
@@ -60228,7 +61085,7 @@ var CodeBuildProvider = class {
       );
       project = resp.projects?.[0];
     } catch (err) {
-      if (err instanceof ResourceNotFoundException15)
+      if (err instanceof ResourceNotFoundException16)
         return void 0;
       throw err;
     }
@@ -60475,7 +61332,7 @@ var CodeBuildProvider = class {
         );
         return resp.projects?.[0]?.name ? { physicalId: explicit, attributes: {} } : null;
       } catch (err) {
-        if (err instanceof ResourceNotFoundException15)
+        if (err instanceof ResourceNotFoundException16)
           return null;
         throw err;
       }
@@ -60515,7 +61372,7 @@ import {
   GetVectorBucketCommand,
   ListIndexesCommand,
   ListVectorBucketsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand18,
+  ListTagsForResourceCommand as ListTagsForResourceCommand19,
   DeleteIndexCommand
 } from "@aws-sdk/client-s3vectors";
 var S3VectorsProvider = class {
@@ -60749,7 +61606,7 @@ var S3VectorsProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand18({ resourceArn: bucket.vectorBucketArn })
+            new ListTagsForResourceCommand19({ resourceArn: bucket.vectorBucketArn })
           );
           if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
             return { physicalId: bucket.vectorBucketName, attributes: {} };
@@ -61093,7 +61950,7 @@ import {
   ListNamespacesCommand as ListNamespacesCommand2,
   ListTablesCommand as ListTablesCommand2,
   ListTableBucketsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand19,
+  ListTagsForResourceCommand as ListTagsForResourceCommand20,
   NotFoundException as NotFoundException6
 } from "@aws-sdk/client-s3tables";
 var S3TablesProvider = class {
@@ -61577,7 +62434,7 @@ var S3TablesProvider = class {
         if (input.cdkPath) {
           try {
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand19({ resourceArn: bucket.arn })
+              new ListTagsForResourceCommand20({ resourceArn: bucket.arn })
             );
             if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
               return { physicalId: bucket.arn, attributes: {} };
@@ -61657,7 +62514,7 @@ var S3TablesProvider = class {
                   continue;
                 try {
                   const tagsResp = await this.getClient().send(
-                    new ListTagsForResourceCommand19({ resourceArn: table.tableARN })
+                    new ListTagsForResourceCommand20({ resourceArn: table.tableARN })
                   );
                   if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
                     return {
@@ -61742,8 +62599,8 @@ import {
   SetRepositoryPolicyCommand,
   PutImageScanningConfigurationCommand,
   PutImageTagMutabilityCommand,
-  TagResourceCommand as TagResourceCommand15,
-  ListTagsForResourceCommand as ListTagsForResourceCommand20,
+  TagResourceCommand as TagResourceCommand16,
+  ListTagsForResourceCommand as ListTagsForResourceCommand21,
   LifecyclePolicyNotFoundException,
   RepositoryNotFoundException
 } from "@aws-sdk/client-ecr";
@@ -61931,7 +62788,7 @@ var ECRProvider = class {
         const repoArn = describeResponse.repositories?.[0]?.repositoryArn;
         if (repoArn && newTags) {
           await this.getClient().send(
-            new TagResourceCommand15({
+            new TagResourceCommand16({
               resourceArn: repoArn,
               tags: newTags
             })
@@ -62073,7 +62930,7 @@ var ECRProvider = class {
     if (r.repositoryArn) {
       try {
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand20({ resourceArn: r.repositoryArn })
+          new ListTagsForResourceCommand21({ resourceArn: r.repositoryArn })
         );
         const tags = normalizeAwsTagsToCfn(tagsResp.tags);
         result["Tags"] = tags;
@@ -62119,7 +62976,7 @@ var ECRProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand20({ resourceArn: repo.repositoryArn })
+            new ListTagsForResourceCommand21({ resourceArn: repo.repositoryArn })
           );
           if (matchesCdkPath(tagsResp.tags, input.cdkPath)) {
             return { physicalId: repo.repositoryName, attributes: {} };
@@ -63174,10 +64031,13 @@ function registerAllProviders(registry) {
   const glueProvider = new GlueProvider();
   registry.register("AWS::Glue::Database", glueProvider);
   registry.register("AWS::Glue::Table", glueProvider);
+  registry.register("AWS::Glue::Workflow", new GlueWorkflowProvider());
+  registry.register("AWS::Glue::SecurityConfiguration", new GlueSecurityConfigurationProvider());
   const kmsProvider = new KMSProvider();
   registry.register("AWS::KMS::Key", kmsProvider);
   registry.register("AWS::KMS::Alias", kmsProvider);
   registry.register("AWS::Kinesis::Stream", new KinesisStreamProvider());
+  registry.register("AWS::Kinesis::StreamConsumer", new KinesisStreamConsumerProvider());
   const efsProvider = new EFSProvider();
   registry.register("AWS::EFS::FileSystem", efsProvider);
   registry.register("AWS::EFS::MountTarget", efsProvider);
@@ -67993,7 +68853,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.62.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.64.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());