@go-to-k/cdkd 0.63.0 → 0.64.0

package/dist/cli.js

@@ -56180,6 +56180,15 @@ import {
   GetTableCommand,
   GetTablesCommand,
   GetTagsCommand,
+  CreateWorkflowCommand,
+  UpdateWorkflowCommand,
+  DeleteWorkflowCommand,
+  GetWorkflowCommand,
+  ListWorkflowsCommand,
+  CreateSecurityConfigurationCommand,
+  DeleteSecurityConfigurationCommand,
+  GetSecurityConfigurationCommand,
+  GetSecurityConfigurationsCommand,
   EntityNotFoundException
 } from "@aws-sdk/client-glue";
 import { STSClient as STSClient8, GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
@@ -56872,6 +56881,475 @@ var GlueProvider = class {
     return this.cachedAccountId;
   }
 };
+var GlueWorkflowProvider = class {
+  client;
+  stsClient;
+  cachedAccountId;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("GlueWorkflowProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::Glue::Workflow",
+      /* @__PURE__ */ new Set(["Name", "Description", "DefaultRunProperties", "MaxConcurrentRuns", "Tags"])
+    ]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  async create(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Glue Workflow ${logicalId}`);
+    const name = properties["Name"];
+    if (!name) {
+      throw new ProvisioningError(
+        `Name is required for Glue Workflow ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    try {
+      const tags = workflowTagsForCreate(properties["Tags"]);
+      await this.getClient().send(
+        new CreateWorkflowCommand({
+          Name: name,
+          ...properties["Description"] !== void 0 && {
+            Description: properties["Description"]
+          },
+          ...properties["DefaultRunProperties"] !== void 0 && {
+            DefaultRunProperties: properties["DefaultRunProperties"]
+          },
+          ...properties["MaxConcurrentRuns"] !== void 0 && {
+            MaxConcurrentRuns: properties["MaxConcurrentRuns"]
+          },
+          ...tags && { Tags: tags }
+        })
+      );
+      this.logger.debug(`Successfully created Glue Workflow ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Glue Workflow ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    this.logger.debug(`Updating Glue Workflow ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(
+        new UpdateWorkflowCommand({
+          Name: physicalId,
+          ...properties["Description"] !== void 0 && {
+            Description: properties["Description"]
+          },
+          ...properties["DefaultRunProperties"] !== void 0 && {
+            DefaultRunProperties: properties["DefaultRunProperties"]
+          },
+          ...properties["MaxConcurrentRuns"] !== void 0 && {
+            MaxConcurrentRuns: properties["MaxConcurrentRuns"]
+          }
+        })
+      );
+      this.logger.debug(`Successfully updated Glue Workflow ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Glue Workflow ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting Glue Workflow ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeleteWorkflowCommand({ Name: physicalId }));
+      this.logger.debug(`Successfully deleted Glue Workflow ${logicalId}`);
+    } catch (error) {
+      if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Glue Workflow ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Glue Workflow ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  /**
+   * Read AWS-current Workflow shape via `GetWorkflow`. Surfaces every
+   * user-controllable top-level CFn key with always-emit placeholders
+   * (PR #145):
+   *  - `Description` → `?? ''`
+   *  - `DefaultRunProperties` → `?? {}`
+   *  - `MaxConcurrentRuns` → omitted when AWS reports `undefined` (no
+   *    AWS-side default to anchor a placeholder against; cdkd state may
+   *    legitimately leave this unset)
+   *  - `Tags` → `?? []` (filtered against `aws:cdk:path` and the rest of
+   *    the `aws:`-prefixed reserved space)
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let workflow;
+    try {
+      const resp = await this.getClient().send(
+        new GetWorkflowCommand({ Name: physicalId, IncludeGraph: false })
+      );
+      workflow = resp.Workflow;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!workflow)
+      return void 0;
+    const result = {
+      Name: workflow.Name ?? physicalId,
+      Description: workflow.Description ?? "",
+      DefaultRunProperties: workflow.DefaultRunProperties ?? {}
+    };
+    if (workflow.MaxConcurrentRuns !== void 0) {
+      result["MaxConcurrentRuns"] = workflow.MaxConcurrentRuns;
+    }
+    const arn = await this.buildWorkflowArn(physicalId);
+    let tags = [];
+    try {
+      const tagResp = await this.getClient().send(new GetTagsCommand({ ResourceArn: arn }));
+      tags = normalizeAwsTagsToCfn(tagResp.Tags);
+    } catch (err) {
+      this.logger.debug(
+        `GetTags failed for Glue Workflow ${physicalId}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    result["Tags"] = tags;
+    return result;
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["Name"];
+    if (explicitName) {
+      try {
+        await this.getClient().send(new GetWorkflowCommand({ Name: explicitName }));
+        return { physicalId: explicitName, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListWorkflowsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const name of list.Workflows ?? []) {
+        const arn = await this.buildWorkflowArn(name);
+        if (await this.tagsMatchCdkPath(arn, input.cdkPath)) {
+          return { physicalId: name, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  async tagsMatchCdkPath(arn, cdkPath) {
+    try {
+      const resp = await this.getClient().send(new GetTagsCommand({ ResourceArn: arn }));
+      return resp.Tags?.[CDK_PATH_TAG] === cdkPath;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return false;
+      throw err;
+    }
+  }
+  async buildWorkflowArn(workflowName) {
+    const region = await this.getRegion();
+    const account = await this.getAccountId();
+    return `arn:aws:glue:${region}:${account}:workflow/${workflowName}`;
+  }
+  async getRegion() {
+    const region = await this.getClient().config.region();
+    return region || this.providerRegion || "us-east-1";
+  }
+  async getAccountId() {
+    if (this.cachedAccountId)
+      return this.cachedAccountId;
+    if (!this.stsClient) {
+      this.stsClient = new STSClient8(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand8({}));
+    if (!identity.Account) {
+      throw new Error("Failed to resolve AWS account id from STS");
+    }
+    this.cachedAccountId = identity.Account;
+    return this.cachedAccountId;
+  }
+};
+var GlueSecurityConfigurationProvider = class {
+  client;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("GlueSecurityConfigurationProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    ["AWS::Glue::SecurityConfiguration", /* @__PURE__ */ new Set(["Name", "EncryptionConfiguration"])]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  async create(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Glue SecurityConfiguration ${logicalId}`);
+    const name = properties["Name"];
+    if (!name) {
+      throw new ProvisioningError(
+        `Name is required for Glue SecurityConfiguration ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    const encryptionConfiguration = properties["EncryptionConfiguration"];
+    if (!encryptionConfiguration) {
+      throw new ProvisioningError(
+        `EncryptionConfiguration is required for Glue SecurityConfiguration ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    try {
+      await this.getClient().send(
+        new CreateSecurityConfigurationCommand({
+          Name: name,
+          EncryptionConfiguration: buildEncryptionConfiguration(encryptionConfiguration)
+        })
+      );
+      this.logger.debug(`Successfully created Glue SecurityConfiguration ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Glue SecurityConfiguration ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    throw new ResourceUpdateNotSupportedError(
+      resourceType,
+      logicalId,
+      "AWS::Glue::SecurityConfiguration is immutable; AWS provides no Update API. Use cdkd deploy --replace, or destroy + redeploy with the new EncryptionConfiguration."
+    );
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting Glue SecurityConfiguration ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeleteSecurityConfigurationCommand({ Name: physicalId }));
+      this.logger.debug(`Successfully deleted Glue SecurityConfiguration ${logicalId}`);
+    } catch (error) {
+      if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(
+          `Glue SecurityConfiguration ${physicalId} does not exist, skipping deletion`
+        );
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Glue SecurityConfiguration ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  /**
+   * Read AWS-current SecurityConfiguration shape via
+   * `GetSecurityConfiguration`. Always emits the three CFn-modeled
+   * sub-configs (`S3Encryption: []`, `CloudWatchEncryption: {}`,
+   * `JobBookmarksEncryption: {}`) per PR #145 even when AWS reports
+   * nothing — closes the "console-side encryption enable on a previously
+   * default config" detection gap on the v3 baseline.
+   *
+   * `DataQualityEncryption` is silently dropped: the CFn schema for
+   * `AWS::Glue::SecurityConfiguration` does not model it, so surfacing it
+   * would fire false drift on every clean run for a key cdkd state can
+   * never carry.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let cfg;
+    try {
+      const resp = await this.getClient().send(
+        new GetSecurityConfigurationCommand({ Name: physicalId })
+      );
+      cfg = resp.SecurityConfiguration;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!cfg)
+      return void 0;
+    return {
+      Name: cfg.Name ?? physicalId,
+      EncryptionConfiguration: mapEncryptionConfigurationToCfn(cfg.EncryptionConfiguration)
+    };
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["Name"];
+    if (explicitName) {
+      try {
+        await this.getClient().send(new GetSecurityConfigurationCommand({ Name: explicitName }));
+        return { physicalId: explicitName, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!explicitName) {
+      let nextToken;
+      do {
+        const list = await this.getClient().send(
+          new GetSecurityConfigurationsCommand({ ...nextToken && { NextToken: nextToken } })
+        );
+        for (const _entry of list.SecurityConfigurations ?? []) {
+        }
+        nextToken = list.NextToken;
+      } while (nextToken);
+      return null;
+    }
+    return null;
+  }
+};
+function workflowTagsForCreate(tags) {
+  if (!Array.isArray(tags) || tags.length === 0)
+    return void 0;
+  const out = {};
+  for (const t of tags) {
+    const obj = t;
+    const k = typeof obj["Key"] === "string" ? obj["Key"] : void 0;
+    const v = typeof obj["Value"] === "string" ? obj["Value"] : "";
+    if (!k)
+      continue;
+    out[k] = v;
+  }
+  return Object.keys(out).length > 0 ? out : void 0;
+}
+function buildEncryptionConfiguration(input) {
+  const result = {};
+  if (Array.isArray(input["S3Encryption"])) {
+    result.S3Encryption = input["S3Encryption"].map((entry) => {
+      const e = entry;
+      const item = {};
+      if (typeof e["S3EncryptionMode"] === "string") {
+        item.S3EncryptionMode = e["S3EncryptionMode"];
+      }
+      if (typeof e["KmsKeyArn"] === "string") {
+        item.KmsKeyArn = e["KmsKeyArn"];
+      }
+      return item;
+    });
+  }
+  if (input["CloudWatchEncryption"] !== void 0) {
+    const cw = input["CloudWatchEncryption"];
+    const item = {};
+    if (typeof cw["CloudWatchEncryptionMode"] === "string") {
+      item.CloudWatchEncryptionMode = cw["CloudWatchEncryptionMode"];
+    }
+    if (typeof cw["KmsKeyArn"] === "string") {
+      item.KmsKeyArn = cw["KmsKeyArn"];
+    }
+    result.CloudWatchEncryption = item;
+  }
+  if (input["JobBookmarksEncryption"] !== void 0) {
+    const jb = input["JobBookmarksEncryption"];
+    const item = {};
+    if (typeof jb["JobBookmarksEncryptionMode"] === "string") {
+      item.JobBookmarksEncryptionMode = jb["JobBookmarksEncryptionMode"];
+    }
+    if (typeof jb["KmsKeyArn"] === "string") {
+      item.KmsKeyArn = jb["KmsKeyArn"];
+    }
+    result.JobBookmarksEncryption = item;
+  }
+  return result;
+}
+function mapEncryptionConfigurationToCfn(cfg) {
+  const c = cfg ?? {};
+  return {
+    S3Encryption: (c.S3Encryption ?? []).map((entry) => {
+      const out = {};
+      if (entry.S3EncryptionMode !== void 0)
+        out["S3EncryptionMode"] = entry.S3EncryptionMode;
+      if (entry.KmsKeyArn !== void 0)
+        out["KmsKeyArn"] = entry.KmsKeyArn;
+      return out;
+    }),
+    CloudWatchEncryption: c.CloudWatchEncryption ? cleanCfnObject({
+      CloudWatchEncryptionMode: c.CloudWatchEncryption.CloudWatchEncryptionMode,
+      KmsKeyArn: c.CloudWatchEncryption.KmsKeyArn
+    }) : {},
+    JobBookmarksEncryption: c.JobBookmarksEncryption ? cleanCfnObject({
+      JobBookmarksEncryptionMode: c.JobBookmarksEncryption.JobBookmarksEncryptionMode,
+      KmsKeyArn: c.JobBookmarksEncryption.KmsKeyArn
+    }) : {}
+  };
+}
+function cleanCfnObject(obj) {
+  const out = {};
+  for (const [k, v] of Object.entries(obj)) {
+    if (v !== void 0)
+      out[k] = v;
+  }
+  return out;
+}
 
 // src/provisioning/providers/kms-provider.ts
 import {
@@ -63553,6 +64031,8 @@ function registerAllProviders(registry) {
   const glueProvider = new GlueProvider();
   registry.register("AWS::Glue::Database", glueProvider);
   registry.register("AWS::Glue::Table", glueProvider);
+  registry.register("AWS::Glue::Workflow", new GlueWorkflowProvider());
+  registry.register("AWS::Glue::SecurityConfiguration", new GlueSecurityConfigurationProvider());
   const kmsProvider = new KMSProvider();
   registry.register("AWS::KMS::Key", kmsProvider);
   registry.register("AWS::KMS::Alias", kmsProvider);
@@ -68373,7 +68853,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.63.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.64.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());