@go-to-k/cdkd 0.63.0 → 0.65.0

package/dist/cli.js

@@ -56180,6 +56180,35 @@ import {
   GetTableCommand,
   GetTablesCommand,
   GetTagsCommand,
+  CreateWorkflowCommand,
+  UpdateWorkflowCommand,
+  DeleteWorkflowCommand,
+  GetWorkflowCommand,
+  ListWorkflowsCommand,
+  CreateSecurityConfigurationCommand,
+  DeleteSecurityConfigurationCommand,
+  GetSecurityConfigurationCommand,
+  GetSecurityConfigurationsCommand,
+  CreateJobCommand,
+  UpdateJobCommand,
+  DeleteJobCommand,
+  GetJobCommand,
+  CreateCrawlerCommand,
+  UpdateCrawlerCommand,
+  DeleteCrawlerCommand,
+  GetCrawlerCommand,
+  StartCrawlerScheduleCommand,
+  StopCrawlerScheduleCommand,
+  CreateConnectionCommand,
+  UpdateConnectionCommand,
+  DeleteConnectionCommand,
+  GetConnectionCommand,
+  CreateTriggerCommand,
+  UpdateTriggerCommand,
+  DeleteTriggerCommand,
+  GetTriggerCommand,
+  StartTriggerCommand,
+  StopTriggerCommand,
   EntityNotFoundException
 } from "@aws-sdk/client-glue";
 import { STSClient as STSClient8, GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
@@ -56872,6 +56901,1588 @@ var GlueProvider = class {
     return this.cachedAccountId;
   }
 };
+var GlueWorkflowProvider = class {
+  client;
+  stsClient;
+  cachedAccountId;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("GlueWorkflowProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::Glue::Workflow",
+      /* @__PURE__ */ new Set(["Name", "Description", "DefaultRunProperties", "MaxConcurrentRuns", "Tags"])
+    ]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  async create(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Glue Workflow ${logicalId}`);
+    const name = properties["Name"];
+    if (!name) {
+      throw new ProvisioningError(
+        `Name is required for Glue Workflow ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    try {
+      const tags = workflowTagsForCreate(properties["Tags"]);
+      await this.getClient().send(
+        new CreateWorkflowCommand({
+          Name: name,
+          ...properties["Description"] !== void 0 && {
+            Description: properties["Description"]
+          },
+          ...properties["DefaultRunProperties"] !== void 0 && {
+            DefaultRunProperties: properties["DefaultRunProperties"]
+          },
+          ...properties["MaxConcurrentRuns"] !== void 0 && {
+            MaxConcurrentRuns: properties["MaxConcurrentRuns"]
+          },
+          ...tags && { Tags: tags }
+        })
+      );
+      this.logger.debug(`Successfully created Glue Workflow ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Glue Workflow ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    this.logger.debug(`Updating Glue Workflow ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(
+        new UpdateWorkflowCommand({
+          Name: physicalId,
+          ...properties["Description"] !== void 0 && {
+            Description: properties["Description"]
+          },
+          ...properties["DefaultRunProperties"] !== void 0 && {
+            DefaultRunProperties: properties["DefaultRunProperties"]
+          },
+          ...properties["MaxConcurrentRuns"] !== void 0 && {
+            MaxConcurrentRuns: properties["MaxConcurrentRuns"]
+          }
+        })
+      );
+      this.logger.debug(`Successfully updated Glue Workflow ${logicalId}`);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Glue Workflow ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting Glue Workflow ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeleteWorkflowCommand({ Name: physicalId }));
+      this.logger.debug(`Successfully deleted Glue Workflow ${logicalId}`);
+    } catch (error) {
+      if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Glue Workflow ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Glue Workflow ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  /**
+   * Read AWS-current Workflow shape via `GetWorkflow`. Surfaces every
+   * user-controllable top-level CFn key with always-emit placeholders
+   * (PR #145):
+   *  - `Description` → `?? ''`
+   *  - `DefaultRunProperties` → `?? {}`
+   *  - `MaxConcurrentRuns` → omitted when AWS reports `undefined` (no
+   *    AWS-side default to anchor a placeholder against; cdkd state may
+   *    legitimately leave this unset)
+   *  - `Tags` → `?? []` (filtered against `aws:cdk:path` and the rest of
+   *    the `aws:`-prefixed reserved space)
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let workflow;
+    try {
+      const resp = await this.getClient().send(
+        new GetWorkflowCommand({ Name: physicalId, IncludeGraph: false })
+      );
+      workflow = resp.Workflow;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!workflow)
+      return void 0;
+    const result = {
+      Name: workflow.Name ?? physicalId,
+      Description: workflow.Description ?? "",
+      DefaultRunProperties: workflow.DefaultRunProperties ?? {}
+    };
+    if (workflow.MaxConcurrentRuns !== void 0) {
+      result["MaxConcurrentRuns"] = workflow.MaxConcurrentRuns;
+    }
+    const arn = await this.buildWorkflowArn(physicalId);
+    let tags = [];
+    try {
+      const tagResp = await this.getClient().send(new GetTagsCommand({ ResourceArn: arn }));
+      tags = normalizeAwsTagsToCfn(tagResp.Tags);
+    } catch (err) {
+      this.logger.debug(
+        `GetTags failed for Glue Workflow ${physicalId}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    result["Tags"] = tags;
+    return result;
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["Name"];
+    if (explicitName) {
+      try {
+        await this.getClient().send(new GetWorkflowCommand({ Name: explicitName }));
+        return { physicalId: explicitName, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let nextToken;
+    do {
+      const list = await this.getClient().send(
+        new ListWorkflowsCommand({ ...nextToken && { NextToken: nextToken } })
+      );
+      for (const name of list.Workflows ?? []) {
+        const arn = await this.buildWorkflowArn(name);
+        if (await this.tagsMatchCdkPath(arn, input.cdkPath)) {
+          return { physicalId: name, attributes: {} };
+        }
+      }
+      nextToken = list.NextToken;
+    } while (nextToken);
+    return null;
+  }
+  async tagsMatchCdkPath(arn, cdkPath) {
+    try {
+      const resp = await this.getClient().send(new GetTagsCommand({ ResourceArn: arn }));
+      return resp.Tags?.[CDK_PATH_TAG] === cdkPath;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return false;
+      throw err;
+    }
+  }
+  async buildWorkflowArn(workflowName) {
+    const region = await this.getRegion();
+    const account = await this.getAccountId();
+    return `arn:aws:glue:${region}:${account}:workflow/${workflowName}`;
+  }
+  async getRegion() {
+    const region = await this.getClient().config.region();
+    return region || this.providerRegion || "us-east-1";
+  }
+  async getAccountId() {
+    if (this.cachedAccountId)
+      return this.cachedAccountId;
+    if (!this.stsClient) {
+      this.stsClient = new STSClient8(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    const identity = await this.stsClient.send(new GetCallerIdentityCommand8({}));
+    if (!identity.Account) {
+      throw new Error("Failed to resolve AWS account id from STS");
+    }
+    this.cachedAccountId = identity.Account;
+    return this.cachedAccountId;
+  }
+};
+var GlueSecurityConfigurationProvider = class {
+  client;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("GlueSecurityConfigurationProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    ["AWS::Glue::SecurityConfiguration", /* @__PURE__ */ new Set(["Name", "EncryptionConfiguration"])]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  async create(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Glue SecurityConfiguration ${logicalId}`);
+    const name = properties["Name"];
+    if (!name) {
+      throw new ProvisioningError(
+        `Name is required for Glue SecurityConfiguration ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    const encryptionConfiguration = properties["EncryptionConfiguration"];
+    if (!encryptionConfiguration) {
+      throw new ProvisioningError(
+        `EncryptionConfiguration is required for Glue SecurityConfiguration ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    try {
+      await this.getClient().send(
+        new CreateSecurityConfigurationCommand({
+          Name: name,
+          EncryptionConfiguration: buildEncryptionConfiguration(encryptionConfiguration)
+        })
+      );
+      this.logger.debug(`Successfully created Glue SecurityConfiguration ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Glue SecurityConfiguration ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+    throw new ResourceUpdateNotSupportedError(
+      resourceType,
+      logicalId,
+      "AWS::Glue::SecurityConfiguration is immutable; AWS provides no Update API. Use cdkd deploy --replace, or destroy + redeploy with the new EncryptionConfiguration."
+    );
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting Glue SecurityConfiguration ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeleteSecurityConfigurationCommand({ Name: physicalId }));
+      this.logger.debug(`Successfully deleted Glue SecurityConfiguration ${logicalId}`);
+    } catch (error) {
+      if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(
+          `Glue SecurityConfiguration ${physicalId} does not exist, skipping deletion`
+        );
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Glue SecurityConfiguration ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  /**
+   * Read AWS-current SecurityConfiguration shape via
+   * `GetSecurityConfiguration`. Always emits the three CFn-modeled
+   * sub-configs (`S3Encryption: []`, `CloudWatchEncryption: {}`,
+   * `JobBookmarksEncryption: {}`) per PR #145 even when AWS reports
+   * nothing — closes the "console-side encryption enable on a previously
+   * default config" detection gap on the v3 baseline.
+   *
+   * `DataQualityEncryption` is silently dropped: the CFn schema for
+   * `AWS::Glue::SecurityConfiguration` does not model it, so surfacing it
+   * would fire false drift on every clean run for a key cdkd state can
+   * never carry.
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let cfg;
+    try {
+      const resp = await this.getClient().send(
+        new GetSecurityConfigurationCommand({ Name: physicalId })
+      );
+      cfg = resp.SecurityConfiguration;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!cfg)
+      return void 0;
+    return {
+      Name: cfg.Name ?? physicalId,
+      EncryptionConfiguration: mapEncryptionConfigurationToCfn(cfg.EncryptionConfiguration)
+    };
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["Name"];
+    if (explicitName) {
+      try {
+        await this.getClient().send(new GetSecurityConfigurationCommand({ Name: explicitName }));
+        return { physicalId: explicitName, attributes: {} };
+      } catch (err) {
+        if (err instanceof EntityNotFoundException)
+          return null;
+        throw err;
+      }
+    }
+    if (!explicitName) {
+      let nextToken;
+      do {
+        const list = await this.getClient().send(
+          new GetSecurityConfigurationsCommand({ ...nextToken && { NextToken: nextToken } })
+        );
+        for (const _entry of list.SecurityConfigurations ?? []) {
+        }
+        nextToken = list.NextToken;
+      } while (nextToken);
+      return null;
+    }
+    return null;
+  }
+};
+function workflowTagsForCreate(tags) {
+  if (!Array.isArray(tags) || tags.length === 0)
+    return void 0;
+  const out = {};
+  for (const t of tags) {
+    const obj = t;
+    const k = typeof obj["Key"] === "string" ? obj["Key"] : void 0;
+    const v = typeof obj["Value"] === "string" ? obj["Value"] : "";
+    if (!k)
+      continue;
+    out[k] = v;
+  }
+  return Object.keys(out).length > 0 ? out : void 0;
+}
+function buildEncryptionConfiguration(input) {
+  const result = {};
+  if (Array.isArray(input["S3Encryption"])) {
+    result.S3Encryption = input["S3Encryption"].map((entry) => {
+      const e = entry;
+      const item = {};
+      if (typeof e["S3EncryptionMode"] === "string") {
+        item.S3EncryptionMode = e["S3EncryptionMode"];
+      }
+      if (typeof e["KmsKeyArn"] === "string") {
+        item.KmsKeyArn = e["KmsKeyArn"];
+      }
+      return item;
+    });
+  }
+  if (input["CloudWatchEncryption"] !== void 0) {
+    const cw = input["CloudWatchEncryption"];
+    const item = {};
+    if (typeof cw["CloudWatchEncryptionMode"] === "string") {
+      item.CloudWatchEncryptionMode = cw["CloudWatchEncryptionMode"];
+    }
+    if (typeof cw["KmsKeyArn"] === "string") {
+      item.KmsKeyArn = cw["KmsKeyArn"];
+    }
+    result.CloudWatchEncryption = item;
+  }
+  if (input["JobBookmarksEncryption"] !== void 0) {
+    const jb = input["JobBookmarksEncryption"];
+    const item = {};
+    if (typeof jb["JobBookmarksEncryptionMode"] === "string") {
+      item.JobBookmarksEncryptionMode = jb["JobBookmarksEncryptionMode"];
+    }
+    if (typeof jb["KmsKeyArn"] === "string") {
+      item.KmsKeyArn = jb["KmsKeyArn"];
+    }
+    result.JobBookmarksEncryption = item;
+  }
+  return result;
+}
+function mapEncryptionConfigurationToCfn(cfg) {
+  const c = cfg ?? {};
+  return {
+    S3Encryption: (c.S3Encryption ?? []).map((entry) => {
+      const out = {};
+      if (entry.S3EncryptionMode !== void 0)
+        out["S3EncryptionMode"] = entry.S3EncryptionMode;
+      if (entry.KmsKeyArn !== void 0)
+        out["KmsKeyArn"] = entry.KmsKeyArn;
+      return out;
+    }),
+    CloudWatchEncryption: c.CloudWatchEncryption ? cleanCfnObject({
+      CloudWatchEncryptionMode: c.CloudWatchEncryption.CloudWatchEncryptionMode,
+      KmsKeyArn: c.CloudWatchEncryption.KmsKeyArn
+    }) : {},
+    JobBookmarksEncryption: c.JobBookmarksEncryption ? cleanCfnObject({
+      JobBookmarksEncryptionMode: c.JobBookmarksEncryption.JobBookmarksEncryptionMode,
+      KmsKeyArn: c.JobBookmarksEncryption.KmsKeyArn
+    }) : {}
+  };
+}
+function cleanCfnObject(obj) {
+  const out = {};
+  for (const [k, v] of Object.entries(obj)) {
+    if (v !== void 0)
+      out[k] = v;
+  }
+  return out;
+}
+async function buildGlueResourceArn(client, stsClient, resource, name, accountId) {
+  const region = await client.config.region() || process.env["AWS_REGION"] || "us-east-1";
+  const account = accountId ?? await resolveAccountId(stsClient);
+  return `arn:aws:glue:${region}:${account}:${resource}/${name}`;
+}
+async function resolveAccountId(stsClient) {
+  const identity = await stsClient.send(new GetCallerIdentityCommand8({}));
+  if (!identity.Account) {
+    throw new Error("Failed to resolve AWS account id from STS");
+  }
+  return identity.Account;
+}
+async function fetchGlueTags(client, stsClient, resource, name, accountId, logger) {
+  try {
+    const arn = await buildGlueResourceArn(client, stsClient, resource, name, accountId);
+    const resp = await client.send(new GetTagsCommand({ ResourceArn: arn }));
+    return normalizeAwsTagsToCfn(resp.Tags);
+  } catch (err) {
+    logger.debug(
+      `GetTags failed for ${resource}/${name}: ${err instanceof Error ? err.message : String(err)}`
+    );
+    return [];
+  }
+}
+var GlueJobProvider = class {
+  client;
+  stsClient;
+  cachedAccountId;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("GlueJobProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::Glue::Job",
+      /* @__PURE__ */ new Set([
+        "Name",
+        "Role",
+        "Command",
+        "Description",
+        "MaxCapacity",
+        "MaxRetries",
+        "Timeout",
+        "ExecutionProperty",
+        "GlueVersion",
+        "NumberOfWorkers",
+        "WorkerType",
+        "DefaultArguments",
+        "NonOverridableArguments",
+        "Connections",
+        "LogUri",
+        "SecurityConfiguration",
+        "NotificationProperty",
+        "ExecutionClass",
+        "JobMode",
+        "JobRunQueuingEnabled",
+        "MaintenanceWindow",
+        "AllocatedCapacity",
+        "SourceControlDetails",
+        "Tags"
+      ])
+    ]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  getStsClient() {
+    if (!this.stsClient) {
+      this.stsClient = new STSClient8(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.stsClient;
+  }
+  async create(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Glue Job ${logicalId}`);
+    const name = properties["Name"] ?? logicalId;
+    const role = properties["Role"];
+    const command = properties["Command"];
+    if (!role) {
+      throw new ProvisioningError(
+        `Role is required for Glue Job ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    if (!command) {
+      throw new ProvisioningError(
+        `Command is required for Glue Job ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    try {
+      const tags = cfnTagsToMap(properties["Tags"]);
+      await this.getClient().send(
+        new CreateJobCommand({
+          Name: name,
+          Role: role,
+          Command: buildJobCommand(command),
+          ...buildJobCommonFields(properties),
+          ...tags && { Tags: tags }
+        })
+      );
+      this.logger.debug(`Successfully created Glue Job ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Glue Job ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating Glue Job ${logicalId}: ${physicalId}`);
+    try {
+      const command = properties["Command"];
+      const update = {
+        ...command !== void 0 && { Command: buildJobCommand(command) },
+        ...buildJobCommonFields(properties),
+        // Role is required at create but mutable on update; include only when defined
+        ...properties["Role"] !== void 0 && { Role: properties["Role"] }
+      };
+      await this.getClient().send(new UpdateJobCommand({ JobName: physicalId, JobUpdate: update }));
+      const oldTags = cfnTagsToMap(previousProperties["Tags"]) ?? {};
+      const newTags = cfnTagsToMap(properties["Tags"]) ?? {};
+      await this.applyTagDiff(physicalId, oldTags, newTags);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Glue Job ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting Glue Job ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeleteJobCommand({ JobName: physicalId }));
+    } catch (error) {
+      if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Glue Job ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Glue Job ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  /**
+   * Read the AWS-current Glue Job in CFn-property shape.
+   *
+   * Always-emit placeholders for user-controllable top-level keys per
+   * PR #145 (`?? '' | [] | {}`) so the v3 `observedProperties` baseline
+   * detects console-side ADDs to fields that weren't templated. Tags
+   * always emit `[]` (PR H pattern).
+   */
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let job;
+    try {
+      const resp = await this.getClient().send(new GetJobCommand({ JobName: physicalId }));
+      job = resp.Job;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!job)
+      return void 0;
+    const result = {
+      Name: job.Name ?? physicalId,
+      Role: job.Role ?? "",
+      Command: pickDefined({
+        Name: job.Command?.Name,
+        ScriptLocation: job.Command?.ScriptLocation,
+        PythonVersion: job.Command?.PythonVersion,
+        Runtime: job.Command?.Runtime
+      }),
+      Description: job.Description ?? "",
+      LogUri: job.LogUri ?? "",
+      DefaultArguments: job.DefaultArguments ?? {},
+      NonOverridableArguments: job.NonOverridableArguments ?? {},
+      Connections: { Connections: job.Connections?.Connections ?? [] },
+      MaxRetries: job.MaxRetries ?? 0,
+      Timeout: job.Timeout ?? 0,
+      ExecutionProperty: { MaxConcurrentRuns: job.ExecutionProperty?.MaxConcurrentRuns ?? 1 },
+      NotificationProperty: { NotifyDelayAfter: job.NotificationProperty?.NotifyDelayAfter ?? 0 },
+      GlueVersion: job.GlueVersion ?? "",
+      NumberOfWorkers: job.NumberOfWorkers ?? 0,
+      WorkerType: job.WorkerType ?? "",
+      MaxCapacity: job.MaxCapacity ?? 0,
+      AllocatedCapacity: job.AllocatedCapacity ?? 0,
+      SecurityConfiguration: job.SecurityConfiguration ?? "",
+      ExecutionClass: job.ExecutionClass ?? "",
+      JobMode: job.JobMode ?? "",
+      JobRunQueuingEnabled: job.JobRunQueuingEnabled ?? false,
+      MaintenanceWindow: job.MaintenanceWindow ?? "",
+      SourceControlDetails: job.SourceControlDetails ? pickDefined(job.SourceControlDetails) : {}
+    };
+    result["Tags"] = await fetchGlueTags(
+      this.getClient(),
+      this.getStsClient(),
+      "job",
+      job.Name ?? physicalId,
+      this.cachedAccountId,
+      this.logger
+    );
+    return result;
+  }
+  async applyTagDiff(physicalId, oldTags, newTags) {
+    const arn = await buildGlueResourceArn(
+      this.getClient(),
+      this.getStsClient(),
+      "job",
+      physicalId,
+      this.cachedAccountId
+    );
+    const toAdd = {};
+    const toRemove = [];
+    for (const [k, v] of Object.entries(newTags)) {
+      if (oldTags[k] !== v)
+        toAdd[k] = v;
+    }
+    for (const k of Object.keys(oldTags)) {
+      if (!(k in newTags))
+        toRemove.push(k);
+    }
+    if (Object.keys(toAdd).length > 0 || toRemove.length > 0) {
+      const { TagResourceCommand: TagResourceCommand17, UntagResourceCommand: UntagResourceCommand16 } = await import("@aws-sdk/client-glue");
+      if (Object.keys(toAdd).length > 0) {
+        await this.getClient().send(new TagResourceCommand17({ ResourceArn: arn, TagsToAdd: toAdd }));
+      }
+      if (toRemove.length > 0) {
+        await this.getClient().send(
+          new UntagResourceCommand16({ ResourceArn: arn, TagsToRemove: toRemove })
+        );
+      }
+    }
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["Name"];
+    if (!explicitName)
+      return null;
+    try {
+      await this.getClient().send(new GetJobCommand({ JobName: explicitName }));
+      return { physicalId: explicitName, attributes: {} };
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return null;
+      throw err;
+    }
+  }
+};
+function buildJobCommand(c) {
+  const result = {};
+  if (c["Name"] !== void 0)
+    result.Name = c["Name"];
+  if (c["ScriptLocation"] !== void 0)
+    result.ScriptLocation = c["ScriptLocation"];
+  if (c["PythonVersion"] !== void 0)
+    result.PythonVersion = c["PythonVersion"];
+  if (c["Runtime"] !== void 0)
+    result.Runtime = c["Runtime"];
+  return result;
+}
+function buildJobCommonFields(p) {
+  const r = {};
+  const passThrough = [
+    "JobMode",
+    "JobRunQueuingEnabled",
+    "Description",
+    "LogUri",
+    "DefaultArguments",
+    "NonOverridableArguments",
+    "MaxRetries",
+    "AllocatedCapacity",
+    "Timeout",
+    "MaxCapacity",
+    "WorkerType",
+    "NumberOfWorkers",
+    "SecurityConfiguration",
+    "GlueVersion",
+    "ExecutionClass",
+    "MaintenanceWindow"
+  ];
+  for (const k of passThrough) {
+    if (p[k] !== void 0) {
+      r[k] = p[k];
+    }
+  }
+  if (p["ExecutionProperty"] !== void 0) {
+    r.ExecutionProperty = p["ExecutionProperty"];
+  }
+  if (p["Connections"] !== void 0) {
+    const conn = p["Connections"];
+    r.Connections = { Connections: conn["Connections"] ?? [] };
+  }
+  if (p["NotificationProperty"] !== void 0) {
+    r.NotificationProperty = p["NotificationProperty"];
+  }
+  if (p["SourceControlDetails"] !== void 0) {
+    r.SourceControlDetails = p["SourceControlDetails"];
+  }
+  return r;
+}
+function cfnTagsToMap(tagsInput) {
+  if (tagsInput === void 0)
+    return void 0;
+  const out = {};
+  if (Array.isArray(tagsInput)) {
+    for (const entry of tagsInput) {
+      const e = entry;
+      const k = e["Key"];
+      const v = e["Value"];
+      if (typeof k === "string")
+        out[k] = typeof v === "string" ? v : "";
+    }
+    return out;
+  }
+  if (typeof tagsInput === "object" && tagsInput !== null) {
+    for (const [k, v] of Object.entries(tagsInput)) {
+      out[k] = typeof v === "string" ? v : "";
+    }
+    return out;
+  }
+  return out;
+}
+function pickDefined(obj) {
+  const out = {};
+  for (const [k, v] of Object.entries(obj)) {
+    if (v === void 0 || v === null)
+      continue;
+    if (typeof v === "object" && !Array.isArray(v)) {
+      const inner = pickDefined(v);
+      out[k] = inner;
+    } else {
+      out[k] = v;
+    }
+  }
+  return out;
+}
+var GlueCrawlerProvider = class {
+  client;
+  stsClient;
+  cachedAccountId;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("GlueCrawlerProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::Glue::Crawler",
+      /* @__PURE__ */ new Set([
+        "Name",
+        "Role",
+        "Targets",
+        "DatabaseName",
+        "Description",
+        "Schedule",
+        "Classifiers",
+        "TablePrefix",
+        "SchemaChangePolicy",
+        "RecrawlPolicy",
+        "LineageConfiguration",
+        "LakeFormationConfiguration",
+        "Configuration",
+        "CrawlerSecurityConfiguration",
+        "Tags"
+      ])
+    ]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  getStsClient() {
+    if (!this.stsClient) {
+      this.stsClient = new STSClient8(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.stsClient;
+  }
+  async create(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Glue Crawler ${logicalId}`);
+    const name = properties["Name"] ?? logicalId;
+    const role = properties["Role"];
+    const targets = properties["Targets"];
+    if (!role) {
+      throw new ProvisioningError(
+        `Role is required for Glue Crawler ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    if (!targets) {
+      throw new ProvisioningError(
+        `Targets is required for Glue Crawler ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    try {
+      const tags = cfnTagsToMap(properties["Tags"]);
+      await this.getClient().send(
+        new CreateCrawlerCommand({
+          Name: name,
+          Role: role,
+          Targets: targets,
+          ...buildCrawlerCommonFields(properties),
+          ...tags && { Tags: tags }
+        })
+      );
+      this.logger.debug(`Successfully created Glue Crawler ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Glue Crawler ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating Glue Crawler ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(
+        new UpdateCrawlerCommand({
+          Name: physicalId,
+          ...properties["Role"] !== void 0 && { Role: properties["Role"] },
+          ...properties["Targets"] !== void 0 && {
+            Targets: properties["Targets"]
+          },
+          ...buildCrawlerCommonFields(properties)
+        })
+      );
+      const oldTags = cfnTagsToMap(previousProperties["Tags"]) ?? {};
+      const newTags = cfnTagsToMap(properties["Tags"]) ?? {};
+      await this.applyTagDiff(physicalId, oldTags, newTags);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Glue Crawler ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting Glue Crawler ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeleteCrawlerCommand({ Name: physicalId }));
+    } catch (error) {
+      if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Glue Crawler ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Glue Crawler ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let crawler;
+    try {
+      const resp = await this.getClient().send(new GetCrawlerCommand({ Name: physicalId }));
+      crawler = resp.Crawler;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!crawler)
+      return void 0;
+    const result = {
+      Name: crawler.Name ?? physicalId,
+      Role: crawler.Role ?? "",
+      Targets: crawler.Targets ? pickDefined(crawler.Targets) : {},
+      DatabaseName: crawler.DatabaseName ?? "",
+      Description: crawler.Description ?? "",
+      // CFn `Schedule` is the structured wrapper; reverse-map from the
+      // SDK's `Schedule { ScheduleExpression, State }` Description shape.
+      Schedule: crawler.Schedule?.ScheduleExpression ? { ScheduleExpression: crawler.Schedule.ScheduleExpression } : {},
+      Classifiers: crawler.Classifiers ?? [],
+      TablePrefix: crawler.TablePrefix ?? "",
+      SchemaChangePolicy: crawler.SchemaChangePolicy ? pickDefined(crawler.SchemaChangePolicy) : {},
+      RecrawlPolicy: crawler.RecrawlPolicy ? pickDefined(crawler.RecrawlPolicy) : {},
+      LineageConfiguration: crawler.LineageConfiguration ? pickDefined(crawler.LineageConfiguration) : {},
+      LakeFormationConfiguration: crawler.LakeFormationConfiguration ? pickDefined(crawler.LakeFormationConfiguration) : {},
+      Configuration: crawler.Configuration ?? "",
+      CrawlerSecurityConfiguration: crawler.CrawlerSecurityConfiguration ?? ""
+    };
+    result["Tags"] = await fetchGlueTags(
+      this.getClient(),
+      this.getStsClient(),
+      "crawler",
+      crawler.Name ?? physicalId,
+      this.cachedAccountId,
+      this.logger
+    );
+    return result;
+  }
+  /**
+   * Start (or stop) a crawler's schedule. Exposed for downstream tooling
+   * — not part of `update()` because AWS treats schedule activation as a
+   * separate side-effect from crawler config update.
+   */
+  async startSchedule(physicalId) {
+    await this.getClient().send(new StartCrawlerScheduleCommand({ CrawlerName: physicalId }));
+  }
+  async stopSchedule(physicalId) {
+    await this.getClient().send(new StopCrawlerScheduleCommand({ CrawlerName: physicalId }));
+  }
+  async applyTagDiff(physicalId, oldTags, newTags) {
+    const arn = await buildGlueResourceArn(
+      this.getClient(),
+      this.getStsClient(),
+      "crawler",
+      physicalId,
+      this.cachedAccountId
+    );
+    const toAdd = {};
+    const toRemove = [];
+    for (const [k, v] of Object.entries(newTags)) {
+      if (oldTags[k] !== v)
+        toAdd[k] = v;
+    }
+    for (const k of Object.keys(oldTags)) {
+      if (!(k in newTags))
+        toRemove.push(k);
+    }
+    if (Object.keys(toAdd).length > 0 || toRemove.length > 0) {
+      const { TagResourceCommand: TagResourceCommand17, UntagResourceCommand: UntagResourceCommand16 } = await import("@aws-sdk/client-glue");
+      if (Object.keys(toAdd).length > 0) {
+        await this.getClient().send(new TagResourceCommand17({ ResourceArn: arn, TagsToAdd: toAdd }));
+      }
+      if (toRemove.length > 0) {
+        await this.getClient().send(
+          new UntagResourceCommand16({ ResourceArn: arn, TagsToRemove: toRemove })
+        );
+      }
+    }
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["Name"];
+    if (!explicitName)
+      return null;
+    try {
+      await this.getClient().send(new GetCrawlerCommand({ Name: explicitName }));
+      return { physicalId: explicitName, attributes: {} };
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return null;
+      throw err;
+    }
+  }
+};
+function buildCrawlerCommonFields(p) {
+  const r = {};
+  if (p["DatabaseName"] !== void 0)
+    r["DatabaseName"] = p["DatabaseName"];
+  if (p["Description"] !== void 0)
+    r["Description"] = p["Description"];
+  if (p["Classifiers"] !== void 0)
+    r["Classifiers"] = p["Classifiers"];
+  if (p["TablePrefix"] !== void 0)
+    r["TablePrefix"] = p["TablePrefix"];
+  if (p["Schedule"] !== void 0) {
+    const sched = p["Schedule"];
+    if (typeof sched === "string") {
+      r["Schedule"] = sched;
+    } else if (typeof sched === "object" && sched !== null) {
+      const wrap = sched;
+      if (wrap["ScheduleExpression"] !== void 0) {
+        r["Schedule"] = wrap["ScheduleExpression"];
+      }
+    }
+  }
+  if (p["SchemaChangePolicy"] !== void 0) {
+    r["SchemaChangePolicy"] = p["SchemaChangePolicy"];
+  }
+  if (p["RecrawlPolicy"] !== void 0) {
+    r["RecrawlPolicy"] = p["RecrawlPolicy"];
+  }
+  if (p["LineageConfiguration"] !== void 0) {
+    r["LineageConfiguration"] = p["LineageConfiguration"];
+  }
+  if (p["LakeFormationConfiguration"] !== void 0) {
+    r["LakeFormationConfiguration"] = p["LakeFormationConfiguration"];
+  }
+  if (p["Configuration"] !== void 0)
+    r["Configuration"] = p["Configuration"];
+  if (p["CrawlerSecurityConfiguration"] !== void 0) {
+    r["CrawlerSecurityConfiguration"] = p["CrawlerSecurityConfiguration"];
+  }
+  return r;
+}
+var GlueConnectionProvider = class {
+  client;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("GlueConnectionProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    ["AWS::Glue::Connection", /* @__PURE__ */ new Set(["ConnectionInput", "CatalogId"])]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  async create(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Glue Connection ${logicalId}`);
+    const connectionInput = properties["ConnectionInput"];
+    if (!connectionInput) {
+      throw new ProvisioningError(
+        `ConnectionInput is required for Glue Connection ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    const name = connectionInput["Name"] ?? logicalId;
+    const catalogId = properties["CatalogId"];
+    try {
+      await this.getClient().send(
+        new CreateConnectionCommand({
+          ...catalogId && { CatalogId: catalogId },
+          ConnectionInput: buildConnectionInput(connectionInput, name)
+        })
+      );
+      this.logger.debug(`Successfully created Glue Connection ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Glue Connection ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    this.logger.debug(`Updating Glue Connection ${logicalId}: ${physicalId}`);
+    const connectionInput = properties["ConnectionInput"];
+    if (!connectionInput) {
+      throw new ProvisioningError(
+        `ConnectionInput is required for Glue Connection update ${logicalId}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    const catalogId = properties["CatalogId"];
+    try {
+      await this.getClient().send(
+        new UpdateConnectionCommand({
+          ...catalogId && { CatalogId: catalogId },
+          Name: physicalId,
+          ConnectionInput: buildConnectionInput(connectionInput, physicalId)
+        })
+      );
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Glue Connection ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, properties, context) {
+    this.logger.debug(`Deleting Glue Connection ${logicalId}: ${physicalId}`);
+    const catalogId = properties?.["CatalogId"];
+    try {
+      await this.getClient().send(
+        new DeleteConnectionCommand({
+          ConnectionName: physicalId,
+          ...catalogId && { CatalogId: catalogId }
+        })
+      );
+    } catch (error) {
+      if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Glue Connection ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Glue Connection ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
+    const catalogId = properties?.["CatalogId"];
+    let conn;
+    try {
+      const resp = await this.getClient().send(
+        new GetConnectionCommand({ Name: physicalId, ...catalogId && { CatalogId: catalogId } })
+      );
+      conn = resp.Connection;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!conn)
+      return void 0;
+    const ci = {
+      Name: conn.Name ?? physicalId,
+      ConnectionType: conn.ConnectionType ?? "",
+      Description: conn.Description ?? "",
+      MatchCriteria: conn.MatchCriteria ?? [],
+      ConnectionProperties: conn.ConnectionProperties ?? {},
+      SparkProperties: conn.SparkProperties ?? {},
+      AthenaProperties: conn.AthenaProperties ?? {},
+      PythonProperties: conn.PythonProperties ?? {},
+      PhysicalConnectionRequirements: conn.PhysicalConnectionRequirements ? pickDefined(conn.PhysicalConnectionRequirements) : {}
+    };
+    return { ConnectionInput: ci };
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["ConnectionInput"]?.["Name"];
+    if (!explicitName)
+      return null;
+    const catalogId = input.properties["CatalogId"];
+    try {
+      await this.getClient().send(
+        new GetConnectionCommand({
+          Name: explicitName,
+          ...catalogId && { CatalogId: catalogId }
+        })
+      );
+      return { physicalId: explicitName, attributes: {} };
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return null;
+      throw err;
+    }
+  }
+};
+function buildConnectionInput(ci, fallbackName) {
+  const result = {
+    Name: ci["Name"] ?? fallbackName,
+    ConnectionType: ci["ConnectionType"],
+    ConnectionProperties: ci["ConnectionProperties"] ?? {}
+  };
+  if (ci["Description"] !== void 0)
+    result.Description = ci["Description"];
+  if (ci["MatchCriteria"] !== void 0)
+    result.MatchCriteria = ci["MatchCriteria"];
+  if (ci["SparkProperties"] !== void 0) {
+    result.SparkProperties = ci["SparkProperties"];
+  }
+  if (ci["AthenaProperties"] !== void 0) {
+    result.AthenaProperties = ci["AthenaProperties"];
+  }
+  if (ci["PythonProperties"] !== void 0) {
+    result.PythonProperties = ci["PythonProperties"];
+  }
+  if (ci["PhysicalConnectionRequirements"] !== void 0) {
+    result.PhysicalConnectionRequirements = ci["PhysicalConnectionRequirements"];
+  }
+  if (ci["AuthenticationConfiguration"] !== void 0) {
+    result.AuthenticationConfiguration = ci["AuthenticationConfiguration"];
+  }
+  if (ci["ValidateCredentials"] !== void 0) {
+    result.ValidateCredentials = ci["ValidateCredentials"];
+  }
+  if (ci["ValidateForComputeEnvironments"] !== void 0) {
+    result.ValidateForComputeEnvironments = ci["ValidateForComputeEnvironments"];
+  }
+  return result;
+}
+var GlueTriggerProvider = class {
+  client;
+  stsClient;
+  cachedAccountId;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("GlueTriggerProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::Glue::Trigger",
+      /* @__PURE__ */ new Set([
+        "Name",
+        "Type",
+        "Schedule",
+        "Actions",
+        "Predicate",
+        "Description",
+        "StartOnCreation",
+        "EventBatchingCondition",
+        "WorkflowName",
+        "Tags"
+      ])
+    ]
+  ]);
+  getClient() {
+    if (!this.client) {
+      this.client = new GlueClient(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.client;
+  }
+  getStsClient() {
+    if (!this.stsClient) {
+      this.stsClient = new STSClient8(this.providerRegion ? { region: this.providerRegion } : {});
+    }
+    return this.stsClient;
+  }
+  async create(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Glue Trigger ${logicalId}`);
+    const name = properties["Name"] ?? logicalId;
+    const type = properties["Type"];
+    const actions = properties["Actions"];
+    if (!type) {
+      throw new ProvisioningError(
+        `Type is required for Glue Trigger ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    if (!actions) {
+      throw new ProvisioningError(
+        `Actions is required for Glue Trigger ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    try {
+      const tags = cfnTagsToMap(properties["Tags"]);
+      await this.getClient().send(
+        new CreateTriggerCommand({
+          Name: name,
+          Type: type,
+          Actions: actions,
+          ...properties["Schedule"] !== void 0 && {
+            Schedule: properties["Schedule"]
+          },
+          ...properties["Predicate"] !== void 0 && {
+            Predicate: properties["Predicate"]
+          },
+          ...properties["Description"] !== void 0 && {
+            Description: properties["Description"]
+          },
+          ...properties["StartOnCreation"] !== void 0 && {
+            StartOnCreation: properties["StartOnCreation"]
+          },
+          ...properties["WorkflowName"] !== void 0 && {
+            WorkflowName: properties["WorkflowName"]
+          },
+          ...properties["EventBatchingCondition"] !== void 0 && {
+            EventBatchingCondition: properties["EventBatchingCondition"]
+          },
+          ...tags && { Tags: tags }
+        })
+      );
+      this.logger.debug(`Successfully created Glue Trigger ${logicalId}: ${name}`);
+      return { physicalId: name, attributes: {} };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Glue Trigger ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating Glue Trigger ${logicalId}: ${physicalId}`);
+    try {
+      let restart = false;
+      try {
+        const cur = await this.getClient().send(new GetTriggerCommand({ Name: physicalId }));
+        if (cur.Trigger?.State === "ACTIVATED") {
+          restart = true;
+          await this.getClient().send(new StopTriggerCommand({ Name: physicalId }));
+        }
+      } catch (err) {
+        if (!(err instanceof EntityNotFoundException)) {
+          this.logger.debug(
+            `GetTrigger pre-check failed for ${physicalId}; continuing anyway: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+      }
+      const update = {
+        ...properties["Description"] !== void 0 && {
+          Description: properties["Description"]
+        },
+        ...properties["Schedule"] !== void 0 && {
+          Schedule: properties["Schedule"]
+        },
+        ...properties["Actions"] !== void 0 && {
+          Actions: properties["Actions"]
+        },
+        ...properties["Predicate"] !== void 0 && {
+          Predicate: properties["Predicate"]
+        },
+        ...properties["EventBatchingCondition"] !== void 0 && {
+          EventBatchingCondition: properties["EventBatchingCondition"]
+        }
+      };
+      await this.getClient().send(
+        new UpdateTriggerCommand({ Name: physicalId, TriggerUpdate: update })
+      );
+      if (restart) {
+        await this.getClient().send(new StartTriggerCommand({ Name: physicalId }));
+      }
+      const oldTags = cfnTagsToMap(previousProperties["Tags"]) ?? {};
+      const newTags = cfnTagsToMap(properties["Tags"]) ?? {};
+      await this.applyTagDiff(physicalId, oldTags, newTags);
+      return { physicalId, wasReplaced: false };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Glue Trigger ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    this.logger.debug(`Deleting Glue Trigger ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(new DeleteTriggerCommand({ Name: physicalId }));
+    } catch (error) {
+      if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Glue Trigger ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Glue Trigger ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await -- explicit-override-only intentionally has no AWS calls
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName === "Id" || attributeName === "Ref" || attributeName === "Name") {
+      return physicalId;
+    }
+    return void 0;
+  }
+  async readCurrentState(physicalId, _logicalId, _resourceType) {
+    let trig;
+    try {
+      const resp = await this.getClient().send(new GetTriggerCommand({ Name: physicalId }));
+      trig = resp.Trigger;
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return void 0;
+      throw err;
+    }
+    if (!trig)
+      return void 0;
+    const result = {
+      Name: trig.Name ?? physicalId,
+      Type: trig.Type ?? "",
+      Schedule: trig.Schedule ?? "",
+      Description: trig.Description ?? "",
+      WorkflowName: trig.WorkflowName ?? "",
+      Actions: (trig.Actions ?? []).map(
+        (a) => pickDefined(a)
+      ),
+      Predicate: trig.Predicate ? {
+        Logical: trig.Predicate.Logical ?? "",
+        Conditions: (trig.Predicate.Conditions ?? []).map(
+          (c) => pickDefined(c)
+        )
+      } : {},
+      EventBatchingCondition: trig.EventBatchingCondition ? pickDefined(trig.EventBatchingCondition) : {}
+    };
+    result["Tags"] = await fetchGlueTags(
+      this.getClient(),
+      this.getStsClient(),
+      "trigger",
+      trig.Name ?? physicalId,
+      this.cachedAccountId,
+      this.logger
+    );
+    return result;
+  }
+  async applyTagDiff(physicalId, oldTags, newTags) {
+    const arn = await buildGlueResourceArn(
+      this.getClient(),
+      this.getStsClient(),
+      "trigger",
+      physicalId,
+      this.cachedAccountId
+    );
+    const toAdd = {};
+    const toRemove = [];
+    for (const [k, v] of Object.entries(newTags)) {
+      if (oldTags[k] !== v)
+        toAdd[k] = v;
+    }
+    for (const k of Object.keys(oldTags)) {
+      if (!(k in newTags))
+        toRemove.push(k);
+    }
+    if (Object.keys(toAdd).length > 0 || toRemove.length > 0) {
+      const { TagResourceCommand: TagResourceCommand17, UntagResourceCommand: UntagResourceCommand16 } = await import("@aws-sdk/client-glue");
+      if (Object.keys(toAdd).length > 0) {
+        await this.getClient().send(new TagResourceCommand17({ ResourceArn: arn, TagsToAdd: toAdd }));
+      }
+      if (toRemove.length > 0) {
+        await this.getClient().send(
+          new UntagResourceCommand16({ ResourceArn: arn, TagsToRemove: toRemove })
+        );
+      }
+    }
+  }
+  async import(input) {
+    const explicitName = input.knownPhysicalId ?? input.properties["Name"];
+    if (!explicitName)
+      return null;
+    try {
+      await this.getClient().send(new GetTriggerCommand({ Name: explicitName }));
+      return { physicalId: explicitName, attributes: {} };
+    } catch (err) {
+      if (err instanceof EntityNotFoundException)
+        return null;
+      throw err;
+    }
+  }
+};
 
 // src/provisioning/providers/kms-provider.ts
 import {
@@ -63553,6 +65164,12 @@ function registerAllProviders(registry) {
   const glueProvider = new GlueProvider();
   registry.register("AWS::Glue::Database", glueProvider);
   registry.register("AWS::Glue::Table", glueProvider);
+  registry.register("AWS::Glue::Workflow", new GlueWorkflowProvider());
+  registry.register("AWS::Glue::SecurityConfiguration", new GlueSecurityConfigurationProvider());
+  registry.register("AWS::Glue::Job", new GlueJobProvider());
+  registry.register("AWS::Glue::Crawler", new GlueCrawlerProvider());
+  registry.register("AWS::Glue::Connection", new GlueConnectionProvider());
+  registry.register("AWS::Glue::Trigger", new GlueTriggerProvider());
   const kmsProvider = new KMSProvider();
   registry.register("AWS::KMS::Key", kmsProvider);
   registry.register("AWS::KMS::Alias", kmsProvider);
@@ -68373,7 +69990,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.63.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.65.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());