@go-to-k/cdkd 0.68.0 → 0.69.0

package/README.md

@@ -607,6 +607,14 @@ cdkd local invoke MyStack/Handler --assume-role arn:aws:iam::123456789012:role/M
 
 # Attach a Node debugger
 cdkd local invoke MyStack/Handler --debug-port 9229
+
+# After `cdkd deploy`, recover intrinsic-valued env vars (Ref / Fn::GetAtt
+# / Fn::Sub) from cdkd's S3 state instead of dropping them. Off by default
+# — keeps the local-only / unscoped flow safe; opt in when you want the
+# handler to see the deployed physical IDs (S3 bucket names, DDB table
+# names, IAM role ARNs, ...). Disambiguate with `--stack-region <region>`
+# when the same stack name has state in multiple regions.
+cdkd local invoke MyStack/Handler --from-state
 ```
 
 See [docs/cli-reference.md](docs/cli-reference.md#local-invoke-run-lambda-functions-locally)

package/dist/cli.js

@@ -70177,6 +70177,183 @@ function isLiteralEnvValue(value) {
   return typeof value === "string" || typeof value === "number" || typeof value === "boolean";
 }
 
+// src/local-invoke/state-resolver.ts
+function substituteAgainstState(value, resources) {
+  if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+    return { kind: "literal", value };
+  }
+  if (value === null || typeof value !== "object") {
+    return {
+      kind: "unresolved",
+      reason: `unsupported value type: ${value === null ? "null" : typeof value}`
+    };
+  }
+  const obj = value;
+  const keys = Object.keys(obj);
+  if (keys.length !== 1) {
+    return {
+      kind: "unresolved",
+      reason: `expected an intrinsic with one key, got ${keys.length} keys`
+    };
+  }
+  const intrinsic = keys[0];
+  const arg = obj[intrinsic];
+  if (intrinsic === "Ref") {
+    return resolveRef(arg, resources);
+  }
+  if (intrinsic === "Fn::GetAtt") {
+    return resolveGetAtt(arg, resources);
+  }
+  if (intrinsic === "Fn::Sub") {
+    return resolveSub(arg, resources);
+  }
+  return {
+    kind: "unresolved",
+    reason: `unsupported intrinsic '${intrinsic}' (only Ref, Fn::GetAtt, Fn::Sub are wired in --from-state v1)`
+  };
+}
+function resolveRef(arg, resources) {
+  if (typeof arg !== "string" || arg.length === 0) {
+    return { kind: "unresolved", reason: `Ref expects a non-empty logical ID, got ${typeof arg}` };
+  }
+  const resource = resources[arg];
+  if (!resource) {
+    return {
+      kind: "unresolved",
+      reason: `Ref '${arg}': no record in cdkd state (was the resource deployed?)`
+    };
+  }
+  return { kind: "literal", value: resource.physicalId };
+}
+function resolveGetAtt(arg, resources) {
+  let logicalId;
+  let attr;
+  if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string") {
+    logicalId = arg[0];
+    if (typeof arg[1] !== "string") {
+      return {
+        kind: "unresolved",
+        reason: `Fn::GetAtt's second arg must be a string attribute name, got ${typeof arg[1]} (nested intrinsics in attribute names are not supported in --from-state v1)`
+      };
+    }
+    attr = arg[1];
+  } else if (typeof arg === "string") {
+    const dot = arg.indexOf(".");
+    if (dot <= 0 || dot === arg.length - 1) {
+      return {
+        kind: "unresolved",
+        reason: `Fn::GetAtt string form must be '<LogicalId>.<Attribute>', got '${arg}'`
+      };
+    }
+    logicalId = arg.slice(0, dot);
+    attr = arg.slice(dot + 1);
+  } else {
+    return {
+      kind: "unresolved",
+      reason: `Fn::GetAtt expects [LogicalId, Attribute] or 'LogicalId.Attribute', got ${Array.isArray(arg) ? `array of length ${arg.length}` : typeof arg}`
+    };
+  }
+  const resource = resources[logicalId];
+  if (!resource) {
+    return {
+      kind: "unresolved",
+      reason: `Fn::GetAtt '${logicalId}.${attr}': no record in cdkd state`
+    };
+  }
+  const cached = resource.attributes?.[attr];
+  if (cached === void 0) {
+    return {
+      kind: "unresolved",
+      reason: `Fn::GetAtt '${logicalId}.${attr}': attribute not captured in cdkd state at deploy time`
+    };
+  }
+  if (typeof cached === "string" || typeof cached === "number" || typeof cached === "boolean") {
+    return { kind: "literal", value: cached };
+  }
+  return { kind: "literal", value: JSON.stringify(cached) };
+}
+function resolveSub(arg, resources) {
+  let template;
+  let bindings = {};
+  if (typeof arg === "string") {
+    template = arg;
+  } else if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] !== null && typeof arg[1] === "object" && !Array.isArray(arg[1])) {
+    template = arg[0];
+    bindings = arg[1];
+  } else {
+    return {
+      kind: "unresolved",
+      reason: `Fn::Sub expects a string or [string, object], got ${Array.isArray(arg) ? "malformed array" : typeof arg}`
+    };
+  }
+  const placeholderRegex = /\$\{([^}]+)\}/g;
+  const placeholders = [];
+  template.replace(placeholderRegex, (_, key) => {
+    placeholders.push(key);
+    return "";
+  });
+  const resolutions = /* @__PURE__ */ new Map();
+  for (const placeholder of placeholders) {
+    if (resolutions.has(placeholder))
+      continue;
+    if (placeholder in bindings) {
+      const sub = substituteAgainstState(bindings[placeholder], resources);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+      continue;
+    }
+    const dot = placeholder.indexOf(".");
+    if (dot === -1) {
+      const sub = resolveRef(placeholder, resources);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+    } else {
+      const sub = resolveGetAtt(placeholder, resources);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+    }
+  }
+  const out = template.replace(placeholderRegex, (_, key) => {
+    return resolutions.get(key) ?? "";
+  });
+  return { kind: "literal", value: out };
+}
+function substituteEnvVarsFromState(templateEnv, resources) {
+  const env = {};
+  const audit = { resolvedKeys: [], unresolved: [] };
+  if (!templateEnv)
+    return { env, audit };
+  for (const [key, value] of Object.entries(templateEnv)) {
+    if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+      env[key] = value;
+      continue;
+    }
+    const result = substituteAgainstState(value, resources);
+    if (result.kind === "literal") {
+      env[key] = result.value;
+      audit.resolvedKeys.push(key);
+    } else {
+      audit.unresolved.push({ key, reason: result.reason });
+    }
+  }
+  return { env, audit };
+}
+
 // src/local-invoke/runtime-image.ts
 var SUPPORTED_RUNTIMES = {
   "nodejs18.x": { image: "public.ecr.aws/lambda/nodejs:18", fileExtension: ".js" },
@@ -70353,8 +70530,10 @@ async function waitForRieReady(host, port, timeoutMs = 5e3) {
   while (Date.now() < deadline) {
     try {
       const ok = await httpProbe(host, port, 500);
-      if (ok)
+      if (ok) {
+        await delay(250);
         return;
+      }
     } catch (err) {
       lastError = err;
     }
@@ -70408,12 +70587,7 @@ async function invokeRie(host, port, event, timeoutMs) {
   const timer = setTimeout(() => controller.abort(), timeoutMs);
   let response;
   try {
-    response = await fetch(url, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body,
-      signal: controller.signal
-    });
+    response = await fetchWithStartupRetry(url, body, controller.signal);
   } catch (err) {
     if (err.name === "AbortError") {
       throw new Error(
@@ -70432,8 +70606,32 @@ async function invokeRie(host, port, event, timeoutMs) {
   }
   return { payload, raw };
 }
+async function fetchWithStartupRetry(url, body, signal) {
+  const maxAttempts = 3;
+  let lastError;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    try {
+      return await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body,
+        signal
+      });
+    } catch (err) {
+      const name = err.name;
+      if (name === "AbortError")
+        throw err;
+      lastError = err;
+      if (attempt === maxAttempts)
+        break;
+      await delay(200);
+    }
+  }
+  throw lastError;
+}
 
 // src/cli/commands/local-invoke.ts
+init_aws_clients();
 async function localInvokeCommand(target, options) {
   const logger = getLogger();
   if (options.verbose) {
@@ -70464,13 +70662,44 @@ async function localInvokeCommand(target, options) {
     lambda.inlineCode ?? "",
     resolveRuntimeFileExtension(lambda.runtime)
   );
+  let stateAudit;
+  let templateEnv = getTemplateEnv(lambda.resource);
+  let stateForRoleHint;
+  if (options.fromState) {
+    const loaded = await loadStateForStack(lambda.stack.stackName, lambda.stack.region, {
+      ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
+      ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+      statePrefix: options.statePrefix,
+      ...options.region !== void 0 && { region: options.region },
+      ...options.profile !== void 0 && { profile: options.profile }
+    });
+    if (loaded) {
+      stateForRoleHint = loaded.state;
+      const { env, audit } = substituteEnvVarsFromState(templateEnv, loaded.state.resources);
+      templateEnv = env;
+      stateAudit = audit;
+      for (const key of audit.resolvedKeys) {
+        logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
+      }
+      for (const { key, reason } of audit.unresolved) {
+        logger.warn(
+          `--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`
+        );
+      }
+    }
+  }
   const overrides = readEnvOverridesFile(options.envVars);
-  const envResult = resolveEnvVars(lambda.logicalId, getTemplateEnv(lambda.resource), overrides);
+  const envResult = resolveEnvVars(lambda.logicalId, templateEnv, overrides);
   for (const key of envResult.unresolved) {
+    if (stateAudit && stateAudit.unresolved.some((u) => u.key === key))
+      continue;
     logger.warn(
-      `Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${lambda.logicalId}":{"${key}":"<literal>"}}) or wait for --from-state in PR 2.`
+      `Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${lambda.logicalId}":{"${key}":"<literal>"}}) or pass --from-state to recover deployed values.`
     );
   }
+  if (options.fromState && !options.assumeRole && stateForRoleHint) {
+    suggestAssumeRoleFromState(stateForRoleHint, lambda.logicalId);
+  }
   const event = await readEvent(options);
   const image = resolveRuntimeImage(lambda.runtime);
   const dockerEnv = {
@@ -70649,6 +70878,109 @@ function materializeInlineCode(handler, source, fileExtension) {
   writeFileSync5(filePath, source, "utf-8");
   return dir;
 }
+async function loadStateForStack(stackName, synthRegion, opts) {
+  const logger = getLogger();
+  const region = opts.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? synthRegion ?? "us-east-1";
+  let stateBucket;
+  try {
+    stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, region);
+  } catch (err) {
+    logger.warn(
+      `--from-state: could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Falling back to PR 1 warn-and-drop semantics.`
+    );
+    return void 0;
+  }
+  const awsClients = new AwsClients({
+    ...opts.region !== void 0 && { region: opts.region },
+    ...opts.profile !== void 0 && { profile: opts.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const stateConfig = { bucket: stateBucket, prefix: opts.statePrefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...opts.region !== void 0 && { region: opts.region },
+      ...opts.profile !== void 0 && { profile: opts.profile }
+    });
+    await stateBackend.verifyBucketExists();
+    const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
+    if (refs.length === 0) {
+      logger.warn(
+        `--from-state: no cdkd state found for stack '${stackName}' in bucket '${stateBucket}'. Was it deployed via 'cdkd deploy'? Falling back to PR 1 warn-and-drop semantics.`
+      );
+      return void 0;
+    }
+    let targetRegion;
+    if (opts.stackRegion) {
+      const found = refs.find((r) => r.region === opts.stackRegion);
+      if (!found) {
+        const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+        logger.warn(
+          `--from-state: stack '${stackName}' has no state in region '${opts.stackRegion}' (available: ${seen}). Falling back.`
+        );
+        return void 0;
+      }
+      targetRegion = opts.stackRegion;
+    } else if (synthRegion && refs.some((r) => r.region === synthRegion)) {
+      targetRegion = synthRegion;
+    } else if (refs.length === 1) {
+      targetRegion = refs[0].region ?? synthRegion ?? region;
+    } else {
+      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      logger.warn(
+        `--from-state: stack '${stackName}' has state in multiple regions (${seen}). Re-run with --stack-region <region>. Falling back.`
+      );
+      return void 0;
+    }
+    const stateData = await stateBackend.getState(stackName, targetRegion);
+    if (!stateData) {
+      logger.warn(
+        `--from-state: state record for '${stackName}' (${targetRegion}) returned empty. Falling back.`
+      );
+      return void 0;
+    }
+    logger.debug(`--from-state: loaded state for ${stackName} (${targetRegion})`);
+    return { state: stateData.state, region: targetRegion };
+  } finally {
+    awsClients.destroy();
+  }
+}
+function suggestAssumeRoleFromState(state, logicalId) {
+  const logger = getLogger();
+  const lambda = state.resources[logicalId];
+  if (!lambda)
+    return;
+  const roleRef = lambda.properties?.["Role"] ?? lambda.observedProperties?.["Role"];
+  let roleArn;
+  if (typeof roleRef === "string" && roleRef.startsWith("arn:")) {
+    roleArn = roleRef;
+  } else if (typeof roleRef === "object" && roleRef !== null) {
+    const refLogicalId = pickReferencedLogicalId(roleRef);
+    if (refLogicalId) {
+      const roleResource = state.resources[refLogicalId];
+      const cached = roleResource?.attributes?.["Arn"];
+      if (typeof cached === "string" && cached.startsWith("arn:")) {
+        roleArn = cached;
+      }
+    }
+  }
+  if (roleArn) {
+    logger.info(
+      `Hint: the deployed function uses execution role ${roleArn}. Re-run with --assume-role <that-arn> to invoke under the deployed function's narrow permissions.`
+    );
+  }
+}
+function pickReferencedLogicalId(intrinsic) {
+  if ("Ref" in intrinsic && typeof intrinsic["Ref"] === "string")
+    return intrinsic["Ref"];
+  if ("Fn::GetAtt" in intrinsic) {
+    const arg = intrinsic["Fn::GetAtt"];
+    if (Array.isArray(arg) && typeof arg[0] === "string")
+      return arg[0];
+    if (typeof arg === "string")
+      return arg.split(".")[0];
+  }
+  return void 0;
+}
 function createLocalCommand() {
   const local = new Command14("local").description(
     "Local Lambda execution against the AWS Lambda Runtime Interface Emulator (Docker required)"
@@ -70667,8 +70999,20 @@ function createLocalCommand() {
       "--assume-role <arn>",
       `Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the "developer admin / function narrow" skew). Off by default \u2014 when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default).`
     )
+  ).addOption(
+    new Option7(
+      "--from-state",
+      "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default \u2014 keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy."
+    ).default(false)
+  ).addOption(
+    new Option7(
+      "--stack-region <region>",
+      "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions)."
+    )
   ).action(withErrorHandling(localInvokeCommand));
-  [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => invoke.addOption(opt));
+  [...commonOptions, ...appOptions, ...contextOptions, ...stateOptions].forEach(
+    (opt) => invoke.addOption(opt)
+  );
   invoke.addOption(deprecatedRegionOption);
   local.addCommand(invoke);
   return local;
@@ -70703,7 +71047,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command15();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.68.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.69.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());