@go-to-k/cdkd 0.8.0 → 0.10.0

package/dist/index.js

@@ -783,10 +783,73 @@ Caused by: ${error.cause.message}`;
   }
   return String(error);
 }
+function normalizeAwsError(err, context = {}) {
+  if (!(err instanceof Error)) {
+    return new Error(String(err));
+  }
+  const isUnknown = err.name === "Unknown" || err.message === "UnknownError";
+  if (!isUnknown)
+    return err;
+  const meta = err.$metadata;
+  const status = meta?.httpStatusCode;
+  const bucket = context.bucket ?? "<unknown bucket>";
+  const operation = context.operation ?? "operation";
+  switch (status) {
+    case 301: {
+      const responseHeaders = err.$response?.headers;
+      const region = responseHeaders?.["x-amz-bucket-region"] ?? responseHeaders?.["X-Amz-Bucket-Region"];
+      const where = region ? ` (in ${region})` : "";
+      return new Error(
+        `Bucket '${bucket}'${where} is in a different region than the client. cdkd resolves this automatically; if you see this message, please report it.`
+      );
+    }
+    case 403:
+      return new Error(
+        `Access denied to bucket '${bucket}'. Verify credentials and bucket policy.`
+      );
+    case 404:
+      return new Error(`Bucket '${bucket}' does not exist.`);
+    default: {
+      const statusStr = status !== void 0 ? `HTTP ${status}` : "unknown HTTP status";
+      return new Error(
+        `S3 error during ${operation} on '${bucket}' (${statusStr}). See CloudTrail for details.`
+      );
+    }
+  }
+}
 
 // src/index.ts
 init_aws_clients();
 
+// src/utils/aws-region-resolver.ts
+import { GetBucketLocationCommand, S3Client as S3Client2 } from "@aws-sdk/client-s3";
+var cache = /* @__PURE__ */ new Map();
+async function resolveBucketRegion(bucketName, opts = {}) {
+  const cached = cache.get(bucketName);
+  if (cached)
+    return cached;
+  const promise = (async () => {
+    const client = new S3Client2({
+      region: "us-east-1",
+      ...opts.profile && { profile: opts.profile },
+      ...opts.credentials && { credentials: opts.credentials }
+    });
+    try {
+      const response = await client.send(new GetBucketLocationCommand({ Bucket: bucketName }));
+      return response.LocationConstraint || "us-east-1";
+    } catch {
+      return opts.fallbackRegion ?? "us-east-1";
+    } finally {
+      client.destroy();
+    }
+  })();
+  cache.set(bucketName, promise);
+  return promise;
+}
+function clearBucketRegionCache() {
+  cache.clear();
+}
+
 // src/synthesis/synthesizer.ts
 import { existsSync as existsSync3, mkdirSync, statSync } from "node:fs";
 import { resolve as resolve3 } from "node:path";
@@ -2083,7 +2146,7 @@ import { readFileSync as readFileSync4 } from "node:fs";
 // src/assets/file-asset-publisher.ts
 import { createReadStream, statSync as statSync2 } from "node:fs";
 import { join as join4, basename } from "node:path";
-import { S3Client as S3Client2, HeadObjectCommand, PutObjectCommand } from "@aws-sdk/client-s3";
+import { S3Client as S3Client3, HeadObjectCommand, PutObjectCommand } from "@aws-sdk/client-s3";
 var FileAssetPublisher = class {
   logger = getLogger().child("FileAssetPublisher");
   /**
@@ -2104,7 +2167,7 @@ var FileAssetPublisher = class {
       this.logger.debug(
         `Publishing file asset ${asset.displayName || assetHash} \u2192 s3://${bucketName}/${objectKey}`
       );
-      const client = new S3Client2({
+      const client = new S3Client3({
         region: destRegion
       });
       try {
@@ -2653,6 +2716,7 @@ var AssetPublisher = class {
 
 // src/state/s3-state-backend.ts
 import {
+  S3Client as S3Client4,
   GetObjectCommand,
   PutObjectCommand as PutObjectCommand2,
   DeleteObjectCommand,
@@ -2670,11 +2734,14 @@ var STATE_SCHEMA_VERSION_CURRENT = 2;
 var LEGACY_KEY_DEPTH = 2;
 var NEW_KEY_DEPTH = 3;
 var S3StateBackend = class {
-  constructor(s3Client, config) {
+  constructor(s3Client, config, clientOpts = {}) {
     this.s3Client = s3Client;
     this.config = config;
+    this.clientOpts = clientOpts;
   }
   logger = getLogger().child("S3StateBackend");
+  clientResolved = false;
+  resolveInFlight = null;
   /**
    * Get the new (region-scoped) S3 key for a stack's state file.
    */
@@ -2688,13 +2755,73 @@ var S3StateBackend = class {
   getLegacyStateKey(stackName) {
     return `${this.config.prefix}/${stackName}/state.json`;
   }
+  /**
+   * Resolve the state bucket's actual region and, if it differs from the
+   * client's currently-configured region, replace the S3Client with one
+   * pointed at the bucket's region.
+   *
+   * This is idempotent: subsequent calls return immediately. Concurrent
+   * callers (e.g. when several public methods race during a parallel deploy)
+   * share a single in-flight resolution promise so we never issue more than
+   * one `GetBucketLocation` per backend.
+   *
+   * Errors from `GetBucketLocation` are deliberately swallowed by
+   * `resolveBucketRegion` — the resolver returns `fallbackRegion` so the
+   * caller can surface the more actionable downstream error (e.g. the
+   * `HeadBucket` 404 routed via `normalizeAwsError`).
+   */
+  async ensureClientForBucket() {
+    if (this.clientResolved)
+      return;
+    if (this.resolveInFlight)
+      return this.resolveInFlight;
+    this.resolveInFlight = (async () => {
+      try {
+        const currentRegion = await this.s3Client.config.region();
+        const fallbackRegion = typeof currentRegion === "string" ? currentRegion : void 0;
+        const bucketRegion = await resolveBucketRegion(this.config.bucket, {
+          ...this.clientOpts.profile && { profile: this.clientOpts.profile },
+          ...this.clientOpts.credentials && { credentials: this.clientOpts.credentials },
+          ...fallbackRegion && { fallbackRegion }
+        });
+        if (bucketRegion !== currentRegion) {
+          this.logger.debug(
+            `State bucket '${this.config.bucket}' is in '${bucketRegion}' (client was '${currentRegion}'); rebuilding S3 client.`
+          );
+          const oldClient = this.s3Client;
+          this.s3Client = new S3Client4({
+            region: bucketRegion,
+            ...this.clientOpts.profile && { profile: this.clientOpts.profile },
+            ...this.clientOpts.credentials && { credentials: this.clientOpts.credentials },
+            // Suppress "Are you using a Stream of unknown length" warning,
+            // matching the suppression in AwsClients.
+            logger: { debug: () => {
+            }, info: () => {
+            }, warn: () => {
+            }, error: () => {
+            } }
+          });
+          oldClient.destroy();
+        }
+        this.clientResolved = true;
+      } finally {
+        this.resolveInFlight = null;
+      }
+    })();
+    return this.resolveInFlight;
+  }
   /**
    * Verify that the configured state bucket exists.
    *
    * Called early in deploy/destroy to fail fast before expensive work
    * (asset publishing, Docker builds) runs against a missing bucket.
+   *
+   * Errors are routed through {@link normalizeAwsError} so the AWS SDK v3
+   * synthetic `UnknownError` (e.g. cross-region HEAD) becomes a concrete
+   * "Bucket does not exist" / "Access denied" / "different region" message.
    */
   async verifyBucketExists() {
+    await this.ensureClientForBucket();
     try {
       await this.s3Client.send(new HeadBucketCommand({ Bucket: this.config.bucket }));
     } catch (error) {
@@ -2704,9 +2831,13 @@ var S3StateBackend = class {
           `State bucket '${this.config.bucket}' does not exist. Run 'cdkd bootstrap' to create it, or specify an existing bucket via --state-bucket, CDKD_STATE_BUCKET, or cdk.json context.cdkd.stateBucket.`
         );
       }
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "HeadBucket"
+      });
       throw new StateError(
-        `Failed to verify state bucket '${this.config.bucket}': ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to verify state bucket '${this.config.bucket}': ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -2719,6 +2850,7 @@ var S3StateBackend = class {
    * state without forcing a write-through migration first.
    */
   async stateExists(stackName, region) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     if (await this.headObject(newKey)) {
       return true;
@@ -2741,6 +2873,7 @@ var S3StateBackend = class {
    * preserve the quotes — they are required for `IfMatch` conditions.
    */
   async getState(stackName, region) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     try {
       this.logger.debug(`Getting state for stack: ${stackName} (${region})`);
@@ -2800,6 +2933,7 @@ var S3StateBackend = class {
    * @returns New ETag (with quotes, e.g., `"abc123"`)
    */
   async saveState(stackName, region, state, options = {}) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     const { expectedEtag, migrateLegacy } = options;
     const body = {
@@ -2855,9 +2989,13 @@ var S3StateBackend = class {
           `State has been modified by another process. Expected ETag: ${expectedEtag}, but state has changed.`
         );
       }
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "PutObject"
+      });
       throw new StateError(
-        `Failed to save state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to save state for stack '${stackName}' (${region}): ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -2869,6 +3007,7 @@ var S3StateBackend = class {
    * field is left alone.
    */
   async deleteState(stackName, region) {
+    await this.ensureClientForBucket();
     try {
       this.logger.debug(`Deleting state: ${stackName} (${region})`);
       await this.s3Client.send(
@@ -2888,9 +3027,13 @@ var S3StateBackend = class {
       }
       this.logger.debug(`State deleted: ${stackName} (${region})`);
     } catch (error) {
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "DeleteObject"
+      });
       throw new StateError(
-        `Failed to delete state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to delete state for stack '${stackName}' (${region}): ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -2909,6 +3052,7 @@ var S3StateBackend = class {
    * shows up exactly once.
    */
   async listStacks() {
+    await this.ensureClientForBucket();
     try {
       this.logger.debug("Listing all stacks");
       const prefix = `${this.config.prefix}/`;
@@ -2959,10 +3103,11 @@ var S3StateBackend = class {
       this.logger.debug(`Found ${refs.length} stack(s) across regions`);
       return refs;
     } catch (error) {
-      throw new StateError(
-        `Failed to list stacks: ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
-      );
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "ListObjectsV2"
+      });
+      throw new StateError(`Failed to list stacks: ${normalized.message}`, normalized);
     }
   }
   /**
@@ -5652,6 +5797,29 @@ var JsonPatchGenerator = class {
   }
 };
 
+// src/provisioning/region-check.ts
+function assertRegionMatch(clientRegion, expectedRegion, resourceType, logicalId, physicalId) {
+  if (!expectedRegion) {
+    return;
+  }
+  if (!clientRegion) {
+    throw new ProvisioningError(
+      `Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region is unknown but stack state expects ${expectedRegion}. The resource may exist in ${expectedRegion} and would be silently removed from state if this NotFound were trusted.`,
+      resourceType,
+      logicalId,
+      physicalId
+    );
+  }
+  if (clientRegion !== expectedRegion) {
+    throw new ProvisioningError(
+      `Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region ${clientRegion} does not match stack state region ${expectedRegion}. The resource likely still exists in ${expectedRegion}; rerun the destroy with the correct region (e.g. --region ${expectedRegion}).`,
+      resourceType,
+      logicalId,
+      physicalId
+    );
+  }
+}
+
 // src/provisioning/cloud-control-provider.ts
 var JSON_STRING_PROPERTIES = {
   "AWS::Events::Rule": /* @__PURE__ */ new Set(["EventPattern"])
@@ -5827,7 +5995,7 @@ var CloudControlProvider = class {
   /**
    * Delete a resource using Cloud Control API
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(
       `Deleting resource ${logicalId} (${resourceType}), physical ID: ${physicalId}`
     );
@@ -5854,6 +6022,14 @@ var CloudControlProvider = class {
     } catch (error) {
       const err = error;
       if (err.name === "ResourceNotFoundException" || err.message?.includes("does not exist") || err.message?.includes("not found") || err.message?.includes("NotFound")) {
+        const clientRegion = await this.cloudControlClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Resource ${logicalId} already deleted (not found), treating as success`);
         return;
       }
@@ -6229,7 +6405,7 @@ Error: ${err.message || "Unknown error"}`,
 import { InvokeCommand } from "@aws-sdk/client-lambda";
 import { PublishCommand } from "@aws-sdk/client-sns";
 import {
-  S3Client as S3Client5,
+  S3Client as S3Client6,
   PutObjectCommand as PutObjectCommand4,
   GetObjectCommand as GetObjectCommand3,
   DeleteObjectCommand as DeleteObjectCommand3
@@ -6298,7 +6474,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
   setResponseBucket(bucket, bucketRegion) {
     this.responseBucket = bucket;
     if (bucketRegion) {
-      this.s3Client = new S3Client5(bucketRegion ? { region: bucketRegion } : {});
+      this.s3Client = new S3Client6(bucketRegion ? { region: bucketRegion } : {});
     }
   }
   /**
@@ -6418,7 +6594,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
   /**
    * Delete a custom resource by invoking its Lambda handler
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, _context) {
     this.logger.debug(`Deleting custom resource ${logicalId}: ${physicalId} (${resourceType})`);
     if (!properties) {
       this.logger.warn(
@@ -7240,13 +7416,21 @@ var IAMRoleProvider = class {
    * 3. Remove role from all instance profiles
    * 4. Delete the role itself
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting IAM role ${logicalId}: ${physicalId}`);
     try {
       try {
         await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
       } catch (error) {
         if (error instanceof NoSuchEntityException) {
+          const clientRegion = await this.iamClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Role ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -8273,7 +8457,9 @@ var DeployEngine = class {
             `  Rollback: Deleting created resource ${op.logicalId} (${op.resourceType})`
           );
           const provider = this.providerRegistry.getProvider(op.resourceType);
-          await provider.delete(op.logicalId, op.physicalId, op.resourceType, op.properties);
+          await provider.delete(op.logicalId, op.physicalId, op.resourceType, op.properties, {
+            expectedRegion: this.stackRegion
+          });
           delete stateResources[op.logicalId];
           this.logger.info(`  Rollback: ${op.logicalId} deleted successfully`);
           break;
@@ -8415,7 +8601,8 @@ var DeployEngine = class {
                   logicalId,
                   currentResource.physicalId,
                   resourceType,
-                  currentResource.properties
+                  currentResource.properties,
+                  { expectedRegion: this.stackRegion }
                 );
                 this.logger.info(`  \u2713 Old resource deleted`);
               } catch (deleteError) {
@@ -8464,7 +8651,8 @@ var DeployEngine = class {
                     logicalId,
                     currentResource.physicalId,
                     resourceType,
-                    currentProps
+                    currentProps,
+                    { expectedRegion: this.stackRegion }
                   );
                 } catch (deleteError) {
                   const deleteMsg = deleteError instanceof Error ? deleteError.message : String(deleteError);
@@ -8535,7 +8723,8 @@ var DeployEngine = class {
                 logicalId,
                 currentResource.physicalId,
                 resourceType,
-                currentResource.properties
+                currentResource.properties,
+                { expectedRegion: this.stackRegion }
               ),
               logicalId,
               3,
@@ -8800,11 +8989,14 @@ export {
   SynthesisError,
   Synthesizer,
   TemplateParser,
+  clearBucketRegionCache,
   formatError,
   getAwsClients,
   getLogger,
   isCdkdError,
+  normalizeAwsError,
   resetAwsClients,
+  resolveBucketRegion,
   setAwsClients,
   setLogger
 };