@go-to-k/cdkd 0.9.0 → 0.10.0

package/dist/cli.js

@@ -885,6 +885,40 @@ function withErrorHandling(fn) {
     }
   };
 }
+function normalizeAwsError(err, context = {}) {
+  if (!(err instanceof Error)) {
+    return new Error(String(err));
+  }
+  const isUnknown = err.name === "Unknown" || err.message === "UnknownError";
+  if (!isUnknown)
+    return err;
+  const meta = err.$metadata;
+  const status = meta?.httpStatusCode;
+  const bucket = context.bucket ?? "<unknown bucket>";
+  const operation = context.operation ?? "operation";
+  switch (status) {
+    case 301: {
+      const responseHeaders = err.$response?.headers;
+      const region = responseHeaders?.["x-amz-bucket-region"] ?? responseHeaders?.["X-Amz-Bucket-Region"];
+      const where = region ? ` (in ${region})` : "";
+      return new Error(
+        `Bucket '${bucket}'${where} is in a different region than the client. cdkd resolves this automatically; if you see this message, please report it.`
+      );
+    }
+    case 403:
+      return new Error(
+        `Access denied to bucket '${bucket}'. Verify credentials and bucket policy.`
+      );
+    case 404:
+      return new Error(`Bucket '${bucket}' does not exist.`);
+    default: {
+      const statusStr = status !== void 0 ? `HTTP ${status}` : "unknown HTTP status";
+      return new Error(
+        `S3 error during ${operation} on '${bucket}' (${statusStr}). See CloudTrail for details.`
+      );
+    }
+  }
+}
 
 // src/cli/commands/bootstrap.ts
 init_aws_clients();
@@ -995,7 +1029,7 @@ async function bootstrapCommand(options) {
       if (err.name === "NotFound" || err.name === "NoSuchBucket") {
         logger.debug(`Bucket ${bucketName} does not exist, will create`);
       } else {
-        throw error;
+        throw normalizeAwsError(error, { bucket: bucketName, operation: "HeadBucket" });
       }
     }
     if (bucketExists) {
@@ -3197,6 +3231,7 @@ var AssetPublisher = class {
 
 // src/state/s3-state-backend.ts
 import {
+  S3Client as S3Client4,
   GetObjectCommand,
   PutObjectCommand as PutObjectCommand2,
   DeleteObjectCommand,
@@ -3210,15 +3245,44 @@ import {
 var STATE_SCHEMA_VERSION_LEGACY = 1;
 var STATE_SCHEMA_VERSION_CURRENT = 2;
 
+// src/utils/aws-region-resolver.ts
+import { GetBucketLocationCommand, S3Client as S3Client3 } from "@aws-sdk/client-s3";
+var cache = /* @__PURE__ */ new Map();
+async function resolveBucketRegion(bucketName, opts = {}) {
+  const cached = cache.get(bucketName);
+  if (cached)
+    return cached;
+  const promise = (async () => {
+    const client = new S3Client3({
+      region: "us-east-1",
+      ...opts.profile && { profile: opts.profile },
+      ...opts.credentials && { credentials: opts.credentials }
+    });
+    try {
+      const response = await client.send(new GetBucketLocationCommand({ Bucket: bucketName }));
+      return response.LocationConstraint || "us-east-1";
+    } catch {
+      return opts.fallbackRegion ?? "us-east-1";
+    } finally {
+      client.destroy();
+    }
+  })();
+  cache.set(bucketName, promise);
+  return promise;
+}
+
 // src/state/s3-state-backend.ts
 var LEGACY_KEY_DEPTH = 2;
 var NEW_KEY_DEPTH = 3;
 var S3StateBackend = class {
-  constructor(s3Client, config) {
+  constructor(s3Client, config, clientOpts = {}) {
     this.s3Client = s3Client;
     this.config = config;
+    this.clientOpts = clientOpts;
   }
   logger = getLogger().child("S3StateBackend");
+  clientResolved = false;
+  resolveInFlight = null;
   /**
    * Get the new (region-scoped) S3 key for a stack's state file.
    */
@@ -3232,13 +3296,73 @@ var S3StateBackend = class {
   getLegacyStateKey(stackName) {
     return `${this.config.prefix}/${stackName}/state.json`;
   }
+  /**
+   * Resolve the state bucket's actual region and, if it differs from the
+   * client's currently-configured region, replace the S3Client with one
+   * pointed at the bucket's region.
+   *
+   * This is idempotent: subsequent calls return immediately. Concurrent
+   * callers (e.g. when several public methods race during a parallel deploy)
+   * share a single in-flight resolution promise so we never issue more than
+   * one `GetBucketLocation` per backend.
+   *
+   * Errors from `GetBucketLocation` are deliberately swallowed by
+   * `resolveBucketRegion` — the resolver returns `fallbackRegion` so the
+   * caller can surface the more actionable downstream error (e.g. the
+   * `HeadBucket` 404 routed via `normalizeAwsError`).
+   */
+  async ensureClientForBucket() {
+    if (this.clientResolved)
+      return;
+    if (this.resolveInFlight)
+      return this.resolveInFlight;
+    this.resolveInFlight = (async () => {
+      try {
+        const currentRegion = await this.s3Client.config.region();
+        const fallbackRegion = typeof currentRegion === "string" ? currentRegion : void 0;
+        const bucketRegion = await resolveBucketRegion(this.config.bucket, {
+          ...this.clientOpts.profile && { profile: this.clientOpts.profile },
+          ...this.clientOpts.credentials && { credentials: this.clientOpts.credentials },
+          ...fallbackRegion && { fallbackRegion }
+        });
+        if (bucketRegion !== currentRegion) {
+          this.logger.debug(
+            `State bucket '${this.config.bucket}' is in '${bucketRegion}' (client was '${currentRegion}'); rebuilding S3 client.`
+          );
+          const oldClient = this.s3Client;
+          this.s3Client = new S3Client4({
+            region: bucketRegion,
+            ...this.clientOpts.profile && { profile: this.clientOpts.profile },
+            ...this.clientOpts.credentials && { credentials: this.clientOpts.credentials },
+            // Suppress "Are you using a Stream of unknown length" warning,
+            // matching the suppression in AwsClients.
+            logger: { debug: () => {
+            }, info: () => {
+            }, warn: () => {
+            }, error: () => {
+            } }
+          });
+          oldClient.destroy();
+        }
+        this.clientResolved = true;
+      } finally {
+        this.resolveInFlight = null;
+      }
+    })();
+    return this.resolveInFlight;
+  }
   /**
    * Verify that the configured state bucket exists.
    *
    * Called early in deploy/destroy to fail fast before expensive work
    * (asset publishing, Docker builds) runs against a missing bucket.
+   *
+   * Errors are routed through {@link normalizeAwsError} so the AWS SDK v3
+   * synthetic `UnknownError` (e.g. cross-region HEAD) becomes a concrete
+   * "Bucket does not exist" / "Access denied" / "different region" message.
    */
   async verifyBucketExists() {
+    await this.ensureClientForBucket();
     try {
       await this.s3Client.send(new HeadBucketCommand2({ Bucket: this.config.bucket }));
     } catch (error) {
@@ -3248,9 +3372,13 @@ var S3StateBackend = class {
           `State bucket '${this.config.bucket}' does not exist. Run 'cdkd bootstrap' to create it, or specify an existing bucket via --state-bucket, CDKD_STATE_BUCKET, or cdk.json context.cdkd.stateBucket.`
         );
       }
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "HeadBucket"
+      });
       throw new StateError(
-        `Failed to verify state bucket '${this.config.bucket}': ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to verify state bucket '${this.config.bucket}': ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -3263,6 +3391,7 @@ var S3StateBackend = class {
    * state without forcing a write-through migration first.
    */
   async stateExists(stackName, region) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     if (await this.headObject(newKey)) {
       return true;
@@ -3285,6 +3414,7 @@ var S3StateBackend = class {
    * preserve the quotes — they are required for `IfMatch` conditions.
    */
   async getState(stackName, region) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     try {
       this.logger.debug(`Getting state for stack: ${stackName} (${region})`);
@@ -3344,6 +3474,7 @@ var S3StateBackend = class {
    * @returns New ETag (with quotes, e.g., `"abc123"`)
    */
   async saveState(stackName, region, state, options = {}) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     const { expectedEtag, migrateLegacy } = options;
     const body = {
@@ -3399,9 +3530,13 @@ var S3StateBackend = class {
           `State has been modified by another process. Expected ETag: ${expectedEtag}, but state has changed.`
         );
       }
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "PutObject"
+      });
       throw new StateError(
-        `Failed to save state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to save state for stack '${stackName}' (${region}): ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -3413,6 +3548,7 @@ var S3StateBackend = class {
    * field is left alone.
    */
   async deleteState(stackName, region) {
+    await this.ensureClientForBucket();
     try {
       this.logger.debug(`Deleting state: ${stackName} (${region})`);
       await this.s3Client.send(
@@ -3432,9 +3568,13 @@ var S3StateBackend = class {
       }
       this.logger.debug(`State deleted: ${stackName} (${region})`);
     } catch (error) {
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "DeleteObject"
+      });
       throw new StateError(
-        `Failed to delete state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to delete state for stack '${stackName}' (${region}): ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -3453,6 +3593,7 @@ var S3StateBackend = class {
    * shows up exactly once.
    */
   async listStacks() {
+    await this.ensureClientForBucket();
     try {
       this.logger.debug("Listing all stacks");
       const prefix = `${this.config.prefix}/`;
@@ -3503,10 +3644,11 @@ var S3StateBackend = class {
       this.logger.debug(`Found ${refs.length} stack(s) across regions`);
       return refs;
     } catch (error) {
-      throw new StateError(
-        `Failed to list stacks: ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
-      );
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "ListObjectsV2"
+      });
+      throw new StateError(`Failed to list stacks: ${normalized.message}`, normalized);
     }
   }
   /**
@@ -6804,7 +6946,7 @@ Error: ${err.message || "Unknown error"}`,
 import { InvokeCommand } from "@aws-sdk/client-lambda";
 import { PublishCommand } from "@aws-sdk/client-sns";
 import {
-  S3Client as S3Client5,
+  S3Client as S3Client6,
   PutObjectCommand as PutObjectCommand4,
   GetObjectCommand as GetObjectCommand3,
   DeleteObjectCommand as DeleteObjectCommand3
@@ -6873,7 +7015,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
   setResponseBucket(bucket, bucketRegion) {
     this.responseBucket = bucket;
     if (bucketRegion) {
-      this.s3Client = new S3Client5(bucketRegion ? { region: bucketRegion } : {});
+      this.s3Client = new S3Client6(bucketRegion ? { region: bucketRegion } : {});
     }
   }
   /**
@@ -25798,7 +25940,7 @@ var CodeBuildProvider = class {
     const tags = properties["Tags"];
     const envVars = environment?.["EnvironmentVariables"];
     const cfnCache = properties["Cache"];
-    const cache = cfnCache ? {
+    const cache2 = cfnCache ? {
       type: cfnCache["Type"],
       location: cfnCache["Location"],
       modes: cfnCache["Modes"]
@@ -25885,7 +26027,7 @@ var CodeBuildProvider = class {
       timeoutInMinutes: properties["TimeoutInMinutes"],
       queuedTimeoutInMinutes: properties["QueuedTimeoutInMinutes"],
       encryptionKey: properties["EncryptionKey"],
-      cache,
+      cache: cache2,
       vpcConfig,
       logsConfig,
       concurrentBuildLimit: properties["ConcurrentBuildLimit"],
@@ -28429,10 +28571,17 @@ async function deployCommand(stacks, options) {
     ...options.profile && { profile: options.profile }
   });
   setAwsClients(awsClients);
-  const preflightStateBackend = new S3StateBackend(awsClients.s3, {
-    bucket: stateBucket,
-    prefix: options.statePrefix
-  });
+  const preflightStateBackend = new S3StateBackend(
+    awsClients.s3,
+    {
+      bucket: stateBucket,
+      prefix: options.statePrefix
+    },
+    {
+      region,
+      ...options.profile && { profile: options.profile }
+    }
+  );
   await preflightStateBackend.verifyBucketExists();
   let deployInterrupted = false;
   const topLevelSigintHandler = () => {
@@ -28583,7 +28732,10 @@ Deploying stack: ${stackInfo.stackName}${stackRegion !== baseRegion ? ` (region:
             region: baseRegion,
             ...options.profile && { profile: options.profile }
           });
-          const stackStateBackend = new S3StateBackend(stateS3Client.s3, stateConfig);
+          const stackStateBackend = new S3StateBackend(stateS3Client.s3, stateConfig, {
+            region: baseRegion,
+            ...options.profile && { profile: options.profile }
+          });
           const stackLockManager = new LockManager(stateS3Client.s3, stateConfig);
           const stackProviderRegistry = new ProviderRegistry();
           registerAllProviders(stackProviderRegistry);
@@ -28764,7 +28916,10 @@ async function diffCommand(stacks, options) {
       bucket: stateBucket,
       prefix: options.statePrefix
     };
-    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      region,
+      ...options.profile && { profile: options.profile }
+    });
     const diffCalculator = new DiffCalculator();
     const intrinsicResolver = new IntrinsicFunctionResolver(region);
     for (const stackInfo of targetStacks) {
@@ -28884,7 +29039,10 @@ async function destroyCommand(stackArgs, options) {
       bucket: stateBucket,
       prefix: options.statePrefix
     };
-    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile }
+    });
     await stateBackend.verifyBucketExists();
     const lockManager = new LockManager(awsClients.s3, stateConfig);
     const dagBuilder = new DagBuilder();
@@ -29333,7 +29491,10 @@ async function setupStateBackend(options) {
   const bucket = await resolveStateBucketWithDefault(options.stateBucket, region);
   const prefix = options.statePrefix;
   const stateConfig = { bucket, prefix };
-  const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+  const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+    region,
+    ...options.profile && { profile: options.profile }
+  });
   const lockManager = new LockManager(awsClients.s3, stateConfig);
   await stateBackend.verifyBucketExists();
   return {
@@ -29737,7 +29898,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command10();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.9.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.10.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());