@go-to-k/cdkd 0.9.0 → 0.11.0

package/README.md

@@ -95,7 +95,7 @@ Reproduce with `./tests/benchmark/run-benchmark.sh all`. See [tests/benchmark/RE
 ```
 1. CLI Layer
    ├── Resolve --app (CLI > CDKD_APP env > cdk.json "app")
-   ├── Resolve --state-bucket (CLI > env > cdk.json > auto: cdkd-state-{accountId}-{region})
+   ├── Resolve --state-bucket (CLI > env > cdk.json > auto: cdkd-state-{accountId}, with legacy fallback to cdkd-state-{accountId}-{region})
    └── Initialize AWS clients
 
 2. Synthesis (self-implemented, no CDK CLI dependency)
@@ -355,7 +355,7 @@ cdkd diff
 cdkd destroy
 ```
 
-That's it. cdkd reads `--app` from `cdk.json` and auto-resolves the state bucket from your AWS account ID (`cdkd-state-{accountId}-{region}`).
+That's it. cdkd reads `--app` from `cdk.json` and auto-resolves the state bucket from your AWS account ID (`cdkd-state-{accountId}`). If you bootstrapped under a previous cdkd version, the legacy region-suffixed name (`cdkd-state-{accountId}-{region}`) is still picked up automatically with a deprecation warning.
 
 ## Usage
 
@@ -547,7 +547,7 @@ s3://{state-bucket}/
 
 | Setting | CLI | cdk.json | Env var | Default |
 |---------|-----|----------|---------|---------|
-| Bucket | `--state-bucket` | `context.cdkd.stateBucket` | `CDKD_STATE_BUCKET` | `cdkd-state-{accountId}-{region}` |
+| Bucket | `--state-bucket` | `context.cdkd.stateBucket` | `CDKD_STATE_BUCKET` | `cdkd-state-{accountId}` (legacy `cdkd-state-{accountId}-{region}` is still read with a deprecation warning) |
 | Prefix | `--state-prefix` | - | - | `cdkd` |
 
 ### Multi-app isolation

package/dist/cli.js

@@ -885,6 +885,40 @@ function withErrorHandling(fn) {
     }
   };
 }
+function normalizeAwsError(err, context = {}) {
+  if (!(err instanceof Error)) {
+    return new Error(String(err));
+  }
+  const isUnknown = err.name === "Unknown" || err.message === "UnknownError";
+  if (!isUnknown)
+    return err;
+  const meta = err.$metadata;
+  const status = meta?.httpStatusCode;
+  const bucket = context.bucket ?? "<unknown bucket>";
+  const operation = context.operation ?? "operation";
+  switch (status) {
+    case 301: {
+      const responseHeaders = err.$response?.headers;
+      const region = responseHeaders?.["x-amz-bucket-region"] ?? responseHeaders?.["X-Amz-Bucket-Region"];
+      const where = region ? ` (in ${region})` : "";
+      return new Error(
+        `Bucket '${bucket}'${where} is in a different region than the client. cdkd resolves this automatically; if you see this message, please report it.`
+      );
+    }
+    case 403:
+      return new Error(
+        `Access denied to bucket '${bucket}'. Verify credentials and bucket policy.`
+      );
+    case 404:
+      return new Error(`Bucket '${bucket}' does not exist.`);
+    default: {
+      const statusStr = status !== void 0 ? `HTTP ${status}` : "unknown HTTP status";
+      return new Error(
+        `S3 error during ${operation} on '${bucket}' (${statusStr}). See CloudTrail for details.`
+      );
+    }
+  }
+}
 
 // src/cli/commands/bootstrap.ts
 init_aws_clients();
@@ -937,7 +971,10 @@ function resolveStateBucket(cliBucket) {
   const bucket = cdkdContext?.["stateBucket"];
   return typeof bucket === "string" ? bucket : void 0;
 }
-function getDefaultStateBucketName(accountId, region) {
+function getDefaultStateBucketName(accountId) {
+  return `cdkd-state-${accountId}`;
+}
+function getLegacyStateBucketName(accountId, region) {
   return `cdkd-state-${accountId}-${region}`;
 }
 async function resolveStateBucketWithDefault(cliBucket, region) {
@@ -947,13 +984,48 @@ async function resolveStateBucketWithDefault(cliBucket, region) {
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
   const { GetCallerIdentityCommand: GetCallerIdentityCommand8 } = await import("@aws-sdk/client-sts");
+  const { S3Client: S3Client10 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
   const identity = await awsClients.sts.send(new GetCallerIdentityCommand8({}));
   const accountId = identity.Account;
-  const bucketName = getDefaultStateBucketName(accountId, region);
-  logger.info(`State bucket: ${bucketName}`);
-  return bucketName;
+  const newName = getDefaultStateBucketName(accountId);
+  const legacyName = getLegacyStateBucketName(accountId, region);
+  const probe = new S3Client10({ region: "us-east-1" });
+  try {
+    if (await bucketExists(probe, newName)) {
+      logger.info(`State bucket: ${newName}`);
+      return newName;
+    }
+    if (await bucketExists(probe, legacyName)) {
+      logger.warn(
+        `Using legacy state bucket name '${legacyName}'. The default has changed to '${newName}'. Future cdkd versions will drop legacy support; consider migrating with cdkd state migrate-bucket (coming in a future release).`
+      );
+      return legacyName;
+    }
+    throw new Error(
+      `No cdkd state bucket found for account ${accountId}. Looked for '${newName}' (current default) and '${legacyName}' (legacy default). Run 'cdkd bootstrap' to create '${newName}'.`
+    );
+  } finally {
+    probe.destroy();
+  }
+}
+async function bucketExists(client, bucketName) {
+  const { HeadBucketCommand: HeadBucketCommand3 } = await import("@aws-sdk/client-s3");
+  try {
+    await client.send(new HeadBucketCommand3({ Bucket: bucketName }));
+    return true;
+  } catch (error) {
+    const err = error;
+    const status = err.$metadata?.httpStatusCode;
+    if (err.name === "NotFound" || err.name === "NoSuchBucket" || status === 404) {
+      return false;
+    }
+    if (status === 301 || status === 403) {
+      return true;
+    }
+    throw error;
+  }
 }
 
 // src/cli/commands/bootstrap.ts
@@ -981,24 +1053,24 @@ async function bootstrapCommand(options) {
     logger.info("No --state-bucket specified, resolving default bucket name...");
     const identity = await awsClients.sts.send(new GetCallerIdentityCommand({}));
     accountId = identity.Account;
-    bucketName = getDefaultStateBucketName(accountId, region);
+    bucketName = getDefaultStateBucketName(accountId);
     logger.info(`Using default state bucket: ${bucketName}`);
   }
   try {
-    let bucketExists = false;
+    let bucketExists2 = false;
     try {
       await s3Client.send(new HeadBucketCommand({ Bucket: bucketName }));
-      bucketExists = true;
+      bucketExists2 = true;
       logger.info(`Bucket ${bucketName} already exists`);
     } catch (error) {
       const err = error;
       if (err.name === "NotFound" || err.name === "NoSuchBucket") {
         logger.debug(`Bucket ${bucketName} does not exist, will create`);
       } else {
-        throw error;
+        throw normalizeAwsError(error, { bucket: bucketName, operation: "HeadBucket" });
       }
     }
-    if (bucketExists) {
+    if (bucketExists2) {
       if (!options.force) {
         logger.warn(
           `Bucket ${bucketName} already exists. Use --force to reconfigure (this will not delete existing state)`
@@ -1085,7 +1157,7 @@ State bucket: ${bucketName}`);
 function createBootstrapCommand() {
   const cmd = new Command("bootstrap").description("Bootstrap cdkd by creating required S3 bucket for state management").option(
     "--state-bucket <bucket>",
-    "Name of S3 bucket to create for state storage (default: cdkd-state-{accountId}-{region})"
+    "Name of S3 bucket to create for state storage (default: cdkd-state-{accountId})"
   ).option("--force", "Force reconfiguration of existing bucket", false).action(withErrorHandling(bootstrapCommand));
   commonOptions.forEach((opt) => cmd.addOption(opt));
   return cmd;
@@ -3197,6 +3269,7 @@ var AssetPublisher = class {
 
 // src/state/s3-state-backend.ts
 import {
+  S3Client as S3Client4,
   GetObjectCommand,
   PutObjectCommand as PutObjectCommand2,
   DeleteObjectCommand,
@@ -3210,15 +3283,44 @@ import {
 var STATE_SCHEMA_VERSION_LEGACY = 1;
 var STATE_SCHEMA_VERSION_CURRENT = 2;
 
+// src/utils/aws-region-resolver.ts
+import { GetBucketLocationCommand, S3Client as S3Client3 } from "@aws-sdk/client-s3";
+var cache = /* @__PURE__ */ new Map();
+async function resolveBucketRegion(bucketName, opts = {}) {
+  const cached = cache.get(bucketName);
+  if (cached)
+    return cached;
+  const promise = (async () => {
+    const client = new S3Client3({
+      region: "us-east-1",
+      ...opts.profile && { profile: opts.profile },
+      ...opts.credentials && { credentials: opts.credentials }
+    });
+    try {
+      const response = await client.send(new GetBucketLocationCommand({ Bucket: bucketName }));
+      return response.LocationConstraint || "us-east-1";
+    } catch {
+      return opts.fallbackRegion ?? "us-east-1";
+    } finally {
+      client.destroy();
+    }
+  })();
+  cache.set(bucketName, promise);
+  return promise;
+}
+
 // src/state/s3-state-backend.ts
 var LEGACY_KEY_DEPTH = 2;
 var NEW_KEY_DEPTH = 3;
 var S3StateBackend = class {
-  constructor(s3Client, config) {
+  constructor(s3Client, config, clientOpts = {}) {
     this.s3Client = s3Client;
     this.config = config;
+    this.clientOpts = clientOpts;
   }
   logger = getLogger().child("S3StateBackend");
+  clientResolved = false;
+  resolveInFlight = null;
   /**
    * Get the new (region-scoped) S3 key for a stack's state file.
    */
@@ -3232,13 +3334,73 @@ var S3StateBackend = class {
   getLegacyStateKey(stackName) {
     return `${this.config.prefix}/${stackName}/state.json`;
   }
+  /**
+   * Resolve the state bucket's actual region and, if it differs from the
+   * client's currently-configured region, replace the S3Client with one
+   * pointed at the bucket's region.
+   *
+   * This is idempotent: subsequent calls return immediately. Concurrent
+   * callers (e.g. when several public methods race during a parallel deploy)
+   * share a single in-flight resolution promise so we never issue more than
+   * one `GetBucketLocation` per backend.
+   *
+   * Errors from `GetBucketLocation` are deliberately swallowed by
+   * `resolveBucketRegion` — the resolver returns `fallbackRegion` so the
+   * caller can surface the more actionable downstream error (e.g. the
+   * `HeadBucket` 404 routed via `normalizeAwsError`).
+   */
+  async ensureClientForBucket() {
+    if (this.clientResolved)
+      return;
+    if (this.resolveInFlight)
+      return this.resolveInFlight;
+    this.resolveInFlight = (async () => {
+      try {
+        const currentRegion = await this.s3Client.config.region();
+        const fallbackRegion = typeof currentRegion === "string" ? currentRegion : void 0;
+        const bucketRegion = await resolveBucketRegion(this.config.bucket, {
+          ...this.clientOpts.profile && { profile: this.clientOpts.profile },
+          ...this.clientOpts.credentials && { credentials: this.clientOpts.credentials },
+          ...fallbackRegion && { fallbackRegion }
+        });
+        if (bucketRegion !== currentRegion) {
+          this.logger.debug(
+            `State bucket '${this.config.bucket}' is in '${bucketRegion}' (client was '${currentRegion}'); rebuilding S3 client.`
+          );
+          const oldClient = this.s3Client;
+          this.s3Client = new S3Client4({
+            region: bucketRegion,
+            ...this.clientOpts.profile && { profile: this.clientOpts.profile },
+            ...this.clientOpts.credentials && { credentials: this.clientOpts.credentials },
+            // Suppress "Are you using a Stream of unknown length" warning,
+            // matching the suppression in AwsClients.
+            logger: { debug: () => {
+            }, info: () => {
+            }, warn: () => {
+            }, error: () => {
+            } }
+          });
+          oldClient.destroy();
+        }
+        this.clientResolved = true;
+      } finally {
+        this.resolveInFlight = null;
+      }
+    })();
+    return this.resolveInFlight;
+  }
   /**
    * Verify that the configured state bucket exists.
    *
    * Called early in deploy/destroy to fail fast before expensive work
    * (asset publishing, Docker builds) runs against a missing bucket.
+   *
+   * Errors are routed through {@link normalizeAwsError} so the AWS SDK v3
+   * synthetic `UnknownError` (e.g. cross-region HEAD) becomes a concrete
+   * "Bucket does not exist" / "Access denied" / "different region" message.
    */
   async verifyBucketExists() {
+    await this.ensureClientForBucket();
     try {
       await this.s3Client.send(new HeadBucketCommand2({ Bucket: this.config.bucket }));
     } catch (error) {
@@ -3248,9 +3410,13 @@ var S3StateBackend = class {
           `State bucket '${this.config.bucket}' does not exist. Run 'cdkd bootstrap' to create it, or specify an existing bucket via --state-bucket, CDKD_STATE_BUCKET, or cdk.json context.cdkd.stateBucket.`
         );
       }
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "HeadBucket"
+      });
       throw new StateError(
-        `Failed to verify state bucket '${this.config.bucket}': ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to verify state bucket '${this.config.bucket}': ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -3263,6 +3429,7 @@ var S3StateBackend = class {
    * state without forcing a write-through migration first.
    */
   async stateExists(stackName, region) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     if (await this.headObject(newKey)) {
       return true;
@@ -3285,6 +3452,7 @@ var S3StateBackend = class {
    * preserve the quotes — they are required for `IfMatch` conditions.
    */
   async getState(stackName, region) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     try {
       this.logger.debug(`Getting state for stack: ${stackName} (${region})`);
@@ -3344,6 +3512,7 @@ var S3StateBackend = class {
    * @returns New ETag (with quotes, e.g., `"abc123"`)
    */
   async saveState(stackName, region, state, options = {}) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     const { expectedEtag, migrateLegacy } = options;
     const body = {
@@ -3399,9 +3568,13 @@ var S3StateBackend = class {
           `State has been modified by another process. Expected ETag: ${expectedEtag}, but state has changed.`
         );
       }
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "PutObject"
+      });
       throw new StateError(
-        `Failed to save state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to save state for stack '${stackName}' (${region}): ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -3413,6 +3586,7 @@ var S3StateBackend = class {
    * field is left alone.
    */
   async deleteState(stackName, region) {
+    await this.ensureClientForBucket();
     try {
       this.logger.debug(`Deleting state: ${stackName} (${region})`);
       await this.s3Client.send(
@@ -3432,9 +3606,13 @@ var S3StateBackend = class {
       }
       this.logger.debug(`State deleted: ${stackName} (${region})`);
     } catch (error) {
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "DeleteObject"
+      });
       throw new StateError(
-        `Failed to delete state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to delete state for stack '${stackName}' (${region}): ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -3453,6 +3631,7 @@ var S3StateBackend = class {
    * shows up exactly once.
    */
   async listStacks() {
+    await this.ensureClientForBucket();
     try {
       this.logger.debug("Listing all stacks");
       const prefix = `${this.config.prefix}/`;
@@ -3503,10 +3682,11 @@ var S3StateBackend = class {
       this.logger.debug(`Found ${refs.length} stack(s) across regions`);
       return refs;
     } catch (error) {
-      throw new StateError(
-        `Failed to list stacks: ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
-      );
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "ListObjectsV2"
+      });
+      throw new StateError(`Failed to list stacks: ${normalized.message}`, normalized);
     }
   }
   /**
@@ -6804,7 +6984,7 @@ Error: ${err.message || "Unknown error"}`,
 import { InvokeCommand } from "@aws-sdk/client-lambda";
 import { PublishCommand } from "@aws-sdk/client-sns";
 import {
-  S3Client as S3Client5,
+  S3Client as S3Client6,
   PutObjectCommand as PutObjectCommand4,
   GetObjectCommand as GetObjectCommand3,
   DeleteObjectCommand as DeleteObjectCommand3
@@ -6873,7 +7053,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
   setResponseBucket(bucket, bucketRegion) {
     this.responseBucket = bucket;
     if (bucketRegion) {
-      this.s3Client = new S3Client5(bucketRegion ? { region: bucketRegion } : {});
+      this.s3Client = new S3Client6(bucketRegion ? { region: bucketRegion } : {});
     }
   }
   /**
@@ -25798,7 +25978,7 @@ var CodeBuildProvider = class {
     const tags = properties["Tags"];
     const envVars = environment?.["EnvironmentVariables"];
     const cfnCache = properties["Cache"];
-    const cache = cfnCache ? {
+    const cache2 = cfnCache ? {
       type: cfnCache["Type"],
       location: cfnCache["Location"],
       modes: cfnCache["Modes"]
@@ -25885,7 +26065,7 @@ var CodeBuildProvider = class {
       timeoutInMinutes: properties["TimeoutInMinutes"],
       queuedTimeoutInMinutes: properties["QueuedTimeoutInMinutes"],
       encryptionKey: properties["EncryptionKey"],
-      cache,
+      cache: cache2,
       vpcConfig,
       logsConfig,
       concurrentBuildLimit: properties["ConcurrentBuildLimit"],
@@ -28429,10 +28609,17 @@ async function deployCommand(stacks, options) {
     ...options.profile && { profile: options.profile }
   });
   setAwsClients(awsClients);
-  const preflightStateBackend = new S3StateBackend(awsClients.s3, {
-    bucket: stateBucket,
-    prefix: options.statePrefix
-  });
+  const preflightStateBackend = new S3StateBackend(
+    awsClients.s3,
+    {
+      bucket: stateBucket,
+      prefix: options.statePrefix
+    },
+    {
+      region,
+      ...options.profile && { profile: options.profile }
+    }
+  );
   await preflightStateBackend.verifyBucketExists();
   let deployInterrupted = false;
   const topLevelSigintHandler = () => {
@@ -28583,7 +28770,10 @@ Deploying stack: ${stackInfo.stackName}${stackRegion !== baseRegion ? ` (region:
             region: baseRegion,
             ...options.profile && { profile: options.profile }
           });
-          const stackStateBackend = new S3StateBackend(stateS3Client.s3, stateConfig);
+          const stackStateBackend = new S3StateBackend(stateS3Client.s3, stateConfig, {
+            region: baseRegion,
+            ...options.profile && { profile: options.profile }
+          });
           const stackLockManager = new LockManager(stateS3Client.s3, stateConfig);
           const stackProviderRegistry = new ProviderRegistry();
           registerAllProviders(stackProviderRegistry);
@@ -28764,7 +28954,10 @@ async function diffCommand(stacks, options) {
       bucket: stateBucket,
       prefix: options.statePrefix
     };
-    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      region,
+      ...options.profile && { profile: options.profile }
+    });
     const diffCalculator = new DiffCalculator();
     const intrinsicResolver = new IntrinsicFunctionResolver(region);
     for (const stackInfo of targetStacks) {
@@ -28884,7 +29077,10 @@ async function destroyCommand(stackArgs, options) {
       bucket: stateBucket,
       prefix: options.statePrefix
     };
-    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile }
+    });
     await stateBackend.verifyBucketExists();
     const lockManager = new LockManager(awsClients.s3, stateConfig);
     const dagBuilder = new DagBuilder();
@@ -29333,7 +29529,10 @@ async function setupStateBackend(options) {
   const bucket = await resolveStateBucketWithDefault(options.stateBucket, region);
   const prefix = options.statePrefix;
   const stateConfig = { bucket, prefix };
-  const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+  const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+    region,
+    ...options.profile && { profile: options.profile }
+  });
   const lockManager = new LockManager(awsClients.s3, stateConfig);
   await stateBackend.verifyBucketExists();
   return {
@@ -29737,7 +29936,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command10();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.9.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.11.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());