@go-to-k/cdkd 0.94.11 → 0.94.13

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { A as resolveCaptureObservedState, C as stringifyValue, D as getDefaultStateBucketName, E as Synthesizer, F as AssemblyReader, G as ProvisioningError, H as LocalInvokeBuildError, J as RouteDiscoveryError, K as ResourceTimeoutError, L as resolveBucketRegion, M as resolveStateBucketWithDefault, N as resolveStateBucketWithDefaultAndSource, O as getLegacyStateBucketName, P as warnDeprecatedNoPrefixCliFlag, S as AssetPublisher, T as buildDockerImage, W as PartialFailureError, Y as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as runStackBuffered, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as PATTERN_B_RESOURCE_TYPES, d as normalizeAwsTagsToCfn, dt as withSkipPrefix, et as normalizeAwsError, f as resolveExplicitPhysicalId, ft as withStackName, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveSkipPrefix, k as resolveApp, l as CDK_PATH_TAG, lt as generateResourceName, m as CloudControlProvider, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, ot as getLiveRenderer, p as ProviderRegistry, q as ResourceUpdateNotSupportedError, r as DeployEngine, rt as getLogger, s as IAMRoleProvider, st as PATTERN_B_NAME_PROPERTIES, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as withErrorHandling, u as matchesCdkPath, ut as generateResourceNameWithFallback, v as DagBuilder, w as WorkGraph, x as S3StateBackend, y as TemplateParser, z as CdkdError } from "./deploy-engine-627W8bPG.js";
+import { A as resolveCaptureObservedState, C as stringifyValue, D as getDefaultStateBucketName, E as Synthesizer, F as AssemblyReader, G as ProvisioningError, H as LocalInvokeBuildError, J as RouteDiscoveryError, K as ResourceTimeoutError, L as resolveBucketRegion, M as resolveStateBucketWithDefault, N as resolveStateBucketWithDefaultAndSource, O as getLegacyStateBucketName, P as warnDeprecatedNoPrefixCliFlag, S as AssetPublisher, T as buildDockerImage, W as PartialFailureError, Y as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as runStackBuffered, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as PATTERN_B_RESOURCE_TYPES, d as normalizeAwsTagsToCfn, dt as withSkipPrefix, et as normalizeAwsError, f as resolveExplicitPhysicalId, ft as withStackName, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveSkipPrefix, k as resolveApp, l as CDK_PATH_TAG, lt as generateResourceName, m as CloudControlProvider, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, ot as getLiveRenderer, p as ProviderRegistry, q as ResourceUpdateNotSupportedError, r as DeployEngine, rt as getLogger, s as IAMRoleProvider, st as PATTERN_B_NAME_PROPERTIES, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as withErrorHandling, u as matchesCdkPath, ut as generateResourceNameWithFallback, v as DagBuilder, w as WorkGraph, x as S3StateBackend, y as TemplateParser, z as CdkdError } from "./deploy-engine-SarGY6-L.js";
 import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -31567,6 +31567,7 @@ async function importCommand(stackArg, options) {
 				}
 			}
 			const stackState = buildStackState(stackInfo.stackName, targetRegion, rows, templateParser, template, existingState, selectiveMode);
+			await resolveImportedProperties(stackState, template, targetRegion, stateBackend, logger);
 			await captureObservedForImportedResources(stackState, providerRegistry, logger);
 			const saveOptions = {};
 			if (existingEtag) saveOptions.expectedEtag = existingEtag;
@@ -31791,6 +31792,81 @@ function buildStackState(stackName, region, rows, templateParser, template, exis
 		lastModified: Date.now()
 	};
 }
+/**
+* Walk every resource in `stackState.resources` and overwrite its
+* `properties` with the result of running the synth template's raw
+* Properties through `IntrinsicFunctionResolver` against the assembled
+* state map.
+*
+* Closes issue #328. `cdkd deploy` runs the resolver against each
+* resource's Properties before calling `provider.create()` and stores
+* the resolved shape in state — this brings `cdkd import` in line so
+* the v3 schema's `properties` field consistently holds "resolved
+* template intent" (post-intrinsic substitution) across both write
+* paths. Without this, sub-resource types whose `delete()` reads
+* properties at delete time (e.g. `AWS::Lambda::Permission` whose
+* `FunctionName` is `{Fn::GetAtt: [..., 'Arn']}`) get raw intrinsic
+* objects passed to the AWS SDK and fail validation.
+*
+* The resolver is run AFTER all `provider.import()` calls finish, so by
+* the time it walks each resource every logicalId in the importable set
+* has a known `physicalId` in `stackState.resources` for Ref / GetAtt
+* to bind against.
+*
+* Edge cases:
+*   - Parameters / Conditions are resolved from the template up front
+*     (same shape the deploy engine builds for its CREATE / UPDATE
+*     intrinsic context). Resolution failures here log + leave the
+*     template's defaults untouched — the resolver itself tolerates
+*     missing parameter / condition entries.
+*   - Per-resource try/catch: if a Properties tree references a
+*     resource not in the importable set (custom resource that wasn't
+*     adopted, out-of-scope sibling in selective mode), the resolver
+*     throws `Ref <X> not found` / `Resource <X> not found for
+*     Fn::GetAtt`. We log the failure and leave the resource's
+*     original properties intact. The eventual `cdkd destroy` failure
+*     on the un-resolved props is a narrower problem than aborting the
+*     whole adoption flow.
+*
+* `existingState`'s `resources` survive the walk only when they
+* weren't re-imported in this run — selective merge preserves them as
+* already-stored, which on the v3 baseline is already resolved-shape
+* from a prior import / deploy, so re-resolving is a no-op.
+*/
+async function resolveImportedProperties(stackState, template, region, stateBackend, logger) {
+	const entries = Object.entries(stackState.resources);
+	if (entries.length === 0) return;
+	const resolver = new IntrinsicFunctionResolver(region);
+	let parameters = {};
+	let conditions = {};
+	try {
+		parameters = await resolver.resolveParameters(template);
+	} catch (err) {
+		logger.debug(`Template parameter resolution failed during import-time property resolution: ${err instanceof Error ? err.message : String(err)} — continuing without parameters; resources referencing them will be skipped per-resource.`);
+	}
+	try {
+		conditions = await resolver.evaluateConditions({
+			template,
+			resources: stackState.resources,
+			parameters
+		});
+	} catch (err) {
+		logger.debug(`Template condition evaluation failed during import-time property resolution: ${err instanceof Error ? err.message : String(err)} — continuing without conditions.`);
+	}
+	const baseContext = {
+		template,
+		resources: stackState.resources,
+		...Object.keys(parameters).length > 0 && { parameters },
+		...Object.keys(conditions).length > 0 && { conditions },
+		stateBackend,
+		stackName: stackState.stackName
+	};
+	for (const [logicalId, resource] of entries) try {
+		resource.properties = await resolver.resolve(resource.properties ?? {}, baseContext);
+	} catch (err) {
+		logger.warn(`Failed to resolve intrinsics in Properties for imported resource '${logicalId}' (${resource.resourceType}): ${err instanceof Error ? err.message : String(err)}. State will be written with the raw intrinsic shape, which may cause 'cdkd destroy' to fail on this resource — re-import once every referenced sibling is in state, or remove this resource via 'cdkd state orphan'.`);
+	}
+}
 function printSummary(rows) {
 	const logger = getLogger();
 	const counts = {
@@ -40576,9 +40652,12 @@ function readStringProperty(properties, key, resourceType) {
 * are hard-blocked instead with a clear error message.
 *
 * Verified via `aws cloudformation describe-type --type RESOURCE
-* --type-name <T> | jq .handlers` — types with `handlers: []` are
-* candidates. Currently only `AWS::ApiGatewayV2::Stage` qualifies (every
-* sibling ApiGwV2 type has `[create, delete, list, read, update]`).
+* --type-name <T> | jq .handlers` — types with `handlers: []` (or a
+* missing `read` / `list` handler that prevents CFn from looking the
+* resource up by identifier) are candidates. Currently registered:
+* `AWS::ApiGatewayV2::Stage` (no handlers at all) and `AWS::IAM::Policy`
+* (no `read` / `list` — inline policy attachments have no first-class
+* AWS resource id). See the per-entry comment for each addition.
 */
 const IMPORT_UNSUPPORTED_RECREATABLE_TYPES = new Set(["AWS::ApiGatewayV2::Stage", "AWS::IAM::Policy"]);
 const PRE_DELETE_HANDLERS = {
@@ -41692,7 +41771,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.94.10");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.94.12");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());