npm - @go-to-k/cdkd - Versions diffs - 0.94.3 → 0.94.6 - Mend

@go-to-k/cdkd 0.94.3 → 0.94.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +3 -0
package/dist/cli.js +76 -12
package/dist/cli.js.map +3 -3
package/dist/go-to-k-cdkd-0.94.6.tgz +0 -0
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.94.3.tgz +0 -0

package/README.md CHANGED Viewed

@@ -8,6 +8,8 @@ Drop-in CDK CLI for existing CDK apps — faster deploys via AWS SDK instead of
 ![cdkd demo](https://github.com/user-attachments/assets/0128730d-186d-4bd3-abea-aabc80ba4dd5)
+**cdkd complements the AWS CDK CLI rather than replacing it.** Use cdkd in dev/test for rapid iteration and SAM-style local execution; use the AWS CDK CLI in production for full CloudFormation tooling. Bidirectional migration is supported — [import an existing CloudFormation stack](#importing-existing-resources) into cdkd for iteration, or [export back to CloudFormation](#exporting-a-stack-back-to-cloudformation) when ready for production.
 > **⚠️ WARNING: NOT PRODUCTION READY**
 >
 > An experimental project exploring direct SDK provisioning as an alternative to the AWS CDK CLI — **NOT a replacement** and **NOT suitable for production use**. Features are incomplete, APIs may change without notice, and bugs may affect your AWS infrastructure. Use at your own risk in development / testing environments only.
@@ -25,6 +27,7 @@ Drop-in CDK CLI for existing CDK apps — faster deploys via AWS SDK instead of
 - **`--no-wait` for async resources**: Skip the multi-minute wait on CloudFront / RDS / ElastiCache / NAT Gateway and return as soon as the create call returns (CloudFormation always blocks)
 - **VPC route DependsOn relaxation (on by default)**: Drop CDK-injected defensive `DependsOn` edges from VPC Lambdas onto private-subnet routes so `CloudFront::Distribution` and `Lambda::Url` start their ~3-min propagation in parallel with NAT Gateway stabilization (~50% faster on VPC + Lambda + CloudFront stacks). Pass `--no-aggressive-vpc-parallel` to opt out.
 - **Local execution without deploying** (`cdkd local invoke` / `cdkd local start-api` / `cdkd local run-task`): run any Lambda — stand up every API Gateway route as a local HTTP server — or start every container in an `AWS::ECS::TaskDefinition` on a per-task docker network with the AWS-published metadata-endpoints sidecar. SAM-compatible mental model but reuses cdkd's synthesis / asset / route-discovery (no `template.yaml` round-trip). All AWS Lambda runtimes (Node.js / Python / Ruby / Java / .NET / `provided.*`) and one server per discovered API (HTTP API v2 / REST v1 / Function URL) with their own port / authorizers / CORS configs. `local run-task` is Phase 1 (single task, DependsOn ordering, IAM task-role via AssumeRole) — ECS Services / ALB routing / Service Connect are Phase 2 / Phase 3 follow-ups. `cdkd local run-task --from-state` substitutes intrinsic-valued container `Environment[].Value` (`Ref` / `Fn::GetAtt` / `Fn::Sub` / `Fn::Join`) and `Secrets[].ValueFrom` against the deployed cdkd state — `table.tableName` / `ecs.Secret.fromSecretsManager(secret)` / `ecs.Secret.fromSsmParameter(param)` Just Work locally instead of silently dropping.
+- **Bidirectional CloudFormation migration**: `cdkd import` adopts AWS-deployed resources (including `cdk deploy`-managed CloudFormation stacks via `--migrate-from-cloudformation`) into cdkd state without re-creating them; `cdkd export` hands a cdkd-managed stack back to CloudFormation when you're ready to move to production. See [Importing existing resources](#importing-existing-resources) and [Exporting a stack back to CloudFormation](#exporting-a-stack-back-to-cloudformation).
 > **Note**: Resource types not covered by either SDK Providers or Cloud Control API cannot be deployed with cdkd. If you encounter an unsupported resource type, deployment will fail with a clear error message.

package/dist/cli.js CHANGED Viewed

@@ -80145,7 +80145,17 @@ function readStringProperty(properties, key, resourceType) {
   return v;
 }
 var IMPORT_UNSUPPORTED_RECREATABLE_TYPES = /* @__PURE__ */ new Set([
-  "AWS::ApiGatewayV2::Stage"
+  // AWS::ApiGatewayV2::Stage — `handlers: []`. HttpApi auto-emits `$default`.
+  "AWS::ApiGatewayV2::Stage",
+  // AWS::IAM::Policy — `handlers: ['create', 'delete', 'update']` (no `read`/
+  // `list`). Inline policies attached to roles / users / groups don't have a
+  // first-class AWS resource id, so CFn IMPORT can't look them up. cdkd's
+  // own IAMPolicyProvider issues `iam:PutRolePolicy` / `PutUserPolicy` /
+  // `PutGroupPolicy` per attachment target; CFn phase-2 CREATE uses the
+  // exact same APIs, so pre-delete + phase-2-CREATE round-trips cleanly.
+  // CDK auto-emits this type for L2 grants (ECS Task Execution Role
+  // ECR pull policy, Lambda execution role inline policies, etc.).
+  "AWS::IAM::Policy"
 ]);
 var PRE_DELETE_HANDLERS = {
   "AWS::ApiGatewayV2::Stage": async (entry) => {
@@ -80165,6 +80175,55 @@ var PRE_DELETE_HANDLERS = {
       }
       throw err;
     }
+  },
+  "AWS::IAM::Policy": async (entry) => {
+    const {
+      IAMClient: IAMClient6,
+      DeleteRolePolicyCommand: DeleteRolePolicyCommand3,
+      DeleteUserPolicyCommand: DeleteUserPolicyCommand3,
+      DeleteGroupPolicyCommand: DeleteGroupPolicyCommand3,
+      NoSuchEntityException: NoSuchEntityException5
+    } = await import("@aws-sdk/client-iam");
+    const policyName = entry.physicalId.includes(":") ? entry.physicalId.split(":")[0] : entry.physicalId;
+    if (!policyName) {
+      throw new Error(
+        `cdkd state's physicalId for ${entry.logicalId} (${entry.resourceType}) is empty / invalid`
+      );
+    }
+    const roles = entry.properties["Roles"];
+    const users = entry.properties["Users"];
+    const groups = entry.properties["Groups"];
+    const hasAttachment = (roles?.length ?? 0) + (users?.length ?? 0) + (groups?.length ?? 0) > 0;
+    if (!hasAttachment) {
+      throw new Error(
+        `cdkd state's properties for ${entry.logicalId} (${entry.resourceType}) has no Roles/Users/Groups attachment recorded \u2014 cannot pre-delete the inline policy. State may be from a pre-v0.74 cdkd binary; re-run \`cdkd state refresh-observed\` before export.`
+      );
+    }
+    const client = new IAMClient6({});
+    const deleteSafely = async (op) => {
+      try {
+        await op();
+      } catch (err) {
+        if (err instanceof NoSuchEntityException5)
+          return;
+        throw err;
+      }
+    };
+    for (const roleName of roles ?? []) {
+      await deleteSafely(
+        () => client.send(new DeleteRolePolicyCommand3({ RoleName: roleName, PolicyName: policyName }))
+      );
+    }
+    for (const userName of users ?? []) {
+      await deleteSafely(
+        () => client.send(new DeleteUserPolicyCommand3({ UserName: userName, PolicyName: policyName }))
+      );
+    }
+    for (const groupName of groups ?? []) {
+      await deleteSafely(
+        () => client.send(new DeleteGroupPolicyCommand3({ GroupName: groupName, PolicyName: policyName }))
+      );
+    }
   }
 };
 async function exportCommand(stackArg, options) {
@@ -80297,15 +80356,6 @@ async function exportCommand(stackArg, options) {
           `${blocked.length} resource(s) block migration. Either destroy them first (cdkd destroy / cdkd state destroy cherry-picked), or remove them from the CDK app and re-synthesize.`
         );
       }
-      if (phase2Creates.length > 0 && !options.includeNonImportable) {
-        logger.error("The following resources cannot be imported into CloudFormation:");
-        for (const p of phase2Creates) {
-          logger.error(`  - ${p.logicalId} (${p.resourceType}): CFn cannot import this type`);
-        }
-        throw new Error(
-          `${phase2Creates.length} non-importable resource(s) detected (Custom::*). Pass --include-non-importable to run a 2-phase migration: phase 1 imports the importable resources; phase 2 CFn-CREATEs the non-importable ones (re-invoking each Custom Resource's backing Lambda onCreate handler \u2014 make sure those are idempotent). Or destroy these resources first.`
-        );
-      }
       if (phase1Imports.length === 0 && phase2Creates.length === 0 && recreateBeforePhase2.length === 0) {
         logger.warn("No resources to migrate \u2014 cdkd state is empty.");
         return;
@@ -80331,14 +80381,28 @@ async function exportCommand(stackArg, options) {
           logger.info(`  ${r.logicalId} (${r.resourceType}) \u2014 physicalId: ${r.physicalId}`);
         }
         logger.info(
-          "  Brief unavailability window (~10s for Stage; HttpApi endpoint URL is unchanged because it embeds ApiId, not StageName). Pass --no-recreate-import-unsupported to block instead."
+          "  Brief unavailability window per type (~10s for Stage; HttpApi endpoint URL is unchanged because it embeds ApiId, not StageName. IAM::Policy: the inline policy attachment is dropped from each Role/User/Group between phases \u2014 any in-flight AWS API call that depends on the granted permission will fail until CFn re-CREATEs in phase 2). Pass --no-recreate-import-unsupported to block instead."
         );
         logger.info("");
       }
       if (options.dryRun) {
+        if (phase2Creates.length > 0 && !options.includeNonImportable) {
+          logger.warn(
+            `${phase2Creates.length} non-importable resource(s) detected (Custom::*). A real run (without --dry-run) would require --include-non-importable to run a 2-phase migration: phase 1 imports the importable resources; phase 2 CFn-CREATEs the non-importable ones (re-invoking each Custom Resource's backing Lambda onCreate handler \u2014 make sure those are idempotent).`
+          );
+        }
         logger.info("--dry-run: no CloudFormation changeset will be created.");
         return;
       }
+      if (phase2Creates.length > 0 && !options.includeNonImportable) {
+        logger.error("The following resources cannot be imported into CloudFormation:");
+        for (const p of phase2Creates) {
+          logger.error(`  - ${p.logicalId} (${p.resourceType}): CFn cannot import this type`);
+        }
+        throw new Error(
+          `${phase2Creates.length} non-importable resource(s) detected (Custom::*). Pass --include-non-importable to run a 2-phase migration: phase 1 imports the importable resources; phase 2 CFn-CREATEs the non-importable ones (re-invoking each Custom Resource's backing Lambda onCreate handler \u2014 make sure those are idempotent). Or destroy these resources first.`
+        );
+      }
       if (!options.yes) {
         const phase2Note = phase2Creates.length > 0 ? ` Phase 2 will then CREATE ${phase2Creates.length} non-importable resource(s) (invoking each Custom Resource's onCreate handler).` : "";
         const recreateNote = recreateBeforePhase2.length > 0 ? ` cdkd will also DELETE ${recreateBeforePhase2.length} AWS resource(s) between phases so CFn can re-CREATE them in phase 2 (brief unavailability window \u2014 see plan above for the affected resources).` : "";
@@ -81176,7 +81240,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command18();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.94.3");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.94.6");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());