npm - @go-to-k/cdkd - Versions diffs - 0.94.5 → 0.94.6 - Mend

@go-to-k/cdkd 0.94.5 → 0.94.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +1 -0
package/dist/cli.js +62 -3
package/dist/cli.js.map +3 -3
package/dist/go-to-k-cdkd-0.94.6.tgz +0 -0
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.94.5.tgz +0 -0

package/README.md CHANGED Viewed

@@ -27,6 +27,7 @@ Drop-in CDK CLI for existing CDK apps — faster deploys via AWS SDK instead of
 - **`--no-wait` for async resources**: Skip the multi-minute wait on CloudFront / RDS / ElastiCache / NAT Gateway and return as soon as the create call returns (CloudFormation always blocks)
 - **VPC route DependsOn relaxation (on by default)**: Drop CDK-injected defensive `DependsOn` edges from VPC Lambdas onto private-subnet routes so `CloudFront::Distribution` and `Lambda::Url` start their ~3-min propagation in parallel with NAT Gateway stabilization (~50% faster on VPC + Lambda + CloudFront stacks). Pass `--no-aggressive-vpc-parallel` to opt out.
 - **Local execution without deploying** (`cdkd local invoke` / `cdkd local start-api` / `cdkd local run-task`): run any Lambda — stand up every API Gateway route as a local HTTP server — or start every container in an `AWS::ECS::TaskDefinition` on a per-task docker network with the AWS-published metadata-endpoints sidecar. SAM-compatible mental model but reuses cdkd's synthesis / asset / route-discovery (no `template.yaml` round-trip). All AWS Lambda runtimes (Node.js / Python / Ruby / Java / .NET / `provided.*`) and one server per discovered API (HTTP API v2 / REST v1 / Function URL) with their own port / authorizers / CORS configs. `local run-task` is Phase 1 (single task, DependsOn ordering, IAM task-role via AssumeRole) — ECS Services / ALB routing / Service Connect are Phase 2 / Phase 3 follow-ups. `cdkd local run-task --from-state` substitutes intrinsic-valued container `Environment[].Value` (`Ref` / `Fn::GetAtt` / `Fn::Sub` / `Fn::Join`) and `Secrets[].ValueFrom` against the deployed cdkd state — `table.tableName` / `ecs.Secret.fromSecretsManager(secret)` / `ecs.Secret.fromSsmParameter(param)` Just Work locally instead of silently dropping.
+- **Bidirectional CloudFormation migration**: `cdkd import` adopts AWS-deployed resources (including `cdk deploy`-managed CloudFormation stacks via `--migrate-from-cloudformation`) into cdkd state without re-creating them; `cdkd export` hands a cdkd-managed stack back to CloudFormation when you're ready to move to production. See [Importing existing resources](#importing-existing-resources) and [Exporting a stack back to CloudFormation](#exporting-a-stack-back-to-cloudformation).
 > **Note**: Resource types not covered by either SDK Providers or Cloud Control API cannot be deployed with cdkd. If you encounter an unsupported resource type, deployment will fail with a clear error message.

package/dist/cli.js CHANGED Viewed

@@ -80145,7 +80145,17 @@ function readStringProperty(properties, key, resourceType) {
   return v;
 }
 var IMPORT_UNSUPPORTED_RECREATABLE_TYPES = /* @__PURE__ */ new Set([
-  "AWS::ApiGatewayV2::Stage"
+  // AWS::ApiGatewayV2::Stage — `handlers: []`. HttpApi auto-emits `$default`.
+  "AWS::ApiGatewayV2::Stage",
+  // AWS::IAM::Policy — `handlers: ['create', 'delete', 'update']` (no `read`/
+  // `list`). Inline policies attached to roles / users / groups don't have a
+  // first-class AWS resource id, so CFn IMPORT can't look them up. cdkd's
+  // own IAMPolicyProvider issues `iam:PutRolePolicy` / `PutUserPolicy` /
+  // `PutGroupPolicy` per attachment target; CFn phase-2 CREATE uses the
+  // exact same APIs, so pre-delete + phase-2-CREATE round-trips cleanly.
+  // CDK auto-emits this type for L2 grants (ECS Task Execution Role
+  // ECR pull policy, Lambda execution role inline policies, etc.).
+  "AWS::IAM::Policy"
 ]);
 var PRE_DELETE_HANDLERS = {
   "AWS::ApiGatewayV2::Stage": async (entry) => {
@@ -80165,6 +80175,55 @@ var PRE_DELETE_HANDLERS = {
       }
       throw err;
     }
+  },
+  "AWS::IAM::Policy": async (entry) => {
+    const {
+      IAMClient: IAMClient6,
+      DeleteRolePolicyCommand: DeleteRolePolicyCommand3,
+      DeleteUserPolicyCommand: DeleteUserPolicyCommand3,
+      DeleteGroupPolicyCommand: DeleteGroupPolicyCommand3,
+      NoSuchEntityException: NoSuchEntityException5
+    } = await import("@aws-sdk/client-iam");
+    const policyName = entry.physicalId.includes(":") ? entry.physicalId.split(":")[0] : entry.physicalId;
+    if (!policyName) {
+      throw new Error(
+        `cdkd state's physicalId for ${entry.logicalId} (${entry.resourceType}) is empty / invalid`
+      );
+    }
+    const roles = entry.properties["Roles"];
+    const users = entry.properties["Users"];
+    const groups = entry.properties["Groups"];
+    const hasAttachment = (roles?.length ?? 0) + (users?.length ?? 0) + (groups?.length ?? 0) > 0;
+    if (!hasAttachment) {
+      throw new Error(
+        `cdkd state's properties for ${entry.logicalId} (${entry.resourceType}) has no Roles/Users/Groups attachment recorded \u2014 cannot pre-delete the inline policy. State may be from a pre-v0.74 cdkd binary; re-run \`cdkd state refresh-observed\` before export.`
+      );
+    }
+    const client = new IAMClient6({});
+    const deleteSafely = async (op) => {
+      try {
+        await op();
+      } catch (err) {
+        if (err instanceof NoSuchEntityException5)
+          return;
+        throw err;
+      }
+    };
+    for (const roleName of roles ?? []) {
+      await deleteSafely(
+        () => client.send(new DeleteRolePolicyCommand3({ RoleName: roleName, PolicyName: policyName }))
+      );
+    }
+    for (const userName of users ?? []) {
+      await deleteSafely(
+        () => client.send(new DeleteUserPolicyCommand3({ UserName: userName, PolicyName: policyName }))
+      );
+    }
+    for (const groupName of groups ?? []) {
+      await deleteSafely(
+        () => client.send(new DeleteGroupPolicyCommand3({ GroupName: groupName, PolicyName: policyName }))
+      );
+    }
   }
 };
 async function exportCommand(stackArg, options) {
@@ -80322,7 +80381,7 @@ async function exportCommand(stackArg, options) {
           logger.info(`  ${r.logicalId} (${r.resourceType}) \u2014 physicalId: ${r.physicalId}`);
         }
         logger.info(
-          "  Brief unavailability window (~10s for Stage; HttpApi endpoint URL is unchanged because it embeds ApiId, not StageName). Pass --no-recreate-import-unsupported to block instead."
+          "  Brief unavailability window per type (~10s for Stage; HttpApi endpoint URL is unchanged because it embeds ApiId, not StageName. IAM::Policy: the inline policy attachment is dropped from each Role/User/Group between phases \u2014 any in-flight AWS API call that depends on the granted permission will fail until CFn re-CREATEs in phase 2). Pass --no-recreate-import-unsupported to block instead."
         );
         logger.info("");
       }
@@ -81181,7 +81240,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command18();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.94.5");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.94.6");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());