@go-to-k/cdkd 0.94.9 → 0.94.11

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { $ as normalizeAwsError, A as resolveSkipPrefix, C as WorkGraph, D as getLegacyStateBucketName, E as getDefaultStateBucketName, G as ResourceTimeoutError, I as resolveBucketRegion, J as StackTerminationProtectionError, K as ResourceUpdateNotSupportedError, M as resolveStateBucketWithDefaultAndSource, N as warnDeprecatedNoPrefixCliFlag, O as resolveApp, P as AssemblyReader, R as CdkdError, S as stringifyValue, T as Synthesizer, U as PartialFailureError, V as LocalInvokeBuildError, W as ProvisioningError, _ as DagBuilder, a as withRetry, at as getLiveRenderer, b as S3StateBackend, c as CDK_PATH_TAG, ct as generateResourceName, d as resolveExplicitPhysicalId, dt as withStackName, et as withErrorHandling, f as ProviderRegistry, g as DiffCalculator, h as IntrinsicFunctionResolver, i as withResourceDeadline, it as runStackBuffered, j as resolveStateBucketWithDefault, k as resolveCaptureObservedState, l as matchesCdkPath, lt as generateResourceNameWithFallback, m as assertRegionMatch, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as getLogger, o as IMPLICIT_DELETE_DEPENDENCIES, ot as PATTERN_B_NAME_PROPERTIES, p as CloudControlProvider, q as RouteDiscoveryError, r as DeployEngine, s as IAMRoleProvider, st as PATTERN_B_RESOURCE_TYPES, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as normalizeAwsTagsToCfn, ut as withSkipPrefix, v as TemplateParser, w as buildDockerImage, x as AssetPublisher, y as LockManager } from "./deploy-engine-Cg4l-zyr.js";
+import { A as resolveCaptureObservedState, C as stringifyValue, D as getDefaultStateBucketName, E as Synthesizer, F as AssemblyReader, G as ProvisioningError, H as LocalInvokeBuildError, J as RouteDiscoveryError, K as ResourceTimeoutError, L as resolveBucketRegion, M as resolveStateBucketWithDefault, N as resolveStateBucketWithDefaultAndSource, O as getLegacyStateBucketName, P as warnDeprecatedNoPrefixCliFlag, S as AssetPublisher, T as buildDockerImage, W as PartialFailureError, Y as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as runStackBuffered, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as PATTERN_B_RESOURCE_TYPES, d as normalizeAwsTagsToCfn, dt as withSkipPrefix, et as normalizeAwsError, f as resolveExplicitPhysicalId, ft as withStackName, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveSkipPrefix, k as resolveApp, l as CDK_PATH_TAG, lt as generateResourceName, m as CloudControlProvider, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, ot as getLiveRenderer, p as ProviderRegistry, q as ResourceUpdateNotSupportedError, r as DeployEngine, rt as getLogger, s as IAMRoleProvider, st as PATTERN_B_NAME_PROPERTIES, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as withErrorHandling, u as matchesCdkPath, ut as generateResourceNameWithFallback, v as DagBuilder, w as WorkGraph, x as S3StateBackend, y as TemplateParser, z as CdkdError } from "./deploy-engine-627W8bPG.js";
 import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -2055,17 +2055,17 @@ var IAMUserGroupProvider = class {
 	* Returns `undefined` when the user / group is gone
 	* (`NoSuchEntityException`).
 	*/
-	async readCurrentState(physicalId, logicalId, resourceType, properties) {
+	async readCurrentState(physicalId, logicalId, resourceType, properties, context) {
 		switch (resourceType) {
-			case "AWS::IAM::User": return this.readUserCurrentState(physicalId, properties);
-			case "AWS::IAM::Group": return this.readGroupCurrentState(physicalId, properties);
+			case "AWS::IAM::User": return this.readUserCurrentState(physicalId, properties, context);
+			case "AWS::IAM::Group": return this.readGroupCurrentState(physicalId, properties, context);
 			case "AWS::IAM::UserToGroupAddition": return;
 			default:
 				this.logger.debug(`readCurrentState: unsupported resource type ${resourceType} for ${logicalId}`);
 				return;
 		}
 	}
-	async readUserCurrentState(physicalId, properties) {
+	async readUserCurrentState(physicalId, properties, context) {
 		let user;
 		try {
 			user = (await this.iamClient.send(new GetUserCommand({ UserName: physicalId }))).User;
@@ -2089,13 +2089,13 @@ var IAMUserGroupProvider = class {
 			if (!(err instanceof NoSuchEntityException)) throw err;
 		}
 		try {
-			result["Policies"] = await this.collectInlinePolicies("user", physicalId, properties?.["Policies"] ?? []);
+			result["Policies"] = await this.collectInlinePolicies("user", physicalId, properties?.["Policies"] ?? [], context);
 		} catch (err) {
 			if (!(err instanceof NoSuchEntityException)) throw err;
 		}
 		return result;
 	}
-	async readGroupCurrentState(physicalId, properties) {
+	async readGroupCurrentState(physicalId, properties, context) {
 		let group;
 		try {
 			group = (await this.iamClient.send(new GetGroupCommand({ GroupName: physicalId }))).Group;
@@ -2113,7 +2113,7 @@ var IAMUserGroupProvider = class {
 			if (!(err instanceof NoSuchEntityException)) throw err;
 		}
 		try {
-			result["Policies"] = await this.collectInlinePolicies("group", physicalId, properties?.["Policies"] ?? []);
+			result["Policies"] = await this.collectInlinePolicies("group", physicalId, properties?.["Policies"] ?? [], context);
 		} catch (err) {
 			if (!(err instanceof NoSuchEntityException)) throw err;
 		}
@@ -2126,8 +2126,13 @@ var IAMUserGroupProvider = class {
 	* for bodies (URL-decoded + JSON-parsed) → reconcile order against
 	* `statePolicies` so a positional compare doesn't fire false drift on
 	* the lexicographic order returned by AWS.
+	*
+	* Issue #323: filters out policies whose name matches an
+	* `AWS::IAM::Policy` sibling in the same stack (via `Users`/`Groups`
+	* attachment field), so policies attached by `iam.Policy({ users: [u] })` /
+	* `groups: [g]` don't fire false drift on the User / Group itself.
 	*/
-	async collectInlinePolicies(kind, physicalId, statePolicies) {
+	async collectInlinePolicies(kind, physicalId, statePolicies, context) {
 		const policyNames = [];
 		let marker;
 		while (true) {
@@ -2142,8 +2147,10 @@ var IAMUserGroupProvider = class {
 			if (!listResp.IsTruncated) break;
 			marker = listResp.Marker;
 		}
+		const managedByOtherResource = collectInlinePolicyNamesManagedBySiblings(physicalId, context, kind === "user" ? "Users" : "Groups");
+		const filteredNames = policyNames.filter((n) => !managedByOtherResource.has(n));
 		const bodies = /* @__PURE__ */ new Map();
-		await Promise.all(policyNames.map(async (name) => {
+		await Promise.all(filteredNames.map(async (name) => {
 			const resp = kind === "user" ? await this.iamClient.send(new GetUserPolicyCommand({
 				UserName: physicalId,
 				PolicyName: name
@@ -28070,6 +28077,14 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
 		const entries = Object.entries(state.resources ?? {}).sort(([a], [b]) => a.localeCompare(b));
 		for (const [logicalId, resource] of entries) {
 			if (providerRegistry.shouldSkipResource(resource.resourceType)) continue;
+			if (resource.resourceType.startsWith("Custom::") || resource.resourceType === "AWS::CloudFormation::CustomResource") {
+				outcomes.push({
+					kind: "skipped",
+					logicalId,
+					resourceType: resource.resourceType
+				});
+				continue;
+			}
 			let provider;
 			try {
 				provider = providerRegistry.getProvider(resource.resourceType);
@@ -28082,16 +28097,8 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
 				continue;
 			}
 			let aws;
-			if (provider.readCurrentState) aws = await provider.readCurrentState(resource.physicalId, logicalId, resource.resourceType, resource.properties ?? {});
+			if (provider.readCurrentState) aws = await provider.readCurrentState(resource.physicalId, logicalId, resource.resourceType, resource.properties ?? {}, buildReadCurrentStateContext(state, logicalId));
 			else {
-				if (resource.resourceType.startsWith("Custom::")) {
-					outcomes.push({
-						kind: "unsupported",
-						logicalId,
-						resourceType: resource.resourceType
-					});
-					continue;
-				}
 				if (CC_API_FALLBACK_DENY_LIST[resource.resourceType]) {
 					outcomes.push({
 						kind: "unsupported",
@@ -28157,6 +28164,24 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
 * paths through plain objects; arrays and scalars surface as a single drift
 * entry on the parent path. So we do not need to parse `[i]` segments.
 */
+/**
+* Issue #323: build the cross-resource context passed to
+* `provider.readCurrentState` so IAM Role / User / Group readers can
+* filter out inline policies managed by a sibling `AWS::IAM::Policy`
+* resource. `excludedLogicalId` is the resource being read — it's
+* omitted from the siblings map so a self-reference can never collide.
+*/
+function buildReadCurrentStateContext(state, excludedLogicalId) {
+	const siblings = {};
+	for (const [lid, res] of Object.entries(state.resources ?? {})) {
+		if (lid === excludedLogicalId) continue;
+		siblings[lid] = {
+			resourceType: res.resourceType,
+			properties: res.properties ?? {}
+		};
+	}
+	return { siblings };
+}
 function setAtPath(target, path, value) {
 	if (path.length === 0) return;
 	const segments = path.split(".");
@@ -28448,12 +28473,17 @@ function writeJsonReport(reports) {
 			logicalId: o.logicalId,
 			type: o.resourceType
 		}));
+		const skipped = r.outcomes.filter((o) => o.kind === "skipped").map((o) => ({
+			logicalId: o.logicalId,
+			type: o.resourceType
+		}));
 		return {
 			stack: r.stackName,
 			region: r.region,
 			drifted,
 			clean,
-			notSupported
+			notSupported,
+			skipped
 		};
 	});
 	process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
@@ -28462,8 +28492,9 @@ function writeHumanReport(reports) {
 	for (const report of reports) {
 		const drifted = report.outcomes.filter((o) => o.kind === "drifted");
 		const unsupported = report.outcomes.filter((o) => o.kind === "unsupported");
-		const total = report.outcomes.length;
-		if (drifted.length === 0) process.stdout.write(`✓ ${report.stackName} (${report.region}): no drift detected (${total} resource${total === 1 ? "" : "s"} checked, ${unsupported.length} unsupported)\n`);
+		const skippedCount = report.outcomes.filter((o) => o.kind === "skipped").length;
+		const checked = report.outcomes.length - skippedCount;
+		if (drifted.length === 0) process.stdout.write(`✓ ${report.stackName} (${report.region}): no drift detected (${checked} resource${checked === 1 ? "" : "s"} checked, ${unsupported.length} unsupported)\n`);
 		else {
 			const word = drifted.length === 1 ? "resource" : "resources";
 			process.stdout.write(`\n⚠ ${report.stackName} (${report.region}): drift detected on ${drifted.length} ${word}\n\n`);
@@ -31031,7 +31062,7 @@ async function refreshObservedForStack(stackName, region, stateBackend, lockMana
 					return;
 				}
 				try {
-					const observed = await provider.readCurrentState(resource.physicalId, logicalId, resource.resourceType, resource.properties ?? {});
+					const observed = await provider.readCurrentState(resource.physicalId, logicalId, resource.resourceType, resource.properties ?? {}, buildReadCurrentStateContext(state, logicalId));
 					if (observed === void 0) {
 						unsupported++;
 						return;
@@ -31872,7 +31903,7 @@ async function captureObservedForImportedResources(stackState, providerRegistry,
 		try {
 			const provider = providerRegistry.getProvider(resource.resourceType);
 			if (!provider.readCurrentState) return;
-			const observed = await provider.readCurrentState(resource.physicalId, logicalId, resource.resourceType, resource.properties ?? {});
+			const observed = await provider.readCurrentState(resource.physicalId, logicalId, resource.resourceType, resource.properties ?? {}, buildReadCurrentStateContext(stackState, logicalId));
 			if (observed !== void 0) resource.observedProperties = observed;
 		} catch (err) {
 			logger.debug(`observedProperties capture for imported ${logicalId} (${resource.resourceType}) failed: ${err instanceof Error ? err.message : String(err)} — drift will fall back to template properties for this resource until the next successful deploy.`);
@@ -41661,7 +41692,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.94.8");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.94.10");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());