@go-to-k/cdkd 0.94.9 → 0.94.11

package/dist/{deploy-engine-Cg4l-zyr.js → deploy-engine-627W8bPG.js}

@@ -7698,7 +7698,7 @@ var IAMRoleProvider = class {
 	*
 	* Returns `undefined` when the role is gone (`NoSuchEntityException`).
 	*/
-	async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
+	async readCurrentState(physicalId, _logicalId, _resourceType, properties, context) {
 		let role;
 		try {
 			role = (await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }))).Role;
@@ -7735,8 +7735,10 @@ var IAMRoleProvider = class {
 				if (!listResp.IsTruncated) break;
 				policyMarker = listResp.Marker;
 			}
+			const managedByOtherResource = collectInlinePolicyNamesManagedBySiblings(physicalId, context, "Roles");
+			const filteredNames = policyNames.filter((n) => !managedByOtherResource.has(n));
 			const bodies = /* @__PURE__ */ new Map();
-			await Promise.all(policyNames.map(async (name) => {
+			await Promise.all(filteredNames.map(async (name) => {
 				const resp = await this.iamClient.send(new GetRolePolicyCommand({
 					RoleName: physicalId,
 					PolicyName: name
@@ -7839,6 +7841,49 @@ var IAMRoleProvider = class {
 		return null;
 	}
 };
+/**
+* Issue #323: build the set of inline-policy names that are managed by
+* a sibling `AWS::IAM::Policy` resource in the same stack via the given
+* attachment field (`Roles` / `Users` / `Groups`). cdkd's IAM Role /
+* User / Group `readCurrentState` helpers exclude these from
+* `ListRolePolicies` / `ListUserPolicies` / `ListGroupPolicies` output
+* to avoid false drift — the inline policy is faithfully managed by
+* the sibling `AWS::IAM::Policy` resource, not the role/user/group
+* itself. The CDK patterns that produce this shape are pervasive:
+* `role.addToPolicy(...)`, `taskRole.addToPolicy(...)`,
+* `bucket.grantRead(role)`, `ContainerImage.fromEcrRepository(repo)`'s
+* execution-role grant, every L2-construct's auto-emitted `Default
+* Policy*`.
+*
+* @param targetPhysicalId  The physicalId of the role/user/group being
+*                          read (matches values in the sibling's
+*                          `Properties.Roles` / `Users` / `Groups`).
+* @param context           Cross-resource context (may be `undefined`
+*                          for callers that don't supply it — e.g.
+*                          deploy-time observed-capture before state
+*                          is complete; the filter then no-ops which
+*                          is safe because the sibling's
+*                          `PutRolePolicy` hasn't fired yet at that
+*                          point).
+* @param attachmentField   Which sibling field to inspect: `'Roles'`,
+*                          `'Users'`, or `'Groups'`.
+* @returns Set of `PolicyName` values to exclude. Empty when no
+*          sibling matches OR when context is undefined.
+*/
+function collectInlinePolicyNamesManagedBySiblings(targetPhysicalId, context, attachmentField) {
+	const result = /* @__PURE__ */ new Set();
+	const siblings = context?.siblings;
+	if (!siblings) return result;
+	for (const sibling of Object.values(siblings)) {
+		if (sibling.resourceType !== "AWS::IAM::Policy") continue;
+		const attachments = sibling.properties[attachmentField];
+		if (!Array.isArray(attachments)) continue;
+		if (!attachments.some((a) => a === targetPhysicalId)) continue;
+		const name = sibling.properties["PolicyName"];
+		if (typeof name === "string") result.add(name);
+	}
+	return result;
+}
 
 //#endregion
 //#region src/deployment/dag-executor.ts
@@ -8266,10 +8311,10 @@ var DeployEngine = class {
 	* the merge step, which is fine: drift falls back to comparing
 	* against `properties`.
 	*/
-	kickOffObservedCapture(provider, logicalId, physicalId, resourceType, resolvedProps) {
+	kickOffObservedCapture(provider, logicalId, physicalId, resourceType, resolvedProps, context) {
 		if (this.options.captureObservedState !== true) return;
 		if (!provider.readCurrentState) return;
-		const promise = provider.readCurrentState(physicalId, logicalId, resourceType, resolvedProps).catch((err) => {
+		const promise = provider.readCurrentState(physicalId, logicalId, resourceType, resolvedProps, context).catch((err) => {
 			this.logger.debug(`observedProperties capture for ${logicalId} (${resourceType}) failed: ${err instanceof Error ? err.message : String(err)} — drift will fall back to template properties for this resource until the next successful deploy.`);
 		});
 		this.observedCaptureTasks.set(logicalId, promise);
@@ -8332,6 +8377,11 @@ var DeployEngine = class {
 			});
 		}
 		if (candidates.length === 0) return;
+		const allSiblings = {};
+		for (const [lid, res] of Object.entries(stateResources)) allSiblings[lid] = {
+			resourceType: res.resourceType,
+			properties: res.properties ?? {}
+		};
 		for (const { logicalId, resource } of candidates) {
 			let provider;
 			try {
@@ -8340,7 +8390,9 @@ var DeployEngine = class {
 				continue;
 			}
 			if (!provider.readCurrentState) continue;
-			this.kickOffObservedCapture(provider, logicalId, resource.physicalId, resource.resourceType, resource.properties ?? {});
+			const siblings = { ...allSiblings };
+			delete siblings[logicalId];
+			this.kickOffObservedCapture(provider, logicalId, resource.physicalId, resource.resourceType, resource.properties ?? {}, { siblings });
 			toRefresh++;
 		}
 		if (toRefresh > 0) this.logger.warn(`cdkd state schema upgrade detected — refreshing observed-properties baseline for ${toRefresh} resource(s) (one-time, runs in parallel with deploy)`);
@@ -9179,5 +9231,5 @@ var DeployEngine = class {
 };
 
 //#endregion
-export { normalizeAwsError as $, resolveSkipPrefix as A, DependencyError as B, WorkGraph as C, getLegacyStateBucketName as D, getDefaultStateBucketName as E, clearBucketRegionCache as F, ResourceTimeoutError as G, LockError as H, resolveBucketRegion as I, StackTerminationProtectionError as J, ResourceUpdateNotSupportedError as K, AssetError as L, resolveStateBucketWithDefaultAndSource as M, warnDeprecatedNoPrefixCliFlag as N, resolveApp as O, AssemblyReader as P, isCdkdError as Q, CdkdError as R, stringifyValue as S, Synthesizer as T, PartialFailureError as U, LocalInvokeBuildError as V, ProvisioningError as W, SynthesisError as X, StateError as Y, formatError as Z, DagBuilder as _, withRetry as a, getLiveRenderer as at, S3StateBackend as b, CDK_PATH_TAG as c, generateResourceName as ct, resolveExplicitPhysicalId as d, withStackName as dt, withErrorHandling as et, ProviderRegistry as f, DiffCalculator as g, IntrinsicFunctionResolver as h, withResourceDeadline as i, runStackBuffered as it, resolveStateBucketWithDefault as j, resolveCaptureObservedState as k, matchesCdkPath as l, generateResourceNameWithFallback as lt, assertRegionMatch as m, DEFAULT_RESOURCE_WARN_AFTER_MS as n, getLogger as nt, IMPLICIT_DELETE_DEPENDENCIES as o, PATTERN_B_NAME_PROPERTIES as ot, CloudControlProvider as p, RouteDiscoveryError as q, DeployEngine as r, setLogger as rt, IAMRoleProvider as s, PATTERN_B_RESOURCE_TYPES as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, ConsoleLogger as tt, normalizeAwsTagsToCfn as u, withSkipPrefix as ut, TemplateParser as v, buildDockerImage as w, AssetPublisher as x, LockManager as y, ConfigError as z };
-//# sourceMappingURL=deploy-engine-Cg4l-zyr.js.map
+export { isCdkdError as $, resolveCaptureObservedState as A, ConfigError as B, stringifyValue as C, getDefaultStateBucketName as D, Synthesizer as E, AssemblyReader as F, ProvisioningError as G, LocalInvokeBuildError as H, clearBucketRegionCache as I, RouteDiscoveryError as J, ResourceTimeoutError as K, resolveBucketRegion as L, resolveStateBucketWithDefault as M, resolveStateBucketWithDefaultAndSource as N, getLegacyStateBucketName as O, warnDeprecatedNoPrefixCliFlag as P, formatError as Q, AssetError as R, AssetPublisher as S, buildDockerImage as T, LockError as U, DependencyError as V, PartialFailureError as W, StateError as X, StackTerminationProtectionError as Y, SynthesisError as Z, DiffCalculator as _, withRetry as a, runStackBuffered as at, LockManager as b, collectInlinePolicyNamesManagedBySiblings as c, PATTERN_B_RESOURCE_TYPES as ct, normalizeAwsTagsToCfn as d, withSkipPrefix as dt, normalizeAwsError as et, resolveExplicitPhysicalId as f, withStackName as ft, IntrinsicFunctionResolver as g, assertRegionMatch as h, withResourceDeadline as i, setLogger as it, resolveSkipPrefix as j, resolveApp as k, CDK_PATH_TAG as l, generateResourceName as lt, CloudControlProvider as m, DEFAULT_RESOURCE_WARN_AFTER_MS as n, ConsoleLogger as nt, IMPLICIT_DELETE_DEPENDENCIES as o, getLiveRenderer as ot, ProviderRegistry as p, ResourceUpdateNotSupportedError as q, DeployEngine as r, getLogger as rt, IAMRoleProvider as s, PATTERN_B_NAME_PROPERTIES as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, withErrorHandling as tt, matchesCdkPath as u, generateResourceNameWithFallback as ut, DagBuilder as v, WorkGraph as w, S3StateBackend as x, TemplateParser as y, CdkdError as z };
+//# sourceMappingURL=deploy-engine-627W8bPG.js.map