npm - @go-to-k/cdkd - Versions diffs - 0.99.0 → 0.99.1 - Mend

@go-to-k/cdkd 0.99.0 → 0.99.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.js +143 -20
package/dist/cli.js.map +1 -1
package/dist/go-to-k-cdkd-0.99.1.tgz +0 -0
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.99.0.tgz +0 -0

package/dist/cli.js CHANGED Viewed

@@ -4217,23 +4217,83 @@ var S3BucketPolicyProvider = class {
 	/**
 	* Adopt an existing S3 bucket policy into cdkd state.
 	*
-	* **Explicit override only.** An `S3::BucketPolicy` is a policy document
-	* attached to a bucket via `PutBucketPolicy` — it has no standalone
-	* identity and is not independently taggable. There is no `aws:cdk:path`
-	* tag to look up by; only the bucket itself is taggable.
+	* The operational identifier for an `S3::BucketPolicy` is the **bucket
+	* name** — every AWS SDK call (`PutBucketPolicy` / `GetBucketPolicy` /
+	* `DeleteBucketPolicy`) takes the bucket name via the `Bucket`
+	* parameter, and cdkd's `create()` records `properties.Bucket` as the
+	* resource's `physicalId` so subsequent `update()` / `delete()` /
+	* `readCurrentState()` calls hit the right bucket. A `BucketPolicy`
+	* has no standalone identity, no taggable ARN, and no `aws:cdk:path`
+	* lookup — only the bucket itself is taggable.
+	*
+	* Resolution order (closes [#356](https://github.com/go-to-k/cdkd/issues/356)):
+	*
+	* 1. **`knownPhysicalId` if it matches an S3 bucket name shape.**
+	*    Preserves the `cdkd import --resource <logicalId>=<bucketName>`
+	*    path that has always worked.
+	* 2. **`properties.Bucket` if it is a literal bucket name.** Closes
+	*    the `--migrate-from-cloudformation` case: AWS CloudFormation's
+	*    `DescribeStackResources` returns the CFn-generated policy NAME
+	*    for `AWS::S3::BucketPolicy` (e.g.
+	*    `MyStack-MyBucketPolicy-XXXXXXXXXX`), which is NOT a valid S3
+	*    bucket name. The first time cdkd touches the imported state with
+	*    that name, `readCurrentState` → `GetBucketPolicy` rejects it.
+	* 3. **Hard error** when neither path resolves a bucket name. This
+	*    covers (a) `--migrate-from-cloudformation` against a CFn stack
+	*    whose template carries `Bucket: {Ref: <MyBucket>}` (the typical
+	*    CDK shape) when the referenced bucket is NOT in the importable
+	*    set (or hasn't been imported yet in the current run), and (b)
+	*    explicit `--resource <logicalId>=<non-bucket-name>` typos.
+	*    Pointing the user at `--resource <logicalId>=<bucketName>` is
+	*    the recovery path that always works.
 	*
-	* Users adopting an existing bucket policy should pass
-	* `--resource <logicalId>=<bucketName>` (matching the physical id
-	* format returned by `create()`).
+	* Intrinsic-valued `Bucket` (e.g. `{Ref: <MyBucket>}`) falls into
+	* branch 3 here even when the referenced sibling has been imported in
+	* the same run — `import()` is called BEFORE
+	* `resolveImportedProperties` runs the synth template's Properties
+	* through the intrinsic resolver, so the raw intrinsic object is what
+	* we see. The recovery message names `--resource` as the explicit
+	* escape hatch.
 	*/
 	async import(input) {
-		if (input.knownPhysicalId) return {
+		if (input.knownPhysicalId && isS3BucketName(input.knownPhysicalId)) return {
 			physicalId: input.knownPhysicalId,
 			attributes: {}
 		};
-		return null;
+		const bucket = input.properties["Bucket"];
+		if (typeof bucket === "string" && isS3BucketName(bucket)) return {
+			physicalId: bucket,
+			attributes: {}
+		};
+		const knownNote = input.knownPhysicalId ? ` Got knownPhysicalId='${input.knownPhysicalId}' (not a valid S3 bucket name; CloudFormation returns the policy resource NAME for AWS::S3::BucketPolicy, which is not the operational identifier).` : "";
+		const bucketNote = bucket !== void 0 ? ` Properties.Bucket=${JSON.stringify(bucket)} did not resolve to a literal bucket name (intrinsic-valued entries like {Ref: <Bucket>} are not resolved at import time).` : " Properties.Bucket is missing.";
+		throw new Error(`Cannot determine bucket name for ${input.resourceType} '${input.logicalId}'.${knownNote}${bucketNote} Re-run with --resource ${input.logicalId}=<bucketName> (e.g. my-bucket-12345) to point cdkd at the bucket this policy is attached to.`);
 	}
 };
+/**
+* Recognize an S3 bucket name. AWS rules
+* (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html):
+*   - 3-63 characters
+*   - lowercase letters, digits, hyphens, and dots
+*   - must start and end with a letter or digit
+*   - no consecutive dots
+*   - no `xn--` prefix (reserved for IDN bucket names)
+*   - no `-s3alias` suffix (reserved for S3 Access Point aliases)
+*   - no `--ol-s3` suffix (reserved for S3 on Outposts)
+*
+* A practical pattern that excludes the obvious CFn-generated names like
+* `MyStack-MyBucketPolicy-XXXXXXXXXX` (which contain uppercase letters
+* and exceed 63 chars in common cases) while accepting every normal CDK
+* auto-generated and user-declared bucket name.
+*/
+function isS3BucketName(value) {
+	if (value.length < 3 || value.length > 63) return false;
+	if (!/^[a-z0-9][a-z0-9.-]*[a-z0-9]$/.test(value)) return false;
+	if (value.includes("..")) return false;
+	if (value.startsWith("xn--")) return false;
+	if (value.endsWith("-s3alias") || value.endsWith("--ol-s3")) return false;
+	return true;
+}
 //#endregion
 //#region src/provisioning/providers/sqs-queue-provider.ts
@@ -5593,22 +5653,60 @@ var SNSTopicPolicyProvider = class {
 	/**
 	* Adopt an existing SNS topic policy into cdkd state.
 	*
-	* **Explicit override only.** A `TopicPolicy` is an attachment to one or
-	* more SNS topics applied via `SetTopicAttributes(AttributeName=Policy)` —
-	* it has no standalone identity and is not independently taggable. There
-	* is no `aws:cdk:path` tag to look up by, and the policy has no name/ARN
-	* of its own.
+	* The operational identifier for a `TopicPolicy` is the **comma-joined
+	* list of SNS topic ARNs** the policy is attached to — every AWS SDK
+	* call (`SetTopicAttributes` / `GetTopicAttributes`) takes a topic ARN
+	* via the `TopicArn` parameter, and cdkd's `create()` records
+	* `topics.join(',')` as the resource's `physicalId` so subsequent
+	* `update()` / `delete()` / `readCurrentState()` calls hit the right
+	* topic(s). A `TopicPolicy` has no standalone identity, no taggable
+	* ARN, and no `aws:cdk:path` lookup — only the parent topics are
+	* taggable.
+	*
+	* Resolution order (closes [#356](https://github.com/go-to-k/cdkd/issues/356)):
+	*
+	* 1. **`knownPhysicalId` if it is a comma-joined list of SNS topic ARNs.**
+	*    Preserves the `cdkd import --resource <logicalId>=<topic-arns>`
+	*    path that has always worked.
+	* 2. **`properties.Topics.join(',')` if every entry is a literal topic
+	*    ARN.** Closes the `--migrate-from-cloudformation` case: AWS
+	*    CloudFormation's `DescribeStackResources` returns the CFn-generated
+	*    policy NAME for `AWS::SNS::TopicPolicy` (e.g.
+	*    `MyStack-MyTopicPolicy-XXXXXXXXXX`), which is NOT a valid topic
+	*    ARN. The first time cdkd touches the imported state with that
+	*    name, `readCurrentState` → `GetTopicAttributes` rejects it.
+	* 3. **Hard error** when neither path resolves a topic-ARN list. This
+	*    covers (a) `--migrate-from-cloudformation` against a CFn stack
+	*    whose template carries `Topics: [{Ref: <MyTopic>}]` (the typical
+	*    CDK shape) when the referenced topic is NOT in the importable
+	*    set (or hasn't been imported yet in the current run), and (b)
+	*    explicit `--resource <logicalId>=<non-arn>` typos. Pointing the
+	*    user at `--resource <logicalId>=<topic-arns>` is the recovery
+	*    path that always works.
 	*
-	* Users adopting an existing topic policy should pass
-	* `--resource <logicalId>=<comma-joined-topic-ARNs>` (matching the
-	* physical id format returned by `create()`).
+	* Intrinsic-valued `Topics` entries (e.g. `{Ref: <MyTopic>}`) fall into
+	* branch 3 here even when the referenced sibling has been imported in
+	* the same run — `import()` is called BEFORE
+	* `resolveImportedProperties` runs the synth template's Properties
+	* through the intrinsic resolver, so the raw intrinsic object is what
+	* we see. The recovery message names `--resource` as the explicit
+	* escape hatch.
 	*/
 	async import(input) {
-		if (input.knownPhysicalId) return {
+		if (input.knownPhysicalId && isSnsTopicArnList(input.knownPhysicalId)) return {
 			physicalId: input.knownPhysicalId,
 			attributes: {}
 		};
-		return null;
+		const topics = input.properties["Topics"];
+		if (Array.isArray(topics) && topics.length > 0) {
+			if (topics.every((t) => typeof t === "string" && isSnsTopicArn(t))) return {
+				physicalId: topics.join(","),
+				attributes: {}
+			};
+		}
+		const knownNote = input.knownPhysicalId ? ` Got knownPhysicalId='${input.knownPhysicalId}' (not a comma-joined list of SNS topic ARNs; CloudFormation returns the policy resource NAME for AWS::SNS::TopicPolicy, which is not the operational identifier).` : "";
+		const topicsNote = Array.isArray(topics) && topics.length > 0 ? ` Properties.Topics=${JSON.stringify(topics)} did not resolve to a list of literal topic ARNs (intrinsic-valued entries like {Ref: <Topic>} are not resolved at import time).` : " Properties.Topics is missing or empty.";
+		throw new Error(`Cannot determine topic ARNs for ${input.resourceType} '${input.logicalId}'.${knownNote}${topicsNote} Re-run with --resource ${input.logicalId}=<comma-joined-topic-ARNs> (e.g. arn:aws:sns:${input.region}:<account>:<topic-name>) to point cdkd at the topic(s) this policy is attached to.`);
 	}
 	/**
 	* Set the policy on a single SNS topic
@@ -5621,6 +5719,31 @@ var SNSTopicPolicyProvider = class {
 		}));
 	}
 };
+/**
+* Recognize a single SNS topic ARN. AWS standard form is
+* `arn:<partition>:sns:<region>:<account>:<name>`; FIFO topics end in
+* `.fifo`. Accepts every partition (`aws` / `aws-cn` / `aws-us-gov` /
+* `aws-iso` / etc.) via the broader `arn:<partition>:sns:` prefix shape.
+*/
+function isSnsTopicArn(value) {
+	return /^arn:[a-z0-9-]+:sns:[a-z0-9-]+:\d{12}:[\w.-]+$/.test(value);
+}
+/**
+* Recognize a comma-joined list of SNS topic ARNs. cdkd's `create()`
+* records `topics.join(',')` as the `physicalId`, so a single ARN
+* (`arn:aws:sns:us-east-1:123456789012:my-topic`) is also accepted.
+* Every comma-separated segment must be a valid SNS topic ARN — a CFn
+* generated name like `MyStack-MyTopicPolicy-XXX` is correctly rejected
+* because it does not match the ARN prefix, and a partially-valid
+* mixture (one literal ARN + one CFn name) is also rejected so we fall
+* back to the properties-based resolution rather than baking a half-bad
+* list into state.
+*/
+function isSnsTopicArnList(value) {
+	const segments = value.split(",");
+	if (segments.length === 0) return false;
+	return segments.every((s) => isSnsTopicArn(s));
+}
 //#endregion
 //#region src/provisioning/providers/lambda-function-provider.ts
@@ -42424,7 +42547,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.98.2");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.99.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());