@go-to-k/cdkd 0.99.0 → 0.99.2

package/dist/cli.js

@@ -4217,23 +4217,83 @@ var S3BucketPolicyProvider = class {
 	/**
 	* Adopt an existing S3 bucket policy into cdkd state.
 	*
-	* **Explicit override only.** An `S3::BucketPolicy` is a policy document
-	* attached to a bucket via `PutBucketPolicy` — it has no standalone
-	* identity and is not independently taggable. There is no `aws:cdk:path`
-	* tag to look up by; only the bucket itself is taggable.
+	* The operational identifier for an `S3::BucketPolicy` is the **bucket
+	* name** — every AWS SDK call (`PutBucketPolicy` / `GetBucketPolicy` /
+	* `DeleteBucketPolicy`) takes the bucket name via the `Bucket`
+	* parameter, and cdkd's `create()` records `properties.Bucket` as the
+	* resource's `physicalId` so subsequent `update()` / `delete()` /
+	* `readCurrentState()` calls hit the right bucket. A `BucketPolicy`
+	* has no standalone identity, no taggable ARN, and no `aws:cdk:path`
+	* lookup — only the bucket itself is taggable.
+	*
+	* Resolution order (closes [#356](https://github.com/go-to-k/cdkd/issues/356)):
+	*
+	* 1. **`knownPhysicalId` if it matches an S3 bucket name shape.**
+	*    Preserves the `cdkd import --resource <logicalId>=<bucketName>`
+	*    path that has always worked.
+	* 2. **`properties.Bucket` if it is a literal bucket name.** Closes
+	*    the `--migrate-from-cloudformation` case: AWS CloudFormation's
+	*    `DescribeStackResources` returns the CFn-generated policy NAME
+	*    for `AWS::S3::BucketPolicy` (e.g.
+	*    `MyStack-MyBucketPolicy-XXXXXXXXXX`), which is NOT a valid S3
+	*    bucket name. The first time cdkd touches the imported state with
+	*    that name, `readCurrentState` → `GetBucketPolicy` rejects it.
+	* 3. **Hard error** when neither path resolves a bucket name. This
+	*    covers (a) `--migrate-from-cloudformation` against a CFn stack
+	*    whose template carries `Bucket: {Ref: <MyBucket>}` (the typical
+	*    CDK shape) when the referenced bucket is NOT in the importable
+	*    set (or hasn't been imported yet in the current run), and (b)
+	*    explicit `--resource <logicalId>=<non-bucket-name>` typos.
+	*    Pointing the user at `--resource <logicalId>=<bucketName>` is
+	*    the recovery path that always works.
 	*
-	* Users adopting an existing bucket policy should pass
-	* `--resource <logicalId>=<bucketName>` (matching the physical id
-	* format returned by `create()`).
+	* Intrinsic-valued `Bucket` (e.g. `{Ref: <MyBucket>}`) falls into
+	* branch 3 here even when the referenced sibling has been imported in
+	* the same run — `import()` is called BEFORE
+	* `resolveImportedProperties` runs the synth template's Properties
+	* through the intrinsic resolver, so the raw intrinsic object is what
+	* we see. The recovery message names `--resource` as the explicit
+	* escape hatch.
 	*/
 	async import(input) {
-		if (input.knownPhysicalId) return {
+		if (input.knownPhysicalId && isS3BucketName(input.knownPhysicalId)) return {
 			physicalId: input.knownPhysicalId,
 			attributes: {}
 		};
-		return null;
+		const bucket = input.properties["Bucket"];
+		if (typeof bucket === "string" && isS3BucketName(bucket)) return {
+			physicalId: bucket,
+			attributes: {}
+		};
+		const knownNote = input.knownPhysicalId ? ` Got knownPhysicalId='${input.knownPhysicalId}' (not a valid S3 bucket name; CloudFormation returns the policy resource NAME for AWS::S3::BucketPolicy, which is not the operational identifier).` : "";
+		const bucketNote = bucket !== void 0 ? ` Properties.Bucket=${JSON.stringify(bucket)} did not resolve to a literal bucket name (intrinsic-valued entries like {Ref: <Bucket>} are not resolved at import time).` : " Properties.Bucket is missing.";
+		throw new Error(`Cannot determine bucket name for ${input.resourceType} '${input.logicalId}'.${knownNote}${bucketNote} Re-run with --resource ${input.logicalId}=<bucketName> (e.g. my-bucket-12345) to point cdkd at the bucket this policy is attached to.`);
 	}
 };
+/**
+* Recognize an S3 bucket name. AWS rules
+* (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html):
+*   - 3-63 characters
+*   - lowercase letters, digits, hyphens, and dots
+*   - must start and end with a letter or digit
+*   - no consecutive dots
+*   - no `xn--` prefix (reserved for IDN bucket names)
+*   - no `-s3alias` suffix (reserved for S3 Access Point aliases)
+*   - no `--ol-s3` suffix (reserved for S3 on Outposts)
+*
+* A practical pattern that excludes the obvious CFn-generated names like
+* `MyStack-MyBucketPolicy-XXXXXXXXXX` (which contain uppercase letters
+* and exceed 63 chars in common cases) while accepting every normal CDK
+* auto-generated and user-declared bucket name.
+*/
+function isS3BucketName(value) {
+	if (value.length < 3 || value.length > 63) return false;
+	if (!/^[a-z0-9][a-z0-9.-]*[a-z0-9]$/.test(value)) return false;
+	if (value.includes("..")) return false;
+	if (value.startsWith("xn--")) return false;
+	if (value.endsWith("-s3alias") || value.endsWith("--ol-s3")) return false;
+	return true;
+}
 
 //#endregion
 //#region src/provisioning/providers/sqs-queue-provider.ts
@@ -5593,22 +5653,60 @@ var SNSTopicPolicyProvider = class {
 	/**
 	* Adopt an existing SNS topic policy into cdkd state.
 	*
-	* **Explicit override only.** A `TopicPolicy` is an attachment to one or
-	* more SNS topics applied via `SetTopicAttributes(AttributeName=Policy)` —
-	* it has no standalone identity and is not independently taggable. There
-	* is no `aws:cdk:path` tag to look up by, and the policy has no name/ARN
-	* of its own.
+	* The operational identifier for a `TopicPolicy` is the **comma-joined
+	* list of SNS topic ARNs** the policy is attached to — every AWS SDK
+	* call (`SetTopicAttributes` / `GetTopicAttributes`) takes a topic ARN
+	* via the `TopicArn` parameter, and cdkd's `create()` records
+	* `topics.join(',')` as the resource's `physicalId` so subsequent
+	* `update()` / `delete()` / `readCurrentState()` calls hit the right
+	* topic(s). A `TopicPolicy` has no standalone identity, no taggable
+	* ARN, and no `aws:cdk:path` lookup — only the parent topics are
+	* taggable.
+	*
+	* Resolution order (closes [#356](https://github.com/go-to-k/cdkd/issues/356)):
+	*
+	* 1. **`knownPhysicalId` if it is a comma-joined list of SNS topic ARNs.**
+	*    Preserves the `cdkd import --resource <logicalId>=<topic-arns>`
+	*    path that has always worked.
+	* 2. **`properties.Topics.join(',')` if every entry is a literal topic
+	*    ARN.** Closes the `--migrate-from-cloudformation` case: AWS
+	*    CloudFormation's `DescribeStackResources` returns the CFn-generated
+	*    policy NAME for `AWS::SNS::TopicPolicy` (e.g.
+	*    `MyStack-MyTopicPolicy-XXXXXXXXXX`), which is NOT a valid topic
+	*    ARN. The first time cdkd touches the imported state with that
+	*    name, `readCurrentState` → `GetTopicAttributes` rejects it.
+	* 3. **Hard error** when neither path resolves a topic-ARN list. This
+	*    covers (a) `--migrate-from-cloudformation` against a CFn stack
+	*    whose template carries `Topics: [{Ref: <MyTopic>}]` (the typical
+	*    CDK shape) when the referenced topic is NOT in the importable
+	*    set (or hasn't been imported yet in the current run), and (b)
+	*    explicit `--resource <logicalId>=<non-arn>` typos. Pointing the
+	*    user at `--resource <logicalId>=<topic-arns>` is the recovery
+	*    path that always works.
 	*
-	* Users adopting an existing topic policy should pass
-	* `--resource <logicalId>=<comma-joined-topic-ARNs>` (matching the
-	* physical id format returned by `create()`).
+	* Intrinsic-valued `Topics` entries (e.g. `{Ref: <MyTopic>}`) fall into
+	* branch 3 here even when the referenced sibling has been imported in
+	* the same run — `import()` is called BEFORE
+	* `resolveImportedProperties` runs the synth template's Properties
+	* through the intrinsic resolver, so the raw intrinsic object is what
+	* we see. The recovery message names `--resource` as the explicit
+	* escape hatch.
 	*/
 	async import(input) {
-		if (input.knownPhysicalId) return {
+		if (input.knownPhysicalId && isSnsTopicArnList(input.knownPhysicalId)) return {
 			physicalId: input.knownPhysicalId,
 			attributes: {}
 		};
-		return null;
+		const topics = input.properties["Topics"];
+		if (Array.isArray(topics) && topics.length > 0) {
+			if (topics.every((t) => typeof t === "string" && isSnsTopicArn(t))) return {
+				physicalId: topics.join(","),
+				attributes: {}
+			};
+		}
+		const knownNote = input.knownPhysicalId ? ` Got knownPhysicalId='${input.knownPhysicalId}' (not a comma-joined list of SNS topic ARNs; CloudFormation returns the policy resource NAME for AWS::SNS::TopicPolicy, which is not the operational identifier).` : "";
+		const topicsNote = Array.isArray(topics) && topics.length > 0 ? ` Properties.Topics=${JSON.stringify(topics)} did not resolve to a list of literal topic ARNs (intrinsic-valued entries like {Ref: <Topic>} are not resolved at import time).` : " Properties.Topics is missing or empty.";
+		throw new Error(`Cannot determine topic ARNs for ${input.resourceType} '${input.logicalId}'.${knownNote}${topicsNote} Re-run with --resource ${input.logicalId}=<comma-joined-topic-ARNs> (e.g. arn:aws:sns:${input.region}:<account>:<topic-name>) to point cdkd at the topic(s) this policy is attached to.`);
 	}
 	/**
 	* Set the policy on a single SNS topic
@@ -5621,6 +5719,31 @@ var SNSTopicPolicyProvider = class {
 		}));
 	}
 };
+/**
+* Recognize a single SNS topic ARN. AWS standard form is
+* `arn:<partition>:sns:<region>:<account>:<name>`; FIFO topics end in
+* `.fifo`. Accepts every partition (`aws` / `aws-cn` / `aws-us-gov` /
+* `aws-iso` / etc.) via the broader `arn:<partition>:sns:` prefix shape.
+*/
+function isSnsTopicArn(value) {
+	return /^arn:[a-z0-9-]+:sns:[a-z0-9-]+:\d{12}:[\w.-]+$/.test(value);
+}
+/**
+* Recognize a comma-joined list of SNS topic ARNs. cdkd's `create()`
+* records `topics.join(',')` as the `physicalId`, so a single ARN
+* (`arn:aws:sns:us-east-1:123456789012:my-topic`) is also accepted.
+* Every comma-separated segment must be a valid SNS topic ARN — a CFn
+* generated name like `MyStack-MyTopicPolicy-XXX` is correctly rejected
+* because it does not match the ARN prefix, and a partially-valid
+* mixture (one literal ARN + one CFn name) is also rejected so we fall
+* back to the properties-based resolution rather than baking a half-bad
+* list into state.
+*/
+function isSnsTopicArnList(value) {
+	const segments = value.split(",");
+	if (segments.length === 0) return false;
+	return segments.every((s) => isSnsTopicArn(s));
+}
 
 //#endregion
 //#region src/provisioning/providers/lambda-function-provider.ts
@@ -31999,7 +32122,8 @@ async function importCommand(stackArg, options) {
 					stackName: stackInfo.stackName,
 					region: targetRegion,
 					providerRegistry,
-					override: overrides.get(logicalId)
+					override: overrides.get(logicalId),
+					overrides
 				});
 				rows.push(outcome);
 			}
@@ -32053,9 +32177,54 @@ async function importCommand(stackArg, options) {
 		awsClients.destroy();
 	}
 }
+/**
+* Recursively substitute `{Ref: <LogicalId>}` shapes in an arbitrary value
+* tree with the matching entry from `overrides`. Used to bridge the gap
+* between CDK synth's template (which carries raw intrinsics) and what a
+* provider's `import()` needs to see at the time it's called — specifically
+* for sub-resource providers like `SQSQueuePolicyProvider` whose fallback
+* path reads `properties.<ParentKey>` as a literal operational identifier
+* (queue URL / topic ARN / bucket name) rather than the unresolved intrinsic.
+*
+* Scope is intentionally narrow:
+*   - Only `{Ref: <X>}` shapes are substituted. `Fn::GetAtt` is NOT handled
+*     here — the overrides map carries physical IDs only, not the
+*     per-resource attributes a GetAtt resolution needs. Full GetAtt /
+*     Fn::Sub / Fn::Join handling happens later in
+*     `resolveImportedProperties` against the populated `stackState.resources`.
+*   - Pseudo-parameter refs (`AWS::Region` / `AWS::AccountId` / etc.) are
+*     left untouched — those are handled by the full resolver post-import.
+*   - When the `Ref` target is NOT in the overrides map, the intrinsic is
+*     left in place (the post-import resolver may resolve it from the
+*     `stackState.resources` built by other imports).
+*
+* Closes issue #361 — `AWS::SQS::QueuePolicy` under
+* `--migrate-from-cloudformation` previously hard-errored because
+* `properties.Queues[0]` arrived at `provider.import()` as
+* `{Ref: <Queue>}` and the queue URL needed for the fallback identification
+* branch was never substituted in.
+*
+* Pure-functional — does not mutate `value`.
+*/
+function substituteOverrideRefs(value, overrides) {
+	if (value === null || value === void 0) return value;
+	if (typeof value !== "object") return value;
+	if (Array.isArray(value)) return value.map((v) => substituteOverrideRefs(v, overrides));
+	const obj = value;
+	const keys = Object.keys(obj);
+	if (keys.length === 1 && keys[0] === "Ref" && typeof obj["Ref"] === "string") {
+		const refTarget = obj["Ref"];
+		const resolved = overrides.get(refTarget);
+		if (resolved !== void 0) return resolved;
+		return value;
+	}
+	const result = {};
+	for (const [k, v] of Object.entries(obj)) result[k] = substituteOverrideRefs(v, overrides);
+	return result;
+}
 async function importOne(task) {
 	const logger = getLogger();
-	const { logicalId, resource, stackName, region, providerRegistry, override } = task;
+	const { logicalId, resource, stackName, region, providerRegistry, override, overrides } = task;
 	if (!providerRegistry.hasProvider(resource.Type)) return {
 		logicalId,
 		resourceType: resource.Type,
@@ -32070,13 +32239,14 @@ async function importOne(task) {
 		reason: `provider does not implement import (yet)`
 	};
 	const cdkPath = readCdkPath(resource);
+	const properties = substituteOverrideRefs(resource.Properties ?? {}, overrides);
 	const input = {
 		logicalId,
 		resourceType: resource.Type,
 		cdkPath,
 		stackName,
 		region,
-		properties: resource.Properties ?? {},
+		properties,
 		...override !== void 0 && { knownPhysicalId: override }
 	};
 	try {
@@ -42424,7 +42594,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.98.2");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.99.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());