@intentius/chant-lexicon-aws 0.0.6 → 0.0.8

package/src/plugin.ts

@@ -1,4 +1,6 @@
+import { createRequire } from "module";
 import type { LexiconPlugin, IntrinsicDef, SkillDefinition } from "@intentius/chant/lexicon";
+const require = createRequire(import.meta.url);
 import type { LintRule } from "@intentius/chant/lint/rule";
 import type { PostSynthCheck } from "@intentius/chant/lint/post-synth";
 import type { TemplateParser } from "@intentius/chant/import/parser";
@@ -58,34 +60,34 @@ export const awsPlugin: LexiconPlugin = {
  * Shared bucket configuration — encryption, versioning, public access
  */
 
-import * as aws from "@intentius/chant-lexicon-aws";
+import { ServerSideEncryptionByDefault, ServerSideEncryptionRule, BucketEncryption, PublicAccessBlockConfiguration, VersioningConfiguration } from "@intentius/chant-lexicon-aws";
 
 // Encryption default — AES256 server-side encryption
-export const encryptionDefault = new aws.ServerSideEncryptionByDefault({
-  sseAlgorithm: "AES256",
+export const encryptionDefault = new ServerSideEncryptionByDefault({
+  SSEAlgorithm: "AES256",
 });
 
 // Encryption rule wrapping the default
-export const encryptionRule = new aws.ServerSideEncryptionRule({
-  serverSideEncryptionByDefault: encryptionDefault,
+export const encryptionRule = new ServerSideEncryptionRule({
+  ServerSideEncryptionByDefault: encryptionDefault,
 });
 
 // Bucket encryption configuration
-export const bucketEncryption = new aws.BucketEncryption({
-  serverSideEncryptionConfiguration: [encryptionRule],
+export const bucketEncryption = new BucketEncryption({
+  ServerSideEncryptionConfiguration: [encryptionRule],
 });
 
 // Public access block — deny all public access
-export const publicAccessBlock = new aws.PublicAccessBlockConfiguration({
-  blockPublicAcls: true,
-  blockPublicPolicy: true,
-  ignorePublicAcls: true,
-  restrictPublicBuckets: true,
+export const publicAccessBlock = new PublicAccessBlockConfiguration({
+  BlockPublicAcls: true,
+  BlockPublicPolicy: true,
+  IgnorePublicAcls: true,
+  RestrictPublicBuckets: true,
 });
 
 // Versioning — enabled
-export const versioningEnabled = new aws.VersioningConfiguration({
-  status: "Enabled",
+export const versioningEnabled = new VersioningConfiguration({
+  Status: "Enabled",
 });
 `,
       "data-bucket.ts": `/**
@@ -96,10 +98,10 @@ import { Bucket, Sub, AWS } from "@intentius/chant-lexicon-aws";
 import { versioningEnabled, bucketEncryption, publicAccessBlock } from "./config";
 
 export const dataBucket = new Bucket({
-  bucketName: Sub\`\${AWS.StackName}-data\`,
-  versioningConfiguration: versioningEnabled,
-  bucketEncryption: bucketEncryption,
-  publicAccessBlockConfiguration: publicAccessBlock,
+  BucketName: Sub\`\${AWS.StackName}-\${AWS.AccountId}-data\`,
+  VersioningConfiguration: versioningEnabled,
+  BucketEncryption: bucketEncryption,
+  PublicAccessBlockConfiguration: publicAccessBlock,
 });
 `,
       "logs-bucket.ts": `/**
@@ -110,11 +112,11 @@ import { Bucket, Sub, AWS } from "@intentius/chant-lexicon-aws";
 import { versioningEnabled, bucketEncryption, publicAccessBlock } from "./config";
 
 export const logsBucket = new Bucket({
-  bucketName: Sub\`\${AWS.StackName}-logs\`,
-  accessControl: "LogDeliveryWrite",
-  versioningConfiguration: versioningEnabled,
-  bucketEncryption: bucketEncryption,
-  publicAccessBlockConfiguration: publicAccessBlock,
+  BucketName: Sub\`\${AWS.StackName}-\${AWS.AccountId}-logs\`,
+  AccessControl: "LogDeliveryWrite",
+  VersioningConfiguration: versioningEnabled,
+  BucketEncryption: bucketEncryption,
+  PublicAccessBlockConfiguration: publicAccessBlock,
 });
 `,
     };
@@ -229,44 +231,17 @@ export const logsBucket = new Bucket({
 
     console.error(`Packaged ${stats.resources} resources, ${stats.ruleCount} rules, ${stats.skillCount} skills`);
 
-    // Produce .tgz via bun pm pack
-    const packProc = Bun.spawn(["bun", "pm", "pack"], {
-      cwd: pkgDir,
-      stdout: "pipe",
-      stderr: "pipe",
-    });
-    const packOut = await new Response(packProc.stdout).text();
-    const packErr = await new Response(packProc.stderr).text();
-    const packExit = await packProc.exited;
+    // Produce .tgz via pack command
+    const { getRuntime } = await import("@intentius/chant/runtime-adapter");
+    const rt = getRuntime();
+    const { stdout: packOut, stderr: packErr, exitCode: packExit } = await rt.spawn(
+      rt.commands.packCmd,
+      { cwd: pkgDir },
+    );
     if (packExit === 0) {
       console.error(`Tarball: ${packOut.trim()}`);
     } else {
-      console.error(`bun pm pack failed: ${packErr}`);
-    }
-  },
-
-  async rollback(options?: { restore?: string; verbose?: boolean }): Promise<void> {
-    const { listSnapshots, restoreSnapshot } = await import("./codegen/rollback");
-    const { join, dirname } = await import("path");
-    const { fileURLToPath } = await import("url");
-
-    const pkgDir = dirname(dirname(fileURLToPath(import.meta.url)));
-    const snapshotsDir = join(pkgDir, ".snapshots");
-
-    if (options?.restore) {
-      const generatedDir = join(pkgDir, "src", "generated");
-      restoreSnapshot(String(options.restore), generatedDir);
-      console.error(`Restored snapshot: ${options.restore}`);
-    } else {
-      const snapshots = listSnapshots(snapshotsDir);
-      if (snapshots.length === 0) {
-        console.error("No snapshots available.");
-      } else {
-        console.error(`Available snapshots (${snapshots.length}):`);
-        for (const s of snapshots) {
-          console.error(`  ${s.timestamp}  ${s.resourceCount} resources  ${s.path}`);
-        }
-      }
+      console.error(`${rt.commands.packCmd.join(" ")} failed: ${packErr}`);
     }
   },
 
@@ -278,49 +253,80 @@ export const logsBucket = new Bucket({
   skills(): SkillDefinition[] {
     return [
       {
-        name: "aws-cloudformation",
-        description: "AWS CloudFormation best practices and common patterns",
+        name: "chant-aws",
+        description: "AWS CloudFormation template management — workflows, patterns, and troubleshooting",
         content: `---
-name: aws-cloudformation
-description: AWS CloudFormation best practices and common patterns
+skill: chant-aws
+description: Build, validate, and deploy CloudFormation templates from a chant project
+user-invocable: true
 ---
 
-# AWS CloudFormation with Chant
+# Deploying CloudFormation from Chant
 
-## Common Resource Types
+This project defines CloudFormation resources as TypeScript in \`src/\`. Use these steps to build, validate, and deploy.
 
-- \`AWS::S3::Bucket\` — Object storage
-- \`AWS::Lambda::Function\` — Serverless compute
-- \`AWS::DynamoDB::Table\` — NoSQL database
-- \`AWS::IAM::Role\` — Identity and access management
-- \`AWS::SNS::Topic\` — Pub/sub messaging
-- \`AWS::SQS::Queue\` — Message queue
-- \`AWS::EC2::SecurityGroup\` — Network firewall rules
+## Build the template
 
-## Intrinsic Functions
+\`\`\`bash
+chant build src/ --output stack.json
+\`\`\`
 
-- \`Sub\` — String interpolation with \`\${}\` syntax
-- \`Ref\` — Reference a resource or parameter
-- \`GetAtt\` — Get a resource attribute (e.g. ARN)
-- \`If\` — Conditional value based on a condition
-- \`Join\` — Join strings with a delimiter
-- \`Select\` — Pick an item from a list by index
+## Validate before deploying
 
-## Pseudo Parameters
+\`\`\`bash
+chant lint src/
+aws cloudformation validate-template --template-body file://stack.json
+\`\`\`
 
-- \`AWS::StackName\` — Name of the current stack
-- \`AWS::Region\` — Current deployment region
-- \`AWS::AccountId\` — Current AWS account ID
-- \`AWS::Partition\` — Partition (aws, aws-cn, aws-us-gov)
+## Deploy a new stack
 
-## Best Practices
+\`\`\`bash
+aws cloudformation deploy \\
+  --template-file stack.json \\
+  --stack-name <stack-name> \\
+  --capabilities CAPABILITY_NAMED_IAM
+\`\`\`
 
-1. **Always enable encryption** — Use \`BucketEncryption\` for S3, \`SSESpecification\` for DynamoDB
-2. **Block public access** — Set \`PublicAccessBlockConfiguration\` on all S3 buckets
-3. **Use least-privilege IAM** — Avoid \`*\` in IAM policy actions and resources
-4. **Enable versioning** — Turn on \`VersioningConfiguration\` for data buckets
-5. **Use Sub for dynamic names** — \`Sub\\\`\\\${AWS::StackName}-suffix\\\`\` for unique naming
-6. **Share config via direct imports** — Put common settings in a config file and import directly
+Add \`--parameter-overrides Key=Value\` if the template has parameters.
+
+## Update an existing stack
+
+1. Edit the TypeScript source
+2. Rebuild: \`chant build src/ --output stack.json\`
+3. Preview changes:
+   \`\`\`bash
+   aws cloudformation create-change-set \\
+     --stack-name <stack-name> \\
+     --template-body file://stack.json \\
+     --change-set-name update-$(date +%s) \\
+     --capabilities CAPABILITY_NAMED_IAM
+   aws cloudformation describe-change-set \\
+     --stack-name <stack-name> \\
+     --change-set-name update-<id>
+   \`\`\`
+4. Execute: \`aws cloudformation execute-change-set --stack-name <stack-name> --change-set-name update-<id>\`
+
+Or deploy directly: \`aws cloudformation deploy --template-file stack.json --stack-name <stack-name> --capabilities CAPABILITY_NAMED_IAM\`
+
+## Delete a stack
+
+\`\`\`bash
+aws cloudformation delete-stack --stack-name <stack-name>
+aws cloudformation wait stack-delete-complete --stack-name <stack-name>
+\`\`\`
+
+## Check stack status
+
+\`\`\`bash
+aws cloudformation describe-stacks --stack-name <stack-name>
+aws cloudformation describe-stack-events --stack-name <stack-name> --max-items 10
+\`\`\`
+
+## Troubleshooting deploy failures
+
+- Check events: \`aws cloudformation describe-stack-events --stack-name <stack-name>\`
+- Rollback stuck: \`aws cloudformation continue-update-rollback --stack-name <stack-name>\`
+- Drift: \`aws cloudformation detect-stack-drift --stack-name <stack-name>\`
 `,
         triggers: [
           { type: "file-pattern", value: "**/*.aws.ts" },
@@ -424,31 +430,31 @@ description: AWS CloudFormation best practices and common patterns
         description: "AWS S3 bucket with versioning and encryption",
         mimeType: "text/typescript",
         async handler(): Promise<string> {
-          return `import * as aws from "@intentius/chant-lexicon-aws";
+          return `import { ServerSideEncryptionByDefault, ServerSideEncryptionRule, BucketEncryption, VersioningConfiguration, Bucket, Sub, AWS } from "@intentius/chant-lexicon-aws";
 
 // Encryption configuration
-export const encryptionDefault = new aws.ServerSideEncryptionByDefault({
-  sseAlgorithm: "AES256",
+export const encryptionDefault = new ServerSideEncryptionByDefault({
+  SSEAlgorithm: "AES256",
 });
 
-export const encryptionRule = new aws.ServerSideEncryptionRule({
-  serverSideEncryptionByDefault: encryptionDefault,
+export const encryptionRule = new ServerSideEncryptionRule({
+  ServerSideEncryptionByDefault: encryptionDefault,
 });
 
-export const bucketEncryption = new aws.BucketEncryption({
-  serverSideEncryptionConfiguration: [encryptionRule],
+export const bucketEncryption = new BucketEncryption({
+  ServerSideEncryptionConfiguration: [encryptionRule],
 });
 
 // Versioning
-export const versioningEnabled = new aws.VersioningConfiguration({
-  status: "Enabled",
+export const versioningEnabled = new VersioningConfiguration({
+  Status: "Enabled",
 });
 
-// Create a versioned bucket with encryption
-export const dataBucket = new aws.Bucket({
-  bucketName: aws.Sub\`\${aws.AWS.StackName}-data\`,
-  versioningConfiguration: versioningEnabled,
-  bucketEncryption: bucketEncryption,
+// Create a versioned bucket with encryption (AccountId ensures global uniqueness)
+export const dataBucket = new Bucket({
+  BucketName: Sub\`\${AWS.StackName}-\${AWS.AccountId}-data\`,
+  VersioningConfiguration: versioningEnabled,
+  BucketEncryption: bucketEncryption,
 });
 `;
         },
@@ -459,17 +465,17 @@ export const dataBucket = new aws.Bucket({
         description: "Using AttrRefs for cross-resource references",
         mimeType: "text/typescript",
         async handler(): Promise<string> {
-          return `import * as aws from "@intentius/chant-lexicon-aws";
+          return `import { Bucket, VersioningConfiguration, Role } from "@intentius/chant-lexicon-aws";
 
 // Create a bucket
-export const dataBucket = new aws.Bucket({
-  bucketName: "my-data-bucket",
-  versioningConfiguration: new aws.VersioningConfiguration({ status: "Enabled" }),
+export const dataBucket = new Bucket({
+  BucketName: "my-data-bucket",
+  VersioningConfiguration: new VersioningConfiguration({ Status: "Enabled" }),
 });
 
 // Create a role that references the bucket's ARN
-export const role = new aws.Role({
-  assumeRolePolicyDocument: {
+export const role = new Role({
+  AssumeRolePolicyDocument: {
     Version: "2012-10-17",
     Statement: [{
       Effect: "Allow",

package/src/serializer.test.ts

@@ -18,9 +18,9 @@ class MockBucket implements Declarable {
   readonly lexicon = "aws";
   readonly entityType = "AWS::S3::Bucket";
   readonly arn: AttrRef;
-  readonly props: { bucketName?: string; versioningConfiguration?: { status: string } };
+  readonly props: { BucketName?: string; VersioningConfiguration?: { Status: string } };
 
-  constructor(props: { bucketName?: string; versioningConfiguration?: { status: string } } = {}) {
+  constructor(props: { BucketName?: string; VersioningConfiguration?: { Status: string } } = {}) {
     this.props = props;
     this.arn = new AttrRef(this, "Arn");
   }
@@ -57,7 +57,7 @@ describe("awsSerializer.serialize", () => {
 
   test("serializes resources", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "my-bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "my-bucket" }));
 
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
@@ -86,8 +86,8 @@ describe("awsSerializer.serialize", () => {
   test("serializes nested properties", () => {
     const entities = new Map<string, Declarable>();
     entities.set("MyBucket", new MockBucket({
-      bucketName: "my-bucket",
-      versioningConfiguration: { status: "Enabled" },
+      BucketName: "my-bucket",
+      VersioningConfiguration: { Status: "Enabled" },
     }));
 
     const output = awsSerializer.serialize(entities);
@@ -98,21 +98,20 @@ describe("awsSerializer.serialize", () => {
     });
   });
 
-  test("converts property names to PascalCase", () => {
+  test("passes through property names verbatim", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "test" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "test" }));
 
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
 
     expect(template.Resources.MyBucket.Properties.BucketName).toBeDefined();
-    expect(template.Resources.MyBucket.Properties.bucketName).toBeUndefined();
   });
 
   test("handles multiple resources", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("DataBucket", new MockBucket({ bucketName: "data-bucket" }));
-    entities.set("LogsBucket", new MockBucket({ bucketName: "logs-bucket" }));
+    entities.set("DataBucket", new MockBucket({ BucketName: "data-bucket" }));
+    entities.set("LogsBucket", new MockBucket({ BucketName: "logs-bucket" }));
 
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
@@ -125,7 +124,7 @@ describe("awsSerializer.serialize", () => {
   test("handles resources and parameters together", () => {
     const entities = new Map<string, Declarable>();
     entities.set("Env", new Parameter("String"));
-    entities.set("MyBucket", new MockBucket({ bucketName: "bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "bucket" }));
 
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
@@ -154,9 +153,9 @@ class MockEncryption implements Declarable {
   readonly lexicon = "aws";
   readonly entityType = "AWS::S3::Bucket.BucketEncryption";
   readonly kind = "property" as const;
-  readonly props: { serverSideEncryptionConfiguration: unknown[] };
+  readonly props: { ServerSideEncryptionConfiguration: unknown[] };
 
-  constructor(props: { serverSideEncryptionConfiguration: unknown[] }) {
+  constructor(props: { ServerSideEncryptionConfiguration: unknown[] }) {
     this.props = props;
   }
 }
@@ -164,14 +163,14 @@ class MockEncryption implements Declarable {
 describe("property-kind Declarables", () => {
   test("property-kind Declarables are inlined into parent properties", () => {
     const encryption = new MockEncryption({
-      serverSideEncryptionConfiguration: [
-        { serverSideEncryptionByDefault: { sseAlgorithm: "AES256" } },
+      ServerSideEncryptionConfiguration: [
+        { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } },
       ],
     });
 
-    const bucket = new MockBucket({ bucketName: "my-bucket" });
+    const bucket = new MockBucket({ BucketName: "my-bucket" });
     // Manually set encryption as a prop
-    (bucket.props as Record<string, unknown>).encryption = encryption;
+    (bucket.props as Record<string, unknown>).BucketEncryption = encryption;
 
     const entities = new Map<string, Declarable>();
     entities.set("DataEncryption", encryption);
@@ -181,23 +180,23 @@ describe("property-kind Declarables", () => {
     const template = JSON.parse(output);
 
     // Encryption should be inlined, not a Ref
-    expect(template.Resources.MyBucket.Properties.Encryption).toEqual({
+    expect(template.Resources.MyBucket.Properties.BucketEncryption).toEqual({
       ServerSideEncryptionConfiguration: [
-        { ServerSideEncryptionByDefault: { SseAlgorithm: "AES256" } },
+        { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } },
       ],
     });
   });
 
   test("property-kind Declarables do NOT appear as standalone Resources", () => {
     const encryption = new MockEncryption({
-      serverSideEncryptionConfiguration: [
-        { serverSideEncryptionByDefault: { sseAlgorithm: "AES256" } },
+      ServerSideEncryptionConfiguration: [
+        { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } },
       ],
     });
 
     const entities = new Map<string, Declarable>();
     entities.set("DataEncryption", encryption);
-    entities.set("MyBucket", new MockBucket({ bucketName: "my-bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "my-bucket" }));
 
     const output = awsSerializer.serialize(entities);
     const template = JSON.parse(output);
@@ -207,16 +206,16 @@ describe("property-kind Declarables", () => {
   });
 
   test("resource-kind Declarables still emit Ref when referenced", () => {
-    const sourceBucket = new MockBucket({ bucketName: "source" });
+    const sourceBucket = new MockBucket({ BucketName: "source" });
 
     class MockConfig implements Declarable {
       readonly [DECLARABLE_MARKER] = true as const;
       readonly lexicon = "aws";
       readonly entityType = "AWS::S3::ReplicationDestination";
-      readonly props: { bucket: Declarable };
+      readonly props: { Bucket: Declarable };
 
-      constructor(bucket: Declarable) {
-        this.props = { bucket };
+      constructor(Bucket: Declarable) {
+        this.props = { Bucket };
       }
     }
 
@@ -233,7 +232,7 @@ describe("property-kind Declarables", () => {
 
 describe("intrinsic serialization", () => {
   test("handles AttrRef in properties", () => {
-    const source = new MockBucket({ bucketName: "source" });
+    const source = new MockBucket({ BucketName: "source" });
     // Set the logical name on the AttrRef before using it
     (source.arn as Record<string, unknown>)._setLogicalName("SourceBucket");
 
@@ -241,10 +240,10 @@ describe("intrinsic serialization", () => {
       readonly [DECLARABLE_MARKER] = true as const;
       readonly lexicon = "aws";
       readonly entityType = "AWS::S3::ReplicationConfiguration";
-      readonly props: { sourceArn: AttrRef };
+      readonly props: { SourceArn: AttrRef };
 
-      constructor(sourceArn: AttrRef) {
-        this.props = { sourceArn };
+      constructor(SourceArn: AttrRef) {
+        this.props = { SourceArn };
       }
     }
 
@@ -256,14 +255,14 @@ describe("intrinsic serialization", () => {
     const template = JSON.parse(output);
 
     expect(template.Resources.Replication.Properties.SourceArn).toEqual({
-      "Fn::GetAttr": ["SourceBucket", "Arn"],
+      "Fn::GetAtt": ["SourceBucket", "Arn"],
     });
   });
 });
 
 describe("LexiconOutput serialization", () => {
   test("generates CF Outputs section for LexiconOutputs", () => {
-    const bucket = new MockBucket({ bucketName: "data-bucket" });
+    const bucket = new MockBucket({ BucketName: "data-bucket" });
     const lexiconOutput = new LexiconOutput(bucket.arn, "DataBucketArn");
     lexiconOutput._setSourceEntity("dataBucket");
 
@@ -275,13 +274,13 @@ describe("LexiconOutput serialization", () => {
 
     expect(template.Outputs).toBeDefined();
     expect(template.Outputs.DataBucketArn).toEqual({
-      Value: { "Fn::GetAttr": ["dataBucket", "Arn"] },
+      Value: { "Fn::GetAtt": ["dataBucket", "Arn"] },
     });
   });
 
   test("generates multiple CF Outputs", () => {
-    const dataBucket = new MockBucket({ bucketName: "data-bucket" });
-    const logsBucket = new MockBucket({ bucketName: "logs-bucket" });
+    const dataBucket = new MockBucket({ BucketName: "data-bucket" });
+    const logsBucket = new MockBucket({ BucketName: "logs-bucket" });
 
     const dataOutput = new LexiconOutput(dataBucket.arn, "DataBucketArn");
     dataOutput._setSourceEntity("dataBucket");
@@ -298,16 +297,16 @@ describe("LexiconOutput serialization", () => {
     expect(template.Outputs).toBeDefined();
     expect(Object.keys(template.Outputs)).toHaveLength(2);
     expect(template.Outputs.DataBucketArn.Value).toEqual({
-      "Fn::GetAttr": ["dataBucket", "Arn"],
+      "Fn::GetAtt": ["dataBucket", "Arn"],
     });
     expect(template.Outputs.LogsBucketArn.Value).toEqual({
-      "Fn::GetAttr": ["logsBucket", "Arn"],
+      "Fn::GetAtt": ["logsBucket", "Arn"],
     });
   });
 
   test("omits Outputs section when no LexiconOutputs provided", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "bucket" }));
 
     const result = awsSerializer.serialize(entities);
     const template = JSON.parse(result);
@@ -317,7 +316,7 @@ describe("LexiconOutput serialization", () => {
 
   test("omits Outputs section when empty LexiconOutputs array", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "bucket" }));
 
     const result = awsSerializer.serialize(entities, []);
     const template = JSON.parse(result as string);
@@ -430,7 +429,7 @@ describe("nested stack serialization", () => {
       Resources: {},
     });
 
-    const bucket = new MockBucket({ bucketName: "data" });
+    const bucket = new MockBucket({ BucketName: "data" });
 
     const entities = new Map<string, Declarable>();
     entities.set("network", stack as unknown as Declarable);
@@ -446,7 +445,7 @@ describe("nested stack serialization", () => {
 
   test("without nested stacks returns plain string", () => {
     const entities = new Map<string, Declarable>();
-    entities.set("MyBucket", new MockBucket({ bucketName: "bucket" }));
+    entities.set("MyBucket", new MockBucket({ BucketName: "bucket" }));
 
     const result = awsSerializer.serialize(entities);
     expect(typeof result).toBe("string");
@@ -460,7 +459,7 @@ describe("nested stack serialization", () => {
         subnet: { Type: "AWS::EC2::Subnet" },
       },
       Outputs: {
-        subnetId: { Value: { "Fn::GetAttr": ["subnet", "SubnetId"] } },
+        subnetId: { Value: { "Fn::GetAtt": ["subnet", "SubnetId"] } },
       },
     });
 
@@ -472,7 +471,7 @@ describe("nested stack serialization", () => {
       entityType: "AWS::Lambda::Function",
       kind: "resource" as const,
       props: {
-        vpcConfig: { subnetIds: [subnetRef] },
+        VpcConfig: { SubnetIds: [subnetRef] },
       },
     } as unknown as Declarable;
 

package/src/serializer.ts

@@ -3,7 +3,6 @@ import { isPropertyDeclarable } from "@intentius/chant/declarable";
 import type { Serializer, SerializerResult } from "@intentius/chant/serializer";
 import type { LexiconOutput } from "@intentius/chant/lexicon-output";
 import { walkValue, type SerializerVisitor } from "@intentius/chant/serializer-walker";
-import { toPascalCase } from "@intentius/chant/codegen/case";
 import { isChildProject, type ChildProjectInstance } from "@intentius/chant/child-project";
 import { isStackOutput, type StackOutput } from "@intentius/chant/stack-output";
 
@@ -68,7 +67,7 @@ interface CFOutput {
  */
 function cfnVisitor(entityNames: Map<Declarable, string>): SerializerVisitor {
   return {
-    attrRef: (name, attr) => ({ "Fn::GetAttr": [name, attr] }),
+    attrRef: (name, attr) => ({ "Fn::GetAtt": [name, attr] }),
     resourceRef: (name) => ({ Ref: name }),
     propertyDeclarable: (entity, walk) => {
       if (!("props" in entity) || typeof entity.props !== "object" || entity.props === null) {
@@ -78,26 +77,19 @@ function cfnVisitor(entityNames: Map<Declarable, string>): SerializerVisitor {
       const cfProps: Record<string, unknown> = {};
       for (const [key, value] of Object.entries(props)) {
         if (value !== undefined) {
-          const cfKey = toPascalCase(key);
-          cfProps[cfKey] = walk(value);
+          cfProps[key] = walk(value);
         }
       }
       return Object.keys(cfProps).length > 0 ? cfProps : undefined;
     },
-    transformKey: toPascalCase,
   };
 }
 
 /**
  * Convert a value to CF-compatible JSON using the generic walker.
  */
-function toCFValue(value: unknown, entityNames: Map<Declarable, string>, convertKeys = false): unknown {
-  const visitor = cfnVisitor(entityNames);
-  if (!convertKeys) {
-    // When not converting keys, use a visitor without transformKey
-    return walkValue(value, entityNames, { ...visitor, transformKey: undefined });
-  }
-  return walkValue(value, entityNames, visitor);
+function toCFValue(value: unknown, entityNames: Map<Declarable, string>): unknown {
+  return walkValue(value, entityNames, cfnVisitor(entityNames));
 }
 
 /**
@@ -116,8 +108,7 @@ function toProperties(
 
   for (const [key, value] of Object.entries(props)) {
     if (value !== undefined) {
-      const cfKey = toPascalCase(key);
-      cfProps[cfKey] = toCFValue(value, entityNames, true);
+      cfProps[key] = toCFValue(value, entityNames);
     }
   }
 
@@ -231,7 +222,7 @@ function serializeToTemplate(
       const logicalName = ref.getLogicalName();
       if (logicalName) {
         const output: CFOutput = {
-          Value: { "Fn::GetAttr": [logicalName, ref.attribute] },
+          Value: { "Fn::GetAtt": [logicalName, ref.attribute] },
         };
         if (stackOutput.description) {
           output.Description = stackOutput.description;
@@ -247,7 +238,7 @@ function serializeToTemplate(
     for (const output of outputs) {
       template.Outputs[output.outputName] = {
         Value: {
-          "Fn::GetAttr": [output.sourceEntity, output.sourceAttribute],
+          "Fn::GetAtt": [output.sourceEntity, output.sourceAttribute],
         },
       };
     }