cdk-local 0.27.0 → 0.28.1

package/dist/{local-list-KUEmeW9J.js → local-list-CY18YQf1.js}

@@ -10,6 +10,7 @@ import { AssetManifestArtifact } from "@aws-cdk/cloud-assembly-api";
 import { BaseCredentials, CdkAppMultiContext, NonInteractiveIoHost, Toolkit } from "@aws-cdk/toolkit-lib";
 import { CloudFormationClient, DescribeStacksCommand, ListExportsCommand, ListStackResourcesCommand } from "@aws-sdk/client-cloudformation";
 import { GetFunctionConfigurationCommand, LambdaClient } from "@aws-sdk/client-lambda";
+import { GetParameterCommand, GetParametersCommand, SSMClient } from "@aws-sdk/client-ssm";
 import { mkdir, mkdtemp, rm, writeFile } from "node:fs/promises";
 import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
@@ -27,7 +28,6 @@ import { createServer as createServer$2 } from "node:https";
 import * as chokidar from "chokidar";
 import graphlib from "graphlib";
 import { GetSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
-import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
 
 //#region src/cli/options.ts
 /**
@@ -2278,10 +2278,19 @@ function mapStackArtifact(stack) {
 * Thin wrapper around {@link AssemblyReader} that mimics cdkd's
 * `Synthesizer` API so the ported `cdkl invoke` / `start-api` /
 * `run-task` / `start-service` source compiles without rewrites.
+*
+* When `app` resolves to an existing directory it is read as a
+* pre-synthesized cloud assembly (no subprocess synth); otherwise it is
+* executed as the CDK app command.
 */
 var Synthesizer = class {
 	async synthesize(opts) {
 		const reader = new AssemblyReader();
+		const appPath = resolve(opts.app);
+		if (existsSync(appPath) && statSync(appPath).isDirectory()) {
+			getLogger().debug(`Using pre-synthesized cloud assembly at ${appPath}`);
+			return { stacks: await reader.readFromDirectory(appPath) };
+		}
 		const readOpts = {};
 		if (opts.output !== void 0) readOpts.outdir = opts.output;
 		const env = {};
@@ -2354,6 +2363,156 @@ function resolveWatchConfig() {
 	};
 }
 
+//#endregion
+//#region src/local/ssm-parameter-resolver.ts
+/**
+* Resolve CloudFormation template `Parameters` of the SSM-backed types
+* `AWS::SSM::Parameter::Value<String>` / `AWS::SSM::Parameter::Value<List<String>>`
+* (what CDK synthesizes for `ssm.StringParameter.valueForStringParameter(...)`)
+* into their deployed values via SSM Parameter Store.
+*
+* Motivation (issue #94): a container / Lambda env var that `Ref`s such a
+* parameter cannot be resolved from the `--from-cfn-stack` state source.
+* That source is built from `ListStackResources` (deployed RESOURCES); a
+* CloudFormation PARAMETER is not a resource, so the `Ref` misses
+* `context.resources[<id>]` in `state-resolver.ts` and the env var is
+* warn-and-dropped. The synthesized template, however, carries the SSM
+* parameter NAME in each entry's `Default`:
+*
+*   "Parameters": {
+*     "SsmParameterValue...Parameter": {
+*       "Type": "AWS::SSM::Parameter::Value<String>",
+*       "Default": "/path/to/the/parameter"
+*     }
+*   }
+*
+* and the run already has working AWS credentials / region (the same ones
+* `--from-cfn-stack` uses for `ListStackResources`). This module reads each
+* parameter NAME from `Default`, batch-resolves the values via SSM
+* `GetParameters`, and returns a `logicalId -> value` map the CLI feeds
+* into the substitution context so a `Ref` to the parameter's logical id
+* resolves to the value instead of being dropped.
+*
+* Best-effort by design: on any SSM failure (no credentials, access
+* denied, throttling) the helper logs a warn and returns whatever it
+* could resolve (possibly nothing) — the caller then falls back to the
+* existing warn-and-drop behavior on the affected `Ref`s. It NEVER throws
+* out of the substitution pass.
+*/
+/** SSM-backed CFn parameter types CDK synthesizes for SSM lookups. */
+const SSM_STRING_TYPE = "AWS::SSM::Parameter::Value<String>";
+const SSM_LIST_TYPE = "AWS::SSM::Parameter::Value<List<String>>";
+/**
+* Scan a synthesized template's `Parameters` block for entries whose
+* `Type` is one of the SSM-backed parameter types AND whose `Default`
+* carries a usable SSM parameter name. Pure — no AWS calls.
+*
+* Entries without a non-empty string `Default` are skipped (CDK always
+* synthesizes the parameter name into `Default` for the
+* `valueForStringParameter` shape; a parameter declared without a default
+* has no name we can resolve, so it stays warn-and-drop).
+*
+* Exported for unit testing.
+*/
+function collectSsmParameterRefs(template) {
+	const params = template?.Parameters;
+	if (!params) return [];
+	const out = [];
+	for (const [logicalId, entry] of Object.entries(params)) {
+		if (!entry || typeof entry !== "object") continue;
+		const type = entry.Type;
+		const isList = type === SSM_LIST_TYPE;
+		if (type !== SSM_STRING_TYPE && !isList) continue;
+		const ssmName = entry.Default;
+		if (typeof ssmName !== "string" || ssmName.length === 0) continue;
+		out.push({
+			logicalId,
+			ssmName,
+			isList
+		});
+	}
+	return out;
+}
+/**
+* Batch-resolve a set of {@link SsmParameterRef}s via SSM `GetParameters`
+* and return a `logicalId -> resolved value` map. `List<String>`
+* parameters are comma-joined (CloudFormation surfaces the list type as a
+* comma-delimited string when the value is consumed as a `Ref`).
+*
+* `GetParameters` accepts up to 10 names per call, so the refs are
+* chunked. Names that SSM reports as invalid (`InvalidParameters`) are
+* left out of the result map so the caller falls back to warn-and-drop
+* on the corresponding `Ref`. `WithDecryption: true` is set so Secure
+* String parameters resolve too (matching how CloudFormation resolves
+* the `AWS::SSM::Parameter::Value<String>` type at deploy time).
+*
+* Security note: a decrypted SecureString value resolved here is then
+* baked into the container's `Environment` like any other resolved env
+* value, so it follows the standard plaintext-env exposure path — it can
+* appear on the `docker run -e KEY=VALUE` argv (visible in host `ps`) and
+* is not redacted by `redactAwsCredentialsInArgs` (which only covers
+* `SENSITIVE_ENV_KEYS`). This mirrors the deployed Lambda/ECS env and is
+* the same inherent exposure documented in `docker-runner`; routing
+* SecureString-resolved values through the value-from-process-env form is
+* tracked as a follow-up.
+*
+* Best-effort: a failed `GetParameters` chunk logs a warn and is skipped
+* (the other chunks still contribute their values); the function never
+* throws.
+*
+* `label` is the state-source label (e.g. `--from-cfn-stack`) used to
+* prefix warns so the user can tell which source produced them.
+*
+* Exported for unit testing.
+*/
+async function resolveSsmParameters(client, refs, label) {
+	const out = {};
+	if (refs.length === 0) return out;
+	const logger = getLogger();
+	const CHUNK = 10;
+	const byName = /* @__PURE__ */ new Map();
+	for (const ref of refs) {
+		const list = byName.get(ref.ssmName);
+		if (list) list.push(ref);
+		else byName.set(ref.ssmName, [ref]);
+	}
+	const uniqueNames = [...byName.keys()];
+	for (let i = 0; i < uniqueNames.length; i += CHUNK) {
+		const names = uniqueNames.slice(i, i + CHUNK);
+		let resolved;
+		try {
+			const resp = await client.send(new GetParametersCommand({
+				Names: names,
+				WithDecryption: true
+			}));
+			resolved = resp.Parameters ?? [];
+			const invalid = resp.InvalidParameters ?? [];
+			if (invalid.length > 0) logger.warn(`${label}: SSM GetParameters reported invalid parameter name(s): ${invalid.join(", ")}. Ref to the matching CloudFormation parameter(s) will warn-and-drop (was the SSM parameter created?).`);
+		} catch (err) {
+			logger.warn(`${label}: SSM GetParameters(${names.join(", ")}) failed: ${formatSsmError(err)}. Ref to the matching CloudFormation parameter(s) will warn-and-drop (grant ssm:GetParameters or override via --env-vars).`);
+			continue;
+		}
+		for (const p of resolved) {
+			if (typeof p.Name !== "string" || typeof p.Value !== "string") continue;
+			const requesters = byName.get(p.Name);
+			if (!requesters) continue;
+			for (const ref of requesters) out[ref.logicalId] = p.Value;
+		}
+	}
+	return out;
+}
+/**
+* Format an SSM SDK error as `<name>: <message>` so the warn names the
+* error class (e.g. `AccessDeniedException`, `ThrottlingException`).
+* Mirrors `formatAwsErrorForWarn` in `cfn-local-state-provider.ts`.
+* Exported for unit testing.
+*/
+function formatSsmError(err) {
+	if (!(err instanceof Error)) return String(err);
+	const name = err.name && err.name !== "Error" ? err.name : void 0;
+	return name !== void 0 ? `${name}: ${err.message}` : err.message;
+}
+
 //#endregion
 //#region src/local/cfn-local-state-provider.ts
 /**
@@ -2425,6 +2584,7 @@ var CfnLocalStateProvider = class {
 	region;
 	client;
 	lambdaClient;
+	ssmClient;
 	clientOptions;
 	disposed = false;
 	constructor(opts) {
@@ -2449,6 +2609,31 @@ var CfnLocalStateProvider = class {
 		});
 		return this.lambdaClient;
 	}
+	getSsmClient() {
+		if (this.disposed) throw new Error("CfnLocalStateProvider used after dispose()");
+		if (!this.ssmClient) this.ssmClient = new SSMClient({
+			region: this.region,
+			...this.clientOptions.profile !== void 0 && { profile: this.clientOptions.profile }
+		});
+		return this.ssmClient;
+	}
+	/**
+	* Resolve the synthesized template's SSM-backed `Parameters`
+	* (`AWS::SSM::Parameter::Value<String>` /
+	* `AWS::SSM::Parameter::Value<List<String>>`) into a
+	* `parameterLogicalId -> value` map via SSM Parameter Store. See
+	* {@link LocalStateProvider.resolveTemplateSsmParameters}.
+	*
+	* Returns an empty map (and opens no SSM client) when the template
+	* declares no SSM-backed parameters. Best-effort: SSM failures are
+	* absorbed inside {@link resolveSsmParameters} with a per-chunk warn.
+	*/
+	async resolveTemplateSsmParameters(template) {
+		if (this.disposed) throw new Error("CfnLocalStateProvider used after dispose()");
+		const refs = collectSsmParameterRefs(template);
+		if (refs.length === 0) return {};
+		return resolveSsmParameters(this.getSsmClient(), refs, this.label);
+	}
 	/**
 	* Read a deployed Lambda function's already-resolved
 	* `Environment.Variables` via `lambda:GetFunctionConfiguration`. See
@@ -2560,6 +2745,10 @@ var CfnLocalStateProvider = class {
 			this.lambdaClient.destroy();
 			this.lambdaClient = void 0;
 		}
+		if (this.ssmClient) {
+			this.ssmClient.destroy();
+			this.ssmClient = void 0;
+		}
 	}
 };
 /**
@@ -3983,14 +4172,19 @@ function resolveRef(arg, context) {
 	};
 	if (arg.startsWith("AWS::")) return resolvePseudoParameter(arg, context.pseudoParameters);
 	const resource = context.resources[arg];
-	if (!resource) return {
-		kind: "unresolved",
-		reason: `Ref '${arg}': no record in the state source (was the resource deployed?)`
-	};
-	return {
+	if (resource) return {
 		kind: "literal",
 		value: resource.physicalId
 	};
+	const parameterValue = context.parameters?.[arg];
+	if (parameterValue !== void 0) return {
+		kind: "literal",
+		value: parameterValue
+	};
+	return {
+		kind: "unresolved",
+		reason: `Ref '${arg}': no record in the state source (was the resource deployed, or is it a CloudFormation parameter that could not be resolved — e.g. an SSM-backed AWS::SSM::Parameter::Value parameter whose SSM value was not readable?)`
+	};
 }
 function resolvePseudoParameter(name, pseudo) {
 	if (!pseudo) return {
@@ -5110,6 +5304,7 @@ function buildSubstitutionContextFromImageContext(context) {
 	if (!context?.stateResources) return void 0;
 	const subContext = { resources: context.stateResources };
 	if (context.pseudoParameters) subContext.pseudoParameters = { ...context.pseudoParameters };
+	if (context.stateParameters) subContext.parameters = { ...context.stateParameters };
 	return subContext;
 }
 /**
@@ -7139,6 +7334,10 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 					const pseudo = await resolvePseudoParametersForInvoke(lambda.stack.region, options);
 					if (pseudo) subContext.pseudoParameters = pseudo;
 				}
+				if (envHasIntrinsicValue$1(templateEnv) && stateProvider.resolveTemplateSsmParameters) {
+					const ssmParams = await stateProvider.resolveTemplateSsmParameters(lambda.stack.template);
+					if (Object.keys(ssmParams).length > 0) subContext.parameters = ssmParams;
+				}
 				if (envHasCrossStackIntrinsic(templateEnv)) {
 					const resolver = await stateProvider.buildCrossStackResolver(loaded.region);
 					if (resolver) subContext.crossStackResolver = resolver;
@@ -15468,6 +15667,7 @@ async function buildContainerSpec(args) {
 	if (stateBundle) {
 		const context = { resources: stateBundle.state.resources };
 		if (stateBundle.pseudoParameters) context.pseudoParameters = stateBundle.pseudoParameters;
+		if (stateBundle.ssmParameters) context.parameters = stateBundle.ssmParameters;
 		const { env, audit } = substituteEnvVarsFromState(templateEnv, context);
 		templateEnv = env;
 		for (const key of audit.resolvedKeys) getLogger().debug(`Lambda ${logicalId}: state source substituted env var ${key}`);
@@ -16277,6 +16477,10 @@ async function loadStateForRoutedStacks(stacks, routes, routesWithAuth, options,
 				}
 				if (deployedEnvByLambda.size > 0) bundle.deployedEnvByLambda = deployedEnvByLambda;
 			}
+			if (stackHasIntrinsicEnv(stackName) && provider.resolveTemplateSsmParameters) {
+				const ssmParameters = await provider.resolveTemplateSsmParameters(stack.template);
+				if (Object.keys(ssmParameters).length > 0) bundle.ssmParameters = ssmParameters;
+			}
 			out.set(stackName, bundle);
 			logger.debug(`${provider.label}: loaded state for ${stackName} (${loaded.region})`);
 		} finally {
@@ -17441,6 +17645,7 @@ async function localRunTaskCommand(target, options, extraStateProviders) {
 			if (resolver) await applyCrossStackResolverToTask(task, {
 				resources: imageContext?.stateResources ?? {},
 				...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
+				...imageContext?.stateParameters && { parameters: imageContext.stateParameters },
 				consumerRegion,
 				crossStackResolver: resolver
 			});
@@ -17578,6 +17783,10 @@ async function buildEcsImageResolutionContext$1(candidate, stateProvider, option
 	if (stateProvider && wantsState) {
 		const loaded = await stateProvider.load(candidate.stackName, candidate.region);
 		if (loaded) ctx.stateResources = loaded.resources;
+		if (needs.needsEnvOrSecretSubstitution && stateProvider.resolveTemplateSsmParameters) {
+			const ssmParameters = await stateProvider.resolveTemplateSsmParameters(candidate.template);
+			if (Object.keys(ssmParameters).length > 0) ctx.stateParameters = ssmParameters;
+		}
 	} else if (!stateProvider && needs.needsStateResources) logger.warn("Container Image references a same-stack AWS::ECR::Repository. Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute the deployed repository URI. Otherwise the resolver will surface its existing error.");
 	else if (!stateProvider && needs.needsEnvOrSecretSubstitution) logger.warn("Container Environment / Secrets entries contain CloudFormation intrinsics (Ref / Fn::GetAtt / Fn::Sub / Fn::Join). Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute them against deployed state. Without a state source these entries are dropped (per-key warnings will follow).");
 	return ctx;
@@ -18917,6 +19126,7 @@ async function runOneTarget(target, runState, stacks, options, discovery, skipPu
 			const subContext = {
 				resources: imageContext?.stateResources ?? {},
 				...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
+				...imageContext?.stateParameters && { parameters: imageContext.stateParameters },
 				consumerRegion,
 				crossStackResolver: resolver
 			};
@@ -18995,6 +19205,10 @@ async function assumeTaskRole(roleArn, region) {
 }
 /**
 * Build the substitution context the ECS resolver consumes.
+*
+* Exported for the site-level binding test that locks the `--from-cfn-stack`
+* SSM-parameter resolution call (issue #94) into this start-service call site
+* (mirrors `local-run-task`'s exported helper).
 */
 async function buildEcsImageResolutionContext(target, stacks, options, stateProvider) {
 	const logger = getLogger();
@@ -19027,6 +19241,10 @@ async function buildEcsImageResolutionContext(target, stacks, options, stateProv
 	if (stateProvider && wantsState) {
 		const loaded = await stateProvider.load(candidate.stackName, candidate.region);
 		if (loaded) ctx.stateResources = loaded.resources;
+		if (needs.needsEnvOrSecretSubstitution && stateProvider.resolveTemplateSsmParameters) {
+			const ssmParameters = await stateProvider.resolveTemplateSsmParameters(candidate.template);
+			if (Object.keys(ssmParameters).length > 0) ctx.stateParameters = ssmParameters;
+		}
 	} else if (!stateProvider && needs.needsStateResources) logger.warn("Container Image references a same-stack AWS::ECR::Repository. Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute the deployed repository URI.");
 	else if (!stateProvider && needs.needsEnvOrSecretSubstitution) logger.warn("Container Environment / Secrets entries contain CloudFormation intrinsics. Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute them against the deployed state.");
 	return ctx;
@@ -19199,5 +19417,5 @@ function createLocalListCommand(opts = {}) {
 }
 
 //#endregion
-export { materializeLayerFromArn as $, matchRoute as A, parseConnectionsPath as B, evaluateCachedLambdaPolicy as C, buildCorsConfigByApiId as D, applyCorsResponseHeaders as E, HOST_GATEWAY_MIN_VERSION as F, resolveRuntimeCodeMountPath as G, buildDisconnectEvent as H, probeHostGatewaySupport as I, substituteAgainstState as J, resolveRuntimeFileExtension as K, ConnectionRegistry as L, applyAuthorizerOverlay as M, buildHttpApiV2Event as N, buildCorsConfigFromCloudFrontChain as O, buildRestV1Event as P, resolveEnvVars as Q, buildMgmtEndpointEnvUrl as R, computeRequestIdentityHash as S, invokeTokenAuthorizer as T, buildMessageEvent as U, buildConnectEvent as V, createLocalInvokeCommand as W, substituteEnvVarsFromState as X, substituteAgainstStateAsync as Y, substituteEnvVarsFromStateAsync as Z, buildJwksUrlFromIssuer as _, pickRefLogicalId as _t, getContainerNetworkIp as a, isCfnFlagPresent as at, verifyJwtAuthorizer as b, createAuthorizerCache as c, resolveCfnRegion as ct, availableApiIdentifiers as d, countTargets as dt, derivePseudoParametersFromRegion as et, filterRoutesByApiIdentifier as f, listTargets as ft, buildCognitoJwksUrl as g, discoverRoutes as gt, resolveServiceIntegrationParameters as h, parseSelectionExpressionPath as ht, CloudMapRegistry as i, createLocalStateProvider as it, translateLambdaResponse as j, matchPreflight as k, attachStageContext as l, resolveCfnStackName as lt, resolveSelectionExpression as m, discoverWebSocketApisOrThrow as mt, formatTargetListing as n, tryResolveImageFnJoin as nt, createLocalRunTaskCommand as o, rejectExplicitCfnStackWithMultipleStacks as ot, groupRoutesByServer as p, discoverWebSocketApis as pt, resolveRuntimeImage as q, createLocalStartServiceCommand as r, LocalStateSourceError as rt, createLocalStartApiCommand as s, resolveCfnFallbackRegion as st, createLocalListCommand as t, substituteImagePlaceholders as tt, buildStageMap as u, CfnLocalStateProvider as ut, createJwksCache as v, resolveLambdaArnIntrinsic as vt, invokeRequestAuthorizer as w, buildMethodArn as x, verifyCognitoJwt as y, handleConnectionsRequest as z };
-//# sourceMappingURL=local-list-KUEmeW9J.js.map
+export { materializeLayerFromArn as $, matchRoute as A, parseConnectionsPath as B, evaluateCachedLambdaPolicy as C, buildCorsConfigByApiId as D, applyCorsResponseHeaders as E, HOST_GATEWAY_MIN_VERSION as F, resolveRuntimeCodeMountPath as G, buildDisconnectEvent as H, probeHostGatewaySupport as I, substituteAgainstState as J, resolveRuntimeFileExtension as K, ConnectionRegistry as L, applyAuthorizerOverlay as M, buildHttpApiV2Event as N, buildCorsConfigFromCloudFrontChain as O, buildRestV1Event as P, resolveEnvVars as Q, buildMgmtEndpointEnvUrl as R, computeRequestIdentityHash as S, invokeTokenAuthorizer as T, buildMessageEvent as U, buildConnectEvent as V, createLocalInvokeCommand as W, substituteEnvVarsFromState as X, substituteAgainstStateAsync as Y, substituteEnvVarsFromStateAsync as Z, buildJwksUrlFromIssuer as _, parseSelectionExpressionPath as _t, getContainerNetworkIp as a, isCfnFlagPresent as at, verifyJwtAuthorizer as b, resolveLambdaArnIntrinsic as bt, createAuthorizerCache as c, resolveCfnRegion as ct, availableApiIdentifiers as d, collectSsmParameterRefs as dt, derivePseudoParametersFromRegion as et, filterRoutesByApiIdentifier as f, resolveSsmParameters as ft, buildCognitoJwksUrl as g, discoverWebSocketApisOrThrow as gt, resolveServiceIntegrationParameters as h, discoverWebSocketApis as ht, CloudMapRegistry as i, createLocalStateProvider as it, translateLambdaResponse as j, matchPreflight as k, attachStageContext as l, resolveCfnStackName as lt, resolveSelectionExpression as m, listTargets as mt, formatTargetListing as n, tryResolveImageFnJoin as nt, createLocalRunTaskCommand as o, rejectExplicitCfnStackWithMultipleStacks as ot, groupRoutesByServer as p, countTargets as pt, resolveRuntimeImage as q, createLocalStartServiceCommand as r, LocalStateSourceError as rt, createLocalStartApiCommand as s, resolveCfnFallbackRegion as st, createLocalListCommand as t, substituteImagePlaceholders as tt, buildStageMap as u, CfnLocalStateProvider as ut, createJwksCache as v, discoverRoutes as vt, invokeRequestAuthorizer as w, buildMethodArn as x, verifyCognitoJwt as y, pickRefLogicalId as yt, handleConnectionsRequest as z };
+//# sourceMappingURL=local-list-CY18YQf1.js.map