awsdocs
diff --git a/‎notes.md‎
Lines changed: 165 additions & 0 deletions b/‎notes.md‎
Lines changed: 165 additions & 0 deletions
diff --git a/‎v2/guide/DELETE_refactor.md‎
Lines changed: 115 additions & 0 deletions b/‎v2/guide/DELETE_refactor.md‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎v2/guide/book.adoc‎
Lines changed: 2 additions & 0 deletions b/‎v2/guide/book.adoc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎v2/guide/doc-history.adoc‎
Lines changed: 14 additions & 0 deletions b/‎v2/guide/doc-history.adoc‎
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,165 @@
+Plugins
+=======
+The |cdk| toolkit provides extension points that enable users to augment the features provided by
+the toolkit. There is currently only one extension point, allowing users to define custom AWS
+credential providers, but other extension points may be added in the future as the needs arise.
+Loading Plugins
+---------------
+Plugins can be loaded by providing the Node module name (or path) to the CDK toolkit:
+1. Using the ``--plugin`` command line option (which can be specified multiple times):
+   .. code-block:: console
+      $ cdk list --plugin=module
+      $ cdk deploy --plugin=module_1 --plugin=module_2
+2. Adding entries to the ``~/.cdk.json`` or ``cdk.json`` file:
+   .. code-block:: js
+      {
+        // ...
+        "plugin": [
+            "module_1",
+            "module_2"
+        ],
+        // ...
+      }
+Authoring Plugins
+-----------------
+Plugins must be authored in TypeScript or Javascript, and are defined by implementing a Node module
+that implements the following protocol, and using :js:class:`~aws-cdk.PluginHost` methods:
+.. tabs::
+    .. code-tab:: typescript
+        import cdk = require('aws-cdk');
+        export = {
+            version: '1', // Version of the plugin infrastructure (currently always '1')
+            init(host: cdk.PluginHost): void {
+                // Your plugin initialization hook.
+                // Use methods of ``host`` to register custom code with the CDK toolkit
+            }
+        };
+    .. code-tab:: javascript
+        export = {
+            version: '1', // Version of the plugin infrastructure (currently always '1')
+            init(host) {
+                // Your plugin initialization hook.
+                // Use methods of ``host`` to register custom code with the CDK toolkit
+            }
+        };
+Credential Provider Plugins
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Custom credential providers are classes implementing the
+:js:class:`~aws-cdk.CredentialProviderSource` interface, and registered to the toolkit using
+the :js:func:`~aws-cdk.PluginHost.registerCredentialProviderSource` method.
+.. tabs::
+   .. code-tab:: typescript
+      import cdk = require('aws-cdk');
+      import aws = require('aws-sdk');
+      class CustomCredentialProviderSource implements cdk.CredentialProviderSource {
+        public async isAvailable(): Promise<boolean> {
+          // Return ``false`` if the plugin could determine it cannot be used (for example,
+          // if it depends on files that are not present on this host).
+          return true;
+        }
+        public async canProvideCredentials(accountId: string): Promise<boolean> {
+          // Return ``false`` if the plugin is unable to provide credentials for the
+          // requested account (for example if it's not managed by the credentials
+          // system that this plugin adds support for).
+          return true;
+        }
+        public async getProvider(accountId: string, mode: cdk.Mode): Promise<aws.Credentials> {
+          let credentials: aws.Credentials;
+          // Somehow obtain credentials in ``credentials``, and return those.
+          return credentials;
+        }
+      }
+      export = {
+        version = '1',
+        init(host: cdk.PluginHost): void {
+          // Register the credential provider to the PluginHost.
+          host.registerCredentialProviderSource(new CustomCredentialProviderSource());
+        }
+      };
+   .. code-tab:: javascript
+      class CustomCredentialProviderSource {
+        async isAvailable() {
+          // Return ``false`` if the plugin could determine it cannot be used (for example,
+          // if it depends on files that are not present on this host).
+          return true;
+        }
+        async canProvideCredentials(accountId) {
+          // Return ``false`` if the plugin is unable to provide credentials for the
+          // requested account (for example if it's not managed by the credentials
+          // system that this plugin adds support for).
+          return true;
+        }
+        async getProvider(accountId, mode) {
+          let credentials;
+          // Somehow obtain credentials in ``credentials``, and return those.
+          return credentials;
+        }
+      }
+      export = {
+        version = '1',
+        init(host) {
+          // Register the credential provider to the PluginHost.
+          host.registerCredentialProviderSource(new CustomCredentialProviderSource());
+        }
+      };
+Note that the credentials obtained from the providers for a given account and mode will be cached,
+and as a consequence it is strongly advised that the credentials objects returned are self-refreshing,
+as descibed in the `AWS SDK for Javascript documentation <https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Credentials.html>`_.
+Reference
+---------
+.. js:module:: aws-cdk
+CredentialProviderSource *(interface)*
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. js:class:: CredentialProviderSource
+   .. js:attribute:: name
+      A friendly name for the provider, which will be used in error messages, for example.
+      :type: ``string``
+   .. js:method:: isAvailable()
+      Whether the credential provider is even online. Guaranteed to be called before any of the other functions are called.
+      :returns: ``Promise<boolean>``
+   .. js:method:: canProvideCredentials(accountId)
+      Whether the credential provider can provide credentials for the given account.
+      :param string accountId: the account ID for which credentials are needed.
+      :returns: ``Promise<boolean>``
+   .. js:method:: getProvider(accountId, mode)
+      Construct a credential provider for the given account and the given access mode.
+      Guaranteed to be called only if canProvideCredentails() returned true at some point.
+      :param string accountId: the account ID for which credentials are needed.
+      :param aws-cdk.Mode mode: the kind of operations the credentials are intended to perform.
+      :returns: ``Promise<aws.Credentials>``
+Mode *(enum)*
+^^^^^^^^^^^^^
+.. js:class:: Mode
+   .. js:data:: ForReading
+      Credentials are inteded to be used for read-only scenarios.
+   .. js:data:: ForWriting
+      Credentials are intended to be used for read-write scenarios.
+Plugin *(interface)*
+^^^^^^^^^^^^^^^^^^^^
+.. js:class:: Plugin()
+   .. js:attribute:: version
+      The version of the plug-in interface used by the plug-in. This will be used by
+      the plug-in host to handle version changes. Currently, the only valid value for
+      this attribute is ``'1'``.
+      :type: ``string``
+   .. js:method:: init(host)
+      When defined, this function is invoked right after the plug-in has been loaded,
+      so that the plug-in is able to initialize itself. It may call methods of the
+      :js:class:`~aws-cdk.PluginHost` instance it receives to register new
+      :js:class:`~aws-cdk.CredentialProviderSource` instances.
+      :param aws-cdk.PluginHost host: The |cdk| plugin host
+      :returns: ``void``
+PluginHost
+^^^^^^^^^^
+.. js:class:: PluginHost()
+   .. js:data:: instance
+      :type: :js:class:`~aws-cdk.PluginHost`
+   .. js:method:: load(moduleSpec)
+      Loads a plug-in into this PluginHost.
+      :param string moduleSpec: the specification (path or name) of the plug-in module to be loaded.
+      :throws Error: if the provided ``moduleSpec`` cannot be loaded or is not a valid :js:class:`~aws-cdk.Plugin`.
+      :returns: ``void``
+   .. js:method:: registerCredentialProviderSource(source)
+      Allows plug-ins to register new :js:class:`~aws-cdk.CredentialProviderSources`.
+      :param aws-cdk.CredentialProviderSources source: a new CredentialProviderSource to register.
+      :returns: ``void``
@@ -0,0 +1,115 @@
+# CDK refactor and cross-stack references
+
+## Executive summary
+
+CloudFormation’s stack refactoring API does not allow modifications (other than resource moves). But we want to give CDK users a more flexible experience, by allowing them to move resources while also adding and removing other resources. These additions and removals will be ignored by the toolkit, and only what has moved will be sent to the API for refactoring. One implication of this flexibility is that the refactor opeartion may leave the infrastructure in a state that is not the same as the CDK application.
+
+This becomes a problem when this putative intermediate state has cross-stack references that don’t exist in the CDK application. Due to the way CloudFormation deals with references and exports, we would either not be able to create this kind of reference, or create it in a way that blocks subsequent deployments.
+
+The proposed solution in this document is to change the matching algorithm to only allow a refactor if the deployed stack and the CDK output are exactly the same, up to resource locations. So, instead of building a more flexible experience on top of CFN, we impose the same constraints they do. In exchange, we gain predictability and also, when we refuse to do a refactor, it's easy to explain to the user why.
+
+## What's wrong
+
+Suppose you have two resources, with logical IDs `Foo` and `Bar`, living in the same stack. `Foo` has a reference to `Bar`:
+
+```
+Resources:
+  Foo:
+    ...
+    Properties:
+      SomeProp:
+        Ref: Bar # <-- in-stack reference
+
+  Bar: ...
+```
+
+Using CloudFormation's stack refactoring API, you can move `Bar` to another stack, as long as you keep `Foo` pointing to it. The way to represent this cross-stack reference in CloudFormation is to create an output in the target stack referencing the resource you want. This output must have an export name which can then be imported using the `Fn::ImportValue` intrinsic function in the consuming stack:
+
+```
+# Original stack
+Resources:
+  Foo:
+    ...
+    Properties:
+      SomeProp:
+        Fn::ImportValue: RefBarExport # <-- replaced with a cross-stack one
+```
+
+```
+# New stack
+Resources:
+  Bar: ...
+Outputs:
+  Value:
+    Ref: Bar
+  Export:
+    Name: RefBarExport
+```
+
+Converting an in-stack reference into a cross-stack reference like this poses no problems when using CloudFormation templates in isolation. But when the templates are the output of a CDK application, there is a case where we may run into problems. Here is an example:
+[Image: Untitled-2025-06-24-1119.excalidraw.png]
+Suppose you have a Lambda function and a DynamoDB table in the same stack, with the function referencing the table (via a `Ref`, for example). This is the deployed state of the infrastructure. Then, in their CDK application, the user moves the table to another stack and, at the same time, replaces the function with another one, `Lambda'`. The matching algorithm will detect that the table was moved from Stack X to Stack Y. But since `Lambda'` is different from `Lambda`, the function is not going to be part of the mappings sent to the stack refactoring API. The result of this refactor is that the table will be moved to the other stack, but the function will stay where it was. Since the stack refactoring API doesn’t allow modifications, `Lambda` still needs to reference `Table`, even if they are in different stacks. The natural thing to do would be to convert the `Ref` into an `Fn::ImportValue`, as described above.
+
+But here is the problem: `Fn::ImportValue` needs a corresponding export. And, in this case, there is none. Note how Stack Y, in the CDK output has no need to export anything, even after the move. We could create an ad-hoc export just for the refactor, but that would cause another problem: the next deploy would fail, as it would try to remove the export while an import for it (in `Lambda`) still exists. We could then try to solve that, by doing a corrective deployment immediately after. First deploying Stack X, thus removing the importer, then deploying Stack Y, which would safely remove the export and add the new function. But in the period between the two deploys, there would be no Lambda function at all, potentially causing downtime for the customer.
+
+In summary: **if a refactor would create cross-stack references that don’t exist in the local CDK output, that refactor is invalid, and cannot be executed.**
+
+## Possible solutions
+
+### 1. Break references before deployment
+
+This is a muti-step solution. Before using the stack refactor API, we will first do a deploy to break all references between resources. Here, “breaking a reference” means replacing CloudFormation intrinsic function calls with the value those functions resolve to:
+
+* For `Fn::ImportValue`, we can get the export value from `describeStacks`.
+* For `Ref`, we can get the physical ID from `describeStackResources`.
+* For `Fn::GetAtt`, we need an additional step. After getting the physical ID from `describeStackResources`, we use CCAPI’s `getResource` method to read the value of the attribute.
+* For `Fn::Sub`, we replace each variable that is not in the map, using either the method for `Ref` or `Fn::GetAtt` described in the two previous points.
+
+The next step is the refactor itself. Since there are no references before the refactor, there won’t be any after, either. And then the next deploy is safe because there is no risk of it trying to remove an export that is in use. Note that the next deploy will reinstate all the references that exist in the CDK app. To recap, these are the states the stacks would go through in the process, in the example above:
+
+
+[Image: states-with-ref-breaking.excalidraw.png]
+
+The problem with this option is that, in the last deployment, if we pick the wrong order, we might cause downtime for customers. In this example, if we deploy stack X before stack Y, there will be a period of time in which no Lambda function is available. This is much higher risk than causing a deployment failure.
+
+### 2. Stop the refactor and give an error message
+
+If we don't have an output to use (and knowing that we can't create one), stop the process, and let the user know that this is an impossible situation. We can marginally reduce the chance of this happening by adding some heuristics to the matching algorithm. These heuristics can exploit patterns in the construct tree. For example, in certain cases we can detect groups of resources that should be moved together because they belong to the same high-level construct.
+
+But there will always be cases that fall outside any of these patterns, such as in the example above.
+
+### 3. Overdo the refactor
+
+This is essentially taking the idea of moving resources together to the extreme, with the following algorithm:
+
+```
+1. Produce an initial list of mappings;
+2. Flag all the problematic references that would be created by this refactor;
+3. While there are flagged references:
+4.   For each flagged reference, include its source in the list of mappings;
+5.   Re-flag all the references as necessary;
+```
+
+Line 4 would guarantee that, instead of generating a problematic cross-stack reference, we would preserve the original in-stack reference (only moved wholesale to another stack). By doing this, however, we could create new problematic references, so we repeat the process until the graph is cleared up.
+
+The downside of this solution is that we may end up refactoring more than the user intended to. For example, moving large numbers of resources across stacks, when the user only wanted a single resource moved.
+
+### 4. Forbid any changes (preferred)
+
+We could go to the other extreme, and forbid any additions, deletions or modifications in the local state compared to the deployed state. We would sacrifice flexibility, but the problem would go away.
+
+### 5. Trust mode for refactoring
+
+The reason this problem arises in the first place is that CloudFormation’s refactor API does not allow modifications. This forces us to compute a new state that includes the resource moves the user has made, but no other changes (additions, deletions or modifications of resources). A successful refactor operation would move the user’s stacks to this new state. But this also creates a mismatch between what is deployed and the CDK output, as in the case of the example above.
+
+If CloudFormation had a “trust mode”, with which clients could include modifications (and therefore CloudFormation made fewer validations), we could send the current state of the CDK application, as is, without having to compute this intermediate state. This trust mode could be enabled with a flag in the API.
+
+*This is the cleanest solution, and the one we would prefer. But most of the work would have to be done on the CloudFormation service. To our knowledge, this is not even in their plans.*
+
+### 6. Direct cross-stack references
+
+Contrary to the old saying, we could solve this problem by *removing* a layer of indirection. Instead of having an output mediating the reference between two resources, CloudFormation could allow direct references, maybe using the existing `Ref` and `Fn::GetAtt` intrinsic functions with fully qualified names (e.g., `{Ref: "SomeStack.SomeResource"}`) or, if necessary, by introducing new functions that work across stacks.
+
+Not only would this simplify the implementation a lot and reduce the risk of bugs, it would also completely solve the problem discussed in this document. If there is no output to create and/or delete, there is no risk of users getting their resources stuck in a deadly embrace. And we could do exactly the refactor the user wants: no more and no less.
+
+The CloudFormation team has already done some [investigation](https://quip-amazon.com/r0TpAvT4CD83/CloudFormation-Cross-AccountRegion-Reference-Solutions) on the problem of cross-stack referencing, and are planning to deliver a new intrinsic function this year. When they deliver this, we can reassess whether we want to switch to the new intrinsic function.
@@ -57,6 +57,8 @@ include::chapter-deploy.adoc[leveloffset=+1]
 
 include::blueprints.adoc[leveloffset=+1]
 
+include::refactor.adoc[leveloffset=+1]
+
 include::plugins.adoc[leveloffset=+1]
 
 include::toolkit-library.adoc[leveloffset=+1]
 
@@ -23,6 +23,20 @@ The table below represents significant documentation milestones. We fix errors a
 [.updates]
 == Updates
 
+[.update,date="2025-09-08"]
+=== Add documentation for preserving deployed resources when refactoring CDK code
+
+With {aws} Cloud Development Kit ({aws} CDK) refactoring, you can refactor your CDK code, such as renaming constructs, moving resources between stacks, and reorganizing your application, while preserving your deployed resources instead of replacing them. For more information, see link:https://docs.aws.amazon.com/cdk/v2/guide/refactor.html[Preserve deployed resources when refactoring CDK code].
+
+[.update,date="2025-08-29"]
+=== Add documentation for opting out of CDK CLI telemetry
+Learn how to opt out of CDK CLI telemetry in advance of its release using the CDK CLI, context values, or an environment variable. For more information, see link:https://docs.aws.amazon.com/cdk/v2/guide/cli-telemetry.html[Configure {aws} CDK CLI telemetry].
+
+[.update,date="2025-08-20"]
+=== Add documentation for CDK feature flag configuration
+
+Use the {aws} CDK CLI `cdk flags` command to view your current feature flag configurations and modify them as needed. For more information, see link:https://docs.aws.amazon.com/cdk/v2/guide/ref-cli-cmd-flags.html[`cdk flags`].
+
 [.update,date="2025-03-27"]
 === Document bootstrap template versions v26 and v27