feat(resources): Add JSONata propertyTransforms support for diff suppression

Implements CloudFormation-compatible property transforms using JSONata
expressions. These transforms normalize cloud provider responses to prevent
spurious diffs during refresh/update cycles.

Key changes:
- Extract propertyTransforms from CloudFormation schemas during code generation
- Add JSONata evaluation engine (blues/jsonata-go) for runtime transforms
- Apply transforms during diff calculation to normalize values before comparison
- Support all JSONata functions from CF schemas ($lowercase, $uppercase, $join, etc.)

75 resources now have propertyTransforms including:
- RDS: $lowercase(DBClusterIdentifier), $lowercase(Engine)
- EFS: $uppercase() for replicationOverwriteProtection enum normalization
- Various AWS services with identifier case normalization

Includes E2E tests validating:
- EFS DISABLED→REPLICATING enum transition handling
- RDS UPPERCASE→lowercase identifier normalization

Author: rshade

provider/cmd/pulumi-resource-aws-native/metadata.json

@@ -63,6 +63,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.29.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.2 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/blues/jsonata-go v1.5.4 // indirect
 	github.com/charmbracelet/bubbles v0.16.1 // indirect
 	github.com/charmbracelet/bubbletea v0.25.0 // indirect
 	github.com/charmbracelet/lipgloss v0.7.1 // indirect

provider/go.mod

@@ -147,6 +147,8 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/blues/jsonata-go v1.5.4 h1:XCsXaVVMrt4lcpKeJw6mNJHqQpWU751cnHdCFUq3xd8=
+github.com/blues/jsonata-go v1.5.4/go.mod h1:uns2jymDrnI7y+UFYCqsRTEiAH22GyHnNXrkupAVFWI=
 github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
 github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=

provider/go.sum

@@ -54,6 +54,16 @@ type CloudAPIResource struct {
 
 	// ListHandlerSchema contains a minimal subset of the CloudFormation list handler schema for a resource.
 	ListHandlerSchema *ListHandlerSchema `json:"listHandlerSchema,omitempty"`
+
+	// PropertyTransforms maps SDK property paths to JSONata expressions for drift detection.
+	// CloudFormation schemas include these transforms to define how property values should be
+	// normalized during comparison (e.g., case normalization, numeric to string mappings).
+	//
+	// Paths use lowerCamelCase with "/" separators and "*" for array elements.
+	// Example: {"securityGroupEgress/*/ipProtocol": "$lowercase(IpProtocol)"}
+	//
+	// The expressions are evaluated using JSONata (https://jsonata.org/).
+	PropertyTransforms map[string]string `json:"propertyTransforms,omitempty"`
 }
 
 type AutoNamingSpec struct {

provider/pkg/metadata/metadata.go

@@ -104,7 +104,8 @@ type cfnProvider struct {
 	forbiddenAccountIds []string
 	defaultTags         map[string]string
 
-	pulumiSchema []byte
+	pulumiSchema   []byte
+	transformCache *resources.TransformCache
 
 	cfn    *cloudformation.Client
 	ccc    client.CloudControlClient
@@ -127,12 +128,13 @@ func NewAwsNativeProvider(host *provider.HostClient, name, version string,
 	}
 
 	return &cfnProvider{
-		host:         host,
-		canceler:     makeCancellationContext(),
-		name:         name,
-		version:      version,
-		resourceMap:  resourceMap,
-		pulumiSchema: pulumiSchema,
+		host:           host,
+		canceler:       makeCancellationContext(),
+		name:           name,
+		version:        version,
+		resourceMap:    resourceMap,
+		pulumiSchema:   pulumiSchema,
+		transformCache: resources.NewTransformCache(),
 	}, nil
 }
 
@@ -841,6 +843,17 @@ func (p *cfnProvider) Diff(ctx context.Context, req *pulumirpc.DiffRequest) (*pu
 		return &pulumirpc.DiffResponse{Changes: pulumirpc.DiffResponse_DIFF_NONE}, nil
 	}
 
+	// Apply propertyTransform-based diff suppression for semantically equivalent values.
+	// This handles cases where AWS returns normalized values (e.g., lowercase identifiers,
+	// REPLICATING instead of DISABLED for EFS replication) that should not trigger updates.
+	resourceToken := string(urn.Type())
+	if spec, hasSpec := p.resourceMap.Resources[resourceToken]; hasSpec {
+		diff = resources.SuppressAWSManagedDiffs(resourceToken, &spec, diff, oldInputs, p.transformCache)
+		if diff == nil || (len(diff.Adds) == 0 && len(diff.Updates) == 0 && len(diff.Deletes) == 0) {
+			return &pulumirpc.DiffResponse{Changes: pulumirpc.DiffResponse_DIFF_NONE}, nil
+		}
+	}
+
 	return &pulumirpc.DiffResponse{
 		Changes:             pulumirpc.DiffResponse_DIFF_UNKNOWN,
 		DeleteBeforeReplace: true,
@@ -1062,7 +1075,7 @@ func (p *cfnProvider) Read(ctx context.Context, req *pulumirpc.ReadRequest) (*pu
 			// 4. Suppress AWS-managed changes from the diff. This removes:
 			//    - aws:* prefixed tags that AWS adds automatically (users cannot manage these)
 			//    - Resource-specific state transitions (e.g., EFS replication protection)
-			diff = resources.SuppressAWSManagedDiffs(resourceToken, &spec, diff, inputs)
+			diff = resources.SuppressAWSManagedDiffs(resourceToken, &spec, diff, inputs, p.transformCache)
 			// 5. Apply this difference to the actual inputs (not a projection) that we have in state.
 			newInputs = resources.ApplyDiff(inputs, diff)
 		}

provider/pkg/provider/provider.go

@@ -77,9 +77,10 @@ const (
 )
 
 func TestEfsReplicationProtection(t *testing.T) {
-	// Skip: takes ~45 min to run. Manual testing only.
+	// Skip: takes ~45 min to run due to EFS replication setup time. Manual testing only.
 	// Run with: go test -v -timeout 45m -run TestEfsReplicationProtection ./pkg/provider
-	t.Skip("Manual test: EFS replication takes ~45 minutes")
+	// The REPLICATING state suppression is now handled via propertyTransform.
+	t.Skip("Manual test: EFS replication setup takes ~45 minutes")
 
 	skipIfShort(t)
 
@@ -182,6 +183,94 @@ func TestEfsReplicationProtection(t *testing.T) {
 	t.Log("Test passed: Refresh and subsequent Up succeeded with REPLICATING enum value")
 }
 
+// TestRdsLowercaseTransforms tests that RDS DBCluster propertyTransforms correctly
+// suppress spurious diffs when AWS returns lowercase values for identifiers.
+//
+// RDS DBCluster has propertyTransforms like:
+//   - "$lowercase(DBClusterIdentifier)"
+//   - "$lowercase(Engine)"
+//   - "$lowercase(DBSubnetGroupName)"
+//
+// AWS always returns these values in lowercase, even if you provide uppercase input.
+// Without propertyTransforms, Pulumi would detect a diff and try to update.
+func TestRdsLowercaseTransforms(t *testing.T) {
+	// Skip: takes ~15-20 min to run (Aurora cluster creation). Manual testing only.
+	// Run with: go test -v -timeout 30m -run TestRdsLowercaseTransforms ./pkg/provider
+	t.Skip("Manual test: RDS cluster creation takes ~15-20 minutes")
+
+	skipIfShort(t)
+
+	// Use a random suffix to avoid naming conflicts
+	clusterSuffix := fmt.Sprintf("%d", rand.Intn(10000))
+
+	pt := pulumitest.NewPulumiTest(t, filepath.Join("testdata", "rds-lowercase-transforms"),
+		opttest.Env("PULUMI_DEBUG_GRPC", "true"),
+		opttest.LocalProviderPath("aws-native", filepath.Join("..", "..", "..", "bin")),
+	)
+	pt.SetConfig(t, "aws-native:region", "us-west-2")
+	pt.SetConfig(t, "clusterSuffix", clusterSuffix)
+	defer pt.Destroy(t)
+
+	// Phase 1: Initial deployment with UPPERCASE values
+	t.Log("=== Phase 1: Initial Preview and Up with UPPERCASE values ===")
+	pt.Preview(t)
+
+	up := pt.Up(t)
+	assert.NotNil(t, up.Summary)
+
+	// Verify AWS returned values
+	engine, ok := up.Outputs["engine"].Value.(string)
+	assert.True(t, ok, "engine output should be a string")
+	t.Logf("Engine after up: %s", engine)
+	assert.Equal(t, "aurora-mysql", engine, "Engine should be aurora-mysql")
+
+	// The key test: dbClusterIdentifier was specified as UPPERCASE but AWS returns lowercase
+	dbClusterIdentifier, ok := up.Outputs["dbClusterIdentifier"].Value.(string)
+	assert.True(t, ok, "dbClusterIdentifier output should be a string")
+	t.Logf("DBClusterIdentifier after up: %s (input was UPPERCASE)", dbClusterIdentifier)
+	// AWS normalizes identifiers to lowercase
+	expectedIdentifier := strings.ToLower(fmt.Sprintf("RDS-TRANSFORM-CLUSTER-%s", clusterSuffix))
+	assert.Equal(t, expectedIdentifier, dbClusterIdentifier,
+		"AWS should return dbClusterIdentifier in lowercase even though input was UPPERCASE")
+
+	// Log all outputs for debugging
+	t.Log("=== Outputs after initial up ===")
+	for k, v := range up.Outputs {
+		t.Logf("  %s = %v", k, v.Value)
+	}
+
+	// Phase 2: Refresh to get the current state from AWS
+	t.Log("=== Phase 2: Refresh to sync state with AWS ===")
+	refreshResult := pt.Refresh(t)
+	assert.NotNil(t, refreshResult.Summary, "Refresh should complete successfully")
+
+	t.Logf("=== Refresh StdOut ===\n%s", refreshResult.StdOut)
+	if refreshResult.StdErr != "" {
+		t.Logf("=== Refresh StdErr ===\n%s", refreshResult.StdErr)
+	}
+
+	// Phase 3: Run up again - this should NOT try to change anything
+	// The propertyTransforms should suppress the diff between UPPERCASE (input) and lowercase (AWS)
+	t.Log("=== Phase 3: Up after refresh (should have no changes) ===")
+	upAfterRefresh := pt.Up(t)
+	assert.NotNil(t, upAfterRefresh.Summary, "Up after refresh should complete successfully")
+
+	// Verify no changes were made
+	if upAfterRefresh.Summary.ResourceChanges != nil {
+		changes := *upAfterRefresh.Summary.ResourceChanges
+		t.Logf("Resource changes after refresh: %+v", changes)
+		// The only changes should be "same", not "update"
+		assert.Zero(t, changes["update"], "There should be no updates - propertyTransforms should suppress case diffs")
+	}
+
+	t.Log("=== Outputs after up (post-refresh) ===")
+	for k, v := range upAfterRefresh.Outputs {
+		t.Logf("  %s = %v", k, v.Value)
+	}
+
+	t.Log("Test passed: RDS lowercase propertyTransforms correctly suppressed case diffs")
+}
+
 func testUpgradeFrom(t *testing.T, test *pulumitest.PulumiTest, version string) {
 	result := providertest.PreviewProviderUpgrade(t, test, "aws-native", version)
 	assertpreview.HasNoChanges(t, result)

provider/pkg/provider/provider_2e2_test.go

@@ -0,0 +1,78 @@
+name: rds-lowercase-transforms
+runtime: yaml
+description: Test RDS DBCluster lowercase propertyTransforms
+
+config:
+  clusterSuffix:
+    type: string
+    default: "test"
+
+resources:
+  # Create a DB subnet group (required for Aurora)
+  dbSubnetGroup:
+    type: aws-native:rds:DbSubnetGroup
+    properties:
+      # Use UPPERCASE to test the $lowercase transform
+      dbSubnetGroupName: RDS-TRANSFORM-TEST-${clusterSuffix}
+      dbSubnetGroupDescription: Test subnet group for RDS propertyTransform testing
+      subnetIds:
+        - ${subnet1.id}
+        - ${subnet2.id}
+
+  # VPC for the RDS cluster
+  vpc:
+    type: aws-native:ec2:Vpc
+    properties:
+      cidrBlock: 10.0.0.0/16
+      enableDnsHostnames: true
+      enableDnsSupport: true
+
+  # Subnets in different AZs (required for Aurora)
+  subnet1:
+    type: aws-native:ec2:Subnet
+    properties:
+      vpcId: ${vpc.id}
+      cidrBlock: 10.0.1.0/24
+      availabilityZone: us-west-2a
+
+  subnet2:
+    type: aws-native:ec2:Subnet
+    properties:
+      vpcId: ${vpc.id}
+      cidrBlock: 10.0.2.0/24
+      availabilityZone: us-west-2b
+
+  # Aurora Serverless v2 cluster with UPPERCASE identifiers
+  # Note: engine must be lowercase (AWS requirement), but identifiers can be UPPERCASE
+  # AWS will normalize identifiers to lowercase, which propertyTransforms handle
+  dbCluster:
+    type: aws-native:rds:DbCluster
+    properties:
+      # Engine must be lowercase (AWS requirement)
+      engine: aurora-mysql
+      engineMode: provisioned
+      # Use UPPERCASE to test the $lowercase(DBClusterIdentifier) transform
+      # AWS will normalize this to lowercase
+      dbClusterIdentifier: RDS-TRANSFORM-CLUSTER-${clusterSuffix}
+      masterUsername: admin
+      manageMasterUserPassword: true
+      # dbSubnetGroupName comes from the subnet group output (already lowercase from AWS)
+      dbSubnetGroupName: ${dbSubnetGroup.dbSubnetGroupName}
+      serverlessV2ScalingConfiguration:
+        minCapacity: 0.5
+        maxCapacity: 2
+      # Note: AWS Native doesn't have skipFinalSnapshot - CloudFormation handles this differently
+      # deletionProtection defaults to false
+    options:
+      dependsOn:
+        - ${dbSubnetGroup}
+
+outputs:
+  # The engine should be returned lowercase by AWS
+  engine: ${dbCluster.engine}
+  # The cluster ID should be returned lowercase by AWS
+  dbClusterIdentifier: ${dbCluster.dbClusterIdentifier}
+  # The subnet group name should be returned lowercase by AWS
+  dbSubnetGroupName: ${dbSubnetGroup.dbSubnetGroupName}
+  # Full cluster for debugging
+  clusterArn: ${dbCluster.dbClusterArn}