fix: patch SdkProvider._makeSdk for CDK >= 2.177.0 to support path-style S3 URLs

[whummer]

Problem

When using cdklocal deploy with CDK >= 2.177.0 against a remote LocalStack endpoint (e.g. *.sandbox.localstack.cloud), asset publishing fails with TLS errors:

QuizAppStack: fail: write EPROTO C0988EF501000000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:918:SSL alert number 80

Failed to publish asset GetQuizFunctionLambdaFunction/Code (current_account-current_region-3be8a451)

The root cause is that CDK 2.177.0 reorganised its package structure — aws-cdk/lib now resolves to legacy-exports.js, a thin static wrapper that no longer exposes the real SdkProvider instance methods (e.g. _makeSdk). As a result, the existing patching mechanism in cdklocal no longer takes effect, and S3 clients are created without forcePathStyle: true.

Without path-style URLs, the AWS SDK constructs S3 requests using virtual-hosted-style URLs (e.g. https://<bucket>.abc.sandbox.localstack.cloud/...). The wildcard TLS certificate for sandbox endpoints only covers one subdomain level, so these requests fail the TLS handshake with an internal alert.

Solution

Load the real SdkProvider by resolving the CDK package root and requiring index.js directly (bypassing the exports field), then patch _makeSdk to inject forcePathStyle: true into every SDK instance's config.

The patch is applied conditionally — only when one of the following is true:

• AWS_S3_FORCE_PATH_STYLE is set — explicit opt-in via env var
• AWS_ENDPOINT_URL hostname contains .sandbox. — automatic detection for remote LocalStack sandbox endpoints

[skyrpex]

I wasn't convinced this was going to work with aws-cdk@^2.1114.0 because they removed all exports from the package except for a few, making it illegal to access most of the files and forbidding monkey-patching, BUT turns out that importing a module using an absolute path avoids this restriction. This behavior might be a bug in the node resolution algorithm but if it works temporarily, there's no reason not to accept it.

Just be mindful that this patch could stop working anytime. Any future errors are already swallowed so that's good.