@aws/ml-container-creator 0.2.0

package/templates/do/clean

@@ -0,0 +1,811 @@
+#!/bin/bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+set -u
+set -o pipefail
+
+# Source configuration
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/config"
+
+# Parse arguments
+CLEANUP_TARGET=""
+FORCE_CLEAN=false
+
+for arg in "$@"; do
+    case "$arg" in
+        --force) FORCE_CLEAN=true ;;
+        -*) ;; # ignore other flags
+        *) CLEANUP_TARGET="$arg" ;;
+    esac
+done
+
+# Function to display usage
+show_usage() {
+<% if (deploymentTarget === 'managed-inference') { %>
+    echo "Usage: ./do/clean [local|ecr|endpoint|codebuild|all]"
+<% } else if (deploymentTarget === 'async-inference') { %>
+    echo "Usage: ./do/clean [local|ecr|endpoint|codebuild|all]"
+<% } else if (deploymentTarget === 'batch-transform') { %>
+    echo "Usage: ./do/clean [local|ecr|batch|codebuild|all]"
+<% } else if (deploymentTarget === 'hyperpod-eks') { %>
+    echo "Usage: ./do/clean [local|ecr|hyperpod|codebuild|all]"
+<% } %>
+    echo ""
+    echo "Cleanup targets:"
+    echo "  local     - Remove local Docker images"
+    echo "  ecr       - Remove images from Amazon ECR"
+<% if (deploymentTarget === 'managed-inference') { %>
+    echo "  endpoint  - Delete SageMaker endpoint, configuration, and model"
+<% } else if (deploymentTarget === 'async-inference') { %>
+    echo "  endpoint  - Delete SageMaker async endpoint, configuration, and inference component"
+<% } else if (deploymentTarget === 'batch-transform') { %>
+    echo "  batch     - Stop running transform job and delete SageMaker model"
+<% } else if (deploymentTarget === 'hyperpod-eks') { %>
+    echo "  hyperpod  - Delete HyperPod EKS deployment and services"
+<% } %>
+    echo "  codebuild - Delete CodeBuild project, IAM role, and S3 source artifacts"
+    echo "  all       - Perform all cleanup operations"
+    echo ""
+    echo "Examples:"
+    echo "  ./do/clean local      # Remove local Docker images only"
+<% if (deploymentTarget === 'managed-inference') { %>
+    echo "  ./do/clean endpoint   # Delete SageMaker resources only"
+<% } else if (deploymentTarget === 'async-inference') { %>
+    echo "  ./do/clean endpoint   # Delete SageMaker async resources only"
+<% } else if (deploymentTarget === 'batch-transform') { %>
+    echo "  ./do/clean batch      # Stop transform job and delete model"
+<% } else if (deploymentTarget === 'hyperpod-eks') { %>
+    echo "  ./do/clean hyperpod   # Delete HyperPod EKS resources only"
+<% } %>
+    echo "  ./do/clean codebuild  # Delete CodeBuild project and rebuild fresh"
+    echo "  ./do/clean all        # Clean up everything"
+}
+
+# Function to confirm action (skipped when --force is set)
+confirm_action() {
+    local message="$1"
+    if [ "${FORCE_CLEAN}" = true ]; then
+        return 0
+    fi
+    echo ""
+    echo "⚠️  ${message}"
+    read -p "   Are you sure? (yes/no): " -r
+    echo ""
+    if [[ ! $REPLY =~ ^[Yy][Ee][Ss]$ ]]; then
+        echo "❌ Operation cancelled"
+        return 1
+    fi
+    return 0
+}
+
+# Function to clean local Docker images
+clean_local() {
+    echo "🧹 Cleaning local Docker images"
+    echo "   Project: ${PROJECT_NAME}"
+    
+    # Build list of image patterns to clean
+    # Pattern 1: locally built images (e.g., my-project:latest)
+    # Pattern 2: ECR-pulled images (e.g., <account>.dkr.ecr.<region>.amazonaws.com/<repo>:<project>-latest)
+    LOCAL_PATTERN="^${PROJECT_NAME}:"
+    ECR_PATTERN="\.dkr\.ecr\..*\.amazonaws\.com/${ECR_REPOSITORY_NAME}:${PROJECT_NAME}-"
+
+    # Check if any matching images exist
+    if ! docker images --format "{{.Repository}}:{{.Tag}}" | grep -qE "${LOCAL_PATTERN}|${ECR_PATTERN}"; then
+        echo "ℹ️  No local images found for ${PROJECT_NAME}"
+        return 0
+    fi
+    
+    # List images to be removed
+    echo ""
+    echo "Images to be removed:"
+    docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "${LOCAL_PATTERN}|${ECR_PATTERN}" | while read -r image; do
+        echo "   ${image}"
+    done
+    
+    if ! confirm_action "This will remove all local Docker images for ${PROJECT_NAME}"; then
+        return 1
+    fi
+    
+    # Remove images
+    echo "🗑️  Removing local images..."
+    docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "${LOCAL_PATTERN}|${ECR_PATTERN}" | while read -r image; do
+        echo "   Removing: ${image}"
+        docker rmi "${image}" || echo "   ⚠️  Failed to remove ${image}"
+    done
+    
+    echo "✅ Local images cleaned"
+}
+
+# Function to clean ECR images
+clean_ecr() {
+    echo "🧹 Cleaning ECR images"
+    echo "   Repository: ${ECR_REPOSITORY_NAME}"
+    echo "   Region: ${AWS_REGION}"
+    
+    # Validate AWS credentials
+    if ! aws sts get-caller-identity &> /dev/null; then
+        echo "❌ AWS credentials not configured"
+        echo "   Run: aws configure"
+        exit 4
+    fi
+    
+    # Get AWS account ID
+    AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+    
+    # Check if repository exists
+    if ! aws ecr describe-repositories \
+        --repository-names "${ECR_REPOSITORY_NAME}" \
+        --region "${AWS_REGION}" &> /dev/null; then
+        echo "ℹ️  ECR repository ${ECR_REPOSITORY_NAME} does not exist"
+        return 0
+    fi
+    
+    # List images in repository
+    echo ""
+    echo "Checking for images in repository..."
+    
+    if ! IMAGE_IDS=$(aws ecr list-images \
+        --repository-name "${ECR_REPOSITORY_NAME}" \
+        --region "${AWS_REGION}" \
+        --query 'imageIds[*].[imageTag]' \
+        --output text 2>&1); then
+        echo "ℹ️  No images found in repository"
+        return 0
+    fi
+    
+    if [ -z "${IMAGE_IDS}" ] || [ "${IMAGE_IDS}" = "None" ]; then
+        echo "ℹ️  No images found in repository"
+        return 0
+    fi
+    
+    # Display images
+    echo "Images in repository:"
+    echo "${IMAGE_IDS}" | while read -r tag; do
+        if [ -n "${tag}" ] && [ "${tag}" != "None" ]; then
+            echo "   - ${tag}"
+        fi
+    done
+    
+    if ! confirm_action "This will remove all images from ECR repository ${ECR_REPOSITORY_NAME}"; then
+        return 1
+    fi
+    
+    # Remove images
+    echo "🗑️  Removing ECR images..."
+    
+    # Get image IDs in JSON format for batch delete
+    IMAGE_IDS_JSON=$(aws ecr list-images \
+        --repository-name "${ECR_REPOSITORY_NAME}" \
+        --region "${AWS_REGION}" \
+        --query 'imageIds' \
+        --output json)
+    
+    if [ "${IMAGE_IDS_JSON}" != "[]" ]; then
+        if aws ecr batch-delete-image \
+            --repository-name "${ECR_REPOSITORY_NAME}" \
+            --region "${AWS_REGION}" \
+            --image-ids "${IMAGE_IDS_JSON}" &> /dev/null; then
+            echo "✅ ECR images removed"
+        else
+            echo "❌ Failed to remove some ECR images"
+            return 1
+        fi
+    else
+        echo "ℹ️  No images to remove"
+    fi
+}
+
+<% if (deploymentTarget === 'managed-inference') { %>
+# Function to clean SageMaker endpoint and inference components
+clean_endpoint() {
+    echo "🧹 Cleaning SageMaker resources"
+    echo "   Project: ${PROJECT_NAME}"
+    echo "   Region: ${AWS_REGION}"
+    
+    # Validate AWS credentials
+    if ! aws sts get-caller-identity &> /dev/null; then
+        echo "❌ AWS credentials not configured"
+        echo "   Run: aws configure"
+        exit 4
+    fi
+
+    AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+    
+    # Use names from config (set by do/deploy) or argument
+    local EP_NAME="${ENDPOINT_NAME:-}"
+    local IC_NAME="${INFERENCE_COMPONENT_NAME:-}"
+    local EPC_NAME="${ENDPOINT_CONFIG_NAME:-}"
+
+    if [ -z "${EP_NAME}" ]; then
+        echo "❌ No endpoint name found"
+        echo "   Run ./do/deploy first, or set ENDPOINT_NAME in do/config"
+        return 1
+    fi
+
+    echo ""
+    echo "Checking for SageMaker resources..."
+
+    local ENDPOINT_EXISTS=false
+
+    if aws sagemaker describe-endpoint \
+        --endpoint-name "${EP_NAME}" \
+        --region "${AWS_REGION}" &> /dev/null; then
+        ENDPOINT_EXISTS=true
+        echo "   ✓ Endpoint: ${EP_NAME}"
+    else
+        echo "ℹ️  Endpoint not found: ${EP_NAME}"
+        return 0
+    fi
+
+    # Check for inference component
+    local IC_EXISTS=false
+    if [ -n "${IC_NAME}" ]; then
+        if aws sagemaker describe-inference-component \
+            --inference-component-name "${IC_NAME}" \
+            --region "${AWS_REGION}" &> /dev/null; then
+            IC_EXISTS=true
+            echo "   ✓ Inference component: ${IC_NAME}"
+        fi
+    fi
+
+    if ! confirm_action "This will delete the SageMaker endpoint and inference component(s)"; then
+        return 1
+    fi
+
+    # Delete inference component first (must be deleted before endpoint)
+    if [ "${IC_EXISTS}" = true ]; then
+        echo "🗑️  Deleting inference component: ${IC_NAME}"
+        if aws sagemaker delete-inference-component \
+            --inference-component-name "${IC_NAME}" \
+            --region "${AWS_REGION}" &> /dev/null; then
+            echo "⏳ Waiting for inference component deletion..."
+            aws sagemaker wait inference-component-deleted \
+                --inference-component-name "${IC_NAME}" \
+                --region "${AWS_REGION}" 2>/dev/null || sleep 15
+            echo "✅ Inference component deleted"
+
+            # Mark inference component as deleted in manifest (non-blocking)
+            ./do/manifest delete --id "arn:aws:sagemaker:${AWS_REGION}:${AWS_ACCOUNT_ID}:inference-component/${IC_NAME}" 2>/dev/null || true
+        else
+            echo "❌ Failed to delete inference component"
+        fi
+    fi
+
+    # Delete endpoint
+    echo "🗑️  Deleting endpoint: ${EP_NAME}"
+    if aws sagemaker delete-endpoint \
+        --endpoint-name "${EP_NAME}" \
+        --region "${AWS_REGION}" &> /dev/null; then
+        echo "✅ Endpoint deleted"
+        echo "⏳ Waiting for endpoint deletion..."
+        aws sagemaker wait endpoint-deleted \
+            --endpoint-name "${EP_NAME}" \
+            --region "${AWS_REGION}" 2>/dev/null || sleep 10
+
+        # Mark endpoint as deleted in manifest (non-blocking)
+        ./do/manifest delete --id "arn:aws:sagemaker:${AWS_REGION}:${AWS_ACCOUNT_ID}:endpoint/${EP_NAME}" 2>/dev/null || true
+    else
+        echo "❌ Failed to delete endpoint"
+    fi
+
+    # Delete endpoint configuration
+    if [ -n "${EPC_NAME}" ]; then
+        echo "🗑️  Deleting endpoint configuration: ${EPC_NAME}"
+        if aws sagemaker delete-endpoint-config \
+            --endpoint-config-name "${EPC_NAME}" \
+            --region "${AWS_REGION}" &> /dev/null; then
+            echo "✅ Endpoint configuration deleted"
+
+            # Mark endpoint config as deleted in manifest (non-blocking)
+            ./do/manifest delete --id "arn:aws:sagemaker:${AWS_REGION}:${AWS_ACCOUNT_ID}:endpoint-config/${EPC_NAME}" 2>/dev/null || true
+        else
+            echo "❌ Failed to delete endpoint configuration"
+        fi
+    fi
+
+    # Remove saved names from config
+    if grep -q "^export ENDPOINT_NAME=" "${SCRIPT_DIR}/config" 2>/dev/null; then
+        sed -i.bak '/^# Last deployed resources/d;/^export ENDPOINT_NAME=/d;/^export ENDPOINT_CONFIG_NAME=/d;/^export INFERENCE_COMPONENT_NAME=/d' "${SCRIPT_DIR}/config"
+        rm -f "${SCRIPT_DIR}/config.bak"
+    fi
+    
+    echo "✅ SageMaker resources cleaned"
+}
+<% } else if (deploymentTarget === 'async-inference') { %>
+# Function to clean SageMaker async endpoint and model
+clean_endpoint() {
+    echo "🧹 Cleaning SageMaker async resources"
+    echo "   Project: ${PROJECT_NAME}"
+    echo "   Region: ${AWS_REGION}"
+    
+    # Validate AWS credentials
+    if ! aws sts get-caller-identity &> /dev/null; then
+        echo "❌ AWS credentials not configured"
+        echo "   Run: aws configure"
+        exit 4
+    fi
+
+    AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+    
+    # Use names from config (set by do/deploy) or argument
+    local EP_NAME="${ENDPOINT_NAME:-}"
+    local EPC_NAME="${ENDPOINT_CONFIG_NAME:-}"
+    local SM_MODEL_NAME="${SAGEMAKER_MODEL_NAME:-}"
+
+    if [ -z "${EP_NAME}" ]; then
+        echo "❌ No endpoint name found"
+        echo "   Run ./do/deploy first, or set ENDPOINT_NAME in do/config"
+        return 1
+    fi
+
+    echo ""
+    echo "Checking for SageMaker resources..."
+
+    local ENDPOINT_EXISTS=false
+
+    if aws sagemaker describe-endpoint \
+        --endpoint-name "${EP_NAME}" \
+        --region "${AWS_REGION}" &> /dev/null; then
+        ENDPOINT_EXISTS=true
+        echo "   ✓ Endpoint: ${EP_NAME}"
+    else
+        echo "ℹ️  Endpoint not found: ${EP_NAME}"
+        return 0
+    fi
+
+    if ! confirm_action "This will delete the SageMaker async endpoint and model"; then
+        return 1
+    fi
+
+    # Delete endpoint
+    echo "🗑️  Deleting endpoint: ${EP_NAME}"
+    if aws sagemaker delete-endpoint \
+        --endpoint-name "${EP_NAME}" \
+        --region "${AWS_REGION}" &> /dev/null; then
+        echo "✅ Endpoint deleted"
+        echo "⏳ Waiting for endpoint deletion..."
+        aws sagemaker wait endpoint-deleted \
+            --endpoint-name "${EP_NAME}" \
+            --region "${AWS_REGION}" 2>/dev/null || sleep 10
+
+        # Mark endpoint as deleted in manifest (non-blocking)
+        ./do/manifest delete --id "arn:aws:sagemaker:${AWS_REGION}:${AWS_ACCOUNT_ID}:endpoint/${EP_NAME}" 2>/dev/null || true
+    else
+        echo "❌ Failed to delete endpoint"
+    fi
+
+    # Delete endpoint configuration
+    if [ -n "${EPC_NAME}" ]; then
+        echo "🗑️  Deleting endpoint configuration: ${EPC_NAME}"
+        if aws sagemaker delete-endpoint-config \
+            --endpoint-config-name "${EPC_NAME}" \
+            --region "${AWS_REGION}" &> /dev/null; then
+            echo "✅ Endpoint configuration deleted"
+
+            # Mark endpoint config as deleted in manifest (non-blocking)
+            ./do/manifest delete --id "arn:aws:sagemaker:${AWS_REGION}:${AWS_ACCOUNT_ID}:endpoint-config/${EPC_NAME}" 2>/dev/null || true
+        else
+            echo "❌ Failed to delete endpoint configuration"
+        fi
+    fi
+
+    # Delete SageMaker model (async uses classic model-based flow)
+    if [ -n "${SM_MODEL_NAME}" ]; then
+        echo "🗑️  Deleting SageMaker model: ${SM_MODEL_NAME}"
+        if aws sagemaker delete-model \
+            --model-name "${SM_MODEL_NAME}" \
+            --region "${AWS_REGION}" &> /dev/null; then
+            echo "✅ SageMaker model deleted"
+
+            # Mark model as deleted in manifest (non-blocking)
+            ./do/manifest delete --id "arn:aws:sagemaker:${AWS_REGION}:${AWS_ACCOUNT_ID}:model/${SM_MODEL_NAME}" 2>/dev/null || true
+        else
+            echo "❌ Failed to delete SageMaker model"
+        fi
+    fi
+
+    # Remove saved names from config
+    if grep -q "^export ENDPOINT_NAME=" "${SCRIPT_DIR}/config" 2>/dev/null; then
+        sed -i.bak '/^# Last deployed resources/d;/^export ENDPOINT_NAME=/d;/^export ENDPOINT_CONFIG_NAME=/d;/^export SAGEMAKER_MODEL_NAME=/d' "${SCRIPT_DIR}/config"
+        rm -f "${SCRIPT_DIR}/config.bak"
+    fi
+    
+    echo "✅ SageMaker async resources cleaned"
+}
+<% } else if (deploymentTarget === 'batch-transform') { %>
+# Function to clean SageMaker managed inference batch resources
+clean_batch() {
+    echo "🧹 Cleaning SageMaker managed inference batch resources"
+    echo "   Project: ${PROJECT_NAME}"
+    echo "   Region: ${AWS_REGION}"
+    
+    # Validate AWS credentials
+    if ! aws sts get-caller-identity &> /dev/null; then
+        echo "❌ AWS credentials not configured"
+        echo "   Run: aws configure"
+        exit 4
+    fi
+    
+    # Use names from config (set by do/deploy)
+    local TJ_NAME="${TRANSFORM_JOB_NAME:-}"
+    local SM_MODEL_NAME="${SAGEMAKER_MODEL_NAME:-}"
+
+    if [ -z "${TJ_NAME}" ] && [ -z "${SM_MODEL_NAME}" ]; then
+        echo "❌ No transform job or model name found"
+        echo "   Run ./do/deploy first, or set TRANSFORM_JOB_NAME in do/config"
+        return 1
+    fi
+
+    echo ""
+    echo "Checking for SageMaker resources..."
+
+    # Check transform job status
+    local JOB_EXISTS=false
+    local JOB_STATUS=""
+    if [ -n "${TJ_NAME}" ]; then
+        JOB_STATUS=$(aws sagemaker describe-transform-job \
+            --transform-job-name "${TJ_NAME}" \
+            --region "${AWS_REGION}" \
+            --query 'TransformJobStatus' \
+            --output text 2>/dev/null || echo "")
+        if [ -n "${JOB_STATUS}" ]; then
+            JOB_EXISTS=true
+            echo "   ✓ Transform job: ${TJ_NAME} (${JOB_STATUS})"
+        else
+            echo "ℹ️  Transform job not found: ${TJ_NAME}"
+        fi
+    fi
+
+    # Check model
+    local MODEL_EXISTS=false
+    if [ -n "${SM_MODEL_NAME}" ]; then
+        if aws sagemaker describe-model \
+            --model-name "${SM_MODEL_NAME}" \
+            --region "${AWS_REGION}" &> /dev/null; then
+            MODEL_EXISTS=true
+            echo "   ✓ SageMaker model: ${SM_MODEL_NAME}"
+        else
+            echo "ℹ️  SageMaker model not found: ${SM_MODEL_NAME}"
+        fi
+    fi
+
+    if [ "${JOB_EXISTS}" = false ] && [ "${MODEL_EXISTS}" = false ]; then
+        echo "ℹ️  No batch transform resources found to clean"
+        return 0
+    fi
+
+    if ! confirm_action "This will stop the transform job (if running) and delete the SageMaker model"; then
+        return 1
+    fi
+
+    # Stop transform job if in progress
+    if [ "${JOB_EXISTS}" = true ] && [ "${JOB_STATUS}" = "InProgress" ]; then
+        echo "🗑️  Stopping transform job: ${TJ_NAME}"
+        if aws sagemaker stop-transform-job \
+            --transform-job-name "${TJ_NAME}" \
+            --region "${AWS_REGION}" &> /dev/null; then
+            echo "⏳ Waiting for transform job to stop..."
+            aws sagemaker wait transform-job-completed-or-stopped \
+                --transform-job-name "${TJ_NAME}" \
+                --region "${AWS_REGION}" 2>/dev/null || sleep 15
+            echo "✅ Transform job stopped"
+
+            # Mark transform job as deleted in manifest (non-blocking)
+            AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+            ./do/manifest delete --id "arn:aws:sagemaker:${AWS_REGION}:${AWS_ACCOUNT_ID}:transform-job/${TJ_NAME}" 2>/dev/null || true
+        else
+            echo "❌ Failed to stop transform job"
+        fi
+    fi
+
+    # Delete SageMaker model
+    if [ "${MODEL_EXISTS}" = true ]; then
+        echo "🗑️  Deleting SageMaker model: ${SM_MODEL_NAME}"
+        if aws sagemaker delete-model \
+            --model-name "${SM_MODEL_NAME}" \
+            --region "${AWS_REGION}" &> /dev/null; then
+            echo "✅ SageMaker model deleted"
+        else
+            echo "❌ Failed to delete SageMaker model"
+        fi
+    fi
+
+    # Remove saved names from config
+    if grep -q "^export TRANSFORM_JOB_NAME=" "${SCRIPT_DIR}/config" 2>/dev/null; then
+        sed -i.bak '/^# Last deployed resources/d;/^export TRANSFORM_JOB_NAME=/d;/^export SAGEMAKER_MODEL_NAME=/d' "${SCRIPT_DIR}/config"
+        rm -f "${SCRIPT_DIR}/config.bak"
+    fi
+    
+    echo "✅ SageMaker managed inference batch resources cleaned"
+}
+<% } else if (deploymentTarget === 'hyperpod-eks') { %>
+# Function to clean HyperPod EKS deployment
+clean_hyperpod() {
+    echo "🧹 Cleaning HyperPod EKS resources"
+    echo "   Cluster: ${HYPERPOD_CLUSTER_NAME}"
+    echo "   Namespace: ${HYPERPOD_NAMESPACE}"
+    
+    # Validate AWS credentials
+    if ! aws sts get-caller-identity &> /dev/null; then
+        echo "❌ AWS credentials not configured"
+        echo "   Run: aws configure"
+        exit 4
+    fi
+
+    # Get kubeconfig for HyperPod cluster
+    echo "🔑 Configuring kubectl for HyperPod cluster..."
+    KUBECONFIG_PATH="${HOME}/.kube/hyperpod-${HYPERPOD_CLUSTER_NAME}"
+
+    EKS_CLUSTER_ARN=$(aws sagemaker describe-cluster \
+        --cluster-name "${HYPERPOD_CLUSTER_NAME}" \
+        --region "${AWS_REGION}" \
+        --query "Orchestrator.Eks.ClusterArn" \
+        --output text 2>&1) || {
+        echo "❌ Failed to describe HyperPod cluster: ${HYPERPOD_CLUSTER_NAME}"
+        echo "   Check that the cluster exists and you have permission to access it"
+        return 1
+    }
+
+    EKS_CLUSTER_NAME=$(echo "${EKS_CLUSTER_ARN}" | awk -F'/' '{print $NF}')
+
+    if ! aws eks update-kubeconfig \
+        --name "${EKS_CLUSTER_NAME}" \
+        --region "${AWS_REGION}" \
+        --kubeconfig "${KUBECONFIG_PATH}" 2>&1; then
+        echo "❌ Failed to configure kubectl for EKS cluster: ${EKS_CLUSTER_NAME}"
+        return 1
+    fi
+
+    export KUBECONFIG="${KUBECONFIG_PATH}"
+    
+    if ! confirm_action "This will delete the HyperPod deployment in namespace ${HYPERPOD_NAMESPACE}"; then
+        return 1
+    fi
+    
+    # Delete Kubernetes resources
+    echo "🗑️  Deleting Kubernetes resources..."
+    AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+    export AWS_ACCOUNT_ID
+    DELETE_FAILED=false
+    for manifest in hyperpod/*.yaml; do
+        # Skip files that contain no Kubernetes objects (e.g. comment-only PVC stubs)
+        RENDERED=$(envsubst < "${manifest}")
+        if echo "${RENDERED}" | grep -q '^kind:'; then
+            if ! echo "${RENDERED}" | kubectl delete -n "${HYPERPOD_NAMESPACE}" --ignore-not-found -f - 2>&1; then
+                DELETE_FAILED=true
+            fi
+        fi
+    done
+    if [ "${DELETE_FAILED}" = true ]; then
+        echo "❌ Failed to delete some Kubernetes resources"
+        echo "   You may need to manually clean up:"
+        echo "   kubectl get all -n ${HYPERPOD_NAMESPACE}"
+        return 1
+    fi
+
+    # Mark k8s resources as deleted in manifest (non-blocking)
+    ./do/manifest delete --id "${HYPERPOD_NAMESPACE}/${PROJECT_NAME}" 2>/dev/null || true
+    
+    echo "✅ HyperPod EKS resources cleaned"
+}
+<% } %>
+
+# Function to clean CodeBuild project and related resources
+clean_codebuild() {
+    echo "🧹 Cleaning CodeBuild resources"
+    echo "   Project: ${CODEBUILD_PROJECT_NAME:-not set}"
+    echo "   Region: ${AWS_REGION}"
+
+    if [ -z "${CODEBUILD_PROJECT_NAME:-}" ]; then
+        echo "ℹ️  No CodeBuild project name configured (build target may not be codebuild)"
+        return 0
+    fi
+
+    # Validate AWS credentials
+    if ! aws sts get-caller-identity &> /dev/null; then
+        echo "❌ AWS credentials not configured"
+        echo "   Run: aws configure"
+        exit 4
+    fi
+
+    AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+
+    # Check if project exists
+    PROJECT_CHECK=$(aws codebuild batch-get-projects \
+        --names "${CODEBUILD_PROJECT_NAME}" \
+        --region "${AWS_REGION}" \
+        --query 'projects[0].name' \
+        --output text 2>/dev/null)
+
+    if [ "$PROJECT_CHECK" = "None" ] || [ -z "$PROJECT_CHECK" ] || [ "$PROJECT_CHECK" = "null" ]; then
+        echo "ℹ️  CodeBuild project not found: ${CODEBUILD_PROJECT_NAME}"
+        return 0
+    fi
+
+    echo ""
+    echo "Resources to be removed:"
+    echo "   • CodeBuild project: ${CODEBUILD_PROJECT_NAME}"
+
+    # Check for service role
+    ROLE_NAME="${CODEBUILD_PROJECT_NAME}-service-role"
+    ROLE_EXISTS=false
+    if aws iam get-role --role-name "${ROLE_NAME}" &> /dev/null; then
+        ROLE_EXISTS=true
+        echo "   • IAM service role: ${ROLE_NAME}"
+    fi
+
+    # Check for S3 source bucket
+    S3_BUCKET="codebuild-source-${AWS_ACCOUNT_ID}-${AWS_REGION}"
+    S3_PREFIX="${PROJECT_NAME}/"
+    S3_EXISTS=false
+    if aws s3api head-bucket --bucket "$S3_BUCKET" --region "${AWS_REGION}" &> /dev/null; then
+        S3_COUNT=$(aws s3 ls "s3://$S3_BUCKET/$S3_PREFIX" --region "${AWS_REGION}" 2>/dev/null | wc -l | tr -d ' ')
+        if [ "$S3_COUNT" -gt 0 ]; then
+            S3_EXISTS=true
+            echo "   • S3 source artifacts: s3://$S3_BUCKET/$S3_PREFIX ($S3_COUNT objects)"
+        fi
+    fi
+
+    if ! confirm_action "This will delete the CodeBuild project and associated resources"; then
+        return 1
+    fi
+
+    # Delete CodeBuild project
+    echo "🗑️  Deleting CodeBuild project: ${CODEBUILD_PROJECT_NAME}"
+    if aws codebuild delete-project \
+        --name "${CODEBUILD_PROJECT_NAME}" \
+        --region "${AWS_REGION}" &> /dev/null; then
+        echo "✅ CodeBuild project deleted"
+
+        # Mark CodeBuild project as deleted in manifest (non-blocking)
+        ./do/manifest delete --id "arn:aws:codebuild:${AWS_REGION}:${AWS_ACCOUNT_ID}:project/${CODEBUILD_PROJECT_NAME}" 2>/dev/null || true
+    else
+        echo "❌ Failed to delete CodeBuild project"
+    fi
+
+    # Delete IAM service role
+    if [ "$ROLE_EXISTS" = true ]; then
+        echo "🗑️  Deleting IAM service role: ${ROLE_NAME}"
+        # Remove inline policies first
+        POLICIES=$(aws iam list-role-policies --role-name "${ROLE_NAME}" --query 'PolicyNames' --output text 2>/dev/null || echo "")
+        for policy in $POLICIES; do
+            aws iam delete-role-policy --role-name "${ROLE_NAME}" --policy-name "$policy" 2>/dev/null || true
+        done
+        if aws iam delete-role --role-name "${ROLE_NAME}" &> /dev/null; then
+            echo "✅ IAM service role deleted"
+
+            # Mark IAM role as deleted in manifest (non-blocking)
+            ./do/manifest delete --id "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_NAME}" 2>/dev/null || true
+        else
+            echo "❌ Failed to delete IAM service role"
+        fi
+    fi
+
+    # Delete S3 source artifacts
+    if [ "$S3_EXISTS" = true ]; then
+        echo "🗑️  Deleting S3 source artifacts: s3://$S3_BUCKET/$S3_PREFIX"
+        if aws s3 rm "s3://$S3_BUCKET/$S3_PREFIX" --recursive --region "${AWS_REGION}" &> /dev/null; then
+            echo "✅ S3 source artifacts deleted"
+        else
+            echo "❌ Failed to delete S3 source artifacts"
+        fi
+    fi
+
+    echo "✅ CodeBuild resources cleaned"
+}
+
+# Main script logic
+echo "🧹 Cleanup script for ${PROJECT_NAME}"
+echo ""
+
+if [ -z "${CLEANUP_TARGET}" ]; then
+<% if (deploymentTarget === 'batch-transform') { %>
+    CLEANUP_TARGET="batch"
+<% } else if (deploymentTarget === 'hyperpod-eks') { %>
+    show_usage
+    exit 0
+<% } else { %>
+    show_usage
+    exit 0
+<% } %>
+fi
+
+case "${CLEANUP_TARGET}" in
+    local)
+        clean_local
+        ;;
+    ecr)
+        clean_ecr
+        ;;
+<% if (deploymentTarget === 'managed-inference') { %>
+    endpoint)
+        clean_endpoint
+        ;;
+<% } else if (deploymentTarget === 'async-inference') { %>
+    endpoint)
+        clean_endpoint
+        ;;
+<% } else if (deploymentTarget === 'batch-transform') { %>
+    batch)
+        clean_batch
+        ;;
+<% } else if (deploymentTarget === 'hyperpod-eks') { %>
+    hyperpod)
+        clean_hyperpod
+        ;;
+<% } %>
+    codebuild)
+        clean_codebuild
+        ;;
+    all)
+        echo "🧹 Performing complete cleanup"
+        echo ""
+        
+        # Track what was cleaned
+        CLEANED_ITEMS=()
+        
+        # Clean local images
+        if clean_local; then
+            CLEANED_ITEMS+=("Local Docker images")
+        fi
+        
+        echo ""
+        
+        # Clean ECR images
+        if clean_ecr; then
+            CLEANED_ITEMS+=("ECR images")
+        fi
+        
+        echo ""
+        
+<% if (deploymentTarget === 'managed-inference') { %>
+        # Clean SageMaker resources
+        if clean_endpoint; then
+            CLEANED_ITEMS+=("SageMaker resources")
+        fi
+<% } else if (deploymentTarget === 'async-inference') { %>
+        # Clean SageMaker async resources
+        if clean_endpoint; then
+            CLEANED_ITEMS+=("SageMaker async resources")
+        fi
+<% } else if (deploymentTarget === 'batch-transform') { %>
+        # Clean SageMaker managed inference batch resources
+        if clean_batch; then
+            CLEANED_ITEMS+=("SageMaker managed inference batch resources")
+        fi
+<% } else if (deploymentTarget === 'hyperpod-eks') { %>
+        # Clean HyperPod EKS resources
+        if clean_hyperpod; then
+            CLEANED_ITEMS+=("HyperPod EKS resources")
+        fi
+<% } %>
+        
+        echo ""
+        
+        # Clean CodeBuild resources
+        if clean_codebuild; then
+            CLEANED_ITEMS+=("CodeBuild resources")
+        fi
+        
+        # Display summary
+        echo ""
+        echo "✅ Cleanup complete!"
+        echo ""
+        echo "Summary of cleaned resources:"
+        for item in "${CLEANED_ITEMS[@]}"; do
+            echo "  ✓ ${item}"
+        done
+        ;;
+    *)
+        echo "❌ Unknown cleanup target: ${CLEANUP_TARGET}"
+        echo ""
+        show_usage
+        exit 1
+        ;;
+esac
+
+echo ""
+echo "Cleanup finished!"