@fjall/components-infrastructure 2.16.0 → 2.17.0

package/dist/lib/resources/aws/compute/ec2GracefulTerminationHandler.js

@@ -43,8 +43,13 @@ export class Ec2GracefulTerminationHandler extends Construct {
         const dataVolumeOwnerLogicalId = resolveOptionalString(props.dataVolumeOwnerLogicalId);
         this.queue = new SQSQueue(this, `${id}Queue`, {
             visibilityTimeout: QUEUE_VISIBILITY_TIMEOUT_SECONDS,
-            deadLetterQueue: { enabled: true, maxReceiveCount: 5 }
+            deadLetterQueue: { enabled: true, maxReceiveCount: 5 },
+            // Transient instance-drain signals — no durable state. Pinned DESTROY
+            // (now also the SQSQueue wrapper default) so a replacing deploy of the
+            // parent Ec2Instance reclaims this queue + DLQ instead of orphaning them.
+            removalPolicy: "DESTROY"
         });
+        const stack = Stack.of(this);
         const ecsPolicies = ecsClusterArn !== undefined
             ? [
                 new PolicyStatement({
@@ -66,6 +71,9 @@ export class Ec2GracefulTerminationHandler extends Construct {
                 })
             ]
             : [];
+        // EIP/ENI mutations cannot be ARN-scoped (the resources are not known at
+        // synth), but the Lambda only ever drains instances in its own region — a
+        // region clamp removes the cross-region blast radius a bare "*" would allow.
         const ec2Policies = new PolicyStatement({
             effect: Effect.ALLOW,
             actions: [
@@ -74,7 +82,10 @@ export class Ec2GracefulTerminationHandler extends Construct {
                 "ec2:DescribeNetworkInterfaces",
                 "ec2:DetachNetworkInterface"
             ],
-            resources: ["*"]
+            resources: ["*"],
+            conditions: {
+                StringEquals: { "aws:RequestedRegion": stack.region }
+            }
         });
         const elbReadPolicy = new PolicyStatement({
             effect: Effect.ALLOW,
@@ -94,7 +105,6 @@ export class Ec2GracefulTerminationHandler extends Construct {
                 }
             }
         });
-        const stack = Stack.of(this);
         // Account/region-scoped wildcard rather than the specific ASG ARN —
         // see PersistentDataVolume for the full deadlock writeup. Same gotcha:
         // a specific ARN creates a CFN Ref to the ASG, the Lambda's IAM Policy

package/dist/lib/resources/aws/compute/persistentDataVolume.js

@@ -105,7 +105,11 @@ export class PersistentDataVolume extends Construct {
         Tags.of(this.volume).add(PERSISTENT_DATA_VOLUME_TAG_STACK_ID, Aws.STACK_ID);
         this.queue = new SQSQueue(this, `${id}Queue`, {
             visibilityTimeout: QUEUE_VISIBILITY_TIMEOUT_SECONDS,
-            deadLetterQueue: { enabled: true, maxReceiveCount: 5 }
+            deadLetterQueue: { enabled: true, maxReceiveCount: 5 },
+            // Transient volume-attach signals — no durable state (the EBS volume
+            // itself is SNAPSHOT above). Pinned DESTROY (now also the SQSQueue wrapper
+            // default) so a replacing deploy reclaims this queue + DLQ, not orphans.
+            removalPolicy: "DESTROY"
         });
         const sourcePath = path.resolve(__dirname, LAUNCHING_LAMBDA_SOURCE_FILE);
         const source = readFileSync(sourcePath, "utf-8");

package/dist/lib/resources/aws/messaging/sns.d.ts

@@ -7,6 +7,11 @@ export interface SNSTopicProps {
     displayName?: string;
     fifo?: boolean;
     contentBasedDeduplication?: boolean;
+    /**
+     * Removal policy for the topic. Defaults to DESTROY — a topic is a transient
+     * fan-out medium with no durable state (see the constructor). Pass "RETAIN"
+     * only for a topic that must survive stack deletion.
+     */
     removalPolicy?: RemovalPolicyString;
 }
 export declare class SNSTopic extends Construct {

package/dist/lib/resources/aws/messaging/sns.js

@@ -22,7 +22,13 @@ export class SNSTopic extends Construct {
                 ? (props.contentBasedDeduplication ?? true)
                 : undefined
         });
-        this.topic.applyRemovalPolicy(toRemovalPolicy(props.removalPolicy));
+        // An SNS topic is a transient fan-out medium: it holds no durable state
+        // (subscriptions are re-created by the next deploy), so the wrapper defaults
+        // to DESTROY — deliberately NOT the env-aware production->RETAIN of
+        // data-bearing wrappers (S3, EventBus). RETAIN here buys no protection and
+        // orphans the topic on a parent construct's logical-ID churn (the same leak
+        // class fixed for SQS). Durable topics opt into RETAIN via props.removalPolicy.
+        this.topic.applyRemovalPolicy(toRemovalPolicy(props.removalPolicy ?? "DESTROY"));
         new CfnOutput(this, `${id}TopicArn`, {
             key: `${id}TopicArn`,
             value: this.topic.topicArn,

package/dist/lib/resources/aws/messaging/sqs.d.ts

@@ -60,6 +60,12 @@ export interface SQSQueueProps {
     contentBasedDeduplication?: boolean;
     fifoThroughputLimit?: "perQueue" | "perMessageGroupId";
     deduplicationScope?: "queue" | "messageGroup";
+    /**
+     * Removal policy for the queue (and its auto-created DLQ, which tracks it).
+     * Defaults to DESTROY — a queue is a transient work medium (see the
+     * constructor). Pass "RETAIN" only for a queue whose contents are
+     * irreplaceable and must survive stack deletion.
+     */
     removalPolicy?: RemovalPolicyString;
 }
 export declare class SQSQueue extends Construct {

package/dist/lib/resources/aws/messaging/sqs.js

@@ -83,6 +83,14 @@ export class SQSQueue extends Construct {
         this.id = id;
         // Sanitise id for CloudFormation output keys (must be alphanumeric)
         const outputName = toPascalCase(id);
+        // SQS queues are transient work mediums: their contents (job messages,
+        // failed-delivery copies) regenerate from a source of truth held elsewhere
+        // (Postgres, the producing schedule/rule), so the wrapper defaults to
+        // DESTROY — deliberately NOT the env-aware production->RETAIN of
+        // data-bearing wrappers (S3, EventBus). RETAIN here buys no protection and
+        // orphans the queue on a parent construct's logical-ID churn (the prod
+        // orphan leak). Durable queues opt into RETAIN via props.removalPolicy.
+        const resolvedRemovalPolicy = toRemovalPolicy(props.removalPolicy ?? "DESTROY");
         const isFifo = props.queueType === "fifo";
         const queueName = props.queueName
             ? isFifo
@@ -110,7 +118,7 @@ export class SQSQueue extends Construct {
                     fifo: isFifo,
                     encryption: toEncryption(props.encryption),
                     retentionPeriod: Duration.days(SQS_LIMITS.DEAD_LETTER_QUEUE.DEFAULT_RETENTION_DAYS),
-                    removalPolicy: toRemovalPolicy(props.removalPolicy)
+                    removalPolicy: resolvedRemovalPolicy
                 });
                 deadLetterQueue = {
                     queue: this.dlq,
@@ -156,7 +164,7 @@ export class SQSQueue extends Construct {
             deduplicationScope: isFifo
                 ? toDeduplicationScope(props.deduplicationScope)
                 : undefined,
-            removalPolicy: toRemovalPolicy(props.removalPolicy)
+            removalPolicy: resolvedRemovalPolicy
         });
         new CfnOutput(this, `${outputName}QueueUrl`, {
             key: `${outputName}QueueUrl`,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "2.16.0",
+  "version": "2.17.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -63,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^2.16.0",
-    "@fjall/util": "^2.16.0",
+    "@fjall/generator": "^2.17.0",
+    "@fjall/util": "^2.17.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -79,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "2383b19f1e7db980ae603a6c75dca2c61b7a1d42"
+  "gitHead": "21cfe1aae339e12183af2813ec81f581b9b77d49"
 }