@go-to-k/cdkd 0.1.0 → 0.3.0

package/dist/cli.js

@@ -3533,6 +3533,60 @@ var TemplateParser = class {
   }
 };
 
+// src/analyzer/lambda-vpc-deps.ts
+function extractLambdaVpcDeleteDeps(resources) {
+  const edges = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const [lambdaId, resource] of Object.entries(resources)) {
+    if (resource.Type !== "AWS::Lambda::Function")
+      continue;
+    const vpcConfig = (resource.Properties ?? {})["VpcConfig"];
+    if (!isObject(vpcConfig))
+      continue;
+    const targets = /* @__PURE__ */ new Set();
+    collectRefIds(vpcConfig["SubnetIds"], targets);
+    collectRefIds(vpcConfig["SecurityGroupIds"], targets);
+    for (const targetId of targets) {
+      if (targetId === lambdaId)
+        continue;
+      if (!(targetId in resources))
+        continue;
+      const key = `${lambdaId}\0${targetId}`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      edges.push({ before: lambdaId, after: targetId });
+    }
+  }
+  return edges;
+}
+function isObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function collectRefIds(value, out) {
+  if (value === null || value === void 0)
+    return;
+  if (Array.isArray(value)) {
+    for (const item of value)
+      collectRefIds(item, out);
+    return;
+  }
+  if (!isObject(value))
+    return;
+  if (typeof value["Ref"] === "string") {
+    const ref = value["Ref"];
+    if (!ref.startsWith("AWS::"))
+      out.add(ref);
+    return;
+  }
+  if (Array.isArray(value["Fn::GetAtt"])) {
+    const arr = value["Fn::GetAtt"];
+    if (typeof arr[0] === "string")
+      out.add(arr[0]);
+    return;
+  }
+}
+
 // src/analyzer/dag-builder.ts
 var { Graph, alg } = graphlib;
 var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
@@ -3581,6 +3635,7 @@ var DagBuilder = class {
     }
     this.logger.debug(`Dependency graph built: ${resourceIds.length} nodes, ${edgeCount} edges`);
     edgeCount += this.addCustomResourcePolicyEdges(graph, template);
+    edgeCount += this.addLambdaVpcEdges(graph, template);
     if (!alg.isAcyclic(graph)) {
       const cycles = this.findCycles(graph);
       throw new DependencyError(
@@ -3773,6 +3828,41 @@ var DagBuilder = class {
     }
     return added;
   }
+  /**
+   * Add edges from Subnets / SecurityGroups referenced by an
+   * AWS::Lambda::Function VpcConfig to the Lambda itself.
+   *
+   * Same direction as a normal `Ref`-derived edge (Subnet -> Lambda), so for
+   * deploy this just duplicates what extractDependencies already produced.
+   * The point is robustness: if a future template massages the VpcConfig
+   * shape in a way the recursive extractor doesn't anticipate, this pass
+   * still ties the Lambda to its networking resources so that the
+   * deletion-time reverse traversal continues to delete Lambda before
+   * Subnet / SecurityGroup.
+   *
+   * Returns the number of NEW edges added (existing edges are skipped).
+   */
+  addLambdaVpcEdges(graph, template) {
+    const edges = extractLambdaVpcDeleteDeps(template.Resources);
+    if (edges.length === 0)
+      return 0;
+    let added = 0;
+    for (const edge of edges) {
+      const depId = edge.after;
+      const dependentId = edge.before;
+      if (!graph.hasNode(depId) || !graph.hasNode(dependentId))
+        continue;
+      if (graph.hasEdge(depId, dependentId))
+        continue;
+      graph.setEdge(depId, dependentId);
+      added++;
+      this.logger.debug(`Added implicit edge (lambda vpc): ${depId} -> ${dependentId}`);
+    }
+    if (added > 0) {
+      this.logger.debug(`Added ${added} implicit edges for Lambda VpcConfig`);
+    }
+    return added;
+  }
   isCustomResourceType(type) {
     return type === "AWS::CloudFormation::CustomResource" || type.startsWith("Custom::");
   }
@@ -4688,8 +4778,8 @@ var IntrinsicFunctionResolver = class {
           return resource.attributes?.["CidrBlock"] || resource.properties?.["CidrBlock"];
         case "Ipv6CidrBlocks": {
           try {
-            const { EC2Client: EC2Client8, DescribeVpcsCommand: DescribeVpcsCommand3 } = await import("@aws-sdk/client-ec2");
-            const ec2 = new EC2Client8({ region: this.resolverRegion });
+            const { EC2Client: EC2Client9, DescribeVpcsCommand: DescribeVpcsCommand3 } = await import("@aws-sdk/client-ec2");
+            const ec2 = new EC2Client9({ region: this.resolverRegion });
             const maxAttempts = 15;
             for (let attempt = 1; attempt <= maxAttempts; attempt++) {
               const resp = await ec2.send(new DescribeVpcsCommand3({ VpcIds: [physicalId] }));
@@ -10897,9 +10987,11 @@ import {
   GetFunctionCommand,
   ResourceNotFoundException
 } from "@aws-sdk/client-lambda";
+import { DescribeNetworkInterfacesCommand } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var LambdaFunctionProvider = class {
   lambdaClient;
+  ec2Client;
   logger = getLogger().child("LambdaFunctionProvider");
   handledProperties = /* @__PURE__ */ new Map([
     [
@@ -10919,13 +11011,22 @@ var LambdaFunctionProvider = class {
         "Architectures",
         "PackageType",
         "TracingConfig",
-        "EphemeralStorage"
+        "EphemeralStorage",
+        "VpcConfig"
       ])
     ]
   ]);
+  // ENI detach polling configuration (overridable for tests).
+  // Lambda VPC ENI detach is async and can take 20-40 minutes in the worst case;
+  // we poll up to 10 minutes and then warn-and-continue, since downstream Subnet/SG
+  // deletion has its own retry logic that handles a small remaining window.
+  eniWaitTimeoutMs = 10 * 60 * 1e3;
+  eniWaitInitialDelayMs = 1e4;
+  eniWaitMaxDelayMs = 3e4;
   constructor() {
     const awsClients = getAwsClients();
     this.lambdaClient = awsClients.lambda;
+    this.ec2Client = awsClients.ec2;
   }
   /**
    * Create a Lambda function
@@ -10973,6 +11074,7 @@ var LambdaFunctionProvider = class {
         PackageType: properties["PackageType"],
         TracingConfig: properties["TracingConfig"],
         EphemeralStorage: properties["EphemeralStorage"],
+        VpcConfig: this.buildVpcConfig(properties["VpcConfig"]),
         Tags: tags
       };
       const response = await this.lambdaClient.send(new CreateFunctionCommand(createParams));
@@ -11011,7 +11113,8 @@ var LambdaFunctionProvider = class {
         "Environment",
         "Layers",
         "TracingConfig",
-        "EphemeralStorage"
+        "EphemeralStorage",
+        "VpcConfig"
       ];
       let hasConfigChanges = false;
       for (const field of configFields) {
@@ -11032,7 +11135,11 @@ var LambdaFunctionProvider = class {
           Environment: properties["Environment"],
           Layers: properties["Layers"],
           TracingConfig: properties["TracingConfig"],
-          EphemeralStorage: properties["EphemeralStorage"]
+          EphemeralStorage: properties["EphemeralStorage"],
+          VpcConfig: this.buildVpcConfigForUpdate(
+            properties["VpcConfig"],
+            previousProperties["VpcConfig"]
+          )
         };
         await this.lambdaClient.send(new UpdateFunctionConfigurationCommand(configParams));
         this.logger.debug(`Updated configuration for Lambda function ${physicalId}`);
@@ -11076,9 +11183,19 @@ var LambdaFunctionProvider = class {
   }
   /**
    * Delete a Lambda function
+   *
+   * For VPC-enabled Lambda functions, AWS detaches the hyperplane ENIs
+   * asynchronously after DeleteFunction returns. If we let downstream
+   * resource deletion (Subnet / SecurityGroup) proceed immediately, those
+   * deletions fail with "has dependencies" / "has a dependent object".
+   *
+   * To smooth this out, when properties carry a VpcConfig with subnets or
+   * security groups, we poll DescribeNetworkInterfaces for the function's
+   * managed ENIs and only return once they are gone (or the timeout elapses).
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, properties) {
     this.logger.debug(`Deleting Lambda function ${logicalId}: ${physicalId}`);
+    const hasVpcConfig = this.hasVpcConfig(properties?.["VpcConfig"]);
     try {
       await this.lambdaClient.send(new DeleteFunctionCommand({ FunctionName: physicalId }));
       this.logger.debug(`Successfully deleted Lambda function ${logicalId}`);
@@ -11096,6 +11213,153 @@ var LambdaFunctionProvider = class {
         cause
       );
     }
+    if (hasVpcConfig) {
+      await this.waitForLambdaEnisDetached(physicalId);
+    }
+  }
+  /**
+   * Build Lambda VpcConfig parameter from CDK properties.
+   *
+   * Returns undefined when VpcConfig is unset, so the SDK leaves the function
+   * outside any VPC. Returns an empty config (no subnets, no SGs) when caller
+   * explicitly clears it on update — that detaches the function from its VPC.
+   */
+  buildVpcConfig(raw) {
+    if (raw === void 0 || raw === null) {
+      return void 0;
+    }
+    if (typeof raw !== "object") {
+      return void 0;
+    }
+    const vpc = raw;
+    const result = {};
+    if (Array.isArray(vpc["SubnetIds"])) {
+      result.SubnetIds = vpc["SubnetIds"];
+    }
+    if (Array.isArray(vpc["SecurityGroupIds"])) {
+      result.SecurityGroupIds = vpc["SecurityGroupIds"];
+    }
+    if (typeof vpc["Ipv6AllowedForDualStack"] === "boolean") {
+      result.Ipv6AllowedForDualStack = vpc["Ipv6AllowedForDualStack"];
+    }
+    return result;
+  }
+  /**
+   * Build VpcConfig for an update call, accounting for VPC detach.
+   *
+   * UpdateFunctionConfiguration treats an absent VpcConfig as "no change",
+   * so omitting it cannot move a function out of its existing VPC. To
+   * detach we must explicitly send empty SubnetIds / SecurityGroupIds.
+   */
+  buildVpcConfigForUpdate(newRaw, previousRaw) {
+    const next = this.buildVpcConfig(newRaw);
+    if (next) {
+      return next;
+    }
+    if (this.hasVpcConfig(previousRaw)) {
+      return { SubnetIds: [], SecurityGroupIds: [] };
+    }
+    return void 0;
+  }
+  /**
+   * Determine whether the function actually attaches to a VPC, i.e. has at
+   * least one Subnet ID. A bare VpcConfig with empty arrays does not create
+   * any ENIs, so we skip the wait in that case.
+   */
+  hasVpcConfig(raw) {
+    if (raw === void 0 || raw === null || typeof raw !== "object") {
+      return false;
+    }
+    const vpc = raw;
+    const subnets = vpc["SubnetIds"];
+    return Array.isArray(subnets) && subnets.length > 0;
+  }
+  /**
+   * Poll DescribeNetworkInterfaces until the Lambda-managed ENIs for the
+   * given function are gone, or the configured timeout elapses.
+   *
+   * Lambda VPC ENIs carry a Description like:
+   *   "AWS Lambda VPC ENI-<functionName>-<uuid>"
+   * We match on a substring to be tolerant of format drift.
+   *
+   * Polling: starts at eniWaitInitialDelayMs (10s), exponential backoff up
+   * to eniWaitMaxDelayMs (30s), bounded by eniWaitTimeoutMs (10min).
+   *
+   * Timeout is treated as a soft warning: detach can legitimately take 20-40
+   * minutes in degraded conditions, and downstream Subnet/SG deletion has
+   * its own retries to handle the residual window.
+   */
+  async waitForLambdaEnisDetached(functionName) {
+    const start = Date.now();
+    let delay = this.eniWaitInitialDelayMs;
+    let attempt = 0;
+    this.logger.debug(
+      `Waiting for Lambda VPC ENIs to detach for function ${functionName} (timeout ${this.eniWaitTimeoutMs}ms)`
+    );
+    const descriptionNeedle = `AWS Lambda VPC ENI`;
+    const functionNamePattern = new RegExp(`(^|-)${escapeRegExp(functionName)}(-|$)`);
+    for (; ; ) {
+      attempt++;
+      let count;
+      try {
+        count = await this.countLambdaEnis(descriptionNeedle, functionNamePattern);
+      } catch (error) {
+        this.logger.warn(
+          `DescribeNetworkInterfaces failed while waiting for Lambda ENIs of ${functionName}: ${error instanceof Error ? error.message : String(error)}`
+        );
+        count = -1;
+      }
+      if (count === 0) {
+        this.logger.debug(
+          `Lambda ENIs for ${functionName} fully detached after ${attempt} poll(s) / ${Date.now() - start}ms`
+        );
+        return;
+      }
+      const elapsed = Date.now() - start;
+      if (elapsed >= this.eniWaitTimeoutMs) {
+        this.logger.warn(
+          `Timeout (${this.eniWaitTimeoutMs}ms) waiting for Lambda VPC ENIs of ${functionName} to detach (remaining: ${count >= 0 ? count : "unknown"}). Continuing \u2014 downstream Subnet/SG deletion will retry as needed.`
+        );
+        return;
+      }
+      const remaining = this.eniWaitTimeoutMs - elapsed;
+      const sleepMs = Math.min(delay, remaining);
+      await this.sleep(sleepMs);
+      delay = Math.min(delay * 2, this.eniWaitMaxDelayMs);
+    }
+  }
+  /**
+   * Count remaining Lambda-managed ENIs for the given function, paginating
+   * through DescribeNetworkInterfaces and filtering on Description substring.
+   *
+   * Server-side filter (`description`) does not support wildcards in EC2's API,
+   * so we filter client-side after narrowing on `requester-id` + `status`.
+   */
+  async countLambdaEnis(descriptionNeedle, functionNamePattern) {
+    let nextToken;
+    let count = 0;
+    do {
+      const resp = await this.ec2Client.send(
+        new DescribeNetworkInterfacesCommand({
+          Filters: [
+            // Lambda hyperplane ENIs are owned by the Lambda service principal.
+            { Name: "requester-id", Values: ["*:awslambda_*"] }
+          ],
+          NextToken: nextToken
+        })
+      );
+      for (const ni of resp.NetworkInterfaces ?? []) {
+        const desc = ni.Description ?? "";
+        if (desc.includes(descriptionNeedle) && functionNamePattern.test(desc)) {
+          count++;
+        }
+      }
+      nextToken = resp.NextToken;
+    } while (nextToken);
+    return count;
+  }
+  sleep(ms) {
+    return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
   /**
    * Build Lambda Code parameter from CDK properties
@@ -11182,6 +11446,9 @@ var LambdaFunctionProvider = class {
     return (crc ^ 4294967295) >>> 0;
   }
 };
+function escapeRegExp(input) {
+  return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 
 // src/provisioning/providers/lambda-permission-provider.ts
 import {
@@ -13505,6 +13772,8 @@ import {
   DeleteSecurityGroupCommand,
   AuthorizeSecurityGroupIngressCommand,
   RevokeSecurityGroupIngressCommand,
+  AuthorizeSecurityGroupEgressCommand,
+  RevokeSecurityGroupEgressCommand,
   CreateTagsCommand,
   DescribeSubnetsCommand as DescribeSubnetsCommand2,
   DescribeSecurityGroupsCommand as DescribeSecurityGroupsCommand2,
@@ -13554,7 +13823,14 @@ var EC2Provider = class {
     ["AWS::EC2::SubnetRouteTableAssociation", /* @__PURE__ */ new Set(["SubnetId", "RouteTableId"])],
     [
       "AWS::EC2::SecurityGroup",
-      /* @__PURE__ */ new Set(["GroupDescription", "GroupName", "VpcId", "SecurityGroupIngress", "Tags"])
+      /* @__PURE__ */ new Set([
+        "GroupDescription",
+        "GroupName",
+        "VpcId",
+        "SecurityGroupIngress",
+        "SecurityGroupEgress",
+        "Tags"
+      ])
     ],
     [
       "AWS::EC2::SecurityGroupIngress",
@@ -13565,7 +13841,8 @@ var EC2Provider = class {
         "ToPort",
         "CidrIp",
         "Description",
-        "SourceSecurityGroupId"
+        "SourceSecurityGroupId",
+        "SourceSecurityGroupOwnerId"
       ])
     ],
     [
@@ -13664,7 +13941,13 @@ var EC2Provider = class {
       case "AWS::EC2::SubnetRouteTableAssociation":
         return this.updateSubnetRouteTableAssociation(logicalId, physicalId);
       case "AWS::EC2::SecurityGroup":
-        return this.updateSecurityGroup(logicalId, physicalId, resourceType, properties);
+        return this.updateSecurityGroup(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
       case "AWS::EC2::SecurityGroupIngress":
         return this.updateSecurityGroupIngress(
           logicalId,
@@ -14389,6 +14672,34 @@ var EC2Provider = class {
           );
         }
       }
+      const egressRules = properties["SecurityGroupEgress"];
+      if (egressRules && Array.isArray(egressRules)) {
+        try {
+          await this.ec2Client.send(
+            new RevokeSecurityGroupEgressCommand({
+              GroupId: groupId,
+              IpPermissions: [
+                {
+                  IpProtocol: "-1",
+                  IpRanges: [{ CidrIp: "0.0.0.0/0" }]
+                }
+              ]
+            })
+          );
+        } catch (error) {
+          if (!this.isNotFoundError(error)) {
+            throw error;
+          }
+        }
+        for (const rule of egressRules) {
+          await this.ec2Client.send(
+            new AuthorizeSecurityGroupEgressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "egress")]
+            })
+          );
+        }
+      }
       this.logger.debug(`Successfully created SecurityGroup ${logicalId}: ${groupId}`);
       return {
         physicalId: groupId,
@@ -14408,10 +14719,22 @@ var EC2Provider = class {
       );
     }
   }
-  async updateSecurityGroup(logicalId, physicalId, resourceType, properties) {
+  async updateSecurityGroup(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating SecurityGroup ${logicalId}: ${physicalId}`);
     try {
       await this.applyTags(physicalId, properties, logicalId);
+      await this.applySecurityGroupRuleDiff(
+        physicalId,
+        previousProperties["SecurityGroupIngress"] ?? [],
+        properties["SecurityGroupIngress"] ?? [],
+        "ingress"
+      );
+      await this.applySecurityGroupRuleDiff(
+        physicalId,
+        previousProperties["SecurityGroupEgress"] ?? [],
+        properties["SecurityGroupEgress"] ?? [],
+        "egress"
+      );
       this.logger.debug(`Successfully updated SecurityGroup ${logicalId}`);
       return {
         physicalId,
@@ -14769,9 +15092,13 @@ var EC2Provider = class {
   }
   // ─── Helpers ──────────────────────────────────────────────────────
   /**
-   * Build an IpPermission object from CloudFormation-style properties
+   * Build an IpPermission object from CloudFormation-style properties.
+   *
+   * The EC2 IpPermission shape is identical for ingress and egress; only the
+   * CFn property names that point to the "other" security group differ
+   * (SourceSecurityGroupId vs DestinationSecurityGroupId).
    */
-  buildIpPermission(properties) {
+  buildIpPermission(properties, direction = "ingress") {
     const ipProtocol = properties["IpProtocol"] ?? "-1";
     const fromPort = properties["FromPort"];
     const toPort = properties["ToPort"];
@@ -14781,6 +15108,7 @@ var EC2Provider = class {
     if (toPort !== void 0)
       permission.ToPort = toPort;
     const cidrIp = properties["CidrIp"];
+    const cidrIpv6 = properties["CidrIpv6"];
     const description = properties["Description"];
     if (cidrIp) {
       const ipRange = { CidrIp: cidrIp };
@@ -14788,17 +15116,124 @@ var EC2Provider = class {
         ipRange.Description = description;
       permission.IpRanges = [ipRange];
     }
-    const sourceSecurityGroupId = properties["SourceSecurityGroupId"];
-    if (sourceSecurityGroupId) {
+    if (cidrIpv6) {
+      const ipv6Range = { CidrIpv6: cidrIpv6 };
+      if (description)
+        ipv6Range.Description = description;
+      permission.Ipv6Ranges = [ipv6Range];
+    }
+    const peerGroupId = direction === "egress" ? properties["DestinationSecurityGroupId"] : properties["SourceSecurityGroupId"];
+    if (peerGroupId) {
       const groupPair = {
-        GroupId: sourceSecurityGroupId
+        GroupId: peerGroupId
       };
+      if (direction === "ingress") {
+        const peerOwnerId = properties["SourceSecurityGroupOwnerId"];
+        if (peerOwnerId)
+          groupPair.UserId = peerOwnerId;
+      }
       if (description)
         groupPair.Description = description;
       permission.UserIdGroupPairs = [groupPair];
     }
+    const prefixListId = direction === "egress" ? properties["DestinationPrefixListId"] : properties["SourcePrefixListId"];
+    if (prefixListId) {
+      const prefixEntry = {
+        PrefixListId: prefixListId
+      };
+      if (description)
+        prefixEntry.Description = description;
+      permission.PrefixListIds = [prefixEntry];
+    }
     return permission;
   }
+  /**
+   * Compute the diff between two sets of SecurityGroup rule definitions
+   * (ingress or egress) and apply the resulting authorize/revoke calls.
+   *
+   * Rules are identified by a deterministic key derived from their full
+   * shape — protocol, ports, CIDR, peer group, prefix list, description —
+   * so updating any of those fields counts as a replacement (revoke + authorize).
+   */
+  async applySecurityGroupRuleDiff(groupId, previousRules, nextRules, direction) {
+    const ruleKey = (rule) => {
+      const peerKey = direction === "egress" ? rule["DestinationSecurityGroupId"] : rule["SourceSecurityGroupId"];
+      const prefixKey = direction === "egress" ? rule["DestinationPrefixListId"] : rule["SourcePrefixListId"];
+      const peerOwner = direction === "ingress" ? rule["SourceSecurityGroupOwnerId"] : void 0;
+      return JSON.stringify({
+        p: rule["IpProtocol"] ?? "-1",
+        f: rule["FromPort"] ?? null,
+        t: rule["ToPort"] ?? null,
+        c4: rule["CidrIp"] ?? null,
+        c6: rule["CidrIpv6"] ?? null,
+        peer: peerKey ?? null,
+        peerOwner: peerOwner ?? null,
+        pl: prefixKey ?? null,
+        d: rule["Description"] ?? null
+      });
+    };
+    const prevByKey = /* @__PURE__ */ new Map();
+    for (const rule of previousRules)
+      prevByKey.set(ruleKey(rule), rule);
+    const nextByKey = /* @__PURE__ */ new Map();
+    for (const rule of nextRules)
+      nextByKey.set(ruleKey(rule), rule);
+    const toRevoke = [];
+    for (const [key, rule] of prevByKey) {
+      if (!nextByKey.has(key))
+        toRevoke.push(rule);
+    }
+    const toAuthorize = [];
+    for (const [key, rule] of nextByKey) {
+      if (!prevByKey.has(key))
+        toAuthorize.push(rule);
+    }
+    for (const rule of toRevoke) {
+      try {
+        if (direction === "egress") {
+          await this.ec2Client.send(
+            new RevokeSecurityGroupEgressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "egress")]
+            })
+          );
+        } else {
+          await this.ec2Client.send(
+            new RevokeSecurityGroupIngressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "ingress")]
+            })
+          );
+        }
+      } catch (error) {
+        if (!this.isNotFoundError(error))
+          throw error;
+      }
+    }
+    for (const rule of toAuthorize) {
+      try {
+        if (direction === "egress") {
+          await this.ec2Client.send(
+            new AuthorizeSecurityGroupEgressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "egress")]
+            })
+          );
+        } else {
+          await this.ec2Client.send(
+            new AuthorizeSecurityGroupIngressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "ingress")]
+            })
+          );
+        }
+      } catch (error) {
+        if (!(error instanceof Error && error.message.includes("already exists"))) {
+          throw error;
+        }
+      }
+    }
+  }
   // ─── AWS::EC2::NetworkAcl ────────────────────────────────────────
   async createNetworkAcl(logicalId, resourceType, properties) {
     this.logger.debug(`Creating NetworkAcl ${logicalId}`);
@@ -16719,7 +17154,7 @@ var CloudFrontDistributionProvider = class {
       this.logger.debug(`Created CloudFront Distribution: ${distributionId} (${domainName})`);
       if (process.env["CDKD_NO_WAIT"] !== "true") {
         this.logger.debug(`Waiting for Distribution ${distributionId} to reach Deployed status...`);
-        await this.waitForDistributionDeployed(distributionId);
+        await this.waitForDistributionStable(distributionId);
       }
       return {
         physicalId: distributionId,
@@ -16829,7 +17264,7 @@ var CloudFrontDistributionProvider = class {
           })
         );
         etag = updateResponse.ETag;
-        await this.waitForDistributionDeployed(physicalId);
+        await this.waitForDistributionStable(physicalId, false);
         const refreshResponse = await this.cloudFrontClient.send(
           new GetDistributionConfigCommand({ Id: physicalId })
         );
@@ -16873,10 +17308,16 @@ var CloudFrontDistributionProvider = class {
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::CloudFront::Distribution`);
   }
   /**
-   * Wait for a distribution to reach "Deployed" status.
+   * Wait for a distribution to reach a stable state.
+   *
+   * "Stable" means Status === 'Deployed'. When `expectedEnabled` is provided,
+   * we additionally require DistributionConfig.Enabled === expectedEnabled —
+   * this guards against CloudFront's eventually-consistent reads that can
+   * briefly return the pre-update snapshot after UpdateDistribution returns.
+   *
    * Uses exponential backoff polling.
    */
-  async waitForDistributionDeployed(distributionId) {
+  async waitForDistributionStable(distributionId, expectedEnabled) {
     const maxAttempts = 60;
     let delay = 5e3;
     const maxDelay = 3e4;
@@ -16897,12 +17338,16 @@ var CloudFrontDistributionProvider = class {
           new GetDistributionCommand({ Id: distributionId })
         );
         const status = response.Distribution?.Status;
-        if (status === "Deployed") {
-          this.logger.debug(`Distribution ${distributionId} is now Deployed`);
+        const enabled = response.Distribution?.DistributionConfig?.Enabled;
+        const enabledMatches = expectedEnabled === void 0 || enabled === expectedEnabled;
+        if (status === "Deployed" && enabledMatches) {
+          this.logger.debug(
+            `Distribution ${distributionId} is stable (Status=Deployed, Enabled=${enabled})`
+          );
           return;
         }
         this.logger.debug(
-          `Distribution ${distributionId} status: ${status} (attempt ${attempt}/${maxAttempts})`
+          `Distribution ${distributionId} status: ${status}, enabled: ${enabled}` + (expectedEnabled === void 0 ? "" : ` (waiting for Enabled=${expectedEnabled})`) + ` (attempt ${attempt}/${maxAttempts})`
         );
         const sleepEnd = Date.now() + delay;
         while (Date.now() < sleepEnd && !interrupted) {
@@ -16911,7 +17356,7 @@ var CloudFrontDistributionProvider = class {
         delay = Math.min(delay * 1.5, maxDelay);
       }
       this.logger.debug(
-        `Distribution ${distributionId} did not reach Deployed status within timeout, proceeding with deletion attempt`
+        `Distribution ${distributionId} did not reach stable state within timeout, proceeding with next step`
       );
     } finally {
       process.removeListener("SIGINT", sigintHandler);
@@ -24137,7 +24582,7 @@ import {
   DeleteObjectsCommand as DeleteObjectsCommand2
 } from "@aws-sdk/client-s3";
 import { GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
-import { EC2Client as EC2Client7, DescribeAvailabilityZonesCommand as DescribeAvailabilityZonesCommand3 } from "@aws-sdk/client-ec2";
+import { EC2Client as EC2Client8, DescribeAvailabilityZonesCommand as DescribeAvailabilityZonesCommand3 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var S3DirectoryBucketProvider = class {
   s3Client;
@@ -24155,7 +24600,7 @@ var S3DirectoryBucketProvider = class {
   }
   getEc2Client() {
     if (!this.ec2Client) {
-      this.ec2Client = new EC2Client7(this.providerRegion ? { region: this.providerRegion } : {});
+      this.ec2Client = new EC2Client8(this.providerRegion ? { region: this.providerRegion } : {});
     }
     return this.ec2Client;
   }
@@ -25053,15 +25498,141 @@ function registerAllProviders(registry) {
   registry.register("AWS::S3Tables::Table", s3TablesProvider);
 }
 
+// src/deployment/dag-executor.ts
+var DagExecutor = class {
+  nodes = /* @__PURE__ */ new Map();
+  logger = getLogger().child("DagExecutor");
+  add(node) {
+    this.nodes.set(node.id, node);
+  }
+  has(id) {
+    return this.nodes.has(id);
+  }
+  size() {
+    return this.nodes.size;
+  }
+  values() {
+    return this.nodes.values();
+  }
+  async execute(concurrency, fn, cancelled = () => false) {
+    let active = 0;
+    const errors = [];
+    return new Promise((resolve4, reject) => {
+      const dispatch = () => {
+        let changed = true;
+        while (changed) {
+          changed = false;
+          for (const node of this.nodes.values()) {
+            if (node.state !== "pending")
+              continue;
+            const hasFailedDep = [...node.dependencies].some((depId) => {
+              const dep = this.nodes.get(depId);
+              return dep && (dep.state === "failed" || dep.state === "skipped");
+            });
+            if (hasFailedDep) {
+              node.state = "skipped";
+              changed = true;
+              this.logger.debug(`Skipped ${node.id}: dependency failed or was skipped`);
+            }
+          }
+        }
+        const ready = [];
+        for (const node of this.nodes.values()) {
+          if (node.state !== "pending")
+            continue;
+          const depsReady = [...node.dependencies].every((depId) => {
+            const dep = this.nodes.get(depId);
+            return !dep || dep.state === "completed";
+          });
+          if (depsReady)
+            ready.push(node);
+        }
+        if (!cancelled()) {
+          for (const node of ready) {
+            if (active >= concurrency)
+              break;
+            node.state = "running";
+            active++;
+            fn(node).then(() => {
+              node.state = "completed";
+            }).catch((error) => {
+              node.state = "failed";
+              errors.push({ id: node.id, error });
+            }).finally(() => {
+              active--;
+              dispatch();
+            });
+          }
+        }
+        if (active === 0) {
+          if (errors.length > 0) {
+            reject(errors[0].error);
+            return;
+          }
+          const stillPending = [...this.nodes.values()].some((n) => n.state === "pending");
+          if (stillPending && !cancelled()) {
+            const pending = [...this.nodes.values()].filter((n) => n.state === "pending").map((n) => n.id);
+            reject(
+              new Error(
+                `Deadlock detected: ${pending.length} node(s) stuck with unresolvable dependencies (${pending.join(", ")})`
+              )
+            );
+            return;
+          }
+          resolve4();
+        }
+      };
+      dispatch();
+    });
+  }
+};
+
+// src/analyzer/implicit-delete-deps.ts
+var IMPLICIT_DELETE_DEPENDENCIES = {
+  // IGW must be deleted AFTER VPCGatewayAttachment
+  "AWS::EC2::InternetGateway": ["AWS::EC2::VPCGatewayAttachment"],
+  // EventBus must be deleted AFTER Rules on that bus
+  "AWS::Events::EventBus": ["AWS::Events::Rule"],
+  // Athena workgroup must be deleted AFTER its named queries
+  "AWS::Athena::WorkGroup": ["AWS::Athena::NamedQuery"],
+  // CloudFront managed-policy-style resources must be deleted AFTER
+  // any Distribution that references them
+  "AWS::CloudFront::ResponseHeadersPolicy": ["AWS::CloudFront::Distribution"],
+  "AWS::CloudFront::CachePolicy": ["AWS::CloudFront::Distribution"],
+  "AWS::CloudFront::OriginAccessControl": ["AWS::CloudFront::Distribution"],
+  // VPC must be deleted AFTER all VPC-dependent resources
+  "AWS::EC2::VPC": [
+    "AWS::EC2::Subnet",
+    "AWS::EC2::SecurityGroup",
+    "AWS::EC2::InternetGateway",
+    "AWS::EC2::EgressOnlyInternetGateway",
+    "AWS::EC2::VPCGatewayAttachment",
+    "AWS::EC2::RouteTable"
+  ],
+  // Subnet must be deleted AFTER any Lambda that may still hold an ENI
+  // in it. Lambda DELETE returns immediately but the ENI is detached
+  // asynchronously by AWS, so deleting the Subnet first races the detach
+  // and yields "DependencyViolation".
+  "AWS::EC2::Subnet": ["AWS::EC2::SubnetRouteTableAssociation", "AWS::Lambda::Function"],
+  // RouteTable must be deleted AFTER Route and Association
+  "AWS::EC2::RouteTable": ["AWS::EC2::Route", "AWS::EC2::SubnetRouteTableAssociation"],
+  // SecurityGroup must be deleted AFTER any Lambda whose ENI is bound
+  // to it (same ENI-detach race as Subnet above).
+  "AWS::EC2::SecurityGroup": [
+    "AWS::EC2::SecurityGroupIngress",
+    "AWS::EC2::SecurityGroupEgress",
+    "AWS::Lambda::Function"
+  ]
+};
+
 // src/deployment/deploy-engine.ts
-import pLimit from "p-limit";
 var InterruptedError = class extends Error {
   constructor() {
     super("Deployment interrupted by user (Ctrl+C)");
     this.name = "InterruptedError";
   }
 };
-var DeployEngine = class _DeployEngine {
+var DeployEngine = class {
   constructor(stateBackend, lockManager, dagBuilder, diffCalculator, providerRegistry, options = {}, stackRegion) {
     this.stateBackend = stateBackend;
     this.lockManager = lockManager;
@@ -25187,6 +25758,7 @@ var DeployEngine = class _DeployEngine {
         template,
         currentState,
         changes,
+        dag,
         executionLevels,
         stackName,
         parameterValues,
@@ -25219,13 +25791,16 @@ var DeployEngine = class _DeployEngine {
     }
   }
   /**
-   * Execute deployment by processing resources in DAG order
+   * Execute deployment by processing resources via event-driven DAG dispatch.
    *
-   * Important: DELETE operations are executed in reverse dependency order,
-   * while CREATE/UPDATE follow normal dependency order.
-   */
-  async executeDeployment(template, currentState, changes, executionLevels, stackName, parameterValues, conditions, currentEtag, progress) {
-    const limit = pLimit(this.options.concurrency);
+   * - CREATE/UPDATE follow forward dependency order (a node starts as soon as
+   *   ALL of its dependencies are completed — does not wait for unrelated
+   *   siblings in the same "level")
+   * - DELETE follows reverse dependency order (a node starts as soon as all
+   *   resources that depend ON it have finished deleting)
+   */
+  async executeDeployment(template, currentState, changes, dag, executionLevels, stackName, parameterValues, conditions, currentEtag, progress) {
+    const concurrency = this.options.concurrency;
     const newResources = { ...currentState.resources };
     const actualCounts = { created: 0, updated: 0, deleted: 0, skipped: 0 };
     const completedOperations = [];
@@ -25256,32 +25831,36 @@ var DeployEngine = class _DeployEngine {
       Array.from(changes.entries()).filter(([_, change]) => change.changeType === "DELETE").map(([logicalId]) => logicalId)
     );
     try {
-      for (let levelIndex = 0; levelIndex < executionLevels.length; levelIndex++) {
-        if (this.interrupted) {
-          throw new InterruptedError();
-        }
-        const levelNodes = executionLevels[levelIndex];
-        if (!levelNodes)
+      const createUpdateIds = [];
+      for (const [id, change] of changes.entries()) {
+        if (deleteChanges.has(id))
           continue;
-        const level = levelNodes.filter((id) => {
-          if (deleteChanges.has(id))
-            return false;
-          const change = changes.get(id);
-          return !!change && change.changeType !== "NO_CHANGE";
-        });
-        if (level.length === 0)
+        if (change.changeType === "NO_CHANGE")
           continue;
+        createUpdateIds.push(id);
+      }
+      if (createUpdateIds.length > 0) {
         this.logger.info(
-          `Level ${levelIndex + 1}/${executionLevels.length} (${level.length} resources)`
+          `Deploying ${createUpdateIds.length} resource(s) (DAG: ${executionLevels.length} levels, max parallel: ${concurrency})`
         );
-        const results = await Promise.allSettled(
-          level.map(
-            (logicalId) => limit(async () => {
-              const change = changes.get(logicalId);
-              if (!change || change.changeType === "NO_CHANGE") {
-                this.logger.debug(`Skipping ${logicalId} (no change)`);
-                return;
-              }
+        const createUpdateExecutor = new DagExecutor();
+        const provisionable = new Set(createUpdateIds);
+        for (const id of createUpdateIds) {
+          const allDeps = this.dagBuilder.getDirectDependencies(dag, id);
+          const deps = new Set(allDeps.filter((d) => provisionable.has(d)));
+          createUpdateExecutor.add({
+            id,
+            dependencies: deps,
+            state: "pending",
+            data: changes.get(id)
+          });
+        }
+        try {
+          await createUpdateExecutor.execute(
+            concurrency,
+            async (node) => {
+              const logicalId = node.id;
+              const change = node.data;
               const previousState = currentState.resources[logicalId] ? { ...currentState.resources[logicalId] } : void 0;
               try {
                 await this.provisionResource(
@@ -25308,30 +25887,36 @@ var DeployEngine = class _DeployEngine {
                 properties: newResources[logicalId]?.properties
               });
               saveStateAfterResource(logicalId);
-            })
-          )
-        );
-        await saveChain;
-        const failures = results.filter((r) => r.status === "rejected");
-        if (failures.length > 0) {
-          throw failures[0].reason;
+            },
+            () => this.interrupted
+          );
+        } finally {
+          await saveChain;
+        }
+        if (this.interrupted && this.hasPending(createUpdateExecutor)) {
+          throw new InterruptedError();
         }
       }
       if (deleteChanges.size > 0) {
         this.logger.info(`Deleting ${deleteChanges.size} resource(s)`);
-        const deletionLevels = this.buildDeletionLevels(deleteChanges, currentState);
-        for (let levelIndex = 0; levelIndex < deletionLevels.length; levelIndex++) {
-          if (this.interrupted) {
-            throw new InterruptedError();
-          }
-          const level = deletionLevels[levelIndex];
-          if (level.length === 0)
-            continue;
-          const deleteResults = await Promise.allSettled(
-            level.map(
-              (logicalId) => limit(async () => {
-                const change = changes.get(logicalId);
-                const previousState = currentState.resources[logicalId] ? { ...currentState.resources[logicalId] } : void 0;
+        const deleteDeps = this.buildDeletionDependencies(deleteChanges, currentState);
+        const deleteExecutor = new DagExecutor();
+        for (const id of deleteChanges) {
+          deleteExecutor.add({
+            id,
+            dependencies: deleteDeps.get(id) ?? /* @__PURE__ */ new Set(),
+            state: "pending",
+            data: changes.get(id)
+          });
+        }
+        try {
+          await deleteExecutor.execute(
+            concurrency,
+            async (node) => {
+              const logicalId = node.id;
+              const change = node.data;
+              const previousState = currentState.resources[logicalId] ? { ...currentState.resources[logicalId] } : void 0;
+              try {
                 await this.provisionResource(
                   logicalId,
                   change,
@@ -25343,23 +25928,25 @@ var DeployEngine = class _DeployEngine {
                   actualCounts,
                   progress
                 );
-                completedOperations.push({
-                  logicalId,
-                  changeType: "DELETE",
-                  resourceType: change.resourceType,
-                  previousState
-                });
-                saveStateAfterResource(logicalId);
-              })
-            )
+              } catch (provisionError) {
+                this.interrupted = true;
+                throw provisionError;
+              }
+              completedOperations.push({
+                logicalId,
+                changeType: "DELETE",
+                resourceType: change.resourceType,
+                previousState
+              });
+              saveStateAfterResource(logicalId);
+            },
+            () => this.interrupted
           );
+        } finally {
           await saveChain;
-          const deleteFailures = deleteResults.filter(
-            (r) => r.status === "rejected"
-          );
-          if (deleteFailures.length > 0) {
-            throw deleteFailures[0].reason;
-          }
+        }
+        if (this.interrupted && this.hasPending(deleteExecutor)) {
+          throw new InterruptedError();
         }
       }
     } catch (error) {
@@ -25453,12 +26040,12 @@ var DeployEngine = class _DeployEngine {
    * - UPDATE → update back to previous properties
    * - DELETE → cannot rollback (resource already deleted), log warning
    *
-   * Resources created in the same DAG level may have dependencies between them
-   * (e.g., IAM Policy depends on IAM Role). When rolling back CREATEs (deleting),
-   * dependent resources must be deleted before their dependencies. This method
-   * sorts CREATE rollback operations using dependency information from state,
-   * then processes UPDATE/DELETE rollbacks, and finally processes sorted CREATE
-   * rollback deletions.
+   * Resources completed concurrently in the dispatcher may have dependencies
+   * between them (e.g., IAM Policy depends on IAM Role). When rolling back
+   * CREATEs (deleting), dependent resources must be deleted before their
+   * dependencies. This method sorts CREATE rollback operations using dependency
+   * information from state, then processes UPDATE/DELETE rollbacks, and finally
+   * processes sorted CREATE rollback deletions.
    */
   async performRollback(completedOperations, stateResources, _stackName) {
     if (completedOperations.length === 0) {
@@ -25491,7 +26078,7 @@ var DeployEngine = class _DeployEngine {
    * Sort CREATE rollback operations so that resources depending on others
    * are deleted first (reverse dependency order).
    *
-   * Uses state dependencies to build deletion levels, similar to buildDeletionLevels.
+   * Uses state dependencies to determine reverse-dependency order, similar to buildDeletionDependencies.
    */
   sortRollbackCreates(createOps, stateResources) {
     const opMap = /* @__PURE__ */ new Map();
@@ -25882,48 +26469,34 @@ var DeployEngine = class _DeployEngine {
     const deps = parser.extractDependencies(resource);
     return deps.size > 0 ? [...deps] : void 0;
   }
+  // Type-based implicit deletion ordering rules are defined in
+  // src/analyzer/implicit-delete-deps.ts so the deploy DELETE phase and the
+  // standalone destroy command apply the same rules.
   /**
-   * Implicit dependency map for correct deletion order.
+   * Build a per-resource map of "must be deleted before me" dependencies for
+   * the DELETE phase, derived from state-recorded dependencies plus implicit
+   * type-based ordering rules.
    *
-   * Key = resource type that must be deleted AFTER all value types are deleted.
-   * Value = resource types that must be deleted BEFORE the key type.
-   *
-   * Example: InternetGateway depends on VPCGatewayAttachment being deleted first,
-   * because AWS won't let you delete an IGW while it's still attached to a VPC.
-   */
-  static IMPLICIT_DELETE_DEPENDENCIES = {
-    // IGW must be deleted AFTER VPCGatewayAttachment
-    "AWS::EC2::InternetGateway": ["AWS::EC2::VPCGatewayAttachment"],
-    // EventBus must be deleted AFTER Rules on that bus
-    "AWS::Events::EventBus": ["AWS::Events::Rule"],
-    // VPC must be deleted AFTER all VPC-dependent resources
-    "AWS::EC2::VPC": [
-      "AWS::EC2::Subnet",
-      "AWS::EC2::SecurityGroup",
-      "AWS::EC2::InternetGateway",
-      "AWS::EC2::EgressOnlyInternetGateway",
-      "AWS::EC2::VPCGatewayAttachment",
-      "AWS::EC2::RouteTable"
-    ],
-    // Subnet must be deleted AFTER RouteTableAssociation
-    "AWS::EC2::Subnet": ["AWS::EC2::SubnetRouteTableAssociation"],
-    // RouteTable must be deleted AFTER Route and Association
-    "AWS::EC2::RouteTable": ["AWS::EC2::Route", "AWS::EC2::SubnetRouteTableAssociation"],
-    // SecurityGroup must be deleted AFTER SecurityGroupIngress/Egress
-    "AWS::EC2::SecurityGroup": ["AWS::EC2::SecurityGroupIngress", "AWS::EC2::SecurityGroupEgress"]
-  };
+   * For a resource X, the returned set contains every resource Y such that Y
+   * must finish deleting before X starts — i.e., Y depends on X (or is otherwise
+   * required to vanish first per implicit type rules).
+   */
   /**
-   * Build deletion levels from state dependencies (reverse topological order).
-   * Resources that are depended upon by others are deleted LAST.
+   * Returns true if the executor still has un-started pending nodes —
+   * used to distinguish "SIGINT cancelled real work" from "SIGINT landed
+   * after all nodes already completed" (the latter should not error).
    */
-  buildDeletionLevels(deleteIds, state) {
+  hasPending(executor) {
+    for (const node of executor.values()) {
+      if (node.state === "pending")
+        return true;
+    }
+    return false;
+  }
+  buildDeletionDependencies(deleteIds, state) {
     const dependedBy = /* @__PURE__ */ new Map();
-    const inDegree = /* @__PURE__ */ new Map();
     for (const id of deleteIds) {
-      if (!dependedBy.has(id))
-        dependedBy.set(id, /* @__PURE__ */ new Set());
-      if (!inDegree.has(id))
-        inDegree.set(id, 0);
+      dependedBy.set(id, /* @__PURE__ */ new Set());
     }
     for (const id of deleteIds) {
       const resource = state.resources[id];
@@ -25932,38 +26505,11 @@ var DeployEngine = class _DeployEngine {
       for (const dep of resource.dependencies) {
         if (!deleteIds.has(dep))
           continue;
-        if (!dependedBy.has(dep))
-          dependedBy.set(dep, /* @__PURE__ */ new Set());
         dependedBy.get(dep).add(id);
-        inDegree.set(id, (inDegree.get(id) ?? 0) + 1);
       }
     }
     this.addImplicitDeleteDependencies(deleteIds, state, dependedBy);
-    const levels = [];
-    let remaining = new Set(deleteIds);
-    while (remaining.size > 0) {
-      const level = [];
-      for (const id of remaining) {
-        const dependents = dependedBy.get(id);
-        const hasPendingDependents = dependents ? [...dependents].some((d) => remaining.has(d)) : false;
-        if (!hasPendingDependents) {
-          level.push(id);
-        }
-      }
-      if (level.length === 0) {
-        this.logger.warn(
-          `Circular dependency detected in delete order, deleting remaining ${remaining.size} resources`
-        );
-        levels.push([...remaining]);
-        break;
-      }
-      levels.push(level);
-      remaining = new Set([...remaining].filter((id) => !level.includes(id)));
-    }
-    this.logger.debug(
-      `Delete order: ${levels.length} levels - ${levels.map((l, i) => `L${i + 1}(${l.length})`).join(", ")}`
-    );
-    return levels;
+    return dependedBy;
   }
   /**
    * Add implicit delete dependency edges based on resource type relationships.
@@ -25991,7 +26537,7 @@ var DeployEngine = class _DeployEngine {
       const resource = state.resources[id];
       if (!resource)
         continue;
-      const mustDeleteAfter = _DeployEngine.IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
+      const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
       if (!mustDeleteAfter)
         continue;
       for (const depType of mustDeleteAfter) {
@@ -26777,27 +27323,6 @@ Acquiring lock for stack ${stackName}...`);
             }
           };
         }
-        const implicitDeleteDeps = {
-          "AWS::EC2::InternetGateway": ["AWS::EC2::VPCGatewayAttachment"],
-          "AWS::Events::EventBus": ["AWS::Events::Rule"],
-          "AWS::Athena::WorkGroup": ["AWS::Athena::NamedQuery"],
-          "AWS::CloudFront::ResponseHeadersPolicy": ["AWS::CloudFront::Distribution"],
-          "AWS::CloudFront::CachePolicy": ["AWS::CloudFront::Distribution"],
-          "AWS::CloudFront::OriginAccessControl": ["AWS::CloudFront::Distribution"],
-          "AWS::EC2::VPC": [
-            "AWS::EC2::Subnet",
-            "AWS::EC2::SecurityGroup",
-            "AWS::EC2::InternetGateway",
-            "AWS::EC2::VPCGatewayAttachment",
-            "AWS::EC2::RouteTable"
-          ],
-          "AWS::EC2::Subnet": ["AWS::EC2::SubnetRouteTableAssociation"],
-          "AWS::EC2::RouteTable": ["AWS::EC2::Route", "AWS::EC2::SubnetRouteTableAssociation"],
-          "AWS::EC2::SecurityGroup": [
-            "AWS::EC2::SecurityGroupIngress",
-            "AWS::EC2::SecurityGroupEgress"
-          ]
-        };
         const typeToLogicalIds = /* @__PURE__ */ new Map();
         for (const [logicalId, resource] of Object.entries(currentState.resources)) {
           const ids = typeToLogicalIds.get(resource.resourceType) ?? [];
@@ -26805,7 +27330,7 @@ Acquiring lock for stack ${stackName}...`);
           typeToLogicalIds.set(resource.resourceType, ids);
         }
         for (const [logicalId, resource] of Object.entries(currentState.resources)) {
-          const mustDeleteAfter = implicitDeleteDeps[resource.resourceType];
+          const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
           if (!mustDeleteAfter)
             continue;
           for (const depType of mustDeleteAfter) {
@@ -27029,7 +27554,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command8();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.1.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.3.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createDeployCommand());