@go-to-k/cdkd 0.1.0 → 0.3.0

package/dist/index.js

@@ -3139,6 +3139,62 @@ var TemplateParser = class {
 
 // src/analyzer/dag-builder.ts
 import graphlib from "graphlib";
+
+// src/analyzer/lambda-vpc-deps.ts
+function extractLambdaVpcDeleteDeps(resources) {
+  const edges = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const [lambdaId, resource] of Object.entries(resources)) {
+    if (resource.Type !== "AWS::Lambda::Function")
+      continue;
+    const vpcConfig = (resource.Properties ?? {})["VpcConfig"];
+    if (!isObject(vpcConfig))
+      continue;
+    const targets = /* @__PURE__ */ new Set();
+    collectRefIds(vpcConfig["SubnetIds"], targets);
+    collectRefIds(vpcConfig["SecurityGroupIds"], targets);
+    for (const targetId of targets) {
+      if (targetId === lambdaId)
+        continue;
+      if (!(targetId in resources))
+        continue;
+      const key = `${lambdaId}\0${targetId}`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      edges.push({ before: lambdaId, after: targetId });
+    }
+  }
+  return edges;
+}
+function isObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function collectRefIds(value, out) {
+  if (value === null || value === void 0)
+    return;
+  if (Array.isArray(value)) {
+    for (const item of value)
+      collectRefIds(item, out);
+    return;
+  }
+  if (!isObject(value))
+    return;
+  if (typeof value["Ref"] === "string") {
+    const ref = value["Ref"];
+    if (!ref.startsWith("AWS::"))
+      out.add(ref);
+    return;
+  }
+  if (Array.isArray(value["Fn::GetAtt"])) {
+    const arr = value["Fn::GetAtt"];
+    if (typeof arr[0] === "string")
+      out.add(arr[0]);
+    return;
+  }
+}
+
+// src/analyzer/dag-builder.ts
 var { Graph, alg } = graphlib;
 var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
   "AWS::IAM::Policy",
@@ -3186,6 +3242,7 @@ var DagBuilder = class {
     }
     this.logger.debug(`Dependency graph built: ${resourceIds.length} nodes, ${edgeCount} edges`);
     edgeCount += this.addCustomResourcePolicyEdges(graph, template);
+    edgeCount += this.addLambdaVpcEdges(graph, template);
     if (!alg.isAcyclic(graph)) {
       const cycles = this.findCycles(graph);
       throw new DependencyError(
@@ -3378,6 +3435,41 @@ var DagBuilder = class {
     }
     return added;
   }
+  /**
+   * Add edges from Subnets / SecurityGroups referenced by an
+   * AWS::Lambda::Function VpcConfig to the Lambda itself.
+   *
+   * Same direction as a normal `Ref`-derived edge (Subnet -> Lambda), so for
+   * deploy this just duplicates what extractDependencies already produced.
+   * The point is robustness: if a future template massages the VpcConfig
+   * shape in a way the recursive extractor doesn't anticipate, this pass
+   * still ties the Lambda to its networking resources so that the
+   * deletion-time reverse traversal continues to delete Lambda before
+   * Subnet / SecurityGroup.
+   *
+   * Returns the number of NEW edges added (existing edges are skipped).
+   */
+  addLambdaVpcEdges(graph, template) {
+    const edges = extractLambdaVpcDeleteDeps(template.Resources);
+    if (edges.length === 0)
+      return 0;
+    let added = 0;
+    for (const edge of edges) {
+      const depId = edge.after;
+      const dependentId = edge.before;
+      if (!graph.hasNode(depId) || !graph.hasNode(dependentId))
+        continue;
+      if (graph.hasEdge(depId, dependentId))
+        continue;
+      graph.setEdge(depId, dependentId);
+      added++;
+      this.logger.debug(`Added implicit edge (lambda vpc): ${depId} -> ${dependentId}`);
+    }
+    if (added > 0) {
+      this.logger.debug(`Added ${added} implicit edges for Lambda VpcConfig`);
+    }
+    return added;
+  }
   isCustomResourceType(type) {
     return type === "AWS::CloudFormation::CustomResource" || type.startsWith("Custom::");
   }
@@ -6993,15 +7085,141 @@ var IAMRoleProvider = class {
   }
 };
 
+// src/deployment/dag-executor.ts
+var DagExecutor = class {
+  nodes = /* @__PURE__ */ new Map();
+  logger = getLogger().child("DagExecutor");
+  add(node) {
+    this.nodes.set(node.id, node);
+  }
+  has(id) {
+    return this.nodes.has(id);
+  }
+  size() {
+    return this.nodes.size;
+  }
+  values() {
+    return this.nodes.values();
+  }
+  async execute(concurrency, fn, cancelled = () => false) {
+    let active = 0;
+    const errors = [];
+    return new Promise((resolve4, reject) => {
+      const dispatch = () => {
+        let changed = true;
+        while (changed) {
+          changed = false;
+          for (const node of this.nodes.values()) {
+            if (node.state !== "pending")
+              continue;
+            const hasFailedDep = [...node.dependencies].some((depId) => {
+              const dep = this.nodes.get(depId);
+              return dep && (dep.state === "failed" || dep.state === "skipped");
+            });
+            if (hasFailedDep) {
+              node.state = "skipped";
+              changed = true;
+              this.logger.debug(`Skipped ${node.id}: dependency failed or was skipped`);
+            }
+          }
+        }
+        const ready = [];
+        for (const node of this.nodes.values()) {
+          if (node.state !== "pending")
+            continue;
+          const depsReady = [...node.dependencies].every((depId) => {
+            const dep = this.nodes.get(depId);
+            return !dep || dep.state === "completed";
+          });
+          if (depsReady)
+            ready.push(node);
+        }
+        if (!cancelled()) {
+          for (const node of ready) {
+            if (active >= concurrency)
+              break;
+            node.state = "running";
+            active++;
+            fn(node).then(() => {
+              node.state = "completed";
+            }).catch((error) => {
+              node.state = "failed";
+              errors.push({ id: node.id, error });
+            }).finally(() => {
+              active--;
+              dispatch();
+            });
+          }
+        }
+        if (active === 0) {
+          if (errors.length > 0) {
+            reject(errors[0].error);
+            return;
+          }
+          const stillPending = [...this.nodes.values()].some((n) => n.state === "pending");
+          if (stillPending && !cancelled()) {
+            const pending = [...this.nodes.values()].filter((n) => n.state === "pending").map((n) => n.id);
+            reject(
+              new Error(
+                `Deadlock detected: ${pending.length} node(s) stuck with unresolvable dependencies (${pending.join(", ")})`
+              )
+            );
+            return;
+          }
+          resolve4();
+        }
+      };
+      dispatch();
+    });
+  }
+};
+
+// src/analyzer/implicit-delete-deps.ts
+var IMPLICIT_DELETE_DEPENDENCIES = {
+  // IGW must be deleted AFTER VPCGatewayAttachment
+  "AWS::EC2::InternetGateway": ["AWS::EC2::VPCGatewayAttachment"],
+  // EventBus must be deleted AFTER Rules on that bus
+  "AWS::Events::EventBus": ["AWS::Events::Rule"],
+  // Athena workgroup must be deleted AFTER its named queries
+  "AWS::Athena::WorkGroup": ["AWS::Athena::NamedQuery"],
+  // CloudFront managed-policy-style resources must be deleted AFTER
+  // any Distribution that references them
+  "AWS::CloudFront::ResponseHeadersPolicy": ["AWS::CloudFront::Distribution"],
+  "AWS::CloudFront::CachePolicy": ["AWS::CloudFront::Distribution"],
+  "AWS::CloudFront::OriginAccessControl": ["AWS::CloudFront::Distribution"],
+  // VPC must be deleted AFTER all VPC-dependent resources
+  "AWS::EC2::VPC": [
+    "AWS::EC2::Subnet",
+    "AWS::EC2::SecurityGroup",
+    "AWS::EC2::InternetGateway",
+    "AWS::EC2::EgressOnlyInternetGateway",
+    "AWS::EC2::VPCGatewayAttachment",
+    "AWS::EC2::RouteTable"
+  ],
+  // Subnet must be deleted AFTER any Lambda that may still hold an ENI
+  // in it. Lambda DELETE returns immediately but the ENI is detached
+  // asynchronously by AWS, so deleting the Subnet first races the detach
+  // and yields "DependencyViolation".
+  "AWS::EC2::Subnet": ["AWS::EC2::SubnetRouteTableAssociation", "AWS::Lambda::Function"],
+  // RouteTable must be deleted AFTER Route and Association
+  "AWS::EC2::RouteTable": ["AWS::EC2::Route", "AWS::EC2::SubnetRouteTableAssociation"],
+  // SecurityGroup must be deleted AFTER any Lambda whose ENI is bound
+  // to it (same ENI-detach race as Subnet above).
+  "AWS::EC2::SecurityGroup": [
+    "AWS::EC2::SecurityGroupIngress",
+    "AWS::EC2::SecurityGroupEgress",
+    "AWS::Lambda::Function"
+  ]
+};
+
 // src/deployment/deploy-engine.ts
-import pLimit from "p-limit";
 var InterruptedError = class extends Error {
   constructor() {
     super("Deployment interrupted by user (Ctrl+C)");
     this.name = "InterruptedError";
   }
 };
-var DeployEngine = class _DeployEngine {
+var DeployEngine = class {
   constructor(stateBackend, lockManager, dagBuilder, diffCalculator, providerRegistry, options = {}, stackRegion) {
     this.stateBackend = stateBackend;
     this.lockManager = lockManager;
@@ -7127,6 +7345,7 @@ var DeployEngine = class _DeployEngine {
         template,
         currentState,
         changes,
+        dag,
         executionLevels,
         stackName,
         parameterValues,
@@ -7159,13 +7378,16 @@ var DeployEngine = class _DeployEngine {
     }
   }
   /**
-   * Execute deployment by processing resources in DAG order
+   * Execute deployment by processing resources via event-driven DAG dispatch.
    *
-   * Important: DELETE operations are executed in reverse dependency order,
-   * while CREATE/UPDATE follow normal dependency order.
-   */
-  async executeDeployment(template, currentState, changes, executionLevels, stackName, parameterValues, conditions, currentEtag, progress) {
-    const limit = pLimit(this.options.concurrency);
+   * - CREATE/UPDATE follow forward dependency order (a node starts as soon as
+   *   ALL of its dependencies are completed — does not wait for unrelated
+   *   siblings in the same "level")
+   * - DELETE follows reverse dependency order (a node starts as soon as all
+   *   resources that depend ON it have finished deleting)
+   */
+  async executeDeployment(template, currentState, changes, dag, executionLevels, stackName, parameterValues, conditions, currentEtag, progress) {
+    const concurrency = this.options.concurrency;
     const newResources = { ...currentState.resources };
     const actualCounts = { created: 0, updated: 0, deleted: 0, skipped: 0 };
     const completedOperations = [];
@@ -7196,32 +7418,36 @@ var DeployEngine = class _DeployEngine {
       Array.from(changes.entries()).filter(([_, change]) => change.changeType === "DELETE").map(([logicalId]) => logicalId)
     );
     try {
-      for (let levelIndex = 0; levelIndex < executionLevels.length; levelIndex++) {
-        if (this.interrupted) {
-          throw new InterruptedError();
-        }
-        const levelNodes = executionLevels[levelIndex];
-        if (!levelNodes)
+      const createUpdateIds = [];
+      for (const [id, change] of changes.entries()) {
+        if (deleteChanges.has(id))
           continue;
-        const level = levelNodes.filter((id) => {
-          if (deleteChanges.has(id))
-            return false;
-          const change = changes.get(id);
-          return !!change && change.changeType !== "NO_CHANGE";
-        });
-        if (level.length === 0)
+        if (change.changeType === "NO_CHANGE")
           continue;
+        createUpdateIds.push(id);
+      }
+      if (createUpdateIds.length > 0) {
         this.logger.info(
-          `Level ${levelIndex + 1}/${executionLevels.length} (${level.length} resources)`
+          `Deploying ${createUpdateIds.length} resource(s) (DAG: ${executionLevels.length} levels, max parallel: ${concurrency})`
         );
-        const results = await Promise.allSettled(
-          level.map(
-            (logicalId) => limit(async () => {
-              const change = changes.get(logicalId);
-              if (!change || change.changeType === "NO_CHANGE") {
-                this.logger.debug(`Skipping ${logicalId} (no change)`);
-                return;
-              }
+        const createUpdateExecutor = new DagExecutor();
+        const provisionable = new Set(createUpdateIds);
+        for (const id of createUpdateIds) {
+          const allDeps = this.dagBuilder.getDirectDependencies(dag, id);
+          const deps = new Set(allDeps.filter((d) => provisionable.has(d)));
+          createUpdateExecutor.add({
+            id,
+            dependencies: deps,
+            state: "pending",
+            data: changes.get(id)
+          });
+        }
+        try {
+          await createUpdateExecutor.execute(
+            concurrency,
+            async (node) => {
+              const logicalId = node.id;
+              const change = node.data;
               const previousState = currentState.resources[logicalId] ? { ...currentState.resources[logicalId] } : void 0;
               try {
                 await this.provisionResource(
@@ -7248,30 +7474,36 @@ var DeployEngine = class _DeployEngine {
                 properties: newResources[logicalId]?.properties
               });
               saveStateAfterResource(logicalId);
-            })
-          )
-        );
-        await saveChain;
-        const failures = results.filter((r) => r.status === "rejected");
-        if (failures.length > 0) {
-          throw failures[0].reason;
+            },
+            () => this.interrupted
+          );
+        } finally {
+          await saveChain;
+        }
+        if (this.interrupted && this.hasPending(createUpdateExecutor)) {
+          throw new InterruptedError();
         }
       }
       if (deleteChanges.size > 0) {
         this.logger.info(`Deleting ${deleteChanges.size} resource(s)`);
-        const deletionLevels = this.buildDeletionLevels(deleteChanges, currentState);
-        for (let levelIndex = 0; levelIndex < deletionLevels.length; levelIndex++) {
-          if (this.interrupted) {
-            throw new InterruptedError();
-          }
-          const level = deletionLevels[levelIndex];
-          if (level.length === 0)
-            continue;
-          const deleteResults = await Promise.allSettled(
-            level.map(
-              (logicalId) => limit(async () => {
-                const change = changes.get(logicalId);
-                const previousState = currentState.resources[logicalId] ? { ...currentState.resources[logicalId] } : void 0;
+        const deleteDeps = this.buildDeletionDependencies(deleteChanges, currentState);
+        const deleteExecutor = new DagExecutor();
+        for (const id of deleteChanges) {
+          deleteExecutor.add({
+            id,
+            dependencies: deleteDeps.get(id) ?? /* @__PURE__ */ new Set(),
+            state: "pending",
+            data: changes.get(id)
+          });
+        }
+        try {
+          await deleteExecutor.execute(
+            concurrency,
+            async (node) => {
+              const logicalId = node.id;
+              const change = node.data;
+              const previousState = currentState.resources[logicalId] ? { ...currentState.resources[logicalId] } : void 0;
+              try {
                 await this.provisionResource(
                   logicalId,
                   change,
@@ -7283,23 +7515,25 @@ var DeployEngine = class _DeployEngine {
                   actualCounts,
                   progress
                 );
-                completedOperations.push({
-                  logicalId,
-                  changeType: "DELETE",
-                  resourceType: change.resourceType,
-                  previousState
-                });
-                saveStateAfterResource(logicalId);
-              })
-            )
+              } catch (provisionError) {
+                this.interrupted = true;
+                throw provisionError;
+              }
+              completedOperations.push({
+                logicalId,
+                changeType: "DELETE",
+                resourceType: change.resourceType,
+                previousState
+              });
+              saveStateAfterResource(logicalId);
+            },
+            () => this.interrupted
           );
+        } finally {
           await saveChain;
-          const deleteFailures = deleteResults.filter(
-            (r) => r.status === "rejected"
-          );
-          if (deleteFailures.length > 0) {
-            throw deleteFailures[0].reason;
-          }
+        }
+        if (this.interrupted && this.hasPending(deleteExecutor)) {
+          throw new InterruptedError();
         }
       }
     } catch (error) {
@@ -7393,12 +7627,12 @@ var DeployEngine = class _DeployEngine {
    * - UPDATE → update back to previous properties
    * - DELETE → cannot rollback (resource already deleted), log warning
    *
-   * Resources created in the same DAG level may have dependencies between them
-   * (e.g., IAM Policy depends on IAM Role). When rolling back CREATEs (deleting),
-   * dependent resources must be deleted before their dependencies. This method
-   * sorts CREATE rollback operations using dependency information from state,
-   * then processes UPDATE/DELETE rollbacks, and finally processes sorted CREATE
-   * rollback deletions.
+   * Resources completed concurrently in the dispatcher may have dependencies
+   * between them (e.g., IAM Policy depends on IAM Role). When rolling back
+   * CREATEs (deleting), dependent resources must be deleted before their
+   * dependencies. This method sorts CREATE rollback operations using dependency
+   * information from state, then processes UPDATE/DELETE rollbacks, and finally
+   * processes sorted CREATE rollback deletions.
    */
   async performRollback(completedOperations, stateResources, _stackName) {
     if (completedOperations.length === 0) {
@@ -7431,7 +7665,7 @@ var DeployEngine = class _DeployEngine {
    * Sort CREATE rollback operations so that resources depending on others
    * are deleted first (reverse dependency order).
    *
-   * Uses state dependencies to build deletion levels, similar to buildDeletionLevels.
+   * Uses state dependencies to determine reverse-dependency order, similar to buildDeletionDependencies.
    */
   sortRollbackCreates(createOps, stateResources) {
     const opMap = /* @__PURE__ */ new Map();
@@ -7822,48 +8056,34 @@ var DeployEngine = class _DeployEngine {
     const deps = parser.extractDependencies(resource);
     return deps.size > 0 ? [...deps] : void 0;
   }
+  // Type-based implicit deletion ordering rules are defined in
+  // src/analyzer/implicit-delete-deps.ts so the deploy DELETE phase and the
+  // standalone destroy command apply the same rules.
   /**
-   * Implicit dependency map for correct deletion order.
+   * Build a per-resource map of "must be deleted before me" dependencies for
+   * the DELETE phase, derived from state-recorded dependencies plus implicit
+   * type-based ordering rules.
    *
-   * Key = resource type that must be deleted AFTER all value types are deleted.
-   * Value = resource types that must be deleted BEFORE the key type.
-   *
-   * Example: InternetGateway depends on VPCGatewayAttachment being deleted first,
-   * because AWS won't let you delete an IGW while it's still attached to a VPC.
-   */
-  static IMPLICIT_DELETE_DEPENDENCIES = {
-    // IGW must be deleted AFTER VPCGatewayAttachment
-    "AWS::EC2::InternetGateway": ["AWS::EC2::VPCGatewayAttachment"],
-    // EventBus must be deleted AFTER Rules on that bus
-    "AWS::Events::EventBus": ["AWS::Events::Rule"],
-    // VPC must be deleted AFTER all VPC-dependent resources
-    "AWS::EC2::VPC": [
-      "AWS::EC2::Subnet",
-      "AWS::EC2::SecurityGroup",
-      "AWS::EC2::InternetGateway",
-      "AWS::EC2::EgressOnlyInternetGateway",
-      "AWS::EC2::VPCGatewayAttachment",
-      "AWS::EC2::RouteTable"
-    ],
-    // Subnet must be deleted AFTER RouteTableAssociation
-    "AWS::EC2::Subnet": ["AWS::EC2::SubnetRouteTableAssociation"],
-    // RouteTable must be deleted AFTER Route and Association
-    "AWS::EC2::RouteTable": ["AWS::EC2::Route", "AWS::EC2::SubnetRouteTableAssociation"],
-    // SecurityGroup must be deleted AFTER SecurityGroupIngress/Egress
-    "AWS::EC2::SecurityGroup": ["AWS::EC2::SecurityGroupIngress", "AWS::EC2::SecurityGroupEgress"]
-  };
+   * For a resource X, the returned set contains every resource Y such that Y
+   * must finish deleting before X starts — i.e., Y depends on X (or is otherwise
+   * required to vanish first per implicit type rules).
+   */
   /**
-   * Build deletion levels from state dependencies (reverse topological order).
-   * Resources that are depended upon by others are deleted LAST.
+   * Returns true if the executor still has un-started pending nodes —
+   * used to distinguish "SIGINT cancelled real work" from "SIGINT landed
+   * after all nodes already completed" (the latter should not error).
    */
-  buildDeletionLevels(deleteIds, state) {
+  hasPending(executor) {
+    for (const node of executor.values()) {
+      if (node.state === "pending")
+        return true;
+    }
+    return false;
+  }
+  buildDeletionDependencies(deleteIds, state) {
     const dependedBy = /* @__PURE__ */ new Map();
-    const inDegree = /* @__PURE__ */ new Map();
     for (const id of deleteIds) {
-      if (!dependedBy.has(id))
-        dependedBy.set(id, /* @__PURE__ */ new Set());
-      if (!inDegree.has(id))
-        inDegree.set(id, 0);
+      dependedBy.set(id, /* @__PURE__ */ new Set());
     }
     for (const id of deleteIds) {
       const resource = state.resources[id];
@@ -7872,38 +8092,11 @@ var DeployEngine = class _DeployEngine {
       for (const dep of resource.dependencies) {
         if (!deleteIds.has(dep))
           continue;
-        if (!dependedBy.has(dep))
-          dependedBy.set(dep, /* @__PURE__ */ new Set());
         dependedBy.get(dep).add(id);
-        inDegree.set(id, (inDegree.get(id) ?? 0) + 1);
       }
     }
     this.addImplicitDeleteDependencies(deleteIds, state, dependedBy);
-    const levels = [];
-    let remaining = new Set(deleteIds);
-    while (remaining.size > 0) {
-      const level = [];
-      for (const id of remaining) {
-        const dependents = dependedBy.get(id);
-        const hasPendingDependents = dependents ? [...dependents].some((d) => remaining.has(d)) : false;
-        if (!hasPendingDependents) {
-          level.push(id);
-        }
-      }
-      if (level.length === 0) {
-        this.logger.warn(
-          `Circular dependency detected in delete order, deleting remaining ${remaining.size} resources`
-        );
-        levels.push([...remaining]);
-        break;
-      }
-      levels.push(level);
-      remaining = new Set([...remaining].filter((id) => !level.includes(id)));
-    }
-    this.logger.debug(
-      `Delete order: ${levels.length} levels - ${levels.map((l, i) => `L${i + 1}(${l.length})`).join(", ")}`
-    );
-    return levels;
+    return dependedBy;
   }
   /**
    * Add implicit delete dependency edges based on resource type relationships.
@@ -7931,7 +8124,7 @@ var DeployEngine = class _DeployEngine {
       const resource = state.resources[id];
       if (!resource)
         continue;
-      const mustDeleteAfter = _DeployEngine.IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
+      const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
       if (!mustDeleteAfter)
         continue;
       for (const depType of mustDeleteAfter) {