@go-to-k/cdkd 0.2.0 → 0.3.1

package/dist/cli.js

@@ -3533,6 +3533,60 @@ var TemplateParser = class {
   }
 };
 
+// src/analyzer/lambda-vpc-deps.ts
+function extractLambdaVpcDeleteDeps(resources) {
+  const edges = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const [lambdaId, resource] of Object.entries(resources)) {
+    if (resource.Type !== "AWS::Lambda::Function")
+      continue;
+    const vpcConfig = (resource.Properties ?? {})["VpcConfig"];
+    if (!isObject(vpcConfig))
+      continue;
+    const targets = /* @__PURE__ */ new Set();
+    collectRefIds(vpcConfig["SubnetIds"], targets);
+    collectRefIds(vpcConfig["SecurityGroupIds"], targets);
+    for (const targetId of targets) {
+      if (targetId === lambdaId)
+        continue;
+      if (!(targetId in resources))
+        continue;
+      const key = `${lambdaId}\0${targetId}`;
+      if (seen.has(key))
+        continue;
+      seen.add(key);
+      edges.push({ before: lambdaId, after: targetId });
+    }
+  }
+  return edges;
+}
+function isObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function collectRefIds(value, out) {
+  if (value === null || value === void 0)
+    return;
+  if (Array.isArray(value)) {
+    for (const item of value)
+      collectRefIds(item, out);
+    return;
+  }
+  if (!isObject(value))
+    return;
+  if (typeof value["Ref"] === "string") {
+    const ref = value["Ref"];
+    if (!ref.startsWith("AWS::"))
+      out.add(ref);
+    return;
+  }
+  if (Array.isArray(value["Fn::GetAtt"])) {
+    const arr = value["Fn::GetAtt"];
+    if (typeof arr[0] === "string")
+      out.add(arr[0]);
+    return;
+  }
+}
+
 // src/analyzer/dag-builder.ts
 var { Graph, alg } = graphlib;
 var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
@@ -3581,6 +3635,7 @@ var DagBuilder = class {
     }
     this.logger.debug(`Dependency graph built: ${resourceIds.length} nodes, ${edgeCount} edges`);
     edgeCount += this.addCustomResourcePolicyEdges(graph, template);
+    edgeCount += this.addLambdaVpcEdges(graph, template);
     if (!alg.isAcyclic(graph)) {
       const cycles = this.findCycles(graph);
       throw new DependencyError(
@@ -3773,6 +3828,41 @@ var DagBuilder = class {
     }
     return added;
   }
+  /**
+   * Add edges from Subnets / SecurityGroups referenced by an
+   * AWS::Lambda::Function VpcConfig to the Lambda itself.
+   *
+   * Same direction as a normal `Ref`-derived edge (Subnet -> Lambda), so for
+   * deploy this just duplicates what extractDependencies already produced.
+   * The point is robustness: if a future template massages the VpcConfig
+   * shape in a way the recursive extractor doesn't anticipate, this pass
+   * still ties the Lambda to its networking resources so that the
+   * deletion-time reverse traversal continues to delete Lambda before
+   * Subnet / SecurityGroup.
+   *
+   * Returns the number of NEW edges added (existing edges are skipped).
+   */
+  addLambdaVpcEdges(graph, template) {
+    const edges = extractLambdaVpcDeleteDeps(template.Resources);
+    if (edges.length === 0)
+      return 0;
+    let added = 0;
+    for (const edge of edges) {
+      const depId = edge.after;
+      const dependentId = edge.before;
+      if (!graph.hasNode(depId) || !graph.hasNode(dependentId))
+        continue;
+      if (graph.hasEdge(depId, dependentId))
+        continue;
+      graph.setEdge(depId, dependentId);
+      added++;
+      this.logger.debug(`Added implicit edge (lambda vpc): ${depId} -> ${dependentId}`);
+    }
+    if (added > 0) {
+      this.logger.debug(`Added ${added} implicit edges for Lambda VpcConfig`);
+    }
+    return added;
+  }
   isCustomResourceType(type) {
     return type === "AWS::CloudFormation::CustomResource" || type.startsWith("Custom::");
   }
@@ -4688,8 +4778,8 @@ var IntrinsicFunctionResolver = class {
           return resource.attributes?.["CidrBlock"] || resource.properties?.["CidrBlock"];
         case "Ipv6CidrBlocks": {
           try {
-            const { EC2Client: EC2Client8, DescribeVpcsCommand: DescribeVpcsCommand3 } = await import("@aws-sdk/client-ec2");
-            const ec2 = new EC2Client8({ region: this.resolverRegion });
+            const { EC2Client: EC2Client9, DescribeVpcsCommand: DescribeVpcsCommand3 } = await import("@aws-sdk/client-ec2");
+            const ec2 = new EC2Client9({ region: this.resolverRegion });
             const maxAttempts = 15;
             for (let attempt = 1; attempt <= maxAttempts; attempt++) {
               const resp = await ec2.send(new DescribeVpcsCommand3({ VpcIds: [physicalId] }));
@@ -10897,9 +10987,14 @@ import {
   GetFunctionCommand,
   ResourceNotFoundException
 } from "@aws-sdk/client-lambda";
+import {
+  DescribeNetworkInterfacesCommand,
+  DeleteNetworkInterfaceCommand
+} from "@aws-sdk/client-ec2";
 init_aws_clients();
 var LambdaFunctionProvider = class {
   lambdaClient;
+  ec2Client;
   logger = getLogger().child("LambdaFunctionProvider");
   handledProperties = /* @__PURE__ */ new Map([
     [
@@ -10919,13 +11014,22 @@ var LambdaFunctionProvider = class {
         "Architectures",
         "PackageType",
         "TracingConfig",
-        "EphemeralStorage"
+        "EphemeralStorage",
+        "VpcConfig"
       ])
     ]
   ]);
+  // ENI detach polling configuration (overridable for tests).
+  // Lambda VPC ENI detach is async and can take 20-40 minutes in the worst case;
+  // we poll up to 10 minutes and then warn-and-continue, since downstream Subnet/SG
+  // deletion has its own retry logic that handles a small remaining window.
+  eniWaitTimeoutMs = 10 * 60 * 1e3;
+  eniWaitInitialDelayMs = 1e4;
+  eniWaitMaxDelayMs = 3e4;
   constructor() {
     const awsClients = getAwsClients();
     this.lambdaClient = awsClients.lambda;
+    this.ec2Client = awsClients.ec2;
   }
   /**
    * Create a Lambda function
@@ -10973,6 +11077,7 @@ var LambdaFunctionProvider = class {
         PackageType: properties["PackageType"],
         TracingConfig: properties["TracingConfig"],
         EphemeralStorage: properties["EphemeralStorage"],
+        VpcConfig: this.buildVpcConfig(properties["VpcConfig"]),
         Tags: tags
       };
       const response = await this.lambdaClient.send(new CreateFunctionCommand(createParams));
@@ -11011,7 +11116,8 @@ var LambdaFunctionProvider = class {
         "Environment",
         "Layers",
         "TracingConfig",
-        "EphemeralStorage"
+        "EphemeralStorage",
+        "VpcConfig"
       ];
       let hasConfigChanges = false;
       for (const field of configFields) {
@@ -11032,7 +11138,11 @@ var LambdaFunctionProvider = class {
           Environment: properties["Environment"],
           Layers: properties["Layers"],
           TracingConfig: properties["TracingConfig"],
-          EphemeralStorage: properties["EphemeralStorage"]
+          EphemeralStorage: properties["EphemeralStorage"],
+          VpcConfig: this.buildVpcConfigForUpdate(
+            properties["VpcConfig"],
+            previousProperties["VpcConfig"]
+          )
         };
         await this.lambdaClient.send(new UpdateFunctionConfigurationCommand(configParams));
         this.logger.debug(`Updated configuration for Lambda function ${physicalId}`);
@@ -11076,9 +11186,37 @@ var LambdaFunctionProvider = class {
   }
   /**
    * Delete a Lambda function
+   *
+   * For VPC-enabled Lambda functions, AWS detaches the hyperplane ENIs
+   * asynchronously after DeleteFunction returns. If we let downstream
+   * resource deletion (Subnet / SecurityGroup) proceed immediately, those
+   * deletions fail with "has dependencies" / "has a dependent object".
+   *
+   * To smooth this out, when properties carry a VpcConfig with subnets or
+   * security groups, we poll DescribeNetworkInterfaces for the function's
+   * managed ENIs and only return once they are gone (or the timeout elapses).
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, properties) {
     this.logger.debug(`Deleting Lambda function ${logicalId}: ${physicalId}`);
+    const hasVpcConfig = this.hasVpcConfig(properties?.["VpcConfig"]);
+    if (hasVpcConfig) {
+      try {
+        await this.lambdaClient.send(
+          new UpdateFunctionConfigurationCommand({
+            FunctionName: physicalId,
+            VpcConfig: { SubnetIds: [], SecurityGroupIds: [] }
+          })
+        );
+        this.logger.debug(`Detached VPC config from Lambda ${physicalId} before deletion`);
+      } catch (error) {
+        if (error instanceof ResourceNotFoundException) {
+          return;
+        }
+        this.logger.warn(
+          `Pre-delete VPC detach failed for ${physicalId}: ${error instanceof Error ? error.message : String(error)} \u2014 continuing with delete`
+        );
+      }
+    }
     try {
       await this.lambdaClient.send(new DeleteFunctionCommand({ FunctionName: physicalId }));
       this.logger.debug(`Successfully deleted Lambda function ${logicalId}`);
@@ -11096,6 +11234,183 @@ var LambdaFunctionProvider = class {
         cause
       );
     }
+    if (hasVpcConfig) {
+      await this.cleanupLambdaEnis(physicalId);
+    }
+  }
+  /**
+   * Build Lambda VpcConfig parameter from CDK properties.
+   *
+   * Returns undefined when VpcConfig is unset, so the SDK leaves the function
+   * outside any VPC. Returns an empty config (no subnets, no SGs) when caller
+   * explicitly clears it on update — that detaches the function from its VPC.
+   */
+  buildVpcConfig(raw) {
+    if (raw === void 0 || raw === null) {
+      return void 0;
+    }
+    if (typeof raw !== "object") {
+      return void 0;
+    }
+    const vpc = raw;
+    const result = {};
+    if (Array.isArray(vpc["SubnetIds"])) {
+      result.SubnetIds = vpc["SubnetIds"];
+    }
+    if (Array.isArray(vpc["SecurityGroupIds"])) {
+      result.SecurityGroupIds = vpc["SecurityGroupIds"];
+    }
+    if (typeof vpc["Ipv6AllowedForDualStack"] === "boolean") {
+      result.Ipv6AllowedForDualStack = vpc["Ipv6AllowedForDualStack"];
+    }
+    return result;
+  }
+  /**
+   * Build VpcConfig for an update call, accounting for VPC detach.
+   *
+   * UpdateFunctionConfiguration treats an absent VpcConfig as "no change",
+   * so omitting it cannot move a function out of its existing VPC. To
+   * detach we must explicitly send empty SubnetIds / SecurityGroupIds.
+   */
+  buildVpcConfigForUpdate(newRaw, previousRaw) {
+    const next = this.buildVpcConfig(newRaw);
+    if (next) {
+      return next;
+    }
+    if (this.hasVpcConfig(previousRaw)) {
+      return { SubnetIds: [], SecurityGroupIds: [] };
+    }
+    return void 0;
+  }
+  /**
+   * Determine whether the function actually attaches to a VPC, i.e. has at
+   * least one Subnet ID. A bare VpcConfig with empty arrays does not create
+   * any ENIs, so we skip the wait in that case.
+   */
+  hasVpcConfig(raw) {
+    if (raw === void 0 || raw === null || typeof raw !== "object") {
+      return false;
+    }
+    const vpc = raw;
+    const subnets = vpc["SubnetIds"];
+    return Array.isArray(subnets) && subnets.length > 0;
+  }
+  /**
+   * Clean up Lambda-managed ENIs for the given function: list, then attempt
+   * DeleteNetworkInterface on each. Repeat until no matching ENIs remain
+   * or the configured timeout elapses.
+   *
+   * Why direct delete (not just wait): an `available` ENI still counts as a
+   * Subnet / SecurityGroup dependency, so DeleteSubnet / DeleteSecurityGroup
+   * fail until the ENI itself is gone. AWS's eventual cleanup of unused
+   * Lambda hyperplane ENIs can take well over an hour, which is far longer
+   * than any reasonable destroy budget. Calling DeleteNetworkInterface
+   * ourselves (best-effort) clears `available` ENIs in seconds.
+   *
+   * In-use ENIs (e.g. immediately after the pre-delete VPC detach) cannot
+   * be deleted yet — we swallow that error and retry on the next iteration
+   * once they transition to `available`.
+   *
+   * Lambda VPC ENI Descriptions follow the pattern
+   *   "AWS Lambda VPC ENI-<functionName>"
+   * (and historically "AWS Lambda VPC ENI-<functionName>-<uuid>"). We
+   * narrow the query with a `requester-id` filter and then match the
+   * function name as a hyphen-bounded token to avoid false positives like
+   * "myfn" matching for function "fn".
+   *
+   * Polling: starts at eniWaitInitialDelayMs (10s), exponential backoff up
+   * to eniWaitMaxDelayMs (30s), bounded by eniWaitTimeoutMs (10min).
+   * Timeout is a soft warning — downstream Subnet/SG deletion has its own
+   * retries.
+   */
+  async cleanupLambdaEnis(functionName) {
+    const start = Date.now();
+    let delay = this.eniWaitInitialDelayMs;
+    let attempt = 0;
+    this.logger.debug(
+      `Cleaning up Lambda VPC ENIs for function ${functionName} (timeout ${this.eniWaitTimeoutMs}ms)`
+    );
+    const descriptionNeedle = `AWS Lambda VPC ENI`;
+    const functionNamePattern = new RegExp(`(^|-)${escapeRegExp(functionName)}(-|$)`);
+    for (; ; ) {
+      attempt++;
+      let enis = [];
+      let listFailed = false;
+      try {
+        enis = await this.listLambdaEnis(descriptionNeedle, functionNamePattern);
+      } catch (error) {
+        this.logger.warn(
+          `DescribeNetworkInterfaces failed while cleaning up Lambda ENIs of ${functionName}: ${error instanceof Error ? error.message : String(error)}`
+        );
+        listFailed = true;
+      }
+      if (!listFailed && enis.length === 0) {
+        this.logger.debug(
+          `Lambda ENIs for ${functionName} fully cleaned up after ${attempt} attempt(s) / ${Date.now() - start}ms`
+        );
+        return;
+      }
+      if (enis.length > 0) {
+        await Promise.all(
+          enis.map(async (eni) => {
+            try {
+              await this.ec2Client.send(
+                new DeleteNetworkInterfaceCommand({ NetworkInterfaceId: eni.id })
+              );
+              this.logger.debug(`Deleted Lambda ENI ${eni.id} for ${functionName}`);
+            } catch (error) {
+              this.logger.debug(
+                `ENI ${eni.id} (status=${eni.status}) not yet deletable: ${error instanceof Error ? error.message : String(error)}`
+              );
+            }
+          })
+        );
+      }
+      const elapsed = Date.now() - start;
+      if (elapsed >= this.eniWaitTimeoutMs) {
+        this.logger.warn(
+          `Timeout (${this.eniWaitTimeoutMs}ms) cleaning up Lambda VPC ENIs of ${functionName} (${enis.length} remaining). Continuing \u2014 downstream Subnet/SG deletion will retry as needed.`
+        );
+        return;
+      }
+      const remaining = this.eniWaitTimeoutMs - elapsed;
+      const sleepMs = Math.min(delay, remaining);
+      await this.sleep(sleepMs);
+      delay = Math.min(delay * 2, this.eniWaitMaxDelayMs);
+    }
+  }
+  /**
+   * List Lambda-managed ENIs for the given function, paginating through
+   * DescribeNetworkInterfaces and filtering on Description substring.
+   *
+   * Server-side filter (`description`) does not support wildcards on this
+   * API, so we narrow with `requester-id` + match Description client-side.
+   */
+  async listLambdaEnis(descriptionNeedle, functionNamePattern) {
+    const enis = [];
+    let nextToken;
+    do {
+      const resp = await this.ec2Client.send(
+        new DescribeNetworkInterfacesCommand({
+          Filters: [
+            // Lambda hyperplane ENIs are owned by the Lambda service principal.
+            { Name: "requester-id", Values: ["*:awslambda_*"] }
+          ],
+          NextToken: nextToken
+        })
+      );
+      for (const ni of resp.NetworkInterfaces ?? []) {
+        const desc = ni.Description ?? "";
+        if (ni.NetworkInterfaceId && desc.includes(descriptionNeedle) && functionNamePattern.test(desc)) {
+          enis.push({ id: ni.NetworkInterfaceId, status: ni.Status ?? "unknown" });
+        }
+      }
+      nextToken = resp.NextToken;
+    } while (nextToken);
+    return enis;
+  }
+  sleep(ms) {
+    return new Promise((resolve4) => setTimeout(resolve4, ms));
   }
   /**
    * Build Lambda Code parameter from CDK properties
@@ -11182,6 +11497,9 @@ var LambdaFunctionProvider = class {
     return (crc ^ 4294967295) >>> 0;
   }
 };
+function escapeRegExp(input) {
+  return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 
 // src/provisioning/providers/lambda-permission-provider.ts
 import {
@@ -13505,6 +13823,8 @@ import {
   DeleteSecurityGroupCommand,
   AuthorizeSecurityGroupIngressCommand,
   RevokeSecurityGroupIngressCommand,
+  AuthorizeSecurityGroupEgressCommand,
+  RevokeSecurityGroupEgressCommand,
   CreateTagsCommand,
   DescribeSubnetsCommand as DescribeSubnetsCommand2,
   DescribeSecurityGroupsCommand as DescribeSecurityGroupsCommand2,
@@ -13554,7 +13874,14 @@ var EC2Provider = class {
     ["AWS::EC2::SubnetRouteTableAssociation", /* @__PURE__ */ new Set(["SubnetId", "RouteTableId"])],
     [
       "AWS::EC2::SecurityGroup",
-      /* @__PURE__ */ new Set(["GroupDescription", "GroupName", "VpcId", "SecurityGroupIngress", "Tags"])
+      /* @__PURE__ */ new Set([
+        "GroupDescription",
+        "GroupName",
+        "VpcId",
+        "SecurityGroupIngress",
+        "SecurityGroupEgress",
+        "Tags"
+      ])
     ],
     [
       "AWS::EC2::SecurityGroupIngress",
@@ -13565,7 +13892,8 @@ var EC2Provider = class {
         "ToPort",
         "CidrIp",
         "Description",
-        "SourceSecurityGroupId"
+        "SourceSecurityGroupId",
+        "SourceSecurityGroupOwnerId"
       ])
     ],
     [
@@ -13664,7 +13992,13 @@ var EC2Provider = class {
       case "AWS::EC2::SubnetRouteTableAssociation":
         return this.updateSubnetRouteTableAssociation(logicalId, physicalId);
       case "AWS::EC2::SecurityGroup":
-        return this.updateSecurityGroup(logicalId, physicalId, resourceType, properties);
+        return this.updateSecurityGroup(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
       case "AWS::EC2::SecurityGroupIngress":
         return this.updateSecurityGroupIngress(
           logicalId,
@@ -14389,6 +14723,34 @@ var EC2Provider = class {
           );
         }
       }
+      const egressRules = properties["SecurityGroupEgress"];
+      if (egressRules && Array.isArray(egressRules)) {
+        try {
+          await this.ec2Client.send(
+            new RevokeSecurityGroupEgressCommand({
+              GroupId: groupId,
+              IpPermissions: [
+                {
+                  IpProtocol: "-1",
+                  IpRanges: [{ CidrIp: "0.0.0.0/0" }]
+                }
+              ]
+            })
+          );
+        } catch (error) {
+          if (!this.isNotFoundError(error)) {
+            throw error;
+          }
+        }
+        for (const rule of egressRules) {
+          await this.ec2Client.send(
+            new AuthorizeSecurityGroupEgressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "egress")]
+            })
+          );
+        }
+      }
       this.logger.debug(`Successfully created SecurityGroup ${logicalId}: ${groupId}`);
       return {
         physicalId: groupId,
@@ -14408,10 +14770,22 @@ var EC2Provider = class {
       );
     }
   }
-  async updateSecurityGroup(logicalId, physicalId, resourceType, properties) {
+  async updateSecurityGroup(logicalId, physicalId, resourceType, properties, previousProperties) {
     this.logger.debug(`Updating SecurityGroup ${logicalId}: ${physicalId}`);
     try {
       await this.applyTags(physicalId, properties, logicalId);
+      await this.applySecurityGroupRuleDiff(
+        physicalId,
+        previousProperties["SecurityGroupIngress"] ?? [],
+        properties["SecurityGroupIngress"] ?? [],
+        "ingress"
+      );
+      await this.applySecurityGroupRuleDiff(
+        physicalId,
+        previousProperties["SecurityGroupEgress"] ?? [],
+        properties["SecurityGroupEgress"] ?? [],
+        "egress"
+      );
       this.logger.debug(`Successfully updated SecurityGroup ${logicalId}`);
       return {
         physicalId,
@@ -14769,9 +15143,13 @@ var EC2Provider = class {
   }
   // ─── Helpers ──────────────────────────────────────────────────────
   /**
-   * Build an IpPermission object from CloudFormation-style properties
+   * Build an IpPermission object from CloudFormation-style properties.
+   *
+   * The EC2 IpPermission shape is identical for ingress and egress; only the
+   * CFn property names that point to the "other" security group differ
+   * (SourceSecurityGroupId vs DestinationSecurityGroupId).
    */
-  buildIpPermission(properties) {
+  buildIpPermission(properties, direction = "ingress") {
     const ipProtocol = properties["IpProtocol"] ?? "-1";
     const fromPort = properties["FromPort"];
     const toPort = properties["ToPort"];
@@ -14781,6 +15159,7 @@ var EC2Provider = class {
     if (toPort !== void 0)
       permission.ToPort = toPort;
     const cidrIp = properties["CidrIp"];
+    const cidrIpv6 = properties["CidrIpv6"];
     const description = properties["Description"];
     if (cidrIp) {
       const ipRange = { CidrIp: cidrIp };
@@ -14788,17 +15167,124 @@ var EC2Provider = class {
         ipRange.Description = description;
       permission.IpRanges = [ipRange];
     }
-    const sourceSecurityGroupId = properties["SourceSecurityGroupId"];
-    if (sourceSecurityGroupId) {
+    if (cidrIpv6) {
+      const ipv6Range = { CidrIpv6: cidrIpv6 };
+      if (description)
+        ipv6Range.Description = description;
+      permission.Ipv6Ranges = [ipv6Range];
+    }
+    const peerGroupId = direction === "egress" ? properties["DestinationSecurityGroupId"] : properties["SourceSecurityGroupId"];
+    if (peerGroupId) {
       const groupPair = {
-        GroupId: sourceSecurityGroupId
+        GroupId: peerGroupId
       };
+      if (direction === "ingress") {
+        const peerOwnerId = properties["SourceSecurityGroupOwnerId"];
+        if (peerOwnerId)
+          groupPair.UserId = peerOwnerId;
+      }
       if (description)
         groupPair.Description = description;
       permission.UserIdGroupPairs = [groupPair];
     }
+    const prefixListId = direction === "egress" ? properties["DestinationPrefixListId"] : properties["SourcePrefixListId"];
+    if (prefixListId) {
+      const prefixEntry = {
+        PrefixListId: prefixListId
+      };
+      if (description)
+        prefixEntry.Description = description;
+      permission.PrefixListIds = [prefixEntry];
+    }
     return permission;
   }
+  /**
+   * Compute the diff between two sets of SecurityGroup rule definitions
+   * (ingress or egress) and apply the resulting authorize/revoke calls.
+   *
+   * Rules are identified by a deterministic key derived from their full
+   * shape — protocol, ports, CIDR, peer group, prefix list, description —
+   * so updating any of those fields counts as a replacement (revoke + authorize).
+   */
+  async applySecurityGroupRuleDiff(groupId, previousRules, nextRules, direction) {
+    const ruleKey = (rule) => {
+      const peerKey = direction === "egress" ? rule["DestinationSecurityGroupId"] : rule["SourceSecurityGroupId"];
+      const prefixKey = direction === "egress" ? rule["DestinationPrefixListId"] : rule["SourcePrefixListId"];
+      const peerOwner = direction === "ingress" ? rule["SourceSecurityGroupOwnerId"] : void 0;
+      return JSON.stringify({
+        p: rule["IpProtocol"] ?? "-1",
+        f: rule["FromPort"] ?? null,
+        t: rule["ToPort"] ?? null,
+        c4: rule["CidrIp"] ?? null,
+        c6: rule["CidrIpv6"] ?? null,
+        peer: peerKey ?? null,
+        peerOwner: peerOwner ?? null,
+        pl: prefixKey ?? null,
+        d: rule["Description"] ?? null
+      });
+    };
+    const prevByKey = /* @__PURE__ */ new Map();
+    for (const rule of previousRules)
+      prevByKey.set(ruleKey(rule), rule);
+    const nextByKey = /* @__PURE__ */ new Map();
+    for (const rule of nextRules)
+      nextByKey.set(ruleKey(rule), rule);
+    const toRevoke = [];
+    for (const [key, rule] of prevByKey) {
+      if (!nextByKey.has(key))
+        toRevoke.push(rule);
+    }
+    const toAuthorize = [];
+    for (const [key, rule] of nextByKey) {
+      if (!prevByKey.has(key))
+        toAuthorize.push(rule);
+    }
+    for (const rule of toRevoke) {
+      try {
+        if (direction === "egress") {
+          await this.ec2Client.send(
+            new RevokeSecurityGroupEgressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "egress")]
+            })
+          );
+        } else {
+          await this.ec2Client.send(
+            new RevokeSecurityGroupIngressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "ingress")]
+            })
+          );
+        }
+      } catch (error) {
+        if (!this.isNotFoundError(error))
+          throw error;
+      }
+    }
+    for (const rule of toAuthorize) {
+      try {
+        if (direction === "egress") {
+          await this.ec2Client.send(
+            new AuthorizeSecurityGroupEgressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "egress")]
+            })
+          );
+        } else {
+          await this.ec2Client.send(
+            new AuthorizeSecurityGroupIngressCommand({
+              GroupId: groupId,
+              IpPermissions: [this.buildIpPermission(rule, "ingress")]
+            })
+          );
+        }
+      } catch (error) {
+        if (!(error instanceof Error && error.message.includes("already exists"))) {
+          throw error;
+        }
+      }
+    }
+  }
   // ─── AWS::EC2::NetworkAcl ────────────────────────────────────────
   async createNetworkAcl(logicalId, resourceType, properties) {
     this.logger.debug(`Creating NetworkAcl ${logicalId}`);
@@ -16719,7 +17205,7 @@ var CloudFrontDistributionProvider = class {
       this.logger.debug(`Created CloudFront Distribution: ${distributionId} (${domainName})`);
       if (process.env["CDKD_NO_WAIT"] !== "true") {
         this.logger.debug(`Waiting for Distribution ${distributionId} to reach Deployed status...`);
-        await this.waitForDistributionDeployed(distributionId);
+        await this.waitForDistributionStable(distributionId);
       }
       return {
         physicalId: distributionId,
@@ -16829,7 +17315,7 @@ var CloudFrontDistributionProvider = class {
           })
         );
         etag = updateResponse.ETag;
-        await this.waitForDistributionDeployed(physicalId);
+        await this.waitForDistributionStable(physicalId, false);
         const refreshResponse = await this.cloudFrontClient.send(
           new GetDistributionConfigCommand({ Id: physicalId })
         );
@@ -16873,10 +17359,16 @@ var CloudFrontDistributionProvider = class {
     throw new Error(`Unsupported attribute: ${attributeName} for AWS::CloudFront::Distribution`);
   }
   /**
-   * Wait for a distribution to reach "Deployed" status.
+   * Wait for a distribution to reach a stable state.
+   *
+   * "Stable" means Status === 'Deployed'. When `expectedEnabled` is provided,
+   * we additionally require DistributionConfig.Enabled === expectedEnabled —
+   * this guards against CloudFront's eventually-consistent reads that can
+   * briefly return the pre-update snapshot after UpdateDistribution returns.
+   *
    * Uses exponential backoff polling.
    */
-  async waitForDistributionDeployed(distributionId) {
+  async waitForDistributionStable(distributionId, expectedEnabled) {
     const maxAttempts = 60;
     let delay = 5e3;
     const maxDelay = 3e4;
@@ -16897,12 +17389,16 @@ var CloudFrontDistributionProvider = class {
           new GetDistributionCommand({ Id: distributionId })
         );
         const status = response.Distribution?.Status;
-        if (status === "Deployed") {
-          this.logger.debug(`Distribution ${distributionId} is now Deployed`);
+        const enabled = response.Distribution?.DistributionConfig?.Enabled;
+        const enabledMatches = expectedEnabled === void 0 || enabled === expectedEnabled;
+        if (status === "Deployed" && enabledMatches) {
+          this.logger.debug(
+            `Distribution ${distributionId} is stable (Status=Deployed, Enabled=${enabled})`
+          );
           return;
         }
         this.logger.debug(
-          `Distribution ${distributionId} status: ${status} (attempt ${attempt}/${maxAttempts})`
+          `Distribution ${distributionId} status: ${status}, enabled: ${enabled}` + (expectedEnabled === void 0 ? "" : ` (waiting for Enabled=${expectedEnabled})`) + ` (attempt ${attempt}/${maxAttempts})`
         );
         const sleepEnd = Date.now() + delay;
         while (Date.now() < sleepEnd && !interrupted) {
@@ -16911,7 +17407,7 @@ var CloudFrontDistributionProvider = class {
         delay = Math.min(delay * 1.5, maxDelay);
       }
       this.logger.debug(
-        `Distribution ${distributionId} did not reach Deployed status within timeout, proceeding with deletion attempt`
+        `Distribution ${distributionId} did not reach stable state within timeout, proceeding with next step`
       );
     } finally {
       process.removeListener("SIGINT", sigintHandler);
@@ -24137,7 +24633,7 @@ import {
   DeleteObjectsCommand as DeleteObjectsCommand2
 } from "@aws-sdk/client-s3";
 import { GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
-import { EC2Client as EC2Client7, DescribeAvailabilityZonesCommand as DescribeAvailabilityZonesCommand3 } from "@aws-sdk/client-ec2";
+import { EC2Client as EC2Client8, DescribeAvailabilityZonesCommand as DescribeAvailabilityZonesCommand3 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var S3DirectoryBucketProvider = class {
   s3Client;
@@ -24155,7 +24651,7 @@ var S3DirectoryBucketProvider = class {
   }
   getEc2Client() {
     if (!this.ec2Client) {
-      this.ec2Client = new EC2Client7(this.providerRegion ? { region: this.providerRegion } : {});
+      this.ec2Client = new EC2Client8(this.providerRegion ? { region: this.providerRegion } : {});
     }
     return this.ec2Client;
   }
@@ -25142,6 +25638,44 @@ var DagExecutor = class {
   }
 };
 
+// src/analyzer/implicit-delete-deps.ts
+var IMPLICIT_DELETE_DEPENDENCIES = {
+  // IGW must be deleted AFTER VPCGatewayAttachment
+  "AWS::EC2::InternetGateway": ["AWS::EC2::VPCGatewayAttachment"],
+  // EventBus must be deleted AFTER Rules on that bus
+  "AWS::Events::EventBus": ["AWS::Events::Rule"],
+  // Athena workgroup must be deleted AFTER its named queries
+  "AWS::Athena::WorkGroup": ["AWS::Athena::NamedQuery"],
+  // CloudFront managed-policy-style resources must be deleted AFTER
+  // any Distribution that references them
+  "AWS::CloudFront::ResponseHeadersPolicy": ["AWS::CloudFront::Distribution"],
+  "AWS::CloudFront::CachePolicy": ["AWS::CloudFront::Distribution"],
+  "AWS::CloudFront::OriginAccessControl": ["AWS::CloudFront::Distribution"],
+  // VPC must be deleted AFTER all VPC-dependent resources
+  "AWS::EC2::VPC": [
+    "AWS::EC2::Subnet",
+    "AWS::EC2::SecurityGroup",
+    "AWS::EC2::InternetGateway",
+    "AWS::EC2::EgressOnlyInternetGateway",
+    "AWS::EC2::VPCGatewayAttachment",
+    "AWS::EC2::RouteTable"
+  ],
+  // Subnet must be deleted AFTER any Lambda that may still hold an ENI
+  // in it. Lambda DELETE returns immediately but the ENI is detached
+  // asynchronously by AWS, so deleting the Subnet first races the detach
+  // and yields "DependencyViolation".
+  "AWS::EC2::Subnet": ["AWS::EC2::SubnetRouteTableAssociation", "AWS::Lambda::Function"],
+  // RouteTable must be deleted AFTER Route and Association
+  "AWS::EC2::RouteTable": ["AWS::EC2::Route", "AWS::EC2::SubnetRouteTableAssociation"],
+  // SecurityGroup must be deleted AFTER any Lambda whose ENI is bound
+  // to it (same ENI-detach race as Subnet above).
+  "AWS::EC2::SecurityGroup": [
+    "AWS::EC2::SecurityGroupIngress",
+    "AWS::EC2::SecurityGroupEgress",
+    "AWS::Lambda::Function"
+  ]
+};
+
 // src/deployment/deploy-engine.ts
 var InterruptedError = class extends Error {
   constructor() {
@@ -25149,7 +25683,7 @@ var InterruptedError = class extends Error {
     this.name = "InterruptedError";
   }
 };
-var DeployEngine = class _DeployEngine {
+var DeployEngine = class {
   constructor(stateBackend, lockManager, dagBuilder, diffCalculator, providerRegistry, options = {}, stackRegion) {
     this.stateBackend = stateBackend;
     this.lockManager = lockManager;
@@ -25986,36 +26520,9 @@ var DeployEngine = class _DeployEngine {
     const deps = parser.extractDependencies(resource);
     return deps.size > 0 ? [...deps] : void 0;
   }
-  /**
-   * Implicit dependency map for correct deletion order.
-   *
-   * Key = resource type that must be deleted AFTER all value types are deleted.
-   * Value = resource types that must be deleted BEFORE the key type.
-   *
-   * Example: InternetGateway depends on VPCGatewayAttachment being deleted first,
-   * because AWS won't let you delete an IGW while it's still attached to a VPC.
-   */
-  static IMPLICIT_DELETE_DEPENDENCIES = {
-    // IGW must be deleted AFTER VPCGatewayAttachment
-    "AWS::EC2::InternetGateway": ["AWS::EC2::VPCGatewayAttachment"],
-    // EventBus must be deleted AFTER Rules on that bus
-    "AWS::Events::EventBus": ["AWS::Events::Rule"],
-    // VPC must be deleted AFTER all VPC-dependent resources
-    "AWS::EC2::VPC": [
-      "AWS::EC2::Subnet",
-      "AWS::EC2::SecurityGroup",
-      "AWS::EC2::InternetGateway",
-      "AWS::EC2::EgressOnlyInternetGateway",
-      "AWS::EC2::VPCGatewayAttachment",
-      "AWS::EC2::RouteTable"
-    ],
-    // Subnet must be deleted AFTER RouteTableAssociation
-    "AWS::EC2::Subnet": ["AWS::EC2::SubnetRouteTableAssociation"],
-    // RouteTable must be deleted AFTER Route and Association
-    "AWS::EC2::RouteTable": ["AWS::EC2::Route", "AWS::EC2::SubnetRouteTableAssociation"],
-    // SecurityGroup must be deleted AFTER SecurityGroupIngress/Egress
-    "AWS::EC2::SecurityGroup": ["AWS::EC2::SecurityGroupIngress", "AWS::EC2::SecurityGroupEgress"]
-  };
+  // Type-based implicit deletion ordering rules are defined in
+  // src/analyzer/implicit-delete-deps.ts so the deploy DELETE phase and the
+  // standalone destroy command apply the same rules.
   /**
    * Build a per-resource map of "must be deleted before me" dependencies for
    * the DELETE phase, derived from state-recorded dependencies plus implicit
@@ -26081,7 +26588,7 @@ var DeployEngine = class _DeployEngine {
       const resource = state.resources[id];
       if (!resource)
         continue;
-      const mustDeleteAfter = _DeployEngine.IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
+      const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
       if (!mustDeleteAfter)
         continue;
       for (const depType of mustDeleteAfter) {
@@ -26867,27 +27374,6 @@ Acquiring lock for stack ${stackName}...`);
             }
           };
         }
-        const implicitDeleteDeps = {
-          "AWS::EC2::InternetGateway": ["AWS::EC2::VPCGatewayAttachment"],
-          "AWS::Events::EventBus": ["AWS::Events::Rule"],
-          "AWS::Athena::WorkGroup": ["AWS::Athena::NamedQuery"],
-          "AWS::CloudFront::ResponseHeadersPolicy": ["AWS::CloudFront::Distribution"],
-          "AWS::CloudFront::CachePolicy": ["AWS::CloudFront::Distribution"],
-          "AWS::CloudFront::OriginAccessControl": ["AWS::CloudFront::Distribution"],
-          "AWS::EC2::VPC": [
-            "AWS::EC2::Subnet",
-            "AWS::EC2::SecurityGroup",
-            "AWS::EC2::InternetGateway",
-            "AWS::EC2::VPCGatewayAttachment",
-            "AWS::EC2::RouteTable"
-          ],
-          "AWS::EC2::Subnet": ["AWS::EC2::SubnetRouteTableAssociation"],
-          "AWS::EC2::RouteTable": ["AWS::EC2::Route", "AWS::EC2::SubnetRouteTableAssociation"],
-          "AWS::EC2::SecurityGroup": [
-            "AWS::EC2::SecurityGroupIngress",
-            "AWS::EC2::SecurityGroupEgress"
-          ]
-        };
         const typeToLogicalIds = /* @__PURE__ */ new Map();
         for (const [logicalId, resource] of Object.entries(currentState.resources)) {
           const ids = typeToLogicalIds.get(resource.resourceType) ?? [];
@@ -26895,7 +27381,7 @@ Acquiring lock for stack ${stackName}...`);
           typeToLogicalIds.set(resource.resourceType, ids);
         }
         for (const [logicalId, resource] of Object.entries(currentState.resources)) {
-          const mustDeleteAfter = implicitDeleteDeps[resource.resourceType];
+          const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
           if (!mustDeleteAfter)
             continue;
           for (const depType of mustDeleteAfter) {
@@ -27119,7 +27605,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command8();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.2.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.3.1");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createDeployCommand());