npm - @go-to-k/cdkd - Versions diffs - 0.207.1 → 0.207.3 - Mend

@go-to-k/cdkd 0.207.1 → 0.207.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli.js +3 -3
package/dist/cli.js.map +1 -1
package/dist/{deploy-engine-CuJDHhTs.js → deploy-engine-ai3rix-L.js} +141 -19
package/dist/{deploy-engine-CuJDHhTs.js.map → deploy-engine-ai3rix-L.js.map} +1 -1
package/dist/index.js +1 -1
package/package.json +1 -1

package/dist/{deploy-engine-CuJDHhTs.js → deploy-engine-ai3rix-L.js} RENAMED Viewed

@@ -5,7 +5,7 @@ import { DeleteObjectCommand, GetBucketLocationCommand, GetObjectCommand, HeadBu
 import { CloudControlClient, CreateResourceCommand, DeleteResourceCommand, GetResourceCommand, GetResourceRequestStatusCommand, ListResourcesCommand, UpdateResourceCommand } from "@aws-sdk/client-cloudcontrol";
 import { AttachRolePolicyCommand, CreateRoleCommand, DeleteRoleCommand, DeleteRolePermissionsBoundaryCommand, DeleteRolePolicyCommand, DetachRolePolicyCommand, GetRoleCommand, GetRolePolicyCommand, IAMClient, ListAttachedRolePoliciesCommand, ListInstanceProfilesForRoleCommand, ListRolePoliciesCommand, ListRoleTagsCommand, ListRolesCommand, NoSuchEntityException, PutRolePermissionsBoundaryCommand, PutRolePolicyCommand, RemoveRoleFromInstanceProfileCommand, TagRoleCommand, UntagRoleCommand, UpdateAssumeRolePolicyCommand, UpdateRoleCommand } from "@aws-sdk/client-iam";
 import { PublishCommand, SNSClient } from "@aws-sdk/client-sns";
-import { GetFunctionUrlConfigCommand, InvokeCommand, LambdaClient, waitUntilFunctionActiveV2, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
+import { GetFunctionUrlConfigCommand, InvokeCommand, LambdaClient, UpdateFunctionConfigurationCommand, waitUntilFunctionActiveV2, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { DescribeAvailabilityZonesCommand, DescribeImagesCommand, DescribeLaunchTemplatesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVpcsCommand, DescribeVpnGatewaysCommand, EC2Client } from "@aws-sdk/client-ec2";
 import { DescribeTableCommand } from "@aws-sdk/client-dynamodb";
@@ -8454,6 +8454,22 @@ function parseLambdaPayload(payloadBytes) {
 	return parsed;
 }
 /**
+* IAM-authorization-propagation signals in a custom resource FAILED reason that
+* indicate the backing Lambda's freshly-attached execution-role policy has not
+* yet taken effect for its assumed-role session (so a recycle + retry will
+* succeed once IAM settles). Lowercase substrings. Intentionally narrow — these
+* are the IAM-permission-not-yet-effective phrases only, NOT generic transient
+* errors (throttling / timeouts), which must not trigger a CR re-invoke.
+*/
+const CR_TRANSIENT_AUTHZ_SIGNALS = [
+	"not authorized to perform",
+	"no identity-based policy allows",
+	"is not in the state functionactive",
+	"not in the state functionactive",
+	"cannot be assumed",
+	"is unable to assume"
+];
+/**
 * Custom Resource Provider
 *
 * Implements Lambda-backed custom resources by invoking the Lambda function
@@ -8517,6 +8533,28 @@ var CustomResourceProvider = class CustomResourceProvider {
 	INITIAL_POLL_INTERVAL_MS = 2e3;
 	/** Max poll interval for async polling with exponential backoff (30 seconds) */
 	MAX_POLL_INTERVAL_MS = 3e4;
+	/**
+	* How many extra times to re-invoke a custom resource whose handler returned
+	* FAILED with a *transient IAM-authorization* reason (e.g. the CDK Provider
+	* framework's `lambda:GetFunction` / "not in the state functionActive" 403
+	* when the framework role's freshly-attached inline policy has not yet
+	* propagated to the assumed-role session). cdkd's fast SDK path invokes the
+	* backing Lambda ~1s after `PutRolePolicy`, so the first cold-start can cache
+	* stale credentials; CloudFormation never hits this because its deployment
+	* latency gives IAM time to settle. This is the CR-path analogue of the
+	* IAM-propagation retry cdkd's `withRetry` already applies to every other
+	* resource (the CR provider opts out of that outer retry via
+	* `disableOuterRetry` to avoid stranding a pre-signed response URL — so we
+	* retry HERE instead, deriving a fresh response URL + RequestId per attempt
+	* and recycling the backing function's execution environment between tries).
+	* Override via `CDKD_CR_AUTHZ_MAX_RETRIES` (0 disables).
+	*/
+	transientAuthzMaxRetries = (() => {
+		const raw = process.env["CDKD_CR_AUTHZ_MAX_RETRIES"];
+		if (raw === void 0 || raw === "") return 2;
+		const n = Number(raw);
+		return Number.isFinite(n) && n >= 0 ? n : 2;
+	})();
 	constructor(config) {
 		const awsClients = getAwsClients();
 		this.lambdaClient = awsClients.lambda;
@@ -8559,8 +8597,7 @@ var CustomResourceProvider = class CustomResourceProvider {
 		if (!serviceToken) throw new ProvisioningError(`ServiceToken is required for custom resource ${logicalId}`, resourceType, logicalId);
 		if (typeof serviceToken !== "string") throw new ProvisioningError(`Custom Resource ${logicalId}: ServiceToken is not a resolved string ARN (got ${typeof serviceToken}). This usually indicates state was written by a pre-fix cdkd import; re-run \`cdkd import\` or \`cdkd state orphan <stack>\` to recover.`, resourceType, logicalId);
 		try {
-			const invocation = await this.prepareInvocation();
-			const request = {
+			const cfnResponse = await this.invokeCustomResourceWithRetry(serviceToken, logicalId, "Create", (invocation) => ({
 				RequestType: "Create",
 				RequestId: invocation.requestId,
 				ResponseURL: invocation.responseURL,
@@ -8568,9 +8605,7 @@ var CustomResourceProvider = class CustomResourceProvider {
 				LogicalResourceId: logicalId,
 				StackId: `arn:aws:cloudformation:us-east-1:000000000000:stack/cdkd-${logicalId}/cdkd`,
 				ResourceProperties: this.stringifyProperties(properties)
-			};
-			this.logger.debug(`Sending custom resource create request: ${serviceToken}`);
-			const cfnResponse = await this.sendRequest(serviceToken, request, invocation.responseKey, logicalId, "Create");
+			}));
 			if (cfnResponse.Status === "FAILED") throw new Error(`Custom resource handler returned FAILED: ${cfnResponse.Reason || "Unknown reason"}`);
 			const physicalId = cfnResponse.PhysicalResourceId || logicalId;
 			const attributes = cfnResponse.Data || {};
@@ -8593,8 +8628,7 @@ var CustomResourceProvider = class CustomResourceProvider {
 		if (!serviceToken) throw new ProvisioningError(`ServiceToken is required for custom resource ${logicalId}`, resourceType, logicalId, physicalId);
 		if (typeof serviceToken !== "string") throw new ProvisioningError(`Custom Resource ${logicalId}: ServiceToken is not a resolved string ARN (got ${typeof serviceToken}). This usually indicates state was written by a pre-fix cdkd import; re-run \`cdkd import\` or \`cdkd state orphan <stack>\` to recover.`, resourceType, logicalId, physicalId);
 		try {
-			const invocation = await this.prepareInvocation();
-			const request = {
+			const cfnResponse = await this.invokeCustomResourceWithRetry(serviceToken, logicalId, "Update", (invocation) => ({
 				RequestType: "Update",
 				RequestId: invocation.requestId,
 				ResponseURL: invocation.responseURL,
@@ -8604,9 +8638,7 @@ var CustomResourceProvider = class CustomResourceProvider {
 				StackId: `arn:aws:cloudformation:us-east-1:000000000000:stack/cdkd-${logicalId}/cdkd`,
 				ResourceProperties: this.stringifyProperties(properties),
 				OldResourceProperties: this.stringifyProperties(previousProperties)
-			};
-			this.logger.debug(`Sending custom resource update request: ${serviceToken}`);
-			const cfnResponse = await this.sendRequest(serviceToken, request, invocation.responseKey, logicalId, "Update");
+			}));
 			if (cfnResponse.Status === "FAILED") throw new Error(`Custom resource handler returned FAILED: ${cfnResponse.Reason || "Unknown reason"}`);
 			const newPhysicalId = cfnResponse.PhysicalResourceId || physicalId;
 			const wasReplaced = newPhysicalId !== physicalId;
@@ -8638,8 +8670,7 @@ var CustomResourceProvider = class CustomResourceProvider {
 		}
 		if (typeof serviceToken !== "string") throw new ProvisioningError(`Custom Resource ${logicalId}: ServiceToken is not a resolved string ARN (got ${typeof serviceToken}). This usually indicates state was written by a pre-fix cdkd import; re-run \`cdkd import\` or \`cdkd state orphan <stack>\` to recover.`, resourceType, logicalId, physicalId);
 		try {
-			const invocation = await this.prepareInvocation();
-			const request = {
+			const cfnResponse = await this.invokeCustomResourceWithRetry(serviceToken, logicalId, "Delete", (invocation) => ({
 				RequestType: "Delete",
 				RequestId: invocation.requestId,
 				ResponseURL: invocation.responseURL,
@@ -8648,9 +8679,7 @@ var CustomResourceProvider = class CustomResourceProvider {
 				PhysicalResourceId: physicalId,
 				StackId: `arn:aws:cloudformation:us-east-1:000000000000:stack/cdkd-${logicalId}/cdkd`,
 				ResourceProperties: this.stringifyProperties(properties)
-			};
-			this.logger.debug(`Sending custom resource delete request: ${serviceToken}`);
-			const cfnResponse = await this.sendRequest(serviceToken, request, invocation.responseKey, logicalId, "Delete");
+			}));
 			if (cfnResponse.Status === "FAILED") this.logger.warn(`Custom resource delete handler returned FAILED for ${logicalId}: ${cfnResponse.Reason || "Unknown reason"}`);
 			else this.logger.debug(`Successfully deleted custom resource ${logicalId}`);
 		} catch (error) {
@@ -8664,6 +8693,98 @@ var CustomResourceProvider = class CustomResourceProvider {
 		return serviceToken.startsWith("arn:aws:sns:");
 	}
 	/**
+	* Invoke a custom resource, retrying on a *transient IAM-authorization*
+	* FAILED response.
+	*
+	* Why this exists: cdkd's fast SDK path attaches a backing Lambda's
+	* execution-role inline policy and invokes the function ~1s later. If IAM has
+	* not propagated the policy to the assumed-role session by the function's
+	* first cold start, the session caches stale (policy-less) credentials for
+	* the warm container's whole life — so the CDK Provider framework's
+	* `lambda:GetFunction` / initial invoke 403s ("not authorized to perform" /
+	* "not in the state functionActive") and the custom resource FAILS.
+	* CloudFormation never hits this because its deployment latency lets IAM
+	* settle first. This is the CR-path analogue of the IAM-propagation retry
+	* cdkd's `withRetry` already applies to every other resource type — the CR
+	* provider opts out of that outer retry (`disableOuterRetry`) to avoid
+	* stranding a pre-signed response URL at an S3 key nobody polls, so we retry
+	* HERE, deriving a FRESH response URL + RequestId per attempt (via
+	* `prepareInvocation()`) and recycling the backing function's execution
+	* environment between tries so its next cold start re-assumes the role.
+	*
+	* `buildRequest` is called once per attempt with the fresh invocation so the
+	* CFn request body always carries the matching ResponseURL / RequestId.
+	* Returns the final response; the caller decides what a terminal FAILED means
+	* (create/update throw, delete warns-and-continues).
+	*/
+	async invokeCustomResourceWithRetry(serviceToken, logicalId, operation, buildRequest) {
+		for (let attempt = 0;; attempt++) {
+			const invocation = await this.prepareInvocation();
+			const request = buildRequest(invocation);
+			this.logger.debug(`Sending custom resource ${operation.toLowerCase()} request: ${serviceToken}`);
+			const cfnResponse = await this.sendRequest(serviceToken, request, invocation.responseKey, logicalId, operation);
+			if (cfnResponse.Status === "FAILED" && attempt < this.transientAuthzMaxRetries && this.isTransientAuthzFailure(cfnResponse.Reason)) {
+				this.logger.warn(`Custom resource ${operation} for ${logicalId} returned a transient IAM-authorization FAILED (attempt ${attempt + 1}/${this.transientAuthzMaxRetries + 1}): ${this.truncateReason(cfnResponse.Reason)}. Recycling the backing function's execution environment and retrying so its next cold start picks up the propagated policy.`);
+				await this.recycleBackingFunctionExecEnv(serviceToken, logicalId);
+				continue;
+			}
+			return cfnResponse;
+		}
+	}
+	/**
+	* Classify a custom resource FAILED reason as a transient IAM-authorization
+	* race (worth retrying).
+	*
+	* Deliberately NARROW — only the IAM-permission-not-yet-effective signals,
+	* NOT cdkd's broad transient classifier (`isRetryableTransientError`, which
+	* also matches throttling / generic timeouts). A custom resource that FAILED
+	* for an unrelated reason (user handler bug, a real timeout, a downstream API
+	* error) must NOT be re-invoked — that would mask genuine failures and waste
+	* the framework's ~minutes-long waiter per attempt. These phrases are the
+	* IAM-authz subset of cdkd's `RETRYABLE_ERROR_MESSAGE_PATTERNS`, plus the CDK
+	* Provider framework's `waitUntilFunctionActive` state phrasing.
+	*/
+	isTransientAuthzFailure(reason) {
+		if (!reason) return false;
+		const lower = reason.toLowerCase();
+		return CR_TRANSIENT_AUTHZ_SIGNALS.some((p) => lower.includes(p));
+	}
+	/** Truncate a CR FAILED reason for log readability. */
+	truncateReason(reason, max = 200) {
+		const r = reason ?? "Unknown reason";
+		return r.length > max ? `${r.slice(0, max)}...` : r;
+	}
+	/**
+	* Force the backing Lambda to drop its warm execution environment(s) so the
+	* next invoke cold-starts and re-assumes the execution role, picking up the
+	* now-propagated inline policy. A plain re-invoke would otherwise reuse the
+	* same warm container that cached the stale credentials. Best-effort: any
+	* failure (e.g. cdkd's own creds lack `lambda:UpdateFunctionConfiguration`)
+	* degrades to a debug log and we still retry the invoke.
+	*
+	* The no-op `Description` write is the least-intrusive way to invalidate warm
+	* containers. It persists on the backing function, but cdkd never reconciles
+	* the CDK Provider framework's backing Lambda against a template `Description`
+	* (the synthesized template leaves it empty / CDK-default and cdkd's diff only
+	* compares state-recorded properties), so it does not surface as drift on a
+	* later deploy. Only the IAM-propagation retry path (rare) ever sets it.
+	*/
+	async recycleBackingFunctionExecEnv(serviceToken, logicalId) {
+		if (this.isSnsServiceToken(serviceToken)) return;
+		try {
+			await this.lambdaClient.send(new UpdateFunctionConfigurationCommand({
+				FunctionName: serviceToken,
+				Description: `cdkd: recycled for IAM-propagation retry (${logicalId})`
+			}));
+			await waitUntilFunctionUpdatedV2({
+				client: this.lambdaClient,
+				maxWaitTime: 120
+			}, { FunctionName: serviceToken });
+		} catch (error) {
+			this.logger.debug(`Could not recycle backing function for ${logicalId} (${error instanceof Error ? error.message : String(error)}); retrying invoke without a forced cold start`);
+		}
+	}
+	/**
 	* Send custom resource request via the appropriate service (Lambda or SNS)
 	* For Lambda: invokes synchronously and returns the response
 	* For SNS: publishes to topic and polls S3 for response
@@ -12205,7 +12326,8 @@ const RETRYABLE_ERROR_MESSAGE_PATTERNS = [
 	"KMS key is invalid for CreateGrant",
 	"Could not deliver test message",
 	"wait 60 seconds",
-	"concurrent update operation"
+	"concurrent update operation",
+	"because it is in use"
 ];
 /**
 * HTTP status codes that always indicate a transient failure worth retrying.
@@ -13584,5 +13706,5 @@ var DeployEngine = class {
 };
 //#endregion
-export { uploadCfnTemplate as $, S3StateBackend as A, PATTERN_B_NAME_PROPERTIES as At, Synthesizer as B, assertRegionMatch as C, normalizeAwsError as Ct, DagBuilder as D, setLogger as Dt, DiffCalculator as E, getLogger as Et, buildDockerImage as F, withStackName as Ft, resolveSkipPrefix as G, getLegacyStateBucketName as H, formatDockerLoginError as I, warnDeprecatedNoPrefixCliFlag as J, resolveStateBucketWithDefault as K, getDockerCmd as L, AssetPublisher as M, generateResourceName as Mt, stringifyValue as N, generateResourceNameWithFallback as Nt, TemplateParser as O, runStackBuffered as Ot, WorkGraph as P, withSkipPrefix as Pt, findLargeInlineResources as Q, runDockerForeground as R, CloudControlProvider as S, isCdkdError as St, applyRoleArnIfSet as T, ConsoleLogger as Tt, resolveApp as U, getDefaultStateBucketName as V, resolveCaptureObservedState as W, CFN_TEMPLATE_URL_LIMIT as X, CFN_TEMPLATE_BODY_LIMIT as Y, MIGRATE_TMP_PREFIX as Z, matchesCdkPath as _, StackHasActiveImportsError as _t, withRetry as a, ConfigError as at, ProviderRegistry as b, SynthesisError as bt, bold as c, LocalMigrateError as ct, green as d, MissingCdkCliError as dt, AssemblyReader as et, red as f, NestedStackChildDirectDestroyError as ft, CDK_PATH_TAG as g, ResourceUpdateNotSupportedError as gt, collectInlinePolicyNamesManagedBySiblings as h, ResourceTimeoutError as ht, withResourceDeadline as i, CdkdError as it, shouldRetainResource as j, PATTERN_B_RESOURCE_TYPES as jt, LockManager as k, getLiveRenderer as kt, cyan as l, LocalStartServiceError as lt, IAMRoleProvider as m, ProvisioningError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, resolveBucketRegion as nt, IMPLICIT_DELETE_DEPENDENCIES as o, DependencyError as ot, yellow as p, PartialFailureError as pt, resolveStateBucketWithDefaultAndSource as q, DeployEngine as r, AssetError as rt, formatResourceLine as s, LocalInvokeBuildError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, clearBucketRegionCache as tt, gray as u, LockError as ut, normalizeAwsTagsToCfn as v, StackTerminationProtectionError as vt, IntrinsicFunctionResolver as w, withErrorHandling as wt, findActionableSilentDrops as x, formatError as xt, resolveExplicitPhysicalId as y, StateError as yt, runDockerStreaming as z };
-//# sourceMappingURL=deploy-engine-CuJDHhTs.js.map
+export { findLargeInlineResources as $, LockManager as A, getLiveRenderer as At, runDockerStreaming as B, CloudControlProvider as C, isCdkdError as Ct, DiffCalculator as D, getLogger as Dt, applyRoleArnIfSet as E, ConsoleLogger as Et, WorkGraph as F, withSkipPrefix as Ft, resolveCaptureObservedState as G, getDefaultStateBucketName as H, buildDockerImage as I, withStackName as It, resolveStateBucketWithDefaultAndSource as J, resolveSkipPrefix as K, formatDockerLoginError as L, shouldRetainResource as M, PATTERN_B_RESOURCE_TYPES as Mt, AssetPublisher as N, generateResourceName as Nt, DagBuilder as O, setLogger as Ot, stringifyValue as P, generateResourceNameWithFallback as Pt, MIGRATE_TMP_PREFIX as Q, getDockerCmd as R, findActionableSilentDrops as S, formatError as St, IntrinsicFunctionResolver as T, withErrorHandling as Tt, getLegacyStateBucketName as U, Synthesizer as V, resolveApp as W, CFN_TEMPLATE_BODY_LIMIT as X, warnDeprecatedNoPrefixCliFlag as Y, CFN_TEMPLATE_URL_LIMIT as Z, CDK_PATH_TAG as _, ResourceUpdateNotSupportedError as _t, withRetry as a, CdkdError as at, resolveExplicitPhysicalId as b, StateError as bt, formatResourceLine as c, LocalInvokeBuildError as ct, gray as d, LockError as dt, uploadCfnTemplate as et, green as f, MissingCdkCliError as ft, collectInlinePolicyNamesManagedBySiblings as g, ResourceTimeoutError as gt, IAMRoleProvider as h, ProvisioningError as ht, withResourceDeadline as i, AssetError as it, S3StateBackend as j, PATTERN_B_NAME_PROPERTIES as jt, TemplateParser as k, runStackBuffered as kt, bold as l, LocalMigrateError as lt, yellow as m, PartialFailureError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, clearBucketRegionCache as nt, isRetryableTransientError as o, ConfigError as ot, red as p, NestedStackChildDirectDestroyError as pt, resolveStateBucketWithDefault as q, DeployEngine as r, resolveBucketRegion as rt, IMPLICIT_DELETE_DEPENDENCIES as s, DependencyError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, AssemblyReader as tt, cyan as u, LocalStartServiceError as ut, matchesCdkPath as v, StackHasActiveImportsError as vt, assertRegionMatch as w, normalizeAwsError as wt, ProviderRegistry as x, SynthesisError as xt, normalizeAwsTagsToCfn as y, StackTerminationProtectionError as yt, runDockerForeground as z };
+//# sourceMappingURL=deploy-engine-ai3rix-L.js.map