@go-to-k/cdkd 0.207.4 → 0.207.6

package/dist/{deploy-engine-ai3rix-L.js → deploy-engine-DMggQBl4.js}

@@ -7,7 +7,7 @@ import { AttachRolePolicyCommand, CreateRoleCommand, DeleteRoleCommand, DeleteRo
 import { PublishCommand, SNSClient } from "@aws-sdk/client-sns";
 import { GetFunctionUrlConfigCommand, InvokeCommand, LambdaClient, UpdateFunctionConfigurationCommand, waitUntilFunctionActiveV2, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
-import { DescribeAvailabilityZonesCommand, DescribeImagesCommand, DescribeLaunchTemplatesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVpcsCommand, DescribeVpnGatewaysCommand, EC2Client } from "@aws-sdk/client-ec2";
+import { DescribeAvailabilityZonesCommand, DescribeImagesCommand, DescribeLaunchTemplatesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVpcsCommand, DescribeVpnGatewaysCommand, EC2Client, ModifyInstanceAttributeCommand } from "@aws-sdk/client-ec2";
 import { DescribeTableCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, GetTemplateCommand, waitUntilChangeSetCreateComplete } from "@aws-sdk/client-cloudformation";
 import { GetRestApiCommand } from "@aws-sdk/client-api-gateway";
@@ -7615,6 +7615,36 @@ var IntrinsicFunctionResolver = class {
 	}
 };
 
+//#endregion
+//#region src/provisioning/ec2-termination-protection.ts
+/**
+* Flip `DisableApiTermination` off on an instance. Idempotent — EC2 accepts the
+* call when the attribute is already false. Non-fatal: a NotFound (already
+* gone) or any other error is swallowed at debug so the actual delete still
+* proceeds (it will surface the real failure if the instance truly cannot be
+* deleted).
+*/
+async function disableInstanceApiTermination(client, instanceId, logger) {
+	try {
+		await client.send(new ModifyInstanceAttributeCommand({
+			InstanceId: instanceId,
+			DisableApiTermination: { Value: false }
+		}));
+		logger.debug(`Disabled DisableApiTermination on EC2 Instance ${instanceId} before deletion`);
+	} catch (flipError) {
+		logger.debug(`Could not disable DisableApiTermination on ${instanceId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`);
+	}
+}
+/**
+* Does this error message indicate the terminate / delete raced the
+* `DisableApiTermination` flip-off propagation (so re-flipping + retrying is
+* the right move)? Matches both the SDK `TerminateInstances` 400 and the Cloud
+* Control `DeleteResource` wrapper of the same underlying EC2 error.
+*/
+function isTerminationProtectionPropagationError(message) {
+	return /may not be terminated|disableApiTermination/i.test(message);
+}
+
 //#endregion
 //#region src/provisioning/json-patch-generator.ts
 /**
@@ -8096,7 +8126,10 @@ var CloudControlProvider = class {
 	*/
 	async delete(logicalId, physicalId, resourceType, _properties, context) {
 		this.logger.debug(`Deleting resource ${logicalId} (${resourceType}), physical ID: ${physicalId}`);
-		try {
+		const isProtectedEc2Instance = context?.removeProtection === true && resourceType === "AWS::EC2::Instance";
+		if (isProtectedEc2Instance) await disableInstanceApiTermination(getAwsClients().ec2, physicalId, this.logger);
+		const maxAttempts = isProtectedEc2Instance ? 5 : 1;
+		for (let attempt = 1;; attempt++) try {
 			const deleteResponse = await this.cloudControlClient.send(new DeleteResourceCommand({
 				TypeName: resourceType,
 				Identifier: physicalId
@@ -8105,6 +8138,7 @@ var CloudControlProvider = class {
 			this.logger.debug(`Delete request submitted for ${logicalId}, token: ${deleteResponse.ProgressEvent.RequestToken}`);
 			await this.waitForOperation(deleteResponse.ProgressEvent.RequestToken, logicalId, "DELETE");
 			this.logger.debug(`Deleted resource ${logicalId}`);
+			return;
 		} catch (error) {
 			const err = error;
 			if (err.name === "ResourceNotFoundException" || err.message?.includes("does not exist") || err.message?.includes("not found") || err.message?.includes("NotFound")) {
@@ -8112,6 +8146,12 @@ var CloudControlProvider = class {
 				this.logger.debug(`Resource ${logicalId} already deleted (not found), treating as success`);
 				return;
 			}
+			if (isProtectedEc2Instance && isTerminationProtectionPropagationError(err.message ?? "") && attempt < maxAttempts) {
+				this.logger.debug(`Cloud Control delete of ${logicalId} raced the DisableApiTermination flip-off (attempt ${attempt}/${maxAttempts}); re-flipping and retrying`);
+				await disableInstanceApiTermination(getAwsClients().ec2, physicalId, this.logger);
+				await this.sleep(3e3 * attempt);
+				continue;
+			}
 			this.handleError(error, "DELETE", resourceType, logicalId, physicalId);
 		}
 	}
@@ -13706,5 +13746,5 @@ var DeployEngine = class {
 };
 
 //#endregion
-export { findLargeInlineResources as $, LockManager as A, getLiveRenderer as At, runDockerStreaming as B, CloudControlProvider as C, isCdkdError as Ct, DiffCalculator as D, getLogger as Dt, applyRoleArnIfSet as E, ConsoleLogger as Et, WorkGraph as F, withSkipPrefix as Ft, resolveCaptureObservedState as G, getDefaultStateBucketName as H, buildDockerImage as I, withStackName as It, resolveStateBucketWithDefaultAndSource as J, resolveSkipPrefix as K, formatDockerLoginError as L, shouldRetainResource as M, PATTERN_B_RESOURCE_TYPES as Mt, AssetPublisher as N, generateResourceName as Nt, DagBuilder as O, setLogger as Ot, stringifyValue as P, generateResourceNameWithFallback as Pt, MIGRATE_TMP_PREFIX as Q, getDockerCmd as R, findActionableSilentDrops as S, formatError as St, IntrinsicFunctionResolver as T, withErrorHandling as Tt, getLegacyStateBucketName as U, Synthesizer as V, resolveApp as W, CFN_TEMPLATE_BODY_LIMIT as X, warnDeprecatedNoPrefixCliFlag as Y, CFN_TEMPLATE_URL_LIMIT as Z, CDK_PATH_TAG as _, ResourceUpdateNotSupportedError as _t, withRetry as a, CdkdError as at, resolveExplicitPhysicalId as b, StateError as bt, formatResourceLine as c, LocalInvokeBuildError as ct, gray as d, LockError as dt, uploadCfnTemplate as et, green as f, MissingCdkCliError as ft, collectInlinePolicyNamesManagedBySiblings as g, ResourceTimeoutError as gt, IAMRoleProvider as h, ProvisioningError as ht, withResourceDeadline as i, AssetError as it, S3StateBackend as j, PATTERN_B_NAME_PROPERTIES as jt, TemplateParser as k, runStackBuffered as kt, bold as l, LocalMigrateError as lt, yellow as m, PartialFailureError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, clearBucketRegionCache as nt, isRetryableTransientError as o, ConfigError as ot, red as p, NestedStackChildDirectDestroyError as pt, resolveStateBucketWithDefault as q, DeployEngine as r, resolveBucketRegion as rt, IMPLICIT_DELETE_DEPENDENCIES as s, DependencyError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, AssemblyReader as tt, cyan as u, LocalStartServiceError as ut, matchesCdkPath as v, StackHasActiveImportsError as vt, assertRegionMatch as w, normalizeAwsError as wt, ProviderRegistry as x, SynthesisError as xt, normalizeAwsTagsToCfn as y, StackTerminationProtectionError as yt, runDockerForeground as z };
-//# sourceMappingURL=deploy-engine-ai3rix-L.js.map
+export { CFN_TEMPLATE_URL_LIMIT as $, DagBuilder as A, setLogger as At, getDockerCmd as B, CloudControlProvider as C, SynthesisError as Ct, IntrinsicFunctionResolver as D, withErrorHandling as Dt, isTerminationProtectionPropagationError as E, normalizeAwsError as Et, AssetPublisher as F, generateResourceName as Ft, getLegacyStateBucketName as G, runDockerStreaming as H, stringifyValue as I, generateResourceNameWithFallback as It, resolveSkipPrefix as J, resolveApp as K, WorkGraph as L, withSkipPrefix as Lt, LockManager as M, getLiveRenderer as Mt, S3StateBackend as N, PATTERN_B_NAME_PROPERTIES as Nt, applyRoleArnIfSet as O, ConsoleLogger as Ot, shouldRetainResource as P, PATTERN_B_RESOURCE_TYPES as Pt, CFN_TEMPLATE_BODY_LIMIT as Q, buildDockerImage as R, withStackName as Rt, findActionableSilentDrops as S, StateError as St, disableInstanceApiTermination as T, isCdkdError as Tt, Synthesizer as U, runDockerForeground as V, getDefaultStateBucketName as W, resolveStateBucketWithDefaultAndSource as X, resolveStateBucketWithDefault as Y, warnDeprecatedNoPrefixCliFlag as Z, CDK_PATH_TAG as _, ProvisioningError as _t, withRetry as a, resolveBucketRegion as at, resolveExplicitPhysicalId as b, StackHasActiveImportsError as bt, formatResourceLine as c, ConfigError as ct, gray as d, LocalMigrateError as dt, MIGRATE_TMP_PREFIX as et, green as f, LocalStartServiceError as ft, collectInlinePolicyNamesManagedBySiblings as g, PartialFailureError as gt, IAMRoleProvider as h, NestedStackChildDirectDestroyError as ht, withResourceDeadline as i, clearBucketRegionCache as it, TemplateParser as j, runStackBuffered as jt, DiffCalculator as k, getLogger as kt, bold as l, DependencyError as lt, yellow as m, MissingCdkCliError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, uploadCfnTemplate as nt, isRetryableTransientError as o, AssetError as ot, red as p, LockError as pt, resolveCaptureObservedState as q, DeployEngine as r, AssemblyReader as rt, IMPLICIT_DELETE_DEPENDENCIES as s, CdkdError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, findLargeInlineResources as tt, cyan as u, LocalInvokeBuildError as ut, matchesCdkPath as v, ResourceTimeoutError as vt, assertRegionMatch as w, formatError as wt, ProviderRegistry as x, StackTerminationProtectionError as xt, normalizeAwsTagsToCfn as y, ResourceUpdateNotSupportedError as yt, formatDockerLoginError as z };
+//# sourceMappingURL=deploy-engine-DMggQBl4.js.map