@go-to-k/cdkd 0.26.0 → 0.28.0

package/README.md

@@ -539,9 +539,6 @@ Both flags accept either form on each invocation:
 `TYPE` must look like `AWS::Service::Resource`; malformed types are rejected at parse time. `warn < timeout` is enforced both globally and per-type — so `--resource-warn-after AWS::X=10m --resource-timeout AWS::X=5m` is a parse-time error.
 
 ```bash
-# Bump the per-resource budget to one hour (matches the Custom Resource provider's polling cap)
-cdkd deploy --resource-timeout 1h
-
 # Surface "still running" warnings sooner on a fast-feedback dev loop
 cdkd deploy --resource-warn-after 90s --resource-timeout 10m
 
@@ -550,19 +547,25 @@ cdkd deploy \
   --resource-timeout 30m \
   --resource-timeout AWS::CloudFront::Distribution=1h \
   --resource-timeout AWS::RDS::DBCluster=1h30m
+
+# Force Custom Resources to abort earlier than their 1h self-reported polling cap
+cdkd deploy --resource-timeout AWS::CloudFormation::CustomResource=5m
 ```
 
 ### Why the default is 30m, not 1h
 
-cdkd's Custom Resource provider polls async handlers (`isCompleteHandler` pattern) for up to one hour before giving up. Setting the per-resource timeout to 1h by default would make a single hung Custom Resource hold the whole stack for an hour even though no other resource type ever needs more than a few minutes. A shorter default (`30m`) catches stuck operations faster, and stacks that legitimately rely on long-running Custom Resources opt into the higher budget explicitly with `--resource-timeout 1h`.
+cdkd's Custom Resource provider polls async handlers (`isCompleteHandler` pattern) for up to one hour before giving up. Setting the per-resource timeout to 1h by default would make a single hung non-CR resource hold the whole stack for an hour even though no other resource type ever needs more than a few minutes. The 30m global default catches stuck operations faster.
+
+For Custom Resources specifically, the provider self-reports its 1h polling cap to the engine via the `getMinResourceTimeoutMs()` interface — the deploy engine resolves the per-resource budget as `max(provider self-report, --resource-timeout global)`, so CR resources get their full hour automatically without the user having to remember `--resource-timeout 1h`. To force CR to abort earlier than its self-reported cap, pass an explicit per-type override (`--resource-timeout AWS::CloudFormation::CustomResource=5m`). Per-type overrides always win over the provider's self-report — they're the documented escape hatch.
 
-The error message on timeout names the resource, type, region, elapsed time, and operation, and reminds you to re-run with `--resource-timeout 1h` (or higher) for genuinely-long resources:
+The error message on timeout names the resource, type, region, elapsed time, and operation, and reminds you that long-running resources self-report their needed budget — when you see CR time out, the cause is genuinely the handler, not too-tight a default:
 
 ```text
 Resource MyBucket (AWS::S3::Bucket) in us-east-1 timed out after 30m during CREATE (elapsed 30m).
 This may indicate a stuck Cloud Control polling loop, hung Custom Resource, or
-slow ENI provisioning. Re-run with --resource-timeout 1h if the resource genuinely
-needs more time, or --verbose to see the underlying provider activity.
+slow ENI provisioning. Re-run with --resource-timeout AWS::S3::Bucket=<DURATION>
+to bump the budget for this resource type only, or --verbose to see the
+underlying provider activity.
 ```
 
 Note: `--resource-warn-after` must be less than `--resource-timeout`. Reversed values are rejected at parse time.

package/dist/cli.js

@@ -1133,8 +1133,9 @@ var ResourceTimeoutError = class _ResourceTimeoutError extends CdkdError {
     super(
       `Resource ${logicalId} (${resourceType}) in ${region} timed out after ${timeoutLabel} during ${operation} (elapsed ${elapsedLabel}).
 This may indicate a stuck Cloud Control polling loop, hung Custom Resource, or
-slow ENI provisioning. Re-run with --resource-timeout 1h if the resource genuinely
-needs more time, or --verbose to see the underlying provider activity.`,
+slow ENI provisioning. Re-run with --resource-timeout ${resourceType}=<DURATION>
+to bump the budget for this resource type only, or --verbose to see the
+underlying provider activity.`,
       "RESOURCE_TIMEOUT"
     );
     this.logicalId = logicalId;
@@ -7448,6 +7449,23 @@ var CustomResourceProvider = class _CustomResourceProvider {
   logger = getLogger().child("CustomResourceProvider");
   responseBucket;
   responsePrefix;
+  /**
+   * Opt out of the deploy engine's outer transient-error retry loop.
+   *
+   * The loop re-invokes `provider.create()` from the top on a transient
+   * SDK error (IAM propagation, HTTP 429/503, etc.). Each invocation
+   * generates a brand-new RequestId and a brand-new pre-signed S3
+   * response URL via `prepareInvocation()`. If the underlying Lambda has
+   * already started — e.g. an outer retry fired between the placeholder
+   * `PutObject` and the `Invoke`, or after the `Invoke` returned but a
+   * spurious downstream error fired — the first attempt's Lambda
+   * response lands at an S3 key that nobody polls, hanging the deploy
+   * until the polling timeout. The provider already polls with its own
+   * exponential backoff for async patterns (CDK Provider framework with
+   * isCompleteHandler), so an outer retry adds nothing but the multi-
+   * key bug.
+   */
+  disableOuterRetry = true;
   /** Max time to wait for synchronous S3 response after Lambda invocation (30 seconds) */
   SYNC_RESPONSE_TIMEOUT_MS = 3e4;
   /** Max time to wait for async S3 response (CDK Provider framework with isCompleteHandler) */
@@ -7467,6 +7485,22 @@ var CustomResourceProvider = class _CustomResourceProvider {
     this.responsePrefix = config?.responsePrefix ?? "custom-resource-responses";
     this.asyncResponseTimeoutMs = config?.asyncResponseTimeoutMs ?? _CustomResourceProvider.DEFAULT_ASYNC_RESPONSE_TIMEOUT_MS;
   }
+  /**
+   * Self-reported minimum per-resource timeout.
+   *
+   * Custom Resource async invocations (CDK Provider framework with
+   * `isCompleteHandler`) poll for up to `asyncResponseTimeoutMs`
+   * (default 1 hour, matching CDK's `totalTimeout` default). The deploy
+   * engine's global `--resource-timeout` default is 30 minutes, which
+   * would abort a perfectly healthy CR mid-poll. By self-reporting the
+   * polling cap, the engine lifts the deadline to `max(self-report,
+   * global)` for CR resources only; a user-supplied per-type override
+   * (`--resource-timeout AWS::CloudFormation::CustomResource=5m`) still
+   * wins for explicit escape-hatching.
+   */
+  getMinResourceTimeoutMs() {
+    return this.asyncResponseTimeoutMs;
+  }
   /**
    * Set the S3 bucket for custom resource responses
    * Called by ProviderRegistry when state bucket is configured
@@ -8638,6 +8672,33 @@ var IAMRoleProvider = class {
       this.logger.debug(`Added/updated ${tagsToAdd.length} tags on role ${roleName}`);
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing IAM role.
+   *
+   * CloudFormation's `AWS::IAM::Role` exposes `Arn` and `RoleId`; both are
+   * available from the `GetRole` response. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    try {
+      const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
+      switch (attributeName) {
+        case "Arn":
+          return resp.Role?.Arn;
+        case "RoleId":
+          return resp.Role?.RoleId;
+        default:
+          return void 0;
+      }
+    } catch (err) {
+      if (err instanceof NoSuchEntityException)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -10488,17 +10549,35 @@ var S3BucketProvider = class {
     return region || "us-east-1";
   }
   /**
-   * Build attributes for an S3 bucket
+   * Build attributes for an S3 bucket.
+   *
+   * Covers every CloudFormation `Fn::GetAtt` return value for
+   * `AWS::S3::Bucket`. All fields are derivable from `bucketName` + region —
+   * no extra AWS API call is needed. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket-return-values
    */
   async buildAttributes(bucketName) {
     const region = await this.getRegion();
     return {
       Arn: `arn:aws:s3:::${bucketName}`,
       DomainName: `${bucketName}.s3.amazonaws.com`,
+      DualStackDomainName: `${bucketName}.s3.dualstack.${region}.amazonaws.com`,
       RegionalDomainName: `${bucketName}.s3.${region}.amazonaws.com`,
       WebsiteURL: `http://${bucketName}.s3-website-${region}.amazonaws.com`
     };
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing bucket.
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references. All S3 Bucket attributes are
+   * derivable from bucket name + region, so this avoids the round trip and
+   * reuses the same templating as `buildAttributes`.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    const attrs = await this.buildAttributes(physicalId);
+    return attrs[attributeName];
+  }
   /**
    * Apply versioning configuration if specified
    */
@@ -11793,6 +11872,43 @@ var SQSQueueProvider = class {
       return `arn:aws:sqs:unknown:unknown:${queueName}`;
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing SQS queue.
+   *
+   * CloudFormation's `AWS::SQS::Queue` exposes `Arn`, `QueueName` and
+   * `QueueUrl`. The cdkd physicalId is the queue URL; `QueueUrl` and
+   * `QueueName` are derivable from it without an AWS call, while `Arn`
+   * requires `GetQueueAttributes`. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-properties-sqs-queues-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    switch (attributeName) {
+      case "QueueUrl":
+        return physicalId;
+      case "QueueName":
+        return physicalId.substring(physicalId.lastIndexOf("/") + 1);
+      case "Arn": {
+        try {
+          const resp = await this.sqsClient.send(
+            new GetQueueAttributesCommand({
+              QueueUrl: physicalId,
+              AttributeNames: ["QueueArn"]
+            })
+          );
+          return resp.Attributes?.["QueueArn"];
+        } catch (err) {
+          if (err instanceof QueueDoesNotExist)
+            return void 0;
+          throw err;
+        }
+      }
+      default:
+        return void 0;
+    }
+  }
   /**
    * Adopt an existing SQS queue into cdkd state.
    *
@@ -12328,6 +12444,28 @@ var SNSTopicProvider = class {
       );
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing SNS topic.
+   *
+   * CloudFormation's `AWS::SNS::Topic` exposes `TopicName` and `TopicArn`.
+   * The cdkd physicalId is the topic ARN, so both are derivable without
+   * an AWS call. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html#aws-properties-sns-topic-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- consistent async signature with other providers
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    switch (attributeName) {
+      case "TopicArn":
+        return physicalId;
+      case "TopicName":
+        return physicalId.split(":").pop();
+      default:
+        return void 0;
+    }
+  }
   /**
    * Adopt an existing SNS topic into cdkd state.
    *
@@ -13309,6 +13447,43 @@ var LambdaFunctionProvider = class {
     }
     return (crc ^ 4294967295) >>> 0;
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing Lambda function.
+   *
+   * CloudFormation's `AWS::Lambda::Function` exposes `Arn`,
+   * `SnapStartResponse.ApplyOn`, and `SnapStartResponse.OptimizationStatus`
+   * as documented at
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#aws-resource-lambda-function-return-values.
+   *
+   * All three live in the same `GetFunction` response (`Configuration.FunctionArn`
+   * and `Configuration.SnapStart.{ApplyOn,OptimizationStatus}`), so a single API
+   * call covers every supported attr. Used by `cdkd orphan` to live-fetch
+   * attribute values that need to be substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName !== "Arn" && attributeName !== "SnapStartResponse.ApplyOn" && attributeName !== "SnapStartResponse.OptimizationStatus") {
+      return void 0;
+    }
+    try {
+      const resp = await this.lambdaClient.send(
+        new GetFunctionCommand({ FunctionName: physicalId })
+      );
+      switch (attributeName) {
+        case "Arn":
+          return resp.Configuration?.FunctionArn;
+        case "SnapStartResponse.ApplyOn":
+          return resp.Configuration?.SnapStart?.ApplyOn;
+        case "SnapStartResponse.OptimizationStatus":
+          return resp.Configuration?.SnapStart?.OptimizationStatus;
+        default:
+          return void 0;
+      }
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing Lambda function into cdkd state.
    *
@@ -13581,6 +13756,7 @@ var LambdaPermissionProvider = class {
 import {
   CreateFunctionUrlConfigCommand,
   DeleteFunctionUrlConfigCommand,
+  GetFunctionUrlConfigCommand as GetFunctionUrlConfigCommand2,
   UpdateFunctionUrlConfigCommand,
   ResourceNotFoundException as ResourceNotFoundException3
 } from "@aws-sdk/client-lambda";
@@ -13708,6 +13884,36 @@ var LambdaUrlProvider = class {
       );
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing Lambda Function
+   * URL.
+   *
+   * CloudFormation's `AWS::Lambda::Url` exposes `FunctionArn` and
+   * `FunctionUrl`. Both come from `GetFunctionUrlConfig`. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-url.html#aws-resource-lambda-url-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    try {
+      const resp = await this.lambdaClient.send(
+        new GetFunctionUrlConfigCommand2({ FunctionName: physicalId })
+      );
+      switch (attributeName) {
+        case "FunctionArn":
+          return resp.FunctionArn;
+        case "FunctionUrl":
+          return resp.FunctionUrl;
+        default:
+          return void 0;
+      }
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing Lambda Function URL into cdkd state.
    *
@@ -14419,6 +14625,40 @@ var DynamoDBTableProvider = class {
     }
     throw new Error(`Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds`);
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing DynamoDB table.
+   *
+   * CloudFormation's `AWS::DynamoDB::Table` exposes `Arn`, `StreamArn`
+   * (a.k.a. `LatestStreamArn` in the SDK; CFn returns the latest enabled
+   * stream's ARN), and `LatestStreamLabel`. All three are sibling fields on
+   * the same `DescribeTable` response, so a single API call covers every
+   * supported attr. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#aws-resource-dynamodb-table-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    try {
+      const resp = await this.dynamoDBClient.send(
+        new DescribeTableCommand2({ TableName: physicalId })
+      );
+      switch (attributeName) {
+        case "Arn":
+          return resp.Table?.TableArn;
+        case "StreamArn":
+          return resp.Table?.LatestStreamArn;
+        case "LatestStreamLabel":
+          return resp.Table?.LatestStreamLabel;
+        default:
+          return void 0;
+      }
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException6)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing DynamoDB table into cdkd state.
    *
@@ -14706,6 +14946,23 @@ var LogsLogGroupProvider = class {
       return `arn:aws:logs:unknown:unknown:log-group:${logGroupName}:*`;
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing log group.
+   *
+   * CloudFormation's `AWS::Logs::LogGroup` exposes only `Arn`. The ARN is
+   * derivable from the log group name + account + region via the existing
+   * `buildArn` helper. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#aws-resource-logs-loggroup-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName !== "Arn") {
+      return void 0;
+    }
+    return this.buildArn(physicalId);
+  }
   /**
    * Adopt an existing CloudWatch Logs log group into cdkd state.
    *
@@ -16743,29 +17000,63 @@ var EC2Provider = class {
       }
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an `AWS::EC2::VPC`.
+   *
+   * CloudFormation returns `CidrBlock`, `CidrBlockAssociations`,
+   * `DefaultNetworkAcl`, `DefaultSecurityGroup`, and `Ipv6CidrBlocks`. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html#aws-resource-ec2-vpc-return-values
+   *
+   * `DefaultNetworkAcl` and `DefaultSecurityGroup` previously returned wrong
+   * values (DHCP options id and `undefined` respectively); the AWS console
+   * surfaces these the same way as CFn — by filtering the relevant
+   * `Describe*` API on `vpc-id` + the `default` flag.
+   */
   async getVpcAttribute(physicalId, attributeName) {
-    if (attributeName === "VpcId")
-      return physicalId;
     try {
-      const response = await this.ec2Client.send(new DescribeVpcsCommand2({ VpcIds: [physicalId] }));
-      const vpc = response.Vpcs?.[0];
-      if (!vpc)
-        return void 0;
       switch (attributeName) {
-        case "CidrBlock":
-          return vpc.CidrBlock;
-        case "Ipv6CidrBlocks":
-          return vpc.Ipv6CidrBlockAssociationSet?.filter(
-            (a) => a.Ipv6CidrBlockState?.State === "associated"
-          ).map((a) => a.Ipv6CidrBlock) || [];
-        case "CidrBlockAssociations":
-          return vpc.CidrBlockAssociationSet?.map((a) => a.AssociationId) || [];
-        case "DefaultNetworkAcl":
-          return vpc.DhcpOptionsId;
-        case "DefaultSecurityGroup":
-          return void 0;
-        default:
-          return void 0;
+        case "DefaultNetworkAcl": {
+          const resp = await this.ec2Client.send(
+            new DescribeNetworkAclsCommand({
+              Filters: [
+                { Name: "vpc-id", Values: [physicalId] },
+                { Name: "default", Values: ["true"] }
+              ]
+            })
+          );
+          return resp.NetworkAcls?.[0]?.NetworkAclId;
+        }
+        case "DefaultSecurityGroup": {
+          const resp = await this.ec2Client.send(
+            new DescribeSecurityGroupsCommand2({
+              Filters: [
+                { Name: "vpc-id", Values: [physicalId] },
+                { Name: "group-name", Values: ["default"] }
+              ]
+            })
+          );
+          return resp.SecurityGroups?.[0]?.GroupId;
+        }
+        default: {
+          const response = await this.ec2Client.send(
+            new DescribeVpcsCommand2({ VpcIds: [physicalId] })
+          );
+          const vpc = response.Vpcs?.[0];
+          if (!vpc)
+            return void 0;
+          switch (attributeName) {
+            case "CidrBlock":
+              return vpc.CidrBlock;
+            case "Ipv6CidrBlocks":
+              return vpc.Ipv6CidrBlockAssociationSet?.filter(
+                (a) => a.Ipv6CidrBlockState?.State === "associated"
+              ).map((a) => a.Ipv6CidrBlock) || [];
+            case "CidrBlockAssociations":
+              return vpc.CidrBlockAssociationSet?.map((a) => a.AssociationId) || [];
+            default:
+              return void 0;
+          }
+        }
       }
     } catch {
       return void 0;
@@ -31633,8 +31924,11 @@ var DeployEngine = class {
     const baseLabel = `${verb} ${logicalId} (${resourceType})`;
     renderer.addTask(logicalId, baseLabel);
     const operationKind = change.changeType === "CREATE" ? "CREATE" : change.changeType === "DELETE" ? "DELETE" : "UPDATE";
+    const provider = this.providerRegistry.getProvider(resourceType);
+    const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
     const warnAfterMs = this.options.resourceWarnAfterByType?.[resourceType] ?? this.options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
-    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    const globalTimeoutMs = this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
     try {
       await withResourceDeadline(
         async () => {
@@ -31713,7 +32007,10 @@ var DeployEngine = class {
         const { provider: createProvider, properties: createProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
         const result = await this.withRetry(
           () => createProvider.create(logicalId, resourceType, createProps),
-          logicalId
+          logicalId,
+          void 0,
+          void 0,
+          provider
         );
         const dependencies = this.extractAllDependencies(template, logicalId);
         stateResources[logicalId] = {
@@ -31767,7 +32064,10 @@ var DeployEngine = class {
           const { provider: replaceProvider, properties: replaceProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
           const createResult = await this.withRetry(
             () => replaceProvider.create(logicalId, resourceType, replaceProps),
-            logicalId
+            logicalId,
+            void 0,
+            void 0,
+            provider
           );
           const updateReplacePolicy = template?.Resources?.[logicalId]?.UpdateReplacePolicy;
           if (updateReplacePolicy === "Retain") {
@@ -31818,7 +32118,10 @@ var DeployEngine = class {
                 updateProps,
                 currentProps
               ),
-              logicalId
+              logicalId,
+              void 0,
+              void 0,
+              provider
             );
           } catch (updateError) {
             const msg = updateError instanceof Error ? updateError.message : String(updateError);
@@ -31847,7 +32150,10 @@ var DeployEngine = class {
               const { provider: replProvider, properties: replProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
               const createResult = await this.withRetry(
                 () => replProvider.create(logicalId, resourceType, replProps),
-                logicalId
+                logicalId,
+                void 0,
+                void 0,
+                provider
               );
               result = {
                 physicalId: createResult.physicalId,
@@ -31904,7 +32210,8 @@ var DeployEngine = class {
             logicalId,
             3,
             // fewer retries for DELETE
-            5e3
+            5e3,
+            provider
           );
         } catch (deleteError) {
           const msg = deleteError instanceof Error ? deleteError.message : String(deleteError);
@@ -32081,8 +32388,18 @@ var DeployEngine = class {
    * Thin wrapper over `withRetry` from ./retry.js that injects this engine's
    * SIGINT-aware interrupt check and logger. The actual backoff schedule
    * lives there.
+   *
+   * When the provider opts out via `disableOuterRetry`, the operation is
+   * invoked exactly once and the retry loop is skipped entirely. The
+   * Custom Resource provider uses this to avoid re-running its `create()`
+   * — each invocation derives a fresh pre-signed S3 URL and RequestId,
+   * so an outer retry leaves the previous attempt's Lambda response
+   * stranded at an S3 key nobody polls.
    */
-  async withRetry(operation, logicalId, maxRetries, initialDelayMs) {
+  async withRetry(operation, logicalId, maxRetries, initialDelayMs, provider) {
+    if (provider?.disableOuterRetry) {
+      return operation();
+    }
     return withRetry(operation, logicalId, {
       ...maxRetries !== void 0 && { maxRetries },
       ...initialDelayMs !== void 0 && { initialDelayMs },
@@ -32762,16 +33079,19 @@ Acquiring lock for stack ${stackName}...`);
           logger.warn(`Resource ${logicalId} not found in state, skipping`);
           return;
         }
-        const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
-        const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? ctx.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
         const baseLabel = `Deleting ${logicalId} (${resource.resourceType})`;
         renderer.addTask(logicalId, baseLabel);
         try {
           const provider = destroyProviderRegistry.getProvider(resource.resourceType);
+          const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
+          const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
+          const globalTimeoutMs = ctx.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+          const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
           await withResourceDeadline(
             async () => {
+              const maxAttempts = provider.disableOuterRetry ? 0 : 3;
               let lastDeleteError;
-              for (let attempt = 0; attempt <= 3; attempt++) {
+              for (let attempt = 0; attempt <= maxAttempts; attempt++) {
                 try {
                   await provider.delete(
                     logicalId,
@@ -32785,11 +33105,11 @@ Acquiring lock for stack ${stackName}...`);
                   lastDeleteError = retryError;
                   const msg = retryError instanceof Error ? retryError.message : String(retryError);
                   const isRetryable = msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation");
-                  if (!isRetryable || attempt >= 3)
+                  if (!isRetryable || attempt >= maxAttempts)
                     break;
                   const delay = 5e3 * Math.pow(2, attempt);
                   logger.debug(
-                    `  \u23F3 Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/3)`
+                    `  \u23F3 Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/${maxAttempts})`
                   );
                   await new Promise((resolve4) => setTimeout(resolve4, delay));
                 }
@@ -35316,7 +35636,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.26.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.28.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());