npm - @go-to-k/cdkd - Versions diffs - 0.26.0 → 0.28.0 - Mend

@go-to-k/cdkd 0.26.0 → 0.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +10 -7
package/dist/cli.js +356 -36
package/dist/cli.js.map +3 -3
package/dist/go-to-k-cdkd-0.28.0.tgz +0 -0
package/dist/index.js +96 -9
package/dist/index.js.map +2 -2
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.26.0.tgz +0 -0

package/dist/go-to-k-cdkd-0.28.0.tgz ADDED Viewed

Binary file

package/dist/index.js CHANGED Viewed

@@ -921,8 +921,9 @@ var ResourceTimeoutError = class _ResourceTimeoutError extends CdkdError {
     super(
       `Resource ${logicalId} (${resourceType}) in ${region} timed out after ${timeoutLabel} during ${operation} (elapsed ${elapsedLabel}).
 This may indicate a stuck Cloud Control polling loop, hung Custom Resource, or
-slow ENI provisioning. Re-run with --resource-timeout 1h if the resource genuinely
-needs more time, or --verbose to see the underlying provider activity.`,
+slow ENI provisioning. Re-run with --resource-timeout ${resourceType}=<DURATION>
+to bump the budget for this resource type only, or --verbose to see the
+underlying provider activity.`,
       "RESOURCE_TIMEOUT"
     );
     this.logicalId = logicalId;
@@ -6696,6 +6697,23 @@ var CustomResourceProvider = class _CustomResourceProvider {
   logger = getLogger().child("CustomResourceProvider");
   responseBucket;
   responsePrefix;
+  /**
+   * Opt out of the deploy engine's outer transient-error retry loop.
+   *
+   * The loop re-invokes `provider.create()` from the top on a transient
+   * SDK error (IAM propagation, HTTP 429/503, etc.). Each invocation
+   * generates a brand-new RequestId and a brand-new pre-signed S3
+   * response URL via `prepareInvocation()`. If the underlying Lambda has
+   * already started — e.g. an outer retry fired between the placeholder
+   * `PutObject` and the `Invoke`, or after the `Invoke` returned but a
+   * spurious downstream error fired — the first attempt's Lambda
+   * response lands at an S3 key that nobody polls, hanging the deploy
+   * until the polling timeout. The provider already polls with its own
+   * exponential backoff for async patterns (CDK Provider framework with
+   * isCompleteHandler), so an outer retry adds nothing but the multi-
+   * key bug.
+   */
+  disableOuterRetry = true;
   /** Max time to wait for synchronous S3 response after Lambda invocation (30 seconds) */
   SYNC_RESPONSE_TIMEOUT_MS = 3e4;
   /** Max time to wait for async S3 response (CDK Provider framework with isCompleteHandler) */
@@ -6715,6 +6733,22 @@ var CustomResourceProvider = class _CustomResourceProvider {
     this.responsePrefix = config?.responsePrefix ?? "custom-resource-responses";
     this.asyncResponseTimeoutMs = config?.asyncResponseTimeoutMs ?? _CustomResourceProvider.DEFAULT_ASYNC_RESPONSE_TIMEOUT_MS;
   }
+  /**
+   * Self-reported minimum per-resource timeout.
+   *
+   * Custom Resource async invocations (CDK Provider framework with
+   * `isCompleteHandler`) poll for up to `asyncResponseTimeoutMs`
+   * (default 1 hour, matching CDK's `totalTimeout` default). The deploy
+   * engine's global `--resource-timeout` default is 30 minutes, which
+   * would abort a perfectly healthy CR mid-poll. By self-reporting the
+   * polling cap, the engine lifts the deadline to `max(self-report,
+   * global)` for CR resources only; a user-supplied per-type override
+   * (`--resource-timeout AWS::CloudFormation::CustomResource=5m`) still
+   * wins for explicit escape-hatching.
+   */
+  getMinResourceTimeoutMs() {
+    return this.asyncResponseTimeoutMs;
+  }
   /**
    * Set the S3 bucket for custom resource responses
    * Called by ProviderRegistry when state bucket is configured
@@ -7886,6 +7920,33 @@ var IAMRoleProvider = class {
       this.logger.debug(`Added/updated ${tagsToAdd.length} tags on role ${roleName}`);
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing IAM role.
+   *
+   * CloudFormation's `AWS::IAM::Role` exposes `Arn` and `RoleId`; both are
+   * available from the `GetRole` response. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    try {
+      const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
+      switch (attributeName) {
+        case "Arn":
+          return resp.Role?.Arn;
+        case "RoleId":
+          return resp.Role?.RoleId;
+        default:
+          return void 0;
+      }
+    } catch (err) {
+      if (err instanceof NoSuchEntityException)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -8861,8 +8922,11 @@ var DeployEngine = class {
     const baseLabel = `${verb} ${logicalId} (${resourceType})`;
     renderer.addTask(logicalId, baseLabel);
     const operationKind = change.changeType === "CREATE" ? "CREATE" : change.changeType === "DELETE" ? "DELETE" : "UPDATE";
+    const provider = this.providerRegistry.getProvider(resourceType);
+    const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
     const warnAfterMs = this.options.resourceWarnAfterByType?.[resourceType] ?? this.options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
-    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    const globalTimeoutMs = this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
     try {
       await withResourceDeadline(
         async () => {
@@ -8941,7 +9005,10 @@ var DeployEngine = class {
         const { provider: createProvider, properties: createProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
         const result = await this.withRetry(
           () => createProvider.create(logicalId, resourceType, createProps),
-          logicalId
+          logicalId,
+          void 0,
+          void 0,
+          provider
         );
         const dependencies = this.extractAllDependencies(template, logicalId);
         stateResources[logicalId] = {
@@ -8995,7 +9062,10 @@ var DeployEngine = class {
           const { provider: replaceProvider, properties: replaceProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
           const createResult = await this.withRetry(
             () => replaceProvider.create(logicalId, resourceType, replaceProps),
-            logicalId
+            logicalId,
+            void 0,
+            void 0,
+            provider
           );
           const updateReplacePolicy = template?.Resources?.[logicalId]?.UpdateReplacePolicy;
           if (updateReplacePolicy === "Retain") {
@@ -9046,7 +9116,10 @@ var DeployEngine = class {
                 updateProps,
                 currentProps
               ),
-              logicalId
+              logicalId,
+              void 0,
+              void 0,
+              provider
             );
           } catch (updateError) {
             const msg = updateError instanceof Error ? updateError.message : String(updateError);
@@ -9075,7 +9148,10 @@ var DeployEngine = class {
               const { provider: replProvider, properties: replProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
               const createResult = await this.withRetry(
                 () => replProvider.create(logicalId, resourceType, replProps),
-                logicalId
+                logicalId,
+                void 0,
+                void 0,
+                provider
               );
               result = {
                 physicalId: createResult.physicalId,
@@ -9132,7 +9208,8 @@ var DeployEngine = class {
             logicalId,
             3,
             // fewer retries for DELETE
-            5e3
+            5e3,
+            provider
           );
         } catch (deleteError) {
           const msg = deleteError instanceof Error ? deleteError.message : String(deleteError);
@@ -9309,8 +9386,18 @@ var DeployEngine = class {
    * Thin wrapper over `withRetry` from ./retry.js that injects this engine's
    * SIGINT-aware interrupt check and logger. The actual backoff schedule
    * lives there.
+   *
+   * When the provider opts out via `disableOuterRetry`, the operation is
+   * invoked exactly once and the retry loop is skipped entirely. The
+   * Custom Resource provider uses this to avoid re-running its `create()`
+   * — each invocation derives a fresh pre-signed S3 URL and RequestId,
+   * so an outer retry leaves the previous attempt's Lambda response
+   * stranded at an S3 key nobody polls.
    */
-  async withRetry(operation, logicalId, maxRetries, initialDelayMs) {
+  async withRetry(operation, logicalId, maxRetries, initialDelayMs, provider) {
+    if (provider?.disableOuterRetry) {
+      return operation();
+    }
     return withRetry(operation, logicalId, {
       ...maxRetries !== void 0 && { maxRetries },
       ...initialDelayMs !== void 0 && { initialDelayMs },