@go-to-k/cdkd 0.27.0 → 0.28.0

package/README.md

@@ -539,9 +539,6 @@ Both flags accept either form on each invocation:
 `TYPE` must look like `AWS::Service::Resource`; malformed types are rejected at parse time. `warn < timeout` is enforced both globally and per-type — so `--resource-warn-after AWS::X=10m --resource-timeout AWS::X=5m` is a parse-time error.
 
 ```bash
-# Bump the per-resource budget to one hour (matches the Custom Resource provider's polling cap)
-cdkd deploy --resource-timeout 1h
-
 # Surface "still running" warnings sooner on a fast-feedback dev loop
 cdkd deploy --resource-warn-after 90s --resource-timeout 10m
 
@@ -550,19 +547,25 @@ cdkd deploy \
   --resource-timeout 30m \
   --resource-timeout AWS::CloudFront::Distribution=1h \
   --resource-timeout AWS::RDS::DBCluster=1h30m
+
+# Force Custom Resources to abort earlier than their 1h self-reported polling cap
+cdkd deploy --resource-timeout AWS::CloudFormation::CustomResource=5m
 ```
 
 ### Why the default is 30m, not 1h
 
-cdkd's Custom Resource provider polls async handlers (`isCompleteHandler` pattern) for up to one hour before giving up. Setting the per-resource timeout to 1h by default would make a single hung Custom Resource hold the whole stack for an hour even though no other resource type ever needs more than a few minutes. A shorter default (`30m`) catches stuck operations faster, and stacks that legitimately rely on long-running Custom Resources opt into the higher budget explicitly with `--resource-timeout 1h`.
+cdkd's Custom Resource provider polls async handlers (`isCompleteHandler` pattern) for up to one hour before giving up. Setting the per-resource timeout to 1h by default would make a single hung non-CR resource hold the whole stack for an hour even though no other resource type ever needs more than a few minutes. The 30m global default catches stuck operations faster.
+
+For Custom Resources specifically, the provider self-reports its 1h polling cap to the engine via the `getMinResourceTimeoutMs()` interface — the deploy engine resolves the per-resource budget as `max(provider self-report, --resource-timeout global)`, so CR resources get their full hour automatically without the user having to remember `--resource-timeout 1h`. To force CR to abort earlier than its self-reported cap, pass an explicit per-type override (`--resource-timeout AWS::CloudFormation::CustomResource=5m`). Per-type overrides always win over the provider's self-report — they're the documented escape hatch.
 
-The error message on timeout names the resource, type, region, elapsed time, and operation, and reminds you to re-run with `--resource-timeout 1h` (or higher) for genuinely-long resources:
+The error message on timeout names the resource, type, region, elapsed time, and operation, and reminds you that long-running resources self-report their needed budget — when you see CR time out, the cause is genuinely the handler, not too-tight a default:
 
 ```text
 Resource MyBucket (AWS::S3::Bucket) in us-east-1 timed out after 30m during CREATE (elapsed 30m).
 This may indicate a stuck Cloud Control polling loop, hung Custom Resource, or
-slow ENI provisioning. Re-run with --resource-timeout 1h if the resource genuinely
-needs more time, or --verbose to see the underlying provider activity.
+slow ENI provisioning. Re-run with --resource-timeout AWS::S3::Bucket=<DURATION>
+to bump the budget for this resource type only, or --verbose to see the
+underlying provider activity.
 ```
 
 Note: `--resource-warn-after` must be less than `--resource-timeout`. Reversed values are rejected at parse time.

package/dist/cli.js

@@ -1133,8 +1133,9 @@ var ResourceTimeoutError = class _ResourceTimeoutError extends CdkdError {
     super(
       `Resource ${logicalId} (${resourceType}) in ${region} timed out after ${timeoutLabel} during ${operation} (elapsed ${elapsedLabel}).
 This may indicate a stuck Cloud Control polling loop, hung Custom Resource, or
-slow ENI provisioning. Re-run with --resource-timeout 1h if the resource genuinely
-needs more time, or --verbose to see the underlying provider activity.`,
+slow ENI provisioning. Re-run with --resource-timeout ${resourceType}=<DURATION>
+to bump the budget for this resource type only, or --verbose to see the
+underlying provider activity.`,
       "RESOURCE_TIMEOUT"
     );
     this.logicalId = logicalId;
@@ -7448,6 +7449,23 @@ var CustomResourceProvider = class _CustomResourceProvider {
   logger = getLogger().child("CustomResourceProvider");
   responseBucket;
   responsePrefix;
+  /**
+   * Opt out of the deploy engine's outer transient-error retry loop.
+   *
+   * The loop re-invokes `provider.create()` from the top on a transient
+   * SDK error (IAM propagation, HTTP 429/503, etc.). Each invocation
+   * generates a brand-new RequestId and a brand-new pre-signed S3
+   * response URL via `prepareInvocation()`. If the underlying Lambda has
+   * already started — e.g. an outer retry fired between the placeholder
+   * `PutObject` and the `Invoke`, or after the `Invoke` returned but a
+   * spurious downstream error fired — the first attempt's Lambda
+   * response lands at an S3 key that nobody polls, hanging the deploy
+   * until the polling timeout. The provider already polls with its own
+   * exponential backoff for async patterns (CDK Provider framework with
+   * isCompleteHandler), so an outer retry adds nothing but the multi-
+   * key bug.
+   */
+  disableOuterRetry = true;
   /** Max time to wait for synchronous S3 response after Lambda invocation (30 seconds) */
   SYNC_RESPONSE_TIMEOUT_MS = 3e4;
   /** Max time to wait for async S3 response (CDK Provider framework with isCompleteHandler) */
@@ -7467,6 +7485,22 @@ var CustomResourceProvider = class _CustomResourceProvider {
     this.responsePrefix = config?.responsePrefix ?? "custom-resource-responses";
     this.asyncResponseTimeoutMs = config?.asyncResponseTimeoutMs ?? _CustomResourceProvider.DEFAULT_ASYNC_RESPONSE_TIMEOUT_MS;
   }
+  /**
+   * Self-reported minimum per-resource timeout.
+   *
+   * Custom Resource async invocations (CDK Provider framework with
+   * `isCompleteHandler`) poll for up to `asyncResponseTimeoutMs`
+   * (default 1 hour, matching CDK's `totalTimeout` default). The deploy
+   * engine's global `--resource-timeout` default is 30 minutes, which
+   * would abort a perfectly healthy CR mid-poll. By self-reporting the
+   * polling cap, the engine lifts the deadline to `max(self-report,
+   * global)` for CR resources only; a user-supplied per-type override
+   * (`--resource-timeout AWS::CloudFormation::CustomResource=5m`) still
+   * wins for explicit escape-hatching.
+   */
+  getMinResourceTimeoutMs() {
+    return this.asyncResponseTimeoutMs;
+  }
   /**
    * Set the S3 bucket for custom resource responses
    * Called by ProviderRegistry when state bucket is configured
@@ -31890,8 +31924,11 @@ var DeployEngine = class {
     const baseLabel = `${verb} ${logicalId} (${resourceType})`;
     renderer.addTask(logicalId, baseLabel);
     const operationKind = change.changeType === "CREATE" ? "CREATE" : change.changeType === "DELETE" ? "DELETE" : "UPDATE";
+    const provider = this.providerRegistry.getProvider(resourceType);
+    const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
     const warnAfterMs = this.options.resourceWarnAfterByType?.[resourceType] ?? this.options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
-    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    const globalTimeoutMs = this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
     try {
       await withResourceDeadline(
         async () => {
@@ -31970,7 +32007,10 @@ var DeployEngine = class {
         const { provider: createProvider, properties: createProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
         const result = await this.withRetry(
           () => createProvider.create(logicalId, resourceType, createProps),
-          logicalId
+          logicalId,
+          void 0,
+          void 0,
+          provider
         );
         const dependencies = this.extractAllDependencies(template, logicalId);
         stateResources[logicalId] = {
@@ -32024,7 +32064,10 @@ var DeployEngine = class {
           const { provider: replaceProvider, properties: replaceProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
           const createResult = await this.withRetry(
             () => replaceProvider.create(logicalId, resourceType, replaceProps),
-            logicalId
+            logicalId,
+            void 0,
+            void 0,
+            provider
           );
           const updateReplacePolicy = template?.Resources?.[logicalId]?.UpdateReplacePolicy;
           if (updateReplacePolicy === "Retain") {
@@ -32075,7 +32118,10 @@ var DeployEngine = class {
                 updateProps,
                 currentProps
               ),
-              logicalId
+              logicalId,
+              void 0,
+              void 0,
+              provider
             );
           } catch (updateError) {
             const msg = updateError instanceof Error ? updateError.message : String(updateError);
@@ -32104,7 +32150,10 @@ var DeployEngine = class {
               const { provider: replProvider, properties: replProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
               const createResult = await this.withRetry(
                 () => replProvider.create(logicalId, resourceType, replProps),
-                logicalId
+                logicalId,
+                void 0,
+                void 0,
+                provider
               );
               result = {
                 physicalId: createResult.physicalId,
@@ -32161,7 +32210,8 @@ var DeployEngine = class {
             logicalId,
             3,
             // fewer retries for DELETE
-            5e3
+            5e3,
+            provider
           );
         } catch (deleteError) {
           const msg = deleteError instanceof Error ? deleteError.message : String(deleteError);
@@ -32338,8 +32388,18 @@ var DeployEngine = class {
    * Thin wrapper over `withRetry` from ./retry.js that injects this engine's
    * SIGINT-aware interrupt check and logger. The actual backoff schedule
    * lives there.
+   *
+   * When the provider opts out via `disableOuterRetry`, the operation is
+   * invoked exactly once and the retry loop is skipped entirely. The
+   * Custom Resource provider uses this to avoid re-running its `create()`
+   * — each invocation derives a fresh pre-signed S3 URL and RequestId,
+   * so an outer retry leaves the previous attempt's Lambda response
+   * stranded at an S3 key nobody polls.
    */
-  async withRetry(operation, logicalId, maxRetries, initialDelayMs) {
+  async withRetry(operation, logicalId, maxRetries, initialDelayMs, provider) {
+    if (provider?.disableOuterRetry) {
+      return operation();
+    }
     return withRetry(operation, logicalId, {
       ...maxRetries !== void 0 && { maxRetries },
       ...initialDelayMs !== void 0 && { initialDelayMs },
@@ -33019,16 +33079,19 @@ Acquiring lock for stack ${stackName}...`);
           logger.warn(`Resource ${logicalId} not found in state, skipping`);
           return;
         }
-        const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
-        const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? ctx.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
         const baseLabel = `Deleting ${logicalId} (${resource.resourceType})`;
         renderer.addTask(logicalId, baseLabel);
         try {
           const provider = destroyProviderRegistry.getProvider(resource.resourceType);
+          const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
+          const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
+          const globalTimeoutMs = ctx.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+          const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
           await withResourceDeadline(
             async () => {
+              const maxAttempts = provider.disableOuterRetry ? 0 : 3;
               let lastDeleteError;
-              for (let attempt = 0; attempt <= 3; attempt++) {
+              for (let attempt = 0; attempt <= maxAttempts; attempt++) {
                 try {
                   await provider.delete(
                     logicalId,
@@ -33042,11 +33105,11 @@ Acquiring lock for stack ${stackName}...`);
                   lastDeleteError = retryError;
                   const msg = retryError instanceof Error ? retryError.message : String(retryError);
                   const isRetryable = msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation");
-                  if (!isRetryable || attempt >= 3)
+                  if (!isRetryable || attempt >= maxAttempts)
                     break;
                   const delay = 5e3 * Math.pow(2, attempt);
                   logger.debug(
-                    `  \u23F3 Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/3)`
+                    `  \u23F3 Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/${maxAttempts})`
                   );
                   await new Promise((resolve4) => setTimeout(resolve4, delay));
                 }
@@ -35573,7 +35636,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.27.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.28.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());