@go-to-k/cdkd 0.27.0 → 0.28.1

package/dist/index.js

@@ -921,8 +921,9 @@ var ResourceTimeoutError = class _ResourceTimeoutError extends CdkdError {
     super(
       `Resource ${logicalId} (${resourceType}) in ${region} timed out after ${timeoutLabel} during ${operation} (elapsed ${elapsedLabel}).
 This may indicate a stuck Cloud Control polling loop, hung Custom Resource, or
-slow ENI provisioning. Re-run with --resource-timeout 1h if the resource genuinely
-needs more time, or --verbose to see the underlying provider activity.`,
+slow ENI provisioning. Re-run with --resource-timeout ${resourceType}=<DURATION>
+to bump the budget for this resource type only, or --verbose to see the
+underlying provider activity.`,
       "RESOURCE_TIMEOUT"
     );
     this.logicalId = logicalId;
@@ -6696,6 +6697,23 @@ var CustomResourceProvider = class _CustomResourceProvider {
   logger = getLogger().child("CustomResourceProvider");
   responseBucket;
   responsePrefix;
+  /**
+   * Opt out of the deploy engine's outer transient-error retry loop.
+   *
+   * The loop re-invokes `provider.create()` from the top on a transient
+   * SDK error (IAM propagation, HTTP 429/503, etc.). Each invocation
+   * generates a brand-new RequestId and a brand-new pre-signed S3
+   * response URL via `prepareInvocation()`. If the underlying Lambda has
+   * already started — e.g. an outer retry fired between the placeholder
+   * `PutObject` and the `Invoke`, or after the `Invoke` returned but a
+   * spurious downstream error fired — the first attempt's Lambda
+   * response lands at an S3 key that nobody polls, hanging the deploy
+   * until the polling timeout. The provider already polls with its own
+   * exponential backoff for async patterns (CDK Provider framework with
+   * isCompleteHandler), so an outer retry adds nothing but the multi-
+   * key bug.
+   */
+  disableOuterRetry = true;
   /** Max time to wait for synchronous S3 response after Lambda invocation (30 seconds) */
   SYNC_RESPONSE_TIMEOUT_MS = 3e4;
   /** Max time to wait for async S3 response (CDK Provider framework with isCompleteHandler) */
@@ -6715,6 +6733,22 @@ var CustomResourceProvider = class _CustomResourceProvider {
     this.responsePrefix = config?.responsePrefix ?? "custom-resource-responses";
     this.asyncResponseTimeoutMs = config?.asyncResponseTimeoutMs ?? _CustomResourceProvider.DEFAULT_ASYNC_RESPONSE_TIMEOUT_MS;
   }
+  /**
+   * Self-reported minimum per-resource timeout.
+   *
+   * Custom Resource async invocations (CDK Provider framework with
+   * `isCompleteHandler`) poll for up to `asyncResponseTimeoutMs`
+   * (default 1 hour, matching CDK's `totalTimeout` default). The deploy
+   * engine's global `--resource-timeout` default is 30 minutes, which
+   * would abort a perfectly healthy CR mid-poll. By self-reporting the
+   * polling cap, the engine lifts the deadline to `max(self-report,
+   * global)` for CR resources only; a user-supplied per-type override
+   * (`--resource-timeout AWS::CloudFormation::CustomResource=5m`) still
+   * wins for explicit escape-hatching.
+   */
+  getMinResourceTimeoutMs() {
+    return this.asyncResponseTimeoutMs;
+  }
   /**
    * Set the S3 bucket for custom resource responses
    * Called by ProviderRegistry when state bucket is configured
@@ -8888,8 +8922,11 @@ var DeployEngine = class {
     const baseLabel = `${verb} ${logicalId} (${resourceType})`;
     renderer.addTask(logicalId, baseLabel);
     const operationKind = change.changeType === "CREATE" ? "CREATE" : change.changeType === "DELETE" ? "DELETE" : "UPDATE";
+    const provider = this.providerRegistry.getProvider(resourceType);
+    const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
     const warnAfterMs = this.options.resourceWarnAfterByType?.[resourceType] ?? this.options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
-    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    const globalTimeoutMs = this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
     try {
       await withResourceDeadline(
         async () => {
@@ -8968,7 +9005,10 @@ var DeployEngine = class {
         const { provider: createProvider, properties: createProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
         const result = await this.withRetry(
           () => createProvider.create(logicalId, resourceType, createProps),
-          logicalId
+          logicalId,
+          void 0,
+          void 0,
+          provider
         );
         const dependencies = this.extractAllDependencies(template, logicalId);
         stateResources[logicalId] = {
@@ -9022,7 +9062,10 @@ var DeployEngine = class {
           const { provider: replaceProvider, properties: replaceProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
           const createResult = await this.withRetry(
             () => replaceProvider.create(logicalId, resourceType, replaceProps),
-            logicalId
+            logicalId,
+            void 0,
+            void 0,
+            provider
           );
           const updateReplacePolicy = template?.Resources?.[logicalId]?.UpdateReplacePolicy;
           if (updateReplacePolicy === "Retain") {
@@ -9073,7 +9116,10 @@ var DeployEngine = class {
                 updateProps,
                 currentProps
               ),
-              logicalId
+              logicalId,
+              void 0,
+              void 0,
+              provider
             );
           } catch (updateError) {
             const msg = updateError instanceof Error ? updateError.message : String(updateError);
@@ -9102,7 +9148,10 @@ var DeployEngine = class {
               const { provider: replProvider, properties: replProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
               const createResult = await this.withRetry(
                 () => replProvider.create(logicalId, resourceType, replProps),
-                logicalId
+                logicalId,
+                void 0,
+                void 0,
+                provider
               );
               result = {
                 physicalId: createResult.physicalId,
@@ -9159,7 +9208,8 @@ var DeployEngine = class {
             logicalId,
             3,
             // fewer retries for DELETE
-            5e3
+            5e3,
+            provider
           );
         } catch (deleteError) {
           const msg = deleteError instanceof Error ? deleteError.message : String(deleteError);
@@ -9336,8 +9386,18 @@ var DeployEngine = class {
    * Thin wrapper over `withRetry` from ./retry.js that injects this engine's
    * SIGINT-aware interrupt check and logger. The actual backoff schedule
    * lives there.
+   *
+   * When the provider opts out via `disableOuterRetry`, the operation is
+   * invoked exactly once and the retry loop is skipped entirely. The
+   * Custom Resource provider uses this to avoid re-running its `create()`
+   * — each invocation derives a fresh pre-signed S3 URL and RequestId,
+   * so an outer retry leaves the previous attempt's Lambda response
+   * stranded at an S3 key nobody polls.
    */
-  async withRetry(operation, logicalId, maxRetries, initialDelayMs) {
+  async withRetry(operation, logicalId, maxRetries, initialDelayMs, provider) {
+    if (provider?.disableOuterRetry) {
+      return operation();
+    }
     return withRetry(operation, logicalId, {
       ...maxRetries !== void 0 && { maxRetries },
       ...initialDelayMs !== void 0 && { initialDelayMs },