@go-to-k/cdkd 0.29.0 → 0.30.1

package/dist/cli.js

@@ -1304,14 +1304,14 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
   const { GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
-  const { S3Client: S3Client11 } = await import("@aws-sdk/client-s3");
+  const { S3Client: S3Client12 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
   const identity = await awsClients.sts.send(new GetCallerIdentityCommand11({}));
   const accountId = identity.Account;
   const newName = getDefaultStateBucketName(accountId);
   const legacyName = getLegacyStateBucketName(accountId, region);
-  const probe = new S3Client11({ region: "us-east-1" });
+  const probe = new S3Client12({ region: "us-east-1" });
   try {
     const newExists = await bucketExists(probe, newName);
     const legacyExists = await bucketExists(probe, legacyName);
@@ -12966,7 +12966,9 @@ import {
   GetFunctionCommand,
   ListFunctionsCommand,
   ListTagsCommand,
-  ResourceNotFoundException
+  ResourceNotFoundException,
+  waitUntilFunctionActiveV2,
+  waitUntilFunctionUpdatedV2
 } from "@aws-sdk/client-lambda";
 import {
   DescribeNetworkInterfacesCommand,
@@ -13009,6 +13011,14 @@ var LambdaFunctionProvider = class {
   eniWaitTimeoutMs = 10 * 60 * 1e3;
   eniWaitInitialDelayMs = 1e4;
   eniWaitMaxDelayMs = 3e4;
+  // Budget for the post-CreateFunction / post-Update wait that blocks until
+  // Configuration.State === 'Active' and LastUpdateStatus === 'Successful'.
+  // Must NOT be skipped by --no-wait: downstream resources (Custom Resource
+  // Invokes, EventSourceMappings, etc.) cannot operate against a function
+  // still in Pending / InProgress, so this is required for correctness, not
+  // a "convenience wait" like CloudFront / RDS readiness.
+  // Seconds (the SDK waiter contract is seconds, not ms).
+  functionReadyMaxWaitSeconds = 10 * 60;
   // delstack-style ENI cleanup tunables.
   // - initial sleep: gives AWS time to publish post-detach ENI state via
   //   DescribeNetworkInterfaces (right after the update, the API can return
@@ -13077,6 +13087,7 @@ var LambdaFunctionProvider = class {
         Tags: tags
       };
       const response = await this.lambdaClient.send(new CreateFunctionCommand(createParams));
+      await this.waitForFunctionActive(logicalId, resourceType, functionName);
       this.logger.debug(`Successfully created Lambda function ${logicalId}: ${functionName}`);
       return {
         physicalId: response.FunctionName || functionName,
@@ -13086,6 +13097,9 @@ var LambdaFunctionProvider = class {
         }
       };
     } catch (error) {
+      if (error instanceof ProvisioningError) {
+        throw error;
+      }
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
         `Failed to create Lambda function ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
@@ -13142,6 +13156,7 @@ var LambdaFunctionProvider = class {
         };
         await this.lambdaClient.send(new UpdateFunctionConfigurationCommand(configParams));
         this.logger.debug(`Updated configuration for Lambda function ${physicalId}`);
+        await this.waitForFunctionUpdated(logicalId, resourceType, physicalId);
       }
       const newCode = properties["Code"];
       const oldCode = previousProperties["Code"];
@@ -13157,6 +13172,7 @@ var LambdaFunctionProvider = class {
         };
         await this.lambdaClient.send(new UpdateFunctionCodeCommand(codeParams));
         this.logger.debug(`Updated code for Lambda function ${physicalId}`);
+        await this.waitForFunctionUpdated(logicalId, resourceType, physicalId);
       }
       const getResponse = await this.lambdaClient.send(
         new GetFunctionCommand({ FunctionName: physicalId })
@@ -13170,6 +13186,9 @@ var LambdaFunctionProvider = class {
         }
       };
     } catch (error) {
+      if (error instanceof ProvisioningError) {
+        throw error;
+      }
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
         `Failed to update Lambda function ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
@@ -13336,6 +13355,58 @@ var LambdaFunctionProvider = class {
    * Timeout is a soft warning — downstream Subnet/SG deletion has its own
    * retries.
    */
+  /**
+   * Block until the function's State === 'Active'.
+   *
+   * Used after CreateFunction. Wraps the SDK's built-in
+   * `waitUntilFunctionActiveV2` (acceptors: SUCCESS=Active, FAILURE=Failed,
+   * RETRY=Pending). The waiter throws on FAILURE / TIMEOUT — both surface
+   * as `ProvisioningError` with the function-name as physicalId so the
+   * deploy engine's per-resource error handling treats them identically to
+   * a CreateFunction failure.
+   */
+  async waitForFunctionActive(logicalId, resourceType, functionName) {
+    try {
+      await waitUntilFunctionActiveV2(
+        { client: this.lambdaClient, maxWaitTime: this.functionReadyMaxWaitSeconds },
+        { FunctionName: functionName }
+      );
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Lambda function ${logicalId} did not reach Active state: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        functionName,
+        cause
+      );
+    }
+  }
+  /**
+   * Block until the function's LastUpdateStatus === 'Successful'.
+   *
+   * Used after UpdateFunctionConfiguration / UpdateFunctionCode. Wraps the
+   * SDK's `waitUntilFunctionUpdatedV2` (acceptors: SUCCESS=Successful,
+   * FAILURE=Failed, RETRY=InProgress). Same error-wrapping contract as
+   * `waitForFunctionActive`.
+   */
+  async waitForFunctionUpdated(logicalId, resourceType, functionName) {
+    try {
+      await waitUntilFunctionUpdatedV2(
+        { client: this.lambdaClient, maxWaitTime: this.functionReadyMaxWaitSeconds },
+        { FunctionName: functionName }
+      );
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Lambda function ${logicalId} update did not complete: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        functionName,
+        cause
+      );
+    }
+  }
   /**
    * Poll GetFunction until LastUpdateStatus is no longer `InProgress`.
    *
@@ -13348,6 +13419,12 @@ var LambdaFunctionProvider = class {
    * Bounded by eniWaitTimeoutMs (10min) and treated as a soft warning on
    * timeout: the subsequent ENI cleanup loop and downstream retries cover
    * the residual edge case.
+   *
+   * NOTE: deliberately separate from `waitForFunctionUpdated` (which uses
+   * the SDK's `waitUntilFunctionUpdatedV2` and throws on FAILURE). The
+   * pre-delete path needs a more lenient acceptor: if a prior update
+   * failed, we still want to proceed with DeleteFunction rather than
+   * abort, because the function is going away anyway.
    */
   async waitForLambdaUpdateCompleted(functionName) {
     const start = Date.now();
@@ -35330,6 +35407,7 @@ import {
   waitUntilStackUpdateComplete,
   waitUntilStackDeleteComplete
 } from "@aws-sdk/client-cloudformation";
+import { S3Client as S3Client11, PutObjectCommand as PutObjectCommand5, DeleteObjectCommand as DeleteObjectCommand4 } from "@aws-sdk/client-s3";
 var STABLE_TERMINAL_STATUSES = /* @__PURE__ */ new Set([
   "CREATE_COMPLETE",
   "UPDATE_COMPLETE",
@@ -35338,9 +35416,11 @@ var STABLE_TERMINAL_STATUSES = /* @__PURE__ */ new Set([
   "IMPORT_ROLLBACK_COMPLETE"
 ]);
 var TEMPLATE_BODY_LIMIT = 51200;
+var TEMPLATE_URL_LIMIT = 1048576;
+var MIGRATE_TMP_PREFIX = "cdkd-migrate-tmp";
 async function retireCloudFormationStack(options) {
   const logger = getLogger();
-  const { cfnStackName, cfnClient, yes } = options;
+  const { cfnStackName, cfnClient, yes, stateBucket, s3ClientOpts } = options;
   logger.info(`[1/4] Inspecting CloudFormation stack '${cfnStackName}'...`);
   const desc = await cfnClient.send(new DescribeStacksCommand({ StackName: cfnStackName }));
   const stack = desc.Stacks?.[0];
@@ -35370,39 +35450,69 @@ async function retireCloudFormationStack(options) {
       return { outcome: "cancelled" };
     }
   }
-  let updateRan = false;
   if (!modified) {
     logger.info(`[2/4] Template already has Retain on every resource \u2014 skipping UpdateStack.`);
   } else {
     logger.info(`[2/4] Injected DeletionPolicy=Retain and UpdateReplacePolicy=Retain.`);
-    if (newBody.length > TEMPLATE_BODY_LIMIT) {
+    if (newBody.length > TEMPLATE_URL_LIMIT) {
       throw new Error(
-        `Modified template is ${newBody.length} bytes, exceeds the inline UpdateStack TemplateBody limit (${TEMPLATE_BODY_LIMIT}). cdkd state has already been written; retire the stack manually with: (1) edit the template to add DeletionPolicy: Retain and UpdateReplacePolicy: Retain to every resource, (2) UpdateStack with the modified template via S3 TemplateURL, (3) DeleteStack. Inline TemplateURL fallback is a planned follow-up.`
+        `Modified template is ${newBody.length} bytes, exceeds the CloudFormation UpdateStack TemplateURL limit (${TEMPLATE_URL_LIMIT}). cdkd state has already been written; retire the stack manually with (1) shrink the template, then (2) UpdateStack with Retain policies, (3) DeleteStack \u2014 or split the stack and retry.`
       );
     }
-    logger.info(`[3/4] Updating CloudFormation stack with Retain policies...`);
-    try {
-      await cfnClient.send(
-        new UpdateStackCommand({
-          StackName: cfnStackName,
-          TemplateBody: newBody,
-          Capabilities: capabilities
-        })
+    let updateInput;
+    let s3Cleanup;
+    if (newBody.length <= TEMPLATE_BODY_LIMIT) {
+      updateInput = { TemplateBody: newBody };
+    } else {
+      logger.info(
+        `  Template is ${newBody.length} bytes (over ${TEMPLATE_BODY_LIMIT} inline limit) \u2014 uploading to state bucket '${stateBucket}'.`
       );
-      updateRan = true;
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (/No updates are to be performed/i.test(msg)) {
-        logger.info(`  CloudFormation reports no updates needed \u2014 proceeding to delete.`);
-      } else {
-        throw err;
-      }
+      const uploaded = await uploadTemplateForUpdateStack({
+        bucket: stateBucket,
+        body: newBody,
+        cfnStackName,
+        ...s3ClientOpts && { s3ClientOpts }
+      });
+      updateInput = { TemplateURL: uploaded.url };
+      s3Cleanup = uploaded.cleanup;
     }
-    if (updateRan) {
-      await waitUntilStackUpdateComplete(
-        { client: cfnClient, maxWaitTime: 1800 },
-        { StackName: cfnStackName }
-      );
+    try {
+      logger.info(`[3/4] Updating CloudFormation stack with Retain policies...`);
+      let updateRan = false;
+      try {
+        await cfnClient.send(
+          new UpdateStackCommand({
+            StackName: cfnStackName,
+            ...updateInput,
+            Capabilities: capabilities
+          })
+        );
+        updateRan = true;
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (/No updates are to be performed/i.test(msg)) {
+          logger.info(`  CloudFormation reports no updates needed \u2014 proceeding to delete.`);
+        } else {
+          throw err;
+        }
+      }
+      if (updateRan) {
+        await waitUntilStackUpdateComplete(
+          { client: cfnClient, maxWaitTime: 1800 },
+          { StackName: cfnStackName }
+        );
+      }
+    } finally {
+      if (s3Cleanup) {
+        try {
+          await s3Cleanup();
+        } catch (cleanupErr) {
+          const msg = cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr);
+          logger.warn(
+            `Failed to delete temporary template upload from '${stateBucket}'. Clean up manually under prefix '${MIGRATE_TMP_PREFIX}/'. Cause: ${msg}`
+          );
+        }
+      }
     }
   }
   logger.info(`[4/4] Deleting CloudFormation stack '${cfnStackName}' (resources retained)...`);
@@ -35416,6 +35526,41 @@ async function retireCloudFormationStack(options) {
   );
   return { outcome: modified ? "retired" : "no-template-change" };
 }
+async function uploadTemplateForUpdateStack(args) {
+  const { bucket, body, cfnStackName, s3ClientOpts } = args;
+  const region = await resolveBucketRegion(bucket, {
+    ...s3ClientOpts?.profile && { profile: s3ClientOpts.profile },
+    ...s3ClientOpts?.credentials && { credentials: s3ClientOpts.credentials }
+  });
+  const s3 = new S3Client11({
+    region,
+    ...s3ClientOpts?.profile && { profile: s3ClientOpts.profile },
+    ...s3ClientOpts?.credentials && { credentials: s3ClientOpts.credentials }
+  });
+  const key = `${MIGRATE_TMP_PREFIX}/${cfnStackName}/${Date.now()}.json`;
+  try {
+    await s3.send(
+      new PutObjectCommand5({
+        Bucket: bucket,
+        Key: key,
+        Body: body,
+        ContentType: "application/json"
+      })
+    );
+  } catch (err) {
+    s3.destroy();
+    throw err;
+  }
+  const url = `https://${bucket}.s3.${region}.amazonaws.com/${key}`;
+  const cleanup = async () => {
+    try {
+      await s3.send(new DeleteObjectCommand4({ Bucket: bucket, Key: key }));
+    } finally {
+      s3.destroy();
+    }
+  };
+  return { url, cleanup };
+}
 function injectRetainPolicies(templateBody, cfnStackName) {
   let parsed;
   try {
@@ -35695,7 +35840,13 @@ async function importCommand(stackArg, options) {
         await retireCloudFormationStack({
           cfnStackName: migrationCfnStackName,
           cfnClient: awsClients.cloudFormation,
-          yes: options.yes
+          yes: options.yes,
+          // Reuse cdkd's state bucket as transient storage for the
+          // Retain-injected template when it exceeds the 51,200-byte
+          // inline UpdateStack limit. Forward `--profile` so the
+          // upload identity matches the one that just wrote cdkd state.
+          stateBucket,
+          ...options.profile && { s3ClientOpts: { profile: options.profile } }
         });
       }
     } finally {
@@ -35988,7 +36139,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.29.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.30.1");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());