@go-to-k/cdkd 0.3.2 → 0.3.4

package/dist/cli.js

@@ -11023,9 +11023,21 @@ var LambdaFunctionProvider = class {
   // Lambda VPC ENI detach is async and can take 20-40 minutes in the worst case;
   // we poll up to 10 minutes and then warn-and-continue, since downstream Subnet/SG
   // deletion has its own retry logic that handles a small remaining window.
+  // Budget for waiting on UpdateFunctionConfiguration to fully apply
+  // (LastUpdateStatus -> Successful) after pre-delete VPC detach.
   eniWaitTimeoutMs = 10 * 60 * 1e3;
   eniWaitInitialDelayMs = 1e4;
   eniWaitMaxDelayMs = 3e4;
+  // delstack-style ENI cleanup tunables.
+  // - initial sleep: gives AWS time to publish post-detach ENI state via
+  //   DescribeNetworkInterfaces (right after the update, the API can return
+  //   an empty list even though ENIs still exist).
+  // - per-ENI retry budget: an in-use ENI cannot be deleted until AWS
+  //   finishes the asynchronous detach; budget gives that time to land.
+  // - retry interval: polling cadence inside the per-ENI loop.
+  eniInitialSleepMs = 1e4;
+  eniDeleteRetryBudgetMs = 9e4;
+  eniDeleteRetryIntervalMs = 5e3;
   constructor() {
     const awsClients = getAwsClients();
     this.lambdaClient = awsClients.lambda;
@@ -11216,6 +11228,7 @@ var LambdaFunctionProvider = class {
           `Pre-delete VPC detach failed for ${physicalId}: ${error instanceof Error ? error.message : String(error)} \u2014 continuing with delete`
         );
       }
+      await this.waitForLambdaUpdateCompleted(physicalId);
     }
     try {
       await this.lambdaClient.send(new DeleteFunctionCommand({ FunctionName: physicalId }));
@@ -11323,51 +11336,47 @@ var LambdaFunctionProvider = class {
    * Timeout is a soft warning — downstream Subnet/SG deletion has its own
    * retries.
    */
-  async cleanupLambdaEnis(functionName) {
+  /**
+   * Poll GetFunction until LastUpdateStatus is no longer `InProgress`.
+   *
+   * After UpdateFunctionConfiguration the Lambda service processes the
+   * change (including VPC detach + hyperplane ENI release) asynchronously.
+   * Returning early — i.e. calling DeleteFunction while the update is still
+   * `InProgress` — aborts the detach, leaving ENIs attached and blocking
+   * downstream Subnet / SG deletion.
+   *
+   * Bounded by eniWaitTimeoutMs (10min) and treated as a soft warning on
+   * timeout: the subsequent ENI cleanup loop and downstream retries cover
+   * the residual edge case.
+   */
+  async waitForLambdaUpdateCompleted(functionName) {
     const start = Date.now();
     let delay = this.eniWaitInitialDelayMs;
-    let attempt = 0;
-    this.logger.debug(
-      `Cleaning up Lambda VPC ENIs for function ${functionName} (timeout ${this.eniWaitTimeoutMs}ms)`
-    );
     for (; ; ) {
-      attempt++;
-      let enis = [];
-      let listFailed = false;
+      let status;
       try {
-        enis = await this.listLambdaEnis(functionName);
+        const resp = await this.lambdaClient.send(
+          new GetFunctionCommand({ FunctionName: functionName })
+        );
+        status = resp.Configuration?.LastUpdateStatus;
       } catch (error) {
-        this.logger.warn(
-          `DescribeNetworkInterfaces failed while cleaning up Lambda ENIs of ${functionName}: ${error instanceof Error ? error.message : String(error)}`
+        if (error instanceof ResourceNotFoundException) {
+          return;
+        }
+        this.logger.debug(
+          `GetFunction failed while waiting for ${functionName} update: ${error instanceof Error ? error.message : String(error)}`
         );
-        listFailed = true;
       }
-      if (!listFailed && enis.length === 0) {
+      if (status && status !== "InProgress") {
         this.logger.debug(
-          `Lambda ENIs for ${functionName} fully cleaned up after ${attempt} attempt(s) / ${Date.now() - start}ms`
+          `Lambda ${functionName} update completed (LastUpdateStatus=${status}) after ${Date.now() - start}ms`
         );
         return;
       }
-      if (enis.length > 0) {
-        await Promise.all(
-          enis.map(async (eni) => {
-            try {
-              await this.ec2Client.send(
-                new DeleteNetworkInterfaceCommand({ NetworkInterfaceId: eni.id })
-              );
-              this.logger.debug(`Deleted Lambda ENI ${eni.id} for ${functionName}`);
-            } catch (error) {
-              this.logger.debug(
-                `ENI ${eni.id} (status=${eni.status}) not yet deletable: ${error instanceof Error ? error.message : String(error)}`
-              );
-            }
-          })
-        );
-      }
       const elapsed = Date.now() - start;
       if (elapsed >= this.eniWaitTimeoutMs) {
         this.logger.warn(
-          `Timeout (${this.eniWaitTimeoutMs}ms) cleaning up Lambda VPC ENIs of ${functionName} (${enis.length} remaining). Continuing \u2014 downstream Subnet/SG deletion will retry as needed.`
+          `Timeout (${this.eniWaitTimeoutMs}ms) waiting for Lambda ${functionName} update to complete; proceeding with delete`
         );
         return;
       }
@@ -11377,6 +11386,47 @@ var LambdaFunctionProvider = class {
       delay = Math.min(delay * 2, this.eniWaitMaxDelayMs);
     }
   }
+  async cleanupLambdaEnis(functionName) {
+    this.logger.debug(`Cleaning up Lambda VPC ENIs for function ${functionName}`);
+    await this.sleep(this.eniInitialSleepMs);
+    let enis = [];
+    try {
+      enis = await this.listLambdaEnis(functionName);
+    } catch (error) {
+      this.logger.warn(
+        `DescribeNetworkInterfaces failed for ${functionName}: ${error instanceof Error ? error.message : String(error)} \u2014 downstream Subnet/SG deletion will fall back to its own ENI cleanup`
+      );
+      return;
+    }
+    if (enis.length === 0) {
+      this.logger.debug(`No Lambda ENIs found for ${functionName} after initial sleep`);
+      return;
+    }
+    await Promise.all(enis.map((eni) => this.deleteEniWithRetry(eni.id, functionName)));
+  }
+  async deleteEniWithRetry(eniId, functionName) {
+    const start = Date.now();
+    for (; ; ) {
+      try {
+        await this.ec2Client.send(new DeleteNetworkInterfaceCommand({ NetworkInterfaceId: eniId }));
+        this.logger.debug(`Deleted Lambda ENI ${eniId} for ${functionName}`);
+        return;
+      } catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        if (msg.includes("InvalidNetworkInterfaceID.NotFound") || msg.includes("does not exist")) {
+          return;
+        }
+        const elapsed = Date.now() - start;
+        if (elapsed >= this.eniDeleteRetryBudgetMs) {
+          this.logger.warn(
+            `Gave up deleting ENI ${eniId} for ${functionName} after ${elapsed}ms: ${msg} \u2014 downstream Subnet/SG deletion will retry`
+          );
+          return;
+        }
+        await this.sleep(this.eniDeleteRetryIntervalMs);
+      }
+    }
+  }
   /**
    * List Lambda-managed ENIs for the given function, paginating through
    * DescribeNetworkInterfaces and filtering on Description substring.
@@ -13839,7 +13889,9 @@ import {
   CreateNetworkAclEntryCommand,
   DeleteNetworkAclEntryCommand,
   ReplaceNetworkAclAssociationCommand,
-  DescribeNetworkAclsCommand
+  DescribeNetworkAclsCommand,
+  DescribeNetworkInterfacesCommand as DescribeNetworkInterfacesCommand2,
+  DeleteNetworkInterfaceCommand as DeleteNetworkInterfaceCommand2
 } from "@aws-sdk/client-ec2";
 init_aws_clients();
 var EC2Provider = class {
@@ -14305,23 +14357,82 @@ var EC2Provider = class {
   }
   async deleteSubnet(logicalId, physicalId, resourceType) {
     this.logger.debug(`Deleting Subnet ${logicalId}: ${physicalId}`);
-    try {
-      await this.ec2Client.send(new DeleteSubnetCommand({ SubnetId: physicalId }));
-      this.logger.debug(`Successfully deleted Subnet ${logicalId}`);
-    } catch (error) {
-      if (this.isNotFoundError(error)) {
-        this.logger.debug(`Subnet ${physicalId} does not exist, skipping deletion`);
+    const maxAttempts = 10;
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+      try {
+        await this.ec2Client.send(new DeleteSubnetCommand({ SubnetId: physicalId }));
+        this.logger.debug(`Successfully deleted Subnet ${logicalId}`);
         return;
+      } catch (error) {
+        if (this.isNotFoundError(error)) {
+          this.logger.debug(`Subnet ${physicalId} does not exist, skipping deletion`);
+          return;
+        }
+        const msg = error instanceof Error ? error.message : String(error);
+        const isDependencyError = msg.includes("has dependencies") || msg.includes("DependencyViolation");
+        if (isDependencyError && attempt < maxAttempts) {
+          await this.cleanupSubnetLambdaEnis(physicalId);
+          this.logger.debug(
+            `Subnet ${physicalId} has dependencies (attempt ${attempt}/${maxAttempts}), retrying in ${attempt * 5}s...`
+          );
+          await new Promise((resolve4) => setTimeout(resolve4, attempt * 5e3));
+          continue;
+        }
+        const cause = error instanceof Error ? error : void 0;
+        throw new ProvisioningError(
+          `Failed to delete Subnet ${logicalId}: ${msg}`,
+          resourceType,
+          logicalId,
+          physicalId,
+          cause
+        );
       }
-      const cause = error instanceof Error ? error : void 0;
-      throw new ProvisioningError(
-        `Failed to delete Subnet ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
-        resourceType,
-        logicalId,
-        physicalId,
-        cause
+    }
+  }
+  /**
+   * Best-effort: list Lambda-managed ENIs in the given subnet and try to
+   * delete each one. Used as a side-channel cleanup when DeleteSubnet
+   * fails with "has dependencies" — the Lambda provider's own ENI cleanup
+   * may have run out of budget before AWS finished detaching, so a second
+   * attempt from the subnet side typically succeeds a few seconds later
+   * once the ENIs flip from `in-use` to `available`.
+   */
+  async cleanupSubnetLambdaEnis(subnetId) {
+    let enis;
+    try {
+      const resp = await this.ec2Client.send(
+        new DescribeNetworkInterfacesCommand2({
+          Filters: [
+            { Name: "subnet-id", Values: [subnetId] },
+            { Name: "requester-id", Values: ["*:awslambda_*"] }
+          ]
+        })
       );
+      enis = (resp.NetworkInterfaces ?? []).filter((ni) => ni.NetworkInterfaceId).map((ni) => ({ id: ni.NetworkInterfaceId, status: ni.Status ?? "unknown" }));
+    } catch (err) {
+      this.logger.debug(
+        `cleanupSubnetLambdaEnis: DescribeNetworkInterfaces failed for ${subnetId}: ${err instanceof Error ? err.message : String(err)}`
+      );
+      return;
     }
+    if (enis.length === 0)
+      return;
+    await Promise.all(
+      enis.map(async (eni) => {
+        try {
+          await this.ec2Client.send(
+            new DeleteNetworkInterfaceCommand2({ NetworkInterfaceId: eni.id })
+          );
+          this.logger.debug(
+            `cleanupSubnetLambdaEnis: deleted Lambda ENI ${eni.id} in subnet ${subnetId}`
+          );
+        } catch (err) {
+          this.logger.debug(
+            `cleanupSubnetLambdaEnis: ENI ${eni.id} (status=${eni.status}) not yet deletable: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+      })
+    );
   }
   async getSubnetAttribute(physicalId, attributeName) {
     if (attributeName === "SubnetId")
@@ -14821,6 +14932,7 @@ var EC2Provider = class {
         }
         const msg = error instanceof Error ? error.message : String(error);
         if (msg.includes("dependent object") && attempt < maxAttempts) {
+          await this.cleanupSecurityGroupLambdaEnis(physicalId);
           this.logger.debug(
             `SecurityGroup ${physicalId} has dependent objects (attempt ${attempt}/${maxAttempts}), retrying in ${attempt * 5}s...`
           );
@@ -14838,6 +14950,48 @@ var EC2Provider = class {
       }
     }
   }
+  /**
+   * Best-effort: list Lambda-managed ENIs that reference the given security
+   * group and try to delete each one. Mirror of cleanupSubnetLambdaEnis but
+   * filtered by `group-id`.
+   */
+  async cleanupSecurityGroupLambdaEnis(groupId) {
+    let enis;
+    try {
+      const resp = await this.ec2Client.send(
+        new DescribeNetworkInterfacesCommand2({
+          Filters: [
+            { Name: "group-id", Values: [groupId] },
+            { Name: "requester-id", Values: ["*:awslambda_*"] }
+          ]
+        })
+      );
+      enis = (resp.NetworkInterfaces ?? []).filter((ni) => ni.NetworkInterfaceId).map((ni) => ({ id: ni.NetworkInterfaceId, status: ni.Status ?? "unknown" }));
+    } catch (err) {
+      this.logger.debug(
+        `cleanupSecurityGroupLambdaEnis: DescribeNetworkInterfaces failed for ${groupId}: ${err instanceof Error ? err.message : String(err)}`
+      );
+      return;
+    }
+    if (enis.length === 0)
+      return;
+    await Promise.all(
+      enis.map(async (eni) => {
+        try {
+          await this.ec2Client.send(
+            new DeleteNetworkInterfaceCommand2({ NetworkInterfaceId: eni.id })
+          );
+          this.logger.debug(
+            `cleanupSecurityGroupLambdaEnis: deleted Lambda ENI ${eni.id} for SG ${groupId}`
+          );
+        } catch (err) {
+          this.logger.debug(
+            `cleanupSecurityGroupLambdaEnis: ENI ${eni.id} (status=${eni.status}) not yet deletable: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+      })
+    );
+  }
   async getSecurityGroupAttribute(physicalId, attributeName) {
     if (attributeName === "GroupId")
       return physicalId;
@@ -27605,7 +27759,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command8();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.3.2");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.3.4");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createDeployCommand());