@go-to-k/cdkd 0.31.1 → 0.32.0

package/README.md

@@ -25,6 +25,7 @@
 - **S3-based state management**: No DynamoDB required, uses S3 conditional writes for locking
 - **DAG-based parallelization**: Analyze `Ref`/`Fn::GetAtt` dependencies and execute in parallel
 - **`--no-wait` for async resources**: Skip the multi-minute wait on CloudFront / RDS / ElastiCache / NAT Gateway and return as soon as the create call returns (CloudFormation always blocks)
+- **`--aggressive-vpc-parallel`**: Drop CDK-injected defensive `DependsOn` edges from VPC Lambdas onto private-subnet routes so `CloudFront::Distribution` and `Lambda::Url` start their ~3-min propagation in parallel with NAT Gateway stabilization (~50% faster on VPC + Lambda + CloudFront stacks)
 
 > **Note**: Resource types not covered by either SDK Providers or Cloud Control API cannot be deployed with cdkd. If you encounter an unsupported resource type, deployment will fail with a clear error message.
 
@@ -405,6 +406,51 @@ ElastiCache) don't apply to destroy either — their providers are
 already non-blocking on delete because they're leaves in the destroy
 DAG.
 
+## `--aggressive-vpc-parallel`: relax CDK-defensive VPC route DependsOn
+
+CDK synth eagerly injects `DependsOn` from VPC Lambdas (and adjacent
+IAM Role / Policy / Lambda::Url / EventSourceMapping resources) onto
+the private subnet's `DefaultRoute` / `RouteTableAssociation` so that
+nothing tries to invoke the Lambda before its egress path to the
+internet is up. The dependency is real at *runtime* (a Lambda code
+call to a third-party API can't reach the internet without a NAT
+route), but it is NOT required at *deploy time* — `CreateFunction` /
+`CreateFunctionUrlConfig` / `AddPermission` /
+`CreateEventSourceMapping` all accept a function in `Pending` state.
+
+For VPC + Lambda + CloudFront stacks this turns into a serial
+critical path:
+
+```text
+NAT GW (~2-3 min) → DefaultRoute → Lambda → Lambda::Url → Distribution propagation (~3 min)
+```
+
+Pass `--aggressive-vpc-parallel` to drop the route DependsOn so
+Distribution + Lambda::Url dispatch right after IAM Role / Subnet are
+ready and propagate in parallel with NAT stabilization:
+
+```bash
+cdkd deploy --aggressive-vpc-parallel
+```
+
+| Mode | Critical path | Total |
+| --- | --- | --- |
+| Default | NAT → Lambda → CF (serial) | ~6 min |
+| `--aggressive-vpc-parallel` | max(NAT, CF) | ~3 min |
+
+Measured **−45.6%** on `tests/integration/bench-cdk-sample` (387s
+baseline → 211s relaxed).
+
+Off by default for v1: opt-in is the conservative play because
+CloudFront `Create` / `Delete` are each ~5 min, so a Lambda-side
+async failure incurs a high rollback cost. Deploy-only —
+`cdkd destroy` doesn't accept it (the route DependsOn doesn't
+constrain delete-time correctness; Lambda hyperplane ENI release
+is the actual destroy bottleneck).
+
+See [docs/cli-reference.md](docs/cli-reference.md) for the full
+type-pair allowlist, implementation pointers, and trade-off notes.
+
 ## Other CLI flags
 
 For concurrency knobs (`--concurrency`, `--stack-concurrency`,

package/dist/cli.js

@@ -610,6 +610,10 @@ var noWaitOption = new Option(
   "--no-wait",
   "Skip waiting for async resources to stabilize (CloudFront, RDS, ElastiCache, NAT Gateway)"
 );
+var aggressiveVpcParallelOption = new Option(
+  "--aggressive-vpc-parallel",
+  "Relax CDK-injected VPC route DependsOn to let CloudFront/Lambda::Url create in parallel with NAT GW stabilization"
+).default(false);
 var deployOptions = [
   new Option("--concurrency <number>", "Maximum concurrent resource operations").default(10).argParser((value) => parseInt(value, 10)),
   new Option("--stack-concurrency <number>", "Maximum concurrent stack deployments").default(4).argParser((value) => parseInt(value, 10)),
@@ -622,6 +626,7 @@ var deployOptions = [
   new Option("--skip-assets", "Skip asset publishing").default(false),
   new Option("--no-rollback", "Skip rollback on deployment failure"),
   noWaitOption,
+  aggressiveVpcParallelOption,
   new Option(
     "-e, --exclusively",
     "Only deploy requested stacks, do not include dependencies"
@@ -4699,6 +4704,58 @@ function collectRefIds(value, out) {
   }
 }
 
+// src/analyzer/cdk-defensive-deps.ts
+var DEFENSIVE_DEPENDS_ON_TYPE_PAIRS = [
+  // VPC Lambda's execution Role (and its inline Policy) get DependsOn'd onto
+  // the route only because CDK assumes the Lambda will run before the route
+  // is up. The Role/Policy create call itself is VPC-agnostic.
+  { fromType: "AWS::IAM::Role", toType: "AWS::EC2::Route" },
+  { fromType: "AWS::IAM::Role", toType: "AWS::EC2::SubnetRouteTableAssociation" },
+  { fromType: "AWS::IAM::Policy", toType: "AWS::EC2::Route" },
+  { fromType: "AWS::IAM::Policy", toType: "AWS::EC2::SubnetRouteTableAssociation" },
+  // VPC Lambda itself: CreateFunction returns synchronously while the
+  // function is still in Pending; the route only matters once the function
+  // is invoked at runtime.
+  { fromType: "AWS::Lambda::Function", toType: "AWS::EC2::Route" },
+  { fromType: "AWS::Lambda::Function", toType: "AWS::EC2::SubnetRouteTableAssociation" },
+  // Lambda::Url is just a deterministic URL derivation off the function; it
+  // doesn't need the function's runtime egress to exist.
+  { fromType: "AWS::Lambda::Url", toType: "AWS::EC2::Route" },
+  { fromType: "AWS::Lambda::Url", toType: "AWS::EC2::SubnetRouteTableAssociation" },
+  // EventSourceMapping just registers the wire-up; AWS handles delivery
+  // async and will retry once the function reaches Active.
+  { fromType: "AWS::Lambda::EventSourceMapping", toType: "AWS::EC2::Route" },
+  {
+    fromType: "AWS::Lambda::EventSourceMapping",
+    toType: "AWS::EC2::SubnetRouteTableAssociation"
+  }
+];
+function defensiveDependsOnToSkip(resource, template) {
+  const skip = /* @__PURE__ */ new Set();
+  if (!resource.DependsOn) {
+    return skip;
+  }
+  const dependsOn = Array.isArray(resource.DependsOn) ? resource.DependsOn : [resource.DependsOn];
+  for (const dep of dependsOn) {
+    if (typeof dep !== "string")
+      continue;
+    const target = template.Resources[dep];
+    if (!target)
+      continue;
+    const fromType = resource.Type;
+    const toType = target.Type;
+    if (!fromType || !toType)
+      continue;
+    const matched = DEFENSIVE_DEPENDS_ON_TYPE_PAIRS.some(
+      (pair) => pair.fromType === fromType && pair.toType === toType
+    );
+    if (matched) {
+      skip.add(dep);
+    }
+  }
+  return skip;
+}
+
 // src/analyzer/dag-builder.ts
 var { Graph, alg } = graphlib;
 var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
@@ -4709,6 +4766,10 @@ var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
 var DagBuilder = class {
   logger = getLogger().child("DagBuilder");
   parser = new TemplateParser();
+  options;
+  constructor(options = {}) {
+    this.options = options;
+  }
   /**
    * Build dependency graph from CloudFormation template
    *
@@ -4727,13 +4788,22 @@ var DagBuilder = class {
     });
     this.logger.debug(`Total nodes: ${resourceIds.length}`);
     let edgeCount = 0;
+    let relaxedEdgeCount = 0;
     for (const logicalId of resourceIds) {
       const resource = this.parser.getResource(template, logicalId);
       if (!resource) {
         continue;
       }
       const dependencies = this.parser.extractDependencies(resource);
+      const skip = this.options.relaxCdkVpcDefensiveDeps ? defensiveDependsOnToSkip(resource, template) : null;
       for (const depId of dependencies) {
+        if (skip?.has(depId)) {
+          relaxedEdgeCount++;
+          this.logger.debug(
+            `Skipped CDK-defensive DependsOn edge: ${depId} -> ${logicalId} (--aggressive-vpc-parallel)`
+          );
+          continue;
+        }
         if (graph.hasNode(depId)) {
           graph.setEdge(depId, logicalId);
           edgeCount++;
@@ -4745,6 +4815,11 @@ var DagBuilder = class {
         }
       }
     }
+    if (relaxedEdgeCount > 0) {
+      this.logger.info(
+        `[DagBuilder] Relaxed ${relaxedEdgeCount} CDK-defensive DependsOn edge(s) (--aggressive-vpc-parallel)`
+      );
+    }
     this.logger.debug(`Dependency graph built: ${resourceIds.length} nodes, ${edgeCount} edges`);
     edgeCount += this.addCustomResourcePolicyEdges(graph, template);
     edgeCount += this.addLambdaVpcEdges(graph, template);
@@ -13036,6 +13111,11 @@ import {
   DeleteNetworkInterfaceCommand
 } from "@aws-sdk/client-ec2";
 init_aws_clients();
+function inlineCodeFileNameForRuntime(runtime) {
+  if (runtime?.startsWith("python"))
+    return "index.py";
+  return "index.js";
+}
 var LambdaFunctionProvider = class {
   lambdaClient;
   ec2Client;
@@ -13138,7 +13218,7 @@ var LambdaFunctionProvider = class {
       const createParams = {
         FunctionName: functionName,
         Role: role,
-        Code: this.buildCode(code),
+        Code: this.buildCode(code, properties["Runtime"]),
         Handler: properties["Handler"],
         Runtime: properties["Runtime"],
         Timeout: properties["Timeout"],
@@ -13224,7 +13304,7 @@ var LambdaFunctionProvider = class {
       const newCode = properties["Code"];
       const oldCode = previousProperties["Code"];
       if (newCode && JSON.stringify(newCode) !== JSON.stringify(oldCode)) {
-        const builtCode = this.buildCode(newCode);
+        const builtCode = this.buildCode(newCode, properties["Runtime"]);
         const codeParams = {
           FunctionName: physicalId,
           S3Bucket: builtCode.S3Bucket,
@@ -13592,7 +13672,7 @@ var LambdaFunctionProvider = class {
   /**
    * Build Lambda Code parameter from CDK properties
    */
-  buildCode(code) {
+  buildCode(code, runtime) {
     const result = {};
     if (code["S3Bucket"]) {
       result.S3Bucket = code["S3Bucket"];
@@ -13604,7 +13684,7 @@ var LambdaFunctionProvider = class {
       result.S3ObjectVersion = code["S3ObjectVersion"];
     }
     if (code["ZipFile"]) {
-      result.ZipFile = this.createZipFromInlineCode(code["ZipFile"]);
+      result.ZipFile = this.createZipFromInlineCode(code["ZipFile"], runtime);
     }
     if (code["ImageUri"]) {
       result.ImageUri = code["ImageUri"];
@@ -13616,13 +13696,14 @@ var LambdaFunctionProvider = class {
    *
    * CloudFormation's ZipFile property automatically wraps inline code in a zip,
    * but the Lambda SDK expects actual zip binary. This creates a minimal zip
-   * containing the code as index.* (matching the Handler).
+   * containing the code as index.* (extension derived from runtime — nodejs
+   * runtimes use index.js, python runtimes use index.py; see CFn ZipFile docs).
    */
-  createZipFromInlineCode(code) {
+  createZipFromInlineCode(code, runtime) {
     const fileData = Buffer.from(code, "utf-8");
     const crc32 = this.crc32(fileData);
     const compressedData = zlib.deflateRawSync(fileData);
-    const fileName = Buffer.from("index.py");
+    const fileName = Buffer.from(inlineCodeFileNameForRuntime(runtime));
     const now = /* @__PURE__ */ new Date();
     const modTime = (now.getHours() << 11 | now.getMinutes() << 5 | now.getSeconds() >> 1) & 65535;
     const modDate = (now.getFullYear() - 1980 << 9 | now.getMonth() + 1 << 5 | now.getDate()) & 65535;
@@ -32951,7 +33032,9 @@ async function deployCommand(stacks, options) {
       bucket: stateBucket,
       prefix: options.statePrefix
     };
-    const dagBuilder = new DagBuilder();
+    const dagBuilder = new DagBuilder({
+      relaxCdkVpcDefensiveDeps: !!options.aggressiveVpcParallel
+    });
     const diffCalculator = new DiffCalculator();
     const baseRegion = options.region || process.env["AWS_REGION"] || "us-east-1";
     const switchRegion = (region2) => {
@@ -36353,7 +36436,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.31.1");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.32.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());