@go-to-k/cdkd 0.31.2 → 0.33.0

package/README.md

@@ -25,6 +25,7 @@
 - **S3-based state management**: No DynamoDB required, uses S3 conditional writes for locking
 - **DAG-based parallelization**: Analyze `Ref`/`Fn::GetAtt` dependencies and execute in parallel
 - **`--no-wait` for async resources**: Skip the multi-minute wait on CloudFront / RDS / ElastiCache / NAT Gateway and return as soon as the create call returns (CloudFormation always blocks)
+- **VPC route DependsOn relaxation (on by default)**: Drop CDK-injected defensive `DependsOn` edges from VPC Lambdas onto private-subnet routes so `CloudFront::Distribution` and `Lambda::Url` start their ~3-min propagation in parallel with NAT Gateway stabilization (~50% faster on VPC + Lambda + CloudFront stacks). Pass `--no-aggressive-vpc-parallel` to opt out.
 
 > **Note**: Resource types not covered by either SDK Providers or Cloud Control API cannot be deployed with cdkd. If you encounter an unsupported resource type, deployment will fail with a clear error message.
 
@@ -405,6 +406,51 @@ ElastiCache) don't apply to destroy either — their providers are
 already non-blocking on delete because they're leaves in the destroy
 DAG.
 
+## VPC route DependsOn relaxation (on by default)
+
+CDK synth eagerly injects `DependsOn` from VPC Lambdas (and adjacent
+IAM Role / Policy / Lambda::Url / EventSourceMapping resources) onto
+the private subnet's `DefaultRoute` / `RouteTableAssociation` so that
+nothing tries to invoke the Lambda before its egress path to the
+internet is up. The dependency is real at *runtime* (a Lambda code
+call to a third-party API can't reach the internet without a NAT
+route), but it is NOT required at *deploy time* — `CreateFunction` /
+`CreateFunctionUrlConfig` / `AddPermission` /
+`CreateEventSourceMapping` all accept a function in `Pending` state.
+
+For VPC + Lambda + CloudFront stacks the strict-CDK-ordering chain is serial:
+
+```text
+NAT GW (~2-3 min) → DefaultRoute → Lambda → Lambda::Url → Distribution propagation (~3 min)
+```
+
+cdkd drops the route DependsOn by default so Distribution + Lambda::Url
+dispatch right after IAM Role / Subnet are ready and propagate in
+parallel with NAT stabilization:
+
+| Mode | Critical path | Total |
+| --- | --- | --- |
+| `--no-aggressive-vpc-parallel` (opt-out) | NAT → Lambda → CF (serial) | ~6 min |
+| **default** | max(NAT, CF) | **~3 min** |
+
+Measured **−54.6%** on `tests/integration/bench-cdk-sample` (398.59s
+with `--no-aggressive-vpc-parallel` → 181.03s default).
+
+To opt out (e.g. for a stack with a Custom Resource that synchronously
+invokes a VPC Lambda outside cdkd's Lambda-ServiceToken Active wait):
+
+```bash
+cdkd deploy --no-aggressive-vpc-parallel
+```
+
+Deploy-only — the relaxation has no effect on destroy ordering (the
+route DependsOn doesn't constrain delete-time correctness; Lambda
+hyperplane ENI release is the actual destroy bottleneck and is handled
+separately by `lambda-vpc-deps.ts`).
+
+See [docs/cli-reference.md](docs/cli-reference.md) for the full
+type-pair allowlist, implementation pointers, and trade-off notes.
+
 ## Other CLI flags
 
 For concurrency knobs (`--concurrency`, `--stack-concurrency`,

package/dist/cli.js

@@ -610,6 +610,10 @@ var noWaitOption = new Option(
   "--no-wait",
   "Skip waiting for async resources to stabilize (CloudFront, RDS, ElastiCache, NAT Gateway)"
 );
+var aggressiveVpcParallelOption = new Option(
+  "--no-aggressive-vpc-parallel",
+  "Disable the default relaxation of CDK-injected VPC route DependsOn (on by default; opt out to keep the strict CDK ordering)"
+);
 var deployOptions = [
   new Option("--concurrency <number>", "Maximum concurrent resource operations").default(10).argParser((value) => parseInt(value, 10)),
   new Option("--stack-concurrency <number>", "Maximum concurrent stack deployments").default(4).argParser((value) => parseInt(value, 10)),
@@ -622,6 +626,7 @@ var deployOptions = [
   new Option("--skip-assets", "Skip asset publishing").default(false),
   new Option("--no-rollback", "Skip rollback on deployment failure"),
   noWaitOption,
+  aggressiveVpcParallelOption,
   new Option(
     "-e, --exclusively",
     "Only deploy requested stacks, do not include dependencies"
@@ -4699,6 +4704,58 @@ function collectRefIds(value, out) {
   }
 }
 
+// src/analyzer/cdk-defensive-deps.ts
+var DEFENSIVE_DEPENDS_ON_TYPE_PAIRS = [
+  // VPC Lambda's execution Role (and its inline Policy) get DependsOn'd onto
+  // the route only because CDK assumes the Lambda will run before the route
+  // is up. The Role/Policy create call itself is VPC-agnostic.
+  { fromType: "AWS::IAM::Role", toType: "AWS::EC2::Route" },
+  { fromType: "AWS::IAM::Role", toType: "AWS::EC2::SubnetRouteTableAssociation" },
+  { fromType: "AWS::IAM::Policy", toType: "AWS::EC2::Route" },
+  { fromType: "AWS::IAM::Policy", toType: "AWS::EC2::SubnetRouteTableAssociation" },
+  // VPC Lambda itself: CreateFunction returns synchronously while the
+  // function is still in Pending; the route only matters once the function
+  // is invoked at runtime.
+  { fromType: "AWS::Lambda::Function", toType: "AWS::EC2::Route" },
+  { fromType: "AWS::Lambda::Function", toType: "AWS::EC2::SubnetRouteTableAssociation" },
+  // Lambda::Url is just a deterministic URL derivation off the function; it
+  // doesn't need the function's runtime egress to exist.
+  { fromType: "AWS::Lambda::Url", toType: "AWS::EC2::Route" },
+  { fromType: "AWS::Lambda::Url", toType: "AWS::EC2::SubnetRouteTableAssociation" },
+  // EventSourceMapping just registers the wire-up; AWS handles delivery
+  // async and will retry once the function reaches Active.
+  { fromType: "AWS::Lambda::EventSourceMapping", toType: "AWS::EC2::Route" },
+  {
+    fromType: "AWS::Lambda::EventSourceMapping",
+    toType: "AWS::EC2::SubnetRouteTableAssociation"
+  }
+];
+function defensiveDependsOnToSkip(resource, template) {
+  const skip = /* @__PURE__ */ new Set();
+  if (!resource.DependsOn) {
+    return skip;
+  }
+  const dependsOn = Array.isArray(resource.DependsOn) ? resource.DependsOn : [resource.DependsOn];
+  for (const dep of dependsOn) {
+    if (typeof dep !== "string")
+      continue;
+    const target = template.Resources[dep];
+    if (!target)
+      continue;
+    const fromType = resource.Type;
+    const toType = target.Type;
+    if (!fromType || !toType)
+      continue;
+    const matched = DEFENSIVE_DEPENDS_ON_TYPE_PAIRS.some(
+      (pair) => pair.fromType === fromType && pair.toType === toType
+    );
+    if (matched) {
+      skip.add(dep);
+    }
+  }
+  return skip;
+}
+
 // src/analyzer/dag-builder.ts
 var { Graph, alg } = graphlib;
 var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
@@ -4709,6 +4766,10 @@ var IAM_ROLE_POLICY_TYPES = /* @__PURE__ */ new Set([
 var DagBuilder = class {
   logger = getLogger().child("DagBuilder");
   parser = new TemplateParser();
+  options;
+  constructor(options = {}) {
+    this.options = options;
+  }
   /**
    * Build dependency graph from CloudFormation template
    *
@@ -4727,13 +4788,22 @@ var DagBuilder = class {
     });
     this.logger.debug(`Total nodes: ${resourceIds.length}`);
     let edgeCount = 0;
+    let relaxedEdgeCount = 0;
     for (const logicalId of resourceIds) {
       const resource = this.parser.getResource(template, logicalId);
       if (!resource) {
         continue;
       }
       const dependencies = this.parser.extractDependencies(resource);
+      const skip = this.options.relaxCdkVpcDefensiveDeps ? defensiveDependsOnToSkip(resource, template) : null;
       for (const depId of dependencies) {
+        if (skip?.has(depId)) {
+          relaxedEdgeCount++;
+          this.logger.debug(
+            `Skipped CDK-defensive DependsOn edge: ${depId} -> ${logicalId} (default; opt out with --no-aggressive-vpc-parallel)`
+          );
+          continue;
+        }
         if (graph.hasNode(depId)) {
           graph.setEdge(depId, logicalId);
           edgeCount++;
@@ -4745,6 +4815,11 @@ var DagBuilder = class {
         }
       }
     }
+    if (relaxedEdgeCount > 0) {
+      this.logger.info(
+        `[DagBuilder] Relaxed ${relaxedEdgeCount} CDK-defensive DependsOn edge(s) (default; opt out with --no-aggressive-vpc-parallel)`
+      );
+    }
     this.logger.debug(`Dependency graph built: ${resourceIds.length} nodes, ${edgeCount} edges`);
     edgeCount += this.addCustomResourcePolicyEdges(graph, template);
     edgeCount += this.addLambdaVpcEdges(graph, template);
@@ -32957,7 +33032,9 @@ async function deployCommand(stacks, options) {
       bucket: stateBucket,
       prefix: options.statePrefix
     };
-    const dagBuilder = new DagBuilder();
+    const dagBuilder = new DagBuilder({
+      relaxCdkVpcDefensiveDeps: !!options.aggressiveVpcParallel
+    });
     const diffCalculator = new DiffCalculator();
     const baseRegion = options.region || process.env["AWS_REGION"] || "us-east-1";
     const switchRegion = (region2) => {
@@ -36359,7 +36436,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.31.2");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.33.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());