fix(infra): Improve VPC endpoint deletion

Author: Yuriy Bezsonov

infra/cdk/src/main/resources/lambda/cfn-pre-delete-cleanup.py

@@ -137,24 +137,27 @@ def empty_bucket(bucket_name):
         print(f"Error emptying bucket {bucket_name}: {e}")
 
 def wait_for_deletion(endpoint_ids, max_wait=300):
-    """Poll until endpoints are deleted or timeout."""
+    """Poll until endpoints are fully deleted (not just deleting) or timeout."""
     start_time = time.time()
 
     while time.time() - start_time < max_wait:
         try:
             response = ec2.describe_vpc_endpoints(VpcEndpointIds=endpoint_ids)
-            remaining = [ep for ep in response.get('VpcEndpoints', [])
-                        if ep['State'] not in ['deleted', 'deleting']]
+            endpoints = response.get('VpcEndpoints', [])
+
+            # Wait for fully deleted state, not just deleting
+            remaining = [ep for ep in endpoints if ep['State'] != 'deleted']
 
             if not remaining:
-                print("All endpoints deleted")
+                print("All endpoints fully deleted")
                 return
 
-            print(f"Waiting for {len(remaining)} endpoints to delete...")
+            states = {ep['VpcEndpointId']: ep['State'] for ep in remaining}
+            print(f"Waiting for endpoints: {states}")
             time.sleep(10)
         except ec2.exceptions.ClientError as e:
             if 'InvalidVpcEndpointId.NotFound' in str(e):
-                print("All endpoints deleted")
+                print("All endpoints deleted (not found)")
                 return
             raise
 

infra/cfn/base-stack.yaml

@@ -676,6 +676,22 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
       VolumeSize: "50"
       IamInstanceProfileArn:
         Fn::GetAtt:
@@ -821,22 +837,6 @@ Resources:
                 fi
       ImageId:
         Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:

infra/cfn/java-ai-agents-stack.yaml

@@ -757,6 +757,29 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      VolumeSize: "50"
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      InstanceName: ide
+      InstanceTypes: m7g.xlarge,m6g.xlarge,c7g.xlarge,t4g.xlarge
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -895,29 +918,6 @@ Resources:
                 fi
       ImageId:
         Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      VolumeSize: "50"
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      InstanceName: ide
-      InstanceTypes: m7g.xlarge,m6g.xlarge,c7g.xlarge,t4g.xlarge
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:

infra/cfn/java-on-amazon-eks-stack.yaml

@@ -777,27 +777,6 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
       ImageId:
         Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
@@ -938,6 +917,27 @@ Resources:
                 fi
       InstanceTypes: m7g.xlarge,m6g.xlarge,c7g.xlarge,t4g.xlarge
       InstanceName: ide
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
@@ -1316,12 +1316,12 @@ Resources:
       Environment:
         ComputeType: BUILD_GENERAL1_MEDIUM
         EnvironmentVariables:
-          - Name: TEMPLATE_TYPE
-            Type: PLAINTEXT
-            Value: java-on-amazon-eks
           - Name: GIT_BRANCH
             Type: PLAINTEXT
             Value: new-ws-infra
+          - Name: TEMPLATE_TYPE
+            Type: PLAINTEXT
+            Value: java-on-amazon-eks
         Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
         ImagePullCredentialsType: CODEBUILD
         PrivilegedMode: false
@@ -1526,12 +1526,12 @@ Resources:
       Description: workshop-setup build complete
       EventPattern:
         detail:
-          project-name:
-            - Ref: CodeBuildProjectA0FF5539
           build-status:
             - SUCCEEDED
             - FAILED
             - STOPPED
+          project-name:
+            - Ref: CodeBuildProjectA0FF5539
         detail-type:
           - CodeBuild Build State Change
         source:
@@ -1563,13 +1563,13 @@ Resources:
         Fn::GetAtt:
           - CodeBuildStartLambdaFunction8349284F
           - Arn
+      ContentHash: "1766319416865"
       ProjectName:
         Ref: CodeBuildProjectA0FF5539
       CodeBuildIamRoleArn:
         Fn::GetAtt:
           - CodeBuildRoleE9A44575
           - Arn
-      ContentHash: "1766262434985"
     DependsOn:
       - CodeBuildCompleteRuleAllowEventRuleWorkshopStackCodeBuildReportLambdaFunctionD77C60919E0B0C89
       - CodeBuildCompleteRuleEE9277E8
@@ -1921,7 +1921,7 @@ Resources:
             - Ref: AWS::AccountId
             - "-"
             - Ref: AWS::Region
-            - "-20251220212715"
+            - "-20251221131657"
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
@@ -2157,15 +2157,15 @@ Resources:
               }
       Environment:
         Variables:
-          EKS_CLUSTER_NAME:
-            Ref: EksClusterB2BDED5B
           S3_BUCKET_NAME:
             Ref: WorkshopBucketFD5BC43F
           SECRET_NAME: workshop-ide-password
           KUBERNETES_AUTH_TYPE: aws
           APP_LABEL: unicorn-store-spring
           K8S_NAMESPACE: unicorn-store-spring
           S3_THREAD_DUMPS_PREFIX: thread-dumps/
+          EKS_CLUSTER_NAME:
+            Ref: EksClusterB2BDED5B
       FunctionName: workshop-thread-dump-lambda
       Handler: index.lambda_handler
       MemorySize: 512
@@ -2939,24 +2939,27 @@ Resources:
                   print(f"Error emptying bucket {bucket_name}: {e}")
 
           def wait_for_deletion(endpoint_ids, max_wait=300):
-              """Poll until endpoints are deleted or timeout."""
+              """Poll until endpoints are fully deleted (not just deleting) or timeout."""
               start_time = time.time()
 
               while time.time() - start_time < max_wait:
                   try:
                       response = ec2.describe_vpc_endpoints(VpcEndpointIds=endpoint_ids)
-                      remaining = [ep for ep in response.get('VpcEndpoints', [])
-                                  if ep['State'] not in ['deleted', 'deleting']]
+                      endpoints = response.get('VpcEndpoints', [])
+
+                      # Wait for fully deleted state, not just deleting
+                      remaining = [ep for ep in endpoints if ep['State'] != 'deleted']
 
                       if not remaining:
-                          print("All endpoints deleted")
+                          print("All endpoints fully deleted")
                           return
 
-                      print(f"Waiting for {len(remaining)} endpoints to delete...")
+                      states = {ep['VpcEndpointId']: ep['State'] for ep in remaining}
+                      print(f"Waiting for endpoints: {states}")
                       time.sleep(10)
                   except ec2.exceptions.ClientError as e:
                       if 'InvalidVpcEndpointId.NotFound' in str(e):
-                          print("All endpoints deleted")
+                          print("All endpoints deleted (not found)")
                           return
                       raise