Update clean up

Author: Yuriy Bezsonov

infra/cdk/src/main/resources/lambda/cfn-pre-delete-cleanup.py

@@ -67,8 +67,8 @@ def start_guardduty_endpoint_deletion(vpc_id):
 
     return endpoint_ids
 
-def cleanup_guardduty_security_groups(vpc_id):
-    """Delete GuardDuty managed security groups for the VPC."""
+def cleanup_guardduty_security_groups(vpc_id, max_retries=6, retry_delay=10):
+    """Delete GuardDuty managed security groups for the VPC with retry logic."""
     if not vpc_id:
         print("No VPC ID provided, skipping security group cleanup")
         return
@@ -92,11 +92,20 @@ def cleanup_guardduty_security_groups(vpc_id):
             sg_id = sg['GroupId']
             sg_name = sg['GroupName']
             print(f"Deleting GuardDuty security group: {sg_name} ({sg_id})")
-            try:
-                ec2.delete_security_group(GroupId=sg_id)
-                print(f"Deleted security group: {sg_id}")
-            except Exception as e:
-                print(f"Error deleting security group {sg_id}: {e}")
+
+            # Retry deletion - ENIs may take time to detach after endpoint deletion
+            for attempt in range(max_retries):
+                try:
+                    ec2.delete_security_group(GroupId=sg_id)
+                    print(f"Deleted security group: {sg_id}")
+                    break
+                except ec2.exceptions.ClientError as e:
+                    if 'DependencyViolation' in str(e) and attempt < max_retries - 1:
+                        print(f"Security group has dependencies, waiting {retry_delay}s (attempt {attempt + 1}/{max_retries})...")
+                        time.sleep(retry_delay)
+                    else:
+                        print(f"Error deleting security group {sg_id}: {e}")
+                        break
 
     except Exception as e:
         print(f"Error listing GuardDuty security groups: {e}")

infra/cfn/base-stack.yaml

@@ -676,25 +676,6 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -837,6 +818,25 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceProfile61B92038
           - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:

infra/cfn/java-ai-agents-stack.yaml

@@ -757,30 +757,7 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      InstanceName: ide
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      VolumeSize: "50"
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      SecurityGroupIds:
-        Fn::Join:
-          - ""
-          - - Fn::GetAtt:
-                - IdeSecurityGroup73B02454
-                - GroupId
-            - ","
-            - Fn::GetAtt:
-                - IdeInternalSecurityGroupB0A5D76B
-                - GroupId
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
+      InstanceTypes: m7g.xlarge,m6g.xlarge,c7g.xlarge,t4g.xlarge
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -917,7 +894,30 @@ Resources:
                 "
                     exit 1
                 fi
-      InstanceTypes: m7g.xlarge,m6g.xlarge,c7g.xlarge,t4g.xlarge
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
+      SecurityGroupIds:
+        Fn::Join:
+          - ""
+          - - Fn::GetAtt:
+                - IdeSecurityGroup73B02454
+                - GroupId
+            - ","
+            - Fn::GetAtt:
+                - IdeInternalSecurityGroupB0A5D76B
+                - GroupId
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
+      VolumeSize: "50"
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      InstanceName: ide
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:

infra/cfn/java-on-amazon-eks-stack.yaml

@@ -777,12 +777,8 @@ Resources:
         Fn::GetAtt:
           - IdeInstanceLauncherFunction803C5A2A
           - Arn
-      IamInstanceProfileArn:
-        Fn::GetAtt:
-          - IdeInstanceProfile61B92038
-          - Arn
-      InstanceName: ide
-      InstanceTypes: m7g.xlarge,m6g.xlarge,c7g.xlarge,t4g.xlarge
+      ImageId:
+        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
       UserData:
         Fn::Base64:
           Fn::Join:
@@ -919,8 +915,19 @@ Resources:
                 "
                     exit 1
                 fi
-      ImageId:
-        Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter
+      InstanceTypes: m7g.xlarge,m6g.xlarge,c7g.xlarge,t4g.xlarge
+      InstanceName: ide
+      IamInstanceProfileArn:
+        Fn::GetAtt:
+          - IdeInstanceProfile61B92038
+          - Arn
+      VolumeSize: "50"
+      SubnetIds:
+        Fn::Join:
+          - ""
+          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+            - ","
+            - Ref: VpcPublicSubnet2SubnetA811849C
       SecurityGroupIds:
         Fn::Join:
           - ""
@@ -931,13 +938,6 @@ Resources:
             - Fn::GetAtt:
                 - IdeInternalSecurityGroupB0A5D76B
                 - GroupId
-      SubnetIds:
-        Fn::Join:
-          - ""
-          - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-            - ","
-            - Ref: VpcPublicSubnet2SubnetA811849C
-      VolumeSize: "50"
     UpdateReplacePolicy: Delete
     DeletionPolicy: Delete
   IdeEipAssociationDFF81215:
@@ -1563,13 +1563,13 @@ Resources:
         Fn::GetAtt:
           - CodeBuildStartLambdaFunction8349284F
           - Arn
-      ContentHash: "1766254404082"
+      ContentHash: "1766259269788"
+      ProjectName:
+        Ref: CodeBuildProjectA0FF5539
       CodeBuildIamRoleArn:
         Fn::GetAtt:
           - CodeBuildRoleE9A44575
           - Arn
-      ProjectName:
-        Ref: CodeBuildProjectA0FF5539
     DependsOn:
       - CodeBuildCompleteRuleAllowEventRuleWorkshopStackCodeBuildReportLambdaFunctionD77C60919E0B0C89
       - CodeBuildCompleteRuleEE9277E8
@@ -1921,7 +1921,7 @@ Resources:
             - Ref: AWS::AccountId
             - "-"
             - Ref: AWS::Region
-            - "-20251220191324"
+            - "-20251220203430"
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
@@ -2157,13 +2157,13 @@ Resources:
               }
       Environment:
         Variables:
-          S3_THREAD_DUMPS_PREFIX: thread-dumps/
-          K8S_NAMESPACE: unicorn-store-spring
-          APP_LABEL: unicorn-store-spring
-          KUBERNETES_AUTH_TYPE: aws
-          SECRET_NAME: workshop-ide-password
           S3_BUCKET_NAME:
             Ref: WorkshopBucketFD5BC43F
+          SECRET_NAME: workshop-ide-password
+          KUBERNETES_AUTH_TYPE: aws
+          APP_LABEL: unicorn-store-spring
+          K8S_NAMESPACE: unicorn-store-spring
+          S3_THREAD_DUMPS_PREFIX: thread-dumps/
           EKS_CLUSTER_NAME:
             Ref: EksClusterB2BDED5B
       FunctionName: workshop-thread-dump-lambda
@@ -2709,9 +2709,6 @@ Resources:
         Fn::GetAtt:
           - UnicornUnicornStoreDatabaseSetupFunction04E12F8B
           - Arn
-      SqlStatements: |
-        CREATE TABLE IF NOT EXISTS unicorns(id TEXT DEFAULT gen_random_uuid() PRIMARY KEY, name TEXT, age TEXT, size TEXT, type TEXT);
-        CREATE EXTENSION IF NOT EXISTS vector;
       SecretName:
         Fn::Join:
           - "-"
@@ -2742,6 +2739,9 @@ Resources:
                         - Fn::Split:
                             - ":"
                             - Ref: DatabaseSecret3B817195
+      SqlStatements: |
+        CREATE TABLE IF NOT EXISTS unicorns(id TEXT DEFAULT gen_random_uuid() PRIMARY KEY, name TEXT, age TEXT, size TEXT, type TEXT);
+        CREATE EXTENSION IF NOT EXISTS vector;
     DependsOn:
       - DatabaseClusterDatabaseWriterF4C0B9A6
       - DatabaseCluster5B53A178
@@ -2859,8 +2859,8 @@ Resources:
 
               return endpoint_ids
 
-          def cleanup_guardduty_security_groups(vpc_id):
-              """Delete GuardDuty managed security groups for the VPC."""
+          def cleanup_guardduty_security_groups(vpc_id, max_retries=6, retry_delay=10):
+              """Delete GuardDuty managed security groups for the VPC with retry logic."""
               if not vpc_id:
                   print("No VPC ID provided, skipping security group cleanup")
                   return
@@ -2884,11 +2884,20 @@ Resources:
                       sg_id = sg['GroupId']
                       sg_name = sg['GroupName']
                       print(f"Deleting GuardDuty security group: {sg_name} ({sg_id})")
-                      try:
-                          ec2.delete_security_group(GroupId=sg_id)
-                          print(f"Deleted security group: {sg_id}")
-                      except Exception as e:
-                          print(f"Error deleting security group {sg_id}: {e}")
+
+                      # Retry deletion - ENIs may take time to detach after endpoint deletion
+                      for attempt in range(max_retries):
+                          try:
+                              ec2.delete_security_group(GroupId=sg_id)
+                              print(f"Deleted security group: {sg_id}")
+                              break
+                          except ec2.exceptions.ClientError as e:
+                              if 'DependencyViolation' in str(e) and attempt < max_retries - 1:
+                                  print(f"Security group has dependencies, waiting {retry_delay}s (attempt {attempt + 1}/{max_retries})...")
+                                  time.sleep(retry_delay)
+                              else:
+                                  print(f"Error deleting security group {sg_id}: {e}")
+                                  break
 
               except Exception as e:
                   print(f"Error listing GuardDuty security groups: {e}")