make sure resources are set up in isolated namespaces (#1)

Reviewed-on: #1
2026-05-27 12:51:26 +00:00
parent 0e728cc193
commit 6ac9702dc5
11 changed files with 184 additions and 36 deletions
--- a/src/commands/infra.py
+++ b/src/commands/infra.py
@@ -51,6 +51,8 @@ def setup(
                    profile=cfg.aws.profile,
                    account_id=account_id,
                    region=cfg.aws.region,
+                    bootstrap_qualifier=cfg.infra.effective_bootstrap_qualifier,
+                    toolkit_stack_name=cfg.infra.effective_toolkit_stack_name,
                    cloudformation_execution_policy=cloudformation_execution_policy,
                )
        with CONSOLE.status("Running cdk deploy..."):
@@ -58,6 +60,9 @@ def setup(
                profile=cfg.aws.profile,
                account_id=account_id,
                region=cfg.aws.region,
+                stack_name=cfg.infra.stack_name,
+                bootstrap_qualifier=cfg.infra.effective_bootstrap_qualifier,
+                toolkit_stack_name=cfg.infra.effective_toolkit_stack_name,
                config_path=config,
                config_dir=str(Path(config).parent),
                config_snapshot=cfg.model_dump(mode="json"),
@@ -82,7 +87,7 @@ def setup(
 def status(config: str = CONFIG_OPT) -> None:
    """Show current infrastructure status."""
    cfg = load_cfg(config)
-    stack = cloudformation.stack_status(cfg.aws.region, cfg.aws.profile)
+    stack = cloudformation.stack_status(cfg.aws.region, cfg.aws.profile, cfg.infra.stack_name)

    table = Table(title="Infrastructure Status")
    table.add_column("Resource", style="cyan")
@@ -91,7 +96,7 @@ def status(config: str = CONFIG_OPT) -> None:
    table.add_column("ARN / URI")

    if not stack:
-        table.add_row("CDK Stack", provisioning.STACK_NAME, "[red]missing[/red]", "-")
+        table.add_row("CDK Stack", cfg.infra.stack_name, "[red]missing[/red]", "-")
        table.add_row("S3 Bucket", cfg.s3.bucket, "[red]unknown[/red]", "-")
        table.add_row("IAM Role", cfg.sagemaker.role_name, "[red]unknown[/red]", "-")
        if cfg.mlflow.mode is not MlflowMode.disabled:
@@ -114,7 +119,7 @@ def status(config: str = CONFIG_OPT) -> None:
    )
    table.add_row(
        "IAM Role",
-        cfg.sagemaker.role_name,
+        _role_name(cfg.sagemaker.role_name, outputs.get("SageMakerRoleArn", "")),
        "[green]managed[/green]",
        outputs.get("SageMakerRoleArn", "-"),
    )
@@ -156,10 +161,13 @@ def destroy(
 ) -> None:
    """Destroy the CDK stack."""
    cfg = _destroy_config(config)
+    stack_name = _destroy_stack_name(config, cfg)
+    bootstrap_qualifier = _destroy_bootstrap_qualifier(config, cfg)
+    toolkit_stack_name = _destroy_toolkit_stack_name(config, cfg)

    if not yes and not delete_bucket_data:
        typer.confirm(
-            f"Destroy CDK stack '{provisioning.STACK_NAME}' while retaining S3 bucket data?",
+            f"Destroy CDK stack '{stack_name}' while retaining S3 bucket data?",
            abort=True,
        )

@@ -172,13 +180,17 @@ def destroy(
                provisioning.destroy(
                    profile=cfg.aws.profile,
                    account_id=account_id,
+                    stack_name=stack_name,
+                    bootstrap_qualifier=bootstrap_qualifier,
+                    toolkit_stack_name=toolkit_stack_name,
                    config_path=str(snapshot_path),
                    delete_bucket_data=delete_bucket_data,
                )
    except RuntimeError as e:
        CONSOLE.print(f"[red]{e}[/red]")
        raise typer.Exit(1)
-    CONSOLE.print(f"[green]✓[/green] Destroyed stack: {provisioning.STACK_NAME}")
+    CONSOLE.print(f"[green]✓[/green] Destroyed stack: {stack_name}")
+    CONSOLE.print(f"[yellow]CDK bootstrap stack retained: {toolkit_stack_name}[/yellow]")


 def _destroy_config(config_path: str) -> Config:
@@ -190,6 +202,13 @@ def _destroy_config(config_path: str) -> Config:
    return load_cfg(config_path)


+def _role_name(configured_name: str, role_arn: str) -> str:
+    if configured_name:
+        return configured_name
+    if role_arn:
+        return role_arn.rsplit("/", 1)[-1]
+    return "-"
+
 def _destroy_account_id(config_path: str, cfg: Config) -> str:
    config_dir = str(Path(config_path).parent)
    state = read_infra_state(config_dir)
@@ -197,3 +216,30 @@ def _destroy_account_id(config_path: str, cfg: Config) -> str:
    if account_id:
        return str(account_id)
    return identity.account_id(cfg.aws.region, cfg.aws.profile)
+
+
+def _destroy_stack_name(config_path: str, cfg: Config) -> str:
+    config_dir = str(Path(config_path).parent)
+    state = read_infra_state(config_dir)
+    stack_name = state.get("stack_name")
+    if stack_name:
+        return str(stack_name)
+    return cfg.infra.stack_name
+
+
+def _destroy_bootstrap_qualifier(config_path: str, cfg: Config) -> str:
+    config_dir = str(Path(config_path).parent)
+    state = read_infra_state(config_dir)
+    bootstrap_qualifier = state.get("bootstrap_qualifier")
+    if bootstrap_qualifier:
+        return str(bootstrap_qualifier)
+    return cfg.infra.effective_bootstrap_qualifier
+
+
+def _destroy_toolkit_stack_name(config_path: str, cfg: Config) -> str:
+    config_dir = str(Path(config_path).parent)
+    state = read_infra_state(config_dir)
+    toolkit_stack_name = state.get("toolkit_stack_name")
+    if toolkit_stack_name:
+        return str(toolkit_stack_name)
+    return cfg.infra.effective_toolkit_stack_name