aws-certificatemanager: DnsValidatedCertificate instances throw on applyRemovalPolicy #20649

IggyMi · 2022-06-07T12:31:10Z

Describe the bug

Calling applyRemovalPolicy on DnsValidatedCertificate instances throws CfnResource error and fails to synthesize the stack.

Expected Behavior

Chosen retention policy should be applied to DnsValidatedCertificate created resources.

Current Behavior

Currently calling applyRemovalPolicy on DnsValidatedCertificate instance will throw

Error: Cannot apply RemovalPolicy: no child or not a CfnResource. Apply the removal policy on the CfnResource directly.
    at DnsValidatedCertificate.applyRemovalPolicy (/Users/ignotasmikalauskas/Projects/resq-infra/certificates/node_modules/aws-cdk-lib/core/lib/resource.ts:227:13)

Reproduction Steps

The error is thrown while attempting to run the following construct

import { Construct } from 'constructs';
import { DnsValidatedCertificate } from 'aws-cdk-lib/aws-certificatemanager';
import { RemovalPolicy } from 'aws-cdk-lib';
import { IHostedZone } from 'aws-cdk-lib/aws-route53';

export interface CertificateProps {
  hostedZone: IHostedZone;
  domainName: string;
  region: string;
}

export class Certificate extends Construct {
  constructor(scope: Construct, id: string, props: CertificateProps) {
    super(scope, id);

    const { domainName, region, hostedZone } = props;

    const certificate = new DnsValidatedCertificate(this, 'Certificate', {
      domainName: `*.${domainName}`,
      hostedZone,
      region
    });
    certificate.applyRemovalPolicy(RemovalPolicy.RETAIN);

   // ... business logic ...
  }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.24.1 (build 585f9ca)

Framework Version

No response

Node.js Version

v16.14.0

OS

macOS Monterey 12.2.1

Language

Typescript

Language Version

3.9.7

Other information

No response

The text was updated successfully, but these errors were encountered:

peterwoodworth · 2022-06-07T17:11:19Z

This happens because the DnsValidatedCertificate doesn't leverage the CfnCertificate resource, but rather utilizes a custom resource. As a result, custom resources can't have removal policy set the same way as when using the CloudFormation resource directly.

We should call this out in the docs, and potentially support setting removal policy through the custom resource if possible

ruebroad · 2022-07-26T12:20:31Z

@peterwoodworth how is this not a bug? If the method is available and should work but doesn't - isn't that a bug?

peterwoodworth · 2022-07-26T18:27:49Z

I think there are two problems here @ruebroad, one bug and one feature request

The bug: DnsValidatedCertificate allows you to call applyRemovalPolicy(). This is a consequence of the construct extending CertificateBase which extends Resource
I think we still ultimately want this construct to extend resource, so you will still be able to call this method. I think that we could override this method on DnsValidatedCertificate to give a more clear error message about how there is no underlying CfnResource for this construct.

The FR: You cannot set the removal policy of DnsValidatedCertificate at all. This is a consequence of not being able to set the removal policy of custom resources the same way as most other Cfn resources, so it's not something that should work (though you're right, the method is available so we do claim to support it). We handle the deletion of the Certificate inside the custom resource here

aws-cdk/packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js

Lines 298 to 310 in 83f1668

    
           case 'Delete': 
        
             physicalResourceId = event.PhysicalResourceId; 
        
             // If the resource didn't create correctly, the physical resource ID won't be the 
        
             // certificate ARN, so don't try to delete it in that case. 
        
             if (physicalResourceId.startsWith('arn:')) { 
        
               await deleteCertificate( 
        
                 physicalResourceId, 
        
                 event.ResourceProperties.Region, 
        
                 event.ResourceProperties.HostedZoneId, 
        
                 event.ResourceProperties.Route53Endpoint, 
        
                 event.ResourceProperties.CleanupRecords === "true", 
        
               ); 
        
             }

We could do something like create a removalPolicy prop for DnsValidatedCertificate which ends up getting parsed in the custom resource here.

vechorko · 2022-08-23T11:21:52Z

just want to follow up this topic and know when it will be added in the next release

peterwoodworth · 2022-08-23T18:20:24Z

This isn't something the team will be able to get to soon. The quickest way to see this in a new release is for the community to contribute it 🙂

…Certificate (#22040) This PR adds a method override for `applyRemovalPolicy` which allows the user to specify a removal policy for the `DnsValidatedCertificate` construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the `RemovalPolicy` is set to `retain`. This is also needed to allow for an easier migration from `DnsValidatedCertificate` -> `Certificate` fixes #20649 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

github-actions · 2022-09-15T15:12:04Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

…Certificate (aws#22040) This PR adds a method override for `applyRemovalPolicy` which allows the user to specify a removal policy for the `DnsValidatedCertificate` construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the `RemovalPolicy` is set to `retain`. This is also needed to allow for an easier migration from `DnsValidatedCertificate` -> `Certificate` fixes aws#20649 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…Certificate (#22122) This PR adds a method override for applyRemovalPolicy which allows the user to specify a removal policy for the DnsValidatedCertificate construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the RemovalPolicy is set to retain. This is also needed to allow for an easier migration from DnsValidatedCertificate -> Certificate reroll of #22040 This has the same changes as #22040 with the addition of some logic to handle only processing updates for certain parameters. If `RemovalPolicy` is changed for example, the update will not be processed. I also added an integration test with some manual instructions. In order to test ACM certificates I also updated the integ-runner to handle some additional special env variables. fixes #20649, fixes #14519 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…Certificate (aws#22122) This PR adds a method override for applyRemovalPolicy which allows the user to specify a removal policy for the DnsValidatedCertificate construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the RemovalPolicy is set to retain. This is also needed to allow for an easier migration from DnsValidatedCertificate -> Certificate reroll of aws#22040 This has the same changes as aws#22040 with the addition of some logic to handle only processing updates for certain parameters. If `RemovalPolicy` is changed for example, the update will not be processed. I also added an integration test with some manual instructions. In order to test ACM certificates I also updated the integ-runner to handle some additional special env variables. fixes aws#20649, fixes aws#14519 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…Certificate (aws#22040) This PR adds a method override for `applyRemovalPolicy` which allows the user to specify a removal policy for the `DnsValidatedCertificate` construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the `RemovalPolicy` is set to `retain`. This is also needed to allow for an easier migration from `DnsValidatedCertificate` -> `Certificate` fixes aws#20649 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…Certificate (aws#22122) This PR adds a method override for applyRemovalPolicy which allows the user to specify a removal policy for the DnsValidatedCertificate construct. Since this construct is backed by a custom resource, the lambda handler was updated to no longer delete the certificate if the RemovalPolicy is set to retain. This is also needed to allow for an easier migration from DnsValidatedCertificate -> Certificate reroll of aws#22040 This has the same changes as aws#22040 with the addition of some logic to handle only processing updates for certain parameters. If `RemovalPolicy` is changed for example, the update will not be processed. I also added an integration test with some manual instructions. In order to test ACM certificates I also updated the integ-runner to handle some additional special env variables. fixes aws#20649, fixes aws#14519 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

IggyMi added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 7, 2022

github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Jun 7, 2022

github-actions bot assigned comcalvi Jun 7, 2022

peterwoodworth added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jun 7, 2022

peterwoodworth unassigned comcalvi Jun 7, 2022

peterwoodworth added feature-request A feature should be added or improved. documentation This is a problem with documentation. and removed bug This issue is a bug. labels Jun 7, 2022

peterwoodworth mentioned this issue Jul 7, 2022

(aws-certificatemanager): DnsValidatedCertificate should support RemovalPolicy #15871

Closed

2 tasks

peterwoodworth added bug This issue is a bug. and removed feature-request A feature should be added or improved. labels Jul 26, 2022

corymhall self-assigned this Sep 14, 2022

corymhall mentioned this issue Sep 14, 2022

fix(certificatemanager): unable to set removal policy on DnsValidatedCertificate #22040

Merged

4 tasks

mergify bot closed this as completed in #22040 Sep 15, 2022

corymhall mentioned this issue Sep 19, 2022

fix(certificatemanager): unable to set removal policy on DnsValidatedCertificate #22122

Merged

4 tasks

maxd mentioned this issue Sep 20, 2022

(aws-rds): Can't destroy a stack with a database that has removalPolicy property set to RemovalPolicy.RETAIN #22141

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws-certificatemanager: DnsValidatedCertificate instances throw on applyRemovalPolicy #20649

aws-certificatemanager: DnsValidatedCertificate instances throw on applyRemovalPolicy #20649

IggyMi commented Jun 7, 2022

peterwoodworth commented Jun 7, 2022

ruebroad commented Jul 26, 2022

peterwoodworth commented Jul 26, 2022

vechorko commented Aug 23, 2022

peterwoodworth commented Aug 23, 2022

github-actions bot commented Sep 15, 2022