Like the title says, AWS CloudFormation doesn't check whether a rotation schedule is already active before "creating" a new one on a secret. A secret can only hold one rotation schedule, so what seems to happen is that during the cleanup of the resources, AWS CloudFormation deletes the "old" rotation schedule, which is actually the active one.
The end result is a CloudFormation stack that contains a rotation schedule resource, but in reality there is no rotation schedule active on the Secret.
Expected Behavior
Throw an error if a rotation schedule already exists so that the stack update / create crashes.
Observed Behavior
No error is thrown but also the side effect exists of deleting a rotation schedule during cleanup that should be set.
Test Cases
Deploy a stack with a rotation schedule with logical id X
Rename the rotation schedule logical id from X to Y
Update the stack
Confirm that the rotation schedule is disabled, but should be enabled.
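A way to catch the state the test case ends in, as an added example that is not part of the original issue: the stack still lists an AWS::SecretsManager::RotationSchedule resource, but Secrets Manager reports the secret with rotation disabled. The check below compares the two views. The input shapes follow the responses of cloudformation:ListStackResources (StackResourceSummaries with ResourceType and PhysicalResourceId) and secretsmanager:DescribeSecret (RotationEnabled); the sample data is constructed to reproduce the scenario above, and it is assumed that a RotationSchedule resource's PhysicalResourceId is the ARN of its secret.

```python
"""Detect a stack that claims a rotation schedule the secret no longer has.

Added example (not from the original issue). The functions are pure so the
check runs offline on constructed data; in practice the two inputs would be
the results of boto3 cloudformation.list_stack_resources() and one
secretsmanager.describe_secret() call per secret ARN.
"""
from typing import Dict, List

ROTATION_TYPE = "AWS::SecretsManager::RotationSchedule"

# Constructed sample ARNs (account id and suffix are placeholders).
DB_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:db-AbCdEf"
API_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:api-GhIjKl"

# Constructed sample: ListStackResources output after the logical id rename
# (X -> RotationY). CloudFormation still reports the schedule as present.
STACK_RESOURCES = {
    "StackResourceSummaries": [
        {"LogicalResourceId": "DbSecret",
         "ResourceType": "AWS::SecretsManager::Secret",
         "PhysicalResourceId": DB_SECRET_ARN,
         "ResourceStatus": "UPDATE_COMPLETE"},
        {"LogicalResourceId": "RotationY",
         "ResourceType": ROTATION_TYPE,
         # Assumption: the physical id of a RotationSchedule is the secret ARN.
         "PhysicalResourceId": DB_SECRET_ARN,
         "ResourceStatus": "CREATE_COMPLETE"},
        {"LogicalResourceId": "ApiRotation",
         "ResourceType": ROTATION_TYPE,
         "PhysicalResourceId": API_SECRET_ARN,
         "ResourceStatus": "CREATE_COMPLETE"},
    ]
}

# Constructed sample: DescribeSecret per ARN. The db secret lost its rotation
# during stack cleanup; the api secret is healthy and must not be flagged.
DESCRIBE_SECRET = {
    DB_SECRET_ARN: {"ARN": DB_SECRET_ARN, "Name": "db",
                    "RotationEnabled": False},
    API_SECRET_ARN: {"ARN": API_SECRET_ARN, "Name": "api",
                     "RotationEnabled": True,
                     "RotationRules": {"AutomaticallyAfterDays": 30}},
}


def rotation_schedule_resources(stack_resources: Dict) -> List[Dict]:
    """Return only the RotationSchedule entries from a ListStackResources response."""
    return [r for r in stack_resources.get("StackResourceSummaries", [])
            if r.get("ResourceType") == ROTATION_TYPE]


def find_silent_rotation_drift(stack_resources: Dict,
                               describe_secret_by_arn: Dict[str, Dict]) -> List[Dict]:
    """One finding per RotationSchedule resource whose secret does not report rotation enabled.

    A finding means the stack and the service disagree: the template says a
    schedule exists, Secrets Manager says no rotation is active on the secret.
    """
    findings = []
    for res in rotation_schedule_resources(stack_resources):
        secret_arn = res.get("PhysicalResourceId")
        secret = describe_secret_by_arn.get(secret_arn)
        if secret is None:
            reason = "secret not found by DescribeSecret"
        elif not secret.get("RotationEnabled", False):
            reason = "RotationEnabled is false on the secret"
        else:
            continue  # stack and service agree; nothing to report
        findings.append({
            "LogicalResourceId": res.get("LogicalResourceId"),
            "SecretArn": secret_arn,
            "Reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in find_silent_rotation_drift(STACK_RESOURCES, DESCRIBE_SECRET):
        print(f"{finding['LogicalResourceId']}: {finding['SecretArn']} -> {finding['Reason']}")
```

Run after every stack update that touches a RotationSchedule; a non-empty result is the condition the issue describes, because CloudFormation drift detection does not cover this resource's actual state on the secret.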
Sorry abelmokadem@ - this was closed by accident. The Secrets Management team is looking into this as a part of our migration to the CloudFormation Registry.
Name of the resource
AWS::SecretsManager::RotationSchedule