aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::EC2::InstanceConnectEndpoint DELETE_FAILED #2000

Open nathanhammond opened 2 months ago

nathanhammond commented 2 months ago

Name of the resource

AWS::EC2::InstanceConnectEndpoint

Issue Description

The AWS::EC2::InstanceConnectEndpoint CloudFormation Construct cannot successfully be deleted unless it has already completed deployment. In other words, issuing a DELETE of the resource while it is still in the "provisioning" state will fail.

The construct needs to be allowed to progress to a state (e.g. reach CREATE_COMPLETE) where it will accept a DELETE prior to having the DELETE issued to it.

This issue is 100% reproducible, and mostly shows up in rollbacks.

Expected Behavior

Delete of the AWS::EC2::InstanceConnectEndpoint should succeed in the case of needing to delete before provisioning has completed.

Observed Behavior

During rollbacks the AWS::EC2::InstanceConnectEndpoint will often fail to delete because it is still provisioning. If, after failing rollback, I wait until provisioning is complete and then issue destroy for the stack, it will succeed.

Test Cases

Here is some CDK code:

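import * as ec2 from 'aws-cdk-lib/aws-ec2';

// Runs inside a Stack constructor (`this` is the Stack).
// VPC in two availability zones, without NAT gateways.
const vpc = new ec2.Vpc(this, 'my-vpc', {
  vpcName: 'my-vpc',
  availabilityZones: ['us-east-1a', 'us-east-1b'],
  natGateways: 0,
  ipAddresses: ec2.IpAddresses.cidr('172.31.0.0/16'),
});

// Place the endpoint in the first isolated subnet.
// `instanceConnectSecurityGroup` is a security group defined elsewhere in the stack.
const eiceSubnet = vpc.isolatedSubnets[0];
new ec2.CfnInstanceConnectEndpoint(this, 'my-instance-connect-endpoint', {
  subnetId: eiceSubnet.subnetId,
  securityGroupIds: [instanceConnectSecurityGroup.securityGroupId],
});

// TODO: insert some resource that fails at runtime.
// e.g. Lambda-backed CustomResource which is just `throw new Error()`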

Other Details

No response
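
The workaround described under Observed Behavior (wait until the endpoint has finished provisioning, then destroy the stack), written out with the AWS CLI as an added example that is not part of the original issue or of AWS's own code. The stack name and endpoint ID arguments are placeholders, the function names are hypothetical, and the polling interval and poll limit are assumed values.

```shell
#!/bin/sh
# Added example: delete a stack only after its EC2 Instance Connect Endpoint
# has left the provisioning state. Assumes the aws CLI with credentials.

POLL_SECONDS="${POLL_SECONDS:-15}"   # assumed delay between polls
MAX_POLLS="${MAX_POLLS:-40}"         # assumed limit before giving up

# Print the endpoint's current State, e.g. create-in-progress or create-complete.
eice_state() {
  aws ec2 describe-instance-connect-endpoints \
    --instance-connect-endpoint-ids "$1" \
    --query 'InstanceConnectEndpoints[0].State' --output text
}

# Return 0 once the endpoint is create-complete, 1 if it is in any state
# other than create-in-progress (or the lookup fails), 2 on timeout.
wait_for_eice() {
  _eice_polls=0
  while [ "$_eice_polls" -lt "$MAX_POLLS" ]; do
    _eice_state="$(eice_state "$1")" || return 1
    case "$_eice_state" in
      create-complete) return 0 ;;
      create-in-progress) sleep "$POLL_SECONDS" ;;
      *) echo "endpoint $1 is in state '$_eice_state'; not deleting" >&2
         return 1 ;;
    esac
    _eice_polls=$((_eice_polls + 1))
  done
  echo "endpoint $1 still provisioning after $MAX_POLLS polls" >&2
  return 2
}

# $1 = stack name, $2 = endpoint ID (both placeholders supplied by the caller).
delete_stack_when_ready() {
  wait_for_eice "$2" || return $?
  aws cloudformation delete-stack --stack-name "$1" || return 1
  aws cloudformation wait stack-delete-complete --stack-name "$1"
}

# Usage: delete_stack_when_ready my-stack eice-EXAMPLE
```
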