aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.63k stars 3.91k forks

[aws-wafv2] Destroy/create wrong order on regex pattern #10344

Closed fongie closed 3 years ago

fongie commented 4 years ago

The logical ID changed on my regex pattern, and cdk diff specifies that it is removing the old logical ID and creating a new one (they are in fact identical, though). On deploy, CloudFormation begins by creating the new pattern, which resulted in:

AWS WAF couldn't perform the operation because some resource in your request is a duplicate of an existing one. (Service: Wafv2, Status Code: 400, Request ID: a990ad31-fcc1-4175-a06c-a7bfecd0f8cc, Extended Request ID: null)

but it should have first destroyed the old one and then recreated the new one. The order of destroy/create seems to be wrong here.

Reproduction Steps

My code initially looked like this:

import { CfnRegexPatternSet } from '@aws-cdk/aws-wafv2'; // CDK v1 L1 module for AWS::WAFv2::* resources

constructor() {
    ...
    // The construct id ('block-routes-regex-pattern') is what the logical ID is derived from.
    const regex = new CfnRegexPatternSet(this, 'block-routes-regex-pattern', {
        name: 'api-block-uri-pattern',
        regularExpressionList: [
            'my-expression',
            'my-expression'
        ],
        scope: 'REGIONAL'
    });
}

I refactored it to this:

constructor() {
    const blockUriRegex = this.createRegexPattern(
        [ 'my-expression', 'my-expression' ],
        'api-block-uri-pattern'
    );
}

// The construct id is now `name` ('api-block-uri-pattern') instead of
// 'block-routes-regex-pattern', so CDK derives a different logical ID.
private createRegexPattern(regularExpressionList: string[], name: string, description?: string): CfnRegexPatternSet {
    return new CfnRegexPatternSet(this, name, {
        name,
        description,   // optional; previously accepted but never passed through
        regularExpressionList,
        scope: 'REGIONAL'
    });
}

As you can see, I did end up changing the CDK id prop with this, which is why the logical id changed (I assume).

cdk diff now shows

Resources
[-] AWS::WAFv2::RegexPatternSet lbfirewallblockroutesregexpatternRANDOM destroy
[+] AWS::WAFv2::RegexPatternSet lb-firewall/api-block-uri-pattern lbfirewallapiblockuripatternRANDOM

What did you expect to happen?

I expected the deployment to first destroy the old pattern and then create the new one. Now, I need to recreate the stack completely.

What actually happened?

See the error above.

Environment

Other


This is :bug: Bug Report

njlynch commented 3 years ago

Apologies for the long delay on response here. This is standard CloudFormation behavior for updates: old/existing resources are never deleted until the updates/creations have finished. This is so your stack can maintain consistency; if old resources were deleted first, you'd end up in the situation where -- for some time period -- you had no resources in the stack, which could cause outages or other unexpected issues.

In cases like this, a workaround is to change some other property of the resource so they don't look identical to WAF, then undo that change in a subsequent deployment. It's not the smoothest, but will work around "refactorings" like this. Sorry to not have a better answer.
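The ordering njlynch describes, and why the suggested workaround needs two deployments, can be traced with a small model. The following is an added example, not code from aws-cdk or from either commenter: it simulates CloudFormation's update phases (create and update first, delete removed resources last) together with WAFv2's per-scope name uniqueness for RegexPatternSets. The logical IDs and the set name are taken from the `cdk diff` in the issue; the update algorithm, error text, and the temporary name `api-block-uri-pattern-tmp` are assumptions made for illustration.

```typescript
// Added example (not aws-cdk project code): a model of CloudFormation's update
// ordering plus WAFv2's "name must be unique per scope" rule. Logical IDs and the
// set name come from the issue; the algorithm and error text are simplifications.

interface RegexPatternSet {
  name: string;                      // WAF physical name, unique within a scope
  scope: 'REGIONAL' | 'CLOUDFRONT';
  regularExpressionList: string[];
}

// Rendered template: CloudFormation logical ID -> desired properties.
type Template = Record<string, RegexPatternSet>;

// Deployed state: logical ID -> resource as it currently exists in WAF.
type StackState = Map<string, RegexPatternSet>;

class WafDuplicateItemError extends Error {
  constructor(message: string) {
    super(message);
    Object.setPrototypeOf(this, WafDuplicateItemError.prototype); // keep instanceof on ES5 targets
    this.name = 'WafDuplicateItemError';
  }
}

// Service-side uniqueness check (the "duplicate of an existing one" 400 in the issue).
// `self` excludes the resource being updated in place under the same logical ID.
function assertNotDuplicate(state: StackState, r: RegexPatternSet, self?: string): void {
  for (const [id, existing] of Array.from(state.entries())) {
    if (id !== self && existing.name === r.name && existing.scope === r.scope) {
      throw new WafDuplicateItemError(
        `AWS WAF could not create '${r.name}' (${r.scope}): duplicate of existing set ${id}`,
      );
    }
  }
}

// Apply `desired` to `state` in CloudFormation's order. Errors are thrown before the
// cleanup phase, so the caller's `state` is left untouched (a simplified rollback).
function deploy(state: StackState, desired: Template): StackState {
  const next: StackState = new Map(state);

  // Phase 1: create resources whose logical ID is new to the stack.
  for (const [id, r] of Object.entries(desired)) {
    if (!next.has(id)) {
      assertNotDuplicate(next, r);
      next.set(id, { ...r });
    }
  }
  // Phase 2: update resources whose logical ID was retained.
  for (const [id, r] of Object.entries(desired)) {
    if (state.has(id)) {
      assertNotDuplicate(next, r, id);
      next.set(id, { ...r });
    }
  }
  // Phase 3 (cleanup): delete logical IDs that left the template. This runs last,
  // which is why the old, identically named set still exists during phase 1.
  for (const id of Array.from(next.keys())) {
    if (!(id in desired)) next.delete(id);
  }
  return next;
}

function physicalNames(state: StackState): string[] {
  return Array.from(state.values()).map((r) => r.name).sort();
}

// Logical IDs from the `cdk diff` in the issue; the regex list is a placeholder.
const OLD_ID = 'lbfirewallblockroutesregexpatternRANDOM';
const NEW_ID = 'lbfirewallapiblockuripatternRANDOM';
const pattern: RegexPatternSet = {
  name: 'api-block-uri-pattern',
  scope: 'REGIONAL',
  regularExpressionList: ['my-expression'],
};

// The refactoring in the issue: identical properties under a new logical ID.
function renameWithoutChange(): string {
  const state = deploy(new Map(), { [OLD_ID]: pattern });
  try {
    deploy(state, { [NEW_ID]: pattern });
    return 'deployed';
  } catch (e) {
    return e instanceof WafDuplicateItemError ? 'WAFDuplicateItem' : 'unexpected';
  }
}

// The two-deployment workaround: deploy under a temporary name so WAF sees no
// duplicate while both sets exist, then restore the intended name once the old
// set has been cleaned up.
function renameInTwoSteps(): { afterStep1: string[]; afterStep2: string[] } {
  let state = deploy(new Map(), { [OLD_ID]: pattern });
  state = deploy(state, { [NEW_ID]: { ...pattern, name: 'api-block-uri-pattern-tmp' } });
  const afterStep1 = physicalNames(state);
  state = deploy(state, { [NEW_ID]: pattern }); // old set is gone, so the name is free
  return { afterStep1, afterStep2: physicalNames(state) };
}
```

`renameWithoutChange()` reproduces the 400 from the issue because the old set is still present when the new one is created; `renameInTwoSteps()` finishes with a single set carrying the intended name. The cheaper fix is to avoid the logical-ID change in the first place: keep the construct id unchanged when extracting a helper (pass the id separately from `name`), or, if the id must move, call `overrideLogicalId()` on the `CfnRegexPatternSet` with the logical ID from the previous template so CloudFormation treats it as the same resource.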

github-actions[bot] commented 3 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.