aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(@aws-cdk/aws-certificatemanager): DnsValidatedCertificate.applyRemovalPolicy() not deleting CloudWatch log groups #15075

Closed clemans closed 2 years ago

clemans commented 3 years ago

Brief Description

When deploying a stack with a DnsValidatedCertificate construct, a log group is created with the following naming convention: /aws/lambda/stackName-acmConstructName-AbCdEf012345

Upon destroying the stack, these log groups (sometimes more are created over time) remain orphaned. This is also true even when calling the method applyRemovalPolicy.

The result is that the user must manually delete these log groups after each time a new feature branch stack is destroyed.

Reproduction Steps

// CDK v1 module imports (added for context; the original snippet omitted them)
import { DnsValidatedCertificate, ValidationMethod } from '@aws-cdk/aws-certificatemanager'
import { AwsLogDriver, Ec2TaskDefinition } from '@aws-cdk/aws-ecs'
import { ApplicationLoadBalancedEc2Service } from '@aws-cdk/aws-ecs-patterns'
import { LogGroup, RetentionDays } from '@aws-cdk/aws-logs'
import { RemovalPolicy } from '@aws-cdk/core'

/* ACM Certificate */
const certificate = new DnsValidatedCertificate(this, `cert${featureSuffix}`, {
  domainName: fqdn,
  hostedZone: { zoneName: domainRoot, hostedZoneId },
  validation: { method: ValidationMethod.DNS }
})

// The removal policy is applied to the certificate, but not to the log group of the
// Lambda function the construct creates for DNS validation.
certificate.applyRemovalPolicy(RemovalPolicy.DESTROY)

/* Stack Log Group */
const logGroup = new LogGroup(this, `logGroup${featureSuffix}`, {
  logGroupName: `/stackName${featureSuffix}/`,
  removalPolicy: RemovalPolicy.DESTROY,
  retention: RetentionDays.THREE_DAYS
})

/* Stack Services */
const taskDefinition = new Ec2TaskDefinition(this, `taskDef${featureSuffix}`, {
  ...
})

taskDefinition.addContainer(`container${featureSuffix}`, {
  logging: new AwsLogDriver({
    logGroup,
    streamPrefix: `/container`
  }),
  ...
})

/* Application Load Balancer Ec2 Service */
// Declared after taskDefinition, which it references (const bindings cannot be used
// before their declaration).
const alb = new ApplicationLoadBalancedEc2Service(this, `alb${featureSuffix}`, {
  certificate,
  taskDefinition,
  ...
})

What did you expect to happen?

A destroyed stack that had a certificate.applyRemovalPolicy(RemovalPolicy.DESTROY) declaration should in turn delete the log group /aws/lambda/stackName-acmConstructName-AbCdEf012345.

A destroyed stack that had a certificate.applyRemovalPolicy(RemovalPolicy.RETAIN) declaration should in turn retain the log group /aws/lambda/stackName-acmConstructName-AbCdEf012345.

What actually happened?

A destroyed stack that had a certificate.applyRemovalPolicy(RemovalPolicy.DESTROY) declaration does not delete the log group /aws/lambda/stackName-acmConstructName-AbCdEf012345. The log group remains orphaned and the user must manually delete the log group.

Environment


This is :bug: Bug Report
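The orphaned `/aws/lambda/...` log group described above is visible in the synthesized template before deploying: the certificate requestor function has no `AWS::Logs::LogGroup` beside it, so the Lambda service creates the group implicitly and stack deletion never touches it. The check below, an added example that is not code from the issue or from aws-cdk, runs over a `cdk synth` template and flags Lambda functions whose log group is either undeclared or declared without `DeletionPolicy: Delete`; the template it inspects is a constructed excerpt, and `findOrphanProneLogGroups` and `refsIn` are names chosen here.

```typescript
type Template = { Resources: Record<string, any> }; // shape of cdk synth output

// Constructed template excerpt, not taken from the issue: AppFn has a managed log group,
// NamedFn's log group is Retain, CertRequestorFn (standing in for the construct's
// certificate requestor function) declares none.
const sampleTemplate: Template = {
  Resources: {
    AppFn: { Type: "AWS::Lambda::Function", Properties: { Handler: "index.handler" } },
    AppFnLogs: {
      Type: "AWS::Logs::LogGroup", DeletionPolicy: "Delete",
      Properties: { LogGroupName: { "Fn::Join": ["", ["/aws/lambda/", { Ref: "AppFn" }]] } },
    },
    NamedFn: { Type: "AWS::Lambda::Function", Properties: { FunctionName: "named-fn" } },
    NamedFnLogs: {
      Type: "AWS::Logs::LogGroup", DeletionPolicy: "Retain",
      Properties: { LogGroupName: "/aws/lambda/named-fn" },
    },
    CertRequestorFn: { Type: "AWS::Lambda::Function", Properties: { Handler: "index.handler" } },
  },
};

// Collect every logical id referenced through { Ref } anywhere in a property value.
function refsIn(value: unknown, out = new Set<string>()): Set<string> {
  if (Array.isArray(value)) value.forEach((v) => refsIn(v, out));
  else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      if (k === "Ref" && typeof v === "string") out.add(v);
      else refsIn(v, out);
    }
  }
  return out;
}

// Flag Lambda functions whose /aws/lambda/<name> log group is not declared in the template
// (Lambda creates it implicitly; destroy leaves it) or lacks DeletionPolicy: Delete.
function findOrphanProneLogGroups(template: Template): [string, string][] {
  const res = template.Resources;
  const policyFor = new Map<string, string>(); // function logical id -> effective policy
  for (const lg of Object.values(res).filter((r) => r.Type === "AWS::Logs::LogGroup")) {
    const policy = lg.DeletionPolicy ?? "Delete", name = lg.Properties?.LogGroupName; // CFN default is Delete
    for (const fnId of refsIn(name)) policyFor.set(fnId, policy);
    for (const [id, fn] of Object.entries(res)) { // literal names match an explicit FunctionName
      if (fn.Type === "AWS::Lambda::Function" && name === `/aws/lambda/${fn.Properties?.FunctionName}`) policyFor.set(id, policy);
    }
  }
  const findings: [string, string][] = [];
  for (const [id, fn] of Object.entries(res)) {
    if (fn.Type !== "AWS::Lambda::Function") continue;
    const policy = policyFor.get(id);
    if (policy === undefined) findings.push([id, "no log group declared; created implicitly and left behind on destroy"]);
    else if (policy !== "Delete") findings.push([id, `log group declared with DeletionPolicy ${policy}`]);
  }
  return findings;
}
```

Running this on the sample reports NamedFn (Retain) and CertRequestorFn (undeclared) and leaves AppFn alone; pointing it at `cdk.out/<stack>.template.json` shows the same gap for the DnsValidatedCertificate requestor.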

madeline-k commented 3 years ago

@njlynch I removed the cloudwatch label, since I think the fix for this will be entirely in the aws-certificatemanager module. I might take a stab at fixing this anyway though.

github-actions[bot] commented 2 years ago

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.