Open mpvosseller opened 2 years ago
It's true, CDK Pipelines cannot set the termination protection flag (because the CodePipeline CloudFormation deploy action does not support setting it).
What would your preferred behavior be? I'm thinking we should probably throw an error when we add a stack that has termination protection to the pipeline, what do you think?
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
@rix0rrr Yea, as a stopgap, throwing an error seems better than letting people falsely believe their stack is protected.
Do you think it is possible to have someone on the CDK team file a feature request with the CloudFormation team to add support for whatever is needed to actually support this?
Internal ref: D36476047
In the meantime, it's probably going to be a breaking change for many people if we turn this into an error, so a warning will have to do.
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
Please keep this open since the issue is still pending. Also, this should probably be documented to avoid people wondering why the protection is not enabled when they use pipelines.
Any updates, guys? I'm facing this issue as well. I opened an issue which is similar to this one (correct me if I'm wrong): https://github.com/aws/aws-cdk/issues/30405 @khushail @tim-finnigan @rix0rrr
@andreprawira, I will check the internally filed ticket (D36476047) with the CloudFormation team and share updates if any. Thanks for having patience!
@khushail thx
@khushail I think it works now? I saw termination protection is somehow enabled; the way I do it is `termination_protection=True` through the constructor of the CDK.
We are facing the same issue. We have a CodePipeline with cross-account support. Every time the pipeline runs, a support stack is created/updated in one of the AWS accounts with termination protection disabled. We have set termination protection to true everywhere we could in the code. We also ran the `cdk bootstrap` command with `--termination-protection`. I think this is a bug in CDK.
What is the problem?
The `Stack` property `terminationProtection` is ignored when the `Stack` is deployed from a CDK `CodePipeline`.
If the stack is deployed directly from the CLI (not from the CDK `CodePipeline`) it works.
A repo demonstrating the issue can be found here: https://github.com/mpvosseller/cdk-pipeline-termination-protection
Reproduction Steps
1) Fork this repo: https://github.com/mpvosseller/cdk-pipeline-termination-protection
2) Create a plain text secret in `SecretsManager` with your github token
3) Update `githubOwner`, `githubRepo`, and `githubAccessToken` in the file `myapp-pipeline-stack.ts`
4) Run `npm install`
5) Run `npm run cdk deploy`
6) Log into the CloudFormation console
7) Wait for the `MyappPipelineStack` stack to deploy
8) Wait for the CodePipeline to complete and the `Prod-MyappStack` stack to be deployed
9) Observe that the `MyappPipelineStack` stack correctly has termination protection enabled
10) Observe that the `Prod-MyappStack` stack does NOT have termination protection enabled. This is the bug. `terminationProtection` was set to true but was not enabled.
11) Run `npm run cdk deploy "MyappPipelineStack/Prod/MyappStack"`
12) Observe that the `Prod-MyappStack` stack now has termination protection enabled.
What did you expect to happen?
The `Prod-MyappStack` should be deployed with termination protection enabled.
What actually happened?
The `Prod-MyappStack` was deployed without termination protection enabled.
CDK CLI Version
2.0.0 (build 4b6ce31)
Framework Version
2.0.0
Node.js Version
v14.17.4
OS
macOS
Language
Typescript
Language Version
3.9.10
Other information
No response
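
A post-deploy check for the gap reported in this issue, as an added example that is not from the issue or the CDK project: it compares what the synthesized stage declares with what CloudFormation reports and lists every stack that was meant to be protected but is not. The function names and sample data are constructed, and the manifest fields `properties.stackName` and `properties.terminationProtection` are assumed to match the stage's `manifest.json` under `cdk.out`.

```typescript
// Added example. Assumes the stage manifest exposes properties.terminationProtection;
// only the fields this check reads are typed, and all sample data is constructed.
interface Artifact { type: string; properties?: { stackName?: string; terminationProtection?: boolean } }
interface Manifest { artifacts: { [id: string]: Artifact } }
interface DeployedStack { StackName: string; EnableTerminationProtection?: boolean }
interface Drift { stackName: string; status: "unprotected" | "not-deployed"; fix?: string }

// Names of stacks the synthesized app declares with terminationProtection: true.
function declaredProtected(manifest: Manifest): string[] {
  return Object.keys(manifest.artifacts)
    .filter((id) => {
      const a = manifest.artifacts[id];
      return a.type === "aws:cloudformation:stack" && a.properties?.terminationProtection === true;
    })
    .map((id) => manifest.artifacts[id].properties?.stackName ?? id);
}

// Compare declared intent with live state: report each declared-protected stack
// that is unprotected in, or absent from, the describe-stacks result.
function findDrift(manifest: Manifest, deployed: DeployedStack[]): Drift[] {
  const live: { [name: string]: boolean } = {};
  deployed.forEach((s) => { live[s.StackName] = s.EnableTerminationProtection === true; });
  const found: Drift[] = [];
  declaredProtected(manifest).forEach((stackName) => {
    if (!(stackName in live)) {
      found.push({ stackName, status: "not-deployed" });
    } else if (!live[stackName]) {
      const fix = `aws cloudformation update-termination-protection --enable-termination-protection --stack-name ${stackName}`;
      found.push({ stackName, status: "unprotected", fix });
    }
  });
  return found;
}

// Constructed stage manifest and constructed "Stacks" array from `aws cloudformation describe-stacks`.
const SAMPLE_MANIFEST: Manifest = {
  artifacts: {
    "Prod-MyappStack.assets": { type: "cdk:asset-manifest" },
    "Prod-MyappStack": { type: "aws:cloudformation:stack", properties: { stackName: "Prod-MyappStack", terminationProtection: true } },
    "Prod-OtherStack": { type: "aws:cloudformation:stack", properties: { stackName: "Prod-OtherStack", terminationProtection: false } },
    "Prod-NewStack": { type: "aws:cloudformation:stack", properties: { stackName: "Prod-NewStack", terminationProtection: true } },
  },
};
const SAMPLE_DEPLOYED: DeployedStack[] = [
  { StackName: "Prod-MyappStack", EnableTerminationProtection: false },
  { StackName: "Prod-OtherStack", EnableTerminationProtection: false },
];

findDrift(SAMPLE_MANIFEST, SAMPLE_DEPLOYED).forEach((d) => console.log(d.status, d.stackName, d.fix ?? ""));
```

Run as a step after the pipeline's deploy stage, a non-empty result is the signal to fail the run or to apply the printed command.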