aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(pipelines): terminationProtection is ignored on stacks deployed from a CDK CodePipeline #17871

Open mpvosseller opened 2 years ago

mpvosseller commented 2 years ago

What is the problem?

The Stack property terminationProtection is ignored when the Stack is deployed from a CDK CodePipeline.

If the stack is deployed directly from the CLI (not from the CDK CodePipeline) it works.

A repo demonstrating the issue can be found here: https://github.com/mpvosseller/cdk-pipeline-termination-protection

Reproduction Steps

1) Fork this repo: https://github.com/mpvosseller/cdk-pipeline-termination-protection
2) Create a plain text secret in SecretsManager with your github token
3) Update githubOwner, githubRepo, and githubAccessToken in the file myapp-pipeline-stack.ts
4) Run npm install
5) Run npm run cdk deploy
6) Log into the CloudFormation console
7) Wait for the MyappPipelineStack stack to deploy
8) Wait for the CodePipeline to complete and the Prod-MyappStack stack to be deployed
9) Observe that the MyappPipelineStack stack correctly has termination protection enabled
10) Observe that the Prod-MyappStack stack does NOT have termination protection enabled. This is the bug. terminationProtection was set to true but was not enabled.
11) Run npm run cdk deploy "MyappPipelineStack/Prod/MyappStack"
12) Observe that the Prod-MyappStack stack now has termination protection enabled.

What did you expect to happen?

The Prod-MyappStack should be deployed with termination protection enabled.

What actually happened?

The Prod-MyappStack was deployed without termination protection enabled.

CDK CLI Version

2.0.0 (build 4b6ce31)

Framework Version

2.0.0

Node.js Version

v14.17.4

OS

macOS

Language

Typescript

Language Version

3.9.10

Other information

No response

rix0rrr commented 2 years ago

It's true, CDK Pipelines cannot set the termination protection flag (because the CodePipeline CloudFormation deploy action does not support setting it).

What would your preferred behavior be? I'm thinking we should probably throw an error when we add a stack that has termination protection to the pipeline, what do you think?
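Since the CodePipeline deploy action cannot set the flag, the practical mitigation is to verify it after the pipeline runs. The script below is an added illustration, not code from the issue or the CDK project: it reads EnableTerminationProtection for each stack named on the command line and, when ENFORCE=1 is set, turns it on through the CloudFormation API the pipeline action lacks. It assumes the AWS CLI is on PATH with credentials for the target account; the stack names in the usage line are the constructed ones from the reproduction above.

```shell
#!/bin/sh
# Post-deploy check for stacks a CDK pipeline deployed: report (and optionally
# enforce) CloudFormation termination protection. Assumes the AWS CLI and
# credentials for the account that owns the stacks.
set -eu

AWS="${AWS:-aws}"   # CLI command; overridable so a stub can stand in for tests

# Print "True" or "False": the stack's EnableTerminationProtection flag.
tp_status() {
  "$AWS" cloudformation describe-stacks --stack-name "$1" \
    --query 'Stacks[0].EnableTerminationProtection' --output text
}

# Check every stack given. With ENFORCE=1, enable protection where it is off;
# otherwise only report. Returns 0 when all stacks end up protected, 1 if not.
verify_stacks() {
  unprotected=0
  for stack in "$@"; do
    status=$(tp_status "$stack")
    if [ "$status" = "True" ]; then
      echo "OK       $stack: termination protection enabled"
      continue
    fi
    if [ "${ENFORCE:-0}" = "1" ]; then
      "$AWS" cloudformation update-termination-protection \
        --enable-termination-protection --stack-name "$stack" >/dev/null
      echo "FIXED    $stack: termination protection was off, now enabled"
    else
      echo "MISSING  $stack: termination protection is off"
      unprotected=$((unprotected + 1))
    fi
  done
  [ "$unprotected" -eq 0 ]
}

# Usage (constructed stack names from the reproduction):
#   ENFORCE=1 ./check-tp.sh Prod-MyappStack MyappPipelineStack
[ "$#" -eq 0 ] || verify_stacks "$@"
```

Run it as a final pipeline step or a scheduled job so a stack that the deploy action left unprotected fails the run instead of going unnoticed.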

github-actions[bot] commented 2 years ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

mpvosseller commented 2 years ago

@rix0rrr Yea, as a stop gap, throwing an error seems better than letting people falsely believe their stack is protected.

Do you think it is possible to have someone on the CDK team file a feature request with the CloudFormation team to add support for whatever is needed to actually support this?

rix0rrr commented 2 years ago

Internal ref: D36476047

In the meantime, it's probably going to be a breaking change for many people if we turn this into an error, so a warning will have to do.

github-actions[bot] commented 1 year ago

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

saste commented 1 year ago

Please keep this open since the issue is still pending. Also, this should probably be documented to avoid people wondering why the protection is not enabled when they use pipelines.

andreprawira commented 4 months ago

Any updates, guys? I'm facing this issue as well. I opened an issue which is similar to this one (correct me if I'm wrong): https://github.com/aws/aws-cdk/issues/30405 @khushail @tim-finnigan @rix0rrr

khushail commented 4 months ago

@andreprawira , I will check the internal filed ticket (D36476047) with cloudformation team and share updates if any. Thanks for having patience!

andreprawira commented 4 months ago

@khushail thx

andreprawira commented 4 months ago

@khushail I think it works now? I saw termination protection is somehow enabled; the way I do it is termination_protection=True through the constructor of the CDK.

philasmar commented 3 months ago

We are facing the same issue. We have a CodePipeline with cross-account support. Every time the pipeline runs, a support stack is created/updated in one of the AWS accounts with termination protection disabled. We have set termination protection to true everywhere we could in the code. We also ran the cdk bootstrap command with --termination-protection. I think this is a bug in CDK.