aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

RDS: Deleting the cluster fails (maybe because of wrong order of deletion) #31871

Open stephanpelikan opened 2 days ago

stephanpelikan commented 2 days ago

Describe the bug

I created a RDS-cluster (see script below). After using it for a while I needed to destroy it. The cdk destroy command fails:

[screenshot of the cdk destroy output]

This is a little bit strange because it wants to delete the security group first, before the cluster. Imho this fails because the cluster still uses the security group. I don't understand why the cluster, the reader and the writer are DELETE_SKIPPED. How to deal with this?

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

On deleting an RDS-cluster everything is deleted in the correct order or is forced to be deleted.

Current Behavior

Deletion fails.

Reproduction Steps

This is the way I created the cluster:

```typescript
// Imports assumed for this fragment; it sits inside a Stack constructor where
// `props.vpc` (an aws_ec2.IVpc) and `APP_NAME` are already in scope.
import * as cdk from 'aws-cdk-lib';
import { aws_ec2, aws_rds } from 'aws-cdk-lib';

// aws rds describe-db-engine-versions --engine aurora-postgresql --filter "Name=engine-mode,Values=serverless"
const AURORA_POSTGRES_ENGINE_VERSION = aws_rds.AuroraPostgresEngineVersion.VER_15_6;
// Only the major version is used here: it selects the default cluster parameter group.
const RDS_MAJOR_VERSION = AURORA_POSTGRES_ENGINE_VERSION.auroraPostgresMajorVersion.split('.')[0];

const parameterGroup = aws_rds.ParameterGroup.fromParameterGroupName(
  this,
  "PostgreSqlParameterGroup",
  `default.aurora-postgresql${RDS_MAJOR_VERSION}`
);
const cluster = new aws_rds.DatabaseCluster(this, 'PostgresqlCluster', {
  clusterIdentifier: APP_NAME,
  // Unversioned engine constant: the synthesized template carries no EngineVersion.
  engine: aws_rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
  vpc: props.vpc,
  vpcSubnets: {
    subnetType: aws_ec2.SubnetType.PRIVATE_WITH_EGRESS
  } as aws_ec2.SubnetSelection,
  parameterGroup,
  storageType: aws_rds.DBClusterStorageType.AURORA_IOPT1,
  serverlessV2MinCapacity: aws_rds.AuroraCapacityUnit.ACU_1,
  serverlessV2MaxCapacity: aws_rds.AuroraCapacityUnit.ACU_2,
  writer: aws_rds.ClusterInstance.serverlessV2('writer', {
    publiclyAccessible: false,
    allowMajorVersionUpgrade: true,
    autoMinorVersionUpgrade: true,
  }),
  readers: [
    aws_rds.ClusterInstance.serverlessV2('reader', {
      publiclyAccessible: false,
      allowMajorVersionUpgrade: true,
      autoMinorVersionUpgrade: true,
      // Cluster PostgresqlCluster only has serverless readers and no reader is in promotion tier 0-1. Serverless
      // readers in promotion tiers >= 2 will NOT scale with the writer, which can lead to availability issues
      // if a failover event occurs. It is recommended that at least one reader has `scaleWithWriter` set to true
      scaleWithWriter: true,
    }),
  ],
  credentials: aws_rds.Credentials.fromGeneratedSecret("root", { secretName: `${APP_NAME}-DB-root` }),
  // RETAIN puts DeletionPolicy: Retain on the cluster, its instances and the subnet group,
  // and the construct also emits DeletionProtection: true (see the synthesized template).
  removalPolicy: cdk.RemovalPolicy.RETAIN,
  instanceIdentifierBase: APP_NAME,
  defaultDatabaseName: APP_NAME,
});
// Adds an ingress rule for the DB port from 0.0.0.0/0 on the cluster's security group,
// not only from the VPC's own address range.
cluster.connections.allowDefaultPortFromAnyIpv4('For EKS cluster and other services of private VPC subnet');

// Enable the data api via "layer 1" shenanigans: override the property on the L1 CfnDBCluster
(cluster.node.defaultChild as aws_rds.CfnDBCluster).addOverride('Properties.EnableHttpEndpoint', true);
```

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.152.0 (build faa7d79)

Framework Version

No response

Node.js Version

v22.6.0

OS

macos

Language

TypeScript

Language Version

5.5.4

Other information

No response

khushail commented 21 hours ago

Hi @stephanpelikan , thanks for reaching out.

You have put the removal policy to retain.

removal_policy (Optional[[RemovalPolicy](https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk/RemovalPolicy.html#aws_cdk.RemovalPolicy)]) – The removal policy to apply when the cluster and its instances are removed from the stack or replaced during an update. Default: - RemovalPolicy.SNAPSHOT (remove the cluster and instances, but retain a snapshot of the data)

The error "DELETE_SKIPPED" might be due to the deletion policy of the cluster. Could you please disable the deletion policy, like removalPolicy: RemovalPolicy.DESTROY, and see if that solves the issue.

Let me know if it works for you!

ashishdhingra commented 20 hours ago

@stephanpelikan Good afternoon. Using your code below:

```typescript
import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as rds from 'aws-cdk-lib/aws-rds';

export class RdsStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // aws rds describe-db-engine-versions --engine aurora-postgresql --filter "Name=engine-mode,Values=serverless"
    const AURORA_POSTGRES_ENGINE_VERSION = rds.AuroraPostgresEngineVersion.VER_15_6;
    const RDS_MAJOR_VERSION = AURORA_POSTGRES_ENGINE_VERSION.auroraPostgresMajorVersion.split('.')[0];
    const APP_NAME = 'TestRdsClusterStack';

    const vpc = new ec2.Vpc(this, 'RdsVpc');
    const parameterGroup = rds.ParameterGroup.fromParameterGroupName(
      this,
      "PostgreSqlParameterGroup",
      `default.aurora-postgresql${RDS_MAJOR_VERSION}`
    );
    const cluster = new rds.DatabaseCluster(this, 'PostgresqlCluster', {
      clusterIdentifier: APP_NAME,
      engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
      vpc: vpc,
      vpcSubnets: {
        subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS
      } as ec2.SubnetSelection,
      parameterGroup,
      storageType: rds.DBClusterStorageType.AURORA_IOPT1,
      serverlessV2MinCapacity: rds.AuroraCapacityUnit.ACU_1,
      serverlessV2MaxCapacity: rds.AuroraCapacityUnit.ACU_2,
      writer: rds.ClusterInstance.serverlessV2('writer', {
        publiclyAccessible: false,
        allowMajorVersionUpgrade: true,
        autoMinorVersionUpgrade: true,
      }),
      readers: [
        rds.ClusterInstance.serverlessV2('reader', {
          publiclyAccessible: false,
          allowMajorVersionUpgrade: true,
          autoMinorVersionUpgrade: true,
          // Cluster PostgresqlCluster only has serverless readers and no reader is in promotion tier 0-1. Serverless
          // readers in promotion tiers >= 2 will NOT scale with the writer, which can lead to availability issues
          // if a failover event occurs. It is recommended that at least one reader has `scaleWithWriter` set to true
          scaleWithWriter: true,
        }),
      ],
      credentials: rds.Credentials.fromGeneratedSecret("root", { secretName: `${APP_NAME}-DB-root` }),
      removalPolicy: cdk.RemovalPolicy.RETAIN,
      instanceIdentifierBase: APP_NAME,
      defaultDatabaseName: APP_NAME,
    });
    cluster.connections.allowDefaultPortFromAnyIpv4('For EKS cluster and other services of private VPC subnet');

    // Enable the data api via "layer 1" shenanigans
    // @ts-ignore
    cluster.node.defaultChild.addOverride('Properties.EnableHttpEndpoint', true);
  }
}
```

produces the CFN template below:

Generated CloudFormation template

```json
{ "Resources": { "RdsVpc4B595F80": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsHostnames": true, "EnableDnsSupport": true, "InstanceTenancy": "default", "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc" } ] }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/Resource" } }, "RdsVpcPublicSubnet1Subnet5B0073A2": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": "us-east-2a", "CidrBlock": "10.0.0.0/19", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "Public" }, { "Key": "aws-cdk:subnet-type", "Value": "Public" }, { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet1" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet1/Subnet" } }, "RdsVpcPublicSubnet1RouteTable461E88F8": { "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet1" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet1/RouteTable" } }, "RdsVpcPublicSubnet1RouteTableAssociation67E17D4B": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { "Ref": "RdsVpcPublicSubnet1RouteTable461E88F8" }, "SubnetId": { "Ref": "RdsVpcPublicSubnet1Subnet5B0073A2" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet1/RouteTableAssociation" } }, "RdsVpcPublicSubnet1DefaultRoute7CB81783": { "Type": "AWS::EC2::Route", "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "RdsVpcIGW6F2E5517" }, "RouteTableId": { "Ref": "RdsVpcPublicSubnet1RouteTable461E88F8" } }, "DependsOn": [ "RdsVpcVPCGW5C34CC78" ], "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet1/DefaultRoute" } }, "RdsVpcPublicSubnet1EIP85D94D47": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc", "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet1" } ] }, "Metadata": { 
"aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet1/EIP" } }, "RdsVpcPublicSubnet1NATGateway70C13679": { "Type": "AWS::EC2::NatGateway", "Properties": { "AllocationId": { "Fn::GetAtt": [ "RdsVpcPublicSubnet1EIP85D94D47", "AllocationId" ] }, "SubnetId": { "Ref": "RdsVpcPublicSubnet1Subnet5B0073A2" }, "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet1" } ] }, "DependsOn": [ "RdsVpcPublicSubnet1DefaultRoute7CB81783", "RdsVpcPublicSubnet1RouteTableAssociation67E17D4B" ], "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet1/NATGateway" } }, "RdsVpcPublicSubnet2SubnetCF82436C": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": "us-east-2b", "CidrBlock": "10.0.32.0/19", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "Public" }, { "Key": "aws-cdk:subnet-type", "Value": "Public" }, { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet2" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet2/Subnet" } }, "RdsVpcPublicSubnet2RouteTableF0384A3B": { "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet2" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet2/RouteTable" } }, "RdsVpcPublicSubnet2RouteTableAssociation5492DF0B": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { "Ref": "RdsVpcPublicSubnet2RouteTableF0384A3B" }, "SubnetId": { "Ref": "RdsVpcPublicSubnet2SubnetCF82436C" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet2/RouteTableAssociation" } }, "RdsVpcPublicSubnet2DefaultRoute4D7425A7": { "Type": "AWS::EC2::Route", "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "RdsVpcIGW6F2E5517" }, "RouteTableId": { "Ref": "RdsVpcPublicSubnet2RouteTableF0384A3B" } }, "DependsOn": [ "RdsVpcVPCGW5C34CC78" ], "Metadata": { "aws:cdk:path": 
"RdsStack/RdsVpc/PublicSubnet2/DefaultRoute" } }, "RdsVpcPublicSubnet2EIP5AA90403": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc", "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet2" } ] }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet2/EIP" } }, "RdsVpcPublicSubnet2NATGatewayDD5786B8": { "Type": "AWS::EC2::NatGateway", "Properties": { "AllocationId": { "Fn::GetAtt": [ "RdsVpcPublicSubnet2EIP5AA90403", "AllocationId" ] }, "SubnetId": { "Ref": "RdsVpcPublicSubnet2SubnetCF82436C" }, "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet2" } ] }, "DependsOn": [ "RdsVpcPublicSubnet2DefaultRoute4D7425A7", "RdsVpcPublicSubnet2RouteTableAssociation5492DF0B" ], "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet2/NATGateway" } }, "RdsVpcPublicSubnet3Subnet7527EFEF": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": "us-east-2c", "CidrBlock": "10.0.64.0/19", "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "Public" }, { "Key": "aws-cdk:subnet-type", "Value": "Public" }, { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet3" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet3/Subnet" } }, "RdsVpcPublicSubnet3RouteTable2CA5A427": { "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet3" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet3/RouteTable" } }, "RdsVpcPublicSubnet3RouteTableAssociation6CA1B30E": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { "Ref": "RdsVpcPublicSubnet3RouteTable2CA5A427" }, "SubnetId": { "Ref": "RdsVpcPublicSubnet3Subnet7527EFEF" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet3/RouteTableAssociation" } }, "RdsVpcPublicSubnet3DefaultRoute0A124EE4": { "Type": "AWS::EC2::Route", "Properties": { "DestinationCidrBlock": 
"0.0.0.0/0", "GatewayId": { "Ref": "RdsVpcIGW6F2E5517" }, "RouteTableId": { "Ref": "RdsVpcPublicSubnet3RouteTable2CA5A427" } }, "DependsOn": [ "RdsVpcVPCGW5C34CC78" ], "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet3/DefaultRoute" } }, "RdsVpcPublicSubnet3EIP172624D2": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc", "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet3" } ] }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet3/EIP" } }, "RdsVpcPublicSubnet3NATGateway901D1A93": { "Type": "AWS::EC2::NatGateway", "Properties": { "AllocationId": { "Fn::GetAtt": [ "RdsVpcPublicSubnet3EIP172624D2", "AllocationId" ] }, "SubnetId": { "Ref": "RdsVpcPublicSubnet3Subnet7527EFEF" }, "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PublicSubnet3" } ] }, "DependsOn": [ "RdsVpcPublicSubnet3DefaultRoute0A124EE4", "RdsVpcPublicSubnet3RouteTableAssociation6CA1B30E" ], "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PublicSubnet3/NATGateway" } }, "RdsVpcPrivateSubnet1SubnetEDFDAD88": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": "us-east-2a", "CidrBlock": "10.0.96.0/19", "MapPublicIpOnLaunch": false, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "Private" }, { "Key": "aws-cdk:subnet-type", "Value": "Private" }, { "Key": "Name", "Value": "RdsStack/RdsVpc/PrivateSubnet1" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet1/Subnet" } }, "RdsVpcPrivateSubnet1RouteTable08F56F2B": { "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PrivateSubnet1" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet1/RouteTable" } }, "RdsVpcPrivateSubnet1RouteTableAssociation826793A2": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { "Ref": "RdsVpcPrivateSubnet1RouteTable08F56F2B" }, "SubnetId": { "Ref": "RdsVpcPrivateSubnet1SubnetEDFDAD88" } 
}, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet1/RouteTableAssociation" } }, "RdsVpcPrivateSubnet1DefaultRoute3428EBA3": { "Type": "AWS::EC2::Route", "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "RdsVpcPublicSubnet1NATGateway70C13679" }, "RouteTableId": { "Ref": "RdsVpcPrivateSubnet1RouteTable08F56F2B" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet1/DefaultRoute" } }, "RdsVpcPrivateSubnet2SubnetC48E44F0": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": "us-east-2b", "CidrBlock": "10.0.128.0/19", "MapPublicIpOnLaunch": false, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "Private" }, { "Key": "aws-cdk:subnet-type", "Value": "Private" }, { "Key": "Name", "Value": "RdsStack/RdsVpc/PrivateSubnet2" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet2/Subnet" } }, "RdsVpcPrivateSubnet2RouteTableF033C61F": { "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PrivateSubnet2" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet2/RouteTable" } }, "RdsVpcPrivateSubnet2RouteTableAssociationFE8A14DD": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { "Ref": "RdsVpcPrivateSubnet2RouteTableF033C61F" }, "SubnetId": { "Ref": "RdsVpcPrivateSubnet2SubnetC48E44F0" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet2/RouteTableAssociation" } }, "RdsVpcPrivateSubnet2DefaultRoute5BBFA3CC": { "Type": "AWS::EC2::Route", "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "RdsVpcPublicSubnet2NATGatewayDD5786B8" }, "RouteTableId": { "Ref": "RdsVpcPrivateSubnet2RouteTableF033C61F" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet2/DefaultRoute" } }, "RdsVpcPrivateSubnet3Subnet287D7C2B": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": 
"us-east-2c", "CidrBlock": "10.0.160.0/19", "MapPublicIpOnLaunch": false, "Tags": [ { "Key": "aws-cdk:subnet-name", "Value": "Private" }, { "Key": "aws-cdk:subnet-type", "Value": "Private" }, { "Key": "Name", "Value": "RdsStack/RdsVpc/PrivateSubnet3" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet3/Subnet" } }, "RdsVpcPrivateSubnet3RouteTable1182FE58": { "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc/PrivateSubnet3" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet3/RouteTable" } }, "RdsVpcPrivateSubnet3RouteTableAssociation3B2AA361": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { "Ref": "RdsVpcPrivateSubnet3RouteTable1182FE58" }, "SubnetId": { "Ref": "RdsVpcPrivateSubnet3Subnet287D7C2B" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet3/RouteTableAssociation" } }, "RdsVpcPrivateSubnet3DefaultRoute4C81B9CC": { "Type": "AWS::EC2::Route", "Properties": { "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "RdsVpcPublicSubnet3NATGateway901D1A93" }, "RouteTableId": { "Ref": "RdsVpcPrivateSubnet3RouteTable1182FE58" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/PrivateSubnet3/DefaultRoute" } }, "RdsVpcIGW6F2E5517": { "Type": "AWS::EC2::InternetGateway", "Properties": { "Tags": [ { "Key": "Name", "Value": "RdsStack/RdsVpc" } ] }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/IGW" } }, "RdsVpcVPCGW5C34CC78": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { "InternetGatewayId": { "Ref": "RdsVpcIGW6F2E5517" }, "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/VPCGW" } }, "RdsVpcRestrictDefaultSecurityGroupCustomResourceBF3D85EF": { "Type": "Custom::VpcRestrictDefaultSG", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E", "Arn" ] 
}, "DefaultSecurityGroupId": { "Fn::GetAtt": [ "RdsVpc4B595F80", "DefaultSecurityGroup" ] }, "Account": "139480602983" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "RdsStack/RdsVpc/RestrictDefaultSecurityGroupCustomResource/Default" } }, "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ] }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } ], "Policies": [ { "PolicyName": "Inline", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress" ], "Resource": [ { "Fn::Join": [ "", [ "arn:aws:ec2:us-east-2:139480602983:security-group/", { "Fn::GetAtt": [ "RdsVpc4B595F80", "DefaultSecurityGroup" ] } ] ] } ] } ] } } ] }, "Metadata": { "aws:cdk:path": "RdsStack/Custom::VpcRestrictDefaultSGCustomResourceProvider/Role" } }, "CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E": { "Type": "AWS::Lambda::Function", "Properties": { "Code": { "S3Bucket": "cdk-hnb659fds-assets-139480602983-us-east-2", "S3Key": "ee7de53d64cc9d6248fa6aa550f92358f6c907b5efd6f3298aeab1b5e7ea358a.zip" }, "Timeout": 900, "MemorySize": 128, "Handler": "__entrypoint__.handler", "Role": { "Fn::GetAtt": [ "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0", "Arn" ] }, "Runtime": "nodejs20.x", "Description": "Lambda function for removing all inbound/outbound rules from the VPC default security group" }, "DependsOn": [ "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0" ], "Metadata": { "aws:cdk:path": 
"RdsStack/Custom::VpcRestrictDefaultSGCustomResourceProvider/Handler", "aws:asset:path": "asset.ee7de53d64cc9d6248fa6aa550f92358f6c907b5efd6f3298aeab1b5e7ea358a", "aws:asset:property": "Code" } }, "PostgresqlClusterSubnetsE44ECA65": { "Type": "AWS::RDS::DBSubnetGroup", "Properties": { "DBSubnetGroupDescription": "Subnets for PostgresqlCluster database", "SubnetIds": [ { "Ref": "RdsVpcPrivateSubnet1SubnetEDFDAD88" }, { "Ref": "RdsVpcPrivateSubnet2SubnetC48E44F0" }, { "Ref": "RdsVpcPrivateSubnet3Subnet287D7C2B" } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "RdsStack/PostgresqlCluster/Subnets/Default" } }, "PostgresqlClusterSecurityGroupA1E50D0D": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "RDS security group", "SecurityGroupEgress": [ { "CidrIp": "0.0.0.0/0", "Description": "Allow all outbound traffic by default", "IpProtocol": "-1" } ], "VpcId": { "Ref": "RdsVpc4B595F80" } }, "Metadata": { "aws:cdk:path": "RdsStack/PostgresqlCluster/SecurityGroup/Resource" } }, "PostgresqlClusterSecurityGroupfrom00000IndirectPort5BC3D866": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "CidrIp": "0.0.0.0/0", "Description": "For EKS cluster and other services of private VPC subnet", "FromPort": { "Fn::GetAtt": [ "PostgresqlCluster304F9FCE", "Endpoint.Port" ] }, "GroupId": { "Fn::GetAtt": [ "PostgresqlClusterSecurityGroupA1E50D0D", "GroupId" ] }, "IpProtocol": "tcp", "ToPort": { "Fn::GetAtt": [ "PostgresqlCluster304F9FCE", "Endpoint.Port" ] } }, "Metadata": { "aws:cdk:path": "RdsStack/PostgresqlCluster/SecurityGroup/from 0.0.0.0_0:{IndirectPort}" } }, "RdsStackPostgresqlClusterSecret08245C7B3fdaad7efa858a3daf9490cf0a702aeb": { "Type": "AWS::SecretsManager::Secret", "Properties": { "Description": { "Fn::Join": [ "", [ "Generated by the CDK for stack: ", { "Ref": "AWS::StackName" } ] ] }, "GenerateSecretString": { "ExcludeCharacters": " %+~`#$&*()|[]{}:;<>?!'/@\"\\", "GenerateStringKey": 
"password", "PasswordLength": 30, "SecretStringTemplate": "{\"username\":\"root\"}" }, "Name": "TestRdsClusterStack-DB-root" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "RdsStack/PostgresqlCluster/Secret/Resource" } }, "PostgresqlClusterSecretAttachment5C5F253E": { "Type": "AWS::SecretsManager::SecretTargetAttachment", "Properties": { "SecretId": { "Ref": "RdsStackPostgresqlClusterSecret08245C7B3fdaad7efa858a3daf9490cf0a702aeb" }, "TargetId": { "Ref": "PostgresqlCluster304F9FCE" }, "TargetType": "AWS::RDS::DBCluster" }, "Metadata": { "aws:cdk:path": "RdsStack/PostgresqlCluster/Secret/Attachment/Resource" } }, "PostgresqlCluster304F9FCE": { "Type": "AWS::RDS::DBCluster", "Properties": { "CopyTagsToSnapshot": true, "DBClusterIdentifier": "testrdsclusterstack", "DBClusterParameterGroupName": "default.aurora-postgresql15", "DBSubnetGroupName": { "Ref": "PostgresqlClusterSubnetsE44ECA65" }, "DatabaseName": "TestRdsClusterStack", "DeletionProtection": true, "EnableHttpEndpoint": true, "Engine": "aurora-postgresql", "MasterUserPassword": { "Fn::Join": [ "", [ "{{resolve:secretsmanager:", { "Ref": "RdsStackPostgresqlClusterSecret08245C7B3fdaad7efa858a3daf9490cf0a702aeb" }, ":SecretString:password::}}" ] ] }, "MasterUsername": "root", "Port": 5432, "ServerlessV2ScalingConfiguration": { "MaxCapacity": 2, "MinCapacity": 1 }, "StorageType": "aurora-iopt1", "VpcSecurityGroupIds": [ { "Fn::GetAtt": [ "PostgresqlClusterSecurityGroupA1E50D0D", "GroupId" ] } ] }, "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "RdsStack/PostgresqlCluster/Resource" } }, "PostgresqlClusterwriterD9CC319B": { "Type": "AWS::RDS::DBInstance", "Properties": { "AllowMajorVersionUpgrade": true, "AutoMinorVersionUpgrade": true, "DBClusterIdentifier": { "Ref": "PostgresqlCluster304F9FCE" }, "DBInstanceClass": "db.serverless", "Engine": "aurora-postgresql", "PromotionTier": 0, "PubliclyAccessible": false }, 
"DependsOn": [ "RdsVpcPrivateSubnet1DefaultRoute3428EBA3", "RdsVpcPrivateSubnet1RouteTableAssociation826793A2", "RdsVpcPrivateSubnet2DefaultRoute5BBFA3CC", "RdsVpcPrivateSubnet2RouteTableAssociationFE8A14DD", "RdsVpcPrivateSubnet3DefaultRoute4C81B9CC", "RdsVpcPrivateSubnet3RouteTableAssociation3B2AA361" ], "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "RdsStack/PostgresqlCluster/writer/Resource" } }, "PostgresqlClusterreader7A244A54": { "Type": "AWS::RDS::DBInstance", "Properties": { "AllowMajorVersionUpgrade": true, "AutoMinorVersionUpgrade": true, "DBClusterIdentifier": { "Ref": "PostgresqlCluster304F9FCE" }, "DBInstanceClass": "db.serverless", "Engine": "aurora-postgresql", "PromotionTier": 1, "PubliclyAccessible": false }, "DependsOn": [ "PostgresqlClusterwriterD9CC319B", "RdsVpcPrivateSubnet1DefaultRoute3428EBA3", "RdsVpcPrivateSubnet1RouteTableAssociation826793A2", "RdsVpcPrivateSubnet2DefaultRoute5BBFA3CC", "RdsVpcPrivateSubnet2RouteTableAssociationFE8A14DD", "RdsVpcPrivateSubnet3DefaultRoute4C81B9CC", "RdsVpcPrivateSubnet3RouteTableAssociation3B2AA361" ], "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain", "Metadata": { "aws:cdk:path": "RdsStack/PostgresqlCluster/reader/Resource" } }, "CDKMetadata": { "Type": "AWS::CDK::Metadata", "Properties": { "Analytics": "v2:deflate64:H4sIAAAAAAAA/31P0W7CMAz8Ft5DNqpp2iuUCfVlqlrE6+Smpgu0CbIdEKr671PpaNGk7el85zvnEunFa6QXM7jw3JTHeW0L3eYC5qjgwp8tmki3u5NR8d7t0liloaityUPhUHptmjIfBLdQ1Djpk7Zk9saCWO9Gcz+8J2kPHyAbELzAVaVkzyA4HU6cIDkcDUOTH7YUAfPVoBOVowlk5bohH063Dv8KiasImTtFJet2DQIFMMZ1YEFSw/Njcr16FO7mHA0NHdere/BGEscCzmCn+GbhBhxUSLodWvSpAbZAFcrDL0bD703XqQzZBzKo4sDim4nu3R+rlPzZlkgrYFRLZpRcoLKu6pTzJeoDP50Xbzp61i+zA1s7p+DENqizAb8BNqDkwx8CAAA=" }, "Metadata": { "aws:cdk:path": "RdsStack/CDKMetadata/Default" } } }, "Parameters": { "BootstrapVersion": { "Type": "AWS::SSM::Parameter::Value", "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap 
resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" } }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5" ], { "Ref": "BootstrapVersion" } ] } ] }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." } ] } } }
```

As @khushail pointed out, in your CDK code removalPolicy: cdk.RemovalPolicy.RETAIN causes the DeletionPolicy for the resource AWS::RDS::DBCluster (and some other resources) to be Retain. This causes CloudFormation to skip deleting those resources, and when it then tries to delete the SecurityGroup, it fails since it has dependent resources.

Thanks, Ashish
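The sequence the reporter saw (cluster, writer and reader DELETE_SKIPPED, then the security group failing) and the explanation in the last comment can be reproduced offline with a small model of CloudFormation's deletion pass. The block below is an added example, not code from the aws-cdk project or from either commenter. It assumes a simplified model (resources are deleted in reverse dependency order; Retain resources are skipped; a Delete resource that a skipped resource still uses fails for services that enforce the dependency, of which only AWS::EC2::SecurityGroup is modelled, and is otherwise deleted; a resource whose dependent was not deleted is never attempted) and runs it over a constructed, hand-reduced version of the synthesized template above, with the logical IDs shortened to drop the hash suffixes.

```typescript
// Added example (not aws-cdk project code): a plain-TypeScript model of CloudFormation's
// deletion pass over a template that carries DeletionPolicy: Retain on some resources.
type DeletionPolicy = 'Delete' | 'Retain' | 'Snapshot';
export interface CfnResource {
  Type: string;
  Properties?: unknown;
  DependsOn?: string | string[];
  DeletionPolicy?: DeletionPolicy;
}
export interface CfnTemplate { Resources: { [logicalId: string]: CfnResource } }
export type DeleteStatus = 'DELETE_COMPLETE' | 'DELETE_SKIPPED' | 'DELETE_FAILED' | 'NOT_ATTEMPTED';
export interface DestroyReport {
  outcomes: { [logicalId: string]: { status: DeleteStatus; reason: string } };
  // Delete-policy resources removed although a retained resource still references them.
  orphanedReferences: { retained: string; deleted: string }[];
  stackStatus: 'DELETE_COMPLETE' | 'DELETE_FAILED';
}
// Modelling assumption: only these types reject deletion (DependencyViolation) while in use.
const IN_USE_ENFORCED: { [type: string]: true } = { 'AWS::EC2::SecurityGroup': true };

function addUnique(list: string[], item: string): void {
  if (list.indexOf(item) < 0) list.push(item);
}

// Walk a property value and collect logical IDs used through Ref or Fn::GetAtt.
function collectRefs(value: unknown, isResource: { [id: string]: true }, out: string[]): void {
  if (Array.isArray(value)) {
    value.forEach(v => collectRefs(v, isResource, out));
  } else if (value !== null && typeof value === 'object') {
    const obj = value as { [key: string]: unknown };
    if (typeof obj.Ref === 'string' && isResource[obj.Ref]) addUnique(out, obj.Ref);
    const getAtt = obj['Fn::GetAtt'];
    if (Array.isArray(getAtt) && typeof getAtt[0] === 'string' && isResource[getAtt[0]]) addUnique(out, getAtt[0]);
    Object.keys(obj).forEach(k => collectRefs(obj[k], isResource, out));
  }
}

// logicalId -> logical IDs it depends on (Ref, Fn::GetAtt and DependsOn).
export function dependencyGraph(template: CfnTemplate): { [id: string]: string[] } {
  const isResource: { [id: string]: true } = {};
  Object.keys(template.Resources).forEach(id => { isResource[id] = true; });
  const graph: { [id: string]: string[] } = {};
  Object.keys(template.Resources).forEach(id => {
    const res = template.Resources[id];
    const deps: string[] = [];
    collectRefs(res.Properties, isResource, deps);
    const explicit: string[] = res.DependsOn === undefined ? [] : ([] as string[]).concat(res.DependsOn);
    explicit.forEach(d => { if (isResource[d]) addUnique(deps, d); });
    graph[id] = deps;
  });
  return graph;
}

export function simulateDestroy(template: CfnTemplate): DestroyReport {
  const deps = dependencyGraph(template);
  const ids = Object.keys(deps);
  const users: { [id: string]: string[] } = {}; // reverse edges: which resources still use me?
  ids.forEach(id => { users[id] = []; });
  ids.forEach(id => deps[id].forEach(d => users[d].push(id)));
  const outcomes: DestroyReport['outcomes'] = {};
  const orphanedReferences: DestroyReport['orphanedReferences'] = [];
  let pending = ids.slice();
  while (pending.length > 0) {
    // A resource is handled only after everything that uses it has been handled.
    const ready = pending.filter(id => users[id].every(u => u in outcomes));
    if (ready.length === 0) throw new Error('dependency cycle in template');
    pending = pending.filter(id => ready.indexOf(id) < 0);
    ready.forEach(id => {
      const res = template.Resources[id];
      const policy = res.DeletionPolicy ?? 'Delete';
      const stuck = users[id].filter(u => outcomes[u].status === 'DELETE_FAILED' || outcomes[u].status === 'NOT_ATTEMPTED');
      const retained = users[id].filter(u => outcomes[u].status === 'DELETE_SKIPPED');
      if (policy === 'Retain') {
        outcomes[id] = { status: 'DELETE_SKIPPED', reason: 'DeletionPolicy: Retain' };
      } else if (stuck.length > 0) {
        outcomes[id] = { status: 'NOT_ATTEMPTED', reason: 'dependent ' + stuck[0] + ' was not deleted' };
      } else if (retained.length > 0 && IN_USE_ENFORCED[res.Type]) {
        outcomes[id] = { status: 'DELETE_FAILED', reason: 'DependencyViolation: still used by retained ' + retained[0] };
      } else {
        retained.forEach(r => orphanedReferences.push({ retained: r, deleted: id }));
        outcomes[id] = { status: 'DELETE_COMPLETE', reason: policy === 'Snapshot' ? 'snapshot taken, then deleted' : 'DeletionPolicy: Delete' };
      }
    });
  }
  const clean = ids.every(id => outcomes[id].status === 'DELETE_COMPLETE' || outcomes[id].status === 'DELETE_SKIPPED');
  return { outcomes, orphanedReferences, stackStatus: clean ? 'DELETE_COMPLETE' : 'DELETE_FAILED' };
}

// Constructed sample input: a hand-reduced version of the template shown in this issue.
export const SAMPLE_TEMPLATE: CfnTemplate = { Resources: {
  RdsVpc: { Type: 'AWS::EC2::VPC', Properties: { CidrBlock: '10.0.0.0/16' } },
  PostgresqlClusterSubnets: { Type: 'AWS::RDS::DBSubnetGroup', Properties: { SubnetIds: [] }, DeletionPolicy: 'Retain' },
  PostgresqlClusterSecurityGroup: { Type: 'AWS::EC2::SecurityGroup', Properties: { VpcId: { Ref: 'RdsVpc' } } },
  PostgresqlClusterIngress: { Type: 'AWS::EC2::SecurityGroupIngress', Properties: { CidrIp: '0.0.0.0/0',
    GroupId: { 'Fn::GetAtt': ['PostgresqlClusterSecurityGroup', 'GroupId'] }, FromPort: { 'Fn::GetAtt': ['PostgresqlCluster', 'Endpoint.Port'] } } },
  PostgresqlClusterSecret: { Type: 'AWS::SecretsManager::Secret', Properties: { Name: 'app-DB-root' } },
  PostgresqlClusterSecretAttachment: { Type: 'AWS::SecretsManager::SecretTargetAttachment', Properties: {
    SecretId: { Ref: 'PostgresqlClusterSecret' }, TargetId: { Ref: 'PostgresqlCluster' } } },
  PostgresqlCluster: { Type: 'AWS::RDS::DBCluster', DeletionPolicy: 'Retain', Properties: { DBSubnetGroupName: { Ref: 'PostgresqlClusterSubnets' },
    MasterUserPassword: { 'Fn::Join': ['', ['{{resolve:secretsmanager:', { Ref: 'PostgresqlClusterSecret' }, ':SecretString:password::}}']] },
    VpcSecurityGroupIds: [{ 'Fn::GetAtt': ['PostgresqlClusterSecurityGroup', 'GroupId'] }] } },
  PostgresqlClusterWriter: { Type: 'AWS::RDS::DBInstance', DeletionPolicy: 'Retain', Properties: { DBClusterIdentifier: { Ref: 'PostgresqlCluster' } } },
  PostgresqlClusterReader: { Type: 'AWS::RDS::DBInstance', DeletionPolicy: 'Retain', DependsOn: 'PostgresqlClusterWriter', Properties: { DBClusterIdentifier: { Ref: 'PostgresqlCluster' } } },
} };

const report = simulateDestroy(SAMPLE_TEMPLATE);
Object.keys(report.outcomes).forEach(id => console.log(report.outcomes[id].status + '  ' + id + '  (' + report.outcomes[id].reason + ')'));
console.log('stack: ' + report.stackStatus + ', orphaned: ' + JSON.stringify(report.orphanedReferences));
```

Two caveats the report makes visible. First, cdk destroy deletes the stack with the DeletionPolicy values that are already deployed, so switching the code to RemovalPolicy.DESTROY only helps after a cdk deploy has updated the live stack (that deploy also drops the DeletionProtection: true the construct emitted together with RETAIN, which would otherwise still block deleting the retained cluster by hand). Second, orphanedReferences flags the generated secret: it carries DeletionPolicy: Delete while the cluster is retained, so after the destroy the retained cluster keeps running with a master password that exists only in a secret scheduled for deletion; retain the secret as well, or rotate the credentials before tearing the stack down.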