pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

AWS SNS FIFO Topic with archive policy cannot be deleted by pulumi down. #4370

Open nemreid opened 2 months ago

nemreid commented 2 months ago

Describe what happened

Pulumi throws an error when trying to delete an SNS topic with an active archive policy.

Although this is intended AWS behavior to prevent unintended deletion of messages, it makes it impossible to manage this type of resource without manual intervention in every environment.

It should be possible to have some kind of override to allow deletion (by unsetting the archive_policy under the hood) for use in non-production environments.

Sample program

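from pulumi import ComponentResource
from pulumi_aws import sns

class SnsFifoTopicWithArchivePolicy(ComponentResource):
    def __init__(self, name: str):
        # Register the component; the type token here is a placeholder.
        super().__init__("example:sns:SnsFifoTopicWithArchivePolicy", name)
        # FIFO topic with a 14-day archive policy, the combination DeleteTopic rejects.
        self.topic = sns.Topic(
            f"{name}-topic",
            content_based_deduplication=True,
            fifo_topic=True,
            archive_policy='{"MessageRetentionPeriod": "14"}',
        )

# Instantiate the component so the topic is created; "name" matches the log output below.
SnsFifoTopicWithArchivePolicy("name")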

pulumi up -y

pulumi down -y

Log output

Diagnostics:
  aws:sns:Topic (name-topic):
    error: deleting urn:pulumi:stack::project::aws:sns/topic:Topic::name-topic: 1 error occurred:
        * deleting SNS Topic (arn:aws:sns::a-b-1:xxx:name-topic.fifo): operation error SNS: DeleteTopic, https response error StatusCode: 400, RequestID: xxx, InvalidState: Invalid state: Cannot delete a topic with an ArchivePolicy

  pulumi:pulumi:Stack (stack):
    error: update failed

Affected Resource(s)

sns.Topic with fifo_topic=True and archive_policy='{"MessageRetentionPeriod": "<int>"}'

Output of pulumi about

[redacted due to presence of internal packages]

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

t0yv0 commented 2 months ago

I'm sorry this is not working as expected for you. The workaround would be removing archive_policy from sources and executing pulumi up to detach the archive policy, followed by pulumi destroy to delete. This is indeed inconvenient.

I've filed a request in https://github.com/hashicorp/terraform-provider-aws/issues/38885 - the most expedient way for pulumi-aws to gain this feature is having it implemented in the upstream provider. Scanning the code there does not seem to be any functionality for this at the moment.
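One way to make the detach-then-destroy workaround repeatable per stack is sketched below. This is an added example, not code from the issue participants or from pulumi-aws. The config key `archiveRetentionDays` and the helper names are assumptions. It relies on the behaviour described in the comment above, that an update without `archive_policy` detaches the policy.

```python
"""Gate archive_policy on stack config so non-production stacks can be torn down."""
import json
from typing import List, Optional

# Hypothetical stack config key, set with `pulumi config set archiveRetentionDays 14`.
RETENTION_KEY = "archiveRetentionDays"


def topic_args(retention_days: Optional[int]) -> dict:
    """Build sns.Topic keyword arguments; omit archive_policy when retention is unset."""
    if retention_days is not None and retention_days < 1:
        raise ValueError("retention_days must be a positive number of days")
    args = {"fifo_topic": True, "content_based_deduplication": True}
    if retention_days is not None:
        # Same JSON shape as the sample program in the issue.
        args["archive_policy"] = json.dumps(
            {"MessageRetentionPeriod": str(retention_days)}
        )
    return args


def teardown_commands(archive_enabled: bool) -> List[List[str]]:
    """Ordered commands for the workaround: detach the policy, then destroy."""
    cmds: List[List[str]] = []
    if archive_enabled:
        # Dropping the key makes the next update run without archive_policy.
        cmds.append(["pulumi", "config", "rm", RETENTION_KEY])
        cmds.append(["pulumi", "up", "-y"])
    cmds.append(["pulumi", "down", "-y"])
    return cmds


def build_topic(name: str):
    """Call from a Pulumi program; pulumi and pulumi_aws are imported lazily."""
    import pulumi
    from pulumi_aws import sns

    days = pulumi.Config().get_int(RETENTION_KEY)  # None when the key is not set
    return sns.Topic(f"{name}-topic", **topic_args(days))
```

Leaving the key set on production stacks keeps the AWS deletion guard in effect there, since `pulumi down` still fails while the policy is attached.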

nemreid commented 2 months ago

Thank you, I have upvoted your terraform issue. From personal experience, I know changes there can take a while, but I hope we can make the pulumi experience better eventually!