aws-cdk: [cli] Change sets that consist only of `removalPolicy` changes cannot be executed

If the only change to an s3.Bucket object that’s already been deployed is to change its removalPolicy, that change appears in cdk diff, but cdk deploy says (no changes) for that stack, and the change is not made to the bucket.

If you deploy another change, such as to the versioned property, along with the removalPolicy change, the change to removalPolicy is made.

This broke the “Your First AWS CDK app” topic in the developer guide, which updated the removalPolicy to allow cdk destroy to delete the bucket. The user could still complete the tutorial, but the bucket would remain when it should have been deleted. (I have updated this topic to make an additional change with the removalPolicy one, which has the added benefit of showing an IAM policy in the diff, which has the side effect of deploying the removalPolicy change.)

Unmodified version of this topic can be seen here: http://jkindall.aka.corp.amazon.com/snapshot/1605908585/hello_world.html

Reproduction Steps

mkdir hello-cdk
cd hello-cdk
cdk init --language typescript
npm install @aws-cdk/aws-s3

Edit lib/hello-cdk-stack.ts to read:

import * as cdk from '@aws-cdk/core';
import * as s3 from '@aws-cdk/aws-s3';

export class HelloCdkStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new s3.Bucket(this, 'TheBucket', {
      versioned: false,
      // removalPolicy: cdk.RemovalPolicy.DESTROY
    });
  }
}

Then:

npm run build
cdk synth
cdk deploy

Uncomment the removalPolicy definiiton.

Save, build, and cdk diff. Note that the change to the removal policy appears in the diff output.

Now cdk deploy and note that it says HelloCdkStack (no changes). Another cdk diff will reveal that there’s still a difference between the new synthesized template and the deployed one, indicating the change to removalPolicy was not deployed.

Finally change versioned to true, then cdk deploy and watch both changes be deployed. cdk diff afterward to be sure.

Environment

  • CDK CLI Version : 1.74.0
  • Framework Version: 1.74.0
  • Node.js Version: 12.16.3
  • OS : Windows 10
  • Language (Version): TypeScript 3.9.7

This is 🐛 Bug Report

About this issue

  • Original URL
  • State: open
  • Created 4 years ago
  • Reactions: 8
  • Comments: 18 (15 by maintainers)

Most upvoted comments

Add a WaitConditionHandle. Doesn’t do or cost anything, but does change the template

+2
rix0rrr on Mar 2, 2022

I was able to force a deployment by using:

cdk deploy --no-version-reporting '<STACKNAME>'

This removes the CDKMetadata property, forcing a change. I was able to reproduce this issue using the CloudFormation console. The changeset failed when just changing a retention policy. This seems like a pretty bad CloudFormation bug - is there any public issue tracking this upstream?

+1
blimmer on Apr 12, 2022
Read more comments on GitHub
← aws-cdk: cli: cdk synth doesn't output yaml when having dependency stacks
aws-cdk: [cli] Cloud assembly schema version mismatch →