Escape hatch: be able to delete an entire resource from the subtree #1408
Comments
If a certain cdk object creates a role, how do I then stop that role from being created? I may need to abandon AWS CDK in my organization. There are certain resources I am not allowed to create with my user's AWS Role. I was hoping to be able to delete the resources and reference an ARN where needed instead of having them created with cdk. Thank you
This is definitely in our roadmap and a legitimate request. Many AWS constructs allow you to pass in an
Hi @eladb, Thanks for the reply. I was attempting to use an AutoscalingGroup instance, but the role that is passed in (thank you for allowing a role to be passed in btw) to a new InstanceProfile. But creating an Instance profile is also an off-limits IAM function within my organization. So my thought was to simply delete the Instance Profile and use an existing one within my Amazon account. I could not figure out how to delete the Instance Profile that was created by the AutoscalingGroup. I think the above problem is related to this issue. Correct? Thanks
@jcamilli I have the same for the customer (but for ecs.FargateTaskDefinition: on addContainer it creates an IAM Policy, redundant for me, to create log stream and put log events)
Would like this feature. I just wanted to add a custom route table to my subnets while still using the VPC construct. I have a new route table but I can't remove the already existing ones.
I have a similar use case: would like to use existing Elastic IPs with NAT Gateways. I can override the NAT Gateway's allocationId by:
but I can't remove the EIPs created by the VPC construct... EDITED: Apparently this works, but it would be nice to have a publicly documented
Immutably imported `Role`s could not be used for CodeBuild `Project`s, because they would create a policy but be unable to attach it to the Role. That leaves an unattached Policy, which is invalid.

Fix this by making `Policy` objects only render to an `AWS::IAM::Policy` resource if they actually have any effect. It is perfectly allowed to create new unattached Policy objects, or have empty Policy objects. Only if and when they actually need to mutate the policy of an IAM identity will they render themselves to the CloudFormation template. Being able to abstract away these kinds of concerns is exactly the value of a higher-level programming model.

To allow for the rare cases where an empty Policy object would be considered a programming error, we still have the flag `mustCreate` which triggers the legacy behavior of always creating the `AWS::IAM::Policy` resource which must have a statement and be attached to an identity.

Fixes #1408.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sometimes users might want to delete an entire resource.
See #1404 for a use case