aws_certificatemanager: cross region SSM parameter not being removed on certificate deletion. #27251

Closed
LiamWibberleyProlific opened this issue Sep 22, 2023 · 2 comments
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@LiamWibberleyProlific

Describe the bug

Hi,

We are using 'aws_certificatemanager' to create a new CloudFront certificate.

Deploying works perfectly and the creation of the SSM parameter works a treat using cross-region-ssm-writer-handler custom resource.

Today we had a case where we needed to delete the certificate, but this has left behind the SSM parameter, so when creating it again it has resulted in an error saying the SSM parameter already exists.

CDK printed the following information:

CloudfrontCertificateStack-prod |   2 | 9:09:50 AM | DELETE_FAILED        | AWS::CloudFormation::CustomResource  | ExportsWritereuwest142AF533A3E3B99E4 Received response status [FAILED] from custom resource. Message returned: Error: Exports cannot be updated: 

    at throwIfAnyInUse (/var/task/index.js:4:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async handler (/var/task/index.js:3:407)
    at async Runtime.handler (/var/task/__entrypoint__.js:1:932) (RequestId: e60def4b-3ea0-43e9-ab13-65a192131aee)

From looking at the source I can see that we are expecting a reason for each tag why it failed to delete, but as you can see it is not present, and using the CLI to see the tags on the SSM param, there are none.


This has resulted in the resource being left behind and CloudFormation being out of sync.


To resolve this I will be manually deleting the resource, but thought it would be worth highlighting it as an issue.

Expected Behavior

I expected the SSM parameter to be removed.

Current Behavior

The parameter was left behind but the resource was removed from CloudFormation.

CDK printed the following information:

CloudfrontCertificateStack-prod |   2 | 9:09:50 AM | DELETE_FAILED        | AWS::CloudFormation::CustomResource  | ExportsWritereuwest142AF533A3E3B99E4 Received response status [FAILED] from custom resource. Message returned: Error: Exports cannot be updated: 

    at throwIfAnyInUse (/var/task/index.js:4:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async handler (/var/task/index.js:3:407)
    at async Runtime.handler (/var/task/__entrypoint__.js:1:932) (RequestId: e60def4b-3ea0-43e9-ab13-65a192131aee)

Reproduction Steps

I do not have clear reproduction steps.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

aws-cdk-lib==2.94.0

Framework Version

No response

Node.js Version

16.20.2/x64

OS

Ubuntu 22.04.3 LTS

Language

Python

Language Version

Python 3.11.5

Other information

No response

@LiamWibberleyProlific LiamWibberleyProlific added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 22, 2023
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Sep 22, 2023
@indrora indrora added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 25, 2023
@indrora
Contributor

indrora commented Sep 25, 2023

How are you creating the SSM parameter? With the CDK or not?

The CDK doesn't remove resources that aren't created directly and visible to the CDK through CloudFormation.

@indrora indrora added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 25, 2023
@peterwoodworth peterwoodworth removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Sep 25, 2023
@github-actions

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Sep 27, 2023
@github-actions github-actions bot added closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Oct 3, 2023
@github-actions github-actions bot closed this as completed Oct 3, 2023