Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(core): stack termination protection #7610

Merged
merged 10 commits into from
May 4, 2020
Merged

feat(core): stack termination protection #7610

merged 10 commits into from
May 4, 2020

Conversation

jogold
Copy link
Contributor

@jogold jogold commented Apr 26, 2020
edited
Loading

Commit Message

feat(core): stack termination protection (#7610)

Add a terminationProtection prop to StackProps to enable stack termination
protection.

This does not require extra IAM permission for existing CDK stacks
(cloudformation:UpdateTerminationProtection).

The logic to evaluate if we can skip deploy is now moved to a separate
function.

Closes #1682

End Commit Message

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@jogold
feat(core): stack termination protection
54ad340 
Add a `terminationProtection` prop to `StackProps` to enable stack termination
protection.

Closes aws#1682
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 54ad340
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@SomayaB SomayaB requested review from shivlaks and removed request for shivlaks April 28, 2020 22:19
eladb
eladb previously requested changes Apr 30, 2020
View reviewed changes
Copy link
Contributor

@eladb eladb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Just need to move the cx-api change to the cloud-assembly-schema

eladb
eladb reviewed May 3, 2020
View reviewed changes
Copy link
Contributor

@eladb eladb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, @shivlaks please review and approve when ready

packages/aws-cdk/lib/api/deploy-stack.ts
@@ -149,13 +149,17 @@ export async function deployStack(options: DeployStackOptions): Promise<DeploySt
const deployName = options.deployName || stackArtifact.stackName;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shivlaks do you mind giving this a quick review?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

on it

packages/aws-cdk/lib/api/deploy-stack.ts Outdated
Comment on lines 159 to 162
if (JSON.stringify(stackArtifact.template) === JSON.stringify(await cloudFormationStack.template())
&& tagsIdentical
&& cloudFormationStack.terminationProtection === terminationProtection) {
debug(`${deployName}: no change in template, tags or termination protection, skipping (use --force to override)`);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feels like we should extract all the logic that decides whether a stack should be updated into a separate function now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

packages/aws-cdk/lib/api/deploy-stack.ts Outdated

// Update termination protection only if it has changed.
if (cloudFormationStack.terminationProtection !== terminationProtection) {
debug('Updating termination protection for stack %s', deployName);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add the previous and new values of terminationProtection in this log

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@eladb eladb assigned shivlaks and unassigned eladb May 3, 2020
@jogold jogold mentioned this pull request May 4, 2020
Closed
@mergify mergify bot dismissed eladb’s stale review May 4, 2020 11:10

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 866e052
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 4268af2
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: acbd210
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

shivlaks
shivlaks reviewed May 4, 2020
View reviewed changes
Copy link
Contributor

@shivlaks shivlaks left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neat! this will be really handy for for users

  • It's also probably worth noting somewhere (maybe README) that Nested Stacks inherit this property from their parent stack and that it cannot be set on Nested Stacks.

@jogold
Copy link
Contributor Author

jogold commented May 4, 2020

  • It's also probably worth noting somewhere (maybe README) that Nested Stacks inherit this property from their parent stack and that it cannot be set on Nested Stacks.

I also thought about this and initially tried to find a way to prevent this from happening but AFAIU as NestedStackProps do not extend StackProps it will not be possible to set it on a Nested Stack when using the CDK.

@shivlaks
Copy link
Contributor

shivlaks commented May 4, 2020

I also thought about this and initially tried to find a way to prevent this from happening but AFAIU as NestedStackProps do not extend StackProps it will not be possible to set it on a Nested Stack when using the CDK.

I think it's reasonable since CloudFormation doesn't allow your to set termination directly on nested stacks anyways IIRC. Maybe just mention the behaviour in the README (that termination protection propagates to all nested stacks)

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 24ae092
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: e3789a7
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented May 4, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 7ed60b8 into aws:master May 4, 2020
shivlaks added a commit that referenced this pull request May 4, 2020
@shivlaks
chore(cli): add stack termination stack to cdk ls test
2585911 
missed this in #7610
@shivlaks shivlaks mentioned this pull request May 4, 2020
Merged
mergify bot pushed a commit that referenced this pull request May 5, 2020
@shivlaks
chore(cli): add termination-protection stack to cdk ls test (#7786)
4d4114a 
missed adding this in #7610
@jogold jogold deleted the termination-protection branch May 31, 2020 07:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eladb eladb eladb left review comments

@iliapolo iliapolo iliapolo left review comments

@shivlaks shivlaks shivlaks approved these changes

Assignees

@shivlaks shivlaks

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enable termination protection of a stack
5 participants
@jogold @aws-cdk-automation @shivlaks @eladb @iliapolo