AwsCustomResource with delete only action fails with Invalid PhysicalResourceId


I have written some lambda-backed custom resources using the provider framework, but in some cases the task involved is very simple and does not require the overhead of creating a bespoke lambda.

The CDK offers an alternative to the provider framework, which is a custom resource that calls an AWS SDK API:

Sometimes a single API call can fill the gap in the CloudFormation coverage. In this case you can use the AwsCustomResource construct. This construct creates a custom resource that can be customized to make specific API calls for the CREATE, UPDATE and DELETE events. Additionally, data returned by the API call can be extracted and used in other constructs/resources (creating a real CloudFormation dependency using Fn::GetAtt under the hood).

The physical id of the custom resource can be specified or derived from the data returned by the API call.

The scenario is that in a development environment I want to remove any CDK generated secrets and KMS keys.

My understanding is that I can use an AwsCustomResource with just the onDelete event specified, however creating the resource produces an Invalid PhysicalResourceId error.

Reproduction Steps

  // Example
  const key = new Key(this, 'kms-key', {
    alias: 'KMS-Test-Delete-Alias',
    description: 'This is a test KMS key using custom resource',
    enabled: true,
  });

  new AwsCustomResource(this, 'kmsDeleteKeyResource', {
    onDelete: {
      service: 'KMS',
      action: 'scheduleKeyDeletion',
      parameters: {
        KeyId: key.keyArn,
        PendingWindowInDays: 7
      },
    },
  });

Error Log

5/8 | 14:40:35 | CREATE_COMPLETE      | AWS::KMS::Key         | kms-key (kmskey49FBC3B3)
5/8 | 14:40:37 | CREATE_IN_PROGRESS   | AWS::KMS::Alias       | kms-key/Alias (kmskeyAlias39245779)
5/8 | 14:40:37 | CREATE_IN_PROGRESS   | Custom::AWS           | kmsDeleteKeyResource/Resource/Default (kmsDeleteKeyResource97160D9C)
5/8 Currently in progress: kmskeyAlias39245779, kmsDeleteKeyResource97160D9C
6/8 | 14:41:31 | CREATE_FAILED        | Custom::AWS           | kmsDeleteKeyResource/Resource/Default (kmsDeleteKeyResource97160D9C) Invalid PhysicalResourceId
               new CustomResource (C:\ScratchPad - AWS\cdk\kms-delete-key-api\node_modules\@aws-cdk\aws-cloudformation\lib\custom-resource.ts:163:21)
               \_ new AwsCustomResource (C:\ScratchPad - AWS\cdk\kms-delete-key-api\node_modules\@aws-cdk\custom-resources\lib\aws-custom-resource\aws-custom-resource.ts:209:27)
               \_ new DemoStack (C:\ScratchPad - AWS\cdk\kms-delete-key-api\example\demo-stack.ts:24:9)
               \_ Object.<anonymous> (C:\ScratchPad - AWS\cdk\kms-delete-key-api\example\cdk.ts:6:17)

Environment

  • CLI Version : aws-cli/1.16.185 Python/3.7.3 Windows/10 botocore/1.12.175
  • Framework Version: aws-cdk@1.22.0
  • OS : Windows 10 1803
  • Language : Typescript

Other


This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:6 (5 by maintainers)

Top GitHub Comments

1 reaction
jogold commented, Feb 6, 2020

@chrisgit in the meantime you can use the following workaround:

  const key = new Key(this, 'kms-key', {
    alias: 'KMS-Test-Delete-Alias',
    description: 'This is a test KMS key using custom resource',
    enabled: true,
  });

  new AwsCustomResource(this, 'kmsDeleteKeyResource', {
    onCreate: { // Dummy call
      service: 'KMS',
      action: 'describeKey',
      parameters: {
        KeyId: key.keyArn
      },
      physicalResourceId: key.keyArn,
    },
    onDelete: {
      service: 'KMS',
      action: 'scheduleKeyDeletion',
      parameters: {
        KeyId: key.keyArn,
        PendingWindowInDays: 7
      },
    },
  })

0 reactions
eladb commented, Feb 19, 2020

I think that making an action with just onDelete “just work” is probably a better experience.
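
Why the delete-only resource fails at create time while the workaround succeeds, shown as an added example that is not code from the issue or from the CDK. It is a simplified model of the custom resource lifecycle: the handler logic, the `KEY_ARN` value and all function names are assumptions made for illustration.

```typescript
// Simplified model of the custom resource lifecycle; not the CDK's handler code.
type RequestType = 'Create' | 'Update' | 'Delete';
interface SdkCall { service: string; action: string; physicalResourceId?: string | undefined; }
interface Calls { onCreate?: SdkCall; onUpdate?: SdkCall; onDelete?: SdkCall; }
interface CfnEvent { RequestType: RequestType; PhysicalResourceId?: string | undefined; }
interface CfnResponse { Status: 'SUCCESS' | 'FAILED'; PhysicalResourceId?: string | undefined; }
interface Outcome { create: string; storedId?: string | undefined; executed: string[]; }

// Constructed sample ARN standing in for key.keyArn.
const KEY_ARN = 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID';

// Handler model (assumption): run the call configured for this event, if any,
// and report its physicalResourceId, else the id CloudFormation sent in.
function handle(event: CfnEvent, calls: Calls, executed: string[]): CfnResponse {
  const call = event.RequestType === 'Create' ? calls.onCreate
    : event.RequestType === 'Update' ? calls.onUpdate
    : calls.onDelete;
  if (call) executed.push(`${event.RequestType}:${call.service}.${call.action}`);
  const id = call?.physicalResourceId ?? event.PhysicalResourceId;
  return { Status: 'SUCCESS', PhysicalResourceId: id };
}

// CloudFormation side: a SUCCESS response without a physical id is rejected.
function accept(resp: CfnResponse): string {
  return resp.Status === 'SUCCESS' && resp.PhysicalResourceId
    ? 'COMPLETE' : 'FAILED: Invalid PhysicalResourceId';
}

// Deploy the resource, then destroy the stack if creation succeeded.
function lifecycle(calls: Calls): Outcome {
  const executed: string[] = [];
  const created = handle({ RequestType: 'Create' }, calls, executed);
  const create = accept(created);
  if (create !== 'COMPLETE') return { create, executed };
  const storedId = created.PhysicalResourceId;
  handle({ RequestType: 'Delete', PhysicalResourceId: storedId }, calls, executed);
  return { create, storedId, executed };
}

const onDelete: SdkCall = { service: 'KMS', action: 'scheduleKeyDeletion' };
const deleteOnly = lifecycle({ onDelete });
const withDummyCreate = lifecycle({
  onCreate: { service: 'KMS', action: 'describeKey', physicalResourceId: KEY_ARN },
  onDelete,
});
```

In this model `deleteOnly` never reaches the delete call because the create response carries no physical id, while `withDummyCreate` stores the key ARN at create time and later runs `scheduleKeyDeletion` on stack deletion.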
