AwsCustomResource with delete only action fails with Invalid PhysicalResourceId
I have written some lambda backed custom resources using the provider framework but in some cases the task involved is very simple and does not require the overhead of creating a bespoke lambda.
The CDK offers an alternative to the provider framework which is a custom resource that calls an AWS SDK API:
Sometimes a single API call can fill the gap in the CloudFormation coverage. In this case you can use the AwsCustomResource construct. This construct creates a custom resource that can be customized to make specific API calls for the CREATE, UPDATE and DELETE events. Additionally, data returned by the API call can be extracted and used in other constructs/resources (creating a real CloudFormation dependency using Fn::GetAtt under the hood).
The physical id of the custom resource can be specified or derived from the data returned by the API call.
The scenario is that in a development environment I want to remove any CDK generated secrets and KMS keys.
My understanding is that I can use an AwsCustomResource with just the onDelete event specified; however, creating the resource produces an Invalid PhysicalResourceId error.
Reproduction Steps
// Example
const key = new Key(this, 'kms-key', {
  alias: 'KMS-Test-Delete-Alias',
  description: 'This is a test KMS key using custom resource',
  enabled: true,
});
new AwsCustomResource(this, 'kmsDeleteKeyResource', {
  onDelete: {
    service: 'KMS',
    action: 'scheduleKeyDeletion',
    parameters: {
      KeyId: key.keyArn,
      PendingWindowInDays: 7
    },
  },
});
Error Log
5/8 | 14:40:35 | CREATE_COMPLETE | AWS::KMS::Key | kms-key (kmskey49FBC3B3)
5/8 | 14:40:37 | CREATE_IN_PROGRESS | AWS::KMS::Alias | kms-key/Alias (kmskeyAlias39245779)
5/8 | 14:40:37 | CREATE_IN_PROGRESS | Custom::AWS | kmsDeleteKeyResource/Resource/Default (kmsDeleteKeyResource97160D9C)
5/8 Currently in progress: kmskeyAlias39245779, kmsDeleteKeyResource97160D9C
6/8 | 14:41:31 | CREATE_FAILED | Custom::AWS | kmsDeleteKeyResource/Resource/Default (kmsDeleteKeyResource97160D9C) Invalid PhysicalResourceId
new CustomResource (C:\ScratchPad - AWS\cdk\kms-delete-key-api\node_modules\@aws-cdk\aws-cloudformation\lib\custom-resource.ts:163:21)
\_ new AwsCustomResource (C:\ScratchPad - AWS\cdk\kms-delete-key-api\node_modules\@aws-cdk\custom-resources\lib\aws-custom-resource\aws-custom-resource.ts:209:27)
\_ new DemoStack (C:\ScratchPad - AWS\cdk\kms-delete-key-api\example\demo-stack.ts:24:9)
\_ Object.<anonymous> (C:\ScratchPad - AWS\cdk\kms-delete-key-api\example\cdk.ts:6:17)
Environment
- CLI Version : aws-cli/1.16.185 Python/3.7.3 Windows/10 botocore/1.12.175
- Framework Version: aws-cdk@1.22.0
- OS : Windows 10 1803
- Language : TypeScript
Other
This is 🐛 Bug Report
Issue Analytics
- Created 4 years ago
- Comments:6 (5 by maintainers)
Top GitHub Comments
@chrisgit in the meantime you can use the following workaround:
I think that making an action with just onDelete “just work” is probably a better experience.
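
The failure mode in this thread, as an added TypeScript example that is not from the issue or from the CDK's handler: CloudFormation requires every custom resource response to carry a non-empty PhysicalResourceId, so a resource with no call configured for Create still has to return one. The handler model, the `naiveId` and `stableId` pickers, the logical-id fallback and the placeholder key ARN are assumptions made for illustration.

```typescript
// Constructed model of a custom resource handler; not the CDK's own code.
type RequestType = 'Create' | 'Update' | 'Delete';
interface SdkCall { service: string; action: string; parameters: Record<string, unknown>; }
interface CfnEvent {
  RequestType: RequestType;
  LogicalResourceId: string;
  PhysicalResourceId?: string | undefined; // CloudFormation sends this on Update/Delete only
  ResourceProperties: { Create?: SdkCall; Update?: SdkCall; Delete?: SdkCall };
}
interface HandlerResult { PhysicalResourceId: string | undefined; executed: SdkCall[]; }
type IdPicker = (event: CfnEvent) => string | undefined;

// Naive: with no call on Create, nothing ever supplies an id.
const naiveId: IdPicker = (event) => event.PhysicalResourceId;

// Hardened (assumed fallback): reuse the known id, else the logical id.
const stableId: IdPicker = (event) => event.PhysicalResourceId ?? event.LogicalResourceId;

// CloudFormation accepts only a non-empty string of at most 1 KB
// (length in characters equals bytes for the ASCII ids used here).
function isValidPhysicalId(id: string | undefined): boolean {
  return typeof id === 'string' && id.length > 0 && id.length <= 1024;
}

function handle(event: CfnEvent, pickId: IdPicker): HandlerResult {
  const call = event.ResourceProperties[event.RequestType];
  // The SDK call is recorded rather than sent, so the example runs offline.
  return { PhysicalResourceId: pickId(event), executed: call ? [call] : [] };
}

// Constructed input mirroring the issue: only Delete has a call. KeyId is a placeholder.
const deleteOnly: CfnEvent['ResourceProperties'] = {
  Delete: { service: 'KMS', action: 'scheduleKeyDeletion',
            parameters: { KeyId: 'PLACEHOLDER_KEY_ARN', PendingWindowInDays: 7 } },
};

function lifecycle(pickId: IdPicker): { create: HandlerResult; del: HandlerResult } {
  const logicalId = 'kmsDeleteKeyResource97160D9C';
  const create = handle({ RequestType: 'Create', LogicalResourceId: logicalId,
                          ResourceProperties: deleteOnly }, pickId);
  const del = handle({ RequestType: 'Delete', LogicalResourceId: logicalId,
                       PhysicalResourceId: create.PhysicalResourceId,
                       ResourceProperties: deleteOnly }, pickId);
  return { create, del };
}

const hardened = lifecycle(stableId);
console.log(isValidPhysicalId(lifecycle(naiveId).create.PhysicalResourceId),
            isValidPhysicalId(hardened.create.PhysicalResourceId),
            hardened.del.executed.map((c) => c.action));
```

The id has to stay the same across the resource's lifetime: CloudFormation treats a different PhysicalResourceId returned on Update as a replacement and sends a Delete for the old id, which for this resource would run scheduleKeyDeletion.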