custom_resources: explain how to do replacement with AwsCustomResource

What is the problem?

We can use AwsCustomResource to map custom resource create/update/delete to an SDK call. However, there are updates that actually require a new resource to be created and the original one deleted.

For example, suppose we are using such a custom resource to manage IoT Core role aliases. The create action maps to createRoleAlias, the update action maps to updateRoleAlias, and the delete action maps to deleteRoleAlias. However, if we are specifically trying to update the role alias name itself, then we cannot just call updateRoleAlias, because under normal circumstances the new role alias does not exist yet and must be created not updated.

Even if some mechanism were added to AwsCustomResource or AwsSdkCall to detect updates requiring replacement, there is still an issue. If the deployment were to fail, CloudFormation will attempt to rollback by issuing another update back to the original parameters. But this would also be detected as a replacement, which would issue another createRoleAlias, which would fail because the original role alias still exists. So now you’d need something akin to ignore_error_codes_matching, but only in the specific case of a rollback after an update requiring replacement.

Reproduction Steps

Use AwsCustomResource to create an IoT Core role alias. Then try to update the role alias name.

What did you expect to happen?

It should be able to handle updates requiring replacement, or the construct should be deprecated with a warning that it cannot be used in most cases.

What actually happened?

It tried to update a non-existent role alias and failed.

CDK CLI Version

1.130.0

Framework Version

No response

Node.js Version

16.13.0

OS

Alpine 3.14

Language

Python

Language Version

3.9

Other information

No response