Hello,
in CloudFormation there is a feature of termination protection:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html
https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-stack.html see --enable-termination-protection
Would it be possible to implement this feature in CDK so that one can set this flag and the stack wouldn't be allowed to be destroyed?
To add some details - if I create a stack with CDK using cdk deploy, then enable termination protection of this stack using the AWS UI or API, and then try to do cdk destroy, I will receive an error with the message: Stack [...] cannot be deleted while TerminationProtection is enabled. That is a very important feature for stateful stacks. It would be great to have this flag as a part of StackProps.
+1
@eladb , I think I might be able to pick this one up... but will need to have a bit of a view on integration tests.
If this is only for the client (cdk deploy --enable-termination-protection), it should not take me long.
If it is both, meaning having something in the constructor, it will probably grow arms and legs and take a couple of months, as happened with the tags.
As a workaround you can run the aws cli or sdk:
https://docs.aws.amazon.com/cli/latest/reference/cloudformation/update-termination-protection.html
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudformation.html#CloudFormation.Client.update_termination_protection
Hi folks.
This is a feature I'm also interested in. I was under the impression I could tag native CF commands on to the cdk cli but was disappointed to find that:
cdk deploy --enable-termination-protection (and different variations along those lines) did not work
I thought a cool workaround would be implementing some sort of cloudformation:DeleteStack Effect.DENY type Policy Doc. I was inspired by the iam policy document test in the cdk source: https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-iam/test/policy-document.test.ts#L62
Unfortunately my attempts to do anything similar were not successful. I couldn't get the IAM changes to show up in the template, nor could I block any type of stack deletion attempts.
Here are my gists where I POCed it in a bare bones new cdk init app:
My preferred solution in the end was to use an AWSCustomResource. It works very nicely.
https://gist.github.com/jewelsjacobs/69dcad5e398075f60628322a591b105d
Sorry if this seems verbose but I'm including all of this info to:
Hey @Visorgood,
Sorry for so long without a response. This seems like a totally reasonable feature!
If you would like to add it, please feel free to put in a PR. Otherwise somebody will update this issue when there is a change in status.
@eladb Insight on integration tests for @IsmaelMartinez?
Hi @NGL321, I assume I can use the ones in https://github.com/aws/aws-cdk/tree/master/packages/aws-cdk/test/integ/cli as a template... but let me know if there is a better guide.
As far as I can see here https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-accidental-updates/ the only way to enable termination protection is either via the UI or the client; there is no CloudFormation attribute for it (but I am not an expert on CloudFormation).
If I don't read it wrong, adding a policy will prevent elements of your stack from being deleted once you delete the stack itself. I don't think we are talking about that case here.
Let me know if my assumptions are correct and I can help (or work on) this. https://github.com/aws/aws-cdk/blob/master/packages/aws-cdk/bin/cdk.ts
Is there any time-line on this issue, expected release version/month ?
When is this feature expected to release?
I am waiting for a response... and then I might be able to dedicate some time to it. Either of you feel free to make the changes and I am happy to help with the little that I know.
@IsmaelMartinez I think the best approach here would be to add a --termination-protection option to deploy and pass this down to deployStack:
https://github.com/aws/aws-cdk/blob/3780c1219cfb0c6c2dbb9c679ab346b3c28cb14e/packages/aws-cdk/lib/api/deploy-stack.ts#L51
There you could call updateTerminationProtection.
But this would maybe not fit with #3437
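The workaround above (calling UpdateTerminationProtection from the CLI or SDK) and the suggested wiring of a deploy flag down to deployStack both come down to the same two CloudFormation API calls. The following is an added example for this thread, not code from the issue, the gists or the CDK code base: it uses the boto3 CloudFormation client's describe_stacks and update_termination_protection keyword signatures, but the client is injected so it runs offline against the constructed FakeCloudFormation at the bottom; the deploy callback in deploy_stack is a hypothetical stand-in for the real create/update step.

```python
"""Termination protection via a boto3-style CloudFormation client.

Added example for this thread, not code from the issue or from the CDK
code base. The client is injected so the logic runs offline against the
constructed FakeCloudFormation below; with real credentials you would pass
boto3.client("cloudformation"), whose describe_stacks and
update_termination_protection calls take the keyword arguments used here.
"""
from typing import Any, Callable, Optional


def termination_protection_enabled(cfn: Any, stack_name: str) -> bool:
    """Read the flag from DescribeStacks (Stacks[0].EnableTerminationProtection)."""
    stacks = cfn.describe_stacks(StackName=stack_name).get("Stacks", [])
    if not stacks:
        raise LookupError(f"stack {stack_name} does not exist")
    return bool(stacks[0].get("EnableTerminationProtection", False))


def set_termination_protection(cfn: Any, stack_name: str, enable: bool) -> bool:
    """Idempotently set the flag. Returns True only when an API call was needed."""
    if termination_protection_enabled(cfn, stack_name) == enable:
        return False
    cfn.update_termination_protection(
        StackName=stack_name, EnableTerminationProtection=enable
    )
    return True


def check_deletable(cfn: Any, stack_name: str) -> None:
    """Pre-flight for a destroy; mirrors the error CloudFormation itself returns."""
    if termination_protection_enabled(cfn, stack_name):
        raise PermissionError(
            f"Stack [{stack_name}] cannot be deleted while "
            "TerminationProtection is enabled"
        )


def deploy_stack(
    cfn: Any,
    stack_name: str,
    deploy: Callable[[str], None],
    termination_protection: Optional[bool] = None,
) -> bool:
    """Shape of the suggested CLI wiring: deploy, then apply the flag if given.

    `deploy` is a hypothetical callback standing in for the real create/update.
    The flag is applied afterwards because it is not a template attribute.
    """
    deploy(stack_name)
    if termination_protection is None:
        return False
    return set_termination_protection(cfn, stack_name, termination_protection)


class FakeCloudFormation:
    """Constructed in-memory stand-in for the two API calls used above."""

    def __init__(self, stacks: dict) -> None:
        self._stacks = dict(stacks)  # stack name -> protection flag
        self.calls = []  # (StackName, EnableTerminationProtection) per update call

    def describe_stacks(self, *, StackName: str) -> dict:
        if StackName not in self._stacks:
            # The real client raises a ValidationError ClientError here; simplified.
            return {"Stacks": []}
        return {"Stacks": [{"StackName": StackName,
                            "EnableTerminationProtection": self._stacks[StackName]}]}

    def update_termination_protection(
        self, *, StackName: str, EnableTerminationProtection: bool
    ) -> dict:
        self._stacks[StackName] = EnableTerminationProtection
        self.calls.append((StackName, EnableTerminationProtection))
        return {"StackId": f"arn:aws:cloudformation:us-east-1:123456789012:stack/{StackName}/fake"}


if __name__ == "__main__":
    fake = FakeCloudFormation({"StatefulStack": False})
    deploy_stack(fake, "StatefulStack", lambda name: None, termination_protection=True)
    try:
        check_deletable(fake, "StatefulStack")
    except PermissionError as err:
        print(err)
```

The read-before-write in set_termination_protection keeps repeated deploys from issuing a no-op UpdateTerminationProtection on every run, and check_deletable gives a destroy path the same failure CloudFormation would produce, but before any resource work starts.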
Thanks for the reply. Yeah, I thought about going down that route.
The question is more, do we want to also add a policy to stop accidental delete of elements in your stack?
If I understand the functionality, enabling termination protection stops you from deleting the stack, but you can delete all the elements in a stack if you want.
If we only enable the termination protection, as it is, I don't think it should have much impact on #3437 (but I might be wrong!).
do we know any tentative date when this feature is releasing?
I just submitted PR #7748 that fulfills this request and kinda followed @jogold suggestion on implementing that. Please let me know what you think.