Rudziankoŭ

Reputation: 11251

AWS CloudFormation delete resources

I have the following CloudFormation template:

Parameters:
  SizeCondition1:
    Type: String
    Default: SizeCondition1
    Description: >-
      Enter the name of the size condition. Note names cannot be modified after
      creation and must be alphanumeric without spaces.
  SizeURI1:
    Type: String
    Default: '8192'
    Description: Enter the size limit of the URI.
  SizeQuery1:
    Type: String
    Default: '8192'
    Description: Enter the size limit of the query string.
Resources:
  WAFSizeCondition1:
    Type: 'AWS::WAF::SizeConstraintSet'
    Properties:
      Name: !Ref SizeCondition1
      SizeConstraints:
        - FieldToMatch:
            Type: QUERY_STRING
          ComparisonOperator: GT
          Size: !Ref SizeQuery1
          TextTransformation: NONE
        - FieldToMatch:
            Type: URI
          ComparisonOperator: GT
          Size: !Ref SizeURI1
          TextTransformation: NONE
  WafRule:
    Type: 'Custom::CustomResource'
    Properties:
      ServiceToken: !Join 
        - ''
        - - 'arn:aws:lambda:'
          - !Ref 'AWS::Region'
          - ':'
          - !Ref 'AWS::AccountId'
          - ':function:WafLambdaTest'
      Name: WAFRateTest1
      RateLimit: '2000'
      MetricName: WAFRateTest1
      Predicates:
        - DataId: !Ref WAFSizeCondition1
          Negated: false
          Type: SizeConstraint

When I fire the DELETE event I see the following:

stack progress

Questions:

  1. Why is WafRule deleted first, when it cannot be removed before WAFSizeCondition1? How can I declare a dependency in the template to make WAFSizeCondition1 delete first?
  2. Why can WAFSizeCondition1 not be deleted? Which resource is it referenced by? How do I handle resource deletion correctly here?

Upvotes: 0

Views: 2663

Answers (1)

user7401700

  1. CloudFormation will choose an order based on some internal logic. To influence its order, you can specify some form of dependency with the DependsOn attribute, e.g.:

WAFSizeCondition1:
  Type: 'AWS::WAF::SizeConstraintSet'
  DependsOn: WafRule

  2. There's a bug in your custom resource. You didn't show how you wrote your function, and I suspect you didn't take the correct steps to delete it. According to the waf.delete_web_acl docs:

Permanently deletes a WebACL. You can't delete a WebACL if it still contains any Rules.

To delete a WebACL, perform the following steps:

Update the WebACL to remove Rules, if any. For more information, see UpdateWebACL.

Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a DeleteWebACL request.

Submit a DeleteWebACL request.

Upvotes: 1
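
The delete steps the answer quotes, applied to the rate-based rule this custom resource manages, as an added example that is not part of the original answer or the asker's Lambda. It assumes the function uses the boto3 WAF Classic client; `FakeWaf` is a constructed stand-in so the sequence runs offline.

```python
import types

def delete_rate_based_rule(waf, rule_id):
    """Delete path for a WAF Classic rate-based rule in a custom resource.
    `waf` is a client such as boto3.client("waf"); returns the number of
    predicates detached before the rule itself was deleted."""
    try:
        rule = waf.get_rate_based_rule(RuleId=rule_id)["Rule"]
    except waf.exceptions.WAFNonexistentItemException:
        return 0  # already gone: report success so the stack delete proceeds
    predicates = rule.get("MatchPredicates", [])
    if predicates:
        # Detach every predicate first: the rule cannot be deleted while it
        # has any, and a condition set cannot be deleted while a rule uses it.
        waf.update_rate_based_rule(
            RuleId=rule_id,
            ChangeToken=waf.get_change_token()["ChangeToken"],
            Updates=[{"Action": "DELETE", "Predicate": p} for p in predicates],
            RateLimit=rule["RateLimit"],
        )
    # Each mutating call takes its own fresh change token.
    waf.delete_rate_based_rule(
        RuleId=rule_id, ChangeToken=waf.get_change_token()["ChangeToken"])
    return len(predicates)

class FakeWaf:
    """Constructed in-memory stand-in for the client, for offline runs only."""
    exceptions = types.SimpleNamespace(WAFNonexistentItemException=KeyError)

    def __init__(self, rules):
        self.rules, self.calls, self.tokens = rules, [], 0

    def get_change_token(self):
        self.tokens += 1
        return {"ChangeToken": f"token-{self.tokens}"}

    def get_rate_based_rule(self, RuleId):
        return {"Rule": self.rules[RuleId]}  # KeyError when the rule is absent

    def update_rate_based_rule(self, RuleId, ChangeToken, Updates, RateLimit):
        gone = [u["Predicate"] for u in Updates if u["Action"] == "DELETE"]
        kept = [p for p in self.rules[RuleId]["MatchPredicates"] if p not in gone]
        self.rules[RuleId]["MatchPredicates"] = kept
        self.calls.append("update")

    def delete_rate_based_rule(self, RuleId, ChangeToken):
        if self.rules[RuleId]["MatchPredicates"]:
            raise RuntimeError("rule still has predicates")
        del self.rules[RuleId]
        self.calls.append("delete")
```

In the Lambda, the Delete branch would call this with the real client and the rule ID it stored at creation, then report the result back to CloudFormation.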
