Destroying stack which contains AwsCustomeResource leaves AWS resources

[raziza]

I've created this issue and it was closed immediately.

It is about using AwsCustomResource to do something - in my case AttachPolicy to a ThingGroup. On deployment the AwsCustomResource is creating for itself in order to function (not my code) - lambda, roles, logs.. and then I guess the lambda is running and attaching the policy to the thing group.

When I destroy the stack, look like the policy is detached from the thing group (my part), but not all the automatically created AWS resources were removed. Such as log groups from cloudwatch..

Would like to reopen this as an issue.

[peterwoodworth]

If you create a basic AwsCustomResource like this:

    const customresource = new cr.AwsCustomResource(this, 'custom', {
      onCreate: {
        service: 'SecretsManager',
        action: 'createSecret',
        parameters: {
          Name: 'test',
        },
        physicalResourceId: cr.PhysicalResourceId.of('test'),
      },
      onDelete: {
        service: 'SecretsManager',
        action: 'deleteSecret',
        parameters: {
          SecretId: 'test',
        },
        physicalResourceId: cr.PhysicalResourceId.of('test'),
      },
      policy: cr.AwsCustomResourcePolicy.fromStatements(
        [
          new iam.PolicyStatement({
            actions: ['secretsmanager:*'],
            resources: ['*'],
            effect: iam.Effect.ALLOW,
          })
        ]
      ),
    });

Then I get a template with a Function, Role, Policy, and Custom Resource. Upon deploying and deleting this stack, every resource named in the template will get deleted. I've also configured this custom resource to delete the same resource that the custom resource initially created with the API call

Lambda as a service will always create a log group - this isn't unique to CDK or CloudFormation. But, CDK does give a way to manage LogGroups created by Lambda - the LogRetention construct. See an example here of how you might implement a LogRetention construct to manage the logs for your AwsCustomResource Lambda function.

    const fn = customresource.node.findChild('Provider') as lambda.Function;
    new logs.LogRetention(this, 'retention', {
      logGroupName: `/aws/lambda/${fn.functionName}`,
      retention: logs.RetentionDays.ONE_WEEK,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      // role: logRetentionRole
    });

There are plenty of resources that don't get automatically deleted when you create a CloudFormation stack. Such as buckets, or tables. There are also a number of resources which get automatically created if you create a different resource, whether you define them in your stack or not. Log groups fit into both of these categories - and it's well documented which resources do this both in CloudFormation and in CDK.

[raziza]

I've saw this trick on line but it still does not delete my log group - but it even changing my log retention to "never expired"

When I bootsrap the CDK I am aware that some resources are created. But when I create a stack and destroying it I would except all the resources created to be removed as well.. (unless we specified a removePolicy.RETAIN).

[raziza]

I've found also this issue related to our topic

[peterwoodworth]

But when I create a stack and destroying it I would except all the resources created to be removed as well.. (unless we specified a removePolicy.RETAIN).

Like I said, it's documented both in CDK and CloudFormation that this is just how some resources work in CloudFormation. The best we can offer in terms of automatically deleting the log group is to create a LogRetention construct that will have control over the automatically created log groups when creating a lambda function, and setting this LogRetention construct to RemovalPolicy.DESTROY. The snippet I gave should successfully do this for you

I've found also #26538 related to our topic

You've linked back to this discussion 🙂

[raziza]

This would be a good workaround for us but I've tried already before posting the question and it didn't work. It even change the retention to 'nexer expired'

…

On Thu, Aug 3, 2023, 18:54 Peter Woodworth ***@***.***> wrote: But when I create a stack and destroying it I would except all the resources created to be removed as well.. (unless we specified a removePolicy.RETAIN). Like I said, it's documented both in CDK and CloudFormation that this is just how some resources work in CloudFormation. The best we can offer in terms of automatically deleting the log group is to create a LogRetention construct that will have control over the automatically created log groups when creating a lambda function, and setting this LogRetention construct to RemovalPolicy.DESTROY. The snippet I gave should successfully do this for you I've found also #26538 <#26538> related to our topic You've linked back to this discussion 🙂 — Reply to this email directly, view it on GitHub <#26538 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AC4GQH5JDMY7AZGPZNO72S3XTPJWBANCNFSM6AAAAAA22NYN5I> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[peterwoodworth]

There's actually a PR that will see to make this much easier #21820 if no workarounds are able to work for you. You could try creating an AwsCustomResource as a workaround in the meantime

[raziza]

This looks good..
At the moment we don't have a solution as this workaround does not work.
But we can wait for the PR..