CDK fails to delete old global table upon id change #7189

@SachinShekhar

Description

When I change the id of a DynamoDB Global Table construct with removal policy DESTROY, CDK fails to remove the old Global Table.

Note: I am NOT talking about the deprecated aws-dynamodb-global. I am talking about the new experimental aws-dynamodb.Table.replicationRegions.

Reproduction Steps

  1. Create a new Global Table:

     new dynamodb.Table(this, 'Table1', {
       ...
       ...
       removalPolicy: cdk.RemovalPolicy.DESTROY,
       replicationRegions: ['us-west-1', 'eu-central-1']
     });

  2. Deploy the stack.
  3. Change the id of the Global Table:

     new dynamodb.Table(this, 'Table2', {
       ...
       ...
       removalPolicy: cdk.RemovalPolicy.DESTROY,
       replicationRegions: ['us-west-1', 'eu-central-1']
     });

  4. Deploy the stack.

It'll create a new table with proper replicas but fail to delete the old table. The old table and its replicas will remain in the account even after you destroy the stack (meaning it gets completely detached from the stack).

Error Log

The errors are visible in deployment logs.

Error 1 (appears 6 times for 2 replica regions):

5/8 | 2:43:54 PM | DELETE_FAILED        | AWS::CloudFormation::CustomResource | <Old Id>Replicaeucentral15DB8EA77 Failed to delete resource. Error: User: arn:aws:sts::<Account No.>:assumed-role/<Stack Name>-awscdkawsd-OnEventHandlerServiceRol-1WR6JLLTTGU0W/<Stack Name>-awscdkawsdyn-OnEventHandler42BEBAE0-94ML7HG65IAU is not authorized to perform:
dynamodb:UpdateTable on resource: arn:aws:dynamodb:us-east-1:<Account No.>:table/<Old Table Id>
    at invokeUserFunction (/var/task/framework.js:85:19)
    at process._tickCallback (internal/process/next_tick.js:68:7)
Remote function error: AccessDeniedException: User: arn:aws:sts::<Account No.>:assumed-role/<Stack Name>-awscdkawsd-OnEventHandlerServiceRol-1WR6JLLTTGU0W/<Stack Name>-awscdkawsdyn-OnEventHandler42BEBAE0-94ML7HG65IAU is not authorized to perform: dynamodb:UpdateTable on resource: arn:aws:dynamodb:us-east-1:<Account No.>:table/<Old Table Id Online>
    at Request.extractError (/tmp/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.callListeners (/tmp/node_modules/aws-sdk/lib/sequential_executo

Error 2 (appears 3 times for 2 replica regions):

8/8 | 2:44:10 PM | DELETE_FAILED        | AWS::DynamoDB::Table       | <Old Construct Id><Random No.> Replica cannot be deleted because it has acted as a source region for new replica(s) being added to the table in the last 24 hours. (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: ValidationException; Request ID: <Random No.>

Note: I have replaced private info in errors with <xyz>.

Environment

  • CLI Version: 1.31.0 (build 8f3ac79)
  • Framework Version: 1.31.0
  • OS: Windows 10 Pro
  • Language: TypeScript

This is 🐛 Bug Report
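The practical consequence of this report is a global table that still exists (and still holds data) while no stack claims it. The check below is an added example, not code from the issue author or the CDK project: it takes DynamoDB DescribeTable results and CloudFormation ListStackResources summaries in their real boto3 response shapes and reports every table with replicas that no stack manages any more. The table names, stack name and region list in the sample data are constructed placeholders; the optional `collect_from_aws` helper shows how the same functions would be fed from a live account.

```python
"""Detect DynamoDB global tables (tables with replicas) that no CloudFormation
stack manages, e.g. after a DELETE_FAILED on the old table during an id change.

Added example (not part of the CDK project). Input shapes follow the real boto3
responses: DescribeTable -> "Table" -> "Replicas"[]."RegionName", and
ListStackResources -> "StackResourceSummaries"[] with "ResourceType",
"ResourceStatus" and "PhysicalResourceId". The sample data is constructed.
"""
from typing import Dict, Iterable, List, Set


def managed_table_names(stack_resource_summaries: Iterable[dict]) -> Set[str]:
    """Physical IDs of every AWS::DynamoDB::Table a stack still tracks.

    Resources already in DELETE_COMPLETE are ignored: they have left the stack,
    so a table that still exists under that name is orphaned, not managed.
    """
    return {
        r["PhysicalResourceId"]
        for r in stack_resource_summaries
        if r.get("ResourceType") == "AWS::DynamoDB::Table"
        and r.get("ResourceStatus") != "DELETE_COMPLETE"
        and r.get("PhysicalResourceId")
    }


def find_orphaned_global_tables(
    described_tables: Iterable[dict], managed: Set[str]
) -> List[Dict[str, object]]:
    """Return tables that have replicas but appear in no stack's resource list.

    Tables without replicas are skipped on purpose: this check targets the
    global-table case from the report, where the source table and its replicas
    in other regions are all left behind.
    """
    orphans = []
    for table in described_tables:
        replicas = sorted(r["RegionName"] for r in table.get("Replicas", []))
        if replicas and table["TableName"] not in managed:
            orphans.append({"TableName": table["TableName"], "Replicas": replicas})
    return orphans


def collect_from_aws(region: str = "us-east-1"):
    """Gather live inputs with boto3 (only used when run directly, needs credentials)."""
    import boto3  # imported here so the pure functions above stay import-free

    cfn = boto3.client("cloudformation", region_name=region)
    ddb = boto3.client("dynamodb", region_name=region)
    summaries = []
    for page in cfn.get_paginator("list_stacks").paginate():
        for stack in page["StackSummaries"]:
            if stack["StackStatus"] == "DELETE_COMPLETE":
                continue  # a deleted stack manages nothing
            for res_page in cfn.get_paginator("list_stack_resources").paginate(
                StackName=stack["StackName"]
            ):
                summaries.extend(res_page["StackResourceSummaries"])
    tables = []
    for page in ddb.get_paginator("list_tables").paginate():
        for name in page["TableNames"]:
            tables.append(ddb.describe_table(TableName=name)["Table"])
    return tables, summaries


# Constructed sample: the stack now tracks only the Table2 construct, while the
# Table1 table (with two replicas) and an unrelated non-global table still exist.
SAMPLE_STACK_RESOURCES = [
    {"ResourceType": "AWS::DynamoDB::Table", "ResourceStatus": "CREATE_COMPLETE",
     "PhysicalResourceId": "MyStack-Table2A1B2C3D4-XYZ"},
    {"ResourceType": "AWS::Lambda::Function", "ResourceStatus": "CREATE_COMPLETE",
     "PhysicalResourceId": "MyStack-OnEventHandler-PLACEHOLDER"},
]
SAMPLE_TABLES = [
    {"TableName": "MyStack-Table1F00DBEEF-ABC",
     "Replicas": [{"RegionName": "us-west-1"}, {"RegionName": "eu-central-1"}]},
    {"TableName": "MyStack-Table2A1B2C3D4-XYZ",
     "Replicas": [{"RegionName": "us-west-1"}, {"RegionName": "eu-central-1"}]},
    {"TableName": "sessions", "Replicas": []},  # unmanaged but not a global table
]

if __name__ == "__main__":
    managed = managed_table_names(SAMPLE_STACK_RESOURCES)
    for orphan in find_orphaned_global_tables(SAMPLE_TABLES, managed):
        print(f"orphaned global table {orphan['TableName']} "
              f"with replicas in {', '.join(orphan['Replicas'])}")
```

Run against a real account, the output is the list of tables to review and remove by hand; note that the second error in the report means a replica that seeded a new replica within the last 24 hours cannot be deleted until that window has passed, so the cleanup may need to wait before it succeeds.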
