diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
index 961e28feed8c7..dfc2bbf3c6fa5 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
@@ -106,8 +106,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
@@ -142,8 +142,8 @@
 ]
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
index a7708e2fb66d8..1dc6ebf2ef08c 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
@@ -157,8 +157,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
@@ -193,8 +193,8 @@
 ]
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
index 9448dd957a9b6..ded136fc1300f 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json
@@ -82,8 +82,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
@@ -118,8 +118,8 @@
 ]
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
index d743dde53d584..86db9d8aff7d0 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json
@@ -92,8 +92,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
@@ -128,8 +128,8 @@
 ]
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
index 3776591db7866..b08b2065b6a85 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json
@@ -115,8 +115,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
@@ -151,8 +151,8 @@
 ]
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
index d0e69fc6f9ec2..6360d98af5e33 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
@@ -330,8 +330,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
@@ -366,8 +366,8 @@
 ]
 }
 },
- "UpdateReplacePolicy": "Retain",
- "DeletionPolicy": "Retain"
+ "UpdateReplacePolicy": "Delete",
+ "DeletionPolicy": "Delete"
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
index 12b5964daed96..5fb4940951329 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
@@ -155,8 +155,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
@@ -191,8 +191,8 @@
 ]
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
index 7d7a6b3fa036d..519555ac5d6e1 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
@@ -103,8 +103,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "MyPipelineArtifactsBucket727923DD": {
 "Type": "AWS::S3::Bucket",
@@ -139,8 +139,8 @@
 ]
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "MyPipelineRoleC0D47CA4": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json
index f3affd79bafd8..59e980a3009db 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json
@@ -113,8 +113,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
@@ -149,8 +149,8 @@
 ]
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/@aws-cdk/aws-codepipeline/lib/cross-region-support-stack.ts b/packages/@aws-cdk/aws-codepipeline/lib/cross-region-support-stack.ts
index 1f9c07477755f..5caefa991c041 100644
--- a/packages/@aws-cdk/aws-codepipeline/lib/cross-region-support-stack.ts
+++ b/packages/@aws-cdk/aws-codepipeline/lib/cross-region-support-stack.ts
@@ -34,11 +34,13 @@ export class CrossRegionSupportConstruct extends cdk.Construct {
 constructor(scope: cdk.Construct, id: string) {
 super(scope, id);
- const encryptionKey = new kms.Key(this, 'CrossRegionCodePipelineReplicationBucketEncryptionKey');
+ const encryptionKey = new kms.Key(this, 'CrossRegionCodePipelineReplicationBucketEncryptionKey', {
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ });
 const encryptionAlias = new AliasWithShorterGeneratedName(this, 'CrossRegionCodePipelineReplicationBucketEncryptionAlias', {
 targetKey: encryptionKey,
 aliasName: cdk.PhysicalName.GENERATE_IF_NEEDED,
- removalPolicy: cdk.RemovalPolicy.RETAIN,
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 this.replicationBucket = new s3.Bucket(this, 'CrossRegionCodePipelineReplicationBucket', {
 bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
diff --git a/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts b/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts
index b7312764fba14..6fc0b882a7b88 100644
--- a/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts
+++ b/packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts
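Review bot: The replication key is now created with `removalPolicy: cdk.RemovalPolicy.DESTROY`, but unlike the matching change in pipeline.ts there is no comment explaining why that is safe, and the `replicationBucket` built on the following lines (its properties continue outside the hunk) may outlive the key. Objects left in a bucket that survives the stack stay encrypted under a key that is scheduled for deletion, and they cannot be decrypted once that deletion completes. I would state this at the call site, e.g. `// key is scheduled for deletion with the stack; replicated artifacts still in the bucket become unreadable once the waiting period ends`. The same consequence applies to `ArtifactsBucketEncryptionKey` in the first pipeline.ts hunk, whose comment mentions the grace period but not what happens to retained artifacts afterwards.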
@@ -223,7 +223,11 @@ export class Pipeline extends PipelineBase {
 // If a bucket has been provided, use it - otherwise, create a bucket.
 let propsBucket = this.getArtifactBucketFromProps(props);
 if (!propsBucket) {
- const encryptionKey = new kms.Key(this, 'ArtifactsBucketEncryptionKey');
+ const encryptionKey = new kms.Key(this, 'ArtifactsBucketEncryptionKey', {
+ // remove the key - there is a grace period of a few days before it's gone for good,
+ // that should be enough for any emergency access to the bucket artifacts
+ removalPolicy: RemovalPolicy.DESTROY,
+ });
 propsBucket = new s3.Bucket(this, 'ArtifactsBucket', {
 bucketName: PhysicalName.GENERATE_IF_NEEDED,
 encryptionKey,
@@ -234,7 +238,7 @@ export class Pipeline extends PipelineBase {
 new kms.Alias(this, 'ArtifactsBucketEncryptionKeyAlias', {
 aliasName: this.generateNameForDefaultBucketKeyAlias(),
 targetKey: encryptionKey,
- removalPolicy: RemovalPolicy.RETAIN, // alias should be retained, like the key
+ removalPolicy: RemovalPolicy.DESTROY, // destroy the alias along with the key
 });
 }
 this.artifactBucket = propsBucket;
diff --git a/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts b/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts
index 3c09883230cf0..2bd441f2bfc11 100644
--- a/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts
+++ b/packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts
@@ -233,8 +233,8 @@ export = {
 }));
 expect(pipeline.crossRegionSupport[replicationRegion].stack).to(haveResourceLike('AWS::KMS::Alias', {
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain",
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete",
 }, ResourcePart.CompleteDefinition));
 test.done();
diff --git a/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json b/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json
index b7a1d5ca1de84..8bd8acf87ef53 100644
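Review bot: The new comment on `ArtifactsBucketEncryptionKey` only reasons about removing the stack, yet the decdk snapshot in this commit shows that `RemovalPolicy.DESTROY` also turns the key's `UpdateReplacePolicy` into `Delete`. If an update ever replaces the key, the old one is scheduled for deletion while artifacts encrypted under it may still sit in the bucket. "A few days" is also vague for something a user has to plan emergency access around. I would extend the comment along the lines of `// also applies on replacement: a replaced key is scheduled for deletion, and artifacts encrypted with it are unreadable after the waiting period`. The constructor this sits in starts and ends outside the hunk.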
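Review bot: The assertion updated in the test.pipeline.ts hunk only pins the removal policy of the `AWS::KMS::Alias` in the support stack; nothing visible in the hunk checks the `AWS::KMS::Key`, which is the resource whose deletion actually matters. A regression that flips the key back to `Retain`, or leaves the alias and key on different policies, would pass this test as shown. I would add a sibling check next to it, `expect(pipeline.crossRegionSupport[replicationRegion].stack).to(haveResourceLike('AWS::KMS::Key', { "DeletionPolicy": "Delete", "UpdateReplacePolicy": "Delete" }, ResourcePart.CompleteDefinition));`. The test function starts before the hunk, so an equivalent assertion may already exist there.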
--- a/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json
+++ b/packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json
@@ -71,8 +71,8 @@
 "Version": "2012-10-17"
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "pipelinePipeline22F2A91DArtifactsBucketC1799DCD": {
 "Type": "AWS::S3::Bucket",
@@ -107,8 +107,8 @@
 ]
 }
 },
- "DeletionPolicy": "Retain",
- "UpdateReplacePolicy": "Retain"
+ "DeletionPolicy": "Delete",
+ "UpdateReplacePolicy": "Delete"
 },
 "pipelinePipeline22F2A91DRole58B7B05E": {
 "Type": "AWS::IAM::Role",
diff --git a/packages/decdk/test/__snapshots__/synth.test.js.snap b/packages/decdk/test/__snapshots__/synth.test.js.snap
index 038b710553bf3..448db3229136d 100644
--- a/packages/decdk/test/__snapshots__/synth.test.js.snap
+++ b/packages/decdk/test/__snapshots__/synth.test.js.snap
@@ -1891,7 +1891,7 @@ Object {
 "UpdateReplacePolicy": "Retain",
 },
 "PipelineArtifactsBucketEncryptionKey01D58D69": Object {
- "DeletionPolicy": "Retain",
+ "DeletionPolicy": "Delete",
 "Properties": Object {
 "KeyPolicy": Object {
 "Statement": Array [
@@ -2010,10 +2010,10 @@ Object {
 },
 },
 "Type": "AWS::KMS::Key",
- "UpdateReplacePolicy": "Retain",
+ "UpdateReplacePolicy": "Delete",
 },
 "PipelineArtifactsBucketEncryptionKeyAlias5C510EEE": Object {
- "DeletionPolicy": "Retain",
+ "DeletionPolicy": "Delete",
 "Properties": Object {
 "AliasName": "alias/codepipeline-pipelinepipeline22f2a91d",
 "TargetKeyId": Object {
@@ -2024,7 +2024,7 @@ Object {
 },
 },
 "Type": "AWS::KMS::Alias",
- "UpdateReplacePolicy": "Retain",
+ "UpdateReplacePolicy": "Delete",
 },
 "PipelineBuildCodePipelineActionRoleD77A08E6": Object {
 "Properties": Object {