AWS CDK Removal Policy - krdheeraj51/aws-labs GitHub Wiki

The Removal Policy in AWS Cloud Development Kit (CDK) is a crucial concept that defines the behavior of AWS resources when they are no longer managed by CloudFormation. This can occur under various circumstances, such as when a resource is removed from the CDK application, a change necessitating resource replacement is made, or the entire stack is deleted.

Key Concepts of Removal Policy

  1. Definition: The Removal Policy controls what happens to a resource when it stops being managed by CloudFormation. The three primary scenarios include:

    • The resource is removed from the template.
    • A modification requires the resource to be replaced.
    • The stack itself is deleted.
  2. Default Behavior: Many stateful resources in the AWS Construct Library default to a Removal Policy of RETAIN, which prevents accidental data loss. This means that if you delete the stack, the resources remain intact in your AWS account but become orphaned from the stack.

Types of Removal Policies

The AWS CDK provides several options for defining the removal policy:

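  • DESTROY: The resource is physically deleted when it is no longer part of the application. The CDK documents this as the default removal policy, although, as noted under Default Behavior, many stateful constructs override it with RETAIN. Use this option when you are sure that the data can be safely discarded.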

  • RETAIN: This policy retains the resource in your account, allowing for potential recovery later. It’s advisable to use this for resources containing critical data that should not be lost.

  • SNAPSHOT: This option deletes the resource but takes a snapshot of its data before deletion. It’s particularly useful for stateful resources like databases where you may want to preserve data for future use.

  • RETAIN_ON_UPDATE_OR_DELETE: This policy retains resources during both update and delete operations, ensuring that important data remains intact even if changes are made to the stack.

Applying Removal Policies

When defining a resource in your CDK stack, you can specify its removal policy directly. Here’s an example in TypeScript:

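import * as cdk from 'aws-cdk-lib';
import { RemovalPolicy } from 'aws-cdk-lib';
import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
import { Construct } from 'constructs';

export class MyStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const table = new dynamodb.Table(this, 'MyTable', {
      partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
      removalPolicy: RemovalPolicy.DESTROY, // Change to RETAIN as needed (DynamoDB tables do not support SNAPSHOT)
    });
  }
}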

Important Considerations

  • Always carefully consider which removal policy to apply based on the importance of the data contained within your resources.

  • If you manually delete resources outside of CDK management, it can lead to inconsistencies and errors during subsequent deployments. Always manage resources through your CDK code to avoid such issues.

  • For stateful resources that may contain sensitive or important data, using RETAIN is generally recommended to prevent accidental data loss.
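One way to check these considerations before deployment, as an added example that is not part of the original wiki page: the CDK writes a removal policy into the synthesized template as the CloudFormation DeletionPolicy and UpdateReplacePolicy attributes, so a script can flag stateful resources that would be deleted. The list of stateful types, the function name and the sample template are assumptions constructed for illustration.

```typescript
// Added example: audit a synthesized CloudFormation template for stateful
// resources that CloudFormation would delete. The sample template is constructed.
type Resource = { Type: string; DeletionPolicy?: string; UpdateReplacePolicy?: string };
type Template = { Resources: Record<string, Resource> };
interface Finding { logicalId: string; type: string; attribute: string; value: string }

// Assumption: the resource types this audit treats as stateful; extend as needed.
const STATEFUL_TYPES = new Set([
  'AWS::DynamoDB::Table', 'AWS::S3::Bucket', 'AWS::RDS::DBInstance',
  'AWS::RDS::DBCluster', 'AWS::EC2::Volume', 'AWS::Logs::LogGroup',
]);
// Policy values that keep the data (or a snapshot of it).
const SAFE = new Set(['Retain', 'RetainExceptOnCreate', 'Snapshot']);

function auditRemovalPolicies(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (!STATEFUL_TYPES.has(res.Type)) continue;
    // A removal policy is emitted as both attributes; check each on its own,
    // because an overridden or hand-edited template can set only one of them.
    for (const attribute of ['DeletionPolicy', 'UpdateReplacePolicy'] as const) {
      // Absent is treated as Delete, CloudFormation's default for most resource types.
      const value = res[attribute] ?? 'Delete';
      if (!SAFE.has(value)) findings.push({ logicalId, type: res.Type, attribute, value });
    }
  }
  return findings;
}

// Constructed sample resembling `cdk synth` output (logical IDs are made up).
const sampleTemplate: Template = {
  Resources: {
    OrdersTable: { Type: 'AWS::DynamoDB::Table', DeletionPolicy: 'Delete', UpdateReplacePolicy: 'Delete' },
    AuditBucket: { Type: 'AWS::S3::Bucket', DeletionPolicy: 'Retain', UpdateReplacePolicy: 'Retain' },
    ReportsDb: { Type: 'AWS::RDS::DBInstance', DeletionPolicy: 'Snapshot' },
    WorkerRole: { Type: 'AWS::IAM::Role' },
  },
};

for (const f of auditRemovalPolicies(sampleTemplate)) {
  console.log(`${f.logicalId} (${f.type}): ${f.attribute}=${f.value}`);
}
```

Run against the JSON template in cdk.out in a CI step, a non-empty result can fail the build before a stateful resource is deployed with a deleting policy.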

Conclusion

Understanding and effectively managing removal policies in AWS CDK is essential for maintaining control over your cloud resources and ensuring data integrity. By selecting the appropriate removal policy, developers can safeguard against unintended deletions and facilitate better resource management practices within their AWS environments.
