RETAIN removalPolicy on secret stack so it doesn't get deleted on synth

Time:04-29

I have a CDK stack, including a secrets stack, and I'm currently trying to do a deployment of my app. I have recently deleted a secret stack and container from ECR. However, as the currently deployed app relies on this, I get the following when deploying:

Export <redacted>-*******-secrets-stack:ExportsOutputRefoauth2proxysecret66696FAADBFA07E9 cannot be deleted as it is in use by <redacted>-*******-ecs-stack

So I added back the secret stack:

import { Stack, StackProps } from "aws-cdk-lib";
import { Construct } from "constructs";
import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";

interface SecretsStackProps extends StackProps {
  namespace: string;
}

export class SecretsStack extends Stack {
  public oauth2ProxySecrets: secretsmanager.Secret;
  public appSecrets: secretsmanager.Secret;

  constructor(scope: Construct, id: string, props: SecretsStackProps) {
    super(scope, id, props);

    // added this back
    this.oauth2ProxySecrets = new secretsmanager.Secret(this, `oauth2-proxy-secret`, {
      secretName: `${props.namespace}/<redacted>/oauth2-proxy`
    });
    //

    this.appSecrets = new secretsmanager.Secret(this, `app-secret`, {
      secretName: `${props.namespace}/<redacted>/app`
    });
  }
}

How would I go about retaining this stack? From my knowledge, as this container/stack is not being used, it's trying to delete the stack, but can't due to the current deployment.

Any help here would be great.

CodePudding user response:

This happens because it tries to update the stack with the secrets first, and then the stacks that used to import them.

This fails because exports cannot be deleted before imports.

The solution to removing the stack is to make it a two-step process. First, and this is the main part, we need to ensure that the exports are kept even though they are not imported anywhere. For that, a helper method exists: Stack.exportValue.

So you'd need to add the following to the exporting stack:

// Keep the exports in place even though nothing in the app imports them any more
this.exportValue(this.oauth2ProxySecrets.secretArn);
this.exportValue(this.appSecrets.secretArn);

After you do this, the deployment will go through. After the deployment, you will be free to remove the stack code completely, as it will not be decoupled from other stacks.
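
A pre-deployment check for the failure described above, as an added example that is not part of the original question or answer: it compares the exporting stack's newly synthesized template with the importing stack's deployed template and lists exports that are still imported but no longer declared. The stack names `demo-secrets-stack` and `demo-iam-stack`, the `COOKIE_SECRET` variable and the sample templates are constructed; only the oauth2-proxy export id comes from the error message.

```typescript
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
type JsonObject = { [key: string]: Json };

function asObject(node: Json | undefined): JsonObject | undefined {
  return node !== null && typeof node === "object" && !Array.isArray(node) ? node : undefined;
}

// Recursively collect every literal Fn::ImportValue name used in a template.
function collectImports(node: Json | undefined, found: string[] = []): string[] {
  if (Array.isArray(node)) {
    node.forEach((child) => collectImports(child, found));
  } else {
    const obj = asObject(node) ?? {};
    Object.keys(obj).forEach((key) => {
      const value = obj[key];
      if (key !== "Fn::ImportValue" || typeof value !== "string") collectImports(value, found);
      else if (found.indexOf(value) === -1) found.push(value);
    });
  }
  return found;
}

// Literal export names declared in a template's Outputs section.
function collectExports(template: Json): string[] {
  const outputs = asObject(asObject(template)?.["Outputs"]) ?? {};
  const names: string[] = [];
  Object.keys(outputs).forEach((id) => {
    const name = asObject(asObject(outputs[id])?.["Export"])?.["Name"];
    if (typeof name === "string") names.push(name);
  });
  return names;
}

// Exports of exporterStack still imported by the consumer but missing from the new exporter template.
function findBlockedExports(exporterStack: string, newExporter: Json, deployedConsumer: Json): string[] {
  const declared = collectExports(newExporter);
  return collectImports(deployedConsumer)
    .filter((n) => n.indexOf(exporterStack + ":") === 0 && declared.indexOf(n) === -1)
    .sort();
}

// Constructed, trimmed templates: stack names, env var name and the iam export are placeholders.
const OAUTH_EXPORT = "demo-secrets-stack:ExportsOutputRefoauth2proxysecret66696FAADBFA07E9";
const deployedEcs: Json = { Resources: { Task: { Properties: { ContainerDefinitions: [
  { Secrets: [{ Name: "COOKIE_SECRET", ValueFrom: { "Fn::ImportValue": OAUTH_EXPORT } }] }],
  ExecutionRoleArn: { "Fn::ImportValue": "demo-iam-stack:ExportsOutputFnGetAttroleArnEXAMPLE" } } } } };
const secretRemoved: Json = { Outputs: {} };
const secretKeptViaExportValue: Json = { Outputs: { KeptExport: {
  Value: { Ref: "oauth2proxysecret" }, Export: { Name: OAUTH_EXPORT } } } };
```

In practice the two inputs would be the exporter's template written to `cdk.out` by `cdk synth` and the consumer's template as returned by `aws cloudformation get-template`.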
