
@aws-cdk/aws-synthetics: Canary within VPC won't delete ENI and its associated lambda when undeploy #22282

Closed
ynyany opened this issue Sep 29, 2022 · 5 comments
Labels
@aws-cdk/aws-synthetics Related to Amazon CloudWatch Synthetics bug This issue is a bug. p2

Comments

ynyany (Author) commented Sep 29, 2022

Describe the bug

  1. put canary into VPC with an existing security group
  2. deploy the canary
  3. undeploy the stack
  4. stack failed to deconstruct lambda (of this canary cwyn-xx) and the ENI it created

If I manually remove the lambda and its ENI, then the stack can be deleted.

Expected Behavior

Stack deletes automatically, including the lambda (behind the canary) and the ENI it created

Current Behavior

Cannot delete the lambda (behind the canary) and the ENI it created automatically

Reproduction Steps

  1. put canary into VPC with an existing security group
  2. deploy the canary
  3. undeploy the stack
  4. stack failed to deconstruct lambda (of this canary cwyn-xx) and the ENI it created

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.42.1

Framework Version

No response

Node.js Version

14

OS

macos

Language

Typescript

Language Version

No response

Other information

No response

@ynyany ynyany added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 29, 2022
@github-actions github-actions bot added the @aws-cdk/aws-synthetics Related to Amazon CloudWatch Synthetics label Sep 29, 2022
peterwoodworth (Contributor) commented:

Could you provide reproduction code please @ynyany? Are you using our L2 Canary construct or a CfnCanary?

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 29, 2022
ynyany (Author) commented Sep 29, 2022

I am using the L1 canary, but I looked into the L2 canary; it should be the same.

Gist of the canary code:

```typescript
import * as cdk from "aws-cdk-lib";
import * as synthetics from "aws-cdk-lib/aws-synthetics";

// Security group attached to the Lambda that Synthetics runs for the canary.
const allowLambdaSg = new cdk.aws_ec2.SecurityGroup(this, "SecurityGroup", {
  vpc: vpc,
  description: "Security group allowing lambda SG to access OPA ",
  allowAllOutbound: true,
});

// VPC placement passed to the L1 canary. Note: vpc.privateSubnets only returns
// PRIVATE_WITH_EGRESS subnets; PRIVATE_ISOLATED subnets are in vpc.isolatedSubnets.
const vpcConfig = {
  vpcId: vpc.vpcId,
  subnetIds: vpc.privateSubnets.map((subnet) => subnet.subnetId),
  securityGroupIds: [allowLambdaSg.securityGroupId],
};

// L1 canary. artifactsBucket, prefix, props, scheduleExpressString,
// this.canaryRole and this.createCode belong to the surrounding construct
// and are not shown in this gist.
new synthetics.CfnCanary(this, "Canary", {
  artifactS3Location: artifactsBucket.bucket.s3UrlForObject(prefix),
  executionRoleArn: this.canaryRole.roleArn,
  runtimeVersion: props.runtime.name,
  name: props.canaryName,
  schedule: {
    expression: scheduleExpressString,
  },
  startCanaryAfterCreation: props.startAfterCreation ?? true,
  code: this.createCode(props.test),
  runConfig: {
    activeTracing: true,
    timeoutInSeconds: props.timeoutInSeconds ?? 15,
    environmentVariables: props.environmentVariables,
  },
  vpcConfig,
});
```

where `vpc` is just a new VPC created by:

```typescript
// One isolated and one public subnet per AZ.
const subnets = [
  {
    cidrMask: 24,
    name: "PrivateSubnetA",
    subnetType: cdk.aws_ec2.SubnetType.PRIVATE_ISOLATED,
  },
  {
    cidrMask: 24,
    name: "PublicSubnetA",
    subnetType: cdk.aws_ec2.SubnetType.PUBLIC,
  },
];

// VPC with an S3 gateway endpoint and two NAT gateways, spread over two AZs.
const vpc = new cdk.aws_ec2.Vpc(this, "object-extension-Vpc", {
  gatewayEndpoints: {
    S3: { service: cdk.aws_ec2.GatewayVpcEndpointAwsService.S3 },
  },
  maxAzs: 2,
  natGatewayProvider: cdk.aws_ec2.NatProvider.gateway(),
  natGateways: 2,
  subnetConfiguration: subnets,
});
```

Nothing special; the CFN provided did not delete the lambda associated with the canary, and therefore not the ENI. Because of this behaviour the whole stack cannot be deleted.

ynyany (Author) commented Sep 29, 2022

Furthermore, there's an AWS blog post on a similar issue (outside a VPC): https://aws.amazon.com/blogs/mt/delete-amazon-cloudwatch-synthetics-dependent-resources-when-you-delete-a-cloudformation-stack/
This is blocking customers from properly deleting our AWS solution.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 29, 2022
kaizencc (Contributor) commented:

Hi @ynyany, this is not a CDK bug. The behavior you describe is how Canaries work -- when you delete the canary, you must manually delete the underlying resources on your own. There is an issue we're tracking for supporting this as a feature request: #18448 but we're not likely to take that up soon.

If you need an automated way to delete resources that come with your canary, my only suggestion is to follow the blog post you've linked and/or +1 the issue I've linked.
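To show what the "automated way" from the linked blog post amounts to in practice, here is an added example, not code from this issue or from aws-cdk: the Delete-time logic of a CloudFormation custom resource that looks up the canary's engine Lambda (the `EngineArn` returned by `GetCanary`) and deletes that function. Once the function is gone, Lambda releases the VPC ENIs it created, which is the resource that blocked the stack delete above. The AWS SDK calls sit behind two small interfaces (`SyntheticsApi`, `LambdaApi`, assumed names) so the handler can be exercised offline against constructed fakes; in a deployment you would back them with the Synthetics and Lambda SDK clients. The version qualifier on `EngineArn` and the `cwsyn-` function name prefix are assumptions drawn from how Synthetics names its resources.

```typescript
// Added example (not from the issue or aws-cdk): Delete-time cleanup for a
// CloudFormation custom resource that removes the Lambda function behind a
// CloudWatch Synthetics canary so the stack delete is not blocked by its ENIs.

export interface SyntheticsApi {
  // Returns GetCanary's Canary.EngineArn, or undefined if the canary is gone.
  getCanaryEngineArn(canaryName: string): Promise<string | undefined>;
}

export interface LambdaApi {
  // DeleteFunction; throws an Error named "ResourceNotFoundException" when the
  // function no longer exists, mirroring the SDK's error name.
  deleteFunction(functionName: string): Promise<void>;
}

export interface CustomResourceEvent {
  RequestType: "Create" | "Update" | "Delete";
  ResourceProperties: { CanaryName: string };
}

export interface CleanupResult {
  status: "SUCCESS" | "FAILED";
  deletedFunction?: string;
  reason?: string;
}

// Assumption: EngineArn carries a version qualifier, e.g.
// arn:aws:lambda:REGION:ACCOUNT:function:cwsyn-NAME-ID:1. DeleteFunction on a
// qualified ARN removes only that version, so the qualifier is stripped.
export function unqualifiedFunctionArn(engineArn: string): string {
  const parts = engineArn.split(":");
  return parts.length > 7 ? parts.slice(0, 7).join(":") : engineArn;
}

export async function handleCleanup(
  event: CustomResourceEvent,
  api: { synthetics: SyntheticsApi; lambda: LambdaApi },
): Promise<CleanupResult> {
  // Nothing to clean up on Create or Update.
  if (event.RequestType !== "Delete") return { status: "SUCCESS", reason: "no-op" };

  const engineArn = await api.synthetics.getCanaryEngineArn(event.ResourceProperties.CanaryName);
  if (!engineArn) return { status: "SUCCESS", reason: "canary already gone" };

  const functionArn = unqualifiedFunctionArn(engineArn);
  try {
    await api.lambda.deleteFunction(functionArn);
  } catch (err) {
    // Idempotent: an already-deleted function is success; any other failure is
    // surfaced so the leaked resource is visible instead of silently ignored.
    if ((err as Error).name === "ResourceNotFoundException") {
      return { status: "SUCCESS", reason: "function already deleted" };
    }
    return { status: "FAILED", reason: String(err) };
  }
  return { status: "SUCCESS", deletedFunction: functionArn };
}

// Constructed in-memory fakes standing in for the SDK clients.
export class FakeSynthetics implements SyntheticsApi {
  engineArns: Record<string, string>;
  constructor(engineArns: Record<string, string>) { this.engineArns = engineArns; }
  async getCanaryEngineArn(name: string): Promise<string | undefined> { return this.engineArns[name]; }
}

export class FakeLambda implements LambdaApi {
  functions: Set<string>;
  constructor(functions: Iterable<string>) { this.functions = new Set(functions); }
  async deleteFunction(name: string): Promise<void> {
    if (!this.functions.has(name)) {
      const err = new Error(`Function not found: ${name}`);
      err.name = "ResourceNotFoundException";
      throw err;
    }
    this.functions.delete(name);
  }
}

// Constructed sample: one canary whose engine function exists in the account.
export const SAMPLE_ENGINE_ARN =
  "arn:aws:lambda:us-east-1:123456789012:function:cwsyn-demo-canary-0123abcd";

export async function demo(): Promise<{ first: CleanupResult; second: CleanupResult; remaining: number }> {
  const lambda = new FakeLambda([SAMPLE_ENGINE_ARN]);
  const synthetics = new FakeSynthetics({ "demo-canary": SAMPLE_ENGINE_ARN + ":1" });
  const event: CustomResourceEvent = { RequestType: "Delete", ResourceProperties: { CanaryName: "demo-canary" } };
  const first = await handleCleanup(event, { synthetics, lambda });  // deletes the engine function
  const second = await handleCleanup(event, { synthetics, lambda }); // retry is idempotent, still SUCCESS
  return { first, second, remaining: lambda.functions.size };
}
```

When wiring this into a CDK stack as a `CustomResource`, make the custom resource depend on the canary so CloudFormation deletes it first, while `GetCanary` can still resolve the engine ARN. The handler's role only needs `synthetics:GetCanary` on that canary and `lambda:DeleteFunction` scoped to the `cwsyn-<canaryName>-*` function ARNs; nothing broader. Lambda releases the VPC ENIs asynchronously after the function is deleted, so a security group removal that immediately follows can still lag by some minutes.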

github-actions bot commented:

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
