Skip to content

fix(codepipeline): prevent S3 bucket orphaning in cross-region support stacks #35692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

fix(codepipeline): prevent S3 bucket orphaning in cross-region support stacks #35692

wants to merge 1 commit into from

Conversation

ychjamie
Copy link

@ychjamie ychjamie commented Oct 7, 2025
edited
Loading

Issue # (if applicable)

Closes #35654.

Reason for this change

When using CDK Pipelines with cross-region deployments, the S3 replication bucket created by the cross-region support stack is orphaned during cdk destroy operations. This prevents clean teardown of preview/ephemeral environments and causes redeployment failures due to existing bucket conflicts.

Description of changes

Added removalPolicy: cdk.RemovalPolicy.DESTROY to the S3 replication bucket in CrossRegionSupportConstruct. This aligns the bucket's lifecycle management with the existing KMS key pattern in the same file and enables proper cleanup during stack destruction.

Key changes:

  • Added removalPolicy: cdk.RemovalPolicy.DESTROY to S3 bucket configuration (line 85 in cross-region-support-stack.ts)
  • Added 2 unit tests to verify CloudFormation template includes DeletionPolicy: Delete
  • Tests validate lifecycle consistency across all synthesis modes

Design decision: Used removalPolicy only (not autoDeleteObjects) to avoid bootstrap asset dependencies and ensure compatibility with all synthesis modes, including BootstraplessSynthesizer.

CloudFormation impact: Adds DeletionPolicy: Delete to the S3 bucket resource in cross-region support stacks. Existing stacks can be updated without issues.

Describe any new or updated permissions being added

N/A - No IAM permissions changes. This change only affects CloudFormation resource deletion behavior.

Description of how you validated changes

  • Unit tests: Added 2 new test cases (8 total executions via parameterization):
    • "support stack bucket has DeletionPolicy Delete" - Verifies CloudFormation template includes DeletionPolicy: Delete
    • "bucket has DeletionPolicy Delete matching KMS key pattern" - Ensures lifecycle consistency
  • Test coverage: All synthesis modes tested (legacy/modern × with/without Stage)
  • Regression testing: All 366 existing tests continue to pass
  • CloudFormation validation: Template generation verified to include DeletionPolicy: Delete on S3 bucket resource

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

fix(codepipeline): prevent S3 bucket orphaning in cross-region suppor…
077b3d7 
…t stacks

Add removalPolicy: DESTROY to the S3 replication bucket in
CrossRegionSupportConstruct to enable proper cleanup during cdk destroy.
This aligns with the existing KMS key lifecycle pattern and enables
clean teardown of preview/ephemeral environments.

Fixes aws#35654
@aws-cdk-automation aws-cdk-automation requested a review from a team October 7, 2025 22:53
@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Oct 7, 2025
aws-cdk-automation
aws-cdk-automation requested changes Oct 7, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

@pahud pahud self-assigned this Oct 8, 2025
@pahud pahud marked this pull request as draft October 8, 2025 17:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@pahud pahud

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(cdk pipelines): cdk pipeline support stacks should delete and not orphan s3 buckets

3 participants

@ychjamie @aws-cdk-automation @pahud