set removal policy for resources to destroy in sandbox deployments (#2242)

Author: rtpascual

.changeset/hip-yaks-remain.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/backend': patch
+---
+
+set removal policy for resources to destroy in sandbox deployments

packages/backend/src/engine/amplify_stack.test.ts

@@ -4,11 +4,19 @@ import { AmplifyStack } from './amplify_stack.js';
 import { Template } from 'aws-cdk-lib/assertions';
 import assert from 'node:assert';
 import { FederatedPrincipal, Role } from 'aws-cdk-lib/aws-iam';
+import { BackendIdentifier } from '@aws-amplify/plugin-types';
+import { Bucket } from 'aws-cdk-lib/aws-s3';
+
+const branchBackendId: BackendIdentifier = {
+  namespace: 'testId',
+  name: 'testBranch',
+  type: 'branch',
+};
 
 void describe('AmplifyStack', () => {
   void it('renames nested stack logical IDs to non-redundant value', () => {
     const app = new App();
-    const rootStack = new AmplifyStack(app, 'test-id');
+    const rootStack = new AmplifyStack(app, branchBackendId);
     new NestedStack(rootStack, 'testName');
 
     const rootStackTemplate = Template.fromStack(rootStack);
@@ -23,7 +31,7 @@ void describe('AmplifyStack', () => {
 
   void it('allows roles with properly configured cognito trust policies', () => {
     const app = new App();
-    const rootStack = new AmplifyStack(app, 'test-id');
+    const rootStack = new AmplifyStack(app, branchBackendId);
     new Role(rootStack, 'correctRole', {
       assumedBy: new FederatedPrincipal(
         'cognito-identity.amazonaws.com',
@@ -43,7 +51,7 @@ void describe('AmplifyStack', () => {
 
   void it('throws on roles with cognito trust policy missing amr condition', () => {
     const app = new App();
-    const rootStack = new AmplifyStack(app, 'test-id');
+    const rootStack = new AmplifyStack(app, branchBackendId);
     new Role(rootStack, 'missingAmrCondition', {
       assumedBy: new FederatedPrincipal(
         'cognito-identity.amazonaws.com',
@@ -64,7 +72,7 @@ void describe('AmplifyStack', () => {
 
   void it('throws on roles with cognito trust policy missing aud condition', () => {
     const app = new App();
-    const rootStack = new AmplifyStack(app, 'test-id');
+    const rootStack = new AmplifyStack(app, branchBackendId);
     new Role(rootStack, 'missingAudCondition', {
       assumedBy: new FederatedPrincipal(
         'cognito-identity.amazonaws.com',
@@ -82,4 +90,32 @@ void describe('AmplifyStack', () => {
         'Cannot create a Role trust policy with Cognito that does not have a StringEquals condition for cognito-identity.amazonaws.com:aud',
     });
   });
+
+  void it('keeps default removal policy of retain for resources in branch deployments', () => {
+    const app = new App();
+    const rootStack = new AmplifyStack(app, branchBackendId);
+    // bucket has default removal policy to retain
+    new Bucket(rootStack, 'testBucket', { enforceSSL: true });
+    const template = Template.fromStack(rootStack);
+
+    template.hasResource('AWS::S3::Bucket', {
+      DeletionPolicy: 'Retain',
+    });
+  });
+
+  void it('sets removal policy to destroy for resources in sandbox deployments', () => {
+    const app = new App();
+    const rootStack = new AmplifyStack(app, {
+      namespace: 'testId',
+      name: 'testSandbox',
+      type: 'sandbox',
+    });
+    // bucket has default removal policy to retain
+    new Bucket(rootStack, 'testBucket', { enforceSSL: true });
+    const template = Template.fromStack(rootStack);
+
+    template.hasResource('AWS::S3::Bucket', {
+      DeletionPolicy: 'Delete',
+    });
+  });
 });

packages/backend/src/engine/amplify_stack.ts

@@ -1,5 +1,16 @@
-import { AmplifyFault } from '@aws-amplify/platform-core';
-import { Aspects, CfnElement, IAspect, Stack } from 'aws-cdk-lib';
+import {
+  AmplifyFault,
+  BackendIdentifierConversions,
+} from '@aws-amplify/platform-core';
+import { BackendIdentifier } from '@aws-amplify/plugin-types';
+import {
+  Aspects,
+  CfnElement,
+  CfnResource,
+  IAspect,
+  RemovalPolicy,
+  Stack,
+} from 'aws-cdk-lib';
 import { Role } from 'aws-cdk-lib/aws-iam';
 import { Construct, IConstruct } from 'constructs';
 
@@ -10,9 +21,13 @@ export class AmplifyStack extends Stack {
   /**
    * Default constructor
    */
-  constructor(scope: Construct, id: string) {
-    super(scope, id);
+  constructor(scope: Construct, backendId: BackendIdentifier) {
+    super(scope, BackendIdentifierConversions.toStackName(backendId));
     Aspects.of(this).add(new CognitoRoleTrustPolicyValidator());
+
+    if (backendId.type === 'sandbox') {
+      Aspects.of(this).add(new SandboxRemovalPolicyDestroyAspect());
+    }
   }
   /**
    * Overrides Stack.allocateLogicalId to prevent redundant nested stack logical IDs
@@ -93,3 +108,12 @@ class CognitoRoleTrustPolicyValidator implements IAspect {
     }
   };
 }
+
+// This aspect sets removal policy of all resources to destroy for sandbox deployments
+class SandboxRemovalPolicyDestroyAspect implements IAspect {
+  visit(node: IConstruct): void {
+    if (CfnResource.isCfnResource(node)) {
+      node.applyRemovalPolicy(RemovalPolicy.DESTROY);
+    }
+  }
+}

packages/backend/src/project_environment_main_stack_creator.ts

@@ -2,7 +2,6 @@ import { BackendIdentifier, MainStackCreator } from '@aws-amplify/plugin-types';
 import { Construct } from 'constructs';
 import { Stack, Tags } from 'aws-cdk-lib';
 import { AmplifyStack } from './engine/amplify_stack.js';
-import { BackendIdentifierConversions } from '@aws-amplify/platform-core';
 
 /**
  * Creates stacks that are tied to a given project environment via an SSM parameter
@@ -22,10 +21,7 @@ export class ProjectEnvironmentMainStackCreator implements MainStackCreator {
    */
   getOrCreateMainStack = (): Stack => {
     if (this.mainStack === undefined) {
-      this.mainStack = new AmplifyStack(
-        this.scope,
-        BackendIdentifierConversions.toStackName(this.backendId)
-      );
+      this.mainStack = new AmplifyStack(this.scope, this.backendId);
     }
 
     const deploymentType = this.backendId.type;