[CLOUDS-7349] Prevent deletion when using CFT for existing account#277
Open
[CLOUDS-7349] Prevent deletion when using CFT for existing account#277
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note: Please remember to review the contribution guidelines
if you have not yet done so.
What does this PR do?
When deploying a CloudFormation stack/StackSet to an AWS account that already has a Datadog integration registered, the Lambda handler blindly POSTs to the Datadog API, gets a 409 Conflict, reports FAILED to CloudFormation, which triggers a rollback. The rollback sends a Delete event that removes the pre-existing integration. A similar effect occurs when using the same IAMRoleName.
Changes:
On Create, before blindly POSTing to the Datadog API, we now call GET to check if the account is already registered. If it is, we use PATCH (update) instead of POST (create), avoiding the 409 conflict.
When we detect a pre-existing integration and PATCH it, we set the CloudFormation PhysicalResourceId to "PREEXISTING". On the Delete handler (which fires during rollback), we check this ID — if it's "PREEXISTING", we skip the delete and return SUCCESS, preserving the customer's existing integration.
These two cases should prevent account deletion during unintentional rollbacks from the stack.
Motivation
What inspired you to submit this pull request?
Testing Guidelines
Tested in my
sbx-david-playgroundaccount in staging.Test 1: deployed the template using the same role name -
In this case, the first stack succeeds and the integration is created (verified on the main AWS tile). Then, I tried deploying again using the same role name. While this time the stack fails, the account is not deleted and kept with the same integration role name before.
Test 2: deployed the template using different role name -
Like in the first test, the first stack succeeds and the integration is created with no issue. Running the template again with a different role name updates the previous integration/account with the updated role name.
Additional Notes
Anything else we should know when reviewing?