
fix(cdk): exclude ResolverQueryLoggingConfig from resource tags #222

Merged
krokoko merged 2 commits into main from fix/221-exclude-querylog-from-tags
Jun 1, 2026

Conversation

@scottschreckengaust
Contributor

Summary

  • Excludes AWS::Route53Resolver::ResolverQueryLoggingConfig from stack-level Tags.of() calls
  • Fixes UPDATE_FAILED on every deploy where github:sha (or any tag value) changes

Problem

CfnResolverQueryLoggingConfig is a create-only resource — ALL property changes (including Tags) trigger CloudFormation replacement. This cascades:

  1. Config replaced → new physical ID
  2. Association detects changed ResolverQueryLogConfigId → triggers replacement
  3. CF tries Create-before-Delete on association → Route53 Resolver rejects (one-association-per-VPC constraint) → InvalidRequest

Trade-off

This one resource type won't have tag parity with the rest of the stack. The associated LogGroup, VPC, and all other resources still get full tags. The QueryLogConfig is identifiable by its fixed Name property (agent-dns-query-log).

Test plan

  • npx tsc --noEmit — clean compile
  • jest dns-firewall — 19/19 tests pass
  • cdk synth — confirms DnsFirewallQueryLogConfig4CCCED66 has no Tags property
  • Deploy to dev account — verify no UPDATE_FAILED

Closes #221

🤖 Generated with Claude Code

scottschreckengaust and others added 2 commits June 1, 2026 20:50
CfnResolverQueryLoggingConfig treats tag changes as requiring
replacement, cascading to the per-VPC association which fails due to
the one-association-per-VPC uniqueness constraint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The Association depends on the Config's physical ID. Even though PR #221
excluded the Config from tagging (preventing its replacement), the
Association's CloudFormation state still references a stale Config ID
from a prior failed replacement. Adding it to excludeResourceTypes
prevents any future tag-induced update attempt on either resource.

Part of #221, parent issue #229.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust scottschreckengaust force-pushed the fix/221-exclude-querylog-from-tags branch from 0fdf9d2 to 7ce5cf9 Compare June 1, 2026 20:51
@scottschreckengaust scottschreckengaust marked this pull request as ready for review June 1, 2026 22:14
@scottschreckengaust scottschreckengaust requested a review from a team as a code owner June 1, 2026 22:14
@krokoko krokoko added this pull request to the merge queue Jun 1, 2026
Merged via the queue into main with commit 5c38092 Jun 1, 2026
7 checks passed
@krokoko krokoko deleted the fix/221-exclude-querylog-from-tags branch June 1, 2026 22:17
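
The "cdk synth" check from the test plan, written as a reusable guard over synthesized templates; this is an added example, not code from this PR or repository. It assumes the two excluded types are the config and its per-VPC association (the association's type name comes from CloudFormation, not from this page), and the `Vpc` logical ID and sha values are constructed.

```typescript
// Added example: pre-deploy guard over `cdk synth` output (CloudFormation JSON).
interface CfnResource { Type: string; Properties?: Record<string, unknown>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }
interface Finding { logicalId: string; reason: "has-tags" | "properties-changed"; }

// Assumption of this example: the two resource types the PR excludes from tagging.
const REPLACE_ON_CHANGE = new Set<string>([
  "AWS::Route53Resolver::ResolverQueryLoggingConfig",
  "AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation",
]);

// Key-order-independent serialization, so reordered keys are not reported as changes.
function canonical(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    const body = Object.keys(o).sort().map((k) => JSON.stringify(k) + ":" + canonical(o[k]));
    return "{" + body.join(",") + "}";
  }
  return JSON.stringify(v);
}

// `next` is the freshly synthesized template; `deployed` (optional) is the last deployed one.
function checkTemplate(next: CfnTemplate, deployed?: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(next.Resources)) {
    if (!REPLACE_ON_CHANGE.has(res.Type)) continue;
    const props = res.Properties ?? {};
    if ("Tags" in props) findings.push({ logicalId, reason: "has-tags" });
    const prev = deployed?.Resources[logicalId];
    if (prev && canonical(prev.Properties ?? {}) !== canonical(props)) {
      findings.push({ logicalId, reason: "properties-changed" });
    }
  }
  return findings;
}

// Constructed sample: the config from the PR, tagged (pre-fix) or untagged (post-fix).
// The "Vpc" logical ID and the sha values are made up for illustration.
function sample(sha: string, tagConfig: boolean): CfnTemplate {
  const tags = tagConfig ? { Tags: [{ Key: "github:sha", Value: sha }] } : {};
  return { Resources: {
    DnsFirewallQueryLogConfig4CCCED66: {
      Type: "AWS::Route53Resolver::ResolverQueryLoggingConfig",
      Properties: { Name: "agent-dns-query-log", ...tags },
    },
    Vpc: { Type: "AWS::EC2::VPC", Properties: { Tags: [{ Key: "github:sha", Value: sha }] } },
  } };
}
```

Run in CI after synth, a non-empty result from `checkTemplate` means the next deploy would attempt the replacement cascade described in the PR.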