Configuring AWS AppConfig deletion protection
AWS AppConfig provides an account setting to help prevent users from unintentionally deleting actively-used environments and configuration profiles. AWS AppConfig monitors calls to GetLatestConfiguration and GetConfiguration and tracks which configuration profiles and environments have been included in these calls within a 60-minute interval (the default setting). If you enable deletion protection and attempt to delete an active configuration profile or environment, AWS AppConfig returns an error.
Note
Note the following information.
-
Deletion protection is disabled by default.
-
You can increase the default interval to a maximum of 24 hours.
Use the following procedures to enable and configure AWS AppConfig deletion protection.
Before you begin
Update to the latest version of the AWS CLI. For more information, see Install or update to the latest version of the AWS CLI in the AWS Command Line Interface User Guide.
To enable AWS AppConfig deletion protection
-
Use the UpdateAccountSettings API to enable deletion protection. Run the following command in the AWS CLI. This command doesn't specify a value for the
ProtectionPeriodInMinutesparameter, which means the command leaves that setting unchanged.aws appconfig update-account-settings --deletion-protection Enabled=trueRun the following command to specify a different interval.
aws appconfig update-account-settings --deletion-protection Enabled=true,ProtectionPeriodInMinutes=a number between 15 and 1440
Note
To view the current deletion protection setting, run the following command. If you haven't configured deletion protection for your account, this command returns the default settings:
aws appconfig get-account-settings
To help you manage deletion protection, the DeleteEnvironment and
DeleteConfigurationProfile APIs include a parameter called
DeletionProtectionCheck. This parameter supports the following values:
-
BYPASS: Instructs AWS AppConfig to bypass the deletion protection check and delete a configuration profile even if deletion protection would have otherwise prevented it. -
APPLY: Instructs the deletion protection check to run, even if deletion protection is disabled at the account level.APPLYalso forces the deletion protection check to run against resources created in the past hour, which are normally excluded from deletion protection checks. -
ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in theUpdateAccountSettingsAPI.
Note
By default, DeletionProtectionCheck skips configuration profiles and
environments created in the past hour. The default configuration is intended to prevent deletion
protection from interferring with tests and demos that create short-lived resources. You can
override this behavior by passing DeletionProtectionCheck=APPLY when calling
DeleteEnvironment or DeleteConfigurationProfile.
The following simple walkthrough uses sample commands to illustrate how to use the
DeletionProtectionCheck parameter.
-
Call GetLatestConfiguration on a deployed configuration.
aws appconfigdata get-latest-configuration --configuration-token $(aws appconfigdata start-configuration-session --application-identifierID--environment-identifierID--configuration-profile-identifierID--query InitialConfigurationToken) outfile.txt -
Wait 60 seconds for AWS AppConfig to register that the configuration is active.
-
Run the following command to call DeleteEnvironment and apply deletion protection on the environment.
aws appconfig delete-environment --environment-idID--application-idID--deletion-protection-check APPLY -
If you call
DeleteEnvironmentagain within 60 minutes, the call returns an error like the following:An error occurred (BadRequestException) when calling the DeleteEnvironment operation: Environment Beta is actively being used in your application and cannot be deleted. -
Run the following command to bypass deletion protection and delete the environment.
aws appconfig delete-environment --environment-idID--application-idID--deletion-protection-check BYPASS
