Configuring AWS AppConfig deletion protection - AWS AppConfig

Configuring AWS AppConfig deletion protection

AWS AppConfig provides an account setting to help prevent users from unintentionally deleting actively-used environments and configuration profiles. AWS AppConfig monitors calls to GetLatestConfiguration and GetConfiguration and tracks which configuration profiles and environments have been included in these calls within a 60-minute interval (the default setting). If you enable deletion protection and attempt to delete an active configuration profile or environment, AWS AppConfig returns an error.

Note

Note the following information.

  • Deletion protection is disabled by default.

  • You can increase the default interval to a maximum of 24 hours.

Use the following procedures to enable and configure AWS AppConfig deletion protection.

Before you begin

Update to the latest version of the AWS CLI. For more information, see Install or update to the latest version of the AWS CLI in the AWS Command Line Interface User Guide.

To enable AWS AppConfig deletion protection
  • Use the UpdateAccountSettings API to enable deletion protection. Run the following command in the AWS CLI. This command doesn't specify a value for the ProtectionPeriodInMinutes parameter, which means the command leaves that setting unchanged.

    aws appconfig update-account-settings --deletion-protection Enabled=true

    Run the following command to specify a different interval.

    aws appconfig update-account-settings --deletion-protection Enabled=true,ProtectionPeriodInMinutes=a number between 15 and 1440
Note

To view the current deletion protection setting, run the following command. If you haven't configured deletion protection for your account, this command returns the default settings:

aws appconfig get-account-settings

To help you manage deletion protection, the DeleteEnvironment and DeleteConfigurationProfile APIs include a parameter called DeletionProtectionCheck. This parameter supports the following values:

  • BYPASS: Instructs AWS AppConfig to bypass the deletion protection check and delete a configuration profile even if deletion protection would have otherwise prevented it.

  • APPLY: Instructs the deletion protection check to run, even if deletion protection is disabled at the account level. APPLY also forces the deletion protection check to run against resources created in the past hour, which are normally excluded from deletion protection checks.

  • ACCOUNT_DEFAULT: The default setting, which instructs AWS AppConfig to implement the deletion protection value specified in the UpdateAccountSettings API.

Note

By default, DeletionProtectionCheck skips configuration profiles and environments created in the past hour. The default configuration is intended to prevent deletion protection from interfering with tests and demos that create short-lived resources. You can override this behavior by passing DeletionProtectionCheck=APPLY when calling DeleteEnvironment or DeleteConfigurationProfile.

The following simple walkthrough uses sample commands to illustrate how to use the DeletionProtectionCheck parameter.

  1. Call GetLatestConfiguration on a deployed configuration.

    aws appconfigdata get-latest-configuration --configuration-token $(aws appconfigdata start-configuration-session --application-identifier ID --environment-identifier ID --configuration-profile-identifier ID --query InitialConfigurationToken --output text) outfile.txt
  2. Wait 60 seconds for AWS AppConfig to register that the configuration is active.

  3. Run the following command to call DeleteEnvironment and apply deletion protection on the environment.

    aws appconfig delete-environment --environment-id ID --application-id ID --deletion-protection-check APPLY
  4. If you call DeleteEnvironment again within 60 minutes, the call returns an error like the following:

    An error occurred (BadRequestException) when calling the DeleteEnvironment operation: Environment Beta is actively being used in your application and cannot be deleted.
  5. Run the following command to bypass deletion protection and delete the environment.

    aws appconfig delete-environment --environment-id ID --application-id ID --deletion-protection-check BYPASS
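The following Python model is an added example, not AWS code and not the AppConfig API: it reproduces only the rules stated on this page (the activity window measured from the last GetLatestConfiguration call, the 15 to 1440 minute bounds on ProtectionPeriodInMinutes, the one-hour exemption for newly created resources, and the BYPASS, APPLY and ACCOUNT_DEFAULT values of DeletionProtectionCheck) so that you can see which combinations of account setting, resource age and check mode allow or block a delete. The class and function names, the resource id "Beta" and the clock values are assumptions constructed for the example; `walkthrough()` replays the five-step procedure above against the model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Bounds and defaults stated on the page.
MIN_PERIOD_MINUTES = 15
MAX_PERIOD_MINUTES = 1440
DEFAULT_PERIOD_MINUTES = 60
NEW_RESOURCE_EXEMPTION = timedelta(hours=1)   # resources younger than this are skipped by default
CHECK_MODES = ("BYPASS", "APPLY", "ACCOUNT_DEFAULT")


class DeletionProtectedError(Exception):
    """Stands in for the BadRequestException the CLI reports in the walkthrough."""


@dataclass
class AccountSettings:
    """Hypothetical mirror of the setting written by update-account-settings."""
    enabled: bool = False                                  # disabled by default
    protection_period_minutes: int = DEFAULT_PERIOD_MINUTES

    def update(self, enabled=None, protection_period_minutes=None):
        # Like the CLI command, an omitted value leaves the existing setting unchanged.
        if enabled is not None:
            self.enabled = enabled
        if protection_period_minutes is not None:
            if not MIN_PERIOD_MINUTES <= protection_period_minutes <= MAX_PERIOD_MINUTES:
                raise ValueError(f"ProtectionPeriodInMinutes must be between "
                                 f"{MIN_PERIOD_MINUTES} and {MAX_PERIOD_MINUTES}")
            self.protection_period_minutes = protection_period_minutes
        return self


@dataclass
class DeletionProtectionModel:
    """Hypothetical model: creation and last-use time per environment/profile id."""
    settings: AccountSettings = field(default_factory=AccountSettings)
    created_at: dict = field(default_factory=dict)
    last_used: dict = field(default_factory=dict)

    def create(self, resource_id, now):
        self.created_at[resource_id] = now

    def get_latest_configuration(self, resource_id, now):
        # AppConfig records which resources GetLatestConfiguration touched and when.
        self.last_used[resource_id] = now

    def is_active(self, resource_id, now):
        used = self.last_used.get(resource_id)
        window = timedelta(minutes=self.settings.protection_period_minutes)
        return used is not None and now - used <= window

    def delete(self, resource_id, now, check="ACCOUNT_DEFAULT"):
        if check not in CHECK_MODES:
            raise ValueError(f"unknown DeletionProtectionCheck value: {check}")
        if resource_id not in self.created_at:
            raise KeyError(resource_id)
        if check == "BYPASS":
            run_check = False                              # skip the check entirely
        elif check == "APPLY":
            run_check = True                               # run even if disabled, even for new resources
        else:                                              # ACCOUNT_DEFAULT
            is_new = now - self.created_at[resource_id] < NEW_RESOURCE_EXEMPTION
            run_check = self.settings.enabled and not is_new
        if run_check and self.is_active(resource_id, now):
            raise DeletionProtectedError(f"Environment {resource_id} is actively being used "
                                         f"in your application and cannot be deleted.")
        del self.created_at[resource_id]
        self.last_used.pop(resource_id, None)
        return "DELETED"


def _outcome(model, resource_id, now, check):
    try:
        return model.delete(resource_id, now, check)
    except DeletionProtectedError:
        return "PROTECTED"


def _model(now, enabled=False, age=timedelta(days=1), used_ago=timedelta(0), period=60):
    # Constructed fixture: one resource "Beta" of the given age, last read used_ago before now.
    m = DeletionProtectionModel(AccountSettings().update(enabled, period))
    m.create("Beta", now - age)
    m.get_latest_configuration("Beta", now - used_ago)
    return m


def demo_scenarios():
    """Apply the page's rules over constructed clocks; returns {scenario: outcome}."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
    results = {
        "disabled_active_default": _outcome(_model(now), "Beta", now, "ACCOUNT_DEFAULT"),
        "enabled_new_default": _outcome(_model(now, True, timedelta(minutes=30)), "Beta", now, "ACCOUNT_DEFAULT"),
        "enabled_new_apply": _outcome(_model(now, True, timedelta(minutes=30)), "Beta", now, "APPLY"),
        "enabled_old_default": _outcome(_model(now, True), "Beta", now, "ACCOUNT_DEFAULT"),
        "idle_90_window_60": _outcome(_model(now, True, used_ago=timedelta(minutes=90)), "Beta", now, "ACCOUNT_DEFAULT"),
        "idle_90_window_120": _outcome(_model(now, True, used_ago=timedelta(minutes=90), period=120), "Beta", now, "ACCOUNT_DEFAULT"),
    }
    try:
        AccountSettings().update(protection_period_minutes=10)  # below the 15-minute floor
        results["period_10"] = "ACCEPTED"
    except ValueError:
        results["period_10"] = "REJECTED"
    return results


def walkthrough():
    """Replay the walkthrough: read the configuration, delete with APPLY, then with BYPASS."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    m = _model(now)                                        # account default: protection disabled
    now += timedelta(seconds=60)                           # step 2: wait for the read to register
    return [_outcome(m, "Beta", now, "APPLY"), _outcome(m, "Beta", now, "BYPASS")]  # steps 3 to 5
```

The point the model makes visible is that with the account setting left at its default, only an explicit `APPLY` protects an active resource, and a resource created in the past hour is unprotected under `ACCOUNT_DEFAULT` even when protection is enabled; an `APPLY` delete is therefore the only mode that is safe to use in automation regardless of account state.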