aws synthetics: cleanup canary resources

[lukasnagl]

Describe the feature

Upon stack deletion I noticed that Canary constructs left behind not only lambda functions, but S3 buckets (containing screenshots) as well. I would have expected all resources created by the canary to be deleted automatically, or at least having a retention option on the Canary construct.

Use Case

On deletion of a Canary construct, all resources (lambdas, s3 buckets,…) created for it should be deleted by default.

Proposed Solution

I believe #26580 went for a solution approach, but is limited to the lambda function for the canary. Maybe this can be extended to all resources, or even made the default instead of a separate cleanup configuration?

Other Information

I saw similar efforts in #18448, which added lambda deletion but did not resolve s3 bucket deletion to my knowledge.

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.130.0

Environment details (OS name and version, etc.)

irrelevant

[pahud]

Yes we probably can do that from here

aws-cdk/packages/aws-cdk-lib/aws-synthetics/lib/canary.ts

Lines 318 to 320 in 0fee99b

	if (props.cleanup === Cleanup.LAMBDA) {
	this.cleanupUnderlyingResources();
	}

Making this a p2 feature-request, please help us prioritize with 👍 .

[sigJoe]

I was just about to create the same feature request, but in my mind the real issue is Log Groups rather than S3 buckets.

Here's my thoughts on the matter with a TLDR at the end:

S3 Buckets

When creating a Canary via CDK the stack output include an AWS::S3::Bucket object named MyCanaryArtifactsBucket... but it has DeletionPolicy: Retain so it doesn't get deleted by CFN. This isn't a good fit for the cleanupUnderlyingResources() function which is a separate Lambda, as that is for resources not created by the CloudFormation stack.

A workaround would be if you create the S3 Bucket separately then set the Canary artifactsBucketLocation parameter, you can specify the DeletionPolicy and retention of your choice. It would be a nice feature to pass Canary some logging properties and have it create a bucket with desired configuration.

Log Groups

Unlike S3 buckets and IAM roles, there's no workaround to manually create the log group. CDK can't do it because AWS doesn't allow it and the name isn't deterministic. The only way to handle this currently would be to add log group removal to that cleanup function.

Related issue: #23718

TLDR

• Canary cleanup should include log groups
• Canary cleanup has a workaround for deleting S3 buckets, but I agree there could be room for improvement
• Other resources (IAM roles) are already handled appropriately.

(updated twice)