You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/guides/DEPLOYMENT_GUIDE.md
+61Lines changed: 61 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -161,6 +161,67 @@ Triggers via `workflow_run` when `build.yml` completes successfully. The pipelin
161
161
-**Allowlist compute types**: Edit `ALLOWED_COMPUTE_TYPES` in `deploy.yml`.
162
162
-**Deploy via PR label**: Add the `deploy:<type>` label to a PR (e.g., `deploy:agentcore`).
163
163
164
+
## Known deployment issues
165
+
166
+
### DNS Query Log Config replacement cascade (upgrading from pre-v0.5)
167
+
168
+
**Affects:** Stacks deployed *before* the tag-exclusion fix ([#222](https://github.com/aws-samples/sample-autonomous-cloud-coding-agents/pull/222)). Stacks created after this fix are not affected.
169
+
170
+
**Symptom:**`UPDATE_FAILED` on `AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation` with error `InvalidRequest: Cannot create association — one already exists for this VPC`.
171
+
172
+
**Root cause:** The `ResolverQueryLoggingConfig` resource is *create-only* in CloudFormation — any property change (including Tags) triggers a full replacement. Pre-fix stacks have `github:sha` and other tags on this resource. Although the new code excludes it from future tag applications, CloudFormation still attempts to *remove* the now-excluded tags from the existing resource during the update, triggering the replacement cascade:
173
+
174
+
1. Config is replaced → new physical resource ID
175
+
2. Association detects `ResolverQueryLogConfigId` changed → triggers its own replacement
176
+
3. CloudFormation attempts Create-before-Delete on the association → Route53 Resolver rejects (one association per VPC) → `InvalidRequest`
3. Run `mise //cdk:deploy` — CloudFormation recreates both the config and association without the orphan tags. The pre-existing `ResolverQueryLoggingConfig` is replaced as part of the same update, so an explicit `delete-resolver-query-log-config` is not required.
Copy file name to clipboardExpand all lines: docs/src/content/docs/getting-started/Deployment-guide.md
+61Lines changed: 61 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -165,6 +165,67 @@ Triggers via `workflow_run` when `build.yml` completes successfully. The pipelin
165
165
-**Allowlist compute types**: Edit `ALLOWED_COMPUTE_TYPES` in `deploy.yml`.
166
166
-**Deploy via PR label**: Add the `deploy:<type>` label to a PR (e.g., `deploy:agentcore`).
167
167
168
+
## Known deployment issues
169
+
170
+
### DNS Query Log Config replacement cascade (upgrading from pre-v0.5)
171
+
172
+
**Affects:** Stacks deployed *before* the tag-exclusion fix ([#222](https://github.com/aws-samples/sample-autonomous-cloud-coding-agents/pull/222)). Stacks created after this fix are not affected.
173
+
174
+
**Symptom:**`UPDATE_FAILED` on `AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation` with error `InvalidRequest: Cannot create association — one already exists for this VPC`.
175
+
176
+
**Root cause:** The `ResolverQueryLoggingConfig` resource is *create-only* in CloudFormation — any property change (including Tags) triggers a full replacement. Pre-fix stacks have `github:sha` and other tags on this resource. Although the new code excludes it from future tag applications, CloudFormation still attempts to *remove* the now-excluded tags from the existing resource during the update, triggering the replacement cascade:
177
+
178
+
1. Config is replaced → new physical resource ID
179
+
2. Association detects `ResolverQueryLogConfigId` changed → triggers its own replacement
180
+
3. CloudFormation attempts Create-before-Delete on the association → Route53 Resolver rejects (one association per VPC) → `InvalidRequest`
3. Run `mise //cdk:deploy` — CloudFormation recreates both the config and association without the orphan tags. The pre-existing `ResolverQueryLoggingConfig` is replaced as part of the same update, so an explicit `delete-resolver-query-log-config` is not required.
0 commit comments