docs(deployment): add AWS CLI recovery path for DNS Query Log replacement cascade #272

Description

@isadeks

Background

PR #270 (closes #269) documented the UPDATE_FAILED on AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation that hits stacks deployed before #222 (tag-exclusion fix). The current guide offers two recovery options:

  • Option A — manual disassociate + delete via the Route 53 Resolver console
  • Option B — two-phase deploy (comment out DnsFirewall, deploy, uncomment, redeploy)

Gap

For users who can't / don't want to click through the Route 53 console, there's no scripted recovery path. The console flow also doesn't copy-paste cleanly into a runbook.

Proposal

Add a third option using the AWS CLI. Already validated on a real stuck stack:

# 1. Find the association for your VPC
aws route53resolver list-resolver-query-log-config-associations \
  --region us-east-1 \
  --query "ResolverQueryLogConfigAssociations[?ResourceId=='<vpc-id>']"

# 2. Disassociate
aws route53resolver disassociate-resolver-query-log-config \
  --resolver-query-log-config-id <rqlc-id> \
  --resource-id <vpc-id> \
  --region us-east-1

# 3. Redeploy — CFN recreates both resources without the orphan tags
mise //cdk:deploy

Reorder so the CLI flow is Option A (fastest, scriptable), keep the two-phase deploy as Option B, and move the console steps to Option C (for users without CLI access). Update both docs/guides/DEPLOYMENT_GUIDE.md and the Starlight mirror at docs/src/content/docs/getting-started/Deployment-guide.md.

Acceptance criteria

  • Three labeled recovery options in the "DNS Query Log Config replacement cascade" subsection (CLI, two-phase deploy, console)
  • CLI option includes the list-resolver-query-log-config-associations lookup, the disassociate-resolver-query-log-config call, and the mise //cdk:deploy follow-up
  • Note clarifying whether the orphaned ResolverQueryLoggingConfig itself needs an explicit delete-resolver-query-log-config call, or whether CFN cleans it up on the next deploy
  • mise //docs:sync run so the Starlight mirror matches
  • No code changes — docs only
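
Added example, not part of the issue or the project's docs: the lookup and disassociate steps above wrapped as one script that validates the VPC id before splicing it into the `--query` expression and waits for the association to disappear before the redeploy. The function names, the `AWS_REGION` override, and the polling loop (on the assumption that the association can remain listed briefly while it is being deleted) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not the project's code): CLI steps 1-2 as one guarded script.
# Function names and the AWS_REGION override are assumptions of this sketch.
REGION="${AWS_REGION:-us-east-1}"

# Reject anything that is not a VPC id before it is spliced into the JMESPath query.
valid_vpc_id() {
  case "$1" in *[!a-z0-9-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^vpc-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Step 1: print the query log config ids associated with the VPC, one per line.
list_rqlc_ids() {
  local out
  out="$(aws route53resolver list-resolver-query-log-config-associations \
    --region "$REGION" --output text \
    --query "ResolverQueryLogConfigAssociations[?ResourceId=='$1'].ResolverQueryLogConfigId")" \
    || return 1
  printf '%s\n' "$out" | tr '\t' '\n' | sed -e '/^$/d' -e '/^None$/d'
}

# Steps 1-2, then poll until the association is gone.
# Args: vpc-id [tries] [delay-seconds]
recover_vpc() {
  local vpc_id="$1" tries="${2:-30}" delay="${3:-5}" ids id
  valid_vpc_id "$vpc_id" || { echo "invalid VPC id: $vpc_id" >&2; return 2; }
  ids="$(list_rqlc_ids "$vpc_id")" || return 1
  if [ -z "$ids" ]; then echo "no association on $vpc_id" >&2; return 0; fi
  for id in $ids; do
    aws route53resolver disassociate-resolver-query-log-config \
      --resolver-query-log-config-id "$id" --resource-id "$vpc_id" \
      --region "$REGION" >/dev/null || return 1
  done
  while [ "$tries" -gt 0 ]; do
    ids="$(list_rqlc_ids "$vpc_id")" || return 1
    if [ -z "$ids" ]; then return 0; fi
    sleep "$delay"
    tries=$((tries - 1))
  done
  echo "association still listed for $vpc_id" >&2
  return 3
}

# Step 3 stays manual: redeploy only after a clean disassociation.
if [ "$#" -gt 0 ]; then
  recover_vpc "$@" && echo "disassociated; now run: mise //cdk:deploy"
fi
```

Exit status 2 means the VPC id was rejected and 3 means the association was still listed when polling gave up; in either case the redeploy should wait.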

Labels: approved, documentation, enhancement
