Background
PR #270 (closes #269) documented the UPDATE_FAILED on AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation that hits stacks deployed before #222 (tag-exclusion fix). The current guide offers two recovery options:
- Option A — manual disassociate + delete via the Route 53 Resolver console
- Option B — two-phase deploy (comment out DnsFirewall, deploy, uncomment, redeploy)
Gap
For users who can't / don't want to click through the Route 53 console, there's no scripted recovery path. The console flow also doesn't copy-paste cleanly into a runbook.
Proposal
Add a third option using the AWS CLI. Already validated on a real stuck stack:
# 1. Find the association for your VPC
aws route53resolver list-resolver-query-log-config-associations \
  --region us-east-1 \
  --query "ResolverQueryLogConfigAssociations[?ResourceId=='<vpc-id>']"

# 2. Disassociate
aws route53resolver disassociate-resolver-query-log-config \
  --resolver-query-log-config-id <rqlc-id> \
  --resource-id <vpc-id> \
  --region us-east-1

# 3. Redeploy — CFN recreates both resources without the orphan tags
mise //cdk:deploy
Reorder so the CLI flow is Option A (fastest, scriptable), keep the two-phase deploy as Option B, and move the console steps to Option C (for users without CLI access). Update both docs/guides/DEPLOYMENT_GUIDE.md and the Starlight mirror at docs/src/content/docs/getting-started/Deployment-guide.md.
Acceptance criteria
- list-resolver-query-log-config-associations lookup, the disassociate-resolver-query-log-config call, and the mise //cdk:deploy follow-up
- ResolverQueryLoggingConfig itself needs an explicit delete-resolver-query-log-config call, or whether CFN cleans it up on the next deploy
- mise //docs:sync run so the Starlight mirror matches
Related
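Steps 1 and 2 of the CLI flow proposed above, as a dry-run-by-default POSIX shell script. This is an added example, not part of the issue or the project's guide; the function names, the `DRY_RUN` variable and the VPC id format check are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue: steps 1-2 as a dry-run-by-default script.
# Assumed names: the function names and the DRY_RUN variable.
set -eu

valid_vpc_id() {  # VPC ids are "vpc-" plus 8 or 17 hex digits
  printf '%s\n' "$1" | grep -Eq '^vpc-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Step 1: print "<config-id> <status>" for each association on the VPC.
list_assocs() {  # $1 = vpc id, $2 = region
  aws route53resolver list-resolver-query-log-config-associations \
    --region "$2" --output text \
    --query "ResolverQueryLogConfigAssociations[?ResourceId=='$1'].[ResolverQueryLogConfigId,Status]"
}

recover() {  # $1 = vpc id, $2 = region; set DRY_RUN=0 to really disassociate
  # The id is interpolated into the JMESPath filter, so reject anything odd.
  valid_vpc_id "$1" || { echo "refusing malformed VPC id: $1" >&2; return 2; }
  assocs=$(list_assocs "$1" "$2") || return 1
  [ -n "$assocs" ] || { echo "no association on $1, nothing to do"; return 0; }
  # Every association on the VPC is listed; review the dry run before DRY_RUN=0.
  while read -r rqlc status; do
    if [ "${DRY_RUN:-1}" != 0 ]; then
      echo "would disassociate $rqlc ($status) from $1"
      continue
    fi
    # Step 2. DNS query logging for the VPC is off from here until the redeploy.
    aws route53resolver disassociate-resolver-query-log-config \
      --resolver-query-log-config-id "$rqlc" --resource-id "$1" \
      --region "$2" >/dev/null || return 1
    echo "disassociated $rqlc from $1"
  done <<EOF
$assocs
EOF
  [ "${DRY_RUN:-1}" = 0 ] || return 0
  # Wait for the association to disappear so the redeploy does not race it.
  tries=0
  while [ -n "$(list_assocs "$1" "$2")" ]; do
    tries=$((tries + 1))
    [ "$tries" -lt 30 ] || { echo "association still on $1" >&2; return 1; }
    sleep 5
  done
  echo "clear; step 3: mise //cdk:deploy"
}

# Run only when called with arguments: sh recover.sh <vpc-id> <region>
if [ "$#" -ge 2 ]; then recover "$1" "$2"; fi
```

Run it once without `DRY_RUN=0` and confirm the listed config belongs to the stuck stack before disassociating.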