docs(deployment): document DNS Query Log Config replacement cascade upgrade path#270

Merged
scottschreckengaust merged 1 commit into
aws-samples:mainfrom
isadeks:docs/269-dns-replacement-cascade
Jun 5, 2026

@isadeks isadeks commented Jun 5, 2026

Contributor

Closes #269

Summary

  • Add a Known deployment issues section to docs/guides/DEPLOYMENT_GUIDE.md documenting the UPDATE_FAILED on AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation that hits stacks deployed before fix(cdk): exclude ResolverQueryLoggingConfig from resource tags #222 when they pick up the tag-exclusion fix on a subsequent deploy.
  • Two resolution paths covered: Option A (manual disassociate via Route 53 console — recommended) and Option B (two-phase deploy: comment-out DnsFirewall, deploy, uncomment, redeploy).
  • Starlight mirror regenerated via node docs/scripts/sync-starlight.mjs.

Docs only, no code changes.

Test plan

  • New ## Known deployment issues section sits between ### For administrators and ## Related docs
  • Both resolution options documented with concrete steps
  • Root cause (create-only resource + tag-removal-still-counts-as-property-change) clearly explained
  • docs/src/content/docs/getting-started/Deployment-guide.md regenerated alongside the source
  • No code touched

Add a 'Known deployment issues' section to DEPLOYMENT_GUIDE.md documenting
the UPDATE_FAILED that hits stacks deployed before aws-samples#222 (tag-exclusion fix)
when they pick up the fix on a subsequent deploy.

Both resolution paths covered:
- Option A (recommended): manual disassociate + delete via Route53 console
- Option B: comment-out DnsFirewall, deploy, uncomment, redeploy

Closes aws-samples#269
@isadeks isadeks requested a review from a team as a code owner June 5, 2026 18:31
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@bc94972). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #270   +/-   ##
=======================================
  Coverage        ?   86.09%           
=======================================
  Files           ?      167           
  Lines           ?    39535           
  Branches        ?     3512           
=======================================
  Hits            ?    34036           
  Misses          ?     5499           
  Partials        ?        0           

isadeks commented Jun 5, 2026

Contributor Author

Two open questions on this — happy to push a follow-up commit either way:

1. Section placement. The issue specifies adding a ## Known deployment issues section to DEPLOYMENT_GUIDE.md itself, which is what this PR does. My take: keep it here. Operators upgrading hit this while reading the deployment guide, the existing For administrators subsection already carries operational concerns, and a separate troubleshooting doc would split deploy-time symptoms from deploy-time setup. If the known-issues list grows past 2–3 entries we can lift it to its own page; one item doesn't justify the split today.

2. Add a third resolution option using the AWS CLI? The PR currently has Option A (Route 53 console) and Option B (two-phase deploy with DnsFirewall comment-out). I'd like to add a third using the CLI:

aws route53resolver list-resolver-query-log-config-associations \
  --region us-east-1 \
  --query "ResolverQueryLogConfigAssociations[?ResourceId=='<vpc-id>']"

aws route53resolver disassociate-resolver-query-log-config \
  --resolver-query-log-config-id <rqlc-id> --resource-id <vpc-id> --region us-east-1

mise //cdk:deploy

This is what I actually used to recover the dev stack last week. Proposed ordering: CLI as Option A (recommended — reproducible, paste-able, works for SSO-only / CI/CD operators), console as Option B (more discoverable for first-time operators), two-phase deploy as Option C (no-AWS-access fallback).

Let me know on either and I'll push the update.
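
The CLI recovery from the comment above as a script, added here as an example (not code from the PR or the project): it disassociates every query log config attached to the VPC, waits until the association is no longer listed, then redeploys, printing UTC timestamps so the period without DNS query logging on that VPC is on record. The function names, the polling step and its limits are assumptions; the `aws` and `mise` commands are the ones quoted in the comment.

```bash
#!/usr/bin/env bash
# Added example, not from the PR. Function names and polling limits are assumptions.

# Print "association-id config-id status" rows for one VPC ($1) in region ($2).
list_assocs() {
  aws route53resolver list-resolver-query-log-config-associations \
    --region "$2" --output text \
    --query "ResolverQueryLogConfigAssociations[?ResourceId=='$1'].[Id,ResolverQueryLogConfigId,Status]"
}

# Disassociate every config still attached to the VPC; print each config id handled.
disassociate_all() {
  list_assocs "$1" "$2" | while read -r assoc_id config_id status; do
    [ -n "$config_id" ] || continue              # skip blank output rows
    [ "$status" = "DELETING" ] && continue       # removal already in progress
    aws route53resolver disassociate-resolver-query-log-config \
      --resolver-query-log-config-id "$config_id" --resource-id "$1" \
      --region "$2" >/dev/null
    echo "$config_id"
  done
}

# Poll until no association is listed: $3 = max polls, $4 = seconds between polls.
wait_until_gone() {
  polls=0
  while [ "$polls" -lt "$3" ]; do
    [ -z "$(list_assocs "$1" "$2")" ] && return 0
    sleep "$4"
    polls=$((polls + 1))
  done
  return 1
}

main() {
  vpc=$1
  region=${2:-us-east-1}
  echo "DNS query logging detached from $vpc at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
  disassociate_all "$vpc" "$region"
  wait_until_gone "$vpc" "$region" 30 10 || { echo "association still present" >&2; return 1; }
  mise //cdk:deploy || return 1
  echo "redeploy finished at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Usage: ./recover.sh <vpc-id> [region]
if [ "$#" -ge 1 ]; then main "$@"; fi
```
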

@scottschreckengaust scottschreckengaust left a comment

Contributor

LGTM

@scottschreckengaust scottschreckengaust added this pull request to the merge queue Jun 5, 2026
Merged via the queue into aws-samples:main with commit 1ec9edd Jun 5, 2026
2 checks passed
@scottschreckengaust

Contributor

> 2. Add a third resolution option using the AWS CLI? The PR currently has Option A (Route 53 console) and Option B (two-phase deploy with DnsFirewall comment-out). I'd like to add a third using the CLI:
>
> aws route53resolver list-resolver-query-log-config-associations \
>   --region us-east-1 \
>   --query "ResolverQueryLogConfigAssociations[?ResourceId=='<vpc-id>']"
>
> aws route53resolver disassociate-resolver-query-log-config \
>   --resolver-query-log-config-id <rqlc-id> --resource-id <vpc-id> --region us-east-1
>
> mise //cdk:deploy
>
> This is what I actually used to recover the dev stack last week. Proposed ordering: CLI as Option A (recommended — reproducible, paste-able, works for SSO-only / CI/CD operators), console as Option B (more discoverable for first-time operators), two-phase deploy as Option C (no-AWS-access fallback).
>
> Let me know on either and I'll push the update.

I like adding the CLI version - post a fast followup referencing the closed item #269
