From bf07e6af403fdaeaacf8e1a417f58f25b11e4aea Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
Date: Fri, 29 May 2026 22:39:10 +0000
Subject: [PATCH 1/2] fix(cdk): exclude ResolverQueryLoggingConfig from resource tags (#221)

CfnResolverQueryLoggingConfig treats tag changes as requiring replacement, cascading to the per-VPC association which fails due to the one-association-per-VPC uniqueness constraint.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 cdk/src/main.ts | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/cdk/src/main.ts b/cdk/src/main.ts
index bf1c1a45..808fc75e 100644
--- a/cdk/src/main.ts
+++ b/cdk/src/main.ts
@@ -43,7 +43,14 @@ const stack = new AgentStack(
 );
 const computeType = app.node.tryGetContext('compute_type') ?? 'agentcore';
-Tags.of(stack).add('compute_type', computeType);
+
+// CfnResolverQueryLoggingConfig treats ALL property changes (including tags) as
+// requiring replacement. Replacement cascades to the per-VPC association, which
+// fails because Route53 Resolver enforces a one-association-per-VPC constraint
+// and CF's Create-before-Delete ordering can't satisfy it.
+const excludeResourceTypes = ['AWS::Route53Resolver::ResolverQueryLoggingConfig'];
+
+Tags.of(stack).add('compute_type', computeType, { excludeResourceTypes });
 const githubTagKeys = [
 'sha',
@@ -63,7 +70,7 @@ const githubTagKeys = [
 for (const key of githubTagKeys) {
 const value = app.node.tryGetContext(`github:${key}`);
- Tags.of(stack).add(`github:${key}`, value || 'none');
+ Tags.of(stack).add(`github:${key}`, value || 'none', { excludeResourceTypes });
 }
 app.synth();
From 7ce5cf960cc85863eae1e6582c06351d5792f972 Mon Sep 17 00:00:00 2001
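Review bot: The exclusion in `excludeResourceTypes` only protects the two `Tags.of(stack).add(...)` calls touched here (the `compute_type` tag in the first hunk and the `github:*` loop in the second); a tag applied to the stack or a child construct anywhere else would still reach the query logging config and, by the comment's own reasoning, force the same replacement. The rest of main.ts and AgentStack is outside this patch, so that may already be handled, but a synth-time assertion that the `AWS::Route53Resolver::ResolverQueryLoggingConfig` resource carries no `Tags` property would keep it from regressing. The comment should also record the trade-off, for example `// Intentionally untagged: tag-based IAM conditions, compliance rules and cost reports will not see this resource.`, since DNS query logging is usually an audit control.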
From: bgagent <345885+scottschreckengaust@users.noreply.github.com>
Date: Mon, 1 Jun 2026 20:51:27 +0000
Subject: [PATCH 2/2] fix(cdk): also exclude ResolverQueryLoggingConfigAssociation from tags

The Association depends on the Config's physical ID. Even though PR #221 excluded the Config from tagging (preventing its replacement), the Association's CloudFormation state still references a stale Config ID from a prior failed replacement. Adding it to excludeResourceTypes prevents any future tag-induced update attempt on either resource. Part of #221, parent issue #229.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 cdk/src/main.ts | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/cdk/src/main.ts b/cdk/src/main.ts
index 808fc75e..724f8696 100644
--- a/cdk/src/main.ts
+++ b/cdk/src/main.ts
@@ -44,11 +44,14 @@ const stack = new AgentStack(
 const computeType = app.node.tryGetContext('compute_type') ?? 'agentcore';
-// CfnResolverQueryLoggingConfig treats ALL property changes (including tags) as
-// requiring replacement. Replacement cascades to the per-VPC association, which
-// fails because Route53 Resolver enforces a one-association-per-VPC constraint
-// and CF's Create-before-Delete ordering can't satisfy it.
-const excludeResourceTypes = ['AWS::Route53Resolver::ResolverQueryLoggingConfig'];
+// Route53 Resolver resources where tag changes trigger replacement cascades.
+// Config: treats ANY property change (including tags) as requiring replacement.
+// Association: depends on Config's physical ID; if Config is replaced, the
+// Association update fails on the one-association-per-VPC constraint.
+const excludeResourceTypes = [
+ 'AWS::Route53Resolver::ResolverQueryLoggingConfig',
+ 'AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation',
+];
 Tags.of(stack).add('compute_type', computeType, { excludeResourceTypes });
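Review bot: The new comment block explains why replacing the Config breaks the Association, but not what excluding `AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation` from tagging changes on its own. CDK's tag aspect only touches resource types that expose a tags property, so if the Association has none in the CDK version in use this entry is a no-op; comparing `cdk synth` output before and after would confirm it. The commit message also mentions a stale Config ID in the Association's CloudFormation state, which a tag exclusion would not repair, so if that still needs manual remediation a line such as `// Does not fix existing drift; see #229.` would stop readers assuming it does.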