in packages/aws-rfdk/lib/lambdas/nodejs/x509-certificate/acm-handlers.ts [87:140]
/**
 * Deletes every ACM certificate recorded against `physicalId` and then
 * removes the matching bookkeeping rows from the resource table.
 *
 * For each recorded ARN the handler polls `DescribeCertificate` until the
 * certificate's `InUseBy` list is empty (a certificate attached to a load
 * balancer or similar cannot be deleted), backing off between polls. Once
 * the certificate is free it is deleted from ACM, and only then is the
 * table row removed.
 *
 * Security / operational notes:
 *  - This is deliberately fail-closed: any error from ACM (including
 *    `AccessDeniedException`) is rethrown, so the custom resource reports a
 *    failure and the table row is kept. A certificate is therefore never
 *    silently orphaned — an operator still has the ARN to clean up.
 *  - NOTE(review): the delete is not idempotent as written. If the
 *    certificate was already removed from ACM (e.g. a previous partial run
 *    deleted it but failed before removing the table row), `DescribeCertificate`
 *    will presumably throw (likely ResourceNotFoundException) before the
 *    `try` below is reached, and every subsequent Delete will fail the same
 *    way — confirm with the retry semantics of the custom-resource framework.
 *
 * @param physicalId Partition key of the rows to delete; assumed to be the
 *   custom resource's PhysicalResourceId.
 * @throws Error if a certificate is still in use after `maxAttempts` polls.
 * @throws Any error raised by the ACM or DynamoDB clients (rethrown as-is).
 */
public async doDelete(physicalId: string): Promise<void> {
  const table = await this.getResourceTable();
  // Presumably verifies this Lambda may read/write the table before we touch it.
  await this.databasePermissionsCheck(table);

  // Shape assumed from usage below: one entry per sort key, each carrying an ARN.
  const records = await table.query(physicalId);
  const maxAttempts = 10;

  for (const [sortKey, record] of Object.entries(records)) {
    const certificateArn: string = record.ARN;
    const backoff = new BackoffGenerator({
      base: 1000,
      jitterDivisor: 4,
      maxAttempts,
      maxIntervalMs: 30000,
    });

    // Poll until ACM reports the certificate as unattached, or we run out of attempts.
    let stillUsedBy: string[] = [];
    for (;;) {
      const { Certificate: cert } = await this.acmClient.send(new DescribeCertificateCommand({
        CertificateArn: certificateArn,
      }));
      // Non-null assertion kept: a response without `Certificate` is treated as a hard failure.
      stillUsedBy = cert!.InUseBy || [];
      if (stillUsedBy.length === 0) {
        break;
      }
      console.log(`Sleeping -- Resource ${certificateArn} in use by ${stillUsedBy.join(', ')}`);
      await backoff.backoff();
      if (!backoff.shouldContinue()) {
        break;
      }
    }

    if (stillUsedBy.length !== 0) {
      throw new Error(`Response from describeCertificate did not contain an empty InUseBy list after ${maxAttempts} attempts.`);
    }

    console.log(`Deleting resource for '${sortKey}'`);
    try {
      await this.acmClient.send(new DeleteCertificateCommand({ CertificateArn: certificateArn }));
    } catch (e) {
      // AccessDeniedException can happen if either:
      // a) We do not have the required permission to delete the Certificate (unlikely)
      // b) The Certificate has already been deleted (more likely)
      // Either way we surface it; the table row is intentionally left in place.
      if (e instanceof AccessDeniedException) {
        console.warn(`Could not delete Certificate ${certificateArn}. Please ensure it has been deleted.`);
      }
      throw e; // Rethrow so the custom resource handler will error-out.
    }

    // Only reached after ACM confirmed the deletion, so the bookkeeping row can go.
    await table.deleteItem({
      primaryKeyValue: physicalId,
      sortKeyValue: sortKey,
    });
  }
}