0021. Environment-aware removal policies for CDK-managed resources

Status: Accepted Date: 2026-03-27 Context: CDK RemovalPolicy must balance destroy vs retain by environment and resource type without orphans or data loss.

Context

AWS CDK resources support a RemovalPolicy that determines whether resources are deleted or retained when a stack is destroyed or a resource is replaced.

A blanket policy (e.g. RETAIN for all production resources) can lead to:

Orphaned infrastructure
Increased operational overhead
Naming conflicts on redeploy

Conversely, using DESTROY universally risks irreversible data loss for stateful resources.

Decision

Adopt an environment-sensitive and resource-type-aware removal policy strategy:

1. Environment Rules

Non-production (dev/test):
- Default: DESTROY *
Production:
- Use RETAIN only for stateful resources
- Use DESTROY for stateless infrastructure

2. Resource Classification

Stateful (RETAIN in production):

Databases (RDS, DynamoDB)
Object storage (S3)
Identity systems (Cognito User Pools)
Persistent volumes (EFS)
Search/indexing (OpenSearch)
Encryption keys (KMS)

Stateless (DESTROY in production):

Compute (Lambda, ECS)
API layers (API Gateway, ALB)
IAM roles/policies
Eventing (EventBridge)
Networking components

3. Additional Safeguards

Enable CloudFormation termination protection on production stacks
Restrict deletion via IAM policies where appropriate

Consequences

Positive

Protects critical production data from accidental deletion
Keeps non-prod environments disposable and cost-efficient
Avoids unnecessary retention of reproducible infrastructure

Negative

Retained resources become orphaned if stacks are deleted
Manual cleanup or import may be required
Requires discipline in correctly classifying resources

Notes

Retention is a data protection mechanism, not a substitute for:

Backups
Disaster recovery
Access control

Stack deletion in production should be considered an exceptional operation.