feat: Add configurable ddb delete protection (#633)

Co-authored-by: Maryam Khidir <mkhidir@amazon.de>

Author: maryamkhidir

cli/magic-config.ts

@@ -154,6 +154,7 @@ const embeddingModels: ModelConfig[] = [
       options.prefix = config.prefix;
       options.createCMKs = config.createCMKs;
       options.retainOnDelete = config.retainOnDelete;
+      options.ddbDeletionProtection = config.ddbDeletionProtection;
       options.vpcId = config.vpc?.vpcId;
       options.bedrockEnable = config.bedrock?.enabled;
       options.bedrockRegion = config.bedrock?.region;
@@ -321,6 +322,14 @@ async function processCreateOptions(options: any): Promise<void> {
       initial: options.retainOnDelete ?? true,
       hint: "It reduces the risk of deleting data. It will however not delete all the resources on cleanup (would require manual removal if relevant)",
     },
+    {
+      type: "confirm",
+      name: "ddbDeletionProtection",
+      message:
+        "Do you want to enable delete protection for your DynamoDB tables?",
+      initial: options.ddbDeletionProtection ?? false,
+      hint: "It reduces the risk of accidental deleting your DDB tables. It will however not delete your DDB tables on cleanup.",
+    },
     {
       type: "confirm",
       name: "bedrockEnable",
@@ -1200,6 +1209,7 @@ async function processCreateOptions(options: any): Promise<void> {
     prefix: answers.prefix,
     createCMKs: answers.createCMKs,
     retainOnDelete: answers.retainOnDelete,
+    ddbDeletionProtection: answers.ddbDeletionProtection,
     vpc: answers.existingVpc
       ? {
           vpcId: answers.vpcId.toLowerCase(),

lib/chatbot-api/application-dynamodb-tables/index.ts

@@ -5,6 +5,7 @@ import * as kms from "aws-cdk-lib/aws-kms";
 
 export interface ApplicationDynamoDBTablesProps {
   readonly retainOnDelete?: boolean;
+  readonly deletionProtection?: boolean;
   readonly kmsKey?: kms.Key;
 }
 
@@ -33,6 +34,7 @@ export class ApplicationDynamoDBTables extends Construct {
           ? cdk.RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE
           : cdk.RemovalPolicy.DESTROY,
       pointInTimeRecovery: true,
+      deletionProtection: props.deletionProtection,
     });
 
     this.applicationTable = applicationTable;

lib/chatbot-api/chatbot-dynamodb-tables/index.ts

@@ -5,6 +5,7 @@ import * as kms from "aws-cdk-lib/aws-kms";
 
 export interface ChatBotDynamoDBTablesProps {
   readonly retainOnDelete?: boolean;
+  readonly deletionProtection?: boolean;
   readonly kmsKey?: kms.Key;
 }
 
@@ -34,6 +35,7 @@ export class ChatBotDynamoDBTables extends Construct {
           ? cdk.RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE
           : cdk.RemovalPolicy.DESTROY,
       pointInTimeRecovery: true,
+      deletionProtection: props.deletionProtection,
     });
 
     sessionsTable.addGlobalSecondaryIndex({

lib/chatbot-api/index.ts

@@ -49,6 +49,7 @@ export class ChatBotApi extends Construct {
     const chatTables = new ChatBotDynamoDBTables(this, "ChatDynamoDBTables", {
       kmsKey: props.shared.kmsKey,
       retainOnDelete: props.config.retainOnDelete,
+      deletionProtection: props.config.ddbDeletionProtection,
     });
     const chatBuckets = new ChatBotS3Buckets(this, "ChatBuckets", {
       kmsKey: props.shared.kmsKey,
@@ -60,6 +61,7 @@ export class ChatBotApi extends Construct {
       {
         kmsKey: props.shared.kmsKey,
         retainOnDelete: props.config.retainOnDelete,
+        deletionProtection: props.config.ddbDeletionProtection,
       }
     );
     const loggingRole = new iam.Role(this, "apiLoggingRole", {

lib/rag-engines/index.ts

@@ -41,6 +41,7 @@ export class RagEngines extends Construct {
     const tables = new RagDynamoDBTables(this, "RagDynamoDBTables", {
       kmsKey: props.shared.kmsKey,
       retainOnDelete: props.config.retainOnDelete,
+      deletionProtection: props.config.ddbDeletionProtection,
     });
 
     let sageMakerRagModels: SageMakerRagModels | null = null;

lib/rag-engines/rag-dynamodb-tables/index.ts

@@ -5,6 +5,7 @@ import { Construct } from "constructs";
 
 export interface RagDynamoDBTablesProps {
   readonly retainOnDelete?: boolean;
+  readonly deletionProtection?: boolean;
   readonly kmsKey?: kms.Key;
 }
 
@@ -39,6 +40,7 @@ export class RagDynamoDBTables extends Construct {
         props.retainOnDelete === true
           ? cdk.RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE
           : cdk.RemovalPolicy.DESTROY,
+      deletionProtection: props.deletionProtection,
     });
 
     workspacesTable.addGlobalSecondaryIndex({
@@ -72,6 +74,7 @@ export class RagDynamoDBTables extends Construct {
         props.retainOnDelete === true
           ? cdk.RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE
           : cdk.RemovalPolicy.DESTROY,
+      deletionProtection: props.deletionProtection,
     });
 
     documentsTable.addGlobalSecondaryIndex({

lib/shared/index.ts

@@ -194,10 +194,9 @@ export class Shared extends Construct {
         ) {
           if (props.config.bedrock?.region !== cdk.Stack.of(this).region) {
             throw new Error(
-              `Bedrock is only supported in the same region as the stack when using private website (Bedrock region: ${props
-                .config.bedrock?.region}, Stack region: ${
-                cdk.Stack.of(this).region
-              }).`
+              `Bedrock is only supported in the same region as the stack when using private website (Bedrock region: ${
+                props.config.bedrock?.region
+              }, Stack region: ${cdk.Stack.of(this).region}).`
             );
           }
 

lib/shared/types.ts

@@ -81,6 +81,7 @@ export interface SystemConfig {
   prefix: string;
   createCMKs?: boolean;
   retainOnDelete?: boolean;
+  ddbDeletionProtection?: boolean;
   vpc?: {
     vpcId?: string;
     createVpcEndpoints?: boolean;