We have bastion hosts managed via the CDK. A pen test required they have DisableApiTermination=true set on them, and we do that via a cloud formation override as so:
var cfnBastion = (CfnInstance) bastion.getNode().getDefaultChild().getNode().getDefaultChild();
cfnBastion.addPropertyOverride("DisableApiTermination", true);```
However, now whenever Amazon update the kernel version cloudformation decides to add a new bastion and delete the old one - which fails because of the api termination protection!
Is there a hook to allow the CDK specifically to allow api termination?