DisableApiTermination true setting is creating a new bastion during Kernel update but unable to delete the old bastion

We have bastion hosts managed via the CDK. A pen test required that they have DisableApiTermination=true set on them, and we do that via a CloudFormation override like so:

```java
// Walk from the BastionHostLinux construct down to its underlying CfnInstance
var cfnBastion = (CfnInstance) bastion.getNode().getDefaultChild().getNode().getDefaultChild();
cfnBastion.addPropertyOverride("DisableApiTermination", true);
```

However, now whenever Amazon updates the kernel version, CloudFormation decides to add a new bastion and delete the old one, which fails because of the API termination protection!

Is there a hook to allow the CDK specifically to allow API termination?

Also asked on AWS re:Post: How can I enable termination protection for an EC2 Instance managed by the CDK, and still allow the CDK to terminate it in order to replace it?

Seems like you have a few options

Disable termination protection and then terminate

Shut down the instance from within the os

Use an asg to manage instance termination/lifecycle


The DisableApiTermination attribute does not prevent Amazon EC2 Auto Scaling from terminating an instance.

The DisableApiTermination attribute does not prevent you from terminating an instance by initiating shutdown from the instance (using an operating system command for system shutdown) when the InstanceInitiatedShutdownBehavior attribute is set

I’m thinking that using an auto scaling group is the best option for a bastion, and then cdk just needs to deal with the autoscaling group configuration and the launch template

And it never needs to touch the instances themselves

But as a quick workaround you can just sequentially disable the termination protection and terminate it, but still spin up new instances with the termination protection enabled :man-shrugging:

Cool, thanks for the ideas