From 640ce2df1ccf1d55a55cd13f57a5bf69b187bc6b Mon Sep 17 00:00:00 2001
From: akash1810
Date: Fri, 23 Jan 2026 11:59:37 +0000
Subject: [PATCH] feat(GuCertificate): Remove `DeletionPolicy` and `UpdateReplacePolicy`

Typically, the `DeletionPolicy` is set to support CloudFormation imports. The `AWS::CertificateManager::Certificate` resource does not yet support CFN imports. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html.
---
 .changeset/itchy-swans-jump.md | 10 ++++++++++
 .../acm/__snapshots__/certificate.test.ts.snap | 4 ----
 src/constructs/acm/certificate.ts | 2 --
 .../patterns/__snapshots__/ec2-app.test.ts.snap | 2 --
 src/patterns/__snapshots__/api-lambda.test.ts.snap | 2 --
 src/patterns/ec2-app/__snapshots__/base.test.ts.snap | 4 ----
 6 files changed, 10 insertions(+), 14 deletions(-)
 create mode 100644 .changeset/itchy-swans-jump.md
diff --git a/.changeset/itchy-swans-jump.md b/.changeset/itchy-swans-jump.md
new file mode 100644
index 0000000000..33bab8059e
--- /dev/null
+++ b/.changeset/itchy-swans-jump.md
@@ -0,0 +1,10 @@
+---
+"@guardian/cdk": minor
+---
+
+feat(GuCertificate): Remove `DeletionPolicy` and `UpdateReplacePolicy`
+
+Typically, the `DeletionPolicy` is set to support CloudFormation imports.
+The `AWS::CertificateManager::Certificate` resource does not yet support CFN imports.
+
+See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html.
diff --git a/src/constructs/acm/__snapshots__/certificate.test.ts.snap b/src/constructs/acm/__snapshots__/certificate.test.ts.snap
index 7d2bb97fb5..acbf94268f 100644
--- a/src/constructs/acm/__snapshots__/certificate.test.ts.snap
+++ b/src/constructs/acm/__snapshots__/certificate.test.ts.snap
@@ -11,7 +11,6 @@ exports[`The GuCertificate class should create a new certificate (which requires }, "Resources": { "CertificateTesting28FCAC6D": { - "DeletionPolicy": "Retain", "Properties": { "DomainName": "domain-name-for-your-application.example", "Tags": [
@@ -43,7 +42,6 @@ exports[`The GuCertificate class should create a new certificate (which requires "ValidationMethod": "DNS", }, "Type": "AWS::CertificateManager::Certificate", - "UpdateReplacePolicy": "Retain", }, }, }
@@ -60,7 +58,6 @@ exports[`The GuCertificate class should create a new certificate when hosted zon }, "Resources": { "CertificateTesting28FCAC6D": { - "DeletionPolicy": "Retain", "Properties": { "DomainName": "domain-name-for-your-application.example", "DomainValidationOptions": [
@@ -98,7 +95,6 @@ exports[`The GuCertificate class should create a new certificate when hosted zon "ValidationMethod": "DNS", }, "Type": "AWS::CertificateManager::Certificate", - "UpdateReplacePolicy": "Retain", }, }, }
diff --git a/src/constructs/acm/certificate.ts b/src/constructs/acm/certificate.ts
index 846ff9b3f6..88d360638f 100644
--- a/src/constructs/acm/certificate.ts
+++ b/src/constructs/acm/certificate.ts
@@ -1,4 +1,3 @@
-import { RemovalPolicy } from "aws-cdk-lib";
 import { Certificate, CertificateValidation } from "aws-cdk-lib/aws-certificatemanager";
 import type { CertificateProps } from "aws-cdk-lib/aws-certificatemanager/lib/certificate";
 import { HostedZone } from "aws-cdk-lib/aws-route53";
@@ -32,6 +31,5 @@ export class GuCertificate extends GuAppAwareConstruct(Certificate) {
 app,
 };
 super(scope, "Certificate", awsCertificateProps);
- this.applyRemovalPolicy(RemovalPolicy.RETAIN);
 }
 }
diff --git a/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap b/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap
index 0a90642955..9fa5f1bd42 100644
--- a/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap
+++ b/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap
@@ -207,7 +207,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = ` }, }, "CertificateTestguec2app86EE2D42": { - "DeletionPolicy": "Retain", "Properties": { "DomainName": "domain-name-for-your-application.example", "Tags": [
@@ -239,7 +238,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = ` "ValidationMethod": "DNS", }, "Type": "AWS::CertificateManager::Certificate", - "UpdateReplacePolicy": "Retain", }, "DescribeEC2PolicyFF5F9295": { "Properties": {
diff --git a/src/patterns/__snapshots__/api-lambda.test.ts.snap b/src/patterns/__snapshots__/api-lambda.test.ts.snap
index 8198a48cd7..04f3cce7e6 100644
--- a/src/patterns/__snapshots__/api-lambda.test.ts.snap
+++ b/src/patterns/__snapshots__/api-lambda.test.ts.snap
@@ -49,7 +49,6 @@ exports[`The GuApiLambda pattern should allow us to link a domain name to a Lamb }, "Resources": { "CertificateTesting28FCAC6D": { - "DeletionPolicy": "Retain", "Properties": { "DomainName": "code.theguardian.com", "DomainValidationOptions": [
@@ -87,7 +86,6 @@ exports[`The GuApiLambda pattern should allow us to link a domain name to a Lamb "ValidationMethod": "DNS", }, "Type": "AWS::CertificateManager::Certificate", - "UpdateReplacePolicy": "Retain", }, "DNS": { "Properties": {
diff --git a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
index a4f9f3ea1c..c51753da8c 100644
--- a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
+++ b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap
@@ -145,7 +145,6 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi "Type": "AWS::AutoScaling::AutoScalingGroup", }, "CertificateTestguec2app86EE2D42": { - "DeletionPolicy": "Retain", "Properties": { "DomainName": "domain-name-for-your-application.example", "Tags": [
@@ -177,7 +176,6 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi "ValidationMethod": "DNS", }, "Type": "AWS::CertificateManager::Certificate", - "UpdateReplacePolicy": "Retain", }, "DescribeEC2PolicyFF5F9295": { "Properties": {
@@ -1035,7 +1033,6 @@ exports[`the GuEC2App pattern should produce a functional EC2 app with minimal a "Type": "AWS::AutoScaling::AutoScalingGroup", }, "CertificateTestguec2app86EE2D42": { - "DeletionPolicy": "Retain", "Properties": { "DomainName": "domain-name-for-your-application.example", "Tags": [
@@ -1067,7 +1064,6 @@ exports[`the GuEC2App pattern should produce a functional EC2 app with minimal a "ValidationMethod": "DNS", }, "Type": "AWS::CertificateManager::Certificate", - "UpdateReplacePolicy": "Retain", }, "DescribeEC2PolicyFF5F9295": { "Properties": {