DavidWells / serverless-workshop

⚡️ Open source serverless workshop. Ready to deploy serverless examples on AWS


Protect resources from deletion with `stackPolicy`

DavidWells opened this issue · comments

https://www.alexdebrie.com/posts/understanding-cloudformation-updates/

stackPolicy Example:

provider:
  name: aws
  runtime: nodejs8.10
  stage: ${opt:stage, 'dev'}
  region: us-west-2
  profile: fh
  # Stack policy: applies only during stack updates. Once a policy is attached,
  # anything not explicitly allowed is denied, so the Allow statement comes first.
  # An explicit Deny always wins over an Allow.
  stackPolicy:
    - Effect: Allow
      Principal: "*"
      Action: "Update:*"
      Resource: "*"
    # Deny replacement and deletion of stateful resource types during updates.
    # Note: this does not block deleting the whole stack (e.g. `sls remove`);
    # use DeletionPolicy: Retain and stack termination protection for that.
    - Effect: Deny
      Principal: "*"
      Action:
        - Update:Replace
        - Update:Delete
      Resource: "*"
      Condition:
        StringEquals:
          ResourceType:
            - AWS::Cognito::UserPool
            - AWS::Cognito::UserPoolGroup
            - AWS::Cognito::UserPoolClient
            - AWS::DynamoDB::Table
            - AWS::S3::Bucket

UpdateReplacePolicy example on the individual resource

resources:
  Resources:
    CognitoUserPoolMyApp:
      Type: AWS::Cognito::UserPool
      # policy important to not hose users https://www.alexdebrie.com/posts/understanding-cloudformation-updates/
      # UpdateReplacePolicy keeps the old pool when an update forces replacement;
      # removing the resource from the template is governed by DeletionPolicy instead.
      UpdateReplacePolicy: Retain
      Properties:
        UserPoolName: ${self:custom.poolName}
        # Set email as an alias
        UsernameAttributes:
          - email
        AutoVerifiedAttributes:
          - email
        # Disable serverside validation. Handling pw validation on client
        Policies:
          PasswordPolicy:
            MinimumLength: 8
            RequireLowercase: false
            RequireNumbers: false
            RequireSymbols: false
            RequireUppercase: false
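The two mechanisms above protect different things: the stack policy decides which update actions CloudFormation may perform on a resource, while `UpdateReplacePolicy` / `DeletionPolicy` decide what happens to the physical resource once an action goes ahead. The following is an added example (not code from this repository or from the linked post): a small Python evaluator that applies CloudFormation stack-policy semantics (default deny, explicit Deny beats Allow, `Update:*` wildcards, `Resource` matched as `LogicalResourceId/<id>`, `StringEquals`/`StringLike` conditions on `ResourceType`) to the policy from the issue, and then reports which stateful resources are still exposed because the policy allows an action and the resource itself defaults to `Delete`. The stack policy is the one from the issue; the template resources and their logical IDs are constructed for the example.

```python
"""Evaluate a CloudFormation stack policy against a template's resources.

Added example; not code from DavidWells/serverless-workshop. The stack policy
below is the one from the issue, the RESOURCES map is a constructed template.
"""
from fnmatch import fnmatchcase

# Stack policy from the issue, expressed as the JSON document CloudFormation stores.
STACK_POLICY = [
    {"Effect": "Allow", "Principal": "*", "Action": "Update:*", "Resource": "*"},
    {
        "Effect": "Deny", "Principal": "*",
        "Action": ["Update:Replace", "Update:Delete"], "Resource": "*",
        "Condition": {"StringEquals": {"ResourceType": [
            "AWS::Cognito::UserPool", "AWS::Cognito::UserPoolGroup",
            "AWS::Cognito::UserPoolClient", "AWS::DynamoDB::Table", "AWS::S3::Bucket",
        ]}},
    },
]
# Same policy without the Deny statement, used to show what the Deny buys you.
ALLOW_ALL_POLICY = STACK_POLICY[:1]

# Constructed template resources (hypothetical logical IDs).
RESOURCES = {
    "CognitoUserPoolMyApp": {"Type": "AWS::Cognito::UserPool", "UpdateReplacePolicy": "Retain"},
    "UsersTable": {"Type": "AWS::DynamoDB::Table"},
    "UploadsBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain"},
    "HelloLambdaFunction": {"Type": "AWS::Lambda::Function"},
}
STATEFUL_TYPES = {"AWS::Cognito::UserPool", "AWS::DynamoDB::Table", "AWS::S3::Bucket"}
ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    # Actions support a trailing wildcard, e.g. "Update:*".
    return any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))


def _resource_matches(stmt, logical_id):
    # Stack policies address resources as "LogicalResourceId/<id>"; "*" matches all,
    # and patterns like "LogicalResourceId/Prod*" are wildcards.
    target = f"LogicalResourceId/{logical_id}"
    return any(fnmatchcase(target, p) for p in _as_list(stmt.get("Resource", [])))


def _condition_matches(stmt, resource_type):
    # Only the ResourceType condition key exists for stack policies.
    for operator, keys in stmt.get("Condition", {}).items():
        types = _as_list(keys.get("ResourceType", []))
        if operator == "StringEquals":
            ok = resource_type in types
        elif operator == "StringLike":
            ok = any(fnmatchcase(resource_type, t) for t in types)
        else:
            raise ValueError(f"unsupported condition operator {operator!r}")
        if not ok:
            return False
    return True


def is_allowed(policy, logical_id, resource_type, action):
    """Stack-policy semantics: default deny; an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy:
        if not (_action_matches(stmt, action) and _resource_matches(stmt, logical_id)
                and _condition_matches(stmt, resource_type)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def protection_report(policy, resources):
    """Per resource: actions the stack policy blocks during an update."""
    return {lid: [a for a in ACTIONS if not is_allowed(policy, lid, res["Type"], a)]
            for lid, res in resources.items()}


def stateful_gaps(policy, resources, stateful_types):
    """Stateful resources the policy still lets CloudFormation replace or delete
    while the resource-level policy is the default Delete (assumed default here;
    a few types such as RDS clusters default differently)."""
    gaps = {}
    for lid, res in resources.items():
        if res["Type"] not in stateful_types:
            continue
        exposed = []
        if (is_allowed(policy, lid, res["Type"], "Update:Replace")
                and res.get("UpdateReplacePolicy", "Delete") == "Delete"):
            exposed.append("Update:Replace")
        if (is_allowed(policy, lid, res["Type"], "Update:Delete")
                and res.get("DeletionPolicy", "Delete") == "Delete"):
            exposed.append("Update:Delete")
        if exposed:
            gaps[lid] = exposed
    return gaps


if __name__ == "__main__":
    print("blocked by stack policy:", protection_report(STACK_POLICY, RESOURCES))
    print("gaps with Deny statement:", stateful_gaps(STACK_POLICY, RESOURCES, STATEFUL_TYPES))
    print("gaps with Allow only:", stateful_gaps(ALLOW_ALL_POLICY, RESOURCES, STATEFUL_TYPES))
```

With the issue's policy the three stateful resources report `Update:Replace` and `Update:Delete` as blocked and no gaps; with the Allow-only policy the user pool is still exposed to `Update:Delete` (it has `UpdateReplacePolicy: Retain` but no `DeletionPolicy`) and the bucket to `Update:Replace` (the reverse). Keep in mind the evaluator models update-time behaviour only: a stack policy has no say in a full stack deletion, so `DeletionPolicy: Retain` and termination protection remain the controls for that case.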