Protect resources from deletion with `stackPolicy`
DavidWells opened this issue
https://www.alexdebrie.com/posts/understanding-cloudformation-updates/
`stackPolicy` example (set at the `provider` level so it is applied to the whole CloudFormation stack):

```yaml
provider:
  name: aws
  runtime: nodejs8.10
  stage: ${opt:stage, 'dev'}
  region: us-west-2
  profile: fh
  stackPolicy:
    # Allow every update action on every resource by default...
    - Effect: Allow
      Principal: "*"
      Action: "Update:*"
      Resource: "*"
    # ...but an explicit Deny wins over the Allow above: replacing or
    # deleting any of the stateful resource types listed below is refused
    # and the deploy fails instead of destroying data.
    - Effect: Deny
      Principal: "*"
      Action:
        - Update:Replace
        - Update:Delete
      Resource: "*"
      Condition:
        StringEquals:
          ResourceType:
            - AWS::Cognito::UserPool
            - AWS::Cognito::UserPoolGroup
            - AWS::Cognito::UserPoolClient
            - AWS::DynamoDB::Table
            - AWS::S3::Bucket
```
`UpdateReplacePolicy` example on the individual resource:

```yaml
resources:
  Resources:
    CognitoUserPoolMyApp:
      Type: AWS::Cognito::UserPool
      # policy important to not hose users https://www.alexdebrie.com/posts/understanding-cloudformation-updates/
      # Retain keeps the old pool (and its users) when an update would replace it;
      # DeletionPolicy is the separate attribute that governs stack deletion.
      UpdateReplacePolicy: Retain
      Properties:
        UserPoolName: ${self:custom.poolName}
        # Set email as an alias
        UsernameAttributes:
          - email
        AutoVerifiedAttributes:
          - email
        # Disable server-side validation. Handling password validation on client
        Policies:
          PasswordPolicy:
            MinimumLength: 8
            RequireLowercase: false
            RequireNumbers: false
            RequireSymbols: false
            RequireUppercase: false
```
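To see how the two statements above combine at deploy time, here is an added example (not Serverless Framework or AWS code, and not part of the original issue) that evaluates the stack policy from the issue the way CloudFormation does: an applicable Deny always wins, and once a stack policy is attached every resource is protected by default, so a change with no matching Allow is also refused. It models only the fields used above (`Effect`, `Action`, `Resource`, `Condition.StringEquals.ResourceType`); `NotAction`, `NotResource` and `StringLike` are not handled. The change set and logical IDs (`UsersTable`, `UploadsBucket`, `HelloLambdaFunction`) are constructed sample data.

```javascript
'use strict';

// The stack policy from the issue, in the JSON form CloudFormation stores it in.
const stackPolicy = {
  Statement: [
    { Effect: 'Allow', Principal: '*', Action: 'Update:*', Resource: '*' },
    {
      Effect: 'Deny',
      Principal: '*',
      Action: ['Update:Replace', 'Update:Delete'],
      Resource: '*',
      Condition: {
        StringEquals: {
          ResourceType: [
            'AWS::Cognito::UserPool',
            'AWS::Cognito::UserPoolGroup',
            'AWS::Cognito::UserPoolClient',
            'AWS::DynamoDB::Table',
            'AWS::S3::Bucket',
          ],
        },
      },
    },
  ],
};

const toArray = (v) => (Array.isArray(v) ? v : [v]);

// "*" is the only wildcard in stack-policy Action/Resource fields
// (e.g. "Update:*" or "LogicalResourceId/Prod*").
function matchesPattern(pattern, value) {
  const parts = pattern.split('*').map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(`^${parts.join('.*')}$`).test(value);
}

// A change is one planned operation on one resource: Update:Modify,
// Update:Replace or Update:Delete on a given logical ID and resource type.
// Stack-policy Resource entries name resources as "LogicalResourceId/<id>".
function statementApplies(stmt, change) {
  const actionOk = toArray(stmt.Action).some((a) => matchesPattern(a, change.action));
  const resourceOk = toArray(stmt.Resource).some((r) =>
    matchesPattern(r, `LogicalResourceId/${change.logicalId}`),
  );
  const types = stmt.Condition && stmt.Condition.StringEquals
    ? stmt.Condition.StringEquals.ResourceType
    : undefined;
  const typeOk = types === undefined || toArray(types).includes(change.resourceType);
  return actionOk && resourceOk && typeOk;
}

// IAM-style evaluation: an applicable Deny always wins; with no applicable
// Allow the change is denied, because an attached stack policy protects
// every resource by default.
function isAllowed(policy, change) {
  const applicable = policy.Statement.filter((s) => statementApplies(s, change));
  if (applicable.some((s) => s.Effect === 'Deny')) return false;
  return applicable.some((s) => s.Effect === 'Allow');
}

// The changes the policy would block, i.e. the ones that would make the
// stack update fail with "Action denied by stack policy".
function blockedChanges(policy, changes) {
  return changes.filter((c) => !isAllowed(policy, c));
}

// Constructed sample change set (hypothetical logical IDs), roughly what a
// deploy that renamed the user pool, edited a table, removed a bucket and
// replaced a Lambda function would produce.
const sampleChanges = [
  { logicalId: 'CognitoUserPoolMyApp', resourceType: 'AWS::Cognito::UserPool', action: 'Update:Replace' },
  { logicalId: 'UsersTable', resourceType: 'AWS::DynamoDB::Table', action: 'Update:Modify' },
  { logicalId: 'UploadsBucket', resourceType: 'AWS::S3::Bucket', action: 'Update:Delete' },
  { logicalId: 'HelloLambdaFunction', resourceType: 'AWS::Lambda::Function', action: 'Update:Replace' },
];

for (const c of blockedChanges(stackPolicy, sampleChanges)) {
  console.log(`blocked: ${c.action} on ${c.logicalId} (${c.resourceType})`);
}
```

Running it lists the user pool replacement and the bucket deletion as blocked, while the in-place table modification and the Lambda replacement pass, which is exactly the split the issue is after: routine updates keep working, and only destructive operations on the stateful types are refused.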