CloudFormation: preventing deletion of resources

Time: 2018-05-14 03:50:11

Tags: amazon-web-services amazon-cloudformation

Derived from this question. I am trying to make a CloudFormation template safe during changes.

Is there a way to actually prevent the role and the table from being deleted? Would adding a policy help?

Given the following template excerpt:

{
  ...

  "Parameters" : {
    "ShouldCreateTable" : {
      ...
      "Description" : "If true then the underlying DynamoDB table will be created with the CloudFormation stack."
    },  
    ...
  },

  "Conditions" : {
    "CreateDynamoTable" : {"Fn::Equals" : [{"Ref" : "ShouldCreateTable"}, "true"]},
    ...
  },

  "Resources" : {

    "Get" : {
      "Type" : "AWS::Serverless::Function",
      "Properties": {
        ...
        "Role": {"Fn::If" : ["CreateRole", {"Fn::GetAtt":["LambdaRole", "Arn"]}, {"Ref":"RoleARN"}]},
        "Environment" : {
          "Variables" : {
            "AppDynamoTable" : { "Fn::If" : ["CreateDynamoTable", {"Ref":"DynamoTable"}, { "Ref" : "TableName" } ] }
          }
        },
        ...
      }
    },

    "LambdaRole":{
        "Type":"AWS::IAM::Role",
         ...
    },

    "DynamoTable" : {
        "Type" : "AWS::DynamoDB::Table",
        ...
    }
  },

}

1 answer:

Answer 0 (score: 2)

A solution could be to use the DeletionPolicy attribute. You can simply add "DeletionPolicy" : "Retain" to the resources you want to protect from deletion.

AWS CloudFormation keeps the resource without deleting the resource or its contents when its stack is deleted. You can add this deletion policy to any resource type.

In your given example, that would look like this:

"LambdaRole":{
  "Type":"AWS::IAM::Role",
  "DeletionPolicy" : "Retain",
  ...
},
"DynamoTable" : {
  "Type" : "AWS::DynamoDB::Table",
  "DeletionPolicy" : "Retain",
  ...
}
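A small lint that checks a template for this is a practical follow-up to the answer above. It is an added example, not code from the question or the answer. The template it parses is a constructed fragment modelled on the one in the question (the "Get", "LambdaRole" and "DynamoTable" logical IDs, with placeholder properties); the set of resource types it treats as stateful is an assumption for illustration. It goes one step beyond the answer: besides DeletionPolicy, which governs stack deletion and removal of a resource from the template (for example when a Condition flips to false), it also checks UpdateReplacePolicy, which governs what happens to the old resource when an update forces a replacement. Without a Retain value on both, a replacement update can still destroy the table.

```python
"""Lint a CloudFormation JSON template for stateful resources that CloudFormation
would delete on stack deletion (DeletionPolicy) or on a replacement during an
update (UpdateReplacePolicy), and optionally patch Retain onto them.

Added example; not part of the original question or answer. The template text
is constructed for this example and modelled on the question's excerpt.
"""
import copy
import json

# Resource types whose loss is costly or security-relevant. This set is an
# assumption for the example; extend it to match your own estate.
STATEFUL_TYPES = {"AWS::DynamoDB::Table", "AWS::IAM::Role"}

# Values of DeletionPolicy / UpdateReplacePolicy that do not destroy the resource.
# ("Snapshot" is only accepted by some resource types; both are non-destructive.)
SAFE_VALUES = {"Retain", "Snapshot"}

# The two attributes that decide the fate of a resource leaving the stack.
POLICY_ATTRIBUTES = ("DeletionPolicy", "UpdateReplacePolicy")

# Constructed template: the role is fully protected, the table only has
# DeletionPolicy, so a replacement update would still delete it.
TEMPLATE_JSON = r'''
{
  "Resources": {
    "Get": {
      "Type": "AWS::Serverless::Function",
      "Properties": {"Handler": "index.handler", "Runtime": "python3.12", "CodeUri": "."}
    },
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "DeletionPolicy": "Retain",
      "UpdateReplacePolicy": "Retain",
      "Properties": {"AssumeRolePolicyDocument": {}}
    },
    "DynamoTable": {
      "Type": "AWS::DynamoDB::Table",
      "DeletionPolicy": "Retain",
      "Properties": {"KeySchema": [], "AttributeDefinitions": []}
    }
  }
}
'''


def load_template():
    """Parse the constructed template into a dict."""
    return json.loads(TEMPLATE_JSON)


def find_unprotected(template, stateful_types=STATEFUL_TYPES):
    """Return (logical_id, attribute) pairs for stateful resources where the
    given attribute is missing or set to a destructive value.

    Both attributes default to "Delete" when absent, so absence is a finding.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in stateful_types:
            continue
        for attr in POLICY_ATTRIBUTES:
            if resource.get(attr, "Delete") not in SAFE_VALUES:
                findings.append((logical_id, attr))
    return findings


def protect(template, stateful_types=STATEFUL_TYPES):
    """Return a deep copy of the template with "Retain" set on every missing or
    destructive DeletionPolicy / UpdateReplacePolicy of a stateful resource.
    Existing safe values (e.g. "Snapshot") are left untouched."""
    patched = copy.deepcopy(template)
    for logical_id, attr in find_unprotected(patched, stateful_types):
        patched["Resources"][logical_id][attr] = "Retain"
    return patched


if __name__ == "__main__":
    template = load_template()
    for logical_id, attr in find_unprotected(template):
        print(f"{logical_id}: {attr} would delete the resource")
    print(json.dumps(protect(template), indent=2))
```

Two caveats worth keeping in mind when relying on Retain: it only controls what CloudFormation does, so it does not stop someone with delete permissions from removing the table or role directly through the API, and a retained resource stays behind as an orphan outside the stack, where a later stack that tries to create a resource with the same physical name will fail until it is cleaned up or imported.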