Spun off from this question. I am trying to make a CloudFormation template safe while changes are made.
Is there a way to actually block deletion of the roles and tables? Would adding a policy help?
Given the following template excerpt:
{
...
"Parameters" : {
"ShouldCreateTable" : {
...
"Description" : "If true then the underlying DynamoDB table will be created with the CloudFormation stack."
},
...
},
"Conditions" : {
"CreateDynamoTable" : {"Fn::Equals" : [{"Ref" : "ShouldCreateTable"}, "true"]},
...
},
"Resources" : {
"Get" : {
"Type" : "AWS::Serverless::Function",
"Properties": {
...
"Role": {"Fn::If" : ["CreateRole", {"Fn::GetAtt":["LambdaRole", "Arn"]}, {"Ref":"RoleARN"}]},
"Environment" : {
"Variables" : {
"AppDynamoTable" : { "Fn::If" : ["CreateDynamoTable", {"Ref":"DynamoTable"}, { "Ref" : "TableName" } ] }
}
},
...
}
},
"LambdaRole":{
"Type":"AWS::IAM::Role",
...
},
"DynamoTable" : {
"Type" : "AWS::DynamoDB::Table",
...
}
},
}
Answer 0 (score: 2)
A solution could be to use the DeletionPolicy attribute. You can simply add "DeletionPolicy" : "Retain" to the resources you want to protect from deletion.
AWS CloudFormation keeps the resource without deleting the resource or its contents when the stack is deleted. You can add this deletion policy to any resource type.
In your given example this would look like this:
"LambdaRole":{
"Type":"AWS::IAM::Role",
"DeletionPolicy" : "Retain",
...
},
"DynamoTable" : {
"Type" : "AWS::DynamoDB::Table",
"DeletionPolicy" : "Retain",
...
}
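The answer above applies "DeletionPolicy" : "Retain" by hand to two resources. The following is an added example (not code from the question or the answer): a small pre-deploy check that scans a whole template for stateful resource types that still carry the default deletion behaviour and rewrites them, so the protection cannot be forgotten on the next resource somebody adds. It goes slightly beyond the answer in two ways that matter in practice: it also sets UpdateReplacePolicy, because Retain on DeletionPolicy alone does not cover the case where a property change forces CloudFormation to replace the resource (the old one would still be deleted), and the set of protected types is wider than the two in the question. The PROTECTED_TYPES list and the filled-in placeholder properties in the sample template are assumptions made so the example is valid JSON and runs offline; adapt both to your own environment. Note what Retain does not do: it leaves an orphaned table or role behind that must be cleaned up manually, and it does not stop someone with dynamodb:DeleteTable or iam:DeleteRole permission from deleting the resource directly. Those need an IAM deny and, for the stack itself, termination protection.

```python
"""Added example (not from the original question or answer): flag resources
in a CloudFormation template that would be destroyed on stack deletion,
resource removal or replacement, and rewrite them to be retained."""
import copy
import json

# Resource types treated as "must not be lost". This list is an assumption for
# the example; extend it to whatever your environment considers stateful.
PROTECTED_TYPES = {
    "AWS::DynamoDB::Table",
    "AWS::IAM::Role",
    "AWS::S3::Bucket",
    "AWS::RDS::DBInstance",
}

# Constructed sample modelled on the template excerpt in the question. The
# elided ("...") parts are filled with minimal placeholder properties so the
# document is valid JSON; they are assumptions, not the asker's real values.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Parameters": {
    "ShouldCreateTable": {"Type": "String", "Default": "true",
      "Description": "If true then the underlying DynamoDB table will be created with the CloudFormation stack."},
    "TableName": {"Type": "String", "Default": ""},
    "RoleARN": {"Type": "String", "Default": ""}
  },
  "Conditions": {
    "CreateDynamoTable": {"Fn::Equals": [{"Ref": "ShouldCreateTable"}, "true"]},
    "CreateRole": {"Fn::Equals": [{"Ref": "RoleARN"}, ""]}
  },
  "Resources": {
    "Get": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "index.handler",
        "Runtime": "python3.12",
        "CodeUri": "s3://placeholder-bucket/placeholder.zip",
        "Role": {"Fn::If": ["CreateRole", {"Fn::GetAtt": ["LambdaRole", "Arn"]}, {"Ref": "RoleARN"}]},
        "Environment": {"Variables": {
          "AppDynamoTable": {"Fn::If": ["CreateDynamoTable", {"Ref": "DynamoTable"}, {"Ref": "TableName"}]}}}
      }
    },
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "Condition": "CreateRole",
      "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}}
    },
    "DynamoTable": {
      "Type": "AWS::DynamoDB::Table",
      "Condition": "CreateDynamoTable",
      "DeletionPolicy": "Delete",
      "Properties": {"BillingMode": "PAY_PER_REQUEST",
        "AttributeDefinitions": [{"AttributeName": "id", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}]}
    }
  }
}
""")


def unprotected_resources(template, protected_types=PROTECTED_TYPES):
    """Return logical IDs of protected-type resources whose DeletionPolicy or
    UpdateReplacePolicy is missing or "Delete" (the default, which removes the
    resource and its data on stack deletion, removal from the template, or
    replacement during an update)."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in protected_types:
            continue
        deletion = resource.get("DeletionPolicy", "Delete")
        replace = resource.get("UpdateReplacePolicy", "Delete")
        if deletion == "Delete" or replace == "Delete":
            findings.append(logical_id)
    return findings


def apply_retain(template, protected_types=PROTECTED_TYPES):
    """Return a deep copy of the template with both policies set to Retain on
    every protected-type resource that the check flagged. Existing non-default
    values (e.g. "Snapshot" where a type supports it) are left alone."""
    fixed = copy.deepcopy(template)
    for logical_id in unprotected_resources(fixed, protected_types):
        resource = fixed["Resources"][logical_id]
        if resource.get("DeletionPolicy", "Delete") == "Delete":
            resource["DeletionPolicy"] = "Retain"
        if resource.get("UpdateReplacePolicy", "Delete") == "Delete":
            resource["UpdateReplacePolicy"] = "Retain"
    return fixed


if __name__ == "__main__":
    # Typical use in CI: fail the pipeline if anything is flagged, or emit the
    # fixed template for review.
    for rid in unprotected_resources(SAMPLE_TEMPLATE):
        print(f"unprotected: {rid} ({SAMPLE_TEMPLATE['Resources'][rid]['Type']})")
    print(json.dumps(apply_retain(SAMPLE_TEMPLATE), indent=2))
```

Run it against a template exported with `aws cloudformation get-template` or straight from the repository before `deploy`; a non-empty result from unprotected_resources is a reasonable reason to fail the pipeline rather than silently rewrite the file, since the author should see which resources gained Retain and plan the manual cleanup that Retain implies.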