CloudFormation: Block deleting resources


Derivative work of . Trying to make the CloudFormation template safe during changes.

Is there a way to actually block the deletion of the role and the table? Would adding a policy help?

Given the following template excerpt:

{
  ...

  "Parameters" : {
    "ShouldCreateTable" : {
      ...
      "Description" : "If true then the underlying DynamoDB table will be created with the CloudFormation stack."
    },  
    ...
  },

  "Conditions" : {
    "CreateDynamoTable" : {"Fn::Equals" : [{"Ref" : "ShouldCreateTable"}, "true"]},
    ...
  },

  "Resources" : {

    "Get" : {
      "Type" : "AWS::Serverless::Function",
      "Properties": {
        ...
        "Role": {"Fn::If" : ["CreateRole", {"Fn::GetAtt":["LambdaRole", "Arn"]}, {"Ref":"RoleARN"}]},
        "Environment" : {
          "Variables" : {
            "AppDynamoTable" : { "Fn::If" : ["CreateDynamoTable", {"Ref":"DynamoTable"}, { "Ref" : "TableName" } ] }
          }
        },
        ...
      }
    },

    "LambdaRole":{
        "Type":"AWS::IAM::Role",
        ...
    },

    "DynamoTable" : {
        "Type" : "AWS::DynamoDB::Table",
        ...
    }
  }
}

The solution might be to use the DeletionPolicy attribute. You can simply add "DeletionPolicy" : "Retain" to the resources whose deletion you want to "block".

AWS CloudFormation keeps the resource without deleting the resource or its contents when its stack is deleted. You can add this deletion policy to any resource type.

In your given example this would look like this:

"LambdaRole":{
  "Type":"AWS::IAM::Role",
  "DeletionPolicy" : "Retain",
  ...
},
"DynamoTable" : {
  "Type" : "AWS::DynamoDB::Table",
  "DeletionPolicy" : "Retain",
  ...
}
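As an added example (not part of the question or the answer above), here is a small Python lint in the spirit of the answer: it parses a CloudFormation template, reports IAM roles and DynamoDB tables that lack "DeletionPolicy": "Retain", and produces a patched copy with the attribute set. The sample template is a constructed, trimmed version of the one in the question, and the set of "protected" resource types is this example's own choice, not an AWS-defined list.

```python
import copy
import json

# Constructed sample template (trimmed from the question; the question's "..."
# sections are replaced with minimal placeholder properties for this example).
SAMPLE_TEMPLATE = {
    "Resources": {
        "Get": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "index.handler", "Runtime": "python3.12"},
        },
        "LambdaRole": {
            "Type": "AWS::IAM::Role",
            "DeletionPolicy": "Retain",
            "Properties": {"AssumeRolePolicyDocument": {}},
        },
        "DynamoTable": {
            # No DeletionPolicy: deleting the stack would drop the table and its data.
            "Type": "AWS::DynamoDB::Table",
            "Properties": {"BillingMode": "PAY_PER_REQUEST"},
        },
    }
}

# Resource types whose loss means data loss or a broken trust relationship.
# This list is an assumption of the example; extend it for your own stacks.
PROTECTED_TYPES = {"AWS::IAM::Role", "AWS::DynamoDB::Table"}


def find_unprotected(template: dict, protected_types=PROTECTED_TYPES) -> list:
    """Return the logical IDs of protected-type resources that do not carry
    "DeletionPolicy": "Retain", sorted for stable output."""
    unprotected = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in protected_types:
            continue
        if resource.get("DeletionPolicy") != "Retain":
            unprotected.append(logical_id)
    return sorted(unprotected)


def add_retain_policy(template: dict, protected_types=PROTECTED_TYPES) -> dict:
    """Return a deep copy of the template with "DeletionPolicy": "Retain" set on
    every protected-type resource; the input template is left untouched."""
    patched = copy.deepcopy(template)
    for resource in patched.get("Resources", {}).values():
        if resource.get("Type") in protected_types:
            resource["DeletionPolicy"] = "Retain"
    return patched


if __name__ == "__main__":
    print("unprotected:", find_unprotected(SAMPLE_TEMPLATE))
    fixed = add_retain_policy(SAMPLE_TEMPLATE)
    print("after patch:", find_unprotected(fixed))
    print(json.dumps(fixed, indent=2))
```

Run against a real template by loading it with `json.load` and passing the resulting dict to `find_unprotected`; a non-empty result is the list of resources that would be destroyed along with the stack. Note that Retain only governs what happens when the resource is removed from the stack or the stack itself is deleted; it does not stop CloudFormation from replacing the resource during an update, which is controlled by the separate UpdateReplacePolicy attribute.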