AWS CloudFormation delete resources

I have the following CloudFormation template:

Parameters:
  SizeCondition1:
    Type: String
    Default: SizeCondition1
    Description: >-
      Enter the name of the size condition. Note names cannot be modified after
      creation and must be alphanumeric without spaces.
  SizeURI1:
    Type: String
    Default: '8192'
    Description: Enter the size limit of the URI.
  SizeQuery1:
    Type: String
    Default: '8192'
    Description: Enter the size limit of the query string.
Resources:
  WAFSizeCondition1:
    Type: 'AWS::WAF::SizeConstraintSet'
    Properties:
      Name: !Ref SizeCondition1
      SizeConstraints:
        - FieldToMatch:
            Type: QUERY_STRING
          ComparisonOperator: GT
          Size: !Ref SizeQuery1
          TextTransformation: NONE
        - FieldToMatch:
            Type: URI
          ComparisonOperator: GT
          Size: !Ref SizeURI1
          TextTransformation: NONE
  WafRule:
    Type: 'Custom::CustomResource'
    Properties:
      ServiceToken: !Join 
        - ''
        - - 'arn:aws:lambda:'
          - !Ref 'AWS::Region'
          - ':'
          - !Ref 'AWS::AccountId'
          - ':function:WafLambdaTest'
      Name: WAFRateTest1
      RateLimit: '2000'
      MetricName: WAFRateTest1
      Predicates:
        - DataId: !Ref WAFSizeCondition1
          Negated: false
          Type: SizeConstraint

When I trigger the DELETE event, I see the following:

Questions:

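  1. Why is WafRule deleted first, when it cannot be deleted before WAFSizeCondition1? How do I declare a dependency in the template so that WAFSizeCondition1 is deleted first?
  2. Why can't WAFSizeCondition1 be deleted? Which resource is it referencing? How do I handle resource deletion correctly here?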
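  1. CloudFormation will choose an order based on some internal logic. To influence its order, you can specify some form of dependency using the DependsOn attribute. For example:

WAFSizeCondition1:
  Type: 'AWS::WAF::SizeConstraintSet'
  DependsOn: WafRule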

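  2. There is a bug in your custom resource. You did not say how you wrote the function, and I suspect you are not taking the right steps to delete it. According to the waf.delete_web_acl docs: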

Permanently deletes a WebACL. You can't delete a WebACL if it still contains any Rules.

To delete a WebACL, perform the following steps:

1. Update the WebACL to remove Rules, if any. For more information, see UpdateWebACL.
2. Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a DeleteWebACL request.
3. Submit a DeleteWebACL request.
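
One way the custom resource's Delete branch could release WAFSizeCondition1 before CloudFormation tries to delete it, following the same update-then-delete pattern as the quoted docs. This is an added example, not code from the question or the answer. It assumes the Lambda manages a classic WAF rate-based rule through boto3 and uses the rule's RuleId as the PhysicalResourceId; `delete_rate_rule` is a hypothetical helper name.

```python
# Added example: Delete handling for the Lambda behind Custom::CustomResource.
# Assumptions (not from the page): the Lambda created a classic WAF rate-based
# rule with boto3 and returned its RuleId as the PhysicalResourceId.


def delete_rate_rule(waf, rule_id):
    """Detach every predicate from the rule, then delete the rule itself.

    `waf` is a classic WAF client, e.g. boto3.client("waf"). Returns the
    DataIds that were detached so the caller can log what was released.
    """
    try:
        rule = waf.get_rate_based_rule(RuleId=rule_id)["Rule"]
    except waf.exceptions.WAFNonexistentItemException:
        # Rule is already gone: treat as success so the stack delete proceeds.
        return []

    predicates = rule.get("MatchPredicates", [])
    if predicates:
        # A rule cannot be deleted while it still includes predicates, and a
        # SizeConstraintSet cannot be deleted while a rule still references it.
        waf.update_rate_based_rule(
            RuleId=rule_id,
            ChangeToken=waf.get_change_token()["ChangeToken"],
            Updates=[{"Action": "DELETE", "Predicate": p} for p in predicates],
            RateLimit=rule["RateLimit"],
        )

    # Every mutating call needs its own fresh change token.
    waf.delete_rate_based_rule(
        RuleId=rule_id,
        ChangeToken=waf.get_change_token()["ChangeToken"],
    )
    return [p["DataId"] for p in predicates]
```

Call it from the handler when `event["RequestType"] == "Delete"`, then send SUCCESS to `event["ResponseURL"]` as with any custom resource.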