Reputation: 4887
A spinoff from this question. Trying to make a CloudFormation template safe during changes.
Is there a way to actually block the deletion of the role and table? Would adding a policy help?
Given the following template excerpt:
```json
{
  ...
  "Parameters" : {
    "ShouldCreateTable" : {
      ...
      "Description" : "If true then the underlying DynamoDB table will be created with the CloudFormation stack."
    },
    ...
  },
  "Conditions" : {
    "CreateDynamoTable" : {"Fn::Equals" : [{"Ref" : "ShouldCreateTable"}, "true"]},
    ...
  },
  "Resources" : {
    "Get" : {
      "Type" : "AWS::Serverless::Function",
      "Properties": {
        ...
        "Role": {"Fn::If" : ["CreateRole", {"Fn::GetAtt":["LambdaRole", "Arn"]}, {"Ref":"RoleARN"}]},
        "Environment" : {
          "Variables" : {
            "AppDynamoTable" : { "Fn::If" : ["CreateDynamoTable", {"Ref":"DynamoTable"}, { "Ref" : "TableName" } ] }
          }
        },
        ...
      }
    },
    "LambdaRole":{
      "Type":"AWS::IAM::Role",
      ...
    },
    "DynamoTable" : {
      "Type" : "AWS::DynamoDB::Table",
      ...
    }
  },
}
```
Upvotes: 2
Views: 1258
Reputation: 4482
The solution could be to use the DeletionPolicy attribute. You can easily add `"DeletionPolicy" : "Retain"` to your resources where you want to "block" the deletion.
AWS CloudFormation keeps the resource without deleting the resource or its contents when its stack is deleted. You can add this deletion policy to any resource type.
In your given example, this would look like this:
```json
"LambdaRole":{
  "Type":"AWS::IAM::Role",
  "DeletionPolicy" : "Retain",
  ...
},
"DynamoTable" : {
  "Type" : "AWS::DynamoDB::Table",
  "DeletionPolicy" : "Retain",
  ...
}
```
Upvotes: 2
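A small policy-as-code check for the pattern in the answer, added here as an example (it is not code from the question or the answer): it scans a template's `Resources` for the role and table types and reports any that do not carry `"DeletionPolicy" : "Retain"`, and can stamp the attribute on where it is missing. It also checks `UpdateReplacePolicy`, a separate CloudFormation resource attribute not mentioned in the answer, which governs what happens to the old physical resource when a stack update replaces it rather than deletes it; the protected type list and the sample template are constructed for this example.

```python
import json

# Resource types that must survive stack deletion (constructed list for this
# example; extend it to fit your own template).
PROTECTED_TYPES = {"AWS::IAM::Role", "AWS::DynamoDB::Table"}

# DeletionPolicy covers stack deletion and removal of the resource from the
# template; UpdateReplacePolicy covers the old resource when an update
# replaces it. Both are real CloudFormation resource attributes.
POLICY_ATTRS = ("DeletionPolicy", "UpdateReplacePolicy")


def find_unprotected(template: dict) -> dict:
    """Return {logical_id: [attributes not set to 'Retain']} for every
    resource of a protected type. An empty dict means the template passes."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in PROTECTED_TYPES:
            continue
        weak = [attr for attr in POLICY_ATTRS if res.get(attr) != "Retain"]
        if weak:
            findings[logical_id] = weak
    return findings


def harden(template: dict) -> dict:
    """Return a deep copy of the template with both attributes set to
    'Retain' on every protected resource; the input is left untouched."""
    hardened = json.loads(json.dumps(template))
    for res in hardened.get("Resources", {}).values():
        if res.get("Type") in PROTECTED_TYPES:
            for attr in POLICY_ATTRS:
                res[attr] = "Retain"
    return hardened


# Constructed sample mirroring the question's layout: the role is already
# protected, the table is not, the function needs no policy.
SAMPLE_TEMPLATE = {
    "Resources": {
        "Get": {"Type": "AWS::Serverless::Function", "Properties": {}},
        "LambdaRole": {"Type": "AWS::IAM::Role",
                       "DeletionPolicy": "Retain",
                       "UpdateReplacePolicy": "Retain"},
        "DynamoTable": {"Type": "AWS::DynamoDB::Table",
                        "DeletionPolicy": "Delete"},
    }
}

if __name__ == "__main__":
    print(json.dumps(find_unprotected(SAMPLE_TEMPLATE), indent=2))
    print(json.dumps(find_unprotected(harden(SAMPLE_TEMPLATE))))
```

Run it against the JSON of your own template (`json.load` the file and pass the dict) as a pre-deploy gate; a non-empty result means a resource would be dropped with the stack.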