问题
A spinoff from this question. Trying to make a cloudformation template safe during changes.
Is there a way to actually block the deletion of the role and table? Would adding a policy help?
Given the following template excerpt:
{
...
"Parameters" : {
"ShouldCreateTable" : {
...
"Description" : "If true then the underlying DynamoDB table will be created with the CloudFormation stack."
},
...
},
"Conditions" : {
"CreateDynamoTable" : {"Fn::Equals" : [{"Ref" : "ShouldCreateTable"}, "true"]},
...
},
"Resources" : {
"Get" : {
"Type" : "AWS::Serverless::Function",
"Properties": {
...
"Role": {"Fn::If" : ["CreateRole", {"Fn::GetAtt":["LambdaRole", "Arn"]}, {"Ref":"RoleARN"}]},
"Environment" : {
"Variables" : {
"AppDynamoTable" : { "Fn::If" : ["CreateDynamoTable", {"Ref":"DynamoTable"}, { "Ref" : "TableName" } ] }
}
},
...
}
},
"LambdaRole":{
"Type":"AWS::IAM::Role",
...
},
"DynamoTable" : {
"Type" : "AWS::DynamoDB::Table",
...
}
},
}
回答1:
The solution could be to use DeletionPolicy Attribute. You can easily add "DeletionPolicy" : "Retain" to your resources where you want to "block" the deletion.
AWS CloudFormation keeps the resource without deleting the resource or its contents when its stack is deleted. You can add this deletion policy to any resource type.
This would look in your given example like this:
"LambdaRole":{
"Type":"AWS::IAM::Role",
"DeletionPolicy" : "Retain",
...
},
"DynamoTable" : {
"Type" : "AWS::DynamoDB::Table",
"DeletionPolicy" : "Retain",
...
}
来源:https://stackoverflow.com/questions/50322859/cloudformation-block-deleting-resources