Support Functions as DeletionPolicy/UpdateReplacePolicy Values #58
Comments
|
It would be nice if the |
PatMyron
changed the title
|
A workaround until proper support is having multiple duplicate resources with different policies and using Conditions to create only resources with correct policies |
PatMyron
changed the title
|
Yeah, @PatMyron, that works, but I'm sure you'd agree that "copy and paste your resources and hope you always remember to keep them in sync" is a pretty bad pattern. 😜 Glad you added "until this is properly supported" ... that gives me hope! |
|
That work around is really bad if you have an resources that have dependencies (DependsOn) on the resources. |
|
I think that a better work around is to use It does mean you have to have snippets for all possible values (and a separate set for |
|
@danieljamesscott due to |
|
The AWS::Include that @danieljamesscott mentioned is a better work around than having duplicate resources but as @PatMyron mentioned is not available in all regions. |
|
I've also just discovered that you can't use that work around for multiple policies ( If AWS would just let us parameterise the policies it would save all this craziness... :) |
|
@danieljamesscott duplicate resources should have different Logical IDs And agreed, temporary workarounds are not to say this isn't still a most important feature request :) |
|
@PatMyron I'll admit that I haven't tested it for 'real' (my editor and cfn-lint complained) but is this really valid CF? |
|
This has a high level of user experience, automation, cost and security implications. This was first raised in 2014 and we, as paying customers, still have no way to set DeletionPolicy dynamically. |
|
Has there been any feedback from AWS on this topic and at least a tentative target date for completion? |
I'm not sure if using 2 transforms like this is necessary or works, I'm doing something similar and combining both policies in one include like so: Resources:
Instance:
Type: 'AWS::RDS::DBInstance'
Fn::Transform:
Name: AWS::Include
Parameters:
Location: !Sub 's3://${S3SourceBucketName}/${CPVersion}/templates/customer/rds-instance-${StackType}-policy.yaml'
Properties:
Engine: MySQL
EngineVersion: '5.7'
...and then in the rds-instance-dev-policy.yaml: DeletionPolicy: Delete
UpdateReplacePolicy: Deleteand all seems to work fine. I am however getting an error with Also as an aside in that issue I linked there is the processed json template directly from the CF ui so you can see definitively that those directives are being included properly. |
|
@zetas Instance:
Type: AWS::RDS::DBInstance
Metadata:
cfn-lint:
config:
ignore_checks:
- E3001 |
|
@PatMyron omg you are amazing, thank you so much! That worked great. |
|
It would be important to fix this issue soon, since many customer projects required parametrize the deletion policies, and making "copies" with conditional is not an option when cfn template increases in size beyond the limit |
|
Kinda hacky workaround: specify 'Retain' for your DeletionPolicy, then use a custom resource to delete the resource(s) on stack deletion when desired. This avoids duplication and works without any transforms. E.g.: Table:
Type: AWS::DynamoDB::Table
DeletionPolicy: Retain
...
CleanupTableOnStackDelete:
Type: AWS::Serverless::Function
Condition: ShouldDeleteTableOnStackDelete
Properties:
InlineCode:
!Sub |
import json, boto3, logging, uuid
import cfnresponse
logger = logging.getLogger()
logger.setLevel(logging.INFO)
def lambda_handler(event, context):
logger.info("event: {}".format(event))
try:
tableName = event['ResourceProperties']['TableName']
logger.info("tableName: {}, event['RequestType']: {}".format(tableName,event['RequestType']))
if event['RequestType'] == 'Delete':
dynamodb = boto3.client('dynamodb')
dynamodb.delete_table(TableName=tableName)
sendResponseCfn(event, context, cfnresponse.SUCCESS)
except Exception as e:
logger.info("Exception: {}".format(e))
sendResponseCfn(event, context, cfnresponse.FAILED)
def sendResponseCfn(event, context, responseStatus):
responseData = {}
responseData['Data'] = {}
physicalResourceId = event.get('PhysicalResourceId', str(uuid.uuid4()))
cfnresponse.send(event, context, responseStatus, responseData, physicalResourceId)
Handler: "index.lambda_handler"
Runtime: python3.8
MemorySize: 128
Timeout: 60
Role: "arn:aws:iam::...:role/DeleteTestTableRole"
DoCleanupTableOnStackDelete:
Type: Custom::CleanupTableOnStackDelete
Condition: ShouldDeleteTableOnStackDelete
Properties:
ServiceToken: !GetAtt CleanupTableOnStackDelete.Arn
TableName: !Ref Table
DependsOn:
- Table
- CleanupTableOnStackDelete
|
|
@mariaines Your approach is very helpful 🥇 , but I feel this is very complex for future maintenance because the behavior depends on the other resource that is the lambda, and maybe this produces a little confuses between other developers 😬 but right now is a good option |
|
I have a hard time imagining how the back end code for cloudformation could have been written that makes this such a difficult feature (bug fix in my opinion) to implement. This is one of the oldest feature requests on the cloudformation coverage roadmap with one of the top number of thumbs up, yet there has been no response from AWS to even acknowledge that they are looking at it and give an idea of why it can't be implemented in any kind of reasonable time period. |
|
Please get this fixed, this causes a huge amount of wasted effort and time. |
|
Agreed, this has to be addressed ASAP by the AWS CloudFormation team... c'mon |
|
Still waiting on this.... |
|
Would love some sort of response from AWS/CloudFormation team! |
|
@jthomerson Thank you very much for your feedback! Since this repository is focused on resource coverage, I'm transferring this issue over to a new GitHub repository dedicated to CloudFormation template language issues. FYI, We have an RFC #74 proposed that allows intrinsic function in |
muneebar
added
feature request
|
Hi all, really appreciate all the feedback and I'm happy to share that intrinsic functions such as |
|
This functionality is now available, so we can close this issue. |
|
Hopefully this issue is just isolated to my environment. Let me know if anyone else experiences this problem with the new AWS::LanguageExtensions Transform. Potential Bug : When combining the transform with the
Produces the error:
This error occurs when creating the ChangeSet, indicating that the
Produces the error:
This error is referring to a role that previously deployed successfully, which appears to indicate that the If others can confirm that the Minimal Template Which Reproduces BugSorry for being lazy, here's a functional template which displays the issue: |
|
Hey @lukepafford , thank you for submitting this issue! The issue should be fixed now and please give it another try and let us know if you still have any questions. |
|
@lukepafford Note, you must put the |
|
If this is known for AWS transforms, does it make sense for CloudFormation to even accept a template with the transforms out of order? |
|
@benkehoe Thanks for the feedback. We've had internal discussions on how to help guide customers here. First step is documentation. We're also planning to add a rule to cfn-lint to check for this. We'll discuss the possibility of a server-side check. |
|
ooh, adding it to cfn-lint is a great idea! |
|
@jlhood @lejiati Thanks for the quick turnaround!
|
and others
Currently the
DeletionPolicyattribute for any resource can only be a string. This means we can't use functions like!If [ IsProduction, 'Retain', 'Delete' ].I'd expect to be able to use conditions and other CloudFormation functions as a value for a
DeletionPolicythe same as I can elsewhere in the template.Others who have asked the same thing:
The text was updated successfully, but these errors were encountered: