Using a Condition in the DeletionPolicy of a resource is deemed invalid.

[dambrogia]

I have a (previously) working stack template that includes the following conditional:

Conditions:
  IsProduction: !Equals [ !Ref IsMaster, "true" ]

During production, I would like to retain AutoScalingGroups rather than delete them (on staging, I want them deleted). To achieve that I am attempting to use the following:

WebServerGroup:
  Type: 'AWS::AutoScaling::AutoScalingGroup'
  DeletionPolicy: !If [ 'IsProduction', 'Retain', 'Delete' ]

This will return the following error:

An error occurred (ValidationError) when calling the UpdateStack operation: Template format error: Every DeletionPolicy member must be a string.

This is the only DeletionPolicy setting I'm using within my stack and I am returning a string (from my conditional statement).

My expected behavior would be to be able to use a conditional statement that returns a string for my DeletionPolicy setting.

[JordonPhillips]

This seems to be a known limitation in cloudformation, based on this forum post. Basically it only accepts a raw string, no references or functions. Their suggestion is to have two copies of the object and use the Condition to control which one you send.

[dambrogia]

@JordonPhillips Not the answer I wanted, but an answer none the less. Thanks!

[JordonPhillips]

So the drawback to the above is that you have to wholesale copy things over, which is annoying. What you could to to make that slightly less painful is use a yaml anchor to copy over the properties and just overwrite what you need, like so:

AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  IsMaster:
    Type: String
    AllowedValues:
      - 'true'
      - 'false'
Conditions:
  IsProduction: !Equals [ !Ref IsMaster, "true" ]
  IsTest: !Equals [ !Ref IsMaster, "false" ]
Resources:
  ProdExampleQueue: &queue-config
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Join [ '', [ !Ref 'AWS::StackName', !If [IsProduction, "ProdQueue", "TestQueue"] ] ]
    DeletionPolicy: 'Retain'
    Condition: IsProduction
  TestExampleQueue:
    <<: *queue-config
    DeletionPolicy: 'Delete'
    Condition: IsTest

The catch is that cloudformation doesn't support anchors, so you would need to pre-process them away. We could probably update the package command to support doing that since it's not entirely trivial due to needing to support the special tags that cloudformation provides.

[jthomerson]

I requested this on the CloudFormation roadmap: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/162

[mrowles]

This has a high level of user experience, automation, cost and security implications. This was first raised in 2014 and we, as paying customers, still have no way to set DeletionPolicy dynamically.

[ohadbenita]

Is there any update on this? This is a real important issue as mentioned above.

[MalikAtalla-AWS]

Hi all, the CloudFormation Team is prioritizing this issue. We have recently published a github repo dedicated to collecting feedback on the CloudFormation template language. It includes an RFC which proposes to support certain intrinsic functions and pseudo parameters in DeletionPolicies and UpdateReplacePolicies. You're welcome to add feedback here:

RFC: https://github.com/aws-cloudformation/cfn-language-discussion/pull/21/files
Tracking Issue: aws-cloudformation/cfn-language-discussion#11
Customer-created issue: aws-cloudformation/cfn-language-discussion#58

[mrowles]

@MalikAtalla-AWS Thanks for the response and, although it was 3 years later on GH and 8 years later in total, I do appreciate that things change, people move, priorities shift etc. In particular with this one, it is sounding like it was out of your hands for the most part and possibly pained you as much as it does us (from a security POV).

However, I don't think closing it HERE is okay. I think leaving by leaving it open here, we as customers can hold the teams accountable. I don't mean this in a mean spirited way, rather, I just want to help ensure that we get this over the line. I fear that it's been forgotten about too many times for far too long.

[MalikAtalla-AWS]

Hey @mrowles, I can understand your frustration. I'm a CFN user myself and would love to be able use this feature in my own infrastructure.

I suspect the issue was closed here because it was tracked in a more appropriate repo. This week we have moved it to the cfn-language-discussion repo which is the right place for it. We are aware that many customers are asking for this and are using upvotes (among other things) for prioritization. So, we invite you to comment or +1 any of the issues you see in that repo.

[MalikAtalla-AWS]

Hi all, really appreciate all the feedback and I'm happy to share that intrinsic functions such as Fn::If are supported now with the launch of AWS::LanguageExtensions transform. Please feel free to try it out and leave your feedback in the cfn-language-discussion repo.

[mrowles]

Thanks mate @MalikAtalla-AWS