Aws-cli: Using a Condition in the DeletionPolicy of a resource is deemed invalid.
I have a (previously) working stack template that includes the following conditional:
Conditions:
IsProduction: !Equals [ !Ref IsMaster, "true" ]
During production, I would like to retain AutoScalingGroups rather than delete them (on staging, I want them deleted). To achieve that I am attempting to use the following:
WebServerGroup:
Type: 'AWS::AutoScaling::AutoScalingGroup'
DeletionPolicy: !If [ 'IsProduction', 'Retain', 'Delete' ]
This will return the following error:
An error occurred (ValidationError) when calling the UpdateStack operation: Template format error: Every DeletionPolicy member must be a string.
This is the only DeletionPolicy setting I'm using within my stack and I am returning a string (from my conditional statement).
My expected behavior would be to be able to use a conditional statement that returns a string for my DeletionPolicy setting.
dambrogia
All 6 comments
This seems to be a known limitation in cloudformation, based on this forum post. Basically it only accepts a raw string, no references or functions. Their suggestion is to have two copies of the object and use the Condition to control which one you send.
JordonPhillips
on 3 Jan 2019
@JordonPhillips Not the answer I wanted, but an answer none the less. Thanks!
dambrogia
on 3 Jan 2019
So the drawback to the above is that you have to wholesale copy things over, which is annoying. What you could to to make that slightly less painful is use a yaml anchor to copy over the properties and just overwrite what you need, like so:
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
IsMaster:
Type: String
AllowedValues:
- 'true'
- 'false'
Conditions:
IsProduction: !Equals [ !Ref IsMaster, "true" ]
IsTest: !Equals [ !Ref IsMaster, "false" ]
Resources:
ProdExampleQueue: &queue-config
Type: AWS::SQS::Queue
Properties:
QueueName: !Join [ '', [ !Ref 'AWS::StackName', !If [IsProduction, "ProdQueue", "TestQueue"] ] ]
DeletionPolicy: 'Retain'
Condition: IsProduction
TestExampleQueue:
<<: *queue-config
DeletionPolicy: 'Delete'
Condition: IsTest
The catch is that cloudformation doesn't support anchors, so you would need to pre-process them away. We could probably update the package command to support doing that since it's not entirely trivial due to needing to support the special tags that cloudformation provides.
JordonPhillips
on 3 Jan 2019
I requested this on the CloudFormation roadmap: https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/162
jthomerson
on 6 Sep 2019
This has a high level of user experience, automation, cost and security implications. This was first raised in 2014 and we, as paying customers, still have no way to set DeletionPolicy dynamically.
mrowles
on 1 May 2020
Is there any update on this? This is a real important issue as mentioned above.
ohadbenita
on 4 Jun 2020
Related issues
matt-sexton
路
3Comments
alexejk
路
3Comments
braddr
路
3Comments
pawelkilian
路
3Comments
KimberleySDU
路
3Comments
Most helpful comment
This has a high level of user experience, automation, cost and security implications. This was first raised in 2014 and we, as paying customers, still have no way to set DeletionPolicy dynamically.