Serverless-application-model: Feature Request: support DeletionPolicy

Created on 30 May 2018 · 4 Comments · Source: aws/serverless-application-model

This is a feature request to cover the implementation of support for using DeletionPolicy statements on AWS SAM resources. The result of specifying a DeletionPolicy attribute on a SAM resource should be the resulting CloudFormation resources also having that attribute.


All 4 comments

Thanks for the request. We'll look into it.

As per https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-resource-attributes.html, only the 'DependsOn' resource attribute is supported across the board, and DeletionPolicy is only supported for LayerVersion.

It would be very useful to support it for DynamoDB tables (aka AWS::Serverless::SimpleTable), as we do not want to delete a database table for some sensitive environments.

thanks

UpdateReplacePolicy and Metadata as well


Without full support for DeletionPolicy and UpdateReplacePolicy, AWS::Serverless resources cannot be easily protected

Without support for Metadata, resource-level cfn-lint / cfn-nag ignores can't work, and these deployment-safety CloudFormation Linter rules are forced to be ignored for entire templates, endangering other resource types as well:

https://github.com/aws-cloudformation/cfn-python-lint/issues/1265


More thoughts on Metadata support here

I'm not sure if this is the same issue, but it looks like UpdateReplacePolicy is actually removed from an S3 bucket in the transformed output:

Original template:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:

  Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain

  Function:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs12.x
      Events:
        ObjectCreated:
          Type: S3
          Properties:
            Bucket: !Ref Bucket
            Events: s3:ObjectCreated:*

Transformed template (just the bucket portion):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Bucket:
    DeletionPolicy: Retain
    DependsOn:
    - FunctionObjectCreatedPermission
    Properties:
      NotificationConfiguration:
        LambdaConfigurations:
        - Event: s3:ObjectCreated:*
          Function:
            Fn::GetAtt:
            - Function
            - Arn
    Type: AWS::S3::Bucket

Note the DeletionPolicy is present, but the UpdateReplacePolicy has been removed. If I remove the function, the bucket stays as-is.

Let me know if I should file a separate issue for this.
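A guardrail a deployment pipeline can run against exactly the situation in the comment above: compare the SAM template you wrote with the CloudFormation template the transform produced, and fail the build if a DeletionPolicy or UpdateReplacePolicy was dropped or changed. This is an added example, not code from the issue or from the SAM project; it assumes both templates have already been loaded into dicts (the inline ones are constructed to mirror the bucket example above) and leaves YAML parsing of CloudFormation's `!Ref`-style short tags to the caller.

```python
PROTECTION_ATTRIBUTES = ("DeletionPolicy", "UpdateReplacePolicy")

# Constructed: resources of the original SAM template, mirroring the issue.
ORIGINAL = {
    "Resources": {
        "Bucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Retain",
        },
        "Function": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "index.handler", "Runtime": "nodejs12.x"},
        },
    }
}

# Constructed: the transformed output as the issue shows it, with the
# bucket's UpdateReplacePolicy missing.
TRANSFORMED = {
    "Resources": {
        "Bucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "DependsOn": ["FunctionObjectCreatedPermission"],
            "Properties": {"NotificationConfiguration": {"LambdaConfigurations": []}},
        },
        "Function": {"Type": "AWS::Lambda::Function", "Properties": {}},
    }
}


def dropped_protections(original, transformed):
    """Return (logical_id, attribute, expected, actual) for every DeletionPolicy
    or UpdateReplacePolicy that is missing or changed after the transform.
    A protected resource that vanished entirely is reported the same way."""
    findings = []
    for logical_id, resource in original.get("Resources", {}).items():
        out = transformed.get("Resources", {}).get(logical_id, {})
        for attr in PROTECTION_ATTRIBUTES:
            expected = resource.get(attr)
            if expected is not None and out.get(attr) != expected:
                findings.append((logical_id, attr, expected, out.get(attr)))
    return findings


if __name__ == "__main__":
    for logical_id, attr, expected, actual in dropped_protections(ORIGINAL, TRANSFORMED):
        print(f"{logical_id}: {attr} expected {expected!r}, got {actual!r}")
```

A non-empty result is the signal to stop the deploy, since a Retain that silently turned into the default Delete is exactly what lets a stack update or teardown remove a bucket or table.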
