Closed huribeir closed 3 years ago
Thanks for the request. We'll look into it.
As per https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-resource-attributes.html, only the 'DependsOn' resource attribute is supported across the board and DeletionPolicy is only supported for LayerVersion.
It would be very useful to support it for DynamoDB tables (aka AWS::Serverless::SimpleTable), as we do not want to delete a database table for some sensitive environments.
thanks
UpdateReplacePolicy and Metadata too
Without supporting DeletionPolicy and UpdateReplacePolicy, AWS::Serverless resources cannot be easily protected
Without supporting Metadata, resource level cfn-lint / cfn-nag ignores fail, and deployment safety CloudFormation Linter rules are ignored for entire templates, endangering other resource types too:
https://github.com/aws-cloudformation/cfn-python-lint/issues/1265
I'm not sure if this is the same issue, but it looks like UpdateReplacePolicy is actually removed from an S3 bucket in the transformed output:
Original template:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
  Function:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs12.x
      Events:
        ObjectCreated:
          Type: S3
          Properties:
            Bucket: !Ref Bucket
            Events: s3:ObjectCreated:*
```
Transformed template (just the bucket portion):
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Bucket:
    DeletionPolicy: Retain
    DependsOn:
    - FunctionObjectCreatedPermission
    Properties:
      NotificationConfiguration:
        LambdaConfigurations:
        - Event: s3:ObjectCreated:*
          Function:
            Fn::GetAtt:
            - Function
            - Arn
    Type: AWS::S3::Bucket
```
Note the DeletionPolicy is present, but the UpdateReplacePolicy has been removed. If I remove the function, the bucket stays as-is.
Let me know if I should file a separate issue for this.
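A check for the behaviour reported in the comment above, as an added example that is not part of the original thread or the SAM project's code: it compares a source template with its transformed output and reports any DeletionPolicy or UpdateReplacePolicy that did not survive on the same logical ID. The function name `dropped_attributes` and the dict representation are assumptions; the sample data is the comment's two templates re-typed as Python dicts.

```python
PROTECTIVE_ATTRS = ("DeletionPolicy", "UpdateReplacePolicy")

# Constructed sample input: the two templates from the comment above,
# with `!Ref Bucket` written in its long form.
ORIGINAL = {"Resources": {
    "Bucket": {"Type": "AWS::S3::Bucket",
               "DeletionPolicy": "Retain",
               "UpdateReplacePolicy": "Retain"},
    "Function": {"Type": "AWS::Serverless::Function", "Properties": {
        "Handler": "index.handler", "Runtime": "nodejs12.x",
        "Events": {"ObjectCreated": {"Type": "S3", "Properties": {
            "Bucket": {"Ref": "Bucket"},
            "Events": "s3:ObjectCreated:*"}}}}},
}}
TRANSFORMED = {"Resources": {
    "Bucket": {"Type": "AWS::S3::Bucket",
               "DeletionPolicy": "Retain",
               "DependsOn": ["FunctionObjectCreatedPermission"],
               "Properties": {"NotificationConfiguration": {
                   "LambdaConfigurations": [{
                       "Event": "s3:ObjectCreated:*",
                       "Function": {"Fn::GetAtt": ["Function", "Arn"]}}]}}},
}}


def dropped_attributes(original, transformed, attrs=PROTECTIVE_ATTRS):
    """Return sorted (logical_id, attribute, expected_value) tuples for
    attributes set in `original` that are missing or changed on the same
    logical ID in `transformed`."""
    findings = []
    out_resources = transformed.get("Resources", {})
    for logical_id, resource in original.get("Resources", {}).items():
        out = out_resources.get(logical_id)
        if out is None:
            # Not present under this logical ID in the output (here only the
            # bucket portion was shown), so there is nothing to compare.
            continue
        for attr in attrs:
            if attr in resource and out.get(attr) != resource[attr]:
                findings.append((logical_id, attr, resource[attr]))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, attr, value in dropped_attributes(ORIGINAL, TRANSFORMED):
        print(f"{logical_id}: {attr}: {value} missing after transform")
```

Run as a pre-deployment gate, a non-empty result means a resource you marked for retention would be deployed without that protection.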
How can I add DeletionPolicy: Retain onto the actual function itself?
Closing this issue since it has been released with SAM v1.36.0 and SAM CLI v1.24.0.
You can read more about how resource level attributes are handled in SAM via our updated documentation: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-resource-attributes.html
Thanks!
This is a feature request to cover the implementation of support for using DeletionPolicy statements on AWS SAM resources. The result of specifying a DeletionPolicy attribute on a SAM resource should be the resulting CloudFormation resources also having that attribute.