aws / serverless-application-model

The AWS Serverless Application Model (AWS SAM) transform is an AWS CloudFormation macro that transforms SAM templates into CloudFormation templates.
https://aws.amazon.com/serverless/sam
Apache License 2.0

Feature Request: support DeletionPolicy #450

Closed huribeir closed 3 years ago

huribeir commented 6 years ago

This is a feature request to cover the implementation of support for using DeletionPolicy statements on AWS SAM resources. The result of specifying a DeletionPolicy attribute on a SAM resource should be the resulting CloudFormation resources also having that attribute.

shwetaskatdare commented 5 years ago

Thanks for the request. We'll look into it.

jfpaccini commented 4 years ago

As per https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-resource-attributes.html, only the 'DependsOn' resource attribute is supported across the board, and DeletionPolicy is only supported for LayerVersion.

It would be very useful to support it for DynamoDB tables (aka AWS::Serverless::SimpleTable), as we do not want to delete a database table for some sensitive environments.

thanks

PatMyron commented 4 years ago

UpdateReplacePolicy and Metadata too

Without supporting DeletionPolicy and UpdateReplacePolicy, AWS::Serverless resources cannot be easily protected.

Without supporting Metadata, resource-level cfn-lint / cfn-nag ignores fail, and deployment safety CloudFormation Linter rules are ignored for entire templates, endangering other resource types too:

https://github.com/aws-cloudformation/cfn-python-lint/issues/1265

More Metadata support thoughts

mhart commented 3 years ago

I'm not sure if this is the same issue, but it looks like UpdateReplacePolicy is actually removed from an S3 bucket in the transformed output:

Original template:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:

  Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain

  Function:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs12.x
      Events:
        ObjectCreated:
          Type: S3
          Properties:
            Bucket: !Ref Bucket
            Events: s3:ObjectCreated:*

Transformed template (just the bucket portion):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Bucket:
    DeletionPolicy: Retain
    DependsOn:
    - FunctionObjectCreatedPermission
    Properties:
      NotificationConfiguration:
        LambdaConfigurations:
        - Event: s3:ObjectCreated:*
          Function:
            Fn::GetAtt:
            - Function
            - Arn
    Type: AWS::S3::Bucket

Note the DeletionPolicy is present, but the UpdateReplacePolicy has been removed. If I remove the function, the bucket stays as-is.

Let me know if I should file a separate issue for this.

rocifier commented 3 years ago

How can I add DeletionPolicy: Retain onto the actual function itself?

mndeveci commented 3 years ago

Closing this issue since it has been released with SAM v1.36.0 and SAM CLI v1.24.0.

You can read more about how resource-level attributes are handled in SAM via our updated documentation: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-resource-attributes.html

Thanks!