
Support StackPolicy for nested stacks

Open · DucQuach opened this issue 2 years ago · 1 comment

Name of the resource

AWS::CloudFormation::Stack

Resource name

No response

Description

Currently, if I have a CloudFormation stack that includes a nested stack, for example:

```yaml
NestedStack:
  Type: AWS::CloudFormation::Stack
  Properties:
    TemplateURL: ./path/to/template.yaml
```

And there are Stack Policies applied to the Root Stack:

```json
{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : ["Update:Replace", "Update:Delete"],
      "Principal": "*",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : [
            "AWS::RDS::DBInstance"
          ]
        }
      }
    },
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}
```

These policies are NOT applied to the nested stack. As your infrastructure grows, it's a best practice to use Nested Stacks, and in this case, having Stack Policies applied to the Root Stack makes them useless because all of the resources are in the nested stacks. Can we have a way to set the Stack Policies for the AWS::CloudFormation::Stack resource? Either using JSON or inheriting from the root stack?

Other Details

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html

DucQuach · Feb 08 '23 10:02
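Because the root stack's policy is not inherited, each nested stack has to carry its own, and the gap is easy to miss as the tree grows. The following is an added example (not code from the issue or the roadmap project) that walks every nesting level under a root stack and reports children with no stack policy at all; `cfn` is assumed to be a boto3 CloudFormation client, and `FakeCfn` is a constructed stand-in so the script runs offline.

```python
# Added example: audit nested stacks for a missing stack policy. `cfn` is any
# object exposing the boto3 CloudFormation methods used here (assumption);
# FakeCfn is a constructed offline stand-in with a three-level stack tree.
import json

NESTED = "AWS::CloudFormation::Stack"


def nested_stack_ids(cfn, stack_name):
    """Stack IDs of the direct AWS::CloudFormation::Stack children (all pages)."""
    ids, kwargs = [], {"StackName": stack_name}
    while True:
        page = cfn.list_stack_resources(**kwargs)
        ids += [r["PhysicalResourceId"] for r in page.get("StackResourceSummaries", [])
                if r["ResourceType"] == NESTED and r.get("PhysicalResourceId")]
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]

def audit_stack_policies(cfn, root):
    """Walk every nesting level; map each nested stack ID to its parsed policy or None."""
    report, todo = {}, nested_stack_ids(cfn, root)
    while todo:
        sid = todo.pop()
        if sid in report:
            continue
        body = cfn.get_stack_policy(StackName=sid).get("StackPolicyBody")
        report[sid] = json.loads(body) if body else None
        todo += nested_stack_ids(cfn, sid)
    return report

def unprotected(cfn, root):
    """Nested stacks with no policy: Update:Replace/Delete are unrestricted there."""
    return sorted(sid for sid, pol in audit_stack_policies(cfn, root).items() if pol is None)

class FakeCfn:
    """Constructed tree: root -> db-child (has policy) -> grandchild (none); root -> app-child (none)."""
    tree = {"root": ["arn:db-child", "arn:app-child"], "arn:db-child": ["arn:grandchild"],
            "arn:app-child": [], "arn:grandchild": []}
    policies = {"arn:db-child": json.dumps({"Statement": [{"Effect": "Deny", "Action": "Update:Replace",
                                                           "Principal": "*", "Resource": "*"}]})}

    def list_stack_resources(self, StackName, NextToken=None):
        return {"StackResourceSummaries": [{"ResourceType": NESTED, "PhysicalResourceId": c}
                                           for c in self.tree[StackName]]}

    def get_stack_policy(self, StackName):
        body = self.policies.get(StackName)
        return {"StackPolicyBody": body} if body else {}
```

Against a real account, `unprotected(boto3.client("cloudformation"), "my-root-stack")` lists the nested stacks that still need `set_stack_policy` applied (the root policy can be re-used as the body).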

+1

redaLaanait · Dec 29 '23 19:12