
Add stack policy document support to `aws cloudformation deploy`

Open EdouardMYOB opened this issue 1 year ago • 2 comments

Describe the feature

Add a `--stack-policy <local-json-file>` parameter to the `aws cloudformation deploy` command-line arguments so a Stack Policy Document can be applied idempotently alongside the template, in order for users to benefit from the protections that a Policy Document gives.

Use Case

I'd like to perform GitOps with CloudFormation templates and optional stack policy JSON files side by side. This would prevent accidental resource updates, replacements, deletions, etc. if an appropriate policy document exists. If the intention really is to affect the protected resource, then the stack policy document would also be updated (making an accident less likely, as modifying the policy document strongly implies intent).

Proposed Solution

`aws cloudformation deploy` helps simplify scripting, especially in automated CI/CD pipelines, replacing the need to do all the steps (testing whether a stack already exists, checking the change set isn't empty, etc.).

Stack Policies help with safety, so that some resources can be protected from accidental updates that might, for example, replace a production database.

It would be great if `aws cloudformation deploy` could add the capability to work with Stack Policies.

Ideal behaviour would be:

  • If the stack doesn't exist, and a `--stack-policy <local-json-file>` is supplied, then it invokes `aws cloudformation create-stack`, passing `--stack-policy-body` with the contents of the policy file.
  • If the stack already exists, and a `--stack-policy <local-json-file>` is supplied, then it first calls `aws cloudformation set-stack-policy` with the contents of the policy file, then does its normal change-set creation, and `aws cloudformation update-stack` if the change set is non-empty.

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

CLI version used

2.08

Environment details (OS name and version, etc.)

macOS 12.6

EdouardMYOB avatar Oct 11 '22 01:10 EdouardMYOB
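As an added example that is not part of the issue or of the AWS CLI itself, the following POSIX shell wrapper implements the two-branch behaviour proposed above on top of the CLI commands that already exist. It assumes AWS CLI v2 with credentials configured; the `AWS_CMD` variable is a hypothetical hook so the branch logic can be driven by a stub, the `ProductionDatabase` logical ID is a placeholder, and the embedded policy is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the issue or from the AWS CLI: a wrapper that does
# what the request asks of `aws cloudformation deploy`, applying a stack policy
# file alongside the template. Assumes AWS CLI v2 with credentials configured.
# AWS_CMD is a hypothetical override hook (defaults to the real `aws` binary)
# so the decision logic can be exercised against a stub without touching AWS.
set -eu

AWS_CMD="${AWS_CMD:-aws}"

# Constructed sample policy: allow every update except replacing or deleting the
# resource with logical ID "ProductionDatabase" (a placeholder name). A template
# change that would replace it now fails the update unless this file changes too,
# which is the "intent signal" the issue describes.
write_sample_policy() {
  cat >"$1" <<'EOF'
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["Update:Replace", "Update:Delete"],
      "Principal": "*",
      "Resource": "LogicalResourceId/ProductionDatabase"
    }
  ]
}
EOF
}

# Exit status 0 if describe-stacks finds the stack by name, 1 otherwise.
# A deleted stack is only returned by ID, so it counts as absent here.
stack_exists() {
  "$AWS_CMD" cloudformation describe-stacks --stack-name "$1" >/dev/null 2>&1
}

# "create" when the stack is absent, "update" when it already exists.
plan_action() {
  if stack_exists "$1"; then echo update; else echo create; fi
}

# deploy_with_policy STACK TEMPLATE_FILE POLICY_FILE
deploy_with_policy() {
  stack="$1"; template="$2"; policy="$3"
  case "$(plan_action "$stack")" in
    create)
      # New stack: create-stack takes the policy inline, so it is in force
      # from the first update onwards.
      "$AWS_CMD" cloudformation create-stack \
        --stack-name "$stack" \
        --template-body "file://$template" \
        --stack-policy-body "file://$policy"
      "$AWS_CMD" cloudformation wait stack-create-complete --stack-name "$stack"
      ;;
    update)
      # Existing stack: (re)apply the policy first, then let deploy build and
      # execute the change set under it. --no-fail-on-empty-changeset keeps a
      # no-op deploy from failing the pipeline.
      "$AWS_CMD" cloudformation set-stack-policy \
        --stack-name "$stack" \
        --stack-policy-body "file://$policy"
      "$AWS_CMD" cloudformation deploy \
        --stack-name "$stack" \
        --template-file "$template" \
        --no-fail-on-empty-changeset
      ;;
  esac
}

# Usage: ./deploy-with-policy.sh STACK_NAME TEMPLATE_FILE [POLICY_FILE]
# Without a policy file the constructed sample above is written and used.
if [ $# -ge 2 ]; then
  policy_file="${3:-}"
  if [ -z "$policy_file" ]; then
    policy_file="$(mktemp)"
    write_sample_policy "$policy_file"
  fi
  deploy_with_policy "$1" "$2" "$policy_file"
fi
```

Because `set-stack-policy` runs before the change set is created, a template edit that would replace `ProductionDatabase` fails the update with a stack policy error unless the policy file committed next to it is changed as well. Two caveats: a stack that a failed create left in ROLLBACK_COMPLETE is still reported by `describe-stacks`, so it takes the update path and the update fails; it has to be deleted first. And a stack policy only gates updates; it does not stop `delete-stack`, so termination protection is still needed for that.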

Thanks @EdouardMYOB for the feature request. I think it sounds reasonable based on the use case you provided but the team owning CloudFormation customizations will have to review this and confirm. In the meantime others can 👍 your post and share their use cases here as well if they are also interested in this.

tim-finnigan avatar Oct 11 '22 22:10 tim-finnigan

To be able to update resources on purpose with an only temporarily changed stack policy, it would be helpful to have the `--stack-policy-during-update-body` option as well with `aws cloudformation deploy`.

PIfM1 avatar Feb 13 '24 15:02 PIfM1