In AWS CloudFormation there are special resources that can't be updated directly. They get replaced by the aws cloudformation update-stack command instead. This works fine as long as you don't want to keep these resources after an update.
In my example, I want to keep all updated versions of AWS::AutoScaling::LaunchConfiguration resources for manual switching of LaunchConfigurations in the AutoScalingGroup (for testing purposes or emergency rollback). I need to do that because web interface users are not able to use CloudFormation, nor are they authorized to do so.
So I created a template which creates/updates a LaunchConfiguration resource by setting a custom LaunchConfigurationName that includes the current date/time.
This works fine, but after the UPDATE_COMPLETE_CLEANUP_IN_PROGRESS state the old version of the AWS::AutoScaling::LaunchConfiguration resource always gets deleted. To avoid that I tried to set up a set-stack-policy:
    {
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : "Update:*",
          "Principal": "*",
          "Resource" : "*"
        },
        {
          "Effect" : "Deny",
          "Action" : "Update:Delete",
          "Principal" : "*",
          "Resource" : "*",
          "Condition" : {
            "StringEquals" : {
              "ResourceType" : ["AWS::AutoScaling::LaunchConfiguration"]
            }
          }
        }
      ]
    }
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/protect-stack-resources.html
Update:Delete
Specifies update actions during which resources are removed.
Updates that completely remove resources from a stack template require this action.
Result: The resource still gets deleted after updating the AutoScalingGroup (UPDATE_COMPLETE_CLEANUP_IN_PROGRESS state).
Do you have an idea how to keep old versions?
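
An added example, not part of the original post: a simplified local model of how the posted policy's statements match the stack-policy update actions, assuming an explicit Deny overrides an Allow and an unmatched action is denied. The logical ID `LaunchConfig` and the helper names are hypothetical.

```python
import fnmatch

# The stack policy from the post, reproduced as a Python dict.
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "Update:Delete", "Principal": "*", "Resource": "*",
         "Condition": {"StringEquals": {"ResourceType": [
             "AWS::AutoScaling::LaunchConfiguration"]}}},
    ]
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, logical_id, resource_type):
    """True when a statement applies to this action on this resource."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    target = "LogicalResourceId/" + logical_id
    if not any(fnmatch.fnmatchcase(target, p) for p in _as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        wanted = _as_list(keys.get("ResourceType", []))
        if operator == "StringEquals" and resource_type not in wanted:
            return False
        if operator == "StringLike" and not any(
                fnmatch.fnmatchcase(resource_type, w) for w in wanted):
            return False
    return True

def evaluate(policy, action, logical_id, resource_type):
    """Assumed model: explicit Deny wins; no matching Allow means Deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, logical_id, resource_type)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

def report(policy, logical_id, resource_type):
    """Effect of the policy for each update action on one resource."""
    actions = ["Update:Modify", "Update:Replace", "Update:Delete"]
    return {a: evaluate(policy, a, logical_id, resource_type) for a in actions}

if __name__ == "__main__":
    lc_type = "AWS::AutoScaling::LaunchConfiguration"
    for action, effect in report(POLICY, "LaunchConfig", lc_type).items():
        print(f"{action:15} {effect}")
```

Under this model the Deny statement covers only `Update:Delete`, while `Update:Replace` remains allowed through the `Update:*` statement. The AWS documentation describes `Update:Replace` as the action in which CloudFormation creates a new resource and then deletes the old one.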