Stack Policy

Michael Neil edited this page Sep 28, 2018 · 1 revision

Supported in version 1.5.4+

Stack Policy

By default, mu adds a stack policy to stacks that create database or KMS resources. These policies deny stack changes that would replace or delete a database or KMS resource. If you need to allow mu to replace or delete these resources, pass the --allow-data-loss flag.

Default Policy

{
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : [
        "Update:Replace",
        "Update:Delete"
      ],
      "Principal": "*",
      "Resource": "*",
      "Condition" : {
        "StringEquals" : {
          "ResourceType" : [
            "AWS::RDS::DBInstance",
            "AWS::KMS::Key"
          ]
        }
      }
    },
    {
      "Effect" : "Allow",
      "Action" : "Update:*",
      "Principal": "*",
      "Resource" : "*"
    }
  ]
}
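
To see which updates the default policy above rejects, the following evaluator checks a list of proposed changes against it. It is an added example, not code from mu or AWS; the function names and the logical IDs in `SAMPLE_CHANGES` are constructed, and it assumes CloudFormation's documented stack-policy rules: an explicit Deny overrides an Allow, and an update matched by no statement is denied.

```python
from fnmatch import fnmatchcase

# mu's default stack policy, copied from this page.
DEFAULT_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
     "Principal": "*", "Resource": "*", "Condition": {"StringEquals": {
         "ResourceType": ["AWS::RDS::DBInstance", "AWS::KMS::Key"]}}},
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, logical_id, resource_type):
    """True if a policy statement applies to this proposed update."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    target = "LogicalResourceId/" + logical_id
    if not any(fnmatchcase(target, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        types = _as_list(keys.get("ResourceType", []))
        if operator == "StringEquals":
            ok = resource_type in types
        elif operator == "StringLike":
            ok = any(fnmatchcase(resource_type, t) for t in types)
        else:
            raise ValueError("unsupported condition operator: " + operator)
        if not ok:
            return False
    return True

def evaluate(policy, action, logical_id, resource_type):
    """Return 'Deny' or 'Allow'. An explicit Deny wins; no match means Deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, logical_id, resource_type)}
    return "Allow" if effects == {"Allow"} else "Deny"

def blocked_changes(policy, changes):
    """Filter proposed changes down to those the stack policy would reject."""
    return [c for c in changes if evaluate(policy, *c) == "Deny"]

# Constructed sample changes: (action, logical id, resource type).
SAMPLE_CHANGES = [
    ("Update:Modify", "Database", "AWS::RDS::DBInstance"),
    ("Update:Replace", "Database", "AWS::RDS::DBInstance"),
    ("Update:Delete", "DatabaseKey", "AWS::KMS::Key"),
    ("Update:Replace", "Cluster", "AWS::RDS::DBCluster"),
]
```

Against the policy as shown, only the two listed resource types are protected from replacement or deletion; the constructed AWS::RDS::DBCluster change falls through to the Allow statement.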

Commands

# Allow CloudFormation to replace or delete a database or KMS key
> mu --allow-data-loss