aws.cfn

Filters

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database.

Revisions can be selected by date, against the previous version, or against a locked version (the latter requires use of the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

Actions

delete

Action to delete CloudFormation stacks.

It is recommended to use a filter to avoid unwanted deletion of stacks.

If you enable the force option, the action first disables termination protection where required. This is useful because you cannot filter on EnableTerminationProtection: AWS only includes that field when the DescribeStacks API is called with a specific stack name or id.

example:

policies:
  - name: cloudformation-delete-failed-stacks
    resource: cfn
    filters:
      - StackStatus: ROLLBACK_COMPLETE
    actions:
      - type: delete
        force: true
properties:
  force:
    default: false
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - cloudformation:DeleteStack, cloudformation:UpdateStack

set-protection

Action to disable termination protection on a stack (the state property gives the protection state to set; it defaults to false).

It is recommended to use a filter to avoid unwanted deletion of stacks.

example:

policies:
  - name: cloudformation-disable-protection
    resource: cfn
    filters:
      - StackStatus: CREATE_COMPLETE
    actions:
      - type: set-protection
        state: False
properties:
  state:
    default: false
    type: boolean
  type:
    enum:
    - set-protection
required:
- type

Permissions - cloudformation:UpdateStack
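Both the delete and the set-protection actions above can strip a stack of its last safeguard, and the page recommends scoping each with a filter. The following guardrail, added here as an example and not Cloud Custodian's own code, scans policies in the parsed dict form that c7n loads from YAML and reports destructive aws.cfn actions that run unfiltered, a `delete` with `force: true`, or a `set-protection` that turns protection off. The policy names and the unscoped third policy are constructed for the demonstration.

```python
# Added example (not Cloud Custodian's own code): a pre-deployment guardrail
# that scans aws.cfn policies in their parsed dict form (what c7n loads from
# the YAML on this page) and flags destructive actions that are not scoped by
# a filter, plus `delete` with `force: true`, which removes termination
# protection before deleting.

DESTRUCTIVE_ACTIONS = {"delete", "set-protection"}


def action_type(action):
    """Normalise c7n action syntax: 'delete' or {'type': 'delete', ...}."""
    if isinstance(action, str):
        return action, {}
    return action.get("type"), action


def check_policy(policy):
    """Return a list of findings for one policy; an empty list means no concern."""
    findings = []
    if policy.get("resource") not in ("cfn", "aws.cfn"):
        return findings
    name = policy.get("name", "<unnamed>")
    filters = policy.get("filters") or []
    for action in policy.get("actions") or []:
        kind, body = action_type(action)
        if kind not in DESTRUCTIVE_ACTIONS:
            continue
        if not filters:
            findings.append(f"{name}: {kind} has no filters and would apply to every stack")
        if kind == "delete" and body.get("force") is True:
            findings.append(f"{name}: delete with force: true disables termination protection first")
        if kind == "set-protection" and not body.get("state", False):
            findings.append(f"{name}: set-protection turns termination protection off")
    return findings


def check_policies(policies):
    return [f for p in policies for f in check_policy(p)]


# Constructed sample: the two policies from this page plus an unscoped one.
SAMPLE_POLICIES = [
    {"name": "cloudformation-delete-failed-stacks", "resource": "cfn",
     "filters": [{"StackStatus": "ROLLBACK_COMPLETE"}],
     "actions": [{"type": "delete", "force": True}]},
    {"name": "cloudformation-disable-protection", "resource": "cfn",
     "filters": [{"StackStatus": "CREATE_COMPLETE"}],
     "actions": [{"type": "set-protection", "state": False}]},
    {"name": "unscoped-delete", "resource": "cfn", "actions": ["delete"]},
]

if __name__ == "__main__":
    for finding in check_policies(SAMPLE_POLICIES):
        print(finding)
```

Run it against a policy file loaded with your YAML parser before `custodian run`; the two page policies only produce informational findings, while the unscoped policy is the one a reviewer should block.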