aws.cfn
Filters
json-diff
Compute the diff between the current resource and a previous revision of it.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database, so AWS Config must be recording this resource type in the account and region; a stack with no recorded history has nothing to diff against and does not match.
Revisions can be selected relative to the previous version, by date, or against a locked version (the locked selector requires the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
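Two policies using the json-diff filter, added here as an illustration and not taken from the Cloud Custodian documentation on this page. The first re-enables termination protection on stacks whose configuration differs from their previous AWS Config revision; the second only reports stacks changed since a given date. The policy names are made up, and the ISO-8601 date in selector_value is an assumed format (the schema only says it is a string).

```yaml
# Added example policies (not part of the original page).
policies:
  # Re-protect stacks that changed since their previous Config revision.
  - name: cfn-reprotect-changed-stacks
    resource: cfn
    filters:
      # Cheap attribute filter first: only stacks that finished an update.
      # Filters are evaluated in order, so this avoids Config lookups for
      # stacks that cannot match anyway.
      - StackStatus: UPDATE_COMPLETE
      # Match when the current stack differs from its previous Config revision.
      # Needs config:GetResourceConfigHistory and Config recording of stacks.
      - type: json-diff
        selector: previous
    actions:
      # Turn termination protection back on (cloudformation:UpdateStack).
      - type: set-protection
        state: true

  # Report-only: stacks whose configuration differs from the revision
  # recorded at the selected date. No actions, so nothing is changed.
  - name: cfn-changed-since-date
    resource: cfn
    filters:
      - type: json-diff
        selector: date
        # Assumed date format; the schema only constrains this to a string.
        selector_value: "2024-01-01"
```

Run the report-only policy first to review which stacks would match before attaching any action; the matched resources carry the computed diff, which is what you want to inspect when deciding whether a change was expected.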
Actions
delete
Action to delete CloudFormation stacks.
It is recommended to use a filter to avoid unwanted deletion of stacks.
If the force option is enabled, the action first disables termination protection where it is set. This is needed because you cannot filter on EnableTerminationProtection: AWS only includes that field when the DescribeStacks API is called with a specific stack name or id, so it is absent from the resource listing the filters see.
Example:

policies:
  - name: cloudformation-delete-failed-stacks
    resource: cfn
    filters:
      - StackStatus: ROLLBACK_COMPLETE
    actions:
      - type: delete
        force: true
properties:
  force:
    default: false
    type: boolean
  type:
    enum:
      - delete
required:
  - type
Permissions - cloudformation:DeleteStack, cloudformation:UpdateStack
set-protection
Action to enable or disable termination protection on a stack (state: true enables it, state: false disables it).
It is recommended to use a filter to avoid unwanted removal of protection, since an unprotected stack can be deleted.
Example:

policies:
  - name: cloudformation-disable-protection
    resource: cfn
    filters:
      - StackStatus: CREATE_COMPLETE
    actions:
      - type: set-protection
        state: false
properties:
  state:
    default: false
    type: boolean
  type:
    enum:
      - set-protection
required:
  - type
Permissions - cloudformation:UpdateStack