apply nested stack policy
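#######################################
# Recursively apply one stack policy to every nested stack below a parent.
# set-stack-policy takes a single --stack-name, so each descendant is
# handled explicitly; the parent stack itself is left untouched.
# Globals:   none (uses the caller's AWS CLI credentials and region)
# Arguments: $1 - name or ID of the parent CloudFormation stack
#            $2 - local path to the stack policy JSON; handed to the CLI
#                 as file://<path>, so it is read from the local filesystem
# Outputs:   whatever the aws CLI prints for each set-stack-policy call
# Returns:   0 when every nested stack was updated, otherwise the exit
#            status of the first aws call that failed
#######################################
protect_nested_stacks() {
  local parent_stack=$1 stack_policy_file=$2
  local listing stack
  local -a nested_stacks=()

  # Declaration and assignment are split so a failed list call is not
  # masked by 'local' returning 0; otherwise an API/permission error would
  # look like "no nested stacks" and silently leave descendants unprotected.
  listing=$(aws cloudformation list-stack-resources \
    --stack-name "${parent_stack}" \
    --query "StackResourceSummaries[?ResourceType=='AWS::CloudFormation::Stack'].[PhysicalResourceId]" \
    --output text) || return

  # A leaf stack has nothing nested; stop here instead of iterating over
  # the single empty line a here-string would produce.
  [[ -n "${listing}" ]] || return 0

  # One PhysicalResourceId (nested stack ID) per line; read line-wise
  # rather than relying on unquoted word splitting of the whole output.
  mapfile -t nested_stacks <<<"${listing}"

  for stack in "${nested_stacks[@]}"; do
    [[ -n "${stack}" ]] || continue
    # Stop on the first failure so a partially protected tree is reported
    # to the caller rather than being skipped over.
    aws cloudformation set-stack-policy \
      --stack-name "${stack}" \
      --stack-policy-body "file://${stack_policy_file}" || return
    protect_nested_stacks "${stack}" "${stack_policy_file}" || return
  done
}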
{ | |
"Statement" : [ | |
{ | |
"Effect" : "Allow", | |
"Action" : "Update:*", | |
"Principal": "*", | |
"Resource" : "*" | |
}, | |
{ | |
"Effect" : "Deny", | |
"Action" : ["Update:Replace", "Update:Delete"], | |
"Principal": "*", | |
"Resource" : "*", | |
"Condition": { | |
"StringEquals" : { | |
"ResourceType" : ["AWS::RDS::DBInstance"] | |
} | |
} | |
} | |
] | |
} |