
Feature Request: support DeletionPolicy #450

Closed
huribeir opened this issue May 30, 2018 · 6 comments

Comments

@huribeir

This is a feature request to cover the implementation of support to using DeletionPolicy statements on AWS SAM resources. The result of specifying a DeletionPolicy attribute on a SAM resource should be the resulting CloudFormation resources also having that attribute

@shwetaskatdare

Thanks for the request. We'll look into it.

@jfpaccini

As per https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-resource-attributes.html, only the 'DependsOn' resource attribute is supported across the board, and DeletionPolicy is only supported for LayerVersion.

It would be very useful to support it for DynamoDb tables (aka AWS::Serverless::SimpleTable), as we do not want to delete a database table for some sensitive environments.

thanks

@PatMyron
Contributor

PatMyron commented Jun 12, 2020

UpdateReplacePolicy and Metadata too


Without supporting DeletionPolicy and UpdateReplacePolicy, AWS::Serverless resources cannot be easily protected

Without supporting Metadata, resource level cfn-lint / cfn-nag ignores fail, and deployment safety Cloudformation Linter rules are ignored for entire templates, endangering other resource types too:

aws-cloudformation/cfn-lint#1265


More Metadata support thoughts

@mhart

mhart commented Sep 19, 2020

I'm not sure if this is the same issue, but it looks like UpdateReplacePolicy is actually removed from an S3 bucket in the transformed output:

Original template:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:

  Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain

  Function:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs12.x
      Events:
        ObjectCreated:
          Type: S3
          Properties:
            Bucket: !Ref Bucket
            Events: s3:ObjectCreated:*

Transformed template (just the bucket portion):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Bucket:
    DeletionPolicy: Retain
    DependsOn:
    - FunctionObjectCreatedPermission
    Properties:
      NotificationConfiguration:
        LambdaConfigurations:
        - Event: s3:ObjectCreated:*
          Function:
            Fn::GetAtt:
            - Function
            - Arn
    Type: AWS::S3::Bucket

Note the DeletionPolicy is present, but the UpdateReplacePolicy has been removed. If I remove the function, the bucket stays as-is.

Let me know if I should file a separate issue for this.
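The two checks a template reviewer would want after reading the comment above, as an added example that is not part of this issue thread or of the SAM project: one that flags stateful resources (buckets, tables) whose DeletionPolicy or UpdateReplacePolicy is not Retain, and one that compares a pre-transform template with its transformed output to report resource-level attributes that were dropped. The templates are embedded as Python dicts (CloudFormation's JSON form) so the script runs without a YAML parser or !Ref tag handling; they are constructed to mirror the bucket/function template in the comment, with the transformed function portion abbreviated, and the set of "stateful" types is an assumption of this example.

```python
"""Detect unprotected stateful resources and attributes lost in a SAM transform.

Constructed example: templates are Python dicts in CloudFormation's JSON form.
"""

# Resource-level attributes CloudFormation accepts beside Type/Properties.
RESOURCE_ATTRIBUTES = ("DeletionPolicy", "UpdateReplacePolicy",
                       "DependsOn", "Metadata", "Condition")

# Assumption of this example: resource types treated as data-holding.
STATEFUL_TYPES = {
    "AWS::S3::Bucket",
    "AWS::DynamoDB::Table",
    "AWS::Serverless::SimpleTable",
}


def find_unprotected_resources(template):
    """Return {logical_id: [attribute, ...]} for stateful resources whose
    DeletionPolicy or UpdateReplacePolicy is missing or not 'Retain'."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in STATEFUL_TYPES:
            continue
        missing = [attr for attr in ("DeletionPolicy", "UpdateReplacePolicy")
                   if res.get(attr) != "Retain"]
        if missing:
            findings[logical_id] = missing
    return findings


def dropped_attributes(original, transformed):
    """Return {logical_id: [attribute, ...]} for attributes present on a
    resource before the transform but absent from the same logical id after."""
    dropped = {}
    after_resources = transformed.get("Resources", {})
    for logical_id, before in original.get("Resources", {}).items():
        after = after_resources.get(logical_id)
        if after is None:
            # The transform renamed or expanded the resource; not compared here.
            continue
        lost = [attr for attr in RESOURCE_ATTRIBUTES
                if attr in before and attr not in after]
        if lost:
            dropped[logical_id] = lost
    return dropped


# Constructed: the pre-transform template from the comment, in JSON form.
ORIGINAL = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "Bucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "UpdateReplacePolicy": "Retain",
        },
        "Function": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "nodejs12.x",
                "Events": {"ObjectCreated": {"Type": "S3", "Properties": {
                    "Bucket": {"Ref": "Bucket"},
                    "Events": "s3:ObjectCreated:*"}}},
            },
        },
    },
}

# Constructed: the transformed output, bucket portion as shown in the comment,
# function portion abbreviated to what this check needs.
TRANSFORMED = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Bucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "DependsOn": ["FunctionObjectCreatedPermission"],
            "Properties": {"NotificationConfiguration": {"LambdaConfigurations": [
                {"Event": "s3:ObjectCreated:*",
                 "Function": {"Fn::GetAtt": ["Function", "Arn"]}}]}},
        },
        "Function": {"Type": "AWS::Lambda::Function", "Properties": {}},
    },
}

# Constructed: a SimpleTable with no retention policies at all.
UNPROTECTED = {"Resources": {
    "Table": {"Type": "AWS::Serverless::SimpleTable", "Properties": {}}}}


if __name__ == "__main__":
    print("dropped by transform:", dropped_attributes(ORIGINAL, TRANSFORMED))
    print("unprotected after transform:", find_unprotected_resources(TRANSFORMED))
    print("unprotected table:", find_unprotected_resources(UNPROTECTED))
```

Running the transform check against a deployed stack's processed template (the output of `aws cloudformation get-template --template-stage Processed`) is the practical way to confirm whether attributes survived, since the transformed template, not the source, is what governs replacement and deletion behaviour.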

@rocifier

rocifier commented Mar 4, 2021

How can I add DeletionPolicy: Retain onto the actual function itself?

@mndeveci
Contributor

mndeveci commented Jun 9, 2021

Closing this issue since it has been released with SAM v1.36.0 and SAM CLI v1.24.0.

You can read more about how resource-level attributes are handled in SAM via our updated documentation: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-resource-attributes.html

Thanks!

@mndeveci mndeveci closed this as completed Jun 9, 2021