You can use a stack policy to prevent stack resources from being unintentionally updated or deleted during a stack update. This topic describes how to define, configure, and update a stack policy.
Background information
A stack policy is a JSON or YAML file that defines the update actions that can be performed on specified resources. After a stack is created, any user who has permissions to update the stack can update all of its resources, and some resources are interrupted while a change is applied to them. After a stack policy is configured, Resource Orchestration Service (ROS) protects all resources in the stack, and updates are allowed only for the resources that your stack policy explicitly covers with an Allow statement.
You can define only one stack policy for each stack. A single stack policy can protect multiple resources.
During a stack update, ROS also updates resources that depend on an updated resource, for example a resource that references the updated resource. The stack policy applies to these dependent resources as well: if the policy does not allow updates to a dependent resource that ROS must update, the update is denied.
A stack policy takes effect only during stack updates. Unlike RAM policies, stack policies are not an access control mechanism: they do not restrict who may call ROS operations, and they do not apply to changes made outside a stack update. A stack policy works only as a fail-safe mechanism that prevents unintentional updates to specific stack resources.
Define a stack policy
If you do not configure a stack policy when you create a stack, all resources in the stack can be updated. To prevent updates to the resources in a stack, you can define a stack policy and configure the policy for the stack. When you create a stack, you can enter the content of your stack policy or specify a text file that contains your stack policy to configure a stack policy. If you do not explicitly allow updates when you configure a stack policy, updates are denied.
A stack policy consists of the following elements: Effect, Action, Principal, Resource, and Condition. The following skeleton shows the structure of a stack policy in YAML:
Statement:
  - Effect: Deny_or_Allow
    Action: update_actions
    Principal: '*'
    Resource: LogicalResourceId/resource_logical_ID
    Condition:
      StringEquals_or_StringLike:
        ResourceType:
          - resource_type
          - ...
The following section describes the elements in the policy:
Effect
Specifies whether to deny or allow actions on resources. Valid values: Deny and Allow. Sample code:
Effect: Deny
Note: If a stack policy includes both Allow and Deny statements, the Deny statement overrides the Allow statement. If you want to protect a resource from an update, use the Deny statement.
Action
The update actions that are denied or allowed. Valid values:
Update:Modify: the update action during which a resource is modified in place. Depending on the resource, the change is applied without interruption or with an interruption.
Update:Delete: the update action during which a resource is deleted. This action must be allowed for updates that completely remove a resource from the stack template.
Update:*: all update actions. The wildcard character (*) matches all update actions.
Note: Update:Replace, the update action during which a resource is replaced, is a reserved feature and is not supported.
In the following sample code, the Update:Modify and Update:Delete actions are specified:
Action:
  - Update:Modify
  - Update:Delete
If you want to allow all update actions except for a specific update action, use NotAction. For example, set NotAction to Update:Delete to allow all update actions except for the Update:Delete action:
Statement:
  - Effect: Allow
    NotAction: Update:Delete
    Principal: '*'
    Resource: '*'
Principal
The principals to which the policy applies. Set the value to the wildcard character (*). The wildcard character (*) indicates that the policy applies to all principals.
Resource
The logical ID of the resource to which the policy applies. If you want to match resources by type instead, use the Condition element. To specify a resource, use its logical ID prefixed with LogicalResourceId/. Sample code:
Resource:
  - LogicalResourceId/myECS
The logical ID can contain the wildcard character (*). For example, to match all logical IDs that share a prefix, append the wildcard character (*) to the prefix:
Resource:
  - LogicalResourceId/Prefix*
You can prefix the Resource element with Not. For example, to allow updates to all resources except for a specific resource, use the NotResource element, which leaves that resource protected:
Statement:
  - Effect: Allow
    Action: Update:*
    Principal: '*'
    NotResource: LogicalResourceId/WebServers
If you do not explicitly allow updates to a resource when you configure a stack policy, updates to that resource are denied. Because the preceding policy allows updates to all resources except for WebServers, updates to the WebServers resource are denied.
Condition
The resource type to which the policy applies. If you want to specify resources by logical ID instead, use the Resource element. For example, the ALIYUN::ECS::Instance and ALIYUN::RDS::DBInstance resource types match all Elastic Compute Service (ECS) instances and ApsaraDB RDS instances in the stack:
Statement:
  - Effect: Deny
    Principal: '*'
    Action: Update:*
    Resource: '*'
    Condition:
      StringEquals:
        ResourceType:
          - ALIYUN::ECS::Instance
          - ALIYUN::RDS::DBInstance
  - Effect: Allow
    Principal: '*'
    Action: Update:*
    Resource: '*'
In the preceding sample code, the Allow statement allows updates to all resources and the Deny statement denies updates to ECS and ApsaraDB RDS instances. Because the Deny statement overrides the Allow statement, the instances stay protected.
The resource type can contain the wildcard character (*). For example, the following condition denies updates to all ECS resources, such as ECS instances, security groups, and subnets:
Condition:
  StringLike:
    ResourceType:
      - ALIYUN::ECS::*
Note: When the resource type contains the wildcard character (*), you must use the StringLike condition. StringEquals compares the value literally and does not expand the wildcard.
Configure a stack policy
You can use the ROS console or Alibaba Cloud CLI to apply a stack policy to a stack when you create the stack, and Alibaba Cloud CLI to apply a stack policy to an existing stack. After you apply a stack policy to a stack, you cannot remove the policy from the stack; you can only replace it with a new policy, for example one that allows all updates. You can update the policy by using the ROS console or Alibaba Cloud CLI.
Use the ROS console to configure a stack policy when you create a stack
Log on to the ROS console.
In the left-side navigation pane, click Stacks.
In the top navigation bar, select the region where you want to create a stack from the region drop-down list. In this example, China (Hangzhou) is selected.
On the Stacks page, click Create Stack and select Use ROS from the drop-down list.
In the Select Template step of the Create Stack wizard, specify a template based on your business requirements and click Next.
In the Configure Parameters step of the Create Stack wizard, follow the on-screen instructions to configure the Stack Name parameter, and the parameters in the Configure Template Parameters section.
In the Configure Stack Settings section, set the Stack Policy parameter to Input Stack Policy.
Use one of the following methods to configure a stack policy and click Next.
Input Stack Policy: Enter your stack policy.
Upload File: Upload a JSON or YAML file that contains your stack policy.
In the Compliance Precheck step, complete compliance precheck and click Next.
Note: Only specific resources support the compliance precheck feature. For more information, see Compliance precheck of ROS.
In the Evaluate Rules section, add compliance rules.
You can add compliance rules based on the cloud resources in the ROS template.
Click Evaluate.
You can modify the template content based on the suggestions that are provided to remediate invalid resources. This ensures the compliance of the resources.
Follow the on-screen instructions to complete creating the stack.
Use Alibaba Cloud CLI to configure a stack policy when you create a stack
To configure a stack policy when you create a stack, use one of the following methods:
Call the CreateStack operation: run the aliyun ros CreateStack command with the --StackPolicyBody option to pass the stack policy inline, or with the --StackPolicyURL option to specify a file that contains the stack policy.
Call the CreateChangeSet operation: run the aliyun ros CreateChangeSet command with the --StackPolicyBody option to pass the stack policy inline, or with the --StackPolicyURL option to specify a file that contains the stack policy.
Use Alibaba Cloud CLI to configure a stack policy for an existing stack (only Alibaba Cloud CLI supported)
Run the aliyun ros SetStackPolicy command with the --StackPolicyBody option to pass the stack policy inline, or with the --StackPolicyURL option to specify a file that contains the stack policy.
Note: To configure a stack policy for an existing stack, you must have the permissions to call the SetStackPolicy operation.
Update protected resources
If you want to update protected resources in a stack, you can create a temporary policy that overrides the existing stack policy and allows updates to the resources. The temporary stack policy does not permanently override the stack policy.
To update protected resources, you must have the permissions to call the SetStackPolicy operation. For more information about how to configure the permissions on ROS, see Use RAM to control access to resources.
Update protected resources by using the ROS console
Log on to the ROS console.
In the left-side navigation pane, click Stacks.
In the top navigation bar, select the region of the desired stack from the region drop-down list. In this example, China (Hangzhou) is selected.
On the Stacks page, find the stack and click Update in the Actions column.
In the Configure Stack Settings section, follow the on-screen instructions to select Input Stack Policy.
Configure a temporary stack policy.
The temporary stack policy that you configure takes effect only for this update. In the temporary policy, specify an Allow statement for the protected resources that you want to update. Because the temporary policy overrides the stack policy for this update and updates are denied by default, make sure that it also allows the other resources that the update changes. For example, the following temporary policy allows all updates to all resources. Note that such a blanket policy removes all protection for the duration of the update; where possible, scope the Allow statement to the logical IDs you intend to change.
Statement:
  - Effect: Allow
    Action: Update:*
    Principal: '*'
    Resource: '*'
Follow the on-screen instructions to complete updating the stack.
Update protected resources by using Alibaba Cloud CLI
To update protected resources, you can use one of the following methods:
Call the UpdateStack operation: run the aliyun ros UpdateStack command with the --StackPolicyDuringUpdateBody option to pass a temporary stack policy inline, or with the --StackPolicyDuringUpdateURL option to specify a file that contains the temporary stack policy.
Call the CreateChangeSet operation: run the aliyun ros CreateChangeSet command with the --StackPolicyDuringUpdateBody option to pass a temporary stack policy inline, or with the --StackPolicyDuringUpdateURL option to specify a file that contains the temporary stack policy.
Note: ROS applies the temporary policy only during this update. The temporary stack policy does not permanently override the stack policy.
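As an added worked example (not Alibaba Cloud's code and not part of the original page), the following Python script applies the evaluation rules from the Define a stack policy section to a planned update and then builds the least-privilege temporary policy that this Update protected resources section calls for, instead of a blanket Allow on '*'. The evaluator mirrors only the rules stated on this page (default deny, Deny overrides Allow, Update:* and LogicalResourceId/Prefix* wildcards, NotAction and NotResource, and StringEquals or StringLike on ResourceType); it is not the ROS service's own implementation. The change-plan format (logical_id, resource_type, action), the helper names, and the sample policy and plan are assumptions constructed for the example.

```python
"""Offline dry run of a ROS stack policy against a planned stack update.

Added example, not Alibaba Cloud's code. It applies the rules this page states:
updates are denied by default, an explicit Deny overrides any Allow, Update:*
matches every update action, NotAction and NotResource negate a match, Resource
is '*' or 'LogicalResourceId/<id>' with an optional trailing *, and Condition
restricts the ResourceType with StringEquals or StringLike. The change-plan
format, the helper names and the sample data are assumptions made for the example.
"""
import fnmatch
import json

PREFIX = "LogicalResourceId/"

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def _action_matches(patterns, action):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _resource_matches(patterns, logical_id):
    # '*' matches every resource; 'LogicalResourceId/Prefix*' globs on the logical ID.
    for p in patterns:
        if p == "*":
            return True
        if p.startswith(PREFIX) and fnmatch.fnmatchcase(logical_id, p[len(PREFIX):]):
            return True
    return False

def _condition_matches(condition, resource_type):
    # A statement without a Condition applies to every resource type.
    for operator, body in (condition or {}).items():
        types = _as_list(body.get("ResourceType"))
        if operator == "StringEquals":
            matched = resource_type in types
        elif operator == "StringLike":  # required when the type contains '*'
            matched = any(fnmatch.fnmatchcase(resource_type, t) for t in types)
        else:
            raise ValueError(f"unsupported condition operator: {operator}")
        if not matched:
            return False
    return True

def _statement_applies(stmt, action, logical_id, resource_type):
    if stmt.get("Principal") != "*":
        raise ValueError("Principal must be '*'")
    if "Action" in stmt:
        action_ok = _action_matches(_as_list(stmt["Action"]), action)
    else:  # NotAction: every action except the listed ones
        action_ok = not _action_matches(_as_list(stmt["NotAction"]), action)
    if "Resource" in stmt:
        resource_ok = _resource_matches(_as_list(stmt["Resource"]), logical_id)
    else:  # NotResource: every resource except the listed ones
        resource_ok = not _resource_matches(_as_list(stmt["NotResource"]), logical_id)
    return action_ok and resource_ok and _condition_matches(stmt.get("Condition"), resource_type)

def is_allowed(policy, action, logical_id, resource_type):
    """Allowed only if an Allow statement matches and no Deny statement matches."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, logical_id, resource_type):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides every Allow
        if stmt["Effect"] != "Allow":
            raise ValueError(f"unsupported Effect: {stmt['Effect']}")
        allowed = True
    return allowed  # nothing matched: denied by default

def blocked_changes(policy, plan):
    """Planned changes the policy rejects. A change is a dict with logical_id,
    resource_type and action (Update:Modify or Update:Delete)."""
    return [c for c in plan
            if not is_allowed(policy, c["action"], c["logical_id"], c["resource_type"])]

def temporary_policy(plan):
    """Least-privilege StackPolicyDuringUpdate. The temporary policy replaces the
    stack policy for one update, so allow exactly the planned (action, resource)
    pairs; everything outside the plan then stays denied by default."""
    seen, statements = set(), []
    for c in plan:
        if (c["action"], c["logical_id"]) not in seen:
            seen.add((c["action"], c["logical_id"]))
            statements.append({"Effect": "Allow", "Action": c["action"],
                               "Principal": "*", "Resource": PREFIX + c["logical_id"]})
    return {"Statement": statements}

# Constructed sample policy: the JSON form of the YAML policies shown on this page.
SAMPLE_POLICY = json.loads("""{"Statement": [
  {"Effect": "Deny", "Action": "Update:*", "Principal": "*", "Resource": "*",
   "Condition": {"StringEquals": {"ResourceType": ["ALIYUN::RDS::DBInstance"]}}},
  {"Effect": "Deny", "Action": "Update:Delete", "Principal": "*",
   "Resource": "LogicalResourceId/Web*"},
  {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"}]}""")

# Constructed change plan, as you would transcribe it from a change set.
SAMPLE_PLAN = [
    {"logical_id": "WebServer1", "resource_type": "ALIYUN::ECS::Instance", "action": "Update:Modify"},
    {"logical_id": "WebServer1", "resource_type": "ALIYUN::ECS::Instance", "action": "Update:Delete"},
    {"logical_id": "MyDB", "resource_type": "ALIYUN::RDS::DBInstance", "action": "Update:Modify"},
    {"logical_id": "MySG", "resource_type": "ALIYUN::ECS::SecurityGroup", "action": "Update:Modify"},
]

if __name__ == "__main__":
    for c in blocked_changes(SAMPLE_POLICY, SAMPLE_PLAN):
        print(f"blocked: {c['action']} on {c['logical_id']} ({c['resource_type']})")
    print(json.dumps(temporary_policy(SAMPLE_PLAN), indent=2))
```

Run it against the policy you are about to upload and the resource changes listed by your change set. Anything reported as blocked needs either a stack policy update or a temporary policy before the update can succeed. The temporary policy it produces names only the planned (action, logical ID) pairs, so resources outside the plan remain denied by default for the duration of the update, which is the property a blanket Allow Update:* on '*' gives up.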
Update a stack policy
If you want to protect new resources or stop protecting existing resources by using a stack policy, you can update the stack policy. For example, if you add a database that you want to protect to a stack, add a Deny statement for the database to the stack policy. To update a stack policy, you must have the permissions to call the SetStackPolicy operation.
Update a stack policy by using the ROS console
Log on to the ROS console.
In the left-side navigation pane, click Stacks.
In the top navigation bar, select the region of the desired stack from the region drop-down list. In this example, China (Hangzhou) is selected.
On the Stacks page, find the desired stack and click the stack ID in the Stack Name column.
In the Stack Policy section of the Stack Information tab, click Edit.
In the Modify resource stack policy dialog box, enter the content of your new stack policy.
Click OK.
Update a stack policy by using Alibaba Cloud CLI
Run the aliyun ros SetStackPolicy command with the --StackPolicyBody option to pass the new stack policy inline, or with the --StackPolicyURL option to specify a file that contains the new stack policy. For example, the following policy allows all updates to all resources, which is how you effectively disable a stack policy that cannot be removed:
Statement:
  - Effect: Allow
    Action: Update:*
    Principal: '*'
    Resource: '*'
Update a stack policy by using Alibaba Cloud CLI when you update a stack
Run the aliyun ros UpdateStack command with the --StackPolicyBody option to pass the new stack policy inline, or with the --StackPolicyURL option to specify a file that contains the new stack policy. Unlike --StackPolicyDuringUpdateBody and --StackPolicyDuringUpdateURL, these options permanently replace the stack policy.
Alternatively, run the aliyun ros CreateChangeSet command with the --StackPolicyBody option to pass the new stack policy inline, or with the --StackPolicyURL option to specify a file that contains the new stack policy.
Sample stack policies
The following sample stack policies show how to prevent updates to all or specific stack resources, and prevent specific types of update actions.
Prevent updates to all stack resources
The following policy uses a Deny statement to prevent all update actions on all stack resources:
Statement:
  - Effect: Deny
    Action: Update:*
    Principal: '*'
    Resource: '*'
Prevent updates to a single resource (WebServers)
Example 1: Use a Deny statement to prevent updates to the WebServers resource.
Statement:
  - Effect: Allow
    Action: Update:*
    Principal: '*'
    Resource: '*'
  - Effect: Deny
    Action: Update:*
    Principal: '*'
    Resource: LogicalResourceId/WebServers
The following section describes the elements in the policy:
Allow: allows updates to all resources.
Deny: denies updates to the resource whose logical ID is WebServers.
Principal: the principals to which the policy applies. Only the wildcard character (*) is supported, which indicates that the policy applies to all principals.
Example 2: Use an Allow statement to allow updates to all resources except for the WebServers resource.
Statement:
  - Effect: Allow
    Action: Update:*
    Principal: '*'
    NotResource: LogicalResourceId/WebServers
Note: If you do not explicitly allow updates to a specific resource when you configure a stack policy, updates to the resource are denied.
Relying on this default denial alone is risky: if another Allow statement exists in the policy, such as an Allow statement that uses the wildcard character (*), it may unintentionally grant update permissions on the resource you meant to protect. An explicit Deny statement overrides all Allow statements, so use a Deny statement when you need to be certain that a resource is protected.
Prevent updates to all instances of a resource type
The following policy denies all update actions on ApsaraDB RDS instances. The Allow statement allows all update actions on all stack resources, but it does not apply to resources of the ALIYUN::RDS::DBInstance type because the Deny statement overrides the Allow statement.
Statement:
  - Effect: Deny
    Action: Update:*
    Principal: '*'
    Resource: '*'
    Condition:
      StringEquals:
        ResourceType:
          - ALIYUN::RDS::DBInstance
  - Effect: Allow
    Action: Update:*
    Principal: '*'
    Resource: '*'
Prevent updates to nested stacks
The following policy denies all update actions on ROS nested stacks. The Allow statement allows all update actions on all stack resources, but it does not apply to resources of the ALIYUN::ROS::Stack type because the Deny statement overrides the Allow statement.
Statement:
  - Effect: Deny
    Action: Update:*
    Principal: '*'
    Resource: '*'
    Condition:
      StringEquals:
        ResourceType:
          - ALIYUN::ROS::Stack
  - Effect: Allow
    Action: Update:*
    Principal: '*'
    Resource: '*'