
Do not delete existing resources when destroying a stack in AWS-CDK

Oftentimes one must import existing resources into a stack when working with aws-cdk. When we "destroy" the stack we take it for granted that the existing resources we imported are not deleted along with everything else.

Is it possible to explicitly not destroy a resource during the destroy process?

Imported resources won't actually be a part of your new stack (i.e. they won't be resources in the generated CloudFormation). So if you are only concerned with those resources you don't need to worry.

If you are wanting to make sure something in the stack is not being deleted when the stack is deleted you can call applyRemovalPolicy(RemovalPolicy.RETAIN) on the resource.

Jason Wadsworth gives a good answer above re applyRemovalPolicy().

You can apply policies at the resource level and at the stack level.

You can also take care to set appropriate IAM policies for your users (including perhaps the API user that you use for the cdk) such that they couldn't delete your protected resources even if they wanted to.

You might want to look into the --enable-termination-protection flag supported by aws-cli.

Finally, a cheap and easy way to ensure that a given resource won't get inadvertently deleted, and that requires minimal aws knowledge + cdk experience, is to simply define the resource outside the cdk, e.g. via the console, aws-cli, etc.

Starting out, this might help offer some peace of mind that you or a colleague won't accidentally return something like an EIP to Amazon's pool if, for example, there were a bunch of external dependencies and considerations like whitelists and third-party firewall rules tied to it.

Welcome to StackOverflow, don't forget to "accept" the answer that you feel provides the best solution to your problem :).
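The two answers above rely on a CloudFormation fact: when CDK applies RemovalPolicy.RETAIN to a resource, the synthesized template carries DeletionPolicy: Retain (and UpdateReplacePolicy: Retain) on that resource, while imported resources never appear under Resources at all. The following script, added here as an example and not code from either answer, reads a synthesized template (the cdk.out/*.template.json path and the constructed sample template are assumptions) and lists the stateful resources that cdk destroy would still delete.

```python
"""Lint a synthesized CloudFormation template for stateful resources that
`cdk destroy` would delete. The sample template below is constructed for
this example and is not output from any real stack."""
import json
import sys

# Resource types that hold data or externally referenced identities and
# therefore usually deserve applyRemovalPolicy(RemovalPolicy.RETAIN).
STATEFUL_TYPES = {
    "AWS::S3::Bucket",
    "AWS::DynamoDB::Table",
    "AWS::RDS::DBInstance",
    "AWS::EC2::EIP",
    "AWS::KMS::Key",
}


def unprotected_resources(template: dict) -> list[str]:
    """Return logical IDs of stateful resources whose DeletionPolicy is not Retain.

    Imported resources (e.g. Bucket.fromBucketName) are not in the template's
    Resources section, so they are never reported: the stack does not own them.
    """
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in STATEFUL_TYPES:
            continue
        if res.get("DeletionPolicy") != "Retain":
            findings.append(logical_id)
    return sorted(findings)


# Constructed sample of what `cdk synth` might write to cdk.out/MyStack.template.json.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket",
                       "DeletionPolicy": "Retain", "UpdateReplacePolicy": "Retain"},
        "ScratchBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Delete"},
        "UsersTable": {"Type": "AWS::DynamoDB::Table"},  # no policy: deleted on destroy
        "WorkerRole": {"Type": "AWS::IAM::Role"},        # stateless, not checked
    }
}

if __name__ == "__main__":
    # Usage: python lint_retain.py cdk.out/MyStack.template.json (assumed path)
    with open(sys.argv[1]) if len(sys.argv) > 1 else None or open.__class__ and open(sys.argv[1]) if len(sys.argv) > 1 else open("/dev/null"):
        pass
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for logical_id in unprotected_resources(template):
        print(f"{logical_id}: no DeletionPolicy: Retain; cdk destroy will delete it")
```

Run it after cdk synth and before cdk destroy; an empty result means every stateful resource the stack owns is retained, and anything you imported was never at risk.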

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.
