Merge pull request #4534 from helgi/aws-stack-policy

carmstrong · carmstrong · commit d6be99a3c310 · 2015-09-25T09:29:57.000-07:00
ref(aws): Ensure CloudFormation does not replace running instances on AMI changes.
diff --git a/contrib/aws/provision-aws-cluster.sh b/contrib/aws/provision-aws-cluster.sh
@@ -52,6 +52,7 @@ aws cloudformation create-stack \
     --template-body "$($THIS_DIR/gen-json.py --channel $COREOS_CHANNEL --version $COREOS_VERSION)" \
     --stack-name $STACK_NAME \
     --parameters "$(<$THIS_DIR/cloudformation.json)" \
+    --stack-policy-body "$(<$THIS_DIR/stack_policy.json)" \
     $EXTRA_AWS_CLI_ARGS
 
 # loop until the instances are created
diff --git a/contrib/aws/stack_policy.json b/contrib/aws/stack_policy.json
@@ -0,0 +1,21 @@
+{
+  "Statement" : [
+    {
+      "Effect" : "Deny",
+      "Principal" : "*",
+      "Action" : "Update:Replace",
+      "Resource" : "*",
+      "Condition" : {
+        "StringEquals" : {
+          "ResourceType" : ["AWS::EC2::Instance"]
+        }
+      }
+    },
+    {
+      "Effect" : "Allow",
+      "Principal" : "*",
+      "Action" : "Update:*",
+      "Resource" : "*"
+    }
+  ]
+}
diff --git a/contrib/aws/update-aws-cluster.sh b/contrib/aws/update-aws-cluster.sh
@@ -35,6 +35,7 @@ aws cloudformation update-stack \
     --template-body "$($THIS_DIR/gen-json.py --channel $COREOS_CHANNEL --version $COREOS_VERSION)" \
     --stack-name $NAME \
     --parameters "$(<$THIS_DIR/cloudformation.json)" \
+    --stack-policy-body "$(<$THIS_DIR/stack_policy.json)" \
     $EXTRA_AWS_CLI_ARGS
 
 echo_green "Your Deis cluster on AWS CloudFormation has been successfully updated."
