"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
from cfnlint.rules import CloudFormationLintRule
from cfnlint.rules import RuleMatch
class UpdateReplacePolicyDeletionPolicy(CloudFormationLintRule):
    """Warn when a resource sets only one of DeletionPolicy / UpdateReplacePolicy.

    A resource is reported when exactly one of the two attributes is present
    with a value other than 'Delete' and the other attribute is missing or
    empty. Per the rule description, both attributes are needed to protect a
    resource from deletion; a template that sets only one still leaves the
    resource deletable on the path the other attribute governs.
    """
    id = 'W3011'
    shortdesc = 'Check resources with UpdateReplacePolicy/DeletionPolicy have both'
    description = 'Both UpdateReplacePolicy and DeletionPolicy are needed to protect resources from deletion'
    source_url = 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html'
    tags = ['resources', 'updatereplacepolicy', 'deletionpolicy']

    def match(self, cfn):
        """Return a RuleMatch for every resource that sets only one protective policy.

        Args:
            cfn: template object exposing ``get_resources()``, which is
                iterated as a mapping of resource name to resource body.

        Returns:
            A list of RuleMatch objects, one per offending resource, each
            anchored at ``['Resources', <name>]``.
        """
        # Resource types this rule never reports on.
        # NOTE(review): the reason for the exemption is not stated in this file.
        exempt_types = ('AWS::Lambda::Version', 'AWS::Lambda::LayerVersion')

        matches = []
        for r_name, r_values in cfn.get_resources().items():
            if r_values.get('Type') in exempt_types:
                continue

            deletion_policy = r_values.get('DeletionPolicy')
            replace_policy = r_values.get('UpdateReplacePolicy')

            # Any truthy value other than the literal 'Delete' counts as
            # protective here, including non-string values.
            deletion_only = (
                deletion_policy
                and deletion_policy != 'Delete'
                and not replace_policy
            )
            replace_only = (
                not deletion_policy
                and replace_policy
                and replace_policy != 'Delete'
            )

            # A resource with one policy explicitly set to 'Delete' and the
            # other protective is not reported: both attributes are present.
            if not (deletion_only or replace_only):
                continue

            path = ['Resources', r_name]
            message = 'Both UpdateReplacePolicy and DeletionPolicy are needed to protect %s from deletion' % '/'.join(path)
            matches.append(RuleMatch(path, message))

        return matches