Reasoning behind replacing resources on updates (example of Description property of AWS::IAM::ManagedPolicy)
As described in Best practice guidance to avoid "CloudFormation cannot update a stack when a custom-named resource requires replacing" I ran into the same issue when doing updates to AWS::IAM::ManagedPolicy.
However, what is not intuitive is that the update of Description is causing the need to replace the resource and an error as a result, while the update of PolicyDocument is not.
Is there any reason behind choosing what properties could be causing this errors? With the list of resources that support custom names being quite large, the chance of stepping into this issue is high. In some cases, like here with the description of managed policies, I don't understand the reason behind the need to replace the resource on the update. In other cases, the general mechanism is, as described in the linked post from the beginning, not easy to work with from the automation perspective.
- Newest
- Most votes
- Most comments
Generally the documentation says when update of a property requires replacement or not, see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html for example. I've seen cases where requiring replacement was a bug, and there was discussion about on the CloudFormation Coverage Roadmap https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues. But in this case it appears to be by design - "The policy description is immutable. After a value is assigned, it cannot be changed.". I don't know why it's immutable; if it's a security issue it's not obvious to me.
Relevant content
- Accepted Answerasked a year ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 4 years ago
- AWS OFFICIALUpdated a year ago
