You can use a stack policy to prevent stack resources from being unintentionally updated or deleted during a stack update. This topic describes how to define, configure, and update a stack policy.
Background information
A stack policy is a JSON or YAML file that defines the update actions that can be performed on specified resources. Users with stack update permissions can update all resources in a stack after the stack is created. Specific resources may require an interruption during an update. After a stack policy is configured, Resource Orchestration Service (ROS) protects all resources in the stack. To allow updates to specific resources, you can specify an Allow statement for the resources in your stack policy.
You can define only one stack policy for each stack. A single stack policy can protect multiple resources.
During a stack update, ROS automatically updates resources that depend on other updated resources. For example, ROS automatically updates a resource that references an updated resource. However, you must have the permissions to update the automatically updated resources that are associated with a stack policy.
A stack policy takes effect only during stack updates. Unlike RAM policies, stack policies do not support access control. A stack policy works only as a fail-safe mechanism that prevents unintentional updates to specific stack resources.
Define a stack policy
If you do not configure a stack policy when you create a stack, all resources in the stack can be updated. To prevent updates to the resources in a stack, you can define a stack policy and configure the policy for the stack. When you create a stack, you can enter the content of your stack policy or specify a text file that contains your stack policy to configure a stack policy. If you do not explicitly allow updates when you configure a stack policy, updates are denied.
A stack policy consists of the following elements: Effect, Action, Principal, Resource, and Condition.
    Statement:
      - Effect: Deny_or_Allow
        Action: update_actions
        Principal: '*'
        Resource: LogicalResourceId/resource_logical_ID
        Condition:
          StringEquals_or_StringLike:
            ResourceType:
              - resource_type
              - ...
The following section describes the elements in the policy:

Effect: Specifies whether to deny or allow actions on resources. Valid values: Deny and Allow. Sample code:

    Effect: Deny

Note: If a stack policy includes both Allow and Deny statements, the Deny statement overrides the Allow statement. If you want to protect a resource from an update, use the Deny statement.

Action: The update actions that are denied or allowed. Valid values:
Update:Modify: The update action during which resources experience no interruptions or specific interruptions while changes are applied to the resources.
Update:Delete: The update action during which resources are deleted. This action must be specified for updates that completely remove resources from a stack template.
Update:*: All update actions. The wildcard character (*) specifies all update actions.

Note: Update:Replace specifies the update action during which resources are replaced. The Update:Replace action is a reserved feature and is not supported.

In the following sample code, the Update:Delete and Update:Modify actions are specified:

    Action:
      - Update:Modify
      - Update:Delete

If you want to allow all update actions except for a specific update action, use NotAction. For example, you can set NotAction to Update:Delete to allow all update actions except for the Update:Delete action.

    Statement:
      - Effect: Allow
        NotAction: Update:Delete
        Principal: '*'
        Resource: '*'

Principal: The principals to which the policy applies. Set the value to the wildcard character (*). The wildcard character (*) indicates that the policy applies to all principals.

Resource: The logical ID of the resource to which the policy applies. If you want to specify resource types, use the Condition element instead. If you want to specify a resource, use the logical ID of the resource. Sample code:

    Resource:
      - LogicalResourceId/myECS

The logical ID can contain the wildcard character (*). For example, if you want to match all logical IDs that have the same prefix, specify the wildcard character (*) after the prefix.

    Resource:
      - LogicalResourceId/Prefix*

You can prepend Not to the Resource element. For example, if you want to allow updates to all resources except for a specific resource, use the NotResource element to protect that resource from being updated.

    Statement:
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        NotResource: LogicalResourceId/WebServers

If you do not explicitly allow updates to a specific resource when you configure a stack policy, updates to the resource are denied. If you allow updates to all resources except for the WebServers resource, updates to the WebServers resource are denied.

Condition: The resource type to which the policy applies. If you want to specify the logical IDs of resources, use the Resource element instead. For example, you can use the ALIYUN::ECS::Instance and ALIYUN::RDS::DBInstance resource types to specify all Elastic Compute Service (ECS) and ApsaraDB RDS instances.

    Statement:
      - Effect: Deny
        Principal: '*'
        Action: Update:*
        Resource: '*'
        Condition:
          StringEquals:
            ResourceType:
              - ALIYUN::ECS::Instance
              - ALIYUN::RDS::DBInstance
      - Effect: Allow
        Principal: '*'
        Action: Update:*
        Resource: '*'

In the preceding sample code, the Allow statement allows updates to all resources, and the Deny statement denies updates to ECS and ApsaraDB RDS instances. The Deny statement overrides the Allow statement.

The resource type can contain the wildcard character (*). For example, you can use the wildcard character (*) to deny updates to all ECS resources, such as ECS instances, security groups, and subnets.

    Condition:
      StringLike:
        ResourceType:
          - ALIYUN::ECS::*

Note: When you use the wildcard character (*) in a resource type, you must use the StringLike condition; StringEquals matches the type exactly.
Configure a stack policy
You can use the ROS console or Alibaba Cloud CLI to apply a stack policy to a stack when you create the stack. You can also use Alibaba Cloud CLI to apply a stack policy to an existing stack. After you apply a stack policy to a stack, you cannot remove the policy from the stack. You can update the policy by using Alibaba Cloud CLI.
Use the ROS console to configure a stack policy when you create a stack
Log on to the ROS console.
In the left-side navigation pane, click Stacks.
In the top navigation bar, select the region where you want to create a stack from the region drop-down list. In this example, China (Hangzhou) is selected.
On the Stacks page, click Create Stack and select Use ROS from the drop-down list.
In the Select Template step of the Create Stack wizard, specify a template based on your business requirements and click Next.
In the Configure Parameters step of the Create Stack wizard, follow the on-screen instructions to configure the Stack Name parameter, and the parameters in the Configure Template Parameters section.
In the Configure Stack Settings section, set the Stack Policy parameter to Input Stack Policy.
Use one of the following methods to configure a stack policy and click Next.
Input Stack Policy: Enter your stack policy.
Upload File: Upload a JSON or YAML file that contains your stack policy.
In the Compliance Precheck step, complete compliance precheck and click Next.
Note: Only specific resources support the compliance precheck feature. For more information, see Compliance precheck of ROS.
In the Evaluate Rules section, add compliance rules.
You can add compliance rules based on the cloud resources in the ROS template.
Click Evaluate.
You can modify the template content based on the suggestions that are provided to remediate invalid resources. This ensures the compliance of the resources.
Follow the on-screen instructions to complete creating the stack.
Use Alibaba Cloud CLI to configure a stack policy when you create a stack
To configure a stack policy, you can use one of the following methods:
Call the CreateStack operation.
Use the aliyun ros CreateStack command and the --StackPolicyBody option to specify the stack policy content inline, or use the aliyun ros CreateStack command and the --StackPolicyURL option to specify a file that contains a stack policy.
Call the CreateChangeSet operation.
Use the aliyun ros CreateChangeSet command and the --StackPolicyBody option to specify the stack policy content inline, or use the aliyun ros CreateChangeSet command and the --StackPolicyURL option to specify a file that contains a stack policy.
Use Alibaba Cloud CLI to configure a stack policy for an existing stack (only Alibaba Cloud CLI supported)
Use the aliyun ros SetStackPolicy command and the --StackPolicyBody option to specify the stack policy content inline, or use the aliyun ros SetStackPolicy command and the --StackPolicyURL option to specify a file that contains a stack policy.
Note: To configure a stack policy for an existing stack, you must have the permissions to call the SetStackPolicy operation.
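Because a stack policy cannot be removed once applied, it is worth checking the document for the structural rules listed in this topic (Effect values, Action versus NotAction, the required wildcard Principal, the LogicalResourceId/ prefix, StringLike for wildcard resource types, and the reserved Update:Replace action) before passing it to --StackPolicyBody or --StackPolicyURL. The following lint is an added example written for this page; it is not ROS's own validator and ROS performs its own checks server-side. It works on the JSON form of a policy (the page allows JSON or YAML), and the sample policies it checks are constructed here.

```python
"""Pre-flight lint for a ROS stack policy in JSON form.
Added example for this page, not ROS's own validation code."""
import json
from typing import List

VALID_EFFECTS = {"Allow", "Deny"}
# Update actions the page documents; Update:Replace is reserved and not supported.
VALID_ACTIONS = {"Update:Modify", "Update:Delete", "Update:*"}
VALID_CONDITIONS = {"StringEquals", "StringLike"}

# Constructed sample policies: one that follows every rule, one that breaks several.
GOOD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*",
     "NotResource": "LogicalResourceId/WebServers"},
]}
BAD_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": ["Update:Replace"], "Principal": "user1",
     "Resource": "WebServers",
     "Condition": {"StringEquals": {"ResourceType": ["ALIYUN::ECS::*"]}}},
]}


def _as_list(value) -> List[str]:
    """Policy elements accept a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy: dict) -> List[str]:
    """Return findings; an empty list means every documented rule was satisfied."""
    findings: List[str] = []
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        where = f"statement {i}"
        if stmt.get("Effect") not in VALID_EFFECTS:
            findings.append(f"{where}: Effect must be Allow or Deny")
        # Exactly one of Action / NotAction, each value a documented update action.
        action_keys = [k for k in ("Action", "NotAction") if k in stmt]
        if len(action_keys) != 1:
            findings.append(f"{where}: specify exactly one of Action or NotAction")
        for key in action_keys:
            for act in _as_list(stmt[key]):
                if act == "Update:Replace":
                    findings.append(f"{where}: Update:Replace is reserved and not supported")
                elif act not in VALID_ACTIONS:
                    findings.append(f"{where}: unknown action {act!r}")
        # Only the wildcard principal is supported.
        if stmt.get("Principal") != "*":
            findings.append(f"{where}: Principal must be the wildcard '*'")
        # Exactly one of Resource / NotResource; values are '*' or LogicalResourceId/<id or prefix*>.
        res_keys = [k for k in ("Resource", "NotResource") if k in stmt]
        if len(res_keys) != 1:
            findings.append(f"{where}: specify exactly one of Resource or NotResource")
        for key in res_keys:
            for res in _as_list(stmt[key]):
                if res != "*" and not res.startswith("LogicalResourceId/"):
                    findings.append(f"{where}: resource {res!r} must be '*' or start with LogicalResourceId/")
        # A ResourceType containing '*' is only matched under StringLike.
        for op, body in stmt.get("Condition", {}).items():
            if op not in VALID_CONDITIONS:
                findings.append(f"{where}: unknown condition operator {op!r}")
                continue
            types = _as_list(body.get("ResourceType", [])) if isinstance(body, dict) else []
            if not types:
                findings.append(f"{where}: {op} needs a ResourceType list")
            if op == "StringEquals" and any("*" in t for t in types):
                findings.append(f"{where}: wildcard in ResourceType requires StringLike, not StringEquals")
    # Default deny: with no Allow statement at all, every update is rejected.
    if not any(s.get("Effect") == "Allow" for s in statements):
        findings.append("note: policy has no Allow statement, so all updates will be denied")
    return findings


def lint_policy_text(text: str) -> List[str]:
    """Lint a policy given as JSON text, the form passed to --StackPolicyBody."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]
    return lint_policy(policy)


if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(pol) or "OK")
```

The trailing "no Allow statement" entry is informational: a policy that only denies (as in the "Prevent updates to all stack resources" sample) is valid, but it is worth confirming that total denial is what you intended before the policy is applied.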
Update protected resources
If you want to update protected resources in a stack, you can create a temporary policy that overrides the existing stack policy and allows updates to the resources. The temporary stack policy does not permanently override the stack policy.
To update protected resources, you must have the permissions to call the SetStackPolicy operation. For more information about how to configure the permissions on ROS, see Use RAM to control access to resources.
Update protected resources by using the ROS console
Log on to the ROS console.
In the left-side navigation pane, click Stacks.
In the top navigation bar, select the region of the desired stack from the region drop-down list. In this example, China (Hangzhou) is selected.
On the Stacks page, find the stack and click Update in the Actions column.
In the Configure Stack Settings section, follow the on-screen instructions to select Input Stack Policy.
Configure a temporary stack policy.
The temporary stack policy that you configure takes effect only for this update. In the temporary policy, you must specify an Allow statement for the protected resources that you want to update. For example, if you want to update all protected resources, you must specify a temporary policy that allows all updates to the resources.

    Statement:
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        Resource: '*'

Follow the on-screen instructions to complete updating the stack.
Update protected resources by using Alibaba Cloud CLI
To update protected resources, you can use one of the following methods:
Call the UpdateStack operation.
Use the aliyun ros UpdateStack command and the --StackPolicyDuringUpdateBody option to specify a temporary stack policy inline, or use the aliyun ros UpdateStack command and the --StackPolicyDuringUpdateURL option to specify a file that contains a temporary stack policy.
Call the CreateChangeSet operation.
Use the aliyun ros CreateChangeSet command and the --StackPolicyDuringUpdateBody option to specify a temporary stack policy inline, or use the aliyun ros CreateChangeSet command and the --StackPolicyDuringUpdateURL option to specify a file that contains a temporary stack policy.
Note: ROS applies the temporary policy only during this update. The temporary stack policy does not permanently override the stack policy.
Update a stack policy
If you want to protect new resources or stop protecting existing resources by using a stack policy, you can update the stack policy. For example, if you add a database to a stack and want to protect it, add a Deny statement for the database to the stack policy. To update a stack policy, you must have the permissions to call the SetStackPolicy operation.
Update a stack policy by using the ROS console
Log on to the ROS console.
In the left-side navigation pane, click Stacks.
In the top navigation bar, select the region of the desired stack from the region drop-down list. In this example, China (Hangzhou) is selected.
On the Stacks page, find the desired stack and click the stack ID in the Stack Name column.
In the Stack Policy section of the Stack Information tab, click Edit.
In the Modify resource stack policy dialog box, enter the content of your new stack policy.
Click OK.
Update a stack policy by using Alibaba Cloud CLI
Use the aliyun ros SetStackPolicy command and the --StackPolicyBody option to specify the stack policy content inline, or use the aliyun ros SetStackPolicy command and the --StackPolicyURL option to specify a file that contains a stack policy. The following policy allows all updates to all resources:

    Statement:
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        Resource: '*'

Update a stack policy by using Alibaba Cloud CLI when you update a stack
Use the aliyun ros UpdateStack command and the --StackPolicyBody option to specify the stack policy content inline, or use the aliyun ros UpdateStack command and the --StackPolicyURL option to specify a file that contains a stack policy.
Use the aliyun ros CreateChangeSet command and the --StackPolicyBody option to specify the stack policy content inline, or use the aliyun ros CreateChangeSet command and the --StackPolicyURL option to specify a file that contains a stack policy.
Sample stack policies
The following sample stack policies show how to prevent updates to all or specific stack resources, and prevent specific types of update actions.
Prevent updates to all stack resources
The following policy shows how to specify the Deny statement to prevent all update actions on all stack resources:

    Statement:
      - Effect: Deny
        Action: Update:*
        Principal: '*'
        Resource: '*'

Prevent updates to a single resource (WebServers)
Example 1: Use the Deny statement to prevent updates to the WebServers resource.

    Statement:
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        Resource: '*'
      - Effect: Deny
        Action: Update:*
        Principal: '*'
        Resource: LogicalResourceId/WebServers

The following section describes the elements in the policy:
Allow: allows updates to all resources.
Deny: denies updates to the resource whose logical ID is WebServers.
Principal: the principals to which the policy applies. Only the wildcard character (*) is supported. The wildcard character (*) indicates that the policy applies to all principals.
Example 2: Use the Allow statement to allow updates to all resources except for the WebServers resource.

    Statement:
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        NotResource: LogicalResourceId/WebServers

Note: If you do not explicitly allow updates to a specific resource when you configure a stack policy, updates to the resource are denied.
If you rely on this default denial, risks may occur. If another Allow statement exists in the policy, such as an Allow statement that contains the wildcard character (*), update permissions on specific resources may be unintentionally granted. An explicit Deny statement overrides all Allow statements. You can use the Deny statement to ensure that a resource is protected.
Prevent updates to all instances of a resource type
The following policy denies all update actions on ApsaraDB RDS instances. You can use the Allow statement to allow all update actions on all stack resources, except for the resources of the ALIYUN::RDS::DBInstance type. The Allow statement does not apply to ApsaraDB RDS instances because the Deny statement overrides the Allow statement.

    Statement:
      - Effect: Deny
        Action: Update:*
        Principal: '*'
        Resource: '*'
        Condition:
          StringEquals:
            ResourceType:
              - ALIYUN::RDS::DBInstance
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        Resource: '*'

Prevent updates to nested stacks
The following policy denies all update actions on ROS nested stacks. You can use the Allow statement to allow all update actions on all stack resources, except for the resources of the ALIYUN::ROS::Stack type. The Allow statement does not apply to ROS stack resources because the Deny statement overrides the Allow statement.

    Statement:
      - Effect: Deny
        Action: Update:*
        Principal: '*'
        Resource: '*'
        Condition:
          StringEquals:
            ResourceType:
              - ALIYUN::ROS::Stack
      - Effect: Allow
        Action: Update:*
        Principal: '*'
        Resource: '*'
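The element descriptions earlier in this topic, the temporary policy used in "Update protected resources", and the sample policies above all rest on the same evaluation rules: a statement applies when its Action (or NotAction), Resource (or NotResource) and Condition all match; a matching Deny overrides any Allow; and a resource that no Allow statement covers is denied. The following evaluator is an added example written for this page, not ROS's own engine, and models those rules so you can see which planned updates a policy would block before you apply it. The stack resources it checks (WebServers, AppSecurityGroup, MyDatabase and their types) are constructed for the example; the policies are the ones shown on this page, written in JSON form.

```python
"""Offline evaluator for ROS stack-policy decisions.
Added example for this page, not ROS's own evaluation code."""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Update actions the page documents; Update:Replace is reserved and rejected below.
UPDATE_ACTIONS = ("Update:Modify", "Update:Delete")

# Constructed resources of a hypothetical stack: (logical ID, resource type).
STACK_RESOURCES: List[Tuple[str, str]] = [
    ("WebServers", "ALIYUN::ECS::Instance"),
    ("AppSecurityGroup", "ALIYUN::ECS::SecurityGroup"),
    ("MyDatabase", "ALIYUN::RDS::DBInstance"),
]

# Page sample: allow everything, then an explicit Deny that protects WebServers.
PROTECT_WEBSERVERS = {"Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/WebServers"},
]}
# Page sample: allow every update action except Update:Delete.
ALLOW_ALL_BUT_DELETE = {"Statement": [
    {"Effect": "Allow", "NotAction": "Update:Delete", "Principal": "*", "Resource": "*"},
]}
# Page sample: deny every ECS resource type through StringLike, allow the rest.
DENY_ECS_TYPES = {"Statement": [
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*", "Resource": "*",
     "Condition": {"StringLike": {"ResourceType": ["ALIYUN::ECS::*"]}}},
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
]}
# Page sample: the temporary policy that allows all updates for a single stack update.
TEMP_ALLOW_ALL = {"Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
]}


def _as_list(value) -> List[str]:
    """Policy elements accept a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches_any(candidate: str, patterns) -> bool:
    """'*' is a wildcard, as in Update:*, LogicalResourceId/Prefix* or ALIYUN::ECS::*."""
    return any(fnmatchcase(candidate, p) for p in _as_list(patterns))


def statement_matches(stmt: dict, logical_id: str, resource_type: str, action: str) -> bool:
    """True if the statement applies to this (resource, action) pair."""
    if "Action" in stmt:
        if not _matches_any(action, stmt["Action"]):
            return False
    elif "NotAction" in stmt:
        if _matches_any(action, stmt["NotAction"]):
            return False
    else:
        return False  # a statement must name Action or NotAction
    qualified = f"LogicalResourceId/{logical_id}"  # a bare '*' Resource matches this too
    if "Resource" in stmt:
        if not _matches_any(qualified, stmt["Resource"]):
            return False
    elif "NotResource" in stmt:
        if _matches_any(qualified, stmt["NotResource"]):
            return False
    else:
        return False
    # Condition narrows by resource type: StringEquals is exact, StringLike allows '*'.
    cond = stmt.get("Condition", {})
    if "StringEquals" in cond and resource_type not in _as_list(cond["StringEquals"].get("ResourceType", [])):
        return False
    if "StringLike" in cond and not _matches_any(resource_type, cond["StringLike"].get("ResourceType", [])):
        return False
    return True


def evaluate(policy: dict, logical_id: str, resource_type: str, action: str) -> str:
    """Deny wins over Allow; with no matching Allow the default is Deny."""
    if action not in UPDATE_ACTIONS:
        raise ValueError(f"unsupported update action: {action}")
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_matches(s, logical_id, resource_type, action)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


def plan(policy: dict, action: str) -> Dict[str, str]:
    """Decision for every resource in the constructed stack under one policy and action."""
    return {lid: evaluate(policy, lid, rtype, action) for lid, rtype in STACK_RESOURCES}


if __name__ == "__main__":
    for name, pol in (("protect WebServers", PROTECT_WEBSERVERS),
                      ("allow all but delete", ALLOW_ALL_BUT_DELETE),
                      ("deny ECS types", DENY_ECS_TYPES)):
        print(name, plan(pol, "Update:Delete"))
    # A temporary policy governs one update only; the stored policy still applies afterwards.
    print("during override", plan(TEMP_ALLOW_ALL, "Update:Modify"))
    print("after update", plan(PROTECT_WEBSERVERS, "Update:Modify"))
```

Running plan() with the stored policy and again with the temporary policy shows the difference between the two calls in "Update protected resources": the temporary policy is evaluated for the one update that carries it, and the next evaluation falls back to the stored policy, which still denies the protected resource.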