Reasoning behind replacing resources on updates (example of Description property of AWS::IAM::ManagedPolicy)

2

As described in Best practice guidance to avoid "CloudFormation cannot update a stack when a custom-named resource requires replacing" I ran into the same issue when doing updates to AWS::IAM::ManagedPolicy.

However, what is not intuitive is that the update of Description is causing the need to replace the resource and an error as a result, while the update of PolicyDocument is not.

Is there any reason behind choosing what properties could be causing these errors? With the list of resources that support custom names being quite large, the chance of stepping into this issue is high. In some cases, like here with the description of managed policies, I don't understand the reason behind the need to replace the resource on the update. In other cases, the general mechanism is, as described in the linked post from the beginning, not easy to work with from the automation perspective.

1 Answer
2

Generally the documentation says whether an update of a property requires replacement or not, see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html for example. I've seen cases where requiring replacement was a bug, and there was discussion about it on the CloudFormation Coverage Roadmap https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues. But in this case it appears to be by design - "The policy description is immutable. After a value is assigned, it cannot be changed.". I don't know why it's immutable; if it's a security issue it's not obvious to me.

EXPERT
answered a year ago
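The pre-flight check a practitioner would want here, as an added example that is not code from this thread or from AWS: run the update as a change set first, then scan the `Changes` list that `describe-change-set` returns for resources whose `Replacement` is `True`/`Conditional`, and flag those that also carry a custom name (`ManagedPolicyName` for the resource type discussed above). The per-property `RequiresRecreation` values show that the Description change forces the replacement while the PolicyDocument change does not. The sample change set and resource properties are constructed; the custom-name table is an assumption to extend per resource type.

```python
"""Pre-flight check for "custom-named resource requires replacing" failures.
Added example, not code from the thread. Input: the `Changes` list from
`aws cloudformation describe-change-set` and the template's resource Properties.
"""
from typing import Dict, List

# Property that gives a resource a custom physical name (extend per type; assumption).
CUSTOM_NAME_PROPERTIES = {"AWS::IAM::ManagedPolicy": "ManagedPolicyName"}


def replacement_findings(changes: List[Dict], resources: Dict[str, Dict]) -> List[Dict]:
    """One finding per modified resource that CloudFormation would replace."""
    findings = []
    for change in changes:
        rc = change.get("ResourceChange", {})
        if change.get("Type") != "Resource" or rc.get("Action") != "Modify":
            continue
        if rc.get("Replacement", "False") == "False":
            continue
        # Property targets with RequiresRecreation Always/Conditionally are the
        # ones forcing the replacement (Description here, not PolicyDocument).
        culprits = sorted({
            d["Target"]["Name"] for d in rc.get("Details", [])
            if d["Target"].get("Attribute") == "Properties"
            and d["Target"].get("RequiresRecreation") in ("Always", "Conditionally")
        })
        name_prop = CUSTOM_NAME_PROPERTIES.get(rc["ResourceType"])
        props = resources.get(rc["LogicalResourceId"], {})
        findings.append({
            "logical_id": rc["LogicalResourceId"],
            "replacement": rc["Replacement"],
            "properties": culprits,
            # Replacing a custom-named resource is exactly what makes UpdateStack fail.
            "update_will_fail": bool(name_prop and props.get(name_prop)),
        })
    return findings


# Constructed sample: Description and PolicyDocument of one custom-named policy
# both change; only Description carries RequiresRecreation=Always.
SAMPLE_CHANGES = [{"Type": "Resource", "ResourceChange": {
    "Action": "Modify", "LogicalResourceId": "ReadOnlyPolicy",
    "ResourceType": "AWS::IAM::ManagedPolicy", "Replacement": "True",
    "Details": [
        {"Target": {"Attribute": "Properties", "Name": "Description", "RequiresRecreation": "Always"}},
        {"Target": {"Attribute": "Properties", "Name": "PolicyDocument", "RequiresRecreation": "Never"}},
    ]}}]
SAMPLE_RESOURCES = {"ReadOnlyPolicy": {"ManagedPolicyName": "example-read-only"}}

if __name__ == "__main__":
    print(replacement_findings(SAMPLE_CHANGES, SAMPLE_RESOURCES))
```

If a finding has `update_will_fail` set, the fix is to drop the custom name (or accept a rename) before applying; a finding with an empty `properties` list means the replacement comes from something other than a property edit, which the full change-set details will show.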
