Add docs

PRX · Nov 5, 2024 · fc19732 · fc19732
1 parent 64afb22
commit fc19732
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/spire/cd/template.yml b/spire/cd/template.yml
@@ -175,6 +175,13 @@ Resources:
                   - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}-root-production/*
                   - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:changeSet/*
                   - !Sub arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31
+              # This is disabled for now, since we do sometimes remove nested
+              # stacks, and AWS changed how permissions work on nested stacks.
+              # There may be a way to have some policy that allows deletes on
+              # nested stacks, without allowing everything?
+              # - Action: cloudformation:DeleteStack
+              #   Effect: Deny
+              #   Resource: "*"
             Version: "2012-10-17"
           PolicyName: StackManipulationPolicy
         # Need to CRUD all resources included in root and nested stacks