
Add "Force" flag to the Destination Policy property in a AWS::Logs::Destination resource

Open · amisfari opened this issue 3 years ago · 1 comment

Name of the resource

AWS::Logs::Destination

Resource name

No response

Description

A "Force" flag is requested for the "DestinationPolicy" property in the AWS::Logs::Destination resource. Currently CloudFormation does not support the update of existing Destinations using a policy that specifies an OrgID principal, such as in this example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "logs:PutSubscriptionFilter",
      "Resource": "arn:aws:logs:region:999999999999:destination:testDestination",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": ["o-1234567890"] }
      }
    }
  ]
}
```

Currently, the use of this policy in a CloudFormation stack is only possible when creating a new Destination; it is not possible when updating existing Destinations that used to accept "*" or an account ID as a principal instead of an OrgID principal.

Customers currently are not able to update their stacks because of this; instead, they have to use the CLI:

```shell
aws logs put-destination-policy \
  --destination-name "testDestination" \
  --access-policy file://~/AccessPolicy.json \
  --force
```

Please consider adding this flag.

Other Details

No response

amisfari avatar Dec 01 '22 10:12 amisfari
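The workaround in the issue, carried out programmatically, as an added example that is not part of the issue or of the CloudFormation project. It builds the org-scoped destination policy from the report's own fields, decides whether the change is the "account or `*` principal to `aws:PrincipalOrgID`" transition that CloudFormation rejects, and applies it through boto3's `put_destination_policy`, whose `forceUpdate` parameter is the SDK counterpart of the CLI `--force` flag. The rule in `needs_force_update`, the `RecordingLogsClient` stand-in (so the script runs offline), and the sample policies are all constructed for this example; the region, account ID, destination name and org ID are the placeholder values from the issue.

```python
"""Migrate an existing CloudWatch Logs destination policy to an org-scoped one.

Added example (not the issue author's code). Assumptions are marked inline.
"""
import json


def build_org_scoped_destination_policy(region, account_id, destination_name, org_id):
    """Return the policy from the issue: any principal, but only if it belongs to `org_id`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOrgPutSubscriptionFilter",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "logs:PutSubscriptionFilter",
                "Resource": f"arn:aws:logs:{region}:{account_id}:destination:{destination_name}",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": [org_id]}},
            }
        ],
    }


def _grants_by_org(policy):
    """True if every Allow statement is gated on aws:PrincipalOrgID (assumed definition of 'org-scoped')."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    return bool(allows) and all(
        "aws:PrincipalOrgID" in s.get("Condition", {}).get("StringEquals", {}) for s in allows
    )


def needs_force_update(current_policy, new_policy):
    """The case the issue describes: an existing destination that granted '*' or account IDs
    is being switched to an OrgID-conditioned grant. A brand-new destination (no current
    policy) or an already org-scoped one does not need the flag under this rule (assumption)."""
    if current_policy is None:
        return False
    return (not _grants_by_org(current_policy)) and _grants_by_org(new_policy)


class RecordingLogsClient:
    """Constructed stand-in for boto3's logs client so the script runs offline; records the call."""

    def __init__(self):
        self.calls = []

    def put_destination_policy(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def migrate_destination_policy(destination_name, current_policy, new_policy, client=None):
    """Apply `new_policy`, forcing only when the org transition requires it.

    `client` must expose boto3's logs API; by default a real client is created lazily
    so the module imports without boto3 installed."""
    if client is None:
        import boto3  # deferred import: only needed for the real call

        client = boto3.client("logs")
    force = needs_force_update(current_policy, new_policy)
    response = client.put_destination_policy(
        destinationName=destination_name,
        accessPolicy=json.dumps(new_policy),
        forceUpdate=force,
    )
    return {"forced": force, "response": response}


# Constructed sample: the policy the destination had before, granting '*' with no condition.
EXISTING_STAR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "logs:PutSubscriptionFilter",
            "Resource": "arn:aws:logs:us-east-1:999999999999:destination:testDestination",
        }
    ],
}


if __name__ == "__main__":
    new_policy = build_org_scoped_destination_policy(
        "us-east-1", "999999999999", "testDestination", "o-1234567890"
    )
    # Dry run against the recording client; pass client=None to hit the real API.
    outcome = migrate_destination_policy(
        "testDestination", EXISTING_STAR_POLICY, new_policy, client=RecordingLogsClient()
    )
    print(json.dumps(outcome, indent=2))
```

The force flag is not a free pass: the PutDestinationPolicy API documents `forceUpdate` as an affirmation that the subscription filters in the sending accounts have already been updated to work with the org-scoped grant, otherwise they can stop delivering once the old account-level grants disappear. Update the filters first, then run the migration.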

Just got into this issue as well. We use a centralized Firehose for a Control Tower setup, and we need a way to force the update when a new account joins our Control Tower.

jk2l avatar Jun 19 '24 02:06 jk2l