Stack Creation fails when dependent stack has protection

[sopeters]

When I launch or create a stack that has a dependency on another stack output (via !stack_output resolver) on a stack that has protect: true I get the error:

Cannot perform action on '': Stack protection is currently enabled

How can I launch a stack with a reference to another protected stack?

[zaro0508]

This use case is not supported with sceptre core. It will probably require a custom hook. I would image that you can enumerate all the dependent stacks in the hook then turn off protection in a before_create or before_update hook call. Once the stack is deployed you can turn protection back on in after_create or after_update hook call.

hooks:
  before_create:
    - !stack_termination_protection 'disabled' 
  before_update:
    - !stack_termination_protection 'disabled' 
  after_create:
    - !stack_termination_protection 'enabled' 
  after_update:
    - !stack_termination_protection 'enabled' 

Take a look at https://github.com/zaro0508/sceptre-stack-termination-protection-hook to get started. That hook currently only enables/disables protection on the current stack but it can probably be modified to do the same thing on a list of dependent stacks.

[sopeters]

Thanks - will have a look and see if I can extend the hook.

[sopeters]

Hi @zaro0508 - The hook deals with StackProtection in AWS.

I'm referencing to sceptre/sceptre/plan/actions.py -> def _protect_execution(self) which checks the config parameter "protect: true" and prevents create, update and launch.

Any dependent stacks that reference any output will fail to execute (I believe already when building the plan).

[jmourelos]

Hi @sopeters - I was thinking on the possibility of adding a --skip-protected flag. The idea is that it would remove from the execution plan those stacks with "protect: True". Would it be useful for your use case? Our case is that we want to delete and recreate most of our stacks on a daily basis, but not the protected ones.

[sopeters]

Thanks Jacob - that would help. Trying to do the same thing as you.

[ngfgrant]

A —skip-protected would be a welcome addition!

[ngfgrant]

I just update the update action by adding a simple try/except. Doing something similar in launch might solve this by allowing the exception to be handled more gracefully and continue with execution ... just noting this down quickly before I forget!

[jmourelos]

@ngfgrant I had added the flag (with name --ignore-protected-stacks) as we had mentioned originally to a personal branch currently used by my team.

It is working well for us, but I must say that a simple try/catch seems like an easier solution.