Stack policies for nested stacks

[jamesallardice]

The Serverless framework has native support for CloudFormation stack policies to prevent potentially dangerous updates to resources. When using this plugin, defining a stackPolicy under the provider configuration will result in a stack policy that applies only to the top-level stack. There does not appear to be any mechanism to instruct this plugin to apply a stack policy to any of the resulting nested stacks.

Do you think this is something that would be a useful addition? I'm not fully clear on the best approach should something like this be a viable addition to the plugin - it's a a possibility that different stack policies would apply to different nested stacks which would likely be a large configuration burden compared to offering a single option to apply an existing stack policy to all nested stacks. Happy to help on a PR but wanted to hear more thoughts first!

[dougmoscrop]

Absolutely would love support for this and I think it would be useful, but I agree there's an experience part of it that I don't have a strong opinion of.. I'd guess a first good step would just be inheriting the policy from the provider, like:

custom:
  splitStacks:
    policy: true

followed by the ability to specify a policy inline (policy becomes an object)
maybe a policies object that can override per-stack policies, so like:

custom:
  splitStacks:
   poilcy: false # default value, no inherit, if true, then any nested stacks not in policies would inherit provider
   policies:
     FooNestedStack:
      CustomPolicyInlineHere

I'm totally open to something else, but hopefully that helps get the ball rolling for you?