From fc19732384920859b497ec0d46ce7c12683427d7 Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Tue, 5 Nov 2024 12:26:40 -0500
Subject: [PATCH] Add docs
---
spire/cd/template.yml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/spire/cd/template.yml b/spire/cd/template.yml
index 563ca631..98acc39b 100644
--- a/spire/cd/template.yml
+++ b/spire/cd/template.yml
@@ -175,6 +175,13 @@ Resources:
 - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}-root-production/*
 - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:changeSet/*
 - !Sub arn:aws:cloudformation:${AWS::Region}:aws:transform/Serverless-2016-10-31
+ # This is disabled for now, since we do sometimes remove nested
+ # stacks, and AWS changed how permissions work on nested stacks.
+ # There may be a way to have some policy that allows deletes on
+ # nested stacks, without allowing everything?
+ # - Action: cloudformation:DeleteStack
+ # Effect: Deny
+ # Resource: "*"
 Version: "2012-10-17"
 PolicyName: StackManipulationPolicy
 # Need to CRUD all resources included in root and nested stacks
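Review bot: Leaving the `cloudformation:DeleteStack` Deny commented out drops the guard against deleting the root stack entirely, which answers the question in the comment only by giving up; the Allow visible just above lists the root-production stack ARN explicitly, so the Deny could be scoped to that same ARN instead of `"*"` — `- Action: cloudformation:DeleteStack`, `Effect: Deny`, `Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}-root-production/*`. Nested stacks are created under their own generated names (root name, logical ID, random suffix), so a Deny on the root ARN alone should presumably still permit nested-stack deletes during updates, but this should be confirmed against the nested-stack permission change the comment refers to before relying on it. If the real goal is only to prevent accidental deletion of the root stack, stack termination protection is the native control and does not depend on this role's policy at all. The enclosing policy statement and the rest of the Allow's resource list start outside the hunk, so there may be other statements that already cover this.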