I'm trying to use a CloudFormation AddOn template in the following scenario:
- Service 1 creates an SNS Topic and a Managed Policy that has all the necessary permissions to publish to it. The SNS Topic will collect "Activity" records and then fan them out to multiple subscribers.
- A common code library abstracts away the usage of SNS: any applications that need to post activity messages do so without any knowledge that SNS is being used underneath the covers.
- Service N needs to publish activity messages using the common code library and needs whatever permissions are necessary.
So service 1 writes the Managed Policy ARN out as an exported output to the AddOn stack like so:
```yaml
Outputs:
  activityPublishPolicy:
    Description: "Activity Publish Policy ARN"
    Value: !Ref activitySnsTopicPublishPolicy
    Export:
      Name: !Sub ${App}-${Env}-activity-publish-policy
```
Then in service N, I was hoping to import the ARN of the publishing policy and get it attached to the task role:
```yaml
Outputs:
  activityPublishAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role."
    Value: !ImportValue
      'Fn::Sub': '${App}-${Env}-activity-publish-policy'
```
The ARN is imported just fine and written out to the CloudFormation stack of Service N; however, the Task Role does not get the Managed Policy attached to it.
I did a quick test to see if adding the policy directly to the AddOn stack would attach and that does indeed work.
```yaml
Outputs:
  activityPublishAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role."
    Value: !Ref activityPolicy
```
This leads me to believe that Copilot only attaches ManagedPolicies to the Task Role that are created in its own AddOn Stack, but that's just a guess.
I'd prefer not to write a new policy in every service to do this, and I'd prefer not to open up the topic policy to our whole VPC if possible.
Is there a better way of doing this?
Thanks!
This is because Copilot scans the Addons template to determine the type of the resource you're outputting. There are several "magic" outputs for addons. They are:
- Security Groups
- Managed Policies
- Secrets
To detect these outputs, we scan the template looking for the logical ID of the referenced resource. This means that we don't currently have a way of deriving the resource type of the results of Fn::ImportValue calls, since they don't refer to a logical ID defined in that addons template!
I'm sorry this is causing you problems. It seems like you may need to add the managed policy to the addons stack of each service you want to grant this access to. This is something we might be able to do something about, though, and we would love it if you could cut us a GitHub issue so we can prioritize and gather feedback on a proposal.
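The answer above describes a scanner that can only type an Output whose Value points at a logical ID inside the same addons template. The following is an added illustration of that behaviour, not Copilot's own code: templates are held as Python dicts with long-form intrinsic functions (`{"Ref": ...}`, `{"Fn::ImportValue": ...}`) so it runs without a YAML parser, and the mapping from CloudFormation resource types to the three "magic" output kinds is my assumption about which types the answer means.

```python
# Added example (not Copilot's code): classify addons Outputs the way a
# logical-ID scanner would, showing why an Fn::ImportValue output stays untyped.

# Assumed resource types behind the three "magic" output kinds named above.
MAGIC_TYPES = {
    "AWS::EC2::SecurityGroup": "security-group",
    "AWS::IAM::ManagedPolicy": "managed-policy",
    "AWS::SecretsManager::Secret": "secret",
}


def referenced_logical_id(value):
    """Return the logical ID an Output value refers to, or None.

    Only a Ref or GetAtt names a logical ID in this template; a value
    produced by Fn::ImportValue comes from another stack's export.
    """
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target[0] if isinstance(target, list) else target.split(".")[0]
    return None


def classify_outputs(template):
    """Map each Output name to its magic type, or the reason it is unresolved."""
    resources = template.get("Resources", {})
    result = {}
    for name, output in template.get("Outputs", {}).items():
        value = output.get("Value")
        if isinstance(value, dict) and "Fn::ImportValue" in value:
            result[name] = "unresolved: Fn::ImportValue has no logical ID in this template"
            continue
        logical_id = referenced_logical_id(value)
        if logical_id is None or logical_id not in resources:
            result[name] = "unresolved: not a Ref to a resource in this template"
            continue
        rtype = resources[logical_id].get("Type")
        result[name] = MAGIC_TYPES.get(rtype, f"ignored: {rtype} is not a magic type")
    return result


# Service 1's addons template, constructed to mirror the question.
SERVICE1_ADDONS = {
    "Resources": {
        "activitySnsTopicPublishPolicy": {"Type": "AWS::IAM::ManagedPolicy"},
    },
    "Outputs": {
        "activityPublishPolicy": {
            "Value": {"Ref": "activitySnsTopicPublishPolicy"},
            "Export": {"Name": {"Fn::Sub": "${App}-${Env}-activity-publish-policy"}},
        }
    },
}

# Service N's addons template: the output value is an import, so the scanner
# finds no logical ID and attaches nothing to the task role.
SERVICEN_ADDONS = {
    "Resources": {},
    "Outputs": {
        "activityPublishAccessPolicy": {
            "Value": {"Fn::ImportValue": {"Fn::Sub": "${App}-${Env}-activity-publish-policy"}},
        }
    },
}

if __name__ == "__main__":
    print(classify_outputs(SERVICE1_ADDONS))
    print(classify_outputs(SERVICEN_ADDONS))
```

Running it shows Service 1's output resolving to `managed-policy` while Service N's identical-looking ARN output is reported as unresolved, which is the gap the answer describes.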
Related
What is the best way to access the ARN of the CloudWatch RUM monitor? I need to create an IAM policy in CDK to restrict permissions to just a single CloudWatch RUM monitor, but the CfnAppMonitor construct has no accessible property for it.
Nor is there any property for it in the CFN itself, so doing cfnAppMonitor.getAtt("Arn") doesn't return any ARN.
Sources: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rum.CfnAppMonitor.html#cfnproperties
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rum-appmonitor-appmonitorconfiguration.html
I ended up just constructing the ARN myself:
```javascript
`arn:aws:rum:${process.env.CDK_DEFAULT_REGION}:${process.env.CDK_DEFAULT_ACCOUNT}:appmonitor/${props.rumId}`
```
In the docs I referenced there's a callout for resource.arn: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rum.CfnAppMonitor.html#getwbrattattributename
but I found the above approach works just as well. If someone else has ever had a need for getting the ARN in that manner and has an example, definitely send it my way!
I'm attempting to achieve the following through CloudFormation.
From a stack created in an EU region I want to create (and verify) a public certificate against Route53 in US-EAST-1 due to using CloudFront. Aiming to have zero actions performed in the console or AWS CLI.
The new CloudFormation support for ACM was a little sketchy last week but seems to be working now.
Certificate
```yaml
Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub "${Env}.domain.cloud"
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Sub "${Env}.domain.cloud"
          HostedZoneId: !Ref HostedZoneId
```
All I need to do is use CloudFormation to deploy this into the US-EAST-1 region from a stack in a different region. Everything else is ready for this.
I thought that using CodePipeline's cross-region support would be great, so I started to look into [this documentation][1]. After setting things up in my template I met the following error message:
An error occurred while validating the artifact bucket {...} The bucket named is not located in the `us-east-1` AWS region.
To me this makes no sense, as it seems that you already need at least a couple of resources to exist in the target region for it to work. Cart-before-the-horse kind of behavior. To test this I created an artifact bucket in the target region by hand and things worked fine, but that requires using the CLI or the console when I'm aiming for a CloudFormation-based solution.
Note: I'm running out of time to write this, so I'll update it when I can in a few hours' time. Any help before I can do that would be great though.
Sadly, that's required for cross-region CodePipeline. From the docs:
> When you create or edit a pipeline, you must have an artifact bucket in the pipeline Region and then you must have one artifact bucket per Region where you plan to execute an action.
If you want to fully automate this through CloudFormation, you either have to use a custom resource to create buckets in all the regions in advance, or look at stack sets to deploy one template bucket in multiple regions.
P.S. Your link does not work, so I'm not sure if you refer to the same documentation page.
I am faced with the following situation:
There is an EC2 instance in, say, eu-west-1.
When selecting Snapshots in the EC2 service, I see that periodically, every 7 days at the exact same time, a snapshot is taken of the particular image.
The problem is I cannot find:
- any related policy in the Lifecycle Manager service
- any relevant Lambda function that could carry out such a task.
Via what other (managed) means could such a process be carried out periodically with such accuracy on time?
edit: The corresponding CloudTrail log entry is:
(actual values regarding user, event and request id have been scrambled of course)
```text
AWS access key:
AWS region: eu-west-1
Error code:
Event ID: 454g0236-x4e6-43c1-3565-4xb6d541c2h1
Event name: CreateSnapshot
Event source: ec2.amazonaws.com
Event time: 2019-11-23, 05:00:44 AM
Read only: false
Request ID: zedfbc42-2513-459e-3241-ffcb8442ba44
Source IP address: events.amazonaws.com
User name: g45tg34m3l53mmm53333421knbb43
```
There are multiple other options:
- Check CloudWatch Events, if there is any event triggering. Most probably this is the one in your case.
- A cron job on an EC2 instance.
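The CloudTrail entry in the question already points at the answer's first option: a `sourceIPAddress` of `events.amazonaws.com` means the call was made by CloudWatch Events (now EventBridge) on the principal's behalf, and the weekly cadence is visible from the timestamps. The following added example, not code from either poster, runs that triage over a handful of constructed CloudTrail-style records: it groups `CreateSnapshot` calls by source and principal, labels the service caller, and checks whether consecutive calls are 7 days apart. The ARNs, IPs and times are placeholders I made up; the `events.amazonaws.com` mapping is the only one taken from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not from the original post). Only the
# fields the triage needs are kept; ARNs, IPs and times are placeholders.
RECORDS = [
    {"eventName": "CreateSnapshot", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2019-11-02T05:00:39Z", "sourceIPAddress": "events.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SnapshotSchedulerRole"}},
    {"eventName": "CreateSnapshot", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2019-11-09T05:00:41Z", "sourceIPAddress": "events.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SnapshotSchedulerRole"}},
    {"eventName": "CreateSnapshot", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2019-11-16T05:00:40Z", "sourceIPAddress": "events.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SnapshotSchedulerRole"}},
    {"eventName": "CreateSnapshot", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2019-11-23T05:00:44Z", "sourceIPAddress": "events.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SnapshotSchedulerRole"}},
    # A one-off manual snapshot by a human user, for contrast.
    {"eventName": "CreateSnapshot", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2019-11-20T14:12:03Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    # Read-only call that the triage must ignore.
    {"eventName": "DescribeSnapshots", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2019-11-21T09:30:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

# A service domain in sourceIPAddress means that AWS service made the call on
# the principal's behalf. events.amazonaws.com is CloudWatch Events (EventBridge),
# i.e. a scheduled rule, as seen in the question's log entry.
SERVICE_CALLERS = {
    "events.amazonaws.com": "CloudWatch Events / EventBridge rule",
}


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamp CloudTrail uses."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def group_snapshot_calls(records):
    """Group CreateSnapshot timestamps by (source, principal ARN), sorted."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get("eventName") != "CreateSnapshot":
            continue
        key = (rec.get("sourceIPAddress", "?"),
               rec.get("userIdentity", {}).get("arn", "?"))
        groups[key].append(parse_time(rec["eventTime"]))
    return {key: sorted(times) for key, times in groups.items()}


def is_periodic(times, period=timedelta(days=7), tolerance=timedelta(minutes=5)):
    """True if every pair of consecutive timestamps is `period` apart within `tolerance`."""
    if len(times) < 2:
        return False
    return all(abs((later - earlier) - period) <= tolerance
               for earlier, later in zip(times, times[1:]))


def triage(records):
    """Summarise who creates snapshots, how often, and whether it looks scheduled."""
    findings = []
    for (source, principal), times in group_snapshot_calls(records).items():
        findings.append({
            "source": source,
            "principal": principal,
            "caller": SERVICE_CALLERS.get(source, "direct call by an IAM principal"),
            "count": len(times),
            "weekly": is_periodic(times),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding)
```

On the constructed records the scheduler role shows four calls, all via `events.amazonaws.com` and exactly a week apart, while the human user's single call is neither periodic nor service-initiated; the role ARN in the first group is what to look up next, since the rule's target and the trusted role identify the owner of the schedule.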
If I understood your question, you are looking for a way to know if Lifecycle Manager is available for EC2 snapshots.
The links given below should be able to help you with the same.
For enabling a custom Snapshot Lifecycle policy manually, refer to Snapshot Lifecycle.
For automating a solution for the same, please refer to automation of snapshot lifecycle.
I see that, in TaskDefinition properties, one can define two kinds of roles: ExecutionRoleArn and TaskRoleArn.
I tried to understand both from the documentation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html
But I still don't understand the reasoning behind having two. Can someone explain why it is done this way?
TaskRoleArn refers to the ARN of the role which will be used to call other AWS services or access AWS resources, such as the permissions needed for writing data into a DynamoDB table, reading information from an S3 bucket, etc.
ExecutionRoleArn refers to the ARN of the role which will take care of the permissions required for publishing logs to CloudWatch as well as pushing and pulling Docker images from Amazon ECR.
I'm working with AWS API Gateway and AWS Lambda. Often I face this type of error message when I attempt to deploy an API. The error message says to select a deployment stage. But I am still selecting one and trying to deploy, and the same error occurs!
In this API I have multiple resources with multiple methods. Previously I succeeded in deploying this same API the same way. But now I can't deploy it.
Please, can anyone help me to fix it? In addition: I don't use the AWS CLI tool, just the AWS web dashboard.
I talked with the AWS customer service center. The problem was:
In this API there was an unintegrated method. Suppose there is a resource image and I create a POST method for this resource, but I forgot to integrate it with any AWS Lambda function or HTTP endpoint. So the API cannot be deployed.
If the method is unnecessary then delete the method, or you can integrate it as a Mock endpoint. You can change this endpoint anytime.
Note: For this unintegrated-method problem AWS gives this type of wrong error message. They should update their message to save developers' time.
I was getting the same error, but when creating the API using CloudFormation.
It turned out that in my AWS::ApiGateway::Deployment resource, I needed to include a DependsOn attribute that "depends" on all my API methods.
For example, when building an API with two AWS::ApiGateway::Method resources, AWS::ApiGateway::Deployment needs to depend on both of these methods:
```yaml
MyFirstApiMethod:
  Type: AWS::ApiGateway::Method
  Properties:
    <your properties>
MySecondApiMethod:
  Type: AWS::ApiGateway::Method
  Properties:
    <your properties>
MyDeployment:
  Type: AWS::ApiGateway::Deployment
  DependsOn: [MyFirstApiMethod, MySecondApiMethod] # <-- REQUIRED
  Properties:
    RestApiId: !Ref MyRestApi
```
Without the DependsOn attribute on all the API methods, CloudFormation may be creating them after the deployment resource, resulting in a "No integration defined for method" error.
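The two causes discussed in this thread, a method with no integration and a Deployment that does not DependsOn every method of its RestApi, are both visible in the template before anything is deployed. The following is an added lint for them, not code from any of the answers: it walks a CloudFormation template held as a Python dict (long-form `{"Ref": ...}` instead of `!Ref`, no YAML parser needed) and reports each method lacking an `Integration` and each method the Deployment fails to depend on. The two templates at the bottom are constructed to match the answer's `MyFirstApiMethod`/`MySecondApiMethod`/`MyDeployment` layout; the lint's messages are my own wording.

```python
import copy

# Added example (not from the answers above): lint a CloudFormation template
# for the two API Gateway deployment failures described in this thread.


def _ref_target(value):
    """Return the logical ID behind {"Ref": ...}, or None for anything else."""
    return value.get("Ref") if isinstance(value, dict) else None


def lint_api_deployment(template):
    """Return a list of findings; an empty list means the template passes."""
    resources = template.get("Resources", {})
    findings = []
    methods = {lid: r for lid, r in resources.items()
               if r.get("Type") == "AWS::ApiGateway::Method"}
    deployments = {lid: r for lid, r in resources.items()
                   if r.get("Type") == "AWS::ApiGateway::Deployment"}

    # 1. A method without an Integration cannot be deployed; this is the
    #    "unintegrated method" case from the earlier answer.
    for lid, method in methods.items():
        if not method.get("Properties", {}).get("Integration"):
            findings.append(f"{lid}: method has no Integration")

    # 2. The Deployment must DependsOn every Method of the same RestApi, or
    #    CloudFormation may create the Deployment before the Methods exist.
    for dlid, deployment in deployments.items():
        api = _ref_target(deployment.get("Properties", {}).get("RestApiId"))
        depends = deployment.get("DependsOn", [])
        if isinstance(depends, str):      # DependsOn may be a single string
            depends = [depends]
        for mlid, method in methods.items():
            if _ref_target(method.get("Properties", {}).get("RestApiId")) != api:
                continue
            if mlid not in depends:
                findings.append(f"{dlid}: missing DependsOn {mlid}")
    return findings


# Constructed template with both defects: the second method has no
# Integration and the Deployment only depends on the first method.
BROKEN_TEMPLATE = {
    "Resources": {
        "MyRestApi": {"Type": "AWS::ApiGateway::RestApi",
                      "Properties": {"Name": "demo"}},
        "MyFirstApiMethod": {"Type": "AWS::ApiGateway::Method",
                             "Properties": {"RestApiId": {"Ref": "MyRestApi"},
                                            "HttpMethod": "GET",
                                            "Integration": {"Type": "MOCK"}}},
        "MySecondApiMethod": {"Type": "AWS::ApiGateway::Method",
                              "Properties": {"RestApiId": {"Ref": "MyRestApi"},
                                             "HttpMethod": "POST"}},
        "MyDeployment": {"Type": "AWS::ApiGateway::Deployment",
                         "DependsOn": "MyFirstApiMethod",
                         "Properties": {"RestApiId": {"Ref": "MyRestApi"}}},
    }
}

# The same template with both fixes applied: a MOCK integration on the
# second method and a DependsOn listing every method.
FIXED_TEMPLATE = copy.deepcopy(BROKEN_TEMPLATE)
FIXED_TEMPLATE["Resources"]["MySecondApiMethod"]["Properties"]["Integration"] = {"Type": "MOCK"}
FIXED_TEMPLATE["Resources"]["MyDeployment"]["DependsOn"] = ["MyFirstApiMethod", "MySecondApiMethod"]

if __name__ == "__main__":
    print("broken:", lint_api_deployment(BROKEN_TEMPLATE))
    print("fixed: ", lint_api_deployment(FIXED_TEMPLATE))
```

The lint treats `DependsOn` given as a plain string the same as a one-element list, since CloudFormation accepts both forms, and only compares methods against a Deployment that references the same RestApi, so templates defining several APIs are not cross-flagged.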
If you have another resource whose configuration is not complete, it will read as well. In short, if you haven't given them a Lambda function, the API itself is not allowed to be deployed until you finish the rest.
I encountered the same error when deploying via Terraform. The reason was I defined an IAM role for my API and I didn't include the role resource in the triggers when deploying the API. Just make sure all resources that are defined before deploying are included in the triggers.
Just integrate Lambda function in every method you created.
Make sure every resource and method is configured properly.
Let's say your API Gateway hierarchy is like:
```text
/
R1
R2
M1
M2
R3
M3
```
so every resource (R1, R2, R3) and every method (M1, M2, M3) should be configured properly.
I deployed using CDK with --no-rollback (this should work for any CloudFormation deployment, though).
In my case, the API was created and I could inspect it in the AWS Console, and only the "AWS::ApiGateway::Deployment" failed to create. It turned out I had a bad value for the service attribute (I was using Step Functions, which was not working).
Then I saw that I had a dangling resource/method that was broken, so my deployment was failing due to garbage in AWS, not my CDK/template.