Amplify Cloudformation templates - amazon-web-services

My understanding of Amplify is that on amplify push, it somehow processes the separate CloudFormation templates for each service (including the parameters.json) and deploys the app. Where does this "master" CloudFormation template get stored? For example, in the API resource, there is an api-params.json file specifying the endpoint restrictions based on auth roles, but I do not see those in the API CloudFormation template. How would I see the final template with the auth restrictions applied to the API Gateway resources?

You can see your nested Stack and all the templates in the AWS Console -> CloudFormation.
You can see the templates in your code repository locally after performing amplify pull in the amplify/backend/#current-cloud-backend
You can see the templates stored in S3 in your deployment bucket e.g., s3://amplify-appName-envName-someId-deployment/amplify-cfn-templates

Related

AWS: How to find out minimum required IAM permissions for GitHub Actions integration

I need to create a CloudFormation SAM template that creates multiple resources. I also need to integrate GitHub Actions so code gets auto-deployed on push. The problem is this requires that I give GitHub a lot of IAM permissions to do the necessary work. Note that I'm using an OpenID identity provider for GitHub as opposed to API keys.
How do I find out which IAM permissions are needed at minimum so I don't give GitHub more than what is necessary? Is there an AWS tool that can parse the deployment template and tell me which permissions are needed for both deployments and rollbacks?

No, there's no such tool. You can, however, look at the CloudTrail logs to see which actions are being invoked by CloudFormation, and based on that you could put together the list of required policies.
Alternatively, you could replicate what the CloudFormation template is doing by using the AWS CLI. That way, you could use iamlive to generate the IAM policies required for those CLI commands.
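The CloudTrail approach from the answer above, as an added example that is not part of the original answer: it keeps only records whose `userIdentity.invokedBy` is `cloudformation.amazonaws.com`, maps each to a candidate IAM action, and drafts a policy skeleton. The sample records are constructed, and the prefix override table and name mapping are heuristics, because CloudTrail event names do not always equal IAM action names.

```python
import json
import re
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields used below (not real log data).
SAMPLE_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm",
     "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser"}},  # console user, not CloudFormation
]

# Event sources whose IAM action prefix differs from the host label (partial list).
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}
# Lambda event names carry an API-version suffix such as 20150331 or 20150331v2.
VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")

def iam_action(event):
    """Map one CloudTrail record to a candidate IAM action (heuristic)."""
    label = event["eventSource"].split(".")[0]
    prefix = PREFIX_OVERRIDES.get(label, label)
    return f"{prefix}:{VERSION_SUFFIX.sub('', event['eventName'])}"

def actions_invoked_by_cloudformation(events):
    """Collect the distinct actions CloudFormation performed, sorted."""
    return sorted({
        iam_action(e) for e in events
        if e.get("userIdentity", {}).get("invokedBy") == "cloudformation.amazonaws.com"
    })

def draft_policy(events):
    """Build a policy skeleton, one statement per service; Resource still needs scoping."""
    # Permission-only actions such as iam:PassRole never show up in CloudTrail; add them by hand.
    by_service = defaultdict(list)
    for action in actions_invoked_by_cloudformation(events):
        by_service[action.split(":")[0]].append(action)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": f"Cfn{svc.capitalize()}", "Effect": "Allow", "Action": acts, "Resource": "*"}
        for svc, acts in sorted(by_service.items())
    ]}

if __name__ == "__main__":
    print(json.dumps(draft_policy(SAMPLE_EVENTS), indent=2))
```

Run it over events covering a create, an update, a delete and a failed deployment that rolls back, so the drafted action list includes the rollback path the question asks about.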

Migrate SQS and SNS configuration

We have a few different AWS accounts and I am looking to migrate the SNS configuration from one AWS account to another. Is that possible to migrate?
Many thanks for considering my request.

AWS does not have a 'migrate' capability.
A best practice is to deploy "infrastructure as code" using CloudFormation or Terraform. Then, when you wish to deploy the same infrastructure to a different AWS Account, simply use the same template to deploy it.
If you did not deploy your initial infrastructure via a template, you might want to use https://former2.com/ to create a template based on existing infrastructure. You can then use that template to deploy the same resources in a different AWS Account.

CloudFormation - obtaining template from a repo

Can someone list for me the steps needed in order to obtain a template from an Azure DevOps repo and have AWS CloudFormation use it to build a stack?
Interested in best practices and some high-level steps please / requirements, e.g. do I need AWS Pipelines? AWS Azure Toolkit?

One of the cleaner ways that I could think of doing this is integrating your DevOps repository with an S3 bucket and then triggering AWS CodePipeline to deploy the stack from the S3 bucket.
The flow would be something like,
Create a bucket in S3 to hold the cf template
Create a service connection request in DevOps repo, this should push the template to S3 every time changes are deployed
Create an AWS CodePipeline workflow that takes the template as input from S3 and deploys it to CloudFormation

AWS Cloudformation tying Amplify to bitbucket Repo

I am using CloudFormation to deploy a multilayer application that includes API Gateways, Lambdas, and all the resources created in Amplify and EB. We built each part of the stack manually. Now we are trying to tie them together in one CloudFormation template. Where we are tripped up is tying the AWS::Amplify::App to our repository in Bitbucket. The account token setting seems not to be available in our Bitbucket instance. Is there another way to tie the Amplify part of the CFN template to that repo? Or S3?

AWS Serverless : Migrating from serverless to SAM

We are using Serverless framework for deploying our applications on AWS.
The applications are written using Lambda, Cognito, API gateway, DynamoDB, etc.
We want to make use of SAM local, as we want to test the applications locally (with local DynamoDB) before deploying to AWS Cloud.
Is there any simpler way, by which I can migrate my serverless.yml file to the yml file required by SAM?
I have a complex serverless.yml file (API Gateway, custom and Cognito authorizers, CORS, Lambda, DynamoDB, IAM roles and policies, IoT rules, S3 buckets and policies, etc.) and creating a SAM template by hand will be complex.
I found one node.js plugin - https://github.com/sapessi/serverless-sam
Looks like this plugin has some issues. It didn't migrate all parts of the serverless.yml file correctly.
The serverless.yml file deployment creates a CloudFormation template.
Can this template be used for generating SAM yml file? Or can this template be migrated or enhanced to the template needed by SAM?