Error when creating GlueSecurityConfiguration using Cloudformation script - amazon-web-services

I am trying to create the Glue security configuration using a CloudFormation script, but I am getting the following error:
Property validation failure: [Value of property {/EncryptionConfiguration/S3Encryptions} does not match type {Array}]
What is the right way to give the S3Encryption?
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Script creates resources for GlueSecurityConfiguration
Resources:
  GlueSecurityConfiguration:
    Type: AWS::Glue::SecurityConfiguration
    Properties:
      EncryptionConfiguration:
        S3Encryptions:
          KmsKeyArn: !Ref KMSArn
          S3EncryptionMode: SSE-KMS
        JobBookmarksEncryption:
          KmsKeyArn: !Ref KMSArn
        CloudWatchEncryption:
          KmsKeyArn: !Ref KMSArn
      Name: !Sub '${SystemValue}-${SubSystemValue}'
```

I think it should be
```yaml
- KmsKeyArn: !Ref KMSArn
  S3EncryptionMode: SSE-KMS
```
since S3Encryptions expects an array.
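A pre-deploy check for this resource, written as an added example (not code from the question or answer). It runs over the template after it has been parsed into Python dicts (PyYAML with a loader that maps `!Ref` to `{"Ref": ...}` is assumed), flags the mapping-instead-of-list mistake from the question, and also reports CloudWatch and job-bookmark blocks that carry a KmsKeyArn without an explicit encryption mode; the two templates at the bottom are constructed to mirror the question.

```python
# Added example, not the question's or answer's code: a pre-deploy check for
# AWS::Glue::SecurityConfiguration on a template parsed into dicts (assumes
# PyYAML with a loader mapping !Ref to {"Ref": ...}); templates are constructed.

GLUE_SEC = "AWS::Glue::SecurityConfiguration"
S3_MODES = {"SSE-KMS", "SSE-S3"}
# Each block needs an explicit mode; assumption: a bare KmsKeyArn means DISABLED.
MODE_KEYS = (("JobBookmarksEncryption", "JobBookmarksEncryptionMode", "CSE-KMS"),
             ("CloudWatchEncryption", "CloudWatchEncryptionMode", "SSE-KMS"))

def check_glue_security(template):
    """Return one finding string per problem; an empty list means pass."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != GLUE_SEC:
            continue
        enc = res.get("Properties", {}).get("EncryptionConfiguration", {})
        s3 = enc.get("S3Encryptions")
        if not isinstance(s3, list):  # the validation failure from the question
            findings.append(f"{name}: S3Encryptions must be a list, got {type(s3).__name__}")
            s3 = []
        for i, item in enumerate(s3):
            mode = item.get("S3EncryptionMode")
            if mode not in S3_MODES:
                findings.append(f"{name}: S3Encryptions[{i}] has mode {mode!r}")
            elif mode == "SSE-KMS" and "KmsKeyArn" not in item:
                findings.append(f"{name}: S3Encryptions[{i}] SSE-KMS needs KmsKeyArn")
        for block, mode_key, want in MODE_KEYS:
            cfg = enc.get(block)
            if cfg is not None and cfg.get(mode_key) != want:
                findings.append(f"{name}: {block} should set {mode_key}: {want}")
    return findings

def glue_template(s3_encryptions, cw_mode=None, jb_mode=None):
    """Constructed minimal template; {"Ref": "KMSArn"} is the parsed `!Ref KMSArn`."""
    cw, jb = {"KmsKeyArn": {"Ref": "KMSArn"}}, {"KmsKeyArn": {"Ref": "KMSArn"}}
    if cw_mode:
        cw["CloudWatchEncryptionMode"] = cw_mode
    if jb_mode:
        jb["JobBookmarksEncryptionMode"] = jb_mode
    return {"Resources": {"GlueSecurityConfiguration": {"Type": GLUE_SEC, "Properties": {
        "Name": "demo", "EncryptionConfiguration": {"S3Encryptions": s3_encryptions,
        "JobBookmarksEncryption": jb, "CloudWatchEncryption": cw}}}}}

# As posted: a mapping instead of a list, and no modes on the other two blocks.
BROKEN = glue_template({"KmsKeyArn": {"Ref": "KMSArn"}, "S3EncryptionMode": "SSE-KMS"})
# Corrected: a list, and every block states its mode explicitly.
FIXED = glue_template([{"KmsKeyArn": {"Ref": "KMSArn"}, "S3EncryptionMode": "SSE-KMS"}],
                      cw_mode="SSE-KMS", jb_mode="CSE-KMS")
```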

Related

Passing Security Group Ids and Subnet Ids in a CloudFormation template

```yaml
Parameters:
  ClusterName:
    Type: String
  ClusterVersion:
    Type: Number
    AllowedValues: [1.21, 1.20, 1.19, 1.18]
  RoleArnValue:
    Type: String
  ListOfSubnetIDs:
    Description: Array of Subnet IDs
    Type: List<AWS::EC2::Subnet::Id>
  ListOfSecurityGroupIDs:
    Description: Array of security group ids
    Type: List<AWS::EC2::SecurityGroup::Id>
Resources:
  EKSCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: !Sub ${ClusterName}
      Version: !Sub ${ClusterVersion}
      RoleArn: !Sub ${RoleArnValue}
      ResourcesVpcConfig:
        SecurityGroupIds:
          - !Sub ${ListOfSecurityGroupIDs}
        SubnetIds:
          - !Sub ${ListOfSubnetIDs}
```
Above is the .yaml CloudFormation template I have created so I can spin up an EKS cluster. Then I am using the AWS CLI to spin up the cluster using the following command:
```bash
aws cloudformation deploy --template-file eks.yaml --stack-name cluster-test --parameter-overrides ClusterName=Dev ClusterVersion=1.21 ListOfSubnetIDs=subnet-11111d11b11b011f4,subnet-99999d237f87f11d7,subnet-222222c110c7e4be7,subnet-88888884de8d25176 ListOfSecurityGroupIDs=sg-01111111a21221 RoleArnValue=arn:aws:iam::123456546456:role/cluster-ServiceRole-WMIC72AOWSP0 --capabilities CAPABILITY_NAMED_IAM
```
I get the following error:
```text
An error occurred (ValidationError) when calling the CreateChangeSet operation: Template error: variable ListOfSecurityGroupIDs in Fn::Sub expression does not resolve to a string
```
I am not sure why. Am I using !Sub incorrectly? Would really appreciate input on this.
Since you want to reference the parameters you provided the template as they are, you should use the Ref function.
Here's an example of a valid template:
```yaml
Parameters:
  ClusterName:
    Type: String
  RoleArnValue:
    Type: String
  ListOfSubnetIDs:
    Description: Array of Subnet IDs
    Type: List<AWS::EC2::Subnet::Id>
  ListOfSecurityGroupIDs:
    Description: Array of security group ids
    Type: List<AWS::EC2::SecurityGroup::Id>
Resources:
  EKSCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: !Ref ClusterName
      RoleArn: !Ref RoleArnValue
      ResourcesVpcConfig:
        SecurityGroupIds: !Ref ListOfSecurityGroupIDs
        SubnetIds: !Ref ListOfSubnetIDs
```
and here's how I deployed it:
```bash
aws cloudformation deploy --template-file eks.yml --stack-name cluster-test --parameter-overrides ClusterName=Dev ListOfSubnetIDs=subnet-be0a99c4,subnet-c71046ae ListOfSecurityGroupIDs=sg-009690ac6b3bff6df,sg-009a3f1cb63943941 -RoleArnValue=...
```
Sub should be used when you want to perform string manipulation. Check out the examples from the documentation.
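To make the Ref/Sub difference concrete, here is a small resolver, added here and not part of the answer, that models only Ref and Fn::Sub on a template parsed into dicts and reproduces the CloudFormation error for a List<...> parameter inside Sub; the parameter values and resource fragments are constructed.

```python
# Added example, not code from the answer: a minimal resolver for Ref and
# Fn::Sub on a template parsed into dicts ({"Ref": ...}, {"Fn::Sub": ...}).
# It reproduces why `!Sub ${ListParam}` fails for a List<...> parameter while
# `!Ref ListParam` works. Parameter values and fragments are constructed.
import re

class TemplateError(ValueError):
    """Raised where CloudFormation would reject the template."""

def resolve(node, params):
    """Resolve Ref / Fn::Sub recursively, walking through lists and mappings."""
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if isinstance(node, dict) and list(node) == ["Ref"]:
        return params[node["Ref"]]            # a list parameter stays a list
    if isinstance(node, dict) and list(node) == ["Fn::Sub"]:
        return substitute(node["Fn::Sub"], params)
    if isinstance(node, dict):
        return {k: resolve(v, params) for k, v in node.items()}
    return node

def substitute(text, params):
    """Expand ${Name}; every referenced variable must resolve to a string."""
    def repl(match):
        name = match.group(1)
        if not isinstance(params.get(name), str):
            raise TemplateError(
                f"variable {name} in Fn::Sub expression does not resolve to a string")
        return params[name]
    return re.sub(r"\$\{([A-Za-z0-9:]+)\}", repl, text)

def try_resolve(node, params):
    """Return the resolved value, or the error text a rejected template gets."""
    try:
        return resolve(node, params)
    except TemplateError as err:
        return str(err)

# Constructed values as --parameter-overrides delivers them: a String parameter
# stays a string, a List<...> parameter is split on commas into a list.
PARAMS = {"ClusterName": "Dev",
          "ListOfSubnetIDs": "subnet-aaaa1111,subnet-bbbb2222".split(","),
          "ListOfSecurityGroupIDs": ["sg-cccc3333"]}
# The question's form: the list parameters go through !Sub.
SUB_VPC = {"SecurityGroupIds": [{"Fn::Sub": "${ListOfSecurityGroupIDs}"}],
           "SubnetIds": [{"Fn::Sub": "${ListOfSubnetIDs}"}]}
# The answer's form: !Ref hands each list through unchanged.
REF_VPC = {"SecurityGroupIds": {"Ref": "ListOfSecurityGroupIDs"},
           "SubnetIds": {"Ref": "ListOfSubnetIDs"}}
```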

Autoscale ProvisionedConcurrentExecutions AWS Lambda DependsOn value null

I'm trying to add auto scaling to the Provisioned Concurrency configuration for our Lambdas on AWS.
I'm having trouble with the DependsOn: value for the Lambda target. It doesn't seem to recognize the resource I'm passing in and says it's null. In the example from AWS it's using AutoPublishAlias, which isn't an option for me. https://aws.amazon.com/blogs/aws/new-provisioned-concurrency-for-lambda-functions/
Am I referencing incorrectly?
```yaml
LambdaAlias:
  Type: AWS::Lambda::Alias
  Properties:
    Description: Adds provisioned concurrency for lambda using alias on arn
    FunctionName: !Ref Lambda
    FunctionVersion: !GetAtt LambdaVersion.Version
    Name: live
    ProvisionedConcurrencyConfig:
      ProvisionedConcurrentExecutions: !Ref ProvisionedConcurrentExecutions
LambdaTarget:
  Type: AWS::ApplicationAutoScaling::ScalableTarget
  Properties:
    MaxCapacity: 100
    MinCapacity: 1
    ResourceId: !Sub function:${Lambda}:live # You need to specify an alias or version here
    RoleARN: !Ref IamRoleArn
    ScalableDimension: lambda:function:ProvisionedConcurrency
    ServiceNamespace: lambda
  DependsOn: LambdaAlias # This is your function logical ID + "Alias" + what you use for AutoPublishAlias
LambdaTrackingScalingPolicy:
  Type: AWS::ApplicationAutoScaling::ScalingPolicy
  Properties:
    PolicyName: utilization
    PolicyType: TargetTrackingScaling
    ScalingTargetId: !Ref LambdaTarget
    TargetTrackingScalingPolicyConfiguration:
      TargetValue: 0.70 # Any value between 0.1 and 0.9 can be used here
      PredefinedMetricSpecification:
        PredefinedMetricType: LambdaProvisionedConcurrencyUtilization
```
Adding Resource Snippet
```yaml
Resources:
  Lambda:
    Type: AWS::Lambda::Function
    Properties:
      !If
        - EnableVpcConfig
        - FunctionName: !Ref FunctionName
          Description: !Ref FunctionDescription
          Code:
            S3Bucket: !Ref CodeSourceBucket
            S3Key: !Sub 'api-packages/${CodeFile}'
          Handler: !Ref Handler
          Environment:
            Variables:
              APP_ID: !If [ UsesPublicKeyAPI, !Ref AppId, !Ref
```
Solution
The answer was to reference the logical ID of the AWS::Lambda::Alias resource I created, which in this case was
```yaml
DependsOn: LambdaAlias
```
The doc was using AutoPublishAlias, which didn't require the creation of an AWS::Lambda::Alias resource, so the config needed is slightly different.
Have you tried just using the name of the resource for the LambdaAlias?
I feel DependsOn: LambdaAlias should do the trick.
You are using plain CloudFormation, whereas the article you refer to is using AWS SAM.
Since you are not using any AutoPublishAlias, the format
{functionLogicalResourceName}Alias{aliasName}
should work for you.
In the sample you have provided, you have not included the part which is deploying the Lambda, so if we assume your Lambda logical ID is MyLambda you should use
```yaml
DependsOn: MyLambdaAliaslive
```

Create AWS DB Proxy Target Group timeout

I want to create a simple RDS proxy. I use the attached CloudFormation template. However, AWS cannot create the resource "AWS::RDS::DBProxyTargetGroup". The error info is not enough for debugging: "Resource timed out waiting for completion". Could anyone provide me an answer?
Target group was created, but info was not updated in cloudformation event
```yaml
Resources:
  RDSProxy:
    Type: "AWS::RDS::DBProxy"
    Properties:
      Auth:
        - AuthScheme: SECRETS
          IAMAuth: DISABLED
          SecretArn: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretsManagerName}"
      DBProxyName: !Ref ProxyName
      EngineFamily: !Ref ProxyEngineFamily
      RoleArn: !GetAtt SecretsManagerRole.Arn
      VpcSecurityGroupIds: !Ref ProxyVpcSecurityGroupIds
      VpcSubnetIds: !Ref ProxyVpcSubnetIds
  RDSProxyTargetGroup:
    Type: "AWS::RDS::DBProxyTargetGroup"
    Properties:
      DBClusterIdentifiers: !Ref ProxyTargetDBClusterIdentifiers
      DBProxyName: !Ref RDSProxy
      TargetGroupName: default
```

AWS glue cloud formation db creation error

I am trying to create a database on Glue using CloudFormation, but it fails with the below error. Am I missing something?
Property validation failure: [The property {/DatabaseInput} is required, The property {/CatalogId} is required]
This is how my template code block looks:
```yaml
GlueDatabase:
  Type: AWS::Glue::Database
  Properties:
    CatalogId: !Ref AWS::AccountId
    DatabaseInput: !Ref TeamName
```
According to the docs, the DatabaseInput should have the following structure:
```yaml
GlueDatabase:
  Type: AWS::Glue::Database
  Properties:
    CatalogId: !Ref AWS::AccountId
    DatabaseInput:
      Description: String
      LocationUri: String
      Name: String
      Parameters: Json
```
Thus the question is, what is TeamName in your template?

Launch ec2 using cloudformation which should use launch template

I am trying to create an EC2 instance using a launch template.
So I have created a launch template with the below data.
LaunchTemplateVerybasic:
When I am trying to run a CloudFormation template like below:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  TestTemplate:
    Type: 'AWS::EC2::Instance'
    Properties:
      LaunchTemplate:
        LaunchTemplateSpecification:
          LaunchTemplateId: lt-00d9f13eea240e524
          LaunchTemplateName: Testtemplate
          Version: '1'
```
I get this error:
```text
Encountered unsupported property LaunchTemplateSpecification
```
whereas in Designer it shows that the instance can be created.
What is it that I am missing? I checked the documentation and this is a property supported by AWS::EC2::Instance.
Let me know if there is something I am missing in understanding and in the YAML.
Since the EC2 instance is not being launched from the launch template via an auto-scaling group, but rather via a resource definition, you first need to remove the LaunchTemplateSpecification key and have the config as follows:
```yaml
HostA:
  Type: AWS::EC2::Instance
  Properties:
    LaunchTemplate:
      LaunchTemplateId: !Ref HostALaunchTemplate
      Version: !GetAtt HostALaunchTemplate.LatestVersionNumber
```
Launch Template example
When launching a launch template via an auto-scaling group, there is usually no need to specify a network interface within the launch template because the auto-scaling group will take care of it.
Inside your launch template, remove the SecurityGroupIds at the LaunchTemplateData:
```yaml
HostALaunchTemplate:
  Type: AWS::EC2::LaunchTemplate
  Properties:
    LaunchTemplateName: HostALaunchTemplate
    LaunchTemplateData:
      SecurityGroupIds:
        - !ImportValue MyASG
```
And add the security group via a network interface like so (NetworkInterfaces belongs inside LaunchTemplateData):
```yaml
HostALaunchTemplate:
  Type: AWS::EC2::LaunchTemplate
  Properties:
    LaunchTemplateName: HostALaunchTemplate
    LaunchTemplateData:
      NetworkInterfaces:
        - DeviceIndex: 0
          Groups:
            - !ImportValue MyASG
          SubnetId: !ImportValue MySubnet
```
The CloudFormation Linter catches this with:
```text
E3002 Invalid Property Resources/TestTemplate/Properties/LaunchTemplate/LaunchTemplateSpecification
template.yaml:7:9
```
Try removing LaunchTemplateSpecification:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  TestTemplate:
    Type: 'AWS::EC2::Instance'
    Properties:
      LaunchTemplate:
        LaunchTemplateId: lt-00d9f13eea240e524
        LaunchTemplateName: Testtemplate
        Version: '1'
```
AWS::EC2::Instance.LaunchTemplate documentation