Does anyone know, if there's an option to use some kind of 'existingDBUser' and 'existingDBPassword parameter while describing DBUser and DBPassword in a Cloudformation template?
I don't want to use 'Default' params and when deploying template via cli it asks me for DBUser and DBPassword.
In my case if I specify that and it's different than ones assigned already to DBCluster it creates a new cluster instead of updating existing one.
There's a way to upload the template via AWS Console, where you can check the 'use existing' boxes.
How can I do that from CLI perspective?
Thanks for replies.
Yes, this is possible. You don't define this in the template, you specify this when you call the update stack command from the SDK or CLI.
You need to specify the "UsePreviousValue" attribute of the parameter when calling the UpdateStack.
Here is an example of how you would do it on the AWS CLI but the SDKs should also provide a similar functionality:
aws cloudformation update-stack \
--stack-name mystack \
--template-url https://s3.amazonaws.com/sample/updated.template \
--parameters ParameterKey=DBUser,UsePreviousValue=true \
ParameterKey=DBPassword,UsePreviousValue=true
Related
I'm creating a new user pool in AWS Cognito. As you might know, CF support is missing for a lot of the features in Cognito, so I´ve resorted to using the CLI for Cognito. But I still want to use CloudFormation for other resources like API Gateway that will need to reference the new user pool.
Is there any way I can create parameters with the CLI that I can use in CloudFormation?
Yes, if you have Parameters in your template, then you can use the CloudFormation Deploy command to do exactly this.
For example, you can call aws cloudformation deploy --template-file <file_path> --stack-name <stack_name> --parameter-overrides ParameterKey1=ParameterValue1 ParameterKey2=ParameterValue2 ... where <file_path> is the path to your CloudFormation Template, and <stack_name> is the name of your CloudFormation Stack. If this stack doesn't exist yet, Deploy will create it, but if it does exist, Deploy will update it.
A little confused about how to do this or if its possible.
THis is not a nested stack. I want to set tags in my CF template that apply to all resources in the template. AWS::CloudFormation::Stack resource can do that, but I don't need/want a nested stack i just have one stack and one template.
Use command deploy with --tags:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name MyStack \
--tags Key1=Value1 Key2=Value2
Docs:
--tags (list) A list of tags to associate with the stack that is created or updated. AWS CloudFormation also propagates these tags to resources in the stack if the resource supports it. Syntax: TagKey1=TagValue1 TagKey2=TagValue2 ...
You can solve that with a kind of a workaround.
You can create another CF template that will include only the "AWS::CloudFormation::Stack" resource.
In the parameters, provide the tags that you want, and in the "TemplateURL" property, provide the URL of a template that specifies the stack that you want to create as a resource.
Note that the template must be stored on an Amazon S3 bucket, so the URL must have the form:
https://s3.amazonaws.com/.../TemplateName.extension
For more details:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html#cfn-cloudformation-stack-templateurl
I'm trying to understand the behavior of CloudFormation with respect to applying tags to the resources it creates.
As per their documentation - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
In addition to any tags you define, AWS CloudFormation automatically creates the following stack-level tags with the prefix aws::
aws:cloudformation:logical-id
aws:cloudformation:stack-id
aws:cloudformation:stack-name
I created a DynamoDB table from CloudFormation and I visited the DynamoDB console and selected the tags tab and couldn't find any specific tag being added. I also did not find the aws:cloudformation:logical:id tag being added.
I then tried to create a S3 bucket using CloudFormation. That seems to work and I was able to visit the S3 console and find the aws:cloudformation:logical-id tag for the S3 bucket.
Is this some kind of inconsistency? Is there any specific documentation I can follow to find the list of AWS resources to which CloudFormation applies the tags prefixed with aws: as mentioned in the documentation?
Any help would be appreciated. Thanks!
I've had to recently contact AWS Enterprise support about this
Commonly requested services that aren't receiving tags from cloud formation include
DynamoDB
Elasticache
IAM resources
ECS clusters
Cloudfront distributions
Glue jobs
SQS
Firehose Delivery stream
There is an internal feature request open, however their suggested action was to just manually tag the resources.
Do you have any other resource besides DynamoDB in the same CFT? If yes, is that resource getting tagged by CF?
If you do not have any other resource, you may add an EC2 instance resource to validate if this is a resource specific issue or a template wide issue.
From what you posted, it seems that the stack creation is successful. Though it sounds silly, you may try once with the CLI - aws cloudformation create-stack --stack-name Name-of-your-stack --template-body file://your_template.json --tags Key=Name,Value=Your_Tag_Value --profile default --region region --capabilities CAPABILITY_NAMED_IAM
You can skip --capabilities CAPABILITY_NAMED_IAM if you do not have IAM resources in your CFT.
I have never experienced any issues tagging through CF, may want to check these sample templates.
Is there any way to use a simple JSON file (of my instance details) to configure a Cloud Formation template?
That's basically what a CloudFormation template provides you. Since it is a template, you can also pass in parameters as variables.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html
Details on passing parameters from a config file:
https://aws.amazon.com/blogs/devops/passing-parameters-to-cloudformation-stacks-with-the-aws-cli-and-powershell/
You can have CFT parameters populated however you like. If you want to run / load the CFT from AWS console - add the parameters as either default or options within the CFT and choose them while creating the stack.
If you want to load them from a properties file - you can use any programming language of your choice to do so. A bash script that loads the properties or whatever, it's upto you and your use case. If you are using AWS cli to run the CFT use bash shell or power shell, if you are using AWS SDK to run your CFT - use the same language as your SDK etc.
If you are using just aws cli, you can do something like this with a json parameters file:
aws cloudformation create-stack --stackname startmyinstance
--template-body file:///some/local/path/templates/startmyinstance.json
--parameters file:///some/local/path/params/startmyinstance-parameters.json
I've got a question around using parameters in Cloudformation and more generally best practices around using secrets in Clouformation.
I have a template that defines our CI servers in an autoscaling group. We could in theory stand up many of these stacks. The templates are stored in source control along with parameters.json files use to specify the details of the stack (e.g. instance type, autoscaling conditions etc.). One of those parameters is a token that allows the CI server to interact with our CI provider, I don't want to store the token in source control. I want someone to be prompted for it or be forced to pass it when creating or updating the stack.
Ideally what I'm imagining is something like this, but obviously this is invalid
aws cloudformation create-stack --stack-name <name> --template-body file://<template> --parameters file://<parameters-file.json> TokenParameter=xxxyyyzzz
Does anyone have any suggestions?
Many Thanks
Hopefully this helps someone 2+ years later...
I solved this will a little help of jq. I'm on a mac, so that's a simple brew install jq
My goal was to use a default file of parameters, but wanted to pass my github oauth as a secret this one time. To the point above of storing secrets in other / better places, that's ideal, but I believe can be overkill for all situations. Mine for example was just lab based work.
aws cloudformation create-stack --stack-name "codepipeline-test"
--template-body file://codepipeline-test.yml
--parameters $(cat codepipeline-test-params.json | jq -r '.[]
| "ParameterKey=" + .ParameterKey + ",ParameterValue=" + .ParameterValue')
ParameterKey="GitHubOAuthToken",
ParameterValue="1234567890826xxxxxxxxxx753dde68858ac2169"
--tags '[{"Key": "Name","Value": "codedepipeline-test"},
{"Key": "Owner","Value": "username"}]' --capabilities CAPABILITY_NAMED_IAM
FYI in the CF Template I define the github oath param to be a secret (hide in GUI) as follows:
GitHubOAuthToken:
Description: A valid access token for GitHub that has admin access to the GitHub Repo you specify
Type: String
NoEcho: true
MinLength: 40
MaxLength: 40
AllowedPattern: '[a-z0-9]*'
For any sort of token/secret type interaction, I would actually go on the side of recommend using Systems Manager Parameter Store. The advantage is it centralizes your credential store so that if you need to rotate credentials for any reason it's just one place to change. You can also encrypt the creds for additional security.
As this is an AWS service you can use the SDK/CLI to pull the value. This could either be a user data script with an IAM role that allows systems manager access (as well as all other access) to pull the parameter and place it in the respective file. Another option is to utilize the SDK to pull down credential on demand, though that would require support in your CI code for pulling that off.
One caveat to this is that you would need the parameter setup ahead of time before launching the auto scaling group, which would make including the parameter as part of the CF template a bit difficult.