Cloudformation - Create resources in different regions - amazon-web-services

I'm actually using a CloudFormation stack in the Frankfurt region. I wanted to create 2 SSL certificates and validate them. I succeeded; however, I discovered later that I can't use them with my CloudFront distribution, as they need to be created in N. Virginia.
Now I'm facing this problem. How to create a resource in a different region? I'm aware that a CloudFormation stack can only create resources in its own region; however, while searching for some solutions, I saw different persons mentioning CloudFormation StackSets.
I took a quick look, but I'm still questioning: can it really solve my issue?
From what I've read, it seems it allows creating identical resources in different regions. But it doesn't seem possible, from one stack, to create some resources in one region and some others in another.
Can someone who has experimented with CloudFormation StackSets tell me whether it is possible or not?
Thank you a lot.

StackSets does not help in this case, as it is used to create the same stack in multiple regions.
However, you can use Custom Resources, which provide a way for you to write custom provisioning logic in a CloudFormation template. A Lambda function can be triggered by CloudFormation, which creates the certificates in the us-east-1 region by using one of the AWS SDKs.
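The custom-resource approach sketched above, as an added example that is not part of the original answer: the handler of a Lambda-backed custom resource that requests an ACM certificate in us-east-1 from a stack running in any region, and always reports SUCCESS or FAILED back to CloudFormation so the stack never hangs. The ACM client is passed in, so the logic can be exercised offline with the constructed `FakeAcm` stand-in; `lambda_handler` is what the function's runtime would call.

```python
import json
import urllib.request

CERT_REGION = "us-east-1"  # CloudFront only accepts ACM certificates from this region


def handle_event(event, acm):
    """Build the response body CloudFormation expects for one custom-resource event.
    `acm` is an ACM client for us-east-1 (boto3.client("acm", region_name=CERT_REGION))
    or any object with the same request_certificate/delete_certificate methods."""
    try:
        if event["RequestType"] in ("Create", "Update"):
            props = event["ResourceProperties"]
            kwargs = {"DomainName": props["DomainName"], "ValidationMethod": "DNS"}
            if props.get("SubjectAlternativeNames"):
                kwargs["SubjectAlternativeNames"] = props["SubjectAlternativeNames"]
            arn = acm.request_certificate(**kwargs)["CertificateArn"]
        else:  # Delete: only remove a certificate this resource actually created
            arn = event["PhysicalResourceId"]
            if arn.startswith("arn:"):
                acm.delete_certificate(CertificateArn=arn)
        status, data = "SUCCESS", {"CertificateArn": arn}
    except Exception as exc:  # answer anyway, or the stack waits until the timeout
        arn = event.get("PhysicalResourceId", "certificate-not-created")
        status, data = "FAILED", {"Reason": str(exc)}
    return {"Status": status, "Reason": data.get("Reason", "see CloudWatch logs"),
            "PhysicalResourceId": arn, "StackId": event["StackId"],
            "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"], "Data": data}


def send_response(event, body):
    """PUT the result to the pre-signed S3 URL CloudFormation put in the event."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    urllib.request.urlopen(req)


def lambda_handler(event, context):
    import boto3  # only needed inside Lambda; keeps the module importable offline
    send_response(event, handle_event(event, boto3.client("acm", region_name=CERT_REGION)))


class FakeAcm:
    """Constructed stand-in for offline runs; records what it was asked to delete."""
    def __init__(self): self.deleted = []
    def request_certificate(self, **kw):
        return {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/constructed"}
    def delete_certificate(self, CertificateArn): self.deleted.append(CertificateArn)
```

The certificate comes back in PENDING_VALIDATION, and CloudFront only accepts an ISSUED one, so the DNS validation record still has to be created (and waited for) before the distribution references `!GetAtt` CertificateArn; the function's execution role needs only acm:RequestCertificate and acm:DeleteCertificate for this handler.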

Related

Cloudformation template from existing resources or other possibilities to replicate environment

I have created an EC2 instance and configured it as a target behind my load balancer. I want to convert this entire environment into something that can be deployed repeatedly in automation. I have looked at CloudFormation but don't know if it can help me with converting this environment to a CloudFormation template. Is there any other way to achieve this? If there is an approach outside of CloudFormation, that's fine too.
PS: I am new to AWS and its capabilities.
Thanks
Have a look at Former2.
Former2 allows you to generate Infrastructure-as-Code outputs from your existing resources within your AWS account.
You need an IaC (Infrastructure as Code) tool. CloudFormation is one of them, but there are plenty of others: Terraform, Pulumi or even the AWS CDK.
Look at Infrastructure as Code; try AWS CDK or Terraform. You should also look at methods for replacing existing infrastructure. Spinning up a fresh set of infrastructure alongside the existing one and swapping it out in DNS is the most common approach.

AWS reverse engineer Cloud formation stack from existing VPC

I have an existing VPC with a few EC2 instances already created and running with security groups, route tables, NACLs all applied where required. Is there a way to convert a setup like this into a cloudformation stack or a terraform equivalent of configuration files?
Update: A modern substitute for CloudFormer is Former2.
You can use CloudFormer, but it doesn't seem to be maintained much anymore.
See: Using CloudFormer (Beta) to Create AWS CloudFormation Templates from Existing AWS Resources - AWS CloudFormation
While that type of capability might sound like a good idea, it is quite difficult to make a template from running infrastructure. It runs into questions, such as:
Should the definition for an Amazon EC2 instance reference the specific Security Group that currently exists, or should it create another one and reference that new one?
Should it create a new VPC, or launch resources in the existing VPC?
Was an instance created directly, or was it launched by Auto Scaling?
In the end, it's probably easier to just write the CloudFormation template yourself, rather than spend time trying to 'fix' one that is automatically generated.
Some tips for writing CloudFormation templates:
Never write them by hand. Always copy the templates or examples from the documentation.
Copy snippets from your existing templates rather than doing them all from scratch again.
Use YAML rather than JSON (fewer errors due to unbalanced braces).

Check if AWS resource has been deployed by CloudFormation

I'm new to a large AWS deployment where stuff is mostly deployed through CloudFormation (and some through Terraform). But there are always cases where something has been deployed manually and not through code. Is there a reliable way to quickly figure out if a resource (say, an EC2 instance) already existing in the deployment was deployed through IaC or manually? A CloudFormation-specific answer will be good enough for now.
Going through literally hundreds of CloudFormation stacks manually and looking for the resource is not an option.
You can identify the resources created by CloudFormation. CloudFormation applies a few default tags, as mentioned here:
aws:cloudformation:logical-id
aws:cloudformation:stack-id
aws:cloudformation:stack-name
You can run a script to check whether the resource contains one/all of these tags to update your count.
Official documentation on resource tags
Unfortunately looking at an AWS resource you don't see how it got created. While some resources might have been tagged by CloudFormation indicating that they got created by a CloudFormation stack, that's only valid for a subset of resources.
The only reliable way to figure out whether or not a resource got created via a CloudFormation stack is to go through all CloudFormation stacks and check whether or not the resource in question is a part of it. While that might be cumbersome when doing manually, it's also something you can automate using the AWS CLI.
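Both answers combined, as an added example that is not part of either answer: check the aws:cloudformation:* tags first, and for resources that carry none, fall back to an index built from every stack's resource list (with boto3 the index is fed by paginating list_stacks() and list_stack_resources() per stack; here it is filled with constructed sample data shaped like those responses).

```python
CFN_TAG_PREFIX = "aws:cloudformation:"


def cfn_tags(tags):
    """Return a resource's aws:cloudformation:* tags as {suffix: value}, e.g. {"stack-name": ...}."""
    return {t["Key"][len(CFN_TAG_PREFIX):]: t["Value"]
            for t in tags or [] if t["Key"].startswith(CFN_TAG_PREFIX)}


def index_physical_ids(stack_resources):
    """stack_resources: {stack_name: [list_stack_resources() summaries]}
    -> {physical_id: (stack_name, logical_id)} covering every stack at once."""
    index = {}
    for stack, summaries in stack_resources.items():
        for res in summaries:
            if "PhysicalResourceId" in res:  # absent while a resource is still being created
                index[res["PhysicalResourceId"]] = (stack, res["LogicalResourceId"])
    return index


def classify_instances(instances, index):
    """instances: Reservations[].Instances[] items from describe_instances().
    Returns {instance_id: ("tag" | "stack" | None, stack_name)}."""
    verdict = {}
    for inst in instances:
        tags = cfn_tags(inst.get("Tags"))
        if "stack-name" in tags:                      # tagged by CloudFormation itself
            verdict[inst["InstanceId"]] = ("tag", tags["stack-name"])
        elif inst["InstanceId"] in index:             # untagged but listed in a stack
            verdict[inst["InstanceId"]] = ("stack", index[inst["InstanceId"]][0])
        else:                                         # no evidence of IaC: created by hand?
            verdict[inst["InstanceId"]] = (None, None)
    return verdict


# Constructed sample data (no real account involved), shaped like the API responses.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "Tags": [{"Key": "aws:cloudformation:stack-name", "Value": "web-prod"},
                                         {"Key": "aws:cloudformation:logical-id", "Value": "WebServer"}]},
    {"InstanceId": "i-0bbb222", "Tags": [{"Key": "Name", "Value": "worker"}]},
    {"InstanceId": "i-0ccc333", "Tags": []},
]
SAMPLE_STACK_RESOURCES = {
    "web-prod": [{"LogicalResourceId": "WebServer", "ResourceType": "AWS::EC2::Instance",
                  "PhysicalResourceId": "i-0aaa111"}],
    "batch-prod": [{"LogicalResourceId": "Worker", "ResourceType": "AWS::EC2::Instance",
                    "PhysicalResourceId": "i-0bbb222"}],
}


def unmanaged_instance_ids(instances=SAMPLE_INSTANCES, stack_resources=SAMPLE_STACK_RESOURCES):
    """Instance IDs that neither carry CloudFormation tags nor appear in any stack."""
    verdict = classify_instances(instances, index_physical_ids(stack_resources))
    return sorted(i for i, (how, _) in verdict.items() if how is None)
```

Tags with the reserved aws: prefix cannot be set by users, so a present tag is trustworthy, but an absent one proves nothing: some resource types are never tagged, and resources brought in through resource import appear only in the stack's resource list. When listing stacks, exclude DELETE_COMPLETE ones, which list_stacks() still returns for a while.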

Is it possible to describe existing resources in CloudFormation?

I have a scenario where I want to enable flow logs for all the existing VPCs (by existing I mean ones which are not created by a CloudFormation stack) which are there in my AWS account. For these I would need to describe all the existing VPCs from my AWS account (let's say region specific) and get their VPC IDs, which I will then feed to create-flow-log.
Is it even possible to describe existing resources through a CloudFormation stack? I didn't find any AWS documentation for this purpose. Is there any other possibility by which this can be done while still using CloudFormation?
Malay - It is possible to refer to existing resources which are not created by CFN. But it's not possible to modify them.
Here's an example to take the existing VPC IDs as an input parameter:
List<AWS::EC2::VPC::Id>
An array of VPC IDs, such as vpc-a123baa3, vpc-b456baa3.
Hope it helps.

Is it possible to deploy same aws lambda jar in multiple regions at once?

I have deployed a lambda in the US East region. There is a need to deploy the same lambda in multiple regions. Is there a simple way (in the portal) to do it? Or do I have to manually create these lambdas in every region?
Your best bet for this will be to use a stack set in CloudFormation.
AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation. Using an administrator account, you define and manage an AWS CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts across specified regions.
With a stack set, you can specify the accounts and regions to which you want to deploy your lambda. You will likely want to put the lambda code in an S3 bucket that you can then reference from your CloudFormation template.
Then it is easy (and simple) to deploy to a new region--just add that region to the stack set.