I am describing an existing AWS Lambda function in a CloudFormation template and I am facing the following issue. In our Lambda we configured a few test events which help us verify some use cases (I mean the functionality from the screenshot below).
But I don't see any way to add these test events to the CloudFormation template. The AWS documentation doesn't help me with that. Is that possible at all, or are there any workarounds for exporting and importing Lambda function test events?
Lambda test functionality is available only in the UI console. You can use a CloudFormation Custom Resource to invoke a function from a CloudFormation template. Resource properties allow AWS CloudFormation to create a custom payload to send to the Lambda function.
Sample code:
Resources:
  EnableLogs:
    Type: Custom::EnableLogs
    Version: '1.0'
    Properties:
      ServiceToken: arn:aws:lambda:us-east-1:acc:function:rds-EnableRDSLogs-1O6XLL6LWNR5Z
      DBInstanceIdentifier: mydb
The event parameter passed to the Lambda function carries the resource properties, e.g.:
event['ResourceProperties']['DBInstanceIdentifier']
I have set up CI/CD for an AWS Lambda function such that the new version is automatically deployed using GitHub actions. By default, AWS creates a new Lambda ID (and thus URL) for this lambda function. This means that the front-end portion of my code will need to be updated to contain the updated URL. Is there a way to automatically perform such updating? By e.g. saving the URL as an environment variable and inserting it in the code with a GitHub action?
Or is there alternatively a way to re-use the old Lambda function URL for new deployments?
You can get the updated Lambda URL by using SAM template outputs as follows:
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      # other function properties (Handler, Runtime, CodeUri, ...) omitted here
      # FunctionUrlConfig makes SAM generate an AWS::Lambda::Url resource whose
      # logical ID is <FunctionLogicalId>Url, i.e. MyFunctionUrl referenced below
      FunctionUrlConfig:
        AuthType: AWS_IAM
Outputs:
  MyFunctionUrlEndpoint:
    Description: "My Lambda Function URL Endpoint"
    Value: !GetAtt MyFunctionUrl.FunctionUrl
Then you can access the output as described in this answer:
aws cloudformation describe-stacks --stack-name stack_name --query 'Stacks[0].Outputs[?OutputKey==`MyFunctionUrlEndpoint`].OutputValue' --output text
which can then be further processed in e.g. your front-end code.
There may be easier methods, but this should work!
TestTopicSubscription:
  Type: AWS::SNS::Subscription
  Properties:
    Endpoint: testn@email.com
    Protocol: email
    TopicArn: !Ref TestSnsTopic
How do I add subscriptions for multiple email IDs (e.g. test1@email.com, test2@email.com) to the above list?
There are no loops in CloudFormation, and AWS::SNS::Subscription does not take any lists.
So your choices are:
- Use the AWS CLI or SDK to programmatically create a number of stacks based on a single template. The template would be parameterized, where the parameter would be your endpoint. Thus, using bash or python, for instance, you would have to iterate over your list and create the corresponding subscriptions.
- Create a custom resource in CloudFormation that takes your list of emails and creates the corresponding subscriptions. The resource would be in the form of a lambda function which would use the AWS SDK to create the needed subscriptions.
- Instead of a custom resource, you could also create a macro in CloudFormation.
- Manually copy-and-paste the subscription templates, if you have only a few of them in a single template.
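The custom resource option above (and the ResourceProperties payload mechanism from the first answer on this page) can be demonstrated end to end. The following is an added example written for this page, not code from any of the answers: a Lambda handler for a Custom:: resource that owns a list of email subscriptions on one topic, handles Create, Update and Delete, keeps a stable PhysicalResourceId so an Update is not treated as a replacement, and always reports SUCCESS or FAILED to the pre-signed ResponseURL so the stack never hangs. The FakeSns client, the make_event builder and every ARN in it are constructed placeholders; in Lambda you would drop the sns argument so boto3 is used.

```python
import json
import urllib.request


def send_response(event, status, physical_id, reason="", data=None,
                  opener=urllib.request.urlopen):
    """PUT the result to the pre-signed ResponseURL CloudFormation passes in.
    Every code path must end here: a resource that never answers leaves the
    stack waiting until CloudFormation's own timeout fails the operation."""
    body = {
        "Status": status,
        "Reason": reason or "See CloudWatch Logs for " + event["LogicalResourceId"],
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }
    req = urllib.request.Request(event["ResponseURL"], data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    opener(req)
    return body


def confirmed_subscriptions(sns, topic_arn, emails):
    """{email: subscription ARN} for confirmed subscriptions only. Unconfirmed
    email subscriptions report 'PendingConfirmation' instead of an ARN and
    cannot be unsubscribed; SNS drops them itself if never confirmed."""
    found = {}
    for sub in sns.list_subscriptions_by_topic(TopicArn=topic_arn)["Subscriptions"]:
        if (sub["Protocol"] == "email" and sub["Endpoint"] in emails
                and sub["SubscriptionArn"].startswith("arn:")):
            found[sub["Endpoint"]] = sub["SubscriptionArn"]
    return found


def handler(event, context=None, sns=None, opener=urllib.request.urlopen):
    """Lambda entry point for the Custom:: resource (Create/Update/Delete)."""
    if sns is None:  # in Lambda use boto3; tests inject a fake client instead
        import boto3
        sns = boto3.client("sns")
    props = event["ResourceProperties"]
    topic_arn = props["TopicArn"]
    wanted = set(props.get("Emails", []))
    # Stable PhysicalResourceId: a changed id on Update makes CloudFormation
    # treat it as a replacement and send a Delete for the "old" resource.
    physical_id = topic_arn + "/" + event["LogicalResourceId"]
    try:
        if event["RequestType"] == "Delete":
            for arn in confirmed_subscriptions(sns, topic_arn, wanted).values():
                sns.unsubscribe(SubscriptionArn=arn)
            return send_response(event, "SUCCESS", physical_id, opener=opener)
        previous = set()
        if event["RequestType"] == "Update":
            previous = set(event["OldResourceProperties"].get("Emails", []))
            for arn in confirmed_subscriptions(sns, topic_arn, previous - wanted).values():
                sns.unsubscribe(SubscriptionArn=arn)
        for email in sorted(wanted - previous):
            sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
        return send_response(event, "SUCCESS", physical_id, opener=opener,
                             data={"SubscribedCount": len(wanted)})
    except Exception as exc:  # report FAILED rather than leaving the stack hanging
        return send_response(event, "FAILED", physical_id, reason=str(exc), opener=opener)


# ---- constructed stand-ins so the handler can be exercised offline ----------
class FakeSns:
    """Minimal in-memory SNS; subscriptions count as confirmed immediately."""
    def __init__(self):
        self.subs = []

    def subscribe(self, TopicArn, Protocol, Endpoint):
        arn = "%s:%d" % (TopicArn, len(self.subs))
        self.subs.append({"TopicArn": TopicArn, "Protocol": Protocol,
                          "Endpoint": Endpoint, "SubscriptionArn": arn})
        return {"SubscriptionArn": arn}

    def list_subscriptions_by_topic(self, TopicArn):
        return {"Subscriptions": [s for s in self.subs if s["TopicArn"] == TopicArn]}

    def unsubscribe(self, SubscriptionArn):
        self.subs = [s for s in self.subs if s["SubscriptionArn"] != SubscriptionArn]


def make_event(request_type, emails, old_emails=None):
    """Constructed custom-resource request with placeholder ARNs and URL."""
    topic = "arn:aws:sns:us-east-1:111111111111:demo-topic"
    event = {"RequestType": request_type,
             "ResponseURL": "https://placeholder.example/presigned-response-url",
             "StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/demo/placeholder",
             "RequestId": "placeholder-request-id", "LogicalResourceId": "EmailSubscriptions",
             "ResourceProperties": {"TopicArn": topic, "Emails": emails}}
    if old_emails is not None:
        event["OldResourceProperties"] = {"TopicArn": topic, "Emails": old_emails}
    return event


def run_demo():
    """Create two subscriptions, swap one via Update, then Delete everything;
    returns (status, endpoints on the topic) after each step."""
    sns, sent, steps = FakeSns(), [], []
    for ev in (make_event("Create", ["ops@example.com", "dev@example.com"]),
               make_event("Update", ["ops@example.com", "sec@example.com"],
                          old_emails=["ops@example.com", "dev@example.com"]),
               make_event("Delete", ["ops@example.com", "sec@example.com"])):
        result = handler(ev, sns=sns, opener=sent.append)
        steps.append((result["Status"], sorted(s["Endpoint"] for s in sns.subs)))
    return steps
```

The Delete branch only removes subscriptions whose ARN is real; confirmed subscriptions stay behind if you delete the resource while recipients have not yet clicked the confirmation link, which is a property of SNS email subscriptions rather than of the handler.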
I have this use case where I need to trigger a lambda every time my CloudFormation stack updates/deletes. CloudFormation does not emit any CloudWatch metrics. Is there a way to get the CloudFormation events to trigger a lambda? Are there any existing examples I can refer to?
What you can do is reference your lambda function within the CloudFormation script as a custom resource. You can then have the custom resource run (which executes your Lambda) on every update of the stack.
Basic syntax is:
MyCustomResource:
  Type: "Custom::TestLambdaCrossStackRef"
  Properties:
    ServiceToken:
      !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaFunctionName}
    StackName:
      Ref: "NetworkStackName"
More information here:
AWS Documentation
Configure an SNS Topic as a Notification Option in the CFT via https://docs.aws.amazon.com/en_pv/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html. Have your lambda be a subscriber to that topic.
For an automatic deployment workflow, I want to start a cloudformation deployment and trigger a lambda function when done.
I know, I can add a cloudwatch event that triggers whenever an event occurs on cloudformation in my account. But I do not want to trigger the lambda on any cloudformation template being deployed, but only on templates, where I decide on deployment that the lambda should be triggered.
I could add code to the lambda function, making it decide for itself if it was supposed to be triggered. That would probably work, but I wonder if there is a better more direct solution?
Ideas?
Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs anytime you create, update
Ex: Custom Lambda resource to enable RDS logs after the RDS DB is created.
Resources:
  EnableLogs:
    Type: Custom::EnableLogs
    Version: '1.0'
    Properties:
      ServiceToken: arn:aws:lambda:us-east-1:acc:function:rds-EnableRDSLogs-1O6XLL6LWNR5Z
      DBInstanceIdentifier: mydb
See my python gist here
I've created some CloudFormation templates to deploy Inspector Templates/Targets and associated Lambda functions that parse the outputs and deliver findings to Slack. Is it possible to include in the CF template for Inspector an SNS Topic association as is done when creating a template in the Inspector portal?
It is not an available parameter of AWS::Inspector::AssessmentTemplate. Is this something I will just have to add manually via the portal?
I see the SNS option is available only in the UI and CLI/API. I guess the UI/CLI creates a CloudWatch Events rule for you in the background; you can create your own rule using AWS::Events::Rule.
Reference: Event Patterns
EventRule:
  Type: "AWS::Events::Rule"
  Properties:
    Description: "EventRule"
    EventPattern:
      source:
        - "aws.inspector"
      detail-type:
        - "AWS API Call via CloudTrail"
      resources:
        - arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-7sbz2Kz0
      detail:
        eventSource:
          - "inspector.amazonaws.com"
        eventName:
          - "ASSESSMENT_RUN_COMPLETED"
    State: "ENABLED"
    Targets:
      # each target is an object with an Arn and a unique Id; a bare ARN is rejected
      - Arn: arn:aws:sns:us-west-2:123456789012:exampletopic
        Id: "InspectorSnsTarget"
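To see which events the rule above actually admits, here is an added example (written for this page, not taken from the answer) implementing the subset of EventBridge pattern-matching semantics the rule relies on: every key in the pattern must be present in the event, a list of pattern values is an OR of exact matches, an array-valued event field such as resources matches if any of its elements does, and nested objects recurse. The three sample events are constructed; only the template ARN and the pattern values come from the rule.

```python
# The EventPattern from the rule above, in the JSON form EventBridge evaluates.
ASSESSMENT_TEMPLATE = ("arn:aws:inspector:us-west-2:123456789012:"
                       "target/0-nvgVhaxX/template/0-7sbz2Kz0")
RULE_PATTERN = {
    "source": ["aws.inspector"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "resources": [ASSESSMENT_TEMPLATE],
    "detail": {
        "eventSource": ["inspector.amazonaws.com"],
        "eventName": ["ASSESSMENT_RUN_COMPLETED"],
    },
}


def matches(pattern, event):
    """Simplified EventBridge matcher: exact-value lists, nested objects, and
    'any element' semantics for array-valued event fields. Numeric, prefix and
    anything-but matchers are deliberately not implemented."""
    for key, allowed in pattern.items():
        if key not in event:          # a key missing from the event never matches
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


def inspector_event(event_name, template_arn=ASSESSMENT_TEMPLATE):
    """Constructed CloudTrail-style event as it would reach the rule."""
    return {
        "source": "aws.inspector",
        "detail-type": "AWS API Call via CloudTrail",
        "resources": [template_arn],
        "detail": {"eventSource": "inspector.amazonaws.com", "eventName": event_name},
    }


def classify(events):
    """(eventName, matched?) for each event, to show what the rule forwards to SNS."""
    return [(e["detail"]["eventName"], matches(RULE_PATTERN, e)) for e in events]


if __name__ == "__main__":
    sample = [inspector_event("ASSESSMENT_RUN_COMPLETED"),
              inspector_event("ASSESSMENT_RUN_STARTED"),
              inspector_event("ASSESSMENT_RUN_COMPLETED",
                              template_arn="arn:aws:inspector:us-west-2:123456789012:"
                                           "target/0-other/template/0-other")]
    for name, hit in classify(sample):
        print(name, "->", "forwarded" if hit else "dropped")
```

Because every value is an exact match, the resources entry pins the rule to the one assessment template; a run of any other template in the account is dropped even though source, detail-type and eventName all line up.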
This is how I did it. I used the CloudFormation template to create the assessment target, assessment resource group, and assessment template. I also included a CloudWatch Events rule to trigger assessment runs on a weekly basis.
As of today, there is no support for adding an SNS Topic through the Inspector Assessment template CloudFormation resource, so I went through the boto3 API for event subscription. Refer to the API here: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/inspector.html#Inspector.Client.subscribe_to_event
If you refer to the above API doc you will be able to develop a small python lambda function to subscribe your inspector assessment template to the SNS topic. Then call that lambda function using a custom resource as follows in the same template where the assessment template is provisioned or defined.
The custom resource would look something like this:
SubscribeToEvent:
  Type: "Custom::<whatever_name>"
  Version: "1.0"
  Properties:
    ServiceToken: !GetAtt <Lambda function logical name>.Arn
    AssessmentTemplateArn: !GetAtt <Assessment template logical name>.Arn
    topicArn: !Sub arn:aws:sns:${AWS::Region}:${account number}:<Nameofthetopic>
If you are trying to reference a cross-account topic, i.e. a topic that exists in another account, you need to update the topic policy to grant publish permissions to the AWS Inspector account. To find the AWS account numbers refer here: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_assessments.html#sns-topic