CloudFormation Launch configuration with encrypted boot volume - amazon-web-services

I have a CloudFormation template that created the required infrastructure to host a web application in my environment. This includes an AutoScaling group and Launch Configuration:
"LaunchConfiguration": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Properties": {
"AssociatePublicIpAddress": false,
"IamInstanceProfile": {
"Ref": "InstanceRoleInstanceProfile"
},
"ImageId": {
"Ref": "WindowsImage"
},
"InstanceType": {
"Ref": "InstanceType"
},
"SecurityGroups": [
{
...
}
],
"KeyName": {
"Ref": "KeyPairName"
},
"UserData": {
...
},
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeType": "gp2"
}
}
]
},
"Metadata": {
...
}
}
A vulnerability scanner flagged a risk due to the boot volume of the instance coming out of the above launch configuration not being encrypted.
When I try to encrypt the boot volume by changing its configuration in the template as follows:
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"Encrypted": true,
"VolumeType": "gp2"
}
}
]
I get the following error:
Launching a new EC2 instance. Status Reason: the encrypted flag cannot
be specified since device /dev/sda1 has a snapshot specified.
Launching EC2 instance failed.
I read you can encrypt boot volumes by
spin up a server from the base AMI
take a snapshot
copy that snapshot with encryption
create a custom AMI based on that copy of the snapshot
then spin up new servers based on my encrypted AMI
cleanup of all the servers, snapshots, and custom AMI created
I need CloudFormation to create EC2 instances that are already encrypted. Any idea if this is possible at all?

Related

How can I instruct an AWS CloudFormation template to create resources in a specific region?

I am new to CloudFormation templates. I have basic template in yaml that creates an EC2 Instance. Every time I create a stack and use this template, the EC2 Instance is ALWAYS created on US East N. Virginia region. I am trying to change this so that the EC2 Instance resides in US-WEST-2 region. After some research, it appears that this is something that is not specified within the template. Instead, I need to change the region to us-west-2 in AWS console and then create a new stack. Is my understanding correct?
Unfortunately, you can't specify the region in a cloudformation template.
You should either pass region as a command line argument
aws --region eu-west-1 cloudformation create-stack --stack-name ...
or, specify the default region in aws cli config file ~/.aws/config
[default]
region=eu-west-1
What am I missing here? I am sure we can specify region where the stack is created in CFN template using parameters and we do have active templates which creates our stack in respective region based on the parameter value.
The AWS::Region pseudo parameter is a value that AWS CloudFormation resolves as the region where the stack is created.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/gettingstarted.templatebasics.html
Here is a sub-section of sample template
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"InstanceType": {
"Description": "Instance Type",
"Type": "String",
"Default": "t2.xlarge"
},
"SubnetUSEAST1": {
"Description": "Subnet on which Ec2 instance needs to be created",
"Type": "String",
"Default": "subnet-xxxxxxxx"
},
"SubnetUSWEST2": {
"Description": "Subnet on which Ec2 instance needs to be created",
"Type": "String",
"Default": "subnet-yyyyyyyy"
}
},
"Conditions": {
"useast1": {
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-east-1"
]
},
"uswest2": {
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-west-2"
]
}
},
"Resources": {
"EC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": {
"Ref": "InstanceType"
},
"NetworkInterfaces": [
{
"SubnetId": {
"Fn::If": [
"useast1",
{
"Ref": "SubnetUSEAST1"
},
{
"Ref": "SubnetUSWEST2"
}
]
},
"AssociatePublicIpAddress": "false",
"DeviceIndex": "0"
}
]
}
}
}
}
If you are able to split your template into parts, you could deploy to different regions at once via some orchestration and StackSets.

Developing an app to create a stack from a cloudformation template

I am new to AWS and am currently working on simple tasks.
I have created a free tier EC2 instance using a cloudformation template. Now my next task is to write a simple application that uses respective AWS SDK to call CloudFormation API to create a stack from the template.
Here is the cloudformation template:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Ec2 Template",
"Metadata": {
"Copyright":[
"Copyright 2017, All rights reserved"
],
"Comments":[
"Create an EC2"
]
},
"Parameters": {
"KeyName": {
"Type": "AWS::EC2::KeyPair::KeyName",
"Description": "Name of an existing EC2 KeyPair to enable access to join ECS instances."
},
"InstanceTypeParameter":{
"Type": "String",
"Default": "t2.micro",
"AllowedValues": [
"t2.micro",
"m1.small",
"m1.large"
],
"Description": "Enter t2.micro, m1.small, or m1.large. Default is t2.micro."
},
"EcsSecurityGroupLb":{
"Type": "AWS::EC2::SecurityGroup::Id",
"Description":"The ECS ELB Security Group."
},
"vpcid":{
"Type": "AWS::EC2::VPC::Id"
},
"mySubnetIDs": {
"Description":"Subnet IDs",
"Type":"AWS::EC2::Subnet::Id"
}
},
"Resources":{
"Ec2Instance":{
"Type":"AWS::EC2::Instance",
"Properties":{
"ImageId": "ami-bf4193c7",
"KeyName": {
"Ref": "KeyName"
},
"InstanceType":{
"Ref": "InstanceTypeParameter"
},
"NetworkInterfaces":[
{
"AssociatePublicIpAddress":"true",
"DeviceIndex":"0",
"SubnetId":{
"Ref":"mySubnetIDs"
},
"GroupSet":[
{
"Ref": "EcsSecurityGroupLb"
}
]
}
],
"BlockDeviceMappings":[
{
"DeviceName": "/dev/sdc",
"VirtualName":"ephemeral0"
}
]
}
}
},
"Outputs":{
"Ec2Instance":{
"Description": "InstanceId of newly created EC2 instance",
"Value": {
"Ref": "Ec2Instance"
}
},
"InstanceIPAddress":{
"Value":{ "Fn::GetAtt": ["Ec2Instance", "PublicIp"]},
"Description": "Public IP address of instance"
}
}
}
I have gone through a lot of documentation but haven't really understood as to how to proceed. I would like to know if there are any good tutorials on this.
Looking for suggestions with respect to the steps as well.
Thanks!
Since you have to (as a task requirement) write the application yourself, you'll need to use one of the AWS SDKs that are available.
The SDK you choose will depend on what programming language you are most comfortable using (or required by your task).
Roughly, your program will need to do the following:
With the AWS SDK, create an AWS session which uses your IAM user's API keys.
Grab the Cloudformation template off of your local system.
With the AWS SDK, invoke Cloudformation to create the resource stack with your template.
(Optionally) Wait until the stack is complete and output a report on the stack status.
Good luck!

AWS Cloudformation failing to acknowledge AutoScalingGroup

While using CloudFormation to create EC2 instance along with an autoscaling group, I face the error:
The following resource(s) failed to create: [WebsInstanceServerGroup].
image of CloudFormation Group output
The failure is seen while creating auto scaling group, but when I check the auto scaling group console, it says that the creation was 'successful.' (The 'in-progress' deletion happens after a 15 minute time out value from CloudFormation).
image of AutoScaling output
What could be the reason CloudFormation is not acknowledging that the AutoScale group is created successfully?
The error also says something about WebInstanceServerGroup, so I checked my template for that, but saw nothing suspicious.
"WebsInstanceServerGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"AvailabilityZones": {
"Fn::GetAZs": "AWS::Region"
},
"VPCZoneIdentifier": {
"Ref": "WebsELBSubnetId"
},
"LoadBalancerNames": [
{
"Ref": "WebsELB"
}
],
"LaunchConfigurationName": {
"Ref": "WebsEC2Instance"
},
"Cooldown": 300,
"HealthCheckGracePeriod": 600,
"HealthCheckType": "EC2",
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "WebsInstanceName"
},
"PropagateAtLaunch": "true"
},
{
"Key": "Service",
"Value": {
"Ref": "ServiceTag"
},
"PropagateAtLaunch": "true"
}
],
"MinSize": {
"Ref": "ASGMin"
},
"DesiredCapacity": {
"Ref": "ASGDesired"
},
"MaxSize": {
"Ref": "ASGMax"
}
},
"CreationPolicy": {
"ResourceSignal": {
"Count": {
"Ref": "ASGMin"
},
"Timeout": "PT15M"
}
}
}
Please let me know if more information is required, thanks in advance.
Looks like your EC2 instances in your autoscaling group are not sending the required success signals.
CloudFormation will wait for you to send ASGMin signals before considering your WebsInstanceServerGroup to be successfully created. So if ASGMin is set to 3, each of your 3 EC2 instances should send a signal.
To send the signal you can either use the cfn-signal helper, or with the AWS CLI:
aws cloudformation signal-resource \
--stack-name {your stack name here} \
--status SUCCESS \
--logical-resource-id WebsInstanceServerGroup \
--unique-id {the instance ID for the EC2 instance that is sending the signal}
Use this command at the end of your User Data script, when you consider your EC2 instance to be fully provisioned and ready to go.

AWS EC2 goes to stopped state when creating it

I am creating an AWS EC2 instance in a VPC with internet access using cloudformation. I am able to create the EC2 as expected based on the JSON. But it seems like the instance state goes to stopped soon after creating the EC2. I was expecting the EC2 to be up and in running state as soon as created.
Has anyone faced this problem?
I am able to go to the AWS console and manually make the instance to running state successfully though.
Here is the JSON for EC2
"PublicEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": ["AWSRegionArch2AMI", {
"Ref": "AWS::Region"
},
"64"
]
},
"InstanceType": {
"Ref": "InstanceType"
},
"KeyName": {
"Ref": "KeyPair"
},
"BlockDeviceMappings": [{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeSize": "8"
}
}, {
"DeviceName": "/dev/sdm",
"Ebs": {
"VolumeSize": "8"
}
}],
"Tags": [{
"Key": "Name",
"Value": "Sample-PublicEC2"
}],
"UserData": {
"Fn::Base64": {
"Ref": "WebServerPort"
}
},
"NetworkInterfaces": [{
"AssociatePublicIpAddress": "true",
"DeleteOnTermination": "true",
"DeviceIndex": "0",
"SubnetId": {
"Ref": "PublicSubnet"
},
"GroupSet": [{
"Ref": "PublicSecurityGroup"
}]
}]
}
}
The UserData in your template looks invalid. It's possible that the instance startup aborts on invalid data. Try removing this property and creating the stack again.
If this doesn't solve the problem, you can try looking at the console output of the stopped instance for more information. See Getting Console Output and Rebooting Instances for instructions on how to do this using the AWS Management Console.

Cloning infrastructure from one region to another: AWS CloudFormation

I have existing infrastructure in us-east-1 region which needed to be cloned exactly to us-east-2 region. Used AWS CloudFormer to generate the JSON template from existing us-east-1 region, replaced all the us-east-1 with us-east-2 and started creating the stack but getting errors saying "Resource creation cancelled", specifically for all the EC2 instances
A snapshot of the template (only EC2 instance):
"instancei071dd59b": {
"Type": "AWS::EC2::Instance",
"Properties": {
"DisableApiTermination": "false",
"InstanceInitiatedShutdownBehavior": "stop",
"ImageId": "ami-1a41b377",
"InstanceType": "t2.medium",
"KeyName": "MyServer",
"Monitoring": "false",
"Tags": [
{
"Key": "MyServer OS",
"Value": "Windows Server"
},
{
"Key": "Name",
"Value": "MyServer_WEB_TEST_2"
}
],
"Volumes": [
{
"Device": "xvdb",
"VolumeId": {
"Ref": "volumevol9124b841"
}
}
],
"NetworkInterfaces": [
{
"DeleteOnTermination": "true",
"DeviceIndex": 0,
"SubnetId": {
"Ref": "subnet24031c0f"
},
"PrivateIpAddresses": [
{
"PrivateIpAddress": "172.31.53.184",
"Primary": "true"
}
],
"GroupSet": [
{
"Ref": "sgMyServerWEB"
}
],
"AssociatePublicIpAddress": "true"
}
]
}
},
"volumevol9124b841": {
"Type": "AWS::EC2::Volume",
"Properties": {
"AvailabilityZone": "us-east-2b",
"Size": "30",
"SnapshotId": "snap-95288b92",
"VolumeType": "gp2"
}
}
Before going with cloudformation template you will need to make sure you have following things in place :
Move your instance AMI to us-east-2 region then replace the snapshot id and AMI id in your template
Create a security group replace the security group id in your template
Replace subnet ID in your CF template with the one in us-east-2 region
The reason you will have to do this is every resource on AWS has unique IDs which cannot be replicated, if you want to replicate same you will need different Ids for that you need to create seperate resources and use them in your template.
If your doing this for a single instance only then you might do it manually by exporting AMI to us-east-2 region.
For collecting AMI ID in different region, I'd recommend to use the image name instead the AMI ID as the key.
To build resources to be placed in different regions, definitely is better to use CloudFormation. In this case you can use the lambda cli2cloudformation (https://github.com/lucioveloso/cli2cloudformation).
Using it, you can get the AMI ID across all regions and whatever other information that you are able to get using CLI.
To collect the AMI ID, create a lambda with cli2cloudformation and inside your template, create a custom resource as bellow:
"imageIdNameBased": {
"Type": "Custom::cli2cfnLambda",
"Properties": {
"ServiceToken": "arn:aws:lambda:eu-west-1:123456789012:function:cli2cfnLambda",
"CliCommandCreate": "ec2 describe-images --filters 'Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2' --query 'Images[0]'"
}
}
In this case, I'm getting the AMI ID to the Image named 'amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2'. You can change to your image name.
After that, you can retrieve it in any point of your CloudFormation stack.
"Fn::GetAtt" : ["imageIdNameBased", "ImageId"]