I wish to keep instance type / VPC etc private for users using my cloudformation script. Does anyone know of a way to hide these parameters during the stack creation wizard?
I know echo keeps the values private, but is there a way for it all to not be displayed on screen.
Ideally it would ask for Stack name and the rest of the page would be blank.
For sensitive parameter values (such as passwords), set the NoEcho property to true. That way, whenever anyone describes your stack, the parameter value is shown as asterisks (*****).
Although in your case, this cannot prevent the user of checking the instance type inside their respective tabs. Probably is a better idea to restrict the access of users to confidential information using IAM policies.
You can use cloud formation macro do such thing, Macro will help you to transform your template at runtime.
https://github.com/awslabs/aws-cloudformation-templates/tree/master/aws/services/CloudFormation/MacrosExamples/Public-and-Private-Subnet-per-AZ
Related
Is there any way to enforce the addition of labels while creating resources? If not, is there a way to automatically label resources when creating said resources in GCP?
My use case: I need this to investigate the price in Data Studio.
Thanks.
No, you can't enforce any one to put labels on resources on GCP (same for projects). BUT you can enforce TAG automatically by inheritance. (You can't oblige a user to use them, but, by default there is a tag).
The TAG are still in preview and were named "label next gen" during the Alpha period. So, you can use them like labels, but you can enforce authorization on them (who can up view/update/delete them). This feature is very interesting because today, anyone with admin/owner roles can update/change/delete labels and you lost the control and the monitoring of your resources.
You can also put IAM condition on them and enforce organization policies accordingly.
You can't enforce users to do so. However you can:
Create a log sink if a resource is created
Use that log sink to call a cloud function that will create an alert or give a default label
If you use infrastructure as code for example Terraform, you can put a CI/CD job that will check if a label is placed, and if not reject the PR.
Using serverless to deploy to AWS.
I created a Cognito user pool via serverless then realised I wanted to change it's attributes.
I couldn't deploy because you can't update attributes on an existing user pool.
"No problem - I'll just delete it and make it again" I thought. So I did.
But I had created two Outputs that referencing Client ID and Pool ID so now I get this:
Export alpha-UserPoolId cannot be deleted as it is in use by alpha-Stack
I can't see any way to remove theese references manually via the AWS console.
Anyone know what I can do to remove these dead references?
There's no option to manually remove an Output and I tried editing the template but it didn't seem to actually do anything.
Thanks
[EDIT: Check comments for full details on solution]
You have to edit the importing stack to not rely on these values, afterwards you can remove them.
As long as there is an Fn::ImportValue somewhere, it won't let you delete the export.
From the docs:
The following restrictions apply to cross stack references
...
You can't delete a stack if another stack references one of its outputs.
You can't modify or remove an output value that is referenced by another stack.
Beginning with a new stack I get the error message as in the title.
I am using SAM, and I am confused, why it wants to update the macro.
I thought, this macro is provided by aws and I wonder why it is requesting to modify it.
My template spins up a lambda, a database and a REST api, but does even try to touch existing macros.
My template did contain the TableName tag for a DynamoDb.
As I am aware, named tables cannot be updated, if resource replacement required. I was not trying to do updates on that resource though.
The table existed before I cloudformed that new stack though.
So say my request url to get all the Users at Location 4 is something like
./Location/Users?locationId=4 or ./Location/Users/4
but we would of course prefer to structure the request url like this:
./Location/4/Users
however, every single AWS help document and help question I can find on here uses the first syntax, so I am unsure how to proceed. It seems like there should be a way to do this, as it is a very common design pattern, but AWS seems to lock you in to only being able to append to the ./Users path instead of being able to prepend the argument.
To be clear, the first request syntax is working, but I'm not sure how to adjust the syntax to a more industry-standard way of doing it since embedding the parameter in the middle of the url instead of at the end would fundamentally change the Amazon Resource Name.
There's probably something simple that I'm missing here though.
Api gateway indeed supports URl like Location/{locationId}/Users. You first need to create locationId as a child resource and then create users as a child resource under that.
Steps
Click Location, and goto actions and click create resource.
fill the details of your new resource
resource name - give a meaningful name
resource path - {locationId}
repeat the same to add Users under LocationId
I tried to create new AWS key pairs and the option to create disappeared
Does anyone know why?
It would be worth checking the IAM permissions associated with the User who is trying to create the key pair. Contact the Administrator (presumably you?) and investigate. I would suggest creating a Group with Permissions and adding them to that.
I performed an experiment and added aDeny policy to my IAM User that prevented me from being able to create a keypair.
I then tried to launch an instance and the option to create a keypair (in the dialog box you show above) was still available. So, the display does not vary according to permissions.
Therefore, something else is causing your situation. I would recommend trying it in a different browser. Also, check the underlying HTML to see whether the option is coded on the web page. Something is causing it to disappear.