I am trying to launch a stack via AWS CloudFormation using these provided sample stack(s) for WAF:
https://s3.amazonaws.com/solutions-reference/aws-waf-security-automations/latest/aws-waf-security-automations.template
https://s3.amazonaws.com/cloudformation-examples/community/common-attacks.json
I want to launch these stacks in us-east-1 region and I am doing so by going to this URL :
https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new
Still, when the WAF ACL and rules are created they are part of Global (CloudFront) instead of the us-east-1 region. I have tried this a few times and it works like this.
To launch these stacks in a specific region do I need to do something more?
AWS now provides two CloudFormation templates. One for CloudFront (Global) and the other for ELB (Regional).
https://aws.amazon.com/answers/security/aws-waf-security-automations/
I'm attempting to achieve the following through CloudFormation.
From a stack created in EU region I want to create (and verify) a public certificate against Route53 in US-EAST-1 due to using Cloudfront. Aiming to have zero actions performed in the console or AWS CLI.
The new CloudFormation support for ACM was a little sketchy last week but seems to be working now.
Certificate
Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub "${Env}.domain.cloud"
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Sub "${Env}.domain.cloud"
          HostedZoneId: !Ref HostedZoneId
All I need to do is use CloudFormation to deploy this into the US-EAST-1 region from a stack in a different region. Everything else is ready for this.
I thought that using CodePipeline's cross-region support would be great, so I started to look into [this documentation][1]. After setting things up in my template I met the following error message:
An error occurred while validating the artifact bucket {...} The bucket named is not located in the `us-east-1` AWS region.
To me this makes no sense, as it seems that you already need at least a couple of resources to exist in the target region for it to work. Cart before the horse kind of behavior. To test this I created an artifact bucket in the target region by hand and things worked fine, but that requires using the CLI or the console when I'm aiming for a CloudFormation-based solution.
Note: I'm running out of time to write this so I'll update it when I can in a few hours' time. Any help before I can do that would be great though.
Sadly, that's required for cross-region CodePipeline. From docs:
When you create or edit a pipeline, you must have an artifact bucket in the pipeline Region and then you must have one artifact bucket per Region where you plan to execute an action.
If you want to fully automate this through CloudFormation, you either have to use a custom resource to create buckets in all the regions in advance, or look at stack sets to deploy one template with a bucket in multiple regions.
p.s.
Your link does not work, thus I'm not sure if you refer to the same documentation page.
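The custom-resource route the answer mentions, written out as an added example (not code from the question or the answer): a Lambda function that a stack in eu-west-1 can invoke through a Custom:: resource to request the certificate in us-east-1, publish the DNS validation CNAME in the Route53 hosted zone, and hand the ARN back to CloudFormation. The property names DomainName and HostedZoneId mirror the YAML above; the custom prefix-free client_factory and opener parameters are assumptions that let the handler run without AWS access, and boto3 is only imported inside _boto_client.

```python
"""Custom-resource Lambda: request an ACM certificate in us-east-1 on behalf of
a stack that lives in another region. Added example, not the thread's own code."""
import json
import time
import urllib.request

CERT_REGION = "us-east-1"  # CloudFront only serves certificates issued in this region


def _boto_client(service, region):
    import boto3  # assumed present in the Lambda runtime; imported lazily so tests need not have it
    return boto3.client(service, region_name=region)


def send_response(event, status, data, physical_id, opener=urllib.request.urlopen):
    """PUT the outcome to the pre-signed S3 URL CloudFormation placed in the event."""
    body = json.dumps({
        "Status": status,
        "Reason": data.get("Reason", "see CloudWatch Logs"),
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data,
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    opener(req)


def validation_record(acm, cert_arn, attempts=10, delay=2.0):
    """ACM fills in the DNS validation CNAME a few seconds after the request."""
    for _ in range(attempts):
        cert = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]
        opts = cert.get("DomainValidationOptions") or []
        record = opts[0].get("ResourceRecord") if opts else None
        if record:
            return record
        time.sleep(delay)
    raise RuntimeError("ACM did not publish a validation record for %s" % cert_arn)


def create_certificate(acm, route53, domain_name, hosted_zone_id):
    """Request the certificate and publish its validation CNAME; returns the ARN."""
    cert_arn = acm.request_certificate(DomainName=domain_name,
                                       ValidationMethod="DNS")["CertificateArn"]
    record = validation_record(acm, cert_arn)
    route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
            "Name": record["Name"], "Type": record["Type"], "TTL": 300,
            "ResourceRecords": [{"Value": record["Value"]}]}}]})
    return cert_arn


def handler(event, context=None, client_factory=_boto_client, opener=urllib.request.urlopen):
    props = event["ResourceProperties"]
    physical_id = event.get("PhysicalResourceId", "none")
    try:
        acm = client_factory("acm", CERT_REGION)
        if event["RequestType"] == "Delete":
            if physical_id.startswith("arn:"):  # a failed Create has no certificate to remove
                acm.delete_certificate(CertificateArn=physical_id)
            data = {}
        else:
            # Create, or Update: certificates are immutable, so a new one is requested and
            # the new ARN becomes the physical id; CloudFormation then sends Delete for the old one.
            route53 = client_factory("route53", "us-east-1")  # Route53 is a global service
            physical_id = create_certificate(acm, route53, props["DomainName"],
                                             props["HostedZoneId"])
            data = {"CertificateArn": physical_id}
        send_response(event, "SUCCESS", data, physical_id, opener)
        return data
    except Exception as exc:  # always answer, or the stack waits an hour for the resource
        send_response(event, "FAILED", {"Reason": str(exc)}, physical_id, opener)
        raise
```

The certificate is returned as soon as the validation record exists, not once ACM has issued it; a CloudFront distribution in the same stack still has to wait for the status to become ISSUED, so either poll for that in the handler (watch the Lambda timeout) or keep the distribution in a later deployment step. The Lambda role needs acm:RequestCertificate, acm:DescribeCertificate, acm:DeleteCertificate and route53:ChangeResourceRecordSets on the zone, and nothing more.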
As per the AWS CloudFormation documentation, it is mentioned that CloudFormation automatically provides stack-level tags to resources:
aws:cloudformation:logical-id
aws:cloudformation:stack-id
aws:cloudformation:stack-name
I could see that for resources like EC2, S3, etc.
But when it comes to EMR I couldn't see those tags. I need the aws:cloudformation:stack-id tag value, so that I can later identify the stackId without any hassle.
Isn't it supported for EMR?
If not, what could be a workaround? I need to add the CF stackId, using which I can easily identify the stack for other use.
Note: `aws cloudformation describe-stack-resources --physical-resource-id j-XXXXXXXXXXX` is not an option to get the stackId because of not having enough IAM policies.
How I'm creating the EMR cluster: I have one lambda which invokes CloudFormation using boto3, which then creates the cluster.
I checked that on my EMR cluster and CloudFormation. You are correct. Tags are nowhere to be seen.
Could be oversight on AWS part, as they explicitly write in the docs that only EBS volumes don't have such tags:
All stack-level tags, including automatically created tags, are propagated to resources that AWS CloudFormation supports. Currently, tags are not propagated to Amazon EBS volumes that are created from block device mappings.
The only workaround I can think of is to "manually" create such tags, e.g. using custom resources. Or as you are already using lambda, do it in your lambda after EMR cluster creation.
I want to deploy a lambda function in us-east-1 region by using a cloudformation stack which is in eu-west-1 region. I don't want to use custom resource. So is there any way to do this using some property or except custom resource (custom resource will be my last option).
Do you want to deploy the same stack in a different region?
Or do you want to deploy a stack in another region which will be reusing some resources from another stack?
You need to upload your functions to an S3 bucket and then create a stack for each region to deploy the same function from S3 inside each region. Also, you can upload the CloudFormation template to an S3 bucket, then from the AWS CLI deploy it in all the regions where you need the functions.
I'm trying to understand the behavior of CloudFormation with respect to applying tags to the resources it creates.
As per their documentation - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html
In addition to any tags you define, AWS CloudFormation automatically creates the following stack-level tags with the prefix aws::
aws:cloudformation:logical-id
aws:cloudformation:stack-id
aws:cloudformation:stack-name
I created a DynamoDB table from CloudFormation, visited the DynamoDB console, selected the tags tab and couldn't find any specific tag being added. I also did not find the aws:cloudformation:logical-id tag being added.
I then tried to create a S3 bucket using CloudFormation. That seems to work and I was able to visit the S3 console and find the aws:cloudformation:logical-id tag for the S3 bucket.
Is this some kind of inconsistency? Is there any specific documentation I can follow to find the list of AWS resources to which CloudFormation applies the tags prefixed with aws: as mentioned in the documentation?
Any help would be appreciated. Thanks!
I've had to recently contact AWS Enterprise support about this.
Commonly requested services that aren't receiving tags from CloudFormation include:
DynamoDB
Elasticache
IAM resources
ECS clusters
Cloudfront distributions
Glue jobs
SQS
Firehose Delivery stream
There is an internal feature request open, however their suggested action was to just manually tag the resources.
Do you have any other resource besides DynamoDB in the same CFT? If yes, is that resource getting tagged by CF?
If you do not have any other resource, you may add an EC2 instance resource to validate if this is a resource specific issue or a template wide issue.
From what you posted, it seems that the stack creation is successful. Though it sounds silly, you may try once with the CLI:
aws cloudformation create-stack --stack-name Name-of-your-stack --template-body file://your_template.json --tags Key=Name,Value=Your_Tag_Value --profile default --region region --capabilities CAPABILITY_NAMED_IAM
You can skip --capabilities CAPABILITY_NAMED_IAM if you do not have IAM resources in your CFT.
I have never experienced any issues tagging through CF; you may want to check these sample templates.
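The "manually tag the resources" workaround suggested in both the EMR thread and this one, written out as an added example (not code from either thread): it rebuilds the three stack-level tags CloudFormation would have applied and pushes them onto an EMR cluster or a DynamoDB table with the services' own tagging calls. The aws: prefix is reserved by AWS and rejected on user-created tags, so the example uses an assumed cfn: prefix instead; the stack ARN is assumed to come from the StackId that create_stack returns to the Lambda, or from a custom resource event, and the client objects are passed in so the logic runs without AWS credentials.

```python
"""Re-create CloudFormation's stack-level tags for services that do not receive
them (EMR, DynamoDB and the others listed in the answer above).
Added example, not code from the original thread."""

RESERVED_PREFIX = "aws:"  # AWS rejects user tags whose key starts with this
PREFIX = "cfn:"           # assumed custom prefix; pick one your tagging policy allows


def stack_name_from_arn(stack_id):
    """arn:aws:cloudformation:REGION:ACCOUNT:stack/NAME/UUID -> NAME"""
    fields = stack_id.split(":", 5)
    parts = fields[5].split("/") if len(fields) == 6 else []
    if len(parts) != 3 or parts[0] != "stack":
        raise ValueError("not a CloudFormation stack ARN: %s" % stack_id)
    return parts[1]


def stack_tags(stack_id, logical_id, extra=None):
    """The three tags CloudFormation normally adds (stack-id is the full ARN), plus extras."""
    tags = {
        PREFIX + "logical-id": logical_id,
        PREFIX + "stack-id": stack_id,
        PREFIX + "stack-name": stack_name_from_arn(stack_id),
    }
    for key, value in (extra or {}).items():
        if key.lower().startswith(RESERVED_PREFIX):
            raise ValueError("tag key %r uses the reserved aws: prefix" % key)
        tags[key] = value
    return tags


def as_tag_list(tags):
    """Most tagging APIs take [{'Key': ..., 'Value': ...}]."""
    return [{"Key": k, "Value": v} for k, v in sorted(tags.items())]


def tag_emr_cluster(emr, cluster_id, tags):
    """EMR tags are keyed by cluster id (the j-... value), not by ARN."""
    emr.add_tags(ResourceId=cluster_id, Tags=as_tag_list(tags))
    return cluster_id


def tag_dynamodb_table(dynamodb, table_arn, tags):
    """DynamoDB tags are keyed by the table ARN."""
    dynamodb.tag_resource(ResourceArn=table_arn, Tags=as_tag_list(tags))
    return table_arn


if __name__ == "__main__":
    import boto3  # only needed for a real run
    # Constructed placeholder values; substitute the StackId returned by create_stack.
    stack_id = "arn:aws:cloudformation:eu-west-1:111122223333:stack/emr-demo/00000000-0000-0000-0000-000000000000"
    tag_emr_cluster(boto3.client("emr", region_name="eu-west-1"), "j-XXXXXXXXXXX",
                    stack_tags(stack_id, "Cluster", {"Owner": "data-team"}))
```

Whatever calls this needs emr:AddTags or dynamodb:TagResource on the target resource only, which is a far smaller grant than the cloudformation:DescribeStackResources the question could not get; the stack-id tag then lets anyone with read access on the cluster recover the owning stack.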
I have a CloudFormation template that creates an AWS::ElasticBeanstalk::Environment and an AWS::ElasticLoadBalancingV2::TargetGroup
I would like to associate the AutoScalingGroup that beanstalk creates with the TargetGroup created in my template.
My end goal is doing path-based routing via an ALB to a bunch of beanstalk applications from a single domain (i.e., www.domain.com/foo routes to ebapp1 and www.domain.com/bar routes to ebapp2)
I can actually accomplish what I wish via the CLI:
aws autoscaling attach-load-balancer-target-groups --auto-scaling-group-name "<asg-name>" --target-group-arns "<arn-for-target-group>"
However, I would like to have this association created automatically when I launch my new beanstalk environment via CloudFormation.
I am having trouble figuring out how to translate this into my CloudFormation template. Any pointers?
Your CLI command is related to AWS::AutoScaling::AutoScalingGroup, and if you want to get the same result as your CLI command you can use the TargetGroupARNs parameter on AWS::AutoScaling::AutoScalingGroup.
Use the Ref function to get the value of the target group ARN parameter.
If this is not what you need, and if your command really works, you can call it using UserData or metadata in an instance that you have created in your template to run your CLI command.