I'm using AWS CloudFormation, and I could not find any information about this in the documentation. When I use CloudFormation with the AWS CLI, is the information sent to AWS encrypted?
Regards.
The information is sent over HTTPS, so the communication between your client and AWS servers is secure. On the other hand, if you are providing sensitive information with parameters, you can enable the NoEcho parameter property to prevent them from being displayed in the AWS Console. The NoEcho property is set to true to prevent describe stack calls, such as the aws cloudformation describe-stacks AWS CLI command, from returning the parameter value:
"Parameters" : {
  "DBPort" : {
    "Default" : "3306",
    "Description" : "TCP/IP port for the database",
    "Type" : "Number",
    "MinValue" : "1150",
    "MaxValue" : "65535"
  },
  "DBPwd" : {
    "NoEcho" : "true",
    "Description" : "The database admin account password",
    "Type" : "String",
    "MinLength" : "1",
    "MaxLength" : "41",
    "AllowedPattern" : "[a-zA-Z0-9]*"
  }
}
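A small template check that turns the NoEcho advice above into something you can run before deploying. This is an added example in Python, not code from the question or answer: it loads a constructed sample template (the names MainDB, LegacyDB, AdminToken and the regular expression of secret-looking names are assumptions for the example), reports secret-bearing parameters that do not set NoEcho, and also reports resource properties such as MasterUserPassword that carry a literal string instead of a Ref to a NoEcho parameter, since a literal in the template body is returned by get-template regardless of NoEcho.

```python
import json
import re

# Constructed sample template for this example (not the original post's template):
# DBPwd sets NoEcho as the answer recommends, AdminToken does not, and LegacyDB
# embeds its master password as a literal instead of referencing a NoEcho parameter.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Parameters": {
    "DBPort": {"Type": "Number", "Default": "3306"},
    "DBPwd": {"NoEcho": "true", "Type": "String", "MinLength": "1"},
    "AdminToken": {"Type": "String"}
  },
  "Resources": {
    "MainDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"MasterUsername": "admin", "MasterUserPassword": {"Ref": "DBPwd"}}
    },
    "LegacyDB": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"MasterUsername": "sa", "MasterUserPassword": "password"}
    }
  }
}
""")

# Name fragments that usually mark a secret-bearing parameter or property (assumed list).
SENSITIVE_NAME = re.compile(r"password|passwd|pwd|secret|token|apikey", re.IGNORECASE)


def is_noecho(param_spec):
    """NoEcho may be written as a JSON boolean or as the string "true"."""
    value = param_spec.get("NoEcho", False)
    return value is True or str(value).lower() == "true"


def find_unmasked_parameters(template):
    """Parameters whose names look secret-bearing but do not set NoEcho."""
    return [
        name for name, spec in template.get("Parameters", {}).items()
        if SENSITIVE_NAME.search(name) and not is_noecho(spec)
    ]


def find_literal_secrets(template):
    """Resource properties with secret-looking names whose value is a literal
    string rather than an intrinsic such as {"Ref": "..."}."""
    findings = []
    for res_name, res in template.get("Resources", {}).items():
        for prop, value in res.get("Properties", {}).items():
            if SENSITIVE_NAME.search(prop) and isinstance(value, str):
                findings.append(f"{res_name}.{prop}")
    return findings


if __name__ == "__main__":
    print("Parameters missing NoEcho:", find_unmasked_parameters(SAMPLE_TEMPLATE))
    print("Literal secrets in resources:", find_literal_secrets(SAMPLE_TEMPLATE))
```

Run it against your own template by replacing SAMPLE_TEMPLATE with json.load of the file; the two functions return plain lists, so they slot into a CI step that fails the build on any finding.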
Is it possible to pass a list of email addresses as the endpoint for an SNS subscription?
I've got something like this
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources" : {
    "EmailSNSTopic": {
      "Type" : "AWS::SNS::Topic",
      "Properties" : {
        "DisplayName" : "${display_name}"
      }
    },
    "MySubscription": {
      "Type": "AWS::SNS::Subscription",
      "Properties": {
        "TopicArn" : { "Ref" : "EmailSNSTopic" },
        "Endpoint" : "foo#foo.com",
        "Protocol" : "email"
      }
    }
  },
  "Outputs" : {
    "ARN" : {
      "Description" : "Email SNS Topic ARN",
      "Value" : { "Ref" : "EmailSNSTopic" }
    }
  }
}
But what I'd like to do is pass a number of email addresses instead of just one.
As per the documentation, Endpoint should be a string. CloudFormation doesn't allow you to pass a list.
You don't want to have a custom resource as well. There is one more way: Running bash commands in AWS CloudFormation templates.
You just run an awscli command like below:
Resources:
  Command:
    Type: 'AWSUtility::CloudFormation::CommandRunner'
    Properties:
      Command: aws s3 ls > /command-output.txt
      Role: String
      LogGroup: String # Optional
      SubnetId: String # Optional
      SecurityGroupId: String # Optional
      KeyId: String # Optional
I don't think it is possible using native syntax.
You might want to try an AWS CloudFormation custom resource and pass the list to a Lambda for execution one by one.
I'm trying to create a CloudFormation template that'll deploy a Lambda function, and I need the security options to be optional parameters.
I was able to partially accomplish this using the question here:
How to make a whole object in CloudFormation templates optional?
Interestingly, that method worked great to make the VpcConfig property optional in the AWS GUI Console, but it did NOT work to make it optional for the CLI. And unfortunately, I need it to work in the CLI, since I'll be using CodeBuild to call and deploy this template's resources.
Here are the relevant parameters:
"SecurityGroupIds" : {
  "Type" : "CommaDelimitedList",
  "Description" : "A list of one or more security groups IDs in the VPC that includes the resources to which your Lambda function requires access."
},
"SubnetIds" : {
  "Type" : "CommaDelimitedList",
  "Description" : "A list of one or more subnet IDs in the VPC that includes the resources to which your Lambda function requires access."
}
And conditions:
"HasVPC": {
  "Fn::And": [
    {"Fn::Not": [{"Fn::Equals": [{"Fn::Join": ["", {"Ref": "SubnetIds"}]}, ""]}]},
    {"Fn::Not": [{"Fn::Equals": [{"Fn::Join": ["", {"Ref": "SecurityGroupIds"}]}, ""]}]}
  ]
}
And here's where that condition is used in the Lambda resource being defined in the Resources section of the template:
"VpcConfig": {
  "Fn::If": [
    "HasVPC",
    {
      "SecurityGroupIds" : {"Ref": "SecurityGroupIds"},
      "SubnetIds" : {"Ref": "SubnetIds"}
    },
    { "Ref":"AWS::NoValue" }
  ]
},
When I issue the command to deploy this stack in the CLI, I get the following error:
An error occurred (ValidationError) when calling the CreateChangeSet
operation: Parameters: [SecurityGroupIds, SubnetIds] must have values
Here's the AWS CLI command I'm issuing, from the same directory in which the template is located. Note: the ARN values have all been heavily modified to not be real values from my account, but I kept them in the right format so you can see the real format of the command:
aws cloudformation deploy --template-file lambda-template.json --stack-name "CLI-lambda-stack" --parameter-overrides S3BucketName="myBucket" S3FileLocation="lambda_function.zip" S3ObjectVersion="ZuB0iueEghOyh5q00.DiykLNudujdsc5" DeadLetterArn="arn:aws:sns:us-west-2:577898337216:CloudFormationTests" EnvironmentVariable="testing" KmsKeyArn="arn:aws:kms:us-west-2:504398934246:key/b24e7b72-a94d-6a3e-b848-165115c86212" HandlerFunctionName="lambda_function.lambda_handler" MemorySize="128" Role="arn:aws:iam::102893937243:role/serverless-test-default-us-east-1-lambdaRole" FuncName="myCLILambda"
You are not providing default values for SecurityGroupIds or SubnetIds, and you are not providing them in your --parameter-overrides either. Therefore, CloudFormation doesn't know how to process them if no values are provided.
Adding the Default statement should do the trick:
{
  "Parameters" : {
    "SecurityGroupIds" : {
      "Type" : "CommaDelimitedList",
      "Description" : "A list of one or more security groups IDs in the VPC that includes the resources to which your Lambda function requires access.",
      "Default" : ""
    },
    "SubnetIds" : {
      "Type" : "CommaDelimitedList",
      "Description" : "A list of one or more subnet IDs in the VPC that includes the resources to which your Lambda function requires access.",
      "Default" : ""
    }
  }
}
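To see why the empty Default makes the HasVPC condition resolve to false and drop VpcConfig, here is an added Python example (not from the question, the answer, or AWS) that reproduces the relevant CloudFormation evaluation offline: it merges --parameter-overrides with Defaults, reports parameters that would trigger the "must have values" error, splits CommaDelimitedList values, and evaluates the Ref, Fn::Join, Fn::Equals, Fn::Not, Fn::And and Fn::If intrinsics used by the template. The trimmed template, the FuncName parameter and the Func resource name are constructed for this example.

```python
import json

# Constructed template excerpt (not the full file from the question): the two
# CommaDelimitedList parameters with empty Defaults, the HasVPC condition, and a
# Lambda resource whose VpcConfig is wrapped in Fn::If.
TEMPLATE = json.loads(r"""
{
  "Parameters": {
    "FuncName": {"Type": "String"},
    "SecurityGroupIds": {"Type": "CommaDelimitedList", "Default": ""},
    "SubnetIds": {"Type": "CommaDelimitedList", "Default": ""}
  },
  "Conditions": {
    "HasVPC": {"Fn::And": [
      {"Fn::Not": [{"Fn::Equals": [{"Fn::Join": ["", {"Ref": "SubnetIds"}]}, ""]}]},
      {"Fn::Not": [{"Fn::Equals": [{"Fn::Join": ["", {"Ref": "SecurityGroupIds"}]}, ""]}]}
    ]}
  },
  "Resources": {
    "Func": {"Type": "AWS::Lambda::Function", "Properties": {
      "FunctionName": {"Ref": "FuncName"},
      "VpcConfig": {"Fn::If": ["HasVPC",
        {"SecurityGroupIds": {"Ref": "SecurityGroupIds"}, "SubnetIds": {"Ref": "SubnetIds"}},
        {"Ref": "AWS::NoValue"}]}
    }}
  }
}
""")

NO_VALUE = object()  # sentinel standing in for AWS::NoValue


def missing_parameters(template, overrides):
    """Parameters that have neither an override nor a Default (the CLI's
    'Parameters: [...] must have values' error lists exactly these)."""
    return [
        name for name, spec in template.get("Parameters", {}).items()
        if name not in overrides and "Default" not in spec
    ]


def resolve_parameters(template, overrides):
    """Merge overrides with Defaults; CommaDelimitedList values become lists."""
    missing = missing_parameters(template, overrides)
    if missing:
        raise ValueError(f"Parameters: {missing} must have values")
    values = {}
    for name, spec in template["Parameters"].items():
        raw = overrides.get(name, spec.get("Default"))
        if spec.get("Type") == "CommaDelimitedList":
            raw = [s.strip() for s in raw.split(",")] if raw else []
        values[name] = raw
    return values


def evaluate(node, params, conditions):
    """Recursively evaluate the intrinsic functions this template uses."""
    if isinstance(node, list):
        return [evaluate(n, params, conditions) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Ref":
            return NO_VALUE if arg == "AWS::NoValue" else params[arg]
        if key == "Fn::Join":
            delimiter, items = arg
            return delimiter.join(evaluate(items, params, conditions))
        if key == "Fn::Equals":
            left, right = evaluate(arg, params, conditions)
            return left == right
        if key == "Fn::Not":
            return not evaluate(arg[0], params, conditions)
        if key == "Fn::And":
            return all(evaluate(a, params, conditions) for a in arg)
        if key == "Fn::If":
            cond_name, if_true, if_false = arg
            chosen = if_true if evaluate(conditions[cond_name], params, conditions) else if_false
            return evaluate(chosen, params, conditions)
    resolved = {}
    for prop, value in node.items():
        result = evaluate(value, params, conditions)
        if result is not NO_VALUE:  # AWS::NoValue removes the property entirely
            resolved[prop] = result
    return resolved


def render_properties(template, overrides, resource):
    """Resolve one resource's Properties as CloudFormation would for these inputs."""
    params = resolve_parameters(template, overrides)
    props = template["Resources"][resource]["Properties"]
    return evaluate(props, params, template.get("Conditions", {}))


if __name__ == "__main__":
    print(render_properties(TEMPLATE, {"FuncName": "myCLILambda"}, "Func"))
```

With only FuncName overridden, both lists default to "" so Fn::Join yields "", the Fn::Equals checks are true, HasVPC is false and VpcConfig disappears from the rendered properties; supplying only one of the two lists still leaves HasVPC false because of the Fn::And, which is the behaviour the condition in the question encodes.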
Any suggestions why this AWS CloudFormation keeps rolling back?
{
  "Description" : "Single Instance",
  "Resources" : {
    "EC2Instance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "ImageId" : "ami-b73b63a0",
        "InstanceType" : "t2.micro",
        "KeyName" : "aws-key-here",
        "Tags" : [
          {
            "Key" : "Name",
            "Value" : "test"
          }
        ],
        "SubnetId" : {
          "Fn::Select" : [ "0", { "Ref" : "Subnets" } ]
        }
      }
    }
  },
  "Parameters": {
    "Subnets": {
      "Type": "List<AWS::EC2::Subnet::Id>",
      "Description": "The list of SubnetIds, for at least two Availability Zones in the region in your Virtual Private Cloud (VPC)"
    }
  }
}
The specific error seems to be about the Subnets Ref:
Parameter validation failed: parameter value for parameter name Subnets does not exist. Rollback requested by user.
I have already created 1 valid Subnet in my AWS Management Console and tested that it works when spinning up an EC2 Instance manually.
Or is there a way of debugging this / getting more detailed output?
The Subnets Parameter in your template has a type List<AWS::EC2::Subnet::Id>, which requires a reference to a list of valid Subnet IDs. The error you are seeing means that you passed at least one invalid Subnet ID to the Subnet parameter.
If you're deploying your stack from the AWS CLI using aws cloudformation create-stack, you need to pass a valid parameter value using the --parameters ParameterKey=Subnets,ParameterValue=subnet-12345678 option.
If you're deploying from the Management Console, you need to specify stack parameters using the provided dialog, and select a Subnet ID from the drop-down list.
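A pre-flight check for the CLI path described above, added here as a Python example (it is not part of the question or answers and does not call AWS): it parses --parameters items in the ParameterKey=...,ParameterValue=... shorthand, including the backslash-escaped commas the CLI uses for list values, and checks each value against the well-formedness rules of the AWS-specific parameter types before a create-stack is attempted. The ID patterns, the small TEMPLATE_PARAMETERS block and the function names are assumptions made for the example.

```python
import re

# Constructed parameter block in the shape of the question's template, plus a key
# pair parameter to show a type this check cannot validate by format alone.
TEMPLATE_PARAMETERS = {
    "Subnets": {"Type": "List<AWS::EC2::Subnet::Id>"},
    "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"},
    "InstanceType": {"Type": "String", "Default": "t2.micro"},
}

# Format of the resource IDs these parameter types accept (assumed patterns: an
# 8- or 17-character hex suffix, which is the form EC2 resource IDs take).
ID_PATTERNS = {
    "AWS::EC2::Subnet::Id": re.compile(r"^subnet-[0-9a-f]{8}(?:[0-9a-f]{9})?$"),
    "AWS::EC2::SecurityGroup::Id": re.compile(r"^sg-[0-9a-f]{8}(?:[0-9a-f]{9})?$"),
    "AWS::EC2::VPC::Id": re.compile(r"^vpc-[0-9a-f]{8}(?:[0-9a-f]{9})?$"),
}


def parse_shorthand(item):
    """Parse one --parameters item such as
    'ParameterKey=Subnets,ParameterValue=subnet-1\\,subnet-2' into (key, value)."""
    fields = {}
    for part in re.split(r"(?<!\\),", item):  # split only on unescaped commas
        name, _, value = part.partition("=")
        fields[name] = value.replace("\\,", ",")
    return fields["ParameterKey"], fields["ParameterValue"]


def validate_value(param_type, value):
    """Return the problems found in `value` for a CloudFormation parameter type."""
    is_list = param_type.startswith("List<") and param_type.endswith(">")
    element_type = param_type[5:-1] if is_list else param_type
    pattern = ID_PATTERNS.get(element_type)
    if pattern is None:
        return []  # String, Number, KeyPair::KeyName ...: no format rule known here
    elements = value.split(",") if is_list else [value]
    return [
        f"{element!r} is not a well-formed {element_type}"
        for element in elements
        if not pattern.match(element)
    ]


def preflight(template_parameters, cli_items):
    """Map parameter name -> list of problems for the given --parameters items."""
    supplied = dict(parse_shorthand(item) for item in cli_items)
    report = {}
    for name, spec in template_parameters.items():
        if name not in supplied:
            if "Default" not in spec:
                report[name] = ["no value supplied and no Default"]
            continue
        problems = validate_value(spec["Type"], supplied[name])
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    items = ["ParameterKey=Subnets,ParameterValue=subnet-0a1b2c3d\\,my-subnet",
             "ParameterKey=KeyName,ParameterValue=mykey"]
    print(preflight(TEMPLATE_PARAMETERS, items))
```

This catches a malformed or human-readable value (a subnet name instead of an ID) before CloudFormation rolls the stack back, but it is a format check only: whether the subnet or key pair exists in the account and region the CLI is currently pointed at, the cause in the two answers that follow, can only be confirmed by querying that account (for example with aws ec2 describe-subnets).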
I faced the same problem. In my case I created the key with the name "mykey" in the Mumbai region. But when I actually started creating a CloudFormation infrastructure I changed the region to US-East. In my CloudFormation infrastructure I provided the name of the key as "mykey". The problem was that the key "mykey" had been created in the Mumbai region.
Hence I created the key once again in the "US-East" region and my problem vanished.
Regards
Hitesh
In my case it was a problem with the credentials (secret key and access key). My default values were those of another account, and I was trying to create a stack in the wrong account.
I use a CloudFormation template to deploy an instance to the environment. I want the template to pick up the default EC2 instance profile for the instance which is something like "arn:aws:iam::12345678910:role/EC2InstanceProfile-InstanceRole-14F2A0ATJNUO1"
I would like to use the same template for every AWS account I have. However, the problem is that the instance profile name is different in every account. A randomly generated suffix is attached to the name (in this example 14F2A0ATJNUO1). How can I work around this problem to make the template reusable in every account? Please provide the code if possible.
"EC2InstanceProfile" : {
  "Description" : "The default instance profile",
  "Type": "String",
  "ConstraintDescription" : "must be the name of an existing default EC2 instance profile."
},
"IamInstanceProfile": { "Ref": "EC2InstanceProfile" }
Get your instance profile from the role name using the CloudFormation below.
"InstanceProfile" : {
  "Type" : "AWS::IAM::InstanceProfile",
  "Properties" : {
    "Path" : "/",
    "Roles" : ["your-role-name"]
  }
}
"IamInstanceProfile": {"Fn::GetAtt" : ["InstanceProfile", "Arn"] },
I can't find any examples on creating a SQL Server RDS instance in CloudFormation, so I took an educated guess using an example for MySQL. Here's what I came up with:
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Resources" : {
    "DBInstance" : {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceIdentifier" : "test-db",
        "Engine" : "sqlserver-ex",
        "Port" : "1433",
        "DBInstanceClass" : "db.t1.micro",
        "AllocatedStorage" : "30",
        "MasterUsername" : "sa",
        "MasterUserPassword" : "password"
      }
    }
  }
}
Unfortunately this doesn't work (CREATE_FAILED). Can anyone tell me why?
In addition to Peter H's response... DBInstanceIdentifier is not a supported property. I would consult the cloudformation docs for which properties are and are not supported as well as the required properties.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
Also... CloudFormation will tell you the reason it fails in the "Events" tab. One thing CloudFormation is really good at is telling you exactly why it failed.
You are missing EngineVersion - "EngineVersion" : "11.00.2100.60.v1",
Also - you'll need DBSecurityGroups to be added.