I am trying to create a CloudFormation template that deploys my OpsWorks stack and layers and some other AWS resources. I would like to manage the users of my OpsWorks instances using the Permissions feature they offer.
I have been able to manage those users using the UI and the CLI, however I cannot find anywhere how to do that with CloudFormation. I have been reading through the documentation and it seems there is no resource specified for it. Does CloudFormation not have access to all resources in the AWS APIs?
CloudFormation doesn't support OpsWorks users. But it's still possible: you can use a CloudFormation custom resource to create OpsWorks users: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html
Related
The CloudFormation documentation for Security Hub is very limited.
I wonder if it is possible to do the following in CloudFormation:
1. Enable Security Hub in specified accounts or all accounts for an organization. There's a sample script to automate enabling Security Hub for multiple accounts, but no CloudFormation implementation can be found: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html#securityhub-enable-multiaccount-script
2. Enable finding aggregation. It seems you can enable finding aggregation using the console, CLI or API: https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation-enable.html
3. Specify Delegated Administrator by account id.
Yes, you can do all these things through a custom resource in CloudFormation in the form of a lambda function.
I am creating a config rule which uses a custom lambda function that checks if a configuration item has tags in it. I want the rule to run for all resources but I am finding that some resources such as IAM groups, roles, users, etc. cannot be tagged. Nevertheless, the configuration items for these resources have a tags attribute which makes it difficult to distinguish between resources that can be tagged but are not and resources that cannot be tagged at all.
Does anyone have any ideas on how I can filter out the resources which cannot be tagged?
I realize I could just identify what resources currently do not support tags by looking at the documentation and statically ignoring these types in the lambda but I would like a more dynamic solution which doesn't require me to update my lambda every time a new resource is discovered/released which does not support tags.
A little late to the party perhaps - better late than never! ;-)
Resources you can use with AWS Resource Groups and Tag Editor
You can use the AWS Management Console or the AWS CLI to create resource groups and then interact with the member resources through those groups. You can add tags to many AWS resources and then use those tags to manage group membership. This topic describes the AWS resources that you can include in resource groups by using AWS Resource Groups, and the AWS resources that you can tag by using Tag Editor...
Note: Adding tags to an AWS CloudFormation stack causes an update of the stack.
https://docs.aws.amazon.com/ARG/latest/userguide/supported-resources.html
AWS Resource Groups Tagging API Reference
AWS supports tagging on all core infrastructure resources that incur charges. Most other AWS resources also support tagging. Some resources support tagging only through that service's native tagging operations, and don't yet support this API. See the documentation for an individual service for information about that service's native tagging operations…
You can use the Resource Groups Tagging API operations to complete the following tasks:
Tag and untag supported resources located in the specified Region for the AWS account.
Use tag-based filters to search for resources located in the specified Region for the AWS account.
List all existing tag keys in the specified Region for the AWS account.
List all existing values for the specified key in the specified Region for the AWS account.
To use Resource Groups Tagging API operations, you must add the following permissions to your IAM policy:
tag:GetResources
tag:TagResources
tag:UntagResources
tag:GetTagKeys
tag:GetTagValues
You'll also need permissions to access the resources of individual services so that you can tag and untag those resources.
https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/overview.html
Services that support the Resource Groups Tagging API
You can use the Resource Groups Tagging API to tag resources for the AWS services listed at the URL linked below.
Note: The list includes only those AWS services that work with the Resource Groups Tagging API.
If an AWS service isn't listed, you might still be able to tag that service's resources by using the service's native tagging operations instead of using the Resource Groups Tagging API operations. See the documentation for an individual service for information about that service's native tagging operations.
This lets you tag resources by using the AWS CLI version of the service's operation. For example, you could tag an IAM user by using a command similar to the following example:
$ aws iam tag-user --user-name kristy --tags Key=CostCenter,Value=1234
https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html
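The answer above points at the supported-services lists as the authoritative source for which resource types can carry tags. What a Config custom rule does with that information is shown in the following added example (my code, not the asker's Lambda or anything from the AWS documentation): the rule reports NOT_APPLICABLE for resource types outside a taggable allow-list instead of treating their empty `tags` attribute as a violation. The allow-list contents, the `requiredTagKeys` rule parameter, and the sample event are assumptions; the Config invocation shape and `put_evaluations` call are the real ones.

```python
"""Custom AWS Config rule: require tags, but only on resource types that can carry them."""
import json

# Constructed allow-list of resource types known to accept tags. In practice fill this
# from the "Services that support the Resource Groups Tagging API" page linked above, or
# pass it in as a rule parameter, so that the Lambda code itself does not change.
TAGGABLE_TYPES = {
    "AWS::EC2::Instance",
    "AWS::EC2::Volume",
    "AWS::S3::Bucket",
    "AWS::Lambda::Function",
}


def evaluate(config_item, required_keys, taggable_types=TAGGABLE_TYPES):
    """Return (compliance_type, annotation) for one configuration item."""
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted"
    if config_item["resourceType"] not in taggable_types:
        # The item still carries a 'tags' attribute (usually {}), but the type cannot be
        # tagged, so an empty tag set says nothing about compliance.
        return "NOT_APPLICABLE", "Resource type does not support tags"
    tags = config_item.get("tags") or {}
    missing = sorted(k for k in required_keys if not tags.get(k))
    if missing:
        return "NON_COMPLIANT", "Missing required tag(s): " + ", ".join(missing)
    return "COMPLIANT", "All required tags present"


def handler(event, context, config_client=None):
    """Lambda entry point for a configuration-change-triggered Config custom rule."""
    invoking = json.loads(event["invokingEvent"])
    if "configurationItem" not in invoking:
        # Oversized change notifications omit the item; it must be fetched with
        # config:GetResourceConfigHistory, which this example does not do.
        raise ValueError("unsupported messageType: %s" % invoking.get("messageType"))
    params = json.loads(event.get("ruleParameters") or "{}")
    required = [k.strip() for k in params.get("requiredTagKeys", "").split(",") if k.strip()]
    item = invoking["configurationItem"]
    compliance, note = evaluate(item, required)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(resource_type, resource_id, tags, required="Owner"):
    """Constructed sample invocation in the shape AWS Config sends to a custom rule."""
    item = {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "tags": tags,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item, "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps({"requiredTagKeys": required}),
        "resultToken": "constructed-token",
    }
```

The Lambda's execution role needs only `config:PutEvaluations` for this rule; the allow-list approach also avoids granting it `tag:GetResources` against every resource in the account.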
I am trying to clone my aws account(prod) to another account(test) with all resources and configuration I have set up on prod. Is there any best practice to replicate the aws account to another?
This is not possible.
Nor is there an easy way to list all resources in an AWS account.
Each AWS service (eg EC2, S3, Lambda) has its own API calls to list resources and describe configurations. There is no universal way to request this information.
Best Practice is to only create resources using AWS CloudFormation templates, thereby having full documentation of resources created and the ability to deploy similar infrastructure in other AWS accounts or regions.
Some third-party services (eg https://www.hava.io/) can extract configuration information and automatically create AWS CloudFormation templates. However, these templates only record the configuration of AWS resources -- they do not replicate the content of storage on disks, Amazon S3 or databases.
I wanted to create an AWS dashboard using CloudFormation but didn't find a way.
Guess AWS has not yet added support for that.
As an alternative, is it possible to create that using the AWS CLI?
AWS just announced support for this.
https://aws.amazon.com/blogs/aws/new-api-cloudformation-support-for-amazon-cloudwatch-dashboards/
CloudFormation documentation is also available: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-dashboard.html
If I'm correct, your question concerns Resource Groups. It is not possible at this time to create a Resource Group in CloudFormation templates or via the awscli.
Resource Groups are tied to a User, not an account - so it's not possible to define them at an account level and allow Users to access them.
It's possible for a User to 'Share' a Resource Group they've created by passing a URL to another User.
Does AWS CloudFormation allow creating templates for AWS Elastic Transcoder?
PS: I tried creating a DataPipeline, but no, that is not the same as a Transcoder pipeline.
Not yet. The following page shows all available resource types for AWS Cloudformation:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
You could use a python lambda function wrapped in a custom resource. With Lambda support in custom resources, services/features not currently supported can be accommodated in the template.
This GitHub project shows how:
https://github.com/mazerte/aws-cloudformation-elastic-transcoder-pipeline
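Three threads on this page (the OpsWorks Permissions question at the top, the Security Hub question, and this Elastic Transcoder one) get the same answer: wrap the missing API in a custom resource backed by a Python Lambda. The following is an added example of that pattern, written by me and not taken from any of the answers or from the linked GitHub project. The `Custom::…` resource type names, property names, and the sample event are assumptions; the boto3 calls (`set_permission`, `enable_organization_admin_account`, `disable_organization_admin_account`, `create_pipeline`, `delete_pipeline`) are the real ones. Three behaviours matter for correctness: every property arrives as a string, a thrown exception must still be reported as FAILED (otherwise the stack waits for the custom-resource timeout), and a Delete must echo the existing PhysicalResourceId.

```python
"""One CloudFormation custom-resource Lambda fronting three APIs that CloudFormation has no
native resource for: OpsWorks stack permissions, the Security Hub delegated administrator,
and Elastic Transcoder pipelines."""
import json
import urllib.request


def _flag(props, name):
    # CloudFormation delivers every property value as a string, so "true"/"false" must be
    # parsed; a missing flag is treated as false.
    return str(props.get(name, "false")).lower() == "true"


def opsworks_permission(client, request_type, props, physical_id):
    """Custom::OpsWorksPermission -> opsworks:SetPermission."""
    stack_id, user_arn = props["StackId"], props["IamUserArn"]
    if request_type == "Delete":
        # OpsWorks has no DeletePermission; revoke by setting the deny level with no shell access.
        client.set_permission(StackId=stack_id, IamUserArn=user_arn,
                              AllowSsh=False, AllowSudo=False, Level="deny")
        return physical_id
    client.set_permission(StackId=stack_id, IamUserArn=user_arn,
                          AllowSsh=_flag(props, "AllowSsh"), AllowSudo=_flag(props, "AllowSudo"),
                          Level=props.get("Level", "deploy"))
    return f"{stack_id}/{user_arn}"


def securityhub_admin(client, request_type, props, physical_id):
    """Custom::SecurityHubAdmin -> securityhub:EnableOrganizationAdminAccount."""
    admin = props["AdminAccountId"]
    if request_type == "Delete":
        client.disable_organization_admin_account(AdminAccountId=admin)
        return physical_id
    client.enable_organization_admin_account(AdminAccountId=admin)
    # A changed account id yields a new physical id, so CloudFormation sends a Delete for the old one.
    return f"securityhub-admin/{admin}"


def transcoder_pipeline(client, request_type, props, physical_id):
    """Custom::TranscoderPipeline -> elastictranscoder:CreatePipeline / DeletePipeline."""
    if request_type == "Delete":
        client.delete_pipeline(Id=physical_id)
        return physical_id
    resp = client.create_pipeline(Name=props["Name"], InputBucket=props["InputBucket"],
                                  OutputBucket=props["OutputBucket"], Role=props["Role"])
    return resp["Pipeline"]["Id"]


HANDLERS = {
    "Custom::OpsWorksPermission": ("opsworks", opsworks_permission),
    "Custom::SecurityHubAdmin": ("securityhub", securityhub_admin),
    "Custom::TranscoderPipeline": ("elastictranscoder", transcoder_pipeline),
}


def process(event, clients):
    """Run the handler for event['ResourceType'] and build the response document."""
    physical_id = event.get("PhysicalResourceId", f"{event['LogicalResourceId']}-failed")
    try:
        service, fn = HANDLERS[event["ResourceType"]]
        physical_id = fn(clients[service], event["RequestType"],
                         event.get("ResourceProperties", {}), physical_id)
        status, reason = "SUCCESS", "OK"
    except Exception as exc:  # report FAILED rather than leaving the stack waiting for its timeout
        status, reason = "FAILED", f"{type(exc).__name__}: {exc}"
    return {"Status": status, "Reason": reason, "PhysicalResourceId": physical_id,
            "StackId": event["StackId"], "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"], "Data": {}}


def send(event, response):
    """PUT the response document to the pre-signed S3 URL CloudFormation supplied."""
    body = json.dumps(response).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req).close()


def handler(event, context, clients=None):
    """Lambda entry point; boto3 clients may be injected for offline testing."""
    if clients is None:
        import boto3  # only needed when running inside Lambda
        clients = {name: boto3.client(name) for name, _ in HANDLERS.values()}
    response = process(event, clients)
    send(event, response)
    return response


def make_event(resource_type, request_type, props, physical_id=None):
    """Constructed sample event in the shape CloudFormation sends to a custom resource."""
    event = {"RequestType": request_type, "ResourceType": resource_type, "ResourceProperties": props,
             "ResponseURL": "https://example.invalid/response", "RequestId": "constructed-request-id",
             "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/0000",
             "LogicalResourceId": "Demo"}
    if physical_id:
        event["PhysicalResourceId"] = physical_id
    return event
```

Give the function's execution role only the five API actions named in the handlers (plus `iam:PassRole` for the transcoder role); a custom-resource Lambda with broad permissions is effectively an administrator reachable by anyone who can update the stack.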