I have resources defined in my Cloudformation template file with tags defined like so:
"Properties": {
"Tags": [
{ "Key": "Environment", "Value": {"Ref": "Environment"}},
{ "Key": "Hello", "Value": "World"}
]
}
My IAM username is my.name. I would like to add a key named Creator to the Tags property with my username (my.name) as the value. Moreover, I need this value to reflect the username of whoever runs this CloudFormation template. How can I do it?
I am not aware of any way of referencing the IAM username directly from the template JSON.
However, you can use get-user to get the username (either using the CLI or one of the SDKs), and then pass it on to CloudFormation as a parameter, or, if you are creating the template JSON programmatically, just insert it directly.
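The approach in the answer above, as an added example that is not part of the original answer: a POSIX shell script that resolves the caller's name and passes it to the stack as a parameter. It assumes the template declares a String parameter named Creator (hypothetical name) and references it in the Tags as { "Key": "Creator", "Value": {"Ref": "Creator"} }; stack and template file names are placeholders. It uses aws sts get-caller-identity instead of get-user, because get-user needs iam:GetUser and fails when the caller is an assumed role (a CI pipeline, for instance), while get-caller-identity works for any principal and needs no permission. Note that a tag populated this way is informational, not an audit record: CloudTrail, not the tag, is the authoritative source for who ran the deployment.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Resolve the caller's name and pass it to CloudFormation as the "Creator"
# parameter (hypothetical parameter name; the template must declare it).

# Map an STS caller ARN to a short principal name.
#   arn:aws:iam::123456789012:user/my.name             -> my.name
#   arn:aws:iam::123456789012:user/team/my.name        -> my.name
#   arn:aws:sts::123456789012:assumed-role/Deploy/ci   -> ci   (session name)
# Returns 1 for anything else (e.g. the account root), so the caller can
# refuse to tag with a meaningless value.
caller_username() {
  arn=$1
  case "$arn" in
    *:user/*)
      name=${arn##*:user/}        # strip up to and including ":user/"
      printf '%s\n' "${name##*/}" # drop any IAM path components
      ;;
    *:assumed-role/*)
      printf '%s\n' "${arn##*/}"  # last segment is the session name
      ;;
    *)
      return 1
      ;;
  esac
}

# Shorthand --parameters value understood by create-stack / update-stack.
creator_parameter() {
  printf 'ParameterKey=Creator,ParameterValue=%s\n' "$1"
}

# Only talk to AWS when invoked with --deploy, so the helpers above can be
# sourced and exercised offline.
if [ "${1:-}" = "--deploy" ]; then
  arn=$(aws sts get-caller-identity --query Arn --output text)
  creator=$(caller_username "$arn") || {
    echo "refusing to deploy as unrecognised principal: $arn" >&2
    exit 1
  }
  aws cloudformation create-stack \
    --stack-name my-stack \
    --template-body file://template.json \
    --parameters "$(creator_parameter "$creator")"
fi
```

Run it as ./deploy.sh --deploy; for an update-stack the same --parameters value applies.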
You should pass the user ID as a parameter on the create-template API call and add it to the tags using Fn::Join. Cloudformation won't do this for you.
Related
I am trying to use AWS EventBridge Input Transformer to get the tags of an EC2 instance but I am not familiar with this stuff. The event JSON would look like this (trimming out irrelevant info):
"tags": [{
"key": "Name",
"value": "windows-server-1"
},
{
"key": "Patch Group",
"value": "Windows"
}],
I am able to access different tags using numeric keys like so:
"patchGroup":"$.detail.resource.instanceDetails.tags[1].value"
The issue is the numeric key isn't standard on our instances and I will always need the Patch Group tag. If I were using JS or C# there would be logic I could implement to find this; I am not seeing anything like that in the documentation. Is there a way to easily get a tag with a key I am missing?
I have a CloudFormation template to create a Secret in Secrets Manager. My current template is similar to this (based on aws documentation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html):
{
"Resources": {
"MyCredentials": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Name": "prod/web/api",
"Description": "",
"SecretString": "{
\"Client_id\":\"my_client_id\",
\"Client_secret\":\"a_super_secret_value\"
}"
}
}
}
}
My problem is that I cannot use the GenerateSecretString property because the password is defined by an external organization, so I cannot change or create the value on my own, and this way the secret value can be viewed from the template in CloudFormation.
Is it possible to achieve this, or do I need to create the secrets manually?
You can use an AWS SSM Parameter, where the external organization is given permission to add/update the password there, or someone on the team does the same.
Once the password is there, you read it in your CloudFormation template, either via a dynamic reference like the one below:
The following example uses an ssm-secure dynamic reference to set the password for an IAM user to a secure string stored in Systems Manager Parameter Store. As specified, CloudFormation will use version 10 of the IAMUserPassword parameter for stack and change set operations.
"MyIAMUser": {
"Type": "AWS::IAM::User",
"Properties": {
"UserName": "MyUserName",
"LoginProfile": {
"Password": "{{resolve:ssm-secure:IAMUserPassword:10}}"
}
}
}
Or a static reference, something like below, here accessing the AvailabilityZone parameter stored in SSM:
"AvailabilityZone": {
"Description": "Amazon EC2 instance Availability Zone",
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "AvailabilityZone"
}
More examples in Using AWS Systems Manager Parameter Store Secure String parameters in AWS CloudFormation templates
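The pattern in the answer above, as an added example that is not part of the original answer: one helper that stores the externally supplied value in Parameter Store as a SecureString without putting it on the command line, and one pre-deploy check that flags template lines where a sensitive property still carries a literal instead of a {{resolve:ssm-secure:...}} or {{resolve:secretsmanager:...}} dynamic reference. The parameter name /prod/web/api/client_secret and the property-name list are assumptions for illustration. Two caveats a practitioner should check before relying on this: the AWS::SSM::Parameter::Value<String> parameter type in the "static reference" above does not support SecureString parameters (only the ssm-secure dynamic reference does), and ssm-secure is accepted only on the resource properties listed in the CloudFormation dynamic-references documentation, so confirm the target property is on that list.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Two helpers for the "keep the external secret out of the template" pattern.

# Store a secret in Parameter Store as a SecureString.
# The value is read from a file (the AWS CLI's file:// syntax) rather than
# passed as a literal, so it does not show up in `ps` output or shell history.
# $1 = parameter name, e.g. /prod/web/api/client_secret (hypothetical)
# $2 = path to a file containing only the secret value
store_secret_param() {
  aws ssm put-parameter \
    --name "$1" \
    --type SecureString \
    --value "file://$2" \
    --overwrite >/dev/null
}

# Pre-deploy check: print "line:text" for every template line where a
# sensitive property carries a literal string instead of a dynamic
# reference. Heuristic, keyed on property names; extend the list for your
# own resources. Prints nothing and exits 0 when the template is clean.
find_plaintext_secrets() {
  grep -nE '"(SecretString|Password|MasterUserPassword|AuthToken)"[[:space:]]*:[[:space:]]*"' "$1" \
    | grep -vE '[{][{]resolve:(ssm-secure|secretsmanager):' || true
}

# Exit status for CI: 0 when clean, 1 when any plaintext secret is present.
template_is_clean() {
  [ -z "$(find_plaintext_secrets "$1")" ]
}

# Usage: ./secrets.sh --check template.json
if [ "${1:-}" = "--check" ]; then
  template_is_clean "$2" || {
    echo "plaintext secret literals found in $2:" >&2
    find_plaintext_secrets "$2" >&2
    exit 1
  }
fi
```

Run the check in CI before create-stack/update-stack; the grep is deliberately crude (it looks only at property names), so treat a clean result as necessary rather than sufficient.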
I am trying to find a way to set default VPCs, Subnets and Security Groups in the Cluster.template JSON file.
Is there a way to pass an existing VPC ( or Subnet/Security group) as a parameter to the template using the "Ref" built-in?
This obviously doesn't work:
"Parameters": {
"VpcId": {
"Type": "AWS::EC2::VPC::Id",
"Default": { "Ref" : "vpc-123456789" },
....
}
To inject a VPC id into your template I would do the following. First remove your default value.
"Parameters": {
"VpcId": {
"Type": "AWS::EC2::VPC::Id"
....
}
Next, place the value you want to set VpcId to inside a parameters.json file, and when you perform a create-stack or update-stack with your CloudFormation template, use the parameters file as the input.
parameters.json
[
{
"ParameterKey": "VpcId",
"ParameterValue": "vpc-123456789"
}
]
Multi-valued Parameters
If you had a parameter that takes a list of values you could represent it as follows:
"PrivateEC2Subnets": {
"Type": "CommaDelimitedList",
"Description": "List of private subnets to run your EC2 instances inside. Note that they must be in the same availability zone that your ELB is configured for. May require you to manually create a private subnet with a specific AZ if your VPC isn't auto-configured."
},
Then in your external parameters file pass in a comma-separated list like so:
{
"ParameterKey": "PrivateEC2Subnets",
"ParameterValue": "subnet-9934670a544,subnet-d74ea349f"
},
For more information on the different parameter types see the AWS doc http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html but beware, people have reported issues when trying to represent lists of complex datatypes in external parameters files. To my knowledge, only CommaDelimitedList works if you want to pass the values in from another json file outside your cloudformation template.
I found out that it's really much simpler than I thought... this worked:
"Parameters": {
"VpcId": {
"Type": "List<AWS::EC2::VPC::Id>",
"Default": "vpc-123456789,vpc-987654123",
....
}
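The parameters-file approach from the answers above, as an added example that is not part of the original posts: a POSIX shell script that generates parameters.json from KEY=VALUE arguments and validates EC2-style resource IDs locally before calling create-stack. The stack name, template file name and the sample IDs are placeholders. The local check is worth having because AWS-specific parameter types such as AWS::EC2::VPC::Id are validated against the resources in the account and region, so a malformed or non-existent ID (like the illustrative vpc-123456789 above) only surfaces as a failed stack operation.

```shell
#!/bin/sh
# Added example, not part of the original answers.
# Generate parameters.json from KEY=VALUE arguments for create-stack /
# update-stack, checking EC2-style resource IDs locally first. A
# comma-separated VALUE is passed through unchanged, which is exactly how a
# CommaDelimitedList parameter is supplied.

# True if $1 is a well-formed EC2 resource ID: prefix, dash, 8 or 17 hex chars.
looks_like_ec2_id() {
  printf '%s\n' "$1" | grep -qE '^(vpc|subnet|sg|ami|i)-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Check one parameter value: nothing that would break the generated JSON,
# and every comma-separated element with a known prefix must be a
# well-formed ID. Returns 1 with a message on stderr otherwise.
validate_value() {
  case "$1" in
    *'"'*|*\\*) echo "value contains a quote or backslash: $1" >&2; return 1 ;;
  esac
  old_ifs=$IFS
  IFS=','
  set -f            # no globbing while splitting on commas
  set -- $1
  set +f
  IFS=$old_ifs
  for element in "$@"; do
    case "$element" in
      vpc-*|subnet-*|sg-*|ami-*|i-*)
        looks_like_ec2_id "$element" || {
          echo "malformed resource id: $element" >&2
          return 1
        } ;;
    esac
  done
  return 0
}

# params_json KEY=VALUE ... -> parameters.json content on stdout.
# Every value is validated before anything is printed, so a failure never
# leaves a half-written file behind.
params_json() {
  for kv in "$@"; do
    case "$kv" in *=*) ;; *) echo "expected KEY=VALUE, got: $kv" >&2; return 1 ;; esac
    validate_value "${kv#*=}" || return 1
  done
  printf '[\n'
  first=1
  for kv in "$@"; do
    if [ "$first" = 1 ]; then first=0; else printf ',\n'; fi
    printf '  { "ParameterKey": "%s", "ParameterValue": "%s" }' "${kv%%=*}" "${kv#*=}"
  done
  printf '\n]\n'
}

# Usage: ./params.sh --deploy VpcId=vpc-0123456789abcdef0 PrivateEC2Subnets=subnet-0a1b2c3d,subnet-0e1f2a3b
if [ "${1:-}" = "--deploy" ]; then
  shift
  params_json "$@" > parameters.json || exit 1
  aws cloudformation create-stack --stack-name my-cluster \
    --template-body file://Cluster.template \
    --parameters file://parameters.json
fi
```

The generated file has the same shape as the parameters.json shown in the answer, with one object per parameter and list values left as a single comma-separated string.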
I am trying to set up my S3 to notify my SQS Queue for a "PUT" Object Creation Event.
I am able to achieve this using CLI by:
aws --profile QA s3api put-bucket-notification --bucket <BUCKET_NAME> --notification-configuration '{ "QueueConfiguration": { "Id": "<EVENT ID>", "Event": "s3:ObjectCreated:Put", "Queue": "<QUEUE ARN>" } }'
Also able to do the same using Java:
import java.util.EnumSet;
import com.amazonaws.services.s3.model.*; // AWS SDK for Java v1 model classes
// Deliver a notification to the queue for objects created by PUT only
NotificationConfiguration notificationConfiguration = new QueueConfiguration(queueArn, EnumSet.of(S3Event.ObjectCreatedByPut));
BucketNotificationConfiguration bucketNotificationConfiguration = new BucketNotificationConfiguration("DropShipInboundQueueDelivery", notificationConfiguration);
client.setBucketNotificationConfiguration(bucketName, bucketNotificationConfiguration);
However, when I tried to do something similar using a CloudFormation template, I could not find any way to trigger a notification to SQS. The only option I see that works and is documented is to trigger a notification to SNS.
I have referred to the CloudFormation documentation:
I looked at the AWS::S3::Bucket docs to look at the outer syntax. I saw NotificationConfiguration, which I need to set.
However, the NotificationConfiguration can only contain a list of TopicConfigurations, which was the old constructor in the JDK before QueueConfiguration was supported.
I tried doing something like this:
"NotificationConfiguration" :{
"QueueConfiguration": {
"Id": "DropshipInboundEventNotification",
"Event": "s3:ObjectCreated:Put",
"Queue": "arn:aws:sqs:*:*:Dropship-Inbound-qa"
}
},
But this, as expected, threw an error from Amazon: "Encountered unsupported property QueueConfiguration".
Looked at this API documentation
I would like to know if someone has been able to do this using CloudFormation Templates as thats how I am maintaining all the other AWS resources and do not want to do anything special for this particular feature.
Any help is appreciated.
There is no need for "Id" in a CloudFormation template (you can check the QueueConfiguration doc), and your second mistake is that it is not "QueueConfiguration", it's "QueueConfigurations". Because of that you get the error "Encountered unsupported property QueueConfiguration".
It must be something like this:
"S3Bucket":{
"Type" : "AWS::S3::Bucket",
"Properties" : {
"AccessControl" : String,
"BucketName" : String,
"CorsConfiguration" : CORS Configuration,
"LifecycleConfiguration" : Lifecycle Configuration,
"LoggingConfiguration" : Logging Configuration,
"NotificationConfiguration" :
{ "QueueConfigurations" : [ {
"Event" : "s3:ObjectCreated:Put",
"Queue" : "arn:YOURQUEUEARN"
} ] },
"Tags" : [ Resource Tag, ... ],
"VersioningConfiguration" : Versioning Configuration,
"WebsiteConfiguration" : Website Configuration Type
}
}
While you are reading CloudFormation template documents, you must be careful about the "Required:" sections. If a property is not required, you don't need to fill it in; just remove that line from your template if you don't use it (like S3 Tags).
Other Docs about it:
S3BucketDocs
NotificationConfigurationDocs
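A complete, deployable version of the fix in the answer above, as an added example that is not part of the original answer. Beyond renaming the property to QueueConfigurations, the stack only succeeds if the queue's resource policy allows the S3 service principal to send to it, because CloudFormation validates notification destinations while it creates the bucket. The policy below derives the bucket ARN from a BucketName parameter rather than from the bucket resource, so the policy can be created first (DependsOn) without a circular dependency, and it is scoped with aws:SourceArn and aws:SourceAccount so that no other bucket or account can write into the queue. The shell wrapper only emits the template and runs validate-template/create-stack; resource, stack and bucket names are hypothetical, and the queue name is the one from the question.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Emit a CloudFormation template for S3 -> SQS "object created by PUT"
# notifications, including the queue policy the bucket creation depends on.
s3_sqs_template() {
  cat <<'EOF'
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket that notifies an SQS queue on object PUT (added example)",
  "Parameters": {
    "BucketName": { "Type": "String", "Description": "Name of the bucket to create" }
  },
  "Resources": {
    "InboundQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": { "QueueName": "Dropship-Inbound-qa" }
    },
    "InboundQueuePolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [ { "Ref": "InboundQueue" } ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [ {
            "Sid": "AllowThisBucketToSend",
            "Effect": "Allow",
            "Principal": { "Service": "s3.amazonaws.com" },
            "Action": "sqs:SendMessage",
            "Resource": { "Fn::GetAtt": [ "InboundQueue", "Arn" ] },
            "Condition": {
              "ArnEquals": { "aws:SourceArn": { "Fn::Sub": "arn:${AWS::Partition}:s3:::${BucketName}" } },
              "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } }
            }
          } ]
        }
      }
    },
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DependsOn": "InboundQueuePolicy",
      "Properties": {
        "BucketName": { "Ref": "BucketName" },
        "NotificationConfiguration": {
          "QueueConfigurations": [ {
            "Event": "s3:ObjectCreated:Put",
            "Queue": { "Fn::GetAtt": [ "InboundQueue", "Arn" ] }
          } ]
        }
      }
    }
  }
}
EOF
}

# Usage: ./s3-sqs.sh --deploy my-dropship-inbound-bucket
if [ "${1:-}" = "--deploy" ]; then
  s3_sqs_template > s3-sqs.template
  aws cloudformation validate-template --template-body file://s3-sqs.template >/dev/null
  aws cloudformation create-stack --stack-name dropship-inbound-qa \
    --template-body file://s3-sqs.template \
    --parameters "ParameterKey=BucketName,ParameterValue=$2"
fi
```

Without the SourceArn/SourceAccount conditions, any bucket in any account could be pointed at this queue and inject messages into the consumer, which is the confused-deputy case the conditions exist to close.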
We wanted to use company-specific Tags for the resources that we create in AWS for billing purposes. I am using a CloudFormation template to spin up our Elastic Beanstalk instance and other project-dependent resources. When I use the CloudFormation console to create a stack, it asks me for Tags on the page after parameters. I have to manually input the Tags for that stack. However, is there a way to specify those Tags (Tags for the stack) within the CloudFormation template itself? That way the Tag gets propagated to the other resources. I know that CloudFormation automatically tags the resources with the stack name. But we need company-specific tags to bill separate departments.
In the template anatomy, you can't set stack-level tags directly. However you can create a wrapper template, having a single resource of AWS::CloudFormation::Stack.
You can define stack-level tags on that resource:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "WrapperTemplate",
"Resources": {
"WrappedStackWithStackLevelTags": {
"Type" : "AWS::CloudFormation::Stack",
"Properties" : {
"Tags" : [ { "Key" : "Stage", "Value" : "QA" } ],
"TemplateURL" : "your-original-template-s3-url"
}
}
}
}
When launching AWS CloudFormation, the tags being requested will be applied to the CloudFormation Stack itself and (where possible) will also be propagated to the resources launched by the Stack.
These tags can be passed to the CreateStack API call, or from the CLI:
See: create-stack CLI documentation
These tags are applied to the whole Stack and aren't included in the CloudFormation template.
However, CloudFormation templates can include tags for specific resources that are being created. For example, when launching Amazon EC2 instances, tags can be included in the template:
"MyInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"SecurityGroups" : [{ "Ref" : "MySecurityGroup" }],
"AvailabilityZone" : "us-east-1a",
"ImageId" : "ami-20b65349",
"Volumes" : [{
"VolumeId" : { "Ref" : "MyEBS" },
"Device" : "/dev/sdk"
}],
"Tags" : [{
"Key" : "Stage",
"Value" : "QA"
}]
}
}
Contrary to what #lalyos says, you don't need to use nested stacks for this, just provide the tags that should apply to all resources as stack level tags.
These stack-level tags can be specified whether running the stack on the console or via CLI.
CLI example:
aws cloudformation create-stack --stack-name my-stack-name \
--template-body file://path-to-template-file.yaml \
--parameters ParameterKey=param1key,ParameterValue=param1value \
--tags Key=tag1key,Value=tag1value \
Key=tag2key,Value=tag2value \
Key=tag3key,Value=tag3value
... and generally add as many tags as you need, using the same format and allowing spaces between tag key-value pairs
See:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html
You can build and deploy a CloudFormation template using aws-sam-cli. This command reads a samconfig.toml file where you can declare tags for all the resources of the stack (including the CloudFormation stack itself).
Your samconfig.toml should look like:
[default.deploy.parameters]
stack_name = "your-application"
s3_bucket = "your-s3-for-cloudformation-stuff"
s3_prefix = "your-folder-name"
...
tags = "Stage=\"QA\""
and then run:
sam build --template <your-cloudformation-template.yml> && sam deploy
You don't need any wrapper.
You can add tags to the stack when you create/update it:
In Console:
You can also use the aws cli:
aws cloudformation create-stack help
--tags (list)
Key-value pairs to associate with this stack. CloudFormation also propagates these tags to supported resources in the stack. You can specify a maximum number of 50 tags.
If you don't specify this parameter, CloudFormation doesn't modify the stack's tags. If you specify an empty value, CloudFormation removes all associated tags.
(structure)
The Tag type enables you to specify a key-value pair that can be used to store information about a CloudFormation stack.
Key -> (string)
Required. A string used to identify this tag. You can specify a maximum of 128 characters for a tag key. Tags owned by Amazon Web Services have the reserved prefix: aws:.
Value -> (string)
Required. A string containing the value for this tag. You can specify a maximum of 256 characters for a tag value.
Shorthand Syntax:
Key=string,Value=string ...
JSON Syntax:
[
{
"Key": "string",
"Value": "string"
}
...
]
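The stack-level tagging described in the answers above, as an added example that is not part of the original posts: a POSIX shell script that checks tags against the limits quoted from create-stack help (at most 50 tags, keys up to 128 characters, values up to 256, no aws: prefix) before the API call, and emits them in the CLI's JSON syntax, which unlike the Key=...,Value=... shorthand is unambiguous when a value contains commas. Stack name and template file name are the placeholders from the CLI example above.

```shell
#!/bin/sh
# Added example, not part of the original answers.
# Validate stack-level tags locally and emit them as the JSON form of --tags.

TAG_MAX=50
KEY_MAX=128
VALUE_MAX=256

# validate_tag KEY VALUE -> 0 if acceptable, 1 with a message on stderr.
validate_tag() {
  key=$1
  value=$2
  case "$key" in
    '')         echo "tag key must not be empty" >&2; return 1 ;;
    aws:*)      echo "tag key '$key' uses the reserved aws: prefix" >&2; return 1 ;;
    *'"'*|*\\*) echo "tag key '$key' contains a quote or backslash" >&2; return 1 ;;
  esac
  case "$value" in
    *'"'*|*\\*) echo "tag value for '$key' contains a quote or backslash" >&2; return 1 ;;
  esac
  [ "${#key}" -le "$KEY_MAX" ] || { echo "tag key '$key' exceeds $KEY_MAX characters" >&2; return 1; }
  [ "${#value}" -le "$VALUE_MAX" ] || { echo "tag value for '$key' exceeds $VALUE_MAX characters" >&2; return 1; }
  return 0
}

# tags_json KEY=VALUE ... -> JSON array suitable for --tags, on stdout.
# Returns 1 (printing nothing) if any tag is invalid or there are too many.
tags_json() {
  [ "$#" -le "$TAG_MAX" ] || { echo "at most $TAG_MAX tags allowed, got $#" >&2; return 1; }
  for kv in "$@"; do
    case "$kv" in *=*) ;; *) echo "expected KEY=VALUE, got: $kv" >&2; return 1 ;; esac
    validate_tag "${kv%%=*}" "${kv#*=}" || return 1
  done
  out='['
  first=1
  for kv in "$@"; do
    if [ "$first" = 1 ]; then first=0; else out="$out,"; fi
    out="$out{\"Key\":\"${kv%%=*}\",\"Value\":\"${kv#*=}\"}"
  done
  printf '%s]\n' "$out"
}

# Usage: ./stack-tags.sh --deploy Stage=QA "CostCenter=Dept 42"
if [ "${1:-}" = "--deploy" ]; then
  shift
  tags=$(tags_json "$@") || exit 1
  aws cloudformation create-stack --stack-name my-stack-name \
    --template-body file://path-to-template-file.yaml \
    --tags "$tags"
fi
```

The same --tags value works for update-stack; remember from the help text above that omitting --tags on an update leaves the existing tags untouched, while passing an empty value removes them all.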