By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Unable to call cloud formation from lambda

0

There is requirement to call cloud formation template from Lambda function.

  • I am trying to schedule dev environment using cloud formation & lambda function.

Query: This code is running perfectly via AWS console. Now I have stored this code in S3 as .yaml file and calling via lambda function as snippet in attached image. I have key pair already created in AWS console that I need to pass as parameter in the following code and what will be value for capabilities section. Request you to please suggest. I am struggling to find the solution for it.

Lambda Function Code

import boto3 cf = boto3.client('cloudformation') def lambda_handler(event, context): res = cf.create_stack( StackName=('SampleStack'), TemplateURL='https://YourObjectUrl', ** Parameters=[ { 'ParameterKey': 'A Parameter', 'ParameterValue': 'A Value' }, ], Capabilities=[ 'CAPABILITY_IAM', 'CAPABILITY_NAMED_IAM',, ] ** )

Enter image description here

Cloud formation .yaml file code

**--- Parameters: SecurityGroupDescription: Description: Security Group Description Type: String KeyName: Description: Key Pair for EC2 Type: 'AWS::EC2::KeyPair::KeyName'

Resources: EC2Instance1: Type: AWS::EC2::Instance Properties: AvailabilityZone: us-east-1a ImageId: ami-051f7e7f6c2f40dc1 InstanceType: t2.micro SecurityGroups: - !Ref EC2SecurityGroup KeyName: !Ref KeyName UserData: Fn::Base64: !Sub | #!/bin/bash yum update -y yum install -y httpd systemctl start httpd systemctl enable httpd #echo "<h1>Hello from Region us-east-2a</h1>" > /var/www/html/index.html

EC2Instance2: Type: AWS::EC2::Instance Properties: AvailabilityZone: us-east-1b ImageId: ami-051f7e7f6c2f40dc1 InstanceType: t2.micro SecurityGroups: - !Ref EC2SecurityGroup KeyName: !Ref KeyName UserData: Fn::Base64: !Sub | #!/bin/bash yum update -y yum install -y httpd systemctl start httpd systemctl enable httpd #echo "<h1>Hello from Region us-east-2b</h1>" > /var/www/html/index.html

security group

ELBSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: ELB Security Group SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0

EC2SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: !Ref SecurityGroupDescription SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 SourceSecurityGroupId: Fn::GetAtt: - ELBSecurityGroup - GroupId - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0

Load Balancer for EC2

LoadBalancerforEC2: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: [us-east-1a, us-east-1b] Instances: - !Ref EC2Instance1 - !Ref EC2Instance2 Listeners: - LoadBalancerPort: '80' InstancePort: '80' Protocol: HTTP HealthCheck: Target: HTTP:80/ HealthyThreshold: '3' UnhealthyThreshold: '5' Interval: '30' Timeout: '5' SecurityGroups: - !GetAtt ELBSecurityGroup.GroupId**

  • secondabhi_aws EXPERT
    9 months ago

    Can you mention the error from lambda logs please?

Topics
ServerlessComputeManagement & Governance
Tags
AWS LambdaAWS CloudFormation
Language
English
navya
asked 9 months ago252 views
1 Answer
1

Hi Navya,

Please refer capabilities section at AWS create stack synopsis, where it says:

    --capabilities (list)

     In some cases, you must explicitly acknowledge that your stack template contains certain capabilities in order for CloudFormation to create the stack.

    CAPABILITY_IAM and CAPABILITY_NAMED_IAM Some stack templates might include resources that can affect permissions in your Amazon Web Services account; for example, by creating new Identity and Access Management (IAM) users. For those stacks, you must explicitly acknowledge this by specifying one of these capabilities. The following IAM resources require you to specify either the CAPABILITY_IAM or CAPABILITY_NAMED_IAM capability.
     If you have IAM resources, you can specify either capability.
     If you have IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM .
     If you don't specify either of these capabilities, CloudFormation returns an InsufficientCapabilities error.

Also, make sure that your lambda execution role has sufficient permissions for that s3 bucket location, where template is placed.

Edit:

Just pass CAPABILITY_IAM for capabilities. For key pair, include that in your cloudformation template as below:

  Resources:
    NewKeyPair:
      Type: 'AWS::EC2::KeyPair'
      Properties: 
        KeyName: new-key-pair
    Ec2Instance:
      Type: 'AWS::EC2::Instance'
      Properties:
        ImageId: ami-02b92c281a4d3dc79
        KeyName: !Ref NewKeyPair

Refer Examples section at AWS::EC2::KeyPair and create key pair

It'd be helpful if you mention the error message once you try.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
answered 9 months ago
profile picture
EXPERT
Giovanni Lauria
reviewed 2 months ago
  • navya
    9 months ago

    Initially I was getting an exception of permission but later it all removed as I have added all required permission to lambda but now the challenge is to pass existing key pair value in cloud formation parameter and define capabilities section. I would be grateful if you would share any working example that would quickly sort out the issue.

  • secondabhi_aws EXPERT
    9 months ago

    Hi Navya,

    Please refer Edit section in my answer and let me know if you have further questions, happy to assist.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content