Hello.
If the existing VPC endpoint is managed by CloudFormation, I think all you need to do is update the "SecurityGroupIds" of the VPC endpoint in the existing CloudFormation template.
"SecurityGroupIds" is a list, so it is possible to set multiple items as shown below.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html#cfn-ec2-vpcendpoint-securitygroupids
SecurityGroupIds:
  - !Ref EndpointSG
  - !Ref AddingSecurityGroupId
Adding to this, if the VPC endpoint isn't currently managed by CloudFormation, you can import it into a new stack. Note that you shouldn't try to make any changes during the import, but after the resources have been imported successfully into the new stack, changes can be made as usual. The import process is explained here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html
Hi,
Thanks all for the responses.
Let's say the Athena Interface Endpoint was created initially by some Service Catalog product or manually from the console. During creation someone attached a security group.
Now I want to modify the same Athena interface endpoint by adding a new security group containing the IP address of my on-prem server so that I can run queries on Athena from the on-prem box. This time I need to write a CloudFormation YAML template from scratch.
Is there any way I can fetch the existing Athena interface endpoint and add the new security group? Maybe by using Fn::GetAtt or any other built-in function instead of passing it using a parameter.
Here I cannot use the below script as it will create another athena interface endpoint.
'AthenaInterfaceEndpoint':
  'Type': 'AWS::EC2::VPCEndpoint'
  'Properties':
    'PolicyDocument':
      'Version': '2012-10-17'
      'Statement':
        - 'Effect': 'Allow'
          'Action': '*'
          'Resource': '*'
          'Principal':
            'AWS':
              'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:root'
          'Condition':
            'StringEquals':
              'aws:PrincipalOrgID': '{{resolve:ssm:/core/org/id}}'
              'aws:PrincipalAccount':
                'Fn::Sub': '${AWS::AccountId}'
              'aws:ResourceAccount':
                'Fn::Sub': '${AWS::AccountId}'
              'aws:sourceVpc': '{{resolve:ssm:/app/network/VPCId}}'
    'VpcId': '{{resolve:ssm:/app/network/VPCId}}'
    'ServiceName':
      'Fn::Sub': 'com.amazonaws.${AWS::Region}.athena'
    'VpcEndpointType': 'Interface'
    'PrivateDnsEnabled': !!bool 'true'
    'SubnetIds':
      - 'Ref':
CloudFormation does not allow you to directly find an existing VPC endpoint and add a security group to it. Why not try importing existing AWS resources into CloudFormation as @Leo K says? https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html
If you want to select an existing security group that was created manually, create a parameter in your CloudFormation template and use the security group later in your Athena endpoint resource:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  AthenaSecurityGroupId:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: List of your Security Group IDs
Resources:
  AthenaInterfaceEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      .....................................
      # Ref on a List<...> parameter already returns a list, so it is assigned
      # directly rather than nested inside another list item.
      SecurityGroupIds:
        Ref: 'AthenaSecurityGroupId'
Or, if your Security Group is created by another CloudFormation template, you can output its ID from the first stack and import it into the Athena stack: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html
Hi,
Thanks all for the responses.
Let's say the Athena Interface Endpoint was created initially by some Service Catalog product or manually from the console. During creation someone attached a security group.
Now I want to modify the same Athena interface endpoint by adding a new security group containing the IP address of my on-prem server so that I can run queries on Athena from the on-prem box. This change needs to be deployed in a higher environment and I need to write a CloudFormation YAML template from scratch.
Is there any way I can fetch the existing Athena interface endpoint and add the new security group? Maybe by using Fn::GetAtt or any other built-in function instead of passing it using a parameter.
Here I cannot use the below script as it will create another athena interface endpoint.
'AthenaInterfaceEndpoint':
  'Type': 'AWS::EC2::VPCEndpoint'
  'Properties':
    'PolicyDocument':
      'Version': '2012-10-17'
      'Statement':
        - 'Effect': 'Allow'
          'Action': '*'
          'Resource': '*'
          'Principal':
            'AWS':
              'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:root'
          'Condition':
            'StringEquals':
              'aws:PrincipalOrgID': '{{resolve:ssm:/core/org/id}}'
              'aws:PrincipalAccount':
                'Fn::Sub': '${AWS::AccountId}'
              'aws:ResourceAccount':
                'Fn::Sub': '${AWS::AccountId}'
              'aws:sourceVpc': '{{resolve:ssm:/app/network/VPCId}}'
    'VpcId': '{{resolve:ssm:/app/network/VPCId}}'
    'ServiceName':
      'Fn::Sub': 'com.amazonaws.${AWS::Region}.athena'
    'VpcEndpointType': 'Interface'
    'PrivateDnsEnabled': !!bool 'true'
    'SubnetIds':
      - 'Ref': 'SubnetParam1'
      - 'Ref': 'SubnetParam2'
      - 'Ref': 'SubnetParam3'
    'SecurityGroupIds':
      - 'Ref': 'EndpointSG'
By far, the simplest and most straightforward solution would be simply to delete the existing endpoint and to create a new one with CloudFormation and your desired configuration. Unless you have hardcoded the IP addresses of the existing endpoint somewhere in static configuration, all traffic will automatically get sent to the new endpoint by Route 53 Resolver's native integration with the DNS names of the endpoint.
The only direct impact would be a short interruption between the old endpoint being deleted and the new one becoming available for use.
If you specifically want to retain the old endpoint, the recommended approach would be to create a new CFN stack that imports the existing VPC endpoint into a CloudFormation stack: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html. After that, you can modify its configuration normally via CloudFormation.
You cannot modify the configuration of a VPC endpoint using CloudFormation without the VPC endpoint being managed by CloudFormation.
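A worked import template for the scenario in this thread, added here as an example and not taken from the thread or from AWS documentation: it is the template handed to an IMPORT change set for the console-created Athena endpoint, with the spot where the on-prem security group is appended once the import has succeeded. Every id is a placeholder that must be replaced with the live endpoint's values, and ExistingEndpointSG / OnPremQuerySG are names assumed for illustration.

```yaml
# Added example (not from the thread). Template for the IMPORT change set that brings
# the console-created Athena endpoint under CloudFormation; every id below is a
# placeholder and must be replaced with the live resource's values.
AWSTemplateFormatVersion: '2010-09-09'
Description: Import an existing Athena interface endpoint, then manage its security groups here

Parameters:
  ExistingEndpointSG:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group attached when the endpoint was created (assumed parameter name)

Resources:
  AthenaInterfaceEndpoint:
    Type: AWS::EC2::VPCEndpoint
    # Import requires a DeletionPolicy on every imported resource; Retain means a later
    # stack deletion leaves the endpoint (and its private DNS name) in place.
    DeletionPolicy: Retain
    Properties:
      # Create-only properties: they must describe the endpoint as it exists today,
      # otherwise a later update would try to replace it.
      VpcId: vpc-0123456789abcdef0               # placeholder
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.athena'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds:
        - subnet-0123456789abcdef0               # placeholder
        - subnet-0123456789abcdef1               # placeholder
      # Carry over the live endpoint's PolicyDocument here as well so the stack
      # fully describes the resource and drift detection has something to compare.
      SecurityGroupIds:
        - !Ref ExistingEndpointSG
        # After the import succeeds, append the on-prem security group and run a
        # normal stack update (an import change set may not create new resources):
        #   - !Ref OnPremQuerySG   # assumed parameter; its rule should allow only TCP 443 from the on-prem CIDR
```

Create the change set with `aws cloudformation create-change-set --change-set-type IMPORT` and a `--resources-to-import` entry whose ResourceType is AWS::EC2::VPCEndpoint, LogicalResourceId is AthenaInterfaceEndpoint and ResourceIdentifier is {"Id": "vpce-..."} (the real endpoint id). Run drift detection on the stack after executing it, and only then add the on-prem security group in an ordinary update.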
Please accept the answer if it was helpful.