How to add a Security Group in an existing Athena Interface Endpoint through CloudFormation Template

0

Hi,

I have created an Athena Interface Endpoint through a CloudFormation template. I have written the YAML template below to create it.

But I want to add a new security group to an Athena endpoint which already exists in the AWS account. Basically I need to update the Athena endpoint using CloudFormation. I tried searching the internet for how to modify an existing Athena interface endpoint to add a security group, but I couldn't find anything.

Could you please help me here?

Thanks

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: 'This AWS cloudformation template will setup Athena Interface Endpoint'
# Parameters (LandingServerCidrRange1, SubnetParam1-3) are referenced below but were not included in the post
Resources:
  EndpointSG:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: 'test-sg'
      GroupName: 'test-sg'
      SecurityGroupIngress:
        - IpProtocol: 'tcp'
          FromPort: 443
          ToPort: 443
          CidrIp:
            Ref: 'LandingServerCidrRange1'
      SecurityGroupEgress:   # loopback-only egress, i.e. effectively no outbound traffic
        - CidrIp: '127.0.0.1/32'
          IpProtocol: '-1'
      VpcId: '{{resolve:ssm:/app/network/VPCId}}'
  AthenaInterfaceEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Action: '*'     # blank in the post as extracted; '*' assumed
            Resource: '*'   # blank in the post as extracted; '*' assumed
            Principal:
              AWS:
                Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:root'
            Condition:
              StringEquals:
                'aws:PrincipalOrgID': '{{resolve:ssm:/core/org/id}}'
                'aws:PrincipalAccount':
                  Fn::Sub: '${AWS::AccountId}'
                'aws:ResourceAccount':
                  Fn::Sub: '${AWS::AccountId}'
                'aws:sourceVpc': '{{resolve:ssm:/app/network/VPCId}}'
      VpcId: '{{resolve:ssm:/app/network/VPCId}}'
      ServiceName:
        Fn::Sub: 'com.amazonaws.${AWS::Region}.athena'
      VpcEndpointType: 'Interface'
      PrivateDnsEnabled: true
      SubnetIds:
        - Ref: 'SubnetParam1'
        - Ref: 'SubnetParam2'
        - Ref: 'SubnetParam3'
      SecurityGroupIds:
        - Ref: 'EndpointSG'

  • please accept the answer if it was helpful

4 Answers
0

Hello.

If the existing VPC endpoint is managed by CloudFormation, I think all you need to do is update the "SecurityGroupIds" of the VPC endpoint in the existing CloudFormation template.
"SecurityGroupIds" is a list, so it is possible to set multiple items as shown below.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html#cfn-ec2-vpcendpoint-securitygroupids

      SecurityGroupIds:
        - !Ref EndpointSG
        - !Ref AddingSecurityGroupId
EXPERT
answered 3 months ago
EXPERT
Leo K
reviewed 3 months ago
  • Adding to this, if the VPC endpoint isn't currently managed by CloudFormation, you can import it into a new stack. Note that you shouldn't try to make any changes during the import, but after the resources have been imported successfully into the new stack, changes can be made as usual. The import process is explained here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html

  • Hi,

    Thanks all for the responses.

    Let's say the Athena Interface Endpoint was initially created by some Service Catalog product or manually from the console. During creation, someone attached a security group.

    Now I want to modify the same Athena interface endpoint by adding a new security group containing the IP address of my on-prem server so that I can run queries on Athena from the on-prem box. This time I need to write a CloudFormation YAML template from scratch.

    Is there any way I can fetch the existing Athena interface endpoint and add the new security group? Maybe by using Fn::GetAtt or another built-in function instead of passing it in via a parameter.

    Here I cannot use the script below as it will create another Athena interface endpoint.

    AthenaInterfaceEndpoint:
      Type: 'AWS::EC2::VPCEndpoint'
      Properties:
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Action: '*'     # blank in the post as extracted; '*' assumed
              Resource: '*'   # blank in the post as extracted; '*' assumed
              Principal:
                AWS:
                  Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:root'
              Condition:
                StringEquals:
                  'aws:PrincipalOrgID': '{{resolve:ssm:/core/org/id}}'
                  'aws:PrincipalAccount':
                    Fn::Sub: '${AWS::AccountId}'
                  'aws:ResourceAccount':
                    Fn::Sub: '${AWS::AccountId}'
                  'aws:sourceVpc': '{{resolve:ssm:/app/network/VPCId}}'
        VpcId: '{{resolve:ssm:/app/network/VPCId}}'
        ServiceName:
          Fn::Sub: 'com.amazonaws.${AWS::Region}.athena'
        VpcEndpointType: 'Interface'
        PrivateDnsEnabled: true
        SubnetIds:
          - Ref:   # the comment is truncated here in the post

  • CloudFormation does not allow you to directly find an existing VPC endpoint and add a security group to it. Why not try importing existing AWS resources into CloudFormation as @Leo K says? https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html

0

If you want to select an existing security group that was created manually, create a parameter in your CloudFormation template and use that security group later in your Athena endpoint resource.

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  AthenaSecurityGroupId:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: List of your Security Group IDs

Resources:
  AthenaInterfaceEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      # ..................................... (other endpoint properties omitted in the answer)
      # Ref on a List<...> parameter already returns a list, so assign it directly
      # rather than nesting it as an item of another list
      SecurityGroupIds:
        Ref: 'AthenaSecurityGroupId'

Or, if your security group is created by another CloudFormation template, you can output its ID from the first stack and import it into the Athena stack: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html

EXPERT
answered 3 months ago
0

Hi,

Thanks all for the responses.

Let's say the Athena Interface Endpoint was initially created by some Service Catalog product or manually from the console. During creation, someone attached a security group.

Now I want to modify the same Athena interface endpoint by adding a new security group containing the IP address of my on-prem server so that I can run queries on Athena from the on-prem box. This change needs to be deployed in a higher environment and I need to write a CloudFormation YAML template from scratch.

Is there any way I can fetch the existing Athena interface endpoint and add the new security group? Maybe by using Fn::GetAtt or another built-in function instead of passing it in via a parameter.

Here I cannot use the script below as it will create another Athena interface endpoint.

AthenaInterfaceEndpoint:
  Type: 'AWS::EC2::VPCEndpoint'
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: 'Allow'
          Action: '*'     # blank in the post as extracted; '*' assumed
          Resource: '*'   # blank in the post as extracted; '*' assumed
          Principal:
            AWS:
              Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:root'
          Condition:
            StringEquals:
              'aws:PrincipalOrgID': '{{resolve:ssm:/core/org/id}}'
              'aws:PrincipalAccount':
                Fn::Sub: '${AWS::AccountId}'
              'aws:ResourceAccount':
                Fn::Sub: '${AWS::AccountId}'
              'aws:sourceVpc': '{{resolve:ssm:/app/network/VPCId}}'
    VpcId: '{{resolve:ssm:/app/network/VPCId}}'
    ServiceName:
      Fn::Sub: 'com.amazonaws.${AWS::Region}.athena'
    VpcEndpointType: 'Interface'
    PrivateDnsEnabled: true
    SubnetIds:
      - Ref: 'SubnetParam1'
      - Ref: 'SubnetParam2'
      - Ref: 'SubnetParam3'
    SecurityGroupIds:
      - Ref: 'EndpointSG'

Apu
answered 3 months ago
0

By far, the simplest and most straightforward solution would be simply to delete the existing endpoint and to create a new one with CloudFormation and your desired configuration. Unless you have hardcoded the IP addresses of the existing endpoint somewhere in static configuration, all traffic will automatically get sent to the new endpoint by Route 53 Resolver's native integration with the DNS names of the endpoint.

The only direct impact would be a short interruption between the old endpoint being deleted and the new one becoming available for use.

If you specifically want to retain the old endpoint, the recommended approach would be to create a new CFN stack that imports the existing VPC endpoint into a CloudFormation stack: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html. After that, you can modify its configuration normally via CloudFormation.

You cannot modify the configuration of a VPC endpoint using CloudFormation without the VPC endpoint being managed by CloudFormation.

EXPERT
Leo K
answered 3 months ago
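The import-then-update flow that Leo K's comment and this answer describe, written out as an added example (it is not code from the thread or from AWS). It generates the import template, the resources-to-import mapping and an update template that appends an on-prem security group restricted to 443; every vpc-/subnet-/sg-/vpce- value is a placeholder, and the `Id` identifier key is assumed from the AWS::EC2::VPCEndpoint resource schema, so verify it against the import doc linked above.

```shell
#!/bin/sh
# Added example (not from the thread): import an endpoint created outside CloudFormation
# into a new stack, then add the on-prem SG in a normal update. All IDs are placeholders.
set -eu
# Step 1: only the resource being imported, with DeletionPolicy: Retain
# (required for import; also keeps the endpoint if the stack is ever deleted).
write_import_template() {
  cat > "$1" <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  AthenaInterfaceEndpoint:
    Type: AWS::EC2::VPCEndpoint
    DeletionPolicy: Retain
    Properties:
      ServiceName: !Sub com.amazonaws.${AWS::Region}.athena
      VpcEndpointType: Interface
      VpcId: vpc-PLACEHOLDER
      SubnetIds: [subnet-PLACEHOLDER]
      SecurityGroupIds: [sg-EXISTING-PLACEHOLDER]   # SG attached at creation
EOF
}
# Logical ID -> physical ID mapping for the IMPORT change set. "Id" is the
# primary identifier of AWS::EC2::VPCEndpoint (assumed; check the import doc).
write_resources_to_import() {
  printf '[{"ResourceType":"AWS::EC2::VPCEndpoint","LogicalResourceId":"AthenaInterfaceEndpoint","ResourceIdentifier":{"Id":"%s"}}]\n' "$2" > "$1"
}
# Step 2: after the import completes, the same template plus the new SG appended
# to SecurityGroupIds. Ingress is only 443 from the on-prem CIDR (placeholder range).
write_update_template() {
  sed '/^      SecurityGroupIds:/s/\]/, !Ref OnPremSG]/' "$1" > "$2"
  cat >> "$2" <<'EOF'
  OnPremSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Athena endpoint access from on-prem
      VpcId: vpc-PLACEHOLDER
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 203.0.113.0/24}
EOF
}
# The CLI sequence; not invoked here because it needs AWS credentials.
import_then_update() {
  aws cloudformation create-change-set --stack-name athena-endpoint --change-set-name import \
    --change-set-type IMPORT --resources-to-import file://resources.json --template-body file://import.yaml
  aws cloudformation execute-change-set --stack-name athena-endpoint --change-set-name import
  aws cloudformation wait stack-import-complete --stack-name athena-endpoint
  aws cloudformation deploy --stack-name athena-endpoint --template-file update.yaml
}
```

Run drift detection on the stack after the import to confirm the template's property values match the live endpoint before applying the update.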
