CloudFormation: Ignore changes

0

Being relatively new to CloudFormation, and having previously used Terraform, is there a way to ignore changes on a resource when performing a drift check?

We create a bastion host in each of our environments, which has a Security Group controlling access based upon IP addresses. Given that we have a home-based workforce, a user's IP address can change frequently. Users are able to manage updating the Security Group (SG) via the console/CLI, but it is too much/too complicated to expect them to manage changes via CloudFormation. Therefore, our bastion host stack is always DRIFTED. Is there any way, or a better way, of creating the bastion host SG so that it remains IN_SYNC, even though users will come and go and IP addresses will change?

2 Answers
2
Accepted Answer

You could consider parameterising the list of IP addresses in your CloudFormation template. That way, the users could simply click the "update" button on the CloudFormation stack, without even having to see the template, and update the current comma-separated list of IP addresses in the parameter to include theirs.

Another simple option would be for you to configure the security group to permit traffic from an IP prefix list, AWS::EC2::PrefixList (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-prefixlist.html). Users could update the prefix list via the console, and the CloudFormation stack could only reference the prefix list ID in the SourcePrefixListId property of the inbound security group rule (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupingress.html#cfn-ec2-securitygroupingress-sourceprefixlistid).

If you want to avoid having to hardcode or parameterise the prefix list ID in your CloudFormation template, you could also place it in a parameter in the SSM parameter store and import the value into the CloudFormation stack: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-pattern

EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
EXPERT
reviewed 10 months ago
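The second and third suggestions above combined into one template, as an added example (not code from the answerer or from AWS). The managed prefix list itself is created and maintained outside this stack; the template reads its ID from an assumed SSM String parameter named /bastion/prefix-list-id (holding a value such as pl-0123456789abcdef0) and references it from a separate AWS::EC2::SecurityGroupIngress resource. The VpcId parameter and port 22 are also assumptions for illustration.

```yaml
# Added example: bastion security group whose allowed source addresses live
# in a managed prefix list maintained outside this stack. The stack stores
# only the prefix-list ID, which it reads from SSM Parameter Store, so users
# adding or removing their CIDRs in the prefix list never drift this stack.
# Assumed: SSM parameter /bastion/prefix-list-id exists and holds a pl-… ID.
AWSTemplateFormatVersion: '2010-09-09'
Description: Bastion host security group sourced from a managed prefix list

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC the bastion host lives in

Resources:
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH to bastion from addresses in the workforce prefix list
      VpcId: !Ref VpcId
      # Ingress is declared as its own resource below rather than inline,
      # so this group resource carries no address-specific state at all.

  BastionSshFromPrefixList:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref BastionSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      # Dynamic reference resolved at stack create/update time. No version is
      # given, so the latest value of the parameter is used; pin ':1' style
      # versions if you want updates to be explicit. The rule stores only the
      # pl-… ID; the CIDR entries live in the prefix list, not in the SG.
      SourcePrefixListId: '{{resolve:ssm:/bastion/prefix-list-id}}'
      Description: Workforce addresses (managed prefix list, edited outside CFN)

Outputs:
  BastionSecurityGroupId:
    Description: Attach this group to the bastion instance
    Value: !Ref BastionSecurityGroup
```

Two practical caveats. Users who maintain the list need only ec2:ModifyManagedPrefixList (and ec2:GetManagedPrefixListEntries) on that one prefix list, which is a much narrower grant than letting them edit security group rules directly; and a prefix list referenced from a security group rule counts as its MaxEntries value against the rules-per-security-group quota, so size it to the real number of users rather than a generous round figure. If you would rather not use a dynamic reference, the equivalent is a template parameter of type AWS::SSM::Parameter::Value<String> with the same parameter name as its default.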
0

Ooh, I like the idea, Leo K, of using a Prefix List as a way of keeping the bastion host SG IN_SYNC, though I assume I'll have to manually create the Prefix List outside CloudFormation, as otherwise all I'm doing is moving the issue to another stack.

I'm already considering the need, for Business Continuity/Disaster Recovery purposes, to create a CloudFormation script that will create some resources initially and then delete the stack while retaining the resources, as they are too dynamic to manage through CloudFormation. This could include the Prefix List, and then add the details to SSM, which I'm also looking to adopt to predefine parameters so nested scripts will run non-interactively.

This is definitely food for thought. Many thanks.

answered 10 months ago
