Questions tagged with Infrastructure as Code

Hi aws re:Post! I used the AWS Timestream Web App Query Editor while developing my CDK IaC to test certain queries - specifically, I run the following and receive 1000 rows in response: ``` SELECT measure_value::varchar FROM DATABASE.TABLE ORDER BY time LIMIT 1000 ``` However the same exact query sent in NodeJS via `aws-sdk/TimestreamQuery` returns 0 rows in response. If I remove `ORDER BY time` such that my query is: ``` SELECT measure_value::varchar FROM DATABASE.TABLE LIMIT 1000 ``` the NodeJS Query client receives the same data as in the AWS Timestream Web App Query Editor. This is very bizarre behavior- I have not found any mention of it whatsoever in the context of AWS Timestream, and the only contextual results I found on the internet was [MySQL Bug Report #70466](https://bugs.mysql.com/bug.php?id=70466) ([accompanying stack overflow post](https://stackoverflow.com/questions/19086553/query-returns-no-results-only-when-order-by-added)). This really does not seem like a software configuration issue - to reiterate, if I omit `ORDER BY time` my NodeJS client behaves the same as my Web App client. Any insight on how to resolve this would be greatly appreciated!

I have a few team members want to work on different parts of a solution architecture. They should be able to create the following resources in their accounts, consume any updates from other team members updates to the whole solution architecture and test. These are the resources: 1. EventBridge (1 ESB) 2. C# Lambdas (6 Lambdas) 3. Cron Jobs (4 Cron Jobs) 4. On-Prem client applications (1 JavaScript applicaiton) This is our SDLC process: 1. We will use the AWS C# CDK to create the resources and roles. 2. On-Prem Jenkins to create a CI/CD To accomplish smooth development and deployment of the projects, what is the recommended way to split the projects into GitHub repositories? 1. Should the CDK (Infrastructure as Code) to create all the resources be a separate repository? Can this help the developer to deploy the resources in a single execution? 2. Should the CDK (Infrastructure as Code) to create the resource be part of the lambda or cron job itself? Any suggestions appreciated.

I'm looking for sample C# code to create EventBridge Bus, Rules, a few Lambdas and IM Security Roles to access them. I prefer infrastructure as code versus cloud formation script.

I am trying to create Data Stream -> Firehose -> OpenSearch infrastructure using the AWS CDK v2. In my CDK Stack I have created an [OpenSearch `Domain`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html), and am trying to create a Kinesis Firehose [`DeliveryStream`](https://docs.aws.amazon.com/cdk/api/v2/docs/@aws-cdk_aws-kinesisfirehose-alpha.DeliveryStream.html) with that domain as the destination. However, kinesisfirehose-destinations package seems to only have a ready-to-use [construct for S3 buckets](https://docs.aws.amazon.com/cdk/api/v2/docs/@aws-cdk_aws-kinesisfirehose-destinations-alpha.S3BucketProps.html), so there is no obvious way to do this easily. I have tried implementing my own [`IDestination`](https://docs.aws.amazon.com/cdk/api/v2/docs/@aws-cdk_aws-kinesisfirehose-alpha.IDestination.html), but I am at a complete loss since I have no idea how to implement `bind`. So, my questions are: 1. How are you supposed to implement `bind` in `IDestination`? 2. Are there any complete working examples of creating a Firehose to OpenSearch using the non-alpha L1 constructs?

Hi, we are trying to configure phased deployments in CDK for our EMR Cluster stack. Currently, we have set termination protection to false so that during a deployment, all the new clusters will be launched and then, at the end of the successful deployment, all the old clusters will be terminated. This is not very efficient because our accounts will need to have a larger service quota to support 2x our projected fleet size during deployments, as the fleet will effectively be duplicated during the first half of the deployment before the existing clusters are terminated in favor of the new clusters. Are there any phased deployment options available in CDK where we can tear down and create one cluster at a time? This would allow us to avoid a spot increase in service quota usage during deployments. Termination protection reference: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-emr.CfnCluster.JobFlowInstancesConfigProperty.html#terminationprotected

I am using aws cdk using typescript. The aws-cdk version is being used with 1.134.0 fixed. To explain the problem, I made an apigateway using RestApi in aws cdk. In the option value, deploy was set to true, and the meaning of this was explained as follows in the aws cdk document. `Indicates if a Deployment should be automatically created for this API, and recreated when the API model (resources, methods) changes.` It doesn't seem to work properly. The addition and modification of resources, methods seem to work well. However, even if RestApi's method is deleted, it is not deleted from the stage. In addition, my cdk is a simple structure with only the creation of RestApi and the addition of methods through the resource.add method. Did I miss anything?

Hi all, I'm using CloudFormation to manage AWS Firewall Policy. Following the document here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-fms-policy.html I have defined `SecurityServicePolicyData` with type `WAFV2`. Example Code ``` "ManagedServiceData": "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}" ``` Now I want to exclude one of the rules within `AWSManagedRulesCommonRuleSet` but I don't see any guidelines or examples to do that. My question is how to exclude one of the rules within `AWSManagedRulesCommonRuleSet` for example with CloudFormation. ? Regards,

Hi, I am trying to get my CDK Stacks deployed automatically via CodePipeline. The pipeline works but it won't get triggered from any commits on my GitHub Repository. I've created an issue for that: https://github.com/aws/aws-cdk/issues/18656 Basically the code looks like that ```ts const githubConnection = pipelines.CodePipelineSource.connection( "org/repo", "main", { connectionArn: ARN triggerOnPush: true, } ); ``` ```ts const pipeline = new pipelines.CodePipeline(this, "CdkPipeline", { synth: new pipelines.ShellStep("Synth", { input: githubConnection, installCommands: ["yarn install --frozen-lockfile"], commands: ["npx cdk synth"], }), }); ```

I'm still studying for the associate arch exam and I am looking for a diagramming tool (along the lines of draw.io, Cloudcraft, etc.) for a tabula rasa workflow to allow me to capture visualizations of what I think would be helpful for me in my learning. Such a (generic, not the AWS definition) workflow would go along these lines: 1. Draw box(es)for a region(s) 2. draw one or more VPCs in the region(s) 3. draw one or more subnets in a/each VPC 4. instantiate EC2, DB, ELB, etc. 5. (ideally, containing artifacts resize automagically as things are put inside) 6. add connecting devices and other artifacts as needed to show connectivity and other relationships amongst the various pieces and with the big, bad world. 7. Ideally, allow me to add configuration data specific to each artifact. It doesn't need to generate anything (i.e. IaaS) from the diagram but it certainly could. Does such a useful thing exist? CloudFormation Designer does not fit the bill nor do draw.io and Cloudcraft from what I could see from a quick tire kick. Appreciate any suggestions.

Acronym legend: * ALB - ApplicationLoadBalancer * ATG - ApplicationTargetGroup aka Target Group * VPC - Virtual Private Cloud **Our situation:** Using the AWS Console manually, it was shown that using Route 53 to an ALB (Application Load Balancer) to a private Interface VPC Endpoint to a private REST API-Gateway to a private Lambda works well. (ALB and a gateway Custom-domain-name exist due to https and the needed Certificate) The ALB needs a Target Group which targets the IP addresses of the Interface VPC Endpoint. (We tried using InstanceIdTarget with the endpoint's vpcEndpointId, but that failed with the error *Instance ID 'vpce-WITHWHATEVERHERE' is not valid* ) Using CDK, we created the following (among other things) using the aws_elasticloadbalancingv2 module: * ApplicationLoadBalancer (ALB) * ApplicationTargetGroup (ATG) aka Target Group We added a listener to the ALB. We added the Target Group to the listener. **It’s not clear how to get the IP addresses from the VPC endpoint. We want to add the IP addresses to the ATG aka Target Group using the targets property.** How to get the IP addresses of the Interface VPC Endpoint via CDK? A sample of resources we've used: * https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2-readme.html * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationTargetGroup.html * https://stackoverflow.com/questions/57267594/how-to-get-privateipaddress-of-vpc-endpoint-in-cdk * https://medium.com/codex/aws-private-api-gateway-with-custom-domain-names-350fee48b406 - The approach we want in general. We're using the latest available as of this writing (AWS CDK 2.5.0)

We use CDK to build infrastructure in the customer's AWS environment. However, It is prohibited to create IAM resources in customer's AWS environment. Therefore, CDKToolkit cannot be deployed because CDKToolkit in CDK v2 contains IAM resources. Is there any way to use CDK without CDKToolkit or in the stack without including IAM in CDKToolkit?