Questions tagged with AWS CloudFormation


How to parametrize Mappings and PermissionBoundary with an AWS CloudFormation template effectively

I have the CFN template below, which is working fine; however, as I am still learning and want my `Mappings` to be parametrized, I'm not finding the way to do it. Secondly, I am not able to use the `PermissionBoundary` parameter like `Default: !Sub arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary`, as it probably doesn't like the `!Sub` function being called and then referenced in the `AWS::IAM::Role`; hence for now I am using it directly like `PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary'`, which indeed works well. Can someone please help me to 1) get the `Mapping` parametrized and 2) use the `PermissionBoundary` parameter as a reference while using `${AWS::AccountId}` in it? Below is the working code; the commented portion is the one which doesn't work.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This AWS Backup template deploys AWS backup-Plan for the FSx cloud resources.
Parameters:
  FsxIAMBackupRole:
    Type: String
    Default: 'test-fsx-backup-role'
    Description: 'IAM Role for FsxN backup Service.'
  FsxBackupVaultName:
    Type: String
    Default: 'test-fsx-backup-vault'
    Description: 'Provide the name of the backup-vault.'
  FsxBackupPlanName:
    Type: String
    Default: 'test-fsx-backup-plan'
    Description: 'Provide the name of the backup-plan.'
  FsxBackupRuleName:
    Type: String
    Default: 'test-fsx-backup-rule'
    Description: 'Provide the name of the backup-rule.'
  FsxBackupSelectionName:
    Type: String
    Default: 'test-fsx-backup-selection'
    Description: 'Provide the name of the backup-selection.'
  FsxBackupDeleteAfterDays:
    Type: Number
    Default: 22
    Description: 'Days to expire backups from vault.'
  FsxVaultMinRetentionDays:
    Type: Number
    Default: 21
    Description: 'Retention period in days that the vault retains backup data.'
  FsxVaultChangeableForDays:
    Type: Number
    Default: 3
    Description: 'Number of days before the vault lock. After this period, Vault Lock becomes immutable and cannot be changed or deleted.'
  # The parameter below is the part that does not work: a Parameter Default
  # must be a literal value, so !Sub is not accepted here.
  # PermissionBoundary:
  #   Type: String
  #   #Default: !Sub arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary
  #   Description: 'Provide Permission Boundary Name'
  #
Mappings:
  # Per-region backup schedule, selected with !FindInMap on AWS::Region
  RegionMap:
    us-east-1:
      schedulexpr: "cron(00 19 * * ? *)"
    us-west-1:
      schedulexpr: "cron(00 18 * * ? *)"
    eu-west-1:
      schedulexpr: "cron(00 17 * * ? *)"
    ap-southeast-1:
      schedulexpr: "cron(00 16 * * ? *)"
    ap-northeast-1:
      schedulexpr: "cron(00 15 * * ? *)"
Resources:
  FSxBackupIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Create IAM role for backup service
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
      Path: "/"
      # Works: the boundary ARN is built inline with !Sub instead of via a parameter
      PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary'
      RoleName: !Ref FsxIAMBackupRole
  FSxBackupsVault:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: !Ref FsxBackupVaultName
  FSxBackupPlan:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: !Ref FsxBackupPlanName
        BackupPlanRule:
          - RuleName: !Ref FsxBackupRuleName
            TargetBackupVault: !Ref FSxBackupsVault
            StartWindowMinutes: 240
            # A duplicate "ScheduleExpression: !Ref FsxBackupScheduleExpression" key
            # (referencing a parameter that is not declared) was dropped here;
            # the mapping lookup is the one that is actually in effect.
            ScheduleExpression: !FindInMap
              - RegionMap
              - !Ref 'AWS::Region'
              - schedulexpr
            Lifecycle:
              DeleteAfterDays: !Ref FsxBackupDeleteAfterDays
  FsxTagBasedBackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId:
        Fn::GetAtt:
          - FSxBackupPlan
          - BackupPlanId
      BackupSelection:
        IamRoleArn:
          Fn::GetAtt:
            - FSxBackupIAMRole
            - Arn
        # Select FSx resources by tag: storage=backup-production
        Conditions:
          StringEquals:
            - ConditionKey: aws:ResourceTag/storage
              ConditionValue: backup-production
        Resources:
          - arn:aws:fsx:*
        SelectionName: !Ref FsxBackupSelectionName
```
1 answer, 0 votes, 57 views. Asked by Karn a month ago.

Why does CloudFormation Drift generate false negatives?

CloudFormation Drift is not detecting changes to S3 Lifecycle policies. If I modify the lifecycle policies, Drift Detection replies that the stack is "IN_SYNC":

```
[cloudshell-user@ip-10-0-5-107 ~]$ aws cloudformation deploy --template-file create_s3.yaml \
>     --stack-name test-drift \
>     --parameter-overrides Name="erase-just-a-test"

Waiting for changeset to be created..
Waiting for stack create/update to complete
Successfully created/updated stack - test-drift
[cloudshell-user@ip-10-0-5-107 ~]$
[cloudshell-user@ip-10-0-5-107 ~]$ aws s3api get-bucket-lifecycle-configuration --bucket "erase-just-a-test"

An error occurred (NoSuchLifecycleConfiguration) when calling the GetBucketLifecycleConfiguration operation: The lifecycle configuration does not exist
[cloudshell-user@ip-10-0-5-107 ~]$ aws s3api put-bucket-lifecycle-configuration --bucket erase-just-a-test --lifecycle-configuration file://lifecycle.json
[cloudshell-user@ip-10-0-5-107 ~]$ aws s3api get-bucket-lifecycle-configuration --bucket "erase-just-a-test"
{
    "Rules": [
        {
            "Expiration": {
                "Days": 248
            },
            "ID": "ExpireAfter8Months",
            "Filter": {
                "Prefix": ""
            },
            "Status": "Enabled"
        }
    ]
}
[cloudshell-user@ip-10-0-5-107 ~]$
[cloudshell-user@ip-10-0-5-107 ~]$ aws cloudformation detect-stack-drift --stack-name test-drift
{
    "StackDriftDetectionId": "e97c08f0-5971-11ed-9f65-02bf9621f869"
}
[cloudshell-user@ip-10-0-5-107 ~]$ aws cloudformation describe-stack-resource-drifts --stack-name test-drift
{
    "StackResourceDrifts": [
        {
            "StackId": "arn:aws:cloudformation:us-west-2:645905195459:stack/test-drift/b40eaab0-5971-11ed-b543-066d6464f449",
            "LogicalResourceId": "S3Bucket",
            "PhysicalResourceId": "erase-just-a-test",
            "ResourceType": "AWS::S3::Bucket",
            "ExpectedProperties": "{\"BucketName\":\"erase-just-a-test\"}",
            "ActualProperties": "{\"BucketName\":\"erase-just-a-test\"}",
            "PropertyDifferences": [],
            "StackResourceDriftStatus": "IN_SYNC",
            "Timestamp": "2022-10-31T23:15:31.094000+00:00"
        }
    ]
}
[cloudshell-user@ip-10-0-5-107 ~]$
```
1 answer, 0 votes, 14 views. Asked a month ago.

FS "does not have mount targets created in all availability zones the function will execute in" (but it does)

I'm getting this error:

> Resource handler returned message: "EFS file system arn:aws:elasticfilesystem:us-west-2:999999999999:file-system/fs-0389f6268bc5e61a8 referenced by access point arn:aws:elasticfilesystem:us-west-2:999999999999:access-point/fsap-0ee6de7a6069fda4a does not have mount targets created in all availability zones the function will execute in. Please create EFS mount targets in availability zones where the function has a corresponding subnet provided. (Service: Lambda, Status Code: 400, Request ID: 5c4b694a-ba28-4a9f-8e1a-f1fde134f398)" (RequestToken: 85c51e18-d780-d8df-44d2-54c1194cea9f, HandlerErrorCode: InvalidRequest)

But I don't understand, because clearly I have set up the 3 AZs. Here's my template in its entirety:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  pouchdb-sam-app
Transform:
  - AWS::Serverless-2016-10-31
Parameters:
  FileSystemName:
    Type: String
    Default: TestFileSystem
Resources:
  MountTargetVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.31.0.0/16
      EnableDnsHostnames: True
      EnableDnsSupport: True
  # One subnet per AZ (a, b, c) in the deployment region
  MountTargetSubnetOne:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 172.31.1.0/24
      VpcId: !Ref MountTargetVPC
      AvailabilityZone: !Sub "${AWS::Region}a"
  MountTargetSubnetTwo:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 172.31.2.0/24
      VpcId: !Ref MountTargetVPC
      AvailabilityZone: !Sub "${AWS::Region}b"
  MountTargetSubnetThree:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 172.31.3.0/24
      VpcId: !Ref MountTargetVPC
      AvailabilityZone: !Sub "${AWS::Region}c"
  FileSystemResource:
    Type: 'AWS::EFS::FileSystem'
    Properties:
      PerformanceMode: maxIO
      Encrypted: true
      FileSystemTags:
        - Key: Name
          Value: !Ref FileSystemName
      FileSystemPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "elasticfilesystem:ClientMount"
            Principal:
              AWS: "*"
  # One mount target per subnet, using the VPC default security group
  MountTargetResource1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystemResource
      SubnetId: !Ref MountTargetSubnetOne
      SecurityGroups:
        - !GetAtt MountTargetVPC.DefaultSecurityGroup
  MountTargetResource2:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystemResource
      SubnetId: !Ref MountTargetSubnetTwo
      SecurityGroups:
        - !GetAtt MountTargetVPC.DefaultSecurityGroup
  MountTargetResource3:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystemResource
      SubnetId: !Ref MountTargetSubnetThree
      SecurityGroups:
        - !GetAtt MountTargetVPC.DefaultSecurityGroup
  AccessPointResource:
    Type: 'AWS::EFS::AccessPoint'
    Properties:
      FileSystemId: !Ref FileSystemResource
      PosixUser:
        Uid: "1000"
        Gid: "1000"
      RootDirectory:
        CreationInfo:
          OwnerGid: "1000"
          OwnerUid: "1000"
          Permissions: "0777"
        Path: "/data"
  getAllItemsFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: src/handlers/get-all-items.getAllItemsHandler
      Runtime: nodejs16.x
      Architectures:
        - x86_64
      MemorySize: 128
      Timeout: 100
      Events:
        Api:
          Type: Api
          Properties:
            Path: /{proxy+}
            Method: ANY
      # The function is attached to all three subnets and mounts the access point
      VpcConfig:
        SecurityGroupIds:
          - !GetAtt MountTargetVPC.DefaultSecurityGroup
        SubnetIds: [ !Ref MountTargetSubnetOne, !Ref MountTargetSubnetTwo, !Ref MountTargetSubnetThree ]
      FileSystemConfigs:
        - Arn: !GetAtt AccessPointResource.Arn
          LocalMountPath: "/mnt/data"
      Policies:
        - Statement:
            - Sid: AWSLambdaVPCAccessExecutionRole
              Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
                - ec2:CreateNetworkInterface
                - ec2:DescribeNetworkInterfaces
                - ec2:DeleteNetworkInterface
              Resource: "*"
            - Sid: AmazonElasticFileSystemClientFullAccess
              Effect: Allow
              Action:
                - elasticfilesystem:ClientMount
                - elasticfilesystem:ClientRootAccess
                - elasticfilesystem:ClientWrite
                - elasticfilesystem:DescribeMountTargets
              Resource: "*"
Outputs:
  WebEndpoint:
    Description: "API Gateway endpoint URL for Prod stage"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
```
1 answer, 0 votes, 24 views. Asked by Alex1 a month ago.