Questions tagged with AWS CloudFormation


Update Existing Cognito User Pool Group via CDK

Hi, I have a Cognito User Pool with a user group. This simple configuration deploys fine the first time. Any subsequent attempt to run `cdk deploy`, with or without changes, errors out with a `group already exists in stack` error. I'm using Java for my CDK. Here's the code I'm using to create the user pool + group:

```java
import java.util.List;

// Imports assume the CDK v2 package layout (aws-cdk-lib); scope, REPLY_TO_EMAIL and
// TEMP_PWD_VALIDITY_IN_DAYS are fields of the enclosing class.
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.RemovalPolicy;
import software.amazon.awscdk.services.cognito.*;
import software.amazon.awscdk.services.iam.AccountRootPrincipal;
import software.amazon.awscdk.services.iam.ManagedPolicy;
import software.amazon.awscdk.services.iam.Role;

public void generateStack() {
    // Create User Pool
    UserPool userPool = UserPool.Builder.create(scope, "some-id")
        .accountRecovery(AccountRecovery.EMAIL_ONLY)
        .autoVerify(AutoVerifiedAttrs.builder()
            .email(true)
            .phone(false)
            .build())
        .email(UserPoolEmail.withCognito(REPLY_TO_EMAIL))
        .enableSmsRole(false)
        .mfa(Mfa.OFF)
        .passwordPolicy(PasswordPolicy.builder()
            .minLength(8)
            .requireDigits(true)
            .requireLowercase(true)
            .requireUppercase(true)
            .tempPasswordValidity(Duration.days(TEMP_PWD_VALIDITY_IN_DAYS))
            .build())
        .removalPolicy(RemovalPolicy.RETAIN)
        .selfSignUpEnabled(true)
        .signInAliases(SignInAliases.builder()
            .email(true)
            .phone(false)
            .preferredUsername(false)
            .username(false)
            .build())
        .signInCaseSensitive(false)
        .standardAttributes(StandardAttributes.builder()
            .email(StandardAttribute.builder().mutable(false).required(true).build())
            .givenName(StandardAttribute.builder().mutable(true).required(true).build())
            .familyName(StandardAttribute.builder().mutable(true).required(true).build())
            .phoneNumber(StandardAttribute.builder().mutable(true).required(true).build())
            .build())
        .userPoolName("some-pool-name")
        .build();

    // Role the group members will assume; AdministratorAccess as posted
    Role adminRole = Role.Builder.create(scope, "role-id")
        .roleName("admin-role")
        .assumedBy(new AccountRootPrincipal())
        .description("This is a full access admin role for Ops Team")
        .maxSessionDuration(Duration.hours(12))
        .managedPolicies(List.of(ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")))
        .build();

    // Add admin group
    new CfnUserPoolGroup(scope, "admin-users", CfnUserPoolGroupProps.builder()
        .description("Admin group for the Ops team")
        .groupName("admin-ops")
        .precedence(0)
        .roleArn(adminRole.getRoleArn())
        .userPoolId(userPool.getUserPoolId())
        .build());
}
```

Is there a way to stop CDK from trying to create a group if it already exists in the stack? Thanks, Kunal
0 answers · 0 votes · 14 views · asked 13 days ago

Failure in CloudFormation template [CommandRunner] while running CLI command for CloudTrail

Hi guys, I am trying to run a CLI command to update a CloudTrail, but the stack is failing. The requirement is to apply advanced data events to an existing CloudTrail. Please find the details of the CF template below:

1. CF template

```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  UpdateTrail:
    Type: AWSUtility::CloudFormation::CommandRunner
    Properties:
      Role: ec2-role-name
      SubnetId: subnet-XXXXXXXXX
      LogGroup: log-group-name
      Command: aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX \ --advanced-event-selectors....
```

2. Error

Resource handler returned message: "Either the command failed to execute, the value written to /command-output.txt was invalid or the Subnet specified did not have internet access. The value written to /command-output.txt must be a non-empty single word value without quotation marks. Check cloud-init.log in the LogGroup specified for more information."

3. CLI command

```bash
aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX --advanced-event-selectors '[
  {
    "Name": "S3EventSelector",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Data"] },
      { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
      { "Field": "eventName", "Equals": ["PutObject", "DeleteObject"] },
      { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::XX", "arn:aws:s3:::XX"] }
    ]
  }
]'
```

Note: the command runs successfully in the CLI. The prerequisites for CommandRunner are installed. Also, the subnet specified does have internet access. I sense it might be an issue with the command format, or maybe something else. Any assistance would be appreciated. Thanks
1 answer · 0 votes · 45 views · Pradnya, asked 14 days ago

AWS Elastic Beanstalk

I am facing an error "Service:AmazonCloudFormation, Message:Template error: instance of Fn::GetAtt references undefined resource AWSEBLoadBalancer" in AWS Elastic Beanstalk.

**Scenario:**

* To implement CI/CD, I am using multiple services: Bitbucket, CodePipeline, CodeBuild.
* In CodeBuild, I have been using an AWS CLI command to deploy the artifact from an S3 bucket to one of the Beanstalk environments.
* As AWS Elastic Beanstalk uses a different CloudFormation template for every environment to update it, the error log which I am getting in the Beanstalk environment is related to CloudFormation.
* I prefer experimenting with new things in my personal account rather than the company's account. Keeping that in context, I created an IAM user there and provided the required permissions to run the whole architecture, and it runs successfully using that account.
* I faced this error in my company's IAM account for the first time, so I recreated this same error in my personal account's IAM user.
* As the error log in the newly created Beanstalk environment was related to the CloudFormation template, I checked the logs in the environment and found that the status of this template was *"CREATE_COMPLETE"*.
* I then checked the status of the CloudFormation template of the old environment, in which the whole CI/CD was working absolutely fine, and found that its status was *"UPDATE_COMPLETE"*.
* In order to make the status of the newly created Beanstalk environment "UPDATE_COMPLETE", I manually uploaded an artifact to this environment, which changed the status of the CloudFormation template to "UPDATE_COMPLETE".
* And then, when I ran the CI/CD, the whole architecture worked very well.
* So this worked in my personal account's IAM user, but when I try to do the same in my company's account IAM user (the account provided to me by them), it shows the same error in the Beanstalk environment even after providing the same IAM permissions and following the same drill.

*Can someone help me figure out what the possible reasons for this scenario could be?*

![Please refer to this image for the exact error](/media/postImages/original/IMB4vvrfujRyy6ILN8KpTt8A)
0 answers · 0 votes · 18 views · asked 16 days ago

How to get ip addresses of apigateway vpce using cdk?

**Background context / End goal:** I am trying to use CDK to create a target group that consists of the IP addresses associated with a VPC endpoint (for API Gateway), as per this [AWS blog][1]. Ideally, I would like to be able to just look up the associated IPs using only the fact that the VPCE is for the API Gateway service, or potentially using the VPCE ID.

**Problem**

I cannot find a way to get the network interface IDs & IP addresses for the VPC endpoint.

**Attempts**

1. I tried to use the CDK [InterfaceVpcEndpoint construct][2] static method `fromInterfaceVpcEndpointAttributes` (filtering by service). It did return the desired VPCE, but unfortunately it returns it [in the form of IInterfaceVpcEndpoint][3], which does not have the vpceNetworkInterfaceIds attribute that the InterfaceVpcEndpoint construct has.

2. I was able to use [AwsCustomResource][4] (after consulting a Stack Overflow post that referenced [this example][5]) to look up the IP addresses for a given array of VPCE network interface IDs:

```typescript
// Import path assumes CDK v2 (aws-cdk-lib)
import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';

const vpceNetworkInterfaceIds = ['eniId1', 'eniId2'];

// One SDK call returning all requested ENIs; each PrivateIpAddress is read back by index
const getEniIps = new AwsCustomResource(scope, `GetEndpointIps`, {
  onUpdate: {
    service: "EC2",
    action: "describeNetworkInterfaces",
    parameters: { NetworkInterfaceIds: vpceNetworkInterfaceIds },
    physicalResourceId: PhysicalResourceId.of(Date.now().toString()),
  },
  policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),
});

const privateIpAddresses: string[] = [];
for (let i = 0; i < vpceNetworkInterfaceIds.length; i++) {
  const privateIpAddress: string = getEniIps.getResponseField(`NetworkInterfaces.${i}.PrivateIpAddress`).toString();
  privateIpAddresses.push(privateIpAddress);
}
return privateIpAddresses;
```

3. I tried to make a similar SDK call ([describeVpcEndpoints][6]), but then I encountered issues retrieving the array of NetworkInterfaceIds.

```typescript
const getNetworkInterfaceIpAddresses = new AwsCustomResource(scope, `GetVpceNetworkInterfaceIds`, {
  onUpdate: {
    service: "EC2",
    action: "describeVpcEndpoints",
    parameters: {
      Filters: [
        { Name: "service-name", Values: ["com.amazonaws.us-east-1.execute-api"] },
      ],
    },
    physicalResourceId: PhysicalResourceId.of(Date.now().toString()),
  },
  policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),
});
return getNetworkInterfaceIpAddresses.getResponseFieldReference(`VpcEndpoints.0.NetworkInterfaceIds`).toJSON();
```

I tried variations of using the [Reference][7] methods toJSON, toString, Token.asXXX, but was not able to figure out how to get the array of values from this custom resource. One of the errors that I got was "Vendor response doesn't contain VpcEndpoints.0.NetworkInterfaceIds key in object .....", but when I made the describeVpcEndpoints call via the CLI, I can definitely see that there is a VpcEndpoints.0.NetworkInterfaceIds value that should be populated.

**Questions**

1. How can you get an array from the SDK call of an AWS custom resource?
2. How can you debug CDK AWS custom resources that make SDK calls? Logging locally only yields the tokens, which is not helpful.
3. Is there a more straightforward way to get the vpceNetworkInterfaceIds of a given VPCE?
4. Is there a more straightforward way to get the IP addresses for a given VPCE?

[1]: https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-an-aws-api-gateway-via-static-ip-addresses-provided-by-aws-global-accelerator/
[2]: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-ec2.InterfaceVpcEndpoint.html#vpcendpointnetworkinterfaceids
[3]: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-ec2.IInterfaceVpcEndpoint.html
[4]: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources.AwsCustomResource.html#getwbrresponsewbrfielddatapath
[5]: https://github.com/taimos/cdk-constructs/blob/master/lib/serverless/internal-rest-api.ts#L117
[6]: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/EC2.html#describeVpcEndpoints-property
[7]: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.Reference.html#towbrstringwbrlist
1 answer · 0 votes · 65 views · asked 17 days ago