How to specify name of RDS snapshot upon CloudFormation stack deletion? - aws-cloudformation

AWS CloudFormation has a deletion policy that enables the automatic creation of an RDS snapshot upon stack deletion. This can be done by setting DeletionPolicy to Snapshot. But how does one specify a customized name for the snapshot to be created?
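The following template is an added example, not part of the original question, showing the mechanism the question refers to. It puts DeletionPolicy: Snapshot on a plain RDS instance and pairs it with UpdateReplacePolicy: Snapshot, which covers the other way an instance disappears (replacement during an update). The resource name AppDatabase, the instance identifier app-db and the security-group parameter are assumptions. Two caveats a practitioner will want: CloudFormation chooses the snapshot identifier itself (it is derived from the stack name and the resource's logical ID plus a random suffix) and the resource has no property that sets it; and for Aurora the policy belongs on the AWS::RDS::DBCluster resource, since the snapshot is taken at cluster level.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original question): an RDS instance whose
  stack deletion leaves a final snapshot behind. All names are assumptions.

Parameters:
  DbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id   # assumed: an existing security group for the database

Resources:
  AppDatabase:
    Type: AWS::RDS::DBInstance
    # Snapshot instead of delete when the stack is deleted. The snapshot
    # identifier is generated by CloudFormation (stack name, logical ID,
    # random suffix); there is no property on this resource to choose it.
    DeletionPolicy: Snapshot
    # Also snapshot when an update forces replacement of the instance
    # (for example a change to DBInstanceIdentifier). Without this the
    # old instance is simply deleted once the replacement is up.
    UpdateReplacePolicy: Snapshot
    Properties:
      DBInstanceIdentifier: app-db        # assumed identifier
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      MasterUsername: dbadmin
      # Let RDS create and store the master password in Secrets Manager
      # rather than passing a secret through a template parameter.
      ManageMasterUserPassword: true
      StorageEncrypted: true
      PubliclyAccessible: false
      BackupRetentionPeriod: 7
      # Must be false here: with DeletionProtection enabled the stack
      # deletion fails before the snapshot policy is ever applied.
      DeletionProtection: false
      VPCSecurityGroups:
        - !Ref DbSecurityGroupId
```

After `aws cloudformation delete-stack`, the snapshot can be found with `aws rds describe-db-snapshots --db-instance-identifier app-db`; if a specific name is required, `aws rds copy-db-snapshot --source-db-snapshot-identifier <generated-id> --target-db-snapshot-identifier <wanted-name>` produces a copy under the name of your choosing, which is the only place the name can be controlled.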

Related

VolumeAttachment can't be updated

I have a stack.
In this stack there is an EC2 instance with a root device and with another volume created and attached using VolumeAttachment.
I want to be able to change the EC2 AMI without losing my attached EBS. When I try to change the AMI, even if I have manually detached the volume, the update fails with:
UPDATE_FAILED Update to resource type AWS::EC2::VolumeAttachment is not supported.
How can I change my EC2 AMI without losing my secondary EBS? Do I need to update my stack first by removing the VolumeAttachment and recreate it after the AMI has changed?
Any help would be appreciated.

Can I use an AWS Cloudformation template to create and modify tables in AWS Aurora (Postgres flavour)?

I am looking for a way to manage schema changes to my AWS Aurora Postgres instance.
My whole AWS stack is set up using a CloudFormation template which is used to automatically deploy the stack when a change is detected in source control. The CloudFormation template is built, a change set is prepared and finally executed on the stack.
I was hoping that the table definition of my Aurora instance could go inside the CloudFormation template somehow, so the schema migrations could be a part of the change set. Is this possible?
Note, I have seen this recommendation: https://aws.amazon.com/blogs/opensource/rds-code-change-deployment/
For anything custom like that, use a Custom Resource Lambda that you can include in your CloudFormation stack. The Lambda will need a layer for your Postgres driver and it needs to include the migration script in the Lambda.
See the answer at this link; you will get three different options for how you can trigger the Lambda.
Is it possible to trigger a lambda on creation from CloudFormation template

Policy for Cloudformation stack creation

I'm putting together a role/policy for running CloudFormation/SAM to limit access as much as I can. Is there a general set of policy actions that should be used to run create-stack?
This is for a CodeBuild project which I'm using to create infrastructure using a CloudFormation template during runtime of my application.
At the moment I've got a policy which allows full access, because it needs to create the infrastructure within the stack.
But there is only a subset of actions which CloudFormation can actually perform, and it doesn't need full access. For example, CF can't put items into a DynamoDB table.
So this led me to think that maybe there's a basic role/policy that is limited to only the actions which CloudFormation is able to perform.
If you're having to assign a role to a service (such as CodePipeline or CodeBuild) to deploy a stack, you need to assign not only the necessary CloudFormation permissions (such as cloudformation:CreateStack or cloudformation:ExecuteChangeSet) but also the permissions necessary for the deployment of the CloudFormation stack itself.
When you are deploying a stack manually, CloudFormation will use your user permissions to verify access to the services you are deploying/updating. When you're initiating the action from another AWS service, the same thing happens, but with the permissions of the service role. (Unless you are specifically assigning a role to the CloudFormation stack; see the documentation.)
Keep in mind, if you're constructing such a role, that CloudFormation might need more permissions than you think, such as extra read permissions, permissions to add tags to resources, permissions to delete and/or update those resources when you're deleting/updating them, etc.
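The split the answer hints at (a role assigned to the CloudFormation stack, separate from the service role that starts the deployment) is the least-privilege shape for this. The template below is an added example, not code from the original answer: the CodeBuild role is limited to driving one stack through CloudFormation, and the resource permissions live in a second role that only CloudFormation can assume, handed over via iam:PassRole. The stack name app-infra, the table name prefix app-* and the log group name are assumptions; the DynamoDB statement is just an illustration of the point in the question (create/update/delete/describe and tag actions, never item-level access).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original answer): CodeBuild role that may only
  operate one stack, plus a CloudFormation service role that holds the
  resource permissions. Stack, table and log group names are assumptions.

Parameters:
  TargetStackName:
    Type: String
    Default: app-infra      # assumed name of the stack CodeBuild deploys

Resources:
  # Role CloudFormation assumes while creating/updating/deleting the
  # resources in the stack. Resource-level permissions belong here only.
  CfnDeployRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: cloudformation.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: deploy-resources
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Illustration for a stack that manages DynamoDB tables (assumed
              # prefix app-*): lifecycle, describe and tag actions, and nothing
              # that touches items.
              - Effect: Allow
                Action:
                  - dynamodb:CreateTable
                  - dynamodb:UpdateTable
                  - dynamodb:DeleteTable
                  - dynamodb:DescribeTable
                  - dynamodb:DescribeContinuousBackups
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:TagResource
                  - dynamodb:UntagResource
                  - dynamodb:ListTagsOfResource
                Resource: !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/app-*"

  # Role the CodeBuild project runs as. It can only act on the one stack,
  # only through CloudFormation, and only by passing the role above.
  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: codebuild.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: drive-cloudformation
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:UpdateStack
                  - cloudformation:DeleteStack
                  - cloudformation:CreateChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:DescribeStacks
                  - cloudformation:DescribeStackEvents
                Resource: !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${TargetStackName}/*"
              # PassRole is the gate: scoped to one role and to CloudFormation,
              # so the build cannot hand CloudFormation anything broader.
              - Effect: Allow
                Action: iam:PassRole
                Resource: !GetAtt CfnDeployRole.Arn
                Condition:
                  StringEquals:
                    iam:PassedToService: cloudformation.amazonaws.com
              # Build output logging (assumed project name app-infra-build).
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/app-infra-build:*"
```

The buildspec then deploys with `aws cloudformation deploy --stack-name app-infra --template-file template.yaml --role-arn <CfnDeployRole ARN>`. Without `--role-arn`, the answer's first case applies and CfnDeployRole's statements would have to be added to CodeBuildRole itself. If the deployed template creates IAM resources, CfnDeployRole additionally needs the relevant iam:* actions and the deploy command needs `--capabilities CAPABILITY_IAM`.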

GCP Cloud SQL failed to delete instance because `deletion_protection` is set to true - gcloud toggle?

Error message:
terraform destroy
module.application.google_sql_database_instance.sql-db-xxx: Destroying... [id=db-xxx]
Error: Error, failed to delete instance because deletion_protection is set to true. Set it to false to proceed with instance deletion
The terraform solution is here:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
On newer versions of the provider, you must explicitly set deletion_protection=false (and run terraform apply to write the field to state) in order to destroy an instance. It is recommended to not set this field (or set it to true) until you're ready to destroy the instance and its databases.
Question:
I do NOT want to make changes to the terraform script. I would rather toggle the deletion protection flag via gcloud, then destroy as per usual.
For gcloud VMs there is a deletion protection flag I can toggle. However, I cannot find the corresponding flag for the database:
gcloud sql instances describe db-xxx
Is this deletion_protection flag meta data within terraform itself?
If not, what is the gcloud command to toggle it?
If so, how can I override it via terraform without modifying the code, i.e. with a command line parameter?
I have insufficient 'points' to add to the existing thread of a similar title.
To answer your questions:
From Terraform docs:
deletion_protection - Whether or not to allow Terraform to destroy the instance.
So yes, this is within Terraform itself. Deletion protection flag on GCP is currently only available on Compute Engine instances, not Cloud SQL instances.
Currently, deletion protection can only be toggled on a Compute Engine Instance.
You may consider using input variables like this:
terraform apply -var="deletion_protection=false"
terraform destroy
There are also other ways to use input variables. For more reference, here's the link.

AWS Aurora RDS PostgreSQL create global database for existing cluster through CloudFormation script

We already have a cluster and instance of Aurora PostgreSQL in the abc region. Now as part of our disaster recovery strategy, we are trying to create a read replica in the xyz region.
I was able to create it manually by clicking on "Add Region" in the AWS web console, as explained here.
As part of it, the following has been created.
1. A global database to the existing cluster
2. Secondary region cluster
3. Secondary region instance.
Everything is fine. Now I have to implement this through a CloudFormation script.
My first question is, can we do this through a CloudFormation script without losing data if the primary cluster and instance are already created?
If possible, please share the AWS docs for CloudFormation scripts.
Please see the other post on this subject: CloudFormation templates for Global Aurora Database
The API that is required for setting up the GlobalCluster is AWS::RDS::GlobalCluster and this is currently not listed in CloudFormation documentation.
I was able to do the same using Terraform and that is documented for PostgreSQL here: Getting Aurora PostgreSQL Global Database setup using Terraform
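AWS::RDS::GlobalCluster has since been documented, so the three objects the question lists can be expressed in CloudFormation. The two templates below are an added example, not code from the original answer. The first is deployed in the region that already holds the cluster and attaches it as primary through SourceDBClusterIdentifier, which is the same operation the console's "Add Region" performs and leaves the existing cluster and its data in place; Engine, EngineVersion and StorageEncrypted must not be set alongside SourceDBClusterIdentifier because they are taken from the source. The second is deployed in the DR region afterwards and joins a new cluster and instance by the global identifier (cross-region stacks cannot reference each other, so the name is repeated). The cluster identifier app-aurora-pg, the global identifier app-global-db, the engine version, and the subnet group, security group and KMS key parameters are all assumptions.

```yaml
# --- primary-region.yaml: deploy in the region that already holds the cluster ---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original answer): wrap an existing Aurora
  PostgreSQL cluster in a global database. Identifiers are assumptions.

Parameters:
  ExistingClusterId:
    Type: String
    Default: app-aurora-pg    # assumed identifier of the cluster that already exists

Resources:
  GlobalDatabase:
    Type: AWS::RDS::GlobalCluster
    # Retain: a global cluster cannot be removed while members are still
    # attached, so stack deletion must not try to take it down.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      GlobalClusterIdentifier: app-global-db   # assumed; reused by the secondary template
      # Attach the existing cluster as primary. Engine, EngineVersion and
      # StorageEncrypted are not allowed here; they come from the source cluster.
      SourceDBClusterIdentifier: !Ref ExistingClusterId
      DeletionProtection: true

Outputs:
  GlobalClusterId:
    Value: !Ref GlobalDatabase

---
# --- secondary-region.yaml: deploy in the DR region after the stack above exists ---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original answer): read-only secondary cluster
  and instance joined to the global database. Parameters are assumptions.

Parameters:
  DbSubnetGroup:
    Type: String                            # assumed: subnet group already present in the DR region
  DbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id       # assumed: security group in the DR region VPC
  ReplicaKmsKeyArn:
    Type: String                            # assumed: KMS key in the DR region, needed when the primary is encrypted

Resources:
  SecondaryCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      Engine: aurora-postgresql
      EngineVersion: "13.7"                 # assumed; must match the primary cluster's version
      GlobalClusterIdentifier: app-global-db
      DBSubnetGroupName: !Ref DbSubnetGroup
      VpcSecurityGroupIds:
        - !Ref DbSecurityGroupId
      StorageEncrypted: true
      KmsKeyId: !Ref ReplicaKmsKeyArn
      # No MasterUsername/MasterUserPassword: credentials replicate from the primary.

  SecondaryInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora-postgresql
      DBClusterIdentifier: !Ref SecondaryCluster
      DBInstanceClass: db.r5.large          # assumed size
      PubliclyAccessible: false
```

Deploy order matters: the primary-region stack must reach CREATE_COMPLETE before the secondary-region stack is created, and if the existing cluster is itself managed by another CloudFormation stack, that stack needs no change, since attaching to a global cluster modifies nothing in its template.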