How to pass values between CDK stacks deployed in different accounts within a CDK app? - aws-cloudformation

Reading from the documentation, the suggestion for passing values between CDK Stacks within an app is to simply pass the value.
If the two stacks are in the same AWS CDK app, just pass a reference between the two stacks. For example, save a reference to the resource's construct as an attribute of the defining stack (this.stack.uploadBucket = myBucket), then pass that attribute to the constructor of the stack that needs the resource.
But it seems this only works if the CDK stacks are within one account.
Upon checking the generated templates, it generates a stack Output and Input and uses those for passing the values. And stack inputs and outputs do not work beyond the account they are created in.
What's the recommended way to pass values from stacks deployed in different accounts?

I don't think you can think about this as being a single CDK application. Such a single application is intended to be deployed in a single account. What you are trying to do is use this application construct to deploy two different stacks in two different environments and share data between them. However, you are bound to the same restrictions that CloudFormation itself has when it comes to sharing data from services that have been deployed in the stack. So you'll have to work around this issue.
So I don't think there is any recommended way of doing this, but maybe you can create some cross-account roles that allow writing/reading from the SSM parameter store and combine this with custom resource lambdas to read/write the data from/in the SSM store of the other account. Given this, it might be easier to just write some CI/CD tooling that does this without needing any AWS services and which just passes on the value from the output of one stack to the input of the other stack during deployment.
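The CI/CD glue the answer describes, as an added example written for this page (not CDK or AWS project code): read one output from the producer stack in account A through a read-only cross-account role, then hand it to the consumer stack in account B as a CDK parameter. The role ARN and stack/output names are placeholders; the DescribeStacks response is constructed inline.

```python
"""Pass a CloudFormation output from account A into a stack in account B."""
import json

def find_output(describe_stacks_response: dict, stack_name: str, output_key: str) -> str:
    """Pull one OutputValue out of a DescribeStacks response; fail loudly if missing."""
    for stack in describe_stacks_response.get("Stacks", []):
        if stack.get("StackName") != stack_name:
            continue
        for out in stack.get("Outputs", []):
            if out.get("OutputKey") == output_key:
                return out["OutputValue"]
        raise KeyError(f"stack {stack_name} has no output {output_key}")
    raise KeyError(f"stack {stack_name} not in response")

def cdk_deploy_args(stack_name: str, values: dict) -> list:
    """argv for `cdk deploy` that feeds the values into the consumer stack's
    CfnParameters (list form, so no shell quoting is involved)."""
    args = ["cdk", "deploy", stack_name]
    for key, value in sorted(values.items()):
        args += ["--parameters", f"{key}={value}"]
    return args

def read_output_cross_account(stack_name: str, output_key: str, role_arn: str, region: str) -> str:
    """Assume the read-only role in account A and fetch the output (needs boto3).
    The role should grant only cloudformation:DescribeStacks on the producer stack."""
    import boto3  # imported here so the pure helpers above run without it
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="cross-account-output-read")["Credentials"]
    cfn = boto3.client("cloudformation", region_name=region,
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    return find_output(cfn.describe_stacks(StackName=stack_name), stack_name, output_key)

# Constructed sample of what DescribeStacks returns in account A.
SAMPLE_RESPONSE = {"Stacks": [{
    "StackName": "producer-stack",
    "Outputs": [{"OutputKey": "UploadBucketName", "OutputValue": "example-upload-bucket"}],
}]}

if __name__ == "__main__":
    # Live use: read_output_cross_account("producer-stack", "UploadBucketName",
    #     "arn:aws:iam::PLACEHOLDER_ACCOUNT_A:role/PLACEHOLDER_READ_ROLE", "us-east-1")
    bucket = find_output(SAMPLE_RESPONSE, "producer-stack", "UploadBucketName")
    print(json.dumps(cdk_deploy_args("consumer-stack", {"UploadBucketName": bucket})))
```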

Related

Restricting access to namespaces based on labels

I've got a cluster with a number of already existing namespaces, and an automation process that creates (and manages) new namespaces using Terraform.
The service account used for TF has the roles with permission to all namespaces, as I believe this is the only possible solution (TF needs them to manage namespaces).
But due to that, it is also able to modify (and delete) the namespaces that were created before, outside the Terraform processing, and this is something I'd like to prevent/block.
So here's my question: is it possible to restrict this automation process from modifying already existing namespaces?
The idea to distinguish between old and new namespaces is to simply add labels to the new ones created by TF, but I am not aware of any mechanism that could then prohibit modifications based on such labels...
Admission controllers seem remotely suitable, but I'm completely new to that topic and not sure if those can be used for such purposes.

Cloudformation custom resources trigger

My goal is to write a Lambda function to attach a role to an EC2 instance based on tags. So whenever a new EC2 instance is created, a role has to be attached to it automatically. I am looking to trigger a Lambda function based on EC2 instance state change (running), and I also want to pass parameters of the IAM role to attach to EC2, for which I would have to use Custom Resources (IAM role creation is part of the same template).
Could someone help me with the best approach?
Your question already contains the answer.
What you want to achieve can be done using custom resources.
To develop custom resources, AWS's crhelper is very useful. It saves you from coding a lot of details that are needed for custom resources.

What access is necessary to update a CloudFormation stack with nested stacks

Using nested stacks is a best practice in AWS CloudFormation, and indeed they solve many problems (code reuse, stack limits, etc).
It's also generally a good idea to do any sort of updates with the minimal access necessary for that update (using the RoleARN of the UpdateStack command). I can't seem to find any documentation on exactly what IAM access is necessary to update a stack that has nested stacks.
As described here, a stack update will always get the template for the nested stack again.
In addition to any rights necessary for the resources that are to be changed, s3:GetObject (or s3:GetObjectVersion if a versioned URL is used) is necessary for the location where the template for the nested stack is hosted.
In addition (and I'm not sure why), an iam:GetRole is necessary for the role to self-inspect (so the Resource should be the ARN of the role itself).
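The permissions listed in the answer, turned into a generator for the extra statements a CloudFormation service role needs for nested-stack updates. This is an added example written for this page, not AWS documentation: it derives the S3 object ARN from each nested stack's TemplateURL (virtual-hosted and path-style forms, versioned URLs mapped to s3:GetObjectVersion) and adds iam:GetRole on the role's own ARN. Rights for the resources being changed still have to be added separately; all ARNs and URLs below are constructed samples.

```python
"""Least-privilege statements for updating a stack that has nested stacks."""
from urllib.parse import urlparse, parse_qs

def template_object_arn(template_url: str):
    """Map a nested stack TemplateURL to (S3 object ARN, is_versioned).
    Handles bucket.s3[.region].amazonaws.com/key and s3[.region].amazonaws.com/bucket/key."""
    u = urlparse(template_url)
    host, path = u.netloc, u.path.lstrip("/")
    if host.startswith(("s3.", "s3-")):          # path-style: bucket is first path segment
        bucket, _, key = path.partition("/")
    else:                                         # virtual-hosted: bucket is the host prefix
        bucket, key = host.split(".s3.", 1)[0], path
    if not bucket or not key or ".amazonaws.com" not in host:
        raise ValueError(f"cannot parse S3 bucket/key from {template_url}")
    versioned = "versionId" in parse_qs(u.query)  # versioned URL -> GetObjectVersion
    return f"arn:aws:s3:::{bucket}/{key}", versioned

def nested_stack_policy(role_arn: str, template_urls: list) -> dict:
    """IAM policy document with only the nested-stack additions from the answer."""
    plain, versioned = [], []
    for url in template_urls:
        arn, is_versioned = template_object_arn(url)
        (versioned if is_versioned else plain).append(arn)
    statements = [{"Sid": "SelfInspect", "Effect": "Allow",
                   "Action": "iam:GetRole", "Resource": role_arn}]
    if plain:
        statements.append({"Sid": "ReadNestedTemplates", "Effect": "Allow",
                           "Action": "s3:GetObject", "Resource": sorted(plain)})
    if versioned:
        statements.append({"Sid": "ReadVersionedNestedTemplates", "Effect": "Allow",
                           "Action": "s3:GetObjectVersion", "Resource": sorted(versioned)})
    return {"Version": "2012-10-17", "Statement": statements}

# Constructed sample inputs (not real accounts, buckets or versions).
SAMPLE_ROLE = "arn:aws:iam::111111111111:role/cfn-update-role"
SAMPLE_URLS = [
    "https://example-templates.s3.amazonaws.com/nested/network.yaml",
    "https://s3.us-east-1.amazonaws.com/example-templates/nested/app.yaml?versionId=abc123",
]

if __name__ == "__main__":
    import json
    print(json.dumps(nested_stack_policy(SAMPLE_ROLE, SAMPLE_URLS), indent=2))
```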

Do CloudFormation target name or resources?

I am currently deciding between using Terraform and CloudFormation.
There is a question I haven't seen the answer to yet (or maybe I just haven't found it yet).
In terraform, you give a precise name to everything. This will delete the targets with those names.
But what about CF? If we already have an architecture in place and I want to add/delete an instance and use CF, how will this work? How will it know after which one to target?
I hope this question makes sense! I've already used Terraform, but never CloudFormation before.
CloudFormation uses two mechanisms to identify its resources. The CFN template has a list of resources it created, it uses the actual ID, not a pretty name, and CFN also tags the resources (that support tags) with the stack ID.
CFN cannot be used to delete the resources in a different stack, only the stack that created them can manage them. Terraform allows you to import resources created by anything else into a new stack where they will be managed.
I used CFN for a year before converting to Terraform (also for a year now) and I'll never go back to CFN. Terraform offers many advantages over CFN that make CFN really hard to use now. Features such as plan before apply, re-usable modules, resource imports, granular output (CFN is mostly a black box), and generally faster AWS feature support (usually APIs are released at launch day and Terraform support follows soon after, /usually/ faster than CFN but not always).

can I add custom nested CloudFormation stack to AWS Amplify OR can I create a custom Lambda function/SQS with GraphQL/AppSync?

After spending more than a day on this, I doubt the answer is Yes.
I want to double check though.
Creating Lambda functions is possible with REST APIs. But I need it with GraphQL. As I understand, currently creating a Lambda function from the CLI for GraphQL is not supported, right?
In my app one party places an order => mutates DynamoDB table Orders => DynamoDB triggers a Lambda function that in turn mutates DynamoDB table Offers (changes offer's status). This change should notify subscribed parties.
I could do it in a separate Lambda function or in a Lambda function that serves as a Resolver. But either way I do not see a way of doing it using AWS Amplify.
The Resolver Lambda function also has to be manually added in the console (providing the Lambda ARN). Is there a way of adding it using the CLI or config files or nesting a CloudFormation stack template?
I know I can do all manually in console. But I need to find a way using AWS Amplify so that I have a parent and nested CloudFormation stack templates.
The possible workaround I see is:
setting up the GraphQL API using AWS Amplify;
setting up the rest of the serverless environment with AWS SAM or Serverless Framework;
manually connecting (in the console) Lambda and SQS with AppSync's DynamoDB.
Is my understanding correct? Is there a better way than this workaround?
I am building my front end app in React. This AWS Amplify page shows how resources such as SQS can be created for iOS. Is there anything similar for React?
Thank you