My goal is to write a Lambda function to attach a role to an EC2 instance based on tags. So whenever a new EC2 instance is created, a role has to be attached to it automatically. I am looking to trigger a Lambda function based on EC2 instance state change (running), and I also want to pass parameters of the IAM role to attach to EC2, for which I would have to use Custom Resources (IAM role creation is part of the same template).
Could someone help me with the best approach?
Your question already contains the answer.
What you want to achieve can be done using custom resources.
To develop custom resources, AWS's crhelper is very useful. It saves you from coding a lot of details that are needed for custom resources.
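The tag-driven part of the question, as an added example that is neither the asker's nor the answerer's code: a Lambda that reacts to the EC2 "running" state-change event and associates an instance profile chosen from an allowlist keyed by the instance's tag. The tag key, the profile names and the injected `ec2` client parameter are assumptions made for this example.

```python
# Added example, not the asker's or answerer's code: EventBridge delivers
# "EC2 Instance State-change Notification" events; on 'running' we pick an
# instance profile from an allowlist keyed by the instance's tag. The tag
# key and profile names below are assumptions. Tag values are never used as
# ARNs directly, so whoever can tag an instance cannot choose any role.
PROFILE_BY_TAG = {
    "web": "ec2-web-profile",      # assumed profile names
    "batch": "ec2-batch-profile",
}
TAG_KEY = "role"


def select_profile(tags, mapping=PROFILE_BY_TAG, tag_key=TAG_KEY):
    """Return the allowlisted instance profile for these EC2 tags, or None."""
    values = {t["Key"]: t["Value"] for t in tags}
    return mapping.get(values.get(tag_key))


def handler(event, context=None, ec2=None):
    """Lambda entry point; `ec2` is an injected boto3 EC2 client so the
    function can be exercised offline with a fake (Lambda passes none)."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.ec2" or detail.get("state") != "running":
        return {"action": "ignored"}
    instance_id = detail["instance-id"]
    if ec2 is None:
        import boto3  # only reached inside Lambda
        ec2 = boto3.client("ec2")

    desc = ec2.describe_instances(InstanceIds=[instance_id])
    inst = desc["Reservations"][0]["Instances"][0]
    profile = select_profile(inst.get("Tags", []))
    if profile is None:
        return {"action": "no-matching-tag", "instance": instance_id}
    # Events can be redelivered; a profile already attached is left alone.
    if inst.get("IamInstanceProfile"):
        return {"action": "already-attached", "instance": instance_id}
    # Needs ec2:AssociateIamInstanceProfile plus iam:PassRole scoped to the
    # allowlisted roles only, in the Lambda's execution role.
    ec2.associate_iam_instance_profile(
        IamInstanceProfile={"Name": profile}, InstanceId=instance_id)
    return {"action": "attached", "instance": instance_id, "profile": profile}
```

The role ARN from the custom resource would feed `PROFILE_BY_TAG` (for example via a Lambda environment variable) rather than being read from the instance tag itself.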
Reading from the documentation, the suggestion for passing values between CDK Stacks within an app is to simply pass the value.
If the two stacks are in the same AWS CDK app, just pass a reference between the two stacks. For example, save a reference to the resource's construct as an attribute of the defining stack (this.stack.uploadBucket = myBucket), then pass that attribute to the constructor of the stack that needs the resource.
But it seems this only works if the CDK stacks are within one account.
Upon checking the generated templates, it generates a stack Output and Input and uses those for passing the values. And stack inputs and outputs do not work beyond the account they are created in.
What's the recommended way to pass values from stacks deployed in different accounts?
I don't think you can think about this as being a single CDK application. Such a single application is intended to be deployed in a single account. What you are trying to do is use this application construct to deploy two different stacks in two different environments and share data between them. However, you are bound to the same restrictions that CloudFormation itself has when it comes to sharing data from services that have been deployed in the stack. So you'll have to work around this issue.
So I don't think there is any recommended way of doing this, but maybe you can create some cross-account roles that allow writing/reading from the SSM parameter store and combine this with custom resource lambdas to read/write the data from/in the SSM store of the other account. Given this, it might be easier to just write some CICD tooling that does this without needing any AWS services and which just passes on the value from the output of one stack to the input of the other stack during deployment.
I've got a cluster with a number of already existing namespaces, and an automation process that creates (and manages) new namespaces using Terraform.
The service account used for TF got roles with permissions to all namespaces - as I believe this is the only possible solution (TF needs them to manage namespaces).
But due to that, it is also able to modify (& delete) the namespaces that were created before, outside the Terraform processing - and this is something I'd like to prevent/block.
So here's my question - is it possible to restrict this automation process from modifying already existing namespaces?
The idea to distinguish between old and new namespaces is to simply add labels to the new ones created by TF, but I am not aware of any mechanism that could then prohibit modifications based on such labels...
Admission controllers seem remotely suitable, but I'm completely new to that topic and not sure if those can be used for such purposes.
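An admission controller can do exactly this. As an added example (not the asker's code), here is the decision logic of a validating admission webhook that lets the Terraform service account create namespaces but denies its UPDATE or DELETE of any namespace that does not carry the label Terraform puts on the ones it created. The service account name and the label key/value are assumptions.

```python
# Added example, not the asker's code: decision logic for a validating
# admission webhook that lets the Terraform service account create
# namespaces but denies its UPDATE/DELETE of any namespace lacking the label
# Terraform stamps on the ones it created. SA name and label are assumed.
TF_USER = "system:serviceaccount:terraform:terraform"   # assumed identity
MANAGED_LABEL = ("managed-by", "terraform")             # assumed label


def review(admission_review):
    """Take an AdmissionReview request dict, return the AdmissionReview response."""
    req = admission_review["request"]
    allowed, reason = True, ""
    is_ns = req["kind"]["kind"] == "Namespace"
    is_tf = req["userInfo"]["username"] == TF_USER
    if is_ns and is_tf and req["operation"] in ("UPDATE", "DELETE"):
        # Judge by oldObject (the stored state): for DELETE it is the only
        # object present, and for UPDATE it stops TF from adding the label
        # and modifying the namespace in the same request.
        old = req.get("oldObject") or {}
        labels = old.get("metadata", {}).get("labels") or {}
        key, val = MANAGED_LABEL
        if labels.get(key) != val:
            allowed = False
            reason = (f"{TF_USER} may not {req['operation']} namespace "
                      f"{old.get('metadata', {}).get('name')}: missing {key}={val}")
    resp = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": reason}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


def make_request(operation, name, labels, user=TF_USER):
    """Build a constructed AdmissionReview shaped like the API server sends it."""
    ns = {"apiVersion": "v1", "kind": "Namespace",
          "metadata": {"name": name, "labels": labels}}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "c0ffee-1", "operation": operation,
                        "kind": {"group": "", "version": "v1", "kind": "Namespace"},
                        "userInfo": {"username": user},
                        "oldObject": None if operation == "CREATE" else ns,
                        "object": None if operation == "DELETE" else ns}}
```

Register it with a ValidatingWebhookConfiguration whose rules match the `namespaces` resource for UPDATE and DELETE; Kyverno or OPA Gatekeeper can express the same rule as a policy without running your own webhook.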
Is there a way to reference an existing resource in CloudFormation? I am looking for something similar to Terraform's datasource facility where I can find a resource by tag, etc. and then use a property such as Id.
I have an existing security group with a consistent name across accounts. If I could look up this SG in the template I could use the ID.
Azure does this. Terraform does this.
something similar to terraform’s datasource facility where
Sadly, there is no such functionality in plain CFN. You would have to create a custom resource in the form of a Lambda function. The function would use the AWS SDK to query your existing resources and return their IDs or any other information you require back to your stack for further use.
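One shape such a custom resource can take, as an added example that is not from the thread: a Lambda that resolves the security group by its group name (optionally within a VPC) and hands the ID back as `Data.GroupId`, so the template can use `!GetAtt`. The resource property names `GroupName` and `VpcId` and the injected `ec2` client parameter are assumptions.

```python
# Added example, not the answerer's code. Assumed ResourceProperties:
# GroupName (required) and VpcId (optional). Response shape follows the
# CloudFormation custom resource contract (Status, PhysicalResourceId, Data).
import json
import urllib.request


def lookup_group_id(ec2, group_name, vpc_id=None):
    """Resolve exactly one security group by name; ambiguity is an error."""
    filters = [{"Name": "group-name", "Values": [group_name]}]
    if vpc_id:
        filters.append({"Name": "vpc-id", "Values": [vpc_id]})
    groups = ec2.describe_security_groups(Filters=filters)["SecurityGroups"]
    if len(groups) != 1:
        raise LookupError(f"{len(groups)} security groups match {group_name!r}")
    return groups[0]["GroupId"]


def build_response(event, ec2):
    """Produce the custom resource response body for Create/Update/Delete."""
    props = event.get("ResourceProperties", {})
    resp = {"StackId": event["StackId"], "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"],
            "PhysicalResourceId": event.get("PhysicalResourceId", "sg-lookup")}
    try:
        if event["RequestType"] == "Delete":
            # Read-only resource: nothing to clean up. Never fail a Delete
            # here, or the stack ends up stuck in DELETE_FAILED.
            resp["Status"] = "SUCCESS"
            return resp
        group_id = lookup_group_id(ec2, props["GroupName"], props.get("VpcId"))
        # Using the ID as PhysicalResourceId makes a changed lookup result
        # trigger a Delete of the old one on Update, which is a no-op above.
        resp.update(Status="SUCCESS", PhysicalResourceId=group_id,
                    Data={"GroupId": group_id})
    except Exception as exc:  # reason shows up in the stack events view
        resp.update(Status="FAILED", Reason=str(exc))
    return resp


def handler(event, context=None, ec2=None):
    """Lambda entry point: build the response and PUT it to ResponseURL."""
    if ec2 is None:
        import boto3  # only reached inside Lambda
        ec2 = boto3.client("ec2")
    body = json.dumps(build_response(event, ec2)).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)
```

The Lambda's execution role only needs `ec2:DescribeSecurityGroups`; in the template the result is referenced as `!GetAtt Lookup.GroupId`.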
After spending more than a day on this, I doubt the answer is yes.
Want to double check though.
Creating Lambda functions is possible with REST APIs. But I need it with GraphQL. As I understand, currently creating a Lambda function from the CLI for GraphQL is not supported - right?
In my app one party places an order => mutates DynamoDB table Orders => DynamoDB triggers a Lambda function that in turn mutates DynamoDB table Offers (changes offer's status). This change should notify subscribed parties.
I could do it in a separate Lambda function or in a Lambda function that serves as a Resolver. But either way I do not see a way of doing it using AWS Amplify.
The resolver Lambda function should also be manually added in the console (providing the Lambda ARN). Is there a way of adding it using the CLI or config files or nesting a CloudFormation stack template?
I know I can do it all manually in the console. But I need to find a way using AWS Amplify so that I have parent and nested CloudFormation stack templates.
Possible workaround I see is:
setting up GraphQL API using AWS Amplify;
setting up the rest of the serverless environment with AWS SAM or Serverless Framework;
having to manually connect (in the console) Lambda and SQS with AppSync's DynamoDB.
Is my understanding correct? Is there a better way than this workaround?
I am building my front end app in React. This AWS Amplify page shows how resources such as SQS can be created for iOS. Is there anything similar for React?
Thank you
For bill tracking purposes, given we have other solutions on AWS, we are asked to add a custom tag to all taggable resources created by Terraform AWS EKS, something like tag key = "platform", tag value = "k8s". Practically a static tag that shows it is a Kubernetes resource.
We are modeling our solution after this guide:
https://github.com/terraform-providers/terraform-provider-aws/tree/master/examples/eks-getting-started
It seems though that many resources in the AWS provider for EKS on Terraform do not provide the option for custom tags.
Is there any way we can get a custom tag across the board?
I'm still going through the AWS EKS and Terraform AWS EKS guides but haven't been able to find anything that would help answer my question.
Any direction is highly appreciated!
Greg
Try here: https://github.com/terraform-aws-modules/terraform-aws-eks
Under the inputs of "terraform-aws-eks" you can find "Tags" - A map of tags to add to all resources.
Good luck.
What kind of custom tags are you looking for? If it's a static tag, modify the below AWS-provided Lambda function according to your need and add a hard-coded value (key:value pair) inside the Lambda function.
Look at this blog post, if you're looking for custom tags based on API calls.
https://aws.amazon.com/blogs/security/how-to-automatically-tag-amazon-ec2-resources-in-response-to-api-events/