How to convert existing AWS environment into infra as code? - aws-cloudformation

When we were building our AWS account, we did not think about using CloudFormation or Terraform. Now we have our environment all set up but don't want to tear down everything and build it using CloudFormation or Terraform. So is there a way we can get our infrastructure imported and managed through one of them?
Thanks,

Terraform supports import, but that only imports the present state into the state file. You still need to write the code. CloudFormation does not support import.
Something like https://github.com/dtan4/terraforming can be of help but YMMV.

A pretty complete answer could be found at AWS Export configuration as cloudformation template, which also covers Terraform for this purpose.
TL;DR
AWS Import/Export configuration as code (CloudFormation | Terraform).
Based on our Infrastructure as Code (IaC) experience we found several ways to translate existing manually deployed (from the Web Console UI) AWS infra to CloudFormation (CF) and / or Terraform (TF) code. Possible solutions are listed below:
AWS Cloudformation Templates
CF-1 | AWS CloudFormation native import feature
CF-2 | aws cli & manually translate to CF
CF-3 | Former2
CF-4 | AWS CloudFormer
Terraform Code / Modules
TF-1 | Terraforming
TF-2 | CloudCraft + Modules.tf
Related Article: https://medium.com/#exequiel.barrirero/aws-export-configuration-as-code-cloudformation-terraform-b1bca8949bca

As per October 2019, AWS supports importing legacy resources into CloudFormation. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html for examples.
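An added example, not code from the thread or from AWS: a small Python pre-flight for the import workflow mentioned above. It checks that every resource in a template carries the DeletionPolicy the import requires and the property CloudFormation uses to identify the existing resource, and it emits the ResourcesToImport list that the IMPORT change set takes. The template, bucket name and table name are constructed placeholders, and the IDENTIFIER_PROPERTY map is an assumption covering only the two resource types used here.

```python
"""Pre-flight for the CloudFormation resource-import workflow (added example).

Assumptions (not from the thread): the template is JSON so only the standard
library is needed, and IDENTIFIER_PROPERTY covers just the two resource types
in the constructed sample below.
"""
import copy
import json

# Constructed sample template: two resources that already exist in the account
# (names are placeholders) and are to be brought under stack management.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {"BucketName": "example-legacy-logs-bucket"}
    },
    "AppTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "TableName": "example-legacy-app-table",
        "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
        "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}],
        "BillingMode": "PAY_PER_REQUEST"
      }
    }
  }
}
""")

# Property that identifies an existing resource of each type during import
# (assumption: only the two types used in the sample are listed).
IDENTIFIER_PROPERTY = {
    "AWS::S3::Bucket": "BucketName",
    "AWS::DynamoDB::Table": "TableName",
}


def check_import_ready(template):
    """Return human-readable problems that would make an IMPORT change set fail.

    Every imported resource needs a DeletionPolicy (Retain is the safe choice,
    so that dropping the resource from the template later never deletes the
    live resource) and must carry the property that identifies it.
    """
    problems = []
    for logical_id, res in template["Resources"].items():
        rtype = res.get("Type", "")
        if "DeletionPolicy" not in res:
            problems.append(f"{logical_id}: missing DeletionPolicy (set it to Retain before importing)")
        ident = IDENTIFIER_PROPERTY.get(rtype)
        if ident is None:
            problems.append(f"{logical_id}: no import identifier known for {rtype}")
        elif ident not in res.get("Properties", {}):
            problems.append(f"{logical_id}: Properties.{ident} is required to identify the existing resource")
    return problems


def with_retain_policy(template):
    """Return a copy of the template with DeletionPolicy: Retain added wherever it is missing."""
    fixed = copy.deepcopy(template)
    for res in fixed["Resources"].values():
        res.setdefault("DeletionPolicy", "Retain")
    return fixed


def resources_to_import(template):
    """Build the list for `aws cloudformation create-change-set --change-set-type IMPORT --resources-to-import`."""
    problems = check_import_ready(template)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        {
            "ResourceType": res["Type"],
            "LogicalResourceId": logical_id,
            "ResourceIdentifier": {
                IDENTIFIER_PROPERTY[res["Type"]]: res["Properties"][IDENTIFIER_PROPERTY[res["Type"]]]
            },
        }
        for logical_id, res in template["Resources"].items()
    ]


if __name__ == "__main__":
    print(check_import_ready(SAMPLE_TEMPLATE))
    ready = with_retain_policy(SAMPLE_TEMPLATE)
    print(json.dumps(resources_to_import(ready), indent=2))
```

Write the emitted list to a file and pass it as `--resources-to-import file://resources.json` alongside the corrected template. Once the import change set has executed, run drift detection on the stack: the import only checks the identifying property, so any other property that differs between template and live resource shows up there rather than at import time.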

Related

Creating IaC with AWS CDK to just get the CloudFormation equivalent code

I'm working with a customer that wants all the IaC in CloudFormation. I'm not good at CloudFormation. I wonder if it is a common practice to create the IaC using AWS CDK, generate the CloudFormation equivalent, and use it?
Is this something that is commonly done?

how to setup tables of aws aurora mysql using aws cloudformation or aws cdk?

In my setup I have a serverless app using Lambda for various microservices. The database is a serverless Aurora MySQL database. To provision the AWS infrastructure I will use AWS CDK. I would like to set up the database using some migration tool like Liquibase or Sequelize.
For the moment I am using a separate Lambda function. The Lambda function executes Liquibase to set up DB changes, but I have to execute the function separately after the deployment with CDK has succeeded.
An execution triggered after the execution of the CloudFormation stack (CDK stack) would be optimal?! I would like to avoid a CI / CD stack via CodePipeline.
Does anyone have a best practice for setting up the database at provision time?
Cloud watch rules
Cloud watch rules based on cloudformation events can be used to route events for processing lambda. Cloud watch rules can be a part of the CDK deployment description.
The triggered function can then execute Liquibase, Flyway, Sequelize or something else to spin up or change the DB.
---- or ----
Cloudformation custom resource
An AWS CloudFormation custom resource can execute a Lambda function during the CloudFormation lifecycle.
The triggered function can then execute Liquibase, Flyway, Sequelize or something else to spin up or change the DB.
I use Cloudformation custom resources for running database migrations and initial database setup scripts at deployment time.
This is the recommended way for running DB migrations for serverless applications if you don't want to rely on a CI/CD pipeline to do it for you.
Here's a well written blog post by Alex DeBrie about CF custom resources: https://www.alexdebrie.com/posts/cloudformation-custom-resources/

Convert Terraform Templates to Cloudformation Templates

I want to convert the existing Terraform templates (HCL) to AWS CloudFormation templates (JSON/YAML).
I basically want to find security issues with these templates through CFN_NAG.
An approach that I have already tried was converting HCL to JSON and then passing the template to CFN_NAG but I received a failure since both the templates have different structure.
Can anyone please provide any suggestions here?
A rather convoluted way of achieving this is to use Terraform to stand up actual AWS environments, and then to use AWS's CloudFormer to extract CloudFormation templates (JSON or YAML) from what Terraform has built. At which point you can use cfn-nag.
CloudFormer has some limitations, in that not all AWS resources are currently supported (RDS Security Groups, for example), but it will get you all the basic AWS resources.
Don't forget to remove all the environments, including CloudFormer's, to minimise the cost.
You want to use static code analysis to find security issues in your Terraform setup.
Trying to convert Terraform to CloudFormation to later use cfn-nag is one way. However, there now exist tools that directly operate on the Terraform setup.
I would recommend taking a look at terrascan. It is built on terraform_validate.
https://github.com/bridgecrewio/checkov/ runs security scanning for both terraform and cloudformation

Start stopped EC2 instance in AWS via CloudFormation

I have to start EC2 instances which are already stopped in my AWS account. I'm trying to build a CloudFormation script to do it.
Is this possible via CloudFormation without using any Lambda functions?
If not, what are the alternatives?
Thanks.
I'm assuming those instances were created manually (i.e. not via CloudFormation).
None that I'm aware of.
Using Lambda-backed custom resources would be your best bet in my opinion, in case you really want to do it via CloudFormation. If you're open to accomplishing the same task without CloudFormation, it might be easier to do it using the AWS CLI.
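Both the custom-resource answer for running database migrations at deployment time (in the Aurora question above) and the Lambda-backed custom resource suggested here rely on the same provider contract, so one added example serves both. The code below is not from the thread or from AWS: it is a Python handler that implements the custom resource protocol (a response PUT to the pre-signed ResponseURL carrying Status, PhysicalResourceId, StackId, RequestId and LogicalResourceId) around the "start pre-existing instances" task. The `Custom::StartInstances` type, the `InstanceIds` property, and every ID and URL in the sample event are assumptions or placeholders; the EC2 client and the response sender are injectable so the handler can be exercised offline with a constructed fake.

```python
"""Lambda-backed CloudFormation custom resource (added example, not from the thread).
Assumptions: the template declares Type: Custom::StartInstances with
Properties.InstanceIds and a ServiceToken pointing at this function; the EC2
client and the response sender are injectable so the handler runs offline."""
import json
import urllib.request

SUCCESS, FAILED = "SUCCESS", "FAILED"

# Constructed sample event in the shape CloudFormation sends to a provider;
# every ID and URL is a placeholder.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response.example/placeholder",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/placeholder-stack-id",
    "RequestId": "placeholder-request-id",
    "LogicalResourceId": "StartLegacyInstances",
    "ResourceType": "Custom::StartInstances",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:placeholder",
        "InstanceIds": ["i-0placeholder1", "i-0placeholder2"],
    },
}


def build_response(event, status, reason="", data=None):
    """Body CloudFormation expects. Data is visible to anyone who can describe
    the stack (and via Fn::GetAtt), so never return secrets in it."""
    return {
        "Status": status,
        "Reason": reason or "See the Lambda log stream for details",
        # Keep the physical id stable; a changed id makes an Update a replacement.
        "PhysicalResourceId": event.get("PhysicalResourceId") or f"custom-{event['LogicalResourceId']}",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(response_url, body):
    """PUT the body to the pre-signed S3 URL (headers mirror AWS's cfn-response helper)."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(response_url, data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def handler(event, context=None, ec2=None, send=send_response):
    """Lambda entry point. A response is sent whatever happens: a provider that
    raises without responding leaves the stack waiting until it times out."""
    if ec2 is None:  # real client only inside Lambda, so the module imports offline
        import boto3
        ec2 = boto3.client("ec2")
    try:
        if event["RequestType"] in ("Create", "Update"):
            ids = event["ResourceProperties"].get("InstanceIds") or []
            if not ids:
                raise ValueError("InstanceIds must list at least one instance")
            ec2.start_instances(InstanceIds=ids)
            body = build_response(event, SUCCESS, data={"StartedInstanceIds": ",".join(ids)})
        else:
            # Delete: the instances predate the stack, so leave them alone and
            # report success so that stack deletion is not blocked.
            body = build_response(event, SUCCESS)
    except Exception as exc:  # any failure must still be reported to CloudFormation
        body = build_response(event, FAILED, reason=f"{type(exc).__name__}: {exc}")
    send(event["ResponseURL"], body)
    return body


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client, for exercising the handler offline."""
    def __init__(self, fail=False):
        self.fail, self.started = fail, []

    def start_instances(self, InstanceIds):
        if self.fail:
            raise PermissionError("UnauthorizedOperation: ec2:StartInstances denied")
        self.started.extend(InstanceIds)
        return {"StartingInstances": [{"InstanceId": i} for i in InstanceIds]}


def demo():
    """Run a successful Create, a failing Create and a Delete; returns the three
    response bodies and how many responses would have been PUT."""
    sent = []

    def capture(url, body):
        sent.append(body)
        return 200

    ok = handler(SAMPLE_EVENT, ec2=FakeEC2(), send=capture)
    failed = handler(SAMPLE_EVENT, ec2=FakeEC2(fail=True), send=capture)
    delete_event = dict(SAMPLE_EVENT, RequestType="Delete", PhysicalResourceId=ok["PhysicalResourceId"])
    deleted = handler(delete_event, ec2=FakeEC2(fail=True), send=capture)
    return ok, failed, deleted, len(sent)
```

The same skeleton carries a migration runner: replace the `ec2.start_instances` call with the Liquibase or Flyway invocation and keep everything else, in particular the `except` that turns any error into a FAILED response so the stack rolls back promptly instead of hanging, and the Delete branch that decides explicitly what a stack deletion should do to the database. The function's execution role should hold only the actions the task needs (here `ec2:StartInstances` on the listed instances), since it runs with those permissions on every stack operation.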

Does Terraform allow cross-region snapshots to be configured for Redshift Clusters?

I'm new to Terraform -- I've looked in the documentation here: https://www.terraform.io/docs/providers/aws/r/redshift_cluster.html
...but I don't see an option to enable cross-region snapshots for Redshift clusters using a Terraform template. Seems like a simple option to implement, and a critical feature for us.
Currently not possible. Here's an open issue asking for this feature.
If you absolutely need to do this from terraform, you could use a null_resource with a local-exec provisioner and run a local script that calls enable-snapshot-copy