{"id":4335,"date":"2021-04-18T21:44:19","date_gmt":"2021-04-18T19:44:19","guid":{"rendered":"http:\/\/miro.borodziuk.eu\/?p=4335"},"modified":"2021-06-27T17:40:46","modified_gmt":"2021-06-27T15:40:46","slug":"cloudformation-6","status":"publish","type":"post","link":"http:\/\/miro.borodziuk.eu\/index.php\/2021\/04\/18\/cloudformation-6\/","title":{"rendered":"CloudFormation – 6 – DependsOn, Lambda"},"content":{"rendered":"

<\/p>\n

DependsOn<\/span><\/p>\n

DependsOn is a way to say that some resource can’t be created before other resource is created.\u00a0 Consider a template::<\/p>\n

AWSTemplateFormatVersion: '2010-09-09'\r\nMappings:\r\n  AWSRegionArch2AMI:\r\n    us-east-1:\r\n      HVM64: ami-6869aa05\r\n    us-west-2:\r\n      HVM64: ami-7172b611\r\n    us-west-1:\r\n      HVM64: ami-31490d51\r\n    eu-west-1:\r\n      HVM64: ami-f9dd458a\r\n    eu-central-1:\r\n      HVM64: ami-ea26ce85\r\n    ap-northeast-1:\r\n      HVM64: ami-374db956\r\n    ap-northeast-2:\r\n      HVM64: ami-2b408b45\r\n    ap-southeast-1:\r\n      HVM64: ami-a59b49c6\r\n    ap-southeast-2:\r\n      HVM64: ami-dc361ebf\r\n    ap-south-1:\r\n      HVM64: ami-ffbdd790\r\n    us-east-2:\r\n      HVM64: ami-f6035893\r\n    sa-east-1:\r\n      HVM64: ami-6dd04501\r\n    cn-north-1:\r\n      HVM64: ami-8e6aa0e3\r\n\r\nResources:\r\n  Ec2Instance:\r\n    Type: AWS::EC2::Instance\r\n    Properties:\r\n      ImageId: !FindInMap [AWSRegionArch2AMI, !Ref 'AWS::Region', HVM64]\r\n    DependsOn: MyDB\r\n\r\n  MyDB:\r\n    Type: AWS::RDS::DBInstance\r\n    Properties:\r\n      AllocatedStorage: '5'\r\n      DBInstanceClass: db.t2.micro\r\n      Engine: MySQL\r\n      EngineVersion: \"5.7.22\"\r\n      MasterUsername: MyName\r\n      MasterUserPassword: MyPassword\r\n    # Readme - note: Added a DeletionPolicy (not shown in the video)\r\n    # This ensures that the RDS DBInstance does not create a snapshot when it's deleted\r\n    # Otherwise, you would be billed for the snapshot :)\r\n    DeletionPolicy: Delete\r\n<\/pre>\n
EC2 instance will not be created until MyDB resource is successfully created.<\/p>\n
Let’s run the template:<\/p>\n
CloudFormation -> Stacks -> Create stack<\/code><\/p>\n
\"\"<\/p>\n
Next -> Next -> Create Stack<\/code><\/p>\n
As we see the MyDB is beeing created as a first resource in the stack:<\/p>\n
\"\"<\/p>\n
 <\/p>\n
Deploying Lambda Functions<\/span><\/p>\n
First way of defining a lambda function in CloudFormation is Inline.<\/p>\n
Consider such a template:<\/p>\n
Resources: \r\n  LambdaExecutionRole:\r\n    Type: AWS::IAM::Role\r\n    Properties:\r\n      AssumeRolePolicyDocument:\r\n        Version: '2012-10-17'\r\n        Statement:\r\n        - Effect: Allow\r\n          Principal:\r\n            Service:\r\n            - lambda.amazonaws.com\r\n          Action:\r\n          - sts:AssumeRole\r\n      Path: \"\/\"\r\n      Policies:\r\n      - PolicyName: root\r\n        PolicyDocument:\r\n          Version: '2012-10-17'\r\n          Statement:\r\n          - Effect: Allow\r\n            Action:\r\n            - \"s3:*\"\r\n            Resource: \"*\"\r\n          - Effect: Allow\r\n            Action:\r\n            - \"logs:CreateLogGroup\"\r\n            - \"logs:CreateLogStream\"\r\n            - \"logs:PutLogEvents\"\r\n            Resource: \"*\"\r\n\r\n  ListBucketsS3Lambda: \r\n    Type: \"AWS::Lambda::Function\"\r\n    Properties: \r\n      Handler: \"index.handler\"\r\n      Role: \r\n        Fn::GetAtt: \r\n          - \"LambdaExecutionRole\"\r\n          - \"Arn\"\r\n      Runtime: \"python3.7\"\r\n      Code: \r\n        ZipFile: |\r\n          import boto3\r\n\r\n          # Create an S3 client\r\n          s3 = boto3.client('s3')\r\n\r\n          def handler(event, context):\r\n            # Call S3 to list current buckets\r\n            response = s3.list_buckets()\r\n\r\n            # Get a list of all bucket names from the response\r\n            buckets = [bucket['Name'] for bucket in response['Buckets']]\r\n\r\n            # Print out the bucket list\r\n            print(\"Bucket List: %s\" % buckets)\r\n\r\n            return buckets<\/pre>\n
Let’s run the template:<\/p>\n
CloudFormation -> Stacks -> Create stack<\/code><\/p>\n
\"\"<\/p>\n
Next -> Next -> Create stack -> Requires capabilities : [CAPABILITY_IAM] ->\u00a0 Review LambdaInline<\/code><\/p>\n
\"\"<\/p>\n
Create stack -><\/code><\/p>\n
As we see the lambda function has been created:<\/p>\n
\"\"<\/p>\n
Let’s test the lambda function:<\/p>\n
\"\"<\/p>\n
Lambda function simply list all s3 buckets which we have in AWS account.<\/p>\n
A second way of defining a lambda function in CloudFormation is to use a zip from S3.<\/p>\n
First we need to zip an index.py<\/code> file:<\/p>\n
import boto3\r\n\r\n# Create an S3 client\r\ns3 = boto3.client('s3')\r\n\r\ndef handler(event, context):\r\n    # Call S3 to list current buckets\r\n    response = s3.list_buckets()\r\n\r\n    # Get a list of all bucket names from the response\r\n    buckets = [bucket['Name'] for bucket in response['Buckets']]\r\n\r\n    # Print out the bucket list\r\n    print(\"Bucket List: %s\" % buckets)\r\n\r\n    return buckets<\/pre>\n
And then upload the zip file to the S3 service.<\/p>\n
\"\"<\/p>\n
Upload-><\/code><\/p>\n
In CloudFormation template file we need to reference to the uploaded zip file:<\/p>\n
Parameters:\r\n  S3BucketParam:\r\n    Type: String\r\n  S3KeyParam:\r\n    Type: String\r\n\r\nResources: \r\n  LambdaExecutionRole:\r\n    Type: AWS::IAM::Role\r\n    Properties:\r\n      AssumeRolePolicyDocument:\r\n        Version: '2012-10-17'\r\n        Statement:\r\n        - Effect: Allow\r\n          Principal:\r\n            Service:\r\n            - lambda.amazonaws.com\r\n          Action:\r\n          - sts:AssumeRole\r\n      Path: \"\/\"\r\n      Policies:\r\n      - PolicyName: root\r\n        PolicyDocument:\r\n          Version: '2012-10-17'\r\n          Statement:\r\n          - Effect: Allow\r\n            Action:\r\n            - \"s3:*\"\r\n            Resource: \"*\"\r\n          - Effect: Allow\r\n            Action:\r\n            - \"logs:CreateLogGroup\"\r\n            - \"logs:CreateLogStream\"\r\n            - \"logs:PutLogEvents\"\r\n            Resource: \"*\"\r\n\r\n  ListBucketsS3Lambda: \r\n    Type: \"AWS::Lambda::Function\"\r\n    Properties: \r\n      Handler: \"index.handler\"\r\n      Role: \r\n        Fn::GetAtt: \r\n          - \"LambdaExecutionRole\"\r\n          - \"Arn\"\r\n      Runtime: \"python3.7\"\r\n      Code: \r\n        S3Bucket: !Ref S3BucketParam\r\n        S3Key: !Ref S3KeyParam\r\n<\/pre>\n
Now let’s create a stack:<\/p>\n
\"\"<\/p>\n
Next -><\/code><\/p>\n
\"\"<\/p>\n
Next -> Next -><\/code><\/p>\n
\"\"<\/p>\n
Create stack -><\/code><\/p>\n
A new lambda function has been created:<\/p>\n
\"\"<\/p>\n
The code of new function is the same as old code because CloudFormation retrieved zip file and unziped it.<\/p>\n
\"\"<\/p>\n
What if we want to upload a new version of lambda-function.zip. We can change  S3Bucket: !Ref S3BucketParam<\/code> or S3Key: !Ref S3KeyParam<\/code> but better way is to use a template with versioning:<\/p>\n
Parameters:\r\n  S3BucketParam:\r\n    Type: String\r\n  S3KeyParam:\r\n    Type: String\r\n  S3ObjectVersionParam:\r\n    Type: String\r\n\r\nResources: \r\n  LambdaExecutionRole:\r\n    Type: AWS::IAM::Role\r\n    Properties:\r\n      AssumeRolePolicyDocument:\r\n        Version: '2012-10-17'\r\n        Statement:\r\n        - Effect: Allow\r\n          Principal:\r\n            Service:\r\n            - lambda.amazonaws.com\r\n          Action:\r\n          - sts:AssumeRole\r\n      Path: \"\/\"\r\n      Policies:\r\n      - PolicyName: root\r\n        PolicyDocument:\r\n          Version: '2012-10-17'\r\n          Statement:\r\n          - Effect: Allow\r\n            Action:\r\n            - \"s3:*\"\r\n            Resource: \"*\"\r\n          - Effect: Allow\r\n            Action:\r\n            - \"logs:CreateLogGroup\"\r\n            - \"logs:CreateLogStream\"\r\n            - \"logs:PutLogEvents\"\r\n            Resource: \"*\"\r\n\r\n  ListBucketsS3Lambda: \r\n    Type: \"AWS::Lambda::Function\"\r\n    Properties: \r\n      Handler: \"index.handler\"\r\n      Role: \r\n        Fn::GetAtt: \r\n          - \"LambdaExecutionRole\"\r\n          - \"Arn\"\r\n      Runtime: \"python3.7\"\r\n      Code: \r\n        S3Bucket: \r\n          Ref: S3BucketParam\r\n        S3Key: \r\n          Ref: S3KeyParam\r\n        S3ObjectVersion:\r\n          Ref: S3ObjectVersionParam<\/pre>\n
Let’s upload the same lambda-function.zip file to the S3 bucket and check the version-id:<\/p>\n
\"\"<\/p>\n
Now let’s update the stack:<\/p>\n
\"\"<\/p>\n
Next -><\/code><\/p>\n
\"\"<\/p>\n
Next -><\/p>\n
\"\"<\/p>\n
Update stack -><\/code><\/p>\n
 <\/p>\n
Custom Resources<\/span><\/p>\n
You can define a Custom Resource in CloudFormation to address any of these use cases:<\/p>\n
    \n
  • An AWS resource is yet not covered (new service for example)<\/li>\n
  • An On-Premise resource<\/li>\n
  • Emptying an S3 bucket before being deleted<\/li>\n
  • Fetch an AMI id<\/li>\n
  • Anything you want…!<\/li>\n<\/ul>\n
    \"\"<\/p>\n
    CloudFormation Custom Resources (Lambda)<\/p>\n
      \n
    • The Lambda Function will get invoked only if there is a Create, Update or Delete event, not every time you run the template<\/li>\n<\/ul>\n
      { \r\n  \"RequestType\" : \"Create\", \r\n  \"ResponseURL\" : \"http:\/\/pre\u2014signed\u2014S3\u2014url\u2014for\u2014response\", \r\n  \"StackId\" : \"arn:aws:cloudformation:us\u2014west-2:123456789012:stack\/stack\u2014name\/guid\", \r\n  \"RequestId\" : \"unique id for this create request\", \r\n  \"ResourceType\" : \"Custom::TestResource\", \r\n  \"LogicalResourceId\" : \"MyTestResource\", \r\n  \"ResourceProperties\" : { \r\n     \"Name\" : \"Value\", \r\n     \"List\" : [ \"1\", \"2\", \"3\" ]\r\n     } \r\n} \r\n<\/pre>\n
      Consider a yaml tamplate, this is an inline method:<\/p>\n
      Resources: \r\n  LambdaExecutionRole:\r\n    Type: AWS::IAM::Role\r\n    Properties:\r\n      AssumeRolePolicyDocument:\r\n        Version: '2012-10-17'\r\n        Statement:\r\n        - Effect: Allow\r\n          Principal:\r\n            Service:\r\n            - lambda.amazonaws.com\r\n          Action:\r\n          - sts:AssumeRole\r\n      Path: \"\/\"\r\n      Policies:\r\n      - PolicyName: root\r\n        PolicyDocument:\r\n          Version: '2012-10-17'\r\n          Statement:\r\n          - Effect: Allow\r\n            Action:\r\n            - \"s3:*\"\r\n            Resource: \"*\"\r\n          - Effect: Allow\r\n            Action:\r\n            - \"logs:CreateLogGroup\"\r\n            - \"logs:CreateLogStream\"\r\n            - \"logs:PutLogEvents\"\r\n            Resource: \"*\"\r\n\r\n  EmptyS3BucketLambda: \r\n    Type: \"AWS::Lambda::Function\"\r\n    Properties: \r\n      Handler: \"index.handler\"\r\n      Role: \r\n        Fn::GetAtt: \r\n          - \"LambdaExecutionRole\"\r\n          - \"Arn\"\r\n      Runtime: \"python3.7\"\r\n      # we give the function a large timeout \r\n      # so we can wait for the bucket to be empty\r\n      Timeout: 600\r\n      Code: \r\n        ZipFile: |\r\n          #!\/usr\/bin\/env python\r\n          # -*- coding: utf-8 -*-\r\n          import json\r\n          import boto3\r\n          from botocore.vendored import requests\r\n\r\n          def handler(event, context):\r\n              try:\r\n                  bucket = event['ResourceProperties']['BucketName']\r\n\r\n                  if event['RequestType'] == 'Delete':\r\n                      s3 = boto3.resource('s3')\r\n                      bucket = s3.Bucket(bucket)\r\n                      for obj in bucket.objects.filter():\r\n                          s3.Object(bucket.name, obj.key).delete()\r\n\r\n                  sendResponseCfn(event, context, \"SUCCESS\")\r\n              except Exception as e:\r\n                  print(e)\r\n                  sendResponseCfn(event, context, \"FAILED\")\r\n\r\n\r\n          def sendResponseCfn(event, context, responseStatus):\r\n              response_body = {'Status': responseStatus,\r\n                              'Reason': 'Log stream name: ' + context.log_stream_name,\r\n                              'PhysicalResourceId': context.log_stream_name,\r\n                              'StackId': event['StackId'],\r\n                              'RequestId': event['RequestId'],\r\n                              'LogicalResourceId': event['LogicalResourceId'],\r\n                              'Data': json.loads(\"{}\")}\r\n\r\n              requests.put(event['ResponseURL'], data=json.dumps(response_body))\r\n\r\nOutputs:\r\n  StackSSHSecurityGroup:\r\n    Description: The ARN of the Lambda function that empties an S3 bucket\r\n    Value: !GetAtt EmptyS3BucketLambda.Arn\r\n    Export:\r\n      Name: EmptyS3BucketLambda\r\n<\/pre>\n
      Let’s create a stack:<\/p>\n
      \"\"<\/p>\n
      Next -><\/code><\/p>\n
      \"\"<\/p>\n
      Next -><\/code><\/p>\n
      \"\"<\/p>\n
      Create stack -><\/code><\/p>\n
      Labda funcion has been created:<\/p>\n
      \"\"<\/p>\n
      Consider a yaml template with custom resource:<\/p>\n
      ---\r\nAWSTemplateFormatVersion: '2010-09-09'\r\n\r\nResources:\r\n  myBucketResource:\r\n    Type: AWS::S3::Bucket\r\n\r\n  LambdaUsedToCleanUp:\r\n    Type: Custom::cleanupbucket\r\n    Properties:\r\n      ServiceToken: !ImportValue EmptyS3BucketLambda\r\n      BucketName: !Ref myBucketResource<\/pre>\n
      Now let’s create a stack with custom recource:<\/p>\n
      \"\"<\/p>\n
      Next -><\/p>\n
      \"\"<\/p>\n
      Next -> Create stack<\/code><\/p>\n
      After th new stack has been created we can go to the rosurces and see that S3 bucket has been created also:<\/p>\n
      \"\"<\/p>\n
      We can\u00a0 go to this 33 bucket and upload a random file here:<\/p>\n
      \"\"<\/p>\n
      Upload -><\/code><\/p>\n
      Now let’s delete the stack.<\/p>\n
       <\/p>\n
      \"\"<\/p>\n
      When the stack has been deleted the lambda funcion cleaned up the S3 Bucket.<\/p>\n
      \"\"<\/p>\n
       <\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[89],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/4335"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=4335"}],"version-history":[{"count":30,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/4335\/revisions"}],"predecessor-version":[{"id":4399,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/4335\/revisions\/4399"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=4335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=4335"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=4335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}