[toc]
M.m.p

- m release: Carefully read the release notes, changes might cause interruptions in the service.
- p release: Bugfixes, introduction of new features that can normally be used without any interruption or rebuild of resources.
Setting the option `object_ownership` will set the bucket ACLs on (or off). Possible values are:

- `ObjectWriter`: Enables ACLs and puts owner of new objects to the writer
- `BucketOwnerPreferred`: Enables ACLs and puts owner of new objects preferably to the owner, unless ACLs change this
- `BucketOwnerEnforced`: Disables ACLs and enforces bucket owner as owner of all files

```yaml
s3:
  - name: mybucket
    cfn_name: MyBucket
    access_control: Private
    object_ownership: ObjectWriter
    static_website_hosting: no
    versioning: {Enabled|Suspended}
    skip_output: {true|false}
    lifecycle_configuration: |
      Rules:
        - ExpirationInDays: 14
    cors:
      allowed_headers:
        - '*'
      allowed_methods:
        - 'GET'
        - 'PUT'
      allowed_origins:
        - '*'
    tags:
      - key: "ass:s3:backup-and-empty-bucket-on-stop"
        value: "yes"
      - key: "ass:s3:backup-and-enpty-bucket-on-stop-acl"
        value: "private"
      - key: "..."
        value: "..."
```
0.6.37 (20230120): Grant `ecr:DescribeImages` permissions to accounts with pull permissions for an ECR repo
Setting the property `skip_user_creation: true` will skip the creation of functional AWS users in:

- ECSMgmt
- ECR
- Cloudfront

To enable this:

- Add `skip_user_creation: true` in the configuration YAML file
- Update the `GITTAG` default value in `dockerwrapper`
- Run the command `ANSIBLE_TAGS=ecs,cloudfront,ecsmgmt ./dockerwrapper`
Add one or both properties to the account's config file to skip the creation of the related resource:

```yaml
vpc:
  skip_natgw: true
  skip_igw: true
```
Fix condition in logic to skip deploy user creation (again)
- Default: remove after 14 days
- Set the `logging.expiration_in_days` property in the cloudfront definition to override that setting
The `cross_account_access.lambda` property in the ECR repo definition will add a statement to the ECR policy that allows all Lambda functions in the specified AWS accounts to pull the ECR image. Also see this AWS blog post.

```yaml
ecr:
  - name: "repoName"
    cfn_name: RepoName
    cross_account_access:
      push:
        - 000000000000
      pull:
        - 111111111111
        - 222222222222
      lambda:
        - 333333333333
```
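What that configuration expands to, as an added Python example written for this note (not the aws-cfn-gen template itself): a generator that turns the push, pull and lambda account lists into an ECR repository policy. It pads account ids back to 12 digits because a YAML loader reads an unquoted `000000000000` as the integer 0 (the same class of problem as the "account-id starts with zero" KMS fix elsewhere in these notes), it grants `ecr:DescribeImages` to pull accounts as 0.6.37 does, and it models the Lambda statement with the service principal and an `aws:sourceArn` condition as the linked AWS blog post does. The action lists, the statement ids and the `region` parameter are this example's assumptions.

```python
import json

# Assumed action sets; the repository's real template may differ.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:DescribeImages",  # granted to pull accounts since 0.6.37
]
PUSH_ACTIONS = PULL_ACTIONS + [
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def account_id(value):
    """Return a 12-digit account id string.

    YAML parses an unquoted 000000000000 as the integer 0, which would
    silently produce a wrong principal ARN; zero-pad it back to 12 digits.
    """
    text = str(value).strip()
    if not text.isdigit() or len(text) > 12:
        raise ValueError(f"not an AWS account id: {value!r}")
    return text.zfill(12)


def repository_policy(cross_account_access, region="eu-central-1"):
    """Build the ECR repository policy document for one repo's cross_account_access block."""
    pull = [account_id(a) for a in cross_account_access.get("pull", [])]
    push = [account_id(a) for a in cross_account_access.get("push", [])]
    lambda_accounts = [account_id(a) for a in cross_account_access.get("lambda", [])]
    statements = []
    if pull:
        statements.append({
            "Sid": "CrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in pull]},
            "Action": PULL_ACTIONS,
        })
    if push:
        statements.append({
            "Sid": "CrossAccountPush",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in push]},
            "Action": PUSH_ACTIONS,
        })
    if lambda_accounts:
        # Lambda pulls the image as the service principal, so the grant is scoped
        # by aws:sourceArn to functions in the listed accounts rather than to the
        # account root. Pattern as in the AWS blog post; an assumption of this example.
        statements.append({
            "Sid": "LambdaPull",
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
            "Condition": {"StringLike": {"aws:sourceArn": [
                f"arn:aws:lambda:{region}:{a}:function:*" for a in lambda_accounts
            ]}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample matching the changelog snippet; 0 is what YAML makes of 000000000000.
SAMPLE_ACCESS = {"push": [0], "pull": [111111111111, 222222222222], "lambda": [333333333333]}

if __name__ == "__main__":
    print(json.dumps(repository_policy(SAMPLE_ACCESS), indent=2))
```

Quoting the account ids in the YAML avoids the integer problem at the source; the zero-padding is a second line of defence for configs that were not quoted.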
```yaml
applicationconfig:
  - name: "myservice"
    ...
    ecs:
      ...
      autoscaling:
        - name: MyMetric
          type: custom
          scale_in_cooldown: 60
          scale_out_cooldown: 60
          target_value: 75
          custom_metric:
            dimensions:
              - dim1
              - dim2
            metric_name: MyMetric
            namespace: MyNameSpace
            statistic: Sum
```
Fix condition in logic to skip deploy user creation
Fix autoscaling mincapacity
Allow skipping deploy user creation based on a cloudfront or a global property.

Adding ACM certificates to an ALB in ECS2 failed because of an indentation error. This version fixes that error.

The AMI used for the bastion host is updated to the latest version.

- Transfer files to an EFS volume more easily without having to log in to the bastion account.
- Uploading the files to the S3 bucket will automatically transfer the files to the EFS volume.
```yaml
efs:
  - cfn_name: MyS3ToEFSCopy
    s3_to_efs_copy:
      lambda_key: aws-lambda-s3-trigger-to-efs-c78524de709fb97bce19e0e5b4bda04329a0f082.zip
```

- Only if `app.launchtype == "FARGATE"`

```yaml
applicationconfig:
  - name: "myservice"
    ...
    ecs:
      ...
      autoscaling:
        - name: cpu
          scale_in_cooldown: 60
          scale_out_cooldown: 60
          target_value: 75
          predefined_metric_type: "ECSServiceAverageCPUUtilization"
        - name: memory
          scale_in_cooldown: 60
          scale_out_cooldown: 60
          target_value: 75
          predefined_metric_type: "ECSServiceAverageMemoryUtilization"
```
- Fix: The Lambda LambdaCumulativeReservationMetric was not updated in ECS2
- Feature: exclude ADAG alarms with the `ecsmgmt.monitoring.adag_alarm_exclude_list` property
- Add (optional) creation of EFS access points.
- Add tags to AWS::ECS::Service resources
- Update Bastion AMIs in the BastionHost module
- Update S3 key for a lambda function in the ECS module
Fix name of IAM role that should have been correct in v0.6.6
Implicitly create the role `ECSExecutionRoleAwsCfnGen` and use it as the `ExecutionRoleArn` in the task definitions if no `execution_role_arn` is defined in the service configuration.
Allow multiple certificates on 1 ALB HTTPS listener (fixes #53)
AWS decided to stop supporting their case error in `FileSystemId`, so we are forced to follow and change to `FilesystemId`. The old case string will result in stacks failing as from March 1, 2021, as stated in CloudFormation event logs:

```
Stack operations on resource TaskDistribution would fail starting from
03/01/2021 as the template has invalid properties. Please refer to the
resource documentation to fix the template. Properties validation failed
for resource TaskDistribution with message:
#/Volumes/0/EFSVolumeConfiguration:required key [FilesystemId] not found
```
You can now skip linter checks using the Ansible `--skip-tags` option. Available tags:

- `linter` or `cfn-lint` to skip all lint checks
- Resource specific tags in the form `linter-<resource>`:
  - `linter-vpc`
  - `linter-vpcendpoints`
  - `linter-sgrules`
  - `linter-kms`
  - `linter-secretemanager`
  - `linter-rdsparametergroups`
  - `linter-rds`
  - `linter-chatnotifications`
  - `linter-bastion`
  - `linter-ecr`
  - `linter-ecsmgmt`
  - `linter-route53delegation`
  - `linter-iam`
  - `linter-lambda`
  - `linter-lambdacloudfront`
  - `linter-cloudwatch`
  - `linter-efs`
  - `linter-dynamodb`
  - `linter-loadbalancers`
  - `linter-sns`
  - `linter-s3`
  - `linter-cloudfront`
  - `linter-route53`
  - `linter-ecs`
  - `linter-ecs2`
  - `linter-wafassociations`

- Update Policy version from `2008-10-17` to `2012-10-17` to satisfy linter check
Upgrading to this version will possibly cause downtime because new AMI's will be used.

- Default TLS policies for ALB and CloudFront are updated to `ELBSecurityPolicy-FS-1-2-Res-2019-08` and `TLSv1.2_2019` respectively
- AMI's for Bastion and ECS cluster are updated
- Only Amazon Linux 2 AMI's are allowed for EC2 based ECS clusters and Bastion hosts
Bugfixes in CloudFormation lint checker
Bugfixes in CloudFormation lint checker
Add `cfn-lint` check after template generation, but before template deploy

Fix indentation bug in ECSMgmt.yml

Fix issue where ECS EC2 instances are added to the cluster even when all services are configured as FARGATE services.
- Block all public access on bucket where template is uploaded
- Remove start/stop metric filter and cw alarm from ecs service cloudwatch loggroups
- Allow cross account ECR push for selected accounts
A new module SGRules to add ingress rules to existing security groups.

```yaml
sgrules:
  - cfn_name: AddTcp8080ToSGInternal
    type: "ingress"
    sg_id: "sg_123456789"
    source_sg_id: "sg_123456789"
    description: "Allow intra SG traffic to port 8080"
    protocol: "tcp"
    from_port: "8080"
    to_port: "8080"
```
Re-assign required AmazonEC2ContainerRegistryFullAccess to ecr-push user
ECS2: Remove obsolete outputs
Bugfix in multiline yaml string in ECS2
A new template that combines ALB and ECS to avoid circular dependencies and problems when changing or removing services. It uses the `ecs2` and `loadbalancer2` top-level properties in the config files. When using `ecs2`, service names are not defined in the CloudFormation template and will vary. Take this into account when changing from `ecs` to `ecs2`, as this will require CI/CD pipelines to be updated as well.
- `bastion.eip` creates an EIP and attaches it to the bastion host
- `bastion.encrypt_ebs` will encrypt the bastion storage
- Set the top-level property `iam_accesskey_serial` to re-create access keys in the following templates: CloudFront, ECR, ECSMgmt, IAM
- Stop using inline policies in favor of groups, policies and group membership in the following templates: CloudFront, ECR
`bucket.public_access_block_configuration` can be used to block public bucket access:

```yaml
s3:
  - name: myBucket
    ...
    bucket.public_access_block_configuration: true
```

```yaml
s3:
  - name: myBucket
    ...
    bucket.public_access_block_configuration:
      block_public_acls: true
      block_public_policy: true
      ignore_public_acls: true
      restrict_public_buckets: true
```
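An added check, written for this note rather than taken from aws-cfn-gen, that reads bucket items in the shape shown here and in the `object_ownership` notes above, expands the `true` shorthand to the four block flags, and reports buckets that still have ACLs enabled, versioning off or public access not fully blocked; `to_cfn_properties` shows the AWS::S3::Bucket properties these settings map to. The literal key name `bucket.public_access_block_configuration`, the finding texts and treating a missing `access_control` as Private are assumptions of the example.

```python
"""Check the S3 bucket definitions of an aws-cfn-gen style config for public exposure.

Added example, not aws-cfn-gen code. It assumes the config shape shown in this
changelog: bucket items with optional `object_ownership`, `versioning` and
`bucket.public_access_block_configuration` (either `true` or a dict of the four flags).
"""

VALID_OWNERSHIP = {"ObjectWriter", "BucketOwnerPreferred", "BucketOwnerEnforced"}
VALID_VERSIONING = {"Enabled", "Suspended"}
PAB_KEYS = ("block_public_acls", "block_public_policy",
            "ignore_public_acls", "restrict_public_buckets")
PAB_KEY = "bucket.public_access_block_configuration"  # literal key as used in the config


def expand_public_access_block(value):
    """`true` is shorthand for all four flags; a dict is taken as given, missing flags default to off."""
    if value is True:
        return dict.fromkeys(PAB_KEYS, True)
    if isinstance(value, dict):
        unknown = set(value) - set(PAB_KEYS)
        if unknown:
            raise ValueError(f"unknown public access block keys: {sorted(unknown)}")
        return {key: bool(value.get(key, False)) for key in PAB_KEYS}
    return None  # property absent or false: nothing is blocked


def check_bucket(bucket):
    """Return findings (strings) for one bucket item; an empty list means nothing to report."""
    findings = []
    name = bucket.get("name", "<unnamed>")
    if bucket.get("access_control", "Private") != "Private":
        findings.append(f"{name}: access_control is {bucket['access_control']}, not Private")
    ownership = bucket.get("object_ownership")
    if ownership is not None and ownership not in VALID_OWNERSHIP:
        findings.append(f"{name}: invalid object_ownership {ownership!r}")
    elif ownership != "BucketOwnerEnforced":
        findings.append(f"{name}: ACLs still enabled (object_ownership={ownership})")
    versioning = bucket.get("versioning")
    if versioning is not None and versioning not in VALID_VERSIONING:
        findings.append(f"{name}: invalid versioning {versioning!r}")
    elif versioning != "Enabled":
        findings.append(f"{name}: versioning not enabled")
    block = expand_public_access_block(bucket.get(PAB_KEY))
    if block is None or not all(block.values()):
        findings.append(f"{name}: public access not fully blocked")
    return findings


def to_cfn_properties(bucket):
    """Map the checked settings to AWS::S3::Bucket properties (other properties omitted)."""
    props = {}
    block = expand_public_access_block(bucket.get(PAB_KEY))
    if block is not None:
        props["PublicAccessBlockConfiguration"] = {
            "BlockPublicAcls": block["block_public_acls"],
            "BlockPublicPolicy": block["block_public_policy"],
            "IgnorePublicAcls": block["ignore_public_acls"],
            "RestrictPublicBuckets": block["restrict_public_buckets"],
        }
    if "object_ownership" in bucket:
        props["OwnershipControls"] = {"Rules": [{"ObjectOwnership": bucket["object_ownership"]}]}
    if "versioning" in bucket:
        props["VersioningConfiguration"] = {"Status": bucket["versioning"]}
    return props


# Constructed sample buckets, modelled on the changelog snippets.
OPEN_BUCKET = {"name": "mybucket", "access_control": "Private",
               "object_ownership": "ObjectWriter", "versioning": "Suspended"}
HARDENED_BUCKET = {"name": "mybucket", "access_control": "Private",
                   "object_ownership": "BucketOwnerEnforced", "versioning": "Enabled",
                   PAB_KEY: True}

if __name__ == "__main__":
    for bucket in (OPEN_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], check_bucket(bucket) or "ok")
```

The dict form is only equivalent to `true` when all four flags are set; leaving one out (for instance `ignore_public_acls`) keeps a partially open bucket, which is why the check insists on all four.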
`bucket.send_create_events_to_lambda_import` can be used to run a Lambda on `s3:ObjectCreated:*` bucket events.
- Force TLS on internal LBs with `force_tls`

```yaml
loadbalancers:
  - name: ALBInt
    ...
    force_tls: true
```

- Allow fixed responses in ALB listener rules

```yaml
loadbalancers:
  - name: myAlb
    ...
    fixed_responses:
      - cfn_name: "FixedResponse001"
        path_pattern: "/path"
        priority: 5
        status_code: "404"
        content_type: "text/html"
        message_body: "<h1>404 - page not found</h1>"
```

- End to End TLS when `applicationconfig[n].lb.protocol` is `HTTPS`
- Make all health check settings configurable
- S3 origins with OAI and bucket policy for cloudfront access

```yaml
cloudfront_oai:
  - myOai
cloudfront_distributions:
  - name: c19distributionmyDistribution
    ...
    origins_and_cachebehaviors:
      - origin_name: myOrigin
        ...
        oai: "myOai"
```
Add `waf_associations` to associate an existing (manually created) web acl to a loadbalancer.

```yaml
waf_associations:
  # The WebACL needs to be created manually for now. Only the association of the WebACL with the external
  # LoadBalancer is automatic.
  - name: WafToAlbExt
    waf_arn: "arn:aws:wafv2:{{ target_account.region }}:{{ target_account.account_id }}:regional/webacl/{{ target_account.waf_alb.name }}/{{ target_account.waf_alb.id }}"
    arn_import: "{{ app_cfn }}{{ env_cfn }}ECS2-ALBExt"
```
- `ecs.cluster.encrypt_ebs` will encrypt the ECS cluster instance storage
- `applicationconfig[n].launchtype` can be set to `FARGATE` to run the service on a FARGATE cluster. If all services are `FARGATE` services, no cluster instances will be created.
- Add VPC interface endpoint support

```yaml
vpc_interface_endpoints:
  - cfn_name: "SSM"
    aws_service: "com.amazonaws.eu-central-1.ssm"
    subnet_imports:
      - "VPCFor{{ app_and_env_cfn }}-PrivateSubnetAZ1"
      - "VPCFor{{ app_and_env_cfn }}-PrivateSubnetAZ2"
      - "VPCFor{{ app_and_env_cfn }}-PrivateSubnetAZ3"
    sg_imports:
      - "VPCFor{{ app_and_env_cfn }}-SGAPP"
    vpc_import: "VPCFor{{ app_and_env_cfn }}-VPC"
  - cfn_name: "SecretsManager"
    aws_service: "com.amazonaws.eu-central-1.secretsmanager"
    subnet_imports:
      - "VPCFor{{ app_and_env_cfn }}-PrivateSubnetAZ1"
      - "VPCFor{{ app_and_env_cfn }}-PrivateSubnetAZ2"
      - "VPCFor{{ app_and_env_cfn }}-PrivateSubnetAZ3"
    sg_imports:
      - "VPCFor{{ app_and_env_cfn }}-SGAPP"
    vpc_import: "VPCFor{{ app_and_env_cfn }}-VPC"
```
- Add task definition and ECS service permissions to the `ecr-push` user
- `ecsmgmt.ass.disable` skips the creation of `ASS` resources.
- Add template to add resources that subscribe to the monitoring SNS topic to send notifications. Works for Slack and Google chat.

```yaml
chat_notifications:
  - host: "hooks.slack.com"
    path: "{{ target_account.slack_notifications_path }}"
    cfn_name: "Slack{{ app_and_env_cfn }}"
```
Optionally set CORS rules on the bucket.

Use `amzami` or `amz2ami` to override the default AMI:

- Use the ECS AMI
- Use the AMI for the region you are deploying in

Update the ECS AMI's to the latest version.

Downtime Warning: Using this version for the first time will cause the ECS cluster to be rebuilt because of the new AMI's.

- Add `ssl_policy` property to loadbalancer to determine the SSL policy to use on the HTTPS listener.
- ECSMgmt: make memory and cpu for fargate tasks configurable
- The S3 module now exports outputs for the created resources
- Quote principals in KMS IAM to avoid failure when account-id starts with zero
- Set deletion tag on cloudfront resources, default is 0 (no deletion), change to non-zero in environment config to instruct ASS to delete the CloudFront stack
- Fix failure when cw property is not defined
- Add `aws-cfn-gen` version to the CloudFormation stack description
- Add Golang
- Source account not allowed in invoke permission for CW Event rule
- Environment variable values can be an exported CloudFormation output

```yaml
lambda_functions:
  - name: mylambdafunction
    function_name: MyLambdaFunction
    ...
    environment:
      - name: ENVVAR_FROM_IMPORT
        value_from_import: "NameOfTheImport"
```

- Allow Event Rule creation with free event pattern
- Add some extra checks on property existence and validity
- The CloudWatch stack is unconditionally created because it contains resources other stacks depend on
This is a minor release, updating to this release might cause service interruptions because of the support for AMZN2 images in the ECS module.

- ECS: ECS AMZN2 support, set `ecs.cluster.amzn2` to `true` to enable
- CloudFront: Add property `cloudfront.default_root_object`
- ECSMgmt: Add custom scheduled tasks to the management ECS cluster
- RDS Cluster Parameter Group creation
- Allow cross account ECR repository pulls for selected AWS accounts
- RDS Instance module
```yaml
applicationconfig:
  - name: myapp
    ...
    lb:
      name: mylb
      ...
      targetgroup_attributes:
        - key: deregistration_delay.timeout_seconds
          value: 0
        - key: ...
          value: ...
```

Setting the property `targetgroup_attributes` will add the target group attributes to the target group for the application. Consult the AWS CloudFormation documentation for `AWS::ElasticLoadBalancingV2::TargetGroup` for accepted values.

Run without updating resources, only creating change sets and printing a basic report at the end of the playbook run. This can be achieved by adding the commandline switch `--extra-vars create_changeset=yes` to the `ansible-playbook` commandline.
- Allow definition of CORS rules for S3 origins (see example)
- Make `ViewerProtocolPolicy` customizable with property `viewer_protocol_policy`
- Make `MaxTTL`, `MinTTL` and `DefaultTTL` customizable with the properties `max_ttl`, `min_ttl` and `default_ttl`.

```yaml
cloudfront_distributions:
  - name: my-distributions
    cfn_name: MyDistribution
    cnames:
      - "dist.acme.com"
    certificate_arn: "arn:aws:acm:us-east-1:{{ target_account.account_id }}:certificate/{{ certificate }}"
    logging: true
    origins_and_cachebehaviors:
      - origin_name: "origin-1"
        origin_cors_rules:
          allowed_headers: [ 'access-token', 'content-type', 'cache-control', 'pragma' ]
          allowed_methods: [ 'PUT', 'GET', 'POST', 'DELETE' ]
          allowed_origins: [ '*' ]
          max_age: 300
        forward_headers:
          - Origin
        priority: 100
        path_pattern: "/static/*"
        allowed_http_methods: options
        viewer_protocol_policy: "allow-all"
        default_ttl: 300
```
It is now possible to set the `memory_reservation` property in the `ecs` part of an application definition. This will allow the running container to exceed the memory limit set by the property, but only when the ECS cluster node has memory to spare. When another container requires memory within its memory settings, the ECS Agent will try to reclaim the memory from containers that exceed their `MemoryReservation` first. This property is stronger than the `memory` property.

```yaml
- name: "servicename"
  cfn_name: ServiceName
  target: "ecs"
  ...
  ecs:
    image: "123456789012.dkr.ecr.eu-central-1.amazonaws.com/example/service:latest"
    containerport: 8080
    memory_reservation: 2048
    cpu: 512
    desiredcount: 2
    ...
```
This is a patch release, with only minor and non-disruptive changes.

Fix case where ECS template fails when no `bastion` data is present in the project configuration file. An extra test was added to skip the part where the variable was referenced.
This is a minor release, updating to this release might cause service interruptions because of:

- a change in the ECS Launchconfiguration (install SSM Agent on ECS instances)
- Update AMI to version

- Add installation of SSM Agent to the ECS LaunchConfiguration. This is required to allow for the automatic installation of the Amazon CloudWatch Agent on ECS AMI based instances
- Add SNS topic subscription filter support
- Introduce possibility to specify an endpoint arn for sns topic subscriptions
- Add cross account topic policies
- Add scheduled tasks from config for existing task definitions
- Add Lambda invoke permissions and subscriptions for other AWS accounts
- Add `stack_deletion_order` logic for `vpc` and `vpcendpoints`
- Prerequisites for CloudWatch Agent installation on ECS instances and bastion hosts
- Reduce nr of metrics in CloudWatch Agent config file
- New version of start/stop resources, will exist together with the old version (for now).
Enable versioning by default.

- Possibility to customize timeout and memory configuration
- Add service based lambda permissions by defining invoke permissions as shown below.

```yaml
lambda:
  - name: MyLambda
    invoke_permissions:
      - type: "service"
        principal: "apigateway.amazonaws.com"
        source_arn: "arn:aws:execute-api:eu-central-1:123456789012:dj48dhw934g/*/*/fanout-setup"
        name: "fanout_setup"
```
- Upgrade to latest AMZ2 image
- Fix typo in the Lambda function key
- Fix confusing lambda permission naming
- Use variable for `dm.basesize` instead of fixed 20G
Use `ecs.task_change_state_rule` to enable or disable ECS Service State Change alerts. Allowed values are `ENABLED` and `DISABLED` (default).

Use `applicationconfig[n].monitoring.alarm_actions_enabled` to control alarm action execution. Allowed values are `true` and `false` (default).

Create Route53 Record Sets for all the distribution's `cname`s if `route53.public_hosted_zoned` is defined and it contains an element where the public hosted zone name equals the name of the DNS domain of the distribution's `cname`.
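The matching rule above, together with the later note that no RecordSet is created when the domain equals the hosted zone name, as an added Python example (not aws-cfn-gen's own Route53 template): it takes a distribution's `cnames` and the list of public hosted zones and says for each cname whether a record set is created, skipped because it would be an APEX record, or skipped because no zone's name equals the cname's DNS domain. The hosted zone items are assumed to carry a `name` key; the sample zones and cnames are constructed.

```python
"""Decide which Route53 record sets to create for a CloudFront distribution's cnames.

Added example, not aws-cfn-gen code. It applies the two rules in these notes:
a record set is created only when a public hosted zone's name equals the cname's
DNS domain (the part after the first label), and never when the cname is the
hosted zone name itself (that would have to be an APEX record set).
"""


def normalise(name):
    """Case-insensitive comparison, trailing dot ignored (zone names often carry one)."""
    return name.strip().rstrip(".").lower()


def dns_domain(fqdn):
    """'dist.acme.com' -> 'acme.com'; a single label has no parent domain."""
    labels = normalise(fqdn).split(".")
    return ".".join(labels[1:])


def plan_recordsets(cnames, hosted_zones):
    """Return (cname, zone_name, action) triples; action is 'create' or a 'skip: ...' reason."""
    zones = {normalise(zone["name"]) for zone in hosted_zones}
    plan = []
    for cname in cnames:
        host = normalise(cname)
        if host in zones:
            plan.append((host, host, "skip: cname equals hosted zone name (APEX)"))
        elif dns_domain(host) in zones:
            plan.append((host, dns_domain(host), "create"))
        else:
            # Exact equality only: a.b.acme.com does not match the acme.com zone.
            plan.append((host, None, "skip: no hosted zone for this domain"))
    return plan


def recordsets_to_create(cnames, hosted_zones):
    """Just the (cname, zone) pairs that get a record set."""
    return [(host, zone) for host, zone, action in plan_recordsets(cnames, hosted_zones)
            if action == "create"]


# Constructed sample: one public hosted zone and a distribution with four cnames.
SAMPLE_ZONES = [{"name": "acme.com."}]
SAMPLE_CNAMES = ["dist.acme.com", "acme.com", "cdn.other.com", "a.b.acme.com"]

if __name__ == "__main__":
    for entry in plan_recordsets(SAMPLE_CNAMES, SAMPLE_ZONES):
        print(entry)
```

The last sample cname shows the edge of the rule as stated: a deeper name under the zone is not matched, because the zone name must equal the cname's immediate parent domain.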
An example:

```yaml
cw:
  scheduled_rules:
    - name: MyDaily6AMSchedule
      description: "Trigger daily at 6 AM"
      schedule_expression: "cron(0 6 * * ? *)"
      targets:
        - type: import
          value: MyCloudformationTemplate-MyLambdaFunction
```
The optional `cfn_name_suffix` in `applicationconfig[n].domains[n]` can be used if 2 service endpoints within the same parent domain should be directed to this service's target group. The value of the property will be appended to the CloudFormation resource name for the Route53 recordset. The property is optional to guarantee backward compatibility with existing environments. For example:

```yaml
application_config:
  - name: myapp
    ...
    domains:
      - name: acme.com
        cfn_name: AcmeCom
        cfn_name_suffix: ep1
        listener_rule_host_header: ep1.acme.com
        priority: 1
      - name: acme.com
        cfn_name: AcmeCom
        cfn_name_suffix: ep2
        listener_rule_host_header: ep2.acme.com
        priority: 2
```
Possibility to assign a fixed name to a Lambda function, if the property `lambda[n].function_name` is present. Changing this name will cause the resource to be re-created (and the old resource to be removed). This is at the user's own risk.

This new module creates roles, policies and Lambda functions in the CloudWatch biotope. This first version provides all elements to automatically onboard newly created CW log groups in the chosen log subscription setup, for example to integrate with a log forwarder (DataDogHQ, ...). Check out the README.md for more information.
Separate CW log group creation from CW log group subscription for loadbalancer access logs. Before this change, all configuration was done in `cw_logs_subscription_filter`; this has been changed to:

- `cw_logs` for the log group creation
- `cw_logs_subscription_filter` for the subscription related configuration

Set `stack_deletion_order` to `0` if `env == 'prd'`.
Do not create a RecordSet when the domain is the same as the Route53 hosted zone name. This would otherwise fail, because it should be an APEX RecordSet.

Add redirect rule as default action for HTTP listener for external loadbalancers.

- Add test on domain match when creating Route53 RecordSets in private hosted zones
- Introduce `skiproute53public` and `skiproute53private`

This functionality was moved from `aws-route53` to `aws-cfn-gen`. See the README file for more details.
When the property `ecsmgmt` is set, these resources will be created:

- an ECS FARGATE cluster. This cluster is not backed by EC2 instances and does not add to your AWS bill unless a FARGATE service is run
- an execution role
- a task role
- 2 task definitions:
  - `tryxcom/aws-delete-tagged-cfn-stacks:latest`
  - `tryxcom/aws-create-deleted-tagged-cfn-stacks:latest`

See these github repositories for more information on what these images do:

- https://github.com/rik2803/aws-create-deleted-tagged-cfn-stacks
- https://github.com/rik2803/aws-delete-tagged-cfn-stacks
When `access_logs` is defined and `state` is `enabled`, the following resources are created:

- An S3 bucket named `{{ application }}-{{ env }}-accesslogs-{{ lbname }}`
- A lifecycle rule that expires the access logs after `log_expiry_days` days
- A bucket policy that allows the AWS ALB account in the current region to write to that bucket
- An `s3.ObjectCreated` trigger to a lambda function if `accesslogs.s3_objectcreated_lambda_import` is defined. That Lambda function can, for example, be used to ship the S3 logs to CloudWatch.
This functionality was finally available in CloudFormation and now allows creating a redirection rule in the loadbalancer configuration.

```yaml
sns:
  - display_name: mytopic
    topic_name: mytopic
    subscriptions:
      - name: subscr01
        endpoint_export: mysubscriptionexport
        subscription_protocol: lambda
```

See the README file for more details.
```yaml
vpc:
  stackname: "MyVPCCFNStackName"
  name: "MyVPC"
  safe_ssh_01: "1.2.3.4/32"
  safe_ssh_02: "1.2.3.5/32"
  create_rds_subnets: true
  nfs_for_sg_app: true
  environment: "dev"
  cidr: 10.121
  nr_of_azs: 3
  application: "myapp"
```

See README.md for more details.
Enable (`Enabled`) or disable (`Suspended`) bucket versioning.

```yaml
s3:
  - name: mybucket
    ...
    versioning: Enabled
```
```yaml
cloudfront_distributions:
  - name: redirect-test
    cfn_name: RedirectTest
    cnames:
      - "redirect.acme.com"
    certificate_arn: "arn:aws:acm:us-east-1:{{ target_account.account_id }}:certificate/xxxxxxxx"
    origins_and_cachebehaviors:
      - origin_name: "redirect-test"
        forward_headers:
          - Origin
        priority: 100
        origin_bucket_redirects:
          - routing_rule_condition:
              type: http_error_code_returned_equals
              value: 404
            redirect_rule:
              hostname: www.acme.com
              http_redirect_code: 301
              protocol: https
              replace_key_with: "index.html"
```

Add the `origin_path` property to the origin configuration. This is the path that CloudFront uses to request content from an S3 bucket or custom origin. The combination of the DomainName and OriginPath properties must resolve to a valid path. The value must start with a slash mark (/) and cannot end with a slash mark. See here for more information.

Allow Lambda functions to be associated with a cloudfront distribution. This requires the Lambda functions to be deployed to `us-east-1`.
```yaml
dynamodb:
  - table_name: mytable
    backup: true
    ...
```

```yaml
dynamodb:
  - table_name: mytable
    ...
    billing_mode: PROVISIONED | PAY_PER_REQUEST
    provisioned_throughput:
      read_capacity_units: 5
      write_capacity_units: 5
```

```yaml
lambda_functions:
  - name: aws-lambda-s3-logs-to-cloudwatch
    vpc: true
```

The function will be in the (private) application subnets defined by `vpc_privatesubnet_az*` and the associated Security Group will be `vpc_sg_app`.
Sometimes, the same function needs to be used more than once, for example if there are different triggers or a different set of environment variables that influence the execution and the result of the function. To achieve this, create identical blocks (with different envvars or whatever changes), and the `name` should have a suffix that starts with an underscore. If the name contains an underscore, the part before the underscore is used to determine the function name, and the complete string is used, after some CFN related transformation, as the CloudFormation resource name.
Before `0.1.5`, managed policies for `iam_users` were interpreted as a policy name and extended to `arn:aws:iam::123456789012:policy/<name>`. From version `0.1.5`, the full `arn` can also be specified.

Use `role/ecsEventsRole` if `task_role_arn` is not specified for an `ecs_scheduled_task`.

Do not create a bucket policy if no policy document is defined in the project configuration.
Downtime Warning: Using this version for the first time will cause the ECS cluster (if any) to be rebuilt.

- Setting the property `ecs.cluster.dm_basesize` configures the Docker devicemapper storage to assign that amount of thin-provisioned storage to every container on the ECS instance. Specify the unit (i.e. `G`)
- Setting the property `ecs.cluster.ebs_size` changes the size of the volume attached to the ECS instance for the DeviceMapper LVOL. Use numbers only, the unit is `GB`.

Downtime Warning: Changing these settings will cause the launch configuration to change and will consequently spawn new ECS instances.

Downtime Warning: Using this version for the first time will cause the ECS cluster to be rebuilt.

Update the ECS AMI's to the latest version.

Downtime Warning: Using this version for the first time will cause the ECS cluster to be rebuilt because of the new AMI's.

Make the generated files directory configurable to enable retaining those files when using dockerwrapper (ixor/ansible-aws-cfn-gen docker image).

Because the template size limit was hit for some projects, the CloudFormation templates have to be installed from a location on S3. The bucket is created by the playbooks; a signed URL with limited validity in time is generated and used to access the template on S3. That way, the bucket can remain private.
Introduce lifecycle rules. Refer to the README.md for details on how to use lifecycle rules.

```yaml
s3:
  - name: mybucket
    cfn_name: MyBucket
    access_control: Private
    static_website_hosting: no
    lifecycle_configuration: |
      Rules:
        - ExpirationInDays: 14
```

Enable or disable ALB access logs by adding this to the ALB definition:

```yaml
loadbalancers:
  - name: ALBInt
    ...
    accesslogs:
      state: enabled
      log_expiry_days: 14
```

It creates:

- An S3 bucket named `{{ application }}-{{ env }}-accesslogs-{{ lbname }}`
- A lifecycle rule that expires the access logs after `log_expiry_days` days
- A bucket policy that allows the AWS ALB account in the current region to write to that bucket

Misc documentation updates
Before this enhancement, `ManagedPolicyArns` in a role could only be specified by the name of the policy, not by the full ARN. To be able to also attach AWS Managed policies to a role, the policy can now also be defined by its full ARN:

```yaml
awsroles:
  - name: MyAWSRole
    policy_arns:
      - MyCustomPolicy
      - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
    assumerole_policy_document:
      Version: '2012-10-17'
      Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: sts:AssumeRole
```
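How that name-or-ARN resolution behaves, as an added Python example (not aws-cfn-gen's own code): bare names become customer-managed policy ARNs in the target account, full ARNs are validated and passed through, and `broad_policies` lists the AWS-managed `*FullAccess` policies attached to a role so they can be reviewed against what the task actually needs. This also covers the earlier note on `iam_users` managed policies, which follow the same rule from 0.1.5 on. The ARN regex, the `account_id` parameter and the sample role are this example's assumptions.

```python
import re

# Customer-managed (12-digit account) and AWS-managed (`aws`) policy ARNs; path segments
# are allowed before the policy name. Assumed pattern for this example.
POLICY_ARN_RE = re.compile(r"^arn:aws:iam::(aws|\d{12}):policy/[\w+=,.@/-]+$")
POLICY_NAME_RE = re.compile(r"[\w+=,.@-]+")


def resolve_policy_arn(ref, account_id):
    """Turn a policy_arns entry into a full ARN.

    A bare name is a customer-managed policy in `account_id` (the pre-0.1.5 behaviour);
    anything starting with `arn:` is validated and passed through unchanged, which is
    what lets AWS-managed policies (`arn:aws:iam::aws:policy/...`) be attached.
    """
    if ref.startswith("arn:"):
        if not POLICY_ARN_RE.match(ref):
            raise ValueError(f"not an IAM policy ARN: {ref}")
        return ref
    if not POLICY_NAME_RE.fullmatch(ref):
        raise ValueError(f"not a valid IAM policy name: {ref}")
    return f"arn:aws:iam::{account_id}:policy/{ref}"


def role_policy_arns(role, account_id):
    """Resolve every entry of a role's policy_arns list."""
    return [resolve_policy_arn(ref, account_id) for ref in role.get("policy_arns", [])]


def broad_policies(arns):
    """AWS-managed *FullAccess policies grant far more than a task role usually needs; list them for review."""
    return [arn for arn in arns
            if arn.startswith("arn:aws:iam::aws:policy/") and arn.endswith("FullAccess")]


# Constructed sample, following the changelog's awsroles snippet.
SAMPLE_ROLE = {
    "name": "MyAWSRole",
    "policy_arns": [
        "MyCustomPolicy",
        "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
        "arn:aws:iam::aws:policy/AmazonSNSFullAccess",
    ],
}

if __name__ == "__main__":
    arns = role_policy_arns(SAMPLE_ROLE, "123456789012")
    print("\n".join(arns))
    print("review:", broad_policies(arns))
```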
Allow the creation of Lambda functions. `lambda_functions` is a list of functions to be created. The function code should be available from an S3 bucket that the CloudFormation template has access to.

```yaml
lambda_functions:
  - name: aws-lambda-datadog-logshipper
    handler: lambda_handler
    runtime: python2.7
    code:
      s3_bucket: "{{ lambda_function_bucket_name }}"
      s3_key: aws-lambda-datadog-logshipper-4c4579dfe5ab32ca8c5b9ecd8eb06b1281e5a5b7.zip
    environment:
      - name: APPLICATION
        value: MyAppName
      - name: ENVIRONMENT
        value: "{{ env }}"
      - name: DD_API_KEY
        value: 123456789123456789
    invoke_permissions:
      - type: predefined
        name: logs
```

The `invoke_permissions` only support `type: predefined`. Future requirements allow the mechanism to be extended.
Offers the possibility to create DynamoDB tables. Does not support Global Secondary Indexes yet. An example:

```yaml
dynamodb:
  - table_name: snapshots
    attributes:
      - attribute_name: par
        attribute_type: S
      - attribute_name: seq
        attribute_type: N
      - attribute_name: ts
        attribute_type: N
    key_schema:
      - attribute_name: par
        key_type: HASH
      - attribute_name: seq
        key_type: RANGE
    local_secondary_indexes:
      - index_name: ts-idx
        key_schema:
          - attribute_name: par
            key_type: HASH
          - attribute_name: ts
            key_type: RANGE
        projection:
          projection_type: ALL
    provisioned_throughput:
      read_capacity_units: 5
      write_capacity_units: 5
```
- By specifying `ecs.cluster.spot_price` in the configuration file, the ECS cluster will run on Spot Instances.
- The `extra_portmappings` in `applicationconfig.ecs` can be used to expose extra ports from the container, for example to allow debuggers to attach to the corresponding host port over a ssh tunnel. Only `container_port` is required. Default for `protocol` is `tcp` and default for `host_port` is for it to be dynamic.

```yaml
applicationconfig:
  - name: myapp
    ...
    ecs:
      ...
      extra_portmappings:
        - container_port: 8002
          protocol: tcp
      ...
    ...
```
Possibility to attach Subscription Filters to a CloudWatch Log Group. This requires a lambda function and a new attribute for the application configuration. See above on how to create a Lambda function.

And using that Lambda function as the log subscription filter:

```yaml
applicationconfig:
  - name: "myapp"
    cfn_name: MyApp
    target: "ecs"
    logs_subscription_filter:
      type: lambda
      ### lambda_cfn_export_name only has to contain the last part (after the dash) of the export.
      ### The first part is (cfn_project) prepended by the templates
      lambda_cfn_export_name: AwsLambdaDatadogLogshipperArn
      filter_pattern: "-DEBUG"
```
Set the property `forward_cookies` in the list of `origins_and_cachebehaviors` for a distribution to forward cookies to the origin. The `forward` property can have `all` or `whitelist` as the value. In case of `whitelist`, a list `whitelisted_names` is required.

```yaml
cloudfront_distributions:
  - name: my-cloudfront
    origins_and_cachebehaviors:
      - origin_name: "my-cloudfront"
        forward_cookies:
          forward: whitelist
          whitelisted_names:
            - cookie1
            - cookie2
```

An example:

```yaml
cloudfront_distributions:
  - name: my-cloudfront
    ...
    origins_and_cachebehaviors:
      - origin_name: "my-cloudfront"
        ...
        forward_cookies:
          forward: all
        ...
    ...
```
S3 bucket name was incorrectly referenced in the `AWS::CloudFront::Distribution` definition.
- Add warning about the valid characters in the name of an application
- Introduce `priority` in `cloudfront_distributions[*].origins_and_cachebehaviors[*]` to order the cache behaviours, lower number is higher priority. The behaviors are processed in order of creation, the list gets sorted on the `priority` attribute. Default value is `999`.
- The string `asterisk` in the `forward_headers` of `cloudfront_distributions[*].origins_and_cachebehaviors[*]` results in `['*']` and in all headers being forwarded to the Origin.
- Add `protocol_policy` to `cloudfront_distributions[*].origins_and_cachebehaviors[*]`. Default value is `http-only`. Possible values are: `http-only`, `match-viewer`, `https-only`
- Add `domain` property to `cloudfront_distributions[*].origins_and_cachebehaviors[*]` to determine the type of the origin. If missing, an S3 bucket is assumed and implicitly created. The `domain` is a dict with 2 keys: `type` and `name`. Type can be any of `s3` or `import`. `name` is the name of an existing S3 bucket (for type `s3`) or the name of a variable to import (the CloudFormation way).
- Add `custom_error_responses` to `cloudfront_distributions[*]`. This defines what to do in case a (any) origin returns a certain HTTP code

An example of the new functionalities:

```yaml
cloudfront_distributions:
  origins_and_cachebehaviors:
    - origin_name: "myOrigin"
      domain:
        type: import
        name: LarsTstLBALBExt-ALBExtDNS
      forward_headers:
        - 'asterisk'
      allowed_http_methods: options
      protocol_policy: "match-viewer"
      priority: 100
```
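The ordering and defaulting rules of this release as an added Python example (not aws-cfn-gen's own code): `ordered_behaviors` applies the default priority of 999 with a stable sort, expands `asterisk` to `*`, defaults `protocol_policy` to `http-only` and treats a missing `domain` as an implicitly created S3 bucket; `plaintext_origins` then lists imported origins (for example a load balancer) that would be reached over plain HTTP with that default, which is worth knowing before relying on it. The sample behaviors other than `myOrigin` are constructed, and the `None` bucket name for implicit origins is this example's convention.

```python
"""Normalise and order CloudFront origins_and_cachebehaviors entries.

Added example, not aws-cfn-gen code. It applies the rules stated in this release:
default priority 999 with a stable sort (lower number first), the 'asterisk'
placeholder in forward_headers becoming '*', protocol_policy defaulting to
http-only, and a missing `domain` meaning an implicitly created S3 bucket.
"""

DEFAULT_PRIORITY = 999
PROTOCOL_POLICIES = ("http-only", "match-viewer", "https-only")
DOMAIN_TYPES = ("s3", "import")


def normalise_behavior(behavior):
    """Return a copy with defaults filled in and values validated."""
    entry = dict(behavior)  # do not mutate the caller's config
    entry.setdefault("priority", DEFAULT_PRIORITY)
    entry.setdefault("protocol_policy", "http-only")
    if entry["protocol_policy"] not in PROTOCOL_POLICIES:
        raise ValueError(f"{entry.get('origin_name')}: bad protocol_policy {entry['protocol_policy']!r}")
    entry["forward_headers"] = ["*" if h == "asterisk" else h
                                for h in entry.get("forward_headers", [])]
    domain = entry.get("domain")
    if domain is None:
        entry["domain"] = {"type": "s3", "name": None}  # None: bucket is created implicitly
    elif domain.get("type") not in DOMAIN_TYPES or not domain.get("name"):
        raise ValueError(f"{entry.get('origin_name')}: domain needs type in {DOMAIN_TYPES} and a name")
    return entry


def ordered_behaviors(behaviors):
    """Sorted copy by priority; sorted() is stable, so equal priorities keep creation order."""
    return sorted((normalise_behavior(b) for b in behaviors), key=lambda e: e["priority"])


def plaintext_origins(behaviors):
    """Imported (non-S3) origins reached with http-only: CloudFront-to-origin traffic is unencrypted."""
    return [e["origin_name"] for e in ordered_behaviors(behaviors)
            if e["domain"]["type"] == "import" and e["protocol_policy"] == "http-only"]


# Constructed sample built from the changelog's example plus two more entries.
SAMPLE_BEHAVIORS = [
    {"origin_name": "default-bucket"},  # implicit S3 origin, default priority 999
    {"origin_name": "myOrigin", "domain": {"type": "import", "name": "LarsTstLBALBExt-ALBExtDNS"},
     "forward_headers": ["asterisk"], "allowed_http_methods": "options",
     "protocol_policy": "match-viewer", "priority": 100},
    {"origin_name": "legacyApi", "domain": {"type": "import", "name": "LegacyStack-ALBExtDNS"},
     "priority": 100},
]

if __name__ == "__main__":
    for entry in ordered_behaviors(SAMPLE_BEHAVIORS):
        print(entry["priority"], entry["origin_name"], entry["protocol_policy"], entry["forward_headers"])
    print("plaintext to origin:", plaintext_origins(SAMPLE_BEHAVIORS))
```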
- The CloudFront changes introduced a new dependency (possibility to define a LB as an origin). Therefore, LB's must be created before the CloudFront distributions.
- Update documentation