With AWS CloudFormation, you can model your entire infrastructure with text files. In this way, you can treat your infrastructure as code and apply software development best practices, such as putting it under version control, or reviewing architectural changes with your team before deployment.
Sometimes AWS resources initially created using the console or the AWS Command Line Interface (CLI) need to be managed using CloudFormation. For example, you (or a different team) may create an IAM role, a Virtual Private Cloud, or an RDS database in the early stages of a migration, and then have to spend time including them in the same stack as the final application. In such cases, you often end up recreating the resources from scratch using CloudFormation, and then migrating configuration and data from the original resource.
To make these steps easier for our customers, you can now import existing resources into a CloudFormation stack!
It was already possible to remove resources from a stack without deleting them by setting the DeletionPolicy to Retain. This, together with the new import operation, enables a new range of possibilities. For example, you are now able to:
To import existing resources into a CloudFormation stack, you need to provide:
DeletionPolicy attribute in the template. This enables easy reverting of the operation in a completely safe manner. During the resource import operation, CloudFormation checks that:
The resource import operation does not check that the template configuration and the actual configuration are the same. Since the import operation supports the same resource types as drift detection, I recommend running drift detection after importing resources in a stack.
Importing Existing Resources into a New Stack
In my AWS account, I have an S3 bucket and a DynamoDB table, both with some data inside, and I’d like to manage them using CloudFormation. In the CloudFormation console, I have two new options:
In this case, I want to start from scratch, so I create a new stack. The next step is to provide a template with the resources to import.
I upload the following template with two resources to import: a DynamoDB table and an S3 bucket.
AWSTemplateFormatVersion: "2010-09-09"
Description: Import test
Resources:
  ImportedTable:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Retain
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
  ImportedBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
In this template I am setting DeletionPolicy to Retain for both resources. In this way, if I remove them from the stack, they will not be deleted. This is a good option for resources which contain data you don’t want to delete by mistake, or that you may want to move to a different stack in the future. It is mandatory for imported resources to have a deletion policy set, so you can safely and easily revert the operation, and be protected from mistakenly deleting resources that were imported by someone else.
I now have to provide an identifier to map the logical IDs in the template with the existing resources. In this case, I use the DynamoDB table name and the S3 bucket name. For other resource types, there may be multiple ways to identify them and you can select which property to use in the drop-down menus.
In the final recap, I review changes before applying them. Here I check that I’m targeting the right resources to import with the right identifiers. This is actually a CloudFormation Change Set that will be executed when I import the resources.
When importing resources into an existing stack, no changes are allowed to the existing resources of the stack. The import operation will only allow the Change Set action of Import. Changes to parameters are allowed as long as they don’t cause changes to resolved values of properties in existing resources. You can change the template for existing resources to replace hard coded values with a Ref to a resource being imported. For example, you may have a stack with an EC2 instance using an existing IAM role that was created using the console. You can now import the IAM role into the stack and replace in the template the hard coded value used by the EC2 instance with a Ref to the role.
Moving on, each resource has its corresponding import events in the CloudFormation console.
When the import is complete, in the Resources tab, I see that the S3 bucket and the DynamoDB table are now part of the stack.
To be sure the imported resources are in sync with the stack template, I use drift detection.
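As an added example, not code from the original post or from AWS, the following script drives the same import from the AWS CLI instead of the console. It first checks that each resource to import carries a DeletionPolicy attribute (CloudFormation rejects the import otherwise, so failing early gives a clearer message), builds the --resources-to-import mapping from the template's logical IDs to the table and bucket names, creates and executes a change set of type IMPORT, and finishes with drift detection, because the import itself does not verify that the template and the live configuration match. The stack name, change-set name, table and bucket names, and the third resource in the template (deliberately missing a DeletionPolicy) are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from AWS: the console import
# flow described above, driven from the AWS CLI. Assumed (hypothetical) names:
# stack "imported-stack", table "my-table", bucket "my-bucket".
set -eu

STACK=imported-stack
CHANGE_SET=import-resources
TEMPLATE=$(mktemp)
trap 'rm -f "$TEMPLATE"' EXIT

# Constructed template: the two resources from the post plus a third one that
# lacks DeletionPolicy, so the pre-flight check below has something to reject.
cat > "$TEMPLATE" <<'EOF'
AWSTemplateFormatVersion: "2010-09-09"
Description: Import test
Resources:
  ImportedTable:
    Type: AWS::DynamoDB::Table
    DeletionPolicy: Retain
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
  ImportedBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
  UnprotectedQueue:
    Type: AWS::SQS::Queue
EOF

# has_deletion_policy TEMPLATE LOGICAL_ID
# Succeeds only if the resource block for LOGICAL_ID (2-space indent under
# Resources:) carries a DeletionPolicy attribute. Every imported resource
# must have one; checking first avoids a failed change set later.
has_deletion_policy() {
  awk -v id="$2" '
    $0 ~ ("^  " id ":")             { inres = 1; next }
    inres && /^  [^ ]/              { exit }            # next resource block
    inres && /^    DeletionPolicy:/ { found = 1; exit }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# import_entry LOGICAL_ID RESOURCE_TYPE IDENTIFIER_KEY IDENTIFIER_VALUE
# One element of the --resources-to-import list: maps a logical ID in the
# template to the physical resource through its identifying property.
import_entry() {
  printf '{"ResourceType":"%s","LogicalResourceId":"%s","ResourceIdentifier":{"%s":"%s"}}' \
    "$2" "$1" "$3" "$4"
}

# import_list ENTRY... -> JSON array of the given entries
import_list() {
  list=""
  for entry in "$@"; do
    list="${list:+$list,}$entry"
  done
  printf '[%s]' "$list"
}

RESOURCES=$(import_list \
  "$(import_entry ImportedTable  AWS::DynamoDB::Table TableName  my-table)" \
  "$(import_entry ImportedBucket AWS::S3::Bucket      BucketName my-bucket)")

# run_import: pre-flight check, IMPORT change set, review, execute, then drift
# detection, since import does not compare template and live configuration.
run_import() {
  for id in ImportedTable ImportedBucket; do
    has_deletion_policy "$TEMPLATE" "$id" || { echo "$id has no DeletionPolicy" >&2; return 1; }
  done
  aws cloudformation create-change-set --stack-name "$STACK" \
    --change-set-name "$CHANGE_SET" --change-set-type IMPORT \
    --template-body "file://$TEMPLATE" --resources-to-import "$RESOURCES"
  aws cloudformation wait change-set-create-complete \
    --stack-name "$STACK" --change-set-name "$CHANGE_SET"
  # Review step: every change should have Action "Import" with the expected identifiers.
  aws cloudformation describe-change-set --stack-name "$STACK" \
    --change-set-name "$CHANGE_SET" --query 'Changes[].ResourceChange'
  aws cloudformation execute-change-set --stack-name "$STACK" --change-set-name "$CHANGE_SET"
  aws cloudformation wait stack-import-complete --stack-name "$STACK"
  detection=$(aws cloudformation detect-stack-drift --stack-name "$STACK" \
    --query StackDriftDetectionId --output text)
  while [ "$(aws cloudformation describe-stack-drift-detection-status \
      --stack-drift-detection-id "$detection" --query DetectionStatus --output text)" = DETECTION_IN_PROGRESS ]; do
    sleep 5
  done
  aws cloudformation describe-stack-resource-drifts --stack-name "$STACK" \
    --query 'StackResourceDrifts[].[LogicalResourceId,StackResourceDriftStatus]' --output table
}

# Only talk to AWS when explicitly asked (./import.sh --run); the helpers run offline.
if [ "${1:-}" = --run ]; then
  run_import
fi
```

Run with --run in an account where the table and bucket already exist; a resource reported as MODIFIED by the final drift listing means the template does not describe the live resource and should be corrected before the next stack update.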
All stack-level tags, including automatically created tags, are propagated to resources that CloudFormation supports. For example, I can use the AWS CLI to get the tag set associated with the S3 bucket I just imported into my stack. Those tags give me the CloudFormation stack name and ID, and the logical ID of the resource in the stack template:
$ aws s3api get-bucket-tagging --bucket danilop-toimport
{
    "TagSet": [
        {
            "Key": "aws:cloudformation:stack-name",
            "Value": "imported-stack"
        },
        {
            "Key": "aws:cloudformation:stack-id",
            "Value": "arn:aws:cloudformation:eu-west-1:123412341234:stack/imported-stack/..."
        },
        {
            "Key": "aws:cloudformation:logical-id",
            "Value": "ImportedBucket"
        }
    ]
}
Available Now
You can use the new CloudFormation import operation via the console, AWS Command Line Interface (CLI), or AWS SDKs, in the following regions: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Canada (Central), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland), EU (London), EU (Paris), and South America (São Paulo).
It is now simpler to manage your infrastructure as code. You can learn more about bringing existing resources into CloudFormation management in the documentation.
— Danilo
Source: AWS News