The latest articles on DEV Community by Jay Motka (@jaymotka). https://dev.to/jaymotka https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1138765%2F0c068e87-adb8-49b7-8942-c298f6ea50b7.jpeg https://dev.to/jaymotka en Jay Motka Thu, 31 Aug 2023 09:39:14 +0000 https://dev.to/distinction-dev/datadog-cloudformation-integration-using-serverless-framework-gk1 https://dev.to/distinction-dev/datadog-cloudformation-integration-using-serverless-framework-gk1 <h2> 🤓 Introduction </h2> <p><a href="https://www.datadoghq.com/">Datadog</a> is a cloud monitoring service provider which helps to track and analyse your cloud services from a health and operations perspective and providing support for debugging issues.</p> <p>Datadog provides different integrations with multiple cloud providers like AWS, GCP, and Azure. In this blog we will be seeing Datadog integration with AWS using one of the AWS <a href="https://docs.aws.amazon.com/cloudformation/index.html">Cloudformation service</a> with the help of Serverless framework.</p> <h1> 📄 Pre Requisites </h1> <p>You will need AWS and Datadog account and knowledge of AWS services like IAMRole, Cloudformation and Serverless framework.</p> <blockquote> <p>Note: <em>Here we are using Serverless framework with TypeScript and <a href="https://www.serverless.com/framework/docs/guides/compose"><code>Serverless Compose</code></a> to deploy multiple different stack.</em></p> </blockquote> <h1> 🛠 Datadog Cloudformation Setup </h1> <p>In order to create Datadog Resources using Cloudformation, Datadog needs Cloudformation Extension Plugins to be activated, so our first step is to start with adding an activation stack to our Serverless application. These extension plugins needs IAM roles to be attached in order to execute the Cloudformation events. You can find more details regarding this in <a href="https://docs.datadoghq.com/integrations/guide/amazon_cloudformation/">Datadog Amazon Cloudformation Documentation</a></p> <blockquote> <p>Note: <em>Here you can find a basic setup guide for Datadog-Cloudformation Integration</em></p> <p>We'll create two service stack in the Serverless application, one for the <code>Extensions Activation</code> which contains Cloudformation extension activation (as we'll only deploy it once because we can not deploy it multiple times to activate the same resources) and one for the <code>Infra Resources</code> (To create different Datadog monitors and dashboards).</p> </blockquote> <h1> 🧩 Setting Up the Extension Activation Stack </h1> <p>Let's create a IAM Role for the Role Delegation and Extensions Executions Role.</p> <h3> 🧮 Setting Up the IAM Role </h3> <p>We are providing access to Datadog AWS account (<code>464622532012</code>) using <a href="https://docs.datadoghq.com/integrations/guide/aws-manual-setup/?tab=roledelegation">Role Delegation</a> to our <strong>IAMRole</strong> with necessary permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">DatadogExecutionRole</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS::IAM::Role</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Properties</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Path</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="nx">RoleName</span><span class="p">:</span> <span class="s2">`DatadogAWSIntegrationRole`</span><span class="p">,</span> <span class="nx">Description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">IAM Role to integrate Datadog using Cloudformation</span><span class="dl">"</span><span class="p">,</span> <span class="nx">MaxSessionDuration</span><span class="p">:</span> <span class="mi">8400</span><span class="p">,</span> <span class="nx">AssumeRolePolicyDocument</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Statement</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Principal</span><span class="p">:</span> <span class="p">{</span> <span class="na">AWS</span><span class="p">:</span> <span class="dl">"</span><span class="s2">arn:aws:iam::464622532012:root</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sts:AssumeRole</span><span class="dl">"</span><span class="p">,</span> <span class="na">Condition</span><span class="p">:</span> <span class="p">{</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">sts:ExternalId</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">${ssm:/datadog/integration/externalId}</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Principal</span><span class="p">:</span> <span class="p">{</span> <span class="na">Service</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">hooks.cloudformation.amazonaws.com</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">resources.cloudformation.amazonaws.com</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="p">},</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sts:AssumeRole</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="nx">Policies</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">PolicyName</span><span class="p">:</span> <span class="s2">`DatadogIntegrationRolePolicy`</span><span class="p">,</span> <span class="na">PolicyDocument</span><span class="p">:</span> <span class="p">{</span> <span class="na">Version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="na">Statement</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Sid</span><span class="p">:</span> <span class="dl">"</span><span class="s2">VisualEditor0</span><span class="dl">"</span><span class="p">,</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Action</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">health:DescribeAffectedEntities</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">budgets:ViewBudget</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">logs:DeleteSubscriptionFilter</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">states:ListStateMachines</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">states:DescribeStateMachine</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">tag:GetTagValues</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">logs:DescribeSubscriptionFilters</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cloudtrail:GetTrailStatus</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">codedeploy:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">es:ListTags</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cloudwatch:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">elasticmapreduce:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">dynamodb:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">route53:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">elasticloadbalancing:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">logs:FilterLogEvents</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cloudfront:GetDistributionConfig</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">apigateway:GET</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ses:Get*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cloudtrail:LookupEvents</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">fsx:ListTagsForResource</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">support:DescribeTrustedAdvisor*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">events:CreateEventBus</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">lambda:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">dynamodb:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:GetBucketNotification</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cloudtrail:DescribeTrails</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:PutBucketNotification</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">organizations:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">organizations:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">logs:PutSubscriptionFilter</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">fsx:DescribeFileSystems</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">kinesis:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">codedeploy:BatchGet*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">autoscaling:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:GetBucketTagging</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">tag:GetResources</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">logs:DescribeLogStreams</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">rds:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:GetBucketLogging</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">tag:GetTagKeys</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">elasticmapreduce:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">backup:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">sns:Publish</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">elasticache:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">redshift:DescribeLoggingStatus</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cloudwatch:Get*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">support:RefreshTrustedAdvisorCheck</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">elasticfilesystem:DescribeFileSystems</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">es:DescribeElasticsearchDomains</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">xray:GetTraceSummaries</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ecs:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">health:DescribeEvents</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">sqs:ListQueues</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">logs:DescribeLogGroups</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">kinesis:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ecs:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">health:DescribeEventDetails</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cloudwatch:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">logs:TestMetricFilter</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">elasticfilesystem:DescribeAccessPoints</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">elasticache:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">sns:List*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">xray:BatchGetTraces</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ec2:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">directconnect:Describe*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">es:ListDomainNames</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">elasticfilesystem:DescribeTags</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:ListAllMyBuckets</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cloudfront:ListDistributions</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">redshift:DescribeClusters</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">s3:GetBucketLocation</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">lambda:GetPolicy</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">secretsmanager:CreateSecret</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">secretsmanager:DeleteSecret</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">secretsmanager:DescribeSecret</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="na">Resource</span><span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Note: <em>This role will work as extension execution role as well, if you need to have separate roles than you can create separate roles as well.</em></p> </blockquote> <p>Now we'll create four <strong>AWS::CloudFormation::TypeActivation</strong> resources to attach to Activation Stack which will include.</p> <ol> <li> <code>Datadog::Dashboards::Dashboard</code> - to create and manage Datadog Dashboards</li> <li> <code>Datadog::Monitors::Monitor</code> - to create and manage Datadog Monitors</li> <li> <code>Datadog::Monitors::Downtime</code> - to create and manage Monitors Downtime</li> <li> <code>Datadog::Integrations::AWS</code> - to create integration between AWS and Datadog</li> </ol> <blockquote> <p><em>Please refer to the <a href="https://dev.to/distinction-dev/cloudformation-extension-activation-guide-59gj">Cloudformation Extension - Activation Guide</a> on how to activate the Cloudformation extensions</em></p> </blockquote> <p>If we deploy this <code>Activation Stack</code> we will be able to create the IAMRole along with the Cloudformation Extension Activation. <em>(Note: We'll need to deploy this stack only once)</em></p> <blockquote> <p>To use the activated extensions, you will need to set the Type Configurations for each extensions plugins using below code block. Also helpful if you are creating different stages and account for deployment with same AWS account.</p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation set-type-configuration <span class="nt">--type-name</span> <span class="s2">"Datadog::Monitors::Monitor"</span> <span class="nt">--type</span> RESOURCE <span class="nt">--configuration-alias</span> ConfigurationName <span class="nt">--configuration</span> <span class="s1">'{"DatadogCredentials": {"ApiKey": "DATADOG_API_KEY_PROD", "ApplicationKey": "DATADOG_APPLICATION_KEY_PROD", "ApiURL": "https://api.datadoghq.eu" }}'</span> </code></pre> </div> <p>Now we move on to creating the Datadog Resources such as Integration, Monitors and Dashboards.</p> <h1> 🏗 Creating Infra Stack </h1> <p>We'll create a different Serverless service stack to deploy the datadog resources.</p> <h3> ⚙️ Datadog AWS Integration </h3> <p>Here you will need to provide your AWS Account ID so that Datadog account can do the integration between the two AWS accounts.</p> <p><code>RoleName</code> would be the same as we have created in the <code>Activation Stack</code> before.</p> <blockquote> <p>Note:- <em><code>ExternalIDSecretName</code> should be unique in your account Secret Manager and will be used to store the external ID by the extension.</em></p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">DatadogAWSIntegration</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Datadog::Integrations::AWS</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Properties</span><span class="p">:</span> <span class="p">{</span> <span class="nl">AccountID</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS_ACCOUNT_ID</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// your AWS account ID</span> <span class="nx">ExternalIDSecretName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DatadogIntegrationExternalID</span><span class="dl">"</span><span class="p">,</span> <span class="nx">RoleName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DatadogAWSIntegrationRole</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> </code></pre> </div> <h3> 📊 Datadog Dashboards </h3> <p>Dashboards are helpful to monitor the services and different widgets for any services. Find more about Dashboards in <a href="https://docs.datadoghq.com/dashboards/"><code>Datadog Dashboards Documentation</code></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">Dashboard</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Datadog::Dashboards::Dashboard</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Properties</span><span class="p">:</span> <span class="p">{</span> <span class="nl">DashboardDefinition</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span> <span class="c1">// stringified object with dashboard configurations and definitions.</span> <span class="p">},</span> <span class="p">},</span> </code></pre> </div> <h3> ⏱ Datadog Monitor </h3> <p>Monitors are to create and capture events for any particular services. You can find more about monitors in <a href="https://docs.datadoghq.com/monitors/"><code>Datadog Monitors Documentation</code></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">Monitor</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Datadog::Monitors::Monitor</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Properties</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">event-v2 alert</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// type of the monitor</span> <span class="nx">Query</span><span class="p">:</span> <span class="dl">"</span><span class="s2">defines the query of the monitor to capture specific triggered events</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">monitor-name</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">message body which will be sent to the communication channel</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Tags</span><span class="p">:</span> <span class="p">[],</span> <span class="c1">// array of tags assigned to the monitor</span> <span class="nx">Options</span><span class="p">:</span> <span class="p">{</span> <span class="nl">NotifyAudit</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="nx">Locked</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="nx">EnableLogsSample</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="nx">Thresholds</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Critical</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="nx">CriticalRecovery</span><span class="p">:</span> <span class="mf">0.5</span><span class="p">,</span> <span class="nx">Warning</span><span class="p">:</span> <span class="mf">0.75</span><span class="p">,</span> <span class="p">},</span> <span class="nx">NewHostDelay</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="nx">NotifyNoData</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="nx">IncludeTags</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">EscalationMessage</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span> <span class="p">},</span> <span class="nx">Priority</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// priority level - critical</span> <span class="p">}</span> </code></pre> </div> <p>Hope this has been a worthwhile reading! ✨</p> <p>Furthermore you can explore many more solutions and services that Datadog provides like <a href="https://docs.datadoghq.com/logs/guide/forwarder/?tab=cloudformation">Logs Forwarding</a>, Cloud Security, Tracing, etc.</p> datadog aws serverless Jay Motka Tue, 22 Aug 2023 11:28:11 +0000 https://dev.to/distinction-dev/cloudformation-extension-activation-guide-59gj https://dev.to/distinction-dev/cloudformation-extension-activation-guide-59gj <h1> <strong>📖</strong> Cloudformation Registry </h1> <p>Cloudformation Provides registry extensions to use in the Cloudformation template through which we can create custom resources, manage or view resource configuraitons at the build time of the Cloudformation stack. More on the <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html">AWS Cloudformation Docs</a></p> <p>The CloudFormation registry lets you manage extensions, both public and private, such as resources, modules, and hooks that are available for use in your AWS account. Currently, you can use the following extension types in the AWS registry: <a href="https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-types.html"><code>resources types</code></a>, <a href="https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/modules.html"><code>modules</code></a>, and <a href="https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/hooks.html"><code>hooks</code></a>. The registry makes it easier to discover and provision extensions in your AWS CloudFormation templates in the same manner you use AWS-provided resources.</p> <p>In this guide, we will be using Serverless framework to write the CF template.</p> <blockquote> <p><em>Note: We can only deploy the activation resources once as we can only Activate the extension one time in a single AWS Account. Deploying same after the extension is activated might throw error in the Cloudformation.</em></p> </blockquote> <h1> <strong>🛠</strong> Extension Setup &amp; Configurations </h1> <p>Cloudformation Extensions require <code>Execution Role</code> which can help extension perform certain actions for the resource we want to create or manage.</p> <p>Additionally we can provide the <code>Logging Config</code> which can help log the events from the extensions. We can also pass <code>Extention Configurations</code> to have any additional configurations added to the extension at run time.</p> <h1> <strong>💡</strong>Extension Activation </h1> <p>In this article we will try to activate public third party extensions of different types. </p> <p>First we will create execution role which can be used by the Extensions to perform actions on Cloudformation Resources.</p> <h3> <strong>🔐</strong> Execution Role </h3> <p>You can define more permissions in the role policy if you need to attach other service policies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">ExecutionRole</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS::IAM::Role</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Properties</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Path</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="nx">RoleName</span><span class="p">:</span> <span class="s2">`ExtensionExecutionRule`</span><span class="p">,</span> <span class="nx">Description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">IAM Role Execution role for Cloudformation Extension</span><span class="dl">"</span><span class="p">,</span> <span class="nx">MaxSessionDuration</span><span class="p">:</span> <span class="mi">8400</span><span class="p">,</span> <span class="nx">AssumeRolePolicyDocument</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Statement</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Principal</span><span class="p">:</span> <span class="p">{</span> <span class="na">Service</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">hooks.cloudformation.amazonaws.com</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">resources.cloudformation.amazonaws.com</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="p">},</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sts:AssumeRole</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <h3> Resource Type </h3> <p><a href="https://eu-west-1.console.aws.amazon.com/cloudformation/home?region=eu-west-1#/registry/public-extensions/details/configuration?arn=arn%3Aaws%3Acloudformation%3Aeu-west-1%3A%3Atype%2Fhook%2Fe1238fdd31aee1839e14fb3fb2dac9db154dae29%2FGeneric-SecretsProtection-Hook"><code>Github::Repository::Secret</code></a> is a public third party RESOURCE type extension.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">GithubRepoSecretExtensionActivation</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS::CloudFormation::TypeActivation</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Properties</span><span class="p">:</span> <span class="p">{</span> <span class="nl">AutoUpdate</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">ExecutionRoleArn</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Fn::GetAtt</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">ExecutionRole</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Arn</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="nx">LoggingConfig</span><span class="p">:</span> <span class="p">{</span> <span class="nl">LogGroupName</span> <span class="p">:</span> <span class="p">{</span> <span class="na">Ref</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GithubRepoSecretExtensionLogGroup</span><span class="dl">"</span> <span class="p">},</span> <span class="nx">LogRoleArn</span> <span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">ExtensionLogRole</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Arn</span><span class="dl">"</span><span class="p">]</span> <span class="p">}</span> <span class="nl">PublicTypeArn</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Fn::Join</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="dl">""</span><span class="p">,</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">arn:aws:cloudformation:</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">Ref</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS::Region</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">::type/resource/c830e97710da0c9954d80ba8df021e5439e7134b/GitHub-Repositories-Secret</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="p">},</span> <span class="nx">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">RESOURCE</span><span class="dl">"</span><span class="p">,</span> <span class="nx">TypeName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GitHub::Repositories::Secret</span><span class="dl">"</span><span class="p">,</span> <span class="nx">VersionBump</span><span class="p">:</span> <span class="dl">"</span><span class="s2">MAJOR</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <h3> Module Type </h3> <p><a href="https://eu-west-1.console.aws.amazon.com/cloudformation/home?region=eu-west-1#/registry/public-extensions/details/schema?arn=arn%3Aaws%3Acloudformation%3Aeu-west-1%3A%3Atype%2Fmodule%2F06ff50c2e47f57b381f874871d9fac41796c9522%2FJFrog-Vpc-MultiAz-MODULE"><code>JFrog::Vpc::MultiAz::MODULE</code></a> is a public third party MODULE resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">JFrogModuleExtensionActivation</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS::CloudFormation::TypeActivation</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Properties</span><span class="p">:</span> <span class="p">{</span> <span class="nl">AutoUpdate</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">ExecutionRoleArn</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Fn::GetAtt</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">ExecutionRole</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Arn</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="nx">LoggingConfig</span><span class="p">:</span> <span class="p">{</span> <span class="nl">LogGroupName</span> <span class="p">:</span> <span class="p">{</span> <span class="na">Ref</span><span class="p">:</span> <span class="dl">"</span><span class="s2">JFrogModuleExtensionLogGroup</span><span class="dl">"</span> <span class="p">},</span> <span class="nx">LogRoleArn</span> <span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">ExtensionLogRole</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Arn</span><span class="dl">"</span><span class="p">]</span> <span class="p">}</span> <span class="nl">PublicTypeArn</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Fn::Join</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="dl">""</span><span class="p">,</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">arn:aws:cloudformation:</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">Ref</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS::Region</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">::type/module/06ff50c2e47f57b381f874871d9fac41796c9522/JFrog-Vpc-MultiAz-MODULE</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="p">},</span> <span class="nx">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">MODULE</span><span class="dl">"</span><span class="p">,</span> <span class="nx">TypeName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">JFrog::Vpc::MultiAz::MODULE</span><span class="dl">"</span><span class="p">,</span> <span class="nx">VersionBump</span><span class="p">:</span> <span class="dl">"</span><span class="s2">MAJOR</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <h3> Hooks Type </h3> <p><a href="https://eu-west-1.console.aws.amazon.com/cloudformation/home?region=eu-west-1#/registry/public-extensions/details/configuration?arn=arn%3Aaws%3Acloudformation%3Aeu-west-1%3A%3Atype%2Fhook%2Fe1238fdd31aee1839e14fb3fb2dac9db154dae29%2FGeneric-SecretsProtection-Hook"><code>Generic::SecretsProtection::Hook</code></a> is a third party HOOK resource type.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">GenericSecretsProtectionHookExtensionActivation</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS::CloudFormation::TypeActivation</span><span class="dl">"</span><span class="p">,</span> <span class="nx">Properties</span><span class="p">:</span> <span class="p">{</span> <span class="nl">AutoUpdate</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">ExecutionRoleArn</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Fn::GetAtt</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">ExecutionRole</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Arn</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="nx">LoggingConfig</span><span class="p">:</span> <span class="p">{</span> <span class="nl">LogGroupName</span> <span class="p">:</span> <span class="p">{</span> <span class="na">Ref</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GenericSecretsProtectionHookExtensionLogGroup</span><span class="dl">"</span> <span class="p">},</span> <span class="nx">LogRoleArn</span> <span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">ExtensionLogRole</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Arn</span><span class="dl">"</span><span class="p">]</span> <span class="p">}</span> <span class="nl">PublicTypeArn</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Fn::Join</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="dl">""</span><span class="p">,</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">arn:aws:cloudformation:</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">Ref</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AWS::Region</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">::type/hook/e1238fdd31aee1839e14fb3fb2dac9db154dae29/Generic-SecretsProtection-Hook</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> <span class="p">},</span> <span class="nx">Type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">HOOK</span><span class="dl">"</span><span class="p">,</span> <span class="nx">TypeName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Generic::SecretsProtection::Hook</span><span class="dl">"</span><span class="p">,</span> <span class="nx">VersionBump</span><span class="p">:</span> <span class="dl">"</span><span class="s2">MAJOR</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p>In addition to these fields you can pass <code>TypeNameAlias</code> properties which can be set to any custom values developer wants. And can be used in Cloudformation using that Alias Name. You can find all the properties for <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-typeactivation.html"><code>Cloudformation TypeActivation</code></a> in AWS Docs.</p> <h1> <strong>⚙️</strong> Setting up Extension Configurations </h1> <p>If the extension needs any additional configurations needed then we can set them using an AWS CLI command<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation set-type-configuration <span class="nt">--type-name</span> <span class="s2">"GitHub::Repositories::Secret"</span> <span class="nt">--type</span> RESOURCE <span class="nt">--configuration-alias</span> ConfigurationName <span class="nt">--configuration</span> <span class="s1">'{"Credentials": {"ApiKey": "abc", "ApplicationKey": "abc"}}'</span> </code></pre> </div> <blockquote> <p>Note: <em>If you specify TypeNameAlias field when extension activation, you’ll need to enter that Alias as <code>--type-name</code> while executing above command to set type configurations.</em></p> </blockquote> <p>Hope this help a developer in need! 🎁</p> aws serverless