How to add ALB Rule to existing Serverless template

amazon-cloudformation

So I am trying to add a rule for /synchrony/* which would point to the 'synchrony' target group.

Here is my existing template.

ConfluenceALB:
  Properties:
    Scheme: internal
    SecurityGroups:
    - Ref: ConfluenceAlbSg
    - Ref: ConfluenceAsgSg
    Subnets:
      - Fn::ImportValue: ${self:custom.${opt:stage}-VpcName, self:custom.${self:provider.stage}-VpcName}-PrivateSubnet1Id
      - Fn::ImportValue: ${self:custom.${opt:stage}-VpcName, self:custom.${self:provider.stage}-VpcName}-PrivateSubnet2Id
      - Fn::ImportValue: ${self:custom.${opt:stage}-VpcName, self:custom.${self:provider.stage}-VpcName}-PrivateSubnet3Id
    Tags:
    - Key: Name
      Value:
          Fn::Join: [ "-", [ Ref: "AWS::StackName", "confluencealb" ] ]
  Type: "AWS::ElasticLoadBalancingV2::LoadBalancer"

ConfluenceAlbListener:
  Properties:
    Certificates:
      - CertificateArn: ${self:custom.${opt:stage}-SSLCertId, self:custom.${self:provider.stage}-SSLCertId}
    DefaultActions:
    - Type: forward
      TargetGroupArn:
        Ref: ConfluenceTargetGroup
    LoadBalancerArn:
      Ref: ConfluenceALB
    Port: 443
    Protocol: HTTPS
  Type: AWS::ElasticLoadBalancingV2::Listener

ConfluenceTargetGroup:
  Properties:
    HealthCheckIntervalSeconds: 60
    UnhealthyThresholdCount: 10
    HealthCheckPath: /
    Name: "confluence" 
    Port: 8080
    Protocol: HTTP
    VpcId:
      Fn::ImportValue: ${self:custom.${opt:stage}-VpcName, self:custom.${self:provider.stage}-VpcName}-VpcId
  Type: AWS::ElasticLoadBalancingV2::TargetGroup

SynchronyTargetGroup:
  Properties:
    Name: "synchrony" 
    Port: 8091
    Protocol: HTTP
    VpcId:
      Fn::ImportValue: ${self:custom.${opt:stage}-VpcName, self:custom.${self:provider.stage}-VpcName}-VpcId
  Type: AWS::ElasticLoadBalancingV2::TargetGroup

I'm not sure how to add this and AWS documentation (cloudformation) appears to be sparse. Do I add this under the listener block?

Best Answer

Have been investigating how this is done for a new project and came across this example: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-ecs.html (as great as the AWS docs are, sometimes they're almost obfuscated!)

This the relevant section for you I think:

ECSALBListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
DependsOn: ALBListener
Properties:
  Actions:
  - Type: forward
    TargetGroupArn: !Ref 'ECSTG'
  Conditions:
  - Field: path-pattern
    Values: [/]
  ListenerArn: !Ref 'ALBListener'
  Priority: 1

Whereby it refers to both the Listener resource 'ALBListener' and the Security Group 'ECSTG'. The example is about ECS but don't think it really matters for the answer you were after.

Related Solutions

Cloud Formation template add ingress rule to existing security group

Yes, it can be done.

You need to pass the security group identifier (for Security Group A) into the template for Template B as a parameter. From there, you can reference Security Group A in a AWS::EC2::SecurityGroupIngress resource.

{
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Parameters" : {
        "SecurityGroupA" : {
            "Description" : "Security group to add Ingress rule to",
            "Type"        : "AWS::EC2::SecurityGroup::Id"
        }
    },
    "Resources" : {
        "LocalSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup"
        },
        "InboundRule": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties":{
                "IpProtocol": "tcp",
                "FromPort": "80",
                "ToPort": "80",
                "SourceSecurityGroupId": {
                    "Fn::GetAtt": [ "LocalSecurityGroup", "GroupId" ]
                },
                "GroupId": {
                    "Fn::GetAtt": [ "SecurityGroupA", "GroupId" ]
                }
            }
        }
    }
}

Note that this example uses the security group ID, which is the case when your security groups are in a VPC. If they are in EC2-Classic, then you would use the GroupName instead.

Referring to an existing resource in CF Template

I recently had to do this for some layered deployments which referenced shared services. In addition to parameters, here are some other options:

Named exports: this is a good option if you have some resources which were created by a separate CloudFormation stack and you just want to reference them (e.g. an infrastructure admin sets up the lower-level portion for the application team to deploy on top of).
Substitution: in many cases you might simply need to reference a well-known name which is constant but the ARN varies depending on the AWS account ID. You can use Fn::Sub to expand a few “pseudo-parameters” such as the account ID or region:

"TaskRoleArn": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/YourSharedServiceTaskRole" }
SSM parameters: you can have a dynamic reference which retrieves an SSM property. This is handy for being completely abstracted from the source of that value – it could be created by CloudFormation but could literally also be someone running a one-off command line script and it supports secure storage of passwords and other secrets which can be configured to prevent retrieval by anyone other than the target service (e.g. an EC2 / ECS IAM instance role) — for example, I used this to store SES credentials:

aws ssm put-parameter --type String --name "/project/mail/EmailHost" --value email-smtp.us-east-1.amazonaws.com aws ssm put-parameter --type String --name "/project/mail/EmailUser" --value <SES_ACCESS_KEY> aws ssm put-parameter --type SecureString --key-id alias/your-well-known-iam-kms-alias --name "/project/mail/EmailPassword" --value <SES PASSWORD>`
Macros: this was recently announced and is a very powerful mechanism where you can have a Lambda function which returns arbitrary JSON for inclusion in the template. That could do almost anything from provisioning extra resources which the CloudFormation stack creator doesn't have direct permission to create to looking up values in a database and returning a template configured with, for example, VPC CIDR allocations out of a larger reservation pool which is managed by the parent organization.

Best Answer

Related Solutions

Cloud Formation template add ingress rule to existing security group

Referring to an existing resource in CF Template

Related Topic