aws-cloudformation-samples

Source URL appears to be broken

Open jkruse14 opened this issue 3 months ago • 1 comments

This hook started failing recently for us, but I'm not sure what is to blame. The source URL in the CloudFormation console does not match this repository: [image]

It links to a non-existent repo here

However, the code links properly: [image]

Also, this hook was failing on the update of AWS::RDS::DBCluster. The KmsKeyId configuration is set so encryption can be provided to instances in the cluster. I assume this resource is creating underlying instances on which this hook is run - is that correct?

jkruse14, Apr 21 '24 12:04

Hi @jkruse14!

Thank you for evaluating this sample hook. The values for URL-related properties, that today are not matching the updated values in the relevant file in this repository, are not impacting the ability for the hook to evaluate its described target AWS::RDS::DBInstance resource type on preCreate and preUpdate invocation points.

I've tested the AWSSamples::RdsEncrypt::Hook sample hook as follows: first, I've chosen to activate it in my AWS account for the us-east-1 region, I've configured the sample hook with a failure mode of FAIL, and tested as follows:

  • I've created a test AWS::RDS::DBInstance resource with StorageEncrypted: true set in the template; the hook succeeded with message: Successfully invoked HookHandler for target AWS::RDS::DBInstance. Resource encrypted as expected;

  • I've tested without StorageEncrypted: true, and the hook failed as expected, with message: Failed Hook due to missing or non-encrypted AWS::RDS::DBInstance resource.;

  • I've created a test AWS::RDS::DBCluster resource with StorageEncrypted: true set in the template: in this case, the sample AWSSamples::RdsEncrypt::Hook was not being invoked, as this sample hook targets only AWS::RDS::DBInstance resources. For this test, I've chosen to use aurora-mysql as a value for the Engine property of the cluster I described in my template.

  • I've created another test AWS::RDS::DBCluster resource with StorageEncrypted: true set in the template - this time I changed the engine to use mysql, and added additional required properties - and also in this case, the sample AWSSamples::RdsEncrypt::Hook was not being invoked. The resulting stack created by me via CloudFormation only had the RDS DBCluster: when I then visited the RDS console, I saw the cluster and 3 DB instances for it (in my case, I had one writer instance and two reader instances): these instances were not mapped to the CloudFormation stack (that is, not showing as stack resources); thus, the hook was not triggered for those either, as they are handled by the cluster I described in my template.

The example logic for the sample AWSSamples::RdsEncrypt::Hook hook is the same for preCreate and preUpdate invocation points: the example hook checks if the RDS instance class (the value you specify in your template for DBInstanceClass) is part of an exclusion list (in this case, the hook succeeds), or if the StorageEncrypted property you specify in the template is not set to 'true' or is missing (in these cases, the hook fails; or succeeds otherwise).

Hope the above helps with the ongoing troubleshooting on your side; as per the URL mismatch, I'll relay the feedback to the team.

Let us know if you have any questions!

mrinaudo-aws, Apr 22 '24 15:04
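
The decision logic described in the reply above, as an added example that is not part of the original thread and is not the AWSSamples::RdsEncrypt::Hook source. It runs over a constructed template to show which resources the hook would evaluate and which AWS::RDS::DBCluster resources fall outside its target; the exclusion-list entry, the sample template, and the acceptance of both boolean true and the string 'true' are assumptions.

```python
# Added illustration of the described hook logic; not the sample hook's own code.
TARGET_TYPE = "AWS::RDS::DBInstance"          # the only type the hook targets
EXCLUDED_CLASSES = {"db.example.excluded"}    # hypothetical exclusion list

def is_true(value):
    """Assumed normalization: accept boolean true or the string 'true'."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def evaluate_resource(resource):
    """Return NOT_INVOKED, SUCCESS or FAILED for one template resource."""
    if resource.get("Type") != TARGET_TYPE:
        return "NOT_INVOKED"                  # e.g. AWS::RDS::DBCluster
    props = resource.get("Properties") or {}
    if props.get("DBInstanceClass") in EXCLUDED_CLASSES:
        return "SUCCESS"                      # excluded instance class passes
    # Missing or non-'true' StorageEncrypted fails; otherwise the hook succeeds.
    return "SUCCESS" if is_true(props.get("StorageEncrypted")) else "FAILED"

def evaluate_template(template):
    """Map each logical ID to the outcome the described logic would produce."""
    resources = template.get("Resources") or {}
    return {lid: evaluate_resource(res) for lid, res in resources.items()}

def uncovered_clusters(template):
    """Clusters the hook never sees; their encryption needs a separate control."""
    resources = template.get("Resources") or {}
    return sorted(lid for lid, res in resources.items()
                  if res.get("Type") == "AWS::RDS::DBCluster")

# Constructed sample template (parsed form), for illustration only.
SAMPLE_TEMPLATE = {"Resources": {
    "EncryptedDb": {"Type": "AWS::RDS::DBInstance",
                    "Properties": {"DBInstanceClass": "db.t3.micro",
                                   "StorageEncrypted": True}},
    "StringDb": {"Type": "AWS::RDS::DBInstance",
                 "Properties": {"DBInstanceClass": "db.t3.micro",
                                "StorageEncrypted": "true"}},
    "PlainDb": {"Type": "AWS::RDS::DBInstance",
                "Properties": {"DBInstanceClass": "db.t3.micro"}},
    "ExcludedDb": {"Type": "AWS::RDS::DBInstance",
                   "Properties": {"DBInstanceClass": "db.example.excluded"}},
    "Cluster": {"Type": "AWS::RDS::DBCluster",
                "Properties": {"Engine": "aurora-mysql", "StorageEncrypted": True}},
}}

if __name__ == "__main__":
    for logical_id, outcome in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {outcome}")
    print("Clusters outside hook coverage:", uncovered_clusters(SAMPLE_TEMPLATE))
```
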