CloudFormation Annoyances (and workarounds)

Thu, Feb 23, 2017

AWS::CloudFront::Distribution has only one property, DistributionConfig, which is a huge object of sub-properties. Why not put these at the root level of the resource?

CloudFront requires an ACM certificate in us-east-1, but my stack is in ap-southeast-2

  • Workaround: Create a Lambda custom resource that requests the certificate in us-east-1 and returns its ARN. Requesting is not issuing: the certificate must still be validated (DNS or email), and CloudFront rejects a certificate that is still pending, so validate it before the distribution is created or keep it in a separate stack.

OpsWorks instances don't expose an attribute for their IP address or instance ID

  • Workaround: Create a Lambda custom resource that calls the OpsWorks DescribeInstances API and returns the Ec2InstanceId and IP fields as resource data

OpsWorks can't register an RDS instance with a stack in CloudFormation

  • Workaround: Lambda custom resource that calls RegisterRdsDbInstance (and DeregisterRdsDbInstance on Delete)

OpsWorks doesn't support deployments or commands via CloudFormation

  • Workaround: You guessed it, a Lambda custom resource that calls CreateDeployment to run the deploy or custom commands
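The custom-resource pattern the four items above lean on (and that the Cognito item further down reaches for as well), as an added example that is not part of the original post: a Python Lambda handler that requests the CloudFront certificate in us-east-1 from a stack in another region. It assumes boto3, which the Lambda runtime provides; the resource type name Custom::UsEast1Certificate, the FakeAcm client and the sample event are constructed for illustration. The part that matters is the response protocol: the function must PUT a SUCCESS or FAILED body to the pre-signed ResponseURL on every path, including a Delete for a resource whose Create failed, or the stack sits in progress until the resource timeout.

```python
"""Lambda-backed CloudFormation custom resource that requests an ACM certificate
in us-east-1 for a stack that lives in another region.

Added example, not AWS code and not from the original post. Assumes boto3 (present
in the Lambda runtime); the type name Custom::UsEast1Certificate, the sample event
and the FakeAcm stand-in are constructed for illustration.
"""
import json
import urllib.request

SUCCESS, FAILED = "SUCCESS", "FAILED"
ACM_ARN_PREFIX = "arn:aws:acm:us-east-1:"


def send_response(event, context, status, data=None, physical_id=None,
                  reason=None, opener=urllib.request.urlopen):
    """PUT the outcome to the pre-signed ResponseURL. If nothing is ever PUT,
    CloudFormation waits for the resource timeout (up to an hour) before failing
    the stack, so every path in handler() ends here. `opener` is injectable."""
    log_stream = getattr(context, "log_stream_name", "unknown-log-stream")
    body = {
        "Status": status,
        "Reason": reason or "See CloudWatch log stream %s" % log_stream,
        # Whatever id we return is what CloudFormation sends back on Update/Delete.
        "PhysicalResourceId": physical_id or log_stream,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }
    payload = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    opener(req)
    return body


def handler(event, context, acm=None, opener=urllib.request.urlopen):
    """Lambda entry point. `acm` is injectable so the logic can run offline."""
    props = event.get("ResourceProperties", {})
    physical_id = event.get("PhysicalResourceId")
    try:
        if acm is None:
            import boto3  # lazy, so the module imports without boto3 installed
            # CloudFront only reads certificates from us-east-1, whatever the stack region.
            acm = boto3.client("acm", region_name="us-east-1")
        if event["RequestType"] in ("Create", "Update"):
            arn = acm.request_certificate(
                DomainName=props["DomainName"], ValidationMethod="DNS",
                # ACM accepts [A-Za-z0-9_-]{1,32}; a UUID without dashes is 32 chars.
                IdempotencyToken=event["RequestId"].replace("-", "")[:32],
            )["CertificateArn"]
            # Update hands back a fresh ARN; CloudFormation then deletes the old one.
            return send_response(event, context, SUCCESS, {"Arn": arn}, arn, opener=opener)
        # Delete: a resource whose Create failed carries a log stream name as its id, so
        # only call ACM for ids we minted. ACM refuses to delete a certificate still attached
        # to a distribution; that comes back as FAILED and is the "delete again" case.
        if physical_id and physical_id.startswith(ACM_ARN_PREFIX):
            acm.delete_certificate(CertificateArn=physical_id)
        return send_response(event, context, SUCCESS, physical_id=physical_id, opener=opener)
    except Exception as exc:  # report anything rather than leave CloudFormation hanging
        return send_response(event, context, FAILED, physical_id=physical_id,
                             reason=str(exc), opener=opener)


class FakeAcm:
    """Constructed stand-in for boto3's ACM client so the handler runs offline."""
    def __init__(self, fail=False):
        self.fail, self.calls = fail, []

    def request_certificate(self, **kw):
        if self.fail:
            raise RuntimeError("ACM unavailable")
        self.calls.append(("request_certificate", kw))
        return {"CertificateArn": ACM_ARN_PREFIX + "123456789012:certificate/0000-example"}

    def delete_certificate(self, **kw):
        self.calls.append(("delete_certificate", kw))
        return {}


# Constructed sample of the event CloudFormation delivers to the function.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/presigned",
    "StackId": "arn:aws:cloudformation:ap-southeast-2:123456789012:stack/site/11111111-2222-3333-4444-555555555555",
    "RequestId": "66666666-7777-8888-9999-aaaaaaaaaaaa",
    "LogicalResourceId": "CloudFrontCert",
    "ResourceType": "Custom::UsEast1Certificate",
    "ResourceProperties": {"ServiceToken": "arn:aws:lambda:ap-southeast-2:123456789012:function:cert-requester",
                           "DomainName": "www.example.com"},
}

if __name__ == "__main__":
    # Dry run with no network: print the body that would be PUT to the ResponseURL.
    print(json.dumps(handler(SAMPLE_EVENT, None, acm=FakeAcm(), opener=lambda r: r), indent=2))
```

Wire it up with an AWS::CloudFormation::CustomResource (or Custom::UsEast1Certificate) whose ServiceToken is the function ARN and whose DomainName property is the site name; !GetAtt CloudFrontCert.Arn then feeds ViewerCertificate.AcmCertificateArn, but only once validation has completed. The function's role needs acm:RequestCertificate and acm:DeleteCertificate and nothing else; the same handler shape, with different API calls in the Create/Delete branches, covers the OpsWorks and Cognito workarounds on this page.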

RDS SQL Server lists db.m3.medium as an instance class but fails on deploy saying the instance class isn't available

  • Workaround: Set EngineVersion to 12 (SQL Server 2014) on the RDS instance

  • Maybe EngineVersion should be a required property

With a freshly created S3 bucket outside us-east-1 and CloudFront in front of it, the bucket answers requests sent via the global endpoint with a redirect (the author saw a 302) to its regional endpoint, and CloudFront passes that redirect straight to the client

  • Workaround: Wait for Amazon's DNS to catch up (a couple of hours, up to a day), or avoid the problem by using the bucket's regional endpoint (bucketname.s3-ap-southeast-2.amazonaws.com) as the origin domain name

You can't set a property to an empty value, though sometimes one is required (e.g. in the CloudFront config)

  • Workaround: use !Ref "AWS::NoValue", normally as one branch of !If. It removes the property entirely rather than setting it to an empty string, which is what CloudFront actually wants

RDS snapshots will try to restore with the snapshot's option group even when that group is tied to a VPC

  • Workaround: Set OptionGroupName explicitly to a default group (e.g. default:sqlserver-web-12-00)

Security group rules that reference another group by name don't work

  • This is because inside a VPC you must reference groups by ID (SourceSecurityGroupName is an EC2-Classic property): use SourceSecurityGroupId: !GetAtt [RESOURCENAME, GroupId]. After the stack deploys, check the resulting rule with aws ec2 describe-security-groups rather than trusting the template, since a rule that did not take effect is an open question about what is reachable, not just a template bug

When deleting stacks, ACM certificates seem to be deleted before they have been detached from the ELB listener, so ACM refuses

  • Workaround: Not sure, just delete the stack again until it works. The retry succeeds because CloudFormation skips the resources it already removed and the listener is gone by then

OpsWorks needs an SSH private key for the app repository even when it's using CodeCommit

  • Workaround: Make it a CloudFormation parameter with NoEcho: true. NoEcho only masks the value in DescribeStacks and the console: don't give the parameter a Default in the template (that puts the key in source control), pass it at stack creation time, and never surface it in Outputs or Metadata, which NoEcho does not mask

CloudFormation has no multiline parameters

  • Workaround: Pick a separator character that cannot occur in the value (for a PEM key anything outside base64 characters, dashes and spaces, e.g. #), replace the newlines with it when passing the parameter, and split it back in the template: !Join ["\n", !Split ["#", !Ref SSHKey]]

"CloudFront did not stabilize" error on stack update

  • Occurs when the distribution takes longer to finish deploying than CloudFormation is prepared to wait

  • Workaround: Run the update again until it works

CloudWatch Events cron rules require the string "ENABLED"

  • The State property of AWS::Events::Rule takes "ENABLED" or "DISABLED". Why not true or false, no one will ever know

Cognito is missing from CloudFormation

  • It's been out since 2014...

  • Workaround: Employ an intern to click it together in the console, or write a Lambda custom resource

!Ref is inconsistent: depending on the resource it returns an ARN, a name or an ID. It would be nice if !GetAtt RESOURCE.Arn worked for everything that has an ARN

RDS accepts uppercase in identifiers but silently converts them to lowercase

  • Workaround: Use lowercase for RDS identifier properties (DBInstanceIdentifier and friends), so that anything you build from the name, such as endpoints, alarms or IAM resource ARNs, matches what RDS actually stored