CloudFormation

Use CloudFormation as one way to create AWS resources for ChaosSearch.

AWS CloudFormation is a provisioning and configuration service that can ease AWS access and configuration. ChaosSearch has created some CloudFormation templates to help automate the configuration of AWS S3 access policies for ChaosSearch indexing and querying.

This topic describes how to use CloudFormation to configure your AWS S3 storage infrastructure for use with ChaosSearch.


Getting Started

The prerequisites for this section are:

  • A ChaosSearch account and external ID
  • An AWS account

Using the CloudFormation Access Setup

To use CloudFormation to set up access for the ChaosSearch indexing services:

  1. Log in to the ChaosSearch console using your account.
  2. Click your account name in the top right corner, and select the Settings/Help menu.
  3. Click AWS Credentials in the left menu.
  4. On the AWS Credentials page, click Open CloudFormation.
  5. Log in using your AWS account. The Quick create stack page appears.
  6. In the Stack name field, type a unique stack name for your setup.
  7. Scroll down to the Parameters section and specify or verify the following information:
  • Verify or specify (if not present) the external ID for your ChaosSearch instance.
  • In the CSAccountID field, verify or specify your account ID.
  • In the CSBucketName field, type the name(s) of the desired bucket(s). You can use * for all buckets.
  • In the CSRecoveryAccountID field, note the recovery account ID used for backup and possible recovery of the primary account.
  8. Scroll down to the Capabilities section and select I acknowledge that AWS CloudFormation might create IAM resources.
  9. Click Create stack.

AWS creates the ChaosSearch stack for your resources. A sample stack window follows.

  10. Click the Resources tab and wait for the stack to be created.

NOTE: If the create stack process fails, contact ChaosSearch for assistance.

  11. Once complete, click the Physical ID hyperlink for CHAOSSEARCHRole. The Summary page appears.
  12. Copy the Role ARN for your new AWS stack.
  13. In the ChaosSearch Settings/Help > AWS Credentials window, paste the role ARN value into the AWS Role ARN field.
  14. Click Update to save the role ARN.
  15. Make sure that a check icon is displayed to verify the ARN value.

CloudFormation Template

The following is the definition of the standard CloudFormation template. The resources used in this template are:

  • CHAOSSEARCH Account ID
  • CHAOSSEARCH External ID
  • AWS IAM Role
  • AWS IAM Policy
  • AWS S3
  • AWS SQS
  • AWS SNS

---
AWSTemplateFormatVersion: '2010-09-09'
Description: CHAOSSEARCH AWS Integration
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: CHAOSSEARCH Authentication
      Parameters:
      - CSExternalID
    ParameterLabels:
      CSExternalID:
        default: What is your provided CHAOSSEARCH External ID?
      CSBucketName:
        default: What bucket for CHAOSSEARCH access?
      CSAccountID:
        default: CHAOSSEARCH account that is allowed to assume this role.
      CSRecoveryAccountID:
        default: (Optional) CHAOSSEARCH recovery account used for backup that is allowed to assume this role.
Parameters:
  CSExternalID:
    Description: The provided CHAOSSEARCH External ID
    Type: String
  CSBucketName:
    Description: The desired name for the S3 bucket CHAOSSEARCH will be indexing. Lowercase names only.
    Type: String
  CSAccountID:
    Description: CHAOSSEARCH account that is allowed to assume this role.
    Type: String
  CSRecoveryAccountID:
    Description: (Optional) CHAOSSEARCH recovery account used for backup and is allowed to assume this role.
    Default: "079363773741"
    Type: String
Conditions:
  RecoveryDisabled: !Equals [!Ref 'CSRecoveryAccountID', '']
Resources:
  CHAOSSEARCHRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS:
              Fn::If:
              - RecoveryDisabled
              - - Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: CSAccountID
                    - ':root'
                - arn:aws:iam::515570774723:root
              - - Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: CSAccountID
                    - ':root'
                - Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: CSRecoveryAccountID
                    - ':root'
                - arn:aws:iam::515570774723:root
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId:
                Ref: CSExternalID
  CHAOSSEARCHPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CHAOSSEARCHPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action:
          - sqs:DeleteMessage
          - sqs:DeleteMessageBatch
          - sqs:ReceiveMessage
          - sqs:GetQueueUrl
          - sqs:GetQueueAttributes
          Resource: !Sub 'arn:aws:sqs:*:${AWS::AccountId}:*'
        - Effect: Allow
          Action:
          - s3:ListAllMyBuckets
          - s3:GetBucketLocation
          - s3:GetBucketTagging
          Resource: "*"
        - Effect: Allow
          Action:
          - s3:ListBucket
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSBucketName
        - Effect: Allow
          Action:
          - s3:GetObject
          - s3:GetObjectTagging
          - s3:PutObjectTagging
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSBucketName
              - "/*"
        - Effect: Allow
          Action:
          - s3:GetObjectTagging
          - s3:PutObjectTagging
          - s3:ListBucket
          - s3:CreateBucket
          - s3:GetObject
          - s3:PutObject
          - s3:DeleteObject
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::cs-'
              - Ref: CSExternalID
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::cs-'
              - Ref: CSExternalID
              - "/*"
      Roles:
      - Ref: CHAOSSEARCHRole
Outputs:
  RoleARN:
    Description: The ARN of the new CHAOSSEARCH Role
    Value:
      Fn::GetAtt:
      - CHAOSSEARCHRole
      - Arn
  S3Bucket:
    Description: The name of the CHAOSSEARCH S3 bucket that was created
    Value:
      Ref: CSBucketName
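As an added check (example code written for this page, not part of the ChaosSearch template or console), the script below evaluates the Ref, Fn::Join and Fn::If intrinsics of the CHAOSSEARCHRole trust policy above for a given parameter set and confirms that every principal allowed to assume the role is an account you expect and that the sts:ExternalId condition carries the external ID you were given. The customer account ID 111111111111 and the external ID example-ext-id used below are constructed placeholders; the two ChaosSearch account IDs are the ones that appear in the template.

```python
import re

# Constructed dict form of the CHAOSSEARCHRole.AssumeRolePolicyDocument from the template above.
TRUST_TEMPLATE = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": {"Fn::If": ["RecoveryDisabled",
            [{"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "CSAccountID"}, ":root"]]},
             "arn:aws:iam::515570774723:root"],
            [{"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "CSAccountID"}, ":root"]]},
             {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "CSRecoveryAccountID"}, ":root"]]},
             "arn:aws:iam::515570774723:root"]]}},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "CSExternalID"}}},
    }],
}

def resolve(node, params, conditions):
    """Evaluate Ref, Fn::Join and Fn::If, the only intrinsics the trust policy uses."""
    if isinstance(node, list):
        return [resolve(n, params, conditions) for n in node]
    if isinstance(node, dict):
        if "Ref" in node:
            return params[node["Ref"]]
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(parts, params, conditions))
        if "Fn::If" in node:
            name, yes, no = node["Fn::If"]
            return resolve(yes if conditions[name] else no, params, conditions)
        return {k: resolve(v, params, conditions) for k, v in node.items()}
    return node

def check_trust_policy(params, allowed_accounts, expected_external_id):
    """Render the trust policy and return findings; an empty list means it is as expected."""
    # Mirrors the template's RecoveryDisabled condition: !Equals [!Ref CSRecoveryAccountID, ''].
    conditions = {"RecoveryDisabled": params["CSRecoveryAccountID"] == ""}
    doc = resolve(TRUST_TEMPLATE, params, conditions)
    findings = []
    for stmt in doc["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRole" not in actions:
            continue
        for arn in stmt["Principal"]["AWS"]:  # only account-root ARNs on the allow list may assume the role
            m = re.fullmatch(r"arn:aws:iam::(\d{12}):root", arn)
            if not m or m.group(1) not in allowed_accounts:
                findings.append(f"unexpected principal {arn}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != expected_external_id:  # external ID must be required, and must be yours
            findings.append(f"sts:ExternalId condition is {ext!r}, expected {expected_external_id!r}")
    return findings
```

The same resolver can be pointed at the CHAOSSEARCHPolicy statements to render their S3 resource ARNs; with CSBucketName set to * the s3:ListBucket and s3:GetObject statements resolve to arn:aws:s3:::* and arn:aws:s3:::*/*, which is worth confirming is intended before creating the stack.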