CloudFormation
Use CloudFormation as one way to create AWS resources for ChaosSearch.
AWS CloudFormation is a provisioning and configuration service that can ease AWS access and configuration. ChaosSearch has created some CloudFormation templates to help automate the configuration of AWS S3 access policies for ChaosSearch indexing and querying.
This topic describes how to use CloudFormation to configure your AWS S3 storage infrastructure for use with ChaosSearch.

Getting Started
This section has the following prerequisites:
- A ChaosSearch account and external ID
- An AWS account
Using the CloudFormation Access Setup
To use CloudFormation to set up access for the ChaosSearch indexing services:
- Log in to the ChaosSearch console using your account.
- Click your account name in the top right corner, and select the Settings/Help menu.
- Click AWS Credentials in the left menu.

- On the AWS Credentials page, click Open CloudFormation.
- Log in using your AWS account. The Quick create stack page appears.
- In the Stack name field, type a unique stack name for your setup.

- Scroll down to the Parameters section and specify/verify the following information:
  - Verify or specify (if not present) the external ID for your ChaosSearch instance.
  - In the CSAccountID field, verify or specify your account ID.
  - In the CSBucketName field, type the name(s) of the desired bucket(s). You can use * for all buckets.
  - In the CSRecoveryAccountID field, note the recovery account ID used for backup and possible recovery of the primary account.

- Scroll down to the Capabilities section and select I acknowledge that AWS CloudFormation might create IAM resources.
- Click Create stack.

AWS creates the ChaosSearch stack for your resources. A sample stack window follows.

- Click the Resources tab and wait for the stack to be created.
NOTE: If the create stack process fails, contact ChaosSearch for assistance.
- Once complete, click the Physical ID hyperlink for CHAOSSEARCHRole. The Summary page appears.

- Copy the Role ARN for your new AWS stack.
- In the ChaosSearch Settings/Help > AWS Credentials window, paste the role ARN value into the AWS Role ARN field.
- Click Update to save the role ARN.
- Make sure that a check icon is displayed to verify the ARN value.

CloudFormation Template
The following is the definition of the standard CloudFormation template. The resources used in this template are:
- CHAOSSEARCH Account ID
- CHAOSSEARCH External ID
- AWS IAM Role
- AWS IAM Policy
- AWS S3
- AWS SQS
- AWS SNS
---
AWSTemplateFormatVersion: '2010-09-09'
Description: CHAOSSEARCH AWS Integration
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: CHAOSSEARCH Authentication
      Parameters:
      - CSExternalID
    ParameterLabels:
      CSExternalID:
        default: What is your provided CHAOSSEARCH External ID?
      CSBucketName:
        default: What bucket for CHAOSSEARCH access?
      CSAccountID:
        default: CHAOSSEARCH account that is allowed to assume this role.
      CSRecoveryAccountID:
        default: (Optional) CHAOSSEARCH recovery account used for backup that is allowed to assume this role.
Parameters:
  CSExternalID:
    Description: The provided CHAOSSEARCH External ID
    Type: String
  CSBucketName:
    Description: The desired name for the S3 bucket CHAOSSEARCH will be indexing. Lowercase names only.
    Type: String
  CSAccountID:
    Description: CHAOSSEARCH account that is allowed to assume this role.
    Type: String
  CSRecoveryAccountID:
    Description: (Optional) CHAOSSEARCH recovery account used for backup and is allowed to assume this role.
    Default: "079363773741"
    Type: String
Conditions:
  RecoveryDisabled: !Equals [!Ref 'CSRecoveryAccountID', '']
Resources:
  CHAOSSEARCHRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS:
              Fn::If:
              - RecoveryDisabled
              - - Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: CSAccountID
                    - ':root'
                - arn:aws:iam::515570774723:root
              - - Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: CSAccountID
                    - ':root'
                - Fn::Join:
                  - ''
                  - - 'arn:aws:iam::'
                    - Ref: CSRecoveryAccountID
                    - ':root'
                - arn:aws:iam::515570774723:root
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId:
                Ref: CSExternalID
  CHAOSSEARCHPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CHAOSSEARCHPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action:
          - sqs:DeleteMessage
          - sqs:DeleteMessageBatch
          - sqs:ReceiveMessage
          - sqs:GetQueueUrl
          - sqs:GetQueueAttributes
          Resource: !Sub 'arn:aws:sqs:*:${AWS::AccountId}:*'
        - Effect: Allow
          Action:
          - s3:ListAllMyBuckets
          - s3:GetBucketLocation
          - s3:GetBucketTagging
          Resource: "*"
        - Effect: Allow
          Action:
          - s3:ListBucket
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSBucketName
        - Effect: Allow
          Action:
          - s3:GetObject
          - s3:GetObjectTagging
          - s3:PutObjectTagging
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSBucketName
              - "/*"
        - Effect: Allow
          Action:
          - s3:GetObjectTagging
          - s3:PutObjectTagging
          - s3:ListBucket
          - s3:CreateBucket
          - s3:GetObject
          - s3:PutObject
          - s3:DeleteObject
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::cs-'
              - Ref: CSExternalID
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::cs-'
              - Ref: CSExternalID
              - "/*"
      Roles:
      - Ref: CHAOSSEARCHRole
Outputs:
  RoleARN:
    Description: The ARN of the new CHAOSSEARCH Role
    Value:
      Fn::GetAtt:
      - CHAOSSEARCHRole
      - Arn
  S3Bucket:
    Description: The name of the CHAOSSEARCH S3 bucket that was created
    Value:
      Ref: CSBucketName
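
An added example, not part of the ChaosSearch template or documentation: a Python check of the trust and permissions policies the stack produces. It confirms that every AssumeRole grant carries the external ID and names only the accounts you expect, and shows what entering * for CSBucketName grants. The sample policies, EXTERNAL_ID and CS_ACCOUNT are constructed placeholders; the two fixed account IDs are the ones in the template above.

```python
import json

# Constructed sample: what the template renders to with CSBucketName "*".
# EXTERNAL_ID and CS_ACCOUNT are placeholders, not real values.
EXTERNAL_ID, CS_ACCOUNT = "example-external-id", "111111111111"
TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                        "arn:aws:iam::079363773741:root",
                        "arn:aws:iam::515570774723:root"]},
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}""")
PERMS = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": ["arn:aws:s3:::*"]},
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:GetObjectTagging", "s3:PutObjectTagging"],
   "Resource": ["arn:aws:s3:::*/*"]}]}""")
S3_PREFIX = "arn:aws:s3:::"

def as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_trust(policy, expected_accounts, external_id):
    """Flag AssumeRole grants lacking the ExternalId or naming other accounts."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("AssumeRole allowed without the expected sts:ExternalId")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in as_list(aws):
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account not in expected_accounts:
                findings.append(f"unexpected trusted account {account}")
    return findings

def audit_s3_scope(policy):
    """Flag statements whose S3 resource names every bucket (CSBucketName '*')."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        for res in as_list(stmt.get("Resource", [])):
            if res.startswith(S3_PREFIX) and res[len(S3_PREFIX):].split("/")[0] == "*":
                actions = ", ".join(as_list(stmt.get("Action", [])))
                findings.append(f"{res}: {actions} on every bucket in the account")
    return findings
```

To check a deployed stack, pass in the Role.AssumeRolePolicyDocument returned by `aws iam get-role` and the PolicyDocument returned by `aws iam get-role-policy` in place of the samples.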