CloudFormation

Use CloudFormation as one way to create AWS resources for ChaosSearch.

AWS CloudFormation is a provisioning service that simplifies the creation and configuration of AWS resources and access. ChaosSearch has created CloudFormation templates to help automate the configuration of AWS S3 access policies for ChaosSearch indexing and querying.

This topic describes how to use CloudFormation to configure your AWS S3 storage infrastructure for use with ChaosSearch.

Getting Started

The prerequisites for this section are:

  • A ChaosSearch account and external ID
  • An AWS account

Using the CloudFormation Access Setup

To use CloudFormation to set up access for the ChaosSearch indexing services:

  1. Log in to the ChaosSearch console using your account.
  2. Click your account name in the top right corner, and select the Settings/Help menu.
  3. Click AWS Credentials in the left menu.
  4. On the AWS Credentials page, click Open CloudFormation.
  5. Log in using your AWS account. The Quick create stack page appears.
  6. In the Stack name field, type a unique stack name for your setup.
  7. Scroll down to the Parameters section and specify or verify the following information:
  • Verify or specify (if not present) the external ID for your ChaosSearch instance.
  • In the CSAccountID field, verify or specify your account ID.
  • In the CSBucketName field, type the name(s) of the desired bucket(s). You can use * for all buckets.
  • In the CSRecoveryAccountID field, note the recovery account ID used for backup and possible recovery of the primary account.
  8. Scroll down to the Capabilities section and select I acknowledge that AWS CloudFormation might create IAM resources.
  9. Click Create stack.

AWS creates the ChaosSearch stack for your resources. A sample stack window follows.

  10. Click the Resources tab and wait for the stack to be created.

NOTE: If the create stack process fails, contact ChaosSearch for assistance.

  11. Once the stack is complete, click the Physical ID hyperlink for CHAOSSEARCHRole. The Summary page appears.
  12. Copy the Role ARN for your new AWS stack.
  13. In the ChaosSearch Settings/Help > AWS Credentials window, paste the role ARN value into the AWS Role ARN field.
  14. Click Update to save the role ARN.
  15. Make sure that a check icon is displayed, which verifies the ARN value.

CloudFormation Template

The following is the definition of the standard CloudFormation template. The parameters and resources used in this template are:

  • CHAOSSEARCH Account ID
  • CHAOSSEARCH External ID
  • AWS IAM Role
  • AWS IAM Policy
  • AWS S3
  • AWS SQS
  • AWS SNS

---
AWSTemplateFormatVersion: '2010-09-09'
Description: CHAOSSEARCH AWS Integration
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: CHAOSSEARCH Build
      Parameters:
      - CSAccountID
      - CSExternalID
      - CSBucketName
      - CSQueueName
      - CSTopicName
      - S3Event
    ParameterLabels:
      CSAccountID:
        default: The Chaossearch Account
      CSExternalID:
        default: Add your Chaossearch External ID
      CSBucketName:
        default: Name of the S3 bucket
      CSQueueName:
        default: Name of the SQS Queue
      CSTopicName:
        default: Name of the Topic
      S3Event:
        default: Only Objects Created
Parameters:
  CSAccountID:
    Description: The provided Chaossearch Account ID
    Type: String
    Default: 515570774723
  CSExternalID:
    Description: The provided CHAOSSEARCH External ID
    Type: String
  CSBucketName:
    Description: The desired CHAOSSEARCH S3 bucket name. lower-case names only
    Type: String
  CSQueueName:
    Description: Input the name of the SQS Queue
    Type: String
  CSTopicName:
    Description: SNS topic name for S3 subscription
    Type: String
  S3Event:
    Description: SNS topic event to monitor for S3 subscription
    Type: String
    Default: s3:ObjectCreated:*
Resources:
  ChaosSQSQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName:
        Ref: CSQueueName
      VisibilityTimeout: 300
  MySQSQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Version: '2008-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS: "*"
          Action:
          - SQS:SendMessage
          Resource: "*"
          Condition:
            ArnEquals:
              aws:SourceArn:
                Ref: S3SNSTopic
      Queues:
      - Ref: ChaosSQSQueue
  S3SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
      - Endpoint:
          Fn::GetAtt:
          - ChaosSQSQueue
          - Arn
        Protocol: sqs
      TopicName:
        Ref: CSTopicName
  MyTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Id: MyTopicPolicy
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: s3.amazonaws.com
          Action:
          - SNS:Publish
          Resource: "*"
          Condition:
            ArnLike:
              aws:SourceArn:
                Fn::Join:
                - ''
                - - 'arn:aws:s3:*:*:'
                  - Ref: CSBucketName
      Topics:
      - Ref: S3SNSTopic
  ChaosS3Bucket:
    Type: AWS::S3::Bucket
    DependsOn: MyTopicPolicy
    Properties:
      BucketName:
        Ref: CSBucketName
      NotificationConfiguration:
        TopicConfigurations:
        - Event:
            Ref: S3Event
          Topic:
            Ref: S3SNSTopic
  CHAOSSEARCHRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS:
              Fn::Join:
              - ''
              - - 'arn:aws:iam::'
                - Ref: CSAccountID
                - ":root"
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId:
                Ref: CSExternalID
  CHAOSSEARCHPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CHAOSSEARCHPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action:
          - s3:ListAllMyBuckets
          - s3:GetBucketLocation
          Resource: "*"
        - Effect: Allow
          Action:
          - s3:List*
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSBucketName
              - "/*"
        - Effect: Allow
          Action:
          - s3:Get*
          - s3:PutObjectTagging
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSBucketName
              - "/*"
        - Effect: Allow
          Action: "*"
          Resource:
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSExternalID
          - Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: CSExternalID
              - "/*"
      Roles:
      - Ref: CHAOSSEARCHRole
Outputs:
  SQSSource:
    Description: The name of the Chaossearch SQS Queue
    Value:
      Fn::GetAtt:
      - ChaosSQSQueue
      - QueueName
  RoleARN:
    Description: The ARN of the new CHAOSSEARCH Role
    Value:
      Fn::GetAtt:
      - CHAOSSEARCHRole
      - Arn
  S3Bucket:
    Description: The name of the CHAOSSEARCH S3 bucket that was created
    Value:
      Ref: CSBucketName
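As an added example (not part of the ChaosSearch template or its documentation), the following Python resolves the template's Ref and Fn::Join intrinsics into concrete ARNs and checks the CHAOSSEARCHRole trust policy: the only principal allowed to call sts:AssumeRole should be the ChaosSearch account root, and the sts:ExternalId condition must be present, since that condition is what prevents a third party who merely knows the role ARN from having ChaosSearch assume the role on their behalf (the confused deputy problem). The parameter values are constructed placeholders, not real account data.

```python
# Constructed parameter values for illustration, not real account data.
PARAMS = {"CSAccountID": "111111111111", "CSExternalID": "example-external-id",
          "CSBucketName": "my-log-bucket"}

# Same structure as the template's CHAOSSEARCHRole AssumeRolePolicyDocument.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "CSAccountID"}, ":root"]]}},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "CSExternalID"}}},
    }],
}

# One of the object-level Resource entries from CHAOSSEARCHPolicy, for resolve().
S3_OBJECT_ARN = {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "CSBucketName"}, "/*"]]}


def resolve(node, params):
    """Recursively substitute Ref and Fn::Join, the only intrinsics the template uses."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            return params[node["Ref"]]
        if set(node) == {"Fn::Join"}:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p, params) for p in parts)
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(x, params) for x in node]
    return node


def check_trust_policy(policy, params):
    """Return a list of problems; empty means every AssumeRole grant names exactly
    arn:aws:iam::<CSAccountID>:root and carries the sts:ExternalId condition."""
    problems = []
    expected = f"arn:aws:iam::{params['CSAccountID']}:root"
    for stmt in resolve(policy, params)["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": ...} form; a bare "*" stays a string
            principal = principal.get("AWS")
        if principal != expected:
            problems.append(f"unexpected principal {principal!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != params["CSExternalID"]:
            problems.append("sts:ExternalId condition missing or wrong")
    return problems
```

Run the same check against a deployed role by feeding it the trust policy returned by the IAM GetRole API with the intrinsics already resolved; the resolver is then a no-op and only the assertions apply.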
