Open jkruse14 opened 2 months ago
Hi @jkruse14!
Thank you for evaluating this sample hook. The values for URL-related properties, that today are not matching the updated values in the relevant file in this repository, are not impacting the ability for the hook to evaluate its described target AWS::RDS::DBInstance resource type on preCreate and preUpdate invocation points.
I've tested the AWSSamples::RdsEncrypt::Hook sample hook as follows: first, I've chosen to activate it in my AWS account for the us-east-1 region, I've configured the sample hook with a failure mode of FAIL, and tested as follows:
I've created a test AWS::RDS::DBInstance resource with StorageEncrypted: true set in the template; the hook succeeded with message: "Successfully invoked HookHandler for target AWS::RDS::DBInstance. Resource encrypted as expected";
I've tested without StorageEncrypted: true, and the hook failed as expected, with message: "Failed Hook due to missing or non-encrypted AWS::RDS::DBInstance resource.";
I've created a test AWS::RDS::DBCluster resource with StorageEncrypted: true set in the template: in this case, the sample AWSSamples::RdsEncrypt::Hook was not being invoked, as this sample hook targets only AWS::RDS::DBInstance resources. For this test, I've chosen to use aurora-mysql as a value for the Engine property of the cluster I described in my template.
I've created another test AWS::RDS::DBCluster resource with StorageEncrypted: true set in the template - this time I changed the engine to use mysql, and added additional required properties - and also in this case, the sample AWSSamples::RdsEncrypt::Hook was not being invoked. The resulting stack created by me via CloudFormation only had the RDS DBCluster: when I then visited the RDS console, I saw the cluster and 3 DB instances for it (in my case, I had one writer instance and two reader instances): these instances were not mapped to the CloudFormation stack (that is, not showing as stack resources); thus, the hook was not triggered as well for those as are handled by the cluster I described in my template.
The example logic for the sample AWSSamples::RdsEncrypt::Hook hook is the same for preCreate and preUpdate invocation points: the example hook checks if the RDS instance class (the value you specify in your template for DBInstanceClass) is part of an exclusion list (in this case, the hook succeeds), or if the StorageEncrypted property you specify in the template is not set to 'true' or is missing (in these cases, the hook fails; or succeeds otherwise).
Hope the above helps with the ongoing troubleshooting on your side; as per the URL mismatch, I'll relay the feedback to the team.
Let us know if you have any questions!
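The targeting and decision logic described in the comment above, as an added Python sketch (not part of the thread and not the AWSSamples::RdsEncrypt::Hook source). The exclusion-list entry, the sample template and the outcome labels are constructed, and accepting both boolean true and the string 'true' is an assumption.

```python
# Added illustration of the behaviour described in the comment above.
TARGET_TYPE = "AWS::RDS::DBInstance"        # the only type the sample hook targets
EXCLUDED_CLASSES = {"db.example.excluded"}  # constructed placeholder; real list is not on this page


def is_encrypted(value):
    """Assumption: boolean True or the string 'true' (any case) counts as encrypted."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def evaluate_resource(resource, excluded=EXCLUDED_CLASSES):
    """Return NOT_INVOKED, SUCCESS or FAILED for one template resource."""
    if resource.get("Type") != TARGET_TYPE:
        return "NOT_INVOKED"                # e.g. AWS::RDS::DBCluster is never evaluated
    props = resource.get("Properties") or {}
    if props.get("DBInstanceClass") in excluded:
        return "SUCCESS"                    # excluded classes pass regardless of encryption
    return "SUCCESS" if is_encrypted(props.get("StorageEncrypted")) else "FAILED"


def evaluate_template(template, excluded=EXCLUDED_CLASSES):
    """Map each logical ID in the template to its hook outcome."""
    resources = template.get("Resources", {})
    return {name: evaluate_resource(res, excluded) for name, res in resources.items()}


def unevaluated(template):
    """Logical IDs the hook never sees; encryption there needs another control."""
    return sorted(n for n, o in evaluate_template(template).items() if o == "NOT_INVOKED")


# Constructed sample template mirroring the test cases in the comment.
SAMPLE_TEMPLATE = {"Resources": {
    "EncryptedDb": {"Type": TARGET_TYPE,
                    "Properties": {"DBInstanceClass": "db.example.a", "StorageEncrypted": True}},
    "StringTrueDb": {"Type": TARGET_TYPE, "Properties": {"StorageEncrypted": "true"}},
    "PlainDb": {"Type": TARGET_TYPE, "Properties": {"DBInstanceClass": "db.example.a"}},
    "ExcludedDb": {"Type": TARGET_TYPE, "Properties": {"DBInstanceClass": "db.example.excluded"}},
    "Cluster": {"Type": "AWS::RDS::DBCluster",
                "Properties": {"Engine": "aurora-mysql", "StorageEncrypted": True}},
}}

if __name__ == "__main__":
    for name, outcome in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {outcome}")
    print("Not evaluated by the hook:", unevaluated(SAMPLE_TEMPLATE))
```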
This hook started failing recently for us, but I'm not sure what is to blame. The source URL in the CloudFormation console does not match this repository:
It links to a non-existent repo here
However, the code links properly:
Also, this hook was failing on the update of AWS::RDS::DBCluster. The KmsKeyId configuration is set so encryption can be provided to instances in the cluster. I assume this resource is creating underlying instances on which this hook is run - is that correct?