aws-cloudformation / cloudformation-resource-schema

The CloudFormation Resource Schema defines the shape and semantic for resources provisioned by CloudFormation. It is used by provider developers using the CloudFormation RPDK.
Apache License 2.0

Translating Cloudformation Resources to API Calls #99

Closed eitens-mak closed 4 years ago

eitens-mak commented 4 years ago

I want to read a Cloudformation template and translate the resources into the API calls needed to create them. Can I use this package somehow to do this?

PatMyron commented 4 years ago

Parsing the create handler permissions from the respective hosted resource provider schemas should find the maximum possible API permissions required. Not all create handler API permissions listed in the schema may be required in all scenarios though.

There are some similar projects around this space as well:

- https://github.com/stelligent/cfn-leaprog
- https://github.com/iann0036/aws-leastprivilege
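The schema-parsing approach suggested in the comment above, as an added example that is not part of the original thread or the project's own code: it reads `handlers.create.permissions` from the resource provider schema of each resource type in a template and reports resources it cannot resolve. The schema fragments, their permission lists and the template are constructed samples, and `create_permissions` is a hypothetical helper name.

```python
import json

# Constructed, abbreviated schema fragments keyed by typeName. Provider schemas
# use this "handlers" -> "create" -> "permissions" layout; the permission lists
# here are sample values, not copies of the hosted schemas.
SCHEMAS = {
    "AWS::Logs::LogGroup": {"handlers": {
        "create": {"permissions": ["logs:DescribeLogGroups", "logs:CreateLogGroup",
                                   "logs:PutRetentionPolicy"]},
        "delete": {"permissions": ["logs:DeleteLogGroup"]}}},
    "AWS::S3::Bucket": {"handlers": {
        "create": {"permissions": ["s3:CreateBucket", "s3:PutBucketTagging"]}}},
}

# Constructed template in JSON form; "Cert" is a custom resource with no schema.
TEMPLATE = json.loads("""
{
  "Resources": {
    "AppLogs": {"Type": "AWS::Logs::LogGroup", "Properties": {"RetentionInDays": 30}},
    "Assets":  {"Type": "AWS::S3::Bucket"},
    "Cert":    {"Type": "Custom::Certificate"}
  }
}
""")


def create_permissions(template, schemas):
    """Return (permissions per logical ID, sorted union, unresolved logical IDs).

    The union is an upper bound: a create handler may not use every listed
    permission in every scenario, so treat it as a ceiling to trim from.
    """
    per_resource, unresolved = {}, []
    for logical_id, resource in template.get("Resources", {}).items():
        schema = schemas.get(resource.get("Type"), {})
        create = schema.get("handlers", {}).get("create")
        if create is None:
            # No schema, or a schema without a create handler: flag for manual
            # review rather than silently granting nothing.
            unresolved.append(logical_id)
            continue
        per_resource[logical_id] = sorted(set(create.get("permissions", [])))
    union = sorted({p for perms in per_resource.values() for p in perms})
    return per_resource, union, unresolved


if __name__ == "__main__":
    per_resource, union, unresolved = create_permissions(TEMPLATE, SCHEMAS)
    print(json.dumps({"per_resource": per_resource, "union": union,
                      "unresolved": unresolved}, indent=2))
```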

eitens-mak commented 4 years ago

I was thinking more along the lines of converting a Cloudformation template to API calls or AWS CLI commands.

PatMyron commented 4 years ago

> I was thinking more along the lines of converting a Cloudformation template to API calls or AWS CLI commands.

This wouldn't be deterministic from a CloudFormation template alone. The API calls required depend on the previous CloudFormation stack state in some cases if updating a stack rather than creating. Assuming the simpler case of creating a new stack, the CreateHandlers themselves are beginning to be open sourced (along with the other handlers as well). As a specific example, `handleRequest` in AWS::Logs::LogGroup's CreateHandler can be viewed as an entry point to creating AWS::Logs::LogGroup resources.