Closed str11ngfello closed 1 year ago
@str11ngfello I have found this article from the Knowledge Center of AWS that shows how we can pass values between nested stacks. In your case, Aurora and Bastion for EC2 are two nested stacks. There is also a Stack Overflow solution for a similar problem that you can take a look at.
I haven't tried this solution myself yet, but it looks promising to me. Basically, it mentions that you should follow the below syntax to refer to the parameter from another nested stack.
```yaml
BastionHost:
  Type: 'AWS::EC2::Instance'
  Properties:
    SecurityGroupIds:
      - Fn::GetAtt: [ "Aurora Stack Name Goes Here", "Outputs.<copilot-${App}-${Env}-apiclusterSecurityGroup>" ]
      - ...
      - ...
    # Note: TemplateURL and TimeoutInMinutes are properties of
    # AWS::CloudFormation::Stack, not of AWS::EC2::Instance.
    TemplateURL: "https://s3.amazonaws.com/url/templates/publicRouteStack.json"
    TimeoutInMinutes: "5"
```
Do let us know if that works fine for you.
Thanks for the response @paragbhingre, but looking in the console, that doesn't seem to be the case. Copilot is creating a single nested stack for ALL addons. I have 5 files in the addons directory, including the two resources in question (Bastion and Aurora) as well as others like an S3 bucket, a Redis database, etc.
They're all in one nested stack. 🤔
Oh, got it. I think what we can try here is the DependsOn attribute of CloudFormation. Because all the addons are in one stack, we can add `DependsOn: apiclusterSecurityGroup` in your bastion template. Can you try that and let us know if that works?
Edit -- You can use `!Ref logicalName` directly to access another resource from the same nested stack. It should be accessible by Ref.
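A check for the failure discussed in this thread, as an added example that is not part of any comment here and is not Copilot's own code: it merges addon templates into one template, flags every `Fn::ImportValue` whose export is declared in that same template, and returns the in-stack reference that can replace it. The templates are constructed stand-ins in CloudFormation's JSON form; the export names and the single-template merge are assumptions based on what the thread describes.

```python
# Constructed stand-ins for the two addons (JSON form of CloudFormation).
AURORA = {
    "Resources": {"apiclusterSecurityGroup": {"Type": "AWS::EC2::SecurityGroup"}},
    "Outputs": {"apiclusterSecurityGroup": {
        "Value": {"Ref": "apiclusterSecurityGroup"},
        "Export": {"Name": {"Fn::Sub": "${App}-${Env}-apiclusterSecurityGroup"}}}},
}
BASTION = {
    "Resources": {"BastionHost": {
        "Type": "AWS::EC2::Instance",
        "Properties": {"SecurityGroupIds": [
            {"Fn::ImportValue": {"Fn::Sub": "${App}-${Env}-apiclusterSecurityGroup"}},
            # Assumed to be exported by a different stack, so it is not flagged.
            {"Fn::ImportValue": {"Fn::Sub": "${App}-${Env}-EnvironmentSecurityGroup"}},
        ]}}},
}

def merge(*templates):
    """Combine addon templates into one (assumption: one nested stack for all addons)."""
    merged = {"Resources": {}, "Outputs": {}}
    for template in templates:
        for section in merged:
            merged[section].update(template.get(section, {}))
    return merged

def imports(node, path=""):
    """Yield (path, export_name) for every Fn::ImportValue found under node."""
    if isinstance(node, dict):
        if set(node) == {"Fn::ImportValue"}:
            yield path, node["Fn::ImportValue"]
        for key, value in node.items():
            yield from imports(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from imports(value, f"{path}/{index}")

def self_imports(template):
    """Return (path, replacement) for imports of exports declared in the same template."""
    exported = [(out["Export"]["Name"], out["Value"])
                for out in template.get("Outputs", {}).values() if "Export" in out]
    return [(path, value)
            for path, name in imports(template.get("Resources", {}))
            for export_name, value in exported if name == export_name]

if __name__ == "__main__":
    for path, replacement in self_imports(merge(AURORA, BASTION)):
        print(f"{path}: imports an export from its own stack; use {replacement}")
```
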
This issue is stale because it has been open 60 days with no response activity. Remove the stale label, add a comment, or this will be closed in 14 days.
This issue is closed due to inactivity. Feel free to reopen the issue if you have any further questions!
Hello! Using the latest copilot 1.26.
I have an Aurora cluster in my api workload, created with "copilot storage init" and it has no modifications. Great!
I used to then go into the AWS console and create a micro ec2 for bastion host, open port 22 and add the apiClusterSecurityGroup and EnvironmentSecurityGroup (created by copilot storage init) to the ec2 and bam! - I'd have a simple way to tunnel into Aurora.
I've decided to create a simple addon in the same workload that will automate this ec2 creation. (Both ymls are presented in full below.)
When it comes to importing the security groups from the aurora addon and applying to my ec2 bastion within my bastion addon, I'm running into the issue where those values aren't available yet. I added the "Export" line to the apiSecurityGroup in Aurora template thinking that if I did that, then in my bastion I could Import it.
I simply added the last Export line to apiclusterSecurityGroup from the yaml generated for Aurora template by copilot.
In my bastion.yml for my ec2, I thought I could use Import now. See the SecurityGroupIds in this part of my bastion.yml. You can see I'm !ImportValue-ing them.
This will not work as evidenced by the error when I try to deploy the workload. I see =>
So the entire stack doesn't deploy. To work around this, I removed my bastion.yml and deployed the stack. Then I added my bastion.yml back in and deployed again. No problems. These Exports and Imports between my two files work if I've already created the stack with Aurora once without bastion. This is obviously a dependency problem between my two addons. I read that Export and Import were really for cross-stack referencing, but I think copilot puts all these addons in the same stack. I cruised the CloudFormation docs but I'm not sure if this is a CloudFormation user error on my part, or something in the way Copilot has made assumptions on dependencies between same-workload addons.
What's the right way to get values out of addons in the same workload, i.e. how do I solve this dependency problem such that the output security groups are available to addons in the same workload?
For reference here are my complete ymls for aurora and ec2.
Thank you!
Aurora cluster template addon from copilot storage init (only thing I've added is the Export of the output)
bastion.yml (you can see the Imports I'm attempting for security groups)