AWS CDK - how to create bulk thing with certs using CDK - aws-cdk

i can create thing, policy, certificate and connect altogether with these steps similar to https://github.com/aws/aws-cdk/issues/19303
But I want to do that with bulk thing creation, create certs and with policy (have created policy etc)
How do i achieve with CDK ?
i tried using provisioning template, but i am a bit unsure about that.
my code
const iotAssumeRoleWithCertificatePolicy = new iot.CfnPolicy(this, 'iotAssumeRoleWithCertificatePolicy', {
policyName: 'iotAssumeRoleWithCertificatePolicy',
policyDocument: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:AssumeRoleWithCertificate",
"Resource": iotRoleAlias.roleArn.toString(),
}
]
},
});
const provisioningTemplateBody = {
"Parameters": {
"ThingName": {
"Type": "String"
},
"CSR": {
"Type": "String"
},
},
"Resources": {
"thing": {
"Type": "AWS::IoT::Thing",
"Properties": {
"ThingName": { "Ref": "ThingName" },
"ThingTypeName": "server-type",
"ThingGroups": [
"server-group",
]
}
},
"certificate": {
"Type": "AWS::IoT::Certificate",
"Properties": {
"CertificateSigningRequest": { "Ref": "CSR" },
CertificateId: {
Ref: 'AWS::IoT::Certificate::Id',
},
"Status": "ACTIVE"
}
},
"policy": {
"Type": "AWS::IoT::Policy",
"Properties": {
"PolicyName": iotAssumeRoleWithCertificatePolicy.toString(),
}
}
}
}
const provisiongTemplate = new iot.CfnProvisioningTemplate(this, 'iot-provisioning-template', {
provisioningRoleArn: iotProvisioningRole.roleArn,
templateBody: JSON.stringify(provisioningTemplateBody),
});

Related

Cloudformation stacks, then how can I find the reason or log

When deploying from template,
This service is stack as CREATE_IN_PROGRESS
ServiceD69D759B arn:aws:ecs:ap-northeast-1:6781002281XX:service/AdminCluster/CdkFargateStack-ServiceD69D759B-sm274jjTfbP7 AWS::ECS::Service CREATE_IN_PROGRESS Resource creation Initiated -
However I have no idea where to start.
This docker image receive the access from 8011, so in local
it works in local like this
docker run -p 8011:8011 -it st_admin_site:latest
I check CloudWatch but can't find the log.
This is my cdk command
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const cluster = new ecs.Cluster(this, "SampleCluster", {
clusterName: "AdminCluster"
});
const adminImage = ecs.ContainerImage.fromRegistry('st_admin_site:latest');
const taskDefinition = new ecs.FargateTaskDefinition(this, "TaskDef");
const container = taskDefinition.addContainer("DefaultContainer", {
image: adminImage,
memoryLimitMiB: 512,
cpu: 256
});
container.addPortMappings({
containerPort: 8011
});
const ecsService = new ecs.FargateService(this, "Service", {
cluster,
taskDefinition,
desiredCount: 2
});
const lb = new elb.ApplicationLoadBalancer(this, "LB", {
vpc: cluster.vpc,
internetFacing: true
});
const listener = lb.addListener("Listener", { port: 80 });
const targetGroup = listener.addTargets("ECS", {
protocol: elb.ApplicationProtocol.HTTP,
port: 8011,
targets: [ecsService]
});
And it makes the template.
{
"Resources": {
"SampleClusterB4B72990": {
"Type": "AWS::ECS::Cluster",
"Properties": {
"ClusterName": "AdminCluster"
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Resource"
}
},
"SampleClusterVpcD1C6ABD9": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsHostnames": true,
"EnableDnsSupport": true,
"InstanceTenancy": "default",
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/Resource"
}
},
"SampleClusterVpcPublicSubnet1SubnetE377A512": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.0.0/18",
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
},
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
},
"MapPublicIpOnLaunch": true,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "Public"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Public"
},
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1/Subnet"
}
},
"SampleClusterVpcPublicSubnet1RouteTable7114D244": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
},
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1/RouteTable"
}
},
"SampleClusterVpcPublicSubnet1RouteTableAssociation0B5402E3": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "SampleClusterVpcPublicSubnet1RouteTable7114D244"
},
"SubnetId": {
"Ref": "SampleClusterVpcPublicSubnet1SubnetE377A512"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1/RouteTableAssociation"
}
},
"SampleClusterVpcPublicSubnet1DefaultRoute28A82BC4": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "SampleClusterVpcPublicSubnet1RouteTable7114D244"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "SampleClusterVpcIGW21649D5C"
}
},
"DependsOn": [
"SampleClusterVpcVPCGW39AFB859"
],
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1/DefaultRoute"
}
},
"SampleClusterVpcPublicSubnet1EIPD2C3FC83": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1/EIP"
}
},
"SampleClusterVpcPublicSubnet1NATGateway715FE613": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"SubnetId": {
"Ref": "SampleClusterVpcPublicSubnet1SubnetE377A512"
},
"AllocationId": {
"Fn::GetAtt": [
"SampleClusterVpcPublicSubnet1EIPD2C3FC83",
"AllocationId"
]
},
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet1/NATGateway"
}
},
"SampleClusterVpcPublicSubnet2SubnetB88D2B08": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.64.0/18",
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
},
"AvailabilityZone": {
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
},
"MapPublicIpOnLaunch": true,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "Public"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Public"
},
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2/Subnet"
}
},
"SampleClusterVpcPublicSubnet2RouteTable8A11EEAD": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
},
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2/RouteTable"
}
},
"SampleClusterVpcPublicSubnet2RouteTableAssociation857BF408": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "SampleClusterVpcPublicSubnet2RouteTable8A11EEAD"
},
"SubnetId": {
"Ref": "SampleClusterVpcPublicSubnet2SubnetB88D2B08"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2/RouteTableAssociation"
}
},
"SampleClusterVpcPublicSubnet2DefaultRouteFD4087CF": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "SampleClusterVpcPublicSubnet2RouteTable8A11EEAD"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "SampleClusterVpcIGW21649D5C"
}
},
"DependsOn": [
"SampleClusterVpcVPCGW39AFB859"
],
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2/DefaultRoute"
}
},
"SampleClusterVpcPublicSubnet2EIPCB2281EA": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2/EIP"
}
},
"SampleClusterVpcPublicSubnet2NATGatewayB385D543": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"SubnetId": {
"Ref": "SampleClusterVpcPublicSubnet2SubnetB88D2B08"
},
"AllocationId": {
"Fn::GetAtt": [
"SampleClusterVpcPublicSubnet2EIPCB2281EA",
"AllocationId"
]
},
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PublicSubnet2/NATGateway"
}
},
"SampleClusterVpcPrivateSubnet1Subnet24256A44": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.128.0/18",
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
},
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
},
"MapPublicIpOnLaunch": false,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "Private"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Private"
},
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet1"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet1/Subnet"
}
},
"SampleClusterVpcPrivateSubnet1RouteTable55080EB4": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
},
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet1"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet1/RouteTable"
}
},
"SampleClusterVpcPrivateSubnet1RouteTableAssociationBC171CD8": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "SampleClusterVpcPrivateSubnet1RouteTable55080EB4"
},
"SubnetId": {
"Ref": "SampleClusterVpcPrivateSubnet1Subnet24256A44"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet1/RouteTableAssociation"
}
},
"SampleClusterVpcPrivateSubnet1DefaultRouteB1C5B147": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "SampleClusterVpcPrivateSubnet1RouteTable55080EB4"
},
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "SampleClusterVpcPublicSubnet1NATGateway715FE613"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet1/DefaultRoute"
}
},
"SampleClusterVpcPrivateSubnet2Subnet25DCB36D": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.192.0/18",
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
},
"AvailabilityZone": {
"Fn::Select": [
1,
{
"Fn::GetAZs": ""
}
]
},
"MapPublicIpOnLaunch": false,
"Tags": [
{
"Key": "aws-cdk:subnet-name",
"Value": "Private"
},
{
"Key": "aws-cdk:subnet-type",
"Value": "Private"
},
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet2"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet2/Subnet"
}
},
"SampleClusterVpcPrivateSubnet2RouteTable35B9289E": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
},
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet2"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet2/RouteTable"
}
},
"SampleClusterVpcPrivateSubnet2RouteTableAssociationC174EB56": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "SampleClusterVpcPrivateSubnet2RouteTable35B9289E"
},
"SubnetId": {
"Ref": "SampleClusterVpcPrivateSubnet2Subnet25DCB36D"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet2/RouteTableAssociation"
}
},
"SampleClusterVpcPrivateSubnet2DefaultRoute74AE4D72": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "SampleClusterVpcPrivateSubnet2RouteTable35B9289E"
},
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "SampleClusterVpcPublicSubnet2NATGatewayB385D543"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/PrivateSubnet2/DefaultRoute"
}
},
"SampleClusterVpcIGW21649D5C": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "CdkFargateStack/SampleCluster/Vpc"
}
]
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/IGW"
}
},
"SampleClusterVpcVPCGW39AFB859": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
},
"InternetGatewayId": {
"Ref": "SampleClusterVpcIGW21649D5C"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/SampleCluster/Vpc/VPCGW"
}
},
"TaskDefTaskRole1EDB4A67": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/TaskDef/TaskRole/Resource"
}
},
"TaskDef54694570": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Cpu": 256,
"Essential": true,
"Image": "st_admin_site:latest",
"Memory": 512,
"Name": "DefaultContainer",
"PortMappings": [
{
"ContainerPort": 8011,
"Protocol": "tcp"
}
]
}
],
"Cpu": "256",
"Family": "CdkFargateStackTaskDef424235B4",
"Memory": "512",
"NetworkMode": "awsvpc",
"RequiresCompatibilities": [
"FARGATE"
],
"TaskRoleArn": {
"Fn::GetAtt": [
"TaskDefTaskRole1EDB4A67",
"Arn"
]
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/TaskDef/Resource"
}
},
"ServiceD69D759B": {
"Type": "AWS::ECS::Service",
"Properties": {
"Cluster": {
"Ref": "SampleClusterB4B72990"
},
"DeploymentConfiguration": {
"MaximumPercent": 200,
"MinimumHealthyPercent": 50
},
"DesiredCount": 2,
"EnableECSManagedTags": false,
"HealthCheckGracePeriodSeconds": 60,
"LaunchType": "FARGATE",
"LoadBalancers": [
{
"ContainerName": "DefaultContainer",
"ContainerPort": 8011,
"TargetGroupArn": {
"Ref": "LBListenerECSGroup1D445DF5"
}
}
],
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"AssignPublicIp": "DISABLED",
"SecurityGroups": [
{
"Fn::GetAtt": [
"ServiceSecurityGroupC96ED6A7",
"GroupId"
]
}
],
"Subnets": [
{
"Ref": "SampleClusterVpcPrivateSubnet1Subnet24256A44"
},
{
"Ref": "SampleClusterVpcPrivateSubnet2Subnet25DCB36D"
}
]
}
},
"TaskDefinition": {
"Ref": "TaskDef54694570"
}
},
"DependsOn": [
"LBListenerECSGroup1D445DF5",
"LBListener49E825B4"
],
"Metadata": {
"aws:cdk:path": "CdkFargateStack/Service/Service"
}
},
"ServiceSecurityGroupC96ED6A7": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "CdkFargateStack/Service/SecurityGroup",
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow all outbound traffic by default",
"IpProtocol": "-1"
}
],
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/Service/SecurityGroup/Resource"
}
},
"ServiceSecurityGroupfromCdkFargateStackLBSecurityGroupF16A57958011E231ABAF": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"IpProtocol": "tcp",
"Description": "Load balancer to target",
"FromPort": 8011,
"GroupId": {
"Fn::GetAtt": [
"ServiceSecurityGroupC96ED6A7",
"GroupId"
]
},
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"LBSecurityGroup8A41EA2B",
"GroupId"
]
},
"ToPort": 8011
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/Service/SecurityGroup/from CdkFargateStackLBSecurityGroupF16A5795:8011"
}
},
"LB8A12904C": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"LoadBalancerAttributes": [
{
"Key": "deletion_protection.enabled",
"Value": "false"
}
],
"Scheme": "internet-facing",
"SecurityGroups": [
{
"Fn::GetAtt": [
"LBSecurityGroup8A41EA2B",
"GroupId"
]
}
],
"Subnets": [
{
"Ref": "SampleClusterVpcPublicSubnet1SubnetE377A512"
},
{
"Ref": "SampleClusterVpcPublicSubnet2SubnetB88D2B08"
}
],
"Type": "application"
},
"DependsOn": [
"SampleClusterVpcPublicSubnet1DefaultRoute28A82BC4",
"SampleClusterVpcPublicSubnet2DefaultRouteFD4087CF"
],
"Metadata": {
"aws:cdk:path": "CdkFargateStack/LB/Resource"
}
},
"LBSecurityGroup8A41EA2B": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Automatically created Security Group for ELB CdkFargateStackLBFC3A10CF",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow from anyone on port 80",
"FromPort": 80,
"IpProtocol": "tcp",
"ToPort": 80
}
],
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/LB/SecurityGroup/Resource"
}
},
"LBSecurityGrouptoCdkFargateStackServiceSecurityGroupB491C33C801194A30A9B": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Fn::GetAtt": [
"LBSecurityGroup8A41EA2B",
"GroupId"
]
},
"IpProtocol": "tcp",
"Description": "Load balancer to target",
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"ServiceSecurityGroupC96ED6A7",
"GroupId"
]
},
"FromPort": 8011,
"ToPort": 8011
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/LB/SecurityGroup/to CdkFargateStackServiceSecurityGroupB491C33C:8011"
}
},
"LBListener49E825B4": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [
{
"TargetGroupArn": {
"Ref": "LBListenerECSGroup1D445DF5"
},
"Type": "forward"
}
],
"LoadBalancerArn": {
"Ref": "LB8A12904C"
},
"Port": 80,
"Protocol": "HTTP"
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/LB/Listener/Resource"
}
},
"LBListenerECSGroup1D445DF5": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"Port": 8011,
"Protocol": "HTTP",
"TargetGroupAttributes": [
{
"Key": "stickiness.enabled",
"Value": "false"
}
],
"TargetType": "ip",
"VpcId": {
"Ref": "SampleClusterVpcD1C6ABD9"
}
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/LB/Listener/ECSGroup/Resource"
}
},
"CDKMetadata": {
"Type": "AWS::CDK::Metadata",
"Properties": {
"Analytics": "v2:deflate64:H4sIAAAAAAAA/31Ry27CMBD8Fu7GBSr1TilFSFUVJYhr5ThbumDWkR9BKMq/184D0lbqaWdn18nMzoLPZ3w2ERc7lcVpqjDndeaEPLFAfdQgLa9XylsHhq0+aYCvwhyEg52wpxf4REKHmuLCb0aTE0hgRlz/NgNToYT4qIcNA7ng9b6UkdwnK5b4XKHMfE7g2sUbSrWPv88V3Pk7t7RWSxSDqHYQwXqbxPIu3CYouIgrSwxWUcztw1sK/gIeFjolfbd04TRfZyDHMpDeoLtujPZlZ+I/YksHA9b+4dct3TAUZ16nurMTaziGEtahVFoUuVCCJNKhCvdZlmU4SmvuLcye21kXz49+vIchNep3Bjya70IkwfKgfNQ2DUvBam+6pMY4ZFu0iTaMdAH8aB+q+ROfP/LF5GgRp8aTwzPwtKvfgpQF22sCAAA="
},
"Metadata": {
"aws:cdk:path": "CdkFargateStack/CDKMetadata/Default"
},
"Condition": "CDKMetadataAvailable"
}
},
TEST
I am checking the log in in aws web console.
Cluster > AdminCluster > service: CdkFargateStack-ServiceD69D759B-cYrAHaRDN4mF
in event tab,
There are log like this
Service tries to start the task every one minutes.
TEST
ECS supports docker-compose style deployment.
So I try this with same image, then it works well
$docker context ls
default * moby Current DOCKER_HOST based configuration unix:///var/run/docker.sock swarm
desktop-linux moby unix:///Users/whitebear/.docker/run/docker.sock
docker-lamp-ecs ecs
$docker context use docker-lamp-ecs
$docker compose docker-compose.yml up
this deployment finished correctly container starts on ECS
However it fails in CDK.
SOLUTION
I found out the solution.
This could work
const adminRepo = ecr.Repository.fromRepositoryArn(this, 'AdminRepository', 'arn:aws:ecr:ap-northeast-1:678100XXXXXX:repository/st_admin_site')
const adminImage = ecs.ContainerImage.fromEcrRepository(adminRepo,"latest");
The previous code,
const adminImage = ecs.ContainerImage.fromRegistry('st_admin_site:latest')
it doesn't mean to get my ecrRepository....
I use ARN instead.
This is stupid mistakes.
However there is not the way to get the log.
So it takes long time to find out.
Thank you for your help.
I had some stacks that took more than 30 minutes in the past :D How long were you waiting ?
What was the resources part looking ? What was already created, what was still "in action" :) ?
Did something crashed while creating and was in multiple retries ?
Not much information to really know what's happening, but IIRC if your container fails to start it will fail to create the ECS service. You can check if the service was actually created in the ECS console, and if it exists, check the event log to see if they aren't failing. If they are failing, you can check the reason in the task.

ARM Template for Importing Azure Key Vault Certificate in Function App

I have a function app which calls another API with a certificate. This certificate (.pfx) file is already present in the key vault. I am using below ARM template to import the certificate to SSL settings of the function app.
Note: the function app gets deployed fine when I remove section "hostNameSslStates". But after adding it, I get -
"Code": "Conflict",
"Message": "The certificate with thumbprint 'XXXXXXXX' does not match the hostname
'blobcreate-eventgridtrigger-functionapp.azurewebsites.net'."
ARM Template resources section-
`
"resources": [
//StorageAccount
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccounts_name')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "[parameters('storageSKU')]",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"accessTier": "Hot"
}
},
//BlobService
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[variables('blobServiceName')]",
"dependsOn": ["[variables('storageAccountResourceId')]"],
"sku": {
"name": "[parameters('storageSKU')]"//,
// "tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
//function app with server farm
//cert store access policies update-
{
"type": "Microsoft.KeyVault/vaults",
"name": "testARMTemplateKeyVault",
"apiVersion": "2016-10-01",
"location": "[resourceGroup().location]",
"properties": {
"sku": {
"family": "A",
"name": "standard"
},
"tenantId": "c29678d0-eceb-4df2-a225-79cf795a6b64",
"accessPolicies": [
{
"tenantId": "tenantIdOfSubscription", //obtained from Get-AzTenant
"objectId": "objectid of Microsoft Azure App Service", //obtained from Get-AzADServicePrincipal
"permissions": {
"keys": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"Backup",
"Restore"
],
"secrets": [
"Get",
"List",
"Set",
"Delete",
"Recover",
"Backup",
"Restore"
],
"certificates": [
"Get",
"List",
"Update",
"Create",
"Import",
"Delete",
"Recover",
"ManageContacts",
"ManageIssuers",
"GetIssuers",
"ListIssuers",
"DeleteIssuers"
],
"storage": []
}
}
],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": true,
"enableSoftDelete": true
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"name": "[variables('azurefunction_hostingPlanName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Y1",
"tier": "Dynamic"
},
"properties": {
"name": "[variables('azurefunction_hostingPlanName')]",
"computeMode": "Dynamic"
}
},
{
"type": "Microsoft.Web/certificates",
"name": "testingcert",
"apiVersion": "2016-03-01",
"location": "[resourceGroup().location]",
"properties": {
"keyVaultId": "[resourceId('Microsoft.KeyVault/vaults', 'testARMTemplateKeyVault')]",
"keyVaultSecretName": "testingcert",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('azurefunction_hostingPlanName'))]"
}
},
{
"apiVersion": "2018-11-01",
"type": "Microsoft.Web/sites",
"name": "[parameters('functionAppName')]",
"location": "[resourceGroup().location]",
"kind": "functionapp",
"dependsOn": [
"[variables('azureFunction_serverFarmResourceId')]",
"[variables('storageAccountResourceId')]",
"[resourceId('Microsoft.Web/certificates', 'testingcert')]"
],
"properties": {
"serverFarmId": "[variables('azureFunction_serverFarmResourceId')]",
"siteConfig": {
"appSettings": [
{
"name": "AzureWebJobsStorage",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccounts_name'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),variables('storageAccountApiVersion')).keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccounts_name'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),variables('storageAccountApiVersion')).keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[toLower(parameters('functionAppName'))]"
},
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~2"
},
{
"name": "WEBSITE_NODE_DEFAULT_VERSION",
"value": "~10"
},
{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference(resourceId('microsoft.insights/components/', parameters('functionApp_applicationInsightsName')), '2015-05-01').InstrumentationKey]"
},
{
"name": "FUNCTIONS_WORKER_RUNTIME",
"value": "dotnet"
},
{
"name": "WEBSITE_LOAD_CERTIFICATES",
"value": "required certificate thumprint"
}
]
},
"hostNameSslStates": [
{
"name": "blobcreate-eventgridtrigger-functionapp.azurewebsites.net",//obtained from custom domains flatform features of the function app
"sslState": "SniEnabled",
"thumbprint": "[reference(resourceId('Microsoft.Web/certificates', 'testingcert')).Thumbprint]",
"toUpdate": true
}
]
}
}
]`
add certificates section in template -
{
"type": "Microsoft.Web/certificates",
"name": "[parameters('CertificateName')]",
"apiVersion": "2019-08-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Web/serverFarms/', variables('azurefunction_hostingPlanName'))]"
],
"properties": {
"keyVaultId": "[parameters('keyvaultResourceId')]",
"keyVaultSecretName": "[parameters('invoiceApiCertificateKeyVaultSecretName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('azurefunction_hostingPlanName'))]"
}
}
and then add dependsOn for this certificate in the function app-
[resourceId('Microsoft.Web/certificates', parameters('CertificateName'))]
well, the error is quite obvious, you are trying to add a certificate for blobcreate-eventgridtrigger-functionapp.azurewebsites.net but the dns name on the certificate doesnt match that, hence the error. that is probably not the right way to add a certificate unless its going to be used for SSL termination

How to update a Secret in Azure Key Vault only if changed in ARM templates or check if it exists

I have a production keyvault that keeps a reference of secrets that projects can use, but only if deployed using ARM templates such secrets are not handled by people copy pasting them.
When a new project starts, as part of its deployment script, it will create its own keyvault.
I want to be able to run the templates/scripts as part of CI/CD. And this will today result in the same secret having a new version at each run, even though the value did not change.
How to make it only update the keyvault value when the master vault is updated.
In my deployment.sh script I use the following technique.
SendGridUriWithVersion=$((az group deployment create ... assume that the secret exists ... || az group deployment create ... assume that the secret exists ... ) | jq -r '.properties.outputs.secretUriWithVersion.value')
and it works because in the template there is a parameter, if set, that will retrieve the secret and compare it with the new value and only insert if difference. The original problem is that the deployment fails if the secret is not already set (this happens for the first deployment etc).
But then due to Unix ||, the same script is run again without the parameter set and it will use a condition to not try to get the old value and therefore run successful.
Here are the example in dept:
SecretName="Sendgrid"
SourceSecretName="Sendgrid"
SourceVaultName="io-board"
SourceResourceGroup="io-board"
SendGridUriWithVersion=$((az group deployment create -n ${SecretName}-secret -g $(prefix)-$(projectName)-$(projectEnv) --template-uri https://management.dotnetdevops.org/providers/DotNetDevOps.AzureTemplates/templates/KeyVaults/${keyVaultName}/secrets/${SecretName}?sourced=true --parameters sourceVault=${SourceVaultName} sourceResourceGroup=${SourceResourceGroup} sourceSecretName=${SourceSecretName} update=true || az group deployment create -n ${SecretName}-secret -g $(prefix)-$(projectName)-$(projectEnv) --template-uri https://management.dotnetdevops.org/providers/DotNetDevOps.AzureTemplates/templates/KeyVaults/${keyVaultName}/secrets/${SecretName}?sourced=true --parameters sourceVault=${SourceVaultName} sourceResourceGroup=${SourceResourceGroup} sourceSecretName=${SourceSecretName}) | jq -r '.properties.outputs.secretUriWithVersion.value')
The https://management.dotnetdevops.org/providers/DotNetDevOps.AzureTemplates/templates/KeyVaults/{keyvaultName}/secrets/{secretName}?sourced=true returns a template
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVaultName": {
"type": "string",
"defaultValue": "io-board-data-ingest-dev"
},
"secretName": {
"type": "string",
"metadata": {
"description": "Name of the secret to store in the vault"
},
"defaultValue": "DataStorage"
},
"sourceVaultSubscription": {
"type": "string",
"defaultValue": "[subscription().subscriptionId]"
},
"sourceVault": {
"type": "string",
"defaultValue": "[subscription().subscriptionId]"
},
"sourceResourceGroup": {
"type": "string",
"defaultValue": "[resourceGroup().name]"
},
"sourceSecretName": {
"type": "string"
},
"update": {
"type": "bool",
"defaultValue": false
}
},
"variables": {
"empty": {
"value": ""
},
"test": {
"reference": {
"keyVault": {
"id": "[resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
},
"secretName": "[parameters('secretName')]"
}
}
},
"resources": [
{
"apiVersion": "2018-05-01",
"name": "AddLinkedSecret",
"type": "Microsoft.Resources/deployments",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[concat('https://management.dotnetdevops.org/providers/DotNetDevOps.AzureTemplates/templates/KeyVaults/',parameters('keyVaultName'),'/secrets/',parameters('secretName'))]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"existingValue": "[if(parameters('update'),variables('test'),variables('empty'))]",
"secretValue": {
"reference": {
"keyVault": {
"id": "[resourceId(parameters('sourceVaultSubscription'), parameters('sourceResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('sourceVault'))]"
},
"secretName": "[parameters('sourceSecretName')]"
}
}
}
}
}
],
"outputs": {
"secretUriWithVersion": {
"type": "string",
"value": "[reference('AddLinkedSecret').outputs.secretUriWithVersion.value]"
}
}
}
and that template has a nested call to https://management.dotnetdevops.org/providers/DotNetDevOps.AzureTemplates/templates/KeyVaults/{keyvaultName}/secrets/{secretName} which gives the one with the condition
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyVaultName": {
"type": "string",
"defaultValue": "io-board-data-ingest-dev",
"metadata": {
"description": "Name of the existing vault"
}
},
"secretName": {
"type": "string",
"metadata": {
"description": "Name of the secret to store in the vault"
},
"defaultValue": "DataStorage"
},
"secretValue": {
"type": "securestring",
"metadata": {
"description": "Value of the secret to store in the vault"
}
},
"existingValue": {
"type": "securestring",
"defaultValue": ""
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.KeyVault/vaults/secrets",
"condition": "[not(equals(parameters('existingValue'),parameters('secretValue')))]",
"apiVersion": "2015-06-01",
"name": "[concat(parameters('keyVaultName'), '/', parameters('secretName'))]",
"properties": {
"value": "[parameters('secretValue')]"
}
}
],
"outputs": {
"secretUriWithVersion": {
"type": "string",
"value": "[reference(resourceId(resourceGroup().name, 'Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretName')), '2015-06-01').secretUriWithVersion]"
}
}
}

AWS API Gateway api key required not set to 'true' after deployment

I have a .NET solution that uses a SAM template to generate cloudformation to deploy the stack. I am expecting the deployment - once complete - to have API Key Required = true on at least one of the methods. However after deployment, the keys and usage plans are created, but in the console the api key required is still set to false?
See below:
My SAM template:
"ServerlessRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Description":"This is a placeholder for the description of this web api",
"Body": {
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"x-amazon-apigateway-api-key-source": "HEADER",
"paths": {
"datagw/general/table/get/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
}
},
"responses": {}
},
"security":[
{
"api_key":[]
}
]},
"securityDefinitions":{
"api_key":{
"type":"apiKey",
"name":"x-api-key",
"in":"header"
}
},
"/": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
}
},
"responses": {}
}
},
"/tables/{tableid}/{columnid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
}
},
"responses": {}
}
}
},
"swagger": "2.0"
}
}
},
I am not that familiar with swagger definitions, I know only the basics of SAM and CloudFormation. What am I missing here? I have reviewed other answers on stack overflow and believe I've copied the configuration correctly.
When I check the generated CloudFormation, my entries regarding x-api-key are not even present in the template?
"ServerlessRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Body": {
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"paths": {
"datagw/general/table/get/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
}
},
"responses": {}
}
},
"/datagw/general/webhook/ccnotify": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${PostClickCollectNotification.Arn}/invocations"
}
},
"responses": {}
}
},
"/": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
}
},
"responses": {}
}
},
"/tables/{tableid}/{columnid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
}
},
"responses": {}
}
},
"/datagw/general/post/sohupdate": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${PostClickCollectStockUpdate.Arn}/invocations"
}
},
"responses": {}
}
}
},
"swagger": "2.0"
}
}
},
EDIT: This is what I have worked up to, but still API key required is not set to true in the API once the deployment has completed.
"ServerlessRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Description":"InSite Web API Version 2.0.0.0",
"Body": {
"swagger": "2.0",
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"x-amazon-apigateway-api-key-source" : "HEADER",
"schemes":["https"],
"paths": {
"tables/query/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
}
},
"responses": {},
"security": [
{
"api_key": []
}
]
}
},
"/products/update/": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${PostClickCollectStockUpdate.Arn}/invocations"
}
},
"responses": {}
}
},
"/": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
}
},
"responses": {}
}
},
"/tables/{tableid}/{columnid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
}
},
"responses": {}
}
}
},
"securityDefinitions": {
"api_key": {
"type": "apiKey",
"name": "x-api-key",
"in": "header"
}
}
}
}
},
So first off, if you are using the SAM framework, then why not try the serverless API (AWS::Serverless::Api) which has an Auth object where you can turn on ApiKeyRequired.
https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessapi
"ServerlessRestApi": {
"Type": "AWS::Serverless::Api",
"Properties": {
"Description":"InSite Web API Version 2.0.0.0",
"Auth": {
"ApiKeyRequired": "true"
},
"DefinitionBody": {
"swagger": "2.0",
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"x-amazon-apigateway-api-key-source" : "HEADER",
"schemes":["https"],
"paths": {
"tables/query/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
}
},
"responses": {},
"security": [
{
"api_key": []
}
]
}
},
"/products/update/": {
"post": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${PostClickCollectStockUpdate.Arn}/invocations"
}
},
"responses": {}
}
},
"/": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
}
},
"responses": {}
}
},
"/tables/{tableid}/{columnid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "GET",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
}
},
"responses": {}
}
}
},
"securityDefinitions": {
"api_key": {
"type": "apiKey",
"name": "x-api-key",
"in": "header"
}
}
}
}
},
If for some reason you cannot use the serverless, you might be trying to overload the RestApi (which is fine, but you lose some of the other fine grain options). For full disclosure I do not work with API gateway in this way (I use the serverless transform) so this is all from reading the documentation and not from experiance.
I would try creating a bare bones AWS::ApiGateway::RestApi and then attach an AWS::ApiGateway::Method to the RestApi by reference it though RestApiId.
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html
I think you are missing the "securityDefinitions":
Body:
swagger: "2.0"
...
...
securityDefinitions:
sigv4:
type: "apiKey"
name: "x-api-key"
in: "header"
x-amazon-apigateway-authorizer:
type: token
You can find here some more examples:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-as-s3-proxy-export-swagger-with-extensions.html

Unable to Consume northwind ODATA service in WEBIDE

I am new to WEBIDE, I am trying to consume northwind odata services, but so far I have been unsuccessful. Please see my code & help.
connection test on destination also was successful. but still I am getting error:
/V3/Northwind/Northwind.svc/$metadata", statusCode: 404, statusText:
"Not Found", headers: Array(0), body: "The resource you are looking
for has been removed,… its name changed, or is temporarily
unavailable."} responseText:"The resource you are looking for has been
removed, had its name changed, or is temporarily unavailable."
statusCode:404 statusText:"Not Found"
proto:Object
any suggestions, what I might be doing wrong?
neo-app.json:
{
"path": "/destinations/northwind",
"target": {
"type": "destination",
"name": "northwind"
},
"description": "Northwind OData Service"
}
manifest.json:
"sap.app": {
"id": "Mod3Act3",
"type": "application",
"i18n": "i18n/i18n.properties",
"title": "{{appTitle}}",
"description": "{{appDescription}}",
"applicationVersion": {
"version": "1.0.0"
},
"dataSources": {
"northwind": {
"uri": "/V3/Northwind/Northwind.svc/",
"type": "OData",
"settings": {
"odataVersion": "2.0"
}
}
}
},
"sap.ui5": {
"rootView": {
"viewName": "Mod3Act3.view.Main",
"type": "XML"
},
"dependencies": {
"minUI5Version": "1.30.0",
"libs": {
"sap.ui.core": {},
"sap.m": {},
"sap.ui.layout": {},
"sap.ushell": {},
"sap.collaboration": {},
"sap.ui.comp": {},
"sap.uxap": {}
}
},
"contentDensities": {
"compact": true,
"cozy": true
},
"models": {
"": {
"dataSource": "northwind"
}
},
"resources": {
"css": [{
"uri": "css/style.css"
}]
}
}
controller
var url = "/V3/Northwind/Northwind.svc";
var oModel1 = new sap.ui.model.odata.ODataModel(url, true);
sap.ui.getCore().setModel(oModel1, "categoryList");
issue was with manifest.json.
"dataSources": {
"northwind": {
"uri": "/destinations/northwind/V3/Northwind/Northwind.svc/",
"type": "OData",
"settings": {"odataVersion": "2.0" }
}
}
this worked
please try the example from the sapui5 walk through:
manifest.json
{
"_version": "1.8.0",
"sap.app": {
...
"ach": "CA-UI5-DOC",
"dataSources": {
"invoiceRemote": {
"uri": "https://services.odata.org/V2/Northwind/Northwind.svc/",
"type": "OData",
"settings": {
"odataVersion": "2.0"
}
}
}
},
"sap.ui": {
...
},
"sap.ui5": {
...
"models": {
"i18n": {
"type": "sap.ui.model.resource.ResourceModel",
"settings": {
"bundleName": "sap.ui.demo.walkthrough.i18n.i18n"
}
},
"invoice": {
"dataSource": "invoiceRemote"
}
}
}
}
controller
...
var oModel = this.getView().getModel("invoice");
...
please be aware of the accepting of the certificate due to the https connection and the same origin policy both mentioned in the linked walk through example.

Resources