This command-line application lists all the AWS API calls invoked by the create/update/delete CloudFormation handlers of a resource type. It sets up a CloudTrail trail to capture the CloudTrail event logs and processes them to extract the API calls. In detail, it:
- Sets up a CloudTrail trail that delivers CloudTrail events to an S3 bucket.
- Runs the CloudFormation handlers by creating, updating and deleting stacks from the input templates.
- Polls for the notifications that CloudTrail generates when event logs become available in the S3 bucket set up in step 1.
- Processes the event logs from the S3 bucket, extracts the handler API calls and displays them.
As mentioned in the description, this CLI indirectly invokes a resource handler through a CloudFormation stack. Hence, if you want to record the AWS API calls invoked by the legacy handlers while migrating your resource type, ensure that the registered resource type is the legacy type. You can check this by running describe-type and inspecting the value of the ProvisioningType field.
For example:
aws cloudformation describe-type --type-name AWS::S3::Bucket --type RESOURCE --region us-east-1 | jq .ProvisioningType
"NON_PROVISIONABLE"
If the provisioning type is not NON_PROVISIONABLE, use the deregister-type CloudFormation CLI command to deregister all existing versions of the resource type.
Example output:
{
"delete-handler-events" : [ "DeleteBucket" ],
"create-handler-events" : [ "GetBucketAnalyticsConfiguration", "GetBucketLogging", "GetBucketInventoryConfiguration", "GetBucketMetricsConfiguration", "GetBucketNotification", "GetAccelerateConfiguration", "GetBucketEncryption", "GetBucketObjectLockConfiguration", "GetBucketIntelligentTieringConfiguration", "GetBucketCors", "GetBucketLifecycle", "GetBucketOwnershipControls", "GetBucketPublicAccessBlock", "GetBucketReplication", "GetBucketTagging", "GetBucketVersioning", "GetBucketWebsite", "CreateBucket" ],
"update-handler-events" : [ "PutBucketTagging", "GetBucketAnalyticsConfiguration", "GetBucketEncryption", "GetAccelerateConfiguration", "GetBucketCors", "GetBucketIntelligentTieringConfiguration", "GetBucketInventoryConfiguration", "GetBucketMetricsConfiguration", "GetBucketLifecycle", "GetBucketLogging", "GetBucketNotification", "GetBucketPublicAccessBlock", "GetBucketObjectLockConfiguration", "GetBucketTagging", "GetBucketVersioning", "GetBucketReplication", "GetBucketWebsite", "GetBucketOwnershipControls" ]
}
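The following is an added example, not code from the handler-permission-getter project, showing what step 4 of the workflow above amounts to: reading a gzip-compressed CloudTrail log file of the kind the trail delivers to S3, keeping only the calls CloudFormation made on the caller's behalf, and grouping the distinct event names per handler phase in the same shape as the example output. The sample records and the phase time windows are constructed; attributing calls by the userIdentity.invokedBy field and by the wall-clock window of each stack operation is an assumption of this example, not the project's documented attribution logic. It also goes one step beyond the page by deriving candidate "service:Action" strings, which is the raw material for a handler permission policy.

```python
"""Added example: extract per-handler API calls from CloudTrail log records.

Not part of the handler-permission-getter project; attribution by
userIdentity.invokedBy and by phase time windows is an assumption here.
"""
import gzip
import json
from datetime import datetime, timezone

CFN_SERVICE = "cloudformation.amazonaws.com"

# Constructed sample of a CloudTrail log file body ({"Records": [...]}).
# Values are made up; they only model the fields this example reads.
SAMPLE_RECORDS = {
    "Records": [
        {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
         "eventName": "CreateBucket", "userIdentity": {"invokedBy": CFN_SERVICE}},
        {"eventTime": "2024-01-01T10:00:07Z", "eventSource": "s3.amazonaws.com",
         "eventName": "GetBucketVersioning", "userIdentity": {"invokedBy": CFN_SERVICE}},
        # Noise: a call in the same window that CloudFormation did not make.
        {"eventTime": "2024-01-01T10:00:08Z", "eventSource": "s3.amazonaws.com",
         "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser"}},
        {"eventTime": "2024-01-01T10:05:01Z", "eventSource": "s3.amazonaws.com",
         "eventName": "PutBucketTagging", "userIdentity": {"invokedBy": CFN_SERVICE}},
        {"eventTime": "2024-01-01T10:05:02Z", "eventSource": "s3.amazonaws.com",
         "eventName": "GetBucketTagging", "userIdentity": {"invokedBy": CFN_SERVICE}},
        {"eventTime": "2024-01-01T10:10:03Z", "eventSource": "s3.amazonaws.com",
         "eventName": "DeleteBucket", "userIdentity": {"invokedBy": CFN_SERVICE}},
        # Outside every phase window (e.g. a later manual cleanup): ignored.
        {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "DeleteBucket", "userIdentity": {"invokedBy": CFN_SERVICE}},
    ]
}

# Hypothetical wall-clock windows of the create, update and delete stack
# operations. In practice these come from the stack events of each run.
PHASE_WINDOWS = {
    "create": ("2024-01-01T10:00:00Z", "2024-01-01T10:01:00Z"),
    "update": ("2024-01-01T10:05:00Z", "2024-01-01T10:06:00Z"),
    "delete": ("2024-01-01T10:10:00Z", "2024-01-01T10:11:00Z"),
}


def make_sample_log_gz() -> bytes:
    """Serialise the constructed records the way CloudTrail delivers them (gzip JSON)."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


def load_records(log_gz: bytes) -> list:
    """Decompress one delivered log object and return its Records array."""
    return json.loads(gzip.decompress(log_gz))["Records"]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _made_by_cfn_in_window(rec: dict, window: tuple) -> bool:
    """True when CloudFormation made the call and it falls inside the phase window."""
    if rec.get("userIdentity", {}).get("invokedBy") != CFN_SERVICE:
        return False
    start, end = window
    return _ts(start) <= _ts(rec["eventTime"]) < _ts(end)


def handler_events(records: list, windows: dict = PHASE_WINDOWS) -> dict:
    """Distinct eventNames per phase, in first-seen order, keyed like the tool's output."""
    out = {f"{phase}-handler-events": [] for phase in windows}
    for rec in records:
        for phase, window in windows.items():
            key = f"{phase}-handler-events"
            if _made_by_cfn_in_window(rec, window) and rec["eventName"] not in out[key]:
                out[key].append(rec["eventName"])
    return out


def candidate_iam_actions(records: list, windows: dict = PHASE_WINDOWS) -> dict:
    """Sorted 'service:EventName' strings per phase.

    The service prefix is taken from eventSource ('s3.amazonaws.com' -> 's3').
    CloudTrail's eventName is the API operation name, which is not always the
    IAM action name, so each entry still needs checking against the service
    authorization reference before it goes into a handler policy.
    """
    out = {}
    for phase, window in windows.items():
        actions = set()
        for rec in records:
            if _made_by_cfn_in_window(rec, window):
                service = rec["eventSource"].split(".")[0]
                actions.add(f"{service}:{rec['eventName']}")
        out[phase] = sorted(actions)
    return out


if __name__ == "__main__":
    recs = load_records(make_sample_log_gz())
    print(json.dumps(handler_events(recs), indent=2))
    print(json.dumps(candidate_iam_actions(recs), indent=2))
```

Keeping the ListBuckets call out of the result is the point of the invokedBy filter: a trail captures every call in the account during the window, so without an attribution rule the tool would over-report permissions that the handler never needs.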
- Create an input directory structure like the one below that contains all the create/update stack templates (these should cover 100% of the resource's properties). These are usually the contract test inputs, converted to CloudFormation templates:
inputs
└── input1
    ├── create.json
    └── update.json
...
- Run the CLI. From the package root:
mvn package
java -jar target/handler-permission-getter.jar --region <region> --templates-root-dir <root path of the stack templates>
Example:
java -jar target/handler-permission-getter.jar -r us-east-1 --d /Users/alexark/inputs