How to manage custom CloudFormation resources with Lambda

CloudFormation supports a lot of resources out of the box. But sometimes they are not enough.

9 mins
I have a lot of challenges when it comes to AWS, but I bet your pain points are entirely different than mine. I'd love to hear what keeps you up at night. It would be great to hear from you by filling out this form. Thanks in advance!

Background

CloudFormation is a powerful tool, and has broad support to other AWS services. Essentially, it is the main part of the infrastructure-as-code concept within the AWS environment.

It is great and supports many services out of the box. But what if you need something that it has no support?

This is when custom resources come in handy. They let you define a Lambda function that handles the lifecycle of the resource, be it any type, even outside AWS.

Let’s see how to make it work and a minimal config that you’ll need to get started with custom resources!

The resource

To define a custom resource, use the prefix Custom:: and give it a name. It can have parameters and outputs, just like any other regular resource:

Resources:
  Custom:
    Type: Custom::CustomResource
    Properties:
      Param1: val1
      Param2: val2

Until now, it looks like a regular resource with a logical name (resource name) of Custom and a type of Custom::CustomResource.

Let’s see what you’ll need to make a Lambda function manage its lifecycle!

The Lambda function

CloudFormation

On the CloudFormation side, you’ll need a Lambda function and an execution role for it. This part is the same as any other Lambda function.

The first part, the execution role defines the trust policy that allows the Lambda service to assume it, as well as a set of policies the function has access to:

Resources:
  CustomResourceLambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
          Action:
          - sts:AssumeRole
      Policies:
      - PolicyName: allow-logs
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - 'logs:*'
            Resource: arn:aws:logs:*:*:*

This part is standard for all kinds of functions.

Then we need the Lambda resource itself, defining the Runtime, the Role, the Code, and the Handler:

Resources:
  CustomResourceLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: handler.index
      Role: !GetAtt CustomResourceLambdaExecutionRole.Arn
      Code: function/
      Runtime: nodejs8.10

As the code is defined as a local path, you’ll need to run aws cloudformation package ... to zip and upload the code to S3.

Until this point, this is exactly how you’d define any Lambda function.

To connect the function to the custom resource, pass its Arn as the ServiceToken parameter:

Resources:
  Custom:
    Type: Custom::CustomResource
    Properties:
      ServiceToken: !GetAtt CustomResourceLambdaFunction.Arn
        ...

This is the part that wires the resource to the function.

The Lambda code

Now that we have everything set up on the CloudFormation side, let’s move on to the actual code.

An important concept is that the resource handling is asynchronous. The function gets a responseURL and it needs to send a PUT with some required parameters. This signals CloudFormation that the resource is ready (or there is a problem).

At the bare minimum, you’ll need to send the request with these parameters:

  • Status: “SUCCESS” or “FAILED”
  • PhysicalResourceId: This identifies the underlying resource
  • Data: The Output of the function
  • and you need to pass back some parameters: StackId, RequestId, and LogicalResourceId

For the full code on how to send the request and provide all the parameters, see here. It is based on the AWS sample code.

Handling lifecycle

Now that everything required is in place, let’s see how to handle each lifecycle transition!

Create

When the resource is created, for example the first time you deploy the template, it gets a Create event. In this case, the event looks like this:

{
	"RequestType": "Create",
	"ServiceToken": "...",
	"ResponseURL": "...",
	"StackId": "...",
	"RequestId": "...",
	"LogicalResourceId": "Custom",
	"ResourceType": "Custom::CustomResource",
	"ResourceProperties": {
		"ServiceToken": "...",
		"Param2": "val2",
		"Param1": "val1"
	}
}

The "RequestType": "Create" is what makes it a Create event.

Also, take a look at the ResourceProperties section. It contains the Properties from the CloudFormation template. The !Ref-s and other functions are resolved by the time the Lambda is called, so if you referenced other resources in the template, you can use them here. As an example, this is how you’d reference an S3 bucket.

Delete

When you remove the resource from the template, the lifecycle event is a “Delete”. The event is almost the same as the “Create”, but the RequestType is “Delete”. Use this to remove any underlying resource that is associated with this custom resource.

Update

When there is a change in the template for the custom resource, you’ll get an “Update”. In this step, you’ll not only get the current Properties, but also the previous ones, so you know what is changed.

For example, by changing Param2 from val2 to val3:

"ResourceProperties": {
	"ServiceToken": "...",
	"Param2": "val3",
	"Param1": "val1"
},
"OldResourceProperties": {
	"ServiceToken": "...",
	"Param2": "val2",
	"Param1": "val1"
}

Use the OldResourceProperties to know what is modified.

In some cases, you can simply delete the old resource and handle the event as a Create. This is usually the case for stateless resources that can not be changed.

Handling outputs

If you send some values with the response in the Data object, those will be available in the template.

For example, if you want to send a parameter named Out, use Data: {Out: ...}. Then you can reference it in the template with the !GetAtt Custom.Out function:

Outputs:
  File:
    Value: !GetAtt Custom.Out

PhysicalResourceId

This is the underlying identifier of the resource. It is important to understand how it works as it can cause a lot of unexpected behavior.

As a rule of thumb, it should be different for different underlying resources. For example, if you have a GitHub repository, it should be the name. If you manage an S3 object, it should be the full path. For both cases, the id uniquely represents the resource and makes sure that different ones make different ids.

You also need to send it back when you send back the response.

Its lifecycle is the following:

  • For “Create”, you return a PhysicalResourceId.
  • For “Update”, you have a choice:
    • If you send the same, nothing else happens
    • If you send a different one, there will be a “Delete” event for the old resource

Let’s see an example!

Our custom resource has 2 parameters:

Resources:
  Custom:
    Type: Custom::CustomResource
    Properties:
      Param1: val1
      Param2: val2

Let’s calculate the PhysicalResourceId from only Param1:

PhysicalResourceId: `${Param1}`,

In this case, changing Param2 updates the same resource, but changing Param1 creates a new one (from CloudFormation’s perspective). This is roughly the case when you have an S3 Object and Param1 is the key, while Param2 is the contents.

By chaning Param2 to val3, there will an “Update”:

"ResourceProperties": {
	"ServiceToken": "...",
	"Param2": "val3",
	"Param1": "val1"
},
"OldResourceProperties": {
	"ServiceToken": "...",
	"Param2": "val2",
	"Param1": "val1"
}

But setting Param1: val4, after this “Update”:

"ResourceProperties": {
	"ServiceToken": "...",
	"Param2": "val3",
	"Param1": "val4"
},
"OldResourceProperties": {
	"ServiceToken": "...",
	"Param2": "val3",
	"Param1": "val1"
}

There will also be a “Delete” with the old parameters:

"ResourceProperties": {
	"ServiceToken": "...",
	"Param2": "val3",
	"Param1": "val1"
},

Keep this in mind when you decide on a PhysicalResourceId.

What should you use then?

It should be different for a different resource, and same for the same resource. If you manage an S3 Object, it can be the bucket and the key of the object. If the resource is a GitHub gist, use the id returned from GitHub.

Conclusion

Custom resources are powerful additions to CloudFormation. They open support for all sorts of resources, and not just what it supports out of the box.

Handled with care, you can define any resource type, even third-party ones. They require some boilerplate, especially considering the Lambda function, and should be tested extensively.

But using them gives you the freedom to define anything. Want to create a Mailchimp campaign from CloudFormation? Or a GitHub repository? A Slack channel? These are all possible, and they can be made first-class citizens.

Did you know we have a free guide on AWS security basics?

Do you have an AWS account? Of course you do, you've just read an article about AWS. But do you know how to secure it?

As a certified security specialist I'm familiar with most of the security controls AWS offers. I've compiled this guide so you don't have to take a month off to learn all that.

5 quick and easy steps to avoid the rookie mistakes and reduce the risk of costly events down the road.

Download the free guide here:

25 December 2018