{"id":1478,"date":"2023-04-22T12:02:29","date_gmt":"2023-04-22T17:02:29","guid":{"rendered":"https:\/\/cloudlearning365.com\/?p=1478"},"modified":"2023-04-28T15:59:31","modified_gmt":"2023-04-28T20:59:31","slug":"import-existing-resources-into-cloudformation-template","status":"publish","type":"post","link":"https:\/\/cloudlearning365.com\/?p=1478","title":{"rendered":"Import existing resources into CloudFormation template"},"content":{"rendered":"\n

Aviatrix developed Migration Toolkit<\/a> to help customer migrate from existing AWS\/ Azure environment to Aviatrix Transit and Spoke Multi-Cloud Networking Architecture (MCNA). I have discussed the process in blog: Migrate from Azure vNet hub and spoke architecture to Aviatrix Transit<\/a>. The AWS migration process is similar, where the toolkit make copies of existing route tables, when Aviatrix Spoke is attached to Aviatrix Transit, we are using these copied route tables, hence no traffic interruption would happen. During the traffic switching phrase, subnets will be associated with the copied route table, and in TGW we disable the migrating VPC router advertisement, so the traffic would swing over to Aviatrix Spoke\/Transit.<\/p>\n\n\n\n

Some of our customers are using CloudFormation to manage the deployment of their environment, while Aviatrix Controller will handle bulk of the work such as populating RFC1918 and\/or default route in the route table and\/or non-RFC1918 routes from External connections, they still would like to have the ability to continue to use CloudFormation to manage endpoint routes. This created a split brain scenario, how do we handle this?<\/p>\n\n\n\n\n\n\n\n

If you are familiar with Terraform, you would understand anything declared in .tf file is called desired state, when you run terraform apply and found current state in the cloud isn’t matching the desired state, terraform will try to correct current state to match desired state declared. If things are not declared in the terraform file, terraform will not manage these and will not make corrections. The same concept applies to CloudFormation template.<\/p>\n\n\n\n

For example, let’s use following CloudFormation template create a VPC. The VPC have one public subnet and one private subnet, where the public subnet route table has 0.0.0.0\/0 point to internet gateway.<\/p>\n\n\n\n

Resources:\n  MyVPC:\n    Type: AWS::EC2::VPC\n    Properties:\n      CidrBlock: \"10.0.0.0\/16\"\n      Tags:\n        - Key: Name\n          Value: my-vpc\n\n  PublicSubnet:\n    Type: AWS::EC2::Subnet\n    Properties:\n      VpcId: !Ref MyVPC\n      CidrBlock: \"10.0.1.0\/24\"\n      AvailabilityZone:\n        Fn::Select: \n        - 0\n        - Fn::GetAZs: \"\"\n      Tags:\n        - Key: Name\n          Value: public-subnet\n\n  PrivateSubnet:\n    Type: AWS::EC2::Subnet\n    Properties:\n      VpcId: !Ref MyVPC\n      CidrBlock: \"10.0.2.0\/24\"\n      AvailabilityZone: \n        Fn::Select: \n        - 0\n        - Fn::GetAZs: \"\"\n      Tags:\n        - Key: Name\n          Value: private-subnet\n\n  PublicRouteTable:\n    Type: AWS::EC2::RouteTable\n    Properties:\n      VpcId: !Ref MyVPC\n      Tags:\n        - Key: Name\n          Value: public-route-table\n\n  PrivateRouteTable:\n    Type: AWS::EC2::RouteTable\n    Properties:\n      VpcId: !Ref MyVPC\n      Tags:\n        - Key: Name\n          Value: private-route-table\n\n  InternetGateway:\n    Type: AWS::EC2::InternetGateway\n    Properties:\n      Tags:\n        - Key: Name\n          Value: my-igw\n\n  GatewayAttachment:\n    Type: AWS::EC2::VPCGatewayAttachment\n    Properties:\n      VpcId: !Ref MyVPC\n      InternetGatewayId: !Ref InternetGateway\n\n  PublicRoute:\n    Type: AWS::EC2::Route\n    DependsOn: GatewayAttachment\n    Properties:\n      RouteTableId: !Ref PublicRouteTable\n      DestinationCidrBlock: \"0.0.0.0\/0\"\n      GatewayId: !Ref InternetGateway\n\n  PublicSubnetRouteTableAssociation:\n    Type: AWS::EC2::SubnetRouteTableAssociation\n    Properties:\n      SubnetId: !Ref PublicSubnet\n      RouteTableId: !Ref PublicRouteTable\n\n  PrivateSubnetRouteTableAssociation:\n    Type: AWS::EC2::SubnetRouteTableAssociation\n    Properties:\n      SubnetId: !Ref PrivateSubnet\n      RouteTableId: !Ref PrivateRouteTable\n<\/code><\/pre>\n\n\n\n
Public Route table shown in AWS Console<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Explore resources created by the CloudFormation template:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Assume we created another public route table in AWS Console, simulating the copied route table via Aviatrix Migration Toolkit<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Assume we create a default route in new-public-route-table point to IGW in AWS Console<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Let’s see how we import the new-public-route-table<\/p>\n\n\n\n
For import to work, all resources in the CloudFormation template must have DeletionPolicy <\/a>set.<\/p>\n\n\n\n
First add following resource declaration into existing CloudFormation template, this is to tell CloudFormation to manage a new route table of a Logic Resource ID of NewPublicRouteTable<\/p>\n\n\n\n
  NewPublicRouteTable:\n    Type: AWS::EC2::RouteTable\n    DeletionPolicy: Delete\n    Properties:\n      VpcId: !Ref MyVPC\n      Tags:\n        - Key: Name\n          Value: new-public-route-table<\/code><\/pre>\n\n\n\n
The new-public-route-table has a unique Resource Identifier of: rtb-0ebd453646fdff442<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
We need to tell CloudFormation how to link the Logical Resource ID and the unique Resource Identifier, by creating a json file:<\/p>\n\n\n\n
[\n  {\n      \"ResourceType\":\"AWS::EC2::RouteTable\",\n      \"LogicalResourceId\":\"NewPublicRouteTable\",\n      \"ResourceIdentifier\": {\n        \"RouteTableId\":\"rtb-0ebd453646fdff442\"\n      }\n  }\n]<\/code><\/pre>\n\n\n\n
The structure of the json file is described in this article<\/a><\/p>\n\n\n\n
[\n  {\n    \"ResourceType\": \"string\",\n    \"LogicalResourceId\": \"string\",\n    \"ResourceIdentifier\": {\"string\": \"string\"\n      ...}\n  }\n  ...\n]<\/code><\/pre>\n\n\n\n
To get the format of ResourceType, LogicalResourceId and ResourceIdentifier, run following command, note the highlighted section.<\/p>\n\n\n\n
aws cloudformation get-template-summary --stack-name myvpc\n\n{\n    \"Parameters\": [],\n    \"ResourceTypes\": [\n        \"AWS::EC2::InternetGateway\",\n        \"AWS::EC2::VPC\",\n        \"AWS::EC2::RouteTable\",\n        \"AWS::EC2::RouteTable\",\n        \"AWS::EC2::VPCGatewayAttachment\",\n        \"AWS::EC2::Subnet\",\n        \"AWS::EC2::RouteTable\",\n        \"AWS::EC2::Subnet\",\n        \"AWS::EC2::Route\",\n        \"AWS::EC2::SubnetRouteTableAssociation\",\n        \"AWS::EC2::Route\",\n        \"AWS::EC2::SubnetRouteTableAssociation\"\n    ],\n    \"Version\": \"2010-09-09\",\n    \"ResourceIdentifierSummaries\": [\n        {\n            \"ResourceType\": \"AWS::EC2::VPC\",\n            \"LogicalResourceIds\": [\n                \"MyVPC\"\n            ],\n            \"ResourceIdentifiers\": [\n                \"VpcId\"\n            ]\n        },\n        {\n            \"ResourceType\": \"AWS::EC2::RouteTable\",\n            \"LogicalResourceIds\": [\n                \"PublicRouteTable\",\n                \"PrivateRouteTable\",\n                \"NewPublicRouteTable\"\n            ],\n            \"ResourceIdentifiers\": [\n                \"RouteTableId\"\n            ]\n        },<\/mark>\n        {\n            \"ResourceType\": \"AWS::EC2::SubnetRouteTableAssociation\",\n            \"LogicalResourceIds\": [\n                \"PrivateSubnetRouteTableAssociation\",\n                \"PublicSubnetRouteTableAssociation\"\n            ],\n            \"ResourceIdentifiers\": [\n                \"Id\"\n            ]\n        },\n        {\n            \"ResourceType\": \"AWS::EC2::InternetGateway\",\n            \"LogicalResourceIds\": [\n                \"InternetGateway\"\n            ],\n            \"ResourceIdentifiers\": [\n                \"InternetGatewayId\"\n            ]\n        },\n        {\n            \"ResourceType\": \"AWS::EC2::Subnet\",\n            \"LogicalResourceIds\": [\n                \"PrivateSubnet\",\n                \"PublicSubnet\"\n            ],\n            \"ResourceIdentifiers\": [\n                \"SubnetId\"\n            ]\n        }\n    ]\n}<\/code><\/pre>\n\n\n\n
The new template would looks like this now:<\/p>\n\n\n\n
Resources:\n  MyVPC:\n    Type: AWS::EC2::VPC\n    DeletionPolicy: Delete\n    Properties:\n      CidrBlock: \"10.0.0.0\/16\"\n      Tags:\n        - Key: Name\n          Value: my-vpc\n\n  PublicSubnet:\n    Type: AWS::EC2::Subnet\n    DeletionPolicy: Delete\n    Properties:\n      VpcId: !Ref MyVPC\n      CidrBlock: \"10.0.1.0\/24\"\n      AvailabilityZone:\n        Fn::Select: \n        - 0\n        - Fn::GetAZs: \"\"\n      Tags:\n        - Key: Name\n          Value: public-subnet\n\n  PrivateSubnet:\n    Type: AWS::EC2::Subnet\n    DeletionPolicy: Delete\n    Properties:\n      VpcId: !Ref MyVPC\n      CidrBlock: \"10.0.2.0\/24\"\n      AvailabilityZone: \n        Fn::Select: \n        - 0\n        - Fn::GetAZs: \"\"\n      Tags:\n        - Key: Name\n          Value: private-subnet\n\n  PublicRouteTable:\n    Type: AWS::EC2::RouteTable\n    DeletionPolicy: Delete\n    Properties:\n      VpcId: !Ref MyVPC\n      Tags:\n        - Key: Name\n          Value: public-route-table\n\n  PrivateRouteTable:\n    Type: AWS::EC2::RouteTable\n    DeletionPolicy: Delete\n    Properties:\n      VpcId: !Ref MyVPC\n      Tags:\n        - Key: Name\n          Value: private-route-table\n\n  InternetGateway:\n    Type: AWS::EC2::InternetGateway\n    DeletionPolicy: Delete\n    Properties:\n      Tags:\n        - Key: Name\n          Value: my-igw\n\n  GatewayAttachment:\n    Type: AWS::EC2::VPCGatewayAttachment\n    DeletionPolicy: Delete\n    Properties:\n      VpcId: !Ref MyVPC\n      InternetGatewayId: !Ref InternetGateway\n\n  PublicRoute:\n    Type: AWS::EC2::Route\n    DeletionPolicy: Delete\n    DependsOn: GatewayAttachment\n    Properties:\n      RouteTableId: !Ref PublicRouteTable\n      DestinationCidrBlock: \"0.0.0.0\/0\"\n      GatewayId: !Ref InternetGateway\n\n  PublicSubnetRouteTableAssociation:\n    Type: AWS::EC2::SubnetRouteTableAssociation\n    DeletionPolicy: Delete\n    Properties:\n      SubnetId: !Ref PublicSubnet\n      RouteTableId: !Ref PublicRouteTable\n\n  PrivateSubnetRouteTableAssociation:\n    Type: AWS::EC2::SubnetRouteTableAssociation\n    DeletionPolicy: Delete\n    Properties:\n      SubnetId: !Ref PrivateSubnet\n      RouteTableId: !Ref PrivateRouteTable\n\n  NewPublicRouteTable:\n    Type: AWS::EC2::RouteTable\n    DeletionPolicy: Delete\n    Properties:\n      VpcId: !Ref MyVPC\n      Tags:\n        - Key: Name\n          Value: new-public-route-table<\/code><\/pre>\n\n\n\n
Upload both modified template and the json file to CloudShell<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Run following command for the change set<\/p>\n\n\n\n
aws cloudformation create-change-set --stack-name myvpc --change-set-name ImportChangeSet --change-set-type IMPORT --resources-to-import file:\/\/import.json --template-body file:\/\/vpc.yaml<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Validate change set in AWS Console, then Execute change set<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Upon completion, validate Resources under stack and find the route table is now been managed<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This is great, then how about import the routes? In above screenshot, we can see that the PublicRoute have a physical id of myvpc-Publi-1O66C3YL5SCJE<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It can be obtained via cloudformation cli:<\/p>\n\n\n\n
[cloudshell-user@ip-10-4-89-56 ~]$ aws cloudformation describe-stack-resources --stack-name myvpc --query 'StackResources[?ResourceType==`AWS::EC2::Route`]'\n[\n    {\n        \"StackName\": \"myvpc\",\n        \"StackId\": \"arn:aws:cloudformation:us-east-1:<account-id>:stack\/myvpc\/99dde040-e06f-11ed-b816-12c48b848691\",\n        \"LogicalResourceId\": \"PublicRoute\",\n        \"PhysicalResourceId\": \"myvpc-Publi-1O66C3YL5SCJE\",\n        \"ResourceType\": \"AWS::EC2::Route\",\n        \"Timestamp\": \"2023-04-21T18:10:02.288000+00:00\",\n        \"ResourceStatus\": \"CREATE_COMPLETE\",\n        \"DriftInformation\": {\n            \"StackResourceDriftStatus\": \"NOT_CHECKED\"\n        }\n    }\n]<\/code><\/pre>\n\n\n\n
But it appears to be impossible to obtain this physical ID for a route created outside of CloudFormation, as each route doesn’t really have a unique ID:<\/p>\n\n\n\n
[cloudshell-user@ip-10-4-89-56 ~]$ aws ec2 describe-route-tables --route-table-id rtb-0bfc1da00ea922888\n{\n    \"RouteTables\": [\n        {\n            \"Associations\": [\n                {\n                    \"Main\": false,\n                    \"RouteTableAssociationId\": \"rtbassoc-002eb5d86d30c4067\",\n                    \"RouteTableId\": \"rtb-0bfc1da00ea922888\",\n                    \"SubnetId\": \"subnet-0a792e7973a2fbad7\",\n                    \"AssociationState\": {\n                        \"State\": \"associated\"\n                    }\n                }\n            ],\n            \"PropagatingVgws\": [],\n            \"RouteTableId\": \"rtb-0bfc1da00ea922888\",\n            \"Routes\": [\n                {\n                    \"DestinationCidrBlock\": \"10.0.0.0\/16\",\n                    \"GatewayId\": \"local\",\n                    \"Origin\": \"CreateRouteTable\",\n                    \"State\": \"active\"\n                },\n                {\n                    \"DestinationCidrBlock\": \"0.0.0.0\/0\",\n                    \"GatewayId\": \"igw-082f5b8803aa503e2\",\n                    \"Origin\": \"CreateRoute\",\n                    \"State\": \"active\"\n                }\n            ],<\/mark>\n            \"Tags\": [\n                {\n                    \"Key\": \"aws:cloudformation:logical-id\",\n                    \"Value\": \"PublicRouteTable\"\n                },\n                {\n                    \"Key\": \"Name\",\n                    \"Value\": \"public-route-table\"\n                },\n                {\n                    \"Key\": \"aws:cloudformation:stack-id\",\n                    \"Value\": \"arn:aws:cloudformation:us-east-1:<account-id>:stack\/myvpc\/99dde040-e06f-11ed-b816-12c48b848691\"\n                },\n                {\n                    \"Key\": \"aws:cloudformation:stack-name\",\n                    \"Value\": \"myvpc\"\n                }\n            ],\n            \"VpcId\": \"vpc-0023fa5f554d32f7c\",\n            \"OwnerId\": \"<account-id>\"\n        }\n    ]\n}<\/code><\/pre>\n\n\n\n
Turned out not route cannot be imported<\/p>\n\n\n\n
An error occurred (ValidationError) when calling the CreateChangeSet operation: ResourceTypes [AWS::EC2::Route] are not supported for Import<\/code><\/pre>\n\n\n\n
If tried to append following in the CloudFormation template:<\/p>\n\n\n\n
  NewPublicRoute:\n    Type: AWS::EC2::Route\n    DependsOn: GatewayAttachment\n    Properties:\n      RouteTableId: !Ref NewPublicRouteTable1\n      DestinationCidrBlock: \"0.0.0.0\/0\"\n      GatewayId: !Ref InternetGateway<\/code><\/pre>\n\n\n\n
Run stack update, and it will fail as the default route already exist<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
Based on above testing, Customer need to perform the task of make copy of the route table, then Aviatrix would utilize the copied route table for traffic switching.<\/p>\n\n\n\n
Once the traffic switch is completed, the copied route table would be associated with the subnet, need to be able to update the CloudFormation to reflect this association change.<\/p>\n\n\n\n
Edit public subnet association in AWS Console<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Switch from public-route-table to new-public-route-table1<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Update CloudFormation template, from:<\/p>\n\n\n\n
  PublicSubnetRouteTableAssociation:\n    Type: AWS::EC2::SubnetRouteTableAssociation\n    DeletionPolicy: Delete\n    Properties:\n      SubnetId: !Ref PublicSubnet\n      RouteTableId: !Ref PublicRouteTable<\/mark><\/code><\/pre>\n\n\n\n
To: <\/p>\n\n\n\n
  PublicSubnetRouteTableAssociation:\n    Type: AWS::EC2::SubnetRouteTableAssociation\n    DeletionPolicy: Delete\n    Properties:\n      SubnetId: !Ref PublicSubnet\n      RouteTableId: !Ref NewPublicRouteTable<\/mark><\/code><\/pre>\n\n\n\n
Stack -> Update and replace current template:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Note: If selected preserve successfully provisioned resources in Stack failure options<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The update would fail, as it was trying to replace the deployed association<\/p>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
Aviatrix developed Migration Toolkit to help customer migrate from existing AWS\/ Azure environment to Aviatrix Transit and Spoke Multi-Cloud Networking Architecture (MCNA). I have discussed the process in blog: Migrate from Azure vNet hub and spoke architecture to Aviatrix Transit. … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1478","post","type-post","status-publish","format-standard","hentry","category-aws"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/1478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1478"}],"version-history":[{"count":9,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/1478\/revisions"}],"predecessor-version":[{"id":1520,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=\/wp\/v2\/posts\/1478\/revisions\/1520"}],"wp:attachment":[{"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudlearning365.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}