nSights Talks

CloudFormation Custom Resources

Tutorial Highlights & Transcript

00:00 - What are CloudFormation Custom Resources
Hi my name is Maz Nafees and the topic for today’s demo is CloudFormation custom resources. To start with the presentation, what is custom resource? Custom resources basically enable you to provision custom logic for your resource in CloudFormation. Whenever you create, update, or delete your stack, CloudFormation will run that custom logic for you. Basically, custom resources, extend the capabilities of CloudFormation. CloudFormation can do things that it normally cannot do. You have the custom resource provisioning logic in your hand, so you can do anything you want.
00:54 - When to Use Custom Resources
Why would we need custom resources? The first scenario is when there are multiple resources that are not supported by CloudFormation like Storage Gateway, or RDS Global Cluster. You can provision that resource to CloudFormation custom resources and handle the provisioning logic in Lambda, or SNS topic. The second scenario is you can, if you want to, use a third party resource, and you want it in a single stack view. You can provision that non AWS resource to a custom resource. The third scenario is if you want to provision steps that is not related to infrastructure, like you want to run some type of script to migrate your database, or you create a table before deployment. You can do this too, with custom resource.
02:00 - How Custom Resources Works
Moving forward, how do custom resources work? Basically, when we deploy our stack from CloudFormation, it generates a JSON request, and it’s sent to the Lambda function. The Lambda function sees the JSON request and will create resources according to the request. After creating the resource, it will send back the response to CloudFormation about the state, whether it failed or succeeded. The same scenario will be for the update and delete signals. That’s how CloudFormation custom resources cycle works.
02:42 - CloudFormation Code
How do we write custom resources CloudFormation stack? We can write our custom resources like any other AWS resource, but the difference is the type. The type will be the custom and the name of the resource, whichever you want to give. Custom resources require one property, which is service token. It is basically the ARN of our Lambda, where custom logic will be handled. We can pass as many properties as we want for additional. We can use these properties in our Lambda function.
03:25 - Lambda Handler
How do we write Lambda? We handle our custom resource logic. In Lambda function, we can get the request from CloudFormation, which can check the request type of the CloudFormation request. There are three types of requests, which which are create, update, and delete. If the request type is create, we can run the Create logic for it. If the request type is update, so we can handle it accordingly. So the same goes for the Delete. We will send back the response to the CloudFormation. It is important to send back the response, because if we fail to send back the response back to the CloudFormation, it will wait for a long period of time. We can send a response by creating ourselves, but AWS recommends we use CFN response library to send back the response. We can send a state of the resource and the reason of its failure always succeed.
04:43 - Demo
Let me give you a little demo. I already deployed my custom resource stack here. You can see my S3 bucket here. Its type is custom. I have a Lambda function, which will handle that custom resource. I have that provision roles and policy for Lambda. Again, let me show you the logs of the Lambda function. It receives the request from CloudFormation in JSON format. It has different information in it like request type, CloudFormation stack ID and URL, and the properties which we pass in CloudFormation stack. Let me update the system resource. It will update our system resource. It basically sends requests to our Lambda function. Lambda function checks if the request type is update, it will update our bucket name. It updated successfully. Let me check the logs again. Here you can see it receives the request for update, and it called our update function in Lambda. Basically, here is my Lambda function. I will just create three functions for it. If the request type is create, it will run the create function. If the request type is update, it will update my bucket name and if the request type is delete, it will delete my bucket. I’m using S3 client to perform all these operations. CloudFormation allows us custom resource permission. It allows us to extend our capabilities to handle resources that cannot be provisioned normally with CloudFormation. But yeah, great power comes with great responsibility. We have to manage all this custom logic carefully.
Jasmeet Singh

Maaz Nafees

DevOps Engineer


Maaz is a DevOps Engineer at nClouds and has a technical certification in AWS Certified Solutions Architect - Associate.