AWS CloudFormation Hooks Present Proactive Validation of CloudFormation Operations


AWS announced the general availability of AWS CloudFormation hooks, which allow custom logic to run before a create, update, or delete operation on a CloudFormation stack. CloudFormation hooks support versioning and public and private distribution, and can be published to multiple AWS accounts and regions.

CloudFormation hooks provide proactive validation of CloudFormation operations by examining the resources being provisioned. If a non-compliant resource is encountered, either a warning can be returned or execution can be halted by causing the operation to fail. Examples of use cases range from verifying that security groups have the appropriate rules for inbound and outbound traffic, to restricting the use of more expensive EC2 instances, to enforcing automatic backups being enabled for RDS instances.

The CloudFormation CLI is used to develop CloudFormation hooks. CloudFormation hooks are a supported extension type within the AWS CloudFormation Registry. Developer plugins for hooks are available in Java and Python.

The AWS CloudFormation registry enables management of extensions, including hooks, as both public and private resources. Public extensions are published either by AWS or by third parties. Extensions from AWS are always public and their versioning is controlled by AWS. Custom hooks are registered as private extensions in each AWS account that needs them. Publishing an extension to multiple regions can be done with AWS CloudFormation StackSets.

Generating the required hook project code can be done with the CloudFormation CLI by running the cfn init command. The next step is to write the hook schema, a JSON-formatted text file that defines the properties and attributes of the hook, including the resource types it targets. The hook handler code is then written in one of the supported developer plugin languages. Registering the hook with the private registry can be done with cfn submit --set-default.

Once complete, the hook can be activated as follows:

aws cloudformation set-type-configuration --configuration '{"CloudFormationConfiguration":{"HookConfiguration":{"TargetStacks":"ALL","FailureMode":"FAIL","Properties":{"SsmKey":"compliant-imageid-x86"}}}}' --type-arn $HOOK_TYPE_ARN

If TargetStacks is set to ALL, the hook applies to all stacks in the account during any CREATE, UPDATE, or DELETE operation. FailureMode can be set to either WARN or FAIL. The Properties object is where hook runtime properties are exposed as defined in the hook schema.

AWS has released a number of sample hooks in both Python and Java. For example, the AWSSamples::S3BucketEncrypt::Hook sample ensures server-side encryption with KMS keys is enabled during CREATE or UPDATE operations. If FailureMode is set to FAIL, the following CloudFormation template is not allowed to continue because it does not specify encryption properties:

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties: {}
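The handler logic behind a hook of this kind, covering both the development steps above (a handler written against the schema, configured with Properties and a FailureMode) and the S3 encryption check the sample is described as performing, as an added example that is not AWS's sample code. Assumptions not on the page: a handler generated by cfn init would use cloudformation_cli_python_lib (HookHandlerRequest, ProgressEvent); plain dicts stand in for those types here so the check runs offline, and the RequiredAlgorithm type-configuration property, the targetName and targetModel.resourceProperties field names, and the sample bucket definitions are constructed for illustration.

```python
"""Added example, not AWS sample code: the compliance check a CloudFormation
hook's preCreate/preUpdate handler would run on an AWS::S3::Bucket, modelled on
what the page says the AWSSamples::S3BucketEncrypt::Hook sample enforces.
Assumptions: a handler generated by `cfn init` would use
cloudformation_cli_python_lib (HookHandlerRequest, ProgressEvent); plain dicts
stand in for those types here so the logic runs offline, and the
`RequiredAlgorithm` type-configuration property is invented for illustration."""
from typing import Any, Dict, List

KMS_ALGORITHM = "aws:kms"


def find_encryption_violations(bucket_props: Dict[str, Any],
                               required_algorithm: str = KMS_ALGORITHM) -> List[str]:
    """Walk BucketEncryption.ServerSideEncryptionConfiguration and return one
    finding per problem; an empty list means the bucket is compliant."""
    encryption = bucket_props.get("BucketEncryption")
    if not isinstance(encryption, dict):
        return ["BucketEncryption not set: bucket would have no default encryption"]
    rules = encryption.get("ServerSideEncryptionConfiguration")
    if not isinstance(rules, list) or not rules:
        return ["ServerSideEncryptionConfiguration is missing or empty"]
    findings: List[str] = []
    for index, rule in enumerate(rules):
        by_default = rule.get("ServerSideEncryptionByDefault") if isinstance(rule, dict) else None
        algorithm = by_default.get("SSEAlgorithm") if isinstance(by_default, dict) else None
        if algorithm != required_algorithm:
            # AES256 here means SSE-S3, which a KMS-only requirement rejects
            findings.append(f"rule {index}: SSEAlgorithm is {algorithm!r}, expected {required_algorithm!r}")
    return findings


def pre_provision_handler(request: Dict[str, Any],
                          type_configuration: Dict[str, Any]) -> Dict[str, Any]:
    """Shape of a preCreate/preUpdate handler. `targetName` and
    `targetModel.resourceProperties` mirror the hook request fields (assumption);
    the returned dict stands in for a ProgressEvent."""
    if request.get("targetName") != "AWS::S3::Bucket":
        # Only targets declared in the hook schema are delivered; skip anything else.
        return {"status": "SUCCESS", "message": "not an S3 bucket, nothing to check"}
    props = (request.get("targetModel") or {}).get("resourceProperties") or {}
    required = type_configuration.get("RequiredAlgorithm", KMS_ALGORITHM)
    findings = find_encryption_violations(props, required)
    if findings:
        return {"status": "FAILED", "errorCode": "NonCompliant", "message": "; ".join(findings)}
    return {"status": "SUCCESS", "message": "bucket default encryption is compliant"}


def stack_operation_outcome(handler_result: Dict[str, Any], failure_mode: str) -> str:
    """CloudFormation, not the handler, applies FailureMode from the type
    configuration: a FAILED result halts the operation under FAIL and is only
    reported as a warning under WARN."""
    if failure_mode not in ("FAIL", "WARN"):
        raise ValueError(f"FailureMode must be FAIL or WARN, got {failure_mode!r}")
    if handler_result["status"] != "FAILED":
        return "proceed"
    return "halt" if failure_mode == "FAIL" else "proceed-with-warning"


def evaluate_bucket(bucket_props: Dict[str, Any], failure_mode: str = "FAIL") -> str:
    """Run the handler on a bucket's Properties block and report the outcome."""
    request = {"targetName": "AWS::S3::Bucket",
               "targetModel": {"resourceProperties": bucket_props}}
    return stack_operation_outcome(pre_provision_handler(request, {}), failure_mode)


# Constructed inputs: the page's template declares `Properties: {}`; the other
# two are SSE-S3 (rejected) and SSE-KMS (accepted) variants for contrast.
# The key alias is a placeholder, not a real key.
NON_COMPLIANT_BUCKET: Dict[str, Any] = {}
SSE_S3_BUCKET = {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
COMPLIANT_BUCKET = {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                       "KMSMasterKeyID": "alias/example-key"}}]}}

if __name__ == "__main__":
    for name, props in [("empty Properties", NON_COMPLIANT_BUCKET),
                        ("SSE-S3", SSE_S3_BUCKET), ("SSE-KMS", COMPLIANT_BUCKET)]:
        for mode in ("FAIL", "WARN"):
            print(f"{name:16} FailureMode={mode}: {evaluate_bucket(props, mode)}")
```

The split between pre_provision_handler and stack_operation_outcome is deliberate: the handler only decides compliance, while whether a FAILED result blocks the stack or merely warns is set by FailureMode in the type configuration applied with set-type-configuration, so the same handler can be rolled out in WARN mode first and switched to FAIL once the findings have been reviewed.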

CloudFormation hooks run on all CloudFormation stacks, including stacks built by CDK, SAM, AWS Amplify, and AWS Elastic Beanstalk. CloudFormation hook invocation events can be delivered to Amazon EventBridge by creating an EventBridge rule.

More information can be found in the AWS documentation. There are quotas that limit the number of hooks per account to 100, hooks per resource to 100, and the number of versions of each hook to 100; usage is charged based on the number and duration of requests.