guard_hooks
Creates, updates, deletes or gets a guard_hook resource or lists guard_hooks in a region
Overview
| Name | guard_hooks |
| Type | Resource |
| Description | This is a CloudFormation resource for activating the first-party AWS::Hooks::GuardHook. |
| Id | awscc.cloudformation.guard_hooks |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
rule_location | object | S3 Source Location for the Guard files. |
log_bucket | string | S3 Bucket where the guard validate report will be uploaded to |
hook_status | string | Attribute to specify which stacks this hook applies to or should get invoked for |
target_operations | array | Which operations should this Hook run against? Resource changes, stacks or change sets. |
failure_mode | string | Attribute to specify CloudFormation behavior on hook failure. |
target_filters | object | Attribute to specify which targets should invoke the hook |
stack_filters | object | Filters to allow hooks to target specific stack attributes |
alias | string | The typename alias for the hook. |
hook_arn | string | The Amazon Resource Name (ARN) of the activated hook |
execution_role | string | The execution role ARN assumed by hooks to read Guard rules from S3 and write Guard outputs to S3. |
options | object | |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
hook_arn | string | The Amazon Resource Name (ARN) of the activated hook |
region | string | AWS region. |
For more information, see AWS::CloudFormation::GuardHook.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | guard_hooks | INSERT | RuleLocation, HookStatus, TargetOperations, FailureMode, Alias, ExecutionRole, region |
delete_resource | guard_hooks | DELETE | Identifier, region |
update_resource | guard_hooks | UPDATE | Identifier, PatchDocument, region |
list_resources | guard_hooks_list_only | SELECT | region |
get_resource | guard_hooks | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual guard_hook.
SELECT
region,
rule_location,
log_bucket,
hook_status,
target_operations,
failure_mode,
target_filters,
stack_filters,
alias,
hook_arn,
execution_role,
options
FROM awscc.cloudformation.guard_hooks
WHERE
region = 'us-east-1' AND
Identifier = '{{ hook_arn }}';
Lists all guard_hooks in a region.
SELECT
region,
hook_arn
FROM awscc.cloudformation.guard_hooks_list_only
WHERE
region = 'us-east-1';
INSERT example
Use the following StackQL query and manifest file to create a new guard_hook resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.cloudformation.guard_hooks (
RuleLocation,
HookStatus,
TargetOperations,
FailureMode,
Alias,
ExecutionRole,
region
)
SELECT
'{{ rule_location }}',
'{{ hook_status }}',
'{{ target_operations }}',
'{{ failure_mode }}',
'{{ alias }}',
'{{ execution_role }}',
'{{ region }}';
/*+ create */
INSERT INTO awscc.cloudformation.guard_hooks (
RuleLocation,
LogBucket,
HookStatus,
TargetOperations,
FailureMode,
TargetFilters,
StackFilters,
Alias,
ExecutionRole,
Options,
region
)
SELECT
'{{ rule_location }}',
'{{ log_bucket }}',
'{{ hook_status }}',
'{{ target_operations }}',
'{{ failure_mode }}',
'{{ target_filters }}',
'{{ stack_filters }}',
'{{ alias }}',
'{{ execution_role }}',
'{{ options }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: guard_hook
props:
- name: rule_location
value:
uri: '{{ uri }}'
version_id: '{{ version_id }}'
- name: log_bucket
value: '{{ log_bucket }}'
- name: hook_status
value: '{{ hook_status }}'
- name: target_operations
value:
- '{{ target_operations[0] }}'
- name: failure_mode
value: '{{ failure_mode }}'
- name: target_filters
value: {}
- name: stack_filters
value:
filtering_criteria: '{{ filtering_criteria }}'
stack_names:
include:
- '{{ include[0] }}'
exclude:
- null
stack_roles:
include:
- '{{ include[0] }}'
exclude:
- null
- name: alias
value: '{{ alias }}'
- name: execution_role
value: '{{ execution_role }}'
- name: options
value: null
UPDATE example
Use the following StackQL query and manifest file to update a guard_hook resource, using stack-deploy.
/*+ update */
UPDATE awscc.cloudformation.guard_hooks
SET PatchDocument = string('{{ {
"RuleLocation": rule_location,
"LogBucket": log_bucket,
"HookStatus": hook_status,
"TargetOperations": target_operations,
"FailureMode": failure_mode,
"TargetFilters": target_filters,
"StackFilters": stack_filters,
"Options": options
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ hook_arn }}';
DELETE example
/*+ delete */
DELETE FROM awscc.cloudformation.guard_hooks
WHERE
Identifier = '{{ hook_arn }}' AND
region = 'us-east-1';
Permissions
To operate on the guard_hooks resource, the following permissions are required:
- Create
- Read
- Update
- Delete
- List
cloudformation:ActivateType,
cloudformation:DescribeType,
cloudformation:ListTypes,
cloudformation:SetTypeConfiguration,
cloudformation:BatchDescribeTypeConfigurations,
iam:PassRole
cloudformation:DescribeType,
cloudformation:BatchDescribeTypeConfigurations
cloudformation:BatchDescribeTypeConfigurations,
cloudformation:DescribeType,
cloudformation:SetTypeConfiguration,
iam:PassRole
cloudformation:BatchDescribeTypeConfigurations,
cloudformation:DescribeType,
cloudformation:DeactivateType,
cloudformation:SetTypeConfiguration
cloudformation:ListTypes,
cloudformation:DescribeType,
cloudformation:BatchDescribeTypeConfigurations