Unknown data source, October 2, 2024
Using CloudFormation events to build custom workflows for post provisioning management

 

AWS CloudFormation helps users manage cloud resources and simplifies infrastructure management, but the hand-off between resource provisioning and management in other services is a challenge. CloudFormation events can be sent to Amazon EventBridge to set up additional workflows, such as creating OpsItems; the post also walks through the steps for setting up an EventBridge rule.

🎯 AWS CloudFormation is a service that treats infrastructure as code. It is used by over one million active customers every week, simplifies infrastructure management, lets you quickly replicate an environment across multiple AWS Regions, and makes it easy to control and track changes to your infrastructure.

💡 When CloudFormation is used to create AWS resources for a workload environment, there is no smooth hand-off between resource provisioning and the resource-management actions taken in other AWS and non-AWS services. For example, after resources are provisioned, additional tasks such as adding cost-allocation tags still have to be performed.

📣 CloudFormation events are a robust way to track the status of individual resources during a stack's lifecycle. They can be sent to Amazon EventBridge and used to set up additional workflows, such as creating OpsItems, and an Amazon Simple Notification Service (SNS) topic can be added as a target to notify the Ops team.

🛠️ The post walks through setting up an EventBridge rule: navigate to EventBridge in the AWS console, choose Create rule, set the event source, event pattern and targets, optionally add tags, and create the rule. The resulting events can then be viewed in OpsCenter.

<section class="blog-post-content"><p>Over one million active customers manage application resources with <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener noreferrer">AWS CloudFormation</a> every week. CloudFormation is a service that helps you model, provision, and manage your cloud resources by treating Infrastructure as Code (IaC). It simplifies infrastructure management, lets you quickly replicate your environment to multiple AWS Regions with a single turn-key solution, and lets you control and track changes in your infrastructure.</p><p>You can create various AWS resources using CloudFormation to set up an environment for your workloads. You continue to interact with and manage those resources throughout the workload lifecycle to make sure the resource configuration stays aligned with business objectives such as adhering to security compliance standards, meeting required reliability targets, and staying within budget. The inability to hand off between resource provisioning actions in CloudFormation and resource management actions in other relevant AWS and non-AWS services poses a challenge. For example, after resources are provisioned, customers might need to perform additional tasks to manage them, such as adding cost allocation tags, populating a resource inventory database, or triggering downstream processes.</p><p>While a CloudFormation stack gives customers a logical grouping of the resources tied to a workload or a workload component, that context mostly does not extend beyond CloudFormation when they use various AWS and non-AWS services for post-provisioning resource management. These services typically offer a resource-level view or, in some cases, basic aggregated views such as a tag group or an account-level abstraction that shows all resources in a given account. 
For a CloudFormation customer, losing the stack context after provisioning results in a disjointed experience, because there is no hand-off between resource provisioning actions in CloudFormation and resource management actions in other relevant AWS and non-AWS services. The various management actions customers take with their workload resources throughout their lifecycle are</p><p>CloudFormation events provide a robust way to track the status of individual resources during the lifecycle of a stack. You can send CloudFormation events to <a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener noreferrer">Amazon EventBridge</a> whenever a create, update, delete, or drift detection action is performed on your stack, and then set up additional workflows based on those events from EventBridge. For example, by tagging the resources automatically, you can reference that tag group when using <a href="https://aws.amazon.com/premiumsupport/technology/trusted-advisor/" target="_blank" rel="noopener noreferrer">AWS Trusted Advisor</a>, and continue your resource management experience post-provisioning. CloudFormation sends these events to EventBridge automatically, so you do not need to do anything to receive them. One real-world use case is to use these events to create actionable tasks for your teams to troubleshoot issues. CloudFormation events published to EventBridge can be used to create <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-working-with-OpsItems.html" target="_blank" rel="noopener noreferrer">OpsItems</a> within AWS Systems Manager <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html">OpsCenter</a>. OpsItems are the work items created in OpsCenter for engineers to view, investigate, and remediate tasks and issues. 
This enables teams to respond to and resolve issues more efficiently.</p><h2>Walkthrough</h2><p>To set up the EventBridge rule, go to the <a href="https://aws.amazon.com/console/" target="_blank" rel="noopener noreferrer">AWS console</a> and navigate to <a href="https://us-east-1.console.aws.amazon.com/events/home" target="_blank" rel="noopener noreferrer">EventBridge</a>. Select <code>Create rule</code> to get started. Enter a name and description, then select Next:</p><p><img class="alignnone size-full wp-image-13515" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/create-rule.jpg" alt="Create Rule" width="985" height="727" /></p><p>On the next screen, select AWS events in the <code>Event source</code> section.</p><p><img class="alignnone size-full wp-image-13519" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/Event-source.jpg" alt="Event source" width="863" height="327" /></p><p>The sample event shown there is a CREATE_COMPLETE event. It contains the source, AWS account ID, AWS Region, event type (<code>detail-type</code>), resources, and details about the event.</p><p>On the same page, in the <code>Event pattern</code> section, select <code>Custom patterns (JSON editor)</code> and enter the following event pattern. It matches any event in which a resource fails to create, update, or delete. 
Learn more about EventBridge <a href="https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html" target="_blank" rel="noopener noreferrer">event patterns</a>.</p><pre class="lang-json">{
  "source": ["aws.cloudformation"],
  "detail-type": ["CloudFormation Resource Status Change"],
  "detail": {
    "status-details": {
      "status": ["CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"]
    }
  }
}</pre><p><img class="alignnone size-full wp-image-13518" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/Custom-patterns-JSON-editor.jpg" alt="Custom patterns - JSON editor" width="831" height="619" /></p><p>Select Next. On the Target screen, select AWS service, then select Systems Manager OpsItem as the target for this rule.</p><p><img class="alignnone size-full wp-image-13522" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/Target-1.jpg" alt="Target 1" width="1672" height="1122" /></p><p>Add a second target, an <a href="https://aws.amazon.com/sns/" target="_blank" rel="noopener noreferrer">Amazon Simple Notification Service (SNS)</a> topic, to notify the Ops team whenever a failure occurs and an OpsItem has been created.</p><p><img class="alignnone size-full wp-image-13523" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/Target-2.jpg" alt="Target 2" width="1666" height="932" /></p><p>Select Next and optionally add tags.</p><p><img class="alignnone size-full wp-image-13521" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/tags.jpg" alt="Tags" width="822" height="374" /></p><p>Select Next to review the selections, and select <code>Create rule</code>.</p><p>Now your rule is created, and whenever a stack failure occurs an OpsItem is created and a notification is sent out for the operators to troubleshoot and fix the issue. 
The OpsItem contains operational data such as the resource that failed, the reason for the failure, and the stack it belongs to, which is useful for troubleshooting. Operators can take manual actions or use runbooks codified as Systems Manager documents to take corrective action. From the AWS console, go to <a href="https://us-east-1.console.aws.amazon.com/systems-manager/opsitems" target="_blank" rel="noopener noreferrer">OpsCenter</a> to see the events:</p><p><img class="alignnone size-full wp-image-13520" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/operational-data.jpg" alt="operational data" width="1894" height="1120" /></p><p>Once the issues have been addressed, operators can mark the OpsItem as resolved and retry the stack operation that failed, resolving the issue quickly and preventing duplicated effort.</p><p>This walkthrough uses the console, but you can use the <a href="https://aws.amazon.com/cli/" target="_blank" rel="noopener noreferrer">AWS Command Line Interface</a> (AWS CLI), the <a href="https://aws.amazon.com/developer/tools/" target="_blank" rel="noopener noreferrer">AWS SDKs</a>, or CloudFormation itself to accomplish all of this. Refer to the <a href="https://awscli.amazonaws.com/v2/documentation/api/latest/reference/events/index.html" target="_blank" rel="noopener noreferrer">AWS CLI documentation</a> for creating EventBridge rules through the CLI, and to the <a href="https://docs.aws.amazon.com/eventbridge/latest/userguide/example_eventbridge_PutRule_section.html" target="_blank" rel="noopener noreferrer">AWS SDK documentation</a> for creating them through an SDK. 
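</p>
<p>The following is an added example and is not code from the original post or from AWS. It is a small Python module that applies the walkthrough's event pattern to constructed CloudFormation status-change events, using the subset of EventBridge matching semantics that this pattern relies on (lists of exact values nested under keys; content filters such as <code>prefix</code> are not implemented), and builds the Systems Manager OpsItem request that the rule's target would create. The event shape follows the documented <code>CloudFormation Resource Status Change</code> event; the account ID, stack ARN, resource names and event ID are placeholders. <code>build_ops_item</code> returns keyword arguments for boto3's <code>ssm.create_ops_item</code> but does not call it, so the module runs offline.</p>

```python
"""Added example (not from the original post): match the walkthrough's
EventBridge pattern against constructed CloudFormation events and build
the OpsItem request the rule's Systems Manager target would create."""
import json

# The event pattern from the walkthrough, unchanged.
FAILURE_PATTERN = {
    "source": ["aws.cloudformation"],
    "detail-type": ["CloudFormation Resource Status Change"],
    "detail": {
        "status-details": {
            "status": ["CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"]
        }
    },
}


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every key in the pattern
    must be present in the event; a list is a set of allowed exact values
    (an event array matches if any element is allowed); a nested dict is
    matched recursively. Content filters (prefix, anything-but, numeric)
    are not implemented here."""
    if not isinstance(event, dict):
        return False
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not matches(allowed, value):
                return False
        elif isinstance(allowed, list):
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}: {allowed!r}")
    return True


def make_event(status, reason=""):
    """Constructed sample event in the shape CloudFormation publishes to
    EventBridge. Field names follow the AWS documentation; the account,
    stack ARN, resource IDs and event ID are placeholders, not real."""
    stack_id = ("arn:aws:cloudformation:us-east-1:111122223333:"
                "stack/demo-stack/0f7b9c3e-EXAMPLE")
    return {
        "version": "0",
        "id": "17793124-05d4-b198-2fde-7ededc63b103",
        "detail-type": "CloudFormation Resource Status Change",
        "source": "aws.cloudformation",
        "account": "111122223333",
        "time": "2022-09-29T12:00:00Z",
        "region": "us-east-1",
        "resources": [stack_id],
        "detail": {
            "stack-id": stack_id,
            "logical-resource-id": "AppBucket",
            "physical-resource-id": "demo-stack-appbucket-EXAMPLE",
            "resource-type": "AWS::S3::Bucket",
            "status-details": {"status": status, "status-reason": reason},
        },
    }


def build_ops_item(event):
    """Return kwargs for boto3 ``ssm.create_ops_item`` carrying the stack,
    the failed resource and the failure reason as searchable operational
    data. The CreateOpsItem API rejects a Source or OperationalData key
    containing 'aws', 'amazon' or 'amzn', so the source is recorded as
    'CloudFormation' rather than the event's 'aws.cloudformation'."""
    detail = event["detail"]
    status = detail["status-details"]["status"]
    stack_name = detail["stack-id"].split("/")[1]

    def searchable(value):
        return {"Value": str(value), "Type": "SearchableString"}

    return {
        "Title": f"{stack_name}: {detail['logical-resource-id']} {status}",
        "Description": detail["status-details"].get("status-reason")
        or "no status reason supplied",
        "Source": "CloudFormation",
        "Severity": "2",
        "OperationalData": {
            "stack-id": searchable(detail["stack-id"]),
            "logical-resource-id": searchable(detail["logical-resource-id"]),
            "physical-resource-id": searchable(detail["physical-resource-id"]),
            "resource-type": searchable(detail["resource-type"]),
            "status": searchable(status),
            "raw-event": {"Value": json.dumps(event), "Type": "String"},
        },
    }


def route(events):
    """Apply the rule: return OpsItem requests for the events that match."""
    return [build_ops_item(e) for e in events if matches(FAILURE_PATTERN, e)]


if __name__ == "__main__":
    sample = [
        make_event("CREATE_COMPLETE"),
        make_event("CREATE_FAILED", "demo-stack-appbucket-EXAMPLE already exists"),
        make_event("DELETE_FAILED", "The bucket you tried to delete is not empty"),
    ]
    for item in route(sample):
        print(item["Title"], "->", item["Description"])
```

<p>Run it as a script to see which of the three constructed events would reach OpsCenter: the CREATE_COMPLETE event is dropped by the pattern, and the two failures become OpsItem requests whose operational data carries the stack ID, the logical and physical resource IDs, and the status reason that operators need for troubleshooting.</p>
<p>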
You can use the following CloudFormation template to deploy the EventBridge rule used in the walkthrough:</p><pre class="lang-json">{
  "Parameters": {
    "SNSTopicARN": {
      "Type": "String",
      "Description": "Enter the ARN of the SNS Topic where you want stack failure notifications to be sent."
    }
  },
  "Resources": {
    "CFNEventsRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Description": "Event rule to capture CloudFormation failure events",
        "EventPattern": {
          "source": ["aws.cloudformation"],
          "detail-type": ["CloudFormation Resource Status Change"],
          "detail": {
            "status-details": {
              "status": ["CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"]
            }
          }
        },
        "Name": "cfn-stack-failure-test",
        "State": "ENABLED",
        "Targets": [
          {
            "Arn": { "Fn::Sub": "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:opsitem" },
            "Id": "opsitems",
            "RoleArn": { "Fn::GetAtt": ["TargetInvocationRole", "Arn"] }
          },
          {
            "Arn": { "Ref": "SNSTopicARN" },
            "Id": "sns"
          }
        ]
      }
    },
    "TargetInvocationRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": ["events.amazonaws.com"] },
              "Action": ["sts:AssumeRole"]
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyName": "createopsitem",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": ["ssm:CreateOpsItem"],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "AllowSNSPublish": {
      "Type": "AWS::SNS::TopicPolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Sid": "grant-eventbridge-publish",
              "Effect": "Allow",
              "Principal": { "Service": "events.amazonaws.com" },
              "Action": ["sns:Publish"],
              "Resource": { "Ref": "SNSTopicARN" }
            }
          ]
        },
        "Topics": [{ "Ref": "SNSTopicARN" }]
      }
    }
  }
}</pre><p>One point worth checking before deploying this in a shared account: the topic policy grants <code>sns:Publish</code> to the EventBridge service principal without a condition, so any EventBridge rule that targets the topic can publish to it, not only this one. Adding an <code>aws:SourceArn</code> condition that names the ARN of <code>CFNEventsRule</code> (or <code>aws:SourceAccount</code> for the account) restricts publishing to this rule, and the same condition can be placed on the trust policy of <code>TargetInvocationRole</code>. The role itself is already limited to the single <code>ssm:CreateOpsItem</code> action, which is all the target needs.</p><h2>Summary</h2><p>Responding to CloudFormation stack events becomes easy with the integration between CloudFormation and EventBridge. 
CloudFormation events can be used to perform post-provisioning actions on workload resources. With the variety of targets available to EventBridge rules, actions such as adding tags and troubleshooting issues can be automated. The example above uses Systems Manager and Amazon SNS, but you can choose from many other targets, including Amazon <a href="https://aws.amazon.com/api-gateway/" target="_blank" rel="noopener noreferrer">API Gateway</a>, AWS <a href="https://aws.amazon.com/lambda/" target="_blank" rel="noopener noreferrer">Lambda</a>, Amazon Elastic Container Service (Amazon ECS) <a href="https://aws.amazon.com/pm/ecs/" target="_blank" rel="noopener noreferrer">tasks</a>, Amazon <a href="https://aws.amazon.com/kinesis/" target="_blank" rel="noopener noreferrer">Kinesis services</a>, Amazon <a href="https://aws.amazon.com/redshift/" target="_blank" rel="noopener noreferrer">Redshift</a>, Amazon <a href="https://aws.amazon.com/sagemaker/pipelines/" target="_blank" rel="noopener noreferrer">SageMaker Pipelines</a>, and many more. These events are available for free in EventBridge.</p><p>Learn more about <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks-event-bridge.html">Managing events with CloudFormation and EventBridge</a>.</p><h2>About the Author</h2><p><img class="alignleft wp-image-13539" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/vivek.jpg" alt="Vivek" width="105" height="124" /></p><p>Vivek is a Solutions Architect at AWS based out of New York. He works with customers, providing technical assistance and architectural guidance on various AWS services. 
He brings more than 25 years of experience in software engineering and architecture roles at various large-scale enterprises.</p><p><img class="alignleft wp-image-13525" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/Mahanth.jpg" alt="Mahanth" width="105" height="124" /></p><p>Mahanth is a Solutions Architect at Amazon Web Services (AWS). As part of the AWS Well-Architected team, he works with customers and AWS Partner Network partners of all sizes to help them build secure, high-performing, resilient, and efficient infrastructure for their applications. He spends his free time playing with his pup Cosmo, learning more about astronomy, and is an avid gamer.</p><p><img class="alignleft wp-image-13526" src="https://d2908q01vomqb2.cloudfront.net/7719a1c782a1ba91c031a682a0a2f8658209adbf/2022/09/29/sukh.jpg" alt="Sukhchander" width="105" height="124" /></p><p>Sukhchander is a Solutions Architect at Amazon Web Services. He is passionate about helping startups and enterprises adopt the cloud in the most scalable, secure, and cost-effective way by providing technical guidance, best practices, and well-architected solutions.</p></section>
