
guard_hooks

Creates, updates, deletes or gets a guard_hook resource or lists guard_hooks in a region

Overview

| Name | guard_hooks |
|---|---|
| Type | Resource |
| Description | This is a CloudFormation resource for activating the first-party AWS::Hooks::GuardHook. |
| Id | aws.cloudformation.guard_hooks |

Fields

| Name | Datatype | Description |
|---|---|---|
| rule_location | object | S3 source location for the Guard rule files. |
| log_bucket | string | S3 bucket to which the Guard validation report will be uploaded. |
| hook_status | string | Attribute that specifies which stacks this hook applies to or should be invoked for. |
| target_operations | array | Which operations this hook runs against: resource changes, stacks or change sets. |
| failure_mode | string | Attribute that specifies CloudFormation behavior on hook failure. |
| target_filters | object | Attribute that specifies which targets should invoke the hook. |
| stack_filters | object | Filters that allow hooks to target specific stack attributes. |
| alias | string | The type name alias for the hook. |
| hook_arn | string | The Amazon Resource Name (ARN) of the activated hook. |
| execution_role | string | The execution role ARN assumed by hooks to read Guard rules from S3 and write Guard outputs to S3. |
| options | | |
| region | string | AWS region. |

For more information, see AWS::CloudFormation::GuardHook.

Methods

| Name | Accessible by | Required Params |
|---|---|---|
| create_resource | INSERT | RuleLocation, HookStatus, TargetOperations, FailureMode, Alias, ExecutionRole, region |
| delete_resource | DELETE | data__Identifier, region |
| update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
| list_resources | SELECT | region |
| get_resource | SELECT | data__Identifier, region |

SELECT examples

Gets all guard_hooks in a region.

SELECT
region,
rule_location,
log_bucket,
hook_status,
target_operations,
failure_mode,
target_filters,
stack_filters,
alias,
hook_arn,
execution_role,
options
FROM aws.cloudformation.guard_hooks
WHERE region = 'us-east-1';

Gets all properties from an individual guard_hook.

SELECT
region,
rule_location,
log_bucket,
hook_status,
target_operations,
failure_mode,
target_filters,
stack_filters,
alias,
hook_arn,
execution_role,
options
FROM aws.cloudformation.guard_hooks
WHERE region = 'us-east-1' AND data__Identifier = '<HookArn>';

INSERT example

Use the following StackQL query and manifest file to create a new guard_hook resource, using stack-deploy.

/*+ create */
INSERT INTO aws.cloudformation.guard_hooks (
RuleLocation,
HookStatus,
TargetOperations,
FailureMode,
Alias,
ExecutionRole,
region
)
SELECT
'{{ RuleLocation }}',
'{{ HookStatus }}',
'{{ TargetOperations }}',
'{{ FailureMode }}',
'{{ Alias }}',
'{{ ExecutionRole }}',
'{{ region }}';
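As an added example (not part of the StackQL docs or the provider's own code), the same INSERT with concrete values for a hook that blocks rather than warns, followed by an audit query that finds activated hooks that cannot block a deployment. The bucket names, account id, role ARN and alias are placeholders; passing the object and array properties as JSON strings is assumed from the provider's conventions.

```sql
-- Activate a Guard hook that fails (rather than warns on) non-compliant
-- resource, stack and change-set operations. All names, the account id
-- and the role ARN are placeholders, not real identifiers.
/*+ create */
INSERT INTO aws.cloudformation.guard_hooks (
  RuleLocation,
  LogBucket,
  HookStatus,
  TargetOperations,
  FailureMode,
  StackFilters,
  Alias,
  ExecutionRole,
  region
)
SELECT
  '{"Uri": "s3://example-guard-rules/rules/"}',                 -- object, assumed JSON string
  'example-guard-reports',                                      -- where validation reports land
  'ENABLED',
  '["RESOURCE", "STACK", "CHANGE_SET"]',                        -- array, assumed JSON string
  'FAIL',                                                       -- block, do not just warn
  '{"FilteringCriteria": "ANY", "StackNames": {"Exclude": ["CDKToolkit"]}}',
  'Private::Security::ResourceGuard',                           -- placeholder alias
  'arn:aws:iam::123456789012:role/ExampleGuardHookExecutionRole',
  'us-east-1';

-- Audit: list activated Guard hooks in the region that cannot stop a
-- deployment, i.e. hooks that are disabled or only warn on a failed rule.
SELECT
  alias,
  hook_arn,
  hook_status,
  failure_mode,
  target_operations
FROM aws.cloudformation.guard_hooks
WHERE region = 'us-east-1'
  AND (hook_status <> 'ENABLED' OR failure_mode <> 'FAIL');
```

The audit query returns an empty result when every hook in the region is both enabled and set to FAIL; any row it returns is a hook whose rules are evaluated but not enforced.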

DELETE example

/*+ delete */
DELETE FROM aws.cloudformation.guard_hooks
WHERE data__Identifier = '<HookArn>'
AND region = 'us-east-1';

Permissions

To operate on the guard_hooks resource, the following permissions are required:

Create

cloudformation:ActivateType,
cloudformation:DescribeType,
cloudformation:ListTypes,
cloudformation:SetTypeConfiguration,
cloudformation:BatchDescribeTypeConfigurations,
iam:PassRole

Read

cloudformation:DescribeType,
cloudformation:BatchDescribeTypeConfigurations

Update

cloudformation:BatchDescribeTypeConfigurations,
cloudformation:DescribeType,
cloudformation:SetTypeConfiguration,
iam:PassRole

Delete

cloudformation:BatchDescribeTypeConfigurations,
cloudformation:DescribeType,
cloudformation:DeactivateType,
cloudformation:SetTypeConfiguration

List

cloudformation:ListTypes,
cloudformation:DescribeType,
cloudformation:BatchDescribeTypeConfigurations