guard_hooks
Creates, updates, deletes or gets a guard_hook resource or lists guard_hooks in a region
Overview
Name | guard_hooks |
Type | Resource |
Description | This is a CloudFormation resource for activating the first-party AWS::Hooks::GuardHook. |
Id | aws.cloudformation.guard_hooks |
Fields
Name | Datatype | Description |
---|---|---|
rule_location | object | S3 Source Location for the Guard files. |
log_bucket | string | S3 Bucket where the guard validate report will be uploaded to |
hook_status | string | Attribute to specify which stacks this hook applies to or should get invoked for |
target_operations | array | Which operations should this Hook run against? Resource changes, stacks or change sets. |
failure_mode | string | Attribute to specify CloudFormation behavior on hook failure. |
target_filters | object | Attribute to specify which targets should invoke the hook |
stack_filters | object | Filters to allow hooks to target specific stack attributes |
alias | string | The typename alias for the hook. |
hook_arn | string | The Amazon Resource Name (ARN) of the activated hook |
execution_role | string | The execution role ARN assumed by hooks to read Guard rules from S3 and write Guard outputs to S3. |
options | | |
region | string | AWS region. |
For more information, see AWS::CloudFormation::GuardHook.
Methods
Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | RuleLocation, HookStatus, TargetOperations, FailureMode, Alias, ExecutionRole, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all guard_hooks in a region.
SELECT
  region,
  rule_location,
  log_bucket,
  hook_status,
  target_operations,
  failure_mode,
  target_filters,
  stack_filters,
  alias,
  hook_arn,
  execution_role,
  options
FROM aws.cloudformation.guard_hooks
WHERE region = 'us-east-1';
Gets all properties from an individual guard_hook.
SELECT
  region,
  rule_location,
  log_bucket,
  hook_status,
  target_operations,
  failure_mode,
  target_filters,
  stack_filters,
  alias,
  hook_arn,
  execution_role,
  options
FROM aws.cloudformation.guard_hooks
WHERE region = 'us-east-1' AND data__Identifier = '<HookArn>';
INSERT example
Use the following StackQL query and manifest file to create a new guard_hook resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO aws.cloudformation.guard_hooks (
  RuleLocation,
  HookStatus,
  TargetOperations,
  FailureMode,
  Alias,
  ExecutionRole,
  region
)
SELECT
  '{{ RuleLocation }}',
  '{{ HookStatus }}',
  '{{ TargetOperations }}',
  '{{ FailureMode }}',
  '{{ Alias }}',
  '{{ ExecutionRole }}',
  '{{ region }}';
/*+ create */
INSERT INTO aws.cloudformation.guard_hooks (
  RuleLocation,
  LogBucket,
  HookStatus,
  TargetOperations,
  FailureMode,
  TargetFilters,
  StackFilters,
  Alias,
  ExecutionRole,
  Options,
  region
)
SELECT
  '{{ RuleLocation }}',
  '{{ LogBucket }}',
  '{{ HookStatus }}',
  '{{ TargetOperations }}',
  '{{ FailureMode }}',
  '{{ TargetFilters }}',
  '{{ StackFilters }}',
  '{{ Alias }}',
  '{{ ExecutionRole }}',
  '{{ Options }}',
  '{{ region }}';
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: guard_hook
    props:
      - name: RuleLocation
        value:
          Uri: '{{ Uri }}'
          VersionId: '{{ VersionId }}'
      - name: LogBucket
        value: '{{ LogBucket }}'
      - name: HookStatus
        value: '{{ HookStatus }}'
      - name: TargetOperations
        value:
          - '{{ TargetOperations[0] }}'
      - name: FailureMode
        value: '{{ FailureMode }}'
      - name: TargetFilters
        value: {}
      - name: StackFilters
        value:
          FilteringCriteria: '{{ FilteringCriteria }}'
          StackNames:
            Include:
              - '{{ Include[0] }}'
            Exclude:
              - null
          StackRoles:
            Include:
              - '{{ Include[0] }}'
            Exclude:
              - null
      - name: Alias
        value: '{{ Alias }}'
      - name: ExecutionRole
        value: null
      - name: Options
        value: null
DELETE example
/*+ delete */
DELETE FROM aws.cloudformation.guard_hooks
WHERE data__Identifier = '<HookArn>'
AND region = 'us-east-1';
Permissions
To operate on the guard_hooks resource, the following permissions are required:
Create
cloudformation:ActivateType,
cloudformation:DescribeType,
cloudformation:ListTypes,
cloudformation:SetTypeConfiguration,
cloudformation:BatchDescribeTypeConfigurations,
iam:PassRole
Read
cloudformation:DescribeType,
cloudformation:BatchDescribeTypeConfigurations
Update
cloudformation:BatchDescribeTypeConfigurations,
cloudformation:DescribeType,
cloudformation:SetTypeConfiguration,
iam:PassRole
Delete
cloudformation:BatchDescribeTypeConfigurations,
cloudformation:DescribeType,
cloudformation:DeactivateType,
cloudformation:SetTypeConfiguration
List
cloudformation:ListTypes,
cloudformation:DescribeType,
cloudformation:BatchDescribeTypeConfigurations