2
votes

I'm setting up an ADFS EC2 instance using AWS CDK.

I can't find any understandable information regarding metadata in the documentation.

I tried the cdk-dasm tool to reverse-engineer it, but it misses out the metadata section.

How can I add sections under AWS::CloudFormation::Init?

I'm referring to the aws-quickstart repo:

https://github.com/aws-quickstart/quickstart-microsoft-activedirectory/blob/master/templates/Template_1_AD_2012R2.template

Below is the section I'm trying to convert; I'd appreciate any help!

    DomainController1:
      Type: AWS::EC2::Instance
      Metadata:
        AWS::CloudFormation::Init:
          configSets:
            config:
            - setup
            - rename
            - installADDS
            - configureSites
            - installADCS
            - finalize
          setup:
            files:
              c:\cfn\cfn-hup.conf:
                content:
                  Fn::Join:
                  - ''
                  - - "[main]\n"
                    - stack=
                    - Ref: AWS::StackName
                    - "\n"
                    - region=
                    - Ref: AWS::Region
                    - "\n"
              c:\cfn\hooks.d\cfn-auto-reloader.conf:
                content:
                  Fn::Join:
                  - ''
                  - - "[cfn-auto-reloader-hook]\n"
                    - 'triggers=post.update\n'
                    - 'path=Resources.DomainController1.Metadata.AWS::CloudFormation::Init\n'
                    - 'action=cfn-init.exe -v -c config -s '
                    - Ref: AWS::StackId
                    - " -r DomainController1"
                    - " --region "
                    - Ref: AWS::Region
                    - "\n"
              c:\cfn\scripts\Set-StaticIP.ps1:
                content:
                  Fn::Join:
                  - ''
                  - - "$netip = Get-NetIPConfiguration;"
                    - "$ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};"
                    - Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;
                    - Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress
                      $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength
                      -DefaultGateway $netip.IPv4DefaultGateway.NextHop;
                    - Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;
                    - "\n"
              c:\cfn\scripts\bootstrap.ps1:
                content:
                  Fn::Join:
                  - ''
                  - - "Import-Module GroupPolicy"
                    - "\n"
                    - 'try{ Invoke-WebRequest https://s3-us-gov-west-1.amazonaws.com/vocera-boxes-ic5vda9lly/open/DefaultDomainPolicy.zip -OutFile c:\DefaultDomainPolicy.zip'
                    - "\n"
                    - 'powershell.exe -command c:\cfn\scripts\Unzip-Archive.ps1 -Source "c:\DefaultDomainPolicy.zip" -Destination "C:\" }'
                    - "\n"
                    - 'catch {}'
                    - "\n"
                    - 'import-gpo -BackupGpoName "Default Domain Policy" -TargetName "Default Domain Policy" -path C:\DefaultDomainPolicy'
                    - "\n"
                    - 'gpupdate /force'
                    - "\n"
              c:\cfn\scripts\cis_changes.ps1:
                source: https://url.com/cis_changes.ps1
              'c:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml':
                source: https://url.com/cis_config.xml
              c:\cfn\scripts\ConvertTo-EnterpriseAdmin.ps1:
                source: https://url.com/ConvertTo-EnterpriseAdmin.ps1
              c:\cfn\scripts\New-CertificateAuthority.ps1:
                source: https://url.com/New-CertificateAuthority.ps1
              c:\cfn\modules\xAdcsDeployment_0.1.0.0.zip:
                source: https://url.com/xAdcsDeployment_0.1.0.0.zip
              c:\cfn\scripts\Unzip-Archive.ps1:
                source: https://url.com/Unzip-Archive.ps1
            services:
              windows:
                cfn-hup:
                  enabled: 'true'
                  ensureRunning: 'true'
                  files:
                  - c:\cfn\cfn-hup.conf
                  - c:\cfn\hooks.d\cfn-auto-reloader.conf
            commands:
              a-allow-hostname-update:
                command:
                  Fn::Join:
                  - ''
                  - - powershell.exe -Command c:\cfn\scripts\cis_changes.ps1
                waitAfterCompletion: '45'
              a-disable-win-fw:
                command:
                  Fn::Join:
                  - ''
                  - - powershell.exe -Command "Get-NetFirewallProfile | Set-NetFirewallProfile
                      -Enabled False"
                waitAfterCompletion: '0'
              b-set-execution-policy:
                command: powershell.exe -command Set-ExecutionPolicy RemoteSigned -Force
                waitAfterCompletion: '0'
              c-unpack-dsc-resource:
                command: powershell.exe -command c:\cfn\scripts\Unzip-Archive.ps1 -Source
                  c:\cfn\modules\xAdcsDeployment_0.1.0.0.zip -Destination 'C:\Program
                  Files\WindowsPowerShell\Modules'
                waitAfterCompletion: '0'
          rename:
            commands:
              a-set-static-ip:
                command:
                  Fn::Join:
                  - ''
                  - - powershell.exe -ExecutionPolicy RemoteSigned -Command c:\cfn\scripts\Set-StaticIP.ps1
                waitAfterCompletion: '45'
              b-execute-powershell-script-RenameComputer:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe Rename-Computer -NewName '
                    - 'DC1'
                    - " -Restart"
                waitAfterCompletion: forever
          installADDS:
            commands:
              1-install-prereqs:
                command:
                  Fn::Join:
                  - ''
                  - - powershell.exe -Command "Install-WindowsFeature AD-Domain-Services,
                      rsat-adds -IncludeAllSubFeature"
                waitAfterCompletion: '0'
              2-install-adds:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe -Command '
                    - "\"Install-ADDSForest -DomainName "
                    - Ref: DomainDNSName
                    - " "
                    - "-SafeModeAdministratorPassword (ConvertTo-SecureString "
                    - "'"
                    - Ref: VcaADPassword
                    - "'"
                    - " -AsPlainText -Force) "
                    - "-DomainMode Win2012R2 "
                    - "-DomainNetbiosName "
                    - Ref: DomainNetBIOSName
                    - " "
                    - "-ForestMode Win2012R2 "
                    - "-Confirm:$false "
                    - -Force"
                waitAfterCompletion: forever
              3-restart-service:
                command:
                  Fn::Join:
                  - ''
                  - - powershell.exe -Command Restart-Service NetLogon -EA 0
                waitAfterCompletion: '30'
              4-create-adminuser:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe -Command '
                    - "\"New-ADUser "
                    - "-Name "
                    - Ref: ADUSER
                    - " "
                    - "-UserPrincipalName "
                    - Ref: ADUSER
                    - "@"
                    - Ref: DomainDNSName
                    - " "
                    - "-AccountPassword (ConvertTo-SecureString "
                    - "'"
                    - Ref: VcaADPassword
                    - "'"
                    - " -AsPlainText -Force) "
                    - "-Enabled $true "
                    - -PasswordNeverExpires $true"
                waitAfterCompletion: '0'
              5-update-adminuser:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe -ExecutionPolicy RemoteSigned -Command c:\cfn\scripts\ConvertTo-EnterpriseAdmin.ps1
                      -Members '
                    - Ref: ADUSER
                waitAfterCompletion: '0'
          configureSites:
            commands:
              a-rename-default-site:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe '
                    - "\""
                    - Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext
                      -filter {Name -eq 'Default-First-Site-Name'} | Rename-ADObject -NewName
                      AZ1
                    - "\""
                waitAfterCompletion: '0'
              b-create-site-2:
                command:
                  Fn::Join:
                  - ''
                  - - powershell.exe New-ADReplicationSite AZ2
                waitAfterCompletion: '0'
              c-create-publicsubnet-1:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe -Command New-ADReplicationSubnet -Name '
                    - 172.30.209.0/24
                    - " -Site AZ1"
                waitAfterCompletion: '0'
              d-create-publicsubnet-2:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe -Command New-ADReplicationSubnet -Name '
                    - 172.30.210.0/24
                    - " -Site AZ2"
                waitAfterCompletion: '0'
              e-create-privatesubnet-1:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe -Command New-ADReplicationSubnet -Name '
                    - 172.30.212.0/24
                    - " -Site AZ1"
                waitAfterCompletion: '0'
              f-create-privatesubnet-2:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe -Command New-ADReplicationSubnet -Name '
                    - 172.30.213.0/24
                    - " -Site AZ2"
                waitAfterCompletion: '0'
              g-set-site-link:
                command:
                  Fn::Join:
                  - ''
                  - - powershell.exe -Command "
                    - Get-ADReplicationSiteLink -Filter * | Set-ADReplicationSiteLink
                      -SitesIncluded @{add='AZ2'} -ReplicationFrequencyInMinutes 15"
                waitAfterCompletion: '0'
          installADCS:
            commands:
              a-install-ca:
                command:
                  Fn::Join:
                  - ''
                  - - 'powershell.exe -Command c:\cfn\scripts\New-CertificateAuthority.ps1
                      -Username '
                    - Ref: ADUSER
                    - " -Password "
                    - "'"
                    - Ref: ADPassword
                    - "'"
                    - " -DomainDNSName "
                    - Ref: DomainDNSName
                waitAfterCompletion: '0'
              b-update-gpo:
                command: powershell.exe -command c:\cfn\scripts\bootstrap.ps1
                waitAfterCompletion: '0'
      Properties:
        DisableApiTermination: False
        ImageId:
          Fn::FindInMap:
          - AmiMap
          - Ref: AWS::Region
          - win2012r2
        InstanceType: t2.large
        IamInstanceProfile:
          Ref: ADProfile
        SubnetId: subnet-11111111
        Tags:
        - Key: Name
          Value:
            Fn::Join: [ "_", [ "ee", Ref: EnvironmentType, "AD", "1" ] ]
        - Key: "Product"
          Value:
            Ref: Product
        - Key: "Environment"
          Value:
            Ref: EnvironmentType
        - Key: "Role"
          Value:
            Ref: Role
        BlockDeviceMappings:
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeSize: '150'
            VolumeType: gp2
        SecurityGroupIds:
        - Ref: DomainControllerSG
        - sg-0000
        PrivateIpAddress:
          Ref: Server1PrivateIP
        KeyName:
          Ref: SSHkeyPair
        UserData:
          Fn::Base64:
            Fn::Join:
            - ''
            - - "<script>\n"
              - 'cfn-init.exe -v -c config -s '
              - Ref: AWS::StackId
              - " -r DomainController1"
              - " --region "
              - Ref: AWS::Region
              - "\n"
              - "</script>\n"

2 Answers

2
votes

To attach metadata that is synthesized and attached to resources, you need to add it as an explicit override. The .addMetadata method only adds internal CDK metadata that is not synthesized.

E.g.:

    instance.addOverride('Metadata.AWS::CloudFormation::Init', {
      config: {
        files: {
          '/root/run-iperf.sh': {
            content: runIperfScript,
            mode: '000755',
            owner: 'root',
            group: 'root'
          }
        }
      }
    });
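An added example in TypeScript, not code from the question or either answer: `buildDomainControllerInit` produces the object to pass to `addOverride('Metadata.AWS::CloudFormation::Init', ...)` for the question's template (reduced to `configSets` plus the `setup` files and service), and `validateInit` catches two mistakes that cfn-init otherwise reports only on the instance. It is kept free of CDK imports so it runs stand-alone; `Aws.STACK_NAME`, `Aws.REGION`, `Aws.STACK_ID` and `instance.instance` named in the comments are members of aws-cdk-lib and stand in for the `Ref: AWS::StackName` / `AWS::Region` / `AWS::StackId` of the YAML.

```typescript
type CfnInit = Record<string, any>; // shape of Metadata.AWS::CloudFormation::Init

// Build the Init block for the question's DomainController1, reduced to configSets and the
// 'setup' files/service. In a stack, pass the CDK tokens Aws.STACK_NAME, Aws.REGION and
// Aws.STACK_ID for the three ids; CDK resolves them into Fn::Join at synth time.
function buildDomainControllerInit(stackName: string, region: string, stackId: string,
                                   resource = 'DomainController1'): CfnInit {
  const hupConf = `[main]\nstack=${stackName}\nregion=${region}\n`;
  // cfn-hup re-runs cfn-init whenever this resource's Init metadata changes on a stack update
  const reloaderConf = '[cfn-auto-reloader-hook]\ntriggers=post.update\n' +
    `path=Resources.${resource}.Metadata.AWS::CloudFormation::Init\n` +
    `action=cfn-init.exe -v -c config -s ${stackId} -r ${resource} --region ${region}\n`;
  const hup = 'c:\\cfn\\cfn-hup.conf';
  const hook = 'c:\\cfn\\hooks.d\\cfn-auto-reloader.conf';
  return {
    configSets: { config: ['setup'] },
    setup: {
      files: { [hup]: { content: hupConf }, [hook]: { content: reloaderConf } },
      services: {
        windows: { 'cfn-hup': { enabled: 'true', ensureRunning: 'true', files: [hup, hook] } },
      },
    },
  };
}

// cfn-init only reports a configSet naming an unknown config, or a service watching a file
// that no config writes, at run time on the instance; catch both before synth instead.
function validateInit(init: CfnInit): string[] {
  const problems: string[] = [];
  const configs = Object.keys(init).filter((k) => k !== 'configSets');
  const sets = init.configSets ?? {};
  for (const set of Object.keys(sets)) {
    for (const m of sets[set] as string[]) {
      if (configs.indexOf(m) < 0) problems.push(`configSet ${set}: unknown config ${m}`);
    }
  }
  const written: string[] = [];
  for (const c of configs) written.push(...Object.keys(init[c].files ?? {}));
  for (const c of configs) {
    const svcs = init[c].services?.windows ?? {};
    for (const svc of Object.keys(svcs)) {
      for (const f of (svcs[svc].files ?? []) as string[]) {
        if (written.indexOf(f) < 0) problems.push(`service ${svc}: watches unwritten file ${f}`);
      }
    }
  }
  return problems;
}
// Stack usage: instance.instance.addOverride('Metadata.AWS::CloudFormation::Init', init)
// (instance.instance is the CfnInstance behind an ec2.Instance; a CfnInstance takes it directly).
```

Anything placed under Init metadata lands in plain text in the synthesized template, and CloudFormation does not redact the Metadata section even for NoEcho parameters, so the passwords the original passes on command lines (VcaADPassword, ADPassword) are readable by anyone who can fetch the template and in the cfn-init log on the instance. Fetching them at run time from Secrets Manager or an SSM SecureString parameter keeps them out of the template.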
1
votes

You can add metadata to a CDK construct by accessing the underlying node.

    const instance = new ec2.Instance(this, "MyInstance", {...});
    instance.node.addMetadata("key", "value");

Here is the documentation for ConstructNode.addMetadata:

https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.ConstructNode.html#add-wbr-metadatatype-data-from