Migrate 016-opensearch and 043-mq to CloudFormation for resource creation

mwunderl · mwunderl · commit 3d9eaf1fe732 · 2026-05-01T04:39:48.000Z
Replace CLI create + wait loops with cloudformation deploy. CFN handles
the 15-20 min creation wait, rollback on failure, and guaranteed cleanup
via delete-stack. Eliminates timeout-induced resource leaks.

016-opensearch: cfn-opensearch-domain.yaml (domain + access policy + encryption)
043-amazon-mq: cfn-mq-broker.yaml (broker + user + public access)

Scripts still use CLI for tutorial steps (indexing, messaging). Only the
long-running infrastructure creation moves to CFN.
diff --git a/tuts/016-opensearch-service-gs/cfn-opensearch-domain.yaml b/tuts/016-opensearch-service-gs/cfn-opensearch-domain.yaml
@@ -0,0 +1,65 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: OpenSearch domain for the Getting Started tutorial
+
+Parameters:
+  DomainName:
+    Type: String
+    Description: Name for the OpenSearch domain
+  MasterUserName:
+    Type: String
+    Default: admin
+  MasterUserPassword:
+    Type: String
+    NoEcho: true
+
+Resources:
+  OpenSearchDomain:
+    Type: AWS::OpenSearchService::Domain
+    Properties:
+      DomainName: !Ref DomainName
+      EngineVersion: OpenSearch_2.11
+      ClusterConfig:
+        InstanceType: t3.small.search
+        InstanceCount: 1
+        ZoneAwarenessEnabled: false
+      EBSOptions:
+        EBSEnabled: true
+        VolumeType: gp3
+        VolumeSize: 10
+      NodeToNodeEncryptionOptions:
+        Enabled: true
+      EncryptionAtRestOptions:
+        Enabled: true
+      DomainEndpointOptions:
+        EnforceHTTPS: true
+        TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
+      AdvancedSecurityOptions:
+        Enabled: true
+        InternalUserDatabaseEnabled: true
+        MasterUserOptions:
+          MasterUserName: !Ref MasterUserName
+          MasterUserPassword: !Ref MasterUserPassword
+      AccessPolicies:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            Action:
+              - 'es:ESHttpGet'
+              - 'es:ESHttpPut'
+              - 'es:ESHttpPost'
+              - 'es:ESHttpDelete'
+              - 'es:ESHttpHead'
+            Resource: !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*'
+      Tags:
+        - Key: project
+          Value: doc-smith
+        - Key: tutorial
+          Value: opensearch-service-gs
+
+Outputs:
+  DomainEndpoint:
+    Value: !GetAtt OpenSearchDomain.DomainEndpoint
+  DomainArn:
+    Value: !GetAtt OpenSearchDomain.Arn
diff --git a/tuts/016-opensearch-service-gs/opensearch-service-gs.sh b/tuts/016-opensearch-service-gs/opensearch-service-gs.sh
@@ -112,101 +112,40 @@ echo "This may take 15-30 minutes to complete."
 
 # SECURITY IMPROVED: Use least privilege access policy
 # This policy restricts access to specific actions and should be further restricted to specific principals in production
-ACCESS_POLICY="{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::${ACCOUNT_ID}:root\"},\"Action\":[\"es:ESHttpGet\",\"es:ESHttpPut\",\"es:ESHttpPost\",\"es:ESHttpDelete\",\"es:ESHttpHead\"],\"Resource\":\"arn:aws:es:${AWS_REGION}:${ACCOUNT_ID}:domain/${DOMAIN_NAME}/*\"}]}"
-
-echo "Access policy created for region: $AWS_REGION"
-echo "Access policy: [REDACTED]"
-
-# Create the domain (matches tutorial command exactly)
-echo "Creating domain $DOMAIN_NAME..."
-CREATE_OUTPUT=$(aws opensearch create-domain \
-  --domain-name "$DOMAIN_NAME" \
-  --engine-version "OpenSearch_2.11" \
-  --cluster-config "InstanceType=t3.small.search,InstanceCount=1,ZoneAwarenessEnabled=false" \
-  --ebs-options "EBSEnabled=true,VolumeType=gp3,VolumeSize=10" \
-  --node-to-node-encryption-options "Enabled=true" \
-  --encryption-at-rest-options "Enabled=true" \
-  --domain-endpoint-options "EnforceHTTPS=true,TLSSecurityPolicy=Policy-Min-TLS-1-2-2019-07" \
-  --advanced-security-options "Enabled=true,InternalUserDatabaseEnabled=true,MasterUserOptions={MasterUserName=$MASTER_USER,MasterUserPassword=$MASTER_PASSWORD}" \
-  --access-policies "$ACCESS_POLICY" \
-  --tags "Key=Environment,Value=Tutorial" "Key=Purpose,Value=OpenSearchGettingStarted" "Key=project,Value=doc-smith" "Key=tutorial,Value=opensearch-service-gs" 2>&1)
-
-# Check if domain creation was successful
-if [[ $? -ne 0 ]]; then
-    echo "Failed to create OpenSearch domain:"
-    echo "$CREATE_OUTPUT"
-    handle_error "Domain creation failed"
-fi
-
-# Verify the domain was actually created by checking the output
-if echo "$CREATE_OUTPUT" | grep -q "DomainStatus"; then
-    echo "Domain creation initiated successfully."
-    DOMAIN_CREATED=true
-else
-    echo "Domain creation output:"
-    echo "$CREATE_OUTPUT"
-    handle_error "Domain creation may have failed - no DomainStatus in response"
-fi
-
-# Wait for domain to become active (improved logic)
-echo "Waiting for domain to become active..."
-RETRY_COUNT=0
-MAX_RETRIES=45  # 45 minutes with 60 second intervals
-
-while [[ $RETRY_COUNT -lt $MAX_RETRIES ]]; do
-    echo "Checking domain status... (attempt $((RETRY_COUNT+1))/$MAX_RETRIES)"
-    
-    # Get domain status
-    DOMAIN_STATUS=$(aws opensearch describe-domain --domain-name "$DOMAIN_NAME" 2>&1)
-    
-    if [[ $? -ne 0 ]]; then
-        echo "Error checking domain status:"
-        echo "$DOMAIN_STATUS"
-        
-        # If domain not found after several attempts, it likely failed to create
-        if [[ $RETRY_COUNT -gt 5 ]] && echo "$DOMAIN_STATUS" | grep -q "ResourceNotFoundException"; then
-            handle_error "Domain not found after multiple attempts. Domain creation likely failed."
-        fi
-        
-        echo "Will retry in 60 seconds..."
-    else
-        # Check if domain is no longer processing
-        if echo "$DOMAIN_STATUS" | grep -q '"Processing": false'; then
-            DOMAIN_ACTIVE=true
-            echo "Domain is now active!"
-            break
-        else
-            echo "Domain is still being created. Checking again in 60 seconds..."
-        fi
-    fi
-    
-    sleep 60
-    RETRY_COUNT=$((RETRY_COUNT+1))
-done
-
-# Verify domain is active
-if [[ "$DOMAIN_ACTIVE" != "true" ]]; then
-    echo "Domain creation is taking longer than expected ($((MAX_RETRIES)) minutes)."
-    echo "You can check the status later using:"
-    echo "aws opensearch describe-domain --domain-name $DOMAIN_NAME"
-    handle_error "Domain did not become active within the expected time"
-fi
-
-# Get domain endpoint (matches tutorial)
-echo "Retrieving domain endpoint..."
-DOMAIN_ENDPOINT=$(aws opensearch describe-domain --domain-name "$DOMAIN_NAME" --query 'DomainStatus.Endpoint' --output text)
-
-if [[ $? -ne 0 ]] || [[ -z "$DOMAIN_ENDPOINT" ]] || [[ "$DOMAIN_ENDPOINT" == "None" ]]; then
-    handle_error "Failed to get domain endpoint"
+# Create the domain using CloudFormation (handles the 15-20 min creation wait)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+STACK_NAME="tutorial-opensearch-${RANDOM_ID}"
+
+echo "Creating domain $DOMAIN_NAME via CloudFormation..."
+echo "This typically takes 15-20 minutes. CloudFormation will wait for completion."
+aws cloudformation deploy \
+  --template-file "$SCRIPT_DIR/cfn-opensearch-domain.yaml" \
+  --stack-name "$STACK_NAME" \
+  --parameter-overrides \
+    DomainName="$DOMAIN_NAME" \
+    MasterUserName="$MASTER_USER" \
+    MasterUserPassword="$MASTER_PASSWORD" \
+  --tags project=doc-smith tutorial=opensearch-service-gs \
+  --no-fail-on-empty-changeset 2>&1 || handle_error "CloudFormation stack creation failed"
+
+DOMAIN_CREATED=true
+echo "Domain created successfully via CloudFormation."
+
+# Get domain endpoint from stack outputs
+DOMAIN_ENDPOINT=$(aws cloudformation describe-stacks \
+  --stack-name "$STACK_NAME" \
+  --query 'Stacks[0].Outputs[?OutputKey==`DomainEndpoint`].OutputValue' \
+  --output text)
+
+if [[ -z "$DOMAIN_ENDPOINT" ]] || [[ "$DOMAIN_ENDPOINT" == "None" ]]; then
+    handle_error "Failed to get domain endpoint from CloudFormation outputs"
 fi
 
 echo "Domain endpoint: $DOMAIN_ENDPOINT"
 
-# Wait additional time for fine-grained access control to be fully ready
-echo "Domain is active, but waiting additional time for fine-grained access control to be fully ready..."
-echo "Fine-grained access control can take several minutes to initialize after domain becomes active."
-echo "Waiting 8 minutes for full initialization..."
-sleep 480  # Wait 8 minutes for fine-grained access control to be ready
+# Wait for fine-grained access control to be fully ready
+echo "Waiting for fine-grained access control to initialize..."
+sleep 120
 
 # Verify variables are set correctly (matches tutorial)
 echo "Verifying configuration..."
@@ -534,21 +473,22 @@ CLEANUP_CHOICE="y"
 
 if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then
     echo "Cleaning up resources..."
-    aws opensearch delete-domain --domain-name "$DOMAIN_NAME"
-    echo "✓ Cleanup initiated. Domain deletion may take several minutes to complete."
-    echo ""
-    echo "You can check the deletion status using:"
-    echo "aws opensearch describe-domain --domain-name $DOMAIN_NAME"
-    echo ""
-    echo "When deletion is complete, you'll see a 'Domain not found' error."
+    if [ -n "${STACK_NAME:-}" ]; then
+        echo "Deleting CloudFormation stack $STACK_NAME..."
+        aws cloudformation delete-stack --stack-name "$STACK_NAME"
+        echo "✓ Stack deletion initiated. This may take several minutes."
+        echo "  Monitor: aws cloudformation describe-stacks --stack-name $STACK_NAME"
+    else
+        aws opensearch delete-domain --domain-name "$DOMAIN_NAME" 2>/dev/null
+        echo "✓ Domain deletion initiated."
+    fi
 else
     echo "Resources will NOT be deleted automatically."
     echo ""
-    echo "To delete the domain later, use:"
-    echo "aws opensearch delete-domain --domain-name $DOMAIN_NAME"
+    echo "To delete later:"
+    echo "  aws cloudformation delete-stack --stack-name ${STACK_NAME:-tutorial-opensearch-XXXX}"
     echo ""
     echo "⚠ IMPORTANT: Keeping these resources will incur ongoing AWS charges!"
-    echo "   Estimated cost: ~$0.038/hour (~$0.91/day)"
 fi
 
 # Clean up temporary files (handled by trap)
diff --git a/tuts/043-amazon-mq-gs/amazon-mq-gs.sh b/tuts/043-amazon-mq-gs/amazon-mq-gs.sh
@@ -55,7 +55,12 @@ handle_error() {
 cleanup_resources() {
     echo "Cleaning up resources..."
     
-    if [ -n "${BROKER_ID:-}" ]; then
+    # Prefer CloudFormation stack deletion (handles broker + dependencies)
+    if [ -n "${STACK_NAME:-}" ]; then
+        echo "Deleting CloudFormation stack: $STACK_NAME"
+        aws cloudformation delete-stack --stack-name "$STACK_NAME" 2>/dev/null
+        echo "Stack deletion initiated."
+    elif [ -n "${BROKER_ID:-}" ]; then
         echo "Deleting Amazon MQ broker: $BROKER_ID"
         if ! aws mq delete-broker --broker-id "$BROKER_ID" 2>/dev/null; then
             echo "Warning: Failed to delete broker or broker already deleted"
@@ -132,64 +137,34 @@ echo "Creating Amazon MQ broker: $BROKER_NAME"
 echo "WARNING: Broker is being created with public accessibility for tutorial purposes only"
 echo "In production, use private subnets and proper network controls"
 
-BROKER_RESULT=$(aws mq create-broker \
-  --broker-name "$BROKER_NAME" \
-  --engine-type ACTIVEMQ \
-  --engine-version 5.18 \
-  --host-instance-type mq.t3.micro \
-  --deployment-mode SINGLE_INSTANCE \
-  --authentication-strategy SIMPLE \
-  --users "Username=$MQ_USERNAME,Password=$MQ_PASSWORD,ConsoleAccess=true" \
-  --publicly-accessible \
-  --auto-minor-version-upgrade \
-  --storage-type EFS \
-  --tags project=doc-smith,tutorial=amazon-mq-gs \
-  2>&1)
-
-# Check for errors
-if echo "$BROKER_RESULT" | grep -i "error" > /dev/null; then
-    handle_error "Failed to create broker: $BROKER_RESULT"
-fi
+# Deploy via CloudFormation (handles the 15-20 min creation wait)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+STACK_NAME="tutorial-mq-${RANDOM_ID}"
+
+echo "Deploying broker via CloudFormation. This typically takes 15-20 minutes..."
+aws cloudformation deploy \
+  --template-file "$SCRIPT_DIR/cfn-mq-broker.yaml" \
+  --stack-name "$STACK_NAME" \
+  --parameter-overrides \
+    BrokerName="$BROKER_NAME" \
+    MQUsername="$MQ_USERNAME" \
+    MQPassword="$MQ_PASSWORD" \
+  --tags project=doc-smith tutorial=amazon-mq-gs \
+  --no-fail-on-empty-changeset 2>&1 || handle_error "CloudFormation stack creation failed"
+
+echo "Broker created successfully via CloudFormation."
+
+# Extract broker ID from stack
+BROKER_ID=$(aws cloudformation describe-stacks \
+  --stack-name "$STACK_NAME" \
+  --query 'Stacks[0].Outputs[?OutputKey==`BrokerId`].OutputValue' \
+  --output text)
 
-# Extract broker ID using jq for safer parsing
-BROKER_ID=$(echo "$BROKER_RESULT" | jq -r '.BrokerId // empty')
 if [ -z "$BROKER_ID" ]; then
-    handle_error "Failed to extract broker ID from response"
+    handle_error "Failed to extract broker ID from CloudFormation outputs"
 fi
 
-echo "Broker creation initiated. Broker ID: $BROKER_ID"
-
-# Step 3: Wait for the broker to be in RUNNING state
-echo "Waiting for broker to be in RUNNING state. This may take 15-20 minutes..."
-MAX_ATTEMPTS=120
-ATTEMPT=0
-
-while [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do
-    BROKER_STATE=$(aws mq describe-broker --broker-id "$BROKER_ID" --query 'BrokerState' --output text 2>&1)
-    
-    if echo "$BROKER_STATE" | grep -i "error" > /dev/null; then
-        handle_error "Error checking broker state: $BROKER_STATE"
-    fi
-    
-    echo "Current broker state: $BROKER_STATE (Attempt $((ATTEMPT + 1))/$MAX_ATTEMPTS)"
-    
-    if [ "$BROKER_STATE" == "RUNNING" ]; then
-        echo "Broker is now in RUNNING state"
-        break
-    elif [ "$BROKER_STATE" == "CREATION_FAILED" ]; then
-        handle_error "Broker creation failed"
-    fi
-    
-    ATTEMPT=$((ATTEMPT + 1))
-    if [ $ATTEMPT -lt $MAX_ATTEMPTS ]; then
-        echo "Waiting 60 seconds before checking again..."
-        sleep 60
-    fi
-done
-
-if [ $ATTEMPT -eq $MAX_ATTEMPTS ]; then
-    handle_error "Broker did not reach RUNNING state within expected time"
-fi
+echo "Broker ID: $BROKER_ID"
 
 # Step 4: Get broker connection details
 echo "Retrieving broker connection details..."
diff --git a/tuts/043-amazon-mq-gs/cfn-mq-broker.yaml b/tuts/043-amazon-mq-gs/cfn-mq-broker.yaml
@@ -0,0 +1,51 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Amazon MQ broker for the Getting Started tutorial
+
+Parameters:
+  BrokerName:
+    Type: String
+    Description: Name for the MQ broker
+  MQUsername:
+    Type: String
+    Default: tutorialAdmin
+  MQPassword:
+    Type: String
+    NoEcho: true
+    MinLength: 12
+
+Resources:
+  MQBroker:
+    Type: AWS::AmazonMQ::Broker
+    Properties:
+      BrokerName: !Ref BrokerName
+      EngineType: ACTIVEMQ
+      EngineVersion: '5.18'
+      HostInstanceType: mq.t3.micro
+      DeploymentMode: SINGLE_INSTANCE
+      AuthenticationStrategy: SIMPLE
+      PubliclyAccessible: true
+      AutoMinorVersionUpgrade: true
+      StorageType: EFS
+      Users:
+        - Username: !Ref MQUsername
+          Password: !Ref MQPassword
+          ConsoleAccess: true
+      Tags:
+        - Key: project
+          Value: doc-smith
+        - Key: tutorial
+          Value: amazon-mq-gs
+
+Outputs:
+  BrokerId:
+    Value: !Ref MQBroker
+  BrokerArn:
+    Value: !GetAtt MQBroker.Arn
+  AmqpEndpoint:
+    Value: !Select [0, !GetAtt MQBroker.AmqpEndpoints]
+  StompEndpoint:
+    Value: !Select [0, !GetAtt MQBroker.StompEndpoints]
+  OpenWireEndpoint:
+    Value: !Select [0, !GetAtt MQBroker.OpenWireEndpoints]
+  ConsoleURL:
+    Value: !Sub 'https://${MQBroker}.mq.${AWS::Region}.amazonaws.com'
