ACM.62 Eliminate unnamed and unnecessary route tables and set the main route table after deploying an CloudFormation VPC stack
This is a continuation of my series of posts on Automating Cybersecurity Metrics.
~~~~~~
Unfortunately still dealing with this:
~~~~~
In my last post I explained how creating route tables for VPCs with CloudFormation does not allow you to override the main route table. What you end up with is a route table with a name you want and an extraneous no-name route table.
In this post I explain how to automate removing the primary route table so you are only left with your named route table associated with our VPC.
Should You Call Functions in CloudFormation?
There are other methods to fix this problem besides what I am going to show you. You can create a Lambda function and call it — but I personally don’t like adding executable code to what is supposed to be a description of resources so I have yet to add a custom function to a CloudForamtion template. CloudFormation is more like data or configuration. It is used by executable code but it does not, itself, execute or trigger executions. I like to keep data or configuration and executable code separate. Ideally AWS just fixes this, but there are gaps in CloudFormation here and there and we have to find a work around.
Although I can manually fix it, it causes problems due to CloudFormation drift. You should manually delete any route tables prior to trying to delete the CloudFormation stack if you take this approach.
Replacing and deleting the main route table
We can fix this problem with a few CLI commands (or we could use Python later in a batch job) with the replace-route-table-association CLI command.
We’re also going to need to get our VPC ID:
And then get our main route table ID and the ID of the route table we added to the VPC:
The we’ll delete the main route table (as long as it’s not already set to the correct route table).
I added a new function to my network_functions.sh file:
Then I added a call to this new function to the end of the deploy_vpc function:
Note that when you go to delete your route CloudFormation stack after this change it will fail. Try again, check the box, and then you can delete it. If the route table ID below exists it will still be listed in your list of route tables and you will need to delete it separately.
Hope that helps. Really hope AWS fixes the problem above.
Stay tuned as I get back to deploying the subnets and security groups for our VPCs.
Teri Radichel
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
All the posts in this series:
____________________________________________
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
