Security News
PyPI Introduces Digital Attestations to Strengthen Python Package Security
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
@humanmade/cf-to-tf
Advanced tools
A cli tool to generate a Terraform CloudFormation resource and state from an existing CloudFormation stack
CloudFormation to Terraform A simple cli tool for generating Terraform configuration for existing CloudFormation templates. | |
A Human Made project. Maintained by @nathanielks. |
This node CLI tool is used for generating both Terraform configuration files as well as Terraform state so that you can use Terraform to manage CloudFormation templates. To further clarify, it does not generate terraform configuration for the individual resources CloudFormation provisions, it generates an aws_cloudformation_stack
resource so that you can manage your existing CloudFormation stacks with Terraform instead of or in conjunction with the AWS Console and CLI.
npm i -g @humanmade/cf-to-tf
As this was designed to generate Terraform resources, it'd be a good idea to install terraform
. You can install the binary by itself or use a tool like brew
to manage it for you.
It's also recommended to install json2hcl
as this will assist in processing output from cf-to-tf
later.
Let's use the following CloudFormation Stack response as an example:
{
"Stacks": [
{
"StackId": "arn:aws:cloudformation:eu-central-1:123456789012:stack/foobarbaz/255491f0-71b8-11e7-a154-500c52a6cefe",
"Description": "FooBar Stack",
"Parameters": [
{
"ParameterValue": "bar",
"ParameterKey": "foo"
},
{
"ParameterValue": "baz",
"ParameterKey": "bar"
},
{
"ParameterValue": "qux",
"ParameterKey": "baz"
}
],
"Tags": [
{
"Value": "bar",
"Key": "foo"
},
{
"Value": "qux",
"Key": "baz"
}
],
"Outputs": [
{
"Description": "Foobarbaz",
"OutputKey": "FooBarBaz",
"OutputValue": "output value"
}
],
"CreationTime": "2017-07-26T04:08:57.266Z",
"Capabilities": [
"CAPABILITY_IAM"
],
"StackName": "foobarbaz",
"NotificationARNs": [],
"StackStatus": "CREATE_COMPLETE",
"DisableRollback": true
}
]
}
Running cf-to-tf --stack foobarbaz config | json2hcl | cf-to-tf clean-hcl | terraform fmt -
will generate the following config:
resource "aws_cloudformation_stack" "network" {
capabilities = ["CAPABILITY_IAM"]
disable_rollback = true
name = "foobarbaz"
parameters = {
foo = "bar"
bar = "baz"
baz = "qux"
}
tags = {
foo = "bar"
baz = "qux"
}
}
Usage: cf-to-tf [options] [command]
Options:
-s, --stack <stack> The CloudFormation stack to import
-r, --resource-name <resourceName> The name to assign the terraform resource
-h, --help output usage information
Commands:
config Generates Terraform configuration in JSON
state Generates Terraform state file in JSON
template Prints the CloudFormation Stack Template
clean-hcl Cleans generated HCL according to my preferences
This tool is designed to be used in conjunction with other tools. It will only output the data to STDOUT
and is designed to be piped to another program to write the file to a location. For example, to generate a configuration file for a stack named lambda-resources
, we could do the following:
cf-to-tf -s lambda-resources config | tee main.tf.json
This command will fetch a CloudFormation stack named lambda-resources
and generate the required Terraform configuration for it. We then pipe the output to tee
which will write to a file named main.tf.json
. Because HCL is JSON compatible, Terraform can read the main.tf.json
natively.
To generate the associated Terraform state for this CloudFormation stack, you would run the following:
cf-to-tf -s lambda-resources state | tee terraform.tfstate
This will create a state file from scratch. It assumes you don't already have an existing state file in place. I'm considering updating the tool to write just the resource portion of the state so it can be added to an existing state file, but that wasn't an immediate priority.
Both of these commands will generate compressed JSON output, meaning whitespace has been stripped. To pretty print the output for enhanced readability, you could pipe the output to jq
, and then to tee
:
cf-to-tf -s lambda-resources config | jq '.' | tee main.tf.json
cf-to-tf -s lambda-resources state | jq '.' | tee terraform.tfstate
It's also possible to use a tool called json2hcl
to generate HCL:
cf-to-tf -s lambda-resources config | json2hcl | tee main.tf
Unfortunately, while json2hcl
outputs valid HCL, it's not in the format I like. To solve that problem, the clean-hcl
command is also available. To output HCL in the format you'll normally see, you can execute this chain:
cf-to-tf -s lambda-resources config | json2hcl | cf-to-tf clean-hcl | terraform fmt - | tee main.tf
We're doing the same thing we were doing before, but now we're also piping the result to cf-to-tf clean-hcl
which formats the file a certain way, then piping it to terraform fmt -
which formats the file further (primarily, this tool aligns =
and adds newlines where necessary).
It's also possible to have cf-to-tf
read stack data from STDIN
. For example, if you have the JSON response from the aws-cli
call stored in a variable for re-use, you can do the following:
JSON="$(aws cloudformation describe-stacks --stack-name lambda-resources)"
echo "$JSON" | cf-to-tf -s - config
The command uses the AWS SDK under the hood to retrieve the CloudFormation stack details, so set your authentication credentials as you would normally (~/.aws/credentials
, AWS_PROFILE
, AWS_REGION
, etc).
For an example of how to use this script in batch operations importing multiple stacks in multiple regions, refer to this gist.
FAQs
A cli tool to generate a Terraform CloudFormation resource and state from an existing CloudFormation stack
The npm package @humanmade/cf-to-tf receives a total of 1 weekly downloads. As such, @humanmade/cf-to-tf popularity was classified as not popular.
We found that @humanmade/cf-to-tf demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.