AWS CloudFormation

Cloud sculpturing the AWS way

Tusa Viktor
Xively

Infrastructure as Code

  • Declarative

    • Declarative definition of the resources and their connections in the infrastructure and the code which applies the definition.

  • Repeatable

    • Applying the infrastructure definition over and over should yield the same result

  • Composable

    • Low-level building blocks of the infrastructure which are general enough to be reusable. (Resource-Oriented Infrastructure)

  • Verifiable

    • Should be able to test the resources and their connections.

AWS CloudFormation

  • Public Cloud = Resources + Management API
    • Not declarative
  • CloudFormation
    • Declarative format for resource provisioning
  • Supports almost every AWS resource

CloudFormation format

  • Supports JSON and YAML
  • Structured format with some "metaprogramming" capabilities
  • Template validation
    • Syntactic and basic semantic validation
  • Stacks and templates
    • Stack is the group of the created resources described by the template

Template anatomy

  • Format Version, Description, Metadata
  • Parameters
    • Typed parameters which can be referenced from the template resources section
  • Mappings
    • Specify "dictionaries" where values can be retrieved by a given key.
    • Usage example: Key: region, Values: AMI ids
  • Conditions
    • Specify simple conditions to influence resources creation
    • Eg: "IsProduction" : {"Fn::Equals" : [{"Ref" : "Environment"}, "production"]}

Template Anatomy #2


  • Transforms
    • Very new, came with the AWS "serverless" solution
    • Acts like a source macro in functional languages
  • Resources
    • The main part, which contains the resource descriptions
  • Outputs
    • Values (typically resource attributes) that become available once stack creation has finished

Resources

  • Typed AWS Resource description JSON object
    • Type means schema here
  • DeletionPolicy property
    • Keeps the actual resource (e.g. a database or bucket) when the stack is deleted
  • DependsOn
    • Dependency relation between resources
  • Special resource: WaitHandle
    • Waits until a pre-signed URL has been called a specified number of times
    • The pre-signed URL is created by the WaitConditionHandle resource
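As an added illustration of the "Verifiable" goal and of the DependsOn and DeletionPolicy properties above (example code written for this page, not the speaker's or AWS's own tooling), the script below runs a few static checks over a constructed JSON template: every Ref and DependsOn target must exist, stateful resources should carry a DeletionPolicy of Retain or Snapshot, and the explicit and implicit dependencies must form an acyclic graph, from which a creation order is derived. The list of "stateful" resource types is an assumption of this example, and the AMI id is a placeholder.

```python
"""Static checks for a CloudFormation template (added example, not the talk's code)."""
import json

# Constructed sample template: a web tier that depends on a database tier.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {
    "Environment": {"Type": "String", "AllowedValues": ["staging", "production"]}
  },
  "Resources": {
    "ProductionDatabase": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.small"}
    },
    "WebServer": {
      "Type": "AWS::EC2::Instance",
      "DependsOn": "ProductionDatabase",
      "Properties": {"ImageId": "ami-PLACEHOLDER",
                     "Tags": [{"Key": "Env", "Value": {"Ref": "Environment"}}]}
    },
    "LogBucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain"
    }
  }
}
""")

# Assumption of this example: these resource types hold data that should survive stack deletion.
STATEFUL_TYPES = {"AWS::RDS::DBInstance", "AWS::S3::Bucket", "AWS::DynamoDB::Table"}
# Pseudo parameters that may legitimately appear in a Ref without being declared.
PSEUDO_PARAMS = {"AWS::Region", "AWS::AccountId", "AWS::StackName", "AWS::NoValue"}


def find_refs(node):
    """Yield every logical name used in a {"Ref": ...} anywhere under node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        for value in node.values():
            yield from find_refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_refs(value)


def depends_on(resource):
    """DependsOn may be a single string or a list; normalise to a list."""
    dep = resource.get("DependsOn", [])
    return [dep] if isinstance(dep, str) else list(dep)


def check_template(template):
    """Return (errors, warnings); an empty error list means the basic semantic checks passed."""
    params = set(template.get("Parameters", {}))
    resources = template.get("Resources", {})
    known = params | set(resources) | PSEUDO_PARAMS
    errors, warnings = [], []
    for name, res in resources.items():
        for ref in find_refs(res.get("Properties", {})):
            if ref not in known:
                errors.append(f"{name}: Ref to undefined '{ref}'")
        for dep in depends_on(res):
            if dep not in resources:
                errors.append(f"{name}: DependsOn undefined resource '{dep}'")
        if res.get("Type") in STATEFUL_TYPES and res.get("DeletionPolicy") not in ("Retain", "Snapshot"):
            warnings.append(f"{name}: stateful {res['Type']} without DeletionPolicy Retain/Snapshot")
    return errors, warnings


def creation_order(template):
    """Topological order from explicit DependsOn and implicit Ref edges; raises on a cycle."""
    resources = template.get("Resources", {})
    edges = {}
    for name, res in resources.items():
        implicit = {r for r in find_refs(res.get("Properties", {})) if r in resources}
        edges[name] = set(depends_on(res)) | implicit
    order, done = [], set()
    while len(order) < len(resources):
        ready = sorted(n for n in resources if n not in done and edges[n] <= done)
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(set(resources) - done)))
        order.extend(ready)
        done.update(ready)
    return order


if __name__ == "__main__":
    errs, warns = check_template(SAMPLE_TEMPLATE)
    print("errors:", errs)
    print("warnings:", warns)
    print("creation order:", creation_order(SAMPLE_TEMPLATE))
```

On the sample template the checks report no errors, one warning (the RDS instance has no DeletionPolicy, so deleting the stack would delete the database) and the creation order LogBucket, ProductionDatabase, WebServer. The same checks run unchanged over a YAML template once it has been loaded into a dict.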

Template "Metaprogramming"


  • Reference
    • Can reference parameters or other resources
    • Can be used where a value is needed
    • { "Ref": "Environment"}
  • Functions
    • Attribute query of resources
    • Basic string manipulation/interpolation
    • Select value from mappings
    • Conditional functions
    • Eg.: { "Fn::GetAtt" : [ "MyEc2Instance", "PublicIp"]}
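To make the "metaprogramming" concrete, here is an added example (written for this page, not CloudFormation's own engine) of a small evaluator for Ref, Fn::Equals, Fn::If, Fn::FindInMap, Fn::GetAtt and Fn::Join, run over a constructed template that uses the Parameters, Mappings and Conditions sections described above. Resource attributes such as PublicIp only exist after the stack has been created, so the example takes a constructed attribute table as a stand-in; the region, account id, AMI ids and IP address are placeholders.

```python
"""Tiny evaluator for CloudFormation intrinsic functions (added example, not the talk's code)."""
import json

# Constructed template exercising Parameters, Mappings, Conditions and the intrinsic functions.
TEMPLATE = json.loads("""
{
  "Parameters": {"Environment": {"Type": "String", "Default": "staging"}},
  "Mappings": {
    "RegionMap": {
      "us-east-1": {"AMI": "ami-PLACEHOLDER-USE1"},
      "eu-west-1": {"AMI": "ami-PLACEHOLDER-EUW1"}
    }
  },
  "Conditions": {
    "IsProduction": {"Fn::Equals": [{"Ref": "Environment"}, "production"]}
  },
  "Resources": {
    "MyEc2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
        "InstanceType": {"Fn::If": ["IsProduction", "m5.large", "t3.micro"]}
      }
    }
  },
  "Outputs": {
    "Address": {"Value": {"Fn::Join": ["", ["http://", {"Fn::GetAtt": ["MyEc2Instance", "PublicIp"]}, "/"]]}}
  }
}
""")

# Constructed stand-ins for values that only exist at deploy time.
PSEUDO = {"AWS::Region": "eu-west-1", "AWS::AccountId": "123456789012"}
ATTRIBUTES = {"MyEc2Instance": {"Ref": "i-PLACEHOLDER", "PublicIp": "203.0.113.10"}}


class Resolver:
    def __init__(self, template, parameters, pseudo, attributes):
        self.t = template
        defaults = {k: v.get("Default") for k, v in template.get("Parameters", {}).items()}
        self.values = {**pseudo, **defaults, **parameters}  # explicit parameters win over defaults
        self.attributes = attributes

    def resolve(self, node):
        """Recursively replace intrinsic-function objects with their values."""
        if isinstance(node, list):
            return [self.resolve(x) for x in node]
        if not isinstance(node, dict):
            return node
        if len(node) == 1:
            (key, arg), = node.items()
            if key == "Ref":
                return self.ref(arg)
            if key.startswith("Fn::"):
                handler = getattr(self, "fn_" + key[4:], None)
                if handler is None:
                    raise ValueError(f"unsupported function {key}")
                return handler(arg)
        return {k: self.resolve(v) for k, v in node.items()}

    def ref(self, name):
        if name in self.values:
            return self.values[name]
        if name in self.t.get("Resources", {}):
            return self.attributes[name]["Ref"]  # Ref on a resource yields its physical id
        raise KeyError(f"unresolvable Ref {name}")

    def condition(self, name):
        return bool(self.resolve(self.t["Conditions"][name]))

    def fn_Equals(self, args):
        a, b = self.resolve(args)
        return a == b

    def fn_If(self, args):
        cond, if_true, if_false = args
        return self.resolve(if_true if self.condition(cond) else if_false)  # only one branch evaluated

    def fn_FindInMap(self, args):
        map_name, top_key, second_key = self.resolve(args)
        return self.t["Mappings"][map_name][top_key][second_key]

    def fn_GetAtt(self, args):
        logical_id, attribute = self.resolve(args)
        return self.attributes[logical_id][attribute]

    def fn_Join(self, args):
        delimiter, items = args
        return delimiter.join(str(x) for x in self.resolve(items))


def render(template, parameters=None, pseudo=None, attributes=None):
    """Return (resolved resource properties, resolved outputs) for the given inputs."""
    r = Resolver(template, parameters or {}, pseudo or {}, attributes or {})
    props = {n: r.resolve(res.get("Properties", {})) for n, res in template["Resources"].items()}
    outputs = {n: r.resolve(o["Value"]) for n, o in template.get("Outputs", {}).items()}
    return props, outputs


if __name__ == "__main__":
    for env in ("staging", "production"):
        props, outputs = render(TEMPLATE, {"Environment": env}, PSEUDO, ATTRIBUTES)
        print(env, props["MyEc2Instance"], outputs["Address"])
```

Running it shows the Environment parameter flipping the IsProduction condition (t3.micro versus m5.large), the region pseudo parameter selecting the AMI from the mapping, and the output being assembled from a post-creation attribute.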

Other features


  • Nested Stacks
    • Can include other templates
    • Can reference the outputs of the included templates
  • Cross-stack reference
    • Can reference resource attributes exported by other stacks, with strong limitations
  • Custom resources
    • An AWS Lambda function that reacts to the resource lifecycle events (create, update, delete)
  • Pseudo-variables
    • Predefined AWS-related variables (eg.: AWS::Region, AWS::AccountId)

Stack lifecycle

  • Create/Update/Delete
  • Direct update vs. Change Sets
    • Change sets allow previewing changes
  • Resource updates
    • No interruption
    • Partial interruption
    • Replacement (eg.: Changing RDS engine type)
  • Failure
    • Rollback or disable rollback

Stack policies

  • Controls resource lifecycle behaviour
  • Can prevent accidental deletion of resources
  • Example: allow every update, then deny any update to the production database

        {
          "Statement" : [
            { "Effect" : "Allow",
              "Action" : "Update:*",
              "Principal": "*",
              "Resource" : "*" },
            { "Effect" : "Deny",
              "Action" : "Update:*",
              "Principal": "*",
              "Resource" : "LogicalResourceId/ProductionDatabase" }
          ]
        }
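To show how the policy above is applied to a planned update, here is an added example (written for this page, not AWS's own evaluation logic) of a stack policy evaluator: explicit Deny statements win, anything a policy does not explicitly allow is denied, and Action and Resource patterns are matched with wildcards. The review_change_set helper and the list of planned changes it is fed are constructed for the example, mirroring what a change set would list before a direct update is applied.

```python
"""Evaluator for a CloudFormation stack policy (added example, not the talk's code)."""
import fnmatch
import json

# The policy from the slide, as valid JSON: allow every update, then deny updates to the database.
STACK_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase"}
  ]
}
""")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """Glob-style match, as used by Action, Resource and NotResource in stack policies."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(stmt, action, logical_id, resource_type):
    """True if the statement covers this action on this resource."""
    if not _matches(stmt.get("Action", []), action):
        return False
    target = "LogicalResourceId/" + logical_id
    if "Resource" in stmt and not _matches(stmt["Resource"], target):
        return False
    if "NotResource" in stmt and _matches(stmt["NotResource"], target):
        return False
    cond = stmt.get("Condition", {})
    for op, match in (("StringEquals", lambda v, p: v == p), ("StringLike", fnmatch.fnmatchcase)):
        wanted = cond.get(op, {}).get("ResourceType")
        if wanted is not None and not any(match(resource_type, p) for p in _as_list(wanted)):
            return False
    return True


def is_update_allowed(policy, action, logical_id, resource_type="AWS::Unknown"):
    """Decide one update: explicit Deny wins; with a policy present, no Allow means denied."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, logical_id, resource_type):
            if stmt["Effect"] == "Deny":
                return False
            decision = "Allow"
    return decision == "Allow"


def review_change_set(policy, changes):
    """changes: (logical_id, resource_type, action) triples as a change set would list them."""
    return [(lid, act, is_update_allowed(policy, act, lid, rtype)) for lid, rtype, act in changes]


# Constructed planned changes: an instance type change and an engine change that forces replacement.
PLANNED_CHANGES = [
    ("WebServer", "AWS::EC2::Instance", "Update:Modify"),
    ("ProductionDatabase", "AWS::RDS::DBInstance", "Update:Replace"),
]

if __name__ == "__main__":
    for logical_id, action, allowed in review_change_set(STACK_POLICY, PLANNED_CHANGES):
        print(f"{action:15} {logical_id:20} {'allowed' if allowed else 'BLOCKED by stack policy'}")
```

The evaluator lets the web server change through and blocks the database replacement, which is exactly the "accidental deletion" case a stack policy exists for; combining it with a change set preview surfaces the blocked operation before anything is applied.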

Tips & Tricks

  • Use template validation
  • Use tags
  • Use S3 buckets to store CF templates
    • The CLI limits the size of an inline template body; larger templates must be passed by S3 URL
  • Several smaller templates
    • Separate data from services
    • Resources with same lifecycle should go into the same template
    • Limited blast radius

Disadvantages

  • No state
    • No way to import resources
  • No loop-like construct
  • No planning step like Terraform
    • Although change sets can help

Praise the Demo God!

Thank you!
