AWS Cloudformation 

Cloud sculpturing the AWS way

Tusa Viktor
Xively

Infrastructure as Code

• Declarative

  • Declarative definition of the resources and their connections in the infrastructure and the code which applies the definition.

• Repeatable

  • Applying the infrastructure definition over-and-over should yield the same result

• Composable

  • Low-level building blocks of the infrastructure which are general enough to be reusable. (Resource-Oriented Infrastructure)

• Verifiable

  • Should be able to test the resources and their connections.

AWS Cloudformation

• Public Cloud = Resources  + Management API
  • Not declarative
• Cloudformation 
  • Declarative format for resource provisioning
• Supports almost every AWS resource

Cloudformation format

• Supports JSON and YAML
• Structured format with some "metaprogramming" capabilities
• Template validation
  • Syntactic and basic semantic validation
• Stacks and templates
  • Stack is the group of the created resources described by the template

Template anatomy

• Format Version, Description, Metadata
• Parameters
  • Typed parameters which can be referenced from the template resources section
• Mappings
  • Specify "dictionaries" where values can be retrieved by a given key.
  • Usage example: Key: region, Values: AMI ids
• Conditions
  • Specify simple conditions to influence resources creation
  • Eg: "IsProduction" : {"Fn::Equals" : [{"Ref" : "Environment"}, "production"]}

Template Anatomy #2

• Transforms
  • Very new, came with the AWS "serverless" solution
  • Acts like a source macro in functional languages
• Resources
  • The main part, which contains the resource descriptions
• Output
  • References resource attributes, available after stack creation finished

Resources

• Typed AWS Resource description JSON object
  • Type means schema here
• DeletionPolicy property
  • Prevents deletion of the actual resource when the stack is deleted
• DependsOn
  • Dependency relation between resources
• Special resource: WaitHandle
  • Waits, until a pre-signed URL is called a specified times
  • pre-signed URL can be created with the WaitConditionHandle resource

Template "Metaprogramming"

• Reference
  • Can reference parameters or other resources
  • Can be used where a value is needed
  • { "Ref": "Environment"}
• Functions
  • Attribute query of resources
  • Basic string manipulation/interpolation
  • Select value from mappings
  • Conditional functions
  • Eg.: { "Fn::GetAttr" : [ "MyEc2Instance", "PublicIp"]}

Other features

• Nested Stacks
  • Can include other template
  • Can reference from other template output 
• Cross-stack reference
  • Can reference resource attributes from other stacks with strong limitations
• Custom resources
  • An AWS Lambda function, which can react to different resource lifecycle events
• Pseudo-variables
  • Predefined AWS-related variables (eg.: region, accountid)

Stack lifecycle

• Create/Update/Delete
• Direct update vs. Change Sets
  • Change sets allow previewing changes
• Resource updates
  • No interruption
  • Partial interruption
  • Replacement (eg.: Changing RDS engine type)
• Failure
  • Rollback or disable rollback

Stack policies

• Controls resource lifecycle behaviour
• Can prevent accidential deletion of resources
•   "Statement" : [ "Effect" : "Allow",
        "Action" : "Update:*",
        "Principal": "*",
        "Resource" : "*"},
  { "Effect" : "Deny",
        "Action" : "Update:*",
        "Principal": "*",
        "Resource"
  "LogicalResourceId/ProductionDatabase"
  }]}

Tips & Tricks

• Use template validation
• Use tags
• Use S3 buckets to store CF templates
  • CLI has a limit when specifying template body
• Several smaller templates
  • Separate data from services
  • Resources with same lifecycle should go into the same template
  • Limited blast radius 

Disadvantages

• No state
  • No way to import resources
• No loop-like construct
• No planning step like terraform
  • Although change sets can help

Praise the Demo God!

Thank you!