(dvo304) aws cloudformation best practices
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Abhishek Lal, Product Manager
Chris Whitaker, Development Manager
October 2015
DVO304: AWS CloudFormation Best Practices
AWS CloudFormation
Create templates of the infrastructure
CloudFormation provisions AWS resources in order
Version control/replicate/update with infrastructure-as-code
Integrates with development, CI/CD, management tools
AWS CloudFormation Designer
Introducing AWS CloudFormation Designer
• Visualize template resources
• Modify template with drag-and-drop gestures
• Customize sample templates
AWS CloudFormation Designer demo – Visualize templates
AWS CloudFormation Designer demo – Make updates
AWS CloudFormation Designer demo – Authoring
CloudFormation Designer toolbar
Toolbar navigation
Open: local files / S3 / stack
Save: local files / launch stack
Validation: against the AWS resource schema
Refresh: synchronize JSON text changes
CloudFormation Designer Resources
All supported resources
Organized by service
Drag and drop onto canvas
Color-coded icons
CloudFormation Designer canvas
Container resources, e.g. EC2 VPCs, subnets
Connections between resources, e.g. Ref, DependsOn, GetAtt
Contextual resource menu: Code / Clone / Delete / Docs
CloudFormation Designer JSON Editor
Ctrl+Space: within the Properties key of a resource, lists all the available properties for that resource
Ctrl+F: search for a value in the JSON editor
Ctrl+\: formats the text with proper indentation and new lines
Ctrl+Shift+\: removes all white space
New AWS Services Supported by AWS CloudFormation
Use a wide range of AWS services
Amazon EC2
Amazon EC2 Container Service
AWS Lambda (including event sources – New)
Auto Scaling (including Spot Fleet - New)
Amazon VPC
Elastic Load Balancing
Amazon Route 53
Amazon CloudFront
Amazon SimpleDB
Amazon RDS
Amazon Redshift
Amazon DynamoDB
Amazon ElastiCache
Amazon RDS for Aurora (New)
Amazon S3
AWS IAM (including managed policies)
Simple AD (New)
Amazon Kinesis
Amazon SNS
Amazon SQS
AWS CloudTrail
Amazon CloudWatch
AWS Data Pipeline
AWS Elastic Beanstalk
AWS OpsWorks
AWS CodeDeploy (New)
Amazon WorkSpaces (New)
AWS CloudFormation in Your Organization
Managing your costs with budgets
https://console.aws.amazon.com/billing/home?region=us-east-1/budgets#/
ow.ly/T84qv
Audit logs for all operations: Store/Archive, Troubleshoot, Monitor and Alarm
You are making API calls on a growing set of AWS services around the world, and CloudTrail is continuously recording those API calls.
AWS CloudFormation Advanced Concepts
AWS CloudFormation language features
Extending AWS CloudFormation
[Diagram: AWS CloudFormation provisions AWS resources (security group, Auto Scaling group, EC2 instance, Elastic Load Balancing, ElastiCache Memcached cluster, software packages/config/data, CloudWatch alarms) alongside an external Web Analytics Service; stack operations are “Create, Update, Rollback, or Delete”]
Extend with stack events
[Diagram: the same stack; AWS CloudFormation publishes Stack Events to an Amazon SNS Topic that a Worker consumes]
"Resources": {
  "WebAnalyticsTrackingID": {
    "Type": "Custom::WebAnalyticsService::TrackingID",
    "Properties": {
      "ServiceToken": "arn:aws:sns:...",
      "Target": {"Fn::GetAtt": ["LoadBalancer", "DNSName"]},
      "Plan": "Gold"
    }
  },
  ...
}
[Diagram labels: CloudFormation sends “Create, Update, Rollback, or Delete” + Metadata to the custom resource provider, which replies “Success” + Metadata]
Extend with custom resources
ow.ly/DiSXp
AWS Lambda-backed custom resources
[Diagram: your AWS CloudFormation stack (security group, Auto Scaling group, EC2 instance, Elastic Load Balancing, ElastiCache memcached cluster, software packages/config/data, CloudWatch alarms) invoking your AWS Lambda functions]
Your AWS Lambda functions implement the custom logic, for example:
• Look up an AMI ID
• Look up a VPC ID and Subnet ID
• Reverse an IP address
Lambda-powered custom resources
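As an added example (not code from the talk), here is a Lambda-backed custom resource handler for the "Reverse an IP address" case. The request event and ResponseURL below are constructed, and the send parameter is a hypothetical hook so the handler can be exercised without network access.

```python
# Added example, not code from the talk: a Lambda-backed custom resource implementing
# "Reverse an IP address". CloudFormation sends a request event and expects a JSON reply
# PUT to the presigned event["ResponseURL"]; the event below is constructed.
import json
import urllib.request

def reverse_ip(ip):
    """Reverse a dotted quad (e.g. to build an in-addr.arpa PTR name)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets))

def build_response(event, status, data=None, reason=None):
    """Reply body CloudFormation expects; PhysicalResourceId must stay stable across updates."""
    return {
        "Status": status,  # "SUCCESS" or "FAILED"
        "Reason": reason or "see CloudWatch Logs",
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},  # exposed to the template through Fn::GetAtt
    }

def put_response(url, body):
    """PUT the reply to the presigned S3 URL; CloudFormation expects an empty Content-Type."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)

def lambda_handler(event, context=None, send=put_response):
    """Handle Create/Update/Delete. Always reply, or the stack waits until the timeout."""
    try:
        data = {}
        if event["RequestType"] in ("Create", "Update"):
            data = {"Reversed": reverse_ip(event["ResourceProperties"]["Address"])}
        body = build_response(event, "SUCCESS", data)
    except Exception as exc:  # report FAILED instead of leaving the stack hanging
        body = build_response(event, "FAILED", reason=str(exc))
    send(event["ResponseURL"], body)
    return body

SAMPLE_EVENT = {  # constructed sample of a CloudFormation custom resource request
    "RequestType": "Create", "ResponseURL": "https://example.invalid/presigned",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/guid",
    "RequestId": "req-1", "LogicalResourceId": "ReversedAddress",
    "ResourceProperties": {"Address": "10.1.2.3"},
}
```

Delete requests answer SUCCESS without touching the data, which is what lets a stack roll back or delete cleanly even when the lookup no longer applies.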
Security Best Practices
Security – Restricting user access
• Only allow specific templates and stack policies
{
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStack",
    "cloudformation:UpdateStack"
  ],
  "Resource": "*",
  "Condition": {
    "ForAllValues:StringLike": {
      "cloudformation:TemplateUrl": ["https://.amazonaws.com/TestBucket/*"]
    }
  }
}
{
  "Effect": "Allow",
  "Action": [
    "cloudformation:UpdateStack"
  ],
  "Resource": "*",
  "Condition": {
    "ForAllValues:StringEquals": {
      "cloudformation:StackPolicyUrl": ["https://.amazonaws.com/TestBucket/Foo.json"]
    }
  }
}
Security – Restricting user access
• Only allow specific resource types
{
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStack"
  ],
  "Resource": "*",
  "Condition": {
    "ForAllValues:StringEquals": {
      "cloudformation:ResourceTypes": ["AWS::EC2::Instance", ...]
    }
  }
}
{
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStack"
  ],
  "Resource": "*"
},
{
  "Effect": "Deny",
  "Action": [
    "cloudformation:CreateStack"
  ],
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringLike": {
      "cloudformation:ResourceTypes": ["AWS::IAM::*"]
    }
  }
}
Security – Controlling resource types
• Programmatically restrict access to resource types
• CreateStack and UpdateStack take a new ResourceTypes parameter
• Restricts the set of resource types the call may create
• Independent of any user policies
$ aws cloudformation create-stack … --resource-types "AWS::EC2::*" "AWS::RDS::DBInstance" "Custom::MyCustomResource"
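Added example, not from the deck: a small evaluator that applies IAM's ForAllValues/ForAnyValue semantics to the two ResourceTypes policies above, with the request's cloudformation:ResourceTypes values supplied as the context. The function names and the ALLOW_LIST/DENY_IAM constants are mine, and resource matching is omitted.

```python
# Added example, not code from the talk: the deck's ResourceTypes policies evaluated
# with IAM's set-operator semantics. ForAllValues holds when every request value matches
# (and also when the key is absent from the request); ForAnyValue holds when at least one
# matches. Resource matching is left out; the policies are the deck's, with "Resource" added.
import fnmatch

def _match(op, request_value, policy_values):
    if op == "StringEquals":
        return request_value in policy_values
    if op == "StringLike":  # '*' and '?' wildcards, as in IAM
        return any(fnmatch.fnmatchcase(request_value, p) for p in policy_values)
    raise ValueError(f"unsupported operator {op}")

def condition_holds(condition, context):
    """True if every clause of an IAM Condition block holds for the request context."""
    for qualified_op, clauses in condition.items():
        quantifier, op = qualified_op.split(":", 1)
        for key, policy_values in clauses.items():
            values = context.get(key, [])  # multi-valued key such as cloudformation:ResourceTypes
            if quantifier == "ForAllValues":
                ok = all(_match(op, v, policy_values) for v in values)  # vacuously true if absent
            elif quantifier == "ForAnyValue":
                ok = any(_match(op, v, policy_values) for v in values)
            else:
                raise ValueError(f"unsupported quantifier {quantifier}")
            if not ok:
                return False
    return True

def is_allowed(statements, action, context):
    """Explicit Deny wins; otherwise some Allow must match; the default is deny."""
    allowed = False
    for s in statements:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if action not in actions or not condition_holds(s.get("Condition", {}), context):
            continue
        if s["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

CREATE = "cloudformation:CreateStack"
KEY = "cloudformation:ResourceTypes"
# Allow CreateStack only when every requested resource type is on the list.
ALLOW_LIST = [{"Effect": "Allow", "Action": [CREATE], "Resource": "*",
               "Condition": {"ForAllValues:StringEquals": {KEY: ["AWS::EC2::Instance"]}}}]
# Allow CreateStack, but deny it when any requested type falls under AWS::IAM::*.
DENY_IAM = [{"Effect": "Allow", "Action": [CREATE], "Resource": "*"},
            {"Effect": "Deny", "Action": [CREATE], "Resource": "*",
             "Condition": {"ForAnyValue:StringLike": {KEY: ["AWS::IAM::*"]}}}]
```

Note the absent-key case: a request carrying no cloudformation:ResourceTypes value still passes the ForAllValues Allow, so an allow-list on its own does not force callers to declare the types they create.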
Best Practices for Templates
Reusing templates across AWS regions
• Consider environmental or regional differences
• Amazon EC2 image IDs
• VPC environment or “classic” environment
• Available instance types
• IAM policy principals
• Endpoint names
• Amazon Resource Names (ARNs)
Reusable templates – “Pseudo-parameters”
Use “pseudo-parameters” to retrieve environmental data
• Account ID
• Region
• Stack Name and ID
"LogsBucketPolicy": {
  "Type": "AWS::S3::BucketPolicy",
  "Properties": {
    "Bucket": {"Ref": "LogsBucket"},
    "PolicyDocument": {
      "Version": "2008-10-17",
      "Statement": [{
        "Sid": "ELBAccessLogs",
        "Effect": "Allow",
        "Resource": {"Fn::Join": ["", [
          "arn:aws:s3:::", {"Ref": "LogsBucket"}, "/", "Logs", "/AWSLogs/",
          {"Ref": "AWS::AccountId"}, "/*"
        ]]},
        "Principal": ...,
        "Action": ["s3:PutObject"]
      }]
    }
  }
}
Reusable templates – Using mappings
Use mappings to define variables
• Single place for configuration
• Reusable within the template
"LogsBucketPolicy": {
  "Type": "AWS::S3::BucketPolicy",
  "Properties": {
    "Bucket": {"Ref": "LogsBucket"},
    "PolicyDocument": {
      "Version": "2008-10-17",
      "Statement": [{
        "Sid": "ELBAccessLogs",
        "Effect": "Allow",
        "Resource": {"Fn::Join": ["", [
          {"Fn::FindInMap": ["RegionalConfig", {"Ref": "AWS::Region"}, "ArnPrefix"]},
          "s3:::", {"Ref": "LogsBucket"}, "/", "Logs", "/AWSLogs/",
          {"Ref": "AWS::AccountId"}, "/*"
        ]]},
        "Principal": {"AWS": {"Fn::FindInMap": ["RegionalConfig", {"Ref": "AWS::Region"}, "ELBAccountId"]}},
        "Action": ["s3:PutObject"]
      }]
    }
  }
}
"Mappings": {
  "RegionalConfig": {
    "us-east-1": {"AMI": "ami-12345678", "ELBAccountId": "127311923021", "ArnPrefix": "arn:aws:"},
    "us-west-1": {"AMI": "ami-98765432", "ELBAccountId": "027434742980", "ArnPrefix": "arn:aws:"},
    ...
  }
}
Reusable templates – Using conditionals
Use conditionals to customize resources and parameters
"DBEC2SG": {
  "Type": "AWS::EC2::SecurityGroup",
  "Condition": "Is-EC2-VPC",
  "Properties": { ... }
},
"DBSG": {
  "Type": "AWS::RDS::DBSecurityGroup",
  "Condition": "Is-EC2-Classic",
  "Properties": { ... }
},
"MySQLDatabase": {
  "Type": "AWS::RDS::DBInstance",
  "Properties": {
    ...
    "VPCSecurityGroups": {"Fn::If": ["Is-EC2-VPC",
      [{"Fn::GetAtt": ["DBEC2SG", "GroupId"]}],
      {"Ref": "AWS::NoValue"}]},
    "DBSecurityGroups": {"Fn::If": ["Is-EC2-Classic",
      [{"Ref": "DBSG"}],
      {"Ref": "AWS::NoValue"}]}
  }
}
"Conditions": {
  "Is-EC2-VPC": {"Fn::Or": [
    {"Fn::Equals": [{"Ref": "AWS::Region"}, "eu-central-1"]},
    {"Fn::Equals": [{"Ref": "AWS::Region"}, "cn-north-1"]}
  ]},
  "Is-EC2-Classic": {"Fn::Not": [{"Condition": "Is-EC2-VPC"}]}
}
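Added example, not from the deck: a small resolver for the intrinsic functions that the pseudo-parameter, mapping and conditional snippets above rely on, so you can see what a fragment evaluates to in a given region without launching a stack. The mapping values and conditions are the deck's; resolve, the account ID, bucket name and security-group IDs are mine.

```python
# Added example, not code from the talk: a resolver for the intrinsic functions used by the
# deck's pseudo-parameter, mapping and conditional snippets. Mapping values and conditions
# are the deck's; the account ID, bucket name and security-group IDs are constructed.
MAPPINGS = {"RegionalConfig": {
    "us-east-1": {"AMI": "ami-12345678", "ELBAccountId": "127311923021", "ArnPrefix": "arn:aws:"},
    "us-west-1": {"AMI": "ami-98765432", "ELBAccountId": "027434742980", "ArnPrefix": "arn:aws:"}}}
CONDITIONS = {
    "Is-EC2-VPC": {"Fn::Or": [{"Fn::Equals": [{"Ref": "AWS::Region"}, "eu-central-1"]},
                              {"Fn::Equals": [{"Ref": "AWS::Region"}, "cn-north-1"]}]},
    "Is-EC2-Classic": {"Fn::Not": [{"Condition": "Is-EC2-VPC"}]}}
NO_VALUE = object()  # marker for {"Ref": "AWS::NoValue"}: the enclosing property is dropped

def resolve(node, env):
    """Evaluate a fragment; env maps pseudo-parameters, logical IDs and GetAtt paths to values."""
    if isinstance(node, list):
        return [resolve(n, env) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) != 1 or next(iter(node)) not in FUNCS:  # ordinary object: resolve members
        out = {k: resolve(v, env) for k, v in node.items()}
        return {k: v for k, v in out.items() if v is not NO_VALUE}
    (fn, arg), = node.items()
    return FUNCS[fn](arg, env)

FUNCS = {  # each intrinsic gets (argument, env); Fn::If evaluates only the chosen branch
    "Ref": lambda a, e: NO_VALUE if a == "AWS::NoValue" else e[a],
    "Fn::GetAtt": lambda a, e: e[".".join(a)],
    "Condition": lambda a, e: resolve(CONDITIONS[a], e),
    "Fn::FindInMap": lambda a, e: (lambda m, k1, k2: MAPPINGS[m][k1][k2])(*resolve(a, e)),
    "Fn::Join": lambda a, e: a[0].join(resolve(a[1], e)),
    "Fn::Equals": lambda a, e: resolve(a[0], e) == resolve(a[1], e),
    "Fn::Or": lambda a, e: any(resolve(a, e)),
    "Fn::Not": lambda a, e: not resolve(a[0], e),
    "Fn::If": lambda a, e: resolve(a[1] if resolve(CONDITIONS[a[0]], e) else a[2], e),
}

def logs_bucket_resource_arn(region, account_id, bucket):
    # The deck's Resource expression from the mappings slide, evaluated for one region.
    env = {"AWS::Region": region, "AWS::AccountId": account_id, "LogsBucket": bucket}
    return resolve({"Fn::Join": ["", [
        {"Fn::FindInMap": ["RegionalConfig", {"Ref": "AWS::Region"}, "ArnPrefix"]}, "s3:::",
        {"Ref": "LogsBucket"}, "/", "Logs", "/AWSLogs/", {"Ref": "AWS::AccountId"}, "/*"]]}, env)

def db_security_group_props(region):
    # The deck's two Fn::If properties: exactly one survives, the other is dropped via AWS::NoValue.
    env = {"AWS::Region": region, "DBEC2SG.GroupId": "sg-constructed", "DBSG": "dbsg-constructed"}
    return resolve({"VPCSecurityGroups": {"Fn::If": ["Is-EC2-VPC",
                        [{"Fn::GetAtt": ["DBEC2SG", "GroupId"]}], {"Ref": "AWS::NoValue"}]},
                    "DBSecurityGroups": {"Fn::If": ["Is-EC2-Classic",
                        [{"Ref": "DBSG"}], {"Ref": "AWS::NoValue"}]}}, env)
```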
Thank you!
Abhishek Lal, Product Manager
Chris Whitaker, Development Manager
Remember to complete your evaluations!
Related Sessions