(APP304) AWS CloudFormation Best Practices | AWS re:Invent 2014
DESCRIPTION
"With AWS CloudFormation you can model, provision, and update the full breadth of AWS resources. You can manage anything from a single Amazon EC2 instance to a multi-tier application. If you are familiar with AWS CloudFormation or using it already, this session is for you. If you are familiar with AWS CloudFormation, you may have questions such as 'How do I plan my stacks?', 'How do I deploy and bootstrap software on my stacks?' and 'Where does AWS CloudFormation fit in a DevOps pipeline?' If you are using AWS CloudFormation already, you may have questions such as 'How do I manage my templates at scale?', 'How do I safely update stacks?', and 'How do I audit changes to my stack?' This session is intended to answer those questions. If you are new to AWS CloudFormation, get up to speed for this session by completing the Working with CloudFormation lab in the self-paced Labs Lounge."
TRANSCRIPT
November 13, 2014 | Las Vegas, NV
Chetan Dandekar, Senior Product Manager, Amazon Web Services
Effectiveness
Safety
Visibility
Design
Templates
App code
Stacks
Iterate
Frontend Services
• Consumer Website, Seller Website, Mobile Backend
Backend Services
• Search, Payments, Reviews, Recommendations
Shared Services
• CRM DBs, Common Monitoring /Alarms, Subnets, Security Groups
Base Network
• VPCs, Internet Gateways, VPNs, NATs
Identity
• IAM Users, Groups, Roles
Food Catalog website
Ordering website
Customer DB service
Inventory service
Recommendations service
Analytics service
Fulfillment service
Payment service
Food Catalog website
Customer DB service
"Outputs" : {
    "CustDBEndPoint"
}
"Parameters" : {
    "CustDBEndPoint"
}
Website1
"Resources" : { "ELB", "AutoScaling", "RDS" }
Website2
"Resources" : { "ELB", "AutoScaling", "DynamoDB" }
ELB_AND_AS
"Resources" : { "ELB", "AutoScaling" }
Website1
"Resources" : { "NestedStack", "RDS" }
Website2
"Resources" : { "NestedStack", "DynamoDB" }
AWS::EC2::VPC::Id
List<AWS::EC2::Subnet::Id>
List<AWS::EC2::SecurityGroup::Id>
AWS::EC2::KeyPair::KeyName
Param validation
Stack creation workflow
App instances
MinLength
MaxLength
AllowedPattern
User/Role
AWS CloudFormation
Amazon EC2
Amazon RDS
Amazon ElastiCache
Etc.
Permissions to call AWS
CloudFormation
Permissions to create ALL
resources specified in a template
Account
AWS CloudFormation
Amazon EC2
Amazon RDS
ElastiCache
Etc.
# of AWS CloudFormation stacks
# of EC2 instances, total
Amazon RDS storage, etc.
Metadata
AWS::CloudFormation::Init
Declarative
Reusable
Grouping & Ordering
Debug-able
Updatable
Highly Secure
BIOT™ (Bring In Other Tools)
ow.ly/DiNCm
"packages" : {},
"sources" : {},
"files" : {},
"groups" : {},
"users" : {},
"commands" : {},
"services" : {}
UserData
Get the latest
Trigger CloudFormation::Init
Signal completion
awslogs
cfn-logs.conf
file = /var/log/cfn-init.log
log_stream_name = {instance_id}/cfn-init.log
file = /var/log/cfn-hup.log
log_stream_name = {instance_id}/cfn-hup.log
ow.ly/E0zO3
arn:aws:cloudformation:us-west-2:123456789:stack/BaseNet*
arn:aws:cloudformation:us-west-2:123456789:stack/FrontEnd*
{
    "Effect" : "Deny",
    "Action" : [ "ec2:TerminateInstances" ],
    "Condition" : {
        "Null" : { "ec2:ResourceTag/*cloudformation*" : "true" }
    },
    "Resource" : "*"
}
Description
Metadata
Comment
Faster
Cost-efficient
Simpler state and data migration
No touching of a working stack
Textual diff
Refs and Fn::GetAtts
No Interruption
Some Interruption
Replacement
IAM permissions
drift
AWS Config
CloudFormer
"Do not update the databases"
{
    "Effect" : "Deny",
    "Principal" : "*",
    "Action" : "Update:*",
    "Resource" : "*",
    "Condition" : {
        "StringEquals" : {
            "ResourceType" : [ "AWS::RDS::DBInstance", "AWS::Redshift::Cluster" ]
        }
    }
}
"Okay to update, unless the update requires replacement"
{
    "Effect" : "Deny",
    "Principal" : "*",
    "Action" : "Update:Replace",
    "Resource" : "LogicalResourceId/MyInstance"
}
ow.ly/E0Njj
ow.ly/E9nLm
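The two stack-policy fragments above only show the Deny side; as an added example (not code from the talk or from AWS), here is a small Python evaluator that applies stack-policy semantics to a list of planned changes: an explicit Deny always wins, anything no statement allows is denied once a policy is attached, Resource is matched as LogicalResourceId/<id>, and a Condition narrows a statement by ResourceType. The combined policy, the logical IDs and the resource types in the test data are constructed for illustration; NotAction/NotResource are not handled.

```python
import fnmatch

# Constructed stack policy: the two Deny statements from the slide plus the
# explicit Allow a real stack policy needs, because once a policy is attached
# every update that no statement allows is denied by default.
STACK_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "Update:*", "Resource": "*"},
    {"Effect": "Deny", "Principal": "*", "Action": "Update:*", "Resource": "*",
     "Condition": {"StringEquals": {"ResourceType": [
         "AWS::RDS::DBInstance", "AWS::Redshift::Cluster"]}}},
    {"Effect": "Deny", "Principal": "*", "Action": "Update:Replace",
     "Resource": "LogicalResourceId/MyInstance"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, logical_id, resource_type, action):
    """True if the statement applies to this resource/action pair."""
    # Action is Update:Modify, Update:Replace, Update:Delete or Update:*.
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    # Resource is "*" or "LogicalResourceId/<id>"; wildcards are permitted.
    target = "LogicalResourceId/" + logical_id
    if not any(fnmatch.fnmatchcase(target, r) for r in _as_list(stmt["Resource"])):
        return False
    # A Condition narrows the statement to particular resource types.
    for operator, keys in stmt.get("Condition", {}).items():
        patterns = _as_list(keys.get("ResourceType", []))
        if operator == "StringEquals" and resource_type not in patterns:
            return False
        if operator == "StringLike" and not any(
                fnmatch.fnmatchcase(resource_type, p) for p in patterns):
            return False
    return True

def is_update_allowed(policy, logical_id, resource_type, action):
    """Explicit Deny wins; without a matching Allow the update is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt, logical_id, resource_type, action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def blocked_changes(policy, changes):
    """The (logical_id, resource_type, action) changes the policy rejects."""
    return [c for c in changes if not is_update_allowed(policy, *c)]
```

Running a planned change list through blocked_changes before the update shows which resources the policy protects, so the Deny-only policy on the slide can be caught before it blocks the whole stack.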
security group
Auto Scaling group
EC2 instance
Elastic Load Balancing
ElastiCache Memcached cluster
Software pkgs, config, & data
CloudWatch alarms
Web Analytics Service
AWS CloudFormation
Provision AWS Resources
"Create, Update, Rollback, or Delete"
Worker
Amazon SNS Topic
Stack Events
"Success" + Metadata
"Create, Update, Rollback, or Delete" + Metadata
ow.ly/DiSXp
https://console.aws.amazon.com/cost-reports/home?#/custom
ow.ly/E0Ny9
AWS CloudFormation
Issue Tracker
App Developers
DevOps Engineers, Infrastructure Developers,
Systems Engineers
Dev Env Code Repo
App Pkgs, AWS CloudFormation Templates, Etc.
CI Server
Test
Staging
Prod
Code Review
"Infra-as-Code"
App Code & Templates
http://bit.ly/awsevals
ow.ly/Ec28a ow.ly/EdMyk