
AWS CloudFormation - technical introduction


A journey through infrastructure-as-code: why is it important to adopt it as a process, and what are its benefits?

Using AWS CloudFormation to model, provision, and manage AWS and third-party resources, to scale your infrastructure worldwide, and to manage resources across AWS accounts and regions with a single operation.

A technical introduction to CloudFormation, from template anatomy to change sets, and best practices.

Matteo Rinaudo

June 27, 2023


Transcript

  1. © 2023, Amazon Web Services, Inc. or its Affiliates.

     AWS CloudFormation: technical introduction
     Matteo Rinaudo, Sr. Developer Advocate, AWS CloudFormation (Twitter: @mrinaudo)
  2. Agenda

     • Infrastructure-as-code
     • AWS CloudFormation
     • CloudFormation fundamentals
     • Demo
     • Call to action
     • Q&A
  3. Infrastructure-as-code

     • Describe your infrastructure the way you would write a software program
     • Benefits include:
       • Scalability
       • Predictable and repeatable deployments across lifecycle environments
       • Lower chance of human error
       • Code review and an audit trail of changes
       • Codified best practices
       • Code that can be tested for errors and run through compliance checks
       • Orchestration through continuous integration and delivery pipelines
  4. AWS CloudFormation

     • AWS service for infrastructure as code
     • Announced on February 25, 2011
     • Model, provision, and manage AWS and third-party resources
     • Scale your infrastructure worldwide
     • Manage resources across AWS accounts and regions with a single operation
     • Extend CloudFormation:
       • Include cloud resources published in the CloudFormation Registry
       • Extensions available today: Modules, Resource Types, Hooks
  5. How it works

     [Diagram: Workstation/User → Template (local or Amazon S3) → AWS CloudFormation → Stack → Resources]

     • Codify your infrastructure in YAML or JSON templates
     • Check out your code locally, or upload it to an S3 bucket
     • Create a stack (a collection of resources) with the browser console, the command line, or the APIs
     • CloudFormation provisions and configures the resources from your code
  6. Template: infrastructure as code, in YAML or JSON

     ---
     AWSTemplateFormatVersion: "version date"
     Description: String
     Metadata: template metadata
     Parameters: set of parameters
     Rules: set of rules
     Mappings: set of mappings
     Conditions: set of conditions
     Transform: set of transforms
     Resources: set of resources
     Outputs: set of outputs

     • Resources is the only required section; all other sections are optional
     • Template maximum size:
       • 51,200 bytes when the template body is passed directly to CreateStack, UpdateStack, or ValidateTemplate
       • 1 MB when the template is an Amazon S3 object referenced by URL
     • Regardless of the size limit, organize your code by lifecycle and ownership
     • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html
  7. Stack: a collection of resources

     • Codify your infrastructure in templates
     • Use a template to create a stack
     • A stack manages resources on your behalf
     • Create, update, or delete a stack to drive the resource lifecycle
     • Update a stack directly, or create a change set and then execute it
     • Import existing resources; detect drift
     • Manage stacks with the AWS Management Console, the AWS Command Line Interface (AWS CLI), and the AWS Tools and SDKs
  8. Parameters: key to reusability

     • Describe template parameters (max 200) in the Parameters section
     • Consume a parameter with the Ref intrinsic function
     • Parameters can be of type String, Number, List<Number>, or CommaDelimitedList
     • You can specify:
       • Allowed patterns
       • Allowed values
       • Min/max length
       • Min/max value
     • You can specify a default value for a parameter (the constraints you describe also apply to it)
  9. Declaring a parameter: example

     Parameters:
       InstanceTypeParameter:
         Type: String
         Default: t2.micro
         AllowedValues:
           - t2.micro
           - m1.small
           - m1.large
         Description: Enter t2.micro, m1.small, or m1.large.
  10. Consuming a parameter: example

     Resources:
       Ec2Instance:
         Type: AWS::EC2::Instance
         Properties:
           InstanceType: !Ref 'InstanceTypeParameter'
           [...other properties...]
  11. More on parameters, and best practices

     • AWS-specific parameter types (e.g., AWS::EC2::VPC::Id) and SSM parameter types are also available
     • Use NoEcho to mask a parameter's value in the CloudFormation console and in calls that describe the stack
     • Note: NoEcho does not mask content in the Metadata and Outputs sections
     • Strongly recommended:
       • Don't pass passwords and secrets as NoEcho parameters
       • Use dynamic references instead, backed by:
         • AWS Secrets Manager
         • AWS Systems Manager Parameter Store
  12. Dynamic references: example with a secure string parameter

     Resources:
       MyIAMUser:
         Type: AWS::IAM::User
         Properties:
           UserName: 'MyUserName'
           LoginProfile:
             Password: '{{resolve:ssm-secure:IAMUserPassword:10}}'

     • The reference names the Parameter Store parameter (IAMUserPassword) and the version to use (10); CloudFormation resolves it during the stack operation, so the secret never appears in the template
     • Also available:
       • resolve:secretsmanager (Secrets Manager secrets)
       • resolve:ssm (like ssm-secure, but for plaintext String and StringList parameters)
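Slides 11 and 12 state the rule; the following added example (Python, stdlib only; not code from the deck or from AWS) turns it into a check a pipeline can run on a template before CreateStack. It works on the JSON form of a template, flags NoEcho parameters that leak through Metadata or Outputs, and flags credential properties that are literals or parameter pass-throughs rather than ssm-secure/secretsmanager dynamic references. The template, the property-name list, and the names in it are constructed for the example.

```python
"""Added example (not the deck's or AWS's code): a stdlib-only check for the
secret-handling rules on slides 11 and 12, applied to a CloudFormation template
in its JSON form. It flags (1) NoEcho parameters referenced from Metadata or
Outputs, where NoEcho masks nothing, and (2) credential properties that are
literals or plain parameter pass-throughs instead of dynamic references.
SECRET_PROPERTY_NAMES is an assumed starting list; the template is constructed."""
import json
import re

SECRET_PROPERTY_NAMES = {"Password", "MasterUserPassword", "SecretString"}
# Only the secure dynamic-reference forms count as an acceptable credential source.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(ssm-secure|secretsmanager):[^}]+\}\}$")


def _refs_in(node):
    """Yield names referenced through Ref or Fn::Sub ${...} anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if "Fn::Sub" in node:
            sub = node["Fn::Sub"]
            text = sub if isinstance(sub, str) else sub[0]  # list form: [string, {vars}]
            yield from re.findall(r"\$\{([A-Za-z0-9:]+)\}", text)
        for value in node.values():
            yield from _refs_in(value)
    elif isinstance(node, list):
        for item in node:
            yield from _refs_in(item)


def _walk(node, path):
    """Yield (dotted path, value) for every key under node, descending into containers."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", value
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def check_secret_handling(template):
    """Return a list of findings (empty when the template passes both rules)."""
    findings = []
    noecho = {name for name, spec in template.get("Parameters", {}).items()
              if str(spec.get("NoEcho", "false")).lower() == "true"}
    # Rule 1: NoEcho only masks the parameter in the console and describe calls;
    # Metadata and Outputs show the resolved value in clear.
    for section in ("Metadata", "Outputs"):
        for name in _refs_in(template.get(section, {})):
            if name in noecho:
                findings.append(f"{section}: references NoEcho parameter '{name}' (value is not masked there)")
    # Rule 2: credential properties must be {{resolve:ssm-secure:...}} or
    # {{resolve:secretsmanager:...}}; anything else is a literal in the template
    # or a value that transits CloudFormation as a parameter.
    for logical_id, resource in template.get("Resources", {}).items():
        for path, value in _walk(resource.get("Properties", {}), f"{logical_id}.Properties"):
            if path.rsplit(".", 1)[-1] in SECRET_PROPERTY_NAMES:
                if not (isinstance(value, str) and DYNAMIC_REF.match(value)):
                    findings.append(f"{path}: credential is not a secure dynamic reference")
    return findings


# Constructed template: one bad pattern per rule, plus the slide's good pattern.
SAMPLE_TEMPLATE = json.loads("""{
  "Parameters": {"DbPassword": {"Type": "String", "NoEcho": true}},
  "Resources": {
    "Database": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "MasterUsername": "admin",
                     "MasterUserPassword": {"Ref": "DbPassword"}}},
    "MyIAMUser": {"Type": "AWS::IAM::User",
      "Properties": {"UserName": "MyUserName",
                     "LoginProfile": {"Password": "{{resolve:ssm-secure:IAMUserPassword:10}}"}}}
  },
  "Outputs": {"DbUrl": {"Value": {"Fn::Sub": "postgres://admin:${DbPassword}@db.example.internal/app"}}}
}""")

if __name__ == "__main__":
    for finding in check_secret_handling(SAMPLE_TEMPLATE):
        print(finding)
```

Run it on `json.load(open("template.json"))` and fail the build when the list is non-empty; for YAML templates, convert first (cfn-lint's own loader handles the short-form `!Ref` tags) rather than extending this checker to parse YAML.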
  13. Pseudo parameters

     • Predefined by CloudFormation
     • Used the same way as the parameters you define
     • Example pseudo parameters:
       • AWS::AccountId (returns the account ID; e.g., 111122223333)
       • AWS::Partition (returns the partition; e.g., aws, aws-cn, aws-us-gov)
       • AWS::Region (returns the region; e.g., us-east-1)
       • AWS::NoValue (removes a resource property; used with conditions)
       • ... and more
  14. Intrinsic functions

     • CloudFormation's built-in functions, which you can currently use:
       • In resource properties
       • In Outputs
       • In metadata attributes
       • In update policy attributes
       • To conditionally create stack resources
     • Intrinsic functions include Ref (which you have already seen), and:
       • Fn::GetAtt (similar to Ref; returns a defined attribute of a resource)
       • Fn::Join and Fn::Sub (concatenate values), Fn::Split (split into a list of strings)
       • Fn::ImportValue (import a value exported by another stack)
       • ... and more
  15. Resources

     • Describe resources (max 500) in the required Resources section
     • Specify:
       • The logical ID: alphanumeric (A-Za-z0-9) and unique within the template
       • Use the logical ID to reference the resource elsewhere in the template
       • The resource type (e.g., AWS::EC2::Instance) and the resource properties
     • Update behaviors, depending on which resource property you change:
       • No interruption (e.g., Tags for AWS::CloudTrail::Trail)
       • Some interruption (e.g., InstanceType for AWS::EC2::Instance)
       • Replacement (e.g., ImageId for AWS::EC2::Instance)
  16. Resource example

     Resources:
       Ec2Instance:
         Type: AWS::EC2::Instance
         Properties:
           InstanceType: !Ref 'InstanceTypeParameter'
           ImageId: ami-0123abcd
           BlockDeviceMappings:
             - DeviceName: /dev/sdm
               Ebs:
                 VolumeType: io1
           [...other properties...]
  17. Outputs

     • Describe outputs (max 200) in the Outputs section
     • Declare outputs to:
       • Easily find values relevant to the resources you described in the template
       • Export values for use by other stacks in the same account and region

     Outputs:
       InstanceId:
         Description: The ID of the EC2 instance.
         Value: !Ref 'Ec2Instance'
  18. Exporting a stack's output

     • Goal: export a value from stack A, import it in stack B
     • Stack A export:

     Outputs:
       PublicSubnet:
         Description: The ID of an example public subnet
         Value:
           Ref: PublicSubnet
         Export:
           Name:
             'Fn::Sub': '${AWS::StackName}-SubnetID'
  19. Importing a stack's exported value

     • Stack B import (NetworkStackNameParameter is a parameter of stack B that holds the name of stack A):

     Resources:
       WebServerInstance:
         Type: AWS::EC2::Instance
         Properties:
           InstanceType: t2.micro
           ImageId: ami-0123abcd
           NetworkInterfaces:
             - GroupSet: [...]
               SubnetId: !ImportValue
                 'Fn::Sub': '${NetworkStackNameParameter}-SubnetID'
           [...]
  20. Mappings

     • Describe mappings (max 200) in the Mappings section
     • Create a map with:
       • A key (alphanumeric string, A-Za-z0-9), and
       • Values (string or list)
     • Mappings can't include parameters, pseudo parameters, or intrinsic functions
  21. Mappings example

     Mappings:
       RegionMap:
         us-east-1:
           "HVM64": "ami-0000111122223333a"
           "HVMG2": "ami-0000111122223333b"
         us-west-1:
           "HVM64": "ami-aaaabbbbccccdddd0"
           "HVMG2": "ami-aaaabbbbccccdddd1"
         [...]
  22. Consuming values from Mappings with Fn::FindInMap

     Mappings:
       RegionMap:
         us-east-1:
           "HVM64": "ami-0000111122223333a"
         [...]
     Resources:
       Ec2Instance:
         Type: AWS::EC2::Instance
         Properties:
           ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", HVM64]
           InstanceType: m1.small
  23. Conditions

     • Based on conditions, you can:
       • Create resources or outputs, and/or
       • Specify resource property values
     • Condition functions: Fn::If, Fn::And, Fn::Equals, Fn::Not, Fn::Or
     • If your condition evaluates to true:
       • The resource or output is created, and/or
       • CloudFormation sets the specified value on the given property
  24. Conditions: creating resources/outputs

     Parameters:
       EnvType:
         Description: Environment type.
         Type: String
         AllowedValues:
           - prod
           - test
     Conditions:
       CreateProdResources: !Equals
         - !Ref EnvType
         - prod
     Resources:
       EC2Instance:
         Type: AWS::EC2::Instance
         Properties:
           ImageId: ami-0123abcd
       ProdMountPoint:
         Type: AWS::EC2::VolumeAttachment
         Condition: CreateProdResources
         Properties:
           InstanceId: !Ref EC2Instance
           VolumeId: !Ref ProdVolume
           Device: /dev/sdh
       ProdVolume:
         Type: AWS::EC2::Volume
         Condition: CreateProdResources
         Properties:
           Size: 100
           [...]
  25. Conditionally specifying a property value

     [...]
     SecurityGroups:
       - !If [CreateNewSecurityGroup, !Ref NewSecurityGroup, !Ref ExistingSecurityGroup]
     [...]
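Slides 13 to 25 describe how pseudo parameters, Fn::FindInMap, and the condition functions combine at deployment time. The added example below (Python, stdlib only; not code from the deck or from AWS) is a small offline evaluator for exactly that subset: given a JSON template, parameter values, and pseudo parameter values, it reports which resources would be created and what their properties resolve to, applying the Default and AllowedValues checks from slide 8 on the way in. It goes beyond the slides in handling nested `Condition` references and the list form of `Fn::And`. The template, the pseudo parameter defaults, and all names in them are constructed.

```python
"""Added example (not the deck's or AWS's code): an offline evaluator for the
subset of intrinsic and condition functions on slides 13 to 25 (Ref to parameters
and pseudo parameters, Fn::FindInMap, Fn::Equals/And/Or/Not/If, Condition,
AWS::NoValue). It shows which resources a template would create, and with which
property values, for given inputs. Resource references stay symbolic; Fn::GetAtt
and Fn::Sub are not handled. Pseudo defaults and the template are constructed."""
import json

PSEUDO_DEFAULTS = {"AWS::AccountId": "111122223333", "AWS::Region": "us-east-1",
                   "AWS::Partition": "aws", "AWS::NoValue": None}


class Evaluator:
    def __init__(self, template, parameters=None, pseudo=None):
        self.t = template
        self.pseudo = {**PSEUDO_DEFAULTS, **(pseudo or {})}
        self._cond_cache = {}
        self.params = {}
        for name, spec in template.get("Parameters", {}).items():  # Default + AllowedValues
            value = (parameters or {}).get(name, spec.get("Default"))
            if value is None:
                raise ValueError(f"parameter {name}: no value given and no Default")
            if "AllowedValues" in spec and value not in spec["AllowedValues"]:
                raise ValueError(f"parameter {name}: {value!r} not in AllowedValues")
            self.params[name] = value

    def condition(self, name):
        """Evaluate a named condition once; conditions may refer to each other."""
        if name not in self._cond_cache:
            self._cond_cache[name] = self.truth(self.t["Conditions"][name])
        return self._cond_cache[name]

    def truth(self, expr):
        """Evaluate a condition expression to a bool."""
        (fn, args), = expr.items()
        if fn == "Condition":
            return self.condition(args)
        if fn == "Fn::Equals":
            return self.resolve(args[0]) == self.resolve(args[1])
        if fn == "Fn::Not":
            return not self.truth(args[0])
        if fn in ("Fn::And", "Fn::Or"):
            return (all if fn == "Fn::And" else any)(self.truth(a) for a in args)
        raise ValueError(f"unsupported condition function {fn}")

    def resolve(self, node):
        """Resolve intrinsic functions inside a value; None stands for AWS::NoValue."""
        if isinstance(node, dict) and len(node) == 1:
            (fn, args), = node.items()
            if fn == "Ref":
                if args in self.pseudo:
                    return self.pseudo[args]
                if args in self.params:
                    return self.params[args]
                return {"Ref": args}  # reference to another resource: kept symbolic
            if fn == "Fn::FindInMap":
                map_name, key1, key2 = (self.resolve(a) for a in args)
                return self.t["Mappings"][map_name][key1][key2]
            if fn == "Fn::If":
                cond, if_true, if_false = args
                return self.resolve(if_true if self.condition(cond) else if_false)
        if isinstance(node, dict):  # a property that resolves to AWS::NoValue is dropped
            return {k: v for k, v in ((k, self.resolve(v)) for k, v in node.items()) if v is not None}
        if isinstance(node, list):
            return [self.resolve(v) for v in node]
        return node

    def plan(self):
        """Return {logical id: resolved Properties} for each resource that would be created."""
        created = {}
        for logical_id, resource in self.t.get("Resources", {}).items():
            if "Condition" in resource and not self.condition(resource["Condition"]):
                continue
            created[logical_id] = self.resolve(resource.get("Properties", {}))
        return created


# Constructed template combining the patterns from slides 22, 24 and 25.
SAMPLE_TEMPLATE = json.loads("""{
 "Parameters": {"EnvType": {"Type": "String", "Default": "test", "AllowedValues": ["prod", "test"]},
                "ExistingSecurityGroup": {"Type": "String", "Default": "NONE"}},
 "Mappings": {"RegionMap": {"us-east-1": {"HVM64": "ami-0000111122223333a"},
                            "us-west-1": {"HVM64": "ami-aaaabbbbccccdddd0"}}},
 "Conditions": {"CreateProdResources": {"Fn::Equals": [{"Ref": "EnvType"}, "prod"]},
                "CreateNewSecurityGroup": {"Fn::Equals": [{"Ref": "ExistingSecurityGroup"}, "NONE"]},
                "ProdWithNewSecurityGroup": {"Fn::And": [{"Condition": "CreateProdResources"},
                                                         {"Condition": "CreateNewSecurityGroup"}]}},
 "Resources": {
  "NewSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Condition": "CreateNewSecurityGroup",
                       "Properties": {"GroupDescription": "web tier"}},
  "EC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
     "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "HVM64"]},
     "SecurityGroups": [{"Fn::If": ["CreateNewSecurityGroup", {"Ref": "NewSecurityGroup"},
                                    {"Ref": "ExistingSecurityGroup"}]}],
     "Monitoring": {"Fn::If": ["CreateProdResources", true, {"Ref": "AWS::NoValue"}]}}},
  "ProdVolume": {"Type": "AWS::EC2::Volume", "Condition": "CreateProdResources",
                 "Properties": {"Size": 100}},
  "ProdMountPoint": {"Type": "AWS::EC2::VolumeAttachment", "Condition": "CreateProdResources",
                     "Properties": {"InstanceId": {"Ref": "EC2Instance"},
                                    "VolumeId": {"Ref": "ProdVolume"}, "Device": "/dev/sdh"}}}
}""")
```

`Evaluator(SAMPLE_TEMPLATE).plan()` gives the test-environment plan (no volume, a new security group, no Monitoring property), while `Evaluator(SAMPLE_TEMPLATE, {"EnvType": "prod", "ExistingSecurityGroup": "sg-0123"}, {"AWS::Region": "us-west-1"}).plan()` shows the production shape with the us-west-1 AMI; comparing the two before creating a change set catches a mis-set parameter at the cheapest possible point.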
  26. Change sets

     • Preview how the changes you wish to apply will affect your resources
     • Example: which changes will delete or replace resources
     • You create a change set, review it, and execute it only if you choose to

     [Diagram: existing stack + updated template (template editor) → create change set → review change set → execute → updated stack]
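The review step on slide 26 is usually done by eye in the console. The added example below (Python, stdlib only; not code from the deck or from AWS) automates it: it reads the JSON that DescribeChangeSet returns and refuses to approve a change set in which any resource would be removed or replaced, which is the failure mode the slide singles out. The response is constructed in the DescribeChangeSet output shape, and STATEFUL_TYPES is an assumed starting list of resource types whose recreation loses data.

```python
"""Added example (not the deck's or AWS's code): a review gate that reads the
JSON returned by DescribeChangeSet and decides whether a change set is safe to
execute. It blocks on resources that would be removed or replaced, which is
what slide 26 asks a reviewer to look for. The response below is constructed in
the DescribeChangeSet output shape; STATEFUL_TYPES is an assumed starting list
of resource types whose recreation loses data."""
import json

STATEFUL_TYPES = {"AWS::RDS::DBInstance", "AWS::DynamoDB::Table", "AWS::S3::Bucket", "AWS::EC2::Volume"}


def review_change_set(describe_output, stateful_types=STATEFUL_TYPES):
    """Return (approved, findings). Blocks on Action=Remove, on Replacement=True, on
    Replacement=Conditional for stateful types, and on any action it does not recognise."""
    findings, approved = [], True
    for change in describe_output.get("Changes", []):
        rc = change.get("ResourceChange")
        if change.get("Type") != "Resource" or not rc:
            continue
        lid, rtype, action = rc["LogicalResourceId"], rc["ResourceType"], rc["Action"]
        replacement = rc.get("Replacement", "False")
        if action == "Remove":
            findings.append(f"BLOCK {lid} ({rtype}): resource would be deleted")
            approved = False
        elif action == "Modify" and replacement == "True":
            # Details[].Target names the property forcing recreation (RequiresRecreation=Always).
            props = sorted({d.get("Target", {}).get("Name", "?") for d in rc.get("Details", [])
                            if d.get("Target", {}).get("RequiresRecreation") == "Always"})
            findings.append(f"BLOCK {lid} ({rtype}): replacement forced by "
                            f"{', '.join(props) or 'an unlisted property'}")
            approved = False
        elif action == "Modify" and replacement == "Conditional" and rtype in stateful_types:
            # Conditional means the decision is only made at execution time: too late for data.
            findings.append(f"BLOCK {lid} ({rtype}): conditional replacement of a stateful resource")
            approved = False
        elif action == "Modify":
            findings.append(f"ok    {lid} ({rtype}): updated in place")
        elif action == "Add":
            findings.append(f"ok    {lid} ({rtype}): new resource")
        else:  # e.g. Dynamic: CloudFormation cannot tell what it will do until execution
            findings.append(f"BLOCK {lid} ({rtype}): action {action} needs manual review")
            approved = False
    return approved, findings


# Constructed DescribeChangeSet response exercising every branch above.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""{
 "ChangeSetName": "release-42", "StackName": "web-prod", "Status": "CREATE_COMPLETE",
 "Changes": [
  {"Type": "Resource", "ResourceChange": {"Action": "Modify", "LogicalResourceId": "Ec2Instance",
    "ResourceType": "AWS::EC2::Instance", "Replacement": "True", "Details": [{"Target":
    {"Attribute": "Properties", "Name": "ImageId", "RequiresRecreation": "Always"},
    "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
  {"Type": "Resource", "ResourceChange": {"Action": "Modify", "LogicalResourceId": "Trail",
    "ResourceType": "AWS::CloudTrail::Trail", "Replacement": "False", "Details": [{"Target":
    {"Attribute": "Tags", "RequiresRecreation": "Never"}, "Evaluation": "Static",
    "ChangeSource": "DirectModification"}]}},
  {"Type": "Resource", "ResourceChange": {"Action": "Remove", "LogicalResourceId": "ProdVolume",
    "ResourceType": "AWS::EC2::Volume"}},
  {"Type": "Resource", "ResourceChange": {"Action": "Add", "LogicalResourceId": "NewSecurityGroup",
    "ResourceType": "AWS::EC2::SecurityGroup"}},
  {"Type": "Resource", "ResourceChange": {"Action": "Modify", "LogicalResourceId": "Database",
    "ResourceType": "AWS::RDS::DBInstance", "Replacement": "Conditional", "Details": [{"Target":
    {"Attribute": "Properties", "Name": "StorageType", "RequiresRecreation": "Conditionally"},
    "Evaluation": "Dynamic", "ChangeSource": "DirectModification"}]}}
 ]
}""")

if __name__ == "__main__":
    ok, notes = review_change_set(SAMPLE_DESCRIBE_OUTPUT)
    print("\n".join(notes))
    print("approve" if ok else "reject")
```

In a pipeline, feed it the output of `aws cloudformation describe-change-set --stack-name <stack> --change-set-name <name> --output json` and call `aws cloudformation execute-change-set` only when the gate approves; a blocked result is the point at which a human decides whether the replacement is intended, rather than discovering it from stack events after the fact.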
  27. Best practices

     • Use lifecycle and ownership criteria when deciding which resources go into which template
     • Test early, fail fast:
       • cfn-lint: https://github.com/aws-cloudformation/cfn-lint
       • TaskCat: https://github.com/aws-ia/taskcat
     • Use cross-stack references, parameters, and pseudo parameters
     • Avoid out-of-band changes: they cause drift between the stack and the actual resources
     • Validate user input (parameter constraints)
     • ... and more:
       • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html
  28. Next steps

     • CloudFormation documentation:
       • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html
     • Template reference:
       • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-reference.html
     • AWS CloudFormation Workshop:
       • https://catalog.workshops.aws/cfn101/
     • Contribute to the CloudFormation language discussion:
       • https://github.com/aws-cloudformation/cfn-language-discussion
  29. Thank you!

     Matteo Rinaudo (Twitter: @mrinaudo)