© 2023, Amazon Web Services, Inc. or its Affiliates. Matteo Rinaudo Sr. Developer Advocate, AWS CloudFormation Twitter: @mrinaudo AWS CloudFormation Technical introduction

© 2023, Amazon Web Services, Inc. or its Affiliates. Agenda • Infrastructure-as-code • AWS CloudFormation • CloudFormation fundamentals • Demo • Call to action • Q&A

© 2023, Amazon Web Services, Inc. or its Affiliates. Infrastructure-as-code

© 2023, Amazon Web Services, Inc. or its Affiliates. Infrastructure-as-code • Describe your infrastructure like you would with a software program • Benefits include: • Scalability • Predictable & repeatable deployments across lifecycle environments • Lower chances of human errors • Code review, audit changes • Codify best practices • Test code for errors and compliance checks • Orchestrate code with Continuous Integration and delivery pipelines

© 2023, Amazon Web Services, Inc. or its Affiliates. AWS CloudFormation Introduction

© 2023, Amazon Web Services, Inc. or its Affiliates. AWS CloudFormation • AWS service - infrastructure as code • Announced on February 25, 2011 • Model, provision, and manage AWS and third-party resources • Scale your infrastructure worldwide • Manage resources across AWS accounts and regions with a single operation • Extend CloudFormation: • Include cloud resources published in the CloudFormation Registry • Extensions available today: Modules, Resource Types, Hooks AWS CloudFormation

© 2023, Amazon Web Services, Inc. or its Affiliates. How it works Workstation User Amazon Simple Storage Service (Amazon S3) AWS CloudFormation Template Stack Resources Codify your Infrastructure (YAML or JSON templates) Check out your code Locally or upload to an S3 bucket Create a stack (collection of resources) with browser console, command line, or APIs CloudFormation provisions and configures resources from your code

© 2023, Amazon Web Services, Inc. or its Affiliates. AWS CloudFormation Fundamentals

© 2023, Amazon Web Services, Inc. or its Affiliates. Template

© 2023, Amazon Web Services, Inc. or its Affiliates. Infrastructure as code: choose between YAML or JSON --- AWSTemplateFormatVersion: "version date" Description: String Metadata: template metadata Parameters: set of parameters Rules: set of rules Mappings: set of mappings Conditions: set of conditions Transform: set of transforms Resources: set of resources Outputs: set of outputs • Resources: required section; other sections: optional • Template max size: • 51,200 bytes (CreateStack, UpdateStack, ValidateTemplate) • 1 MB (Amazon S3 object) • Regardless of template max size, organize your code by lifecycle and ownership https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html Template

© 2023, Amazon Web Services, Inc. or its Affiliates. Stack

© 2023, Amazon Web Services, Inc. or its Affiliates. Stack: collection of resources • Codify your infrastructure in templates • Use a template to create a stack • A stack manages resources on your behalf • Create, update, delete a stack: resource lifecycle • Update a stack directly, or create and execute a Change Set • Import resources and drift detection • Manage stacks with: Stack AWS Management Console AWS Command Line Interface (AWS CLI) AWS Tools and SDKs

© 2023, Amazon Web Services, Inc. or its Affiliates. Demo

© 2023, Amazon Web Services, Inc. or its Affiliates. Parameters

© 2023, Amazon Web Services, Inc. or its Affiliates. Key to reusability • Describe template parameters (max 200) in the Parameters section • Consume a parameter with the Ref intrinsic function • Can be of type String, Number, List, CommaDelimitedList • You can specify: • Allowed patterns • Allowed values • Min/max length • Min/max value • You can specify a default value for a parameter (constraints you describe apply)

© 2023, Amazon Web Services, Inc. or its Affiliates. Declaring a parameter: example Parameters: InstanceTypeParameter: Type: String Default: t2.micro AllowedValues: - t2.micro - m1.small - m1.large Description: Enter t2.micro, m1.small, or m1.large.

© 2023, Amazon Web Services, Inc. or its Affiliates. Consuming a parameter: example Resources: Ec2Instance: Type: AWS::EC2::Instance Properties: InstanceType: !Ref 'InstanceTypeParameter' [...other properties...]

© 2023, Amazon Web Services, Inc. or its Affiliates. More on parameters and best practices • AWS-specific (e.g., AWS::EC2::VPC::Id), SSM Parameter Types also available • Use NoEcho to mask input when using the CloudFormation Console • Note: NoEcho doesn’t mask content in Metadata and Outputs • Strongly recommended: • Don’t use NoEcho for passwords and secrets • Use, instead dynamic references for: • AWS Secrets Manager • AWS Systems Manager Parameter Store

© 2023, Amazon Web Services, Inc. or its Affiliates. Dynamic references: example with secure string parameter Resources: MyIAMUser: Type: AWS::IAM::User Properties: UserName: 'MyUserName' LoginProfile: Password: '{{resolve:ssm-secure:IAMUserPassword:10}}’ • Also available: • resolve:secretsmanager (Secrets Manager secrets) • resolve:ssm (like ssm-secure but plaintext)

© 2023, Amazon Web Services, Inc. or its Affiliates. Pseudo parameters • Predefined by CloudFormation • You use them as you use parameters you define • Example pseudo parameters: • AWS::AccountId (returns the account ID; e.g., 111122223333) • AWS::Partition (returns the partition; e.g., aws, aws-cn, aws-us- gov) • AWS::Region (returns the region; e.g., us-east-1) • AWS::NoValue (removes a resource property, used with conditions) • ... and more

© 2023, Amazon Web Services, Inc. or its Affiliates. Intrinsic functions

© 2023, Amazon Web Services, Inc. or its Affiliates. Intrinsic functions • CloudFormation’s built-in functions, that you can currently use: • In resource properties • In Outputs • In metadata attributes • In update policy attributes • To conditionally create stack resources • Intrinsic functions include Ref (that you have already seen), and: • Fn::GetAtt (similar to Ref, get a defined resource attribute) • Fn::Join, Fn::Sub (concatenate values), Fn::Split (split into a list of strings) • Fn::ImportValue (import an exported value from another stack) • ... and more

© 2023, Amazon Web Services, Inc. or its Affiliates. Resources

© 2023, Amazon Web Services, Inc. or its Affiliates. Resources • Describe resources (max 500) in the required Resources section • Specify: • The Logical ID: (A-Za-z0-9), and must be unique in the template • Use the Logical ID to reference the resource in the template • The resource type (e.g., AWS::EC2::Instance), resource properties • Update behaviors: depending which resource property you change: • No Interruption (e.g., Tags for AWS::CloudTrail::Trail) • Some Interruption (e.g., InstanceType for AWS::EC2::Instance) • Replacement (e.g., ImageId for AWS::EC2::Instance )

© 2023, Amazon Web Services, Inc. or its Affiliates. Resource example Resources: Ec2Instance: Type: AWS::EC2::Instance Properties: InstanceType: !Ref 'InstanceTypeParameter’ ImageId: ami-0123abcd BlockDeviceMappings: - DeviceName: /dev/sdm Ebs: VolumeType: io1 [...other properties...]

© 2023, Amazon Web Services, Inc. or its Affiliates. Outputs

© 2023, Amazon Web Services, Inc. or its Affiliates. Outputs • Describe outputs (max 200) in the Outputs section • Declare outputs to: • Easily find values relevant to resources you described in the template • Export values in the current account and region Outputs: InstanceId: Description: The ID of the EC2 instance. Value: !Ref 'Ec2Instance'

© 2023, Amazon Web Services, Inc. or its Affiliates. Exporting a stack’s output • Goal: export a value from Stack A, import it in stack B • Stack A export: Outputs: PublicSubnet: Description: The ID of an example public subnet Value: Ref: PublicSubnet Export: Name: 'Fn::Sub': '${AWS::StackName}-SubnetID'

© 2023, Amazon Web Services, Inc. or its Affiliates. Importing a stack’s exported value • Stack B import: Resources: WebServerInstance: Type: AWS::EC2::Instance Properties: InstanceType: t2.micro ImageId: ami-0123abcd NetworkInterfaces: - GroupSet: SubnetId: !ImportValue 'Fn::Sub': '${NetworkStackNameParameter}-SubnetID’ [...]

© 2023, Amazon Web Services, Inc. or its Affiliates. Mappings

© 2023, Amazon Web Services, Inc. or its Affiliates. Mappings • Describe mappings (max 200) in the Mappings section • Create a map with: • A key (string, (A-Za-z0-9)), and • Values (string or list) • You can't include parameters, pseudo parameters, or intrinsic functions

© 2023, Amazon Web Services, Inc. or its Affiliates. Mappings example Mappings: RegionMap: us-east-1: "HVM64": "ami-0000111122223333a" "HVMG2": "ami-0000111122223333b” us-west-1: "HVM64": "ami-aaaabbbbccccdddd0” "HVMG2": "ami-aaaabbbbccccdddd1” [...]

© 2023, Amazon Web Services, Inc. or its Affiliates. Consuming values from Mappings with Fn::FindInMap Mappings: RegionMap: us-east-1: "HVM64": "ami-0000111122223333a" [...] Resources: Ec2Instance: Type: AWS::EC2::Instance Properties: ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", HVM64] InstanceType: m1.small

© 2023, Amazon Web Services, Inc. or its Affiliates. Conditions

© 2023, Amazon Web Services, Inc. or its Affiliates. Conditions • You can, based on conditions: • Create resources or outputs, and/or • Specify resource property values • Condition functions: Fn::If, Fn::And, Fn::Equals, Fn::Not, Fn::Or • If your condition statement evaluates to true: • Your resource or output is created, and/or • CloudFormation sets a specific value to a given property

© 2023, Amazon Web Services, Inc. or its Affiliates. Conditions: creating resources/outputs Parameters: EnvType: Description: Environment type. Type: String AllowedValues: - prod - test Conditions: CreateProdResources: !Equals - !Ref EnvType - prod Resources: EC2Instance: Type: AWS::EC2::Instance Properties: ImageId: ami-0123abcd ProdMountPoint: Type: AWS::EC2::VolumeAttachment Condition: CreateProdResources Properties: InstanceId: !Ref EC2Instance VolumeId: !Ref ProdVolume Device: /dev/sdh ProdVolume: Type: AWS::EC2::Volume Condition: CreateProdResources Properties: Size: 100 [...]

© 2023, Amazon Web Services, Inc. or its Affiliates. Conditionally specifying a property value [...] SecurityGroups: - !If [CreateNewSecurityGroup, !Ref NewSecurityGroup, !Ref ExistingSecurityGroup] [...]

© 2023, Amazon Web Services, Inc. or its Affiliates. Change Sets

© 2023, Amazon Web Services, Inc. or its Affiliates. Change Sets • Preview how changes you wish to apply will affect resources • Example: which changes will delete or replace resources • You create a change set, then you execute the change set if you choose so Existing Stack Updated Template Change set Change set Updated Stack Review Change Set Template Editor Create Change Set

© 2023, Amazon Web Services, Inc. or its Affiliates. Best practices • Use lifecycle and ownership criteria when describing resources in templates • Test early, fail fast • cfn-lint: https://github.com/aws-cloudformation/cfn-lint • TaskCat: https://github.com/aws-ia/taskcat • Use cross-stack references, parameters, pseudo parameters • Don’t make out-of-band changes to avoid drifts • Validate user input • ... And more: • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html

© 2023, Amazon Web Services, Inc. or its Affiliates. Call to action

© 2023, Amazon Web Services, Inc. or its Affiliates. Next steps • CloudFormation documentation: • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html • Template reference: • https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-reference.html • AWS CloudFormation Workshop • https://catalog.workshops.aws/cfn101/ • Contribute to the CloudFormation language discussion: • https://github.com/aws-cloudformation/cfn-language-discussion

© 2023, Amazon Web Services, Inc. or its Affiliates. Q&A Matteo Rinaudo

© 2023, Amazon Web Services, Inc. or its Affiliates. Thank you! Matteo Rinaudo Twitter: @mrinaudo