(APP304) AWS CloudFormation Best Practices | AWS re:Invent 2014

Post on 30-Jun-2015

DESCRIPTION

"With AWS CloudFormation you can model, provision, and update the full breadth of AWS resources. You can manage anything from a single Amazon EC2 instance to a multi-tier application. If you are familiar with AWS CloudFormation or using it already, this session is for you. If you are familiar with AWS CloudFormation, you may have questions such as 'How do I plan my stacks?', 'How do I deploy and bootstrap software on my stacks?' and 'Where does AWS CloudFormation fit in a DevOps pipeline?' If you are using AWS CloudFormation already, you may have questions such as 'How do I manage my templates at scale?', 'How do I safely update stacks?', and 'How do I audit changes to my stack?' This session is intended to answer those questions. If you are new to AWS CloudFormation, get up to speed for this session by completing the Working with CloudFormation lab in the self-paced Labs Lounge."

Transcript

November 13, 2014 | Las Vegas, NV

Chetan Dandekar, Senior Product Manager, Amazon Web Services

Effectiveness

Safety

Visibility

Design

Templates

App code

Stacks

Iterate

Frontend Services

• Consumer Website, Seller Website, Mobile Backend

Backend Services

• Search, Payments, Reviews, Recommendations

Shared Services

• CRM DBs, Common Monitoring /Alarms, Subnets, Security Groups

Base Network

• VPCs, Internet Gateways, VPNs, NATs

Identity

• IAM Users, Groups, Roles

Food Catalog website

Ordering website

Customer DB service

Inventory service

Recommendations service

Analytics service

Fulfillment service

Payment service

Food Catalog website

Customer DB service

"Outputs" : { "CustDBEndPoint" }

"Parameters" : { "CustDBEndPoint" }

Website1

    "Resources" : { "ELB", "AutoScaling", "RDS" }

Website2

    "Resources" : { "ELB", "AutoScaling", "DynamoDB" }

ELB_AND_AS

    "Resources" : { "ELB", "AutoScaling" }

Website1

    "Resources" : { "NestedStack", "RDS" }

Website2

    "Resources" : { "NestedStack", "DynamoDB" }

AWS::EC2::VPC::Id

List<AWS::EC2::Subnet::Id>

List<AWS::EC2::SecurityGroup::Id>

AWS::EC2::KeyPair::KeyName

Param validation

Stack creation workflow

App instances

MinLength

MaxLength

AllowedPattern

User/Role

AWS CloudFormation

Amazon EC2

Amazon RDS

Amazon ElastiCache

Etc.

Permissions to call AWS CloudFormation

Permissions to create ALL resources specified in a template

Account

AWS CloudFormation

Amazon EC2

Amazon RDS

ElastiCache

Etc.

# of AWS CloudFormation stacks

# of EC2 instances, total

Amazon RDS storage, etc.

Metadata

AWS::CloudFormation::Init

Declarative

Reusable

Grouping & Ordering

Debug-able

Updatable

Highly Secure

BIOT™ (Bring In Other Tools)

ow.ly/DiNCm

"packages" : {}, "sources" : {}, "files" : {}, "groups" : {}, "users" : {},"commands" : {}, "services" : {}

commands

recipe[wordpress]

ow.ly/DiNkz

Securely download

Choose auth type. IAM Role is recommended.

ow.ly/DqkrB

UserData

Get the latest

Trigger CloudFormation::Init

Signal completion

awslogs

cfn-logs.conf

    file = /var/log/cfn-init.log
    log_stream_name = {instance_id}/cfn-init.log

    file = /var/log/cfn-hup.log
    log_stream_name = {instance_id}/cfn-hup.log

ow.ly/E0zO3

arn:aws:cloudformation:us-west-2:123456789:stack/BaseNet*

arn:aws:cloudformation:us-west-2:123456789:stack/FrontEnd*

{
    "Effect" : "Deny",
    "Action" : [ "ec2:TerminateInstances" ],
    "Condition" : {
        "Null" : { "ec2:ResourceTag/*cloudformation*" : "true" }
    },
    "Resource" : "*"
}

Description

Metadata

Comment

Faster

Cost-efficient

Simpler state and data migration

No touching of a working stack

Textual diff

Refs and Fn::GetAtts

No Interruption Some Interruption Replacement

IAM permissions

drift

AWS Config CloudFormer

"Do not update the databases"

    {
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "Update:*",
        "Resource" : "*",
        "Condition" : {
            "StringEquals" : {
                "ResourceType" : [ "AWS::RDS::DBInstance", "AWS::Redshift::Cluster" ]
            }
        }
    }

"Okay to update, unless the update requires replacement"

    {
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "Update:Replace",
        "Resource" : "LogicalResourceId/MyInstance"
    }
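The two stack-policy fragments above state the intent (never touch the databases; MyInstance may be modified but never replaced) but not how CloudFormation decides. The following Python script is an added example, not code from the talk or from AWS: it evaluates a stack policy the way the documented rules describe (every update action is denied unless an Allow statement matches it, and an explicit Deny always wins over an Allow), so a planned change set can be checked against the policy before the update is run. The combined policy document, the Allow-all statement that makes the two Deny statements meaningful, and the planned changes are constructed for the example; `evaluate` and `review_change_set` are hypothetical helper names.

```python
"""Check planned resource updates against an AWS CloudFormation stack policy."""
import fnmatch
import json

# Constructed sample policy: the two Deny statements from the slides, plus an
# Allow-all statement (an assumption added here) so that everything else is
# updatable. Without any Allow statement a stack policy denies every update.
STACK_POLICY = json.loads("""
{
  "Statement": [
    { "Effect": "Allow", "Principal": "*", "Action": "Update:*", "Resource": "*" },
    { "Effect": "Deny", "Principal": "*", "Action": "Update:*", "Resource": "*",
      "Condition": { "StringEquals": {
        "ResourceType": ["AWS::RDS::DBInstance", "AWS::Redshift::Cluster"] } } },
    { "Effect": "Deny", "Principal": "*", "Action": "Update:Replace",
      "Resource": "LogicalResourceId/MyInstance" }
  ]
}
""")

# Constructed planned change set: (logical id, resource type, update action).
PLANNED_CHANGES = [
    ("WebELB", "AWS::ElasticLoadBalancing::LoadBalancer", "Update:Modify"),
    ("MyDB", "AWS::RDS::DBInstance", "Update:Modify"),
    ("MyInstance", "AWS::EC2::Instance", "Update:Replace"),
    ("WebASG", "AWS::AutoScaling::AutoScalingGroup", "Update:Modify"),
]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Actions are Update:Modify, Update:Replace, Update:Delete or the Update:* wildcard.
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _resource_matches(patterns, logical_id):
    # Resources are addressed as "LogicalResourceId/<id>" or "*".
    target = f"LogicalResourceId/{logical_id}"
    return any(p == "*" or fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))


def _condition_matches(condition, resource_type):
    """Evaluate the ResourceType condition key; no condition means 'applies'."""
    if not condition:
        return True
    for operator, keys in condition.items():
        values = _as_list(keys.get("ResourceType", []))
        if operator == "StringEquals":
            ok = resource_type in values
        elif operator == "StringNotEquals":
            ok = resource_type not in values
        elif operator == "StringLike":
            ok = any(fnmatch.fnmatchcase(resource_type, v) for v in values)
        elif operator == "StringNotLike":
            ok = not any(fnmatch.fnmatchcase(resource_type, v) for v in values)
        else:
            raise ValueError(f"unsupported condition operator: {operator}")
        if not ok:
            return False
    return True


def evaluate(policy, logical_id, resource_type, action):
    """Return 'Allow' or 'Deny' for one update action on one resource.

    Default is Deny; a matching Allow flips it; a matching Deny is final.
    """
    decision = "Deny"
    for statement in policy["Statement"]:
        if not (_action_matches(statement["Action"], action)
                and _resource_matches(statement["Resource"], logical_id)
                and _condition_matches(statement.get("Condition"), resource_type)):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def review_change_set(policy, planned):
    """Return the planned (logical id, type, action) triples the policy would block."""
    return [(lid, rtype, act) for lid, rtype, act in planned
            if evaluate(policy, lid, rtype, act) == "Deny"]


if __name__ == "__main__":
    for change in review_change_set(STACK_POLICY, PLANNED_CHANGES):
        print("blocked by stack policy:", change)
```

Running the script reports the RDS modification and the replacement of MyInstance as blocked, while the load balancer and Auto Scaling group changes pass; the same check run with a policy that has no Allow statement denies everything, which is the trap to watch for when a stack policy is first attached.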

ow.ly/E0Njj

ow.ly/E9nLm

security group

Auto Scaling group

EC2

instance

Elastic Load Balancing

ElastiCache

Memcached cluster

Software pkgs, config, & data

CloudWatch alarms

Web Analytics Service

AWS CloudFormation

Provision

AWS Resources

"Create, Update, Rollback, or Delete"

Worker

Amazon SNS Topic

Stack Events

"Success" + Metadata

"Create, Update, Rollback, or Delete" + Metadata

ow.ly/DiSXp

https://console.aws.amazon.com/cost-reports/home?#/custom

ow.ly/E0Ny9

AWS CloudFormation Issue Tracker

App Developers

DevOps Engineers, Infrastructure Developers,

Systems Engineers

Dev Env Code Repo

App Pkgs, AWS CloudFormation Templates, Etc.

CI Server

Test

Staging

Prod

Code Review

"Infra-as-Code"

App Code & Templates

http://bit.ly/awsevals

ow.ly/Ec28a ow.ly/EdMyk