Saturday, 10 March 2018

AWS CloudFormation

Overview
  • Infrastructure as code

Model
  • Stack - see CloudFormation (Stack)
  • Template - see CloudFormation (Template)
  • CF Service - backend service
    • Creates resources in the proper order
  • CF Daemon - agent running on an instance

Extensibility
  • Stack event - see CloudFormation (Stack)
  • Custom Resources - see CloudFormation (Resource Types)
  • Custom resource initialization - see CloudFormation (init)

CloudFormation Designer
  • Allows you to view/edit all resources in a template
  • Quick modifications

Restricting User Access
  • IAM user must have
    • CloudFormation permissions
    • Underlying resources permissions
  • IAM Policy Condition keys
    • cloudformation:TemplateUrl - template must come from a specific location (e.g. an approved S3 bucket)
    • cloudformation:StackPolicyUrl - a specific stack policy must be used
    • cloudformation:ResourceTypes - restrict which resource types the stack may contain
  • CreateStack/UpdateStack take a ResourceTypes parameter
    • restricts the resource types the call may create; the ResourceTypes condition key is evaluated against it
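An added example (not from the original notes) of an IAM identity policy applying the condition keys above; the bucket name and the allowed resource types are assumptions. The Deny on the Null operator covers the case where a caller omits the ResourceTypes parameter, because a ForAllValues check passes when the key is absent.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StackOpsOnlyFromApprovedTemplatesAndTypes",
      "Effect": "Allow",
      "Action": [ "cloudformation:CreateStack", "cloudformation:UpdateStack" ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "cloudformation:TemplateUrl": "https://s3.amazonaws.com/example-approved-templates/*"
        },
        "ForAllValues:StringEquals": {
          "cloudformation:ResourceTypes": [ "AWS::EC2::Instance", "AWS::EC2::SecurityGroup" ]
        }
      }
    },
    {
      "Sid": "DenyStackOpsThatOmitResourceTypes",
      "Effect": "Deny",
      "Action": [ "cloudformation:CreateStack", "cloudformation:UpdateStack" ],
      "Resource": "*",
      "Condition": { "Null": { "cloudformation:ResourceTypes": "true" } }
    },
    {
      "Sid": "ReadOnlyStackVisibility",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ValidateTemplate"
      ],
      "Resource": "*"
    }
  ]
}
```

A template passed inline as TemplateBody has no TemplateUrl key, so the Allow statement does not match and the call is refused. As the notes say, the caller still needs the permissions for the underlying resources (here the ec2 actions), which this policy does not grant.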

Intrinsic Functions
  • Built-in functions to retrieve values at runtime
  • Can be used in
    • resource properties
    • the Metadata resource attribute
    • the UpdatePolicy resource attribute
  • Arguments
    • literal: "arg"
    • list: [ "MyLoadBalancer", "DNSName" ]
    • return value from other function: {  "Ref" : "AWS::Region" }
  • Types
    • Fn::Base64 - encodes a string as Base64
      • typically used for the UserData property
    • Fn::GetAtt - return attribute of a resource
      • e.g. "Fn::GetAtt" : [ "MyLB" , "DNSName" ]
      • available attributes depend on the resource type (around 40 different ones in total)
    • Fn::FindInMap - get value from a map declared in Mappings
      • e.g. "Fn::FindInMap" : [ "MapName", "TopLevelKey", "SecondLevelKey"]
    • Fn::GetAZs - returns the list of AZs available to the account
      • may specify a region (empty string = current region)
      • in a VPC, only AZs that have a default subnet are returned
    • Fn::Join - concatenates a list of strings with a delimiter
      • e.g. "Fn::Join" : [ ":", [ "a", "b", "c" ] ] -> a:b:c
    • Fn::Select - return object at index
      • e.g. { "Fn::Select" : [ "1", [ "apples", "grapes", "oranges" ] ] } -> grapes
    • Ref - returns value of specified parameter or resource
      • Parameter - value of parameter
      • Resources - typically the physical ID, but not always
        • AWS::EC2::EIP -> IP address
        • AWS::SQS::Queue -> queue URL
    • Condition functions
      • Used to conditionally create resources
      • Associated with: Resources, Resource Properties, Outputs
      • Types
        • Fn::If
        • Fn::Equals
        • Fn::Not
        • Fn::And
        • Fn::Or

CloudFormation Helper Scripts
  • Written in Python, based on cloud-init
  • Used to install and start services
  • Run on EC2 instance as part of stack creation
  • Installed by default on Amazon Linux
  • Typically invoked from the "UserData" property
  • Helpers
    • cfn-init
      • retrieve and interpret resource metadata, install packages, start services
    • cfn-signal
      • signal CreationPolicy, UpdatePolicy (WaitOnResourceSignals) or WaitCondition
      • published to "Stack Events"
      • Often used with cfn-init
      • Resource signaling
        • resource
        • stack
        • url
      • WaitConditionHandle signaling
        • data
        • reason
        • waitconditionhandle.url
    • cfn-get-metadata
      • retrieves the metadata associated with a resource and prints it to stdout
      • either the whole tree or a sub-tree
    • cfn-hup
      • daemon to check for updates in metadata and execute custom hooks
      • periodically calls actions in hooks.conf
      • allows you to make configuration updates on running Amazon EC2 instances through the UpdateStack API
      • detects a change in a Metadata key and performs an arbitrary action (hook)
      • Files
        • cfn-hup.conf - stores name of the Stack and credentials
        • hooks.conf - contains actions to be run
          • Loaded at daemon start-up 
          • May be split into multiple files in hooks.d directory
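An added example (not from the original notes) of a template that ties the Intrinsic Functions and Helper Scripts sections together: Ref on pseudo-parameters, Fn::FindInMap, Fn::If/Fn::Equals, Fn::Select over Fn::GetAZs, Fn::GetAtt, and a UserData script built with Fn::Join and Fn::Base64 that runs cfn-init and then cfn-signal against a CreationPolicy. The AMI IDs are placeholders, and the instance types and package are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Intrinsic functions with cfn-init/cfn-signal bootstrap (AMI IDs are placeholders)",
  "Parameters": {
    "Env": { "Type": "String", "AllowedValues": [ "dev", "prod" ], "Default": "dev" },
    "KeyName": { "Type": "AWS::EC2::KeyPair::KeyName" }
  },
  "Mappings": {
    "RegionAmi": {
      "us-east-1": { "Ami": "ami-PLACEHOLDER-USE1" },
      "eu-west-1": { "Ami": "ami-PLACEHOLDER-EUW1" }
    }
  },
  "Conditions": {
    "IsProd": { "Fn::Equals": [ { "Ref": "Env" }, "prod" ] }
  },
  "Resources": {
    "Web": {
      "Type": "AWS::EC2::Instance",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "config": {
            "packages": { "yum": { "httpd": [] } },
            "services": { "sysvinit": { "httpd": { "enabled": "true", "ensureRunning": "true" } } }
          }
        }
      },
      "CreationPolicy": { "ResourceSignal": { "Timeout": "PT10M" } },
      "Properties": {
        "ImageId": { "Fn::FindInMap": [ "RegionAmi", { "Ref": "AWS::Region" }, "Ami" ] },
        "InstanceType": { "Fn::If": [ "IsProd", "m5.large", "t3.micro" ] },
        "AvailabilityZone": { "Fn::Select": [ "0", { "Fn::GetAZs": { "Ref": "AWS::Region" } } ] },
        "KeyName": { "Ref": "KeyName" },
        "UserData": { "Fn::Base64": { "Fn::Join": [ "", [
          "#!/bin/bash -xe\n",
          "/opt/aws/bin/cfn-init -v --stack ", { "Ref": "AWS::StackName" },
          " --resource Web --region ", { "Ref": "AWS::Region" }, "\n",
          "/opt/aws/bin/cfn-signal -e $? --stack ", { "Ref": "AWS::StackName" },
          " --resource Web --region ", { "Ref": "AWS::Region" }, "\n"
        ] ] } }
      }
    }
  },
  "Outputs": {
    "WebPublicIp": { "Value": { "Fn::GetAtt": [ "Web", "PublicIp" ] } }
  }
}
```

If cfn-init fails, cfn-signal reports its non-zero exit code and the stack rolls back instead of leaving a half-configured instance; if no signal arrives within the CreationPolicy timeout, the result is the same. The Mappings plus the AWS::Region pseudo-parameter are what make the template reusable across regions, as the best practices below recommend.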

Best Practices
  • Organize by lifecycle and/or ownership
    • Networking Team
    • Payments Team
  • Use nested stacks (AWS::CloudFormation::Stack)
    • Reusability
    • Role specialization (different people manage different templates)
  • Do not embed credentials in templates
    • use input parameters with NoEcho (the value is masked in console and API output)
  • Use AWS specific parameters if possible
    • validations, auto-complete
  • Use parameter constraints
  • Use ValidateTemplate (API)
  • Do not modify resources outside CF (configuration drift)
  • Use AWS CloudTrail to track execution
  • Use AWS Config for history of changes
  • Version control templates (git)
  • Enable termination protection
  • Reuse templates
    • Account for regional differences
      • AMI
      • Endpoints (e.g. S3)
      • Instance Types
      • AZs
      • ARNs format
      • IAM policies
    • Use
      • Pseudo-parameters
      • Mappings
      • Conditionals

Serverless Application Model
  • Used to deploy Serverless applications
  • Natively supported by CloudFormation
