Zero to Sixty: AWS CloudFormation (DMG201) | AWS re:Invent 2013

"AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. In this Zero to Sixty session, learn about CloudFormation's latest features along with best practices for using them, including maintaining complex environments with CloudFormation, template management and re-use, and controlling stack updates. Demos and code samples are available to all session attendees.
Are you new to AWS CloudFormation? Get up to speed for this session by first completing the 60-minute Fundamentals of CloudFormation lab in the Self Paced Lab Lounge."

Published in: Technology, Business

1 Comment
  • For new features / completions, as per release documentation at http://aws.amazon.com/releasenotes/4113373093933882
    Includes:
    (*) Conditional declaration
    (*) Update resources defeasibility
    (*) Name type for certain resources
    (*) Custom resource
    (*) Account ID
    (*) Stack action controls

  1. Zero to Sixty: AWS CloudFormation. Chetan Dandekar, Senior Product Manager, AWS CloudFormation; Capen Brinkley, Software Developer, Intuit. November 13, 2013. © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. AWS CloudFormation Model. Three ways to provision: manual (instruction, manual step, repeated for every resource), instruction script(s), or CloudFormation (click Done). Questions the manual and scripted approaches leave you to answer: creation order? how long do I pause? what errors can I recover from? what environment config and utilities does my script depend on? can my script be faster? will this script work again?
  3. AWS CloudFormation: version control; replicate across Dev, Test, Staging, Prod, demos and regions; standardization; service catalog.
  4. AWS CloudFormation: template snippets, API, code and config feed a CloudFormation build pipeline; automate; monitor progress via SNS.
  5. Intuit's CloudFormation Story
  6. Key Takeaways
      • How we use CloudFormation to manage large scale applications
      • Methodologies and tools you can use to follow a similar path
  7. Infrastructure Design, Template Management, Stack Management, Bootstrapping
  8. Live Community Traffic (Feb. 1 to April 15)
  9. Amazon EC2, Amazon RDS, Amazon S3, Elastic Load Balancing
  10. Infrastructure as Code
  11. App Tier: an Auto Scaling group of web app servers
  12. Service Oriented Architecture: Amazon SQS, Amazon RDS, Amazon CloudFront, Amazon Route 53, Amazon S3, Amazon ElastiCache, Amazon CloudWatch, AWS CloudFormation, AWS IAM, Amazon SES, Amazon EC2, Amazon SNS
  13. Multiple Templates, Loosely Coupled: the app tier (an Auto Scaling group of web app servers) is decoupled from its neighbours by an SQS queue
  14. Multiple Templates, Loosely Coupled: easy to reason about, reusable
  15. Stack Management
  16. Simple Deploy: https://github.com/intuit/simple_deploy
  17. Simple Deploy commands: attributes, clone, create, deploy, destroy, environments, events, execute, instances, list, outputs, parameters, protect, resources, status, template, update
  18. Blue/green deployment: elb-1 fronts two Auto Scaling groups, app-1 (v1.0.0, blue) and app-2 (v1.1.0, green)
  19. $ simple_deploy environments
      Default
      lc_preprod_us_west_1
      lc_preprod_us_west_2
      lc_preprod_us_east_1
      PROD_lc_prod_us_west_1_PROD
      PROD_lc_prod_us_west_2_PROD
      PROD_lc_prod_us_east_1_PROD
  20. $ simple_deploy list --environment lc_preprod_us_west_1
      lc-dev-elb-1
      lc-dev-app-1
      lc-dev-db-master-1
      lc-dev-db-parameter-group
  21. simple_deploy create --environment lc_preprod_us_west_1 --name lc-dev-app-2 --template app.json --input-stack lc-dev-elb-1 --input-stack lc-dev-db-master-1 --attribute chef_repo=3f57f9f --attribute app=bcb68de
  22. simple_deploy clone --environment lc_preprod_us_west_1 --source-stack lc-dev-1-app-1 --name lc-dev-1-app-2 --attribute app=afdac509b --attribute chef_repo=a4531e5ff6
  23. simple_deploy destroy --environment lc_preprod_us_west_1 --name lc-dev-1-app-1
  24. Bootstrapping chain: Code / CI / Artifact, Simple Deploy, CloudFormation, Auto Scaling, Userdata, CloudFormation::Init, Chef
  25. Instance User Data. In the template:
      "UserData": { "Fn::Base64": { "Fn::Join": ["", [
        "#!/bin/bash\n",
        "yum update -y aws-cfn-bootstrap\n",
        "/opt/aws/bin/cfn-init --stack ", { "Ref": "AWS::StackName" },
        " --verbose",
        " --resource InstanceLaunchConfig",
        " --region=", { "Ref": "AWS::Region" },
        " --configsets bootstrap",
        "\n"
      ]]}}
      What the instance receives (CloudFormation > GET http://169.254.169.254/latest/user-data):
      #!/bin/bash
      yum update -y aws-cfn-bootstrap
      /opt/aws/bin/cfn-init --stack lc-app-stack --verbose --resource InstanceLaunchConfig --region=us-west-2 --configsets bootstrap
  26. CloudFormation::Init resources: configSets, commands, files, groups, packages, services, sources, users
  27. "configSets": { "bootstrap": [ "create_files", "install_packages", "run_chef", "clean_up" ] }
  28. "create_files": { "files": { "/etc/chef/ohai/hints/ec2.json": { "content": "{}", "mode": "000400", "owner": "root", "group": "root" } } }
  29. "install_packages": { "packages": { "yum": { "chef": [ "11.6.2-1" ] } } }
  30. "run_chef": { "commands": {
        "1_download_chef_repo": { ... },
        "2_decrypt_chef_repo": { ... },
        "3_extract_chef_repo": { ... },
        "4_run_chef": { ... }
      } }
  31. "run_chef": { "commands": { "run_chef": { "command": { "Fn::Join": ["", [ "/usr/bin/chef-solo -c /var/chef/config/solo.rb -o ", { "Ref": "Role" } ]] } } } }
  32. "clean_up": { "commands": { "1_cleanup_files": { "command": "rm -rf /var/tmp/chef_repo.tar.gz /var/tmp/chef_repo.tar.gz.gpg" } } }
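The user-data and cfn-init slides above describe a contract between the template and the instance: CloudFormation resolves the Fn::Join/Fn::Base64 expression, the instance fetches the result from the metadata service, and cfn-init walks the named config set. The following is an added example, not code from the talk or from Intuit's simple_deploy: it resolves the Ref/Fn::Join/Fn::Base64 subset used in the slide to show exactly what the instance will run, and checks the AWS::CloudFormation::Init metadata for two mistakes that are easy to make by hand, a config set entry that names no config, and a file written with a mode readable by group or other (the slide's ohai hint uses 000400; the same setting matters far more for a decryption key or data bag secret). The template fragment is constructed for this example, and the pseudo-parameter values (AWS::StackName, AWS::Region) are assumed inputs.

```python
"""Render an instance's user data from a CloudFormation template and lint
its AWS::CloudFormation::Init metadata. Added example; not the talk's code."""
import base64

# Constructed template fragment, modelled on the talk's user-data and
# configSets slides. Not a complete or deployable template.
TEMPLATE = {
    "Resources": {
        "InstanceLaunchConfig": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Metadata": {
                "AWS::CloudFormation::Init": {
                    "configSets": {"bootstrap": ["create_files", "install_packages", "run_chef", "clean_up"]},
                    "create_files": {"files": {"/etc/chef/ohai/hints/ec2.json": {
                        "content": "{}", "mode": "000400", "owner": "root", "group": "root"}}},
                    "install_packages": {"packages": {"yum": {"chef": ["11.6.2-1"]}}},
                    "run_chef": {"commands": {"run_chef": {"command": {"Fn::Join": ["", [
                        "/usr/bin/chef-solo -c /var/chef/config/solo.rb -o ", {"Ref": "Role"}]]}}}},
                    "clean_up": {"commands": {"1_cleanup_files": {
                        "command": "rm -rf /var/tmp/chef_repo.tar.gz /var/tmp/chef_repo.tar.gz.gpg"}}},
                }
            },
            "Properties": {
                "UserData": {"Fn::Base64": {"Fn::Join": ["", [
                    "#!/bin/bash\n",
                    "yum update -y aws-cfn-bootstrap\n",
                    "/opt/aws/bin/cfn-init --stack ", {"Ref": "AWS::StackName"},
                    " --verbose",
                    " --resource InstanceLaunchConfig",
                    " --region=", {"Ref": "AWS::Region"},
                    " --configsets bootstrap",
                    "\n",
                ]]}}
            },
        }
    }
}


def resolve(node, refs):
    """Resolve Ref, Fn::Join and Fn::Base64 recursively (only the subset
    this template uses). `refs` maps parameter / pseudo-parameter names to
    their values; an unknown Ref raises KeyError, as a template validator should."""
    if isinstance(node, dict):
        if "Ref" in node:
            return refs[node["Ref"]]
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p, refs) for p in parts)
        if "Fn::Base64" in node:
            return base64.b64encode(resolve(node["Fn::Base64"], refs).encode()).decode()
        return {k: resolve(v, refs) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, refs) for v in node]
    return node


def render_user_data(template, logical_id, refs):
    """Return the plain-text script the instance fetches from
    http://169.254.169.254/latest/user-data after CloudFormation has
    resolved and base64-encoded the UserData property."""
    user_data = template["Resources"][logical_id]["Properties"]["UserData"]
    return base64.b64decode(resolve(user_data, refs)).decode()


def check_init_metadata(template, logical_id):
    """Return a list of problems found in the resource's AWS::CloudFormation::Init:
    config-set entries that reference no config key, and files whose mode
    leaves read bits for group or other (cfn-init's default mode is assumed
    to be 000644 when none is given)."""
    init = template["Resources"][logical_id]["Metadata"]["AWS::CloudFormation::Init"]
    problems = []
    for set_name, entries in init.get("configSets", {}).items():
        for entry in entries:
            # Nested {"ConfigSet": ...} entries exist too; only plain names are checked here.
            if isinstance(entry, str) and entry not in init:
                problems.append(f"configSet {set_name!r} references missing config {entry!r}")
    for name, config in init.items():
        if name == "configSets":
            continue
        for path, spec in config.get("files", {}).items():
            mode = spec.get("mode", "000644")
            if mode[-2:] != "00":
                problems.append(f"{path} has mode {mode}: readable by group/other")
    return problems


if __name__ == "__main__":
    refs = {"AWS::StackName": "lc-app-stack", "AWS::Region": "us-west-2"}
    print(render_user_data(TEMPLATE, "InstanceLaunchConfig", refs))
    print(check_init_metadata(TEMPLATE, "InstanceLaunchConfig") or "init metadata OK")
```

Running it prints the same four-line script the slide shows the instance fetching, which is a quick way to catch the two defects that were present in the slide's template as extracted (a missing comma between two Fn::Join parts and a single-dash `-configsets`) before they reach an Auto Scaling launch.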
  33. The Climb
  34. What's New in AWS CloudFormation
  35. Let's take an example: scalable, reliable, highly available
  36. Two types of tasks, Develop and Operate, and the new features that serve them: parallel stack processing, fail-safe stack management, updates without downtime, richer template language, federation and IAM roles
  37. Parallel Stack Processing
  38. Parallel Stack Processing
  39. Richer Template Language
  40. Conditions: one template, Dev and Prod
  41. Conditions
      "Parameters": {
        "Environment": {
          "Description": "Specifies if this is a Dev, QA or Prod environment",
          "Type": "String",
          "Default": "Dev",
          "AllowedValues": [ "Dev", "QA", "Prod" ]
        }
      },
      ...
      "Conditions": {
        "ProdEnvironment": { "Fn::Equals": [ { "Ref": "Environment" }, "Prod" ] }
      },
  42. Conditions
      "DBInstance": {
        "Type": "AWS::RDS::DBInstance",
        "Properties": {
          "DBName": { "Ref": "DBName" },
          "Engine": "MySQL",
          "MultiAZ": { "Fn::If": [ "ProdEnvironment", "true", "false" ] },
          "DBSnapshotIdentifier": { "Fn::If": [ "ProdEnvironment", { "Ref": "DBName" }, { "Ref": "AWS::NoValue" } ] },
          ...
        }
      },
  43. Conditions
      "DBStorageAlarm": {
        "Condition": "ProdEnvironment",
        "Type": "AWS::CloudWatch::Alarm",
        "Properties": {
          "AlarmDescription": "Alarm if db size grows beyond a threshold",
          "Namespace": "AWS/RDS",
          "MetricName": "FreeStorageSpace",
          ...
        }
      }
  44. Conditions: Fn::If, Fn::Equals, Fn::Not, Fn::And, Fn::Or
      "Conditions": {
        ...
        "ProdOrLoadTestingEnv": { "Fn::Or": [ { "Condition": "ProdEnvironment" }, { "Fn::Equals": [ ... ] } ] }
      }
      "Fn::If": [ {condition}, {value_if_true}, {value_if_false} ]
  45. User-Defined Resource Names. By default, AWS CloudFormation generates unique resource names, e.g. "prodstack20131113DBStorageAlarm19BL0MOXL0TPI". In addition, you now have the flexibility to use custom names, e.g. "SalesDataStorageAlarm", and still keep them unique.
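Slides 41 to 44 show three distinct ways a condition shapes a stack: a resource-level "Condition" drops the whole resource, Fn::If picks a property value, and Fn::If returning AWS::NoValue removes the property altogether. The evaluator below is an added example, not code from the talk: it reimplements the documented semantics of Fn::Equals, Fn::And, Fn::Or, Fn::Not, Condition and Fn::If in plain Python and applies them to the Resources block, so you can see what a Dev and a Prod stack will actually contain before calling the API. The template fragment is constructed from the slides; the DBName parameter default and the NotDev/ProdOrQA conditions are additions made for the example, and a parameter value outside AllowedValues is rejected the way CloudFormation would reject it.

```python
"""Evaluate a CloudFormation Conditions block and apply it to Resources.
Added example; not the talk's code and not an AWS library."""
import copy

# Constructed from the Conditions slides; DBName default and the NotDev /
# ProdOrQA conditions are added for illustration.
TEMPLATE = {
    "Parameters": {
        "Environment": {"Type": "String", "Default": "Dev", "AllowedValues": ["Dev", "QA", "Prod"]},
        "DBName": {"Type": "String", "Default": "salesdb"},
    },
    "Conditions": {
        "ProdEnvironment": {"Fn::Equals": [{"Ref": "Environment"}, "Prod"]},
        "NotDev": {"Fn::Not": [{"Fn::Equals": [{"Ref": "Environment"}, "Dev"]}]},
        "ProdOrQA": {"Fn::Or": [{"Condition": "ProdEnvironment"},
                                {"Fn::Equals": [{"Ref": "Environment"}, "QA"]}]},
    },
    "Resources": {
        "DBInstance": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "DBName": {"Ref": "DBName"},
                "Engine": "MySQL",
                "MultiAZ": {"Fn::If": ["ProdEnvironment", "true", "false"]},
                "DBSnapshotIdentifier": {"Fn::If": ["ProdEnvironment", {"Ref": "DBName"},
                                                    {"Ref": "AWS::NoValue"}]},
            },
        },
        "DBStorageAlarm": {
            "Condition": "ProdEnvironment",
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {"Namespace": "AWS/RDS", "MetricName": "FreeStorageSpace"},
        },
    },
}

NO_VALUE = object()  # sentinel for {"Ref": "AWS::NoValue"}


class ConditionEvaluator:
    def __init__(self, template, params):
        specs = template.get("Parameters", {})
        unknown = set(params) - set(specs)
        if unknown:
            raise ValueError(f"unknown parameters: {sorted(unknown)}")
        self.params = {name: spec.get("Default") for name, spec in specs.items()}
        self.params.update(params)
        for name, spec in specs.items():
            allowed = spec.get("AllowedValues")
            if allowed and self.params[name] not in allowed:
                raise ValueError(f"{name}={self.params[name]!r} not in AllowedValues")
        self.conditions = template.get("Conditions", {})
        self._cache = {}

    def condition(self, name):
        """Evaluate a named condition once and memoise it."""
        if name not in self._cache:
            self._cache[name] = self._expr(self.conditions[name])
        return self._cache[name]

    def _expr(self, node):
        (fn, arg), = node.items()
        if fn == "Condition":
            return self.condition(arg)
        if fn == "Fn::Equals":
            left, right = arg
            return self.value(left) == self.value(right)
        if fn == "Fn::Not":
            return not self._expr(arg[0])
        if fn == "Fn::And":
            return all(self._expr(a) for a in arg)
        if fn == "Fn::Or":
            return any(self._expr(a) for a in arg)
        raise ValueError(f"unsupported function in condition: {fn}")

    def value(self, node):
        """Resolve Ref and Fn::If inside property values; drop NoValue keys."""
        if isinstance(node, dict):
            if "Ref" in node:
                return NO_VALUE if node["Ref"] == "AWS::NoValue" else self.params[node["Ref"]]
            if "Fn::If" in node:
                cond, if_true, if_false = node["Fn::If"]
                return self.value(if_true if self.condition(cond) else if_false)
            resolved = {k: self.value(v) for k, v in node.items()}
            return {k: v for k, v in resolved.items() if v is not NO_VALUE}
        if isinstance(node, list):
            return [self.value(v) for v in node]
        return node


def resolve_resources(template, params):
    """Return the Resources that would exist for `params`, with conditional
    resources removed and property-level Fn::If / AWS::NoValue applied."""
    ev = ConditionEvaluator(template, params)
    out = {}
    for logical_id, res in template["Resources"].items():
        if "Condition" in res and not ev.condition(res["Condition"]):
            continue
        resolved = copy.deepcopy(res)
        resolved.pop("Condition", None)
        resolved["Properties"] = ev.value(resolved.get("Properties", {}))
        out[logical_id] = resolved
    return out
```

Calling `resolve_resources(TEMPLATE, {"Environment": "Prod"})` yields a Multi-AZ database restored from the named snapshot plus the storage alarm; with the default Dev environment the alarm is absent and DBSnapshotIdentifier is not set at all rather than set to an empty string, which is the behaviour AWS::NoValue exists for.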
  46. Develop and Operate: parallel stack processing, fail-safe stack management, updates without downtime, richer template language, federation and IAM roles
  47. Fail-Safe Stack Management
  48. Stack Protection. IAM policy for Dev users, scoped to the Dev1, Dev2 and Dev3 stacks:
      { "Effect": "Allow", "Action": [ "cloudformation:*" ], "Resource": "arn:aws:cloudformation:us-west-2:123456789012:stack/Dev*" }
      IAM policy for users who may also touch Prod:
      { "Effect": "Allow", "Action": [ "cloudformation:*" ], "Resource": "*" }
  49. Stack Protection
      { "Effect": "Deny", "Action": [ "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Resource": "arn:aws:cloudformation:us-west-2:123456789012:stack/productionstack/*" }
  50. Stack Protection: a stack that denies its own deletion and update to a group, from within the template
      "Resources": {
        "StackProtectionPolicy": {
          "Type": "AWS::IAM::Policy",
          "Properties": {
            "PolicyName": "StackProtectionPolicy",
            "Groups": [ { "Ref": "DenyGrp" } ],
            "PolicyDocument": {
              "Statement": [ {
                "Effect": "Deny",
                "Action": [ "cloudformation:DeleteStack", "cloudformation:UpdateStack" ],
                "Resource": { "Ref": "AWS::StackId" }
              } ]
            }
          }
        }
      }
  51. Resource Protection
      { "Effect": "Deny", "Action": [ "ec2:TerminateInstances" ], "Condition": { "Null": { "ec2:ResourceTag/*cloudformation*": "true" } }, "Resource": "*" }
  52. Preventing Updates. Stack Policy Document:
      { "Statement": [
        { "Effect": "Deny", "Action": "Update:*", "Principal": "*", "Resource": "ResourceType/AWS::RDS::DBInstance" },
        { "Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*" }
      ] }
  53. Preventing Updates. Fine grained stack policy:
      { "Statement": [
        { "Effect": "Deny", "Action": "Update:Replace", "Principal": "*", "Resource": "LogicalResourceId/MyInstance" },
        { "Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*" }
        ...
      Setting the stack policy:
      > aws cloudformation create-stack --template-url ... --stack-policy-url ...
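The two stack policies on slides 52 and 53 differ from IAM policies in scope (they govern updates to resources inside one stack, not API calls) but share IAM's evaluation rule: once a stack policy is attached, every resource is protected unless a statement allows the update, and an explicit Deny always wins. The evaluator below is an added example, not code from the talk or an AWS library; it reimplements those documented rules, with the Update:Modify, Update:Replace, Update:Delete and Update:* actions and the LogicalResourceId/ and ResourceType/ resource prefixes, and runs them over a constructed list of planned changes so that a blocked database replacement can be spotted in review rather than discovered when the update is already in progress. The planned change list and the combined policy are constructed for the example.

```python
"""Dry-run a CloudFormation stack policy against planned resource updates.
Added example; not the talk's code and not an AWS library."""
import fnmatch

# Constructed stack policy combining the two slides' statements.
STACK_POLICY = {
    "Statement": [
        {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
         "Resource": "ResourceType/AWS::RDS::DBInstance"},
        {"Effect": "Deny", "Action": "Update:Replace", "Principal": "*",
         "Resource": "LogicalResourceId/MyInstance"},
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    ]
}

# Constructed planned changes: (logical id, resource type, update action)
PLANNED_CHANGES = [
    ("WebServerGroup", "AWS::AutoScaling::AutoScalingGroup", "Update:Modify"),
    ("MyInstance", "AWS::EC2::Instance", "Update:Replace"),
    ("DBInstance", "AWS::RDS::DBInstance", "Update:Modify"),
]

UPDATE_ACTIONS = {"Update:Modify", "Update:Replace", "Update:Delete"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, logical_id, resource_type, action):
    """True if the statement's Action and Resource both cover this change.
    Wildcards are allowed in actions, resource ids and resource types."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    for pattern in _as_list(statement["Resource"]):
        if pattern == "*":
            return True
        if pattern.startswith("LogicalResourceId/"):
            if fnmatch.fnmatchcase(logical_id, pattern[len("LogicalResourceId/"):]):
                return True
        elif pattern.startswith("ResourceType/"):
            if fnmatch.fnmatchcase(resource_type, pattern[len("ResourceType/"):]):
                return True
    return False


def is_allowed(policy, logical_id, resource_type, action):
    """Apply stack-policy semantics: no policy means everything is allowed;
    with a policy, the update needs an Allow and must have no Deny."""
    if action not in UPDATE_ACTIONS:
        raise ValueError(f"not a stack-policy update action: {action}")
    if policy is None:
        return True
    allowed = denied = False
    for statement in policy["Statement"]:
        if not _statement_matches(statement, logical_id, resource_type, action):
            continue
        if statement["Effect"] == "Deny":
            denied = True
        elif statement["Effect"] == "Allow":
            allowed = True
    return allowed and not denied


def review_change_set(policy, changes):
    """Return one record per planned change with its verdict, in input order."""
    return [
        {"logical_id": lid, "type": rtype, "action": action,
         "allowed": is_allowed(policy, lid, rtype, action)}
        for lid, rtype, action in changes
    ]


if __name__ == "__main__":
    for record in review_change_set(STACK_POLICY, PLANNED_CHANGES):
        verdict = "ok     " if record["allowed"] else "BLOCKED"
        print(f"{verdict} {record['action']:<15} {record['logical_id']} ({record['type']})")
```

Two properties of the rules are worth noticing in the output: the Auto Scaling group update passes because the blanket Allow covers it, while MyInstance may still be modified in place but not replaced; and a policy consisting only of Deny statements blocks every update, since nothing grants the Allow that a protected resource needs.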
  54. Update without Downtime
      "WebServerGroup": {
        "Type": "AWS::AutoScaling::AutoScalingGroup",
        "Properties": {
          "LaunchConfigurationName": { "Ref": "LaunchConfig" },
          ...
        },
        "UpdatePolicy": {
          "AutoScalingRollingUpdate": {
            "MinInstancesInService": "2",
            "MaxBatchSize": "3",
            "PauseTime": "PT20M"
          }
        }
      },
  55. Using AWS CloudFormation with Federated Identities. Network architects, DB admins and application developers are defined in the corporate identity store. (1) The user accesses the identity broker; (2) the user is authenticated; (3) temporary security credentials are obtained from AWS Security Token Service; (4) the user is redirected to the AWS Management Console, or accesses the CloudFormation API and other AWS APIs directly.
  56. Calling AWS CloudFormation using IAM Roles. (1) The IAM role attached to the EC2 instance has permissions to call AWS CloudFormation and provision the underlying resources; (2) a user or script on the EC2 instance calls CloudFormation to provision a stack; (3) AWS CloudFormation provisions the stack using a template hosted in an S3 bucket inside the VPC.
  57. Related Resources
      • http://aws.amazon.com/cloudformation/
      • "Fundamentals of CloudFormation" lab in the Self Paced Lab Lounge
      • DMG303 - AWS CloudFormation under the Hood
      • ARC203 - How Adobe Deploys: Refreshing the Entire Stack Every Time
      • DMG209 - Enterprise Management for the AWS Cloud
      • Multiple other sessions are presenting CloudFormation samples
  58. Please give us your feedback on this presentation, DMG201. As a thank you, we will select prize winners daily for completed surveys!