
AWS Black Belt Online Seminar AWS CloudFormation アップデート

40,002 views


AWS公式オンラインセミナー: https://amzn.to/JPWebinar
過去資料: https://amzn.to/JPArchive



  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark. AWS Webinar: https://amzn.to/JPWebinar, archive: https://amzn.to/JPArchive
  2.-7. (bullet-list slides; text not captured)
  8. Diagram: Stack and Template. A Template is the definition of the resources to create; a Stack is the resulting collection of resources. Create / update / delete of the stack results in create / update / delete of the VPC resources.
  9.-14. (bullet-list and diagram slides; text not captured)
  15. Diagram: Stack, Template
  16. Sample template:
      AWSTemplateFormatVersion: "2010-09-09"
      Description: Sample
      Parameters:
        KeyName:
          Description: "Sample key"
          Type: String
      Mappings:
        RegionMap:
          ap-northeast-1:
            "AMI": "ami-xxxxxxxxxx"
      Resources:
        Ec2Instance:
          Type: "AWS::EC2::Instance"
          Properties:
            SubnetId: "subnet-xxxxxxxxxx"
            SecurityGroupIds:
              - "sg-xxxxxxxxxx"
            KeyName: !Ref KeyName
            ImageId: !FindInMap [ RegionMap, !Ref "AWS::Region", AMI ]
  17. Template anatomy:
      AWSTemplateFormatVersion: "version date"
      Description: String
      Metadata: template metadata
      Parameters: set of parameters
      Mappings: set of mappings
      Conditions: set of conditions
      Transform: set of transforms
      Resources: set of resources
      Outputs: set of outputs
  18. Resources section:
      Resources:
        MyInstance:
          Type: "AWS::EC2::Instance"
          Properties:
            SubnetId: "subnet-xxxxxxxxxx"
            SecurityGroupIds:
              - !GetAtt InstanceSecurityGroup.GroupId
            KeyName: !Ref KeyName
            ImageId: !FindInMap [ RegionMap, !Ref "AWS::Region", 64 ]
  19. Referencing a resource from Outputs:
      Resources:
        MyEC2Instance:
          Type: "AWS::EC2::Instance"
          Properties:
            SubnetId: "subnet-xxxxxxxxxxxxxxxx"
      Outputs:
        MyEC2PhysicalID:
          Value: !Ref MyEC2Instance
  20. Metadata on a resource:
      Resources:
        MyInstance:
          Type: "AWS::EC2::Instance"
          Metadata:
            MyInstance:
              Description: "Information about the instance"
            Database:
              Description: "Information about the database"
  21. AWS::CloudFormation::Interface (parameter grouping in the console):
      Metadata:
        AWS::CloudFormation::Interface:
          ParameterGroups:
            - Label:
                default: "Network Configuration"
              Parameters:
                - VPCID
                - ApplicationSubnetId
            - Label:
                default: "EC2 Configuration"
              Parameters:
                - KeyName
  22. Parameters section:
      Parameters:
        Age:
          Description: "input your age."
          Type: Number
          Default: 30
          MinValue: 20
          MaxValue: 60
        FirstName:
          Description: "input your first name."
          Type: String
        KeyName:
          Description: "Sample key"
          Type: String
  23. (slide with no captured text)
  24. Referencing parameters with !Ref:
      Resources:
        Ec2Instance:
          Type: "AWS::EC2::Instance"
          Properties:
            KeyName: !Ref KeyName
            Tags:
              - Key: OwnerAge
                Value: !Ref Age
              - Key: OwnerName
                Value: !Ref FirstName
  25. (bullet-list slide; text not captured)
  26. Intrinsic functions (!FindInMap, !Join, !GetAtt):
      Resources:
        Ec2Instance:
          Type: "AWS::EC2::Instance"
          Properties:
            ImageId: !FindInMap [ RegionMap, !Ref "AWS::Region", AMI ]
      Outputs:
        ApplicationURL:
          Value: !Join [ "", [ "http://", !GetAtt Ec2Instance.PublicDnsName, "/index.html" ] ]
  27. Pseudo parameters (AWS::StackName, AWS::Region):
      Resources:
        Ec2Instance:
          Type: "AWS::EC2::Instance"
          Properties:
            KeyName: !Ref "AWS::StackName"
            Tags:
              - Key: region
                Value: !Ref "AWS::Region"
  28. Mappings section:
      Mappings:
        RegionMap:
          us-east-1:
            "KEYPAIR": "myKey-east"
          us-west-1:
            "KEYPAIR": "myKey-west"
          ap-northeast-1:
            "KEYPAIR": "myKey-tokyo"
  29. Looking up a mapping with !FindInMap:
      Resources:
        Ec2Instance:
          Type: "AWS::EC2::Instance"
          Properties:
            KeyName: !FindInMap [ RegionMap, !Ref "AWS::Region", KEYPAIR ]
      Mappings:
        RegionMap:
          us-east-1:
            "KEYPAIR": "myKey-east"
          us-west-1:
            "KEYPAIR": "myKey-west"
          ap-northeast-1:
            "KEYPAIR": "myKey-tokyo"
  30. Conditions section:
      Parameters:
        EnvType:
          Description: "Environment type."
          Default: "development"
          Type: String
          AllowedValues: ["production", "staging", "development"]
          ConstraintDescription: "must specify."
      Conditions:
        CreateProdResources: {"Fn::Equals": [{"Ref": "EnvType"}, "production"]}
      Resources:
        Ec2Instance:
          Type: "AWS::EC2::Instance"
          Condition: "CreateProdResources"
  31. Transform section (three fragments as shown on the slide):
      Transform: AWS::Serverless-2016-10-31
      Resources:
        MyServerlessFunctionLogicalID:

      Transform:
        Name: 'AWS::Include'
        Parameters:
          Location: 's3://MyAmazonS3BucketName/MyFileName.yaml'

      Transform: [EchoMacro]
      Resources:
        FancyTable:
  32. Outputs section, with and without Export:
      Resources:
        Ec2Instance:
      Outputs:
        PublicDNS:
          Description: EC2 public DNS
          Value: !GetAtt Ec2Instance.PublicDnsName

      Outputs:
        TSSG:
          Value: !Ref TroubleShootingSG
          Export:
            Name: AccountSG
  33. (bullet-list slide; text not captured)
  34. Diagram: Template, Stack
  35. Diagram: DB, App Server, Web Server, Hosted zone, S3, Stack
  36.-39. (bullet-list slides; text not captured)
  40. Diagram: Stack, Stack, Stack, Stack, Stack
  41. Diagram: VPC with Public subnet 1 and Private subnet 1 in Availability zone 1, Public subnet 2 and Private subnet 2 in Availability zone 2; Stack; DB Instance; AP Server Auto Scaling group
  42. Cross-stack reference (Export in the producing stack, Fn::ImportValue in the consuming stack):
      Outputs:
        SecGrpWebID:
          Description: Security Group for Web
          Value: !Ref SecGrpWeb
          Export:
            Name: !Sub ${AWS::StackName}-SecGrpWeb

      Resources:
        BastionSrv:
          Type: "AWS::EC2::Instance"
          Properties:
            ImageId: !Ref OSImage
            InstanceType: t2.micro
            KeyName: !Ref KeyPair
            NetworkInterfaces:
              - DeleteOnTermination: true
                Description: Primary network interface
                DeviceIndex: 0
                SubnetId:
                  Fn::ImportValue: !Sub ${BaseStackName}-PubSub1
                GroupSet:
                  - Fn::ImportValue: !Sub ${SecStackName}-SecGrpWeb
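The pattern on slide 42 only works when the name the consumer builds with !Sub matches, character for character, an export name that some other stack actually produces. The following Python is an added example, not code from the deck or from AWS: it models that matching with constructed templates in CloudFormation's JSON form (a "sec-stack" and "base-stack" that export, an "app-stack" that imports) and reports imports that no stack exports. It handles only the string form of Fn::Sub and a flat export table; the names, stack names and parameter values are all made up for the example.

```python
import re
from typing import Any, Dict, List

# Constructed sample templates (not from the deck). "sec-stack" exports its web
# security group and "base-stack" a public subnet; "app-stack" imports both,
# the way the bastion host on slide 42 does.
SEC_STACK = {"Outputs": {"SecGrpWebID": {
    "Value": {"Ref": "SecGrpWeb"},
    "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-SecGrpWeb"}}}}}
BASE_STACK = {"Outputs": {"PubSub1ID": {
    "Value": {"Ref": "PubSub1"},
    "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-PubSub1"}}}}}
APP_STACK = {
    "Parameters": {"BaseStackName": {"Type": "String"}, "SecStackName": {"Type": "String"}},
    "Resources": {"BastionSrv": {
        "Type": "AWS::EC2::Instance",
        "Properties": {"NetworkInterfaces": [{
            "DeviceIndex": 0,
            "SubnetId": {"Fn::ImportValue": {"Fn::Sub": "${BaseStackName}-PubSub1"}},
            "GroupSet": [{"Fn::ImportValue": {"Fn::Sub": "${SecStackName}-SecGrpWeb"}}],
        }]}}},
}

SUB_VAR = re.compile(r"\$\{([^}]+)\}")

def resolve_sub(value: Any, variables: Dict[str, str]) -> str:
    """Resolve a plain string or {"Fn::Sub": "..."} (string form only) against
    variables. Unknown ${...} stay as written so they surface in the report; a
    name written without the leading '$' is a literal and is never substituted."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        return SUB_VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), value["Fn::Sub"])
    return str(value)

def collect_exports(stacks: Dict[str, dict]) -> Dict[str, str]:
    """Export name -> stack that exports it, resolving ${AWS::StackName}."""
    exports: Dict[str, str] = {}
    for stack_name, template in stacks.items():
        for output in template.get("Outputs", {}).values():
            if "Export" in output:
                name = resolve_sub(output["Export"]["Name"], {"AWS::StackName": stack_name})
                exports[name] = stack_name
    return exports

def collect_imports(node: Any, params: Dict[str, str]) -> List[str]:
    """Every Fn::ImportValue target in a template, resolved with the parameter
    values the consuming stack would be deployed with."""
    found: List[str] = []
    if isinstance(node, dict):
        if "Fn::ImportValue" in node:
            found.append(resolve_sub(node["Fn::ImportValue"], params))
        else:
            for child in node.values():
                found.extend(collect_imports(child, params))
    elif isinstance(node, list):
        for child in node:
            found.extend(collect_imports(child, params))
    return found

def unresolved_imports(stacks: Dict[str, dict], consumer: dict, params: Dict[str, str]) -> List[str]:
    """Import names the consumer needs that no stack in `stacks` exports;
    CloudFormation would fail the consumer's create/update on the first of these."""
    exports = collect_exports(stacks)
    return sorted(name for name in collect_imports(consumer, params) if name not in exports)

if __name__ == "__main__":
    producers = {"sec-stack": SEC_STACK, "base-stack": BASE_STACK}
    print(unresolved_imports(producers, APP_STACK,
                             {"BaseStackName": "base-stack", "SecStackName": "sec-stack"}))  # []
    print(unresolved_imports(producers, APP_STACK,
                             {"BaseStackName": "base-stack", "SecStackName": "security"}))   # ['security-SecGrpWeb']
```

Running the check before deploying the consumer is useful precisely because the parameter values (here the producing stack names) are supplied at deploy time, so a template that is valid on its own can still fail against a particular set of exports; the same check also shows that a Sub string written as `{SecStackName}-SecGrpWeb`, without the `$`, is passed through literally and will never match an export.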
  43. (bullet-list slide; text not captured)
  44. AWS SAM template header:
      AWSTemplateFormatVersion: '2010-09-09'
      Transform: AWS::Serverless-2016-10-31
  45. (bullet-list slide; text not captured)
  46. Defining a macro and using it together with the SAM transform:
      AWSTemplateFormatVersion: "2010-09-09"
      Resources:
        Macro:
          Type: "AWS::CloudFormation::Macro"
          Properties:
            FunctionName: arn:aws:lambda:us-east-1:1234567:function:EchoFunction
            Name: EchoMacro

      AWSTemplateFormatVersion: '2010-09-09'
      Transform: [EchoMacro, 'AWS::Serverless-2016-10-31']
      Resources:
        FancyTable:
          Type: AWS::Serverless::SimpleTable
  47. Diagram: Parameter Store, Template (bullet text not captured)
  48. Dynamic reference to a SecureString parameter in Systems Manager Parameter Store:
      MyIAMUser:
        Type: AWS::IAM::User
        Properties:
          UserName: 'MyUserName'
          LoginProfile:
            Password: '{{resolve:ssm-secure:IAMUserPassword-A:1}}'
  49. SSM parameter type for a template parameter (latest Amazon Linux 2 AMI):
      Parameters:
        LatestAmiId:
          Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
          Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
      Resources:
        Instance:
          Type: 'AWS::EC2::Instance'
          Properties:
            ImageId: !Ref LatestAmiId
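The value of the `{{resolve:ssm-secure:...}}` form on slide 48 is that the secret is fetched at stack-operation time and never sits in the template, the stack parameters or the console; a plain `{{resolve:ssm:...}}` reference to a password would undo that. The following Python is an added example, not code from the deck or from AWS: a small parser for the two Parameter Store dynamic-reference forms, a walker that lists every such reference in a template, and a check that flags sensitive properties filled from plain `ssm`. The template is constructed for the example (the RDS resource and the property names in `SENSITIVE_KEYS` are assumptions, not something the deck shows), and the parser deliberately covers only `ssm` and `ssm-secure`, not the longer Secrets Manager form.

```python
import re
from typing import Any, List, Optional, Tuple

# {{resolve:ssm:name}} or {{resolve:ssm-secure:name:version}}; the version is
# treated as optional here (an assumption of this example).
DYNAMIC_REF = re.compile(r"\{\{resolve:(ssm|ssm-secure):([^:}]+)(?::(\d+))?\}\}")

def parse_dynamic_refs(text: str) -> List[Tuple[str, str, Optional[int]]]:
    """Return (service, parameter name, version or None) for each reference in text."""
    return [(m.group(1), m.group(2), int(m.group(3)) if m.group(3) else None)
            for m in DYNAMIC_REF.finditer(text)]

def find_dynamic_refs(node: Any, path: str = "") -> List[Tuple[str, str, str, Optional[int]]]:
    """Walk a template and return (path, service, name, version) for every
    dynamic reference found in a string value."""
    found: List[Tuple[str, str, str, Optional[int]]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            found.extend(find_dynamic_refs(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_dynamic_refs(value, f"{path}/{index}"))
    elif isinstance(node, str):
        for service, name, version in parse_dynamic_refs(node):
            found.append((path, service, name, version))
    return found

# Property names this example treats as secrets (an assumption, extend as needed).
SENSITIVE_KEYS = {"Password", "MasterUserPassword", "SecretString"}

def insecure_secret_refs(template: dict) -> List[str]:
    """Paths of sensitive properties that are resolved from plain 'ssm', i.e. from a
    parameter that is not a SecureString and so is readable in clear text."""
    return [path for path, service, _, _ in find_dynamic_refs(template)
            if service == "ssm" and path.rsplit("/", 1)[-1] in SENSITIVE_KEYS]

# Constructed template: the IAM user from slide 48 plus an RDS instance whose
# master password comes from an unencrypted String parameter.
TEMPLATE = {"Resources": {
    "MyIAMUser": {"Type": "AWS::IAM::User", "Properties": {
        "UserName": "MyUserName",
        "LoginProfile": {"Password": "{{resolve:ssm-secure:IAMUserPassword-A:1}}"}}},
    "MyDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "MasterUserPassword": "{{resolve:ssm:DbPassword:3}}"}},
}}

if __name__ == "__main__":
    for ref in find_dynamic_refs(TEMPLATE):
        print(ref)
    print(insecure_secret_refs(TEMPLATE))  # ['/Resources/MyDB/Properties/MasterUserPassword']
```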
  50. Diagram: Template (bullet text not captured)
  51. AWS CDK (JavaScript) defining a stack with a versioned S3 bucket:
      const cdk = require('@aws-cdk/cdk');
      const s3 = require('@aws-cdk/aws-s3');

      class MyStack extends cdk.Stack {
        constructor(parent, id, props) {
          super(parent, id, props);
          new s3.Bucket(this, 'MyFirstBucket', { versioned: true });
        }
      }
  52.-53. (bullet-list slides; text not captured)
  54. Drift detection: with the managed rule of [subject not captured], drift can be detected as soon as a difference occurs. Drift is not checked for properties that are not written in the template. (Diagram: Template, Stack)
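The second point on slide 54 is the one that matters operationally: drift detection compares only the properties the template declares, so a setting added to a resource by hand is invisible to it. The following Python is an added example, not code from the deck or from AWS, and not a model of the service's exact algorithm: it walks the declared properties of one resource against a constructed live configuration, reports every declared value that differs, and by construction never looks at keys that exist only on the live side. The resource, property names and values are made up for the example.

```python
from typing import Any, List, Optional, Tuple

Diff = Tuple[str, Any, Any]   # (property path, value declared in template, live value)

def drift_diff(expected: Any, actual: Any, path: str = "") -> List[Diff]:
    """Compare what the template declares with the live configuration.
    Only keys present in the template are visited, so a property that was added
    to the resource outside CloudFormation never shows up (the limitation on slide 54)."""
    if isinstance(expected, dict) and isinstance(actual, dict):
        diffs: List[Diff] = []
        for key, exp in expected.items():
            diffs.extend(drift_diff(exp, actual.get(key), f"{path}/{key}"))
        return diffs
    if isinstance(expected, list) and isinstance(actual, list) and len(expected) == len(actual):
        diffs = []
        for index, (exp, act) in enumerate(zip(expected, actual)):
            diffs.extend(drift_diff(exp, act, f"{path}/{index}"))
        return diffs
    # Scalars, or lists whose length changed: report the whole value.
    return [] if expected == actual else [(path or "/", expected, actual)]

def resource_drift(template_props: dict, live_props: Optional[dict]) -> Tuple[str, List[Diff]]:
    """Per-resource verdict: DELETED when the live resource is gone, MODIFIED when any
    declared property differs, IN_SYNC otherwise."""
    if live_props is None:
        return "DELETED", []
    diffs = drift_diff(template_props, live_props)
    return ("MODIFIED" if diffs else "IN_SYNC"), diffs

# Constructed sample (not from the deck): what the template declares for one EC2
# instance and what the live resource currently looks like.
TEMPLATE_PROPS = {
    "InstanceType": "t2.micro",
    "KeyName": "my-key",
    "SecurityGroupIds": ["sg-11111111"],
    "Tags": [{"Key": "Env", "Value": "prod"}],
}
LIVE_PROPS = {
    "InstanceType": "t2.small",                          # changed by hand: drift
    "KeyName": "my-key",
    "SecurityGroupIds": ["sg-11111111", "sg-22222222"],  # extra group attached: drift
    "Tags": [{"Key": "Env", "Value": "prod"}],
    "Monitoring": True,                                  # not declared in template: ignored
}

if __name__ == "__main__":
    status, diffs = resource_drift(TEMPLATE_PROPS, LIVE_PROPS)
    print(status)                                        # MODIFIED
    for path, declared, live in diffs:
        print(f"{path}: template={declared!r} live={live!r}")
```

The blind spot is visible in the output: `Monitoring` was switched on outside the stack and is never reported, because nothing in the template asks for it. Declaring security-relevant properties explicitly in the template (security groups, public IP assignment, encryption settings) is what puts them inside the scope of a drift check.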
  55. (bullet-list slide; text not captured)
  56. Diagram: one Template deployed through a StackSet as Stack 1, Stack 2, Stack 3 in AWS Region A and Stack 1, Stack 2, Stack 3 in AWS Region B
  57.-59. (bullet-list slides; text not captured)
  60. Diagram: Template; DB Instance, Instance, Instance
  61. Stack policy that denies every update to RDS instances and allows updates to everything else:
      {
        "Statement": [
          {
            "Effect": "Deny",
            "Action": "Update:*",
            "Principal": "*",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "ResourceType": ["AWS::RDS::DBInstance"]
              }
            }
          },
          {
            "Effect": "Allow",
            "Action": "Update:*",
            "Principal": "*",
            "Resource": "*"
          }
        ]
      }
  62. DeletionPolicy: Retain keeps the bucket when the stack is deleted:
      AWSTemplateFormatVersion: '2010-09-09'
      Resources:
        myS3Bucket:
          Type: AWS::S3::Bucket
          DeletionPolicy: Retain
  63. IAM policy statements: CreateStack is allowed, but denied when the template contains any AWS::IAM::* resource (condition key cloudformation:ResourceTypes):
      {
        "Effect": "Allow",
        "Action": ["cloudformation:CreateStack"]
      },
      {
        "Effect": "Deny",
        "Action": ["cloudformation:CreateStack"],
        "Condition": {
          "ForAnyValue:StringLike": {
            "cloudformation:ResourceTypes": ["AWS::IAM::*"]
          }
        }
      }
  64.-65. (bullet-list slides; text not captured)
  66. Cross Stack Reference
  67. IAM (bullet-list slide; text not captured)
  68. (bullet-list slide; text not captured)
  69. Diagram: VPC with Public subnet 1 and Private subnet 1 in Availability zone 1, Public subnet 2 and Private subnet 2 in Availability zone 2; Stack; DB Instance; AP Server; Role; Auto Scaling group; Role
  70.-77. (bullet-list slides; text not captured)
  78. Demo command sequence (validate the template, create the Route 53 stack, create the EIP stack that references it, then show its status):
      ./cfn-validate.sh yaml-eip.yaml
      ./cfn-update.sh create yaml-stack-r53 yaml-r53.yaml
      ./cfn-update.sh create yaml-stack-eip yaml-eip.yaml R53StackName=yaml-stack-r53
      ./cfn-status.sh yaml-stack-eip -v
  79.-81. (slides with no captured text)
  82. Diagram: AWS CloudFormation, AWS CloudFormation
  83. (bullet-list slide; text not captured)
  84. IAM policy for the operator: stacks may only be created or updated from templates under one S3 location, and only the CloudFormation service role may be passed (diagram: AWS CloudFormation, S3, AWS CloudFormation):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "CloudFormationResourceManagementPolicy",
            "Effect": "Allow",
            "Action": [
              "cloudformation:CreateStack",
              "cloudformation:UpdateStack"
            ],
            "Resource": "*",
            "Condition": {
              "StringLike": {
                "cloudformation:TemplateUrl": "https://<S3 endpoint>.amazonaws.com/<bucket>/*"
              }
            }
          },
          {
            "Sid": "PermissionDelegation",
            "Effect": "Allow",
            "Action": [
              "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::xxxxxxxxxxxx:role/CloudFormationServiceRole"
          }
        ]
      }
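The stack policy on slide 61 and the IAM policies on slides 63 and 84 all rely on the same evaluation rules: an explicit Deny wins over any Allow, a statement applies only when its Condition holds, and set operators such as ForAnyValue decide how a multi-valued request key is compared. The following Python is an added example, not code from the deck or from AWS: a deliberately small evaluator that models those rules well enough to check each of the three policies against sample requests. It assumes the IAM condition key is spelled `cloudformation:ResourceTypes` (its name in the IAM condition key reference), substitutes a constructed bucket URL for the slide's `<S3 endpoint>` and `<bucket>` placeholders, and ignores Resource and Principal matching, which the real service does enforce.

```python
import re
from typing import Any, Dict

def wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one;
    everything else, including ':' and '/', is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def condition_holds(condition: Dict[str, Any], context: Dict[str, Any]) -> bool:
    """Evaluate a Condition block. Supports StringEquals and StringLike, plain or with
    the ForAnyValue:/ForAllValues: set operators. Context values may be a string or,
    for multi-valued keys such as cloudformation:ResourceTypes, a list of strings."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")   # "ForAnyValue:StringLike" -> "ForAnyValue", "StringLike"
        like = base == "StringLike"
        for key, patterns in pairs.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            values = context.get(key, [])
            values = values if isinstance(values, list) else [values]
            hits = [any(wildcard_match(p, v) if like else p == v for p in patterns) for v in values]
            if set_op == "ForAnyValue":
                ok = any(hits)                       # at least one request value matches
            elif set_op == "ForAllValues":
                ok = all(hits)                       # vacuously true when the key is absent
            else:
                ok = len(values) == 1 and hits[0]    # single-valued key must be present and match
            if not ok:
                return False
    return True

def evaluate(policy: Dict[str, Any], action: str, context: Dict[str, Any]) -> str:
    """Deny overrides Allow; nothing matching is an implicit deny. Resource and Principal
    are not compared here (simplification; the service does enforce them)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(wildcard_match(a, action) for a in actions):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Slide 61: stack policy that blocks every update to RDS instances but allows the rest.
STACK_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*", "Resource": "*",
     "Condition": {"StringEquals": {"ResourceType": ["AWS::RDS::DBInstance"]}}},
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
]}

# Slide 63: CreateStack is allowed unless the template declares any IAM resource.
IAM_CREATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:CreateStack"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudformation:CreateStack"], "Resource": "*",
     "Condition": {"ForAnyValue:StringLike": {"cloudformation:ResourceTypes": ["AWS::IAM::*"]}}},
]}

# Slide 84: stacks may only be created/updated from templates in one bucket, and only
# one service role may be passed. The bucket URL is a constructed stand-in for the
# slide's <S3 endpoint>/<bucket> placeholders.
TEMPLATE_URL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudFormationResourceManagementPolicy", "Effect": "Allow",
     "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"], "Resource": "*",
     "Condition": {"StringLike": {"cloudformation:TemplateUrl":
                   "https://s3.ap-northeast-1.amazonaws.com/example-template-bucket/*"}}},
    {"Sid": "PermissionDelegation", "Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::xxxxxxxxxxxx:role/CloudFormationServiceRole"},
]}

if __name__ == "__main__":
    print(evaluate(STACK_POLICY, "Update:Replace", {"ResourceType": "AWS::RDS::DBInstance"}))  # Deny
    print(evaluate(IAM_CREATE_POLICY, "cloudformation:CreateStack",
                   {"cloudformation:ResourceTypes": ["AWS::EC2::Instance", "AWS::IAM::Role"]}))  # Deny
    print(evaluate(TEMPLATE_URL_POLICY, "cloudformation:CreateStack",
                   {"cloudformation:TemplateUrl": "https://s3.ap-northeast-1.amazonaws.com/other-bucket/x.yaml"}))  # ImplicitDeny
```

Two details worth noticing when reading the three policies together: the Deny on slide 63 uses `ForAnyValue` because a single IAM resource anywhere in the template should be enough to refuse the request, and the slide 84 Allow has no matching Deny at all, so a template fetched from any other location falls through to the implicit deny rather than to an explicit one.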
  85.-89. (bullet-list slides; text not captured)
