We are used to working with Infra-as-Code tools, but do we fully understand what they capable of? What we should and, not to forget, should NOT use? In this session, I will go through 3 same yet so different AWS' tools, explaining their features, well known and not-so-well-known. How do you do unit testing for CDK in Python? What are Globals in SAM? Is it possible to disable rollbacks in CloudFormation? What happens if you delete the CFN Service role? In this session, I will answer these and other questions!

1. Can they really do that???
October 27, 2020
CFN, SAM and CDK tips and tricks

2. © 2020 EPAM Systems, Inc.
Agenda
1 C L O U D F O R M A T I O N
2
3
S A M
C D K
2
4 Q & A

3. © 2020 EPAM Systems, Inc.
CLOUDFORMATION
3

4. © 2020 EPAM Systems, Inc.
CFN SERVICE ROLES
4

5. © 2020 EPAM Systems, Inc.
1. CloudFormation Service Roles
5
• Using your own credentials for Stack operations is insecure
• Service roles allow CloudFormation to only have certain privileges to manage resources
• Roles are assigned to the stack.
• Keep the service roles secure!

6. © 2020 EPAM Systems, Inc.
CFN STACK POLICY
6

7. © 2020 EPAM Systems, Inc.
2. CloudFormation Stack Policy
7
• Is similar to Service Role, but affects only resources created with the stack
• Is mutable
• Use Logical Ids as “Resource” field.

8. © 2020 EPAM Systems, Inc.
2. CloudFormation Stack Policy examples
8

9. © 2020 EPAM Systems, Inc.
CFN CONDITIONS
9

10. © 2020 EPAM Systems, Inc.
3. CloudFormation Conditions
10
• Make templates universal defining if resources are needed or not
• Or a certain resource property is different depending on a condition

11. © 2020 EPAM Systems, Inc.
CFN AWS-SPECIFIC
PARAMETERS
11

12. © 2020 EPAM Systems, Inc.
4. CloudFormation AWS-Specific parameters
12
• Not just a String, but SubnetId, AMI,
KeyPair Name, etc.
• Additional validation, checking if the
resource supplied in parameter exists.

13. © 2020 EPAM Systems, Inc.
CFN STACKSETS IN
ORGANIZATIONS
13

14. © 2020 EPAM Systems, Inc.
5. CloudFormation StackSets in Organizations
14
• You can deploy Stack Instances not to just a list of accounts, but whole Org. Unit
• Handy when you have projects as OUs and environments as separate accounts in OU
• Or you need to centrally manage all the Accounts in the Organization

15. © 2020 EPAM Systems, Inc.
5. CloudFormation StackSets in Organizations
15

16. © 2020 EPAM Systems, Inc.
CFN HELPER SCRIPTS
16

17. © 2020 EPAM Systems, Inc.
6. CloudFormation Helper scripts
17
You can use helper scripts to:
• Manage your EC2 resources from the template declaration
• Use daemons for continuous updates
• Let CloudFormation know that configuration is finished (or failed)
Helper scripts don’t need IAM permissions (to talk to CloudFormation)!

18. © 2020 EPAM Systems, Inc.
6. CloudFormation Helper scripts
18

19. © 2020 EPAM Systems, Inc.
CFN INCLUDE MACRO
19

20. © 2020 EPAM Systems, Inc.
7. CloudFormation Include Macro
20
• Use it for the boilerplate code!
• Include template must be stored on S3
• It is possible to pass template parameters to the included template
• It is possible to use the returned values from the included template
• If you do something wrong, you will get validation error

21. © 2020 EPAM Systems, Inc.
7. CloudFormation Include Macro
21

22. © 2020 EPAM Systems, Inc.
CFN DISABLE ROLLBACK
22

23. © 2020 EPAM Systems, Inc.
8. CloudFormation Disable Rollback
23
• We all love CFN’s self-healing ability
• But sometimes we want to ignore it for the sake of performance
• Helpful when you develop and debug the template
• With Rollbacks disable the stack will remain in ”CREATE_FAILED” state until it receives
another stack operation

24. © 2020 EPAM Systems, Inc.
8. CloudFormation Disable Rollback
24

25. © 2020 EPAM Systems, Inc.
SAM
25

26. © 2020 EPAM Systems, Inc.
SAM GLOBALS
26

27. © 2020 EPAM Systems, Inc.
9. SAM Globals
27
• Define one property for all resources in the
template
• Can still be overridden

28. © 2020 EPAM Systems, Inc.
SAM WITH CFN
RESOURCE TYPES
28

29. © 2020 EPAM Systems, Inc.
10. SAM template with CloudFormation resource types
29

30. © 2020 EPAM Systems, Inc.
CDK
30

31. © 2020 EPAM Systems, Inc.
CDK ASSETS
31

32. © 2020 EPAM Systems, Inc.
11. CDK Assets
32
• Bundle your source code in your infrastructure code!
• Docker containers for ECS, deployment packages for Lambda

33. © 2020 EPAM Systems, Inc.
CDK MULTI-STACK
33

34. © 2020 EPAM Systems, Inc.
12. CDK Multi-Stack
34

35. © 2020 EPAM Systems, Inc.
CDK TESTING
35

36. © 2020 EPAM Systems, Inc.
13. CDK Testing
36

37. © 2020 EPAM Systems, Inc.
13. CDK Testing
37

38. © 2020 EPAM Systems, Inc.
THANK YOU!
38

39. © 2020 EPAM Systems, Inc.
Q&A?
39