Developers live by their tools. In this chalk talk, we build an AWS CloudFormation template authoring environment by reviewing various IDEs, validation plugins, source control, and testing tools in order to improve your productivity.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Assembling an AWS CloudFormation
Authoring Tool Chain
D E V 3 6 8
Ryan Lohan
Software Dev Engineer
AWS CloudFormation
Chuck Meyer
Sr. Dev Advocate
AWS CloudFormation
Olivier Munn
Sr. Prod Manager
AWS CloudFormation

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Setting up your IDE (VS Code)
Code completion
Validation (IDE/pre-commit)
Testing

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudFormation at a glance
Code in YAML or
JSON directly or use
sample templates
Upload local files
or from an Amazon
S3 bucket
Create stack
using console,
API or CLI
Stacks and
resources are
provisioned
Enables provisioning and management of your
infrastructure as code

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The challenge
If this is ”infrastructure as code” why are we still testing by continually
deploying and fixing failures?
Our goal: Catch errors early to reduce authoring time.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How you validate a template
aws cloudformation validate-template
Note
The aws cloudformation validate-template command is designed to
check only the syntax of your template. It does not ensure that the
property values that you have specified for a resource are valid for that
resource. Nor does it determine the number of resources that will exist
when the stack is created.
(https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-validate-template.html)

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
But, we are living in a golden age of tools!
• cfn-lint
• Validate AWS CloudFormation yaml/json templates against the AWS CloudFormation spec
and additional checks
• cfn_nag
• Look for patterns in AWS CloudFormation templates that may indicate insecure
infrastructure.
• Taskcat
• Catch problems that aren’t obvious in a single template/stack
• Cloud Development Kit
• Define cloud infrastructure in code and provision it through AWS CloudFormation
• DSLs
• Troposphere/SparkleFormation/GoFormation

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Code completion
• JSON Schema for AWS CloudFormation templates
• Code complete and IntelliSense
• In-place documentation links
• IDE integration (VSCode, PyCharm, etc.)
• Works for JSON and YAML templates

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Code completion

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Validation
• Validate syntax: cfn-lint
• Validate governance/business logic: cfn_nag
• IDE integration (cfn-lint)
• Pre-commit hook

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cfn-lint

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cfn-lint
https://github.com/awslabs/cfn-python-lint
pip install cfn-lint
cfn-lint –t simple-vpc.yaml
GitHub
306 Stars
290 PRs merged
153 Issues closed
61 Forks
Current release: v.0.9.1
Pypi
6,905 installs this week
23,232 installs this month
55,871 installs since release

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cfn-nag
• Validate governance/business logic: cfn_nag
• IAM rules that are too permissive (wildcards)
• Security group rules that are too permissive (wildcards)
• Access logs that aren't enabled
• Encryption that isn't enabled

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Testing – Taskcat
• Catch problems that aren’t obvious in a single template/stack
• TaskCat tests your templates by creating a stack in multiple AWS
Regions simultaneously
• Generates a report with a pass/fail grade for each region
https://docs.aws.amazon.com/quickstart/latest/cicd-taskcat

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Taskcat results
·[0;37;44m[taskcat]·[0m |GENERATING REPORTS·[1;41;0m
·[0;30;43m[INFO ]·[0m :Creating report in [taskcat_outputs]
·[0;30;43m[INFO ]·[0m :Collecting CloudFormation Logs
·[0;30;43m[INFO ]·[0m :Collecting logs for tCaT-tag-vpc-test-889778e5"
|StackName: tCaT-tag-vpc-test-889778e5
|Region: us-east-2
|Logging to: taskcat_outputs/tCaT-tag-vpc-test-889778e5-us-east-2-cfnlogs.txt
|Tested on: Wednesday, 31. October 2018 02:45PM
--------------------------------------------------------------------------------------
ResourceStatusReason:
Stack launch was successful

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Higher level languages
• Cloud Development Kit
• Author in TypeScript
• L2 constructs
• Simplify definitions using
abstractions
• Domain specific languages
• Write in a familiar language
• Troposphere (Python)
• SparkleFormation (Ruby)
• GOFormation (Golang)
• …
• Maps closely to AWS CloudFormation

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CDK (Cloud Development Kit) in dev preview
CDK application
Stack(s)
Construct(s)
CDK
CLI
AWS CloudFormation
Templates“compiler”
“assembly
language”
“processor”

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CDK

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tools we mentioned
cfn-lint https://git.io/vhGFK
cfn_nag https://git.io/fpe1K
taskcat https://git.io/fpe1X
CDK https://git.io/fpcjh

24. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.