© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudFormation techniques from the Dutch trenches
Martijn van Dongen
Chief AWS Technology / AWS APN Ambassador
Binx.io (proudly part of Xebia)
DVC07
Agenda
CloudFormation Custom Resources
Cfn-lint Custom Rules
Taskcat
Build
import boto3
import cfnresponse

def lambda_handler(event, context):
    # Create and Update both (re)apply the tags; Delete only acknowledges and leaves the role's tags in place
    if event['RequestType'] == 'Create' or event['RequestType'] == 'Update':
        client = boto3.client('iam')
        response = client.tag_role(
            RoleName=event['ResourceProperties']['RoleName'],
            Tags=event['ResourceProperties']['Tags']
        )
        cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, "NA")
    elif event['RequestType'] == 'Delete':
        cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
Add
IAMTaggingFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: lambda.lambda_handler
    Timeout: 30
    Role: !GetAtt 'IAMTaggingFunctionRole.Arn'
    Runtime: python3.7
    CodeUri: ./build/iamtagging.zip
IAMTaggingFunctionRole:
  Type: AWS::IAM::Role
  ...
Package
$ tree
├── build
├── src
│   └── iamtagging
│       ├── cfnresponse.py
│       ├── lambda.py
│       └── requirements.txt
$ docker run \
    -v $(pwd)/src:/src \
    -v $(pwd)/build:/build \
    binxio/python-lambda-packager:3.7
Use
TeamRoleTags:
  Type: Custom::IAMTagging
  Properties:
    ServiceToken:
      !GetAtt IAMTaggingFunction.Arn
    RoleName: !Ref TeamRedRole
    Tags:
      - Key: Project
        Value: Alexa
      - Key: CostCenter
        Value: 382
Deploy
$ aws cloudformation package \
    --template-file template.yml \
    --s3-bucket mys3bucket \
    --output-template-file packaged.yml
...
$ aws cloudformation deploy \
    --template-file packaged.yml \
    --capabilities CAPABILITY_IAM \
    --stack-name iamtag
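The whole custom resource flow above, from the Lambda handler to the tags CloudFormation passes in, as an added example that is not the deck's code: it re-implements the 'Build' handler so it runs offline with the IAM client injected, and builds by hand the response document that cfnresponse.send() PUTs back to CloudFormation, including the FAILED path the slide omits. FakeIamClient, sample_event, build_response, the ARNs and the request id are constructed for this example.

```python
import json

SUCCESS = "SUCCESS"
FAILED = "FAILED"


def build_response(event, status, data=None, physical_id=None, reason=""):
    """Build the JSON document that cfnresponse.send() PUTs to the pre-signed
    S3 URL in event['ResponseURL']; the keys are the custom resource response contract."""
    return {
        "Status": status,
        "Reason": reason or "See the CloudWatch log stream for details",
        "PhysicalResourceId": physical_id or event.get("PhysicalResourceId", "NA"),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def handle(event, iam_client):
    """Dispatch on RequestType like the deck's handler, but always answer
    CloudFormation, also on error: a handler that raises without responding
    leaves the stack waiting until the custom resource times out."""
    props = event.get("ResourceProperties", {})
    try:
        if event["RequestType"] in ("Create", "Update"):
            iam_client.tag_role(RoleName=props["RoleName"], Tags=props["Tags"])
            return build_response(event, SUCCESS, physical_id="NA")
        if event["RequestType"] == "Delete":
            # The deck's handler does not untag on delete; mirror that and just acknowledge.
            return build_response(event, SUCCESS, physical_id="NA")
        return build_response(event, FAILED, reason="unknown RequestType " + str(event["RequestType"]))
    except Exception as exc:  # KeyError on a missing property, API errors, ...
        return build_response(event, FAILED, reason=str(exc))


class FakeIamClient:
    """Constructed stand-in for boto3.client('iam'): records tag_role calls and
    rejects an empty RoleName, as the real API would with a validation error."""

    def __init__(self):
        self.calls = []

    def tag_role(self, RoleName, Tags):
        if not RoleName:
            raise ValueError("RoleName must not be empty")
        self.calls.append((RoleName, list(Tags)))


def sample_event(request_type, role_name="TeamRedRole"):
    """Constructed custom resource request, shaped like the one CloudFormation
    sends to the ServiceToken Lambda for the TeamRoleTags resource."""
    return {
        "RequestType": request_type,
        "ResponseURL": "https://example.invalid/presigned-response-url",
        "StackId": "arn:aws:cloudformation:eu-west-1:123456789012:stack/iamtag/EXAMPLE-ID",
        "RequestId": "example-request-id",
        "ResourceType": "Custom::IAMTagging",
        "LogicalResourceId": "TeamRoleTags",
        "ResourceProperties": {
            "ServiceToken": "arn:aws:lambda:eu-west-1:123456789012:function:IAMTaggingFunction",
            "RoleName": role_name,
            # CloudFormation hands custom resource property values over as strings
            "Tags": [{"Key": "Project", "Value": "Alexa"},
                     {"Key": "CostCenter", "Value": "382"}],
        },
    }


if __name__ == "__main__":
    iam = FakeIamClient()
    print(json.dumps(handle(sample_event("Create"), iam), indent=2))
    print(json.dumps(handle(sample_event("Create", role_name=""), iam), indent=2))
```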
To Production
TeamRoleTags:
  Type: AWS::IAM::Tags
  Properties:
    ServiceToken:
      !GetAtt IAMTaggingFunction.Arn
    RoleName: !Ref TeamRedRole
    Tags:
      - Key: Project
        Value: Alexa
      - Key: CostCenter
        Value: 0382
Example Extension: Secret Provider
DBPassword:
  Type: Custom::Secret
  Properties:
    Name: /demo/PGPASSWORD
    KeyAlias: alias/aws/ssm
    Alphabet: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
    Length: 30
    ReturnSecret: true
    ServiceToken:
      !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:secret-provider'
https://github.com/binxio/cfn-secret-provider
Developer Workflow (diagram): template developers, stacks in eu-west-1 and eu-west-3, bucket, Ops, CI/CD
Custom Rule
from typing import List
from cfnlint import CloudFormationLintRule
from cfnlint import RuleMatch, Template

class S3BucketsNotEncrypted(CloudFormationLintRule):
    """Check if S3 Bucket is not encrypted"""
    id = 'E9S3BucketEncryption'
    shortdesc = 'S3 Buckets must always be encrypted'
    description = 'S3 Buckets should always have BucketEncryption'

    def match(self, cfn: Template) -> List[RuleMatch]:
        ...  # your custom rule here
Custom Rule
    def match(self, cfn: Template) -> List[RuleMatch]:
        matches: List[RuleMatch] = []
        recordsets = cfn.get_resources(['AWS::S3::Bucket'])
        for name, recordset in recordsets.items():
            path = ['Resources', name, 'Properties']
            full_path = '/'.join(str(x) for x in path)
            if isinstance(recordset, dict):
                # A bucket with no Properties block at all must also be flagged,
                # so default to {} instead of letting .get() hand back None
                props = recordset.get('Properties') or {}
                if 'BucketEncryption' not in props:
                    message = "Property BucketEncryption not set in {0}"
                    matches.append(RuleMatch(path, message.format(full_path)))
        return matches
Custom Rule
$ cfn-lint -a ../cfn-compliancy-check/rules/s3 -t badtemplate.yml
E9S3BucketEncryption Property BucketEncryption not set in Resources/S3Bucket/Properties
badtemplate.yml:4:5
E3012 Property Resources/S3Bucket/Properties/BucketName should be of type String
badtemplate.yml:5:7
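The logic of the S3BucketsNotEncrypted rule as an added example, not code from the deck or from cfn-lint: it walks a plain template dict with only the standard library (no cfn-lint install needed), and also handles two cases the slide's match() does not, a bucket without any Properties block and a BucketEncryption block that names no SSE algorithm. find_unencrypted_buckets and BAD_TEMPLATE are constructed for this example; in a real rule each (path, message) pair becomes a RuleMatch.

```python
import json

# SSEAlgorithm values CloudFormation accepts in ServerSideEncryptionByDefault
ALLOWED_SSE = {"AES256", "aws:kms"}


def find_unencrypted_buckets(template):
    """Return (path, message) pairs, mirroring RuleMatch(path, message)."""
    matches = []
    for name, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::S3::Bucket":
            continue
        path = ["Resources", name, "Properties"]
        full_path = "/".join(path)
        # 'or {}' covers both a missing Properties key and 'Properties:' left empty
        props = resource.get("Properties") or {}
        enc = props.get("BucketEncryption")
        if not isinstance(enc, dict):
            matches.append((path, "Property BucketEncryption not set in %s" % full_path))
            continue
        # BucketEncryption present: it still has to declare a default algorithm
        algorithms = set()
        for rule in enc.get("ServerSideEncryptionConfiguration") or []:
            default = rule.get("ServerSideEncryptionByDefault", {}) if isinstance(rule, dict) else {}
            algorithms.add(default.get("SSEAlgorithm"))
        if not algorithms & ALLOWED_SSE:
            matches.append((path + ["BucketEncryption"],
                            "BucketEncryption in %s declares no SSEAlgorithm (AES256 or aws:kms)" % full_path))
    return matches


def format_report(rule_id, matches):
    """Render matches in the one-line-per-finding style cfn-lint prints."""
    return ["%s %s" % (rule_id, message) for _, message in matches]


# Constructed template in CloudFormation's JSON form, covering the good and bad cases.
BAD_TEMPLATE = json.loads("""{
  "Resources": {
    "NoProps": {"Type": "AWS::S3::Bucket"},
    "NoEncryption": {"Type": "AWS::S3::Bucket",
                     "Properties": {"BucketName": "demo-unencrypted"}},
    "EmptyEncryption": {"Type": "AWS::S3::Bucket",
                        "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": []}}},
    "Good": {"Type": "AWS::S3::Bucket",
             "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
               {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                  "KMSMasterKeyID": "alias/aws/s3"}}]}}},
    "NotABucket": {"Type": "AWS::IAM::Role", "Properties": {}}
  }
}""")


if __name__ == "__main__":
    for line in format_report("E9S3BucketEncryption", find_unencrypted_buckets(BAD_TEMPLATE)):
        print(line)
```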
Taskcat
$ cat ci/config.yml
global:
  owner: martijn@binx.io
  qsname: dcv07
  regions:
    - eu-west-1
    - eu-west-3
tests:
  scenario-1:
    template_file: stack.yml
    parameter_input: parameters.json
$ taskcat -c ci/config.yml
... Deploying and generating reports ...
Developer Workflow (diagram): template developers, stacks in eu-west-1 and eu-west-3, bucket, cfn-lint, DevOps, IAM policies / cloud-custodian
My goals for 2019…
A set of 100+ custom cfn-lint rules, to achieve significant compliance coverage across many AWS services.
Every service or feature supported in CloudFormation within 24h after launch.
… and I need your help!
Thank you!
Martijn van Dongen
martijn@binx.io
