AWS CloudFormation Best Practices at 99designs

Posted on 20-Jun-2015

Category: Engineering

DESCRIPTION

How we use AWS CloudFormation at 99designs

TRANSCRIPT

1. CloudFormation at 99designs
@lox / @99designs

2. How we use CFN
Each product team has their own formations in their product git repository.
Some teams use it to provision Docker environments, some use it to provision complete production servers.
Increasingly, more teams are using it to provision all of the AWS resources that make up a web stack, and document that process in an OPS readme.
Infrastructure as code: versioned templates side-by-side with code.

3. Principles
Build a hierarchy of loosely-coupled stacks.
Group resources that are strongly coupled.
Template inputs for things that are dependencies (databases, AMIs, external ELBs, Route53 zones).
Template outputs should make up inputs to other stacks.
Design based around things that change at the same time, e.g. split ELBs and auto-scaling app server groups.

4. Principles
Keep it simple.
Automate the building of pieces that can be assembled by humans.
Invest the most automation in parts of the system that change the most frequently.
JSON is hard to read, keep templates short.

5. Layers on Layers
Lots of tools for managing, transforming and generating CFN templates:
https://github.com/cloudtools/troposphere
https://github.com/cotdsa/cumulus
At present we don't use any of these, but might in future.

6. Best Practice: Use WaitHandle, WaitCondition and DependsOn
WaitHandles wait for resources to finish provisioning.
Enforce ordering with DependsOn.
Errors in UserData should signal the WaitHandle immediately. Failing fast means quicker iterating on templates.

    "WaitHandle" : {
      "Type" : "AWS::CloudFormation::WaitConditionHandle"
    },
    "WaitCondition" : {
      "Type" : "AWS::CloudFormation::WaitCondition",
      "DependsOn" : "AppServers",
      "Properties" : {
        "Handle" : { "Ref" : "WaitHandle" },
        "Timeout" : "300",
        "Count" : { "Ref" : "NumberOfAppServers" }
      }
    }

The UserData fragment that signals the handle (the exit status of the preceding step is passed via -e):

    "# signal to the waithandle\n",
    "cfn-signal -e $? -r \"Setup complete\" '", { "Ref" : "WaitHandle" }, "'\n"

7. Best Practice: Use aws-cfn-bootstrap to keep userdata short
UserData is the hardest part to read, so keep it short.
A single call to cfn-init means consolidated error handling.
Configure resources declaratively via Metadata.

    "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
      "#!/bin/bash -x\n",
      "exec &>/home/ubuntu/boot.log\n",
      "tail -F /var/log/cfn-init.log &\n",
      "# install cfn-bootstrap\n",
      "apt-get -y install python-setuptools\n",
      "easy_install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz\n",
      "cfn-init -v ",
      " --region ", { "Ref" : "AWS::Region" },
      " --resource LaunchConfig",
      " --stack ", { "Ref" : "AWS::StackName" }, "\n",
      "# signal to the waithandle\n",
      "cfn-signal -e $? -r \"Setup complete\" '", { "Ref" : "WaitHandle" }, "'\n"
    ]]}}

8. Best Practice: Use AWS metadata for init and authentication
Download private setup files from S3.
Install packages via yum/apt.
Execute ad-hoc commands.
Keeps error handling to a minimum, DRY code.

    "LaunchConfig" : {
      "Type" : "AWS::AutoScaling::LaunchConfiguration",
      "Metadata" : {
        "AWS::CloudFormation::Authentication" : {
          "S3AccessCreds" : {
            "type" : "S3",
            "roleName" : { "Ref" : "IAMRole" },
            "buckets" : [ "my-secrets" ]
          }
        },
        "AWS::CloudFormation::Init" : {
          "config" : {
            "sources" : {
              "/root/provision" : { "Fn::Join" : ["", [
                "https://s3.amazonaws.com/my-secrets/", { "Ref" : "ScriptsTarball" }
              ]]}
            }
          }
        }
      }
    }

9. Best Practice: Security groups for shared access, instance roles for everything else
For inter-template security groups, use named security groups.
Using instance roles provides token-based credentials to the instance, compatible with aws cli tools.
Avoid leaking credentials via templates.

    "Parameters" : {
      "RDSAccessSecurityGroup" : {
        "Description" : "Security group to connect to RDS via",
        "Type" : "String",
        "Default" : "rds-access"
      },
      "BeanstalkdAccessSecurityGroup" : {
        "Description" : "Security group to connect to beanstalkd via",
        "Type" : "String",
        "Default" : "beanstalkd-access"
      },
      "RedisAccessSecurityGroup" : {
        "Description" : "Security group to connect to elasticache/redis",
        "Type" : "String",
        "Default" : "redis-access"
      }
    }

10. Best Practice: Bootstrap instances from scripts in private S3 buckets
Rather than checking out a git repo, when you create a stack, link it to a tarball of scripts.
Easy to iterate, consistent instance launches for future auto-scale events.

    "LaunchConfig" : {
      "Type" : "AWS::AutoScaling::LaunchConfiguration",
      "Metadata" : {
        "AWS::CloudFormation::Authentication" : {
          "S3AccessCreds" : {
            "type" : "S3",
            "roleName" : { "Ref" : "IAMRole" },
            "buckets" : [ "secret-stuff" ]
          }
        },
        "AWS::CloudFormation::Init" : {
          "config" : {
            "sources" : {
              "/root/provision" : { "Fn::Join" : ["", [
                "https://s3.amazonaws.com/secret-stuff/", { "Ref" : "ProvisionSlug" }
              ]]}
            }
          }
        }
      }
    }

11. Best Practice: Automate monitoring
CloudWatch is great, use it.
Automate alarms, don't leave them as an afterthought.
Good clouds are ones with monitoring!

    "SNSTopic" : {
      "Type" : "AWS::SNS::Topic",
      "Properties" : {
        "Subscription" : [{
          "Endpoint" : { "Ref" : "AlertEmailAddress" },
          "Protocol" : "email"
        }]
      }
    },
    "CPUAlarmDB" : {
      "Type" : "AWS::CloudWatch::Alarm",
      "Properties" : {
        "AlarmDescription" : { "Fn::Join" : ["", [{ "Ref" : "RDSInstance" }, " DB CPU Utilization"]]},
        "MetricName" : "CPUUtilization",
        ...
        "AlarmActions" : [ { "Ref" : "SNSTopic" } ],
        "Dimensions" : [{ "Name" : "DBInstanceIdentifier", "Value" : { "Ref" : "RDSInstance" } }],
        "ComparisonOperator" : "GreaterThanOrEqualToThreshold"
      }
    },

12. Best Practice: NoEcho property for passwords
Prevent information leak for sensitive parameters.

    "DockerPassword" : {
      "NoEcho" : "true",
      "Description" : "Docker index password",
      "Type" : "String",
      "MinLength" : "1",
      "MaxLength" : "41"
    }

13. Questions we have
Reuse beyond copy/paste?
Elegant AMI selection using Fn::Select?
Update stacks, or destroy/recreate?
CFN for Route53?

14. Future plans
CloudWatch streaming logs, see http://blogs.aws.amazon.com/application-management/post/TxPYD8JT4CB5UY/View-CloudFormation-Logs-in-the-Console
Nested templates to manage dependent templates
Elastic Beanstalk

15. Questions?

16. Resources
https://gist.github.com/lox/66a78542b2c14a3f773d
http://blogs.aws.amazon.com/application-management/blog/tag/CloudFormation
http://harish11g.blogspot.com.au/2014/08/amazon-cloudformation-templates-automation-Amazon-CFT-AWS-top-best-practices-tips.html
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-authentication.html
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html
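A small template linter, added here as an example (it is not 99designs' tooling), that checks three of the practices from the slides against a constructed template: sensitive parameters carry NoEcho (slide 12), AWS::CloudFormation::Authentication blocks use roleName rather than static accessKeyId/secretKey (slide 9's "avoid leaking credentials via templates"), and every WaitConditionHandle is referenced from some UserData so cfn-signal can actually reach it (slide 6). The template, parameter names and finding messages are all constructed for the example.

```python
import json
import re

# Constructed sample template (not from 99designs): NoEcho missing, static keys, unsignalled WaitHandle.
TEMPLATE = json.loads(r'''{
  "Parameters": {
    "DockerPassword": {"Type": "String", "Description": "Docker index password"},
    "DBPassword": {"NoEcho": "true", "Type": "String"},
    "RDSAccessSecurityGroup": {"Type": "String", "Default": "rds-access"}
  },
  "Resources": {
    "WaitHandle": {"Type": "AWS::CloudFormation::WaitConditionHandle"},
    "WaitCondition": {"Type": "AWS::CloudFormation::WaitCondition", "Properties": {"Handle": {"Ref": "WaitHandle"}}},
    "LaunchConfig": {"Type": "AWS::AutoScaling::LaunchConfiguration",
      "Metadata": {"AWS::CloudFormation::Authentication": {"S3AccessCreds": {
        "type": "S3", "accessKeyId": "AKIA-EXAMPLE", "secretKey": "EXAMPLE",
        "buckets": ["my-secrets"]}}},
      "Properties": {"UserData": {"Fn::Base64": {"Fn::Join": ["", [
        "#!/bin/bash -x\n", "cfn-init -v --stack ", {"Ref": "AWS::StackName"}, "\n"]]}}}}
  }
}''')

SENSITIVE_PARAM = re.compile(r"password|secret|token", re.I)

def refs(node):
    # Yield every logical name used in a {"Ref": ...} anywhere under node.
    if isinstance(node, dict) and set(node) == {"Ref"}:
        yield node["Ref"]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from refs(child)

def lint(template):
    # Returns a list of finding strings; an empty list means the template passes.
    findings = []
    for name, param in template.get("Parameters", {}).items():
        if SENSITIVE_PARAM.search(name) and str(param.get("NoEcho", "")).lower() != "true":
            findings.append(f"parameter {name}: looks sensitive but has no NoEcho")
    resources = template.get("Resources", {})
    handles = {n for n, r in resources.items() if r.get("Type") == "AWS::CloudFormation::WaitConditionHandle"}
    signalled = set()
    for name, res in resources.items():
        auth = res.get("Metadata", {}).get("AWS::CloudFormation::Authentication", {})
        for cred, spec in auth.items():
            if "accessKeyId" in spec or "secretKey" in spec:
                findings.append(f"{name}/{cred}: static access key in template; use roleName")
        signalled.update(refs(res.get("Properties", {}).get("UserData")))  # cfn-signal targets
    for handle in handles - signalled:
        findings.append(f"{handle}: WaitConditionHandle is never signalled from UserData")
    return findings
```

Run lint() over a real template's parsed JSON to get the same three classes of findings; a WaitHandle that is only referenced from its WaitCondition but never from UserData is exactly the case where a failed boot hangs until the Timeout instead of failing fast.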