(DVO304) AWS CloudFormation Best Practices

Post on 12-Jan-2017

TRANSCRIPT

  • © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

    Abhishek Lal, Product Manager

    Chris Whitaker, Development Manager

    October 2015

    DVO304: AWS CloudFormation Best Practices

  • AWS CloudFormation

    Create templates of the infrastructure

    CloudFormation provisions AWS resources in order

    Version control/replicate/update with infrastructure-as-code

    Integrates with development, CI/CD, management tools

  • AWS CloudFormation Designer

  • Introducing AWS CloudFormation Designer

    Visualize template resources

    Modify template with drag-and-drop gestures

    Customize sample templates

  • AWS CloudFormation Designer demo: Visualize templates

  • AWS CloudFormation Designer

    Make updates

  • AWS CloudFormation Designer

    Authoring

  • CloudFormation Designer toolbar

    Toolbar Navigation

    Open: Local files/S3/stack

    Save: Local files/launch stack

    Validation: AWS resource schema

    Refresh: Synchronize JSON text changes

  • CloudFormation Designer Resources

    All supported resources

    Organized by service

    Drag and drop onto canvas

    Color-coded icons

  • CloudFormation Designer canvas

    Container resources, e.g. EC2 VPCs, subnets

    Connections between resources, e.g. Ref, DependsOn, GetAtt

    Contextual resource menu: Code/Clone/Delete/Docs

  • CloudFormation Designer JSON Editor

    Ctrl+Space: Within the Properties key of a resource, lists all the available properties for the resource

    Ctrl+F: Search for a value in the JSON editor

    Ctrl+\: Formats the text with proper indentation and new lines

    Ctrl+Shift+\: Removes all white space

  • New AWS Services Supported by AWS CloudFormation

  • Use a wide range of AWS services

    Amazon EC2

    Amazon EC2 Container Service

    AWS Lambda (including event sources - New)

    Auto Scaling (including Spot Fleet - New)

    Amazon VPC

    Elastic Load Balancing

    Amazon Route 53

    Amazon CloudFront

    Amazon SimpleDB

    Amazon RDS

    Amazon Redshift

    Amazon DynamoDB

    Amazon ElastiCache

    Amazon RDS for Aurora (New)

    Amazon S3

    AWS IAM (including managed policies)

    Simple AD (New)

    Amazon Kinesis

    Amazon SNS

    Amazon SQS

    AWS CloudTrail

    Amazon CloudWatch

    AWS Data Pipeline

    AWS Elastic Beanstalk

    AWS OpsWorks

    AWS CodeDeploy (New)

    Amazon WorkSpaces (New)

  • AWS CloudFormation in Your Organization

  • Managing your costs with budgets

    https://console.aws.amazon.com/billing/home?region=us-east-1/budgets#/

    http://ow.ly/T84qv

  • Audit logs for all operations

    Store/Archive

    Troubleshoot

    Monitor and Alarm

    You are making API calls on a growing set of AWS services around the world; CloudTrail is continuously recording those API calls
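"Monitor and Alarm" on the CloudTrail side is easier to picture as code. The following Python is an added example, not part of the deck and not an AWS tool: it scans CloudTrail records for CloudFormation API calls and flags a DeleteStack on a watched stack, a template fetched from outside an approved bucket, and a CreateStack/UpdateStack on a watched stack by anyone other than the deployment pipeline. The records, the allow-lists (APPROVED_TEMPLATE_BUCKETS, PIPELINE_PRINCIPALS, WATCHED_STACKS) and the stack and user names are constructed for the example; the record field names (eventSource, eventName, userIdentity, requestParameters.templateURL) follow CloudTrail's record layout.

```python
from urllib.parse import urlparse

# Constructed CloudTrail records (not real log data); only the fields the
# check reads are filled in. Field names follow CloudTrail's record layout.
SAMPLE_RECORDS = [
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-pipeline"},
     "requestParameters": {"stackName": "web-prod",
                           "templateURL": "https://s3.amazonaws.com/approved-templates/web.json"}},
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "UpdateStack",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"stackName": "web-prod",
                           "templateURL": "https://s3.amazonaws.com/scratch-bucket/test.json"}},
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "DeleteStack",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"stackName": "web-prod"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
]

# Assumed organisation settings: where templates may come from, which identities
# are the CI/CD pipeline, and which stacks count as production.
APPROVED_TEMPLATE_BUCKETS = {"approved-templates"}
PIPELINE_PRINCIPALS = {"deploy-pipeline"}
WATCHED_STACKS = {"web-prod"}


def bucket_of(template_url):
    """Bucket named by a template URL. Path-style hosts (s3.amazonaws.com,
    s3-<region>.amazonaws.com, s3.<region>.amazonaws.com) carry the bucket as the
    first path segment; virtual-hosted URLs carry it as the leading host label.
    A virtual-hosted bucket whose own name starts with "s3-" is misread as
    path-style and therefore fails the allow-list check, i.e. it fails closed."""
    parsed = urlparse(template_url)
    first_label = parsed.netloc.split(".")[0]
    if first_label == "s3" or first_label.startswith("s3-"):
        return parsed.path.lstrip("/").split("/", 1)[0]
    return parsed.netloc.split(".s3", 1)[0]


def findings(records):
    """Return (eventName, principal, reason) triples worth an alarm."""
    out = []
    for rec in records:
        if rec.get("eventSource") != "cloudformation.amazonaws.com":
            continue
        name = rec["eventName"]
        who = rec.get("userIdentity", {}).get("userName", "unknown")
        params = rec.get("requestParameters") or {}
        stack = params.get("stackName", "unknown")
        url = params.get("templateURL")
        if name == "DeleteStack" and stack in WATCHED_STACKS:
            out.append((name, who, "deletion of watched stack %s" % stack))
        if url and bucket_of(url) not in APPROVED_TEMPLATE_BUCKETS:
            out.append((name, who, "template from unapproved bucket %s" % bucket_of(url)))
        if name in ("CreateStack", "UpdateStack") and stack in WATCHED_STACKS \
                and who not in PIPELINE_PRINCIPALS:
            out.append((name, who, "change to watched stack %s outside the pipeline" % stack))
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_RECORDS):
        print("ALARM %s by %s: %s" % finding)
```

Run against a CloudTrail delivery this produces one line per suspicious call; the same three checks map onto the IAM conditions shown later in the deck (TemplateUrl, resource-type restrictions), so the detection confirms that the preventive policy is actually being applied rather than replacing it.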

  • AWS CloudFormation Advanced Concepts

  • AWS CloudFormation language features

  • Extending AWS CloudFormation

  • Extend with stack events

    [Diagram: a stack made of a security group, an Auto Scaling group, an EC2 instance, Elastic Load Balancing, an ElastiCache Memcached cluster, software packages, config and data, and CloudWatch alarms, alongside a Web Analytics Service. AWS CloudFormation provisions the AWS resources (Create, Update, Rollback, or Delete) and publishes Stack Events to an Amazon SNS topic, which a Worker consumes.]
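As an added example (not from the deck), here is what the Worker on the far end of that SNS topic can look like in Python: it parses the single-quoted key='value' lines of a stack-event notification and pages on failed or rolling-back resources, naming the first failing resource so responders do not have to hunt for it. The three message bodies are constructed samples in that layout; the stack name, account ID, timestamps and failure reasons are invented.

```python
import re

# Constructed notification bodies in the key='value' line layout CloudFormation
# uses for SNS stack-event notifications (all values invented).
SAMPLE_MESSAGES = [
"""StackId='arn:aws:cloudformation:us-east-1:123456789012:stack/web-prod/11111111-2222-3333-4444-555555555555'
Timestamp='2015-10-08T18:25:43.511Z'
EventId='WebServerGroup-CREATE_IN_PROGRESS-2015-10-08T18:25:43.511Z'
LogicalResourceId='WebServerGroup'
Namespace='123456789012'
PhysicalResourceId=''
ResourceProperties='{"MinSize":"2","MaxSize":"4"}'
ResourceStatus='CREATE_IN_PROGRESS'
ResourceStatusReason=''
ResourceType='AWS::AutoScaling::AutoScalingGroup'
StackName='web-prod'
""",
"""StackId='arn:aws:cloudformation:us-east-1:123456789012:stack/web-prod/11111111-2222-3333-4444-555555555555'
Timestamp='2015-10-08T18:31:02.004Z'
EventId='CacheCluster-CREATE_FAILED-2015-10-08T18:31:02.004Z'
LogicalResourceId='CacheCluster'
Namespace='123456789012'
PhysicalResourceId=''
ResourceProperties='{"Engine":"memcached"}'
ResourceStatus='CREATE_FAILED'
ResourceStatusReason='Cache cluster creation failed (constructed example reason)'
ResourceType='AWS::ElastiCache::CacheCluster'
StackName='web-prod'
""",
"""StackId='arn:aws:cloudformation:us-east-1:123456789012:stack/web-prod/11111111-2222-3333-4444-555555555555'
Timestamp='2015-10-08T18:31:05.120Z'
EventId='web-prod-ROLLBACK_IN_PROGRESS-2015-10-08T18:31:05.120Z'
LogicalResourceId='web-prod'
Namespace='123456789012'
PhysicalResourceId='arn:aws:cloudformation:us-east-1:123456789012:stack/web-prod/11111111-2222-3333-4444-555555555555'
ResourceProperties='null'
ResourceStatus='ROLLBACK_IN_PROGRESS'
ResourceStatusReason='The following resource(s) failed to create: [CacheCluster]. Rollback requested by user.'
ResourceType='AWS::CloudFormation::Stack'
StackName='web-prod'
""",
]

# One line per field: a word, '=', and a single-quoted value.
LINE_RE = re.compile(r"^(\w+)='(.*)'$")

# Statuses a worker should page on rather than just log.
ALARM_STATUSES = {
    "CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED",
    "ROLLBACK_IN_PROGRESS", "ROLLBACK_FAILED",
    "UPDATE_ROLLBACK_IN_PROGRESS", "UPDATE_ROLLBACK_FAILED",
}


def parse_event(message):
    """Turn one notification body into a dict; values keep their raw string form."""
    event = {}
    for line in message.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError("unexpected line in stack event: %r" % line)
        event[match.group(1)] = match.group(2)
    return event


def triage(messages):
    """Return the events worth paging on, in arrival order."""
    alerts = []
    for body in messages:
        event = parse_event(body)
        status = event.get("ResourceStatus", "")
        if status in ALARM_STATUSES:
            alerts.append({
                "stack": event["StackName"],
                "resource": event["LogicalResourceId"],
                "type": event["ResourceType"],
                "status": status,
                "reason": event.get("ResourceStatusReason", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES):
        print("%(stack)s: %(resource)s (%(type)s) %(status)s: %(reason)s" % alert)
```

In a deployment this function is what the SNS subscription (an SQS queue drained by the worker, or a Lambda subscriber) hands each message to. The resource-level CREATE_FAILED event arrives before the stack-level ROLLBACK_IN_PROGRESS one, so keying the alert on the first failing resource gives the responder the root cause rather than the symptom.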

  • Extend with custom resources

    [Diagram: the same stack (security group, Auto Scaling group, EC2 instance, Elastic Load Balancing, ElastiCache Memcached cluster, software packages, config and data, CloudWatch alarms) with a Web Analytics Service attached as a custom resource. AWS CloudFormation provisions the AWS resources; on Create, Update, Rollback, or Delete it sends the request plus metadata to the custom resource's service token and receives Success plus metadata back.]

    "Resources" : {
      "WebAnalyticsTrackingID" : {
        "Type" : "Custom::WebAnalyticsService::TrackingID",
        "Properties" : {
          "ServiceToken" : "arn:aws:sns:...",
          "Target" : {"Fn::GetAtt" : ["LoadBalancer", "DNSName"]},
          "Plan" : "Gold"
        }
      },
      ...
    }

    http://ow.ly/DiSXp

  • AWS Lambda-backed custom resources

    [Diagram: your AWS CloudFormation stack (security group, Auto Scaling group, EC2 instance, Elastic Load Balancing, ElastiCache memcached cluster, software packages, config and data, CloudWatch alarms) calling your AWS Lambda functions as Lambda-powered custom resources. Example functions: look up an AMI ID; look up a VPC ID and subnet ID; reverse an IP address. Each function body reads "// Implement custom logic here".]
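The following Python is an added example, not AWS code and not from the deck, of a Lambda-backed custom resource doing the first job listed above: looking up an AMI ID. It serves both the SNS-backed and the Lambda-backed slides, since the request and response shapes are the same custom resource protocol (RequestType, ResponseURL, StackId, RequestId, LogicalResourceId, PhysicalResourceId and ResourceProperties on the way in; Status, Reason, PhysicalResourceId and Data on the way out). The resource type Custom::AmiLookup, its Region and Family properties, the AMI_CATALOGUE table standing in for a real image query, the handler name lambda_handler and the sample request are all assumptions made for the example.

```python
import json
import urllib.request

# Hypothetical AMI catalogue standing in for a real image query
# (constructed values, not real AMI IDs).
AMI_CATALOGUE = {
    ("us-east-1", "amazon-linux"): "ami-11111111",
    ("us-west-1", "amazon-linux"): "ami-22222222",
}


def lookup_ami(region, family):
    try:
        return AMI_CATALOGUE[(region, family)]
    except KeyError:
        raise LookupError("no %s image known for %s" % (family, region))


def handle(event, send):
    """Process one custom resource request and deliver the reply via send(url, body).

    A reply goes out on every path, including exceptions and Delete: a custom
    resource that never answers leaves the stack in progress until CloudFormation
    times out, and a Delete that fails blocks rollback and stack deletion."""
    response = {
        "Status": "SUCCESS",
        "Reason": "",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        # Keep the physical id on Update/Delete; mint a stable one on Create.
        "PhysicalResourceId": event.get("PhysicalResourceId")
                              or "ami-lookup-" + event["LogicalResourceId"],
        "Data": {},
    }
    try:
        if event["RequestType"] in ("Create", "Update"):
            props = event["ResourceProperties"]
            response["Data"]["ImageId"] = lookup_ami(props["Region"], props["Family"])
        # Delete: a pure lookup owns nothing, so there is nothing to clean up.
    except Exception as exc:  # any failure still has to be reported
        response["Status"] = "FAILED"
        response["Reason"] = str(exc)
    send(event["ResponseURL"], response)
    return response


def put_response(url, body):
    """Real transport: PUT the JSON reply to the pre-signed S3 ResponseURL.
    The URL was signed with an empty content type, so send it that way."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="PUT",
                                 headers={"Content-Type": "",
                                          "Content-Length": str(len(data))})
    urllib.request.urlopen(req).close()


def lambda_handler(event, context):
    """Lambda entry point (assumed handler name) using the real transport."""
    handle(event, put_response)


# Constructed request in the shape CloudFormation posts to the ServiceToken
# (the real ResponseURL is a pre-signed S3 URL; this one is a placeholder).
SAMPLE_CREATE = {
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/presigned-placeholder",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/web-prod/11111111-2222-3333-4444-555555555555",
    "RequestId": "constructed-request-id",
    "ResourceType": "Custom::AmiLookup",
    "LogicalResourceId": "WebAmi",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:ami-lookup",
        "Region": "us-east-1",
        "Family": "amazon-linux",
    },
}


def run_sample(event=SAMPLE_CREATE):
    """Run the handler with a send() stub that records what would have been PUT."""
    delivered = []
    resp = handle(event, lambda url, body: delivered.append((url, json.dumps(body))))
    return resp, delivered


if __name__ == "__main__":
    print(json.dumps(run_sample()[0], indent=2))
```

The template reads the result with {"Fn::GetAtt": ["WebAmi", "ImageId"]}, because whatever the function puts under Data becomes the resource's attributes. Update and Delete carry the PhysicalResourceId from the earlier reply, which is why the handler reuses it instead of minting a new one.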

  • Security Best Practices

  • Security: Restricting user access

    Only allow specific templates and stack policies

    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack"
      ],
      "Condition": {
        "ForAllValues:StringLike": {
          "cloudformation:TemplateUrl": ["https://.amazonaws.com/TestBucket/*"]
        }
      }
    }

    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:UpdateStack"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "cloudformation:StackPolicyUrl": ["https://.amazonaws.com/TestBucket/Foo.json"]
        }
      }
    }

    https://s3-us-west-2.amazonaws.com/amanda-test-bucket/AuthEC2.json

  • Security: Restricting user access

    Only allow specific resource types

    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "cloudformation:ResourceTypes": ["AWS::EC2::Instance"]
        }
      }
    }

    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "cloudformation:CreateStack"
      ],
      "Condition": {
        "ForAnyValue:StringLike": {
          "cloudformation:ResourceTypes": ["AWS::IAM::*"]
        }
      }
    }

    https://s3-us-west-2.amazonaws.com/amanda-test-bucket/AuthEC2.json

  • Security: Controlling resource types

    Programmatically restrict access to resource types

    CreateStack and UpdateStack take a new parameter

    Restrict the set of resources that can be created

    Independent of any user policies

    $ aws cloudformation create-stack --stack-name MyStack --template-body file://template.json \
        --resource-types "AWS::EC2::*" AWS::RDS::DBInstance Custom::MyCustomResource
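To see the two controls side by side, this added Python (not from the deck, not an AWS tool) runs the same allow/deny decision over a template before it is submitted: the glob patterns are the ones the IAM conditions and the --resource-types parameter use, applied with ForAllValues semantics for the allow-list (every type must match) and ForAnyValue semantics for the deny-list (one match rejects). SAMPLE_TEMPLATE, the stack and file names, and the lists passed in are constructed for the example.

```python
import fnmatch
import json

# Constructed template (not from the deck): one EC2 instance, one IAM role,
# and one custom resource of the type shown earlier in the deck.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "WebServer": {"Type": "AWS::EC2::Instance",
                  "Properties": {"ImageId": "ami-12345678"}},
    "AdminRole": {"Type": "AWS::IAM::Role",
                  "Properties": {"AssumeRolePolicyDocument": {}}},
    "Tracker":   {"Type": "Custom::WebAnalyticsService::TrackingID",
                  "Properties": {"ServiceToken": "arn:aws:sns:us-east-1:123456789012:tracker"}}
  }
}""")


def matches_any(resource_type, patterns):
    """Case-sensitive glob match in the wildcard shape the deck uses (AWS::EC2::*)."""
    return any(fnmatch.fnmatchcase(resource_type, p) for p in patterns)


def check_template(template, allowed, denied=()):
    """Return (ok, violations). Every resource type must match an allowed pattern
    (ForAllValues) and none may match a denied pattern (ForAnyValue + Deny)."""
    violations = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        if matches_any(rtype, denied):
            violations.append((logical_id, rtype, "explicitly denied"))
        elif not matches_any(rtype, allowed):
            violations.append((logical_id, rtype, "not in allow-list"))
    return (not violations), violations


def create_stack_argv(stack_name, template_file, allowed):
    """The same allow-list handed to CloudFormation itself via --resource-types,
    so the service enforces it regardless of the caller's IAM policy."""
    return ["aws", "cloudformation", "create-stack",
            "--stack-name", stack_name,
            "--template-body", "file://" + template_file,
            "--resource-types"] + list(allowed)


if __name__ == "__main__":
    ok, problems = check_template(SAMPLE_TEMPLATE,
                                  allowed=["AWS::EC2::*", "AWS::RDS::DBInstance", "Custom::*"],
                                  denied=["AWS::IAM::*"])
    print("ok" if ok else "rejected", problems)
    print(" ".join(create_stack_argv("web-prod", "template.json", ["AWS::EC2::*", "Custom::*"])))
```

Two caveats from the policy side carry over. ForAllValues against a key that is absent from the request evaluates to true, so an Allow built only on ForAllValues:StringEquals is more permissive than it looks; pairing it with a ForAnyValue Deny, as the second policy above does, is the safer shape. And --resource-types is a guard the caller chooses for one call, so it complements the user's IAM policy rather than replacing it.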

  • Best Practices for Templates

  • Reusing templates across AWS regions

    Consider environmental or regional differences

    Amazon EC2 image IDs

    VPC environment or classic environment

    Available instance types

    IAM policy principals

    Endpoint names

    Amazon Resource Names (ARNs)

  • Reusable templates: Pseudo-parameters

    Use pseudo-parameters to retrieve environmental data

    Account ID

    Region

    Stack Name and ID

    "LogsBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "LogsBucket"},
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [{
            "Sid": "ELBAccessLogs",
            "Effect": "Allow",
            "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "LogsBucket"}, "/", "Logs", "/AWSLogs/", {"Ref": "AWS::AccountId"}, "/*"]]},
            "Principal": {"AWS": "127311923021"},
            "Action": ["s3:PutObject"]
          }]
        }
      }
    }

  • Reusable templates: Using mappings

    Use mappings to define variables

    Single place for configuration

    Reusable within the template

    "LogsBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "LogsBucket"},
        "PolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [{
            "Sid": "ELBAccessLogs",
            "Effect": "Allow",
            "Resource": {"Fn::Join": ["", [
              {"Fn::FindInMap": ["RegionalConfig", {"Ref": "AWS::Region"}, "ArnPrefix"]},
              "s3:::", {"Ref": "LogsBucket"}, "/", "Logs", "/AWSLogs/",
              {"Ref": "AWS::AccountId"}, "/*"]]},
            "Principal": {"AWS": {"Fn::FindInMap": ["RegionalConfig", {"Ref": "AWS::Region"}, "ELBAccountId"]}},
            "Action": ["s3:PutObject"]
          }]
        }
      }
    }

    "Mappings": {
      "RegionalConfig": {
        "us-east-1": {"AMI": "ami-12345678", "ELBAccountId": "127311923021", "ArnPrefix": "arn:aws:"},
        "us-west-1": {"AMI": "ami-98765432", "ELBAccountId": "027434742980", "ArnPrefix": "arn:aws:"},
        ...
      }
    }
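To check what the mapping-driven policy above produces per region without deploying it, here is an added Python example (not from the deck) that resolves the intrinsic functions used on the pseudo-parameter and mapping slides, Ref to pseudo-parameters and resources, Fn::FindInMap and Fn::Join, and goes one slide further by also handling Fn::If, Fn::Equals and Fn::Or so a conditional property can be evaluated. The mapping values are the ones on the slide; the account ID, bucket name, stack name and the IsUsEast condition are constructed for the example.

```python
import json

# The RegionalConfig mapping from the slide.
MAPPINGS = {
    "RegionalConfig": {
        "us-east-1": {"AMI": "ami-12345678", "ELBAccountId": "127311923021", "ArnPrefix": "arn:aws:"},
        "us-west-1": {"AMI": "ami-98765432", "ELBAccountId": "027434742980", "ArnPrefix": "arn:aws:"},
    }
}

# The bucket policy's Resource and Principal from the slide, as written in the template.
POLICY_RESOURCE = {"Fn::Join": ["", [
    {"Fn::FindInMap": ["RegionalConfig", {"Ref": "AWS::Region"}, "ArnPrefix"]},
    "s3:::", {"Ref": "LogsBucket"}, "/", "Logs", "/AWSLogs/",
    {"Ref": "AWS::AccountId"}, "/*"]]}
POLICY_PRINCIPAL = {"AWS": {"Fn::FindInMap": ["RegionalConfig", {"Ref": "AWS::Region"}, "ELBAccountId"]}}

# Constructed condition for the Fn::If demonstration (not the deck's Is-EC2-VPC).
CONDITIONS = {"IsUsEast": {"Fn::Or": [
    {"Fn::Equals": [{"Ref": "AWS::Region"}, "us-east-1"]},
    {"Fn::Equals": [{"Ref": "AWS::Region"}, "us-east-2"]}]}}

INTRINSICS = {"Ref", "Fn::FindInMap", "Fn::Join", "Fn::If", "Fn::Equals", "Fn::Or"}


class Resolver:
    """Evaluates the intrinsic functions used on these slides against one region
    and account. Fn::GetAtt is deliberately absent: it needs live resources."""

    def __init__(self, region, account_id, stack_name, mappings, resources=None, conditions=None):
        # Pseudo-parameters CloudFormation fills in at deploy time.
        self.pseudo = {"AWS::Region": region, "AWS::AccountId": account_id,
                       "AWS::StackName": stack_name, "AWS::NoValue": None}
        self.mappings = mappings
        self.resources = resources or {}   # logical id -> physical id, assumed known
        self.conditions = conditions or {}

    def resolve(self, node):
        if isinstance(node, list):
            return [self.resolve(n) for n in node]
        if not isinstance(node, dict):
            return node
        if len(node) == 1 and next(iter(node)) in INTRINSICS:
            (fn, arg), = node.items()
            if fn == "Ref":
                if arg in self.pseudo:
                    return self.pseudo[arg]
                if arg in self.resources:
                    return self.resources[arg]
                raise KeyError("unresolved Ref to %s" % arg)
            if fn == "Fn::FindInMap":
                map_name, top_key, second_key = self.resolve(arg)
                return self.mappings[map_name][top_key][second_key]
            if fn == "Fn::Join":
                delimiter, parts = arg
                return delimiter.join(str(p) for p in self.resolve(parts))
            if fn == "Fn::Equals":
                left, right = self.resolve(arg)
                return left == right
            if fn == "Fn::Or":
                return any(self.resolve(arg))
            if fn == "Fn::If":
                name, if_true, if_false = arg
                return self.resolve(if_true if self.evaluate(name) else if_false)
        # Plain object: resolve each value; AWS::NoValue removes its key entirely.
        out = {k: self.resolve(v) for k, v in node.items()}
        return {k: v for k, v in out.items() if v is not None}

    def evaluate(self, condition_name):
        return bool(self.resolve(self.conditions[condition_name]))


def render_policy(region, account_id="123456789012", bucket_name="web-prod-logs"):
    """What the ELBAccessLogs statement becomes once deployed in `region`."""
    r = Resolver(region, account_id, "web-prod", MAPPINGS, resources={"LogsBucket": bucket_name})
    return {"Resource": r.resolve(POLICY_RESOURCE), "Principal": r.resolve(POLICY_PRINCIPAL)}


def conditional_demo(region):
    """Fn::If choosing between a property value and AWS::NoValue."""
    r = Resolver(region, "123456789012", "web-prod", MAPPINGS, conditions=CONDITIONS)
    return r.resolve({
        "ImageId": {"Fn::FindInMap": ["RegionalConfig", {"Ref": "AWS::Region"}, "AMI"]},
        "Placement": {"Fn::If": ["IsUsEast", {"Tenancy": "default"}, {"Ref": "AWS::NoValue"}]},
    })


if __name__ == "__main__":
    for region in ("us-east-1", "us-west-1"):
        print(region, json.dumps(render_policy(region)), json.dumps(conditional_demo(region)))
```

Running it for both regions shows the point of the mapping: the statement text is identical, and only the data that differs per region (the ELB log-delivery account, the ARN prefix) changes. The same resolver is a cheap pre-deployment test for templates: a Ref to a name that is neither a pseudo-parameter nor a known resource raises instead of silently producing a policy for the wrong principal.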

  • Reusable templates: Using conditionals

    Use conditionals to customize resources and parameters

    "DBEC2SG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Condition": "Is-EC2-VPC",
      "Properties": {
        ...
      }
    },
    "DBSG": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Condition": "Is-EC2-Classic",
      "Properties": {
        ...
      }
    },
    "MySQLDatabase": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        ...
        "VPCSecurityGroups": {"Fn::If": ["Is-EC2-VPC",
          [{"Fn::GetAtt": ["DBEC2SG", "GroupId"]}],
          {"Ref": "AWS::NoValue"}]},
        "DBSecurityGroups": {"Fn::If": ["Is-EC2-Classic",
          [{"Ref": "DBSG"}],
          {"Ref": "AWS::NoValue"}]}
      }
    }

    "Conditions": {
      "Is-EC2-VPC": {"Fn::Or": [
        {"Fn::Equals": [{"Ref": "AWS::Region"}, "eu-central-