CloudFormation

Basics

Infrastructure as code, create template and CloudFormation care the provision & configuration, allow management of a collection of resources as single unit. Also since template is just text files it's easy to track, compare with existing version control tools.

Create: CloudFormation works by calling services (you must have the permissions). AWS CloudFormation Designer helps edit the template. Edit the template and save it somewhere (S3). Before create, make sure the resource is available in the region (to be created by CloudFormation and existing ones) and creator has the permissions. Then give the location to CLoudFormation to create the stack. If create fails, rollback by deleting created resources.

Update: modify template or input parameter, CloudFormation create change set, review change set and understand the actions CloudFormation will perform (especially on critical resources), then carry on the change. Update can interrupt service, even drop database! so be very careful. If update fails AWS roll back change.

Delete: possible to retain certain service with a deletion policy.

Permission: IAM permission on CloudFormation can be fine grind with condition - such as only allow certain template URL. CloudFormation itself by default uses user's credential for stack operation; alternatively can specify a role for CloudFormation to use.

Logging: to CloudTrail

Concepts: template, stack

Template - JSON/YAML describe resources and properties; can use input parameter for something to be decided when creating stack; there are many samples, snippets to start with; also see reference here; see an example with 6 top sections used in the user guide here;

Custom Resource: see below

Stack - resources provided by AWS according to template, can be created/updated/deleted; work with through console, API & CLI; before update to a running stack can first generate a change set to review the changes to the running resources for safety (name change database result in drop of old one...);

Stack set - further expand stack to cross-region cross-account stack set as a unit

Template

Top sections: AWSTemplateFormatVersion, Description, Parameters, Mappings, Resources (*required), and Outputs

Parameters:

• To pass information to template at stack creation time, especially for sensitive information
• Or pseudo parameters "AWS::Region"
• "Parameters":{"ParName1":{"Description":"...","Type":"AWS::...", "Default":...}, "ParName2"...}
  • Parameter properties:
    • Description
    • Type (*required) - can be AWS type (like key name, will be verified for existence) or simple "String", "Number"
    • ConstraintDescription
    • Default
    • AllowedValues
    • NoEcho - for passwords
  • Using in Resource properties: {"Ref":"KeyName"} rather than "TheKeyNameValue"

Resources (*required):

• "Resources":{ "ResourceName1":{"Type":"AWS::ProductIdentifier::ResourceType","Properties":{....}}, "ResourceName2"....}
• Resource can be referenced then as {"Ref":"ResourceName1"}, see Ref function here
• Existing resource does not need to be defined in Resources section, just refer with their name "MyExistingResourceName"
• Name is a Logical Name, when created in stack, resource has a physical name which is LogicalName+StackName+UniqueID
• A stack can be a resource of another stack

Mappings

• "Mappings":{"MapName1":{"Key1":{"SubKey1":"Value1"...},"Key2"...}, "MapName2"...}
• Usage: "Fn::FindInMap": [ "MapName1", {"Ref": "AWS::Region"}, "SubKey1"]
  • there's a reference above as key, and simply string as sub key
• Useful for conditional value for something like region etc.

Transform

• Can use to specify the version of SAM (Serverless Application Model) to use
• AWS::Include to include another template snippet

Metadata

• Can put any JSON/YAML object here

Outputs

• Define return values, from resources in the stack, such as resource URL

Template Elements

When invoke function, use [] array to specify parameters

Ref Function : Often refer to resource (physical name), but also id such as IP address, ARN, etc.

Fn::GetAtt : Get attribute of a resource

Constructed Values: Use function such as Fn::Join

DependsOn: One resource must be created after another

DeletionPolicy: how to handle deletion of resource

MetaData: specify structural data with resource

Tools

AWS CLI

Sometimes the CLI can retrieve a descriptor of a resource that is very similar to the cloudformation template, so if a resource is created with web console, can use CLI to retrieve the descriptor as reference for the cloudformation template. For example:

 aws appsync list-resolvers --api-id xxxxxxx --type-name Mutation

Designer

Edit, enforce some validity rules, validate, put size/position etc in meta data. Recommended.

Resources are shown as containers which can be resized and contains other objects (drag valid resource into), or square objects (can connect with other valid resource depending on the type). Contain / connection can be reflected in a Ref in template. If a valid resource is placed in a container the designer actually creates a connection but for decluttering purpose when it's in a container the connection line is not shown. If move the resource outside of the container the connection will be shown as a line. To determine if a resource can be meaningfully placed in a container? Place it and then drag out to see if a link & property reference is created. Not all connection / associations can be drag-created. Some need to be coded in template and will then reflected in canvas. Right click on resource shows resource menu including quick access to reference document. Ctrl+space autocomplete property in a resource. Ctrl-F finds. Alt-Enter then highlights all finds.

CloudFormer

Tool to create template based on resource in user's account. Good to use as starting point. Need to create stack, use, then delete stack. Still in beta.

Sceptre

A tool to drive CloudFormation. https://sceptre.cloudreach.com/latest/about.html

Custom Resource

Example:

This example uses in-line lambda code ("ZipFile").

https://github.com/arminhammer/cloudformation-templates/blob/master/custom-cognito-userpool.json

It uses a "cfn-response" module to send back response (only available using "ZipFile"). See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-code.html#cfn-lambda-function-code-cfnresponsemodule

Here's a blog: http://2ndwatch.com/blog/a-step-by-step-guide-on-using-aws-lambda-backed-custom-resources-with-amazon-cfts/

Here's another example, it uses "https" to send back response

https://community.alfresco.com/community/platform/blog/2016/10/13/how-a-lambda-backed-custom-resource-saved-the-day

Below is a very nicely written article about custom resource

http://anders.janmyr.com/2015/07/extending-cloudformation-with-lambda.html

Continual Delivery

CD - automatic build, test, prepare for production. Use AWS pipeline.