"AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. In this Zero to Sixty session, learn about CloudFormation's latest features along with best practices for using them, including maintaining complex environments with CloudFormation, template management and re-use, and controlling stack updates. Demos and code samples are available to all session attendees. Are you new to AWS CloudFormation? Get up to speed for this session by first completing the 60-minute Fundamentals of CloudFormation lab in the Self Paced Lab Lounge."

1. Zero to Sixty:
AWS CloudFormation
Chetan Dandekar, Senior Product Manager – AWS CloudFormation
Capen Brinkley, Software Developer – Intuit
November 13, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. AWS CloudFormation
Model
Click
Done
Provisioning
Instruction
Script(s)
Instruction
Instruction
Manual
Manual
Manual
creation order?
how long do I pause?
what errors can I recover from?
what environment config and
utilities does my script depend on?
can my script be faster?
will this script work again?

3. AWS CloudFormation
Version
Control
Replicate
Dev
Regions
Test
Demos
Staging
Prod
Standardization
Service Catalog

4. AWS CloudFormation
Template
Snippets
API
Code
Config
API
CloudFormation
Build Pipeline
Automate
SNS
Monitor Progress

5. Intuit’s CloudFormation Story

6. Key Takeaways
• How we use CloudFormation to manage large
scale applications
• Methodologies and tools you can use to follow a
similar path

7. Infrastructure Design
Template Management
Stack Management
Bootstrapping

9. Live Community Traffic
April 15
Feb. 1

10. Amazon EC2
Amazon RDS
Amazon S3
Elastic Load
Balancing

11. Infrastructure as Code

12. Web
App
Server
Web
App
Server
Auto Scaling Group
App Tier

14. Service Oriented Architecture
Amazon SQS
Amazon RDS
Amazon
CloudFront
Amazon Route 53
Amazon S3
Amazon
ElastiCache
Amazon
CloudWatch
AWS
CloudFormation
AWS IAM
Amazon SES
Amazon EC2
Amazon SNS

15. Multiple Templates, Loosely Coupled
Web
App
Server
SQS Queue
Web
App
Server
Auto Scaling Group
App Tier

16. Multiple Templates, Loosely Coupled
Easy To Reason About
Reusable

17. Stack Management

18. Simple Deploy
https://github.com/intuit/simple_deploy

19. Simple Deploy Commands
attributes
clone
create
deploy
destroy
environments
events
execute
instances
list
outputs
parameters
protect
resources
status
template
update

20. elb-1
Blue
Green
app-1 (v1.0.0)
app-2 (v1.1.0)
Auto Scaling
Group
Auto Scaling
Group

21. $ simple_deploy environments
Default
lc_preprod_us_west_1
lc_preprod_us_west_2
lc_preprod_us_east_1
PROD_lc_prod_us_west_1_PROD
PROD_lc_prod_us_west_2_PROD
PROD_lc_prod_us_east_1_PROD

22. $ simple_deploy list
–-environment lc_preprod_us_west_1
lc-dev-elb-1
lc-dev-app-1
lc-dev-db-master-1
lc-dev-db-parameter-group

23. simple_deploy create
–-environment lc_preprod_us_west_1
–-name lc-dev-app-2
–-template app.json
–-input-stack lc-dev-elb-1
–-input-stack lc-dev-db-master-1
–-attribute chef_repo=3f57f9f
–-attribute app=bcb68de

24. simple_deploy clone
--environment lc_preprod_us_west_1
--source-stack lc-dev-1-app-1
--name lc-dev-1-app-2
--attribute app=afdac509b
--attribute chef_repo=a4531e5ff6

25. simple_deploy destroy
--environment lc_preprod_us_west_1
--name lc-dev-1-app-1

26. Chef
CloudFormation::Init
Bootstrapping
Userdata
Autoscaling
CloudFormation
Simple Deploy
Code / CI / Artifact

27. "UserData": { "Fn::Base64": { "Fn::Join": ["",
[
"#!/bin/bashn",
"yum update -y aws-cfn-bootstrapn",
"/opt/aws/bin/cfn-init --stack “,
{ "Ref": "AWS::StackName" },
" --verbose"
" --resource InstanceLaunchConfig",
" --region=", { "Ref": "AWS::Region" },
" -configsets bootstrap", "n”
CloudFormation
> GET http://169.254.169.254/latest/user-data
#!/bin/bash
yum update -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init –-stack lc-app-stack
-–verbose --resource InstanceLaunchConfig
--region=us-west-2 –-configsets bootstrap
Instance User Data

28. CloudFormation::Init
Resources
Configsets
Commands
Files
Groups
Packages
Services
Sources
Users

29. "configSets”: {
"bootstrap”: [ "create_files",
"install_packages",
"run_chef",
"clean_up” ]
}

30. "create_files": {
"files": {
"/etc/chef/ohai/hints/ec2.json": {
"content": "{}",
"mode": "000400",
"owner": "root",
"group": "root"
}
}
}

31. "install_packages": {
"packages": {
"yum”: {
"chef”: [ "11.6.2-1" ]
}
}
}

32. "run_chef": {
"commands": {
"1_download_chef_repo":
"2_decrypt_chef_repo":
"3_extract_chef_repo":
"4_run_chef":
}
}
{
{
{
{
...
...
...
...
},
},
},
}

33. "run_chef": {
"commands": {
"run_chef": {
"command": "/usr/bin/chef-solo
–c /var/chef/config/solo.rb
–o ", { "Ref", "Role" }
}
}
}

34. "clean_up" : {
"commands": {
"1_cleanup_files" : {
"command": "rm –rf
/var/tmp/chef_repo.tar.gz
/var/tmp/chef_repo.tar.gz.gpg"
}
}
}

35. The Climb

36. What’s New in
AWS CloudFormation

37. Let’s take an example
Scalable
Reliable
Highly Available

38. Two Types of Tasks
Develop
Operate
Parallel stack processing
Fail-safe stack
management
Updates without
downtime
Richer template
language
Federation and IAM roles

39. Parallel Stack Processing

40. Parallel Stack Processing

41. Richer Template Language

42. Conditions
Dev
Prod

43. Conditions
"Parameters" : {
"Environment" : {
"Description" : "Specifies if this a Dev QA or Prod Environment",
"Type" : "String",
"Default" : "Dev",
"AllowedValues" : [ "Dev", "QA", "Prod"]
},
},
...
"Conditions" : {
"ProdEnvironment" : { "Fn::Equals" : [ { "Ref" : "Environment" }, "Prod"
]}
},

44. Conditions
"DBInstance" : {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName"
: { "Ref" : "DBName" },
"Engine"
: "MySQL",
"MultiAZ"
: {
"Fn::If" : [ "ProdEnvironment", "true", "false" ]
},
"DBSnapshotIdentifier" : {
"Fn::If" : [ "ProdEnvironment", { "Ref" : "DBName" },
{ "Ref" : "AWS::NoValue" } ]
},
...
}
},

45. Conditions
"DBStorageAlarm" : {
"Condition" : "ProdEnvironment",
"Type" : "AWS::CloudWatch::Alarm",
"Properties" : {
"AlarmDescription" : "Alarm if db size grows beyond a threshold",
"Namespace" : "AWS/RDS",
"MetricName" : "FreeStorageSpace",
...
},
}

46. Conditions
•
•
•
•
•
Fn::If
Fn::Equals
Fn::Not
Fn::And
Fn::Or
"Conditions" : {
...
"ProdOrLoadTestingEnv" : {
"Fn::Or" : [
{ "Condition" : "ProdEnvironment"},
{ "Fn::Equals" : [ ... ]}
]
}
}
"Fn::If": [{condition}, {value_if_true},
{value_if_false}]

47. User-Defined Resource Names
By default,
In addition,
• AWS CloudFormation
generates unique resource
names
• Flexibility to use custom
• “prodstack20131113DBStorageAlarm19BL0MOXL0TPI”
names and still keep them
unique
• “SalesDataStorageAlarm”

48. Develop
Operate
Parallel stack processing
Fail-safe stack
management
Updates without
downtime
Richer template
language
Federation and IAM roles

49. Fail-Safe Stack Management

50. Stack Protection
{
}
"Effect" : "Allow",
"Action" : [ "cloudformation:*" ],
"Resource" :
"arn:aws:cloudformation:us-west2:123456789012:stack/Dev*"
{
}
"Effect" : "Allow",
"Action" : [ "cloudformation:*" ],
"Resource" : "*"
Dev1
Dev2
Dev3
Prod
CloudFormation

51. Stack Protection
{
"Effect" : "Deny",
"Action" : [
"cloudformation:DeleteStack",
"cloudformation:UpdateStack" ],
"Resource" :
"arn:aws:cloudformation:us-west2:123456789012:stack/productionstack/*"
}

52. Stack Protection
"Resources" : {
"StackProtectionPolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "StackProtectionPolicy",
"Groups" : [ { "Ref" : "DenyGrp" } ],
"PolicyDocument" : {
"Statement" : [
{
"Effect" : "Deny",
"Action" : [ "cloudformation:DeleteStack",
"cloudformation:UpdateStack" ],
"Resource" : { "Ref" : “AWS::StackId" }
}

53. Resource Protection
{
"Effect" : "Deny",
"Action" : [
"ec2:TerminateInstances"
],
"Condition": {
"Null": {
"ec2:ResourceTag/*cloudformation*" :
"true" }
},
"Resource" : "*"
}

54. Preventing Updates
{
}
Stack Policy Document
"Statement" : [
{
"Effect" : "Deny",
"Action" : "Update:*",
"Principal" : "*",
"Resource" :
"ResourceType/AWS::RDS::DBInstance"
},
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal" : "*",
"Resource" : "*"
}
]

55. Preventing Updates
{
Fine Grained Stack Policy
"Statement" : [
{
"Effect" : "Deny",
"Action" : "Update:Replace",
"Principal" : "*",
"Resource" :
"LogicalResourceId/MyInstance"
},
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal" : "*",
"Resource" : "*"
...
Setting Stack Policy
> aws cloudformation create-stack
-–template-url ...
--stack-policy-url ...

56. Update without Downtime
"WebServerGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
...
},
"UpdatePolicy" : {
"AutoScalingRollingUpdate" : {
"MinInstancesInService" : “2",
"MaxBatchSize" : “3",
"PauseTime" : "PT20M"
}
}
},

57. Using AWS CloudFormation with Federated
Identities
4
Network
Architects
User accesses broker
1
DB Admins
User accesses APIs
CloudFormation API
and other AWS APIs
4
User redirected to console
Identity broker
User authenticated
2
Temporary security
credentials obtained
3
AWS Management
Console
Application
Developers
Corporate
identity store
AWS Security Token
Service

58. Calling AWS CloudFormation using IAM
Roles
EC2 Instance
1. The IAM role has
permissions to call
AWS CloudFormation
and provision
underlying resources
2. User or script on the EC2
instance calls CloudFormation to
provision a stack
IAM
Role
AWS
CloudFormation
CloudFormation
Stack
3. AWS CloudFormation
provisions the stack using a
template hosted in an S3 bucket
inside the VPC

59. Related Resources
•
http://aws.amazon.com/cloudformation/
•
"Fundamentals of CloudFormation" lab in the Self Paced Lab Lounge
•
DMG303 - AWS CloudFormation under the Hood
•
ARC203 - How Adobe Deploys: Refreshing the Entire Stack Every Time
•
DMG209 - Enterprise Management for the AWS Cloud
•
Multiple other sessions are presenting CloudFormation samples

60. Please give us your feedback on this
presentation
DMG201
As a thank you, we will select prize
winners daily for completed surveys!