CloudFormation

Cards (23)

  • CloudFormation Best Practices:
    Planning and organizing
    • Shorten the feedback loop to improve delivery velocity
    • Organize your stacks by lifecycle and ownership
    • Use cross-stack references to export shared resources
    • Use IAM to control access
    • Reuse templates to replicate stacks in multiple environments
    • Verify quotas for all resource types
    • Use modules to reuse resource configurations
  • CloudFormation Best Practices:
    Creating templates
    • Do not embed credentials in your templates
    • Use AWS-specific parameter types
    • Use parameter constraints
    • Use pseudo parameters to promote portability
    • Use AWS::CloudFormation::Init to deploy software applications on Amazon EC2 instances
    • Use the latest helper scripts
    • Validate templates before using them
  • CloudFormation Best Practices:
    Managing stacks
    • Manage all stack resources through AWS CloudFormation
    • Create change sets before updating your stacks
    • Use stack policies
    • Use AWS CloudTrail to log AWS CloudFormation calls
    • Use code reviews and revision controls to manage your templates
    • Update your Amazon EC2 instances regularly
  • CloudFormation:
    • Instead, use cross-stack references to export resources from a stack so that other stacks can use them. Stacks can use the exported resources by calling them using the Fn::ImportValue function.
    • For example, you might have a network stack that includes a VPC, a security group, and a subnet. You want all public web applications to use these resources. By exporting the resources, you allow all stacks with public web applications to use them. 
  • By default, you can only launch 2000 CloudFormation stacks per region in your AWS account. 
  • Reuse templates to replicate stacks in multiple environments
    • After you have your stacks and resources set up, you can reuse your templates to replicate your infrastructure in multiple environments. For example, you can create environments for development, testing, and production so that you can test changes before implementing them into production. To make templates reusable, use the parameters, mappings, and conditions sections so that you can customize your stacks when you create them.
  • Use modules to reuse resource configurations
    • As your infrastructure grows, common patterns can emerge in which you declare the same components in each of your templates. Modules are a way for you to package resource configurations for inclusion across stack templates, in a transparent, manageable, and repeatable way. Modules can encapsulate common service configurations and best practices as modular, customizable building blocks for you to include in your stack templates.
    • These building blocks can be for a single resource, like best practices for defining an Amazon Elastic Compute Cloud (Amazon EC2) instance, or they can be for multiple resources, to define common patterns of application architecture. These building blocks can be nested into other modules, so you can stack your best practices into higher-level building blocks.
  • CloudFormation modules are available in the CloudFormation registry, so you can use them just like a native resource. When you use a CloudFormation module, the module template is expanded into the consuming template, which makes it possible for you to access the resources inside the module using a Ref or Fn::GetAtt.
  • Use parameter constraints
    • With constraints, you can describe allowed input values so that CloudFormation catches any invalid values before creating a stack. You can set constraints such as a minimum length, maximum length, and allowed patterns. For example, you can set constraints on a database user name value so that it must be a minimum length of eight characters and contain only alphanumeric characters.
  • Use AWS::CloudFormation::Init to deploy software applications on Amazon EC2 instances
    • When you launch stacks, you can install and configure software applications on Amazon EC2 instances by using the cfn-init helper script and the AWS::CloudFormation::Init resource. By using AWS::CloudFormation::Init, you can describe the configurations that you want rather than scripting procedural steps. You can also update configurations without recreating instances. And if anything goes wrong with your configuration, CloudFormation generates logs that you can use to investigate issues.
  • Use AWS::CloudFormation::Init to deploy software applications on Amazon EC2 instances
    • In your template, specify installation and configuration states in the AWS::CloudFormation::Init resource. For a walkthrough that shows how to use cfn-init and AWS::CloudFormation::Init
  • Use the latest helper scripts
    • The helper scripts are updated periodically. Be sure you include the following command in the UserData property of your template before you call the helper scripts to ensure that your launched instances get the latest helper scripts:
    yum install -y aws-cfn-bootstrap
  • Validate templates before using them
    • Before you use a template to create or update a stack, you can use CloudFormation to validate it. Validating a template can help you catch syntax and some semantic errors, such as circular dependencies, before CloudFormation creates any resources. If you use the CloudFormation console, the console automatically validates the template after you specify input parameters. For the AWS CLI or CloudFormation API, use the aws cloudformation validate-template command or ValidateTemplate operation.
  • Validate templates before using them
    • During validation, CloudFormation first checks if the template is valid JSON. If it isn't, CloudFormation checks if the template is valid YAML. If both checks fail, CloudFormation returns a template validation error.
  • Validate templates for organization policy compliance
    • You can also validate your template for compliance to organization policy guidelines. AWS CloudFormation Guard (cfn-guard) is an open-source command line interface (CLI) tool that provides a policy-as-code language to define rules that can check for both required and prohibited resource configurations. It then enables you to validate your templates against those rules. For example, administrators can create rules to ensure that users always create encrypted Amazon S3 buckets.
  • Validate templates for organization policy compliance
    • You can use cfn-guard either locally, while editing templates, or automatically as part of a CI/CD pipeline to stop deployment of non-compliant resources.
    • Additionally, cfn-guard includes a feature, rulegen, that enables you to extract rules from existing compliant CloudFormation templates.
  • Manage all stack resources through AWS CloudFormation
    • After you launch a stack, use the CloudFormation console, API, or AWS CLI to update resources in your stack. Don't make changes to stack resources outside of CloudFormation. Doing so can create a mismatch between your stack's template and the current state of your stack resources, which can cause errors if you update or delete the stack.
  • Create change sets before updating your stacks
    • Change sets allow you to see how proposed changes to a stack might impact your running resources before you implement them. CloudFormation doesn't make any changes to your stack until you run the change set, allowing you to decide whether to proceed with your proposed changes or create another change set.
    • Use change sets to check how your changes might impact your running resources, especially for critical resources.
    • For example, if you change the name of an Amazon RDS database instance, CloudFormation will create a new database and delete the old one; you will lose the data in the old database unless you've already backed it up. If you generate a change set, you will see that your change will replace your database. This can help you plan before you update your stack.
  • Use stack policies
    • Stack policies help protect critical stack resources from unintentional updates that could cause resources to be interrupted or even replaced. A stack policy is a JSON document that describes what update actions can be performed on designated resources. Specify a stack policy whenever you create a stack that has critical resources.
    • During a stack update, you must explicitly specify the protected resources that you want to update; otherwise, no changes are made to protected resources.
  • Use code reviews and revision controls to manage your templates
    • Your stack templates describe the configuration of your AWS resources, such as their property values. To review changes and to keep an exact history of your resources, use code reviews and revision controls. These methods can help you track changes between different versions of your templates, which can help you track changes to your stack resources. Also, by maintaining a history, you can always revert your stack to a certain version of your template.
  • Update your Amazon EC2 instances regularly
    • On all your Amazon EC2 Windows instances and Amazon EC2 Linux instances created with CloudFormation, regularly run the yum update command to update the RPM packages. This ensures that you get the latest fixes and security updates.