AWS CloudFormation: Managing Infrastructure as Code

Vaibhav Jain
Published in tajawal, May 13, 2016 (6 min read)

CloudFormation (CF) lets you create, update and delete AWS infrastructure as a unit, called a stack. You describe the resources in a CF template and CF calls the AWS APIs to provision them, so most AWS services can be automated by writing templates.

Drawbacks of manually built infrastructure:

  1. High cost (manpower and time)
  2. Low quality (failures and outages while updating services)
  3. Low flexibility (changing the infrastructure is difficult and generally avoided)

Automation with CF:

  1. Speeds up infrastructure provisioning
  2. Makes the infrastructure testable (test it the way you test software)
  3. Serves as documentation (the template records how the infrastructure is built)
  4. Uses the native AWS APIs to achieve this

Why is CF (or another IaC tool such as Terraform) better than provisioning with hand-written Bash, Python or Ansible scripts?

  1. With scripts it is hard to manage the dependencies between resources.
  2. Updating scripts to change infrastructure that already exists is a big overhead; the tool has to track state that the script does not.

So, how CF works:

  1. We write a blueprint of the infrastructure as a JSON template (CF has also accepted YAML since late 2016).
  2. Once the template is in place we hand it to CF, which runs it and creates a stack of resources for us.
  3. CF works out the dependencies between the resources and tracks their state.
  4. One template can be used to create multiple stacks (production, testing, staging).

Anatomy of a CF template:

Only Resources is strictly required, but a minimal CF template usually has three parts:

  1. AWSTemplateFormatVersion (the only valid value is 2010-09-09)
  2. Description (free text describing the template and its resources)
  3. Resources (EC2, ECS, EMR, DP, SG, DB, ...)

Key points:

  • The Resources section contains one or more resources, each with a unique logical name.
  • Each resource has a valid Type (for example AWS::EC2::Instance).
  • Under each resource's Properties we set its configuration: for an EC2 instance, the instance type, AMI ID and security groups.

To manage the dependencies between resources we use the Ref intrinsic function: referencing one resource from another's properties tells CF which one must exist first, and Ref resolves to the referenced resource's identifier (for an EC2 instance, its instance ID).

Example: we have to spin up an EC2 instance, attach a security group (SG) to it and assign an Elastic IP (EIP).

The picture is: the EC2 instance depends on the SG, and the EIP depends on the EC2 instance.

So we declare the three resources and express the dependencies with Ref: the SG is referenced from the EC2 instance's security-group property, and the EC2 instance is referenced from the EIP's InstanceId property.

CF therefore creates the SG first, then the EC2 instance, and finally the EIP, which it attaches to the instance. Where an ordering is needed that no property reference expresses, the DependsOn attribute states it explicitly.
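The SG, EC2 and EIP chain above as a template, together with a small resolver that orders resource creation from Ref and DependsOn links the way CF does. This is an added example written for this page, not code from the original article or from AWS; the logical names, the SSH source CIDR, the AMI ID and the instance type are constructed placeholders.

```python
"""Added example (not from the original article or AWS): a CloudFormation
JSON template for the SG -> EC2 -> EIP chain described in the text, and a
resolver that orders resource creation from Ref / Fn::GetAtt / DependsOn
links the way CloudFormation does. Logical names, CIDR, AMI ID and instance
type are constructed placeholders."""
import json

TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "SSH bastion: security group, EC2 instance, Elastic IP",
    "Resources": {
        "BastionSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "SSH from one trusted range only",
                # Port 22 open to a single CIDR; 0.0.0.0/0 here is the classic mistake.
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "203.0.113.0/24"}   # constructed placeholder range
                ],
            },
        },
        "BastionInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-0123456789abcdef0",   # placeholder AMI ID
                "InstanceType": "t2.micro",
                # Ref to the SG (its group ID inside a VPC): the SG is created first.
                "SecurityGroupIds": [{"Ref": "BastionSecurityGroup"}],
            },
        },
        "BastionEip": {
            "Type": "AWS::EC2::EIP",
            "Properties": {
                # Ref to the instance (its instance ID): the EIP is created last.
                "InstanceId": {"Ref": "BastionInstance"},
            },
        },
    },
}


def _referenced(node):
    """Yield every logical name used in a Ref or Fn::GetAtt under node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        elif set(node) == {"Fn::GetAtt"}:
            target = node["Fn::GetAtt"]   # ["Logical", "Attr"] or "Logical.Attr"
            yield target[0] if isinstance(target, list) else target.split(".", 1)[0]
        for value in node.values():
            yield from _referenced(value)
    elif isinstance(node, list):
        for value in node:
            yield from _referenced(value)


def dependencies(template):
    """Map each resource to the set of sibling resources it must wait for."""
    resources = template["Resources"]
    deps = {}
    for name, res in resources.items():
        wanted = set(_referenced(res.get("Properties", {})))
        explicit = res.get("DependsOn", [])   # explicit ordering, string or list
        wanted.update([explicit] if isinstance(explicit, str) else explicit)
        # Refs to parameters or pseudo parameters (AWS::Region, ...) are not resources.
        deps[name] = {d for d in wanted if d in resources and d != name}
    return deps


def creation_order(template):
    """Kahn's topological sort: every resource after everything it references.
    A cycle raises ValueError, as CloudFormation rejects such a template."""
    remaining = {name: set(d) for name, d in dependencies(template).items()}
    order = []
    while remaining:
        ready = sorted(name for name, d in remaining.items() if not d)
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        for name in ready:
            order.append(name)
            del remaining[name]
        for d in remaining.values():
            d.difference_update(ready)
    return order


if __name__ == "__main__":
    print(json.dumps(TEMPLATE, indent=2))
    print("creation order:", creation_order(TEMPLATE))
```

Run it and the printed order is the one the text describes: SG, then instance, then EIP. The SG opens port 22 to a single CIDR rather than 0.0.0.0/0; a bastion whose SG is wide open to the internet is the commonest mistake in this kind of template. CF also fails a stack whose resources reference each other in a cycle, which the resolver reproduces by raising ValueError.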

Let’s talk about the other sections of the template, which make it more useful and robust.

Besides the core sections (Version, Description, Resources), a template can carry further sections that make it more powerful; the two most useful are:

  1. Parameters
  2. Outputs

Parameters: This section makes a CF template generic, so one template serves multiple environments or different configurations of the same resources.

  1. The Parameters section is the input section of the template.
  2. In it we declare each input value, put validations and restrictions on it, and optionally give it a default value.

How Parameters work:

  1. For each value inside the resources that we want to supply from the command line when the template is run, we declare an input parameter in the Parameters section.
  2. When we run the template we pass the parameters with their values.
  3. Any value that satisfies the parameter's constraints can be passed, so one template can be run with different values according to its use.

Example: a parameter that restricts the key pair name the EC2 resource will use.

Description: shown in the console when the stack is created or updated.

Type: the data type of the parameter. Besides the general-purpose types, AWS provides types that CF validates against the resources that actually exist in the account.

There are various general-purpose parameter types available (example values in parentheses):

  1. String (Vaibhav)
  2. Number (1)
  3. List<Number> (1,2,3)
  4. CommaDelimitedList (1,2,3)

AWS-specific parameter types (example values in parentheses):

  1. AWS::EC2::Image::Id (ami-123awd89)
  2. AWS::EC2::Instance::Id (i-akjs12)
  3. AWS::EC2::SecurityGroup::Id (sg-123edf)
  4. AWS::Route53::HostedZone::Id (Z2Hzons3hdsk)
  5. AWS::EC2::KeyPair::KeyName (the key pair name used by the bastion example)

With these types CF rejects the stack before creating anything if the value does not exist in the account and region.

We can also put input validations on a parameter: AllowedValues (a fixed list), AllowedPattern (a regular expression the whole value must match), MinLength/MaxLength for strings and MinValue/MaxValue for numbers, with ConstraintDescription giving the message shown when a check fails. For secrets such as passwords, NoEcho masks the value in the console and in describe-stacks output.

We can also set a default value for a parameter.

Property of Default:

A Default is not mandatory. If a Default is set and no value is passed at run time via the CLI, the default is taken; a value passed at run time overrides the default. If a parameter has no Default and no value is passed, stack creation fails before any resource is created.

Inside a resource a parameter is referenced with the same Ref function used between resources, giving the parameter's logical name.

The parameter values are passed at run time via the CLI:

Here I create the stack with aws cloudformation create-stack, giving --stack-name ssh-bastion-host, pointing --template-body at the template on my file system (a file:// path), and passing each parameter with --parameters as a ParameterKey and ParameterValue pair.
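The Parameters section for the ssh-bastion-host stack, with a small emulation of how CF treats what --parameters supplies: defaults, run-time overrides, AllowedPattern and AllowedValues checks, and the failure when a parameter without a Default is omitted. This is an added example, not code from the original article or from AWS; the parameter names, the CIDR pattern and the sample values are constructed, and the account-side check that an AWS::EC2::KeyPair::KeyName really exists is not emulated.

```python
"""Added example (not from the original article or AWS): the Parameters
section of the ssh-bastion-host template and an emulation of how
CloudFormation applies Default values, CLI overrides and constraints before
it creates anything. Parameter names, the CIDR pattern and sample values are
constructed; the account-side check that an AWS::EC2::KeyPair::KeyName
really exists is not emulated."""
import re

# The CLI form the text describes (one ParameterKey/ParameterValue pair per parameter):
#   aws cloudformation create-stack --stack-name ssh-bastion-host \
#     --template-body file://bastion.json \
#     --parameters ParameterKey=KeyName,ParameterValue=bastion-key \
#                  ParameterKey=SshCidr,ParameterValue=10.0.0.0/8

PARAMETERS = {
    "KeyName": {
        "Type": "AWS::EC2::KeyPair::KeyName",
        "Description": "Name of an existing EC2 key pair for SSH access",
        # No Default: the stack cannot be created without a value.
    },
    "SshCidr": {
        "Type": "String",
        "Description": "CIDR block allowed to reach port 22 on the bastion",
        "Default": "203.0.113.0/24",   # constructed placeholder range
        # AllowedPattern must match the whole value (CloudFormation anchors it).
        "AllowedPattern": r"(\d{1,3}\.){3}\d{1,3}/\d{1,2}",
        "ConstraintDescription": "must be a CIDR block such as 10.0.0.0/8",
    },
    "InstanceType": {
        "Type": "String",
        "Default": "t2.micro",
        "AllowedValues": ["t2.micro", "t2.small", "t2.medium"],
    },
}


def parse_cli_parameters(args):
    """Turn 'ParameterKey=K,ParameterValue=V' strings into a {K: V} dict.
    (Values containing commas need the CLI's escaping and are out of scope.)"""
    supplied = {}
    for arg in args:
        fields = dict(part.split("=", 1) for part in arg.split(","))
        supplied[fields["ParameterKey"]] = fields["ParameterValue"]
    return supplied


def resolve_parameters(params, supplied):
    """Return the effective value of every parameter, or raise ValueError
    the way CloudFormation fails validation before any resource is created."""
    unknown = set(supplied) - set(params)
    if unknown:
        raise ValueError("parameters do not exist in the template: " + ", ".join(sorted(unknown)))
    resolved = {}
    for name, spec in params.items():
        if name in supplied:
            value = supplied[name]            # a run-time value overrides Default
        elif "Default" in spec:
            value = spec["Default"]
        else:
            raise ValueError(f"parameter {name} has no Default and no value was passed")
        if "AllowedValues" in spec and value not in spec["AllowedValues"]:
            raise ValueError(f"{name}: {value!r} is not one of {spec['AllowedValues']}")
        if "AllowedPattern" in spec and not re.fullmatch(spec["AllowedPattern"], value):
            raise ValueError(f"{name}: " + spec.get("ConstraintDescription", "does not match AllowedPattern"))
        if "MinLength" in spec and len(value) < int(spec["MinLength"]):
            raise ValueError(f"{name}: shorter than MinLength {spec['MinLength']}")
        if "MaxLength" in spec and len(value) > int(spec["MaxLength"]):
            raise ValueError(f"{name}: longer than MaxLength {spec['MaxLength']}")
        resolved[name] = value
    return resolved


if __name__ == "__main__":
    cli = ["ParameterKey=KeyName,ParameterValue=bastion-key",
           "ParameterKey=SshCidr,ParameterValue=10.0.0.0/8"]
    print(resolve_parameters(PARAMETERS, parse_cli_parameters(cli)))
```

Keep secrets out of Default values and mark them NoEcho. Note that the SshCidr pattern only checks syntax: 0.0.0.0/0 still matches it, so forbidding a world-open bastion is a job for a tighter AllowedPattern or an AllowedValues list of approved ranges.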

Let’s talk about another section:

Outputs: This section returns values describing the resources that were created (IDs, IP addresses, endpoints). It is how CF is integrated with other tools, and how scripts that call the AWS APIs pick up the resources a stack produced.

Whatever we write in the Outputs section can be fetched with an API call against the stack (describe-stacks), which is useful when writing programs or scripts for the infrastructure, or consumed by another tool.

Overview: outputs are populated once the stack has been created.

An Outputs entry has a logical name, an optional Description and a Value. The Value is often a Ref to a resource, which yields that resource's ID.

To get a specific attribute of a resource instead, we use the AWS-defined intrinsic function Fn::GetAtt.

Example: here I fetch the private IP (the PrivateIp attribute) of the EC2 resource; once the stack is created, that address appears in the stack's outputs.

Mappings section:

A more advanced section is Mappings. In brief, it is a fixed lookup table inside the template, used where one of several values has to be chosen based on a key.

Ex: we want a generic CF template that spins up an EC2 instance in different regions with a different image ID, depending on the region the stack is run in.

This is how the Mappings section is written:

Key-value store:

RegionAMI is the name of the mapping, us-east-1 and eu-west-1 are the top-level keys, and inside each of them is another key-value store (for example an AMI key holding that region's image ID).

Using it in the template:

In the Resources section the value is looked up with the intrinsic function Fn::FindInMap, giving the mapping name, the top-level key (usually the AWS::Region pseudo parameter, which CF sets to the region the stack runs in) and the second-level key.

Running with different regions: the same template, run in another region, picks up that region's image ID from the mapping.
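A template that combines the two sections just described, Outputs (Ref and Fn::GetAtt) and Mappings (Fn::FindInMap keyed on AWS::Region), plus a resolver that evaluates those intrinsic functions offline so the same template can be rendered for different regions. This is an added example, not code from the original article or from AWS; the AMI IDs per region, and the instance ID and private IP under RESOURCE_ATTRIBUTES that stand in for what AWS would return, are constructed.

```python
"""Added example (not from the original article or AWS): a template whose
Mappings section picks the AMI per region and whose Outputs section exposes
the instance ID (Ref) and private IP (Fn::GetAtt), plus a resolver for
Ref / Fn::FindInMap / Fn::GetAtt so both sections can be exercised offline.
AMI IDs, the region list and the values in RESOURCE_ATTRIBUTES are
constructed stand-ins for what AWS would return."""

TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Region-independent bastion with outputs",
    "Parameters": {
        "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"},
    },
    "Mappings": {
        # mapping name -> top-level key (region) -> second-level key -> value
        "RegionAMI": {
            "us-east-1": {"AMI": "ami-0aaaa1111bbbb2222"},   # placeholder IDs
            "eu-west-1": {"AMI": "ami-0cccc3333dddd4444"},
        },
    },
    "Resources": {
        "BastionInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "KeyName": {"Ref": "KeyName"},
                # AWS::Region is a pseudo parameter: the region the stack runs in.
                "ImageId": {"Fn::FindInMap": ["RegionAMI", {"Ref": "AWS::Region"}, "AMI"]},
                "InstanceType": "t2.micro",
            },
        },
    },
    "Outputs": {
        "InstanceId": {"Description": "Physical ID of the bastion",
                       "Value": {"Ref": "BastionInstance"}},
        "PrivateIp": {"Description": "Private IP of the bastion",
                      "Value": {"Fn::GetAtt": ["BastionInstance", "PrivateIp"]}},
    },
}

# Constructed: what AWS reports for each created resource (Ref -> PhysicalId).
RESOURCE_ATTRIBUTES = {
    "BastionInstance": {"PhysicalId": "i-0123456789abcdef0", "PrivateIp": "10.0.1.25"},
}


def resolve(node, template, region, params, attrs):
    """Recursively evaluate the intrinsic functions this template uses."""
    if isinstance(node, list):
        return [resolve(v, template, region, params, attrs) for v in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":
            if arg == "AWS::Region":
                return region
            if arg in params:
                return params[arg]
            if arg in attrs:
                return attrs[arg]["PhysicalId"]
            raise KeyError(f"unresolved Ref to {arg}")
        if key == "Fn::FindInMap":
            map_name, top, second = resolve(arg, template, region, params, attrs)
            try:
                return template["Mappings"][map_name][top][second]
            except KeyError:
                # Same failure CloudFormation gives for a region missing from the map.
                raise KeyError(f"no {map_name}[{top}][{second}] entry") from None
        if key == "Fn::GetAtt":
            logical, attr = arg if isinstance(arg, list) else arg.split(".", 1)
            return attrs[logical][attr]
    return {k: resolve(v, template, region, params, attrs) for k, v in node.items()}


def render(template, region, params, attrs=RESOURCE_ATTRIBUTES):
    """Return (resolved resource properties, resolved outputs) for one region."""
    resources = {name: resolve(res["Properties"], template, region, params, attrs)
                 for name, res in template["Resources"].items()}
    outputs = {name: resolve(out["Value"], template, region, params, attrs)
               for name, out in template.get("Outputs", {}).items()}
    return resources, outputs


if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        resources, outputs = render(TEMPLATE, region, {"KeyName": "bastion-key"})
        print(region, resources["BastionInstance"]["ImageId"], outputs)
```

On a real stack the same output values come back from aws cloudformation describe-stacks --stack-name ssh-bastion-host --query 'Stacks[0].Outputs'. A region missing from the mapping fails at evaluation time, which is the behaviour to want: pinning AMI IDs per region in Mappings means the template, not a lookup of "latest", decides which image runs, and adding a region is a deliberate, reviewable change.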

This is a brief introduction to AWS CloudFormation.

Image courtesy Pluralsight
