Amazon AWS SysOps – CloudFormation for SysOps
- CloudFormation Resources
Let’s talk about resources. Resources are the core of your CloudFormation templates and they’re mandatory: your CloudFormation template cannot work without the Resources block. The resources, as the name indicates, represent the different AWS components (it’s just a synonym) that will be created and configured. The resources are declared and they can reference each other, so you can link the resources together. For example, you can link a security group and an EC2 instance. AWS will figure out the creation, updates and deletion of the resources for us, which is super nice. And you should know there are over 224 types of resources.
So I cannot teach you all of them, right? But any resource has the following form: AWS, then the product name, and then the data type name. So usually, just by reading this identifier, you’re able to figure out what is going to be created. So how do I find all these resources? Documentation. There’s this great link that has all of them. So I can’t teach you all the resources, but I can teach you how to find the link that shows them. And then you just read the doc; for example, we’re going to read the doc together just for the EC2 instance, just to get a feeling for it. So the first web page I referenced to you is called the AWS resource types reference, and this contains all the resource types that are supported by CloudFormation. And the resource naming convention is here. And if you scroll down you can see there are a lot of resources. Honestly, there are too many to count. So we can see that we can create a resource for pretty much everything. Let’s scroll down and see if there is something we know. Yes, Auto Scaling.
We know how to create an Auto Scaling group. We’re able to create Auto Scaling groups, scaling policies and launch configurations, all through these CloudFormation resources. If we scroll down we’re able to do CodeBuild, CodeCommit, CodeDeploy and CodePipeline. So all these things we’ve seen before, we’re able to do them. And if we scroll down we can see there are the EC2 instances, the Elastic IP and then the security group. So let’s have a look at the EC2 instance because I think that’s the one we’re the most familiar with. So AWS::EC2::Instance creates an EC2 instance, that’s pretty obvious. Now we can scroll down and look at the syntax of how to declare this EC2 instance. We have a JSON form, which to me is a little bit unreadable. But we scroll down and we get the YAML form, which to me is much clearer.
So this is the YAML form for an EC2 instance. It must be of type AWS::EC2::Instance and it will have some properties. So when you create a resource, it must have a type, it must have properties, and the properties are going to be key-value pairs. So, as you can see here, you can customize a lot of things for your EC2 instance. For example, if you wanted to customize the IAM instance profile, we click on this and we get teleported to the documentation for that, and it says, okay, you need a string, it’s not required, and if you update this, there’s no interruption.
So that means that your EC2 instance won’t get terminated and recreated; it will just attach the instance profile to it. But if we change the image ID, for example, which is also a string but not required, then if we update it, it will do a replacement. That means that it will terminate the old instance and replace it with a new one. So let’s scroll back up. And so here we understand that there are so many things we can customize, and to know what we should specify, we should just look through the documentation. Now, if we look at what we created before, let’s just take the EC2 instance as an example. We have an availability zone, an image ID and an instance type. And so basically I knew how to fill those because if you click on AvailabilityZone, then you see that you have to specify the name of the AZ where the instance is located. And so this is quite great and you can just keep on going with this as much as you want. So now we understand basically how this was created. For fun, you could go into the resources here and see we have an EC2 instance, but also we have an EIP. And so if we look at EIP, let’s go back one up and then search for EIP on this page.
Here we go. We have EIP here, and we can see that the syntax is much shorter. We have an instance ID and a domain. And so the instance ID is what I have specified and the domain I have not specified. So here when we go back to our EIP, we can see that, yeah, it makes sense. I did specify the type to be AWS::EC2::EIP. And in terms of properties, I have only specified the instance ID. We’ll see what this Ref means in a second. Okay, but so the idea is that we are able to link the documentation to what we want to do. And so obviously for a security group, we need to provide the security group rules for ingress traffic. And because we can have many rules, they’re an array.
So let’s go to the security group documentation just to prove that point. Security group is right here and we go to YAML. And if we look at SecurityGroupIngress, we can see there is a list of Amazon EC2 security group rules. And so if we click on the EC2 security group rule and we go to YAML, we get all the parameters that are available. So going back to the syntax, we get this little hyphen here that defines it to be an array, and here we get the first rule and here we get the second rule. And so yeah, what we get out of this is that everything we configure through the UI can be written as code into your CloudFormation templates. And this is how you know how to write your CloudFormation templates. So that’s it for resources.
That’s honestly all you need to know. Just remember, there’s a type and there are properties, and all of this goes below the block called Resources. So you need to make sure there is a small indent underneath Resources every time you declare a resource. Now the frequently asked questions for resources: can I create a dynamic amount of resources? No, you cannot. Everything has to be declared, so you cannot perform code generation; there is no dynamic kind of code generation. And is every service supported? The answer is almost. There are only a few small ones that are not there yet. And you can work around that using AWS Lambda custom resources. Just a little bit of trivia here, you just need to know about it. We will not write custom resource Lambdas in this course. So that’s it for resources. Hope you enjoyed it, I hope that makes more sense now and I will see you in the next lecture.
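As an added example (not the lecture’s own template), here is a small Resources block that puts the pieces above together: a security group whose ingress rules are a hyphen-prefixed list, an EC2 instance linked to that group, and an EIP attached to the instance with Ref. The AMI ID is a placeholder, the admin CIDR is a constructed value, and the instance is assumed to be in the default VPC.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - an EC2 instance, an EIP and a security group linked together

Parameters:
  AdminCidr:
    Type: String
    Description: CIDR allowed to reach SSH (constructed value; keep it narrow, not 0.0.0.0/0)
    Default: 203.0.113.0/24
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'

Resources:
  # Every resource has a Type (AWS::<product>::<data type>) and Properties (key-value pairs)
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web from anywhere, SSH from the admin range only
      SecurityGroupIngress:           # a list: each rule starts with a hyphen
        - IpProtocol: tcp            # rule 1: HTTP
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp            # rule 2: SSH restricted by the parameter
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr

  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-1a
      ImageId: ami-PLACEHOLDER       # AMI IDs are region-specific; placeholder, not a real ID
      InstanceType: t2.micro
      SecurityGroupIds:
        - !GetAtt WebSecurityGroup.GroupId   # links the instance to the security group above

  MyEIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref MyInstance    # Ref on an EC2 instance returns its instance ID
```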
- CloudFormation Mappings
Now let’s talk about mappings. Mappings are fixed variables within your CloudFormation template. They have to be hardcoded. They’re very handy if you need to hardcode some values based on the different environments you’re in, so dev versus prod, or regions such as AWS regions, or AMI types, etc. And as I said, all the values must be written out explicitly in your template. As an example, here is a mapping and this is how you write it. So you have a Mappings section and then you have the name of the mapping. Then you have a key and underneath you have keys called name and values. So it’s quite a low level type of architecture. And so to make it more concrete, we may have a RegionMap to map regions to AMIs. And so we’re saying, okay, within us-east-1, us-west-1 or eu-west-1, based on whether you choose a 32-bit or 64-bit type of architecture, here is the AMI ID you should be using.
So overall this is just hardcoding, saying okay, based on where the template is being run, this is the AMI I want to use. So when do we use mappings versus parameters? Well, mappings are great when you know in advance all the values that can be taken. So for example AMI IDs, and you can deduce them from variables such as region, AZ, account, environment, et cetera, whatever you can think of.
To me they allow safer control over the templates. But if you need the values to be really user specific, where the user should input a value and you don’t know in advance what it can be, then you should use parameters. Now, to access the mapping values, there is this function called Fn::FindInMap, and basically it returns a value from a specific key. And the shorthand syntax is this one. We use !FindInMap with the little exclamation point and we have to give the map name, then the top-level key and the second-level key. So three parameters right here. And so that’s something you should know for the exam, just the syntax of it, okay? And so if we look at this little CloudFormation template, we can see we have a RegionMap that we have defined before.
And so if we want to create an EC2 instance and reference the right AMI ID, then we use the FindInMap function for the image ID. And so the first one is the map name. So we’ll use RegionMap because here it’s called RegionMap. The second is that we want a reference to the AWS region we’re in. So we’re going to use the pseudo parameter we just talked about and the Ref function. So we reference the AWS::Region the CloudFormation template is running in. So for example, say we’re running in us-east-1, then we are in this block, and then we say 32 as the second-level key. So we look at the 32 key and we get the value from it. We’ll get this ami-6411e20d. So this is the one that will be selected. So this is all you should know about mappings. Just remember the syntax with the FindInMap function and the fact that mappings have to be written out explicitly in your templates.
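As an added example (not the lecture’s own template), here is a RegionMap resolved with FindInMap in the way just described, extended with a second mapping keyed by environment so the same template picks both the AMI and the instance size. Only the us-east-1 32-bit AMI is the value quoted in the lecture; the other AMI IDs are placeholders, and the Architecture and EnvironmentType parameters are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - Mappings resolved with Fn::FindInMap

Parameters:
  Architecture:
    Type: String
    Default: "64"
    AllowedValues: ["32", "64"]       # the only valid second-level keys of RegionMap
  EnvironmentType:
    Type: String
    Default: dev
    AllowedValues: [dev, prod]        # the only valid top-level keys of EnvironmentMap

Mappings:
  # MapName -> TopLevelKey -> SecondLevelKey: value. Every value is hardcoded;
  # there is no way to compute these at deploy time.
  RegionMap:
    us-east-1:
      "32": ami-6411e20d              # value used in the lecture
      "64": ami-PLACEHOLDER-use1-64   # placeholders below, not real AMI IDs
    us-west-1:
      "32": ami-PLACEHOLDER-usw1-32
      "64": ami-PLACEHOLDER-usw1-64
    eu-west-1:
      "32": ami-PLACEHOLDER-euw1-32
      "64": ami-PLACEHOLDER-euw1-64
  EnvironmentMap:
    dev:
      InstanceType: t2.micro
    prod:
      InstanceType: t2.large

Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      # !FindInMap [MapName, TopLevelKey, SecondLevelKey]
      # AWS::Region is a pseudo parameter, so the stack picks the AMI for whichever
      # region it is created in without anyone editing the template.
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", !Ref Architecture]
      InstanceType: !FindInMap [EnvironmentMap, !Ref EnvironmentType, InstanceType]
```

Creating this stack in us-east-1 with Architecture 32 resolves ImageId to ami-6411e20d; a region with no top-level key in RegionMap fails at create time rather than silently launching the wrong AMI.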
- CloudFormation Outputs
So outputs, let’s talk about outputs. And that’s actually a very popular exam question, so pay attention. The Outputs section is optional, but we can declare optional outputs. And if we export these outputs, we’ll be able to import their values into other stacks. And by stack, I mean CloudFormation templates. So you can start linking your CloudFormation templates. We can also view the outputs in the AWS console or using the AWS CLI. So it allows us to quickly retrieve the value of an output straight from the UI.
In terms of example, you can have a network CloudFormation template, and then you would export outputs that would be, for example, the VPC ID and the subnet IDs, and you would reuse those in other CloudFormation templates. And so it enables cross-stack collaboration, where you let the experts handle their own parts, the VPC and the subnets.
And you as an app developer, you just reference these values out of the box. Something you should know though, is that if you start using the CloudFormation outputs and they start being referenced from another CloudFormation stack, you cannot delete a stack that still has outputs being referenced somewhere else. So it’s just something to know. Now, if we look at an example of the outputs, in this one we are creating an SSH security group as part of the template. And so we export that value as an output, okay, and basically other templates will be able to get the value of that security group ID. So the syntax is pretty easy.
We have the Outputs section right here, and we have the name of the security group, and we have the description, so the SSH security group for our company, and here’s the value. So we provide a reference to the security group that was created within the resources. And then we have to specify this Export block right here. Okay, this is an optional block. If you don’t specify it, then the value does not get exported and it will not be able to be imported. So when we specify the Export value, we can say, okay, this value, this SSH security group ID, is going to be exported under the name SSHSecurityGroup. So now how do we import that value using a cross-stack reference?
And so we’ll create a second template that leverages the security group. And for this, we’ll use the Fn::ImportValue function, an interesting function, and again we can’t delete the previous stack until this stack is deleted. So if we look at this little snippet of code right here, we can see that for the security groups, at the very bottom, there’s the shorthand syntax for ImportValue. And then we reference the exact same name as before, called SSHSecurityGroup.
So just a reminder, before, we exported the value as SSHSecurityGroup, and here we import the value SSHSecurityGroup. So outputs and exports are a very popular question at the exam, especially if they start asking you how to link CloudFormation templates or retrieve a value from one to another. So you should know about it, you should know about the syntax and you should know about the ImportValue function. So I hope that was helpful and I will see you in the next lecture.
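As an added example (not the lecture’s own files), here are the two templates of the cross-stack pattern above in one listing, separated by a YAML `---` document marker: the first exports the security group ID under the name SSHSecurityGroup, the second imports it. The admin CIDR and the AMI ID are placeholders; GetAtt GroupId is used for the output value so the exported string is unambiguously a group ID.

```yaml
# Template 1, deployed as the "network" stack. It owns the SSH security group.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  SSHSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH security group for our company
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 203.0.113.0/24      # constructed admin range; SSH is never opened to 0.0.0.0/0

Outputs:
  SSHSecurityGroupId:
    Description: SSH security group for our company
    Value: !GetAtt SSHSecurityGroup.GroupId
    Export:                            # optional; without it the value cannot be imported
      Name: SSHSecurityGroup           # export names are unique per account and region

---
# Template 2, deployed as the "app" stack. It consumes the export. While this stack
# exists, CloudFormation refuses to delete the "network" stack or remove the export,
# so the consumer can rely on the referenced group staying in place.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-1a
      ImageId: ami-PLACEHOLDER         # placeholder, not a real AMI ID
      InstanceType: t2.micro
      SecurityGroupIds:
        - !ImportValue SSHSecurityGroup   # must match the Export Name above exactly
```

After the first stack is created, `aws cloudformation list-exports` shows the SSHSecurityGroup name and its value, which is the quickest way to check what the second template will import.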
- CloudFormation Conditions
Finally we’re going to talk about the conditions. And so conditions are used to control the creation of resources or outputs based on some statements, logical statements. And the conditions can be whatever you want them to be. But the common ones are that maybe you want to say if you’re in dev, or if you’re in test, or if you’re in prod, create or don’t create that resource. Maybe it can be based on the region, maybe based on a parameter value.
And so each condition can reference another condition, a parameter value or a mapping, so you can compose them. And so to define them, to make it a bit more concrete, here is a condition that I’ve created under the block Conditions. And so here we say, okay, do we want to create the production resources? And for this you need to have the environment type, and that may be a parameter. This environment type right here, we need the reference, so the value of this parameter, to be equal to the string prod. And so here basically this whole thing is going to be true only if the environment is equal to prod.
And so using this CreateProdResources condition we’re able to basically condition other resources. So it’s up to you how you want to use it. And so all the functions you can use in there are going to be And, Equals, If, Not and Or. And so these are logical functions and you can compose them as much as you want. Now, how do we use a condition? Well, you can apply it, as I said, to resources, outputs, et cetera. And so if we look at a resource, for example MountPoint, the type of it is AWS::EC2::VolumeAttachment. And this only gets created if the condition CreateProdResources from before is true. So that gives you an idea of how conditions are used, basically on the same level as the type right here, underneath the name of the resource.
So that’s it for conditions. I think they’re pretty advanced, I’m not sure they ask about them at the exam, but for you it’s still good to know that they exist and that you can have a little bit more logic in your CloudFormation templates. I hope that was helpful and I will see you in the next lecture.
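As an added example (not the lecture’s own template), here is the CreateProdResources condition from the lecture written out in full and applied in the three places a condition can go: on a resource, on an output, and inside Fn::If for a single property value. The EnvironmentType parameter, the volume size and the AMI placeholder are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - Conditions on resources, outputs and property values

Parameters:
  EnvironmentType:
    Type: String
    Default: dev
    AllowedValues: [dev, test, prod]

Conditions:
  # true only when the parameter value is exactly the string "prod"
  CreateProdResources: !Equals [!Ref EnvironmentType, prod]
  # conditions can reference other conditions and be combined with And / Or / Not
  IsProdInUsEast1: !And [!Condition CreateProdResources, !Equals [!Ref "AWS::Region", us-east-1]]

Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-1a
      ImageId: ami-PLACEHOLDER           # placeholder, not a real AMI ID
      # Fn::If chooses one value per environment without duplicating the resource
      InstanceType: !If [CreateProdResources, t2.large, t2.micro]

  NewVolume:
    Type: AWS::EC2::Volume
    Condition: CreateProdResources       # same level as Type, under the resource name
    Properties:
      Size: 100
      Encrypted: true                    # production data volume is encrypted at rest
      AvailabilityZone: !GetAtt MyInstance.AvailabilityZone

  MountPoint:
    Type: AWS::EC2::VolumeAttachment
    Condition: CreateProdResources       # only created when the condition is true
    Properties:
      InstanceId: !Ref MyInstance
      VolumeId: !Ref NewVolume           # safe: both resources share the same condition
      Device: /dev/sdh

Outputs:
  ProdVolumeId:
    Condition: IsProdInUsEast1           # outputs can be conditioned as well
    Value: !Ref NewVolume
```

With EnvironmentType left at dev, the stack contains only MyInstance as a t2.micro; a resource without a condition that referenced NewVolume would fail validation in that case, which is why every reference to a conditional resource must carry the same (or a stricter) condition.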