CloudFormation Flashcards
What does AWS CloudFormation do?
It declares and deploys infrastructure from a declarative template syntax.
What file formats are accepted by CloudFormation?
JSON & YAML
Name two key benefits over procedural scripting?
Infrastructure is now repeatable and versionable.
Name the CloudFormation concepts.
Stacks, change sets, permissions, templates, and intrinsic functions
What is a CloudFormation Stack?
A stack represents a collection of resources to deploy and manage by AWS CloudFormation.
Does modifying the stack alter the underlying resources?
Yes, e.g. removing a resource from the stack and then updating the stack terminates that resource.
Can manual updates of resources in a stack cause future stack operations to fail?
Yes, because of inconsistencies in state that CloudFormation expects and the actual resource state.
What are CloudFormation Change Sets?
A change set is a description of the changes that will occur to a stack, should the changes be submitted.
When to use CloudFormation Change Sets?
To know what changes will occur to resources before the update actually occurs.
What if Change Sets modifications are acceptable?
The change set can execute on the stack and implement the proposed modifications.
Under which role does CloudFormation function?
The user or role that invokes the stack action.
What to do if there is a need to restrict a user’s general permissions?
A service role can be provided that the stack uses for the create, update, and delete actions. It also comes with an increased default timeout. Make sure that the role's trust policy allows cloudformation.amazonaws.com to assume the role.
What permissions are required by the user passing the service role to CloudFormation?
The iam:PassRole permission. Not needed for updates, though.
Where does the template have to be when submitting?
Local file or S3
Where is the template stored after submitting?
And what permissions are required for storage?
On S3 on our behalf. Required permissions for user or service role have to include:
cloudformation:CreateUploadBucket
s3:PutObject
s3:ListBucket
s3:GetObject
s3:CreateBucket
What is a high-level structure of template with all properties?
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "String Description", "Metadata": { }, "Parameters": { }, "Mappings": { }, "Conditions": { }, "Transform": { }, "Resources": { }, "Outputs": { } }
What sections are required by CloudFormation in a template?
Only the “Resources” section is required.
What does the Metadata section do in a template?
Allows you to provide structural details about the template. The metadata provided can be referenced in other sections and on EC2 instances being provisioned by CloudFormation.
"Metadata": { "ApplicationLayer": { "Description": "Information about resources in the app layer." }, "DatabaseLayer": { "Description": "Information about resources in the DB layer." } }
What does the Parameters section do in a template?
Provides inputs to a template, either when creating or when updating the stack.
Which 2 things have to be provided for a parameter in a template?
A logical ID (aka Name) & a value, either default or provided during execution.
Can parameters outside a single template be referenced?
No.
Parameter in template example with reference:
This example defines a String parameter named InstanceTypeParam with a default value of t2.micro. The parameter allows t2.micro, m1.small, or m1.large. The AllowedValues section specifies what options you can select for this parameter in the AWS CloudFormation console. AWS CloudFormation will throw an error if you add a value not in AllowedValues.
"Parameters": {
"InstanceTypeParam": {
"Type": "String",
"Default": "t2.micro",
"AllowedValues": [ "t2.micro", "m1.small", "m1.large" ],
"Description": "Enter t2.micro, m1.small, or m1.large. Default is t2.micro."
}
}
Once you specify a parameter, you can use it within the template using the Ref intrinsic function. When AWS CloudFormation evaluates it, the Ref statement converts it to the value of the parameter.
"EC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": { "Ref": "InstanceTypeParam" },
"ImageId": "ami-12345678"
}
}
What parameter types does CloudFormation support?
String
Number
List of numbers
Comma-delimited list
AWS parameter types
AWS Systems Manager Parameter Store (Systems Manager) parameter types (state key)
What does the Mappings section do in a template?
Creates rudimentary lookup tables that can be referenced in other sections of the template.
How to query values within a mapping?
Use the Fn::FindInMap intrinsic function.
What does the Conditions section do in a template?
Uses intrinsic functions to evaluate multiple inputs against each other.
What does the Transforms section do in a template?
Allows template snippets or other templates to be reused within another template.
What are the two types of Transforms?
AWS::Include Transform
AWS::Serverless Transform
How does AWS::Include Transform work?
Acts as a tool to import snippets from Amazon S3 buckets into the template being developed.
At what template levels can AWS::Include Transform be called?
Top level, declared as “Transform”
{ "Transform" : { "Name" : "AWS::Include", "Parameters" : { "Location" : "s3://MyAmazonS3BucketName/MyFileName.json" } } }
and in nested sections declared as “Fn::Transform”
{ "Fn::Transform" : { "Name" : "AWS::Include", "Parameters" : { "Location" : "s3://MyAmazonS3BucketName/MyFileName.json" } } }
How does AWS::Serverless Transform work?
Converts AWS Serverless Application Model (SAM) templates to valid CloudFormation templates.
SAM can be used with Lambda, API Gateway, and DynamoDB.
What does the Resources section do in a template?
Declares the actual resources to be provisioned and their properties. Each resource needs a logical ID.
{ "Resources": { "MyBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "MyBucketName1234" } } } }
Types of resource properties.
Each one can be optional or required:
String List of strings Boolean References to parameters or pseudoparameters Intrinsic functions
What does the Outputs section do in a template?
Outputs are values that can be made available to use outside a single stack.
"Outputs" : { "BackupLoadBalancerDNSName" : { "Description": "The DNSName of the backup load balancer", "Value" : { "Fn::GetAtt" : [ "BackupLoadBalancer", "DNSName" ]} } }
How to refer to outputs of a template?
Cross-stack references
Nested stacks
Describe-stack API calls
AWS CloudFormation console
Why use intrinsic functions in a template?
To add dynamic functionality to a template.
Name intrinsic functions
Fn::Base64
{ "Fn::Base64": valueToEncode }
Fn::Cidr
{ "Fn::Cidr": [ ipBlock, count, sizeMask ] }
Fn::FindInMap
{ "Fn::FindInMap": [ "MapName", "TopLevelKey", "SecondLevelKey" ] }
Consider the following Mappings section. Evaluated in us-west-1, the Fn::FindInMap call below would return ami-c9c7978c.
"Mappings" :
{ "RegionMap" : {
"us-east-1" : { "32" : "ami-6411e20d", "64" : "ami-7a11e213" },
"us-west-1" : { "32" : "ami-c9c7978c", "64" : "ami-cfc7978a" },
"eu-west-1" : { "32" : "ami-37c2f643", "64" : "ami-31c2f645" }
} }
...
{ "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "32" ] }
Fn::GetAtt
{ "Fn::GetAtt" : [ "logicalIDOfResource", "attributeName" ] }
Fn::GetAZs
{ "Fn::GetAZs" : "region" }
Fn::Join
Fn::Select
{ "Fn::Select" : [ index, listOfObjects ] }
Fn::Split
{ "Fn::Split" : [ "delimiter", "source string" ] }
Fn::Sub
{
"Fn::Sub": [ "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}", { "vpc": { "Ref": "MyVPC" } } ]
}
Ref
{ "Ref" : "logicalName" }
Name conditional functions
Other than Fn::If, you must use all other condition functions within the Conditions section of a template. The Fn::If intrinsic function allows you to pass different data to resource properties depending on the state of the referenced condition.
"Fn::And": [{condition}, {...}]
"Fn::Equals" : ["value_1", "value_2"]
"Fn::If": [condition_name, value_if_true, value_if_false]
"Fn::Not": [{condition}]
"Fn::Or": [{condition}, {...}]
What are the 3 built-in Metadata Keys of a template’s metadata section?
AWS::CloudFormation::Init
AWS::CloudFormation::Interface
AWS::CloudFormation::Designer
Example of AWS::CloudFormation::Init Metadata and its config keys
"Resources": { "MyInstance": { "Type": "AWS::EC2::Instance", "Metadata" : { "AWS::CloudFormation::Init" : { "config" : { "packages" : { }, "groups" : { }, "users" : { }, "sources" : { }, "files" : { }, "commands" : { }, "services" : { } } } }, "Properties": { } } }
What does Metadata’s AWS::CloudFormation::Init do?
Defines what operations the cfn-init helper script performs on EC2 instances provisioned by AWS CloudFormation
What does Metadata's AWS::CloudFormation::Init packages config key do?
Allows installation of packages on the system by one of the supported package managers: yum, apt, python and others. A package name, a package name with version, or a URL can be provided.
"packages": { "rpm" : { "epel" : "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm" }, "yum" : { "httpd" : [], "php" : [], "wordpress" : [] } }
What does Metadata's AWS::CloudFormation::Init groups config key do?
Creates Linux/UNIX groups on the target instance. The group name is mandatory, the group id is optional.
"groups" : {
"groupOne" : {},
"groupTwo" : { "gid" : "45" }
}
What does Metadata's AWS::CloudFormation::Init users config key do?
Creates Linux/UNIX users on the instance. Users are non-interactive by default; this can be changed afterwards.
The default user shell is set to /sbin/nologin.
"users" : { "myUser" : { "groups" : ["groupOne", "groupTwo"], "uid" : "50", "homeDir" : "/tmp" } }
What does Metadata's AWS::CloudFormation::Init sources config key do?
Downloads archives from remote locations and, unlike the files key, also unpacks them.
"sources" : {
"/etc/myapp" :
"https://s3.amazonaws.com/mybucket/myapp.tar.gz"
}
What does Metadata's AWS::CloudFormation::Init files config key do?
Creates files from inline content or URLs.
"files" : { "/tmp/setup.mysql" : {
"content" : { "Fn::Join" : [ "", [
"CREATE DATABASE ", { "Ref" : "DBName" }, ";\n",
"CREATE USER '", { "Ref" : "DBUsername" }, "'@'localhost' IDENTIFIED BY '",
{ "Ref" : "DBPassword" }, "';\n",
"GRANT ALL ON ", { "Ref" : "DBName" }, ".* TO '", { "Ref" : "DBUsername" },
"'@'localhost';\n",
"FLUSH PRIVILEGES;\n" ]]},
"mode" : "000644", "owner" : "root", "group" : "root"
} }
What does Metadata's AWS::CloudFormation::Init commands config key do?
Allows the execution of arbitrary commands on an EC2 instance. Commands run in alphabetical order of their names.
"commands" : { "test" : { "command" : "echo \"$MAGIC\" > test.txt", "env" : { "MAGIC" : "I come from the environment!" }, "cwd" : "~", "test" : "test ! -e ~/test.txt", "ignoreErrors" : "false" } }
What does Metadata's AWS::CloudFormation::Init services config key do?
Defines which services are enabled or disabled. Linux uses sysvinit and Windows uses the Service Manager.
Services can be configured to restart when dependencies update, such as files or packages.
"services" : { "sysvinit" : { "nginx" : { "enabled" : "true", "ensureRunning" : "true", "files" : ["/etc/nginx/nginx.conf"], "sources" : ["/var/www/html"] } } }
What does Metadata's AWS::CloudFormation::Init configSets key do?
Config keys can be organized into configSets, which allow groups of configurations to be called at different times during an instance's setup process and change the order of execution.
"AWS::CloudFormation::Init" : { "configSets" : { "ascending" : [ "config1" , "config2" ], "descending" : [ "config2" , "config1" ] }, "config1" : { "commands" : { "test" : { "command" : "echo \"$CFNTEST\" > test.txt", "env" : { "CFNTEST" : "I come from config1." }, "cwd" : "~" } } }, "config2" : { "commands" : { "test" : { "command" : "echo \"$CFNTEST\" > test.txt", "env" : { "CFNTEST" : "I come from config2" }, "cwd" : "~" } } } }
How to apply AWS::CloudFormation::Init metadata?
To apply the metadata section, instances provisioned by the template must call the cfn-init helper script as part of UserData execution, either in the AWS::EC2::Instance UserData property or in the UserData property of AWS::AutoScaling::LaunchConfiguration.
UserData must be passed in Base64 format.
Stack name and resource logical ID have to be provided.
Optionally, configSet or list of configSets can be executed in the call.
"UserData" : { "Fn::Base64" :
{ "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"# Install the files and packages from the metadata\n", "/opt/aws/bin/cfn-init -v ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource WebServerInstance ",
" --configsets InstallAndRun ",
" --region ", { "Ref" : "AWS::Region" }, "\n" ]]}
}
What does Metadata’s AWS::CloudFormation::Interface do?
Details how to modify the ordering and presentation of parameters in the AWS CloudFormation console. By default, parameters display alphabetically.
Only for visual appearance in the CloudFormation console.
"Metadata" : { "AWS::CloudFormation::Interface" : { "ParameterGroups" : [ ParameterGroup, ... ], "ParameterLabels" : ParameterLabel } }
What are the two child keys of Metadata’s AWS::CloudFormation::Interface?
ParameterGroups & ParameterLabels
What do Metadata’s AWS::CloudFormation::Interface ParameterGroups do?
Organize sets of parameters into logical groupings, which are separated by a horizontal line in the console.
Each entry in ParameterGroups is defined as an object with a label key and parameter key.
"ParameterGroups" : [ {
"Label" : { "default" : "Network Configuration" },
"Parameters" : [ "VPCID", "SubnetId", "SecurityGroupID" ] }
]
What do Metadata’s AWS::CloudFormation::Interface ParameterLabels do?
Define friendly names for parameters in the console.
"ParameterLabels" : {
"VPCID" : { "default" : "Which VPC should this be deployed to?" }
}
What does Metadata’s AWS::CloudFormation::Designer do?
Specifies the visual layout of resources when designing templates in CloudFormation Designer, a web-based drag-and-drop GUI.
Which AWS services help CloudFormation to provision and configure custom resources?
CloudFormation uses two custom resource providers.
AWS Lambda and Amazon SNS topic.
How does CloudFormation actually provide custom resources?
- In the custom resource declaration, there has to be a ServiceToken property along with optional ones. The service token acts as a reference to where custom requests are sent; it references either a Lambda function or an SNS topic. Any input parameters are sent with the request body.
- The resource provider, after processing the request, sends either a SUCCESS or FAILED result to an S3 URL that was specified in the request body.
- CloudFormation monitors this bucket and resumes processing once it has an answer.
Can custom resources be accessed as outputs in CloudFormation?
Yes, the properties can be accessed with Fn::GetAtt and the logical ID of the resource.
Why use CloudFormation custom resources?
Some resources are not accessible by CloudFormation (AWS and non-AWS) but still required by the app.
AWS Lambda backed custom resources:
The custom resource has to be able to handle create, update, and delete actions.
"AMIInfo": { "Type": "Custom::AMIInfo", "Properties": { "ServiceToken": { "Fn::GetAtt" : ["AMIInfoFunction", "Arn"] }, "Region": { "Ref": "AWS::Region" }, "OSName": { "Ref": "WindowsVersion" } } }
Which permissions does the role that executes the custom resource's Lambda function require, at minimum?
logs:CreateLogGroup
logs:CreateLogStream
logs:PutLogEvents
What is the difference between Lambda and SNS backed custom resources?
Lambda functions have an execution time limit of 15 minutes, after which the function exits prematurely.
When custom resources take a long time to provision or update, use SNS.
With SNS, a notification is sent to the topic whenever the custom resource is triggered.
What happens if a custom resource does not provide a response to an update action?
The custom resource provider needs to respond to every action type (create, delete, update), both on success and on failure. Otherwise the entire stack action will fail.
How can we ensure that one resource is only created after another specific resource?
Use the DependsOn attribute with the other resource's logical ID.
{
"Resources" : {
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance", "Properties" : {
"ImageId" : {
"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]
} },
"DependsOn" : "myDB" },
"myDB" : {
"Type" : "AWS::RDS::DBInstance", "Properties" : {
...
} } } }
How can a developer make CloudFormation confirm that a resource was created successfully?
Using the CreationPolicy attribute.
CloudFormation will not mark the resource as complete until the resource itself sends the defined number of success signals.
AutoScalingGroup resources require MinSuccessfulInstancesPercent.
"AutoScalingGroup": { "Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": { "AvailabilityZones": { "Fn::GetAZs": "" }, "LaunchConfigurationName": { "Ref": "LaunchConfig" }, "DesiredCapacity": "3", "MinSize": "1", "MaxSize": "4" }, "CreationPolicy": { "ResourceSignal": { "Count": "3", "Timeout": "PT15M" } } }
Can we also use arbitrary pauses in CloudFormation?
Yes, using the AWS::CloudFormation::WaitCondition resource.
"WebServerGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup", "Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : "" }, "LaunchConfigurationName" : { "Ref" : "LaunchConfig" }, "MinSize" : "1",
"MaxSize" : "5",
"DesiredCapacity" : { "Ref" : "WebServerCapacity" }, "LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ]
} },
"WaitHandle" : {
"Type" : "AWS::CloudFormation::WaitConditionHandle"
},
"WaitCondition" : {
"Type" : "AWS::CloudFormation::WaitCondition", "DependsOn" : "WebServerGroup",
"Properties" : {
"Handle" : { "Ref" : "WaitHandle" },
"Timeout" : "300",
"Count" : { "Ref" : "WebServerCapacity" }
} }
Is there a different way to update a stack, except for re-creating the entire stack and change sets?
Yes, a stack update with an updated template will only modify the resources affected by the changes.
How to check who modified a certain stack?
All events triggered by a single stack action are assigned the same ClientRequestToken value.
Check the CloudTrail logs stored in S3 to get more information about the API calls.
Why use update policies?
To determine how CloudFormation responds to changes in Auto Scaling and Lambda resources.
IgnoreUnmodifiedGroupSizeProperties
"UpdatePolicy" : { "AutoScalingScheduledAction" : {
"IgnoreUnmodifiedGroupSizeProperties" : Boolean }
}
Why use deletion policies?
By default all resources are deleted once a stack is deleted. Setting the deletion policy to Retain prevents this.
Some resources can have a snapshot taken before being deleted:
AWS::EC2::Volume
AWS::ElastiCache::CacheCluster
AWS::ElastiCache::ReplicationGroup
AWS::RDS::DBInstance
AWS::RDS::DBCluster
AWS::Redshift::Cluster
{
"AWSTemplateFormatVersion" : "2010-09-09", "Resources" : {
"myS3Bucket" : {
"Type" : "AWS::S3::Bucket", "DeletionPolicy" : "Retain"
} }
}
Are there limits on CloudFormation templates?
Yes, there are limits on how large a template can grow, how many parameters, resources, and outputs it can have.
How to manage an infrastructure bigger than a single template allows?
Stack exports or nested stacks
How to export stack outputs?
"Outputs" : { "Logical ID" : { "Description" : "Information about the value", "Value" : "Value to return", "Export" : { "Name" : "Value to export" } } }
How to import a stack output from another template?
Use the intrinsic function Fn::ImportValue.
Only the export name is required.
What is a nested stack?
A single parent stack can create one or more AWS::CloudFormation::Stack resources, which act as child stacks that the parent manages.
What are the benefits of nested stacks?
Work around CloudFormation template limits
Separate resources into logical groups
Lets us separate duties
How to share data between stacks in a nested relationship?
Use a combination of stack outputs and the Fn::GetAtt function calls.
How to access an output created by a nested child stack from the parent stack:
{ "Fn::GetAtt" : [ "logicalNameOfChildStack", "Outputs.attributeName" ] }
How to prevent certain types of updates to a stack, or parts thereof, even though the user or roles do have the permissions to do so?
Stack Policies.
{ "Statement" : [ { "Effect" : "Allow", "Action" : "Update:*", "Principal": "*", "Resource" : "*" }, { "Effect" : "Deny", "Action" : "Update:*", "Principal": "*", "Resource" : "LogicalResourceId/ProductionDatabase" } ] }
{ "Statement" : [ { "Effect" : "Deny", "Principal" : "*", "Action" : "Update:*", "Resource" : "*", "Condition" : { "StringEquals" : { "ResourceType" : ["AWS::EC2::Instance", "AWS::RDS::DBInstance"] } } } ] }
What types of updates can be allowed or denied by stack policies?
Update:Modify: update actions where resources will experience some or no interruption
Update:Replace: update actions where replacement resources are created (the physical ID of the resource changes)
Update:Delete: update actions where resources are deleted from the stack
Update:*: all update actions
Once a stack policy has been set, it will need to be overridden during updates to protected resources. To do so, you supply a new, temporary stack policy.
What helper scripts does CloudFormation provide that are called by EC2’s UserData property?
cfn-init
cfn-signal
cfn-get-metadata
cfn-hup
What are CloudFormation StackSets?
They give users the ability to control, provision, and manage stacks across multiple accounts.
How can CloudFormation be used within CodePipeline?
As a deployment provider. CloudFormation can reference input parameters, stack policies, and other configuration data in the pipeline deployment.