Database Specialty - CloudFormation and Automation

Question 1

Infrastructure as Code

Answer 1

• Currently, we have been doing a lot of manual work
• All this manual work will be very tough to reproduce:
  
  • In another region
  • in another AWS account
  • Within the same region if everything was deleted
• Wouldn’t it be great, if all our infrastructure was… code?
• That code would be deployed and create / update / delete our infrastructure

Question 2

What is CloudFormation

Answer 2

• CloudFormation is a declarative way of outlining your AWS Infrastructure, for
  any resources (most of them are supported).
• For example, within a CloudFormation template, you say:
  
  • I want a security group
  • I want two EC2 machines using this security group
  • I want two Elastic IPs for these EC2 machines
  • I want an S3 bucket
  • I want a load balancer (ELB) in front of these machines
• Then CloudFormation creates those for you, in the right order, with the exact
  configuration that you specify

Question 3

Benefits of AWS CloudFormation (1/2)

Answer 3

• Infrastructure as code
  
  • No resources are manually created, which is excellent for control
  • The code can be version controlled for example using git
  • Changes to the infrastructure are reviewed through code
• Cost
  
  • Each resources within the stack is tagged with an identifier so you can easily see how
    much a stack costs you
  • You can estimate the costs of your resources using the CloudFormation template
  • Savings strategy: In Dev, you could automation deletion of templates at 5 PM and
    recreated at 8 AM, safely

Question 4

Benefits of AWS CloudFormation (2/2)

Answer 4

• Productivity
  
  • Ability to destroy and re-create an infrastructure on the cloud on the fly
  • Automated generation of Diagram for your templates!
  • Declarative programming (no need to figure out ordering and orchestration)
• Separation of concern: create many stacks for many apps, and many layers. Ex:
  
  • VPC stacks
  • Network stacks
  • App stacks
• Don’t re-invent the wheel
  
  • Leverage existing templates on the web!
  • Leverage the documentation

Question 5

How CloudFormation Works

Answer 5

• Templates have to be uploaded in S3 and then referenced in CloudFormation
• To update a template, we can’t edit previous ones. We have to reupload a new version
  of the template to AWS
• Stacks are identified by a name
• Deleting a stack deletes every single artifact that was created by
  CloudFormation.

Question 6

Deploying CloudFormation templates

Answer 6

• Manual way:
  
  • Editing templates in the CloudFormation Designer
  • Using the console to input parameters, etc
• Automated way:
  
  • Editing templates in a YAML file
  • Using the AWS CLI (Command Line Interface) to deploy the templates
  • Recommended way when you fully want to automate your flow

Question 7

CloudFormation Building Blocks

Answer 7

Templates components (one course section for each):
1. Resources: your AWS resources declared in the template (MANDATORY)
2. Parameters: the dynamic inputs for your template
3. Mappings: the static variables for your template
4. Outputs: References to what has been created
5. Conditionals: List of conditions to perform resource creation
6. Metadata

Templates helpers:
1. References
2. Functions

Question 8

YAML Crash Course

Answer 8

• YAML and JSON are the languages you can
  use for CloudFormation.
• JSON is horrible for CF
• YAML is great in so many ways
• Let’s learn a bit about it!
• Key value Pairs
• Nested objects
• Support Arrays
• Multi line strings
• Can include comments

Question 9

What are resources?

Answer 9

• Resources are the core of your CloudFormation template (MANDATORY)
• They represent the different AWS Components that will be created and
  configured
• Resources are declared and can reference each other
• AWS figures out creation, updates and deletes of resources for us
• There are over 224 types of resources (!)
• Resource types identifiers are of the form:
  AWS::aws-product-name::data-type-name

Question 10

How do I find resources documentation?

Answer 10

• I can’t teach you all of the 224 resources, but I can teach you how to
  learn how to use them.
• All the resources can be found here:
  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aw
  s-template-resource-type-ref.html
• Then, we just read the docs J
• Example here (for an EC2 instance):
  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aw
  s-properties-ec2-instance.html

Question 11

Analysis of CloudFormation Template

Answer 11

• Going back to the example of the introductory section, let’s learn why it
  was written this way.
• Relevant documentation can be found here:
• http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsproperties-ec2-instance.html
• http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsproperties-ec2-security-group.html
• http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/awsproperties-ec2-eip.htm

Question 12

What are parameters?

Answer 12

• Parameters are a way to provide inputs to your AWS CloudFormation
  template
• They’re important to know about if:
  
  • You want to reuse your templates across the company
  • Some inputs can not be determined ahead of time
• Parameters are extremely powerful, controlled, and can prevent errors
  from happening in your templates thanks to types.

Question 13

When should you use a parameter?

Answer 13

• Ask yourself this:
• Is this CloudFormation resource configuration likely to change in the future?
• If so, make it a parameter.
• You won’t have to re-upload a template to change its content

Question 14

How to Reference a Parameter

Answer 14

• The Fn::Ref function can be leveraged to reference parameters
• Parameters can be used anywhere in a template.
• The shorthand for this in YAML is !Ref
• The function can also reference other elements within the template

Question 15

Concept: Pseudo Parameters

Answer 15

• AWS offers us pseudo parameters in any CloudFormation template.
• These can be used at any time and are enabled by default

Question 16

What are mappings?

Answer 16

• Mappings are fixed variables within your CloudFormation Template.
• They’re very handy to differentiate between different environments
  (dev vs prod), regions (AWS regions), AMI types, etc
• All the values are hardcoded within the template

Question 17

When would you use mappings vs parameters ?

Answer 17

• Mappings are great when you know in advance all the values that can be
  taken and that they can be deduced from variables such as
  
  • Region
  • Availability Zone
  • AWS Account
  • Environment (dev vs prod)
  • Etc…
• They allow safer control over the template.
• Use parameters when the values are really user specific

Question 18

Fn::FindInMap
Accessing Mapping Values

Answer 18

• We use Fn::FindInMap to return a named value from a specific key
• !FindInMap [ MapName, TopLevelKey, SecondLevelKey ]

Question 19

What are outputs?

Answer 19

• The Outputs section declares optional outputs values that we can import into
  other stacks (if you export them first)!
• You can also view the outputs in the AWS Console or in using the AWS CLI
• They’re very useful for example if you define a network CloudFormation, and
  output the variables such as VPC ID and your Subnet IDs
• It’s the best way to perform some collaboration cross stack, as you let expert
  handle their own part of the stack
• You can’t delete a CloudFormation Stack if its outputs are being referenced
  by another CloudFormation stack

Question 20

Outputs Example

Answer 20

• Creating a SSH Security Group as part of one template
• We create an output that references that security group

Question 21

Cross Stack Reference

Answer 21

• We then create a second template that leverages that security group
• For this, we use the Fn::ImportValue function
• You can’t delete the underlying stack until all the references are deleted
  too.

Question 22

What are conditions used for?

Answer 22

• Conditions are used to control the creation of resources or outputs
  based on a condition.
• Conditions can be whatever you want them to be, but common ones
  are:
  
  • Environment (dev / test / prod)
  • AWS Region
  • Any parameter value
• Each condition can reference another condition, parameter value or
  mapping

Question 23

How to define a condition?

Answer 23

• The logical ID is for you to choose. It’s how you name condition
• The intrinsic function (logical) can be any of the following:
• Fn::And
• Fn::Equals
• Fn::If
• Fn::Not
• Fn::Or

Question 24

Using a Condition

Answer 24

• Conditions can be applied to resources / outputs / etc…

Resources:
MountPoint:
Type: “AWS: :EC2: :VolumeAttachment”
Condition: CreateProdResources

Question 25

CloudFormation
Must Know Intrinsic Functions

Answer 25

• Ref
• Fn::GetAtt
• Fn::FindInMap
• Fn::ImportValue
• Fn::Join
• Fn::Sub
• Condition Functions (Fn::If, Fn::Not, Fn::Equals, etc…)

Question 26

Fn::Ref

Answer 26

• The Fn::Ref function can be leveraged to reference
  
  • Parameters => returns the value of the parameter
  • Resources => returns the physical ID of the underlying resource (ex: EC2 ID)
• The shorthand for this in YAML is !Ref

DbSubnet1:
Type: AWS: :EC2: :Subnet
Properties:
VpcId: !Ref MyVPC

Question 27

Fn::GetAtt

Answer 27

• Attributes are attached to any resources you create
• To know the attributes of your resources, the best place to look at is
  the documentation.
• For example: the AZ of an EC2 machine!

Question 28

Fn::FindInMap
Accessing Mapping Values

Answer 28

• We use Fn::FindInMap to return a named value from a specific key
• !FindInMap [ MapName, TopLevelKey, SecondLevelKey ]

Question 29

Fn::ImportValue

Answer 29

• Import values that are exported in other templates * For this, we use the
  Fn::ImportValue function

Question 30

Fn::Join

Answer 30

• Join values with a delimiter
• • This creates “a:b:c”

Question 31

Function Fn::Sub

Answer 31

• Fn::Sub, or !Sub as a shorthand, is used to substitute variables from a
  text. It’s a very handy function that will allow you to fully customize your
  templates.
• For example, you can combine Fn::Sub with References or AWS Pseudo
  variables!

Question 32

Condition Functions

Answer 32

• The logical ID is for you to choose. It’s how you name condition
• The intrinsic function (logical) can be any of the following:
• Fn::And
• Fn::Equals
• Fn::If
• Fn::Not
• Fn::Or

Conditions:
CreateProdResources: !Equals [ !Ref EnvType, prod]

Question 33

CloudFormation Rollbacks

Answer 33

• Stack Creation Fails:
  
  • Default: everything rolls back (gets deleted). We can look at the log
  • Option to disable rollback and troubleshoot what happened
• Stack Update Fails:
  
  • The stack automatically rolls back to the previous known working state
  • Ability to see in the log what happened and error messages

Question 34

ChangeSets

Answer 34

• When you update a stack, you need to know what changes before it
  happens for greater confidence
• ChangeSets won’t say if the update will be successful

Question 35

Nested stacks

Answer 35

• Nested stacks are stacks as part of other stacks
• They allow you to isolate repeated patterns / common components in
  separate stacks and call them from other stacks
• Example:
  
  • Load Balancer configuration that is re-used
  • Security Group that is re-used
• Nested stacks are considered best practice
• To update a nested stack, always update the parent (root stack)

Question 36

CloudFormation – Cross Stacks

Answer 36

• Helpful when stacks have different lifecycles
• Use Outputs Export and Fn::ImportValue
• When you need to pass export values to
  many stacks (VPC Id, etc…)

Question 37

CloudFormation – Nested Stacks

Answer 37

• Helpful when components must be re-used
• Ex: re-use how to properly configure an
  Application Load Balancer
• The nested stack only is important to the
  higher level stack (it’s not shared)

Question 38

CloudFormation - StackSets

Answer 38

• Create, update, or delete stacks across multiple accounts and regions with a
  single operation
• Administrator account to create StackSets
• Trusted accounts to create, update, delete stack instances from StackSets
• When you update a stack set, all associated stack instances are updated throughout all accounts and regions.

Question 39

CloudFormation for DB Specialty Exam

Answer 39

• AWS::RDS::DBInstance
  https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws- properties-rds-database-instance.html
• Important Parameters:
  
  • DeleteAutomatedBackups: remove automated backups immediately after the DB
    instance is deleted. Default value: remove all automated backups
  • DeletionProtection: enable deletion protection on the DB in RDS. The database can’t
    be deleted while it has DeletionProtection on.
  • MasterUsername / MasterPassword: must be provided as text values (we’ll see how
    to handle that securely later on)
  • EnableIAMDatabaseAuthentication: can be enabled, does not replace Master
    username & password
  • DBClusterIdentifier: (optional) if the DB belongs to an Aurora DB cluster

Question 40

RDS and CloudFormation – DB Updates

Answer 40

• If Update Requires: Replacement:
  
  • New DB is created
  • Links are updated
  • Old DB is deleted
• If a DB instance is deleted or replaced during an update, AWS
  CloudFormation deletes all automated snapshots.
• However, it retains manual DB snapshots
• During an update that requires replacement, you can apply a stack
  policy to prevent DB instances from being replaced

Question 41

RDS and CloudFormation – database update

Answer 41

• Take a snapshot before updating an update. If you don’t, you lose
  the data when AWS CloudFormation replaces your DB instance.
  To preserve your data:
• Deactivate any applications that are using the DB instance so that there’s
  no activity on the DB instance.
• Create a snapshot of the DB instance
• If you want to restore your instance using a DB snapshot, modify the
  updated template with your DB instance changes and add
  the DBSnapshotIdentifier property with the ID of the DB snapshot that
  you want to use.
• After you restore a DB instance with a DBSnapshotIdentifier property,
  you must specify the same DBSnapshotIdentifier property for any future
  updates to the DB instance.
• Update the stack.
• DBSnapshotIdentifier is also useful for mass creating dev/test
  databases with some data from prod

Question 42

CloudFormation protections

Answer 42

• CloudFormation Stack Termination Protection: can’t delete the stack without removing it (but you can still update the stack)
• CloudFormation Stack Policy: prevent updates to CloudFormation templates.
• CloudFormation DeletionPolicy: what happens if a resource gets deleted
  * Delete: delete the resource (default behaviour for most resources)
  * Retain: do not delete the resources
  * Snapshot: (only to resources that support snapshot) snapshot then delete
• The default CloudFormation behavior for RDS depends on DBClusterIdentifier :
• If DBClusterIdentifier not specified (= non Aurora), CloudFormation will snapshot
• If DBClusterIdentifier is specified (=Aurora), CloudFormation deletes the DB instance

Question 43

Aurora with CloudFormation

Answer 43

• First create an AWS::RDS::DBCluster
• Then add AWS::RDS::DBInstance
• Default DeletionPolicy of
  RDS::DBCluster is Snapshot
  * Means if individual DBInstance are deleted, no snapshot is made (default)
  * If the DBCluster is deleted, a snapshot will be made
• RDS::DBInstance will inherit
  configurations

Question 44

CloudFormation Parameters

Answer 44

• Parameters are referenced using !Ref
• They can have 4 different sources:
  * (static) Given using the CLI / Management console
  * (static) Given using a flat file from local filesystem or S3
  * (dynamic) From the SSM Parameter Store
  * (dynamic) From AWS Secrets Manager
• The last two are the most secure way
• Exam trap: you cannot pass in KMS encrypted parameters through
  * Use SSM Parameter Store or Secrets Manager
  instead!

Question 45

CloudFormation Parameters - SSM

Answer 45

• Retrieve a String (plaintext) or SecureString
  (KMS encrypted) from SSM Parameter Store
  at runtime!
  
  • Amazing to store environment specific variables
  • Hierarchical way of storing parameters
• SSM CF parameters: will be resolved every time you run the template, does not work for SecureString.
• Dynamic parameter pattern:
  ‘{{resolve:ssm:parameter-name:version}}’, you
  must specify the exact version, works for
  SecureString.

Question 46

CF Parameters – Secrets Manager

Answer 46

• Secrets rotation + integration with RDS =
• Dynamic parameter pattern:
  ‘{{resolve:ssm:parameter-name:version}}’, you must
  specify the exact version
• Neither Secrets Manager nor CloudFormation logs
  or persists any resolved secret value
• Updating a secret in Secrets Manager does not
  automatically update the secret in CloudFormation
• To manage updating the secret in your template,
  consider using version-id to specify the version of
  your secret.
• {{resolve:secretsmanager:secret-id:secret- string:json-key:version-stage:version-id}

Question 47

Secrets Manager + RDS

Answer 47

1. Create a AWS::SecretsManager::Secret
   * Specify GenerateSecretString to randomly generate a secret
2. Create an AWS::RDS::DBInstance that references that secret
   * Using dynamic references
3. Create a
   AWS::SecretsManager::SecretTargetAttachment
   
   • Link to Secrets Manager secret and the RDS database together
   • Will add RDS properties to Secret Manager JSON

Question 48

Secrets Manager Rotation Schedule

Answer 48

4. Create a
   AWS::SecretsManager::RotationSchedule
   * It will create a Lambda
   function
   * You must do this after
   creating the secret
   attachment

Question 49

Other CloudFormation concepts

Answer 49

• CloudFormation Drift:
• See if the resource configurations have changed from the template over time
• Stack Set:
• Apply the same CloudFormation template into many accounts / regions
• Change Set:
• Evaluate the changes that will be applied before applying them (safety)