Thanks for joining our first CloudFormation hangout! Developer Community Manager Evan Brown (@evandbrown on GitHub and Twitter) will spend the first 15 minutes of the Hangout reviewing the major features that were introduced for CloudFormation in 2013, and the final 15 minutes answering your questions.
Watch the recording of the live session - including Q&A - below:
Q&A is enabled for this Hangout. To ask your question, click the Ask a new question button in the bottom-right corner of your screen, like so:
You can enter your questions at any point during the hangout. Keep in mind that it takes about 50 seconds before the audio and video to make it through all the tubes to your computer, so by the time you've typed your question we may be on another topic. But don't worry! We've got the final half of the Hangout reserved just for Q&A.
AWS CloudFormation lets you create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. Declare and manage your complete application environment, including VPCs, EC2 Instances in Auto Scaling Groups, RDS Databases, and more, all in a template file:
Store your template files in version control (e.g., git) and use them to launch identical stacks multiple times in multiple AWS Regions around the world.
Adds features like auto-refreshing stack events, a new stack launch and upate wizard that includes alphabetical ordering of input parameters.
You can toggle back to the previous console if you like. Please click the feedback link and give us your feedback.
- ELB Cross-Zone Load Balancing
- Elastic Beanstalk Worker Tier
Launched in GovCloud (US) in August. A variety of complete sample templates are available.
CloudFormation added support for a number of new AWS Resources and features in 2013, including:
"RedisCluster" : {
"Type": "AWS::ElastiCache::CacheCluster",
"Properties": {
"Engine" : "redis",
"NumCacheNodes" : "1"
...
}
}
-
Run from CLI:
aws cloudformation create-stack \ --stack-name redis-sample \ --template-url https://s3.amazonaws.com/cloudformation-templates-us-east-1/ElastiCache_Redis.template\ --parameters ...
"OptimizedInstance" : {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Properties" : {
"EbsOptimized" : "true",
}
}
Invoked when you change an ASG's Launch Configuration or Subnet group membership.
"ASG1" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {...}
"UpdatePolicy" : {
"AutoScalingRollingUpdate" : {
"MaxBatchSize" : "2",
"MinInstancesInService" : "6",
"PauseTime" : "PT12M5S"
}
}
}
"ReplicaDB" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"SourceDBInstanceIdentifier" : { "Ref" : "MasterDB" },
}
}
- Sample template
- Documentation
Including:
-
AssociatePublicIpAddressproperty forAWS::EC2::NetworkInterfacetype -
PrivateIpAddressesfor theAWS::EC2::Instancetype -
EnableDnsSupportandEnableDnsHostnamesproperties onAWS::EC2::VPCresource type -
AWS::ElastiCache::*resource types and properties
Create resources conditionally based on input parameters or mappings.
This snippet attaches an EBS volume conditionally, only when the EBSVolumeDeviceName != "No Volume", and sets the Iops property only if the instance type is EBSOptimized (as discovered in the InstanceConfig map):
{
"Parameters" : {
"EBSVolumeDeviceName" : {
"Description" : "Device name to attach an EBS volume (Default no EBS volume attached)",
"Type" : "String",
"Default" : "No Volume"
},
},
"Mappings" : {
"InstanceConfig" : {
"t1.micro" : { "Arch" : "PV64", "EBSOptimized" : "false" },
"m1.large" : { "Arch" : "PV64", "EBSOptimized" : "true" }
}
},
"Conditions" : {
"AttachVolume" : { "Fn::Not" : [{ "Fn::Equals" : [ { "Ref" : "EBSVolumeDeviceName" }, "No Volume" ]}]},
"IsEBSOptimized" : { "Fn::Equals" : [ { "Fn::FindInMap" : [ "InstanceConfig", { "Ref" : "InstanceType" }, "EBSOptimized" ]}, "true" ] }
},
"Resources" : {
"EBSVolume": {
"Type": "AWS::EC2::Volume",
"Condition" : "AttachVolume",
"Properties": {
"VolumeType" : { "Fn::If" : ["IsEBSOptimized", "io1", {"Ref" : "AWS::NoValue"}]},
"Iops" : { "Fn::If" : ["IsEBSOptimized", { "Ref" : "IOPs" }, {"Ref" : "AWS::NoValue"}]}
}
}
}
}
Speaking of Conditionals, the AWS Toolkit for Microsoft Visual Studio includes a CloudFormation plugin that provides IntelliSense editing for templates. Here's a shot of the editor in action:
Norm Johanson recently wrote a nice post about the editor and its new support for Conditional Resources.
Specify the name (i.e., Physical ID) of your choice for several AWS resources, including CloudWatch alarms, DynamoDB tables, Elastic Beanstalk applications and environments, S3 buckets, SNS topics, SQS queues, ElastiCache clusters, ELBs, and RDS db instances.
"MyQueue": {
"Type": "AWS::SQS::Queue",
"Properties" : {
"QueueName" : "TheRealNameOfTheQueue"
}
}
Custom Resources allow you to write custom code and define your own Resources that are part of a CloudFormation stack. Two of our CloudFormation engineers gave a deep, fantastic talk on the subject at re:Invent and released a framework to make development even easier. I encourage you to watch the video on YouTube:
Express permissions for IAM Users and Groups that grant access to Actions (e.g., DeleteStack) and Resources (e.g., a specific CloudFormation Stack). For example:
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Deny",
"Action":[
"cloudformation:DeleteStack",
"cloudformation:UpdateStack"
],
"Resource":"arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/*"
}]
}
Stack Policies are applied at the CloudFormation stack level (similar to how Bucket Policies are applied to S3 Buckets) and protect individual resources in your stack from being updated or deleted during stack update events. Stack Policies should be used only as a fail-safe to prevent accidental updates; use IAM policies to control access to Stacks and actions.
{
"Statement" : [
{
"Effect" : "Deny",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "LogicalResourceId/ProductionDatabase"
},
{
"Effect" : "Allow",
"Action" : "Update:*",
"Principal": "*",
"Resource" : "*"
}
]
}
Make calls to CloudFormation APIs or use the CloudFormation Management Console with STS credentials or as a Federated Identity user. Here's a picture:
I can retrieve a session token from STS and use the automatically-expiring credentials to make API calls to CloudFormation:
$> aws sts get-session-token
{
"Credentials": {
"SecretAccessKey": "ZpC-------------Tf/p",
"SessionToken": "AQoDYXdzELL//////////wEa8AEeI6Tbr4DUvHHxirqtRA9irfnG/f+/MnOW6vtZ7j++gUg0goK0d7gAgxJ3OlQU=",
"Expiration": "2013-12-20T12:26:44Z",
"AccessKeyId": "ASI----------WKIQ"
}
}
CloudFormation creates, updates and deletes resources in parallel in order to improve performance of these operations. For example, provisioning a RAID 0 setup, which involves the creation of multiple EBS volumes, is now faster because CloudFormation can provision the volumes in parallel. CloudFormation automatically determines which resources in a template can be created in parallel.
Use the DependsOn attribute for control over the order of resource creation.
CloudFormation allows nesting a stack as a resource inside a template (i.e., stacks in stacks in stacks). With Nested Stack Updates, updates initiated on a top-level stack will also updated its nested stacks automatically. Only stacks whose templates have changed will be updated.
Here's an example of a nested stack:
{
"Resources" : {
"myStack" : {
"Type" : "AWS::CloudFormation::Stack",
"Properties" : {
"TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template",
"TimeoutInMinutes" : "60"
}
}
}
}
- AWS Application Management Blog
- @AWSCloudFormer - CloudFormation on Twitter
- The Documentation
- re:Invent Session Videos
Was this Hangout helpful? Are you interested in more of them for 2014? Let me know! evbrown@amazon.com