In this article, by Lucas Chan and Rowan Udell, authors of the book, AWS Administration Cookbook, we will cover the following:
- Infrastructure as Code
- AWS CloudFormation
(For more resources related to this topic, see here.)
What is AWS?
Amazon Web Services (AWS) is a public cloud provider. It provides infrastructure and platform services at a pay-per-use rate. This means you get on-demand access to resources that you used to have to buy outright. You can get access to enterprise-grade services while only paying for what you need, usually down to the hour.
AWS prides itself on providing the primitives to developers so that they can build and scale the solutions that they require.
How to create an AWS account
In order to follow along, you will need an AWS account. Create an account here. by clicking on the Sign Up button and entering your details.
Regions and Availability Zones on AWS
A fundamental concept of AWS is that its services and the solutions built on top of them are architected for failure. This means that a failure of the underlying resources is a scenario actively planned for, rather than avoided until it cannot be ignored.
Due to this, all the services and resources available are divided up in to geographically diverse regions. Using specific regions means you can provide services to your users that are optimized for speed and performance.
Within a region, there are always multiple Availability Zones (a.k.a. AZ). Each AZ represents a geographically distinct—but still close—physical data center. AZs have their own facilities and power source, so an event that might take a single AZ offline is unlikely to affect the other AZs in the region.
The smaller regions have at least two AZs, and the largest has five.
At the time of writing this, the following regions are active:
| Code | Name | Availability Zones |
| us-east-1 | N. Virginia | 5 |
| us-east-2 | Ohio | 3 |
| us-west-1 | N. California | 3 |
| us-west-2 | Oregon | 3 |
| ca-central-1 | Canada | 2 |
| eu-west-1 | Ireland | 3 |
| eu-west-2 | London | 2 |
| eu-central-1 | Frankfurt | 2 |
| ap-northeast-1 | Tokyo | 3 |
| ap-northeast-2 | Seoul | 2 |
| ap-southeast-1 | Singapore | 2 |
| ap-southeast-2 | Sydney | 3 |
| ap-south-1 | Mumbai | 2 |
| sa-east-1 | Sao Paulo | 3 |
The AWS web console
The web-based console is the first thing you will see after creating your AWS account, and you will often refer to it when viewing and confirming your configuration.
The AWS web console
The console provides an overview of all the services available as well as associated billing and cost information. Each service has its own section, and the information displayed depends on the service being viewed. As new features and services are released, the console will change and improve. Don’t be surprised if you log in and things have changed from one day to the next.
Keep in mind that the console always shows your resources by region. If you cannot see a resource that you created, make sure you have the right region selected.
Choose the region closest to your physical location for the fastest response times. Note that not all regions have the same services available. The larger, older regions generally have the most services available. Some of the newer or smaller regions (that might be closest to you) might not have all services enabled yet. While services are continually being released to regions, you may have to use another region if you simply must use a newer service.
The us-east-1 (a.k.a. North Virginia) region is special given its status as the first region. All services are available there, and new services are always released there.
As you get more advanced with your usage of AWS, you will spend less time in the console and more time controlling your services programmatically via the AWS CLI tool and CloudFormation, which we will go into in more detail in the next few topics.
CloudFormation templates
CloudFormation is the Infrastructure as Code service from AWS.
Where CloudFormation was not applicable, we have used the AWS CLI to make the process repeatable and automatable.
Since the recipes are based on CloudFormation templates, you can easily combine different templates to achieve your desired outcomes. By editing the templates or joining them, you can create more useful and customized configurations with minimal effort.
What is Infrastructure as Code?
Infrastructure as Code (IaC) is the practice of managing infrastructure though code definitions.
On an Infrastructure-as-a-Service (IaaS) platform such as AWS, IaC is needed to get the most utility and value. IaC differs primarily from traditional interactive methods of managing infrastructure because it is machine processable. This enables a number of benefits:
- Improved visibility of resources
- Higher levels of consistency between deployments and environments
- Easier troubleshooting of issues
- The ability to scale more with less effort
- Better control over costs
On a less tangible level, all of these factors contribute to other improvements for your developers: you can now leverage tried-and-tested software development practices for your infrastructure and enable DevOps practices in your teams.
Visibility
As your infrastructure is represented in machine-readable files, you can treat it like you do your application code. You can take the best-practice approaches to software development and apply them to your infrastructure. This means you can store it in version control (for example, Git and SVN) just like you do your code, along with the benefits that it brings:
- All changes to infrastructure are recorded in commit history
- You can review changes before accepting/merging them
- You can easily compare different configurations
- You can pick and use specific point-in-time configurations
Consistency
Consistent configuration across your environments (for example, dev, test, and prod) means that you can more confidently deploy your infrastructure. When you know what configuration is in use, you can easily test changes in other environments due to a common baseline.
IaC is not the same as just writing scripts for your infrastructure. Most tools and services will leverage higher-order languages and DSLs to allow you to focus on your higher-level requirements. It enables you to use advanced software development techniques, such as static analysis, automated testing, and optimization.
Troubleshooting
IaC makes replicating and troubleshooting issues easier: since you can duplicate your environments, you can accurately reproduce your production environment for testing purposes.
In the past, test environments rarely had exactly the same infrastructure due to the prohibitive cost of hardware. Now that it can be created and destroyed on demand, you are able to duplicate your environments only when they are needed. You only need to pay for the time that they are running for, usually down to the hour. Once you have finished testing, simply turn your environments off and stop paying for them.
Even better than troubleshooting is fixing issues before they cause errors. As you refine your IaC in multiple environments, you will gain confidence that is difficult to obtain without it. By the time you deploy your infrastructure in to production, you have done it multiple times already.
Scale
Configuring infrastructure by hand can be a tedious and error-prone process. By automating it, you remove the potential variability of a manual implementation: computers are good at boring, repetitive tasks, so use them for it!
Once automated, the labor cost of provisioning more resources is effectively zero—you have already done the work. Whether you need to spin up one server or a thousand, it requires no additional work.
From a practical perspective, resources in AWS are effectively unconstrained. If you are willing to pay for it, AWS will let you use it.
Costs
AWS have a vested (commercial) interest in making it as easy as possible for you to provision infrastructure. The benefit to you as the customer is that you can create and destroy these resources on demand.
Obviously, destroying infrastructure on demand in a traditional, physical hardware environment is simply not possible. You would be hard-pressed to find a data center that will allow you to stop paying for servers and space simply because you are not currently using them.
Another use case where on demand infrastructure can make large cost savings is your development environment. It only makes sense to have a development environment while you have developers to use it. When your developers go home at the end of the day, you can switch off your development environments so that you no longer pay for them. Before your developers come in in the morning, simply schedule their environments to be created.
DevOps
DevOps and IaC go hand in hand. The practice of storing your infrastructure (traditionally the concern of operations) as code (traditionally the concern of development) encourages a sharing of responsibilities that facilitates collaboration.
Image courtesy: Wikipedia
By automating the PACKAGE, RELEASE, and CONFIGURE activities in the software development life cycle (as pictured), you increase the speed of your releases while also increasing the confidence.
Cloud-based IaC encourages architecture for failure: as your resources are virtualized, you must plan for the chance of physical (host) hardware failure, however unlikely.
Being able to recreate your entire environment in minutes is the ultimate recovery solution.
Unlike physical hardware, you can easily simulate and test failure in your software architecture by deleting key components—they are all virtual anyway!
Server configuration
Server-side examples of IaC are configuration-management tools such as Ansible, Chef, and Puppet.
While important, these configuration-management tools are not specific to AWS, so we will not be covering them in detail here.
IaC on AWS
CloudFormation is the IaC service from AWS.
Templates written in a specific format and language define the AWS resources that should be provisioned. CloudFormation is declarative and can not only provision resources, but also update them.
We will go into CloudFormation in greater detail in the following topic.
CloudFormation
We’ll use CloudFormation extensively throughout, so it’s important that you have an understanding of what it is and how it fits in to the AWS ecosystem. There should easily be enough information here to get you started, but where necessary, we’ll refer you to AWS’ own documentation.
What is CloudFormation?
The CloudFormation service allows you to provision and manage a collection of AWS resources in an automated and repeatable fashion. In AWS terminology, these collections are referred to as stacks. Note however that a stack can be as large or as small as you like. It might consist of a single S3 bucket, or it might contain everything needed to host your three-tier web app.
In this article, we’ll show you how to define the resources to be included in your CloudFormation stack. We’ll talk a bit more about the composition of these stacks and why and when it’s preferable to divvy up resources between a number of stacks. Finally, we’ll share a few of the tips and tricks we’ve learned over years of building countless CloudFormation stacks.
Be warned: pretty much everyone incurs at least one or two flesh wounds along their journey with CloudFormation. It is all very much worth it, though.
Why is CloudFormation important?
By now, the benefits of automation should be starting to become apparent to you. But don’t fall in to the trap of thinking CloudFormation will be useful only for large collections of resources. Even performing the simplest task of, say, creating an S3 bucket can get very repetitive if you need to do it in every region.
We work with a lot of customers who have very tight controls and governance around their infrastructure, especially in the finance sector, and especially in the network layer (think VPCs, NACLs, and security groups). Being able to express one’s cloud footprint in YAML (or JSON), store it in a source code repository, and funnel it through a high-visibility pipeline gives these customers confidence that their infrastructure changes are peer-reviewed and will work as expected in production. Discipline and commitment to IaC SDLC practices are of course a big factor in this, but CloudFormation helps bring us out of the era of following 20-page run-sheets for manual changes, navigating untracked or unexplained configuration drift, and unexpected downtime caused by fat fingers.
The layer cake
Now is a good time to start thinking about your AWS deployments in terms of layers. Your layers will sit atop one another, and you will have well-defined relationships between them.
Here’s a bottom-up example of how your layer cake might look:
- VPC
- Subnets, routes, and NACLs
- NAT gateways, VPN or bastion hosts, and associated security groups
- App stack 1: security groups, S3 buckets
- App stack 1: cross-zone RDS and read replica
- App stack 1: app and web server auto scaling groups and ELBs
- App stack 1: cloudfront and WAF config
In this example, you may have many occurrences of the app stack layers inside your VPC, assuming you have enough IP addresses in your subnets! This is often the case with VPCs living inside development environments. So immediately, you have the benefit of multi-tenancy capability with application isolation.
One advantage of this approach is that while you are developing your CloudFormation template, if you mess up the configuration of your app server, you don’t have to wind back all the work CFN did on your behalf. You can just turf that particular layer (and the layers that depend on it) and restart from there. This is not the case if you have everything contained in a single template.
We commonly work with customers for whom ownership and management of each layer in the cake reflects the structure of the technological divisions within a company. The traditional infrastructure, network, and cyber security folk are often really interested in creating a safe place for digital teams to deploy their apps, so they like to heavily govern the foundational layers of the cake. Conway’s Law, coined by Melvin Conway, starts to come in to play here:
“Any organization that designs a system will inevitably produce a design whose structure is a copy of the organization’s communication structure.”
Finally, even if you are a single-person infrastructure coder working in a small team, you will benefit from this approach. For example, you’ll find that it dramatically reduces your exposure to things such as AWS limits, timeouts, and circular dependencies.