CloudFormation Is Everywhere
So although I had some good experience with CloudFormation before arriving at Linux Academy, there’s nothing like troubleshooting and validating labs as a learning experience. And becoming adept with CloudFormation can go a long way in ramping up your overall AWS skillset. CloudFormation is everywhere!
As an example, spin up an Elastic Beanstalk Environment and then hurry over to the CloudFormation Management Console and watch what happens. Well, what happens is that a CloudFormation Stack will be spinning up. Why? We didn’t tell CloudFormation to do anything. We chose our low maintenance, highly productive friend Elastic Beanstalk. But the truth is, Elastic Beanstalk needs CloudFormation in its life and uses CloudFormation to spin up the resources you requested.
CloudFormation is working behind the scenes for you and Elastic Beanstalk is taking all of the credit. And the truth is, that if you wanted to customize your new Elastic Beanstalk environment (this is advanced stuff), you could do so in the EB CloudFormation template. So if you’re working anywhere in AWS, there’s a good bet that CloudFormation is involved behind the scenes and it is a great move to sharpen up your CloudFormation skills.
CloudFormation Deep Dive
After this trial-by-fire working extensively with CloudFormation, CloudFormation Deep Dive was born. The course is now nearing a year and a half old and IT years are kind of like dog years so I’m happy to report that that’s exactly what is going to happen. I’ve started working on updating the course and will be undergoing considerable changes. I’m sure many will be happy to hear that you won’t be seeing my mug at the bottom of the screen for 12 plus hours worth of lessons. But a great addition to the course will be the inclusion of Linux Academy’s interactive diagrams. I’m excited to be providing interactive diagrams and have big plans to provide creative ways to learn CloudFormation.
New Features in CloudFormation
So let’s talk about some of these new features of CloudFormation? We’ll start by talking about Drift Detection. What is Drift Detection? Well let’s talk about CloudFormation Stacks and in doing so, we will get to Drift Detection. Let’s say we create a CloudFormation Stack in our Production environment. We, of course, keep our template in a safe place so that we can re-create our Production stack if needed.
Furthermore, what about Disaster Recovery? Wouldn’t it make sense to stash our production template away in another region? If our template is in another region, in the case of a disaster in our prod region, we can quickly use our template to spin up our environment in our DR region. This is a great use of Cloudformation templates. Unless our Recovery Time Objective (RTO) is very small, we can use this techni
que for Disaster Recovery.
But you’re probably guessing there is more to this story, and you would be correct. How do we manage change? Do we have procedures in place? If we need to make updates to resources in our stack what is the best practice? Our options are to perform updates within CloudFormation or we can update the resources independently (outside) of our stack.
So, if we need to change the ingress on a Security Group created in our stack we could go directly to the EC2 console, go to the Security Group and change the ingress. Done. Easy peasy. No need to perform a stack update in CloudFormation right? Wrong!! If you change stack resources outside of the stack, you have introduced DRIFT. And that’s not a good thing. Why? Well, let’s remember what CloudFormation is at its core. It is Infrastructure as Code. It is code. And we need to follow best practices when updating our code.
We need to have source control and all of that good stuff. Sure, we can easily change the ingress on a Security Group real quick like in the EC2 Management Console. But if that Security Group belongs to a CloudFormation Stack, guess what? We have just invalidated our Prod template. That template no longer accurately represents our Stack. And that is really bad because our DR plan is now jacked up. We can no longer rely on our template. Our template is counterfeit. Sure, we could build a stack with it and we could even use it for DR. But what if our ingress is not as it should be in our Prod environment? Maybe we just introduced a security breach simply by changing our stack resources outside of CloudFormation.
So as you may have guessed, AWS has provided Drift Detection to keep an eye on such things. At any time we can run Drift Detection on our stacks to determine if our stack has drifted, and how it has drifted. Ideally, we would have processes in place and our team knows not to change stack resources outside of CloudFormation. But things don’t always go as planned and Drift Detection can go a long way in helping to maintain the integrity of our templates and our stacks.
Coming Attractions: Cheat sheets and Template snippets
In addition to the interactive diagram being a learning tool for the course, I’m hoping it can become a one-stop shop for anybody working with CloudFormation that wants a quick-start on template snippets. Examples would be quick lookups and code snippets on specific services such as an S3 Bucket. Need to know how to create a bucket in S3? One click will get you started on the code you need. Do you need your bucket to host a static website? One more click will get you a good look at that code snippet. And I plan to incorporate this kind of interactive “cheat sheet” for several of the more commonly used services. So overall, the course will be much more interactive for the user and provide an enriched learning experience. And like all Linux Academy courses, there will be Labs, Labs, and more Labs!
So, of course, the new and improved CloudFormation Deep Dive will have thorough coverage on CloudFormation Drift Detection. Some of the other new features of CloudFormation include Macros, handling of Secrets, Serverless Application Model (not directly a CloudFormation feature but closely linked), some enhancements for Stack Sets, VPC Private Link Support, and some Guardrails. Now some of this may sound interesting and some of it may not ring a bell at all. But let’s save discussion on some of these other new features for next time. Meanwhile, keep an eye out for updates on the release of the new CloudFormation Deep Dive. It won’t be long now and I’m excited to bring a new and improved perspective to the CloudFormation Deep Dive!
Or if you’re interested in learning how to roll your own VPN with AWS CloudFormation, take a look at this.