AWS - CloudFormation (CF) - continue 3-07-2021
Class Notes -
- Doing tasks manually takes a lot of time.
- Creating an environment takes time and effort.
- Requirements keep changing: new services, new IP addresses; the requirements keep growing.
- It can take weeks or months to make an environment mature.
- The best way to do the job is with code.
- You keep changing the document and use different versions of it (like git).
- The entire code is called a stack.
- Say the first stack is v.01; you change the document and get v.02; a new requirement comes, a new version is released and v.03 comes.
- You create your whole infrastructure automatically.
- Manually you have to create the network, install the OS, create accounts, permissions, firewall rules and much more.
- But we can build/provision the infrastructure using code, and even version the entire infrastructure.
- Say v.03 has a problem: you can easily go back (roll back) to v.02.
VPC (think of it as an office)
 ____________________
|                    |
|                    |
|                    |
|                    |
|____________________|
inside you have subnets
VPC
- Subnet = Lab1
- EC2 (OS) -> needs an AMI to launch
- EBS
- EIP (public/Elastic IP)
For connectivity from your VPC to the outside world you need an internet gateway (IGW).
- For this you have to create a routing table for your subnet.
- You have to use a router to go outside the network.
- Any traffic can come in, but I want to use a firewall for that: my security group will filter the connections.
- You will allow only particular ports, say only port 22 or only port 80.
or
- You might have your own private AMI; there are lots of other use cases.
If you want to automate anything, you can't automate without knowing the concepts and the steps, i.e. what to do next.
- For example, you want to launch an EC2 instance: it cannot be launched without a subnet, a subnet cannot be created without a VPC, and an IGW cannot be created without a VPC.
- Manual or automated, you must know the steps and the concepts.
Go to the AWS console
- Management services
Go to your notepad
> notepad aws.yaml
- Before automating, create a diagram.
- Create a step-by-step plan.
Plan:
step1: Create VPC
step2: Create internet gateway, because we will be using public access
step3: Attach IGW to VPC
.....
resource: program: api
A resource is a kind of program; the API helps you to attach the IGW, subnet and other resources.
Google "aws resource type for vpc creating".
Review all the resources available, for instance
AWS::EC2::Instance
and review the properties and their values.
Let's try the manual task first
1. Launch a VPC
- create a VPC
Two things are required:
name:
IPv4 CIDR
Go to the documents and google for the resource for VPC.
We could not find it under VPC; since it is used by EC2, let's try under EC2.
You will find it under EC2:
AWS::EC2::VPC
You can copy the code directly from the page:
Type: AWS::EC2::VPC
Properties:
  CidrBlock: '10.0.0.0/16'
  EnableDnsHostnames: Boolean
  EnableDnsSupport: Boolean
  InstanceTenancy: String
  Tags:
    - Tag
Everything comes under Resources:
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:                  # make a habit of adding tags
        - Key: Name          # key and value; the console shows the Name tag as the resource name
          Value: My VPC CF
Look at the doc to see which fields are required.
Enable DNS on EC2 by clicking on Actions and enabling hostnames.
Now go and launch.
Now go to CloudFormation,
Create
Upload this template.
CF automatically assigns v1 to the first upload.
At the bottom of the page you see the designer view before you upload the code.
You can even drag and drop, and the code is created.
You can design the entire infrastructure this way as well; after designing, you can launch to create it.
Specify the stack name after you upload the code.
stack name: mystack-aws
Next
Review the page and click on Create stack.
Now, without going to the VPC portal, your VPC is created the way you want.
You see CREATE_IN_PROGRESS... and finally created.
Go to your VPCs and you will see it.
Click on the VPC -> Actions and enable DNS hostnames.
Now we have to create the internet gateway, so we add it to the template.
Always give a descriptive name.
Always give a Name tag.
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
We made a change to our code. We already completed the first part (VPC);
now we are going to create the second part.
There is no reason to create a new stack; we will update it.
Go to your stack, click on Update and upload your template.
Click on View in Designer; you will see one more resource:
VPC and IGW.
Click Next, Next.
If you get any error, check that the indentation is in place properly.
At the bottom of the page it shows the change set preview.
Now launching the IGW.
Go to your stack and go to Resources; you see the new resource is added.
step3: connect IGW to VPC
Google:
is there any resource to attach an IGW to a VPC?
We see VPC gateway attachment:
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:                      # we don't hard-code the ID here, we reference the resource
        Ref: VPC                  # Ref resolves to the ID of the VPC created above
      InternetGatewayId:
        Ref: InternetGateway      # same for the IGW
      # The two references above can also be written in the short form:
      #   VpcId: !Ref VPC
      #   InternetGatewayId: !Ref InternetGateway
Manually you select the IGW, click on Actions and specify the VPC you want; here you specify the VPC ID.
Go to the VPC document and read the "Return values" section:
the Ref function,
Fn::GetAtt,
and other functions.
Now upload this code to your CF stack.
Go to the designer view -> Next.
We are going to add the new resource.
Now we have the VPC created, and the IGW created and attached.
Now, the next plan is to create a subnet.
step4: create subnet
Collect the info you need.
Go to Google and get the YAML.
We have a function called Select.
SubnetA:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref VPC
    CidrBlock: 10.0.0.0/24
    # AvailabilityZone: "us-east-1a"   We don't want to hard-code one AZ
    # AvailabilityZone: !GetAZs ''     GetAZs returns the list of all AZs in the region, not a single one
    AvailabilityZone: !Select [0, !GetAZs '']   # Select picks the first AZ from that list
    Tags:
      - Key: Name
        Value: mysubnet1
Use the Select function.
Google "cloudformation getazs function".
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: mysubnetlab1
Now go and upload your code to the CF stack.
Next -> Next
Here something is impacted; we see no ...
Update it. Now your new subnet is going to be created.
Now we want this subnet to have a connection to the outside world.
Step 6
RouteTable:
  Type: AWS::EC2::RouteTable
  Properties:
    VpcId: !Ref VPC
    Tags:
      - Key: Name
        Value: my RT
Modify the template and upload it to the stack.
Now the routing table is created.
Now click on the routing table:
this routing table does not have the capability to go to the internet.
For this you have to add an extra resource;
go to Route.
InternetRoute:
  Type: AWS::EC2::Route
  DependsOn: VPCGatewayAttachment    # the IGW must be attached to the VPC before a route can point at it
  Properties:
    RouteTableId: !Ref RouteTable
    DestinationCidrBlock: 0.0.0.0/0
    GatewayId: !Ref myInternetGateway
Update your code:
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: mysubnetlab1
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: my RT
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref myInternetGateway
Update your stack, check the designer view,
and update the stack.
Now we have lots of resources...
There is something failed.
When something fails, it automatically rolls back to the previous version.
Let's review the code..
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: mysubnetlab1
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: my RT
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway   # our GatewayId was wrong: there is no resource called myInternetGateway, the logical ID is InternetGateway
Let's update the stack;
it looks good now.
Now attach the routing table to the subnet:
subnet route table association.
Look for the resource type.
step 8
Which subnet do you want to associate: SubnetA
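The failed update above cost a full create/rollback cycle just to learn that `myInternetGateway` is not a logical ID in the template. The following added example (not code from the class notes or from AWS) is a small pre-upload check written in Python: it collects the logical IDs declared under Parameters and Resources and reports every `!Ref`, `Ref:`, `DependsOn` and `GetAtt` target that is not among them. It works on the raw YAML text with regular expressions, so it needs no YAML library and understands the short-form tags; the sample template it scans is constructed for the example and reproduces the wrong GatewayId plus an Output that names an instance the template does not declare.

```python
"""Pre-upload reference check for a CloudFormation YAML template (added example).

Reports Ref / GetAtt / DependsOn targets that are not declared under Parameters or Resources,
the mistake that made the stack update above fail and roll back. Regex based, no PyYAML needed.
"""
import re
import sys

SECTION_RE = re.compile(r"^(Parameters|Resources|Outputs|Conditions|Mappings):\s*$")
LOGICAL_ID_RE = re.compile(r"^  ([A-Za-z0-9]+):\s*$")       # two-space key directly under a section
REF_PATTERNS = [
    re.compile(r"!Ref\s+([A-Za-z0-9:]+)"),                  # short form: !Ref VPC
    re.compile(r"^\s*Ref:\s+([A-Za-z0-9:]+)"),              # long form:  Ref: VPC
    re.compile(r"DependsOn:\s+([A-Za-z0-9]+)\s*$"),         # DependsOn: VPCGatewayAttachment
    re.compile(r"!GetAtt\s+([A-Za-z0-9]+)\."),              # !GetAtt MyInstance.PublicIp
    re.compile(r"Fn::GetAtt:\s*\[\s*([A-Za-z0-9]+)"),       # Fn::GetAtt: [MyInstance, PublicIp]
]
# Pseudo parameters may be referenced without being declared in the template.
PSEUDO_PARAMETERS = {"AWS::Region", "AWS::AccountId", "AWS::StackName",
                     "AWS::StackId", "AWS::NoValue", "AWS::Partition"}


def declared_ids(template_text):
    """Logical IDs declared under Parameters: or Resources: (the only valid Ref targets)."""
    section, ids = None, set()
    for line in template_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section in ("Parameters", "Resources"):
            m = LOGICAL_ID_RE.match(line.split("#", 1)[0])
            if m:
                ids.add(m.group(1))
    return ids


def check_refs(template_text):
    """Return [(line_number, name), ...] for every reference to an undeclared logical ID."""
    declared = declared_ids(template_text)
    dangling, prev = [], ""
    for line_no, raw in enumerate(template_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]                   # ignore YAML comments
        stripped = line.strip()
        targets = [m.group(1) for pat in REF_PATTERNS for m in pat.finditer(line)]
        if prev == "Fn::GetAtt:" and stripped.startswith("- "):
            targets.append(stripped[2:].strip())      # long-form GetAtt: first list item is the logical ID
        for name in targets:
            if name not in declared and name not in PSEUDO_PARAMETERS:
                dangling.append((line_no, name))
        prev = stripped
    return dangling


# Constructed sample in the shape of the stack built above, with the wrong GatewayId
# and an Output that names an instance this template does not declare.
SAMPLE_TEMPLATE = """\
Parameters:
  InstanceType:
    Type: String
Resources:
  VPC:
    Type: AWS::EC2::VPC
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId: !Ref InternetGateway
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref myInternetGateway   # wrong: the logical ID is InternetGateway
Outputs:
  PublicIp:
    Value:
      Fn::GetAtt:
        - MyFirstOSbyCF
        - PublicIp
"""

if __name__ == "__main__":
    # Pass a template path to check your own file; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for line_no, name in check_refs(text):
        print(f"line {line_no}: '{name}' is not declared under Parameters or Resources")
```

Run it as `python check_refs.py aws.yaml` before clicking Update; the two-space-indent convention for logical IDs is an assumption that matches the templates on this page. A syntax slip such as `!Ref:` (with a colon) is not a reference at all to this scanner, so it only complements, not replaces, the indentation check and the validation CloudFormation itself does on upload.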
mySubnetRouteTableAssociation:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    SubnetId: !Ref SubnetA
    RouteTableId: !Ref RouteTable
Add this code and update the stack:
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: mysubnetlab1
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: my RT
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway   # our GatewayId was wrong...
  mySubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetA
      RouteTableId: !Ref RouteTable
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-79fd7eee"       # or ImageId: !Ref AMI once an AMI parameter is defined
      InstanceType: t2.micro        # or InstanceType: !Ref InstanceType once a parameter is defined
      KeyName: "testkey"            # put your own key pair name here, or KeyName: !Ref KeyName
      SubnetId: !Ref SubnetA
      Tags:
        - Key: Name
          Value: My-Test-env
        - Key: Author
          Value: Sam
      BlockDeviceMappings:
        - DeviceName: "/dev/sdm"
          Ebs:
            VolumeType: "io1"
            Iops: "200"
            DeleteOnTermination: "false"
            VolumeSize: "20"
        - DeviceName: "/dev/sdk"
          NoDevice: {}
You can define default values for the AMI.
You can go to the doc and review which values are required and which are not.
If you don't specify the instance type, it will pick t1.small.
Now, update the stack.
Parameters:
  AMI:
    Type: String
    Description: My custom AMI for web server
    Default: ami-04054jdf83u      # placeholder, replace with a real AMI ID for your region
  InstanceType:
    Type: String
    Description: My instance type
    Default: t2.micro
  KeyName:
    Type: String
    Description: my ssh key
    Default: none
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: mysubnetlab1
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: my RT
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  mySubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetA
      RouteTableId: !Ref RouteTable
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AMI
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      SubnetId: !Ref SubnetA
      Tags:
        - Key: Name
          Value: My-Test-env
Update the stack..
Now, this failed.
Let's review the code:
Parameters:
  AMI:
    Type: String
    Description: My custom AMI for web server
    Default: ami-04054jdf83u      # placeholder, replace with a real AMI ID for your region
  InstanceType:
    Type: String
    Description: My instance type
    Default: t2.micro
  KeyName:
    Type: String
    Description: my ssh key
    Default: none
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: mysubnetlab1
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: my RT
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  mySubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetA
      RouteTableId: !Ref RouteTable
  MyFirstOSbyCF:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AMI
      SubnetId: !Ref SubnetA
      InstanceType: !Ref InstanceType
      AvailabilityZone: ap-south-1a   # must be the AZ SubnetA lives in
      Tags:
        - Key: Name
          Value: My-Test-env
Attach the key manually..
The security group is conditional, so we need it;
we have to add a security group.
Now, we don't have a public IP enabled;
you have to go to EIP and attach an EIP.
Go to the document to see if there is an EIP create option:
MyEIP:
  Type: AWS::EC2::EIP
  Properties:
    Domain: vpc                     # the address is for an instance inside a VPC
    InstanceId: !Ref MyFirstOSbyCF
We still need to create a security group and attach it:
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow http to client host
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0           # HTTP from anywhere; open only the ports the service needs
    SecurityGroupEgress:
      - IpProtocol: -1              # all protocols are allowed; FromPort/ToPort are ignored for -1
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
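The security group is the firewall the notes talked about at the start: it should allow only the particular ports the instance needs, and `0.0.0.0/0` means the whole internet. As an added example (not code from the class notes or from AWS), the Python script below scans every SecurityGroupIngress and SecurityGroupEgress list in a template and reports rules that are open to anywhere, except a single public web port (80 or 443), plus any rule that opens all protocols with `IpProtocol: -1`. It goes slightly beyond the page's own group: it also recognises IPv6 `::/0` and is driven by an allow-list of ports you can adjust. The sample template is constructed for the example and contains the page's HTTP rule, an added SSH rule from anywhere, and the page's all-protocol egress rule.

```python
"""Security-group review for a CloudFormation YAML template (added example).

Flags ingress/egress rules reachable from anywhere (0.0.0.0/0 or ::/0) unless they are a single
public web port, and any rule that opens all protocols (IpProtocol -1). Line based, no PyYAML.
"""
import sys

PUBLIC_WEB_PORTS = {80, 443}        # the only ports we accept open to the whole internet
ANYWHERE = {"0.0.0.0/0", "::/0"}


def assess_rule(direction, rule, line_no):
    """Return (line_no, message) if a single rule deserves attention, else None."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if cidr not in ANYWHERE:
        return None                 # scoped to a CIDR or another security group: not flagged here
    proto = rule.get("IpProtocol", "")
    if proto == "-1":
        return (line_no, f"{direction}: all protocols and ports open to {cidr}")
    if direction == "ingress":
        low, high = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if not (low == high and low in PUBLIC_WEB_PORTS):
            return (line_no, f"ingress: {proto} {low}-{high} open to {cidr}")
    return None


def review_security_groups(template_text):
    """Scan the template text and return a list of (line_no, message) findings."""
    findings = []
    block = None                    # (direction, indent) while inside a rule list
    rule, rule_line = None, 0

    def flush():                    # evaluate the rule being collected, if any
        nonlocal rule
        if rule is not None:
            finding = assess_rule(block[0], rule, rule_line)
            if finding:
                findings.append(finding)
        rule = None

    for line_no, raw in enumerate(template_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()       # drop YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if block and indent <= block[1]:           # dedented: the rule list has ended
            flush()
            block = None
        if stripped in ("SecurityGroupIngress:", "SecurityGroupEgress:"):
            block = ("ingress" if "Ingress" in stripped else "egress", indent)
            continue
        if block is None:
            continue
        if stripped.startswith("- "):              # each "- IpProtocol: ..." item starts a new rule
            flush()
            rule, rule_line = {}, line_no
            stripped = stripped[2:]
        key, _, value = stripped.partition(":")
        if rule is not None and value.strip():
            rule[key.strip()] = value.strip()
    flush()
    return findings


# Constructed sample: the page's HTTP rule, an added SSH-from-anywhere rule, and the page's egress rule.
SAMPLE_SG = """\
Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SG
    for line_no, message in review_security_groups(text):
        print(f"line {line_no}: {message}")
```

The HTTP rule is accepted, the SSH rule is reported because port 22 from the whole internet is not in the allow-list (restrict it to your own address range instead), and the egress rule is reported so that it is a conscious decision: all-protocol egress is the AWS default, but an instance that only needs to reach known hosts can be narrower. Rules that reference another security group or a specific CIDR are not flagged at all.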
Parameters:
  AMI:
    Type: String
    Description: My custom AMI for web server
    Default: ami-04054jdf83u      # placeholder, replace with a real AMI ID for your region
  InstanceType:
    Type: String
    Description: My instance type
    Default: t2.micro
  KeyName:
    Type: String
    Description: my ssh key
    Default: none
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: mysubnetlab1
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: my RT
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  mySubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetA
      RouteTableId: !Ref RouteTable
  MyFirstOSbyCF:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AMI
      SubnetId: !Ref SubnetA
      InstanceType: !Ref InstanceType
      AvailabilityZone: ap-south-1a
      Tags:
        - Key: Name
          Value: My-Test-env
  MyEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      InstanceId: !Ref MyFirstOSbyCF
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1          # all protocols are allowed
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
Update the stack.
You have to attach the security group to the instance:
MyFirstOSbyCF:
  Type: AWS::EC2::Instance
  Properties:
    ImageId: !Ref AMI
    SubnetId: !Ref SubnetA
    InstanceType: !Ref InstanceType
    SecurityGroupIds:
      - !Ref InstanceSecurityGroup
    AvailabilityZone: ap-south-1a
    Tags:
      - Key: Name
        Value: My-Test-env
Update your OS part and update the stack:
Parameters:
  AMI:
    Type: String
    Description: My custom AMI for web server
    Default: ami-04054jdf83u      # placeholder, replace with a real AMI ID for your region
  InstanceType:
    Type: String
    Description: My instance type
    Default: t2.micro
  KeyName:
    Type: String
    Description: my ssh key
    Default: none
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: My VPC CF
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: My IGW CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      InternetGatewayId:
        Ref: InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: mysubnetlab1
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: my RT
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  mySubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetA
      RouteTableId: !Ref RouteTable
  MyFirstOSbyCF:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AMI
      SubnetId: !Ref SubnetA
      InstanceType: !Ref InstanceType
      SecurityGroupIds:
        - !Ref InstanceSecurityGroup
      AvailabilityZone: ap-south-1a
      Tags:
        - Key: Name
          Value: My-Test-env
  MyEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      InstanceId: !Ref MyFirstOSbyCF
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1          # all protocols are allowed
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
Now update and run; the instance does not have to be terminated, it is updated successfully...
When our instance starts, we want the public IP associated with the instance to be printed:
Outputs:
  PublicIp:
    Value:
      Fn::GetAtt:
        - MyFirstOSbyCF      # go to this OS and retrieve its public IP
        - PublicIp
Go to the document of the EC2 instance
and look for the return values.
Now go and update the code.
Use functions to retrieve the AZ, public/private IP and other values.
Parameters are the input function;
Outputs are the output function.
==========================
In summary
Plan:
CF: resource: program: api
step1: Create VPC
  name
  cidr
step2: Create IGW
step3: Attach IGW to VPC
  vpcid
step4: Subnet
  subnet
  AZ
Now we want this subnet to have a connection to the outside world.
step5: Create routing table
step6: Create route
  0.0.0.0/0: igw
step7: Attach routing table to subnet
  after creating the routing table,
  associate the routing table with the subnet id
step8: Route table association
step9: Launch EC2 instance