Deep Dive: Infrastructure as Code


so welcome everyone my name is Chetan Dandekar I’m a senior product manager in the deployment and management services among with in AWS I focus mainly on cloud formation and today this session is about diving deep into infrastructure as code on AWS and cloud formation is one of our flagship services for doing infrastructure as code on AWS and I know we have a diverse audience here there are some people who have never used AWS there are some who have who are experts at AWS there are some who are already doing infrastructure as code because somewhere in a more traditional operations but I promise there is something for everyone even though some of this stuff might be already known to some of you so bear with me and I promise there is useful stuff here for everyone in the audience so you are attending infrastructure as code sessions so I assume you are already on board are this train which is likely you are in a business where you need to innovate fast experiment fast so that you can distinguish yourself from the other guy innovating fast also means that you should be able to fail fast and reduce the risk in failure so that you don’t lose the next opportunity and obviously continuous delivery continuous integration enable that innovative agile business because you can push features out fast if something works you can double down quickly on that if something doesn’t work you can course correct really quickly and that’s continuous delivery and obviously the whole DevOps movement supports continuous delivery because there is good communication sharing automation which allows you to be that agile to be able to double down on things that are working and you know to eliminate things that are not working and infrastructure as code in particular and cloud in general supports DevOps because you can automate everything you can treat everything as software even if there are servers which are serving web requests or databases or networking components you can write software for 
managing all of it and automated and hence deliver that continuously so how do you do infrastructure as code on AWS the flagship service for that is a SS cloud formation and for those who are not familiar with cloud formation it allows you to create templates of the architectures and applications that you want to run on AWS and it the architectures could mean anything in the traditional sense it would mean network storage and compute but in in the new era of cloud computing it could mean DynamoDB table or ElastiCache clusters s3 buckets and so on and so forth so it allows you to create templates of the architectures you want to have you pass those templates to the service and then the service figures out what are the steps it needs to take to get you to that architecture so you specify the desired state and CloudFormation figures out how to get there and you don’t have to worry about the granular ap granular API calls that you need to make to induce your service so let’s say you are provisioning a web application you you probably have s3 bucket and IDs database a web server a CloudFront distribution and so on and so forth and with cloud formation you don’t have to figure out individual API calls for each of these services you don’t have to figure out the order of creation for each of these resources and you don’t have to worry about failure modes if any so if if a request times out you don’t need to worry about retrying at CloudFormation does it automatically for you so that’s fundamentally different from the traditional approach of provisioning scripts where you have to figure out every step and debug every step which might go wrong this is more like building a CAD model and handing it over to a 3d printer and the printer prints out the desired object for you when you have templates you can follow the time-tested software engineering principles on the temp under templates so you can version control them code review them create replicas branch them use them in 
multiple database accounts or regions and they will work as expected we also have customers who integrate cloud formation templates into their CI CD pipelines like Jenkins or Atlassian bamboo the basic workflow that you have while using cloud formation is something like this you first of all you have a business problem and you design a solution for that problem and broadly you you will need to write application code to implement the business logic and then you will need to have infrastructure to host that application so you design application code implement application code and also design the infrastructure templates from the templates you create stacks which are collection of resources CloudFormation creates those stacks for you from the templates and then CloudFormation also has hooks to let you deploy the application packages on top of those stacks of infrastructure resources and once you have a stack is basically infrastructure and application running and serving your customers and obviously you’re not going to stop there you are going to continue to iterate on it so we will we will follow through this workflow that you can enable using cloud formation just to take an example imagine you are in the food ordering business or food delivery business you will probably have a bunch of services like these are full catalog of billing service a payment service a customer database and so on and so forth whether you call it service-oriented architecture or micro services it’s up to you but it’s either ways you’re going to have a lot of services and they’re going to have interactions between them and dependencies among them so a food ordering the food catalog might want some information from the recommendation service or the customer database and so on and so forth so when you are modeling this in cloud formation each service or each independent unit of operation could be modeled as a stack depending on the complexity if it’s too complex you can also divide it into 
multiple stacks but we are going to deep dive deep into the food catalog website so let’s say you want to design a web application which is a catalogue of food items in CloudFormation are actually in AWS it will look something like this you obviously need a security group to secure the application you need a server to to serve the requests and you’re also going to be scaling up or down which is done using an auto scaling group you need a load balancer and obviously you need the brain of that application which is the software that you are going to write so you need a way to deploy that software and it’s not an island the food catalog service is going to take information from other services like the database service and recommendation service so you need some way to get that information into the food catalog website and then you might want to optimize it optimize this application by doing things like adding a memcache cluster or adding some alarms so that you can take action if something things are not going too well and so this is your web application that you want to run on AWS and now we are going to walk through how you model that in cloud formation so if you look inside a cloud formation template you can model each of these resources and they look something like what we have on the right side each of the resources are model ization JSON objects and notice that they describe the desired state that you want to have for the web server group you specify how many what’s the range of instances what’s the range of number of instances you want to have and you can the actual number of instances can vary in that range based on the load and then you can specify things like an auto scaling group is connected to a load balancer but you don’t have to write the code which actually makes API calls through the auto scaling api’s and actually provisions the instance for you and then goes and provisions a load balancer for you we have some customers who write JSON directly and 
here are customers who don’t like to write JSON so what they do is they use tools where which are typically written in their favorite programming language like Ruby or Python that generate the JSON templates so that’s the second option that you have to create large formation templates and a third option that is emerging is also there are some tools out there which let you create cloud formation templates graphically by dragging and dropping these objects and generating JSON out of it so there are multiple ways to create the JSON templates but ultimately you’re going to see something a model like this there is information that you need to supply into a cloud formation stack so in our example you want to get in what’s the DB endpoint for the customer database or what’s the you know what’s the endpoint for the recommendation service and so on and so forth and the way you get information in into a cloud formation stack is by passing in parameters they are not free form you can add validation logic around it so for example if you want to if you want to choose from a limited set of instance types you can actually specify that if you want to make sure that a value that you are passing in is a valid VPC ID you can actually specify AWS ec2 VPC ID as a parameter data type and that allows you to make sure that this the input that is getting into a stack is a is valid on the other side you also need to get information out so once you have this stack set up the stack as an application is going to have an endpoint so you can specify the outputs that you want to get out of the stack in this case you know it will be the DNS name or the IP address of the elastic load balancer and the this is an important part which is deploying application that actually runs on the web servers the primary way to bring in software bits and bootstrapping them on a web server in cloud formation is what we call cloud formation in it we will go deep into this this topic a little later in this 
presentation and then for convenience the CloudFormation template language provides multiple other functions like you know a getting an attribute of a resource or joining a string and so on and so forth and we actually just launched support for executing lamb in working lambda functions while clock you are creating cloud function stacks so that opens the door for writing any code that you want while creating a cloud formation stack and getting it executed so let’s say you want to reverse a string you can actually write a lambda function get the string reverse and use it in a cloud formation stack once you have a template you you can use the cloud formation console to upload the template specify the parameter values and create a stack obviously if you are practicing infra infrastructure as code chances are you want to automate all of this so you won’t go to the console to create the stack you will probably use the api’s the SDKs or the command line to provide the template and create the stack you can still come back to the console to see the health of the stack so once your stack is created you’re going to see the status of each stack that you have and some useful information like the events that happen for each stack the templates associated with it or tags that are added to each of the stack and as I mentioned I’m using infrastructure as a very broad term it’s not just Network compute and storage cloud formation today supports over 20 aw services and we are continuously adding support for more and more aww speeches so you can provision any of this through cloud formation and that was the basic workflow and now if we double click on creating infrastructure templates you can treat these templates just like any other software you can code them using your favorite development tools right from visual studio to beam you can version control them run code reviews you can even run unit tests so let’s say you have a complex architecture naturally you’re going to have some 
logical modular you know modular ization in that architecture so you might have a subnet independent of some other sublet and when you are editing a template for a given subnet before merging it back to your main branch you can actually run unit tests on any changes that you have made to that subnet template so you can apply any any software engineering principles that you apply to your application code and in fact I have heard this thing this star this phrase multiple times from my customers which is it’s all software there is no infrastructure in software just like application code is software and what that means is you can organize it like software so you don’t have to create one stack for all your resources or you don’t have to create individual stacks for each one of your resource that you have in your raid of this account you can actually organize them based on how well their lifecycle aligns and the common purpose that they work towards so for example if you have one web application which has a common business problem that is solves all the resources for that web application can be part of one stack if you have a V PC and a bunch of subnets which are shared across a lot of different applications you probably don’t want to bundle them with the applications you probably want to create a separate stack for them so this is what we typically see with some of our customers which is you will have a very basic identity layer with your I M users and policies then you have a networking layer with the V pcs and subnets which are relatively stable then there are some shared services and the very top there are web applications which come and go very frequently now another thing to note is that if you are creating say a network component specifically for a given web application then obviously you want to bundle it with the web application so let’s say you are creating a security group for each of your web application then you don’t want that security group to be in the 
bottom layer in the bottom based networking layer you want that security group to be bundled with that application and once you have organized templates in in this fashion or whichever other fashion that that suits your operations then you can actually recreate these things in multiple environments like there are staging or production or let’s say you create new AWS accounts you can repeat these things in those accounts very quickly let’s say you are you expand into another alw region you can use the same set of templates and same organization to quickly recreate your entire you know entire set of applications in those accounts or regions just to complete this analogy so if you think about application software you know somebody writes the source code you build it and you package it and then there is typically a loader or interpreter which actually interprets that application code and then ultimately you reach where you have a data application in a desired state in a in a service memory so infrastructure is no different when you’re using cloud formation you have JSON templates or scripts which generate JSON templates you PI R you know you package those templates and then you pass them on to cloud formation and cloud formation acts as a loader and interpreter of those templates and creates the desired state of the infrastructure for you in the cloud and obviously you’re not going to once you setup your application you’re not going to stop stop so we also have support for iterating on the infrastructure that you are provision there are two main ways to iterate there is what we call in-place updates so you update your templates and then with an updated template you call update stack on the same stack that is running or you can do Bluegreen deployment where you take the updated template and create a new stack from scratch without touching your existing stack and then once the new stack comes up and is tested then you start moving traffic to the new stack and there are 
pros and cons for each of these approaches the in-place update is faster because typically an incremental change on an existing stack is going to be faster than recreating a whole stack you’re going to spend less money because you are not duplicating the resources you already have and most importantly I think you don’t have to worry about transferring the data and application state that you might have in a stack because you are not really creating a completely new stack whereas if you create a new stack then you have to make sure that your data from the old stack is migrated over to the new stack on the other other hand there is a big advantage to blue/green which is you are never touching a running stack so if anything goes wrong at any point you can always fall back on the old stack and you don’t have to be limited to the 20 or so services that CloudFormation supports so we have extensibility mechanism called custom resources in cloud formation which is essentially a plug-in system which lets you plug in your own logic as part of the stack creation so I’ll take a specific example so let’s say you have that food catalog website which is a web application which is running in AWS using lots of different types of database resources and you want to use a third-party web analytics service to go with this application so when this stack is provisioned you also want to provision a subscription in that analytic service for this web application you can actually model that in a CloudFormation template you in a cloud formation template you would write a custom resource and you will also specify a what we call service token which is identifier for that third-party service and then pass information like you know what plan you have or what IP address the service should use and so on and so forth to that service and when CloudFormation interprets this it will go on provisioning all the regular stuff as it will in AWS and when it encounters a custom resource it will actually call 
the third-party service and tell it to provision a web analytics subscription wait for success or failure and bring it back to the stack so if it succeeds then that external resource essentially becomes a part of the stack and if it fails the stack is rolled back so it becomes even though you are using AWS and non AWS resources it becomes a single unit of deployment and this custom resource mechanism can also be used not only to well it can be is not only to provision third party resources but also supplement the CloudFormation provisioning with your own custom logic and it will be more clear with this new feature that we launched so before before integrating lambda to implement a custom resource either you or the third party would have to implement your own web service – which can receive requests from CloudFormation requests like create this resource update resource rollback resource and so on and so forth we launched a lambda integration just yesterday which allows you to write lambda function and be able to call that function as a custom resource from a CloudFormation stack so you here is your CloudFormation stack and you can have a custom resource which represent represents your lambda function in the stack and when the stack is created updated or deleted we’ll make a call to that lambda function let it run the logic that you have written and get back the output and this is useful for things like looking up an army ID so if you are already using cloud formation and if you’re using Windows you might be aware that the Windows army IDs change every month on AWS so one of the tasks that you need to do is update those windows army IDs and until now you had to do that statically or but now not anymore now you can write a lambda function which automatically looks up the latest Windows ami IDs on Amazon and use them for any Windows tag that you’re creating which is also true for a custom army ID so let’s say you have you are baking your own custom Army’s and tagging 
them with a particular version number now you can write a lambda function which looks up your custom army IDs for a based on a specific tag and gets the right army ID back so it makes it simpler to automate that process rather than you looking up the right army ID and passing it in to a cloud formation stack there are a lot of our customers who do cross stack references that is they have separate stacks for separate purposes they have a networking stack a database stack and application stack and they need to pass information from one star to another they want to refer to say a subnet or a security group that is in a different stack from an application stand until now you had to look up the subnet ID or the security group ID and pass it in manually as an to that application stack that is using the submit now you can write a lambda function embed that in the application stack and it will look up the right subnet ID and security group for you and the list goes on I mean any any custom logic that you want to implement if you want to you know if you have a smart espresso machine and want to order a coffee when a stack is successfully created you can write a lambda function for that and if somebody does write that lambda function please let us know and we’ll be very happy to you know write a blog post about it moving on to a related topic we talked a lot about infrastructure provisioning but it really goes hand-in-hand with application deployment if you want to automate infrastructure provisioning it’s only useful if you can also automate application deployment so for a few few more slides I’m going to talk about infrastructure provisioning as code and application deployment s code infrastructure provisioning is obviously things like networking provisioning provisioning queues kanessa streams and so on and so forth and then application deployment is once you have ec2 servers running you want to download packages boots and you know install them at the right place 
bootstrap the application and so on and so forth and you can model all of this in a CloudFormation template and that we automated and there are multiple ways of describing application deployment and making it happen in a in context of a cloud formation template and we’ll dive deeper into e into those options so at the at the very basic level you obviously have the Amazon machine machine images or armies that you can use you can use the Amazon provided armies or third-party amis or your own armies that you bake then we have this flexible mechanism called flower formation in it which lets you describe the application configuration you want to have and then cloud formation makes it happen for you cloud formation in it also serves as an entry point for any other configuration tool that you might want to use so let’s say you want to use chef or puppet or our own AWS code deploy you can use cloud formation in it to install an agent that brings in those tools and then lastly you can also use opsworks so opsworks is our application management service which you can use in context of cloud formation and of Sox itself bring is provides its own chef recipes and also it lets you bring your own chef recipes and we’ll dive deep into each of these sort of three options that you have starting with cloud formation in it it’s it follows the same declarative model that the infrastructure part of cloud formation follows so you don’t have to specify the step wise instructions the for for downloading configuring and bootstrapping an application you just have to tell us that in a declarative way so things like list of packages that you want to install or the sources that you want to download and unzip the commands that you want to run and so on and so forth just to give you an example of what I mean by declarative so let’s say you are downloading an application package from s3 bucket you don’t have to actually write the commands that downloads the package from s3 or if the request times 
out then retries it and so on and so forth we do that for you you just have to tell us the the source from which to get the package and the destination for the package on the web server that you are provisioning and it’s it’s the same pattern for anything else that CloudFormation in its supports it is debuggable in the sense that it produces lots of logs and you don’t even have to log onto the machines ssh into the machines to actually see those logs you can see them in the console using another of a SS service called cloud watch logs we look into slight more details lightly more detail into that later and you can also do update so typically we’ll have customers who update you have a stack around and then maybe they want to install an extra package or a new version of the package so what they would do what they do is the updater template call update stack using the updated template and then there is a cloud formation daemon running on each of the web server web servers called CF and hub which detects those changes and and reconciles that web server with the new update so it will incremental e bring that a web server to the new configuration and as I mentioned before it cloud formation in it serves as an entry point for any other configuration tool so let’s say you want to use chef what you would do is you will have cloud formation in net to install the chef client and then you can bring in your existing chef recipes for things like installing WordPress onto the web server AWS code deploy follows the same model so you can install the a SS code deploy agent using cloud formation in it and then let AWS code deploy do the rest and this model works well when you actually want to have a very clear distinction between infrastructure provisioning and application deployment so maybe you want to deploy infrastructure and not change it very often and then do dozens of application deployments on the same infrastructure then you might want to consider this option where you use 
cloud formation for infrastructure provisioning and then use some other service with a nice console and everything to to do the application deployment needless to say we Pro B support authentication mechanisms so you don’t have to when you are installing your application packages on do cloud formation stacks you don’t have to open it up to public you can keep them behind your s3 credentials you can also use github and download packages from github and directly onto cloud function stacks so when you are using AWS CloudFormation init you actually trigger that process through the user data script that you might be familiar with so when you provide when you boot up an ec2 instance you get two run that user reader script which is the initial script on an ec2 instance so you you would download the AWS CloudFormation init package trigger it let it do its job and then once it’s done you can signal it back to cloud formation so your user data script will look something like that you can also use cloud wash logs for debugging we talked we touched on this a few slides ago and I wanted to go into specifics so if you want to pump out the cloud formation Internet logs and send them out to cloud watch and view them in club in AWS console then you have to do some slight configuration in your template so when you are along with your own packages and services you have to drop the cloud watch logs configuration file onto onto your instances that you’re provisioning and then it will start streaming your CF and n it logs on to cloud watch and the good thing about that is you don’t you don’t ever have to log on or SSH into your instances you can see those in the console now moving on to the second approach which is baking armies and using armies to boot applications in your cloud formation stacks clearly there is cloud formation it provides a lot of flexibility and visibility into what what goes into your application deployment so long after you have deployed your application and 
application is running you can go back to your cloud formation init configuration and see what you install and have a fairly good idea about what’s running in a stack compare that with army army is is a black box so once you bake an army it’s very hard to recall what actually is running in the Adamic but on the other hand it also has a advantage which is whenever you bake an army it’s set in stone so if you want to have that assurance that once I bake an army nobody is going to touch it and I know exactly what it is then army could be a good option and also army is the ha is the fastest way to boot an instance when you are using CF and in it cloud formation in it or share for any other configuration it is actually going to do that configuration after the instance boots so basically it is in downloading all the packages and all the configuration scripts and then running them after the instance boots when you are using Amazon machine images or amis it’s all big 10 so the boot time is really really short so we see this pattern among a lot of our customers where during the development and testing phase they want that flexibility for configuring applications so they use cloud formation in it or user data scripts or chef once they have reached a release candidate then they bake an army out of that and then when they want to scale really scale to a really large number of instances and really quickly then they use that bake Tommy the important thing to note is that even if you are baking Army’s make sure that you keep a track of the cloud formation in its script that went into that army because otherwise once an army is baked you will have no way to know you know what you are configured in that army now the third approach for application deployment with cloud formation is using cloud formation and Ops works together we looked at the infrastructure provisioning and application deployment and you know you might ask I can do everything through CloudFormation template or even 
a shell script then why should I use opsworks and the answer to that is this there are two main benefits to using opsworks one it provides a well-defined application lifecycle so we looked at cloud formation in it a few slides ago and you know it provides you a lot of flexibility and it lets you define your own life cycle so you you can say this is the point where the application is installed this is a point where the application is rebooted and so on and so forth but you have to define the application life cycle but if you are looking for a well-defined application life cycle opsworks provides it for you and then soft also of souks already has entry points like when the application is initialized or rebooted shutdown and so on and so forth and then you can just hook in your own chef scripts or or any configuration scripts at those well-defined points so that’s one advantage and then the second advantage is it provides an interactive console to then adjust the application profile so if you want to scale up once the application is running in an interactive way you can go to of source console look at the metrics and then scale it scale it up or scale it down so that’s the that’s the benefit that of source provides so we have customers who use some of our customers you do everything purely through cloud formation in it and cloud formation and then there are some others who decide that they want to do purely infrastructure through cloud formation and then when it comes to managing ec2 and application on ec2 they use opsworks so there is a there is a convenience versus control trade-off that they have to make because so you if you’re getting the well defined lifecycle then obviously you won’t have any way to arbitrarily define the application lifecycle that you can in cloud formation in it so this is the model that you know what we are call what we call cloud formation of Sox side-by-side and you can actually automate all of this so you can also model your ops box 
configuration inside a CloudFormation template. So even if you are fully automated and you still want to use OpsWorks, you can use OpsWorks along with other resources in a CloudFormation template. So that is OpsWorks inside CloudFormation.

Moving on to other tools of the trade, we also see customers integrate CloudFormation with their CI/CD pipelines, things like Jenkins and Bamboo, and pretty soon they will also integrate with our own CI/CD systems, CodePipeline and CodeCommit. This is the general pattern that we see: typically they have a set of infrastructure developers who focus on the common artifacts like network or databases, and then there is a set of app developers who focus on one business problem, typically an application. All of them use a common tool chain to store the application code and the infrastructure templates. The templates written by the DevOps team or the infrastructure team are typically broad things like IAM policies and network configuration, and then if the application developers want any application-specific infrastructure, let's say you have an application which needs a DynamoDB table or an ElastiCache cluster, then those templates are better off being owned by the application team, so they also have their own templates. They go through code reviews, continuous integration systems and unit tests, and when they have all the artifacts ready, the app packages and the CloudFormation template, they call the CloudFormation APIs to provision the stacks and deploy the application bits in any of their environments, in any accounts or regions.

I'm seeing a few pictures being taken, so I'm just taking a pause for that.

If you are new to CloudFormation, if you are already using AWS through the console or, let's say, through the CLI, you don't have to start with a blank slate. You can start templatizing your existing resources and convert their configuration into infrastructure as code, and the primary tool to do that is what we call CloudFormer. It's a beta tool that we publish, and you can stand it up as a web application in your account. It will walk you through your existing resources, you can select the resources that you want to templatize, and it will output a base template. You will have to do some post-processing: for example, it will output an EC2 instance with the actual AMI ID that it was created from, but you obviously want to parameterize that, so you have to do some post-processing on that, and then you are good to go. Once you have that post-processed template, you can replicate that existing architecture in any account or any region.

Before ending this session I just want to reflect on and share the types of customers that we see using infrastructure as code and CloudFormation on AWS. We broadly see three different types of customers. There are obviously a lot of development teams and DevOps teams who are very comfortable writing code, so they write JSON templates and treat them just like any other software; we saw a lot of that in the previous slides. But it's also important to note that even in traditional organizations, where they have IT admins or managed service providers, they value templatizing configuration simply because it gives them a mechanism to enforce standard practices. Let's say you are a company of 5,000 people and you want a standard set of security group rules that everyone should use. You can write a template which is very visible, you know exactly what rules are being followed, and then you can have people in your company use that template to set up their security groups no matter what application they are running. So we see that standardization a lot. It also offers role specialization: we have customers where you have networking experts, you have database admins, and so on and so forth, so you can have them write CloudFormation templates for their own area of expertise, and then the consumers of those templates can combine them and use them in a nested, tree-of-templates fashion.

And then obviously there are ISVs. If you are an independent software vendor there are probably two types. If you are running a SaaS service, chances are that as customers onboard to your service you want to scale out, so you potentially want to create a replica of your entire application stack for each of your customers. In that case you can use the same template to create more stacks and scale out as you bring in customers onto your SaaS platform. And even if you are a traditional ISV where you need to install the application in your customer's AWS account, we see sharing CloudFormation templates either on AWS Marketplace or via any other mechanism, so it's a good packaging and deployment mechanism to transfer those bits between you and your customer.

So that's all I had for this session. I think we should have plenty of time for questions and answers, and I'll be happy to take your questions. I also have my colleague Chris Whitaker, so you can ask questions to either of us and that way we can get through more questions and answers. Thank you.
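The CloudFormer post-processing step described above, replacing the captured AMI ID with a parameter so the template can be replicated in other accounts and regions, as an added example that is not part of the talk or of CloudFormer itself. It is a small Python script run over a constructed template that mimics CloudFormer output; the logical resource names, the AMI values and the parameter name `AmiId` are assumptions. It goes slightly beyond the talk by also handling Auto Scaling launch configurations, which carry an `ImageId` as well, and by declaring one parameter per distinct AMI value so two different images are not collapsed into one.

```python
"""Post-process a CloudFormer-style template: replace hard-coded AMI IDs with parameters.

Added example, not the talk's or CloudFormer's own code. CLOUDFORMER_OUTPUT is a
constructed stand-in for what CloudFormer captures (literal ImageId values); the
resource names, AMI values and the parameter name "AmiId" are assumptions.
"""
import copy
import json
import re

# Resource types whose ImageId property CloudFormer captures as a literal AMI.
IMAGE_ID_RESOURCE_TYPES = {
    "AWS::EC2::Instance",
    "AWS::AutoScaling::LaunchConfiguration",
}

# AMI IDs are "ami-" followed by 8 (legacy) or 17 hex characters.
AMI_RE = re.compile(r"^ami-[0-9a-f]{8,17}$")

# Constructed sample: an instance and a launch configuration both pinned to the
# AMI they were created from, plus a resource with no ImageId at all.
CLOUDFORMER_OUTPUT = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"ImageId": "ami-0123456789abcdef0", "InstanceType": "t2.micro"},
        },
        "WorkerLaunchConfig": {
            "Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {"ImageId": "ami-0123456789abcdef0", "InstanceType": "t2.small"},
        },
        "Cache": {
            "Type": "AWS::ElastiCache::CacheCluster",
            "Properties": {"Engine": "redis", "CacheNodeType": "cache.t2.micro", "NumCacheNodes": 1},
        },
    },
}


def find_literal_amis(template):
    """Return {logical_id: ami_id} for every resource whose ImageId is a literal AMI."""
    found = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in IMAGE_ID_RESOURCE_TYPES:
            continue
        image_id = res.get("Properties", {}).get("ImageId")
        if isinstance(image_id, str) and AMI_RE.match(image_id):
            found[logical_id] = image_id
    return found


def parameterize_amis(template, param_name="AmiId"):
    """Return a copy of the template with every literal ImageId replaced by a Ref.

    One parameter is declared per distinct AMI value (AmiId, AmiId2, ...). The
    AWS-specific parameter type AWS::EC2::Image::Id makes CloudFormation reject
    anything that is not an AMI ID at stack creation time, and dropping the
    literal (AMI IDs are region-specific) is what lets the same template be
    launched in another region or account. The input is left unmodified.
    """
    out = copy.deepcopy(template)
    literal = find_literal_amis(out)
    if not literal:
        return out

    # Stable naming: sort distinct AMI values so the output is deterministic.
    names = {}
    for i, ami in enumerate(sorted(set(literal.values())), start=1):
        names[ami] = param_name if i == 1 else f"{param_name}{i}"

    users = {}  # parameter name -> logical IDs that reference it
    for logical_id, ami in literal.items():
        pname = names[ami]
        out["Resources"][logical_id]["Properties"]["ImageId"] = {"Ref": pname}
        users.setdefault(pname, []).append(logical_id)

    params = out.setdefault("Parameters", {})
    for pname, ids in users.items():
        params[pname] = {
            "Type": "AWS::EC2::Image::Id",
            "Description": "AMI for " + ", ".join(sorted(ids)) + " (was hard-coded in the captured template)",
        }
    return out


if __name__ == "__main__":
    print("hard-coded AMIs:", find_literal_amis(CLOUDFORMER_OUTPUT))
    print(json.dumps(parameterize_amis(CLOUDFORMER_OUTPUT), indent=2))
```

Running the script prints the captured AMI references it found and then the post-processed template; the resulting `AmiId` parameter has no `Default`, so whoever launches the stack in a new region must supply an AMI that exists there rather than silently reusing the captured one.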
