What is CF?
- Infrastructure as Code service
- Leverages version control and automation
- Single or multiple templates to make an env
- Can interact with other tools e.g. puppet
- CF creates instances;
- Puppet puts the instances in a certain state
What sort of stuff can we update in the stack?
- AMI of instances
- Update a cloudwatch alarm
- Auto-scaling groups
How do we update the stack?
- Update the template
- Update the stack with the new template
What are stack policies good for?
- Perhaps you don’t want just anybody updating the stack
- Preventing resource updates:
- JSON documents
- Similar to IAM and bucket policies
Why might stack rollbacks fail?
- Nested stacks.
- Dependencies between resources
- Resource modified outside of template
What’s the CF Template?
- Declaration of resources that make up a stack
- Declares an object as a name-value pair
- Or a pair of name + enclosed objects
- The “resource” object is the only required object in the template
What else is in a CF template?
- Metadata: Assists with config
- Parameters: Good for secrets
- Rules: Evaluate parameters
- Mappings: Map an instance type to a certain architecture, e.g.
- Conditions: Flags to dictate, say, size of server
- Transform: Sort of like an “import” statement. (Include lambdas)
- Resources: Define resources; the main thing
- Outputs: URL to the web server, e.g.
How are CF templates a disaster recovery tool?
- You can store templates in a second region
How do we safeguard template integrity?
- Use source control
- Use “drift detection”
- Make sure templates match their backups between regions