The document discusses using AWS CloudFormation for continuous integration and continuous deployment (CI/CD) of infrastructure as code. It covers version controlling templates, static analysis and testing of templates, and deploying templates through pipelines to different environments like staging and production. It also provides examples of deploying full application stacks including EC2 instances, containers, serverless architectures, and strategies for grouping resource types.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Earn Your DevOps Black Belt:
Deployment Scenarios with AWS
CloudFormation
Luis Colon
Sr. Developer Advocate
AWS CloudFormation
D E V 3 0 8
Chuck Meyer
Sr. Developer Advocate
AWS CloudFormation

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
CI/CD for infrastructure
Building an infrastructure pipeline
Testing and validation
Full Stack deployment examples
Serverless deployment

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudFormation at a glance
Code in YAML or
JSON directly or use
sample templates
Upload local
files or from
an S3 bucket
Create stack
using console,
API or CLI
Stacks and
resources are
provisioned
Enables provisioning and management of your
infrastructure as code

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Release processes for code
Source Build Test Promote
Continuous integration
Continuous delivery
Continuous deployment

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure as is code!
Source
Version control all templates and
configuration
Build Static analysis and unit tests
Test Clean environment for integration testing
Promote Deployment to live environments

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Version control everything
• Templates
• Parameter files
• Helper scripts
• Configuration files
Source
(Version controlled!)

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Static Analysis
• Run in a build tool or even a AWS Lambda function
• Validate syntax: cfn-lint
• Validate governance/business logic: cfn_nag
• Fail build and notify on errors
Build

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cfn-lint results
> cfn-lint bad-route-table-association.yaml
E3022 SubnetId in AuxiliaryPublicSubnetRouteTableAssociation1 is
also associated with PublicSubnetRouteTableAssociation1
bad-route-table-association.yaml:24:9

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integration testing
• Catch problems that aren’t obvious in a single template/stack
• TaskCat tests your templates by creating a stack in multiple regions
simultaneously
• Generates a report with a pass/fail grade for each region
Test

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
TaskCat results
·[0;37;44m[taskcat]·[0m |GENERATING REPORTS·[1;41;0m
·[0;30;43m[INFO ]·[0m :Creating report in [taskcat_outputs]
·[0;30;43m[INFO ]·[0m :Collecting CloudFormation Logs
·[0;30;43m[INFO ]·[0m :Collecting logs for tCaT-tag-vpc-test-889778e5"
|StackName: tCaT-tag-vpc-test-889778e5
|Region: us-east-2
|Logging to: taskcat_outputs/tCaT-tag-vpc-test-889778e5-us-east-2-cfnlogs.txt
|Tested on: Wednesday, 31. October 2018 02:45PM
--------------------------------------------------------------------------------------
ResourceStatusReason:
Stack launch was successful

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deploy to all environments
• Create stacks in each environment, validate, continue
• Decide on a deployment strategy: Blue/Green, In-place, etc.
• Use an orchestration tool to ensure consistent deployment
• Use stack sets for deployment to multiple accounts & regions
• Insert approval stages if needed
Promote

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build Test Promote
Infrastructure CI/CD – SaaS Tools
AWS Cloud
Region
Developers
Git Push
Templates Taskcat
Source
Staging
Production
Testing Change set

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure CI/CD – DIY Tools
AWS Cloud
Region
Developers
Git Push
Templates
Staging
Production
Testing
VPC
Test PromoteSource Build
Change set

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full stack deployment
{
{
{

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full stack deployment – Amazon EC2
{
{
{ VPC
AZ1 AZ1

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full stack deployment – Containers
{ VPC
AZ1 AZ1
Django MySQL
{
{

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full stack deployment – serverless
{
{

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Full stack deployment – strategies
• Group resources by lifecycle
• Separate longer lived resources from ephemeral resources
• Isolate stateful resources
Auto Scaling
AMI

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2 – Two Pipelines
Infrastructure (monthly) Application (daily)
VPC
AZ1 AZ1 AZ1 AZ1

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build Test Promote
Amazon EC2 – Infrastructure CI/CD
AWS Cloud
Region
Developers
Git Push
Templates Taskcat
Source
Staging
Production
Testing

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build Test Promote
Amazon EC2 – Application CI/CD
AWS Cloud
Region
Developers
Git Push
Source
Staging
Production
Application
Code

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Container pipeline
Environment Service
VPC
AZ1 AZ1
Container 1
Container 1
Templates Templates

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build Test Promote
Container full stack CI /CD
AWS Cloud
Region
Developers
Acceptance
Production
Testing
Source

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Container based microservice management
• Mu is an open source tool released by Stelligent
• Full-stack microservice management
• Constructs pipelines, deploys services, manages environments
• Uses native services (AWS CodePipeline, AWS CodeBuild, AWS
CloudFormation)
https://getmu.io/

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Serverless Application Model (SAM)
AWS CloudFormation extension optimized for
serverless
New serverless resource types: functions, APIs,
and tables
Supports anything AWS CloudFormation
supports
Open specification (Apache 2.0)
- SAM Translator recently open sourced!

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SAM template for a custom resource
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Looks up the latest AMI ID for a given region and architecture.
Resources:
cfnlookupamiids:
Type: 'AWS::Serverless::Function'
Properties:
Handler: index.handler
Runtime: nodejs8.10
CodeUri: .
Description: Looks up the latest AMI ID for a given region and architecture.
MemorySize: 128
Timeout: 3
Policies:
- AMIDescribePolicy: {}

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build Test Promote
Serverless deployment CI /CD with SAM
AWS Cloud
Region
Developers
Acceptance
Production
Testing
Source

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Takeaways
• Treat infrastructure definitions as code
• Version control everything
• Test everything
• Group resources by lifecycle (persistent vs. application)
• Deploy it all via pipeline(s)

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tools we mentioned
cfn-lint https://git.io/vhGFK
cfn_nag https://git.io/fpe1K
taskcat https://git.io/fpe1X
mu https://git.io/fA7Tl
SAM CLI https://git.io/fpe1H

38. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Luis Colon
licolon@amazon.com
@luiscolon1
Chuck Meyer
cmmeyer@amazon.com
@chuckm

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.