Wednesday, November 20, 2013

Embedded stacks

The theater:
https://github.com/krogebry/pentecost/blob/master/templates/theater.json

This is what I refer to as the "root" template, where we set up all of our core params and start building sub-stacks.

The first subnet, known as the Ops or OpsAuto subnet is created with this chunk:

    "OpsAutoSubnet": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "TemplateURL": "https://s3-us-west-2.amazonaws.com/cloudrim/core/subnet-opsauto.json",
        "Parameters": {
          "VPCId": { "Ref": "VPC" },
          "CidrBlock": { "Fn::FindInMap": [ "SubnetConfig", "OpsAuto", "CIDR" ] },
          "AvailabilityZone": "us-east-1b",
          "InternetGatewayId": { "Ref": "InternetGateway" }
        }
      }
    }
The source for this can be found here:
https://github.com/krogebry/pentecost/blob/master/templates/core/subnet-opsauto.json
As you can see, the subnet-opsauto.json stack template creates a subnet within the main VPC, then attaches ACL entries and a security group to it.
This is very handy for encapsulating all of the security rules for a given software package in one place.
Now let's take a look at a generic subnet:
https://github.com/krogebry/pentecost/blob/master/templates/core/subnet-primary.json
I'll eventually get around to cleaning this up so it's more abstract and versatile.  The idea here is that we create a generic pattern for how we expect all of our applications to function.  At the moment I haven't defined any specific ACLs or security groups, so traffic will not be able to flow from one network to the next.
There are two ways of approaching this:
  1. Create a custom subnet definition for each application stack which defines the ACLs and security groups.
  2. Define the same groups in the root template by using Fn::GetAtt to reach into the sub-stack and pull out its Output variables.
Either approach is fine, it's up to you to decide which method is going to be better for the long-term health of your organization.
In either case, CI/CD is still a valid possibility.
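Approach 2 above, as an added example that is not part of the pentecost templates: a hypothetical child template (subnet-app.json) that creates only a subnet and exposes its ID through Outputs, and a root-template fragment that reads that output with Fn::GetAtt on "Outputs.<Name>" while keeping the security group, and therefore the ingress policy, in the root. The two templates are bundled under the ChildTemplate and RootTemplate keys purely for presentation; VPC, SubnetConfig and OpsAuto are the names used in theater.json, while the TemplateURL and the 10.0.2.0/24 CIDR are placeholders.

```json
{
  "ChildTemplate": {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "subnet-app.json (hypothetical): subnet only, no rules; IDs exposed via Outputs",
    "Parameters": {
      "VPCId": { "Type": "String" },
      "CidrBlock": { "Type": "String" }
    },
    "Resources": {
      "Subnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": { "VpcId": { "Ref": "VPCId" }, "CidrBlock": { "Ref": "CidrBlock" } }
      }
    },
    "Outputs": {
      "SubnetId": { "Value": { "Ref": "Subnet" } }
    }
  },
  "RootTemplate": {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "theater.json fragment: nests the child stack and defines the security group here",
    "Resources": {
      "AppSubnet": {
        "Type": "AWS::CloudFormation::Stack",
        "Properties": {
          "TemplateURL": "https://PLACEHOLDER-BUCKET.s3.amazonaws.com/core/subnet-app.json",
          "Parameters": {
            "VPCId": { "Ref": "VPC" },
            "CidrBlock": "10.0.2.0/24"
          }
        }
      },
      "AppSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "GroupDescription": "HTTPS from the OpsAuto subnet only; everything else is denied by default",
          "SecurityGroupIngress": [
            { "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443",
              "CidrIp": { "Fn::FindInMap": [ "SubnetConfig", "OpsAuto", "CIDR" ] } }
          ]
        }
      }
    },
    "Outputs": {
      "AppSubnetId": { "Value": { "Fn::GetAtt": [ "AppSubnet", "Outputs.SubnetId" ] } }
    }
  }
}
```

Because the child stack has no Outputs for its security group or ACLs, every rule that governs traffic into the app subnet lives in the root template, which is the trade-off approach 2 makes: one place to review, but a root template that grows with every application.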
One final thought on this subject: Huge thanks to the CloudFormation team for being totally awesome!
