
Infrastructure as Code on AWS: 5 Tips to Get You Started

Infrastructure as Code (IaC) is gaining popularity as a strategy for improving the consistency, resilience and reusability of IT services. On AWS, Infrastructure as Code is powered by the CloudFormation service, which lets you define simple text-based templates and use them to spin up surprisingly complex cloud architectures.

In this post, we’ll explore the basics of CloudFormation cloud automation and provide five tips that can help you kickstart your AWS IaC project. We’ll also show how NetApp Cloud Volumes ONTAP can help with data automation for Infrastructure as Code projects.

How Do You Use Infrastructure as Code on AWS?

Infrastructure as Code solves an age-old problem: setting up and configuring IT resources used to be an arduous, manual, error-prone process. Today you can define a configuration file and spin up IT resources from it automatically, consistently and predictably.

On AWS, the CloudFormation service provides Infrastructure as Code capabilities. CloudFormation uses templates: human-readable configuration files written in JSON or YAML that can be edited with any text editor, in which you define the resources you want to set up. CloudFormation reads a template and generates a stack, a set of resources ready to use on AWS.

So, by using CloudFormation, you can define anything from a single simple resource to a complex multi-resource application in a template and deploy it automatically on AWS. You can iterate on your Infrastructure as Code by fine-tuning the template and repeating the process.

The Azure cloud takes a similar approach of JSON-based templates—read our article about Infrastructure as Code on Azure.

Benefits of IaC on AWS

The AWS approach to Infrastructure as Code has several advantages: 

  • High visibility—CloudFormation templates are just code—they can be viewed and edited with any text editor. They clearly state which resources will be created and define their parameters, making it easy for everyone on your team to see and understand what is being deployed.
  • Automated deployment and orchestration—CloudFormation takes a declarative approach: you declare the end result of your deployment, and CloudFormation performs the right set of operations to get you there. Even if you specify a complex multi-part application, there is no need for scripting or manual actions—CloudFormation can create a working stack fully automatically.
  • Stability with version control—changes to templates can create unintended consequences, errors or service interruptions. You can save your CloudFormation templates in a version control system, maintain a tested production version of your template, and if anything goes wrong, tear down the resources and revert to the tested, working template. CloudFormation also checks that a deployment was successful and, if it detects errors, rolls back gracefully to the last known good configuration.
  • Reusability and scalability—AWS lets you deploy the same template as many times as you need. You can define and test a stack one time and then reuse it for many systems across your enterprise, or to scale up the same system by deploying it several times. This is also useful for AWS migration efforts—when migrating services to the cloud, it is often useful to start them up using CloudFormation templates.

AWS CloudFormation Basics

CloudFormation allows you to define your Infrastructure as Code configuration by editing template files directly, via the CloudFormation API, or with the AWS CLI. CloudFormation is a free service—Amazon only charges for the resources you provision via templates.

The following diagram illustrates the CloudFormation process. You create templates and save them in an S3 bucket. Then CloudFormation reads the template and creates a stack based on template definitions.

[Diagram: the CloudFormation process. Source: Amazon Web Services]

Managing template changes

What happens when you need to change a template? When you submit a modified template, CloudFormation compares it with the running stack and creates a change set, which lists what needs to be changed in the resources you have provisioned to reflect the changes in the template. Once you approve the change set, it is executed and the resources are modified automatically.


CloudFormation template example

Here is a sample CloudFormation template provided by Amazon, which creates a publicly readable Amazon S3 bucket configured for static website hosting, with a “Retain” deletion policy (the bucket is kept when the stack is deleted).

This is the JSON syntax—you can also define templates using YAML.
{
  "AWSTemplateFormatVersion" : "2010-09-09",

  "Description" : "AWS CloudFormation Sample Template S3_Website_Bucket_With_Retain_On_Delete",
  "Resources" : {
    "S3Bucket" : {
      "Type" : "AWS::S3::Bucket",
      "Properties" : {
        "AccessControl" : "PublicRead",
        "WebsiteConfiguration" : {
          "IndexDocument" : "index.html",
          "ErrorDocument" : "error.html"
         }
      },
      "DeletionPolicy" : "Retain"
    }
  },
 
  "Outputs" : {
    "WebsiteURL" : {
      "Value" : { "Fn::GetAtt" : [ "S3Bucket", "WebsiteURL" ] },
      "Description" : "URL for website hosted on S3"
    },
    "S3BucketSecureURL" : {
      "Value" : { "Fn::Join" : [ "", [ "https://", { "Fn::GetAtt" : [ "S3Bucket", "DomainName" ] } ] ] },
      "Description" : "Name of S3 bucket to hold website content"
    }
  }
}
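The sample above deliberately makes the bucket public, which is exactly the kind of setting a reviewer should have to consciously accept rather than discover after deployment. Note also that since April 2023 new S3 buckets have Block Public Access enabled and ACLs disabled by default, so a bare "PublicRead" ACL like the one in this template is rejected unless the template also configures ObjectOwnership and PublicAccessBlockConfiguration. The following added example (it is not part of the original post, nor Amazon's or NetApp's code) is a small offline lint pass that reads the page's template from a string, flags public canned ACLs and missing Block Public Access settings, and checks the DeletionPolicy; the "hardened" private bucket beside it is a constructed counterpart that should produce no findings. The rule names are my own.

```python
import json

# The page's sample template, embedded with the Description on a single line
# (a raw newline inside a JSON string is a syntax error).
SAMPLE_TEMPLATE = json.loads(r"""
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "AWS CloudFormation Sample Template S3_Website_Bucket_With_Retain_On_Delete",
  "Resources" : {
    "S3Bucket" : {
      "Type" : "AWS::S3::Bucket",
      "Properties" : {
        "AccessControl" : "PublicRead",
        "WebsiteConfiguration" : {
          "IndexDocument" : "index.html",
          "ErrorDocument" : "error.html"
        }
      },
      "DeletionPolicy" : "Retain"
    }
  }
}
""")

# Constructed hardened counterpart: a private bucket with every
# Block Public Access setting switched on. No findings are expected.
HARDENED_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PrivateBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                },
            },
            "DeletionPolicy": "Retain",
        }
    },
}

# Canned ACLs that grant access to everyone (or to every AWS account).
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BLOCK_PUBLIC_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                     "IgnorePublicAcls", "RestrictPublicBuckets")


def lint_s3_buckets(template):
    """Return (logical_id, rule, detail) for every AWS::S3::Bucket that needs review."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties", {})
        acl = props.get("AccessControl")
        if acl in PUBLIC_ACLS:
            findings.append((logical_id, "PUBLIC_ACL", f"AccessControl={acl}"))
        pab = props.get("PublicAccessBlockConfiguration", {})
        missing = [k for k in BLOCK_PUBLIC_KEYS if pab.get(k) is not True]
        if missing:
            findings.append((logical_id, "PUBLIC_ACCESS_NOT_BLOCKED",
                             "unset: " + ", ".join(missing)))
        if resource.get("DeletionPolicy") != "Retain":
            findings.append((logical_id, "DELETE_DESTROYS_DATA",
                             "DeletionPolicy is not Retain"))
    return findings


def rules_triggered(template):
    """Sorted, de-duplicated rule names, convenient for a pass/fail gate in CI."""
    return sorted({rule for _, rule, _ in lint_s3_buckets(template)})


if __name__ == "__main__":
    for name, tpl in (("sample", SAMPLE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name, lint_s3_buckets(tpl))
```

Run on the page's template this reports the public ACL and the absent Block Public Access configuration and is silent about the Retain policy; run on the hardened bucket it reports nothing. A check like this belongs in the same pipeline stage as template validation (tip 5), before anything is deployed.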

5 Tips for Building IaC on Amazon with CloudFormation

1. Use IAM to Control Access

Amazon Identity and Access Management (IAM) manages users and permissions in AWS. You’ll need to use IAM in conjunction with CloudFormation to define which operations CloudFormation is permitted to carry out. Before a user can deploy a stack with CloudFormation, that user should have permissions to all the relevant resources in the stack—for example, permission to create instances on EC2, or to create new S3 buckets.

You can use a service role to avoid tying CloudFormation capabilities to the permissions of a specific user. You can define one or more service roles for CloudFormation, giving those roles permission to create, modify, and delete resources. Prefer a granular permission policy with several service roles for different types of stacks, rather than one “super admin” role that can represent a major security risk.
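As an added example of what "granular rather than super admin" means for a CloudFormation service role (this is my illustration, not code from the post or from AWS), the block below contrasts a constructed trust policy and permission policy scoped to S3 website stacks with a constructed all-wildcard policy, and runs a small review over both. The checks it performs are the ones a reviewer applies by eye: the trust policy may only let cloudformation.amazonaws.com assume the role, and an Allow statement that combines a wildcard action with Resource "*" is a super admin grant. The IAM action names are real S3 actions; the bucket ARN pattern is a placeholder.

```python
# Constructed trust policy: only the CloudFormation service may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudformation.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed permission policy for a role used only by S3 website stacks.
S3_STACK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ManageWebsiteBuckets",
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketWebsite",
                   "s3:PutBucketAcl", "s3:PutBucketPublicAccessBlock",
                   "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::example-website-*",   # placeholder bucket prefix
    }],
}

# Constructed "super admin" policy of the kind the tip warns against.
SUPER_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Service; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    return action == "*" or action.endswith(":*")


def review_policy(policy):
    """Return one finding per Allow statement that grants more than a stack type needs."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if _is_wildcard_action(a)]
        wild_resources = [r for r in resources if r == "*"]
        if wild_actions and wild_resources:
            findings.append(f"{sid}: wildcard actions {wild_actions} on all resources")
        elif wild_actions:
            findings.append(f"{sid}: wildcard actions {wild_actions}")
        elif wild_resources:
            findings.append(f"{sid}: actions {actions} on all resources")
    return findings


def services_touched(policy):
    """Service prefixes the policy grants actions in; a role per stack type stays small."""
    services = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                services.add(action.split(":")[0])
    return services


def review_trust_policy(policy):
    """Flag trust statements that let anyone other than CloudFormation assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = (_as_list(principal.get("Service", []))
                    if isinstance(principal, dict) else [])
        if principal == "*" or services != ["cloudformation.amazonaws.com"]:
            findings.append(f"trust policy principal too broad: {principal}")
    return findings


if __name__ == "__main__":
    print("trust:", review_trust_policy(TRUST_POLICY))
    print("s3 role:", review_policy(S3_STACK_ROLE_POLICY), services_touched(S3_STACK_ROLE_POLICY))
    print("super admin:", review_policy(SUPER_ADMIN_POLICY))
```

The scoped role touches a single service and produces no findings; the wildcard policy produces one. In practice you would also pass the service role to CloudFormation explicitly when creating the stack, so that the user who launches it needs only iam:PassRole on that role plus the CloudFormation permissions, not the resource permissions themselves.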

2. Verify account limits and budget for relevant resource types

Check your AWS account limits for the resources that participate in your stack, and make sure those limits do not prevent you from launching any part of it. There are also limits specific to CloudFormation—by default you can have only 200 CloudFormation stacks per region. If you have defined budgets for your AWS account, also verify that the resources created by your stack do not exceed the budget for the relevant account.

3. Reuse templates to replicate your stacks

Once you have built a template and tested it to ensure it works well, reuse it to rebuild that infrastructure in other environments. For example, if you set up a working stack for your web application, you can reuse it to create dev, test, and production environments that all have the same components. When creating your template, keep in mind that it should be reusable, and use parameters and conditions to generalize it beyond the current, specific deployment scenario.
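To make concrete how parameters and conditions let one template serve several environments, here is an added example (mine, not from the post): a constructed template with an Environment parameter and an IsProd condition, and a small evaluator for the intrinsic functions it uses (Ref to a parameter, Fn::Equals, Fn::Not, Fn::If and the per-resource Condition attribute). The evaluator mimics what CloudFormation does when it renders a template for a given parameter set; it is a teaching aid, not the service's engine, and it enforces AllowedValues the same way the service would reject an out-of-range parameter.

```python
# Constructed template: one parameter and two conditions make the same
# template serve dev, test and prod deployments.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "Environment": {
            "Type": "String",
            "Default": "dev",
            "AllowedValues": ["dev", "test", "prod"],
        }
    },
    "Conditions": {
        "IsProd": {"Fn::Equals": [{"Ref": "Environment"}, "prod"]},
        "IsNotProd": {"Fn::Not": [{"Fn::Equals": [{"Ref": "Environment"}, "prod"]}]},
    },
    "Resources": {
        "SiteBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                # Versioning only where the data matters.
                "VersioningConfiguration": {
                    "Status": {"Fn::If": ["IsProd", "Enabled", "Suspended"]}
                },
                "Tags": [{"Key": "Environment", "Value": {"Ref": "Environment"}}],
            },
        },
        # Created only in prod: the Condition attribute drops it elsewhere.
        "AccessLogBucket": {
            "Type": "AWS::S3::Bucket",
            "Condition": "IsProd",
        },
    },
}


def resolve_parameters(template, overrides=None):
    """Merge supplied values over defaults, enforcing AllowedValues."""
    overrides = overrides or {}
    values = {}
    for name, spec in template.get("Parameters", {}).items():
        if name in overrides:
            value = overrides[name]
        elif "Default" in spec:
            value = spec["Default"]
        else:
            raise ValueError(f"parameter {name} has no default and no value")
        allowed = spec.get("AllowedValues")
        if allowed is not None and value not in allowed:
            raise ValueError(f"parameter {name}={value!r} not in {allowed}")
        values[name] = value
    return values


def evaluate(node, params, conditions):
    """Recursively resolve Ref (to parameters), Fn::Equals, Fn::Not and Fn::If."""
    if isinstance(node, dict) and len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Ref" and arg in params:
            return params[arg]
        if key == "Fn::Equals":
            left, right = (evaluate(x, params, conditions) for x in arg)
            return left == right
        if key == "Fn::Not":
            return not evaluate(arg[0], params, conditions)
        if key == "Fn::If":
            name, if_true, if_false = arg
            chosen = if_true if conditions[name] else if_false
            return evaluate(chosen, params, conditions)
    if isinstance(node, dict):
        return {k: evaluate(v, params, conditions) for k, v in node.items()}
    if isinstance(node, list):
        return [evaluate(v, params, conditions) for v in node]
    return node  # plain scalar, or a Ref to a resource, which we leave untouched


def render(template, overrides=None):
    """Return the resources that would be created for the given parameter values."""
    params = resolve_parameters(template, overrides)
    conditions = {name: evaluate(expr, params, {})
                  for name, expr in template.get("Conditions", {}).items()}
    rendered = {}
    for logical_id, resource in template["Resources"].items():
        cond = resource.get("Condition")
        if cond is not None and not conditions[cond]:
            continue
        rendered[logical_id] = evaluate(resource, params, conditions)
    return rendered


if __name__ == "__main__":
    for env in ("dev", "prod"):
        print(env, sorted(render(TEMPLATE, {"Environment": env})))
```

Rendering with the default gives a single bucket with versioning suspended; rendering with Environment=prod gives both buckets with versioning enabled, and an environment name outside AllowedValues is rejected before anything is rendered.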

4. Use nested stacks

A nested stack is a stack created from a template that is referenced by another template, so that a tested stack can be reused as a component of a larger stack. You can use CloudFormation to create a set of “lego blocks” from which to assemble your infrastructure.

For example, you can have a template for a load balancer configuration, a template for setting up an S3 bucket, and another for spinning up certain types of EC2 instances. Instead of explicitly declaring these resources in your templates, use your tested “lego block” templates. This also means you can maintain and update basic templates and apply the change to your entire infrastructure at once. 
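The example below is an added illustration of tips 2 and 4 together (mine, not code from the post, AWS or NetApp). In a real template a nested stack is an AWS::CloudFormation::Stack resource whose TemplateURL points at a child template in S3; here a constructed in-memory dictionary stands in for S3, keyed by those URLs, so the walk runs offline. The walk flattens a parent template through its "lego block" children, counts every leaf resource by type, counts the stacks themselves (each nested stack is a stack in its own right and counts against the 200-stacks-per-region default the post quotes), and compares the totals with a constructed quota table. The quota numbers other than the 200-stack limit are sample values, not AWS figures.

```python
from collections import Counter

STACKS_PER_REGION_LIMIT = 200  # default CloudFormation quota quoted in tip 2

# Constructed stand-in for templates stored in S3; keys play the role of TemplateURL.
BASE = "https://example-bucket.s3.amazonaws.com/"
REGISTRY = {
    BASE + "app.json": {
        "Resources": {
            "Storage": {"Type": "AWS::CloudFormation::Stack",
                        "Properties": {"TemplateURL": BASE + "s3-bucket.json"}},
            "Web": {"Type": "AWS::CloudFormation::Stack",
                    "Properties": {"TemplateURL": BASE + "web-tier.json"}},
        }
    },
    BASE + "s3-bucket.json": {
        "Resources": {"Bucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain"}}
    },
    BASE + "web-tier.json": {
        "Resources": {
            "LoadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer"},
            "WebA": {"Type": "AWS::EC2::Instance"},
            "WebB": {"Type": "AWS::EC2::Instance"},
            # The same building block reused from a second parent.
            "Assets": {"Type": "AWS::CloudFormation::Stack",
                       "Properties": {"TemplateURL": BASE + "s3-bucket.json"}},
        }
    },
}


def flatten(url, registry, _ancestors=()):
    """Walk nested stacks from `url`; return (stack_count, Counter of leaf resource types)."""
    if url in _ancestors:
        raise ValueError(f"nested-stack cycle through {url}")
    if url not in registry:
        raise KeyError(f"nested template not found: {url}")
    stacks, counts = 1, Counter()
    for resource in registry[url].get("Resources", {}).values():
        if resource.get("Type") == "AWS::CloudFormation::Stack":
            child_url = resource["Properties"]["TemplateURL"]
            child_stacks, child_counts = flatten(child_url, registry, _ancestors + (url,))
            stacks += child_stacks
            counts += child_counts
        else:
            counts[resource.get("Type")] += 1
    return stacks, counts


def check_quotas(stack_count, counts, stacks_in_use, quotas):
    """Return a message for every quota the deployment would exceed.

    quotas maps a resource type to (currently in use, account limit); both are
    values you would read from Service Quotas before launching.
    """
    problems = []
    if stacks_in_use + stack_count > STACKS_PER_REGION_LIMIT:
        problems.append(f"stacks: need {stack_count}, "
                        f"{STACKS_PER_REGION_LIMIT - stacks_in_use} available in region")
    for rtype, needed in counts.items():
        if rtype in quotas:
            in_use, limit = quotas[rtype]
            if in_use + needed > limit:
                problems.append(f"{rtype}: need {needed}, {limit - in_use} available")
    return problems


if __name__ == "__main__":
    total_stacks, leaf_counts = flatten(BASE + "app.json", REGISTRY)
    print(total_stacks, dict(leaf_counts))
    print(check_quotas(total_stacks, leaf_counts, 198, {"AWS::EC2::Instance": (19, 20)}))
```

For the constructed application the walk finds four stacks (the parent, two children and the bucket block used a second time beneath the web tier), two buckets, one load balancer and two instances; with 198 stacks already in the region and a sample instance quota of 20 with 19 in use, both quota checks fail before anything is launched.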

5. Validate and test your templates before use

CloudFormation provides a validation engine that scans a template and helps you catch syntax and semantic errors. Even if your template passes validation, always run it in an isolated non-production environment and test it to ensure the resources are working correctly and there are no performance or security issues. When you reach a stable state, commit the template to source control, labelling it as a stable, tested version.
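The service-side check the tip refers to is `aws cloudformation validate-template`, and tools such as cfn-lint add deeper rules; both need the CLI or a package installed. As an added example (my code, not the post's, and no substitute for those tools), the block below implements a few of the semantic checks a practitioner wants before a template ever reaches AWS and can run in a pre-commit hook with no network access: every resource has a Type, DependsOn and Condition refer to things that exist, Ref points at a parameter, a resource or a pseudo parameter, and Fn::GetAtt names a resource that is defined. The broken template it checks is constructed and its AMI id is a placeholder.

```python
# Pseudo parameters CloudFormation always provides.
PSEUDO_PARAMETERS = {"AWS::AccountId", "AWS::NoValue", "AWS::NotificationARNs",
                     "AWS::Partition", "AWS::Region", "AWS::StackId",
                     "AWS::StackName", "AWS::URLSuffix"}

# Constructed broken template: four distinct mistakes a syntax check would miss.
BROKEN_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"InstanceType": {"Type": "String", "Default": "t3.micro"}},
    "Resources": {
        "Web": {
            "Type": "AWS::EC2::Instance",
            "DependsOn": "Database",                    # no such resource
            "Properties": {
                "InstanceType": {"Ref": "InstanceType"},  # fine: a parameter
                "SubnetId": {"Ref": "AppSubnet"},         # undefined
                "ImageId": "ami-PLACEHOLDER",
            },
        },
        "Address": {
            "Type": "AWS::EC2::EIP",
            "Condition": "IsProd",                       # no Conditions section
            "Properties": {"InstanceId": {"Ref": "Web"}},  # fine: a resource
        },
    },
    "Outputs": {"DbEndpoint": {"Value": {"Fn::GetAtt": ["Database", "Endpoint.Address"]}}},
}

# Constructed minimal template that should pass.
VALID_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"Bucket": {"Type": "AWS::S3::Bucket"}},
    "Outputs": {
        "Arn": {"Value": {"Fn::GetAtt": ["Bucket", "Arn"]}},
        "Name": {"Value": {"Ref": "Bucket"}},
    },
}


def _walk(node, path=()):
    """Yield (path, key, value) for every single-key dict, which is how intrinsics appear."""
    if isinstance(node, dict):
        if len(node) == 1:
            key, value = next(iter(node.items()))
            yield path, key, value
        for k, v in node.items():
            yield from _walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + (i,))


def validate_template(template):
    """Return a list of error strings; an empty list means the checks passed."""
    errors = []
    version = template.get("AWSTemplateFormatVersion")
    if version is not None and version != "2010-09-09":
        errors.append(f"unknown AWSTemplateFormatVersion {version!r}")
    resources = template.get("Resources")
    if not isinstance(resources, dict) or not resources:
        errors.append("Resources section is missing or empty")
        return errors
    params = set(template.get("Parameters", {}))
    conditions = set(template.get("Conditions", {}))
    for logical_id, res in resources.items():
        if not isinstance(res, dict) or "Type" not in res:
            errors.append(f"{logical_id}: missing Type")
            continue
        depends = res.get("DependsOn", [])
        for dep in depends if isinstance(depends, list) else [depends]:
            if dep not in resources:
                errors.append(f"{logical_id}: DependsOn unknown resource {dep}")
        cond = res.get("Condition")
        if cond is not None and cond not in conditions:
            errors.append(f"{logical_id}: unknown Condition {cond}")
    for section in ("Resources", "Outputs"):
        for path, key, value in _walk(template.get(section, {}), (section,)):
            where = "/".join(str(p) for p in path)
            if key == "Ref":
                if value not in params and value not in resources and value not in PSEUDO_PARAMETERS:
                    errors.append(f"{where}: Ref to undefined {value}")
            elif key == "Fn::GetAtt":
                target = value[0] if isinstance(value, list) else str(value).split(".")[0]
                if target not in resources:
                    errors.append(f"{where}: Fn::GetAtt on undefined resource {target}")
    return errors


if __name__ == "__main__":
    for line in validate_template(BROKEN_TEMPLATE):
        print(line)
    print("valid:", validate_template(VALID_TEMPLATE))
```

The broken template yields exactly four errors (the dangling DependsOn, the unknown condition, the undefined Ref and the GetAtt on a missing resource) while the minimal template yields none. Because the checker is pure Python over the parsed document, the same function can be called from a unit test that loads every template in the repository, which is a cheap way to keep the "stable, tested version" label honest.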

Infrastructure as Code on AWS with Cloud Volumes ONTAP

NetApp Cloud Volumes ONTAP, the leading enterprise-grade storage management solution, delivers secure, proven storage management services on AWS, Azure and Google Cloud. Cloud Volumes ONTAP supports capacities of up to 368 TB and use cases such as file services, databases, DevOps or any other enterprise workload, with a strong set of features including high availability, data protection, storage efficiencies, cloud automation, Kubernetes integration, and more.

In particular, Cloud Volumes ONTAP provides Cloud Manager, a UI and APIs for management, automation and orchestration of storage services in your IaC project, supporting hybrid and multi-cloud architectures.


Want to get started? Try out Cloud Volumes ONTAP today with a 30-day free trial.
