DEV Community

Cover image for STOP USING THE AWS CONSOLE…use CloudFormation (IaC) instead
Jude Wakim
Jude Wakim

Posted on • Edited on • Originally published at Medium

STOP USING THE AWS CONSOLE…use CloudFormation (IaC) instead

#aws #cloudformation #infrastructureascode #tutorial

Scenario

Here’s a real-world scenario…imagine “Aurora Digital, an expanding online retailer specializing in luxury home goods, has decided to transition its digital operations to AWS to leverage cloud computing’s benefits. The company is experiencing significant growth and needs a solution that can handle increasing traffic and scale during major sales events without sacrificing performance or security.”

Now, your goal is to “help Aurora Digital implement a cloud-based infrastructure using AWS services, specifically focusing on scalability, security, cost-efficiency, and automation.” -Level Up In Tech, CDA03-CloudFormation

Objectives

Enhance Scalability: Automatically adjust computing resources to meet demand, ensuring the platform remains operational and responsive during peak traffic periods.

Increase Reliability: Improve website uptime and reduce the risk of failures associated with physical hardware and manual interventions.
Boost Security: Implement advanced security protocols and isolation through AWS to protect sensitive customer data and transactions.

Reduce Operational Costs: Lower overall infrastructure costs by optimizing resource usage and eliminating the need for upfront hardware investments.

Why use CloudFormation (IaC)

Automation: Reduce human error and free up developer time to focus on other tasks by automating the provisioning and management of a complex cloud environment.

Consistency: Ensure consistent environments are created every time, thereby eliminating the “it works on my machine” problem.
Version Control: Enhance collaboration among team members by allowing infrastructure to be version-controlled and reviewed as part of the application code.

Reusability: Reuse templates across the company or community, speeding up future deployments and ensuring best practices are followed.

Prerequisites

  • Be familiar with IaC
  • Be familiar with YAML
  • Be familiar with the AWS CLI
  • Have a text editor (I use VSC)

Create the Solution Architecture

So the first step when receiving an objective is designing the solution. Before you start building, you have to know what you are trying to build. To do that, it’s always best practice to create a diagram. I use Draw.io.

For this objective, we need to create a web server for Aurora Digital to host their website. We also need this web server to be automatically scalable in the event of spikes, secure to protect the company’s assets, and resilient in the event of disaster.

This architecture will have multiple EC2 instances, running Apache web server. It will have an auto scaling group to automatically scale the number of instances required to handle the traffic. This will make it scalable. The instances will be spread across three public subnets in three availability zones all within a VPC, making it resilient to any disasters in the area. We will use a load balancer to, guess what… balance the load, of traffic between the instances. This will help with the resilience because if one instance in one availability zone goes down, the auto scaling group will create another instance in another availability zone and if one instance is not performing well or getting overwhelmed with traffic, the load balancer will re-distribute the load to make sure we optimize the utilization of all the instances. Also, we will use security groups to restrict access to the web server only from the load balancer. There will be two security groups (the security group for the load balancer is not displayed in the diagram), one for the webservers that restricts inbound traffic to only allow HTTP traffic from the load balancer and another security group for the load balancer that allows HTTP traffic from anywhere. Doing this makes sure all traffic is routed through the same path, making it easier to control and secure.

Create the YAML Script

Now, that you have the diagram and you know what you are building, build it. Create the script using YAML or JSON ( I will use YAML).

Below is my complete YAML script that I created in Visual Studio Code (VSC).

#cda03-cloudformation AWSTemplateFormatVersion: "2010-09-09" Description: The CloudFormation template in YAML for CDA03-CloudFormation use case. Resources: #vpc CDA03VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.10.0.0/16 EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: CDA03VPC #subnet 1 CDA03PublicSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref CDA03VPC CidrBlock: 10.10.1.0/24 MapPublicIpOnLaunch: true AvailabilityZone: us-east-1a Tags: - Key: Name Value: CDA03PublicSubnet1 #subnet 2 CDA03PublicSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref CDA03VPC CidrBlock: 10.10.2.0/24 MapPublicIpOnLaunch: true AvailabilityZone: us-east-1b Tags: - Key: Name Value: CDA03PublicSubnet2 #subnet 3 CDA03PublicSubnet3: Type: AWS::EC2::Subnet Properties: VpcId: !Ref CDA03VPC CidrBlock: 10.10.3.0/24 MapPublicIpOnLaunch: true AvailabilityZone: us-east-1c Tags: - Key: Name Value: CDA03PublicSubnet3 #igw CDA03InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: CDA03InternetGateway #igw attachment AttachGateway: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref CDA03VPC InternetGatewayId: !Ref CDA03InternetGateway #route table CDA03RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref CDA03VPC Tags: - Key: Name Value: CDA03RouteTable #route to internet PublicRoute: Type: AWS::EC2::Route Properties: RouteTableId: !Ref CDA03RouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref CDA03InternetGateway # Subnet Route Table Associations Subnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref CDA03PublicSubnet1 RouteTableId: !Ref CDA03RouteTable Subnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref CDA03PublicSubnet2 RouteTableId: !Ref CDA03RouteTable Subnet3RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref CDA03PublicSubnet3 RouteTableId: !Ref CDA03RouteTable #key pair CDA03KeyPair: Type: AWS::EC2::KeyPair Properties: KeyName: cda03-keypair KeyType: rsa #launch template CDA03LaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateData: InstanceType: t2.micro KeyName: cda03-keypair ImageId: ami-0c02fb55956c7d316 # Amazon Linux 2 AMI ID (specific to region) SecurityGroupIds: - !Ref CDA03WebserverSecurityGroup UserData: Fn::Base64: | #!/bin/bash sudo yum update && sudo yum upgrade sudo yum install httpd -y sudo systemctl start httpd sudo systemctl enable httpd cd /usr/share/httpd/noindex/ chown apache:apache /usr/share/httpd/noindex/index.html chmod 644 /usr/share/httpd/noindex/index.html echo "hello world, from $HOSTNAME" | sudo tee /usr/share/httpd/noindex/index.html > /dev/null TagSpecifications: - ResourceType: instance Tags: - Key: Name Value: CDA03-ApacheInstance LaunchTemplateName: CDA03LaunchTemplate #webserver sg CDA03WebserverSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow HTTP access only from the ALB VpcId: !Ref CDA03VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 SourceSecurityGroupId: !Ref CDA03ALBSecurityGroup Tags: - Key: Name Value: CDA03WebserverSecurityGroup #asg CDA03ASG: Type: AWS::AutoScaling::AutoScalingGroup Properties: LaunchTemplate: LaunchTemplateId: !Ref CDA03LaunchTemplate Version: !GetAtt CDA03LaunchTemplate.LatestVersionNumber MinSize: 2 DesiredCapacity: 2 MaxSize: 5 VPCZoneIdentifier: - !Ref CDA03PublicSubnet1 - !Ref CDA03PublicSubnet2 - !Ref CDA03PublicSubnet3 TargetGroupARNs: - !Ref CDA03TargetGroup Tags: - Key: Name Value: CDA03ASG PropagateAtLaunch: true # Target Group CDA03TargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: CDA03TargetGroup Protocol: HTTP Port: 80 VpcId: !Ref CDA03VPC TargetType: instance HealthCheckEnabled: true HealthCheckPath: / HealthCheckIntervalSeconds: 30 HealthCheckTimeoutSeconds: 5 HealthyThresholdCount: 3 UnhealthyThresholdCount: 2 Matcher: HttpCode: 200 #alb CDA03LoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: CDA03ApplicationLoadBalancer Scheme: internet-facing Subnets: - !Ref CDA03PublicSubnet1 - !Ref CDA03PublicSubnet2 - !Ref CDA03PublicSubnet3 SecurityGroups: - !Ref CDA03ALBSecurityGroup Tags: - Key: Name Value: CDA03LoadBalancer #alb sg CDA03ALBSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow HTTP traffic from anywhere to ALB VpcId: !Ref CDA03VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 Tags: - Key: Name Value: CDA03ALBSecurityGroup #alb listener CDA03ALBListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - Type: forward TargetGroupArn: !Ref CDA03TargetGroup LoadBalancerArn: !Ref CDA03LoadBalancer Port: 80 Protocol: HTTP #outputs (dns url) Outputs: ALBDNSName: Description: "DNS name of the Application Load Balancer" Value: !GetAtt CDA03LoadBalancer.DNSName Export: Name: "ALBDNSName"
Enter fullscreen mode Exit fullscreen mode

Troubleshoot

Once I created the script, I used the AWS CLI to validate the code. In the terminal within VSC, I ran this command, aws cloudformation validate-template --template-body file://cda03-cloudformation-code.yml to see if the code was all correct and ready to be deployed.

This was my response:

“An error occurred (ValidationError) when calling the ValidateTemplate operation: Invalid template resource property ‘ALBDNSName’”

There was an error with the output. I wanted the CloudFormation stack to output the DNS name of the load balancer so I don’t have to look around for it. After a little troubleshooting, I realized I had the outputs block within the resource block. The outputs block is not a resource and is supposed to be on par with the resource block. So after a minor adjustment, I saved the changes to the file and ran the validation again.

Success

Now that the code is validated, and confirmed working. We can create the CloudFormation stack. You will need to run this command aws cloudformation create-stack --stack-name CDA03Stack --template-body file://cda03-cloudformation-code.yml and kick back and relax while CloudFormation creates everything. Wait a couple of minutes for all the services to finish provisioning.

If you try to query the stack for the load balancer DNS name before it is ready you will see a result of “none”, which just means it’s not done provisioning, so wait and try again.

Go to that address to confirm the web server is up and running. Make sure you use HTTP not HTTPS, because that is what we specified in the YAML code. Refresh the page a couple of times to verify that the load balancer is balancing between different instances.

Lastly, let’s confirm that you can only access the web server via the load balancer and not via the instance’s IP addresses directly. To find the instance’s IP addresses from the AWS CLI, use this command aws ec2 describe-instances --region us-east-1 to list all the instances in the us-east-1 region. The public IP address should be listed there, copy it and paste into a browser (using HTTP) to confirm that you cannot access the web server.

Congratulations!
If you followed along and reached this point, you should now see why IaC is better to use than manually creating everything in the console. You created a web server that is scalable, resilient, and secure, and you now can automate its creation process.

To delete the stack from the AWS CLI, use this command aws cloudformation delete-stack --stack-name CDA03Stack. You should not get any response from the terminal but wait a couple minutes until the entire stack gets de-provisioned.

Originally published on Medium

Find me in Linkedin

For similar projects, check out my Github

Top comments (0)