Merikanto

A flute and a sword were the ambition of a lifetime; fifteen years squandered on a reckless name

AWS - 12 CloudFormation & SAM

In the twelfth post of the AWS service components series, we're going to talk about two services that serve the purpose of Infrastructure as Code (IaC):

  • CloudFormation
  • SAM (Serverless Application Model)


CloudFormation

  • Easy way to create a collection of related AWS resources and provision them in an orderly and predictable fashion
  • Model your entire infrastructure in a JSON / YAML file (a template)
  • CF automates the provisioning and updating of your infrastructure in a safe and controlled manner. Rollback triggers let you specify CloudWatch alarms that CF monitors during a stack create or update; if any alarm goes into the ALARM state, CF rolls the whole operation back to the last successfully deployed state

  • Change sets: preview how proposed changes to a stack would affect your running resources (including whether a resource is updated in place or replaced) before you execute them
  • Stacks:
    • Manage related resources as a single unit
    • All the resources in a stack are defined by the stack's CF template
    • Drift detection: compare the live configuration of the stack's resources with the template and report the differences (e.g. a security group rule edited by hand in the console)
  • StackSets: provision a common set of AWS resources across multiple accounts and regions with a single CF template. StackSets takes care of automatically and safely provisioning, updating, or deleting stacks in multiple accounts and across multiple regions
  • Custom resources: CF lets you extend a template with resource types it does not support natively by backing them with a Lambda function (or an SNS topic). CF sends the Create / Update / Delete request to the function and waits for it to report success or failure
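As an added example (not code from the original post), here is a minimal Lambda-backed custom resource handler in Python. The resource itself is hypothetical (it uppercases a `Name` property and hands it back as an attribute); the part that matters is the response contract: CF waits for a PUT to the pre-signed `ResponseURL` it put in the event, so every code path, including an unhandled exception, must report `SUCCESS` or `FAILED`, otherwise the stack operation hangs until CF's timeout and the stack ends up in a `*_FAILED` state. The `send` function is injectable so the flow can be exercised offline.

```python
"""Lambda-backed CloudFormation custom resource handler (added example).

The resource is hypothetical: it derives an attribute from the "Name"
property. The response contract (fields, PUT to ResponseURL, empty
Content-Type) is the real one CloudFormation uses.
"""
import json
import urllib.request


def send_response(response_url, body):
    """PUT the JSON response to the pre-signed S3 URL CloudFormation gave us.

    The URL was pre-signed for an empty Content-Type, so the header must be
    sent empty; any other value makes S3 reject the PUT.
    """
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        response_url, data=data, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(data))},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def build_response(event, status, physical_id, data=None, reason=None):
    """Assemble the response document CloudFormation expects."""
    return {
        "Status": status,  # "SUCCESS" or "FAILED"
        "Reason": reason or "See the CloudWatch log stream for details",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": False,
        "Data": data or {},  # readable in the template via Fn::GetAtt
    }


def provision(event):
    """Business logic for Create / Update / Delete. Returns (physical_id, data)."""
    props = event.get("ResourceProperties", {})
    # Keep the physical ID stable across updates: returning a new one makes
    # CloudFormation send a Delete for the old resource after the update.
    physical_id = event.get("PhysicalResourceId") or f"demo-{event['LogicalResourceId']}"
    if event["RequestType"] == "Delete":
        # Hypothetical resource: nothing to tear down. Real handlers should treat
        # "already gone" as success here, or the stack can never be deleted.
        return physical_id, {}
    name = props.get("Name")
    if not isinstance(name, str) or not name:
        raise ValueError("property 'Name' is required and must be a non-empty string")
    return physical_id, {"UpperName": name.upper()}


def handler(event, context=None, send=send_response):
    """Lambda entry point. `send` is injectable so the flow can be tested offline."""
    try:
        physical_id, data = provision(event)
        body = build_response(event, "SUCCESS", physical_id, data)
    except Exception as exc:  # deliberately catch-all
        # Never let an exception escape: report FAILED so the stack rolls back
        # immediately instead of waiting for the custom resource timeout.
        physical_id = event.get("PhysicalResourceId") or f"demo-{event['LogicalResourceId']}"
        body = build_response(event, "FAILED", physical_id,
                              reason=f"{type(exc).__name__}: {exc}")
    send(event["ResponseURL"], body)
    return body
```

In a template the function is referenced through a `Custom::Something` resource whose `ServiceToken` is the function's ARN; everything else under the resource's properties arrives in `ResourceProperties`.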

CF & Beanstalk

  • EB provides an environment to deploy and run applications
  • CF is a general provisioning mechanism for AWS resources (EB itself creates its environments with CF under the hood)
  • Both EB and CF only deploy to AWS, NOT on-premises

Monitoring

  • CF is integrated with CloudTrail: CT records every CF API call (CreateStack, UpdateStack, DeleteStack, ...) as an event together with the caller identity, source IP and request parameters, so stack changes can be audited and alerted on
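As an added example (not from the original post), a small detector over CloudTrail records for CloudFormation calls, written in Python. The records are constructed here in the shape of a CloudTrail log file (`{"Records": [...]}` with `eventSource`, `eventName`, `userIdentity`, `requestParameters`, `errorCode`); the lowerCamelCase parameter names inside `requestParameters` (`stackName`, `roleARN`) follow CloudTrail's convention for API parameters and, like the approved role ARN, are assumptions of this example. Real input would come from the CloudTrail files in S3 or a CloudWatch Logs subscription.

```python
"""Detection over CloudTrail records for CloudFormation API calls (added example)."""
import json

# Constructed sample in the shape of a CloudTrail log file; not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"stackName": "prod-api",
                           "roleARN": "arn:aws:iam::123456789012:role/cfn-deploy-role"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "UpdateStack",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"stackName": "prod-api",
                           "roleARN": "arn:aws:iam::123456789012:role/AdminRole"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DeleteStack",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci/deploy"},
     "requestParameters": {"stackName": "prod-api"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DescribeStacks", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"stackName": "prod-api"}},
    {"eventTime": "2024-01-01T10:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "templates"}},
]})

# Assumption: the only service role(s) deployments are allowed to pass to CF.
KNOWN_SERVICE_ROLES = {"arn:aws:iam::123456789012:role/cfn-deploy-role"}


def load_records(log_text):
    """Parse one CloudTrail log file into its list of records."""
    return json.loads(log_text)["Records"]


def findings(records, known_roles=KNOWN_SERVICE_ROLES):
    """Return a list of findings (dicts with a 'rule' key) for CF-related records."""
    out = []
    for rec in records:
        if rec.get("eventSource") != "cloudformation.amazonaws.com":
            continue  # CT carries every service; only CF calls matter here
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        base = {
            "eventName": name,
            "actor": rec.get("userIdentity", {}).get("arn", "?"),
            "stack": params.get("stackName"),
            "time": rec.get("eventTime"),
        }
        # A service role outside the allowlist means the stack was operated with
        # permissions nobody reviewed (see the Security section on service roles).
        role = params.get("roleARN")
        if role and role not in known_roles:
            out.append(dict(base, rule="unapproved-service-role", role=role))
        # Successful stack deletions are rare enough in production to page on.
        if name == "DeleteStack" and not rec.get("errorCode"):
            out.append(dict(base, rule="stack-deleted"))
        # Denied CF calls are reconnaissance or a misconfigured principal.
        if rec.get("errorCode") == "AccessDenied":
            out.append(dict(base, rule="access-denied"))
    return out


if __name__ == "__main__":
    for f in findings(load_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['rule']:24} {f['eventName']:15} {f['actor']} stack={f['stack']}")
```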

Security

  • A service role is an IAM role (trusted by cloudformation.amazonaws.com) that allows CF to make calls to resources on your behalf. If you don't pass one, CF uses the permissions of the user or role that started the stack operation. The service role's permissions apply to every operation on the stack, so anyone allowed to update the stack with that role (and to iam:PassRole it) effectively gets those permissions: scope the role to the resources the template actually creates instead of granting administrator access
  • Don't hard-code secrets in templates: mark secret parameters NoEcho so they are masked in the console and API, or resolve them at deploy time with dynamic references to Secrets Manager or SSM Parameter Store
  • Improve security by configuring CF to use an interface VPC endpoint, so resources in private subnets (e.g. EC2 instances running the cfn-init / cfn-signal helper scripts) reach the CF API without leaving the AWS network; an endpoint policy can further restrict which actions are reachable through it



SAM

  • An open-source framework for building serverless applications (a template specification plus a CLI)
  • Shorthand syntax to express functions, APIs, databases, and event source mappings (JSON / YAML), enabled in a CF template with Transform: AWS::Serverless-2016-10-31
  • During deployment, the transform expands the SAM syntax into plain CF syntax: one AWS::Serverless::Function becomes the Lambda function, its execution role, the permissions and event source mappings it needs, so the result is an ordinary CF stack

SAM CLI

  • Lambda-like execution environment that lets you locally build, test, and debug applications defined by SAM templates (sam build, sam local invoke, sam local start-api)
  • Deploy your applications to AWS (sam deploy packages the code, uploads it, and creates and executes a CF change set for the stack)

Syntax

  • AWS::Serverless::Api
    • API Gateway REST API (stages, auth, CORS)
  • AWS::Serverless::Application
    • Embed another serverless application (from the AWS Serverless Application Repository or an S3 template URL) as a nested application, deployed as a nested stack
  • AWS::Serverless::Function
    • Config info for creating a Lambda function (code, runtime, handler, policies)
    • Describe any event source to attach: S3, DynamoDB Streams, Kinesis Data Streams, SNS, SQS, API Gateway, EventBridge schedules
  • AWS::Serverless::LayerVersion
    • Lambda layer version

Control access to APIs

1. Cognito user pool: a managed user directory; API Gateway validates the user pool's JWTs itself (COGNITO_USER_POOLS authorizer), no custom code needed

2. Lambda authorizer

  • A Lambda function that you provide to control access to your API. When your API is called, API Gateway invokes this function with the authorization token or the request context supplied by the client application; the function returns a principal ID and an IAM policy that allows or denies execute-api:Invoke on the requested method, and API Gateway caches that result for the configured TTL. Two types of authorizer:
    • Token-based: the identity is a single bearer token (JWT / OAuth access token) in a header, usually Authorization; the function must validate the signature, expiry, issuer and audience itself
    • Request parameter based: receives the caller's identity in a combination of headers, query string parameters, stageVariables, and $context variables (e.g. the source IP), so the decision can combine several inputs
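As an added example (not code from the original post), a token-based Lambda authorizer in Python for an API Gateway REST API. It verifies an HS256 JWT with the standard library only and returns the policy document API Gateway expects; the `request_handler` at the end shows the request-parameter variant, which only differs in where the identity is read from. `SECRET`, `ISSUER`, `AUDIENCE` and the `orders:read` scope are assumptions of the example: a real deployment reads the key from Secrets Manager or Parameter Store, or verifies an RS256 token against the identity provider's JWKS instead of a shared secret.

```python
"""Token-based Lambda authorizer for an API Gateway REST API (added example)."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret-do-not-use"  # assumption: demo key only
ISSUER = "https://issuer.example"             # assumption
AUDIENCE = "orders-api"                       # assumption


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret=SECRET):
    """Mint an HS256 JWT; used here only to construct input for the example."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token, secret=SECRET, now=None):
    """Return the claims of a valid token, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled, so alg=none or an
    # algorithm-confusion header must not change how the signature is checked.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims


def policy(principal_id, effect, resource, context=None):
    """Authorizer response: principal, IAM policy for execute-api:Invoke, context."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
        # Values here reach the integration as $context.authorizer.<key>
        "context": context or {},
    }


def handler(event, context=None, now=None):
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    token = event.get("authorizationToken", "")
    if not token.startswith("Bearer "):
        raise Exception("Unauthorized")  # API Gateway maps this message to HTTP 401
    try:
        claims = verify_token(token[len("Bearer "):], now=now)
    except ValueError:
        raise Exception("Unauthorized")
    # A Deny policy yields 403. API Gateway caches the returned policy per token for
    # the configured TTL and evaluates its Resource against later calls, so pinning
    # Resource to methodArn means the same token used on another route within the
    # TTL is rejected until the cache expires; widen Resource deliberately if needed.
    effect = "Allow" if "orders:read" in claims.get("scope", "").split() else "Deny"
    return policy(claims["sub"], effect, event["methodArn"],
                  {"sub": claims["sub"], "scope": claims.get("scope", "")})


def request_handler(event, context=None, now=None):
    """REQUEST authorizer variant: the identity comes from headers, query string
    parameters or stage variables instead of a single token field."""
    auth = (event.get("headers") or {}).get("Authorization", "")
    return handler({"methodArn": event["methodArn"], "authorizationToken": auth}, context, now)
```

Raising with the literal message `Unauthorized` is what makes API Gateway return 401 rather than 500 for a token-based authorizer; a malformed, expired, wrongly signed or `alg=none` token all end up there, while a valid token without the required scope gets an explicit Deny (403).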