If you have utilized AWS CloudFormation, you may have encountered scenarios where you’re tasked with constructing applications while adhering to established best practices for resource deployment. As you refine your templates, questions may arise regarding which resource properties require configuration and the appropriate values needed to comply with those best practices. During the application-building process, you might simply wish to implement best practices for a resource without delving into the intricacies of all available properties and their potential values.
To address this challenge, the CloudFormation team is pleased to announce the launch of CloudFormation modules. Modules are reusable building blocks that can be shared across CloudFormation templates and that behave like native CloudFormation resources.
These modules can represent a singular resource, such as best practices for configuring an Amazon Elastic Compute Cloud (Amazon EC2) instance, or encompass multiple resources to outline common application architecture patterns. Additionally, these modules can be nested within each other, allowing you to compile your best practices into more complex building blocks. For instance, you might create a module that establishes your organization’s standards for a Lambda function and then integrate that Lambda module into another module that delineates patterns for a serverless Amazon API Gateway implementation.
CloudFormation modules are accessible in the CloudFormation registry, enabling you to utilize them just like a native resource. A module’s resource type is suffixed in the CloudFormation registry with ::MODULE, making it straightforward to identify whether you are employing a module or a native registry resource. The parameters defined within the CloudFormation module become properties when using the ::MODULE resource type. When you implement a CloudFormation module, the module template is expanded into the consuming template, allowing you to reference the resources inside the module using Ref or Fn::GetAtt.
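The consuming side of that mechanism, as an added example (not from the original post): a template that uses the MyCompany::S3::Bucket::MODULE built later on this page as if it were a native resource. The module's parameters (KMSKeyAlias, ReadOnlyArn, ReadWriteArn) and its KmsKey resource are the names from the module fragment; the role parameters and the output are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Consume MyCompany::S3::Bucket::MODULE like a native resource
Parameters:
  ReaderRoleArn:
    Type: String
    Description: Existing role that only needs to read objects
  WriterRoleArn:
    Type: String
    Description: Existing role that needs to read and write objects
Resources:
  AppBucket:
    # The ::MODULE suffix marks this as a module from the registry;
    # the module's Parameters surface here as Properties.
    Type: MyCompany::S3::Bucket::MODULE
    Properties:
      KMSKeyAlias: ""                 # empty: the module creates no alias
      ReadOnlyArn: !Ref ReaderRoleArn
      ReadWriteArn: !Ref WriterRoleArn
Outputs:
  # The module is expanded into this template, and each resource inside it
  # gets the logical ID <ModuleLogicalId><ResourceLogicalId>, so the
  # module's KmsKey is addressed as AppBucketKmsKey with Ref or Fn::GetAtt.
  AppBucketKeyArn:
    Description: ARN of the KMS key created inside the module
    Value: !GetAtt AppBucketKmsKey.Arn
```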
Getting Started
You can create your CloudFormation modules in two primary ways:
- Utilize resource types, AWS::CloudFormation::ModuleVersion and AWS::CloudFormation::ModuleDefaultVersion, within a CloudFormation template.
- Employ the CloudFormation Command Line Interface (CLI). This method is recommended, as it provides a guided development experience. To install the CloudFormation CLI, follow these instructions.
Create Your First Module
A typical application necessitates an Amazon Simple Storage Service (Amazon S3) bucket, which comes with numerous configurable settings, including encryption, public access block configurations, and access control. In this example, we will create a restrictive bucket policy that limits access to the bucket while ensuring that traffic to it uses HTTPS. As you assess your organization’s standards, you may realize the number of configurations that need to be repeated each time you require an S3 bucket. By building this best practice S3 bucket module once, you can reuse it indefinitely, eliminating the need for additional work. This module can also be utilized to provision other AWS services that rely on the bucket created within the module.
Begin by creating an empty directory to house the module:
mkdir s3-module && cd s3-module
Next, initialize the folder for the module. When you run the init command, you choose between a resource and a module. When naming your module, make sure the name does not conflict with reserved names and ends with ::MODULE.
cfn init
Initializing new project
Do you want to develop a new resource(r) or a module(m)?
>> m
What's the name of your module type?
(<Organization>::<Service>::<Name>::MODULE)
>> MyCompany::S3::Bucket::MODULE
After executing this command, the following will be created:
- A fragments folder housing the CloudFormation template designated for the module.
- An .rpdk-config file containing details about the module, including its name.
- An rpdk.log file that logs activities from running cfn commands.
CloudFormation modules are compatible with both JSON and YAML templates. In this instance, we will utilize JSON. Delete the default JSON file in the fragments folder and create a new file named s3.json. You may only have one template within the fragments folder, so remove any examples generated by cfn init.
You will create the module and its resources in the s3.json file. This template will contain an S3 bucket, an AWS Key Management Service (AWS KMS) key for encrypting data stored in the bucket, and a bucket policy that restricts access to the bucket to the specified IAM roles while requiring encryption in transit. The Parameters section of the module template becomes the module's resource properties, and its Outputs are merged into the Outputs section of the template that uses the module.
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a S3 bucket that follows MyCompany's standards",
  "Parameters": {
    "KMSKeyAlias": {
      "Description": "The alias for your KMS key. If you leave this field empty, no KMS key alias is created alongside the key.",
      "Type": "String"
    },
    "ReadOnlyArn": {
      "Description": "ARN of an existing principal (role) that will be granted read-only access to the S3 bucket.",
      "Type": "String"
    },
    "ReadWriteArn": {
      "Description": "ARN of an existing principal (role) that will be granted read and write access to the S3 bucket.",
      "Type": "String"
    }
  },
  "Resources": {
    "KmsKey": {
      "Type": "AWS::KMS::Key"
    }
  }
}
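The bucket and the restrictive bucket policy the text describes, as an added example (not the original post's fragment) written in the YAML form of the same module template, meant to sit alongside KmsKey in Resources. KmsKey, ReadOnlyArn and ReadWriteArn are the names from the fragment above; the bucket's logical ID S3Bucket and the exact action sets granted to each role are assumptions.

```yaml
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:                  # encrypt at rest with the module's own key
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref KmsKey
      PublicAccessBlockConfiguration:    # no public ACLs or public policies
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # An explicit deny wins over every allow below: requests that do
          # not arrive over HTTPS are rejected for all callers.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource: [!GetAtt S3Bucket.Arn, !Sub "${S3Bucket.Arn}/*"]
            Condition:
              Bool:
                aws:SecureTransport: "false"
          # Only the two principals passed in as module properties get access.
          - Sid: ReadOnlyRole
            Effect: Allow
            Principal: { AWS: !Ref ReadOnlyArn }
            Action: [s3:GetObject, s3:ListBucket]
            Resource: [!GetAtt S3Bucket.Arn, !Sub "${S3Bucket.Arn}/*"]
          - Sid: ReadWriteRole
            Effect: Allow
            Principal: { AWS: !Ref ReadWriteArn }
            Action: [s3:GetObject, s3:PutObject, s3:DeleteObject, s3:ListBucket]
            Resource: [!GetAtt S3Bucket.Arn, !Sub "${S3Bucket.Arn}/*"]
```

Allow statements on their own do not stop other principals in the same account that already hold IAM permissions on the bucket; to make the restriction strict, add a Deny statement that uses NotPrincipal to exclude the two roles (and the account's administrative principals).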