Amazon AWS DevOps Engineer Professional – Configuration Management and Infrastructure Part 2

 

15. CloudFormation Rollbacks

Okay, so as we saw, our instance creation failed, and so we got a rollback. So, if you fail to create a stack using the create stack API, everything rolls back and everything is deleted by default. And so we can just look at the log within the cloud formation console, and so that basically means failure equals rollback. So that’s the parameter of the API: failure equals rollback. However, if we wanted to travel shoots, we would disable the rollback and manually travel shoots. And that’s called “failure equals do nothing,” and we’ll see how to set it through the console. So failure equals doing nothing, and that basically leaves everything as is. So, for example, our EC2 instance will not be deleted and we will be able to see it right away. And finally, if you want to get rid of the entire stack and not keep anything, you’ll do “failure equals delete” and it will just disappear right away for stack updates. If things fail, the stack will basically roll back automatically no matter what to the previous known working states.

And so you can only look at the log to see what happened as well as your error messages. So let’s have a look at how it works right now. So as you can see, our CFNsignal stack right here was in rollback complete, and basically everything was deleted. So if you go to resources and see this, everything is complete. Complete deletion, complete deletion. So for us, it’s not cool because we can’t really debug what goes on, for instance, to understand why it failed.

So what I’m going to do is now actually delete my stack, but everything was deleted underneath anyway, and I’m going to create a new stack, upload it, and use the same CFN signal failure stack, but this time I’m going to call it CFN signal failure. We’re not going back this time. So we’ll use a confirmation key pair, click on next, and then in the advanced options, here we go, rollback configuration. We can say monitoring time and so on, but in the stack creation option at the very bottom there’s rollback on failure, which is what actually interests us. And so right now, if the stack creation fails, should we roll back? No, we’ll disable it, and that should keep every resource created as is so we can debug. So let us return to the next point.

And now, as you can see, the rollback on failure is indeed disabled. So now we should be able to test out that use case. I’ll create the stack and pause until we get a failure. Okay, so this time we still didn’t receive any resource signals, so the create failed. And so if we go to our stacks, as we can see, we are in the create failed state, but if we go to our resources, they’re still there. So my EC2 instance and my SSH security group are still there.

They’re still in the process of being created. So now the cool thing is that I can go into this EC2 instance and see what’s going on and why things fail. So I’ll take the public IP, and I’ll be able to troubleshoot using SSH. So let me SSH into it. Great, I’m in there. And now I’ll just catch CFN VAR log, canine log, and, oh, here we go, we get a command. Hello, failed. And here we go. This is the problem. So, because we disabled rollback on failure, we can now troubleshoot our simple instance and figure out why it failed. And so yeah, that’s pretty cool. I like the idea of how these things work like this.

So you need to remember that for this to happen, for you to do your troubleshooting, you need to basically disable rollback on failure. And so yeah, we’ve done our debugging, and we know exactly why things failed. So now we must manually delete this tag in order for it to be removed, as well as the associated resources. So that’s it. I hope that makes sense for you. It’s always good to see things visually rather than just using slides. So I hope you enjoy it, and I will see you in the next year.

16. CloudFormation Nested Stacks

So let’s talk about confirmation nested stacks, because these can happen at the exam. So nested stacks are stacks within other stacks, hence the name “nested.” They essentially allow you to isolate a pattern or common components in two separate stacks and simply call them from other stacks. So if you know, for example, how to configure a load balancer really well and you want to reuse that configuration all across the board for your company, then instead of copying and pasting, you would isolate that load balancer into a nested stack and reference that from within your stack. Maybe it’s a security group; maybe that’s an SSH security group that you want to have a specific configuration for it. Maybe you want to isolate this into a nested stack. And so they’re considered best practices, and we’ll see how to use them in a second.

And so, by the way, if you wanted to update an existing stack, you would always update the parent first, then the root stack, and then everything would get updated from there. So that’s the idea. They can have their small questions at the exam. So let’s go take a look at how it works in practice. So let’s create a stack, and this one will be a template file, and that will be the seven-nested stack YAML. So before we do this, let’s take a look at what’s inside that file, obviously. So in this one, we have an SSH key; this is the key pair we’re going to use to SSH into our instance. And now the cool thing, though, is that we have a cloud formation stack as a type. So we have my stack within resources and the type of stack, which is the AWS cloud formation stack, and that is enough for you to declare a nested stack. So the properties are that you have to define a template URL, and so I use this template URL right here, which is the Lamp single instance template. So we could follow this link. So I’ll just copy this link so you can see what it is. So let’s go take a look in there.

And so this is just a template file; it’s in JSON format, but that doesn’t really matter. And so, as you can see, this has parameters. So there’s a key name, a database name, a database user, and all of these are parameters that we must pass, and then there’s a mapping that was defined, and then at the very bottom resources, it will create a webserver instance of type EC, two instances, and it will instal using cloud formation. So we can see cloud formation in it again. It will instal MySQL, HTTP, and PHP, as well as much more than is contained in the files.

It will basically create an entire HTML file in there, which is quite nice. So as you can see, the cloud formation in it can be used to do some pretty crazy stuff, and the installation goes on and on and on, and at the very end we still have services running and some commands to configure everything. So the cool thing is that now this stack won’t be copied and pasted into our stack; we’re just going to call it a nested stack. So let’s go have a look here. We’ll just use a template URL, and this will automatically pull in that stack for us, and we’ll pass in the parameters key name, DB name, DB user name, DB password, DB root password, instance type, and finally, when we want to SSH from it, the cool thing is that we can reference the output of this stack directly into our output value.

So, for example, by doing my stack outputs website URL, we can get an output from an ingested stack. So let’s go have a look because I think when we actually use it, it will make more sense. So here we go, we’re going to click Next. I’ll call it the “nested stack example,” and the SSH key will be the same as before. Click on Next, and then click on Create Stack. So the important thing is that within capabilities, it’s saying that because you’re using a US confirmation stack, you need to acknowledge that you might create IAM resources and also that you need to have this IAM capability auto-expand that you need because you need to expand the nested stack we just referenced. So we’ll just take these two boxes and click on “Create Stack.” Here we go. So now our thing is being initiated. So the cool thing is that now this stack itself will be created, and it’s been created in progress.

So if we go back to the stacks now, we can see that even though I uploaded only one file, a nested stack example, within this thing there was a new stack with a new stack name that was being created, and that is the whole file that I just showed you from before, which is right here. And so this stack is, as we can see, nested. So it says they are nested right here, and within them we can look at the events. And here we see the web server security group, the web server instance, and everything else being created as we speak, as well as a description.

So all these things are from within the nested templates. So now the only thing we have to do is just wait for the web server instance to configure itself. All right, so it looks like this nested stack has been completely created because the wait condition has received a success signal again. But now if we go back to my parents’ stack, which is called the parent stack, the main one, then if we go into resources, as we can see, we can get a create complete. And the events are that as soon as my nested stack is finished, we get a full create complete for the parent stack as well.

So the really cool thing is that if we go to outputs now, we get a URL to access our underlying easy-to-instance, and that comes directly as an output from the nested stack. So let’s go take a look. Welcome to the Austin cloud formation PHP sample, it says. And it says I connected to the local host successfully. So that’s pretty awesome. I mean, it’s just pretty basic, but it shows how nested stacks work. And then, most importantly, you’d never touch the nested stack, ever. You don’t update this directly. What you would do is update the parent stack, and so what we would do is delete everything; we’ll delete the parent stack, so I’ll delete the parent stack, and automatically my nested stack will get deleted as well. So that’s about it. Okay, I hope you enjoyed it, and I will see you in the next lecture.

17. CloudFormation ChangeSets

All right, so let’s quickly talk about change sets. So when you update a stack, maybe sometimes you want to be sure that the stack will update the way you want it. So maybe you want to have greater confidence. And for this, we use change sets and change that will tell us what happens but not whether or not it will work. So it’s not a way to just do QA and make sure, yes, there won’t be any failures. Change sets and changes that don’t work like this just help you understand that some things will change, some things will be deleted, and some things will be created. So let’s take an example. From the documentation, we have our original stack. We’re going to create a change set, and then we’re going to view that change set. So we’ll see what gets added, changed, or removed. And maybe optionally, we can create additional change sets if you want to refine our methodology.

And then, when we’re ready, we’re going to execute that change set and go get our updated confirmation templates. So that’s the idea, though. We’ve actually used ChangeSet without knowing beforehand. But here, we’re just going to formalize this in this lecture. So for this example, we’ll just use the zero, justice 2, and then the one SSgt with Seep YAML. So let’s go ahead. To begin, we will create a stack, upload our template, and it will be our zero, simply EC Two. Just like before, in the very, very beginning, I’ll call it the Stack CS Demo, and there are no parameters needed. I’ll go ahead and click on Next, and we’ll go ahead and click on Create Stack. So this will go ahead and create our EC2 instance for us. All right, so our stack has now been created. So, if I go to the change sets on the left, you can see that there are currently no change sets available. So we can click on here and create change sets directly for a Stack CS demo.

So another way we could do this is to go to stacks, then click on Stack CS Demo action and create change sets for current stacks. So, we have two options now: we can reuse the current template and simply change some parameters, or we can replace the current template with something new, or we can replace the current template with something new in Designer and upload what the new is. The new one is this one. Sgeip is one EC to two. So now we want to know what would happen if I were to apply this update to my template. So I’ll just create a description. I’ll call it FUBAR because I want to be quick. Okay, then we click on Next, and here we go. We have specified the template, and the parameters are FUBAR for the security group description.

And I’ll go ahead and say at the bottom, “Create change sets.” So we can describe it and, if we want, name it. I’ll click on “Create Change Sets” and here we go. Our chance set has now been created. So if we go to change set on the left hand side, as we can see, it says “Create Complete,” but it hasn’t been applied yet. Now let’s have a look at the inputs. The inputs are all the parameters and the things we’ve sent it before. The template is what we’ve just uploaded, and the JSON changes represent what is going to change. So the JSON changes are quite hard to read, to be honest. There’s very, very much verbosity. But if we go to the Changes tab and actually scroll at the bottom, we can see that it is going to add a server security group. Add an SSH security group. It’s going to modify my EC2 instance, and it’s actually going to replace it.

So it’s a replacement. True. So we will lose our current EC2 instance, and a new one will be created, and then it will add an EIP. And so the cool thing about this is that we can see beforehand if we are willing to make this change. Maybe I didn’t want my EC2 instance to get replaced, so maybe I don’t want to apply this. In my case, I don’t mind, so I’ll apply it. But this is why a set of changes will be helpful. So when you’re ready, you can either delete it or execute it. I will execute it, and basically, it just triggers an update that we already know. And so I’ll just wait for the update to be complete. But there are no surprises here. The cool thing, though, is that if you go back to changing sets now, it will show you the last executed chain set. But there is no new chance set to apply, so you have to create a new one if you want to update it. So that’s it. I’ll just wait a little bit and then delete that stack. But I won’t film that. I hope you understand how transfers work now, and I will see you in the next lecture.

18. CloudFormation DeletionPolicy

All right, let’s learn how to retain data after deletion so we can put something called a Deletion Policy on any resource we want to control what happens when the confirmation templates get deleted. So we can say that Deletion Policy Equals Retention, and we can specify it for any resource. And in that case, confirmation will preserve or backup that resource, which is kind of neat. And we can tell it to keep a resource; we’ll use Retain, and it works for anything: resources, nested stacks, whatever you want. There’s another one called “deletion policy equals snapshots.” And this one is quite cool because it only applies to EBS volumes, the Elastic ache cluster, replication groups, the resub instanced cluster, and the redshift cluster. But what we get is that the actual instance gets deleted for whatever I just named here, but it will make a snapshot just before deleting it. Hence, we can keep our data. So if you have a development environment and for some reason you want to delete the development environment but you want to keep the data for later use and analysis, maybe you want to use a deletion policy that equals snapshots. Finally, deletion.

Policy equals delete. That’s the default behavior. That’s what we would do. And by the way, there are a few other exceptions. For a DB cluster, the default policy is snapshots. But for the rest of the resources and confirmation templates, deletion policy equals delete. And if you wanted to delete an actor bucket, something you should know is that you first need to delete everything in that bucket and make it empty before you can delete the Esther bucket yourself. So let’s go take a look at how retaining data on deletes works. So I’m going to open the deletion policy.

YAML. In addition, we have a “My Security Group.” This is a security group that enables SSH access on port 22 from anywhere. And the deletion policy for this one is retain. So we won’t lose that security group when we delete our stack. And we have an EBS volume, and it’s an EC-2 volume. And the deletion policy this time is snapshots. And the properties are that the ability zone is going to be in USG 1A, the size is going to be 1GB, and it’s going to be a GB 2. So when we delete our stack, we should expect the security group to remain and the EBS volume to go away, but a snapshot to be made of it. So let’s go and create a stack. I will upload a template file, and I will choose my Deletion Policy stack. All right, excellent. Click on next, and I’ll call it the deletion policy.

And I’m really bad at writing right now, but whatever. And we’ll click on “next” and then “create stack.” And so very quickly for us, this will provision an EBS volume and a security group. So as we can see now, both my security group and my EBS volume are in the Create Complete stage. So in my resources If I refresh this, I have an EBS volume and I have a security group. So here they are. I’m going to close the rest. All right. Here’s my EBS. Volume 1GB. GP two.

And right here is my deletion, my security group. So now what I’m going to do is go to my stack, click on the stack name, and then click on “Delete Stack.” and this will delete the stack itself. So click on “delete.” And so, based on what we’ve seen before, when we delete a cloud formation stack, everything should go away. But because we have specified, if you remember, a deletion policy retained for the security group and snapshot for the EBC Two volume, we shall see a very different behavior. So let’s go take a look. Here we have a deletion in progress. And if we look at the events, as we can see, my EBS volume is getting snapshotted. So it is actually creating a snapshot for us. And my security group was in the process of being deleted. So this is kind of neat.

So now, if we can see, our volume for now is still here. But if I click on snapshots, we can see that there is a 1 GB snapshot that was created for me automatically by cloud formation. So let’s go back to the cloud formation stack and refresh everything. And so we can see now that the snapshot is in Create Complete. So now what should happen is that now that it is in Create Complete, my EBS volume should be in Delete In Progress. So it’s going to be deleted because it’s been snapshotted. So let’s go back to the volumes. And as we can see, we do not have any EBS volumes anymore because they have been deleted. So it’s a cool way to expose how things work.

And then finally, our entire stack is in the delete complete stage, so we have no more stacks to display. So the outcome of this is that we have a security group that is still there, and we have a snapshot that gets created for us for this EBS volume automatically. So what you need to remember, though, is that once you do these things well, you need to delete these things manually. So we’ll delete the snapshot manually to clean it up properly, and I’ll also delete the security group manually to delete it properly. But it’s quite a neat trick to see. Remember, we have a deletion policy, we keep snapshots, and we delete by default. All right, that’s it. I will see you at the next lecture.

19. CloudFormation TerminationProtection

very quick lecture. But if you wanted to protect your stacks against these accidental deletes, you could use something called “termination protection.” The same way we have it for easy two-instances, we also have it for confirmation templates. So let’s see how fast it works. All right, so I’m going to create a stack, and I will upload a template file, and I’ll just upload the very first one, just EC-2 YAML. Click on “next.” Click on “next.” I’ll just need to name it. I’ll name it Test and the next, and at the bottom, create a stack. So here we go.

We’re creating our stack, and as we know already, this is going to create yet another easy instance. Okay, so now our stack has been created, and as we can see, we’re in “create complete.” So if I go back to my stack, I am able to delete it, but I won’t this time. I will edit the termination protection and say right now it is disabled, but I will enable my termination protection so I can’t delete this accidentally. So let’s try to delete it right now. I say action, delete stack, and it says you can’t delete it because termination protection is enabled. So, in order to delete the stack, I’ll first disable the determination protection, and then after that, I can delete my stack. So that’s it; that’s all I want to show you in this quick one, but I hope that was helpful, and I will see you in the next lecture.