Saturday, 4 January 2020

AWS Cloudformation LAB Part3






In the previous posts, we succeeded in getting the Linux web server running via a template in CloudFormation. Now we want to add in support for SSH access from the internet to the Linux Instance. Luckily AWS has designed their product around the ability to just update whats changed, rather than having to tear it down and rebuild it all again with the updated configuration.

To do this, go to the Update option in the CloudFormation stack page.


From here we want to select Edit template in designer, and then View in Designer, so we can access the existing template that is currently active.


This will take us back in to the designer. Click on the PublicSecurity resource, and make sure you have YAML mode on and that you are in the Component tab for the SecurityGroup resource.

Add in the following addition text to the SecurityGroupIngress:
        # --- This opens the SSH port on the SecurityGroup from any source inbound
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0



Once added, you can then click on the Cloud with Arrow icon top left, to then publish this update.


Chose Next at each of the following screens to keep all the other existing setting the same, then this will take you back to the Stack building page. As you can see from the progress, only the SecurityGroup is updated, and the rest of the design is left as is (so its fast).

Now you will be able to SSH to your web server ! Note you will need to login using your .pem file that you created when you setup the keypair for this LAB. A basic guide from AWS can be found HERE.

The updated LAB YAML template can be downloaded from HERE

So that's it - you are now well on your way with CloudFormation ! I hope you enjoyed the posts, and take them as just the start to continue your AWS development and usage.

The AWS CloudFormation guide can be accessed HERE, and has some really good details on design, usage, and sample snippets that you can add in to your own templates.

AWS Cloudformation LAB Part2


In the previous post, we used designer to create the LAB we wanted in a simple graphical way. Now we will go in to the template parts and add in the parameters we need to join it all together.

In the designer, click on each resource below, then in the template section at the bottom of the screen click the Components TAB (making sure you are in YAML mode as per the button on the right. JSON will work - but the scripts I am using are in YAML so you need to enter it as YAML first then you can convert it to JSON). Delete the initial {} next to the Properties: string if it is present.

Resource:
     VPC
Add to Properties:
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      # --- this configures the private subnet block for the whole VPC
      CidrBlock: 10.0.0.0/16
      Tags:
        -
          Key: 'Name'
          Value: 'CloudFormation WebServer'

Result sample:

Resource:
    Subnet
Add to Properties:
      # --- this configures the specific subnet within the VPC we will be working with
      CidrBlock: 10.0.0.0/24
      Tags:
        -
          Key: 'Name'
          Value: 'CloudFormation WebServer'

Resource:
     Route
Add to Properties:
     # --- this configures a default route outbound to the IGW
     DestinationCidrBlock: 0.0.0.0/0

Resource:
      ACLIN
Add to Properties:
      # --- this configures no traffic blocking for inbound traffic via the ACL
      CidrBlock: 0.0.0.0/0
      Egress: 'false'
      PortRange:
        From: '0'
        To: '65535'
      Protocol: -1
      RuleAction: Allow
      RuleNumber: 100

Resource:
      ACLOUT
Add to Properties:
    # --- this configures no ACL blocking for outbound traffic
    CidrBlock: 0.0.0.0/0
      Egress: 'true'
      PortRange:
        From: '0'
        To: '65535'
      Protocol: '-1'
      RuleAction: Allow
      RuleNumber: 100

Resource:
      PublicSecurity
Add to Properties:
      # --- this permits port 80 inbound to the web server from any source
      GroupDescription: Web Ingress Group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
      Tags:
        -
          Key: 'Name'
          Value: 'CloudFormation WebServer'

Resource:
      IGW
Add to Properties:
      Tags:
        -
          Key: 'Name'
          Value: 'CloudFormation WebServer'

Resource:
      wwwInstance
Delete all the existing text below Properties, and replace with:
      # --- !Ref is a variable, and this one references the AMI type we chose at the start
      InstanceType: !Ref 'InstanceType'
      ImageId: !Ref LatestAmiId
      # --- this variable holds the Key Pair for the Linux server access (which you need to create BEFORE the CloudFormation template is run)
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - GroupSet:
            - Ref: PublicSecurity
          SubnetId: !Ref Subnet
          AssociatePublicIpAddress: 'false'
          DeviceIndex: '0'
          DeleteOnTermination: 'true'
      Tags:
        -
          Key: 'Name'
          Value: 'CloudFormation WebServer'
      # --- this is the script that will be run on the wwwInstance once it is spun up, to enable http and a string to show on the screen for success !This is the part I consider the secret of this script, as it runs the required setup on the linux server so its ready for use once completed
      UserData:
        'Fn::Base64': !Sub >
          #!/bin/bash -xe

          sudo yum update -y 

          sudo yum install httpd -y 

          sudo systemctl start httpd 

          sudo systemctl enable httpd

          echo "<html><body><p><h1 align=center>Congrats - you have a working
          web server !!</h1></body></html>" > /var/www/html/index.html

Resource:
      Overall Template (click outside the VPC to get to this section)
Add to Parameters:
  # --- each of these variable are choices we will get at the start that go into the template
  LatestAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
  InstanceType:
    Description: 'Enter t1.micro, t2.micro, or t3.micro. Default is t3.micro.'
    Type: String
    Default: t3.micro
    AllowedValues:
      - t1.micro
      - t2.micro
      - t3.micro
  KeyName:
    Description: Name of an EC2 KeyPair to enable SSH access to the instance.
    Type: 'AWS::EC2::KeyPair::KeyName'
    ConstraintDescription: must be the name of an existing EC2 KeyPair.

Add to Outputs (to the right of Parameters and Mappings):
  # --- these options will display once the CloudFormation template has completed running
  CloudInfo:
    Value: 'Here are some sample outputs from CloudFormation:'
  FQDN:
    Description: Public DNS for web server
    Value: !GetAtt wwwInstance.PublicDnsName
  InstanceID:
    Description: The Instance ID
    Value: !Ref wwwInstance


Once that's all entered, you can chose the Tick at the top left to 'Validate template', then click Create Stack next to the tick to launch ! This will take you through a few screens to Create the stack - chose next to each, select a name for the Stack (e.g. CloudForm-LAB), an instance type, and the keypair name (this needs to have been created prior via EC2 - KeyPairs - for OpenSSH), and then Next, Next and Create stack.



This will take you to the creation screen, where you can click the Circle Arrow to watch the setup of all resources. If all is well, after about 2 mins it will say CREATE_COMPLETE on the left.


If you get a ROLLBACK_IN_PROGRESS and CREATE_FAIL, just scroll down to see what the issue was that failed the template. Then you can DELETE the Stack, and once that's cleared go back in and edit the template issue and run again.

Once it has completed, click on the Outputs link to get the public DNS for the web server, so you can test if its working.




If all is correct, simply copy the FQDN address to your web browser, and you should see (note it may take a minute from when the lab finished until the httpd is running):

Congrats - you have a working web server !!

Perfect ! You have just automated a full AWS VPC environment that is templated and can be rebuilt any time.

Click HERE to download the full template used in this LAB

Now we want to be able to SSH to this instance, but we forgot to enable port 22 as part of the secuirty rule set. In the next post, we will load an updated template to fix that and allow us to SSH in to the linux server for further changes.


AWS Cloudformation LAB Part1

  


AWS Cloud is so much more than just a cloud storage provider, something I learnt well during my Masters when for my final (capstone) subject in 2019 I wrote a paper on AWS and its emerging applications. I am presently working through study for the AWS Certified Solution Architect Professional certification, and one of many features that is covered is Cloud Formation.

Cloud Formation is an AWS tool that allows you to script a complete environment to be setup (and as we will see - then change it) via a template design, rather than manually setting up all the components. Great for something that you need to roll out in a repeated (or scalable) fashion, and then have the ability easily to remove all the components once done with the project, so you don't have to go in to each area and delete each resource (and possible leave some resource(s) in place costing you wasted money!).

In our LAB here we will go through and initially build a Linux instance with a web server within a VPC, with internet access via a public IP. A similar walk through from AWS on this design can be found here:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/working-with-templates-cfn-designer-walkthrough-createbasicwebserver.html

In our case we will make some slightly different options and methods, as well as use the GUI Designer to make it a bit more graphical and easy to understand what is connecting to where for the resources. Once the lab is build, then we can go to the template editor and add our options/parameters in to the YAML code and build it.

The design we will create looks like this:


So lets get started !

The components we need to make up our lab are:

  1. A VPC to encompass the instance, rules and routes
  2. A EC2 linux instance to run the web server
  3. In and Out ACL rules
  4. An Inbound Security Group
  5. An EIP
  6. An Internet Gateway
It may be worth building this in a region NOT where you currently have resources - just to make it easier to identify which resources are part of the LAB, and being able to trouble shoot or delete resources easily if anything goes wrong with the automatic method.

You will need to log in to your AWS account, and go to CloudFormation (just search it on the main home page). Once in to the CloudFormation page, click on Create stack, then Create template in Designer. You should now be in the drag-n-drop designer, where we can place our resources and build our connections.

From here you can build templates in virtually all AWS services - for us on the left go to EC2. All the resources we will use for this LAB are located under this heading.


As per the above design picture, you now need to add in a VPC. Within the VPC add a SecurityGroup, a Route Table (then a Route inside the RouteTable), a Subnet (then an instance inside the subnet) and a NetworkACL (with 2 NetworkACLEntries inside it).
Outside the VPC add an EIP and an Internet Gateway.

Once that's setup, you should have something looking like this:


You can download the template up to this stage from HERE

To make things easier, from here go through and rename a few of the resources, just so they make more sense when you read the template.

Right click on the following resources, click on the Eye picture, then in the box at the bottom of the screen chose YAML on the right and Components at the bottom tab, and change the name below the 'Resources' line:



  • InternetGateway: IGW (just type over the EC2IG2UXKH string in the example above)
  • EIP: EIP
  • ROUTE: Route
  • Left ACL entry: ACLIN
  • Right ACL entry: ACLOUT
  • SecurityGroup: PublicSecurity
  • Instance: wwwInstance
  • Subnet: Subnet
Now when we look at the diagram (and later the template) the references will be a bit clearer. You can do ALL the resources if you want - but at a minimum I have done the above.

Last thing for this section is to link the resources together. For this you will use the purple and pink dots around each resource. If you hover your mouse over each one around a specific resource, you will find it relates to different functions. Link the following by putting your mouse over the relevant dot around the resource, click and drag it to the related resource, as per the following:
  • EIP - to wwwInstance
  • wwwInstance - 'SecurityGroup' to PublicSecurity
  • NetworkACL - 'SubnetNetworkAclAssociation' to Subnet
  • RouteTable - 'SubnetRouteTableAssociation' to Subnet
  • Route - 'InternetGateway' to IGW
  • IGW - 'VPCGatewayAttachement' to VPC
  • Route - 'Depends on' link 'VPCGatewayAttachement to VPC'
We have now completed the designer part of the setup, with resources and links in place, ready for the parameters to be configured. Your image should look something like the one at the top of this post. Note I will publish the complete template at the end of the series.

You can download the updated template from HERE

In Part2 we will look at setting up the required options in the template to then allow us to build the LAB !