Note after long time: The reason that I used that technique was using for implementation in Cloudformation but after time I realized that solution is getting hard to maintain. Solution is easy and still usable but after that time I recommend to use Terraform for same action.
Cloudformation is good and official way to create your own infrastructure while using AWS. It supports almost all1 of AWS services to create, delete and making special configurations on services which they offer.
Even if I don’t like to write CloudFormation sometimes it’s necessary. In this blog post, I tried to explain how to use all features of AWS with Ansible and Cloudformation together.
Why we have to use Cloudformation
- It supports new services faster than compare to third parties(Ansible, Troposphere, Terraform)
- Native language of AWS
- Supports by AWS
- So you can send ticket to get help in so many situations
- Maybe a little more secure compared to others
- There is not another additional layer or third party code to reach AWS API’s
Why we don’t have to use Cloudformation
- In my opinion, it’s not Infrastructure as Code
- The reason of why I am thinking like that. Every IaC language has to give the same output even structure has been changed from outside. In this situation, CFN is not good because It says if you create some resource by using me. Don’t touch it anymore2.
- For Example, If somebody changed our ACL rules to 0.0.0.0/0 you will not know before that you are going to check from a console3.
- Try it it’s true(Timestamp 05.09.2017)
- The reason of why I am thinking like that. Every IaC language has to give the same output even structure has been changed from outside. In this situation, CFN is not good because It says if you create some resource by using me. Don’t touch it anymore2.
- It’s really hard to write
- There are no loops.
- While creating security groups or similar things need it.
- JSON
- Not even case, It worse than seeing ghost.
- YAML is still hard.
- Still, I couldn’t find good YAML indentation checker(Fn::BLABLA makes problem)
- There are no loops.
- Documentation is hard
- Really there is so many option and parameter that you have to read and understand how it works.
Solution
We already complained so much. Let’s now care about solution :). Are we going to use CFN. Absolutely yes!.
Show me the code
We will use ansible which creates Cloudformation template.Advantages
-
- To using CFN and cli solution together. This will help us to use all new features which is not in CFN yet and improving our environment via Infrastructure as Code perspective.
- Loops
- Ansible with Jinja2
- Loops
- Security groups exampleThere is example which we use to create security groups
123456789101112131415161718192021222324252627282930313233343536373839404142434445{% for ingress in security_group['ingress_rules'] %}r{{ loop.index }}IngressTo{{ security_group['name'] }}From{{ ingress['description'] }}{{ ingress['from_port'] }}To{{ ingress['to_port'] }}:Type: AWS::EC2::SecurityGroupIngressProperties:GroupId:Ref: r{{ security_group['name'] }}IpProtocol: {{ ingress['proto'] }}FromPort: {{ ingress['from_port'] }}ToPort: {{ ingress['to_port'] }}{% if ingress['cidr_ip'] is defined %}CidrIp: {{ ingress['cidr_ip'] }}DependsOn:- r{{ security_group['name'] }}{% else %}SourceSecurityGroupId:Ref: r{{ ingress['group_name'] }}DependsOn:- r{{ security_group['name'] }}- r{{ ingress['group_name'] }}{% endif %}{% endfor %}{% for egress in security_group['egress_rules'] %}r{{ loop.index }}EgressFrom{{ security_group['name'] }}To{{ egress['description'] }}{{ egress['from_port'] }}To{{ egress['to_port'] }}:Type: AWS::EC2::SecurityGroupEgressProperties:GroupId:Ref: r{{ security_group['name'] }}IpProtocol: {{ egress['proto'] }}FromPort: {{ egress['from_port'] }}ToPort: {{ egress['to_port'] }}{% if egress['cidr_ip'] is defined %}CidrIp: {{ egress['cidr_ip'] }}DependsOn:- r{{ security_group['name'] }}{% else %}SourceSecurityGroupId:Ref: r{{ egress['group_name'] }}DependsOn:- r{{ security_group['name'] }}- r{{ egress['group_name'] }}{% endif %}{% endfor %}{% endfor %}
- Security groups exampleThere is example which we use to create security groups
This is just small part of creating security groups You can look here how to create security groups in a better way.
Last words
I hope that I could explain Ansible VS Cloudformation articles are not an option and solution. Give a chance to them hug each on of them.