{"id":27149821,"url":"https://github.com/jliscom/sample-cloudformation","last_synced_at":"2025-04-08T13:20:04.933Z","repository":{"id":148150595,"uuid":"97908423","full_name":"JLiscom/Sample-CloudFormation","owner":"JLiscom","description":"Some thoughts/patterns for CloudFormation.","archived":false,"fork":false,"pushed_at":"2017-09-16T05:07:20.000Z","size":57,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-08T13:19:50.112Z","etag":null,"topics":["aws","cloudformation"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JLiscom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-07-21T05:14:32.000Z","updated_at":"2017-09-18T17:24:26.000Z","dependencies_parsed_at":"2023-06-01T09:45:58.872Z","dependency_job_id":null,"html_url":"https://github.com/JLiscom/Sample-CloudFormation","commit_stats":null,"previous_names":["jliscom/sample-cloudformation"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLiscom%2FSample-CloudFormation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLiscom%2FSample-CloudFormation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLiscom%2FSample-CloudFormation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JLiscom%2FSample-CloudFormation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/owners/JLiscom","download_url":"https://codeload.github.com/JLiscom/Sample-CloudFormation/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247847610,"owners_count":21006100,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloudformation"],"created_at":"2025-04-08T13:20:04.071Z","updated_at":"2025-04-08T13:20:04.917Z","avatar_url":"https://github.com/JLiscom.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sample-CloudFormation\n\n## Naming scheme\nI recommend always prefixing stack names and exports with the environment the stack is part of, e.g. `Prod-Web`, `Dev-DB`, `...`. This lets you group environments together and avoid name collisions.\n\nFor CloudFormation files, use `.cf.yml` or `.cf.json` as the extension to indicate that the file is a CloudFormation template. `.template` is a generic term that is, or could be, used for other things, and editors cannot tell what format a `.template` file is in, so they cannot provide syntax highlighting.\n\n`.cf.yml` and `.cf.json` also have a benefit over plain `.yml` and `.json`: you can see at a glance that the file is a CloudFormation template. Many projects have lots of configuration files, so this saves you a few accidental clicks and makes the templates easier to find.\n\n## Variables\nDo not go crazy with parameters. Use parameters only for things that actually differ between environments. Keep it simple.\n\nUse stack exports to track backplane information such as the VPC and subnets. By combining the naming convention with an environment parameter, you can reference the exported outputs to retrieve environment-specific information.\n\n## Format\nUse YAML for the CloudFormation you write. [It is so much better](https://www.trek10.com/blog/cloudformation-yaml-and-why-its-awesome/). YAML is better when humans are writing CloudFormation; if you are using a pre-parser that generates the template for you, it matters less.\n\nYAML is a superset of JSON [[1]](https://stackoverflow.com/questions/1726802/what-is-the-difference-between-yaml-and-json-when-to-prefer-one-over-the-other). For CloudFormation, you can convert back and forth with an [AWS-provided tool](https://github.com/awslabs/aws-cfn-template-flip).\n\nUse `Sub` instead of `Join` to concatenate variables and text. It is newer and better.\n\n## Patterns\n### Producer/Consumer pattern\nTo control connectivity between resources, I generally do not recommend IP-based security group (SG) rules, except where they are broad (summary masks), e.g. the public subnet is allowed to access this, or this VPC is allowed to access this.\n\nFor fine-grained control, use a security group as a bus to mediate connectivity. Buses are used in computing to connect components with the minimum number of interconnection points. This method is sometimes called `access security groups`.\n\n![](images/producer-consumer.png)\n\nIn the above diagram, each resource has the following security groups attached to it.\n\n| Resource | Security Groups |\n| --- | --- |\n| Bastion | Bastion SG, Bastion Bus SG |\n| Web App | Web App SG, DB Bus SG |\n| DB | DB SG |\n\nIn this model, a consumer is a member of the bus group; membership allows the resource to reach the producer across the bus.\n\nA producer allows inbound access from the bus SG.\n\nThis may seem backwards at first. Think of the DB: the DB is a producer and the web app consumes the database. Somewhat oddly, the bastion is a consumer of the management traffic that the web app produces.\n\nBy default, a network interface can have up to 5 security groups attached [[1]](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html#vpc-limits-security-groups), which is more than enough for complicated solutions. The limit can be increased to 10, with some restrictions on the number of entries per group.\n\nYou can see examples of this in the templates in this repo.\n\n## Why should you listen to me\n- I have 3 AWS certs, one of which is pro level.\n- I work in Professional Services, so I basically do the same thing over and over with dozens of clients. This is the best way I have found to wire stuff up. This is open source, so if you have a better way please open an issue or a pull request.\n- I have a classic Computer Science background. I prefer simplicity and first-principles thought. Buses are used by hardware engineers over something like a full wire mesh due to simplicity and economic constraints. All I have done is realize you can do that with security groups.\n\n## License\n© 2017 - Distributed under the MIT License\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjliscom%2Fsample-cloudformation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjliscom%2Fsample-cloudformation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjliscom%2Fsample-cloudformation/lists"}