1
00:00:00,510 --> 00:00:03,840
Hello and welcome back to our last lecture about CloudFormation.

2
00:00:03,840 --> 00:00:05,410
So let's talk about nested stacks.

3
00:00:05,430 --> 00:00:11,210
Nested stacks: creating or calling a stack or a template from within another template.

4
00:00:11,250 --> 00:00:16,030
So nested stacks are stacks that create other stacks. Why would I use it?

5
00:00:16,080 --> 00:00:22,830
I could have a large template that is going to launch a stack, and within this template I, or the

6
00:00:22,830 --> 00:00:25,640
resulting stack, need to use that multiple times.

7
00:00:25,650 --> 00:00:32,160
So instead of writing the attributes and the properties for that multiple times, why don't I just call

8
00:00:32,160 --> 00:00:38,410
the stack that launches it for me in the resulting bigger stack.

9
00:00:38,610 --> 00:00:44,520
So to create a nested stack you use a resource under CloudFormation, which is the Stack resource,

10
00:00:44,880 --> 00:00:45,750
in your template.

11
00:00:45,750 --> 00:00:49,900
Use it in your template to call or reference other templates within your template.

12
00:00:49,900 --> 00:00:53,880
So one big template calls different smaller templates.

13
00:00:53,880 --> 00:00:59,400
Think about programs, when you have modules where you have functions that you can call. You use nested stacks to

14
00:00:59,400 --> 00:01:02,010
reuse common template patterns.

15
00:01:02,010 --> 00:01:08,220
And as your infrastructure grows, common patterns can emerge in which you declare the same components

16
00:01:08,220 --> 00:01:11,760
in each of your templates, like, it could be auto scaling.

17
00:01:12,360 --> 00:01:16,840
You can separate out the common components instead of having them within

18
00:01:16,890 --> 00:01:21,000
the mother template, and create dedicated templates for them.

19
00:01:21,150 --> 00:01:27,480
That way you can mix and match different templates, but use nested stacks to create a single bigger unified

20
00:01:27,570 --> 00:01:27,960
stack.

21
00:01:27,960 --> 00:01:33,900
Let's talk about cross-stack references, which I think I have also touched on briefly.

22
00:01:34,050 --> 00:01:38,390
When do you use it? You use it to export shared resources.

23
00:01:38,390 --> 00:01:43,620
So when you organize your elements and resources based on lifecycle and ownership, and instead of including

24
00:01:43,650 --> 00:01:51,390
all of your resources in one stack you create related resources in separate stacks, then you can reference them

25
00:01:51,420 --> 00:01:52,140
from one another.

26
00:01:52,140 --> 00:01:53,930
So one will be exporting.

27
00:01:53,940 --> 00:01:59,460
Remember when we looked at the ImportValue function in intrinsic functions, we looked at exporting

28
00:01:59,460 --> 00:02:01,580
from one and importing from the other one.

29
00:02:01,590 --> 00:02:03,660
So when do you use the cross-stack references?

30
00:02:03,790 --> 00:02:08,440
You use it to export resources from a stack so that other stacks can use them.

31
00:02:08,450 --> 00:02:13,920
So how can the other ones import? Using the function, the ImportValue function, as we saw before.

32
00:02:14,040 --> 00:02:18,600
And that's how one will be exporting and the other one will be importing.

33
00:02:18,690 --> 00:02:24,090
So let's take an example. Let's say for example you have a network stack, and the network stack or template

34
00:02:24,120 --> 00:02:30,540
has the VPC, security group and a subnet for a public web application, and a separate public web application

35
00:02:30,540 --> 00:02:31,110
stack.

36
00:02:31,320 --> 00:02:33,130
So I have two templates, two stacks.

37
00:02:33,120 --> 00:02:38,040
One will take care of the VPC, security group and subnet, and the other one will be the web application

38
00:02:38,040 --> 00:02:45,800
stack that will include the web application part, so it can include the Lambda functions, it can include

39
00:02:45,800 --> 00:02:48,770
the EC2 instances, the ECS containers, so on and so forth.

40
00:02:48,780 --> 00:02:52,230
Fine, but now, when we are done with that, what do they have at the end?

41
00:02:52,230 --> 00:02:55,910
I would have the VPC created from stack number one.

42
00:02:55,980 --> 00:02:57,040
Right.

43
00:02:57,060 --> 00:02:57,930
This is number two.

44
00:02:57,920 --> 00:03:01,920
So this is the web app and this is the infrastructure.

45
00:03:01,920 --> 00:03:06,240
So the VPC is right there, and then I have the security group and the subnet.

46
00:03:06,270 --> 00:03:07,680
This is my security group.

47
00:03:07,710 --> 00:03:08,650
I have all that.

48
00:03:08,760 --> 00:03:13,500
But the application stack, the application guys, the application team or the application developers, they

49
00:03:13,500 --> 00:03:20,670
need to run the other template such that it's going to run the EC2 instances inside that

50
00:03:20,690 --> 00:03:27,240
subnet, right, to run the web app, and also it needs to use the security group in order

51
00:03:27,240 --> 00:03:30,300
to apply it to these EC2 instances.

52
00:03:30,300 --> 00:03:35,460
So in order to ensure that the web applications that will be launched in the EC2 instances use the security

53
00:03:35,460 --> 00:03:42,810
group and subnet from the network stack, what do I do? You need a cross reference, or cross tag, or cross-

54
00:03:42,880 --> 00:03:49,230
stack reference, that allows the web application stack, which is run by the web application developers

55
00:03:49,230 --> 00:03:53,570
or the application developers, to reference the resource outputs from the network stack.

56
00:03:53,570 --> 00:03:57,620
What will be the resource outputs? When I run the network stack I'm going to get a VPC.

57
00:03:57,620 --> 00:03:58,910
I'm going to get a security group.

58
00:03:58,920 --> 00:04:00,490
I'm going to get a subnet, right.

59
00:04:00,690 --> 00:04:01,470
So what do I need?

60
00:04:01,470 --> 00:04:07,910
I need the VPC ID, I need the security group ID, I need the subnet ID, such that I can launch EC2 instances

61
00:04:07,920 --> 00:04:14,250
and then I can reference, in the ImportValue function, the ID of that security group and VPC to apply

62
00:04:14,250 --> 00:04:20,910
it, to create the instance within the subnet based on the subnet ID, apply the security group to it, inside

63
00:04:21,000 --> 00:04:21,720
the VPC.

64
00:04:21,720 --> 00:04:27,750
So with that cross reference, owners of the web applications don't need to create or maintain networking

65
00:04:27,750 --> 00:04:31,950
rules or assets, exactly like what happens today.

66
00:04:32,420 --> 00:04:35,420
Exactly like what happens on premises.

67
00:04:35,880 --> 00:04:42,560
Some security best practices for CloudFormation: only allow specific templates and stack policies.

68
00:04:42,580 --> 00:04:43,770
What do you mean here?

69
00:04:43,850 --> 00:04:49,020
And remember when we said that when you are going to create a stack, then you need to define

70
00:04:49,020 --> 00:04:50,400
the template that will be used.

71
00:04:50,520 --> 00:04:50,980
Right.

72
00:04:51,150 --> 00:04:56,900
So you can limit it to only specific templates and stack policies that you have configured and have control over,

73
00:04:56,910 --> 00:05:03,190
so you can provide the URL, and this is the only thing that will be allowed to be created. That template will

74
00:05:03,190 --> 00:05:06,650
be created for those specific groups of IAM users.

75
00:05:06,700 --> 00:05:11,800
And also, when you come to that, it could be the application development team, where you will allow them

76
00:05:11,800 --> 00:05:16,930
only to deal with EC2, but they have nothing to do with S3, or they have nothing to do with RDS;

77
00:05:16,940 --> 00:05:19,080
that will be for the rest of the team.

78
00:05:19,180 --> 00:05:26,680
So you can restrict what resource types the IAM principals can create, and which IAM principals, depending

79
00:05:26,680 --> 00:05:32,660
on the group. So the group will have rights on RDS, creating RDS and Multi-AZ and all that.

80
00:05:32,660 --> 00:05:38,170
The storage team will have rights on S3, creating buckets and all that; the application and development

81
00:05:38,230 --> 00:05:43,560
team will have EC2 and EBS and so on and so forth, whatever has to do with EC2.

82
00:05:43,610 --> 00:05:44,380
All right.

83
00:05:44,470 --> 00:05:47,770
So restrict what resource types an IAM principal can create.

84
00:05:47,770 --> 00:05:48,190
Why?

85
00:05:48,180 --> 00:05:52,390
Because you don't want someone who is supposed to launch an EC2 instance to end up launching EC2

86
00:05:52,430 --> 00:05:59,590
instances and auto scaling groups and ELBs and ELBs and security groups and NACLs and so on and so

87
00:05:59,590 --> 00:06:05,830
forth, so you have to be careful about who does what through IAM permissions. And remember, whoever

88
00:06:05,830 --> 00:06:13,780
creates a template, that template cannot do more than what the permissions of this user can do.

89
00:06:14,110 --> 00:06:21,790
But if you define an IAM role and then embed it when you are creating the stack, then whatever permissions

90
00:06:21,790 --> 00:06:27,220
are in that same role will apply for what resources can be created, what can be deleted, and so on and so forth.

91
00:06:27,220 --> 00:06:30,120
OK, how about CloudTrail and SNS?

92
00:06:30,250 --> 00:06:34,750
So CloudFormation integrates with CloudTrail, and as we mentioned before, if logging is enabled and

93
00:06:34,750 --> 00:06:39,660
you define a bucket for CloudTrail to deliver the logs, it will not only send the CloudFormation logs, it's

94
00:06:39,670 --> 00:06:44,230
going to send every single call that CloudFormation is going to make, even to the other AWS

95
00:06:44,230 --> 00:06:49,750
services, the steps during processing the stack, whether it has succeeded or it has failed.

96
00:06:49,750 --> 00:06:55,440
If you are deleting one, then all these API calls will be logged in your history

97
00:06:55,440 --> 00:06:57,660
record that you have defined when you enabled that.

98
00:06:57,730 --> 00:07:05,140
Also, CloudTrail can send events to SNS for notification purposes, so when CloudFormation will

99
00:07:05,140 --> 00:07:11,680
create a stack, delete the stack, so on and so forth, it can be integrated with SNS for notifications

100
00:07:11,680 --> 00:07:12,140
for that.

101
00:07:12,250 --> 00:07:15,160
So that was it about CloudFormation, I hope it is clear now.

102
00:07:15,310 --> 00:07:16,570
So let's take a break now.

103
00:07:16,580 --> 00:07:16,770
Thank you.
