Profile picture
, 10 tweets, 2 min read
My Authors
Read all threads
When doing infra as code, you want to plan your deploys around what infra state—that is, resource graphs—you want to achieve, not around what graph manipulation your tooling restricts you to. To that end, here's a maturity model for CloudFormation support for AWS services 1/10
Stage 1: CloudFormation support at launch, for every launch. For cloud-native customers, if it's not in CloudFormation, it doesn't exist. This should be table stakes at this point. But it's not, so let's make it a milestone. 2/10
But CloudFormation support at launch isn't the real story. CloudFormation resource designs are constrained by the underlying control plane API of the service, and these are often designed long before CloudFormation support is even thought about. 3/10
What defines a good control plane API design? One that has no functionality that cannot be accessed through CloudFormation. But further than that, one in which *advanced* CloudFormation usage is planned for and well-supported. Let's see what that looks like: 4/10
Stage 2: Any (control plane) state of the service is representable in a single CloudFormation template (setting aside limits on number of resources).
Lambda, API Gateway, and Kinesis are among services that fail this test. 5/10
Stage 3: It is possible to achieve any (control plane) state of the service in a single stack operation. You can move from any resource graph to any other graph without an defining an intermediate graph or arbitrary dependencies. DynamoDB fails this test. 6/10
Stage 4: The service's resources are designed to allow decoupled management of the service according to common use cases (e.g., managing primary definition and operational parameters as separate resources, so they could be deployed by separate dev and ops teams) 7/10
Very few CloudFormation resources look like Stage 4. Lambda's recent decision to have provisioned concurrency as a separate set of APIs is a start, though it did not show up in the same way in CloudFormation. 8/10
Note that Stage 4 implies engaging customers very early on to understand how they would want to manage a theoretical service or feature. It may also mean being more willing to make API changes in beta. 9/10
The move to open source resource provider development is great, but it also implies that resource design happens after the API is fixed, which means you're going to be stuck in Stage 1. CloudFormation resource design needs to happen in concert with API design. 10/10
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Ben Kehoe

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ben11kehoe see all

Profile picture
Ben Kehoe
@ben11kehoe
Over 15 years after launch, SQS:ListQueues is finally paginated. (Note: the SDKs may not be updated yet) docs.aws.amazon.com/AWSSimpleQueue…
Shoutout to APIs like IAM:ListAccountAliases, which are paginated despite being defined to return a list with exactly one element.
and by god I will paginate my calls to ListAccountAliases too github.com/benkehoe/aws-w…
Read 3 tweets
Profile picture
Ben Kehoe
@ben11kehoe
AWS SSO has a naming problem. It’s going to quickly be the best way to enable access into AWS *using your own Single sign on identity provider for authentication.* Its capability to be an IdP or single sign on provider to other apps is not where its value lies for most people 1/
Today, you need your IdP to understand everything about access into AWS—the mapping of people to accounts and roles, because that information needs to get packaged up in a SAML assertion. Size limits on the SAML assertion make sensible multi-account setups hard. 2/
AWS SSO moves those mappings into AWS. Authentication uses your IdP—you sign into your own single sign on system, but the SAML that gets sent over is just your identity; the access you’re granted is maintained in AWS SSO. 3/
Read 10 tweets
Profile picture
Ben Kehoe
@ben11kehoe
AWS has been adding a lot of features to use OAuth directly with API Gateway, skipping Cognito Identity Pools and AWS IAM. I think this is regressive. A lot of useful functionality is coming out of it, but we should hope to get that IAM-side instead.
For example, using OAuth, you can define allowed scopes on a given route (resource+method). Now you've got attribute-based access control in your app. Great! Except all the excellent tooling around AWS IAM is no longer available to you.
Or, you can use a Lambda authorizer to create a policy based on the token contents. It's super flexible, you can accomplish complicated authorization scenarios. But now you own the authorization system, including all the security monitoring and operations associated with that.
Read 8 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!