AWS Plugin

The AWS plugin enables you to use Cloudify to manage Cloud resources on AWS. The currently supported resource types are described below.

For information about the library, click here.

Plugin Requirements

Compatibility

The AWS plugin uses the Boto 2.38 client.

AWS Plugin Configuration

The AWS plugin requires credentials and endpoint setup information in order to authenticate and interact with AWS.

Providing Credentials as Secrets

It is recommended that you store your credentials as secrets. You can do this using the CLI. Secrets can then be accessed inside your blueprints, as follows:

 network:
    type: cloudify.aws.nodes.VPC
    properties:
      aws_config:
        aws_access_key_id: { get_secret: aws_access_key_id }
        aws_secret_access_key: { get_secret: aws_secret_access_key }
        ec2_region_name: { get_secret: ec2_region_name }
        ec2_region_endpoint: { get_secret: ec2_region_endpoint }
      use_external_resource: true
      resource_id: { get_secret: vpc_id }
      cidr_block: N/A
 

See Common Properties for more information on the aws_config dictionary.
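The following pre-deployment check enforces the recommendation above. It is an added example, not code from the plugin or from Cloudify: it walks a blueprint that has already been parsed into a dictionary and reports every aws_config credential that is not a get_secret reference. The names audit_blueprint, is_secret_ref and SAMPLE_BLUEPRINT are hypothetical, the sample values are constructed, and node_templates is assumed to be the blueprint section holding the nodes.

```python
# Added example: audit a parsed Cloudify blueprint for aws_config credentials
# that are not resolved through get_secret. Parsing the YAML is left to the caller.
CREDENTIAL_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def is_secret_ref(value):
    """True only for the intrinsic-function form { get_secret: <non-empty name> }."""
    return (isinstance(value, dict) and list(value) == ["get_secret"]
            and isinstance(value["get_secret"], str) and value["get_secret"] != "")


def audit_blueprint(blueprint):
    """Return sorted (node, key, problem) tuples for credentials not read from a secret."""
    findings = []
    for name, node in (blueprint.get("node_templates") or {}).items():
        aws_config = (node.get("properties") or {}).get("aws_config")
        if aws_config is None:
            continue  # no aws_config on this node: nothing to audit here
        if not isinstance(aws_config, dict):
            findings.append((name, "aws_config", "not a dictionary"))
            continue
        for key in CREDENTIAL_KEYS:
            value = aws_config.get(key)
            if key not in aws_config or is_secret_ref(value):
                continue
            problem = "literal value" if isinstance(value, str) else "not a get_secret reference"
            findings.append((name, key, problem))
    return sorted(findings)


# Constructed sample: "network" follows the secrets pattern shown above;
# "my_ec2_instance" embeds a literal key and a { name } mapping (parsed as name: null).
SAMPLE_BLUEPRINT = {
    "node_templates": {
        "network": {"type": "cloudify.aws.nodes.VPC", "properties": {"aws_config": {
            "aws_access_key_id": {"get_secret": "aws_access_key_id"},
            "aws_secret_access_key": {"get_secret": "aws_secret_access_key"},
        }}},
        "my_ec2_instance": {"type": "cloudify.aws.nodes.Instance", "properties": {"aws_config": {
            "aws_access_key_id": "EXAMPLE-ACCESS-KEY-ID",  # constructed placeholder
            "aws_secret_access_key": {"aws_secret_access_key": None},
        }}},
    }
}

if __name__ == "__main__":
    for finding in audit_blueprint(SAMPLE_BLUEPRINT):
        print("%s: %s is %s" % finding)
```

Running the check in a CI step before blueprints are uploaded keeps literal keys out of version control and out of stored deployments.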

Providing Credentials as Environment Variables that are not Stored as Secrets

If you do not use secret storage, you must provide the following credentials as environment variables:

      aws_config:
        aws_access_key_id: { aws_access_key_id }
        aws_secret_access_key: { aws_secret_access_key }
        ec2_region_name: { ec2_region_name }
        ec2_region_endpoint: { ec2_region_endpoint }
      resource_id: { vpc_id }
      cidr_block: N/A
 

Terminology

Types

This section describes the node type definitions. Nodes describe resources in your Cloud infrastructure. For more information, see node type.

Common Properties

All Cloud resource nodes have common properties:

Properties

Each time that you manage a resource with Cloudify, one or more clients are created using the AWS API. You specify the configuration for these clients using the aws_config property. The property must be a dictionary, with the following values:

Your AWS API access credentials
Click here for more information.

Region information:

See the cloudify.datatypes.aws.Config data type definition in the plugin.yaml for the plugin. Note that availability_zone and region are not synonymous, and that availability_zone is not part of the AWS configuration.

cloudify.aws.nodes.Instance

Derived From: cloudify.nodes.Compute

Properties:

Example

This example demonstrates how to add more parameters, tag an instance name, and define the aws_config.

  my_ec2_instance:
    type: cloudify.aws.nodes.Instance
    properties:
      image_id: ami-abcd1234
      instance_type: t1.micro
      parameters:
        placement: us-east-1
      name: my_ec2_instance
      aws_config:
        aws_access_key_id: ...
        aws_secret_access_key: ...
        ec2_region_name: us-east-1
...

Mapped Operations:

Attributes:

See the common Runtime Properties section.

The create function also sets the reservation_id attribute. For information, click here.

The following additional runtime_properties are available on node instances of this type, after the cloudify.interfaces.lifecycle.start operation succeeds.

Additional

To use the instance in a VPC, you must connect the instance to a subnet using the cloudify.aws.relationships.instance_contained_in_subnet relationship.

cloudify.aws.nodes.WindowsInstance

Derived From: cloudify.aws.nodes.Instance

Use this type when working with a Windows server. It has the same properties and operation mappings as cloudify.aws.nodes.Instance, but overrides some of the agent and plugin installation operation mappings derived from the built-in cloudify.nodes.Compute type.

The default value for the use_password property is overridden for this type, and is set to true. In this case, the password of the Windows server is retrieved, decrypted and stored under the password runtime property of this node instance.

cloudify.aws.nodes.KeyPair

Derived From: cloudify.nodes.Root

Properties:

Mapped Operations:

Attributes:

See the common Runtime Properties section.

cloudify.aws.nodes.SecurityGroup

Derived From: cloudify.nodes.SecurityGroup

Properties:

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Additional

Note that, to create a security group in a VPC, you must connect the security group to the VPC using the cloudify.aws.relationships.security_group_contained_in_vpc relationship.

cloudify.aws.nodes.Volume

Derived From: cloudify.nodes.Volume

Properties:

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Note that the ID of the volume in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.ElasticIP

Derived From: cloudify.nodes.Root

Properties:

Mapped Operations:

Attributes:

See the Runtime Properties section.

Note that the actual IP is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.ElasticLoadBalancer

Derived From: cloudify.aws.nodes.ElasticLoadBalancer

Properties:

Mapped Operations:

Attributes:

See the Runtime Properties section.

Note that the ID of the load balancer in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.VPC

Derived From: cloudify.nodes.Network

For more info on VPC, click here.

Properties:

Mapped Operations:

Attributes:

See the Runtime Properties section.

Note that the ID of the VPC in AWS is available via the aws_resource_id runtime-property. When a VPC is created, it receives several default attachments. Cloudify assigns a runtime property for the original DHCP options set, called default_dhcp_options_id. Note that this is not necessarily the current DHCP options set.

cloudify.aws.nodes.Subnet

Derived From: cloudify.nodes.Subnet

Properties:

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Note that the ID of the subnet in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.Gateway

Derived From: cloudify.nodes.Root

Note that this is a base type for InternetGateway, VPNGateway and CustomerGateway. It is not to be used directly.

cloudify.aws.nodes.InternetGateway

Derived From: cloudify.aws.nodes.Gateway

Properties:

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Note that the ID of the internet gateway in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.VPNGateway

Derived From: cloudify.aws.nodes.Gateway

Properties:

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Note that the ID of the VPN gateway in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.CustomerGateway

Derived From: cloudify.aws.nodes.Gateway

Properties:

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Note that the ID of the customer gateway in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.ACL

Derived From: cloudify.nodes.Root

Properties:

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Note that the ID of network_acl in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.DHCPOptions

Derived From: cloudify.nodes.Root

Properties:

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Note that the ID of the DHCP option set in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.RouteTable

Derived From: cloudify.nodes.Root

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Note that the ID of the route_table in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.Interface

Derived From: cloudify.nodes.Port

Mapped Operations:

Attributes:

See the common Runtime Properties section.

Note that the ID of the network_interface in AWS is available via the aws_resource_id runtime-property.

cloudify.aws.nodes.SecurityGroupRule

Derived From: cloudify.nodes.Root

Properties:

cloudify.aws.nodes.SecurityGroupRule.Multi

Derived From: cloudify.aws.nodes.SecurityGroupRule

Mapped Operations:

Additional

Note that, to create a security group circular dependency, you must connect the SecurityGroupRule.Multi node to the security group that contains it using the cloudify.aws.relationships.rule_contained_in_security_group relationship, and to the security group it depends on using the cloudify.aws.relationships.rule_depends_on_security_group relationship.

Relationships

See the relationships section.

The following plugin relationship operations are defined in the AWS plugin:

Types Common Behaviors

Validations

All types provide the same base functionality for the cloudify.interfaces.validation.creation interface operation:

Runtime Properties

See the runtime properties section.

Node instances of any of the types defined in this plugin are set with the following runtime properties during the cloudify.interfaces.lifecycle.create operation:

Default Resource Naming Convention

If use_external_resource is set to true in the blueprint, the resource_id must be that resource’s ID in AWS, unless the resource type is a key pair, in which case the value is the key’s name.

Using Existing Resources

You can use existing resources on AWS, regardless of whether they have been created by a different Cloudify deployment or outside of Cloudify.

All Cloudify AWS types have a property named use_external_resource, for which the default value is false. When set to true, the plugin applies different semantics for each of the operations executed on the relevant node’s instances:

The following behavior is common to all resource types:

The following behaviors are unique:

Account Information

The plugin requires access to your aws_access_key_id and aws_secret_access_key in order to operate. Read about your AWS Boto configuration here.

Tips