GPWM Project

What's GPWM?

GPWM are the initials for Gwynedd Purves Wynn-Aubrey Meredith's

For the few who don't yet know, Major GPW Meredith, of the Seventh Heavy Battery of the Royal Australian Artillery was the veteran commander of the Australians against the Emus in the bloody Emu War of 1932.

Here we honor his courage, sacrifice, and life-story by aptly naming an infrastructure-as-code DSL wrapper tool after his legacy.

The great GPW Meredith - Australian Hero

Evil Emu - Enemy Of The State

Major GPW Meredith... Father, patriot and true hero. Lest we forget!

Infrastructure as Code

The idea behind this is to allow for small, re-usable, independent, and readable infrastructure building blocks that different teams (networking/security/application) can own without affecting others, and allowing microservices in different cloud provider accounts and environments to be created just by modifying a set of values given to a template. Three main components make up the system:

• Consumables: A YAML-like template rendered through a Python’s Mako engine that results in a CF template.
• Stacks (input values): A YAML file representing values that will be fed to a template (similar to the –cli-input-json option in the AWS CLI).
• Script: Interpolates the input values of a stack with a consumable and executes an action with the resulting rendered stack: creates, deletes, render, etc.

Cloudformation, GCP Deployment Manager, Azure Resource Manager and pretty much any infrastructure DSL out there have a few small deficiencies that makes it somewhat hard to build reusable, concise, and easy to read templates, for
example:

• No “for loops”.
• No high-level data structures like dictionaries or objects as variables.
• No ability to run custom code locally.
• Exports/Imports for linking stacks impose a hard dependency between stacks.

To address these shortcomings, the tool first uses a higher-level templating engine (Mako or Jinja) to provide a richer and featureful text processing capabilities to the provider's DSL before compliling into the provider's native DSL and sending the resulting stack to the cloud provider.

This is not an abstraction layer like Terraform. The resulting template is a native AWS Cloudformation stack, or GCP/ARM deployments.

Stack Types

For documentation specific to the provider of choice:

• AWS
• Azure
• GCP
• Shell

Examples

Usage

pip install gpwm

# Configure authentication with AWS (assuming a CLI profile already exists)
export AWS_DEFAULT_PROFILE=some-profile
export AWS_DEFAULT_REGION=us-west-2

# Getting help
python3 gpwm.py --help

# Specify a build ID
export BUILD_ID="SOME_BUILD_ID"  # for example "$(date -u +'%F-%H-%M-%S')-$BITBUCKET_COMMIT"

# prints a rendered stack on the screen
python3 gpwm.py render aws/stacks/vpc-training-dev.mako
python3 gpwm.py render google/deployments/instance.mako

# Creates the stack/deployment in with the cloud provider
python3 gpwm.py create aws/stacks/vpc-training-dev.mako
python3 gpwm.py create google/deployments/instance.mako

# Deletes the stack/deployment from the cloud provider
python3 gpwm.py delete aws/stacks/vpc-training-dev.mako
python3 gpwm.py delete google/deployments/instance.mako

# Updates an existing stack/deployment in the cloud provider
python3 gpwm.py update aws/stacks/vpc-training-dev.mako
python3 gpwm.py update google/deployments/instance.mako

# Updates a stack with review (change set) - AWS only
python3 gpwm.py update aws/stacks/vpc-training-dev.mako -r

# The template path/url specified in the stack/deployment file
# will be prepended by GPWM_TEMPLATE_URL_PREFIX (if set).
# This can be used to enforce the use of company-certified templates, for
# when used with a deployment pipeline tool such as Jenkins
export GPWM_TEMPLATE_URL_PREFIX=s3://my-s3-bucket/subfolder
python3 gpwm.py create aws/stacks/vpc-training-dev.mako

# Stack files can be fed via stdin (-t option must be used).
# Very handy when another tool is creating the stack file on the fly
cat my-stack.txt | python3 gpwm.py create -t jinja -
some-script.sh | python3 gpwm.py create -t jinja -

AWS

Stack

<%
    stack_type = "vpc"
    team = "demo"
    environment = "dev"
%>
StackName: ${stack_type}-${team}-${environment}
TemplateBody: examples/consumables/network/vpc.mako
Parameters:
  team: ${team}
  environment: ${environment}
  cidr: 10.0.0.0/16
  nat_availability_zones:
    - {"name": "a", "cidr": "10.0.0.0/28"}
    - {"name": "b", "cidr": "10.0.0.16/28"}
Tags:
  type: ${stack_type}
  team: ${team}
  environment: ${environment}

Template

##
## Owner: networking
##
## Dependencies: None
##
## Parameters:
##   - team (required): The team owning the stack
##   - environment (required): The environment where the stack is running on (dev, prod, etc)
##   - cidr (required): The CIDR for the VPC
##   - nat_availability_zones (required): A list of dictionaries representing the CIDR and
##     availability zone for the default NAT gateways:
##     - name (required): Availability zone name ("a", "b", "c"...)
##     - cidr (required): the CIDR NAT gateway's subnet.
##
AWSTemplateFormatVersion: "2010-09-09"
Description: VPC stack for ${team}-${environment}

Resources:
  VPC:
    Type: "AWS::EC2::VPC"
    Metadata:
      Name: ${team}-${environment}
    Properties:
      CidrBlock: ${cidr}
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - {Key: team, Value: ${team}}
        - {Key: version, Value: ${environment}}
        - {Key: Name, Value: ${team}-${environment}}

  InternetGateway:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - {Key: team, Value: ${team}}
        - {Key: type, Value: ${environment}}
        - {Key: Name, Value: ${team}-${environment}}

  VPCGatewayAttachment:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      VpcId: {Ref: VPC}
      InternetGatewayId: {Ref: InternetGateway}

  RouteTablePublic:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: {Ref: VPC}
      Tags:
        - {Key: team, Value: ${team}}
        - {Key: type, Value: ${environment}}
        - {Key: Name, Value: ${team}-${environment}-public}

  Route:
    Type: "AWS::EC2::Route"
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: {Ref: RouteTablePublic}
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: {Ref: InternetGateway}

  % for az in nat_availability_zones:
  SubnetAZ${az["name"]}:
    Type: "AWS::EC2::Subnet"
    Properties:
      VpcId: {Ref: VPC}
      CidrBlock: ${az["cidr"]}
      AvailabilityZone: {"Fn::Sub": "<%text>$</%text>{AWS::Region}${az["name"]}"}
      MapPublicIpOnLaunch: false
      Tags:
        - {Key: team, Value: ${team}}
        - {Key: type, Value: ${environment}}
        - {Key: Name, Value: ${team}-${environment}-nat-${az["name"]}-public}

  RouteTableAssociationAZ${az["name"]}:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: {Ref: SubnetAZ${az["name"]}}
      RouteTableId: {Ref: RouteTablePublic}

  RouteTablePrivateAZ${az["name"]}:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: {Ref: VPC}
      Tags:
        - {Key: team, Value: ${team}}
        - {Key: environment, Value: nat}
        - {Key: Name, Value: ${team}-${environment}-private-${az["name"]}}

  EIPNATAZ${az["name"]}:
    Type: "AWS::EC2::EIP"
    Properties:
      Domain: vpc

  NatGatewayAZ${az["name"]}:
    Type: "AWS::EC2::NatGateway"
    Properties:
      AllocationId: {"Fn::GetAtt": [EIPNATAZ${az["name"]}, AllocationId]}
      SubnetId: {Ref: SubnetAZ${az["name"]}}

  RoutePrivateAZ${az["name"]}:
    Type: "AWS::EC2::Route"
    Properties:
      RouteTableId: {Ref: RouteTablePrivateAZ${az["name"]}}
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: {Ref: NatGatewayAZ${az["name"]}}

  % endfor

Why should I use this tool?

Amazon popularized the concept of "infrastructure as code" by proving a declarative, standardized way for their users to describe what their infrastructure should be like. Now, most reputable cloud providers offer their own versions of templated, declarative resource managers:

• AWS: Cloudformation
• Google Cloud: Cloud Deployment Manager
• Azure: Resource Manager
• Openstack: Heat
• Hashicorp: Terraform

In this context, stacks or deployments are text files that are processed through a templating engine of choice, and must result in a YAML file after processing. As of now, Mako and Jinja are supported, with raw JSON and YAML in the roadmap, though if using the latter two, there's really no reason to this tool, just use the provider's own CLI/SDK

These stacks are meant to represent resources in the cloud provider of choice, either:

• Via the cloud provider's own declarative language which, describes the final state of the infrastructure
• Via commands or API calls used to get to that final states, ie the procedural approach. The procedural approach should be used only when there's really no other way of managing resources via a declarative approach

At this point, these types of stacks/deployments are supported:

• AWS (declarative)
• Azure (declarative)
• GCP (declarative)
• Shell (procedural)

Regardless of the provider, the design principles for this tool are:

• Never abstract, or dumb-down the cloud provider's native resource manager DSL, only enhance it
• Use and operation of the tool should be easy for mere mortals
• Never race the provider for features. We are going to lose
• Simplicity, flexibility, and reusability: Allow for small, focused stack/deployment building blocks that can be reused and loosely connected with other deployments, without having to deploy a massive tightly coupled group of resources
• Never mix concepts and constructs from different cloud providers, eg AWS VPC is not the same as Azure vnet. Related to abstraction mentioned above, for maximum flexibility and efficiency, we want to be able to tune every knob of a resource. And this can only be done, if we treat every resource natively
• Assume that we know better than the cloud provider about how their infrastructure should be managed
• The code should avoid the more complex and obscure Python idioms, so people can understand and change the code more easily.

With the guidelines above, the tool always attempts to provide the cloud provider's look-and-feel for the syntax/constructs of the stacks/deployment files: An AWS Clouformation stack looks like Cloudformation; an ARM deployment file looks like ARM, etc. To illustrate, in AWS, the variable and section names used in a CFN stack are UpperCamelCase, in Azure they are lowerCamelCase, and GCP uses snake_case (Python-like). This tool tries hard to keep that spirit, so not to throw off users already familiar with a particular cloud provider's DSL.

Why a higher level template engine? And why Mako as default?

A text templating engine extends the functionality of a CFN template or any other text file by allowing "for loops", the use of more complex data types like dictionaries and objects, and overall better readability by not having to deal with CFN's hard-to-read intrinsic functions. On top of that, Mako allows for inline python code right inside the template.

Mako is the default because it's very easy to define simple blocks of python code inside the template, making it a very powerful tool. But to simplify the lives of the folks familiar to Ansible, Saltstack, and others, Jinja is also supported, but be warned that it's just not as flexible as Mako.

Development

Follow the guidelines in the development page

Contacts

• Gustavo Baratto: gbaratto AT gmail