Automate the creation of Amazon WorkSpaces Applications resources using AWS CloudFormation - AWS Prescriptive Guidance

Ram Kandaswamy, Amazon Web Services

Summary

This pattern provides code samples and steps to automate the creation of Amazon WorkSpaces Applications resources in the AWS Cloud by using an AWS CloudFormation template. The pattern shows you how to use a CloudFormation stack to automate the creation of your WorkSpaces Applications application resources, including an image builder, image, fleet instance, and stack. You can stream your WorkSpaces Applications application to end users on an HTML5-compliant browser by using either the desktop or application delivery mode.

Prerequisites and limitations

Prerequisites

  • An active AWS account

  • Acceptance of the WorkSpaces Applications terms and conditions

  • Basic knowledge of WorkSpaces Applications resources, such as fleets, stacks, and image builders

Limitations

  • You can’t modify the AWS Identity and Access Management (IAM) role associated with a WorkSpaces Applications instance after that instance is created.

  • You can’t modify properties (such as the subnet or security group) on the WorkSpaces Applications image builder instance after that image builder is created.

Architecture

The following diagram shows you how to automate the creation of WorkSpaces Applications resources by using a CloudFormation template.

Workflow for automatically creating WorkSpaces Applications resources.

The diagram shows the following workflow:

  1. You create a CloudFormation template based on the YAML code in the Additional information section of this pattern.

  2. The CloudFormation template creates a CloudFormation test stack.

    1. (Optional) You create an image builder instance by using WorkSpaces Applications.

    2. (Optional) You create a Windows image by using your custom software.

  3. The CloudFormation stack creates a WorkSpaces Applications fleet instance and stack.

  4. You deploy your WorkSpaces Applications resources to end users on an HTML5-compliant browser.

Tools

  • Amazon WorkSpaces Applications is a fully managed application streaming service that provides you with instant access to your desktop applications from anywhere. WorkSpaces Applications manages the AWS resources required to host and run your applications, scales automatically, and provides access to your users on demand.

  • AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.

Best practices

  • Configure network access for image builders correctly – Launch image builders in virtual private cloud (VPC) subnets with proper internet access by using a NAT gateway for outbound-only internet access.

    Test network connectivity to required resources (such as application servers, databases, and licensing servers) before creating images. Verify that VPC route tables allow connections to all necessary network resources. For more information, see Internet access in the WorkSpaces Applications documentation.

  • Monitor fleet capacity against service quotas proactively – WorkSpaces Applications instance type and size quotas are per AWS account, per AWS Region. If you have multiple fleets in the same Region that use the same instance type and size, the total number of instances in all fleets in that Region must be less than or equal to the applicable quota. For more information, see Troubleshooting Fleets in the WorkSpaces Applications documentation.

  • Test applications in Image Builder Test mode before fleet deployment – Always validate applications in Image Builder Test mode before creating images and deploying to fleets. Test mode simulates the limited permissions that end users have on fleet instances. For more information, see Troubleshooting Image Builders in the WorkSpaces Applications documentation.

Epics

Task: Install custom software and create an image.

Description:

  1. Launch image builder and choose the relevant instance types, subnet, security group, and so on.

  2. Use admin mode while connecting to the instance.

  3. Use the Image assistant or a PowerShell script to create a new Windows image for your custom software.

Note: Consider using the Windows AppLocker feature to further lock down the image.

Skills required: AWS DevOps, Cloud architect

Task: Update the CloudFormation template.

Description:

  1. Use the code in the Additional information section of this pattern as a YAML file.

  2. Update the YAML file with the required values for the parameters in your environment.

Skills required: AWS systems administrator, Cloud administrator, Cloud architect, General AWS, AWS administrator

Task: Create a CloudFormation stack by using the template.

Description:

  1. Sign in to the AWS Management Console and open the CloudFormation console.

  2. On the navigation pane, choose Stacks.

  3. Choose Create stack and then choose With new resources (standard).

  4. In the Prerequisite – Prepare template section, choose Template is ready.

  5. In the Specify template section, choose Upload a template file.

  6. Choose Choose file and then choose your updated CloudFormation template.

  7. Complete the rest of the steps in the wizard to create your stack.

Skills required: App owner, AWS systems administrator, Windows Engineer

Troubleshooting

Issue: Various issues

Solution: For more information, see Troubleshooting in the WorkSpaces Applications documentation.

Additional information

The following code is an example of a CloudFormation template that you can use to automatically create WorkSpaces Applications resources.

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SubnetIds:
    Type: 'List<AWS::EC2::Subnet::Id>'
  testSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup::Id'
  ImageName:
    Type: String
Resources:
  AppStreamFleet:
    Type: 'AWS::AppStream::Fleet'
    Properties:
      ComputeCapacity:
        DesiredInstances: 5
      InstanceType: stream.standard.medium
      Name: appstream-test-fleet
      DisconnectTimeoutInSeconds: 1200
      FleetType: ON_DEMAND
      IdleDisconnectTimeoutInSeconds: 1200
      ImageName: !Ref ImageName
      MaxUserDurationInSeconds: 345600
      VpcConfig:
        SecurityGroupIds:
          - !Ref testSecurityGroup
        SubnetIds: !Ref SubnetIds
  AppStreamStack:
    Type: 'AWS::AppStream::Stack'
    Properties:
      Description: AppStream stack for test
      DisplayName: AppStream test Stack
      Name: appstream-test-stack
      StorageConnectors:
        - ConnectorType: HOMEFOLDERS
      UserSettings:
        - Action: CLIPBOARD_COPY_FROM_LOCAL_DEVICE
          Permission: ENABLED
        - Action: CLIPBOARD_COPY_TO_LOCAL_DEVICE
          Permission: ENABLED
        - Action: FILE_DOWNLOAD
          Permission: ENABLED
        - Action: PRINTING_TO_LOCAL_DEVICE
          Permission: ENABLED
  AppStreamFleetAssociation:
    Type: 'AWS::AppStream::StackFleetAssociation'
    Properties:
      FleetName: appstream-test-fleet
      StackName: appstream-test-stack
    DependsOn:
      - AppStreamFleet
      - AppStreamStack
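
The UserSettings list in the template above enables clipboard copy to the local device, file download, and local printing, which are the paths by which data leaves a streaming session. The following variant of the AppStreamStack resource is an added example, not part of the original pattern: it makes those three actions a deploy-time decision that defaults to disabled. The parameter AllowDataEgress and the condition EgressAllowed are hypothetical names introduced for illustration, and the explicit FILE_UPLOAD entry is an addition to the original list.

```yaml
# Added example (not from the original pattern). Merge the Parameters and
# Conditions entries into the template and replace its AppStreamStack resource.
Parameters:
  AllowDataEgress:                 # hypothetical parameter name
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description: Allow clipboard copy-out, file download, and local printing.
Conditions:
  # hypothetical condition name; true only when the deployer opts in
  EgressAllowed: !Equals [!Ref AllowDataEgress, 'true']
Resources:
  AppStreamStack:
    Type: 'AWS::AppStream::Stack'
    Properties:
      Description: AppStream stack for test
      DisplayName: AppStream test Stack
      Name: appstream-test-stack
      StorageConnectors:
        - ConnectorType: HOMEFOLDERS
      UserSettings:
        # Inbound direction (local device -> session): left enabled.
        - Action: CLIPBOARD_COPY_FROM_LOCAL_DEVICE
          Permission: ENABLED
        - Action: FILE_UPLOAD      # listed explicitly; not in the original list
          Permission: ENABLED
        # Outbound direction (session -> local device): disabled unless
        # the stack is deployed with AllowDataEgress=true.
        - Action: CLIPBOARD_COPY_TO_LOCAL_DEVICE
          Permission: !If [EgressAllowed, ENABLED, DISABLED]
        - Action: FILE_DOWNLOAD
          Permission: !If [EgressAllowed, ENABLED, DISABLED]
        - Action: PRINTING_TO_LOCAL_DEVICE
          Permission: !If [EgressAllowed, ENABLED, DISABLED]
```

Deploying with AllowDataEgress set to true reproduces the original template's ENABLED setting for the three outbound actions.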