AWS CloudFormation
AWS CloudFormation provides a common language for you to describe and provision all the
infrastructure resources in your cloud environment.
CloudFormation interprets the template and makes the appropriate API calls to create the
resources you have defined.
CloudFormation has some similarities with AWS Elastic Beanstalk, though the two are also quite different, as the comparison below shows:
CloudFormation – Can be used to deploy almost any AWS service.
Elastic Beanstalk – Deploys web applications based on Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker.
You can use version control and peer review for your CloudFormation templates.
Key Concepts
The following list describes the key concepts associated with AWS CloudFormation:
Templates – The JSON or YAML text file that contains the instructions for building out the AWS environment.
Stacks – The entire environment described by the template and created, updated, and deleted as a single unit.
Change Sets – A summary of proposed changes to your stack that allows you to see how those changes might impact your existing resources before implementing them.
Templates
A template is a YAML or JSON text file that describes the end state of the infrastructure you are either provisioning or changing.
After creating the template, you upload it to CloudFormation directly or using Amazon S3.
CloudFormation reads the template and makes the API calls on your behalf.
Physical IDs identify resources outside of AWS CloudFormation templates, but only after the
resources have been created.
Template elements
Mandatory:
List of resources and associated configuration values.
Not mandatory:
Template parameters (limited to 60).
Output values (limited to 60).
List of data tables.
Template components
Resources – the required Resources section declares the AWS resources that you want to
include in the stack, such as an Amazon EC2 instance or an Amazon S3 bucket.
Mandatory.
Represent AWS components that will be created.
Resources are declared and can reference each other.
Resources:
  MyEC2Instance:
    Type: "AWS::EC2::Instance"
    Properties:
      ImageId: "ami-0ff8a91507f77f867"
Parameters
Use the optional Parameters section to customize your templates. Parameters enable you to
input custom values to your template each time you create or update a stack.
Note: the InstanceTypeParameter has a default value of t2.micro. This is the value that AWS
CloudFormation uses to provision the stack unless another value is provided.
Parameters:
  InstanceTypeParameter:
    Type: String
    Default: t2.micro
    AllowedValues:
      - t2.micro
      - m1.small
      - m1.large
    Description: Enter t2.micro, m1.small, or m1.large. Default is t2.micro.
Pseudo Parameters
Pseudo parameters are parameters that are predefined by AWS CloudFormation. You do not
declare them in your template. Use them the same way as you would a parameter, as the
argument for the Ref function.
Examples include:
AWS::AccountId – Returns the AWS account ID of the account in which the stack is
being created.
AWS::NotificationARNs – Returns the list of notification Amazon Resource Names
(ARNs) for the current stack.
AWS::Region – Returns a string representing the AWS Region in which the
encompassing resource is being created.
AWS::StackId – Returns the ID of the stack as specified with the aws cloudformation
create-stack command.
Mappings
The optional Mappings section matches a key to a corresponding set of named values.
Fixed variables.
Good for differentiating between regions, environments, AMIs etc.
Need to know the values in advance.
For user-specific values use parameters instead.
The following example has region keys that are mapped to two sets of values, one named HVM64 and the other HVMG2:
Mappings:
  RegionMap:
    us-east-1:
      HVMG2: ami-0a584ac55a7631c0c
    us-west-1:
Outputs
The optional Outputs section declares output values that you can import into other
stacks (to create cross-stack references), return in response (to describe stack calls), or view
on the AWS CloudFormation console.
In the following example YAML code, the output named StackVPC returns the ID of a VPC and exports the value for cross-stack referencing under the name VPCID appended to the stack's name:
Outputs:
  StackVPC:
    Description: The ID of the VPC
    Value: !Ref MyVPC   # MyVPC is the logical ID of the VPC resource (assumed for this example)
    Export:
      Name: !Sub "${AWS::StackName}-VPCID"
Conditions
The optional Conditions section contains statements that define the circumstances under
which entities are created or configured.
In the sample YAML code below, the condition CreateProdResources is true only if the EnvType parameter is equal to prod; a resource that carries Condition: CreateProdResources is then created only in that case:
Conditions:
  CreateProdResources: !Equals [!Ref EnvType, prod]
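The sections above (Parameters with defaults and AllowedValues, pseudo parameters, Mappings, Conditions, and an exported Output) all come together when CloudFormation resolves a template. The script below is an added example, not code from the page or from AWS: a small local resolver for Ref, Fn::FindInMap, Fn::Equals and the string form of Fn::Sub, run over a constructed template written in CloudFormation's JSON syntax. The AMI IDs, physical IDs, account ID and stack name are placeholders; the resource names (MyVPC, MyEC2Instance, ProdVolume) and the EnvType parameter are assumed for the example.

```python
"""Local resolver for CloudFormation template sections (added example, not AWS code)."""
import re

# Constructed template in CloudFormation JSON form; the YAML short forms on the page
# map onto these dicts (!Ref X -> {"Ref": "X"}, !Sub -> {"Fn::Sub": ...}, and so on).
# AMI IDs are placeholders, not real images.
TEMPLATE = {
    "Parameters": {
        "InstanceTypeParameter": {"Type": "String", "Default": "t2.micro",
                                  "AllowedValues": ["t2.micro", "m1.small", "m1.large"]},
        "EnvType": {"Type": "String", "Default": "test", "AllowedValues": ["prod", "test"]},
    },
    "Mappings": {"RegionMap": {
        "us-east-1": {"HVM64": "ami-PLACEHOLDER-EAST-64", "HVMG2": "ami-PLACEHOLDER-EAST-G2"},
        "us-west-1": {"HVM64": "ami-PLACEHOLDER-WEST-64", "HVMG2": "ami-PLACEHOLDER-WEST-G2"},
    }},
    "Conditions": {"CreateProdResources": {"Fn::Equals": [{"Ref": "EnvType"}, "prod"]}},
    "Resources": {
        "MyVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "MyEC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
            "InstanceType": {"Ref": "InstanceTypeParameter"},
            "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "HVM64"]}}},
        "ProdVolume": {"Type": "AWS::EC2::Volume", "Condition": "CreateProdResources",
                       "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"}},
    },
    "Outputs": {"StackVPC": {"Value": {"Ref": "MyVPC"},
                             "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-VPCID"}}}},
}

# Pseudo parameter values that CloudFormation would supply at run time (constructed).
SAMPLE_PSEUDO = {"AWS::Region": "us-east-1", "AWS::AccountId": "123456789012",
                 "AWS::StackName": "network", "AWS::NotificationARNs": []}
# Physical IDs exist only after creation; constructed here so Ref on a resource resolves.
SAMPLE_PHYSICAL_IDS = {"MyVPC": "vpc-PLACEHOLDER", "MyEC2Instance": "i-PLACEHOLDER"}


def bind_parameters(template, supplied):
    """Apply defaults and reject unknown parameters or values outside AllowedValues."""
    bound = {}
    for name, spec in template.get("Parameters", {}).items():
        if name in supplied:
            value = supplied[name]
        elif "Default" in spec:
            value = spec["Default"]
        else:
            raise ValueError(f"parameter {name} has no value and no Default")
        allowed = spec.get("AllowedValues")
        if allowed is not None and value not in allowed:
            raise ValueError(f"{name}={value!r} is not in AllowedValues {allowed}")
        bound[name] = value
    unknown = set(supplied) - set(bound)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    return bound


def resolve(node, ctx):
    """Recursively replace Ref, Fn::FindInMap, Fn::Equals and Fn::Sub with their values."""
    if isinstance(node, list):
        return [resolve(item, ctx) for item in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":  # pseudo parameters, then template parameters, then resource physical IDs
            for table in (ctx["pseudo"], ctx["params"], ctx["physical_ids"]):
                if arg in table:
                    return table[arg]
            raise KeyError(f"unresolved Ref to {arg}")
        if key == "Fn::FindInMap":
            map_name, top_key, second_key = resolve(arg, ctx)
            return ctx["mappings"][map_name][top_key][second_key]
        if key == "Fn::Equals":
            left, right = resolve(arg, ctx)
            return left == right
        if key == "Fn::Sub":  # string form only: each ${Name} is resolved like a Ref
            return re.sub(r"\$\{([^}]+)\}", lambda m: str(resolve({"Ref": m.group(1)}, ctx)), arg)
    return {k: resolve(v, ctx) for k, v in node.items()}


def evaluate(template, supplied, pseudo, physical_ids):
    """Bind parameters, evaluate conditions, then render resource properties and outputs."""
    ctx = {"params": bind_parameters(template, supplied), "pseudo": pseudo,
           "mappings": template.get("Mappings", {}), "physical_ids": physical_ids}
    conditions = {n: resolve(expr, ctx) for n, expr in template.get("Conditions", {}).items()}
    resources = {}
    for logical_id, res in template["Resources"].items():
        if res.get("Condition") is not None and not conditions[res["Condition"]]:
            continue  # condition is false: the resource is skipped, as in the prod example
        resources[logical_id] = resolve(res.get("Properties", {}), ctx)
    outputs = {n: resolve(out, ctx) for n, out in template.get("Outputs", {}).items()}
    return {"conditions": conditions, "resources": resources, "outputs": outputs}


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(TEMPLATE, {"EnvType": "prod"}, SAMPLE_PSEUDO, SAMPLE_PHYSICAL_IDS), indent=2))
```

Running it with no supplied parameters uses the defaults, so CreateProdResources is false and ProdVolume is left out; supplying EnvType=prod brings it in, and a value outside AllowedValues is rejected before anything is rendered, which is the protection that AllowedValues gives you against a mistyped or unexpected instance type.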
Transform
The optional Transform section specifies one or more macros that AWS CloudFormation
uses to process your template.
The transform section can be used to reference additional code stored in S3, such as
Lambda code or reusable snippets of CloudFormation code.
In the following example, the template uses AWS SAM syntax to simplify the declaration of a
Lambda function and its execution role:
Transform: AWS::Serverless-2016-10-31
Resources:
  MyServerlessFunctionLogicalID:
    Type: AWS::Serverless::Function
Intrinsic Functions
AWS CloudFormation provides several built-in functions that help you manage your stacks.
Use intrinsic functions in your templates to assign values to properties that are not available
until runtime.
Stacks
Updating stacks:
AWS CloudFormation provides two methods for updating stacks: direct update or
creating and executing change sets.
When you directly update a stack, you submit changes and AWS CloudFormation
immediately deploys them.
Use direct updates when you want to quickly deploy your updates.
With change sets, you can preview the changes AWS CloudFormation will make to
your stack, and then decide whether to apply those changes.
Stack Sets
AWS CloudFormation StackSets extends the functionality of stacks by enabling you to
create, update, or delete stacks across multiple accounts and regions with a single
operation.
Using an administrator account, you define and manage an AWS CloudFormation template,
and use the template as the basis for provisioning stacks into selected target accounts
across specified regions.
An administrator account is the AWS account in which you create stack sets.
A stack set is managed by signing in to the AWS administrator account in which it was
created.
A target account is the account into which you create, update, or delete one or more stacks
in your stack set.
Before you can use a stack set to create stacks in a target account, you must set up a trust
relationship between the administrator and target accounts.
Nested Stacks
Nested stacks allow re-use of CloudFormation code for common use cases.
For example, a standard configuration for a load balancer, web server, or application server.
Instead of copying out the code each time, create a standard template for each common use case and reference it from within your CloudFormation template.
Best Practices
Use CloudFormation to make changes to your landscape rather than going directly into the resources.
Make use of Change Sets to identify potential trouble spots in your updates.
Use Stack Policies to explicitly protect sensitive portions of your stack.
Use a version control system such as CodeCommit or GitHub to track changes to templates.
AWS SAM
Simplified syntax for defining serverless resources: APIs, Lambda functions, DynamoDB tables etc.
Use the SAM CLI to package your deployment code, upload it to S3 and deploy your serverless application.
Helper Scripts
AWS provides Python "helper scripts" which can help you install software and start services on your EC2 instances.
cfn-init:
The cfn-init helper script reads the resource metadata from the template and uses it to install packages, create files, and start services on the instance.
cfn-signal:
The cfn-signal helper script signals AWS CloudFormation to indicate whether Amazon
EC2 instances have been successfully created or updated.
If you install and configure software applications on instances, you can signal AWS
CloudFormation when those software applications are ready.
You use the cfn-signal script in conjunction with a CreationPolicy or an Auto Scaling
group with a WaitOnResourceSignals update policy.
When AWS CloudFormation creates or updates resources with those policies, it
suspends work on the stack until the resource receives the requisite number of
signals or until the timeout period is exceeded.
You can signal a creation policy (CreationPolicy) or a wait condition handle
(WaitOnResourceSignals).
Troubleshooting errors:
Make sure the AMI has the CloudFormation helper scripts included.
Check that the cfn-init and cfn-signal commands have run successfully.
Verify internet connectivity.
CreationPolicy attribute – supported by the following resources:
AWS::AutoScaling::AutoScalingGroup
AWS::EC2::Instance
AWS::CloudFormation::WaitCondition
DeletionPolicy attribute:
With the DeletionPolicy attribute you can preserve or (in some cases) backup a
resource when its stack is deleted.
You specify a DeletionPolicy attribute for each resource that you want to control.
If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the
resource by default.
DependsOn attribute:
With the DependsOn attribute you can specify that the creation of a specific resource follows another; the dependent resource is created only after the resource it depends on has been created.
WaitCondition:
Note: For Amazon EC2 and Auto Scaling resources, AWS recommends that you use a
CreationPolicy attribute instead of wait conditions.
You can use a wait condition for situations like the following:
To coordinate stack resource creation with configuration actions that are external to
the stack creation.
To track the status of a configuration process.
UpdatePolicy attribute (WaitOnResourceSignals) – supported by the following resources:
AWS::AutoScaling::AutoScalingGroup
AWS::ElastiCache::ReplicationGroup
AWS::Elasticsearch::Domain
AWS::Lambda::Alias
UpdateReplacePolicy attribute:
Use the UpdateReplacePolicy attribute to retain or (in some cases) backup the
existing physical instance of a resource when it is replaced during a stack update
operation.
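The DeletionPolicy, DependsOn and UpdateReplacePolicy attributes above are the ones most often checked in a template review, so here is an added example that is not code from the page or from AWS. It lints a constructed template for stateful resources (an assumed set of S3, RDS and DynamoDB types) whose DeletionPolicy or UpdateReplacePolicy is left at the default of Delete, and it derives the creation order from both implicit references (Ref and Fn::GetAtt) and explicit DependsOn edges, refusing templates with a dependency cycle. Resource names and the placeholder IDs are assumed.

```python
"""Lint deletion policies and derive creation order (added example, not AWS code)."""

# Constructed template (Resources section, JSON form). IDs are placeholders.
TEMPLATE = {"Resources": {
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},   # no policies: deleted with the stack
    "DBSubnets": {"Type": "AWS::RDS::DBSubnetGroup",
                  "Properties": {"DBSubnetGroupDescription": "app", "SubnetIds": ["subnet-PLACEHOLDER"]}},
    "AppDB": {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot", "UpdateReplacePolicy": "Snapshot",
              "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": "20",
                             "DBSubnetGroupName": {"Ref": "DBSubnets"}}},   # implicit dependency via Ref
    "Web": {"Type": "AWS::EC2::Instance", "DependsOn": "DataBucket",       # explicit dependency
            "Properties": {"ImageId": "ami-PLACEHOLDER",
                           "UserData": {"Fn::Base64": {"Fn::Join": ["", [            # implicit via GetAtt
                               "DB_HOST=", {"Fn::GetAtt": ["AppDB", "Endpoint.Address"]}]]}}}},
    "Sessions": {"Type": "AWS::DynamoDB::Table", "DeletionPolicy": "Retain", "Properties": {}},  # replace unprotected
}}

STATEFUL_TYPES = {"AWS::S3::Bucket", "AWS::RDS::DBInstance", "AWS::DynamoDB::Table"}  # assumed set
SAFE_POLICIES = {"Retain", "Snapshot"}  # Snapshot is only valid for snapshot-capable types such as RDS


def lint_policies(template):
    """Flag stateful resources whose DeletionPolicy or UpdateReplacePolicy defaults to Delete."""
    findings = []
    for lid, res in template["Resources"].items():
        if res["Type"] not in STATEFUL_TYPES:
            continue
        for attr in ("DeletionPolicy", "UpdateReplacePolicy"):
            if res.get(attr) not in SAFE_POLICIES:
                findings.append(f"{lid} ({res['Type']}): {attr} is {res.get(attr, 'unset (Delete)')}; "
                                "use Retain or Snapshot")
    return findings


def referenced_resources(node, found):
    """Collect logical IDs named by Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            found.add(node["Ref"])
        elif len(node) == 1 and "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]  # list form [LogicalId, Attribute] or "LogicalId.Attribute"
            found.add(target[0] if isinstance(target, list) else target.split(".")[0])
        else:
            for value in node.values():
                referenced_resources(value, found)
    elif isinstance(node, list):
        for value in node:
            referenced_resources(value, found)
    return found


def creation_order(template):
    """Return waves of logical IDs: every resource in a wave has all its dependencies
    (Ref/GetAtt plus DependsOn) in earlier waves. Raises ValueError on a cycle."""
    resources = template["Resources"]
    deps = {}
    for lid, res in resources.items():
        refs = referenced_resources(res.get("Properties", {}), set()) & set(resources)  # drop parameter refs
        explicit = res.get("DependsOn", [])
        deps[lid] = refs | set([explicit] if isinstance(explicit, str) else explicit)
    waves, done = [], set()
    while len(done) < len(deps):
        ready = sorted(lid for lid in deps if lid not in done and deps[lid] <= done)
        if not ready:
            raise ValueError(f"circular dependency among {sorted(set(deps) - done)}")
        waves.append(ready)
        done.update(ready)
    return waves


if __name__ == "__main__":
    for finding in lint_policies(TEMPLATE):
        print("FINDING:", finding)
    print("creation order:", creation_order(TEMPLATE))
```

The three findings it raises on the sample are the ones a reviewer wants before the stack ever exists: the bucket would be deleted with the stack, and the DynamoDB table survives deletion but not a replacement during an update, because DeletionPolicy and UpdateReplacePolicy are separate attributes. The ordering shows why Web cannot start until AppDB exists even though only DataBucket is named in DependsOn.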
Rollbacks and Creation Failures
If stack creation or an update fails, the stack automatically rolls back to the previous known working state.
The stack events and the resource logs can assist with understanding what issue occurred.
You can monitor the progress of a stack update by viewing the stack’s events. The
console’s Events tab displays each major step in the creation and update of the stack sorted
by the time of each event with latest events on top.
For resources created by CloudFormation, use AWS monitoring and reporting tools
applicable to the service.
You can use IAM with AWS CloudFormation to control what users can do with AWS
CloudFormation, such as whether they can view stack templates, create stacks, or delete
stacks.
In addition to AWS CloudFormation actions, you can manage what AWS services and
resources are available to each user.
That way, you can control which resources users can access when they use AWS
CloudFormation.
For example, you can specify which users can create Amazon EC2 instances, terminate
database instances, or update VPCs. Those same permissions are applied anytime they use
AWS CloudFormation to do those actions.
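The point that a user's service permissions apply whenever CloudFormation acts on their behalf is easy to get wrong in practice, so here is an added example that is not code from the page or from AWS. It models a constructed least-privilege identity policy for a deployer (inspect any stack, create and update only stacks whose name starts with app-, pass one specific service role, never delete) and a deliberately simplified evaluator: explicit Deny wins, otherwise some Allow must match, otherwise implicit deny. Conditions, NotAction and resource-based policies are not modelled. The account ID, region, stack names and role name are placeholders.

```python
"""Simplified IAM evaluation for CloudFormation permissions (added example, not AWS code)."""
import fnmatch

# Constructed deployer policy. 123456789012 is the documentation placeholder account.
DEPLOYER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudformation:Describe*", "cloudformation:List*", "cloudformation:GetTemplate"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                "cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet"],
     "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/app-*/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/cfn-deploy-role"},
    {"Effect": "Deny", "Action": ["cloudformation:DeleteStack", "cloudformation:SetStackPolicy"],
     "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise at least one Allow must match; otherwise implicit deny.
    Wildcards in Action and Resource are matched with fnmatch (case-sensitive here)."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def stack_operation_allowed(policy, operation, stack_arn, resource_api_calls, role_arn=None):
    """A stack operation needs the CloudFormation action itself, plus either permission for
    every service API call the template will trigger (CloudFormation uses the caller's
    credentials by default) or iam:PassRole on a service role that carries those permissions."""
    if not is_allowed(policy, f"cloudformation:{operation}", stack_arn):
        return False
    if role_arn is not None:
        return is_allowed(policy, "iam:PassRole", role_arn)
    return all(is_allowed(policy, call, "*") for call in resource_api_calls)


if __name__ == "__main__":
    stack = "arn:aws:cloudformation:us-east-1:123456789012:stack/app-web/PLACEHOLDER-ID"
    print("describe:", is_allowed(DEPLOYER_POLICY, "cloudformation:DescribeStacks", stack))
    print("delete:", is_allowed(DEPLOYER_POLICY, "cloudformation:DeleteStack", stack))
    print("create EC2 stack with own creds:",
          stack_operation_allowed(DEPLOYER_POLICY, "CreateStack", stack, ["ec2:RunInstances"]))
    print("create EC2 stack via service role:",
          stack_operation_allowed(DEPLOYER_POLICY, "CreateStack", stack, ["ec2:RunInstances"],
                                  "arn:aws:iam::123456789012:role/cfn-deploy-role"))
```

The last two results make the page's point: the deployer may call CreateStack, but a template containing an EC2 instance still fails under their own credentials because they hold no ec2:RunInstances permission; it succeeds only when they pass the one service role they are allowed to pass, which keeps the broad resource permissions off the human identity.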