CloudFormation - kamialie/knowledge_corner GitHub Wiki
Overview
Infrastructure as Code tool (free service). Templates are stored in S3 and can be written in JSON or YAML. Provides drift detection to find changes made to the deployed infrastructure.
New AWS features are often not immediately available in CloudFormation, but a Lambda function can be invoked from the template to create resources that are not currently supported.
A stack is a collection of resources that are created, updated, and deleted as a unit; resources in a stack can also be managed individually. A parent stack can span one or multiple child stacks (which are created before its other resources) and can reference values that a child stack exposes as outputs in the form of key/value pairs. StackSets allow creating, updating, or deleting stacks across multiple accounts and regions.
Template sections
Only the Resources section is mandatory. To reference a value from another section, use the Ref function (!Ref in YAML short form) with the name of the parameter or resource:
Properties:
  VpcId: !Ref VpcParameter
- Format version - what format and values to expect
  AWSTemplateFormatVersion: 2010-09-09
- Description - documentation, visible after execution
  Description: Simple example
- Metadata
- Parameters - dynamic inputs (at run-time). AWS also provides pseudo parameters (enabled and supplied by default) - AWS::AccountId, AWS::StackName and so on.
  Parameters:
    BucketName:
      Type: String
      Default: default-value
      Description: bucket to create
- Conditions - create resources or outputs based on logical statement(s). Each condition can reference another condition, a parameter value or a mapping.
  Conditions:
    CreateProdResources: !Equals [!Ref EnvType, prod]
- Mappings - static variables in the form of a map of values, e.g. the AMI corresponding to each region. Use the Fn::FindInMap function to retrieve the value for a specific key - !FindInMap [MapName, TopLevelKey, SecondLevelKey]
  Mappings:
    RegionMap:
      us-east-1:
        HVM64: "ami-0ff8a91507f77f867"
      us-west-1:
        HVM64: "ami-0bdb828fd58c52235"
- Transform - reference macros, re-usable code, or external code, e.g. Lambda code.
- Resources (mandatory)
  Resources:
    ResourceName:
      Type: AWS::AWSProductName::DataTypeName
      Properties: [...]
- Outputs - information about created resources
  Outputs:
    WebsiteURL:
      Description: URL of website
      Value: !GetAtt [WebsiteBucket, WebsiteURL]
Intrinsic functions
- Ref - when referencing a resource, returns its physical ID
- Fn::GetAtt - get an attribute of a resource by passing the attribute name
- Fn::FindInMap
- Fn::ImportValue
- Fn::Join
- Fn::Sub - create interpolated strings; variables are written as ${VariableName}
- Condition functions:
  - Fn::If
  - Fn::Not
  - Fn::Equals
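As an added example (not from the original wiki page), here is a stdlib-only Python checker for JSON-format templates that walks Resources and Outputs and reports Ref, Fn::GetAtt and Fn::FindInMap targets the template never declares, tying together the section list and the intrinsic functions above. The sample template, its logical IDs, and the pseudo parameters beyond AWS::AccountId and AWS::StackName are constructed/assumed for this example.

```python
import json

# Pseudo parameters CloudFormation supplies without declaration (the page names
# AWS::AccountId and AWS::StackName; the others are the remaining documented ones).
PSEUDO_PARAMS = {"AWS::AccountId", "AWS::StackName", "AWS::Region", "AWS::StackId",
                 "AWS::Partition", "AWS::URLSuffix", "AWS::NoValue", "AWS::NotificationARNs"}

def find_dangling_refs(template: dict) -> list:
    """Report every Ref / Fn::GetAtt / Fn::FindInMap in Resources and Outputs
    whose target is not declared in Parameters, Resources or Mappings."""
    resources = set(template.get("Resources", {}))
    referable = resources | set(template.get("Parameters", {})) | PSEUDO_PARAMS
    mappings = template.get("Mappings", {})
    problems = []

    def walk(node, path):
        if isinstance(node, dict):
            if list(node) == ["Ref"] and node["Ref"] not in referable:
                problems.append(f"{path}: Ref to undeclared '{node['Ref']}'")
            elif list(node) == ["Fn::GetAtt"]:
                target = node["Fn::GetAtt"]  # list form or "Logical.Attr" string form
                logical = target[0] if isinstance(target, list) else target.split(".", 1)[0]
                if logical not in resources:
                    problems.append(f"{path}: GetAtt on undeclared resource '{logical}'")
            elif list(node) == ["Fn::FindInMap"]:
                map_name = node["Fn::FindInMap"][0]  # keys may be intrinsics; the map name is literal
                if isinstance(map_name, str) and map_name not in mappings:
                    problems.append(f"{path}: FindInMap on unknown map '{map_name}'")
            for key, value in node.items():  # recurse so nested intrinsics are checked too
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(template.get("Resources", {}), "Resources")
    walk(template.get("Outputs", {}), "Outputs")
    return problems

# Constructed sample: EnvType is never declared and LogBucket does not exist,
# while BucketName, RegionMap, WebsiteBucket and AWS::Region all resolve.
SAMPLE_TEMPLATE = json.loads("""{
  "Parameters": {"BucketName": {"Type": "String"}},
  "Mappings": {"RegionMap": {"us-east-1": {"HVM64": "ami-0ff8a91507f77f867"}}},
  "Resources": {
    "WebsiteBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketName": {"Ref": "BucketName"}, "Tags": [{"Key": "Env", "Value": {"Ref": "EnvType"}}]}},
    "Server": {"Type": "AWS::EC2::Instance", "Properties": {
      "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "HVM64"]}}}},
  "Outputs": {"WebsiteURL": {"Value": {"Fn::GetAtt": ["WebsiteBucket", "WebsiteURL"]}},
              "LogsURL": {"Value": {"Fn::GetAtt": "LogBucket.WebsiteURL"}}}
}""")
```

Running find_dangling_refs(SAMPLE_TEMPLATE) flags the undeclared EnvType parameter and the missing LogBucket resource, the same class of mistake aws cloudformation validate-template only catches at deploy time.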
Exporting values
To share data between stacks, export it using the Outputs block - the Export field sets the name under which the value is exported. The Fn::ImportValue function imports the value by that name. A stack that exports values cannot be deleted until all references to them are removed.
Exporter template:
Outputs:
  SubnetId:
    Description: Subnet shared with other stacks
    Value: !Ref Subnet
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-SubnetId
Importer template:
Parameters:
  ExporterStackName:
    Type: String
# inside a resource's Properties:
SubnetId:
  Fn::ImportValue:
    Fn::Sub: ${ExporterStackName}-SubnetId
Stacks
Nested stack
A template within a template that allows re-using common resources. To update a nested stack, always update the parent stack.
Resources:
  NestedStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: "https://s3.amazonaws.com/.../template.yaml"
      Parameters:
        Foo: "bar"
ChangeSet
The difference between the currently deployed version and the new template definition. It does not confirm whether the update will succeed.
StackSet
Create, update, or delete stacks across multiple accounts and regions. An administrator account creates the StackSet, while trusted accounts can create, update, or delete stack instances from it.
Operations
By default, the update action is allowed on all resources. Stack Policies allow protecting certain resources from changes; they are defined in a JSON document (similar to an IAM policy). Once a Stack Policy is in place, all resources are protected by default, so an explicit Allow statement is needed to permit updates.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
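Added example (not from the wiki page): a Python model of how a stack policy is evaluated, showing the rule that everything is denied once a policy exists unless explicitly allowed, plus a Deny statement that keeps a production database from Update:Replace and Update:Delete while still permitting Update:Modify. The policy, the resource names, and the restriction to StringEquals/StringLike conditions are assumptions made for this example.

```python
import fnmatch

# Update actions a stack policy can name individually (the page's "Update:*" covers all three).
UPDATE_ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action, logical_id, resource_type):
    """True when the statement's Action, Resource and optional ResourceType
    condition all apply to this (action, resource) pair. Only the StringEquals
    and StringLike condition operators are modelled here (an assumption)."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    resource_id = f"LogicalResourceId/{logical_id}"  # the form stack policies use
    if not any(fnmatch.fnmatchcase(resource_id, r) for r in _as_list(statement["Resource"])):
        return False
    for op, keys in statement.get("Condition", {}).items():
        values = _as_list(keys.get("ResourceType", []))
        if op == "StringEquals" and resource_type not in values:
            return False
        if op == "StringLike" and not any(fnmatch.fnmatchcase(resource_type, v) for v in values):
            return False
    return True

def is_update_allowed(policy, action, logical_id, resource_type):
    """Stack-policy semantics: once a policy exists every resource is protected
    unless a statement explicitly allows the action, and an explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt, action, logical_id, resource_type):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed example: permit all updates, but never replace or delete the
# production database (an in-place Update:Modify remains allowed).
EXAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"], "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase",
     "Condition": {"StringEquals": {"ResourceType": ["AWS::RDS::DBInstance"]}}},
]}

def summarize(policy, logical_id, resource_type):
    """Verdict per update action for one resource, handy when reviewing a policy."""
    return {a: is_update_allowed(policy, a, logical_id, resource_type) for a in UPDATE_ACTIONS}
```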
Rollback
By default, if stack creation fails, everything rolls back (gets deleted). Optionally, rollback can be disabled, which helps with troubleshooting - successfully created resources are kept, while failed resources are removed or rolled back if they existed before.
Notifications
Supports SNS topics. Notifies on stack state changes, such as rollback in progress, stack being created, deleted and so on.
Drift
Drift detection doesn't support all resources (but does most). It must be triggered manually and shows the current and expected (as defined in the template) values for each drifted resource.
Serverless Application Model
Extension of CloudFormation for defining serverless applications. Provides simplified syntax for serverless resources, e.g. API Gateway, Lambda, etc. Also comes with its own CLI.
# Package application and upload to S3
$ sam package
# Deploy using CloudFormation
$ sam deploy
CLI
# Validate template file (--template-body expects the body itself, hence the file:// prefix)
$ aws cloudformation validate-template --template-body file://<path/to/file>
# Deploy template
$ aws cloudformation deploy --template-file <path/to/file> --stack-name <custom_name>
# Get general info on deployed stack(s)
$ aws cloudformation describe-stacks [--stack-name <custom_name>]
# Delete stack
# Doesn't return any info, run describe command to see status
$ aws cloudformation delete-stack --stack-name <custom_name>
# View output values of a stack
$ aws cloudformation describe-stacks --stack-name <custom_name> --query "Stacks[0].Outputs"