CloudFormation

List of CloudFormation Concepts

  • Physical and Logical Resources

  • Parameters (max 200)

  • Parameters Properties:

    • AllowedPattern

    • AllowedValues

    • ConstraintDescription (the message shown when the value violates the AllowedPattern regex or another constraint)

    • Default

    • Description

    • MaxLength (for String)

    • MinLength (for String)

    • MaxValue (for Number)

    • MinValue (for Number)

    • NoEcho: boolean that sets whether the value is masked when printed by the CLI, API or console.

  • Pseudo Parameters

  • Intrinsic Functions (Ref, Fn::GetAtt, Fn::Join, Fn::Split, Fn::GetAZs, Fn::Select, Fn::Base64, Fn::Sub (no self-reference), Fn::Cidr, Fn::ImportValue, Fn::FindInMap, Fn::Transform)

    • Conditions (Fn::If, Fn::And, Fn::Equals, Fn::Not, Fn::Or)

  • Mappings (improve template portability)

  • Outputs:

    • For nested stacks to export values to parent stacks.

    • For cross-stack references.

  • Conditions

  • DependsOn (for example Elastic IPs and Internet Gateway Attachments)

  • CreationPolicy (EC2 and ASG), WaitConditions (+ WaitConditionHandle) and CFN Signal

  • Nested Stacks (for sharing CODE)

    • Overcome the limit of 500 resources per stack

    • For separating related building blocks

    • For being able to reuse code to deploy the same block for another project (CODE reuse)

  • Cross-stack references (For sharing RESOURCES, no cross-region, no cross-account)

    • Overcome the limit of 500 resources per stack

    • Decouple the lifecycle of some resources from others

    • Exports and Fn::ImportValue

    • Exports list (regional; each export name must be unique within the region)

    • For Service-oriented architectures, STACK (NOT CODE) reuse

  • Stack Sets (cross-account, cross-region deployment) + Self-managed/Service-managed roles: useful for deploying AWS Config rules or IAM Roles for cross-account operations

    • Accounts or OUs (Organizations) as targets

    • Concurrent Accounts

    • Failure Tolerance

    • Retain Stacks, to retain resources on stacks deletion

  • DeletionPolicy (only for delete, NOT for template changes that cause REPLACEMENT)

    • Retain

    • Delete

    • Snapshot (For supported resources: non EC2-related EBS volumes, Redshift, RDS, Neptune, ElastiCache)

  • Stack Roles

    • Defaults to the permissions of the identity that’s creating the stack (for example a user in the console or the CLI)

    • That identity not only needs permission to use CloudFormation, but also permission to create every resource the stack creates

    • They allow users with limited permissions (who have the PassRole permission) to deploy infrastructure using a more generous role.

  • CloudFormation Init (cfn-init): a DESIRED STATE configuration management system. User Data is procedural.

    • Cross-platform on Linux (sometimes on Windows too)

    • Defined in the METADATA key of the EC2 instance in the template

    • Runs only ONCE: even if the stack is updated it won’t run again.

    • Idempotent

    • The User Data must contain the cfn-init command and send a cfn-signal with its exit code when it finishes.

    • It contains:

      • A configSets key that defines which ConfigKeys to execute

      • ConfigKeys: groups of configurations to be applied. Each has the following keys:

        • packages: packages to install

        • groups: local group management

        • users: local user management

        • sources: download and extract archives

        • files: files to create

        • commands: commands to execute

        • services: services to start

  • cfn-hup: an extra tool that YOU have to INSTALL and maintain that detects changes in the instance METADATA and runs cfn-init (which is idempotent) again or OTHER configurable actions.

    • If used with cfn-init, any stack update that changes the EC2 instance Metadata triggers cfn-init again.

  • ChangeSets

  • Custom Resources
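Putting the Parameters, CreationPolicy, cfn-init, cfn-signal and cfn-hup items above into one template, as an added example (not from the original notes): the stack only reaches CREATE_COMPLETE after the instance signals the exit code of cfn-init, and cfn-hup re-runs cfn-init when a stack update changes the instance Metadata. `AdminToken`, `WebServer` and the `/etc/app/token` path are assumed names; the AMI comes from the public Amazon Linux 2 SSM parameter.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  AdminToken:                          # assumed parameter name
    Type: String
    NoEcho: true                       # masked in console/CLI/API output, NOT on the instance
    MinLength: 16
    AllowedPattern: '^[A-Za-z0-9]+$'   # the regex; ConstraintDescription is only the error text
    ConstraintDescription: must be at least 16 alphanumeric characters
Resources:
  WebServer:                           # assumed logical id
    Type: AWS::EC2::Instance
    CreationPolicy:
      ResourceSignal: { Count: 1, Timeout: PT10M }   # wait for cfn-signal, else rollback
    Metadata:
      AWS::CloudFormation::Init:
        configSets:
          default: [install, configure]             # configKeys run in this order
        install:
          packages:
            yum: { httpd: [] }
        configure:
          files:
            /etc/app/token:                         # assumed path; secret lands on disk
              content: !Ref AdminToken
              mode: '000400'
            /etc/cfn/cfn-hup.conf:                  # cfn-hup needs stack and region
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
              mode: '000400'
            /etc/cfn/hooks.d/cfn-auto-reloader.conf: # re-run cfn-init when Metadata changes
              content: !Sub |
                [cfn-auto-reloader-hook]
                triggers=post.update
                path=Resources.WebServer.Metadata.AWS::CloudFormation::Init
                action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServer --region ${AWS::Region}
          services:
            sysvinit:
              httpd: { enabled: true, ensureRunning: true }
              cfn-hup: { enabled: true, ensureRunning: true, files: [/etc/cfn/cfn-hup.conf, /etc/cfn/hooks.d/cfn-auto-reloader.conf] }
    Properties:
      ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
      InstanceType: t3.micro
      UserData:                        # procedural: run cfn-init once, report its exit code
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServer --region ${AWS::Region}
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServer --region ${AWS::Region}
```

NoEcho only hides the value in describe-stacks and console output; once the template writes it to the instance it is a plaintext secret on disk, so the instance must be protected like any other secret holder.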