Monday, December 8, 2025

AWS CloudFormation & Benefits | Deep Dive & Hands-On.

Focus:

  • Tailored for:
    • AWS Pro-level,
    • Solutions Architect,
    • DevOps,
    • DevSecOps,
    • SRE.

Scope:

  • Intro,
  • Core Concepts (definitions) used in CloudFormation,
  • Key Features and Benefits,
  • How CloudFormation Works (Architecture),
  • Core Components & Description,
  • Supported Deployment Languages,
  • Benefits of CloudFormation (why it Matters),
  • Major Features,
  • Benefits of AWS CloudFormation,
  • Use Cases,
  • Limitations (What CloudFormation Is Not),
  • CloudFormation Best Practices,
  • Project: Hands-On.

Intro:

    • AWS CloudFormation is a service that helps twtech model and set up its Amazon Web Services resources using infrastructure as code (IaC).
    • With AWS CloudFormation, twtech:
      • defines the AWS resources it needs in a template,
      • then uses the template to provision those resources,
      • and manages those resources as a single unit called a "stack".

Core Concepts (definitions) used in CloudFormation

Templates:

    • These are files written in JSON or YAML format that describe twtech's desired AWS infrastructure.
    • They are the blueprint for twtech's stack and can be reused to replicate environments.

Stack:

    • A stack is a collection of AWS resources that twtech manages as a single unit when they are provisioned via a CloudFormation template.

Infrastructure as Code (IaC): 

    • This practice allows twtech to manage and provision computing infrastructure through machine-readable definition files (template or code), 
      • rather than physical hardware configuration or interactive configuration tools.

Change Sets:

    • Before making changes to a running stack, twtech can create a change set to preview how its proposed changes will impact its resources.
    • This helps twtech understand which resources will be:
      • Modified,
      • Replaced,
      • or Interrupted.

Key Features and Benefits

Automation:

    •  CloudFormation automates the process of creating, updating, and deleting resources, which eliminates manual steps and potential human error.

Repeatability: 

    • Templates ensure that twtech's infrastructure can be consistently deployed across different environments (e.g., development, staging, production).

Version Control: 

    • By storing templates in version control systems, twtech can track changes to its infrastructure, collaborate with team members, and roll back to previous versions if needed.

Dependency Management (the DependsOn attribute, plus dependencies implied by Ref and Fn::GetAtt)

    • CloudFormation handles the dependencies between resources and orders creation, update and deletion accordingly.
    • For example, it ensures that a Virtual Private Cloud (VPC) is created before an EC2 instance is launched within it.

Drift Detection:

  • This feature allows twtech to detect whether the actual configuration of a stack's resources has deviated from the configuration defined in its template.
  • This helps twtech maintain consistency.

NB:

  • For more details and official documentation, visit the AWS CloudFormation Documentation. 

https://docs.aws.amazon.com/cloudformation/

The Concept of AWS CloudFormation

    • AWS CloudFormation is an Infrastructure-as-Code (IaC) service that lets twtech:
      • model,
      • provision,
      • and manage AWS infrastructure using templates (YAML/JSON).
    • twtech defines its infrastructure in a template, and CloudFormation deploys it consistently, securely, and repeatedly through a stack.

How CloudFormation Works (Architecture)

1. Template

  • twtech writes a template that describes:
    • AWS resources like:
      • EC2, 
      • VPC, 
      • S3, 
      • Lambda, 
      • IAM, etc.
    • Configurations and dependencies
    • Parameters, conditions, outputs

2. Stack

  • A stack is a deployed set of resources created from the template.

3. Stack Lifecycle

    • CREATE_IN_PROGRESS
    • CREATE_COMPLETE
    • UPDATE_IN_PROGRESS
    • UPDATE_COMPLETE
    • ROLLBACK_IN_PROGRESS (automatic when a resource operation fails)
    • DELETE_IN_PROGRESS

4. Change Sets

    • Preview the effect of updates on running stacks before applying changes.

5. Execution Role

    • CloudFormation assumes an IAM role to provision resources.

6. Drift Detection

    • Checks whether resources have been changed manually outside CloudFormation.

Core Components & Description

Concept               Description
Resources             AWS services to create (required section).
Parameters            User inputs for dynamic templates.
Mappings              Static key-value lookup (e.g., AMI ID per region).
Conditions            Logic to control resources (prod vs dev).
Outputs               Information returned after stack creation.
Metadata              Used by helper scripts (cfn-init, cfn-hup).
Intrinsic Functions   Fn::Sub, Fn::Join, Ref, Fn::GetAtt.
Nested Stacks         Modular template reuse.
StackSets             Deploy stacks across multiple accounts & regions.

Supported Deployment Languages

    • YAML (most common)
    • JSON

AWS also offers:

    • AWS CDK (TypeScript/Python/Go/Java)
    • SAM (Serverless IaC built on CloudFormation)

NB:

  • CloudFormation remains the underlying engine for both: CDK and SAM synthesize CloudFormation templates.

CloudFormation (Why It Matters)

  • It is the native IaC tool tightly integrated with AWS, used for:
    • Enterprise automation
    • DevOps workflows
    • CI/CD pipelines
    • Cloud governance
    • Multi-account deployments

Major Features

1. Declarative IaC

    • twtech describes what it wants, and CloudFormation handles how to build it.

2. Safe Provisioning & Rollbacks

  • If any resource creation fails:
    • CloudFormation rolls back to the previous stable state.
    • Ensures atomic deployments.

3. Change Sets (Safe Updates)

  • Before updating, view:
    • Which resources will be replaced
    • Impacts on downtime
    • New and removed resources

4. Drift Detection

  • Detects manual/unmanaged changes such as:
    • Modified security group (SG) rules
    • Changed IAM roles
    • Deleted resources
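
Drift detection in code, as an added example that is not part of the original post and does not call the CloudFormation API: it applies the rule the service follows, comparing only the properties the template declares against the live configuration and reporting IN_SYNC, MODIFIED or DELETED per resource. The template, the "live" snapshot and the physical ids below are all constructed sample data (in practice the live side comes from the describe calls); the sample drift is exactly the kind listed above, a security group rule widened by hand and a resource deleted outside CloudFormation.

```python
"""Drift detection over a stack's resources, done offline.

Added example, not the blog's code or the CloudFormation API. For every
resource in the template, compare only the declared properties with the live
configuration; properties the template never set (here a tag added by hand)
are ignored, and Refs are resolved to the physical ids the stack recorded
before comparing. All data below is constructed.
"""

# Constructed template: SSH is meant to be reachable from one admin host only.
TEMPLATE_RESOURCES = {
    "MyInstance": {"Type": "AWS::EC2::Instance", "Properties": {
        "InstanceType": "t2.micro", "ImageId": "ami-PLACEHOLDER"}},
    "SSHSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Admin SSH",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "CidrIp": "192.168.1.1/32"}]}},
    "ServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Web",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                  "CidrIp": "0.0.0.0/0"}]}},
    "MyEIP": {"Type": "AWS::EC2::EIP", "Properties": {"InstanceId": {"Ref": "MyInstance"}}},
}

# Constructed physical ids recorded by the stack (what each Ref resolves to).
PHYSICAL_IDS = {"MyInstance": "i-0123456789abcdef0"}

# Constructed live configuration: someone widened SSH to the world by hand,
# tagged the instance outside CloudFormation, and deleted the web security group.
LIVE_RESOURCES = {
    "MyInstance": {"InstanceType": "t2.micro", "ImageId": "ami-PLACEHOLDER",
                   "Tags": [{"Key": "Owner", "Value": "ops"}]},
    "SSHSecurityGroup": {"GroupDescription": "Admin SSH",
                         "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                                   "CidrIp": "0.0.0.0/0"}]},
    "MyEIP": {"InstanceId": "i-0123456789abcdef0"},
}


def resolve(node, physical_ids):
    """Replace {"Ref": logical_id} with the physical id the stack recorded for it."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and node["Ref"] in physical_ids:
            return physical_ids[node["Ref"]]
        return {k: resolve(v, physical_ids) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, physical_ids) for v in node]
    return node


def detect_resource_drift(expected, actual):
    """Compare declared properties only; return (status, {property: (expected, actual)})."""
    if actual is None:
        return "DELETED", {}
    diffs = {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}
    return ("MODIFIED" if diffs else "IN_SYNC"), diffs


def detect_stack_drift(template_resources, live_resources, physical_ids):
    """Per-resource drift report plus the stack-level verdict (IN_SYNC or DRIFTED)."""
    report = {}
    for logical_id, resource in template_resources.items():
        expected = resolve(resource.get("Properties", {}), physical_ids)
        status, diffs = detect_resource_drift(expected, live_resources.get(logical_id))
        report[logical_id] = {"Type": resource["Type"], "Status": status, "Differences": diffs}
    drifted = any(r["Status"] != "IN_SYNC" for r in report.values())
    return ("DRIFTED" if drifted else "IN_SYNC"), report


def drift_summary(template_resources, live_resources, physical_ids):
    """{logical_id: status}, the view the console's drift results page gives."""
    _, report = detect_stack_drift(template_resources, live_resources, physical_ids)
    return {k: v["Status"] for k, v in report.items()}


if __name__ == "__main__":
    stack_status, report = detect_stack_drift(TEMPLATE_RESOURCES, LIVE_RESOURCES, PHYSICAL_IDS)
    print("Stack drift status:", stack_status)
    for logical_id, entry in report.items():
        print(f"{logical_id:22} {entry['Status']:9}", entry["Differences"] or "")
```

Running it reports the stack as DRIFTED with SSHSecurityGroup MODIFIED (the ingress CIDR differs), ServerSecurityGroup DELETED, and the instance and EIP IN_SYNC: the hand-added tag is not a drift because the template never declared Tags, and the EIP's Ref was resolved to the recorded instance id before comparing.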

5. StackSets

  • Deploy the same stack across:
    • Multiple AWS accounts
    • Multiple regions
  • Useful for:
    •  Enterprise governance
    •  Security baselines
    •  Multi-account VPC patterns

6. Helper Scripts

  • Installed on EC2 for bootstrapping:
    • cfn-init
    • cfn-signal
    • cfn-get-metadata
    • cfn-hup
  • Used for:
    •  Software installation
    •  Updates based on metadata
    •  Auto-reconfigure instances

7. Rollback Triggers

    • Roll back an update automatically if any of the specified CloudWatch alarms goes into the ALARM state while the update runs.

8. Cross-Stack References

    • Export output values to be imported by other stacks.

9. Modularization

    • Nested stacks
    • Macro & Transform functions
    • Reusable resource patterns

Benefits of AWS CloudFormation

1. Consistency & Repeatability

    •  All environments (Dev, QA, Prod) look identical.
    •  Eliminates human error and configuration drift.

2. Automation & Fast Deployment

  • Fully automated provisioning.
  • Ideal for CI/CD pipelines and DevOps workflows.

3. Infrastructure Version Control

  • Templates can be stored in Git:
    • Track changes
    • Approvals
    • Code reviews
    • Rollback to older versions

4. Cost Management

    • Delete stacks to remove everything created.
    • Prevents orphaned resources.
    • Enables tagging for cost visibility.

5. Security & Compliance

    • IAM roles restrict what the template can create.
    • Standardized blueprints ensure compliant environments.
    • Drift detection identifies manual, unapproved changes.

6. Multi-Account Governance

  • With StackSets:
    • Centralize control across an AWS Organization
    • Enforce baseline security policies
    • Deploy resources across hundreds of accounts

7. Integrates with All AWS Services

    • CloudFormation supports almost every AWS service, often from the day a service launches.

8. Reduced Operational Overhead

  • No need to manually:
    •  Configure VPCs
    •  Set up EC2
    •  Create IAM roles/policies
    •  Provision databases

Use Cases

1. Full Application Stacks

  • Create complete environments including:
    • VPC
    • Load Balancers
    • EC2/ECS/Lambda
    • Databases
    • Monitoring

2. CI/CD Pipelines (DevOps)

  • Automate deployment of:
    • Infrastructure
    • Serverless apps (SAM)
    • Microservices

NB:

  • It can be integrated with CodePipeline, GitHub Actions, Jenkins, etc.

3. Multi-Account AWS Organizations

  • Baseline resources:
    • SecurityHub
    • GuardDuty
    • CloudTrail
    • IAM roles

4. Immutable Infrastructure

    • Replace resources instead of modifying them in place.

5. Disaster Recovery

    • Rebuild environments quickly using templates.

Limitations (What CloudFormation Is Not)

    • Not ideal for ad-hoc, quick provisioning (use CDK/SAM instead)
    • CloudFormation updates can be slow
    • Debugging template errors is sometimes difficult
    • Harder to orchestrate complex conditional logic
    • No first-class loop/iteration (use Mappings/Conditions/Transforms instead)

CloudFormation Best Practices

1. Use YAML

  • Cleaner, supports comments, more readable.

2. Modularize Templates

    • Use nested stacks
    • Reuse prototypes (VPC, ALB, ECS, IAM roles)

3. Use Parameters Sparingly

  • Prefer:
    • Mappings
    • SSM Parameter Store
    • Default values

4. Prefer IAM Roles Over Keys

    • Never store secrets in templates.

5. Use Change Sets for All Updates

    • Avoid surprise resource replacements.

6. Turn on Drift Detection

    • Especially in production.

7. Validate Templates

Use:

  • aws cloudformation validate-template

8. Tag All Resources

    • For cost management and governance.

9. Keep Templates Small

    • Large monolithic templates are harder to manage.

Project: Hands-On
  • How twtech uses AWS CloudFormation to:
    • Model and set up its Amazon Web Services resources with infrastructure as code (IaC).
      • With AWS CloudFormation, twtech:
        • defines the AWS resources it needs in a template,
        • then uses the template to provision those resources,
        • and manages them as a single unit called a "stack".
Search for AWS service: CloudFormation


  • Overview of how CloudFormation works:

  • Recap (Review):
    • twtech's infrastructure management using AWS CloudFormation.
    • This service allows twtech to create and manage a collection of Amazon Web Services resources based on a template.
    • CloudFormation facilitates orderly and predictable provisioning and updating of resources and enables version control of the infrastructure.
    • AWS CloudFormation allows twtech to model the resources it needs for an application or solution in a text file, formatted in JSON or YAML.
    • The template can be uploaded manually or retrieved from an S3 bucket.
    • The template defines the collection of resources as a single unit called a stack.
    • CloudFormation then translates the template's parameters into AWS API calls and creates the stack for twtech (using AssumeRole).
    • AWS CloudFormation also provisions the stack's resources as a running environment.
    • twtech can create, update, and delete stacks using the AWS CloudFormation console, the AWS API, or the AWS Command Line Interface (CLI).
    • To get started with CloudFormation, navigate to the Stacks screen to find a list of the stacks currently running in this region and their respective statuses.
    • twtech can view the stacks deployed in different regions using the region selection menu.
    • To find stacks faster, twtech can use the search bar to filter by stack name or keywords, and also filter by status.
    • Additionally, twtech can select a stack and perform actions on it. For example, twtech can enable termination protection for its business-critical stacks to prevent accidental deletion.
    • twtech can also perform advanced tasks such as managing drift, creating change sets, and importing resources into a stack.
    • When twtech is ready to begin deploying resources using CloudFormation, it can create a new stack.
    • This creation process involves specifying the template to use, entering stack details, configuring additional stack options, and reviewing the entire stack configuration before creating it.
    • Once the deployment is initiated, a screen for the new stack appears with the events detail pane.
    • From the events detail pane, twtech can track the status of operations as the stack is created.
    • To better view the stack details, twtech can collapse the CloudFormation navigation pane.
    • The stack detail panes offer a ton of information, including stack information, resources, outputs, parameters, and the template used to create the stack.
    • AWS CloudFormation StackSets extend the functionality of stacks, enabling twtech to create, update, or delete stacks across multiple accounts and regions with a single operation.
    • StackSets also allow twtech to easily scale out its CloudFormation deployments throughout an AWS Organization.
    • Finally, to share information between stacks, twtech can export a stack's output values.
  NB:
    • Other stacks in the same AWS account and region can import these exported values.
      • For instance, a single networking stack might export the IDs of a subnet and a security group for public web users.
    • twtech's final thought: AWS CloudFormation is a powerful tool that simplifies twtech's infrastructure management.

Useful official link: https://www.youtube.com/watch?v=1h-GPXQrLZw

Benefits and features:

  • How twtech creates a stack: Create stack (a group of resources deployed and managed as a unit from a single template)

Step-1:

    • twtech selects the appropriate region where its template works: US East (Ohio), us-east-2

Step-2:

    • Prerequisite: prepare and specify the template (a YAML file listing the resources and parameters, written in Visual Studio Code)

Step-3:

    • Define (configure) the template to reference the resources expected to be deployed in AWS.
    • AMIs are tied to regions and must be referenced appropriately.

Step-4:

    • Select and upload the template from the folder created for the CloudFormation (YAML) files.

    • View the code in Infrastructure Composer: (CloudFormation + Infrastructure Composer… for a better visual understanding of twtech's template)

Instance details:

Step-5:

    • Return to the CloudFormation console and continue creating the stack. (NB: all changes made are saved)


Step-6: Specify stack details

  • Provide a stack name: twtech-cf-stack

Configure stack options

  • Add tag:

Review and create




  • Submit to AWS CloudFormation to provision the resources.

From: CREATE_IN_PROGRESS

To: CREATE_COMPLETE

Step-7:

Verify the resource(s) created, in this case: MyInstance

    • The code (the template used) is included in the stack. It can be copied, edited, and viewed more clearly in Infrastructure Composer.
    • Hence the name Infrastructure as Code (IaC).

    • To verify more details of the instance created, go to: EC2 console

To view tags applied by CloudFormation to the instance:

Step-8:

    • How twtech updates (makes direct updates to) its CloudFormation stack: return to the CloudFormation console.

    • How twtech replaces the existing template with a new template: configure the template to reference the appropriate region and the operating system needed.
    • Always remember: an Amazon Machine Image (AMI) is tied to a region.

# twtechSample-CloudFormation-update.yaml
---
Parameters:
  SecurityGroupDescription:
    Description: Security Group Description
    Type: String

Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-2a
      # the AMI id must belong to the stack's region (us-east-2 here)
      ImageId: ami-00e428798e77xxxx
      InstanceType: t2.micro
      SecurityGroups:
        - !Ref SSHSecurityGroup
        - !Ref ServerSecurityGroup

  # an elastic IP for our instance
  MyEIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref MyInstance

  # our EC2 security group
  SSHSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        # 0.0.0.0/0 allows SSH from any address on the internet
        - CidrIp: 0.0.0.0/0
          FromPort: 22
          IpProtocol: tcp
          ToPort: 22

  # our second EC2 security group
  ServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Ref SecurityGroupDescription
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        # SSH limited to a single admin address
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 192.168.1.1/32

Outputs:
  ElasticIP:
    Description: Elastic IP Value
    Value: !Ref MyEIP
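
Before a template like the one above is submitted, the best practices section recommends validating it; the following is an added example (not the blog's code) of the checks a practitioner would run offline on top of `aws cloudformation validate-template`. It performs the structural checks that command also makes (a Resources section exists and every Ref names a declared Parameter, Resource or pseudo parameter), then lints security group ingress for administrative ports open to the whole internet, which is what the SSHSecurityGroup above does, and produces the hardened form with the CIDR narrowed to the admin address the template already uses elsewhere. TEMPLATE is the blog's update template transcribed into CloudFormation's JSON syntax so only the Python standard library is needed; the AMI id is the placeholder the blog shows.

```python
"""Offline checks on a CloudFormation template.

Added example, not the blog's own code. Structural checks mirror what
`aws cloudformation validate-template` rejects (missing Resources section,
unresolved Refs); the ingress lint and the hardening step are the extra checks
a security review adds. TEMPLATE is the blog's update template in JSON form.
"""
import copy
import json

# Pseudo parameters CloudFormation resolves without a declaration.
PSEUDO_PARAMETERS = {"AWS::AccountId", "AWS::NotificationARNs", "AWS::NoValue", "AWS::Partition",
                     "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

TEMPLATE = json.loads("""
{
  "Parameters": {
    "SecurityGroupDescription": {"Description": "Security Group Description", "Type": "String"}
  },
  "Resources": {
    "MyInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "AvailabilityZone": "us-east-2a",
        "ImageId": "ami-00e428798e77xxxx",
        "InstanceType": "t2.micro",
        "SecurityGroups": [{"Ref": "SSHSecurityGroup"}, {"Ref": "ServerSecurityGroup"}]
      }
    },
    "MyEIP": {"Type": "AWS::EC2::EIP", "Properties": {"InstanceId": {"Ref": "MyInstance"}}},
    "SSHSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable SSH access via port 22",
        "SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22}]
      }
    },
    "ServerSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": {"Ref": "SecurityGroupDescription"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "192.168.1.1/32"}
        ]
      }
    }
  },
  "Outputs": {"ElasticIP": {"Description": "Elastic IP Value", "Value": {"Ref": "MyEIP"}}}
}
""")


def iter_refs(node):
    """Yield the logical name used by every {"Ref": ...} anywhere in the template."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        for value in node.values():
            yield from iter_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_refs(item)


def unresolved_refs(template):
    """Refs that name neither a Parameter, a Resource nor a pseudo parameter."""
    declared = set(template.get("Parameters", {})) | set(template.get("Resources", {})) | PSEUDO_PARAMETERS
    return sorted({ref for ref in iter_refs(template) if ref not in declared})


def world_open_admin_ports(template):
    """(group, port, service) for every ingress rule open to 0.0.0.0/0 or ::/0 on an admin port."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in resource.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule.get("CidrIp") != "0.0.0.0/0" and rule.get("CidrIpv6") != "::/0":
                continue
            if str(rule.get("IpProtocol")) == "-1" or "FromPort" not in rule:
                low, high = 0, 65535  # "all traffic": every port is in scope
            else:
                low, high = int(rule["FromPort"]), int(rule.get("ToPort", rule["FromPort"]))
            findings.extend((name, port, svc) for port, svc in ADMIN_PORTS.items() if low <= port <= high)
    return findings


def validate(template):
    """Structural errors (would fail validate-template) and security warnings in one report."""
    errors = [] if "Resources" in template else ["Template has no Resources section"]
    errors += [f"Unresolved Ref: {ref}" for ref in unresolved_refs(template)]
    warnings = [f"{g} opens {svc} (port {p}) to the whole internet" for g, p, svc in world_open_admin_ports(template)]
    return {"errors": errors, "warnings": warnings}


def restrict_ingress(template, group, admin_cidr):
    """Hardened copy: every 0.0.0.0/0 rule of `group` is narrowed to the given admin CIDR."""
    fixed = copy.deepcopy(template)
    for rule in fixed["Resources"][group]["Properties"]["SecurityGroupIngress"]:
        if rule.get("CidrIp") == "0.0.0.0/0":
            rule["CidrIp"] = admin_cidr
    return fixed


if __name__ == "__main__":
    print(json.dumps(validate(TEMPLATE), indent=2))
    print(json.dumps(validate(restrict_ingress(TEMPLATE, "SSHSecurityGroup", "192.168.1.1/32")), indent=2))
```

On the blog's template the structural checks pass and the single warning is SSHSecurityGroup opening port 22 to the whole internet; port 80 open to the world in ServerSecurityGroup is not flagged because it is not an administrative port. The check is deliberately run on the template rather than on the deployed security groups, so the finding surfaces in review, before the stack is created.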

Step-9:

  • Select the new template that will replace the existing one.

  • Specify stack details: twtechupdatedCFstatck

  • Configure stack options: keep the default values

Review twtech-CFstack and update

Change set preview:

  • Changes: 4

Submit the updated stack template to AWS CloudFormation:

  • From: UPDATE_IN_PROGRESS

To: UPDATE_COMPLETE

Step-10:

    • From the EC2 console: verify whether the instance was terminated and a new instance provisioned (twtechCFstack).
      • Yes, it was.
      • Meaning twtech needs to back up any existing data on the instance before updating the stack.

    • From the EC2 console: verify that the Elastic IP was provisioned and attached to the instance (twtechCFstack).
      • Yes, it was.

    • From the EC2 console: verify that the two security groups were provisioned and attached to the instance (twtechCFstack).
      • Yes, they were.

    • From the EC2 console: verify that the specified CIDR IP (192.168.1.1/32) was provisioned on the instance's security group (twtechCFstack), as referenced in the security group block of the updated template.
      • Yes, it was.

    • From the EC2 console: verify that port 22 was added to the instance (twtechCFstack) as referenced in the updated template.
      • Yes, it was.
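
The replacement observed in Step-10 is exactly what the change set preview described earlier in the post is meant to surface before the update is executed. The following is an added example, not the blog's code, that reproduces change-set logic offline for a small subset of resource types: it diffs the deployed template against the proposed one and fills in the Replacement column from an "update requires" table. The table is a hand-copied subset of the AWS resource reference and must be extended for the types in use. BEFORE is constructed, since the blog does not show its first template; it is chosen so the update yields the four changes the preview reported, with the instance replaced. AFTER is the blog's update template reduced to the properties that matter for the diff.

```python
"""Preview a stack update the way a change set does, offline.

Added example, not the blog's own code. Compares the deployed template with
the proposed one and reports Add / Modify / Remove per resource plus whether
the modification replaces the resource. REPLACEMENT_PROPS and CONDITIONAL_PROPS
are a hand-copied subset of the AWS resource reference; BEFORE is constructed.
"""

# Properties whose change forces replacement of the resource (subset of the AWS docs).
REPLACEMENT_PROPS = {
    "AWS::EC2::Instance": {"ImageId", "AvailabilityZone", "SecurityGroups", "SubnetId", "KeyName"},
    "AWS::EC2::SecurityGroup": {"GroupName", "GroupDescription", "VpcId"},
}
# Properties whose change may interrupt the resource without replacing it (subset).
CONDITIONAL_PROPS = {"AWS::EC2::Instance": {"InstanceType"}}

BEFORE = {  # constructed: the stack as first deployed, one instance and nothing else
    "MyInstance": {"Type": "AWS::EC2::Instance", "Properties": {
        "AvailabilityZone": "us-east-2a", "ImageId": "ami-OLD-PLACEHOLDER", "InstanceType": "t2.micro"}},
}
AFTER = {  # the blog's update template, reduced to the properties that matter here
    "MyInstance": {"Type": "AWS::EC2::Instance", "Properties": {
        "AvailabilityZone": "us-east-2a", "ImageId": "ami-00e428798e77xxxx", "InstanceType": "t2.micro",
        "SecurityGroups": [{"Ref": "SSHSecurityGroup"}, {"Ref": "ServerSecurityGroup"}]}},
    "MyEIP": {"Type": "AWS::EC2::EIP", "Properties": {"InstanceId": {"Ref": "MyInstance"}}},
    "SSHSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Enable SSH access via port 22",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "ServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": {"Ref": "SecurityGroupDescription"},
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "192.168.1.1/32"}]}},
}


def changed_properties(before_props, after_props):
    """Property names whose value differs, including ones added or removed."""
    return sorted(k for k in set(before_props) | set(after_props)
                  if before_props.get(k) != after_props.get(k))


def replacement_for(resource_type, changed):
    """Translate changed property names into the change set's Replacement column."""
    if set(changed) & REPLACEMENT_PROPS.get(resource_type, set()):
        return "True"
    if set(changed) & CONDITIONAL_PROPS.get(resource_type, set()):
        return "Conditional"
    return "False"


def _row(action, logical_id, resource_type, replacement, details=()):
    return {"Action": action, "LogicalId": logical_id, "ResourceType": resource_type,
            "Replacement": replacement, "Details": list(details)}


def plan_changes(before, after):
    """Resource-level change list (Add / Modify / Remove) with a replacement verdict each."""
    changes = []
    for logical_id in sorted(set(before) | set(after)):
        old, new = before.get(logical_id), after.get(logical_id)
        if old is None:
            changes.append(_row("Add", logical_id, new["Type"], "n/a"))
        elif new is None:
            changes.append(_row("Remove", logical_id, old["Type"], "n/a"))
        elif old["Type"] != new["Type"]:
            changes.append(_row("Modify", logical_id, new["Type"], "True", ["Type"]))
        else:
            diff = changed_properties(old.get("Properties", {}), new.get("Properties", {}))
            if diff:  # unchanged resources do not appear in a change set
                changes.append(_row("Modify", logical_id, old["Type"], replacement_for(old["Type"], diff), diff))
    return changes


def replaced_resources(changes):
    """Logical ids that will be torn down and recreated: back up their data before executing."""
    return [c["LogicalId"] for c in changes if c["Replacement"] == "True"]


if __name__ == "__main__":
    plan = plan_changes(BEFORE, AFTER)
    print(f"Changes: {len(plan)}")
    for c in plan:
        print(f"{c['Action']:7} {c['LogicalId']:20} {c['ResourceType']:26} Replacement={c['Replacement']}",
              c["Details"] or "")
    print("Back up before executing:", replaced_resources(plan))
```

With the constructed BEFORE, the plan lists four changes: MyInstance is modified with Replacement=True because both ImageId and SecurityGroups changed, and the EIP and the two security groups are added. That Replacement=True line is the signal the hands-on discovered after the fact; reading it in the change set is what lets the backup happen before the update rather than after the instance is gone.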

    • How twtech accesses the updated template and Infrastructure Composer:

View in Infrastructure Composer:

NB:

    • For cleanup: manually deleting individual resources is possible, but it is not allowed by the security standard (the stack would no longer match its template).
    • Use CloudFormation to delete all tagged resources in a stack:
    • Select the stack to be deleted and hit Delete.

Confirm deletion:

NB:

    • It takes a while (about 10-15 minutes) to fully provision the stack: be patient.
    • If a setting is wrong or the template configuration is wrong, the stack won't create the expected resources.
    • CloudFormation will attempt the creation again on each retry, but until the template is fixed those attempts will keep failing.
      • For example, not referencing the appropriate AMI, or a region that does not correspond to the AMI.
    • Any resources that were provisioned alongside will also be rolled back.


Successfully Done



