twtech
deep-dive into AWS CloudFormation.
This level is tailored for:
- AWS Pro-level,
- Solutions Architect,
- DevOps,
- DevSecops
- SRE.
Scope:
- What
it is,
- How
it works,
- Key
concepts,
- Architecture,
- Benefits,
- Best
practices,
- Advanced features.
Breakdown:
- Intro,
- Core Concepts (definitions) used in CloudFormation,
- Key
Features and Benefits,
- How CloudFormation Works (Architecture),
- Core Components & Description,
- Supported Deployment Languages,
- Benefits of CloudFormation (why it Matters),
- Major Features,
- Benefits of AWS CloudFormation,
- Use Cases,
- Limitations (What CloudFormation Is Not),
- CloudFormation Best Practices,
Intro:
- AWS CloudFormation is a service that helps twtech to model and setup its Amazon Web Services resources using infrastructure as code (IaC).
- With AWS CloudFormation twtech defines the AWS resources it needs in a template, then used the template to provision and manage those resources as a single unit called a "stack".
Core
Concepts (definitions) used in CloudFormation
Templates:
- These are files written in JSON or YAML
format that describe twtech desired AWS infrastructure.
- They are the blueprint for twtech stack and can be reused to replicate environments.
Stack:
- A stack is a collection of AWS resources that twtech manages as a single unit when they are provisioned via a CloudFormation template.
Infrastructure
as Code (IaC):
- This practice allows twtech to manage and provision computing infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
Change
Sets:
- Before
making changes to a running stack, twtech can create a change set to see a preview of how its proposed changes will
impact its resources.
- This helps twtech to understand which resources will be modified, replaced, or interrupted
Key
Features and Benefits
Automation:
- CloudFormation automates the process of creating, updating, and deleting resources, which eliminates manual steps and potential human error.
Repeatability:
- Templates ensure that twtech infrastructure can be consistently deployed across different environments (e.g., development, staging, production).
Version
Control:
- By storing templates in version control systems, twtech can track changes to its infrastructure, collaborate with team members, and roll back to previous versions if needed.
Dependency
Management:
- CloudFormation handles the dependencies between resources. For example, it ensures that a Virtual Private Cloud (VPC) is created before an EC2 instance is launched within it.
Drift
Detection:
- This feature allows twtech to detect if its actual stack configuration has deviated from its defined template, helping you maintain consistency.
NB:
- For more details and official documentation, visit the AWS CloudFormation Documentation.
https://docs.aws.amazon.com/cloudformation/
The Concept of AWS CloudFormation
- AWS CloudFormation is an Infrastructure-as-Code (IaC) service that lets you
model,
provision, and manage AWS infrastructure using templates (YAML/JSON).
- twtech define its infrastructure in a template,
and CloudFormation deploys it consistently, securely, and repeatedly through a stack.
How
CloudFormation Works (Architecture)
1.
Template
twtech writes a template that describes:
- AWS resources (EC2, VPC,
S3, Lambda, IAM, etc.)
- Configurations and dependencies
- Parameters, conditions, outputs
2.
Stack
- A stack is a deployed set of resources created from the template.
3.
Stack Lifecycle
-
CREATE_IN_PROGRESS -
CREATE_COMPLETE -
UPDATE_IN_PROGRESS -
UPDATE_COMPLETE -
ROLLBACK_IN_PROGRESS(auto if error) -
DELETE_IN_PROGRESS
4.
Change Sets
- Preview the effect of updates on running stacks before applying changes.
5.
Execution Role
- CloudFormation assumes an IAM role to provision resources.
6.
Drift Detection
- Checks whether resources have been changed manually outside CloudFormation.
Core
Components & Description
|
Concept |
Description |
|
Resources |
AWS services to create (required
section). |
|
Parameters |
User inputs for dynamic templates. |
|
Mappings |
Static key-value lookup (like
region → AMI ID). |
|
Conditions |
Logic to control resources (prod
vs dev). |
|
Outputs |
Information returned after stack creation. |
|
Metadata |
Used by helper scripts (cfn-init,
cfn-hup). |
|
Intrinsic Functions |
Fn::Sub, Fn::Join, Ref, Fn::GetAtt. |
|
Nested Stacks |
Modular template reuse. |
|
StackSets |
Deploy stacks across multiple accounts & regions. |
Supported
Deployment Languages
- YAML (most common)
- JSON
AWS also offers:
- AWS CDK (TypeScript/Python/Go/Java)
- SAM (Serverless IaC built on
CloudFormation)
NB:
But CloudFormation remains the underlying engine.
CloudFormation (why it Matters)
It is the native IaC tool tightly integrated with AWS, used for:
- Enterprise
automation
- DevOps
workflows
- CI/CD
pipelines
- Cloud
governance
- Multi-account
deployments
Major
Features
1. Declarative IaC
- twtech describe what it wants, and CloudFormation handles how to build it.
2. Safe Provisioning & Rollbacks
If any resource creation fails:
- CloudFormation rolls back to the previous stable state.
- Ensures atomic deployments.
3. Change Sets (Safe Updates)
Before updating, view:
- Which
resources will be replaced
- Impacts on
downtime
- New and
removed resources
4. Drift Detection
Detects manual/unmanaged changes such as:
- Modified SG
rules
- Changed IAM
roles
- Deleted
resources
5. StackSets
Deploy the same stack across:
- Multiple AWS accounts
- Multiple regions
Useful for:
- Enterprise
governance
- Security
baselines
- Multi-account
VPC patterns
6. Helper Scripts
Installed on EC2 for bootstrapping:
-
cfn-init -
cfn-signal -
cfn-get-metadata -
cfn-hup
Used for:
- Software
installation
- Updates based
on metadata
- Auto-reconfigure
instances
7. Rollback Triggers
- Roll back if CloudWatch alarms breach thresholds during update.
8. Cross-Stack References
- Export output values to be imported by other stacks.
9. Modularization
- Nested stacks
- Macro &
Transform functions
- Reusable
resource patterns
Benefits
of AWS CloudFormation
1. Consistency & Repeatability
- All environments (Dev, QA, Prod) look
identical.
- Eliminates human error and configuration drift.
2. Automation & Fast Deployment
- Fully
automated provisioning.
- Ideal for
CI/CD pipelines and DevOps workflows.
3. Infrastructure Version Control
Templates can be stored in Git:
- Track changes
- Approvals
- Code reviews
- Rollback to
older versions
4. Cost Management
- Delete stacks
to remove everything created.
- Prevents orphaned
resources.
- Enables
tagging for cost visibility.
5. Security & Compliance
- IAM roles
restrict what the template can create.
- Standardized
blueprints ensure compliant environments.
- Drift
detection identifies manual, unapproved changes.
6. Multi-Account Governance
With StackSets:
- Centralize
control of AWS Organizations
- Enforce
baseline security policies
- Deploy
resources across hundreds of accounts
7. Integrates with All AWS Services
- CloudFormation supports almost every AWS service, often on day-one.
8. Reduced Operational Overhead
No need to manually:
- Configure
VPCs
- Set up EC2
- Create IAM
roles/policies
- Provision
databases
Use
Cases
1.
Full Application Stacks
Create complete environments including:
- VPC
- Load
Balancers
- EC2/ECS/Lambda
- Databases
- Monitoring
2.
CI/CD Pipelines (DevOps)
Automate deployment of:
- Infrastructure
- Serverless apps (SAM)
- Microservices
NB:
- It can be Integrated with CodePipeline, GitHub Actions, Jenkins, etc.
3.
Multi-Account AWS Organizations
Baseline resources:
- SecurityHub
- GuardDuty
- CloudTrail
- IAM roles
4.
Immutable Infrastructure
- Replace resources instead of modifying them in place.
5.
Disaster Recovery
- Rebuild environments quickly using templates.
Limitations (What
CloudFormation Is Not)
- Not ideal for ad-hoc, quick provisioning → Use CDK/SAM
- CloudFormation updates can be slow
- Debugging template errors is sometimes difficult
- Harder to orchestrate complex conditional logic
- No first-class loop/iteration → Use
Mappings/Conditions/Transforms
CloudFormation
Best Practices
1.
Use YAML
Cleaner, supports comments, more readable.
2.
Modularize Templates
- Use nested stacks
- Reuse prototypes (VPC, ALB,
ECS, IAM roles)
3.
Use Parameters Sparingly
Prefer:
- Mappings
- SSM Parameter Store
- Default values
4.
Prefer IAM Roles Over Keys
- Never store secrets in templates.
5.
Use Change Sets for All Updates
- Avoid surprise resource replacements.
6.
Turn on Drift Detection
- Especially in production.
7.
Validate Templates
Use:
aws cloudformation validate-template8.
Tag All Resources
- For cost management and governance.
9.
Keep Templates Small
- Large monolithic templates → harder to manage.
- Model and setup its Amazon Web Services resources using infrastructure as code (IaC).
- With AWS CloudFormation twtech defines the AWS resources it needs in a template, then used the template to provision and manage those resources as a single unit called a "stack".
- Overview of how CloudFormation works:
- twtech infrastructure management using AWS CloudFormation.
- This service allows twtech to create and manage a collection of
Amazon Web Services resources based on a template.
- CloudFormation
facilitates orderly and predictable provisioning and updating of resources and
enables version control of the infrastructure.
- AWS CloudFormation allows twtech to model the resources it needs
for an application or solution in a text file, formatted in JSON or YAML.
- The
template can be uploaded manually or retrieve from an S3 bucket.
- The temple defines the collection of resources as a
single unit called a stack.
- CloudFormation
then translates the template's parameters into API calls and creates the stack for twtech.
- AWS
CloudFormation also provisions the stack's resources as a running environment.
- twtech can create,
update, and delete stacks using the
AWS CloudFormation console, AWS API, or AWS command-line interface (CLI).
- To get started with
CloudFormation, navigate to the stacks
screen and find a list of stacks currently running in this region and their
respective statuses.
- twtech can view the stacks
deployed in different regions using the region selection menu.
- To find
stacks faster, twtech can use the
search bar to filter by stackname or keywords, and also filter by status.
- Additionally, twtech can select a stack and perform actions on
it. For example,
- twtech can enable
termination protection for its business-critical stacks to prevent accidental
deletion.
- twtech can also
perform advanced tasks such as managing drift, creating change sets, and importing resources into a stack.
- When twtech is ready to
begin deploying resources using CloudFormation, it can create a new stack.
- This creation process
involves specifying the template to use, entering stack details, configuring additional stack options, and reviewing the entire stack configuration before
creating it.
- Once the
deployment is initiated, a
screen for the new stack appears in the events detail pane.
- From events
detail pane, twtech can track the
status of operations as the stack is created.
- To better
view the stack details, twtech can collapse the CloudFormation navigation pane.
- The stack
detail panes offer a ton of information, including stack information, resources, outputs, parameters, and the
template used to create the stack.
- AWS
CloudFormation stack sets extend the functionality of stacks, enabling twtech to create, update, or
delete stacks across multiple accounts and regions with a single operation.
- This AWS
CloudFormation stack sets also allows twtech to easily scale out its CloudFormation
deployments throughout an AWS
organization. - Eventually, to share information between stacks,
twtech can export a stack's output
values.
- NB: Other stacks in the same AWS account and region can import these exported values. Take for instance, a single networking stack might export the IDs of a subnet and a security group for public web users.
- twtech
final thought: AWS CloudFormation is a powerful tool that
simplifies twtech infrastructure management.
Useful
official link: https://www.youtube.com/watch?v=1h-GPXQrLZw
Benefits and features:
- How twtech creates a stack: Create stack (group of resources deployed and managed as unit from a single template)
Step-1:
- twtech select the appropriate region where its template works: United State Ohio
Step-2:
- Prerequisite - Prepare
template & Specify template (yaml
file specifying list of resources and parameters from Visual studio Code)
Step-3:
- Define (Configure) the template: to reference the expected resources that would be deployed in aws.
- AMI are tired to regions and should be referenced apporpriately.
Step-4:
- Select and upload the template from the folder created for clouldFormation (yaml) files.
- View the code in infrastructure composer: (CloudFront + Infrastructure composer… for better visual understanding of twtech template)
Instance
details:
Step-5:
- Return
to CloudFormation console and continue creating the stack. (NB: changes made all are save)
Step-6: Specify stack
details
- Provide a stack name: twtech-cf-stack
Configure stack options
- Add tag:
Review and create
From: create_in_progress
To:
create
completed
Step-7:
Verify
the Resource(s) created, in this case: Myinstance
- The
code (template
used) in included in the
stack. It can be copied, editd in, viewed better with infrastructure compose.
- Thus, the name Infrastructure as Code (IaC)
- To
verify more details of the instance created, go to: EC2 console
To view tags applied by CloudFormation to the instance:
Step-8:
- How twtech updates (make direct updates) it Cloudformation stack: Return to CloudFormation console.
- How twtech replaces the existing template with new
template: Configure the template to reference appropriate region
and Operating system needed.
- Always Remember, Amazon Machine Image is tired to a region.
# twtechCloudFormation-update.yaml
|
--- |
|
Parameters: |
|
SecurityGroupDescription: |
|
Description: Security Group Description |
|
Type: String |
|
Resources: |
|
MyInstance: |
|
Type: AWS::EC2::Instance |
|
Properties: |
|
AvailabilityZone: us-east-2a |
|
ImageId: ami-00e428798e77xxxx |
|
InstanceType: t2.micro |
|
SecurityGroups: |
|
- !Ref SSHSecurityGroup |
|
- !Ref ServerSecurityGroup |
|
# an
elastic IP for our instance |
|
MyEIP: |
|
Type: AWS::EC2::EIP |
|
Properties: |
|
InstanceId: !Ref MyInstance |
|
# our
EC2 security group |
|
SSHSecurityGroup: |
|
Type: AWS::EC2::SecurityGroup |
|
Properties: |
|
GroupDescription: Enable SSH access via port
22 |
|
SecurityGroupIngress: |
|
- CidrIp: 0.0.0.0/0 |
|
FromPort: 22 |
|
IpProtocol: tcp |
|
ToPort: 22 |
|
# our
second EC2 security group |
|
ServerSecurityGroup: |
|
Type: AWS::EC2::SecurityGroup |
|
Properties: |
|
GroupDescription: !Ref
SecurityGroupDescription |
|
SecurityGroupIngress: |
|
- IpProtocol: tcp |
|
FromPort: 80 |
|
ToPort: 80 |
|
CidrIp: 0.0.0.0/0 |
|
- IpProtocol: tcp |
|
FromPort: 22 |
|
ToPort: 22 |
|
CidrIp: 192.168.1.1/32 |
|
Outputs: |
|
ElasticIP: |
|
Description: Elastic IP Value |
|
Value: !Ref MyEIP |
Step-9:
- Select the new template that would be used to replace the existing one.
- Specify stack details: twtechupdatedCFstatck
- Configure stack options: keep the defaults values
Review twtech-CFstack: And update
Change set Preview:
- Changes: 4
Submit the update Stack templed to AWS cloudFormation:
- From: updates_In_progress
To: updates_completed
Step-10:
- From ec2 console: Verify whether the instance was terminated before a new instance provisioned (twtechCFstack)
- Yes: It was (meaning twtech need to to backup any resources in the instance before updating the stack)
- From ec2 console: Verify that the Elastic IP was provisioned and attached to the instance(twtechCFstack)
- Yes. It was.
- From ec2 console: Verify that the 2 security groups were provisioned and attached to the instance(twtechCFstack)
- Yes : they were
- From ec2 console: Verify that the the specified CidreIP (192.168.1.1/32) were provisioned and attached to the instance(twtechCFstack) as referenced in the security group blog of the updated template.
- Yes: it was
- From ec2 console: Verify that the Port 22 was added to instance(twtechCFstack) as referenced in the updated template.
- Yes: it was
- How twtech accesses the updated template and Infrastructure composer
View in Infrastructure Composer:
NB:
-
For
cleanup: Manual deletion
is possible for cloudformation. However it is not allowed by security standard.
- Use CloudFormation to delete all tag resources in a stack:
- Select the stack to be deleted and hit: delete
Confirm deletion:
NB:
- It takes a couple of minutes (about 10-15 minutes) to fully provision the stack: Be patient
- In the
case where wrong setting or wrong with template configuration: Stack won’t create the expected resources.
- There will be
repeated attempts by CloudFormation to create, but until template is fixed, that
repeated attempt may go on forever. ( for example, not referencing the appropriate AMI or region that corresponds to the AMI).
- There will also a roll-back of the resource that might have been provisioned alongside.
No comments:
Post a Comment