AWS CloudFormation

• A service that gives developers and businesses an easy way to create a collection of related AWS resources and provision them in an orderly and predictable fashion.

Features

• CloudFormation allows you to model your entire infrastructure in a text file called a template. You can use JSON or YAML to describe what AWS resources you want to create and configure. If you want to design visually, you can use AWS CloudFormation Designer.
• CloudFormation automates the provisioning and updating of your infrastructure in a safe and controlled manner. You can use Rollback Triggers to specify the CloudWatch alarm that CloudFormation should monitor during the stack creation and update process. If any of the alarms are breached, CloudFormation rolls back the entire stack operation to a previously deployed state.
• CloudFormation Change Sets allow you to preview how proposed changes to a stack might impact your running resources.
• AWS StackSets lets you provision a common set of AWS resources across multiple accounts and regions with a single CloudFormation template. StackSets takes care of automatically and safely provisioning, updating, or deleting stacks in multiple accounts and across multiple regions.
• CloudFormation enables you to build custom extensions to your stack template using AWS Lambda.

CloudFormation vs Elastic Beanstalk

• Elastic Beanstalk provides an environment to easily deploy and run applications in the cloud.

• CloudFormation is a convenient provisioning mechanism for a broad range of AWS resources.

Concepts

• Templates
  • A JSON or YAML formatted text file.
  • CloudFormation uses these templates as blueprints for building your AWS resources.
• Stacks
  • Manage related resources as a single unit.
  • All the resources in a stack are defined by the stack’s CloudFormation template.
• Change Sets
  • Before updating your stack and making changes to your resources, you can generate a change set, which is a summary of your proposed changes.
  • Change sets allow you to see how your changes might impact your running resources, especially for critical resources, before implementing them.

• With AWS CloudFormation and AWS CodePipeline, you can use continuous delivery to automatically build and test changes to your CloudFormation templates before promoting them to production stacks.
• CloudFormation artifacts can include a stack template file, a template configuration file, or both. AWS CodePipeline uses these artifacts to work with CloudFormation stacks and change sets.
  • Stack Template File – defines the resources that CloudFormation provisions and configures. You can use YAML or JSON-formatted templates.
  • Template Configuration File – a JSON-formatted text file that can specify template parameter values, a stack policy, and tags. Use these configuration files to specify parameter values or a stack policy for a stack.
• Through the AWS PrivateLink, you can use CloudFormation APIs inside of your Amazon VPC and route data between your VPC and CloudFormation entirely within the AWS network.

Stacks

• If a resource cannot be created, CloudFormation rolls the stack back and automatically deletes any resources that were created. If a resource cannot be deleted, any remaining resources are retained until the stack can be successfully deleted.
• Stack update methods
  • Direct update
  • Creating and executing change sets
• Drift detection enables you to detect whether a stack’s actual configuration differs, or has drifted, from its expected configuration. Use CloudFormation to detect drift on an entire stack, or on individual resources within the stack.
  • A resource is considered to have drifted if any if its actual property values differ from the expected property values.
  • A stack is considered to have drifted if one or more of its resources have drifted.
• To share information between stacks, export a stack’s output values. Other stacks that are in the same AWS account and region can import the exported values.
• You can nest stacks.

Templates

• Templates include several major sections. The Resources section is the only required section.
• CloudFormation Designer is a graphic tool for creating, viewing, and modifying CloudFormation templates. You can diagram your template resources using a drag-and-drop interface, and then edit their details using the integrated JSON and YAML editor.
• Custom resources enable you to write custom provisioning logic in templates that CloudFormation runs anytime you create, update (if you changed the custom resource), or delete stacks.
• Template macros enable you to perform custom processing on templates, from simple actions like find-and-replace operations to extensive transformations of entire templates.

StackSets

• CloudFormation StackSets allow you to roll out CloudFormation stacks over multiple AWS accounts and in multiple Regions with just a couple of clicks. StackSets is commonly used together with AWS Organizations to centrally deploy and manage services in different accounts.
• Administrator and target accounts – An administrator account is the AWS account in which you create stack sets. A stack set is managed by signing in to the AWS administrator account in which it was created. A target account is the account into which you create, update, or delete one or more stacks in your stack set.
• In addition to the organization’s management account, you can delegate other administrator accounts in your AWS Organization that can create and manage stack sets with service-managed permissions for the organization.
• Stack sets – A stack set lets you create stacks in AWS accounts across regions by using a single CloudFormation template. All the resources included in each stack are defined by the stack set’s CloudFormation template. A stack set is a regional resource.
• Stack instances – A stack instance is a reference to a stack in a target account within a region. A stack instance can exist without a stack; for example, if the stack could not be created for some reason, the stack instance shows the reason for stack creation failure. A stack instance can be associated with only one stack set.
• Stack set operations – Create stack set, update stack set, delete stacks, and delete stack set.
• Tags – You can add tags during stack set creation and update operations by specifying key and value pairs.

Monitoring

• CloudFormation is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in CloudFormation. CloudTrail captures all API calls for CloudFormation as events, including calls from the CloudFormation console and from code calls to the CloudFormation APIs.

Security

• You can use IAM with CloudFormation to control what users can do with AWS CloudFormation, such as whether they can view stack templates, create stacks, or delete stacks.
• A service role is an IAM role that allows CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows CloudFormation to create, update, or delete your stack resources.
• You can improve the security posture of your VPC by configuring CloudFormation to use an interface VPC endpoint.

Pricing

• No additional charge for CloudFormation. You pay for AWS resources created using CloudFormation in the same manner as if you created them manually.

AWS CloudFormation Deep Dive and Recent Enhancements:

AWS CloudFormation-related Cheat Sheets:

• Elastic Beanstalk vs CloudFormation vs OpsWorks vs CodeDeploy

Validate Your Knowledge

Question 1

A retail company is planning to migrate its on-premises data center to AWS to scale its infrastructure and reach more customers. Their multi-tier web applications will be moved to the cloud and will use a variety of AWS services, IAM policies, and custom network configuration. The requirements can be changed anytime by their Solutions Architect, which means there will be a lot of modifications to the AWS components being deployed. CloudFormation will be used to automate, launch, and version-control the new cloud environment in AWS in various regions.

Which of the following is the MOST recommended way to set up CloudFormation in this scenario?

1. Prepare a single master CloudFormation template containing all logical parts of the architecture. Store the CloudFormation resource outputs to a DynamoDB table that will be used by the template. Upload and manage the template in AWS CodeCommit.
2. Prepare a single master CloudFormation template containing all logical parts of the architecture. Upload and maintain the template in AWS CodeCommit.
3. Prepare multiple separate CloudFormation templates for each logical part of the architecture. Use cross-stack references to export resources from one AWS CloudFormation stack to another and maintain the templates in AWS CodeCommit.
4. Prepare multiple separate CloudFormation templates for each logical part of the architecture. Store the CloudFormation resource outputs to AWS Systems Manager Parameter Store. Upload and manage the templates in AWS CodeCommit.

Show me the answer!

Correct Answer: 3

When you organize your AWS resources based on lifecycle and ownership, you might want to build a stack that uses resources that are in another stack. You can hard-code values or use input parameters to pass resource names and IDs. However, these methods can make templates difficult to reuse or can increase the overhead to get a stack running. Instead, use cross-stack references to export resources from a stack so that other stacks can use them. Stacks can use the exported resources by calling them using the Fn::ImportValue function.

For example, you might have a network stack that includes a VPC, a security group, and a subnet. You want all public web applications to use these resources. By exporting the resources, you allow all stacks with public web applications to use them.

To export resources from one AWS CloudFormation stack to another, create a cross-stack reference. Cross-stack references let you use a layered or service-oriented architecture. Instead of including all resources in a single stack, you create related AWS resources in separate stacks; then you can refer to required resource outputs from other stacks. By restricting cross-stack references to outputs, you control the parts of a stack that are referenced by other stacks.

For example, you might have a network stack with a VPC, a security group, and a subnet for public web applications, and a separate public web application stack. To ensure that the web applications use the security group and subnet from the network stack, you create a cross-stack reference that allows the web application stack to reference resource outputs from the network stack. With a cross-stack reference, owners of the web application stacks don’t need to create or maintain networking rules or assets.

To create a cross-stack reference, use the Export output field to flag the value of a resource output for export. Then, use the Fn::ImportValue intrinsic function to import the value.

Hence, the correct answer is: Prepare multiple separate CloudFormation templates for each logical part of the architecture. Use cross-stack references to export resources from one AWS CloudFormation stack to another and maintain the templates in AWS CodeCommit.

The option that says: Prepare a single master CloudFormation template containing all logical parts of the architecture. Store the CloudFormation resource outputs to a DynamoDB table that will be used by the template. Upload and manage the template in AWS CodeCommit is incorrect because it is better to use multiple separate CloudFormation templates to handle each logical part of the architecture, considering that you are deploying multitier web applications that use a variety of AWS services, IAM policies, and custom network configuration. This will provide a better management of each part of your architecture. In addition, you can simply use cross-stack references in CloudFormation instead of storing the resource outputs in a DynamoDB table.

The option that says: Prepare a single master CloudFormation template containing all logical parts of the architecture. Upload and maintain the template in AWS CodeCommit is incorrect because just as mentioned above, it is better to use multiple separate CloudFormation templates to handle each logical part of the architecture.

The option that says: Prepare multiple separate CloudFormation templates for each logical part of the architecture. Store the CloudFormation resource outputs to AWS Systems Manager Parameter Store. Upload and manage the templates in AWS CodeCommit is incorrect because it is better to handle each logical part of the architecture on a separate CloudFormation template for easier management. Although you can integrate AWS Systems Manager Parameter Store with CloudFormation, this service is more suitable to store data such as passwords, database strings, and license codes as parameter values but not resource outputs. You should create a cross-stack reference to export resources from one AWS CloudFormation stack to another.

References:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html#cross-stack
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-crossstackref.html
https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-reference-resource/

Note: This question was extracted from our AWS Certified DevOps Engineer Professional Practice Exams.

Question 2

A privately funded aerospace manufacturer and sub-orbital spaceflight services company hosts its rapid-evolving applications in AWS. For their deployment process, they are using CloudFormation templates which are regularly updated to map the latest AMI IDs. It takes a lot of time to execute this on a regular basis which is why you were instructed to automate this process.

In this scenario, which of the following options is the most suitable solution that can satisfy the requirement?

1. Configure your Systems Manager State Manager to store the latest AMI IDs and integrate them with your CloudFormation template. Call the update-stack API in CloudFormation whenever you decide to update the EC2 instances in your CloudFormation template.
2. Use a combination of AWS Service Catalog with AWS Config to automatically fetch the latest AMI and use it for succeeding deployments.
3. Use CloudFormation with AWS Service Catalog to fetch the latest AMI IDs and automatically use them for succeeding deployments.
4. Use CloudFormation with Systems Manager Parameter Store to retrieve the latest AMI IDs for your template. Whenever you decide to update the EC2 instances, call the update-stack API in CloudFormation in your CloudFormation template.

For more AWS practice exam questions with detailed explanations, visit the Tutorials Dojo Portal:

Additional Training Materials: AWS CloudFormation Video Courses on Udemy

1. AWS CloudFormation Master Class
2. AWS CloudFormation – Simplified | Hands On with YAML
3. AWS CloudFormation Step By Step: Beginner to Intermediate

References:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
https://aws.amazon.com/cloudformation/features/
https://aws.amazon.com/cloudformation/pricing/
https://aws.amazon.com/cloudformation/faqs/