AWS CloudFormation

A service that gives developers and businesses an easy way to create a collection of related AWS resources and provision them in an orderly and predictable fashion.

Features

CloudFormation allows you to model your entire infrastructure in a text file called a template. You can use JSON or YAML to describe what AWS resources you want to create and configure. If you want to design visually, you can use AWS CloudFormation Designer.
CloudFormation automates the provisioning and updating of your infrastructure in a safe and controlled manner. You can use Rollback Triggers to specify the CloudWatch alarm that CloudFormation should monitor during the stack creation and update process. If any of the alarms are breached, CloudFormation rolls back the entire stack operation to a previous deployed state.
CloudFormation Change Sets allow you to preview how proposed changes to a stack might impact your running resources.
AWS StackSets lets you provision a common set of AWS resources across multiple accounts and regions with a single CloudFormation template. StackSets takes care of automatically and safely provisioning, updating, or deleting stacks in multiple accounts and across multiple regions.
CloudFormation enables you to build custom extensions to your stack template using AWS Lambda.

CloudFormation vs Elastic Beanstalk

Elastic Beanstalk provides an environment to easily deploy and run applications in the cloud.
CloudFormation is a convenient provisioning mechanism for a broad range of AWS resources.

Concepts

Templates
- A JSON or YAML formatted text file.
- CloudFormation uses these templates as blueprints for building your AWS resources.
Stacks
- Manage related resources as a single unit.
- All the resources in a stack are defined by the stack’s CloudFormation template.
Change Sets
- Before updating your stack and making changes to your resources, you can generate a change set, which is a summary of your proposed changes.
- Change sets allow you to see how your changes might impact your running resources, especially for critical resources, before implementing them.

AWS Training AWS CloudFormation 2

With AWS CloudFormation and AWS CodePipeline, you can use continuous delivery to automatically build and test changes to your CloudFormation templates before promoting them to production stacks.
CloudFormation artifacts can include a stack template file, a template configuration file, or both. AWS CodePipeline uses these artifacts to work with CloudFormation stacks and change sets.
- Stack Template File – defines the resources that CloudFormation provisions and configures. You can use YAML or JSON-formatted templates.
- Template Configuration File – a JSON-formatted text file that can specify template parameter values, a stack policy, and tags. Use these configuration files to specify parameter values or a stack policy for a stack.
Through the AWS PrivateLink, you can use CloudFormation APIs inside of your Amazon VPC and route data between your VPC and CloudFormation entirely within the AWS network.

Stacks

If a resource cannot be created, CloudFormation rolls the stack back and automatically deletes any resources that were created. If a resource cannot be deleted, any remaining resources are retained until the stack can be successfully deleted.
Stack update methods
- Direct update
- Creating and executing change sets
Drift detection enables you to detect whether a stack’s actual configuration differs, or has drifted, from its expected configuration. Use CloudFormation to detect drift on an entire stack, or on individual resources within the stack.
- A resource is considered to have drifted if any if its actual property values differ from the expected property values.
- A stack is considered to have drifted if one or more of its resources have drifted.
To share information between stacks, export a stack’s output values. Other stacks that are in the same AWS account and region can import the exported values.
You can nest stacks.

Templates

Templates include several major sections. The Resources section is the only required section.
CloudFormation Designer is a graphic tool for creating, viewing, and modifying CloudFormation templates. You can diagram your template resources using a drag-and-drop interface, and then edit their details using the integrated JSON and YAML editor.
Custom resources enable you to write custom provisioning logic in templates that CloudFormation runs anytime you create, update (if you changed the custom resource), or delete stacks.
Template macros enable you to perform custom processing on templates, from simple actions like find-and-replace operations to extensive transformations of entire templates.

StackSets

Administrator and target accounts – An administrator account is the AWS account in which you create stack sets. A stack set is managed by signing in to the AWS administrator account in which it was created. A target account is the account into which you create, update, or delete one or more stacks in your stack set.
Stack sets – A stack set lets you create stacks in AWS accounts across regions by using a single CloudFormation template. All the resources included in each stack are defined by the stack set’s CloudFormation template. A stack set is a regional resource.
Stack instances – A stack instance is a reference to a stack in a target account within a region. A stack instance can exist without a stack, and can be associated with only one stack set.
Stack set operations – Create stack set, update stack set, delete stacks, and delete stack set.
Tags – You can add tags during stack set creation and update operations by specifying key and value pairs.

Monitoring

CloudFormation is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in CloudFormation. CloudTrail captures all API calls for CloudFormation as events, including calls from the CloudFormation console and from code calls to the CloudFormation APIs.

Security

You can use IAM with CloudFormation to control what users can do with AWS CloudFormation, such as whether they can view stack templates, create stacks, or delete stacks.
A service role is an IAM role that allows CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows CloudFormation to create, update, or delete your stack resources.
You can improve the security posture of your VPC by configuring CloudFormation to use an interface VPC endpoint.

Pricing

No additional charge for CloudFormation. You pay for AWS resources created using CloudFormation in the same manner as if you created them manually.

Limits

Limit	Description	Value
Resources	Maximum number of resources that you can declare in your CloudFormation template.	200 resources
Stacks	Maximum number of CloudFormation stacks that you can create.	200 stacks
StackSets	Maximum number of CloudFormation stack sets you can create in your administrator account.	100 stack sets
Stack instances per stack set	The number of stack instances you can have per stack set	2000

AWS CloudFormation Deep Dive and Recent Enhancements:

AWS CloudFormation-related Cheat Sheets:

Elastic Beanstalk vs CloudFormation vs OpsWorks vs CodeDeploy

Validate Your Knowledge

Question 1

You are a new Solutions Architect in your department and you have created 7 CloudFormation templates. Each template has been defined for a specific purpose. What determines the cost of using these new CloudFormation templates?

$2.50 per template per month
The length of time it takes to build the architecture with CloudFormation
It depends on the region where you will deploy.
CloudFormation templates are free but you are charged for the underlying resources it builds.

Show me the answer!

Correct Answer: 4

There is no additional charge for AWS CloudFormation. You pay for AWS resources (such as Amazon EC2 instances, Elastic Load Balancing load balancers, etc.) created using AWS CloudFormation in the same manner as if you created them manually. You only pay for what you use, as you use it; there are no minimum fees and no required upfront commitments.

Option 1 is incorrect. There is no cost for creating CloudFormation templates. Costs are calculated from the AWS resources that are provisioned from that CloudFormation template.

Option 2 is incorrect. There is no cost for the time it takes to execute CloudFormation templates. Costs are calculated from the AWS resources that are provisioned from that CloudFormation template.

Option 3 is incorrect. Costs per region are not calculated based on the CloudFormation template, but rather on the regions where resources are provisioned during the building of the environment using the CloudFormation template.

Reference:
https://aws.amazon.com/cloudformation/pricing/

Question 2

A privately funded aerospace manufacturer and sub-orbital spaceflight services company hosts its rapid-evolving applications in AWS. For their deployment process, they are using CloudFormation templates which are regularly updated to map the latest AMI IDs. It takes a lot of time to execute this on a regular basis which is why you were instructed to automate this process.

In this scenario, which of the following options is the most suitable solution that can satisfy the requirement?

Configure your Systems Manager State Manager to store the latest AMI IDs and integrate it with your CloudFormation template. Call the update-stack API in CloudFormation whenever you decide to update the EC2 instances in your CloudFormation template.
Use a combination of AWS Service Catalog with AWS Config to automatically fetch the latest AMI and use it for succeeding deployments.
Use CloudFormation with AWS Service Catalog to fetch the latest AMI IDs and automatically use them for succeeding deployments.
Use CloudFormation with Systems Manager Parameter Store to retrieve the latest AMI IDs for your template. Whenever you decide to update the EC2 instances, call the update-stack API in CloudFormation in your CloudFormation template.

Show me the answer!

Correct Answer: 4

You can use the existing Parameters section of your CloudFormation template to define Systems Manager parameters, along with other parameters. Systems Manager parameters are a unique type that is different from existing parameters because they refer to actual values in the Parameter Store. The value for this type of parameter would be the Systems Manager (SSM) parameter key instead of a string or other value. CloudFormation will fetch values stored against these keys in Systems Manager in your account and use them for the current stack operation.

If the parameter being referenced in the template does not exist in Systems Manager, a synchronous validation error is thrown. Also, if you have defined any parameter value validations (AllowedValues, AllowedPattern, etc.) for Systems Manager parameters, they will be performed against SSM keys which are given as input values for template parameters, not actual values stored in Systems Manager.

Parameters stored in Systems Manager are mutable. Any time you use a template containing Systems Manager parameters to create/update your stacks, CloudFormation uses the values for these Systems Manager parameters at the time of the create/update operation. So, as parameters are updated in Systems Manager, you can have the new value of the parameter take effect by just executing a stack update operation. The Parameters section in the output for Describe API will show an additional ‘ResolvedValue’ field that contains the resolved value of the Systems Manager parameter that was used for the last stack operation.

Hence, the correct answer is Option 4.

Option 1 is incorrect because the Systems Manager State Manager service simply automates the process of keeping your Amazon EC2 and hybrid infrastructure in a state that you define. This can’t be used as a parameter store that refers to the latest AMI of your application.

Options 2 and 3 are incorrect because using AWS Service Catalog is not suitable in this scenario. This service just allows organizations to create and manage catalogs of IT services that are approved for use on AWS.

References:
https://aws.amazon.com/blogs/mt/integrating-aws-cloudformation-with-aws-systems-manager-parameter-store/
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

For more AWS practice exam questions with detailed explanations, check this out:

XX

Additional Training Materials: AWS CloudFormation Video Courses on Udemy

AWS CloudFormation Master Class by Stephane Maarek
AWS CloudFormation – Simplified | Hands On with YAML by Stack Simplify
Mastering AWS CloudFormation Templates Using JSON by Hari Kammana
AWS CloudFormation Step By Step: Beginner to Intermediate by Emre Yilmaz

Sources:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
https://aws.amazon.com/cloudformation/features/
https://aws.amazon.com/cloudformation/pricing/
https://aws.amazon.com/cloudformation/faqs/

***

AWS Certifications are consistently among the top paying IT certifications in the world, considering that Amazon Web Services is the leading cloud services platform with almost 50% market share! Earn over $150,000 per year with an AWS certification!

Subscribe to our newsletter and notifications for more helpful AWS cheat sheets and study guides like this and answer as many AWS practice exams as you can.🙂