AWS CloudFormation 

• CloudFormation is a powerful tool for managing your AWS infrastructure as code. 

• You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and CloudFormation takes care of provisioning and configuring those resources for you.

• You don't need to individually create and configure AWS resources and figure out what's dependent on what; CloudFormation handles that.  

• When you use that template to create a CloudFormation stack, CloudFormation provisions all the resources for you. 

• After the stack has been successfully created, your AWS resources are up and running.

• You can delete the stack just as easily, which deletes all the resources in the stack. 

• By using CloudFormation, you easily manage a collection of resources as a single unit. 

• By defining your infrastructure in a template, you ensure consistency, automation, and repeatability in your cloud deployments. 

• CloudFormation allows you to model your entire infrastructure in a text file, making it easier to deploy, manage, and update your resources. 

• The infrastructure you define in CloudFormation templates is essentially a Blueprint for your cloud architecture.

• It 's declarative IaaC approach. Means we define the end desired state and system figures out how to achieve it.

• More idempotent - means running it multiple times results in same state.

Key Components

Templates 

• A template is a text file written in JSON or YAML format that describes the resources and their configurations. 

• The template includes a collection of logical AWS resources, dependencies, and parameters.

• Anatomy of a CloudFormation Template :

  • AWSTemplateVersion: Capability of template.

  • Description: Some meaningful description.

  • Resources: Defines the AWS resources to be created (e.g., EC2, S3, VPC, etc.).

  • Parameters: Used to define input variables that are passed during stack creation (e.g., instance type, VPC ID).

  • Outputs: Specifies the values that are returned when the stack is created or updated, such as URLs or resource IDs.

  • Mappings: Defines a mapping of keys and corresponding values that you can reference in the template (e.g., region-specific settings).

  • Conditions: Allows you to create conditions for resources that are created only under certain circumstances (e.g., if a specific parameter is passed).

  • Metadata: Provides additional information about the resources in your template.

  • Transform: Used for macros or specifying the AWS::Include transformation for Lambda-backed resources.

• If you created a stack with the following template, CloudFormation provisions an instance with an ami-0ff8a91507f77f867 AMI ID, t2.micro instance type, testkey key pair name, and an Amazon EBS volume. And  include an Elastic IP address (EIP) and associate it with the Amazon EC2 instance.

AWSTemplateFormatVersion: 2010-09-09

Description: A sample template

Resources:

  MyEC2Instance:

    Type: 'AWS::EC2::Instance'

    Properties:

      ImageId: ami-0ff8a91507f77f867

      InstanceType: t2.micro

      KeyName: testkey

      BlockDeviceMappings:

        - DeviceName: /dev/sdm

          Ebs:

            VolumeType: io1

            Iops: 200

            DeleteOnTermination: false

            VolumeSize: 20

  MyEIP:

    Type: 'AWS::EC2::EIP'

    Properties:

      InstanceId: !Ref MyEC2Instance

Stacks 

• A stack is a collection of AWS resources that are created, updated, or deleted as a single unit. 

• It’s essentially a deployment of the template that AWS CloudFormation manages.

• It does the state management. Which mean if something goes wrong with the new changes in an existing stack, it rolls back the template to last configuration.

• Example: You might have a stack for an entire web application that includes EC2 instances, an RDS database, VPC settings, and an S3 bucket.

Change Sets 

• If you need to make changes to the running resources in a stack, you update the stack. 

• Before making changes to your resources, you can generate a change set, which is a summary of your proposed changes. 

• Change sets allow you to see how your changes might impact your running resources, especially for critical resources, before implementing them.

• For example, if you change the name of an Amazon RDS database instance, CloudFormation will create a new database and delete the old one. You will lose the data in the old database unless you've already backed it up. If you generate a change set, you will see that your change will cause your database to be replaced, and you will be able to plan accordingly before you update your stack.

Resources 

• These are the individual AWS services that you want to manage with CloudFormation. 

• Resources can be EC2 instances, security groups, VPCs, S3 buckets, IAM roles, RDS databases, etc. Example:

  • EC2 instances are a resource defined in a CloudFormation template to provision virtual servers.

  • S3 bucket creation is another example.

Parameters

• Parameters allow you to create reusable templates by making them flexible. They are inputs to the template provided during the stack creation.

• Example: If you're creating an EC2 instance, you could define parameters for the instance type, key pair, or security group.

Outputs

• Outputs are used to return values after the stack has been created, which can be useful for sharing information between stacks or displaying important details such as IP addresses, resource IDs, etc.

• Example: After deploying a web application stack, you might output the URL of the application or the ARN (Amazon Resource Name) of an S3 bucket.

StackSets

• StackSets allow you to create, update, or delete stacks across multiple AWS accounts and regions with a single operation. 

• This is useful when you want to deploy a consistent infrastructure across multiple environments or accounts.

• Use Case: In a large organization with multiple accounts and regions, you can use StackSets to manage infrastructure in a standardized way.

Resources Types

• CloudFormation provides a wide variety of built-in resource types (e.g., EC2, S3, Lambda, RDS, DynamoDB). You can use these resource types in your template to define your infrastructure.

• Example: If you need to create a VPC, you'd reference the AWS::EC2::VPC resource type, and for an S3 bucket, you'd use the AWS::S3::Bucket resource type.

Drift Detection

• Drift detection allows you to detect changes made outside of CloudFormation, for example, manual changes through the AWS Management Console, AWS CLI, or API. 

• If a resource's configuration deviates from its original template, drift detection helps you identify these discrepancies.

• Use Case: This helps ensure that your infrastructure is in sync with the desired state defined in CloudFormation.

CloudFormation Designer

• CloudFormation Designer is a graphical tool that allows you to visualize and create CloudFormation templates. It provides a drag-and-drop interface to design your cloud infrastructure and automatically generates the corresponding JSON or YAML code.

How CloudFormation works

• When you use CloudFormation to create your stack, CloudFormation makes underlying service calls to AWS to provision and configure the resources described in your template. 

• You need permission to create these resources. For example, to create EC2 instances by using CloudFormation, you need permissions to create instances.

• The calls that CloudFormation makes are all declared by your template. For example, suppose you have a template that describes an EC2 instance with a t2.micro instance type. When you use that template to create a stack, CloudFormation calls the Amazon EC2 create instance API and specifies the instance type as t2.micro. The following diagram summarizes the CloudFormation workflow for creating stacks.

• If you specify a template file stored locally, CloudFormation uploads it to an S3 bucket in your AWS account. CloudFormation creates a bucket for each region in which you upload a template file. 

• The buckets are accessible to anyone with Amazon Simple Storage Service (Amazon S3) permissions in your AWS account. 

• If a bucket created by CloudFormation is already present, the template is added to that bucket.

• You can use your own bucket and manage its permissions by manually uploading templates to Amazon S3. Then whenever you create or update a stack, specify the Amazon S3 URL of a template file.

Updating a stack with a change set

• When you need to update your stack's resources, you can modify the stack's template. 

• You don't need to create a new stack and delete the old one.

• To update a stack, create a change set by submitting a modified version of the original stack template, different input parameter values, or both. 

• CloudFormation compares the modified template with the original template and generates a change set. 

• The change set lists the proposed changes. 

• After reviewing the changes, you can start the change set to update your stack or you can create a new change set.

• Change sets don't indicate whether your stack update will be successful. For example, a change set doesn't check if you will surpass an account quota, if you're updating a resource that doesn't support updates, or if you have insufficient permissions to modify a resource, which can cause a stack update to fail. 

• CloudFormation updates your stack by updating only the resources that you modified and signals that your stack has been successfully updated. If the stack updates fails, CloudFormation rolls back changes to restore the stack to the last known working state. 

• The following diagram summarizes the workflow for updating a stack.

EXAMPLE of a Template

AWSTemplateFormatVersion: 2010-09-09

Description: CloudFormation Template for WebServer with Security Group and EC2 Instance

Parameters:

  LatestAmiId:

    Description: The latest Amazon Linux 2 AMI from the Parameter Store

    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'

    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'

  InstanceType:

    Description: WebServer EC2 instance type

    Type: String

    Default: t2.micro

    AllowedValues:

      - t3.micro

      - t2.micro

    ConstraintDescription: must be a valid EC2 instance type.

  MyIP:

    Description: Your IP address in CIDR format (e.g. 203.0.113.1/32).

    Type: String

    MinLength: '9'

    MaxLength: '18'

    Default: 0.0.0.0/0

    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$'

    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.

Resources:

  WebServerSecurityGroup:

    Type: AWS::EC2::SecurityGroup

    Properties:

      GroupDescription: Allow HTTP access via my IP address

      SecurityGroupIngress:

        - IpProtocol: tcp

          FromPort: '80'

          ToPort: '80'

          CidrIp: !Ref MyIP

  WebServer:

    Type: AWS::EC2::Instance

    Properties:

      ImageId: !Ref LatestAmiId

      InstanceType: !Ref InstanceType

      SecurityGroupIds:

        - !Ref WebServerSecurityGroup

      UserData: !Base64 |

        #!/bin/bash

        yum update -y

        yum install -y httpd

        systemctl start httpd

        systemctl enable httpd

        echo "<html><body><h1>Hello World!</h1></body></html>" > /var/www/html/index.html

Outputs:

  WebsiteURL:

    Value: !Join

      - ''

      - - http://

        - !GetAtt WebServer.PublicDnsName

    Description: Website URL

helper scripts

• CloudFormation provides the following Python helper scripts that you can use to install software and start services on an Amazon EC2 instance that you create as part of your stack:

  • cfn-init – Use to retrieve and interpret resource metadata, install packages, create files, and start services.

  • cfn-signal – Use to signal with a CreationPolicy or WaitCondition, so you can synchronize other resources in the stack when the prerequisite resource or application is ready.

  • cfn-get-metadata – Use to retrieve metadata for a resource or path to a specific key.

  • cfn-hup – Use to check for updates to metadata and execute custom hooks when changes are detected.

• You call the scripts directly from your template. The scripts work in conjunction with resource metadata that's defined in the same template. The scripts run on the Amazon EC2 instance during the stack creation process.

• The scripts aren't executed by default. You must include calls in your template to execute specific helper scripts.