AWS CloudFormation

Question 1

AWS CloudFormation

Answer 1

AWS CloudFormation is a service that allows you to manage, configure and provision your AWS infrastructure as code.

AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment.

Question 2

CloudFormation Benefits

Answer 2

• Infrastructure is provisioned consistently, with fewer mistakes (human error).
• Less time and effort than configuring resources manually.
• You can use version control and peer review for your CloudFormation templates.
• Free to use (you’re only charged for the resources provisioned).
• It can be used to manage updates and dependencies.
• It can be used to rollback and delete the entire stack as well.

Question 3

Key Concepts

Answer 3

1. Templates
2. Stacks
3. StackSets
4. Change Sets

Question 4

Template Principles

Answer 4

A template is a YAML or JSON template used to describe the end-state of the infrastructure you are either provisioning or changing.

After creating the template, you upload it to CloudFormation directly or using Amazon S3.

CloudFormation reads the template and makes the API calls on your behalf.

The resulting resources are called a “Stack”.

Logical IDs are used to reference resources within the template.

Physical IDs identify resources outside of AWS CloudFormation templates, but only after the resources have been created.

Question 5

Mandatory Template elements

Answer 5

List of resources and associated configuration values.

Question 6

Template components - Resources , What is it ?

Answer 6

The required Resources section declares the AWS resources that you want to include in the stack, such as an Amazon EC2 instance or an Amazon S3 bucket.

• Mandatory.
• Represent AWS components that will be created.
• Resources are declared and can reference each other.

Question 7

Template components - Parameters, What is it ?

Answer 7

Use the optional Parameters section to customize your templates. Parameters enable you to input custom values to your template each time you create or update a stack.

• Provide inputs to your CloudFormation template.
• Useful for template reuse.

Question 8

Pseudo Parameters, what is it ?

Answer 8

Pseudo parameters are parameters that are predefined by AWS CloudFormation. You do not declare them in your template. Use them the same way as you would a parameter, as the argument for the Ref function.

• AWS::AccountId – Returns the AWS account ID of the account in which the stack is being created.
• AWS::NotificationARNs – Returns the list of notification Amazon Resource Names (ARNs) for the current stack.
• AWS::Region – Returns a string representing the AWS Region in which the encompassing resource is being created.
• AWS::StackId – Returns the ID of the stack as specified with the aws cloudformation create-stack command.

Question 9

Mappings, what is it ?

Answer 9

The optional Mappings section matches a key to a corresponding set of named values.

• Fixed variables.
• Good for differentiating between regions, environments, AMIs etc.
• Need to know the values in advance.
• For user-specific values use parameters instead.

Exam tip: with mappings you can, for example, set values based on a region. You can create a mapping that uses the region name as a key and contains the values you want to specify for each specific region.

Question 10

Outputs, what is it ?

Answer 10

The optional Outputs section declares output values that you can import into other stacks (to create cross-stack references), return in response (to describe stack calls), or view on the AWS CloudFormation console.

• Outputs can be imported into other stacks.
• Can view the outputs in the console or using the AWS CLI.
• Cannot delete a Stack if its outputs are being referenced by another CloudFormation Stack.

Question 11

Conditions, what is it ?

Answer 11

The optional Conditions section contains statements that define the circumstances under which entities are created or configured.

Question 12

Transform, what is it ?

Answer 12

The optional Transform section specifies one or more macros that AWS CloudFormation uses to process your template.

The transform section can be used to reference additional code stored in S3, such as Lambda code or reusable snippets of CloudFormation code.

The AWS::Serverless transform, which is a macro hosted by AWS CloudFormation, takes an entire template written in the AWS Serverless Application Model (AWS SAM) syntax and transforms and expands it into a compliant AWS CloudFormation template.

Question 13

Intrinsic Functions

Answer 13

AWS CloudFormation provides several built-in functions that help you manage your stacks.

Use intrinsic functions in your templates to assign values to properties that are not available until runtime.

Question 14

Instrinsic Funtions

Answer 14

Ref

Fn::Ref (or !Ref in YAML),

The intrinsic function Ref returns the value of the specified parameter or resource.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns the value of an attribute from a resource in the template.

Fn::FindInMap

The intrinsic function Fn::FindInMap returns the value corresponding to keys in a two-level map that is declared in the Mappings section.

Fn::ImportValue

The intrinsic function Fn::ImportValue returns the value of an output exported by another stack.

You typically use this function to create cross-stack references.

Fn::Sub

The intrinsic function Fn::Sub substitutes variables in an input string with values that you specify.

In your templates, you can use this function to construct commands or outputs that include values that aren’t available until you create or update a stack.

Question 15

Stacks

Answer 15

• Deployed resources based on templates.
• Create, update, and delete stacks using templates.
• Deployed through the Management Console, CLI or APIs.

Stack creation errors:

• Automatic rollback on error is enabled by default.
• You will be charged for resources provisioned even if there is an error.

Updating stacks:

AWS CloudFormation provides two methods for updating stacks: direct update or creating and executing change sets.

When you directly update a stack, you submit changes and AWS CloudFormation immediately deploys them.

Use direct updates when you want to quickly deploy your updates.

With change sets, you can preview the changes AWS CloudFormation will make to your stack, and then decide whether to apply those changes.

Question 16

Stack Sets, what is the purpose ?

Answer 16

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.

Using an administrator account, you define and manage an AWS CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts across specified regions.

An administrator account is the AWS account in which you create stack sets.

A stack set is managed by signing in to the AWS administrator account in which it was created.

A target account is the account into which you create, update, or delete one or more stacks in your stack set.

Before you can use a stack set to create stacks in a target account, you must set up a trust relationship between the administrator and target accounts.

Question 17

Nested Stacks

Answer 17

Nested stacks allow re-use of CloudFormation code for common use cases.

For example standard configuration for a load balancer, web server, application server etc.

Instead of copying out the code each time, create a standard template for each common use case and reference from within your CloudFormation template.

Question 18

Best Practices

Answer 18

AWS provides Python “helper scripts” which can help you install software and start services on your EC2 instances.

• Use CloudFormation to make changes to your landscape rather than going directly into the resources.
• Make use of Change Sets to identify potential trouble spots in your updates.
• Use Stack Policies to explicitly protect sensitive portions of your stack.
• Use a version control system such as CodeCommit or GitHub to track changes to templates.

Question 19

User data with EC2

Answer 19

User data can be included in CloudFormation.

The script is passed into Fn::Base64

The user data script logs are stored in /var/log/cloud-init-output.log

Binary is available on Amazon EC2 at /opt/aws/bin/cfn-init

Question 20

Rollbacks and Creation Failures

Answer 20

Stack creation failures:

• By default everything will be deleted.
• You can optionally disable rollback (good for troubleshooting failures).

Stack update failures:

• The stack will automatically roll back to the previous known working state.
• The logs can assist with understanding what issue occurred.

Question 21

Authorization and Access Control

Answer 21

You can use IAM with AWS CloudFormation to control what users can do with AWS CloudFormation, such as whether they can view stack templates, create stacks, or delete stacks.

In addition to AWS CloudFormation actions, you can manage what AWS services and resources are available to each user.

That way, you can control which resources users can access when they use AWS CloudFormation.

Question 22

Charges

Answer 22

There is no additional charge for AWS CloudFormation.

You pay for AWS resources (such as Amazon EC2 instances, Elastic Load Balancing load balancers, etc.) created using AWS CloudFormation in the same manner as if you created them manually.

You only pay for what you use, as you use it; there are no minimum fees and no required upfront commitments.