Cloud Formation Flashcards

1
Q

For CloudFormation, describe the 3 stack update models:

  • Update with no interruption
  • Update with some interruption
  • Replacement
A

Update with no interruption: the resource is updated with no interruption and no change to its physical ID, e.g. updating a resource profile.

Update with some interruption: the resource encounters a small disruption; the physical ID remains unchanged, e.g. changing the instance type for an EBS volume.

Replacement: a new resource with a new physical ID is created, the dependencies of other resources are updated, and the old resource is deleted.

2
Q

What is the role of a stack update policy in CloudFormation? How does the principal differ in a stack policy vs. other forms of policy?

A

A stack update policy prevents specific updates to resources in a stack. It differs from other forms of policy in the sense that the principal is always "*".

3
Q

Can you use CloudFormation to estimate resource costs?

A

Yes

4
Q

Can you edit an existing CloudFormation template?

A

No, you need to create a new version

5
Q

When you delete a CloudFormation template, what happens to the resources created by that stack?

A

ALL resources created by a CF stack are deleted when the stack is deleted

6
Q

What is the only mandatory thing in a CloudFormation stack?

A

Resources are the only mandatory part of a CF stack

7
Q

How would you pass dynamic inputs to a CloudFormation stack?

A

You would use CloudFormation parameters

8
Q

When you build a CloudFormation stack, do you need to specify the order in which resources are created? For instance, if I want an EIP, do I need to specify that an EC2 instance needs to be created first and then have the EIP attached to it?

A

No. You do not need to specify the order in which to create resources in CloudFormation. CloudFormation will determine the correct order in which to create the resources.

9
Q

In your CloudFormation template you see the following block of YAML:

ProductionEip:
  Type: AWS::EC2::EIP
  Properties:
    InstanceId: !Ref PublicHttpdServer

What is !Ref?

A

!Ref is a reference to a resource that is also created in the template. In this case it is an EC2 instance called PublicHttpdServer.

10
Q

Can I create a dynamic number of resources programmatically in CloudFormation?

A

No. All resources need to be declared

11
Q

How do I pass a value to a CloudFormation template?

A

You would use a CloudFormation template parameter.

12
Q

I am building a CloudFormation template to provision load generators. This template has a security group restricting inbound SSH access to a client's static IP. Given that the setup of the generator is likely to be the same from client to client, with the exception of the inbound static IP, what is the recommended way of achieving this so I don't have to create new versions every time it's updated?

A

You would create a CloudFormation parameter to read in the static IP when the template runs. For any resource configuration in CloudFormation that varies per deployment, you should use a parameter.

13
Q

Which function is used to reference parameters in CloudFormation?

A

Fn::Ref

14
Q

Where can you reference parameters in a CloudFormation template?

A

Parameters can be referenced from anywhere in your CloudFormation template.

15
Q

What two classes of things can you reference using !Ref in CloudFormation?

A

You can reference:

  • Parameters
  • Other resources created in the template
16
Q

How would you reference your account ID, region or an SNS notification ARN within a CloudFormation template?

A

AWS provides pseudo-parameters which allow you to access these values, e.g. !Ref AWS::AccountId

17
Q

I am building a CloudFormation template which needs to use specific AMIs for each of the 3 regions it runs in: us-east-1, ap-southeast-2 and eu-west-1. What is the best way to specify the AMI for each of the regions?

A

You should use Mappings within your template. These allow you to specify variables that are known beforehand, such as an AMI ID.

18
Q

How do mappings differ from parameters, and why would you use one over the other?

A

You use parameters where values are very user-specific and are not known beforehand. Mappings are used when you know in advance what the variables will be (think of them like constants) or when they can be deduced from other variables (such as AZ, Region, AccountId).

19
Q

What function do you use to access values from a MAPPING in a CloudFormation template?

A

Fn::FindInMap

20
Q

What three parameters does Fn::FindInMap take?

A

MapName, top-level key, second-level key:

Fn::FindInMap: [MapName, TopLevelKey, SecondLevelKey]

21
Q

I have a CloudFormation template Mapping set up to select an AMI for us-east-1, ap-southeast-2 and eu-west-1. My template is currently running out of ap-southeast-2. How would I construct the Fn::FindInMap call to use my current region? The mapping is called "AMIRegionMap" with nodes for the Region, and the AMI name key is "AMIName".

A
You would use a pseudo parameter in the call:

!FindInMap [AMIRegionMap, !Ref "AWS::Region", AMIName]

22
Q

I have a situation where I have the outputs of one CloudFormation stack (A) being referenced by another CloudFormation stack (B). Can I delete A?

A

No. You cannot delete a CloudFormation stack whose outputs are being referenced by another stack until all the references in B are deleted.

23
Q

We are in a highly complex environment in terms of VPC and subnet creation. Each subnet also has a mix of instance types and operating systems. It's not possible for one team to be expert in both sides of the setup. What could we do in CloudFormation to leverage the skills of both teams?

A

You would use template outputs. This allows a template to generate outputs, such as VPC and subnet IDs, to be used as inputs for other templates.

24
Q

Where and how would you specify an output to export in a CloudFormation template?

A

In the Outputs section, using the Export keyword under the output's entry:

Outputs:
  <OutputLogicalId>:
    Export:
      Name: <ExportName>

25
Q

What function do you use to import an exported value from another template's Outputs section?

A

Fn::ImportValue

Short form: !ImportValue

26
Q

In a CloudFormation template, what 3 things can a condition reference?

A
  • Another Condition
  • Mapping
  • Parameter Value
27
Q

What 5 logical conditions can a CloudFormation template condition evaluate? (Hint: think in terms of programming.)

A
And
Or
Not
Equals
If
28
Q

If I reference a resource using !Ref in a CloudFormation template, what gets returned? What about referencing a parameter?

A

The resource ID gets returned. For instance, if you reference an EC2 resource, the Instance ID will be returned. When referencing a parameter, the value of the parameter is returned.

29
Q

We need to get the availability zone of an EC2 instance in our CloudFormation template. When we use !Ref all we get is the instance ID. Is there a way to get the availability zone of the instance?

A

Yes, you would use Fn::GetAtt. GetAtt allows you to get attributes of resources, e.g.

AvailabilityZone: !GetAtt ec2instance.AvailabilityZone

30
Q

You see this in your CloudFormation template:

!Join [":", [a, b, c]]

What is the output?

A

a:b:c

31
Q

What must function calls be prefixed with in a CloudFormation template (short form)?

A

!

32
Q

What is this function and what would the output be?

Name: !Sub
  - www.${Domain}
  - { Domain: !Ref RootDomainName }

assuming the value of RootDomainName evaluates to PlanitTesting.com?

A

This is the Sub function; it allows you to replace a variable written as ${variable} with the output from a pseudo-function or a Ref. The output is:

www.PlanitTesting.com

33
Q

What is the DEFAULT behaviour in CloudFormation when a stack creation fails? How does this differ from when a stack UPDATE fails?

A

By default, a rollback on a failed create will delete the stack. If a stack update fails, CF will roll back to the last known good version. The default behaviour for creates can be overridden for troubleshooting.

34
Q

What is the difference between a nested stack and a cross stack (i.e. a stack that uses Outputs, ImportValue and ExportValue)?

A

A nested stack is best practice when it comes to reusing COMMON components. For instance, you have a load balancer configuration that you use for most of your stacks. Instead of copying and pasting the same configuration into your templates, you can create a dedicated template for the load balancer. Then you just use the stack resource to reference that template from within other templates.

A cross stack takes outputs from one stack and uses them as inputs for another stack, and is used when stacks have different lifecycles. For instance, we might have a dev stack that has a different network config that we need to pass to our EC2 stack so it can deploy instances to the right place.

35
Q

I need to deploy a CloudFormation stack across multiple accounts and regions, but it is going to be time-consuming to do this one at a time. What CloudFormation technology can I use?

A

Stack Sets allow you to do an all-at-once deploy across multiple accounts and regions.

36
Q

Who can create a stack set, and who can update one?

A

Only the CloudFormation administrator account can create a stack set. Trusted accounts can create, update and delete stacks inside a stack set.

37
Q

What happens to stacks across accounts and regions when a stack set is updated?

A

All associated stack instances across all accounts and regions are updated.

38
Q

Where are CloudFormation templates stored?

A

S3

39
Q

Which intrinsic function should you use to retrieve the DNS name of a Load Balancer created with CloudFormation?

A

Fn::GetAtt. The DNS name is an attribute of the ELB. Fn::Ref would return the ID.

40
Q

I tried to create an exported output:

Outputs:
  StackSSHSecurityGroup:
    Description: The SSH Security Group for our Company
    Value: !Ref MyCompanyWideSSHSecurityGroup
    Export:
      Name: SSHSecurityGroup

But I get an error saying the "SSHSecurityGroup" output already exists. What should you do?

A

Exported output names must be unique within a region, so you'll need to change the name.

41
Q

What is the role of a change set in CloudFormation?

A

A change set is a description of the changes that would be applied to a stack if the submitted stack template were accepted. Change sets let you see what changes will take place and decide whether you want to accept them.

42
Q

We have a CloudFormation template responsible for creating an RDS DB cluster, EC2 instances and an ASG. In terms of IAM, apart from using a user or a role that is able to execute the correct API calls to create/update these resources, what other role type could we use, and what changes would I need to make to my IAM role?

A

We could create a service role for CloudFormation to use. We need to alter our IAM role to be able to pass the service role to CF using aws:passRole.

43
Q

We have a CloudFormation template responsible for creating an RDS DB cluster, EC2 instances and an ASG. What risks are there when running this template, and what do I do to identify and mitigate them?

A

The risk is that data loss will occur in RDS, as CF modifies some RDS properties which require the replacement of the underlying RDS instances. Make sure you run a change set to identify RDS replacement actions and back up your RDS database first.

44
Q

If I use a service role, what impact does this have on stack update, create and delete events?

A

When using a service role, the default timeout for these events is increased.

45
Q

In CloudFormation, in which sections of the template are conditions:

  • Defined
  • Evaluated
  • Parameters declared?

A

Conditions are defined in the Conditions section.
Parameters that a condition can use are defined in the Parameters section.
Conditions are evaluated in the Resources and Outputs sections.

46
Q

If I want to set up a cross stack reference in CloudFormation using an output from another template, which section is this defined in and which keyword is used?

A

Outputs must be EXPORTED in the OUTPUTS section for use in a cross stack reference.

47
Q

What are the two custom resource providers that can be used in CloudFormation? What does a custom resource provider do? What happens to a CloudFormation stack create if our custom resource does not provide a response?

A

SNS and Lambda. A custom resource provider is used to provision resources that may not be supported by CF. If you don't provide a response, then the stack create will time out.

48
Q

If we have a CloudFormation stack that is responsible for provisioning application servers and a database server, how would we ensure that our database server is provisioned prior to our application servers?

A

You could use the DependsOn attribute. We would put this attribute in the EC2 application servers' resource section and specify the name of the DB resource in DependsOn.

49
Q

Assume we have an auto scaling group that we are provisioning in CloudFormation. This group must contain 3 EC2 instances. How would we ensure that the instances are created before the auto scaling group?

A

We would need to use a CreationPolicy attribute. This is like DependsOn, but we can specify a count as well as a timeout for our resource signals. In this case, each EC2 instance would send a success signal back to CloudFormation. When we hit 3, the resource will be marked as CREATE_COMPLETE and CF can then create our ASG.

50
Q

I have a nested stack consisting of the parent, stack A. Stack A has a child stack, B. Stack B also has a child stack, C. If I want to output from stack C to stack A, how would I do this?

A

You need to output from C to B, and then A references the value from B.

51
Q

What is the role of a wait condition in CloudFormation? If we are provisioning an ASG, would it be better to use a WaitCondition or a CreationPolicy?

A

A wait condition allows you to specify a pause to allow a resource to complete. For example, we could be provisioning a DynamoDB table via a Lambda custom resource that is required by some upstream EC2 instances; we could specify a wait condition to allow time for this to complete before provisioning the instances. For an ASG, it's preferable to use a CreationPolicy to determine whether the right number of instances have been provisioned.

52
Q

In CloudFormation, what is the role of a ServiceToken? (Hint: Custom Resources)

A

A service token acts as a reference to where custom resource requests are sent; custom resources can be backed by either Lambda functions or SNS topics.

53
Q

For custom resources, where are success or failure notifications sent, and how?

A

Success or failure notifications for custom resources are sent to S3 by means of a presigned URL.

54
Q

In AWS SAM, what are the three ways we can create an API Gateway (1 explicit, 2 implicit)?

A
  1. AWS::Serverless::Api (explicit)

Or, implicitly, whenever we provision a REST API or a Lambda function:

  1. AWS::ApiGateway::RestApi
  2. AWS::Serverless::Function