Cloud Formation Flashcards
For CloudFormation, describe the 3 stack update models:
- Update with no interruption
- Update with some interruption
- Replacement
Update w/No Interruption: The resource is updated with no interruption and no change to the physical ID, e.g. updating a resource profile
Update w/Some Interruption: The resource encounters a small disruption. The physical ID remains unchanged, e.g. changing the instance type for an EBS volume
Replacement: A new resource with a new physical ID is created. Dependencies for other resources are updated and the old resource is deleted
What is the role of a stack update policy in CloudFormation? How does the principal differ in a stack policy vs. other forms of policy?
A stack update policy prevents specific updates to resources in a stack. It differs from other forms of policy in that the principal is always "*"
Can you use CloudFormation to estimate resource costs?
Yes
Can you edit an existing CloudFormation template?
No, you need to create a new version
When you delete a CloudFormation stack, what happens to the resources created by that stack?
ALL resources created by a CF stack are deleted when the stack is deleted
What is the only mandatory thing in a CloudFormation stack?
Resources are the only mandatory part of a CF stack
How would you pass dynamic inputs to a CloudFormation stack?
You would use CloudFormation parameters
When you build a CloudFormation stack, do you need to specify the order in which resources are created? For instance, if I want an EIP, do I need to specify that an EC2 instance needs to be created first and then have the EIP attached to it?
No. You do not need to specify the order in which to create resources in CloudFormation. CloudFormation will determine the correct order for resources to be created.
In your CloudFormation template you see the following block of YAML:
  ProductionEip:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref PublicHttpdServer
What is !Ref?
!Ref is a reference to a resource that is also created in the template. In this case it is an EC2 instance called PublicHttpdServer
Can I create a dynamic number of resources programmatically in CloudFormation?
No. All resources need to be declared
How do I pass a value to a CloudFormation template?
You would use a CloudFormation template parameter
I am building a CloudFormation template to provision load generators. This template has a security group restricting inbound SSH access to a client's static IP. Given that the setup of the generator is likely to be the same from client to client with the exception of the inbound static IP, what is the recommended way of achieving this so I don't have to create new versions every time it's updated?
You would create a CloudFormation parameter to read in the static IP when the template runs. For any resource configuration in CloudFormation that varies per deployment you should use a parameter
Which function is used to reference parameters in CloudFormation?
Ref (short form: !Ref)
Where can you reference parameters in a CloudFormation template?
Parameters can be referenced from anywhere in your CloudFormation template
What two classes of things can you reference using !ref in CloudFormation?
You can reference:
- Parameters
- Other resources created in the template
How would you reference your account ID, region or an SNS notification ARN within a CloudFormation template?
AWS provides pseudo-parameters which allow you to access these values, e.g. !Ref AWS::AccountId
I am building a CloudFormation template which needs to use specific AMIs for each of the 3 regions it runs in: us-east-1, ap-southeast-2 and eu-west-1. What is the best way to specify the AMI for each of the regions?
You should use Mappings within your template. These allow you to specify variables if they are known beforehand, such as an AMI ID.
How do mappings differ from parameters, and why would you use one over the other?
You use parameters where values are very user specific and are not known beforehand. Mappings are used when you know in advance what the variables will be (think of them like Constants) or can be deduced from other variables (such as AZ, Region, AccountId)
What function do you use to access values from a MAPPING in a CloudFormation template?
Fn::FindInMap
What three parameters does Fn::FindInMap take?
MapName, Top Level Key, Second Level Key:
!FindInMap [ MapName, TopLevelKey, SecondLevelKey ]
I have a CloudFormation template Mapping set up to select an AMI for us-east-1, ap-southeast-2 and eu-west-1. My template is currently running out of ap-southeast-2. How would I construct the Fn::FindInMap call to use my current region? The mapping is called "AMIRegionMap" with nodes for the Region, and the AMI name is "AMIName"
You would use a pseudo-parameter in the call: !FindInMap [ AMIRegionMap, !Ref "AWS::Region", AMIName ]
I have a situation where I have the outputs of one CloudFormation stack (A) being referenced by another CloudFormation stack (B). Can I delete A?
No. You cannot delete a CloudFormation stack if its outputs are being referenced by another stack until all the references in B are deleted.
We are in a highly complex environment in terms of VPC and subnet creation. Each subnet also has a mix of instance types and operating systems. It's not possible for one team to be expert in both sides of the setup. What could we do in CloudFormation to leverage the skills of both teams?
You would use template outputs. This allows a template to generate outputs, such as VPC and subnet IDs, to be used as inputs for other templates.
Where and how would you specify an output to export in a CloudFormation template?
In the Outputs section, using the Export keyword:
  Outputs:
    Export:
      Name:
What function do you use to import an exported value from another template's Outputs section?
Fn::ImportValue (short form: !ImportValue)
In a CloudFormation template, what 3 things can a condition reference?
- Another Condition
- Mapping
- Parameter Value
What 5 logical conditions can a CloudFormation template condition evaluate? (hint: think in terms of programming)
And, Or, Not, Equals, If
If I reference a resource using !Ref in a CloudFormation template, what gets returned? What about referencing a parameter?
The resource ID gets returned. For instance, if you reference an EC2 resource, the instance ID will be returned. When referencing a parameter, the value of the parameter is returned.
We need to try and get the availability zone of an EC2 instance in our CloudFormation template. When we use !Ref all we get is the instance ID. Is there a way to get the availability zone of the instance?
Yes, you would use Fn::GetAtt. GetAtt allows you to get attributes of resources, e.g.
  AvailabilityZone: !GetAtt ec2instance.AvailabilityZone
You see this in your CloudFormation template:
  !Join [ ":", [ a, b, c ] ]
What is the output?
a:b:c
What must short-form function calls be prefixed with in a CloudFormation template?
!
What is this function and what would the output be, assuming the value of RootDomainName evaluates to PlanitTesting.com?
  Name: !Sub
    - www.${Domain}
    - { Domain: !Ref RootDomainName }
This is the Fn::Sub function. It replaces a variable written as ${variable} with the output of a pseudo-parameter or a Ref. The output here is:
www.PlanitTesting.com
What is the DEFAULT behaviour in CloudFormation when a stack creation fails? How does this differ from when a stack UPDATE fails?
By default, a rollback on a failed create will delete the stack. If a stack update fails, CloudFormation will roll back to the last known good version. The default behaviour for creates can be overridden for troubleshooting
What is the difference between a nested stack and a cross stack (i.e. a stack that uses Outputs, ImportValue and Export)?
A nested stack is best practice when it comes to re-using COMMON components. For instance, you have a load balancer configuration that you use for most of your stacks. Instead of copying and pasting the same configuration into your templates, you can create a dedicated template for the load balancer. Then you just use a resource to reference that template from within other templates.
A cross stack takes outputs from one stack and uses them as inputs for another stack, and is used when stacks have different lifecycles. For instance, we might have a dev stack that has a different network config that we need to pass to our EC2 stack so it can deploy instances to the right place.
I need to deploy a CloudFormation stack across multiple accounts and regions, but it is going to be time consuming to do this one at a time. What CloudFormation technology can I use?
Stack Sets allow you to do an all-at-once deploy across multiple accounts and regions
Who can create a stack set, and who can update one?
Only the CloudFormation administrator account can create a stack set. Trusted accounts can create, update and delete stacks inside a stack set.
What happens to stacks across accounts and regions when a stack set is updated?
All associated stack instances across all accounts and regions are updated
Where are CloudFormation templates stored?
S3
Which intrinsic function should you use to retrieve the DNS name of a Load Balancer created with CloudFormation?
Fn::GetAtt. The DNS name is an attribute of the ELB. Ref would return the ID.
I tried to create an exported output:
  Outputs:
    StackSSHSecurityGroup:
      Description: The SSH Security Group for our Company
      Value: !Ref MyCompanyWideSSHSecurityGroup
      Export:
        Name: SSHSecurityGroup
But I get an error. It says the "SSHSecurityGroup" output already exists. What should you do?
Exported output names must be unique within a region, so you'll need to change the name
What is the role of a change set in CloudFormation?
A change set is a description of the changes that would be applied to a stack if the submitted stack template is accepted. It lets you see what changes will take place and decide whether to accept them
We have a cloudformation template responsible for creating an RDS db cluster, EC2 instances and an ASG. In terms of IAM, apart from using a user or a role that is able to execute the correct API calls to create/update these resources, what other role type could we use and what changes would I need to make to my IAM role?
We could create a service role for CloudFormation to use. We need to alter our IAM role so that it is able to pass the service role to CloudFormation using iam:PassRole
We have a CloudFormation template responsible for creating an RDS DB cluster, EC2 instances and an ASG. What risks are there when running this template and what do I do to identify and mitigate them?
The risk is that data loss will occur in RDS, as CloudFormation modifies some RDS properties that require the replacement of the underlying RDS instances. Make sure you run a change set to identify RDS actions and back up your RDS database.
If I use a service role, what impacts does this have on stack update, create and delete events?
When using a service role the default timeout for these events is increased
In CloudFormation, in which sections of the template are conditions:
- Defined?
- Evaluated?
- Parameters declared?
Conditions are defined in the Conditions section
Parameters that a condition can use are defined in the Parameters section
Conditions are evaluated in the Resources and Outputs sections
If I want to set up a cross stack reference in CloudFormation using an output from another template, which section is this defined in and which keyword is used?
Outputs must be EXPORTED in the OUTPUTS section for use in a cross stack reference
What are the two custom resource providers that can be used in CloudFormation? What does a custom resource provider do? What happens to a CloudFormation stack create if our custom resource does not provide a response?
SNS and Lambda. A custom resource provider is used to provision resources that may not be supported by CloudFormation. If you don't provide a response then the stack create will time out.
If we have a CloudFormation stack that is responsible for provisioning application servers and a database server, how would we ensure that our database server is provisioned prior to our application servers?
You could use the DependsOn attribute. We would put this attribute into the EC2 application servers' resource section and specify the name of the DB resource in DependsOn
Assume we have an auto scaling group that we are provisioning in CloudFormation. This group must contain 3 EC2 instances. How would we ensure that the instances are created before the auto scaling group?
We would need to use a CreationPolicy attribute. This is like DependsOn, but we can specify a count as well as a timeout for our resource signals. In this case, each EC2 instance would send a success signal back to CloudFormation. When we hit 3, the resource will be marked as CREATE_COMPLETE and CloudFormation can then create our ASG.
I have a nested stack consisting of the parent, Stack A. Stack A has a child stack, B. Stack B also has a child stack, C. If I want to output from stack C to stack A, how would I do this?
You need to output from C to B, and then A references the value from B.
What is the role of a wait condition in CloudFormation? If we are provisioning an ASG, would it be better to use a WaitCondition or a CreationPolicy?
A wait condition allows you to specify a pause to allow a resource to complete. For example, we could be provisioning a DynamoDB table via a Lambda custom resource that is required by some upstream EC2 instances; we could specify a wait condition to allow time for this to complete before provisioning the instances. For an ASG, it's preferable to use a CreationPolicy to determine if the right number of instances have been provisioned
In CloudFormation, what is the role of a ServiceToken? (Hint: Custom Resources)
A service token acts as a reference to where custom resource requests are sent. Custom resources can be either Lambda functions or SNS topics.
For custom resources, where are success or failed notifications sent and how?
Success or fail notifications for custom resources are sent to S3 by means of a presigned URL
In AWS SAM, what are the three ways we can create an API Gateway (1 explicit, 2 implicit)?
- AWS::Serverless::Api (explicit)
Or, implicitly, whenever we provision a REST API or a Lambda function:
- AWS::ApiGateway::RestApi
- AWS::Serverless::Function