CloudFormation 2

Question 1

Deletion Policy

What is CFN DeletionPolicy?

Answer 1

Attribute on a Resource. When true, deleting the stack will leave the resource intact.

Question 2

Deletion Policy

What are the three values for DeletionPolicy?

Answer 2

Delete, Retain, Snapshot (takes a snapshot of a DB, then deletes it)

Question 3

Deletion Policy

If you mark a Resource with “Retain” on deletion, can it be deleted?

Answer 3

YES, if a change requires delete-then-create, or if you just want to delete it youself.

Question 4

Stack Roles, Change Sets

Normally need permission to create everything. That’s a lot. How deal with this?

Answer 4

Create a Stack Role: Role with permissions to do everything. Use PASS ROLE to use it.

Question 5

Stack Roles, Change Sets

What’s PassRole?

Answer 5

You have permission to give the roll to something (CFN), but not to assume it yourself.

Question 6

Stack Roles, Change Sets

About to deploy a tmpl, but worried it might delete-then-create a RDS database.

Answer 6

ChangeSet: see what it would do, let it proceed or stop it.

Question 7

Stack Roles, Change Sets

How can you prevent changes to a Stack from altering certain high-value resources?

Answer 7

Use a CloudFormation Stack Policy and deny updates explicitly.

Question 8

Wait and Signal

What is the typical use case for Wait+Signal?

Answer 8

Provision an EC2, have CFN wait around until EC2 up and ready and tells CFN that it’s done

Question 9

Wait and Signal

How do you configure wait+Signal?

Answer 9

Pick number of success messages needed to continue, and a timeout

Question 10

Wait and Signal

What is the actual service on an EC2 instance that can tell a CFN stack to continue?

Answer 10

cfn-signal

Question 11

Wait and Signal

What can cfn-signal communicate back to the stack?

Answer 11

Success or Failed

Question 12

Wait and Signal

What do you put in a CFN template to say it should wait for a signal?

Answer 12

CreationPolicy if EC2 or ASG, WaitCondition otherwise

Question 13

Wait and Signal

Why both a CreationPolicy and a WaitCondition exist?

Answer 13

CreationPolicy built into the CFN schema for EC2 and ASG

Question 14

Wait and Signal

How do you use a WaitCondition?

Answer 14

Issues a pre-signed URL. Anything using this PSU can tell CFN to continue

Question 15

Wait and Signal

What are Signals?

Answer 15

Set per-resource in CFN stack. Call to the AWS SDK when the CFN stack is waiting. When the Signal is called, CFN unblocks.

Question 16

Wait and Signal

Typical use of Signals?

Answer 16

Set Signal on EC2 Instance. When init code inside instance is ready, signal CFN.

Question 17

Wait and Signal

What is CFN doing while a Signal hasn’t arrived yet?

Answer 17

The single Resource doesn’t go to CREATE_COMPLETE until the Signal arrives.

Question 18

Wait and Signal

Technical details of how a Signal is sent?

Answer 18

Uses a pre-signed URL where you store the status.

Question 19

Wait and Signal

What specific setting to have an EC2 wait for a signal when EC2 created?

Answer 19

“CreatePolicy” with number of signals

Question 20

Wait and Signal

Make a Create ASG CFN wait until has some available instances?

Answer 20

MinSuccessfulInstancesPercent under CreatePolicy

Question 21

Wait and Signal

How get CFN Stack to wait until a signal (non-EC2 stuff)?

Answer 21

Create AWS::CloudFormation::WaitCondition. Use DependsOn to stop other things from creating.

Question 22

Custom Resources

What things will CFN call to implement a Custom Resource?

Answer 22

SNS or Lambda function

Question 23

Custom Resources

What’s the flow for custom resources?

Answer 23

CFN calls SNS/Lambda, passes in lots of data including pre-signed URL. Write JSON status to PSU.