Tags Archives: drift

AWS – CloudFormation

CloudFormation is a crucial exam topic.


CloudFormation is a way of automating the creation and modification of infrastructure in AWS. Infrastructure as code – is declarative code.


Makes it easy to re-deploy an environment configuration either in same az, region or other az or regions, and at other times.



Provides for separation of concern:


vpc stacks


app stacks


network stacks


There are existing CF templates available to use


CF templates can be manually created using CloudFormation Designer


you can also use the Console to input parameters


or automatically using YAML files and CLI commands to deploy.



A stack file always refers to a version of the CloudFormation template syntax. The last version is from 2010.




The CF building blocks are:


Template components:


Resources – these are MANDATORY – the AWS resources declared in your template


Parameters – the dynamic inputs for your template


Mappings – static variables for your template


Outputs – references to what has been created


Conditionals – List of conditions to perform resource creation




Template helpers include references and functions


The exam does NOT require you to actually write CloudFormation templates – but it expects you to know how to read templates.


YAML and JSON can be used for CF – but JSON is not pleasant – YAML is much easier and appears in the exam. YAML uses key-value pairs.





are the core of the CF Template – they are mandatory. AWS provides over 224 CF resources

They represent the components that can be created by CF. They are declared and can also reference each other


Resource types identifiers are of the form:




Where to find them: there is a link in docs.aws.amazon.com


listed under


AWS Resource Types Reference



Almost every AWS service is represented in the CF Resources List. for those which aren’t, you can use AWS Lambda Custom Resources.



Resource definitions in the YAML form always contain a Type field and a Properties field


The contents of the Properties field will be specific to the actual resource they define.


You cannot create resources “dynamically”, everything in the CF template has to be declared, it is not possible to perform code generation in the template.



CloudFormation automatically takes care of resolving dependencies between resources defined in the stack.


This means that if you define a subnet and a VPC, for example, CloudFormation creates the VPC before the subnet, since a subnet always refers to a specific VPC. And when you delete a stack, CF will automatically delete the subnet before it deletes the VPC.





They provide a powerful way for you to enter inputs into your CF template.


Esp useful if you want to re-use your templates in other departments or functions of your company


and where some inputs can not be determined precisely ahead of time


and help to prevent errors occurring due to type setting in the template.

So you should use a parameter definition when you think the resource config value/s are likely to change in the future.


Types include string, number, comma-delimited list


there are min or max lengths, constraints, allowed patterns/values


how to reference… you use a function called Ref




you use it in the form !Ref <paramenter>




VpcId: !Ref MyVPC


They can be deployed anywhere in a template.


The !Ref is a YAML convention


and it can reference other elements in the template.


Pseudo Parameters


these can be used any time and are enabled by default




are fixed variables that are hard-coded in the template.


They are often used to differentiate between different regions, AZs, environments, AMIs, etc.


Use when you are sure they will not change. They allow for safer templates. But if the values are more user specific, use parameters instead.






this returns a named value from a specific key…


this is used to access mapping values


!FindInMap [ MapName, TopLevelKey, SecondLevelKey ]


this is a way to read the value of the mapping.




these are optional output values that can be imported into other stacks, provided you export them first.


You can view the outputs via Console or CLI.



Cross Stack Reference – know for the exam!


It is a way to do cross-stack collaboration to read variables from one stack into another.


in the other second template you use Fn::ImportValue function



!ImportValue SSHSecurityGroup (or whatever)


Important; note that you cannot delete a CF stack if it has outputs referenced by another stack – you must remove those first (if possible).





they are used to control creation of resources or outputs according to a set condition, usually if


Environment (dev /test /prod )


or any other parameter value…


then create or don’t create a resource


each condition can also reference another condition, parameter or mapping



How to define a condition?



CreateProdResources: !Equals [ !ref EnvType, prod ]

that means if the env type is equal to prod, then do something


the logical ID you choose yourself.


the logical functions can be…




How to use a condition:


apply it to resources, outputs etc


a resource may only be created if a condition applies



Intrinsic Functions – you must know these for the exam!



plus the condition functions:

Fn:If, Fn::Not, Fn::Equals etc etc




this will reference a given parameter, resource,


remember – the shorthand in YAML for this is !Ref <item>






attributes are attached to any resource you create, to find out the attributes relating specifically to each resource, check the documentation.


You can get use the GetAtt to access whichever attribute you want to reference


eg to find out the aZ of an EC2 instance:


!GetAtt EC2Instance.Availability zone





used to access the mapping values



see above – already covered




to import values that are exported in other templates




you can use this to join values with a delimiter eg to create a list a,b,c


or A:B:C


or whatever




or !Sub


– substitution of variables with a string


Finally, condition functions


we saw those above..





How to add your user data to CloudFormation


A user data script can also be passed to CF. This is done via the function:


Fn::Base64 | <your user script contents>


(not the script file, the actual contents copypasted)


important note: you MUST include the pipe symbol with the function when passing the script contents, else the function will not work!



the user data script log is maintained at /var/log/cloud-init-output.log






AWS::CloudFormation::Init MUST be in the metadata of a resource

this makes EC2 configs more readable


the EC2 will query CF to get the init data.


The logs are written to /var/log/cfn-init.log


NOTE DONT CONFUSE cloud-init and cfn-init!


cfn-init vs cloud-init


There are two similarly named tools that it is important not to mix up: cfn-init and cloud-init.


Both of these tools provide a means of customizing EC2 instances, but they are in fact different tools. So what’s the difference between them?



cloud-init: is a Ubuntu project that provides a way of customizing Cloud instances.


cfn-init is an official AWS-supported tool for customizing EC2 instances.





The cfn-init tool is an AWS utility for customizing EC2 instances.It has 2 main documentation pages: AWS::CloudFormation::Init and cfn-init.


cfn-init supports various config management tasks such as creating packages, files, users, groups, commands, and services.


You can find these tasks grouped together under “Configsets” which form part of a CloudFormation template, defined using YAML or JSON.


The cfn-init script is pre-installed on AmazonLinux2 distros.


The cfn-init script obtains the Configset definition from the CloudFormation stack template.



cfn-init is a set of helper scripts that work with the CloudFormation stack.


cfn-init does two things. Firstly, it reads the instructions from CF on how the EC2 instance should be initialized stack and executes it.


Secondly, it informs CloudFormation when completed or if an error occurred. CloudFormation waits until the cfn-init process is completed, and it can roll back in the event of errors.


cfn-init doesn’t require credentials, so you don’t need to use the –access-key, –secret-key, –role, or –credential-file options.

cfn-init uses the user data to initialize and start the init process.


It performs 3 tasks:


1. installs the aws-cfn-bootstrap script


2. runs cfn-init


3. then signals to CloudFormation the result of step 2


This means you don’t have to change the user data when you want to install more services. The arguments for the functions are passed from CloudFormation directly via (–stack ${AWS::StackName}, –region ${AWS::Region}), or else through referencing other items in the template (–resource Instance, which is the resource name, or by using the –configsets setup).


For step 3 to complete, CloudFormation has to expect an initialization signal. this is done via CreationPolicy. Without this, CloudFormation will wait until the instance resource is created and up and running, and only then will mark it as completed.




The basic building block for cfn.init is a config. This defines (and in this order):


packages – these define which package is to be installed via a package manager (eg apt or yum).


sources – these download compressed files and then extract them to a directory.


files – this creates files with defined content.


commands – this runs arbitrary commands, eg building an app or copying files.


services – these instruct the system service manager – generally systemd – to start a service and to keep it up and running




ConfigSets are a configuration that defines which configs are to be run and in which order. Each config has to complete running before cfn-init will start the next one.





It’s important to know in which order cfn-init runs the various component parts of the configuration, as it does not necessarily follow the order in which the elements are placed in the template file.


First, the configSet defines the order for the configs. Anything else in the list gets run later on.


Secondly, within a config the elements will run according to a fixed ordering defined by AWS.


As an example of this, it will always install packages before running any commands. Generally you should maintain the template order in the same order as when cfn-init will run it.


Finally, there is also ordering inside a config step. In this case note that commands will be run in alphabetical ordering. For this reason, it is advisable to number the commands with 01, 02, 03, 04, nd so on to ensure the correct running order is followed.


/opt/aws/cfn-init and /opt/aws/cfn-signal


Some best practices for using cfn-init:

Comment out the CreationPolicy from the template before you write the cfn-init scripts. This is because otherwise CloudFormation will roll back the whole stack, and with that destroy the instance, if you make a mistake. But be sure to uncomment it when you’re finished.


You can run the cfn-init command if you SSH into the instance too, in order to run a quick deploy test.


Remember when debugging you can check the logs at /var/log/cfn-init.log and /var/log/cfn-init-cmd.log.


Aim to maintain the template in the correct ordering of the elements, keeping the configs listed according to the configSet, and the parts of the config listed according to their own implicit ordering. And be sure to prefix the commands with 01, 02, 03, and so on, so you can follow what is happening in which order.


Refer to the AWS-provided CF template at https://s3.eu-west-1.amazonaws.com/cloudformation-templates-eu-west-1/WordPress_Single_Instance.template.


Define a WAIT CONDITION – this blocks the template until it receives a signal from cfn-signal





Exam question:


what to do if the wait condition hasn’t received the required number of signals back from an EC2 instance?


1. Ensure the AMI image you used has the CF helper scripts installed. (you can also download them to the instance) – check this first!


2. Verify that cfn-init and cfn-signal have run ok on the instance, check the logs at /var/log/cloud-init.log or cfn-init.log


retrieve the logs by logging into the instance, but!


make sure you DISABLE ROLLBACK ON FAILURE else CloudFormation deletes the EC2 after your stack fails to create!


3. Ensure the EC2 has a connection to the internet – via a NAT device if on a private subnet, or via IGW if on a public subnet



Nested Stacks



these are stacks that are repeated patterns or common components for other stacks that you can reuse to avoid having to rewrite code each time.


eg a load balancer config that is often used, or a security group config that is often deployed.


exam question: remember you never alter or update or configure the nested stack, only the PARENT stack.


To update a stack, use ChangeSets


But – exam q: ChangeSets do NOT tell you if the update will work!


To declare a nested stack:


first, in your nestedstacks yaml file, declare the Resource type AWS::CloudFormation::Stack – this is essential to create the stack as a “nested stack” type. You give this resource a name eg


Type: AWS::CloudFormation::Stack
https://s3.amazonaws.com/<the file name of the template (can be yaml or json>



When you click on create stack – you have to confirm that you might be creating iam resources with custom names, and that it might require the CAPABILITY_AUTO_EXPAND


– this means CF will expand the nested stack into other stacks if you invoke it.



confirm these two and click on Create stack…




CloudFormation Drift


This allows you to protect your CF infra from manual config changes


CF Drift tracks the changes made manually so you can check them


Retaining Data: Deletion Policy for any resource


eg DeletionPolicy =


= Retain – you specify which resource to preserve or backup


= Snapshot – for EBS, Elasticache, RDS, Redshift


= delete – this is the default – to delete s3 bucket the bucket must first be empty! – remember this for exam!


you can set max concurrent actions and failure tolerance level as well



Termination Protection for CloudFormation



Very Important when using CF:


Termination Protection – this protects your CF stack from being inadvertently deleted


 How to control who can change termination protection on stacks.


To enable or disable termination protection on stacks, a user requires permission to perform the cloudformation:UpdateTerminationProtection action.


Here is an example of how to allow users to enable or disable termination protection on stacks:





ASG Creation Policy and
ASG Update Policy – need to know these for the exam!


“depends on” – waits for another action to complete first


StackPolicy – enables you to enable/deny certain actions from being made.





CloudFormation StackSets are used to create update or delete stacks across multiple accounts and regions via single operation..


Very useful for maintaining CF stacks across multiple regions and accounts.



The admin account must first create the stackset


a trusted account can then create update or delete the stackset


when updating – all associated stack instances are updated across all accounts and regions


You can set a maximum concurrent actions on targets (either #number  or a %)


Important: because StackSets operate across multiple accounts,  you must first create the necessary IAM permissions before you can use them. 


Determine which AWS account is the administrator account – because the Stacksets are created using this account. The target account will then be the account in which you create the individual stacks which belong to the Stackset.


Decide how you want to set the permissions for the Stacksets.. easiest is where you give ALL users and groups permission to create and update all Stacksets. But you may want to restrict this, by specifying specific users and groups, and the resources they can include in their Stacksets and which Stackset operations they are permitted to perform.


Then create the necessary IAM services roles in your admin and target accounts to define these chosen permissions.


There is a CF pre-defined template that can create a set of IAM permissions for this task to make it easier.


CloudFormation will then go ahead and create these permissions in IAM for you  when you run it.




How CloudFormation Rollbacks Work


If the stack creation fails:


then the default is for everything to be rolled back, ie deleted. Check the logs.


remember you have the option to disable this rollback and then troubleshoot exactly where it went wrong.


if the stack update fails:


then the stack automatically rolls back to the previous known working stage, you can check in the logs and error messages for what went wrong.



Some CloudFormation CLI Command Examples



Two AWS CLI commands to display information about your CloudFormation stacks:


aws cloudformation list-stacks and


aws cloudformation describe-stacks




Creating a Stack


aws cloudformation create-stack –stack-name example –template-body file://templates/single-instance.yml –parameters file://parameters/single-instance.json


To create the change set, example:


aws cloudformation create-change-set –stack-name example –template-body file://templates/instance-and-route53.yml –parameters file://parameters/instance-and-route53.json –change-set-name changeset-1



Listing the Stack Resources


After running the aws cloudformation create-stack command, you can list the stack’s resources by running the aws cloudformation list-stack-resources command.



This displays a summary of each resource in the stack specified with the –stack-name parameter – including a summary of the stack and the creation or deletion status.



Updating a Stack



for example:


aws cloudformation update-stack –stack-name example –template-body file://templates/instance-and-route53.yml –parameters file://parameters/instance-and-route53.json


Check the status of the stack with the AWS CloudFormation console via the Events tab.


aws cloudformation execute-change-set –stack-name example –change-set-name changeset-1


Alternatively you can execute the Change Set from the CloudFormation console. However, the CLI execute-change-set method shows you the Change Set was applied and so gives you a clear audit trail.



Deleting Stacks


this can be done from the dashboard as well as from the CLI, example:


aws cloudformation delete-stack –stack-name <name of stack>





Managing events with CloudFormation and EventBridge


CloudFormation can send events to EventBridge whenever a create, update, delete, or drift-detection action takes place on your stack.


Unlike for other destinations, you don’t need to select which event types you want to track.


You can use EventBridge rules to route events to your defined targets.



Continue Reading