Beta

AWS Certified SysOps Administrator - Associate

Domain 3 Deployment Provisioning and Automation

Advanced Automation Features of CloudFormation

In this article, we explore advanced CloudFormation features essential for both exam preparation and efficient infrastructure management. These features ensure stable deployments and can significantly simplify troubleshooting and operations.

When deploying critical infrastructure changes, imagine a scenario where a database and application launch successfully, but the web server fails. Without proper automation, this partial implementation might lead to downtime and unexpected costs. CloudFormation’s advanced mechanisms help avoid such issues by ensuring a known good state.

Rollback Triggers

CloudFormation uses rollback triggers powered by CloudWatch alarms to monitor stack stability. If a resource fails to provision correctly—say, a web server does not start—the service automatically rolls back changes to maintain a stable environment. This design helps prevent unexpected resource usage costs resulting from partially deployed configurations.

Additionally, when using change sets, you can disable this automatic rollback to freeze the state for troubleshooting, or if you plan to rebuild the entire stack later.

The image shows a CloudFormation interface with a stack named "SaaS-Test" in a "ROLLBACK_COMPLETE" status, and a dropdown menu with stack actions. A caption below explains that triggered alarms prompt CloudFormation to roll back changes to maintain stability.

You can also define custom policies to determine how CloudFormation responds to triggers, providing further operational flexibility.

Drift Detection

Drift detection compares your CloudFormation template with the current state of your AWS resources. This feature is particularly useful for identifying modifications made manually or outside of CloudFormation management.

Consider an EC2 instance that was initially set to a T2 micro but later altered to a T2 nano. Drift detection will flag this discrepancy. The JSON examples below display the expected configuration versus the actual configuration:

{
  "ImageId": "ami-f5f41398",
  "InstanceType": "t2.micro",
  "NetworkInterfaces": [
    {
      "AssociatePublicIpAddress": true,
      "DeleteOnTermination": true,
      "DeviceIndex": 0,
      "GroupSet": [
        "sg-4c9ddf3b"
      ],
      "SubnetId": "subnet-0f5c1220"
    }
  ],
  "UserData": "IYWVrlU2u3c2gkLxhCn1L ... (truncated)"
}

{
  "ImageId": "ami-f5f41398",
  "InstanceType": "t2.nano",
  "NetworkInterfaces": [
    {
      "DeleteOnTermination": true,
      "DeviceIndex": 0,
      "GroupSet": [
        "sg-4c9ddf3b"
      ],
      "SubnetId": "subnet-0f5c1220"
    },
    {
      "DeleteOnTermination": false,
      "DeviceIndex": 1,
      "GroupSet": [
        "sg-4c9ddf3b"
      ],
      "SubnetId": "subnet-0f5c1220"
    }
  ]
}

The drift detection process then compares the expected and actual configurations:

{
  "Expected": {
    "ImageId": "ami-f5f41398",
    "InstanceType": "t2.micro",
    "NetworkInterfaces": [
      {
        "AssociatePublicIpAddress": true,
        "DeleteOnTermination": true,
        "DeviceIndex": 0,
        "GroupSet": [
          "sg-4c9ddf3b"
        ],
        "SubnetId": "subnet-0f5c1220"
      }
    ],
    "UserData": "IYEvYmlU23gLxhCnl1b81GRndUgLkXgYdzLWNmbiti290c3RyYXYAkJBn0YIWsMTrK0sB2A..."
  },
  "Actual": {
    "ImageId": "ami-f5f41398",
    "InstanceType": "t2.nano",
    "NetworkInterfaces": [
      {
        "DeleteOnTermination": true,
        "DeviceIndex": 0,
        "GroupSet": [
          "sg-4c9ddf3b"
        ],
        "SubnetId": "subnet-0f5c1220"
      }
    ]
  }
}

After initiating drift detection via the AWS console or CLI, CloudFormation alerts you to any discrepancies. This information enables you to decide whether to accept the drifted state or take corrective measures, such as stopping and relaunching the affected instance.

The image illustrates the concept of drift detection in network security, showing a person at a desk with a laptop and a large smartphone displaying a gear icon, alongside text explaining the prevention of security risks.

If drift is detected—for example, if an EC2 instance changes from a T2 micro to a T2 nano—CloudFormation prompts you to decide whether to accept the changes or initiate corrective actions.

The image is a flowchart illustrating the drift detection process in CloudFormation. It shows steps from initiating drift detection to determining if resources match, leading to outcomes of either no drift detected or drift detected and flagged.

The image illustrates a drift detection process involving an EC2 instance and a t2.nano instance, with a note about flagging deviations for corrective action.

Dependency Handling

CloudFormation enables you to control the sequence in which resources are created by specifying dependencies within your template. For instance, you can ensure that a database is provisioned before an EC2 instance by using the "DependsOn" attribute.

Explicitly declaring dependencies avoids potential conflicts or errors that might arise when CloudFormation guesses the creation order. This is critical, especially in enterprise environments where resource creation order must follow strict policies.

The image explains CloudFormation dependency handling, highlighting two tools: "Ref" for referencing resources to indicate dependencies, and "DependsOn" for explicitly defining resource creation order.

Resource Import

CloudFormation makes it possible to import existing resources into a new or existing stack. Rather than recreating resources from scratch, you can integrate them into a managed stack directly from the AWS console. This simplification streamlines tracking, drift detection, and overall infrastructure management.

For example, if you have manually created RDS instances, you can import them into CloudFormation. This process reads their configurations and integrates them into a template for easier management.

The image illustrates the process of importing resources into CloudFormation for Infrastructure as Code (IaC), showing a transition from individual resources to a stack for easier tracking and replication.

The image is a slide titled "Importing Resources – Transition to Infrastructure as Code," explaining that manually created RDS instances can be imported into CloudFormation to manage updates via IaC and minimize errors.

Nested Stacks

Nested stacks allow for the modularization of CloudFormation templates by splitting them into smaller, independent stacks for different layers of your infrastructure. This approach enables teams to work autonomously while maintaining a cohesive overall architecture.

However, note that nested stacks must be stored in S3 and require broad permissions during creation. Also, an error in a parent stack could affect all nested stacks.

The image shows a diagram of a nested stack with three layers: Application Layer, Database Layer, and Network Layer. Below the diagram, there's a note stating that using a single large CloudFormation template is cumbersome and hard to maintain.

The image shows a diagram of a cloud connected to multiple cubes, representing nested stacks, with a caption explaining that nested stacks reuse components like programming functions.

Outputs from nested stacks can be shared via cross-stack references, allowing one stack to export a value (such as a subnet ID) that another stack can import.

Cross-Stack References Example

Consider the following YAML snippet where one stack exports a subnet ID for public web servers:

---
Outputs:
  PublicSubnet:
    Description: The subnet ID to use for public web servers
    Value:
      Ref: PublicSubnet
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetID"

The public web server stack then imports this exported value:

---
Resources:
  ElasticLoadBalancer:
    Type: AWS::ElasticLoadBalancer
    Properties:
      Subnets:
        - Fn::ImportValue:
            Fn::Sub: "${NetworkStackName}-PublicSubnet"
      SecurityGroups:
        - Ref: ELBSecurityGroup
      CrossZone: 'true'

In this example, the export in one stack is referenced by the import in another, with the network stack name provided as a parameter.

The image illustrates a diagram of cross-stack references, showing how resources are shared efficiently between VPC, IAM, and EC2 stacks using export and import functions.

CloudFormation Testing

There are several tools available to test your CloudFormation templates and ensure they adhere to best practices:

  • CFN Lint: A linter that checks YAML/JSON templates for syntax errors and compliance with common best practices.
  • CloudFormation Guard: A tool that validates templates against custom rules defined in a domain-specific language, allowing you to enforce organizational policies.
  • TaskCat: An end-to-end testing tool that deploys CloudFormation templates across multiple regions.

Note

TaskCat is not part of exam materials; however, CFN Lint and CloudFormation Guard are widely recognized for their effectiveness.

The image is about CloudFormation Testing, featuring two tools: Cfn-lint and CloudFormation Guard. Cfn-lint is described with features like testing YAML/JSON templates and creating rules for best practices.

CI/CD with CloudFormation

Integrating CloudFormation with CI/CD pipelines can enhance your deployment processes significantly. Whether using GitHub, Bamboo, or other version control systems, you can leverage AWS CodePipeline (or similar tools) to trigger CodeBuild actions that validate and deploy CloudFormation stacks automatically.

This practice ensures version control, automated deployments, and consistency across environments while facilitating rapid iteration during development.

The image illustrates a CI/CD pipeline using AWS services, including CodeCommit, CodePipeline, CodeBuild, and CloudFormation. It shows the flow from code commit to deployment using these AWS tools.

The image outlines the benefits of using a CI/CD with CloudFormation template, highlighting version control, automated deployments, consistency, and rapid iteration.

In summary, leveraging features such as rollback triggers, drift detection, dependency handling, resource import, nested stacks, cross-stack references, dedicated testing tools, and CI/CD integrations with CloudFormation can dramatically improve operational efficiency and infrastructure reliability. These practices not only aid in exam preparation but are also vital for real-world deployments.

Thanks for reading.

Watch Video

Watch video content

Previous
Demo The Anatomy of a CloudFormation Template
Next
Demo Creating a simple S3 Bucket with CloudFormation