# CloudFormation

AWS CloudFormation is an Infrastructure as Code (IaC) service that allows you to define and provision AWS resources automatically and repeatedly using YAML or JSON templates.

Think of it as Terraform, but native to AWS.

| Benefit | Description |
| --- | --- |
| Repeatability | Deploy the same infrastructure in multiple environments |
| Version Control | Templates can be stored in Git like application code |
| Automation | Fully automates provisioning of compute, network, storage, IAM, etc. |
| Drift Detection | Detects manual changes that drift from the original template |
| Stack Management | All resources are part of a logical "stack" (easy to manage/delete/roll back) |
## Core Concepts

| Term | Meaning |
| --- | --- |
| Template | YAML/JSON file defining AWS resources and config |
| Stack | A deployed template instance (creates resources) |
| StackSet | Allows deploying stacks to multiple accounts/regions |
| Change Set | Preview of what changes a template update will make |
| Drift Detection | Finds resources changed outside CloudFormation |
## Template Structure

A CloudFormation template has 5 major sections:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Simple EC2 Example
Parameters:
  InstanceType:
    Type: String
    Default: t2.micro
Resources:
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: ami-0abcdef1234567890
Outputs:
  InstanceId:
    Value: !Ref MyInstance
```
## Common Resource Types

| Resource Type | CloudFormation Type |
| --- | --- |
| EC2 Instance | AWS::EC2::Instance |
| S3 Bucket | AWS::S3::Bucket |
| IAM Role | AWS::IAM::Role |
| RDS Instance | AWS::RDS::DBInstance |
| VPC/Subnet | AWS::EC2::VPC, AWS::EC2::Subnet |
| Lambda Function | AWS::Lambda::Function |
| API Gateway | AWS::ApiGateway::RestApi |
## Parameters, Mappings, Conditions

| Feature | Description | Syntax Example |
| --- | --- | --- |
| Parameters | Accept input from the user | !Ref InstanceType |
| Mappings | Static key-value pairs (e.g. Region → AMI) | !FindInMap |
| Conditions | Control resource creation | Condition: IsProd |
## Template Reuse with Modules / Nested Stacks

| Concept | Purpose |
| --- | --- |
| Nested Stack | A stack defined inside another stack |
| StackSets | One template across multiple accounts/regions |
| Modules | Reusable components (like Terraform modules) |
## Security & Access Control

| Practice | Description |
| --- | --- |
| IAM Role | CloudFormation provisions resources using a service role, so scope that role to what the stack actually needs |
| Stack Policies | Prevent updates to certain critical resources |
| Secrets Manager | Avoid hardcoding sensitive data in templates and parameters |
## Example: EC2 with Security Group

```yaml
Resources:
  WebSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP
      VpcId: vpc-123456
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcdef1234567890
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref WebSG
```
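As an added example (not code from this page or from AWS), here is a small pre-deployment audit that applies the two security practices above to a template before it reaches `aws cloudformation deploy`: it flags secret-like parameters that are not `NoEcho` or ship a hardcoded `Default`, and security-group ingress that opens anything other than ports 80/443 to the whole internet, while accepting the HTTP-only rule from the example. The JSON sample template, the resource names and the `audit_template` function are all constructed for this illustration.

```python
import json

# Constructed sample template in JSON form (not from the page): WebSG mirrors the page's
# HTTP example, AdminSG exposes SSH and all IPv6 traffic, DBPassword is an unmasked secret.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {
        "DBPassword": {"Type": "String", "Default": "changeme"},
    },
    "Resources": {
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "Allow HTTP",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}},
        "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "Allow SSH",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "-1", "CidrIpv6": "::/0"}]}},
    },
})

PUBLIC_WEB_PORTS = {80, 443}          # the only ports accepted open to the world
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SECRET_HINTS = ("password", "secret", "token")


def audit_template(template_json):
    """Return (logical_id, message) findings for a JSON CloudFormation template."""
    tpl = json.loads(template_json)
    findings = []
    # Secret-like parameters must be NoEcho and must not carry a hardcoded Default.
    for name, param in tpl.get("Parameters", {}).items():
        if any(h in name.lower() for h in SECRET_HINTS):
            if not param.get("NoEcho"):
                findings.append((name, "secret-like parameter without NoEcho"))
            if "Default" in param:
                findings.append((name, "secret-like parameter has a hardcoded Default"))
    # Security group ingress: only 80/443 may be open to 0.0.0.0/0 or ::/0.
    for rid, res in tpl.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if not isinstance(cidr, str) or cidr not in WORLD_CIDRS:
                continue  # intrinsic functions ({"Ref": ...}) and private CIDRs are skipped
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if rule.get("IpProtocol") == "-1" or lo is None or hi is None:
                findings.append((rid, f"all traffic open to {cidr}"))
            elif not (lo == hi and lo in PUBLIC_WEB_PORTS):
                findings.append((rid, f"ports {lo}-{hi} open to {cidr}"))
    return findings
```

Running `audit_template(SAMPLE_TEMPLATE)` reports the two DBPassword issues and the two AdminSG rules and nothing for WebSG; wire it into the pipeline step that runs `validate-template` so a failing audit blocks the deploy.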
## Monitoring & Logs

| Tool | Use Case |
| --- | --- |
| Events Tab | Shows real-time status of stack resources |
| CloudTrail | Logs who made changes to templates/stacks |
| CloudWatch | Captures output/logs of Lambda functions if used in the stack |
## Drift Detection

Use it to compare the actual deployed state with the template:

```bash
aws cloudformation detect-stack-drift --stack-name mystack
```

## CloudFormation vs Terraform

| Feature | CloudFormation | Terraform |
| --- | --- | --- |
| Language | YAML/JSON | HCL (more readable) |
| Provider Scope | AWS only | Multi-cloud |
| State Management | No manual state file | Requires .tfstate |
| Modules/Nesting | Supported (Nested Stacks) | Better (Modules) |
| Community | Native AWS | Larger ecosystem/tools |
## Best Practices

| Category | Practice |
| --- | --- |
| Modularize | Use nested stacks or reuse templates |
| Tagging | Tag all resources using `Tags:` for cost tracking and management |
| Outputs | Output critical info like DNS names, instance IDs, IPs |
| Change Sets | Always review changes before updating |
| Avoid hardcoding | Use Parameters and Mappings instead |
## Deploy from CLI

Deploy a stack:

```bash
aws cloudformation deploy \
  --template-file my-template.yaml \
  --stack-name my-stack \
  --capabilities CAPABILITY_IAM
```

Validate before deployment:

```bash
aws cloudformation validate-template --template-body file://my-template.yaml
```
## Bonus: Use with CI/CD

- Integrate CloudFormation in CodePipeline, GitHub Actions, or Jenkins
- Run change sets, validations, and drift detection as part of your pipeline
- Combine with CloudFormation Macros or Lambda-backed custom resources for advanced control
## TL;DR Summary

| Feature | Value |
| --- | --- |
| IaC Type | Native AWS, YAML or JSON |
| Resource Support | All AWS Services |
| Reusability | Yes: Nested stacks, StackSets |
| Pricing | Free, only pay for the resources |
| Multi-region/Account | Yes: With StackSets |
| CLI Support | Yes: aws cloudformation ... |