What Is CloudFormation?

Get an overview of the AWS CloudFormation service, its key concepts, and its use cases.

AWS CloudFormation is the service AWS provides for managing infrastructure as code on the AWS Cloud.


Before we further delve into the world of CloudFormation, let’s first explore the concept of infrastructure as code and how the CloudFormation service fits into it.

What is infrastructure as code?

Infrastructure as code is the practice of defining cloud resources and their configuration in code that is executed by a provisioning tool, instead of creating and changing them by hand. Because the definition is code, it can be reviewed, version-controlled, tested, and reapplied, which reduces human error, simplifies deployment, and keeps infrastructure configurations consistent with an organization's standards and compliance requirements.

Figure: Infrastructure as code

The AWS CloudFormation service is AWS’s solution for dealing with the infrastructure on the AWS Cloud as code. With AWS CloudFormation, we can spend less time creating or managing our AWS resources and focus more on the applications that run on them.

Introduction to AWS CloudFormation

AWS CloudFormation is an AWS service that provisions and manages a collection of resources, called a stack, on the AWS Cloud from code. Almost every AWS resource type can be created and managed through it.

Figure: CloudFormation resources

We define the AWS resources for a stack by declaring them in code files called templates. We hand a template to CloudFormation, which deploys the declared resources for us. This avoids creating each resource individually through the AWS console or by calling each service's API ourselves.

Here’s a list of key CloudFormation terminologies that we need to know:

  • Templates: CloudFormation templates are used to declare resources on the AWS Cloud that we want to create and manage. Templates are written in a declarative language, either JSON or YAML. These templates can be version-controlled, just like any other code.

  • Stacks: A stack is a logical collection of AWS resources that is managed as a single unit. We create, modify, and delete the whole collection of resources by creating, updating, and deleting the associated stack.

  • Change sets: A change set is a set of proposed changes that CloudFormation would apply to a stack. We create one before updating an existing stack so we can preview every addition, modification, replacement, and deletion of AWS resources before anything is executed.

  • Nested stacks: Nested stacks, as the name suggests, are essentially sub-stacks that are created and contained within a parent stack. This allows us to break the infrastructure into smaller pieces, making it easier to manage.

  • Stack policies: Stack policies are JSON documents that state which update actions (Update:Modify, Update:Replace, and Update:Delete) are allowed or denied for which resources in a stack during a stack update. They are typically used to protect critical resources, such as a production database, from accidental replacement or deletion.

  • CloudFormation helper scripts: CloudFormation helper scripts (cfn-init, cfn-signal, cfn-get-metadata, and cfn-hup) are AWS-provided tools that help configure resources deployed with AWS CloudFormation. They are mostly used to automate the initialization and setup of Amazon EC2 instances within a stack.
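The following added example (not code from this lesson or from AWS) ties change sets and stack policies together: it evaluates a constructed stack policy against a constructed list of proposed changes and reports which changes the policy would block. The policy follows the common pattern of allowing every update while denying replacement or deletion of one critical resource. The semantics implemented, which match how CloudFormation applies stack policies, are that once a stack policy is attached every resource is protected unless an Allow statement covers the action, and that an explicit Deny always wins. Only the `Action`, `Effect`, `Principal`, and `Resource` fields are handled; `Condition` blocks (for example, on resource types) are not.

```python
"""Evaluate a CloudFormation stack policy against proposed change-set actions.

Added example, not code from the lesson or from AWS. The stack policy and the
proposed changes below are constructed for illustration.
"""
from fnmatch import fnmatchcase

# Constructed stack policy: allow all updates, but never replace or delete the
# production database. Resource entries use CloudFormation's
# "LogicalResourceId/<name>" form and may contain wildcards.
STACK_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["Update:Replace", "Update:Delete"],
            "Principal": "*",
            "Resource": "LogicalResourceId/ProductionDatabase",
        },
    ]
}

# Constructed change-set contents: (logical resource ID, update action) pairs,
# simplified from what a change set preview lists for each resource.
PROPOSED_CHANGES = [
    ("WebServer", "Update:Replace"),
    ("ProductionDatabase", "Update:Modify"),
    ("ProductionDatabase", "Update:Replace"),
]

RESOURCE_PREFIX = "LogicalResourceId/"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, logical_id, action):
    """True if the statement's Action and Resource both cover this change."""
    action_ok = any(fnmatchcase(action, pat) for pat in _as_list(statement["Action"]))
    resource_ok = False
    for pat in _as_list(statement["Resource"]):
        if pat == "*":
            resource_ok = True
        elif pat.startswith(RESOURCE_PREFIX) and fnmatchcase(logical_id, pat[len(RESOURCE_PREFIX):]):
            resource_ok = True
    return action_ok and resource_ok


def is_action_allowed(policy, logical_id, action):
    """Decide one (resource, action) pair under a stack policy.

    With a stack policy attached, resources are protected by default, so the
    answer is False unless some Allow statement matches and no Deny does.
    """
    allowed = False
    for statement in policy.get("Statement", []):
        if not _statement_matches(statement, logical_id, action):
            continue
        if statement["Effect"] == "Deny":
            return False  # explicit Deny wins immediately
        allowed = True
    return allowed


def review_change_set(policy, changes):
    """Return the proposed changes the stack policy would block."""
    return [(rid, act) for rid, act in changes if not is_action_allowed(policy, rid, act)]


if __name__ == "__main__":
    for resource_id, action in review_change_set(STACK_POLICY, PROPOSED_CHANGES):
        print(f"blocked by stack policy: {action} on {resource_id}")
```

Running the script reports only the replacement of `ProductionDatabase` as blocked; modifying the database in place and replacing the web server are both permitted, which is exactly the behavior a change-set preview against this policy would show.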

How does CloudFormation work?

The AWS CloudFormation service creates, modifies, or deletes the AWS resources in a stack by making calls to the underlying AWS services for those resources. CloudFormation determines which service calls to make and in what order from the dependency graph it builds from the template: a resource that references another through Ref, Fn::GetAtt, or an explicit DependsOn is provisioned after the resource it depends on, regardless of where the two are declared in the template. Resources with no dependency between them may be provisioned in parallel.
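As an added example (not code from this lesson or from AWS), the script below takes a constructed template whose resources are deliberately declared out of order, extracts the dependency graph from Ref, Fn::GetAtt, and DependsOn, and topologically sorts it to show one order in which CloudFormation could provision the resources. It also flags circular dependencies, which CloudFormation rejects. References to parameters and pseudo parameters are ignored because they are not stack resources.

```python
"""Derive a provisioning order for a CloudFormation template's resources.

Added example, not code from the lesson or from AWS. The template below is
constructed: an EC2 instance is declared first even though it depends on a
subnet and a security group that are declared later.
"""
from graphlib import CycleError, TopologicalSorter

TEMPLATE = {
    "Parameters": {"LatestAmiId": {"Type": "AWS::EC2::Image::Id"}},
    "Resources": {
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "SubnetId": {"Ref": "PublicSubnet"},
                "SecurityGroupIds": [{"Fn::GetAtt": ["WebSecurityGroup", "GroupId"]}],
                "ImageId": {"Ref": "LatestAmiId"},  # a parameter, not a resource
            },
        },
        "PublicSubnet": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.1.0/24"},
        },
        "WebSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"VpcId": {"Ref": "Vpc"}, "GroupDescription": "web"},
        },
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "DependsOn": "Vpc"},
    },
}


def _collect_refs(node, found):
    """Collect every Ref / Fn::GetAtt target found anywhere in a property tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                found.add(value)
            elif key == "Fn::GetAtt":
                # JSON form is ["Resource", "Attr"]; YAML short form is "Resource.Attr"
                found.add(value[0] if isinstance(value, list) else value.split(".", 1)[0])
            else:
                _collect_refs(value, found)
    elif isinstance(node, list):
        for item in node:
            _collect_refs(item, found)


def dependency_graph(template):
    """Map each logical resource ID to the set of resources it depends on."""
    resources = template.get("Resources", {})
    graph = {}
    for logical_id, body in resources.items():
        deps = set()
        _collect_refs(body.get("Properties", {}), deps)
        depends_on = body.get("DependsOn", [])
        deps.update([depends_on] if isinstance(depends_on, str) else depends_on)
        # Drop parameters and pseudo parameters such as AWS::Region.
        graph[logical_id] = {d for d in deps if d in resources}
    return graph


def provisioning_order(template):
    """Return one valid creation order; raises CycleError on circular dependencies."""
    return list(TopologicalSorter(dependency_graph(template)).static_order())


def has_circular_dependency(template):
    try:
        provisioning_order(template)
    except CycleError:
        return True
    return False


if __name__ == "__main__":
    print("declared order:    ", list(TEMPLATE["Resources"]))
    print("provisioning order:", provisioning_order(TEMPLATE))
```

The declared order starts with `WebServer`, but the provisioning order always places `Vpc` before the subnet and security group, and both of those before the instance; the exact position of independent resources such as `LogBucket` can vary because nothing constrains it.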

When CloudFormation provisions, configures, or deletes the resources in a stack, it needs permissions to make those service calls on our behalf. By default it uses the permissions of the IAM principal that created or updated the stack. Alternatively, we can pass a service role to CloudFormation, scoped to only the actions required for that stack's resources, and CloudFormation then uses that role's credentials instead of ours.

Note: Once a service role has been associated with a stack, CloudFormation uses it for every later operation on that stack, even when the caller does not specify a role. The role can be replaced on a subsequent update, but it cannot be removed.

This becomes a problem when users hold CloudFormation permissions (for example, cloudformation:UpdateStack) on a stack whose service role carries permissions they do not have themselves. Because iam:PassRole is only checked when a role is passed in a request, and the role is already attached to the stack, such users can perform actions through the stack, by updating its template, that they are not permitted to perform directly.

Hence, service roles used with CloudFormation stacks should be scoped to least privilege, and permission to update stacks that carry a powerful role should be restricted just as tightly as the role itself. The cloudformation:RoleArn IAM condition key can be used to control which service roles a principal may associate with a stack.

The following diagram illustrates the workflow of the AWS CloudFormation service stack creation process:

Figure: AWS CloudFormation service stack creation workflow

Here’s a breakdown of the CloudFormation stack creation workflow:

  • Template creation: We create a CloudFormation template, written in JSON or YAML, that declares every AWS resource in the infrastructure we want to deploy, along with each resource's configuration and the references and DependsOn attributes from which CloudFormation derives the provisioning order.

  • Upload template or define it inline: We can either upload the template to an Amazon S3 bucket and reference its S3 URL, or pass the template body inline in the API/SDK request to the CloudFormation service. When we upload a template file directly in the AWS console, the console uploads it to an S3 bucket for us and creates the stack from that S3 URL.

  • Stack creation/modification: We specify the stack name and any parameter values and tags, and CloudFormation then creates a new stack or updates an existing one from the template.

  • Provision stack resources: CloudFormation then provisions, configures, or deletes the AWS resources declared in the template, working through them in dependency order and reporting each resource's status as a stack event. If a resource fails during creation, the stack is rolled back by default and the resources already created are deleted.

By using AWS CloudFormation, we can easily manage our infrastructure as code on the AWS cloud.

Benefits

Here are some of the scenarios where the CloudFormation service is useful:

  • Automation: As previously discussed, CloudFormation allows us to deal with infrastructure as code and, hence, automate the creation of resources. This way, it’s easier to manage the infrastructure with no overhead of manually creating resources.

  • Easier resource management: With CloudFormation, it's easier to scale our infrastructure with far fewer chances of error. For example, say we need to spin up a hundred EC2 instances with the same configuration. We only need to review the code for one instance and then reuse it, letting CloudFormation deploy all hundred, instead of creating the instances one by one by hand with a growing chance of mistakes.

  • Reusability across regions: We can reuse our CloudFormation template to replicate the same infrastructure in different AWS regions.

  • Tracking changes: It’s much easier to modify and track any changes to our deployed infrastructure with CloudFormation.

  • Cost management: CloudFormation tags the resources in a stack that support tagging with the stack's name and ID, which makes tracking their costs in Cost Explorer easier. Having the infrastructure as code also makes cost-reduction strategies practical. For example, during development we can schedule a stack to be deleted when it is not needed and recreated from the same template when it is.

Understanding costs

There are no additional charges for using AWS CloudFormation.

The AWS CloudFormation service itself is a solution from AWS that allows us to manage and provision AWS resources through code templates. Hence, it’s important to note that we’ll still incur costs for the AWS resources we’re provisioning with CloudFormation.


For example, we’ll incur the same costs for spinning up any EC2 instances, S3 buckets, and ELB load balancers as we would spinning them up ourselves manually.

Note: Pricing for most AWS resources follows the pay-as-you-go model. We pay only for the billable resources we use and for how we use them; there are no minimum fees and no upfront commitments are required.


This lesson introduced the AWS CloudFormation service, its benefits, and how it helps us maintain infrastructure as code on the AWS Cloud. We also took a bird's-eye view of how CloudFormation works.
