Sunday, 26 July 2020

CloudFormation

It is one of the good features in AWS cloud computing.

Scenario: when you have to create multiple AWS resources in a short time, creating them and stopping them whenever required is a tedious task. Managing our schedule and creating all the AWS resources every time is a time-consuming activity.

So, to save time, you can create AWS resources from a simple template that you write once and use many times whenever there is a similar requirement, or you can modify the same template according to your task. This template is called an "AWS CloudFormation template".

You can write this template in either JSON or YAML.

This template has the following features.

  1. Simplify infrastructure management: For example, you have a web application that requires a database, auto scaling and load balancing. To create all the AWS resources you need to spend more time, and you need to connect them all together to achieve the required benefits. But when you have an AWS CloudFormation template ready with all the AWS resource properties and their dependencies on other AWS resources, it is a one-time task: with this template you just create and execute the stack, and the stack takes care of creating all the resources, including their dependencies.
  2. Quickly replicate your infrastructure: When you want to replicate your app in multiple regions, you have the overhead of replicating all the AWS resources along with your app. Having your app in multiple regions gives you the advantage that if one region fails, another region can be used for your app. So, with an AWS CloudFormation template, you can just change the region and AZ information and use the same template to provision the resources in a minimal amount of time.
  3. Easily control and track changes to your infrastructure: Since the template is a text file, you can easily compare versions and make changes. You can also roll back the changes if your AWS resources are not functioning properly after your template changes. You can use a version control tool to track the template versions easily.
Template:
This file can have various extensions: .json, .yaml, .template or .txt. However, it is written in either JSON or YAML.

For example, JSON (source: AWS documentation):
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "A sample template",
  "Resources" : {
    "MyEC2Instance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "ImageId" : "ami-0ff8a91507f77f867",
        "InstanceType" : "t2.micro",
        "KeyName" : "testkey",
        "BlockDeviceMappings" : [
          {
            "DeviceName" : "/dev/sdm",
            "Ebs" : {
              "VolumeType" : "io1",
              "Iops" : "200",
              "DeleteOnTermination" : "false",
              "VolumeSize" : "20"
            }
          }
        ]
      }
    }
  }
}

For example, YAML (source: AWS documentation):

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  MyEC2Instance:
    Type: "AWS::EC2::Instance"
    Properties:
      ImageId: "ami-0ff8a91507f77f867"
      InstanceType: t2.micro
      KeyName: testkey
      BlockDeviceMappings:
        -
          DeviceName: /dev/sdm
          Ebs:
            VolumeType: io1
            Iops: 200
            DeleteOnTermination: false
            VolumeSize: 20


Stacks: When you create a template that includes all the AWS resources, AWS treats it as a stack, which you can create, update and delete when and where required.

Change sets: A change set contains the changes you want to make to the running resources of a stack you have already created. For example, you may want to update a tag of an AWS S3 bucket that is used in various places, and your change will affect them if you update it in between.

So, if you use change sets, it will take care of changing the respective places where required while taking a backup of your old changes. This gives smooth handling of AWS resource updates.
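A change set lists the proposed changes before they are applied, so it can be checked before it is executed. The following is an added example, not code from the original post: it scans a constructed sample, shaped like the "Changes" list of the CloudFormation DescribeChangeSet response, and reports every change that deletes or may replace a running resource. The resource names (AppBucket, OldAlarm, AppDatabase) and the function names are assumptions made for illustration.

```python
# Constructed sample shaped like the "Changes" list returned by the
# CloudFormation DescribeChangeSet API; the resource names are made up.
SAMPLE_CHANGES = [
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "AppBucket",
        "ResourceType": "AWS::S3::Bucket", "Replacement": "False",
        "Scope": ["Tags"]}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "MyEC2Instance",
        "ResourceType": "AWS::EC2::Instance", "Replacement": "True",
        "Scope": ["Properties"]}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Remove", "LogicalResourceId": "OldAlarm",
        "ResourceType": "AWS::CloudWatch::Alarm", "Scope": []}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "AppDatabase",
        "ResourceType": "AWS::RDS::DBInstance", "Replacement": "Conditional",
        "Scope": ["Properties"]}},
]

def risky_changes(changes):
    """Return (logical id, reason) for each change that deletes or may replace a resource."""
    findings = []
    for change in changes:
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        action = rc.get("Action")
        replacement = rc.get("Replacement", "False")  # absent for Add/Remove
        if action == "Remove":
            findings.append((rc["LogicalResourceId"], "resource will be deleted"))
        elif action == "Modify" and replacement == "True":
            findings.append((rc["LogicalResourceId"], "resource will be replaced"))
        elif action == "Modify" and replacement == "Conditional":
            findings.append((rc["LogicalResourceId"], "replacement depends on runtime values"))
    return findings

def safe_to_execute(changes):
    """True only when no change deletes or replaces an existing resource."""
    return not risky_changes(changes)
```

A tag-only update such as the S3 bucket case above passes the check, while the instance replacement and the alarm removal are held back for review.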

How AWS CloudFormation works:

Note that when you create a stack with your template, if any resource fails to create, the status of the stack will be failed, and the automatic rollback on failure feature will delete the resources that were already created, to save cost and avoid unnecessary resources.



Updating stack with change sets:

Source: AWS official documentation







Template basics:
The Resources object contains a list of resource objects. A resource declaration contains the resource's attributes, which are themselves declared as child objects.
Type: Every resource must have a type, which states what type of AWS resource you want to create.

Syntax: AWS::productIdentifier::ResourceType

For example, to create an EC2 instance, we write AWS::EC2::Instance.

A resource declaration uses a Properties attribute to specify the information used to create the resource. Sometimes we do not need to specify access for S3 buckets, as the default access is applied automatically. Likewise, for some AWS resources we do not need to provide all the parameters; the AWS stack will set default attributes for the resources.

Fn::GetAtt: Takes two names: the logical name of the resource and the name of the attribute you want to retrieve.

Ref: This is a function that lets you refer to a created resource, so that you can assign its values to another AWS resource.

For some parameters, such as the AWS AMI, we need to specify in the template the region where you want to launch the EC2 instance. If you do not know where the EC2 instance will be launched, you can specify conditional logic so that the template takes the AMI for whichever region you launch in, because as we know AMIs are region specific.

Fn::FindInMap: Used to map the name of a parameter to a value; this is used when you want region-specific AMIs.

Fn::Join: Takes two parameters: a delimiter that separates the values you want to concatenate, and an array of values in the order you want them to appear.
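To show how these four functions fit together, here is an added example (not from the original post or from AWS): a simplified evaluator that resolves Ref, Fn::GetAtt, Fn::FindInMap and Fn::Join over a small template held as a Python dict. It is an illustration of the semantics, not CloudFormation's own code. The RegionMap mapping, the eu-west-1 placeholder AMI, the instance ID and the DNS name are constructed assumptions.

```python
# Added illustration: a simplified evaluator, not CloudFormation's own code.
TEMPLATE = {
    "Mappings": {"RegionMap": {
        "us-east-1": {"AMI": "ami-0ff8a91507f77f867"},      # AMI ID from the sample above
        "eu-west-1": {"AMI": "ami-PLACEHOLDER-eu-west-1"},  # placeholder, not a real AMI
    }},
    "Resources": {"MyEC2Instance": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
            "InstanceType": "t2.micro",
        },
    }},
    "Outputs": {
        "InstanceId": {"Value": {"Ref": "MyEC2Instance"}},
        "Url": {"Value": {"Fn::Join": ["", [
            "http://", {"Fn::GetAtt": ["MyEC2Instance", "PublicDnsName"]}]]}},
    },
}

def resolve(node, ctx):
    """Recursively evaluate Ref, Fn::GetAtt, Fn::FindInMap and Fn::Join."""
    if isinstance(node, list):
        return [resolve(item, ctx) for item in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":                # parameter, pseudo parameter or resource
            return ctx["refs"][arg]
        if fn == "Fn::GetAtt":         # [logical name, attribute name]
            return ctx["attrs"][arg[0]][arg[1]]
        if fn == "Fn::FindInMap":      # [map name, top-level key, second-level key]
            name, top, second = resolve(arg, ctx)
            return ctx["mappings"][name][top][second]
        if fn == "Fn::Join":           # [delimiter, list of values]
            return arg[0].join(str(v) for v in resolve(arg[1], ctx))
    return {key: resolve(value, ctx) for key, value in node.items()}

def evaluate(region):
    """Resolve the template for one region, using constructed post-creation values."""
    ctx = {
        "mappings": TEMPLATE["Mappings"],
        "refs": {"AWS::Region": region, "MyEC2Instance": "i-0123456789abcdef0"},
        "attrs": {"MyEC2Instance": {"PublicDnsName": "ec2-203-0-113-10.example.com"}},
    }
    return resolve({k: TEMPLATE[k] for k in ("Resources", "Outputs")}, ctx)
```

Calling evaluate with a different region changes only the ImageId, which is how one template serves several regions.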

Whenever you update the stack with your parameters, the cfn-hup daemon runs every 15 minutes to pick up the change. So it usually takes 15 minutes for your stack to be updated.

When you update AWS resources manually in the AWS console, make sure that the same resource parameters are changed in parallel, so that they stay in sync with your updated stack.

Updating Auto Scaling groups

Please note that updating an EC2 instance takes immediate effect, as the cfn-hup daemon syncs immediately, but updating an Auto Scaling group does not take effect immediately, because the cfn-hup daemon runs independently on each EC2 instance and the change takes a short time to take effect.


Before updating the template, analyse a few parameters as below:

  1. Whether the change will impact any running services, such as alarms for your application; when these kinds of services are implemented in your app, they may be impacted while the stack is updated.
  2. Consider whether the resources are mutable or immutable, as the change may not apply immediately and can take some time to take effect.
Let's see an example
Create the AWS resources below with a template and execute the stack to create the resources as per the template.

AWS resources
  • VPC
  • Subnets(Private and public)
  • Internet gateway
  • Private and Public route tables
  • NAT gateway
How to 

Open the AWS Management Console, search for CloudFormation, and select "Create Stack".



The window appears as below


Here you will have multiple options:
  • If you have uploaded your template to an S3 bucket, you can use that URL to create the stack.
  • If not, you can upload the template by selecting "upload a template file".
When you upload a template, by default it is uploaded to an S3 bucket and you get its URL as below.

S3 Bucket:



Select "View in Designer" and you will see an architecture diagram showing how your resources will connect to each other once your stack is created. In my case it is as below.


Select "Create Stack"


Select Desired AZs


Update the key pair name and NAT instance details as convenient and select "Next".
Under "Review Form" you can see the AWS resources that we are going to create from the template.


Verify and select the "Create stack" button if you are OK; otherwise update the template if something is missing.


The "Rollback on failure" option is used when stack creation fails: it automatically rolls back the resources it created. This saves time and money without creating resources.

aws-vpc.template, which is written in YAML.


When you select "Create Stack", it starts creating all the resources. The time taken to create the AWS resources depends on the resources.

While the stack is being created, you can see its creation progress and status.

Under Resources, you can see which resources have started creating and which have completed. Based on that you can figure out which resources are created. Once done, you can see the status as "CREATE_COMPLETE", or else "CREATE_FAILED" with a specific reason.

In my case it took just 5 mins and the stack is ready.

You can see below pictures for my case.

VPC:
Subnets(private and Public)


Route tables


NAT Gateway


NACL


Internet gateway



So, now you can launch EC2 instances in the public and private subnets and have them communicate with each other by using the key pair that you used in your template.

Hope this helps in understanding the CloudFormation concept, and how and why we use it in AWS.


Thank you for reading!!!!👍👍👍👍👍👍👍👍👍👍