Saturday, 10 March 2018

AWS CloudFormation (Stack)

Overview
  • Environment onto which resources are deployed; creation options:
    • RollbackOnFailure: Yes (default no)
    • Tags: cost allocation
    • Timeout: default none
    • StackPolicy

Stack Policy
  • Associated with a stack
  • Prevents unintentional updates
  • Fail-safe mechanism, not a substitute for IAM policies
  • By default (no policy attached) all resources can be updated
  • Once a stack policy is attached all resources are protected
    • Explicitly specify "Allow" to override
  • Cannot be removed once added (only modified)
  • JSON document (1 per stack)
    • Effect = [Deny, Allow]
    • Action = [Update:Modify, Update:Replace, Update:Delete, Update:*]
    • Principal = "*"
    • Resource = LogicalResourceId/myInstance
      • NotResource inverts the match
    • Condition
      • Resource types the statement applies to
        • e.g. AWS::EC2::Instance, AWS::CloudFormation::Stack
    • Examples
      • Prevent updates only to RDS instances (everything else stays updatable)
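Worked example (added here; not code from the original notes or from AWS): a small Python model of how a stack policy is evaluated, with the "deny updates to all RDS instances, allow everything else" policy from the notes written out as a real stack-policy document. The evaluation rules it implements are the ones listed above: no policy means everything is updatable, an attached policy protects everything unless a statement explicitly allows the action, an explicit Deny always wins, and the ResourceType condition narrows a statement. The function names, the wildcard handling via fnmatch, and the sample change list are assumptions of this example; CloudFormation itself performs the authoritative evaluation.

```python
"""Local model of CloudFormation stack-policy evaluation (illustrative only)."""
import fnmatch
import json

# Constructed example policy from the notes: deny every Update action on
# RDS instances, allow updates to everything else.
RDS_LOCKDOWN_POLICY = json.loads("""
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ResourceType": ["AWS::RDS::DBInstance"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # "Update:*" matches Update:Modify, Update:Replace and Update:Delete
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _resource_matches(statement, logical_id):
    # Resources are addressed as "LogicalResourceId/<id>"; "*" is a wildcard.
    target = "LogicalResourceId/" + logical_id
    if "NotResource" in statement:
        patterns = _as_list(statement["NotResource"])
        return not any(fnmatch.fnmatchcase(target, p) for p in patterns)
    patterns = _as_list(statement.get("Resource", []))
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def _condition_matches(statement, resource_type):
    # Only the StringEquals/ResourceType condition is modelled here.
    types = statement.get("Condition", {}).get("StringEquals", {}).get("ResourceType")
    return True if types is None else resource_type in _as_list(types)


def is_update_allowed(policy, logical_id, resource_type, action):
    """True if the stack policy lets `action` run on the given resource."""
    if policy is None:
        return True            # no policy attached: nothing is protected
    decision = False           # policy attached: protected unless allowed
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt["Action"], action)
                and _resource_matches(stmt, logical_id)
                and _condition_matches(stmt, resource_type)):
            continue
        if stmt["Effect"] == "Deny":
            return False       # an explicit Deny always wins
        if stmt["Effect"] == "Allow":
            decision = True
    return decision


def blocked_changes(policy, changes):
    """changes: list of (logical_id, resource_type, action); returns the blocked ones."""
    return [c for c in changes if not is_update_allowed(policy, *c)]


if __name__ == "__main__":
    # Constructed change list, as a change set might present it.
    planned = [
        ("MyDB", "AWS::RDS::DBInstance", "Update:Replace"),
        ("WebServer", "AWS::EC2::Instance", "Update:Modify"),
        ("CpuAlarm", "AWS::CloudWatch::Alarm", "Update:Modify"),
    ]
    for change in blocked_changes(RDS_LOCKDOWN_POLICY, planned):
        print("blocked by stack policy:", change)
```

Running the demo at the bottom reports only the RDS replacement as blocked; swapping in an empty `{"Statement": []}` policy shows the "everything protected once a policy is attached" behaviour, since nothing is explicitly allowed.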

Stack event
  • Asynchronous (no feedback)
  • Every time CF does something an Event is created
  • Can be delivered to SNS (e.g. set up a subscription to a web analytics tool)
  • Extensibility point

Termination protection
  • Fail safe
    • prevent from accidentally deleting stack


Stack update - trigger
  • Modify template
    • changing the logical name is typically enough to update the resource
      • sometimes a property must be changed as well
    • elements that cannot be updated by themselves (require a broader resource update)
      • Conditions
      • Outputs
      • resource attributes: CreationPolicy, UpdatePolicy, DeletionPolicy
    • elements that can be updated by themselves only if referenced
      • Mappings
    • an update to a resource may affect properties of other resources
      • e.g. when Ref or Fn::GetAtt is used
      • in that case the dependent resource is also updated (cascading update)
  • Run
    • CLI: aws cloudformation update-stack
    • API: UpdateStack
  • Rollback configuration
    • Optional: conditions under which CF rolls the update back (e.g. CloudWatch alarms that monitor the stack)

Stack update - resource impact
  • No Interruption
    • e.g. CloudWatch Alarm
  • Some Interruption
    • e.g. EC2 instance 
  • Replacement
    • e.g. DBInstance (RDS)

Stack update lifecycle
  • Nested stacks
    • Update initiated recursively (but only changed resources are updated)
  • Update States
    • UPDATE_IN_PROGRESS
    • UPDATE_COMPLETE
    • UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
    • UPDATE_FAILED
    • UPDATE_ROLLBACK_IN_PROGRESS
    • UPDATE_ROLLBACK_COMPLETE
    • UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS
    • UPDATE_ROLLBACK_FAILED
  • Cancellation
    • Cancel when State = UPDATE_IN_PROGRESS
      • -> UPDATE_ROLLBACK_IN_PROGRESS
        • -> UPDATE_ROLLBACK_COMPLETE
        • -> UPDATE_ROLLBACK_FAILED
          • e.g. when the previous DB was deleted outside CF (configuration drift)
          • fix the error
          • continue the rollback (a stack in this state cannot be updated until the rollback completes)

Changeset
  • Ability to preview all actions CF is about to take as part of an update
  • Allows a "pull request" model of work (review & approve)

StackSet
  • Ability to roll out CloudFormation templates
    • Multi-account
    • Multi-region
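Worked example (added here; not code from the original notes, and not how CloudFormation computes a change set internally): a local preview that diffs two template documents and reports which resources an update would touch. It illustrates two points from the notes above: the cascading update, where a resource that refers to a changed resource through Ref or Fn::GetAtt is updated too (Stack update - trigger), and the changeset idea of seeing the planned actions before applying them. The two templates, the `ami-EXAMPLE` placeholder, and the per-type impact table (taken from the No Interruption / Some Interruption / Replacement examples in the notes; real impact depends on which property changes) are constructed assumptions of this example.

```python
"""Local change preview for CloudFormation templates (illustrative only)."""
import copy

# Illustrative impact classes, copied from the examples in the notes.
# The real impact depends on the property being changed.
IMPACT_BY_TYPE = {
    "AWS::CloudWatch::Alarm": "No Interruption",
    "AWS::EC2::Instance": "Some Interruption",
    "AWS::RDS::DBInstance": "Replacement",
}

# Constructed sample template: an RDS instance, an EC2 instance whose UserData
# reads the DB endpoint via Fn::GetAtt, and an alarm that refers to the instance.
OLD_TEMPLATE = {
    "Resources": {
        "MyDB": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "mysql", "AllocatedStorage": 20,
                           "DBInstanceClass": "db.t2.micro"},
        },
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"ImageId": "ami-EXAMPLE",   # placeholder AMI id
                           "InstanceType": "t2.micro",
                           "UserData": {"Fn::GetAtt": ["MyDB", "Endpoint.Address"]}},
        },
        "CpuAlarm": {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {"MetricName": "CPUUtilization", "Namespace": "AWS/EC2",
                           "Statistic": "Average", "Period": 300,
                           "EvaluationPeriods": 1, "Threshold": 80,
                           "ComparisonOperator": "GreaterThanThreshold",
                           "Dimensions": [{"Name": "InstanceId",
                                           "Value": {"Ref": "WebServer"}}]},
        },
    }
}

# Proposed update: grow the database storage (a property change on MyDB only).
NEW_TEMPLATE = copy.deepcopy(OLD_TEMPLATE)
NEW_TEMPLATE["Resources"]["MyDB"]["Properties"]["AllocatedStorage"] = 100


def referenced_ids(node):
    """Collect logical ids referenced through Ref or Fn::GetAtt anywhere in node."""
    found = set()
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            found.add(node["Ref"])
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]   # list form or "Id.Attr" string form
            found.add(target[0] if isinstance(target, list) else target.split(".")[0])
        for value in node.values():
            found |= referenced_ids(value)
    elif isinstance(node, list):
        for value in node:
            found |= referenced_ids(value)
    return found


def preview_changes(old_template, new_template):
    """Return {logical_id: (action, resource_type)} for Add/Remove/Modify."""
    old_res = old_template.get("Resources", {})
    new_res = new_template.get("Resources", {})
    changes = {}
    for lid in old_res.keys() - new_res.keys():
        changes[lid] = ("Remove", old_res[lid]["Type"])
    for lid in new_res.keys() - old_res.keys():
        changes[lid] = ("Add", new_res[lid]["Type"])
    for lid in old_res.keys() & new_res.keys():
        if old_res[lid] != new_res[lid]:
            changes[lid] = ("Modify", new_res[lid]["Type"])
    # Cascading update: a resource that references an added or modified
    # resource is modified as well; repeat until no new resource is pulled in.
    grew = True
    while grew:
        grew = False
        sources = changes.keys() & new_res.keys()
        for lid, body in new_res.items():
            if lid not in changes and referenced_ids(body.get("Properties", {})) & sources:
                changes[lid] = ("Modify", body["Type"])
                grew = True
    return changes


def describe(changes):
    """Rows of (logical_id, action, type, impact), sorted by logical id."""
    rows = []
    for lid, (action, rtype) in sorted(changes.items()):
        impact = IMPACT_BY_TYPE.get(rtype, "unknown") if action == "Modify" else action
        rows.append((lid, action, rtype, impact))
    return rows


if __name__ == "__main__":
    for row in describe(preview_changes(OLD_TEMPLATE, NEW_TEMPLATE)):
        print("%-10s %-7s %-28s %s" % row)
```

Changing only the storage size still lists all three resources: the alarm and the instance are pulled in by the cascade, and the RDS change is classed as a replacement, which is exactly the kind of surprise a change set review is meant to surface before the update runs.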
