Infrastructure as Code: AWS CloudFormation

AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS and third-party resources, and provision and manage them in an orderly and predictable fashion. In SAA-C03, CloudFormation is the cornerstone of Automation and Reliability.

Analogy: Think of CloudFormation as an IKEA Instruction Manual. The manual (Template) lists the parts (Resources) and how to put them together. Following the manual ensures that every time you build the desk (Stack), it looks and functions exactly the same.

Core Concepts & Anatomy

CloudFormation uses Templates (JSON or YAML) to describe the desired state of your infrastructure.

  • AWSTemplateFormatVersion: The version of the template (usually “2010-09-09”).
  • Parameters: Input values provided at runtime (e.g., InstanceType).
  • Mappings: Static look-up tables (e.g., mapping Region to AMI ID).
  • Resources: The actual AWS components to be created (The only required section).
  • Outputs: Values returned after creation (e.g., the Public IP of a Load Balancer).
  • Transform: Used for Serverless (SAM) or macros.
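The six sections above in one working template, added here as an example (it is not from the original guide). The AMI IDs are placeholders, the VPC and subnet are assumed to exist and are passed in as parameters, and the only section left out is Transform, which is needed only for SAM or macros. Note which intrinsic function reads which section: !Ref for Parameters and resource IDs, !FindInMap for Mappings, !GetAtt and Export for Outputs.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example template covering every template section except Transform

Parameters:
  InstanceType:
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small]
    Description: Supplied at stack creation time (runtime input).
  VpcId:
    Type: AWS::EC2::VPC::Id         # assumed to exist already
  SubnetId:
    Type: AWS::EC2::Subnet::Id      # assumed to exist already

Mappings:
  # Static lookup table: region -> AMI. Values here are placeholders, not real AMI IDs.
  RegionMap:
    us-east-1:
      AMI: ami-PLACEHOLDER-USE1
    eu-west-1:
      AMI: ami-PLACEHOLDER-EUW1

Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from anywhere; no SSH exposed
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType                          # parameter value
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]  # mapping lookup
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - !Ref WebSecurityGroup                                 # resource ID
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-web"                   # string substitution

Outputs:
  WebServerPublicIp:
    Description: Attribute of a created resource, read with !GetAtt
    Value: !GetAtt WebServer.PublicIp
  WebSecurityGroupId:
    Description: Exported so another stack can read it with !ImportValue
    Value: !Ref WebSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-WebSgId"
```

The security group is the resource worth reviewing in any template like this: it is the only place the example opens a port, and a drift check (see Drift Detection below) will flag any rule added to it by hand after deployment.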

Stack Management & Advanced Features

StackSets

Used for multi-account and multi-region deployments. From a single administrator account, you can deploy stacks across hundreds of target accounts and regions simultaneously. Essential for enterprise-scale governance.

Nested Stacks

Promotes reusability. Instead of one massive template, you create smaller templates for specific components (e.g., VPC, Database, Security Groups) and reference them as resources within a “Root Stack”.

Drift Detection

Identifies if resources in a stack have been modified manually outside of CloudFormation. This helps maintain the “Source of Truth” in your code.

Comparison: CloudFormation vs. Alternatives

Feature           | CloudFormation                     | AWS CDK                             | Elastic Beanstalk
Abstraction Level | Low (Declarative JSON/YAML)        | High (Imperative Code: Python/JS)   | Very High (PaaS)
Control           | Full control over every resource   | Full control (generates CFN)        | Limited to app environment
Use Case          | Standardized Infrastructure        | Developers who prefer coding        | Quick Web App deployments

Decision Matrix / If–Then Guide

  • If you need to deploy a standard VPC across 50 AWS accounts… Then use CloudFormation StackSets.
  • If you need to prevent a resource (like an S3 bucket) from being deleted when a stack is deleted… Then use DeletionPolicy: Retain.
  • If you need to reference a value from another stack (e.g., a VPC ID)… Then use Export/ImportValue or Nested Stacks.
  • If you want to preview how a stack update will impact running resources… Then use Change Sets.

Exam Tips and Gotchas

  • Rollback: By default, if stack creation fails, CloudFormation deletes all created resources (Rollback). You can disable this for troubleshooting.
  • WaitConditions & CreationPolicy: Used to ensure services (like EC2) are fully configured (e.g., user-data script finished) before the stack marks itself as “CREATE_COMPLETE”.
  • Custom Resources: If CloudFormation doesn’t support a specific action/service natively, use a Lambda-backed Custom Resource to bridge the gap.
  • Intrinsic Functions: Memorize !Ref (get ID), !GetAtt (get attribute like DNS), and !Sub (string substitution).
  • DeletionPolicy: Set to Snapshot for RDS or EBS to take a final backup before the resource is deleted.
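The DeletionPolicy, CreationPolicy and cross-stack reference points from the decision matrix and the exam tips, shown together in one template. This is an added example, not from the original guide: the AMI and subnet are passed in as parameters, and the imported export name (network-stack-WebSgId) is assumed to have been created by another stack.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example of deletion policies, creation signalling and imports

Parameters:
  ImageId:
    Type: AWS::EC2::Image::Id       # supplied at deploy time; nothing hard-coded
  SubnetId:
    Type: AWS::EC2::Subnet::Id

Resources:
  # Retain: the bucket and its objects survive "delete stack" and any
  # update that would replace the bucket; the stack simply stops managing it.
  AuditLogBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Snapshot: CloudFormation takes an EBS snapshot before deleting the volume.
  DataVolume:
    Type: AWS::EC2::Volume
    DeletionPolicy: Snapshot
    Properties:
      AvailabilityZone: !GetAtt AppServer.AvailabilityZone
      Size: 20
      Encrypted: true

  AppServer:
    Type: AWS::EC2::Instance
    # CreationPolicy: the resource (and so the stack) is not CREATE_COMPLETE
    # until one success signal arrives; no signal within 10 minutes means
    # the creation fails and the default rollback removes what was built.
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT10M
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - !ImportValue network-stack-WebSgId   # export from another stack (assumed name)
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          yum install -y aws-cfn-bootstrap
          # application configuration goes here; because of "set -e" a failing
          # step exits before the signal, so the stack times out and rolls back
          /opt/aws/bin/cfn-signal -e 0 --stack ${AWS::StackName} --resource AppServer --region ${AWS::Region}
```

Before applying this to an existing stack, create a Change Set and read it: a change that replaces AppServer also replaces DataVolume's AvailabilityZone reference, and the Retain and Snapshot policies are what stand between a replacement and data loss.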

Topics Covered

Summary of key subtopics covered in this guide:

  • Template Anatomy (Parameters, Resources, Outputs)
  • Stack Lifecycle (Create, Update, Delete, Rollback)
  • Multi-account deployment with StackSets
  • Modular architecture with Nested Stacks
  • Security (IAM integration, NoEcho for secrets)
  • Drift Detection and Change Sets
  • Deletion Policies and Intrinsic Functions

Infographic: CloudFormation Workflow

[Infographic, recovered from the figure text: Template (YAML / JSON) -> CFN Engine (API calls & logic) -> Stack (live resources: EC2, RDS, S3, IAM)]

Service Ecosystem

IAM: Use Service Roles to grant CFN permission to build resources.

CloudTrail: Logs every API call made by CloudFormation.

Secrets Manager: Dynamically inject secrets into templates at deploy time using resolve dynamic references, so the secret value itself never appears in the template.
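The two ways this guide mentions for keeping a secret out of a template, NoEcho (under Security in the topic list) and a Secrets Manager dynamic reference, side by side. This is an added example, not from the original guide; the secret name and the username "admin" are constructed values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example of NoEcho versus a Secrets Manager dynamic reference

Parameters:
  # Option 1: NoEcho masks the value (shown as ****) in the console, CLI and
  # DescribeStacks responses, but the caller still generates and transports it.
  DbMasterPassword:
    Type: String
    NoEcho: true
    MinLength: 16

Resources:
  # Option 2: Secrets Manager generates and stores the password; the template
  # only ever points at it through {{resolve:...}} and never holds the value.
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/db/master"   # constructed secret name
      GenerateSecretString:
        SecretStringTemplate: '{"username": "admin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'                # characters RDS rejects in a password

  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      StorageEncrypted: true
      PubliclyAccessible: false
      MasterUsername: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:username}}"
      # Option 1 would read: MasterUserPassword: !Ref DbMasterPassword
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:password}}"
```

With option 2 the stack's IAM service role needs secretsmanager:GetSecretValue on the secret, and CloudTrail records that call alongside the RDS API calls, which is the audit trail the Service Ecosystem points above are describing. Option 1 leaves the password in whatever pipeline or shell history supplied the parameter, which NoEcho does nothing about.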

Performance & Scaling

Nested Stacks: Avoid the 50,000-byte template limit and 500-resource limit per stack.

Parallelism: CloudFormation analyzes dependencies and creates independent resources simultaneously.

Cost Optimization

Free Tier: CloudFormation itself is free. You only pay for the resources (EC2, RDS, etc.) it creates.

EstimateCost: Use the EstimateCost API to get a monthly cost estimate of your template via the Simple Monthly Calculator.

Production Use Case: A FinTech company uses StackSets to deploy a standardized “Security Guardrail” (IAM Roles, Config Rules, and CloudWatch Alarms) across 200 AWS accounts globally in under 10 minutes.
