5.4 CloudFormation and Infrastructure as Code
Key Takeaways
- CloudFormation provisions AWS resources declaratively using JSON or YAML templates — it is the primary IaC tool in AWS.
- Stacks are the unit of deployment; StackSets deploy stacks across multiple accounts and Regions simultaneously.
- Change Sets preview changes before applying them, reducing the risk of unintended modifications to production resources.
- Drift detection identifies resources that have been manually changed outside of CloudFormation.
- AWS CDK (Cloud Development Kit) lets you define infrastructure in a general-purpose programming language (TypeScript, Python, Java, C#, Go) and synthesizes standard CloudFormation templates from that code.
CloudFormation and Infrastructure as Code
Quick Answer: CloudFormation = declarative IaC using YAML/JSON templates. Stacks = unit of deployment. StackSets = deploy across accounts/Regions. Change Sets = preview changes before applying. CDK = write IaC in programming languages, compiled to CloudFormation. SAM = simplified CloudFormation for serverless.
CloudFormation Overview
AWS CloudFormation provisions and manages AWS resources from a template: you declare the resources you want in JSON or YAML, and the service creates, updates and deletes them in dependency order as a single stack, so the template becomes the reviewable, version-controlled record of what is deployed.
Template Anatomy
| Section | Required | Description |
|---|---|---|
| AWSTemplateFormatVersion | No | Template format version (only valid value: "2010-09-09") |
| Description | No | Free-text template description |
| Metadata | No | Additional information about the template, e.g. AWS::CloudFormation::Init data for cfn-init or AWS::CloudFormation::Interface for console parameter grouping |
| Parameters | No | Input values supplied at stack creation or update time |
| Rules | No | Validate parameter values or combinations before the stack is created or updated |
| Mappings | No | Static key-value lookups (e.g., AMI IDs by Region) |
| Conditions | No | Control whether resources or properties are created, based on parameter values |
| Transform | No | Macros to apply to the template, such as AWS::Serverless-2016-10-31 for SAM templates |
| Resources | Yes | AWS resources to create (the only required section) |
| Outputs | No | Values to display after creation or to export for other stacks |
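The following is an added example, not code from the page or from AWS, that puts the sections above into one working template and runs a small checker over it. It uses the JSON form of a template (CloudFormation accepts JSON and YAML; intrinsic functions appear as {"Ref": ...} and {"Fn::Sub": ...} objects rather than the !Ref and !Sub YAML tags). The template, the KNOWN_SECTIONS set and the three security checks are constructed for this example and only illustrate what a template linter such as cfn-lint or cfn_nag does before a stack is created.

```python
"""Added example: the template sections above in a JSON template, plus a
small checker that validates the layout and flags a few risky settings.
The template, KNOWN_SECTIONS and the checks are constructed here and are
illustrative, not a complete policy set. Standard library only.
"""
import json

# Top-level sections CloudFormation accepts; only Resources is required.
KNOWN_SECTIONS = {
    "AWSTemplateFormatVersion", "Description", "Metadata", "Parameters",
    "Rules", "Mappings", "Conditions", "Transform", "Resources", "Outputs",
}
PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                      "IgnorePublicAcls", "RestrictPublicBuckets")

# Constructed template: every common section, one good and two bad resources.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Constructed example: log bucket, security group, policy",
    "Parameters": {
        "Env": {"Type": "String", "AllowedValues": ["dev", "prod"], "Default": "dev"}},
    "Mappings": {
        "EnvConfig": {"dev": {"Owner": "platform-dev"}, "prod": {"Owner": "platform-prod"}}},
    "Conditions": {"IsProd": {"Fn::Equals": [{"Ref": "Env"}, "prod"]}},
    "Resources": {
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_KEYS},
                "Tags": [{"Key": "Owner", "Value": {"Fn::FindInMap": ["EnvConfig", {"Ref": "Env"}, "Owner"]}}]}},
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "SSH from anywhere (deliberately bad)",
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                          "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "DeployPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    },
    "Outputs": {
        "BucketName": {"Value": {"Ref": "LogBucket"},
                       "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-LogBucket"}}}},
})


def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_structure(template):
    """Findings about the top-level layout (the table of sections above)."""
    findings = []
    if not template.get("Resources"):
        findings.append("Resources section is required and must not be empty")
    version = template.get("AWSTemplateFormatVersion")
    if version is not None and version != "2010-09-09":
        findings.append(f"invalid AWSTemplateFormatVersion {version!r}")
    findings += [f"unknown top-level section {s!r}" for s in template if s not in KNOWN_SECTIONS]
    return findings


def check_resources(template):
    """Findings for a few well-known misconfigurations in Resources."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append(f"{name}: bucket without BucketEncryption")
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PUBLIC_ACCESS_KEYS):
                findings.append(f"{name}: public access block not fully enabled")
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append(f"{name}: ingress {rule.get('FromPort')}-{rule.get('ToPort')} open to the world")
        elif rtype in ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
            docs += [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
            for st in (s for d in docs for s in d.get("Statement", [])):
                if (st.get("Effect") == "Allow" and "*" in as_list(st.get("Action"))
                        and "*" in as_list(st.get("Resource"))):
                    findings.append(f"{name}: Allow Action * on Resource * (full admin)")
    return findings


def lint(template_text):
    """Parse a JSON template and return all findings, structural ones first."""
    template = json.loads(template_text)
    return check_structure(template) + check_resources(template)


if __name__ == "__main__":
    for finding in lint(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the embedded template, lint() reports the open SSH rule and the wildcard policy and says nothing about the bucket, which has encryption, a full public access block and DeletionPolicy Retain. The structural checks are the same ones a template validation step should fail fast on: a missing or empty Resources section, a bad AWSTemplateFormatVersion, or a misspelled top-level key that CloudFormation would otherwise reject at create-stack time.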
Key Concepts
| Concept | Description |
|---|---|
| Stack | A collection of AWS resources managed as a single unit |
| StackSet | Deploy stacks to multiple accounts and Regions |
| Change Set | Preview proposed changes before execution |
| Drift detection | Compare the live configuration of each resource with the template on demand; each resource is reported IN_SYNC, MODIFIED or DELETED |
| Nested stacks | Reusable template components (stack references another stack) |
| Cross-stack references | Export values from one stack (Outputs with Export), import them in another with Fn::ImportValue; a stack cannot be deleted while another stack imports its exports |
| Rollback | Automatic rollback on creation/update failure |
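The Change Set and drift detection rows above describe what CloudFormation reports but not how a pipeline acts on it. The following is an added example, not code from the page or from AWS, that consumes the JSON returned by the describe-change-set and describe-stack-resource-drifts API calls: it holds a change set for human approval when it would replace or remove a resource whose loss matters, and it turns a drift report into a list of out-of-band changes worth investigating. The embedded payloads are constructed for this example, and PROTECTED_TYPES is an assumed policy list, not anything CloudFormation defines.

```python
"""Added example: a pipeline gate over a Change Set and a drift report.

Both functions consume the JSON returned by the CloudFormation API, e.g.
  aws cloudformation describe-change-set --stack-name S --change-set-name C
  aws cloudformation describe-stack-resource-drifts --stack-name S
The payloads embedded here are constructed for this example, not captured
from a real account, and PROTECTED_TYPES is a policy choice. Stdlib only.
"""
import json

# Resource types whose replacement or removal loses data or trust material;
# a change set touching these is held for human approval (assumed policy).
PROTECTED_TYPES = {
    "AWS::S3::Bucket", "AWS::RDS::DBInstance", "AWS::DynamoDB::Table",
    "AWS::KMS::Key", "AWS::IAM::Role", "AWS::CloudTrail::Trail",
}

CHANGE_SET_JSON = json.dumps({  # constructed describe-change-set response
    "ChangeSetName": "release-42", "Status": "CREATE_COMPLETE",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "WebAsg",
            "ResourceType": "AWS::AutoScaling::AutoScalingGroup",
            "Replacement": "False", "Scope": ["Properties"]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "OrdersDb",
            "ResourceType": "AWS::RDS::DBInstance",
            "Replacement": "True", "Scope": ["Properties"]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Remove", "LogicalResourceId": "LegacyQueue",
            "ResourceType": "AWS::SQS::Queue"}},
    ],
})

DRIFT_JSON = json.dumps({  # constructed describe-stack-resource-drifts response
    "StackResourceDrifts": [
        {"LogicalResourceId": "OrdersDb", "ResourceType": "AWS::RDS::DBInstance",
         "StackResourceDriftStatus": "IN_SYNC"},
        {"LogicalResourceId": "AdminSg", "ResourceType": "AWS::EC2::SecurityGroup",
         "StackResourceDriftStatus": "MODIFIED",
         "PropertyDifferences": [{
             "PropertyPath": "/SecurityGroupIngress/0/CidrIp",
             "ExpectedValue": "10.0.0.0/8", "ActualValue": "0.0.0.0/0",
             "DifferenceType": "NOT_EQUAL"}]},
        {"LogicalResourceId": "AuditTrail", "ResourceType": "AWS::CloudTrail::Trail",
         "StackResourceDriftStatus": "DELETED"},
    ],
})


def review_change_set(payload):
    """Return (approved, notes). approved is False when the change set
    replaces or removes a resource whose type is in PROTECTED_TYPES."""
    notes, blocking = [], False
    for change in json.loads(payload).get("Changes", []):
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        action, rtype = rc.get("Action"), rc.get("ResourceType")
        # "Conditional" means CloudFormation cannot decide until execution;
        # a gate has to treat it as a replacement.
        replaced = action == "Modify" and rc.get("Replacement") in ("True", "Conditional")
        if action == "Remove" or replaced:
            notes.append(f"{'Remove' if action == 'Remove' else 'Replace'} "
                         f"{rc.get('LogicalResourceId')} ({rtype})")
            blocking = blocking or rtype in PROTECTED_TYPES
    return (not blocking, notes)


def triage_drift(payload):
    """Map each drifted logical id to a one-line description; IN_SYNC
    resources are dropped. A deleted trail or a widened security group is
    a security finding, not just an IaC hygiene issue."""
    out = {}
    for d in json.loads(payload).get("StackResourceDrifts", []):
        status = d.get("StackResourceDriftStatus")
        if status == "IN_SYNC":
            continue
        lid = d["LogicalResourceId"]
        if status == "MODIFIED":
            diffs = "; ".join(f"{p['PropertyPath']}: {p.get('ExpectedValue')} -> {p.get('ActualValue')}"
                              for p in d.get("PropertyDifferences", []))
            out[lid] = f"MODIFIED {diffs}"
        elif status == "DELETED":
            out[lid] = f"DELETED outside CloudFormation ({d.get('ResourceType')})"
        else:  # any other status: report it unchanged
            out[lid] = status
    return out


if __name__ == "__main__":
    approved, notes = review_change_set(CHANGE_SET_JSON)
    print("approved" if approved else "held for approval", notes)
    for lid, line in triage_drift(DRIFT_JSON).items():
        print(lid, line)
```

In a pipeline the sequence is create-change-set, describe-change-set, feed the JSON to review_change_set, and call execute-change-set only when it returns approved; here the RDS replacement blocks the release while the queue removal is merely noted. Drift detection is asynchronous: detect-stack-drift returns a detection id, describe-stack-drift-detection-status is polled until it completes, and describe-stack-resource-drifts then returns the per-resource report that triage_drift summarises. Not every resource type supports drift detection, so an empty report is not proof that nothing changed.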
CloudFormation vs. Terraform vs. CDK
| Feature | CloudFormation | Terraform | CDK |
|---|---|---|---|
| Language | YAML/JSON | HCL | TypeScript, Python, Java, C#, Go |
| Provider | AWS only | Multi-cloud | Compiles to CloudFormation |
| State | Stack state managed by AWS | External state file (local or remote backend) | CloudFormation stack (CDK synthesizes a template; no separate state file) |
| Drift | Built-in detection | Refresh (terraform plan -refresh-only) | CloudFormation drift detection on the synthesized stack |
| Best for | AWS-native IaC | Multi-cloud | Developers who prefer programming languages |
AWS SAM (Serverless Application Model)
SAM is an extension of CloudFormation for serverless applications. A SAM template is a CloudFormation template that declares Transform: AWS::Serverless-2016-10-31; CloudFormation expands the SAM resource types into standard resources at deployment time:
- Simplified resource types for Lambda functions, API Gateway APIs, DynamoDB tables and Step Functions state machines (AWS::Serverless::Function, AWS::Serverless::Api, AWS::Serverless::SimpleTable, AWS::Serverless::StateMachine)
- Local build, testing and debugging via the SAM CLI (sam build, sam local invoke, sam local start-api, sam deploy)
- Compiles to standard CloudFormation, so Change Sets, drift detection and rollback apply to SAM stacks as well
On the Exam: "Deploy identical infrastructure across 15 AWS accounts in 3 Regions" → CloudFormation StackSets. "Preview infrastructure changes before applying" → Change Sets. "Detect manual changes to managed resources" → Drift Detection.
A company needs to deploy the same CloudFormation stack to 20 AWS accounts across 4 Regions. What should they use?
Before updating a production CloudFormation stack, a DevOps engineer wants to see exactly what changes will be made. What should they use?