Automate Infrastructure with AWS CloudFormation Command Line Tools: Best Practices
Overview
AWS CloudFormation command line tools (primarily the aws cloudformation commands of the AWS CLI, plus the CloudFormation CLI) let you provision, update, and manage stacks from scripts and CI/CD pipelines. Use them to automate repeatable infrastructure tasks, enforce consistency, and integrate infrastructure changes into software delivery.
Best practices
1. Keep templates modular and version-controlled
- Split templates: Break large templates into smaller nested stacks or use the AWS::Include transform to reuse components.
- Store in VCS: Keep templates in Git with clear commit history and pull-request reviews.
- Use semantic versioning: Tag released template versions for rollbacks.
2. Validate and lint templates before deployment
- cfn-lint: Run cfn-lint to catch schema and best-practice issues.
- aws cloudformation validate-template: Use this to ensure the template is syntactically valid.
- Unit tests: Test parameter validation and intrinsic functions where possible.
3. Parameterize and avoid hardcoding
- Parameters and mappings: Use Parameters, Mappings, and Conditions to make templates reusable across environments.
- Use SSM/Secrets Manager: Reference secrets and environment-specific values via SSM Parameter Store or Secrets Manager instead of embedding credentials.
4. Use change sets for safe updates
- Creating change sets: Use aws cloudformation create-change-set to preview updates and avoid unexpected replacements.
- Review changes: Automate approvals by parsing change set outputs in CI workflows.
5. Integrate with CI/CD pipelines
- Automated pipelines: Run validate -> lint -> create-change-set -> execute-change-set steps in CI (GitHub Actions, GitLab CI, CodePipeline).
- Immutable deployments: Prefer stack updates that minimize in-place replacements; consider blue/green patterns for services.
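The two points above (parsing change set output for automated approval, and the create-change-set -> execute-change-set pipeline step) as an added example; this is not code from the original article. It assumes the stack and change set names from the article's snippets (my-stack, cs1), an assumed list of protected resource types, and the AWS CLI on PATH when run as a script; the parsing function itself runs offline on a constructed sample.

```python
import json
import subprocess

# Resource types whose removal needs a human approver (assumed policy, not from the article).
PROTECTED_TYPES = {"AWS::RDS::DBInstance", "AWS::S3::Bucket", "AWS::DynamoDB::Table"}


def risky_changes(describe_output: dict) -> list:
    """Reasons this change set must not be auto-approved (empty list means safe).

    describe_output is the parsed JSON of `aws cloudformation describe-change-set`.
    Risky: a Modify with Replacement "True"/"Conditional", or a Remove of a protected type.
    """
    reasons = []
    for change in describe_output.get("Changes", []):
        rc = change.get("ResourceChange", {})
        lid, rtype = rc.get("LogicalResourceId"), rc.get("ResourceType")
        if rc.get("Action") == "Modify" and rc.get("Replacement") in ("True", "Conditional"):
            reasons.append(f"{lid} ({rtype}): replacement={rc['Replacement']}")
        elif rc.get("Action") == "Remove" and rtype in PROTECTED_TYPES:
            reasons.append(f"{lid} ({rtype}): protected resource removed")
    return reasons


def gate_and_execute(stack: str, change_set: str) -> bool:
    """Wait for the change set, inspect it, execute only if nothing risky was found."""
    base = ["aws", "cloudformation"]
    ident = ["--stack-name", stack, "--change-set-name", change_set]
    subprocess.run(base + ["wait", "change-set-create-complete"] + ident, check=True)
    out = subprocess.run(base + ["describe-change-set", "--output", "json"] + ident,
                         check=True, capture_output=True, text=True).stdout
    reasons = risky_changes(json.loads(out))
    if reasons:
        print("Manual approval required:\n  " + "\n  ".join(reasons))
        return False
    subprocess.run(base + ["execute-change-set"] + ident, check=True)
    return True


# Constructed sample of describe-change-set output, trimmed to the fields used above.
SAMPLE = {"Changes": [
    {"ResourceChange": {"Action": "Modify", "LogicalResourceId": "WebRole",
                        "ResourceType": "AWS::IAM::Role", "Replacement": "False"}},
    {"ResourceChange": {"Action": "Modify", "LogicalResourceId": "AppDb",
                        "ResourceType": "AWS::RDS::DBInstance", "Replacement": "True"}},
]}

if __name__ == "__main__":
    print(risky_changes(SAMPLE))  # ['AppDb (AWS::RDS::DBInstance): replacement=True']
    gate_and_execute("my-stack", "cs1")
```

In CI, a non-empty result fails the job so the change set stays pending for a human to review with describe-change-set before anyone runs execute-change-set.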
6. Handle secrets and permissions securely
- Least privilege: Grant only required IAM permissions to CI roles executing CloudFormation commands.
- Avoid plain-text: Do not pass secrets as plain parameters; use encrypted SSM parameters or Secrets Manager.
7. Manage drift and state
- Drift detection: Regularly run aws cloudformation detect-stack-drift and review drift results to detect out-of-band changes.
- Stack outputs: Use Outputs to expose values needed by other stacks or applications; reference them via exports.
8. Rollback and recovery strategies
- Enable rollback: Keep default rollback behavior to recover from failed updates, or implement controlled rollback via automation that captures failure context.
- Backups: Ensure dependent resources (databases, S3) have backups/snapshots before risky updates.
9. Use change policies to control resource replacements
- DeletionPolicy/UpdateReplacePolicy: Set policies to retain or snapshot resources on stack deletion or replacement.
- Stack policies: Apply stack policies during updates to protect critical resources from accidental changes.
10. Optimize for speed and cost
- Parallelize where safe: Deploy independent nested stacks in parallel via scripts to reduce total deployment time.
- Review resource types: Use lightweight instance types for non-production and remove unused resources to cut costs.
Useful command snippets
- Validate template:
```bash
aws cloudformation validate-template --template-body file://template.yaml
```
- Create and execute a change set:
```bash
aws cloudformation create-change-set --stack-name my-stack --change-set-name cs1 \
  --template-body file://template.yaml \
  --parameters ParameterKey=Env,ParameterValue=prod \
  --capabilities CAPABILITY_NAMED_IAM
# Creation is asynchronous; wait before describing so the change list is complete.
aws cloudformation wait change-set-create-complete --stack-name my-stack --change-set-name cs1
aws cloudformation describe-change-set --stack-name my-stack --change-set-name cs1
aws cloudformation execute-change-set --stack-name my-stack --change-set-name cs1
```
- Detect drift:
```bash
aws cloudformation detect-stack-drift --stack-name my-stack
# <id> is the StackDriftDetectionId returned by the previous command.
aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id <id>
```
Quick checklist before automated deployment
- Lint and validate template
- Ensure parameters sourced