

AWS Cloudformation IaC Tool - Complete Guide

Gursimran Singh | 04 August 2022

Infrastructure As Code with AWS Cloudformation - Complete Guide

Overview of Infrastructure as Code

Infrastructure as Code (IaC) has changed how software engineers design, test, and release applications by making frequent production and delivery cycles practical. The automation tools that support these practices make building and configuring infrastructure faster and more repeatable, reducing cost and effort.

Infrastructure as Code is the practice of managing and provisioning data centers through machine-readable definition files rather than manual configuration. It underpins cloud computing, which is sometimes marketed as Infrastructure as a Service (IaaS). The benefits of Infrastructure as Code can be broken down into three measurable categories -

  1. Cost reduction
  2. Speed
  3. Risk
There are three approaches to Infrastructure as code -
  1. Declarative
  2. Imperative
  3. Intelligent

The declarative approach focuses on what the eventual target configuration should be: it defines the desired state of the system, and the tooling works out and executes whatever is needed to reach that state. The imperative approach focuses on how the infrastructure is to be changed: it spells out the specific commands that must be executed, in the appropriate order, to end up with the desired result. The intelligent approach focuses on why the configuration should be a certain way, taking into account the relationships and dependencies between multiple applications; it determines the correct desired state before any execution takes place, so that the deployment is driven by that analysis rather than by hand-written deployment steps.

There are two methods of Infrastructure as code -

  1. Pull
  2. Push
In the push method, a control server pushes the configuration out to the target servers. In the pull method, each managed server fetches its configuration from the control server and applies it itself.

What is the Infrastructure Resource Lifecycle?

The stages of the lifecycle are -
  1. Resource provisioning - The administrator provisions the resources according to the specification they require.
  2. Configuration management - The provisioned resources become components of the configuration management system, which supports activities such as tuning and patching.
  3. Monitoring and performance - Monitoring and performance tools verify the operational status of the resources by analyzing items such as metrics, synthetic transactions, and log files.
  4. Compliance and governance - Compliance and governance frameworks drive additional verification to ensure alignment with corporate and industry standards as well as regulatory requirements.
  5. Resource optimization - Administrators review the performance data and identify the changes needed to optimize the environment against criteria such as performance and cost.
Every stage involves procedures that can be expressed as code. This extends the benefits of Infrastructure as Code from its traditional role in provisioning to the entire resource lifecycle.

Practitioners of Infrastructure as code

  1. Developers/DevOps teams - They benefit from CloudFormation's ability to treat infrastructure as code, which lets them apply software engineering practices such as code review, integration testing, service-oriented architecture (SOA), and revision control to infrastructure.
  2. IT admins and MSPs - They value CloudFormation as a platform for standardization, managed consumption, and role specialization.
  3. ISVs - They value CloudFormation for its ability to scale out multi-tenant SaaS products by quickly replicating or updating stacks. ISVs also use CloudFormation to package and deploy their software into their customers' AWS accounts.

What is AWS CloudFormation?

AWS CloudFormation gives developers and systems administrators a straightforward way to create, provision, update, and maintain a collection of related AWS resources in a predictable, repeatable way. It uses templates written in JSON (JavaScript Object Notation) or YAML (YAML Ain't Markup Language) to describe the collection of AWS resources, which CloudFormation manages together as a stack. The same template can be used to create identical copies of a stack repeatedly, including across AWS Regions. After the resources are deployed, they can be modified and updated in a controlled manner.

Why Infrastructure as Code on AWS?

We can use IaC to set up AWS infrastructure. IaC makes it easier to spin up AWS infrastructure: it automates deployment and also makes the result more consistent and better performing. Customers have many tools to choose from, and the AWS Marketplace offers a host of IaC solutions, including

  1. Chef
  2. CloudShell Colony 
  3. Terraform 
  4. Puppet 
  5. Saltstack 

How does AWS CloudFormation work?

AWS CloudFormation is tightly integrated with AWS and can only be used with AWS; it is not a multi-cloud tool. Templates are written in YAML or JSON. It offers a common language for describing and provisioning all the infrastructure resources in a cloud environment. CloudFormation uses rollback triggers to restore a stack to its previously deployed state if errors are observed, so that deploying and upgrading infrastructure happens in a controlled manner. It also allows infrastructure to be treated as code: templates can be authored in any code editor and checked into version control.

AWS CloudFormation makes the underlying AWS service calls to provision and configure the resources as it builds a stack. Note that CloudFormation can only perform actions you have permission to perform. For example, to create an S3 bucket through CloudFormation you need permission to create buckets, and deleting that bucket through a stack update or stack deletion requires permission to delete it. By default stack operations run with the permissions of the principal who starts them, so in practice it is better to hand CloudFormation a dedicated service role (the --role-arn option on create-stack and update-stack) that carries only the permissions the stack needs; the caller then needs iam:PassRole on that role rather than broad permissions of their own.

You can use AWS Identity and Access Management (IAM) to control those permissions. The calls that CloudFormation makes are determined entirely by your template. For example, suppose a template describes an S3 bucket with a static website hosting configuration. When you create a stack from that template, CloudFormation calls the Amazon S3 create-bucket API and then applies the static website hosting configuration to the new bucket.
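The permission point above is easiest to handle with a dedicated service role. The following template is an added example written for this guide (it is not from the article or from AWS): it creates a role that CloudFormation can assume when deploying the S3 static-website stack just described. The role name, the bucket-name prefix and the action list are assumptions; any action the stack turns out to need but the role lacks appears as an access-denied error in the stack events, from which the policy can be adjusted.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Service role for CloudFormation to deploy an S3 static-website stack.
  Added example: role name, bucket prefix and action list are assumptions.

Parameters:
  BucketPrefix:
    Type: String
    Default: example-static-site
    Description: Only buckets named <BucketPrefix>-* may be managed by the role

Resources:
  CloudFormationS3DeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-s3-static-site-deploy
      # Trust policy: only the CloudFormation service can assume this role,
      # so the permissions below never become usable by a human directly.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: s3-static-site-only
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Create/delete the bucket and manage its website, policy and
              # public-access settings, but only for buckets under the prefix.
              - Effect: Allow
                Action:
                  - s3:CreateBucket
                  - s3:DeleteBucket
                  - s3:GetBucketPolicy
                  - s3:PutBucketPolicy
                  - s3:DeleteBucketPolicy
                  - s3:GetBucketWebsite
                  - s3:PutBucketWebsite
                  - s3:DeleteBucketWebsite
                  - s3:GetBucketPublicAccessBlock
                  - s3:PutBucketPublicAccessBlock
                  - s3:PutBucketTagging
                Resource: !Sub 'arn:${AWS::Partition}:s3:::${BucketPrefix}-*'

Outputs:
  DeployRoleArn:
    Description: Value to pass as --role-arn to create-stack and update-stack
    Value: !GetAtt CloudFormationS3DeployRole.Arn
```

Deploying this role itself needs `--capabilities CAPABILITY_NAMED_IAM` because it names an IAM role. Afterwards the website stack is created with `aws cloudformation create-stack ... --role-arn <DeployRoleArn>`; the person running that command needs iam:PassRole on the role and the CloudFormation API permissions, but no S3 permissions of their own.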

AWS CloudFormation Template

We can write an AWS CloudFormation template (a JSON- or YAML-formatted document) in a text editor or with AWS CloudFormation Designer. CloudFormation provides a template-based way of creating infrastructure and manages the dependencies between resources while the stack is being built, so resources are created in the right order. With AWS CloudFormation, we can maintain our infrastructure definition in the same way as our application source code.

We can also start from a provided template. The template describes the resources we want and their configurations. For example, suppose we want to create an EC2 instance. Our template declares an EC2 instance resource and describes its properties:

    AWSTemplateFormatVersion: '2010-09-09'
    Description: A simple EC2 instance
    Resources:
      MyEC2Instance:
        Type: AWS::EC2::Instance
        Properties:
          # AMI IDs are Region-specific; this is the sample ID used in the AWS documentation
          ImageId: ami-0ff8a91507f77f867
          # t1.micro is a previous-generation type; t2.micro or t3.micro is the usual choice today
          InstanceType: t1.micro

We can save the template with any file extension, such as .json, .yaml, or .txt, either locally or in an S3 bucket.

We build a CloudFormation stack by specifying the location of the template file, such as a path on the local machine or an Amazon S3 URL. If the template declares parameters, we supply their input values when we create the stack; parameters let you pass values into your template to customize the resources each time you build a stack. Stacks can be built from the AWS CloudFormation console, the API, or the AWS CLI.

Setting up AWS CloudFormation

  1. Step 1 - Write your infrastructure from scratch in the CloudFormation template language, in either YAML or JSON format, or start from one of the many available sample templates.
  2. Step 2 - Validate your template locally (the validate-template API checks syntax and basic structure) and keep it on disk or upload it to an S3 bucket.
  3. Step 3 - Use the AWS CloudFormation console, the command line tools, or the API to create a stack from your template.
  4. Step 4 - AWS CloudFormation then provisions and configures the stack and the resources specified in your template, in dependency order.
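A template that puts the parameters described earlier and the steps above together, written for this guide as an added example (it is not from the article or from AWS): it declares parameters with constraints, a security group restricted to one CIDR, an encrypted root volume and IMDSv2 enforced through a launch template. The VPC, subnet and admin CIDR are inputs you supply; the public SSM parameter used for the AMI is assumed to be the Amazon Linux 2023 alias.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  One administrative EC2 host in a supplied VPC. Added example: the VPC, subnet
  and admin CIDR are inputs; the SSM alias for the AMI is assumed to exist.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  AdminCidr:
    Type: String
    Description: IPv4 CIDR allowed to reach SSH; /24 or narrower, so 0.0.0.0/0 is rejected
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/(2[4-9]|3[0-2])$'
    ConstraintDescription: must be an IPv4 CIDR with a prefix length between 24 and 32
  InstanceType:
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small]
  LatestAmiId:
    # Resolved by CloudFormation from a public SSM parameter at deploy time, so
    # no Region-specific AMI ID is hard-coded in the template.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Resources:
  AdminSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from the admin CIDR only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
      # Outbound limited to HTTPS (package updates, SSM agent); nothing else leaves the host
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  AdminLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        # IMDSv2 only: an SSRF bug in a web app on the host cannot fetch the
        # instance role credentials with a single unauthenticated GET.
        MetadataOptions:
          HttpTokens: required
          HttpPutResponseHopLimit: 1
        BlockDeviceMappings:
          - DeviceName: /dev/xvda
            Ebs:
              Encrypted: true
              VolumeSize: 8
              DeleteOnTermination: true

  AdminInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: !Ref InstanceType
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - !Ref AdminSecurityGroup
      LaunchTemplate:
        LaunchTemplateId: !Ref AdminLaunchTemplate
        Version: !GetAtt AdminLaunchTemplate.LatestVersionNumber
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-admin-host'

Outputs:
  InstanceId:
    Value: !Ref AdminInstance
  SecurityGroupId:
    Value: !Ref AdminSecurityGroup
```

Save it as template.yaml, check it with `aws cloudformation validate-template --template-body file://template.yaml`, then create the stack with `aws cloudformation deploy --template-file template.yaml --stack-name admin-host --parameter-overrides VpcId=<your-vpc-id> SubnetId=<your-subnet-id> AdminCidr=203.0.113.0/24`. The AllowedPattern on AdminCidr makes CloudFormation reject wide-open ranges such as 0.0.0.0/0 at parameter validation, before any resource exists.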

What are the features of AWS CloudFormation?


We can model and provision third-party application resources alongside AWS resources using the AWS CloudFormation Registry; monitoring, team productivity, incident management, and version control systems are examples of such third-party services. We can also build our own resource providers with the AWS CloudFormation CLI, an open-source tool that streamlines the development process with code generation and local testing.

Automate with Best Practices

With CloudFormation, we can apply DevOps and GitOps best practices using familiar workflows: start from a Git repository and deploy through a CI/CD pipeline. Pipeline integrations such as GitHub Actions and AWS CodePipeline also simplify auditing changes and triggering automated deployments.

Controlled Environment

CloudFormation automates the provisioning and updating of our infrastructure in a secure and managed way, without the manual steps and ad-hoc controls that lead to mistakes. With rollback triggers we can specify the CloudWatch alarms that CloudFormation should monitor during stack creation and update (and for a configurable period afterwards); if any of those alarms goes into the ALARM state, CloudFormation rolls the entire operation back to the previously deployed state.

Preview Changes

AWS CloudFormation change sets let us preview how proposed changes to a stack will affect the running resources, for example to verify whether a change will delete or replace an essential resource before it happens (each resource in a change set reports whether the update will replace it). CloudFormation modifies the stack only once we decide to execute the change set.

What are the benefits of Infrastructure as Code on AWS CloudFormation?


IaC gives easy visibility into which services are deployed in your account and how they are configured. We do not need to log into the web console to find them; they can be reviewed quickly in any editor.


Changing a setting or deleting the wrong resource from the web console affects the whole architecture. Infrastructure as code, particularly when combined with source control software such as Git, helps us solve this: every change is reviewed, recorded, and can be rolled back.


With infrastructure as code you write the code once and reuse it many times, so multiple environments can be set up from a single design.

Simple updates

CloudFormation templates can be used to modify existing resources as well as to deploy new ones. This makes tasks such as adding extra storage to a fleet of EC2 instances or altering access control rules straightforward.

Change management and auditing

Track changes through the templates you use and how they evolve. Change tracking in CloudFormation lets you see how your AWS services and resources have changed over time without trawling through logs to reconstruct the sequence of updates.


IaC delivers cloud infrastructure rapidly, so developers can build new functionality quickly and improve the organization's productivity.

What is Amazon EC2 Systems Manager?

Amazon EC2 Systems Manager (now AWS Systems Manager) is a collection of capabilities that automate routine maintenance, administration, deployment, and operational tasks on EC2 instances and on servers or virtual machines (VMs) in on-premises environments. Systems Manager helps us understand and control the current state of our EC2 instances and their OS configuration. We can track and remotely manage system configuration, OS patch levels, application configuration, and other details.

Systems Manager Document Structure

A Systems Manager document defines the actions that Systems Manager performs on managed instances. Systems Manager includes more than a dozen preconfigured documents supporting its capabilities. Documents are written in JSON or YAML and contain both parameters and actions. As an example, a custom document for a Windows-based host could use the ipconfig command to collect the node's network configuration and then install MySQL. Systems Manager helps you deploy, customize, enforce, and audit an expected state configuration on EC2 instances and on servers or VMs in on-premises environments.
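Such a document, as an added example written for this guide (it is not from the article or from AWS): a schema 2.2 Command document with two steps, one that runs ipconfig and one that installs MySQL. The page does not say how MySQL is installed, so the install step assumes Chocolatey is present on the host and the default version number is a placeholder; the parameter's allowedPattern keeps a caller from injecting PowerShell through the version string.

```yaml
# Custom Command document (schema 2.2) for a Windows host: collect the network
# configuration with ipconfig, then install MySQL. Added example; the install
# step assumes Chocolatey is present, and the default version is a placeholder.
schemaVersion: '2.2'
description: Collect network configuration and install MySQL on a Windows host
parameters:
  MySqlVersion:
    type: String
    description: MySQL package version to install
    default: '8.0.36'
    # Parameter values are spliced into the PowerShell below; restricting them to
    # digits and dots prevents injecting extra commands through the parameter.
    allowedPattern: '^[0-9]+(\.[0-9]+)*$'
mainSteps:
  - action: aws:runPowerShellScript
    name: collectNetworkConfig
    # Skip the step on Linux nodes instead of failing with a missing command
    precondition:
      StringEquals: [platformType, Windows]
    inputs:
      timeoutSeconds: '60'
      runCommand:
        - ipconfig /all
  - action: aws:runPowerShellScript
    name: installMySql
    precondition:
      StringEquals: [platformType, Windows]
    inputs:
      timeoutSeconds: '1800'
      runCommand:
        - "if (-not (Get-Command choco -ErrorAction SilentlyContinue)) { Write-Error 'Chocolatey is not installed'; exit 1 }"
        - "choco install mysql --version {{ MySqlVersion }} -y --no-progress"
        - "if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }"
```

Register it with `aws ssm create-document --name InstallMySqlWindows --document-type Command --document-format YAML --content file://install-mysql.yaml`, then run it against a set of instances with `aws ssm send-command --document-name InstallMySqlWindows --targets Key=tag:Role,Values=db`. The ipconfig output comes back in the command's standard output, so the network configuration of every targeted node is captured alongside the install result.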

AWS OpsWorks for Chef Automate supports configuring an environment with Chef recipes. It can be used independently or on top of an environment provisioned by AWS CloudFormation. The Systems Manager run documents and policies, and the recipes used with OpsWorks for Chef Automate, are part of the infrastructure code base and can be managed the same way application source code is.


What is Amazon CloudWatch?

Amazon CloudWatch is a set of services that ingests, interprets, and responds to runtime metrics, logs, and events. CloudWatch automatically collects metrics from many AWS services, such as Amazon EC2, Elastic Load Balancing (ELB), and Amazon DynamoDB. It consists of three services: the core CloudWatch metrics and alarms service, Amazon CloudWatch Logs, and Amazon CloudWatch Events (since folded into Amazon EventBridge).

Amazon CloudWatch Logs

Amazon CloudWatch Logs stores and monitors logs from Amazon EC2, AWS CloudTrail, and other sources. Metric filters turn ingested log data into new CloudWatch metrics, which in turn can trigger CloudWatch alarms. Log processing and correlation allow a more in-depth analysis of application behavior and can expose internal details that are hard to infer from metrics alone.

Amazon CloudWatch Events

Amazon CloudWatch Events produces a stream of events from the AWS environment, applies a rules engine, and delivers matching events to the targets you specify. The ability of the infrastructure to respond to particular circumstances benefits both operations and security. For information security, event rules can send notifications for console logins, authentication failures, and risky API calls recorded by CloudTrail. Monitoring is essential to understanding how systems behave and to automating data-driven reactions.

CloudWatch collects observations from runtime environments in the form of metrics and logs and makes them actionable through alarms, streams, and events. Lambda functions written in Python, Node.js, Java, C#, or another supported runtime can respond to those events, extending the role of Infrastructure as Code into the operational domain and improving the flexibility of operating environments.
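The console-login and risky-API notifications described above, as an added CloudFormation example written for this guide (it is not from the article or from AWS): two event rules that match CloudTrail-sourced events and publish to an SNS topic. The alert e-mail address is an input; the list of CloudTrail API names treated as tampering is a choice made here.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  CloudWatch Events (EventBridge) rules that raise security alerts from
  CloudTrail events. Added example; the alert e-mail address is an input.

Parameters:
  AlertEmail:
    Type: String
    Description: Address that receives the security alerts
    AllowedPattern: '^[^@\s]+@[^@\s]+\.[^@\s]+$'

Resources:
  SecurityAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  # Without this policy the events service cannot publish to the topic and the
  # rules match but deliver nothing.
  SecurityAlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SecurityAlertTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref SecurityAlertTopic

  # Console sign-in events are global-service events; deploy this rule in the
  # Region where your trail records them (typically us-east-1).
  ConsoleLoginFailureRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Failed AWS console sign-in
      State: ENABLED
      EventPattern:
        detail-type:
          - AWS Console Sign In via CloudTrail
        detail:
          eventName:
            - ConsoleLogin
          responseElements:
            ConsoleLogin:
              - Failure
      Targets:
        - Id: SecurityAlertTopic
          Arn: !Ref SecurityAlertTopic

  # API calls that disable or weaken audit logging deserve an immediate alert.
  CloudTrailTamperRule:
    Type: AWS::Events::Rule
    Properties:
      Description: CloudTrail logging stopped, deleted or reconfigured
      State: ENABLED
      EventPattern:
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - cloudtrail.amazonaws.com
          eventName:
            - StopLogging
            - DeleteTrail
            - UpdateTrail
            - PutEventSelectors
      Targets:
        - Id: SecurityAlertTopic
          Arn: !Ref SecurityAlertTopic
```

Both rules rely on a CloudTrail trail being enabled in the account; the events service only sees API activity that CloudTrail records. Swapping the SNS target for a Lambda function (with a matching AWS::Lambda::Permission for events.amazonaws.com) turns the notification into an automated response, for example disabling the access keys of the principal behind a StopLogging call.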

Why Use YAML in AWS CloudFormation?

  1. YAML templates are easier to author and read.
  2. YAML supports native comments.
  3. YAML keeps templates simpler as they become more and more complex.
  4. In YAML, sequence items are denoted by a dash and nesting by indentation, rather than by brackets and braces.

YAML Function Declaration

  1. There are two ways to declare intrinsic functions: the long form and the short form.
  2. Short form: !FindInMap [ MapName, TopLevelKey, SecondLevelKey ]
  3. Long form: "Fn::FindInMap": [ "MapName", "TopLevelKey", "SecondLevelKey" ]
  4. The short form uses the YAML tag character ! (it is a tag, not a negation operator).
  5. A few things to note about tags:
  6. You cannot use one tag immediately after another; !Base64 !Sub ... is invalid.
  7. Instead, write the outer function in long form around the short-form inner one, as in "Fn::Base64": !Sub ..., or place the inner tag inside a list, as in !Select [ !Ref Value, [1, 2, 3] ].

Intrinsic Functions in CloudFormation

Fn::Sub substitutes variables in an input string with their values. The function accepts either a plain string or a list of a string and a map of variable names to values. Usage:

  VarName: ${MyVariableValue} - replaced by the value of the parameter, resource, resource attribute, or pseudo parameter named MyVariableValue (or by the matching entry in the map)
  Literal: ${!LiteralValue} - the ! escape leaves the text ${LiteralValue} in the output unchanged

Use the YAML literal block indicator | when the string spans multiple lines. Fn::Sub is also available in JSON templates.

Cross-stack references in CloudFormation make sharing resources such as IAM roles, VPCs, and security groups between stacks easy:
  1. Add an explicit Export declaration to a stack output.
  2. Use the resource in another stack through the Fn::ImportValue intrinsic function.
A few guidelines -
  1. Export names must be unique within an account and Region.
  2. References cannot cross Regions.
  3. A stack that is referenced by another stack cannot be deleted (the dependency is reported in the error message).
  4. An exported output cannot be modified or removed as long as another stack references it.
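The functions and the export/import mechanism above in one place, as an added example written for this guide (it is not from the article or from AWS): a producer stack that uses !Sub with a map and a literal escape, !FindInMap, a long-form Fn::Base64 wrapping a short-form !Sub, and Export, followed by a consumer stack that imports the values. The stack name network-base, the Region map and the log-bucket names are assumptions; the two documents are separate template files in practice.

```yaml
# Producer stack, deployed as "network-base": exports a VPC ID and a security group ID.
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example of intrinsic functions and cross-stack exports

Mappings:
  # Per-Region values, read back with !FindInMap [RegionSettings, <Region>, LogBucket]
  RegionSettings:
    us-east-1:
      LogBucket: example-logs-use1
    eu-west-1:
      LogBucket: example-logs-euw1

Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, prod]
    Default: dev

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      Tags:
        - Key: Name
          # Short-form !Sub: ${Environment} is a parameter, ${AWS::Region} a pseudo parameter
          Value: !Sub '${Environment}-vpc-${AWS::Region}'

  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub 'App tier for ${Environment}'
      VpcId: !Ref Vpc

  AppLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        InstanceType: t3.micro
        SecurityGroupIds: [!Ref AppSecurityGroup]
        UserData:
          # Two tags may not follow each other (!Base64 !Sub is invalid), so the
          # outer function is written in long form and the inner one in short form.
          Fn::Base64: !Sub
            - |
              #!/bin/bash
              echo "log bucket: ${LogBucket}" > ${!HOME}/bootstrap.log
              aws s3 cp ${!HOME}/bootstrap.log s3://${LogBucket}/${AWS::StackName}/
            # ${LogBucket} is supplied by the map below; ${!HOME} is passed through
            # as the literal shell text ${HOME} because of the "!" escape.
            - LogBucket: !FindInMap [RegionSettings, !Ref 'AWS::Region', LogBucket]

Outputs:
  VpcId:
    Value: !Ref Vpc
    Export:
      Name: !Sub '${AWS::StackName}-VpcId'   # export names are unique per account and Region
  AppSecurityGroupId:
    Value: !Ref AppSecurityGroup
    Export:
      Name: !Sub '${AWS::StackName}-AppSgId'

---
# Consumer stack: imports the values above. While it exists, "network-base" cannot be
# deleted and its two exports cannot be changed or removed.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  NetworkStackName:
    Type: String
    Default: network-base

Resources:
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database tier, reachable only from the app security group
      VpcId: !ImportValue
        Fn::Sub: '${NetworkStackName}-VpcId'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          # Long-form Fn::ImportValue wrapping a short-form !Sub (the other valid nesting)
          SourceSecurityGroupId:
            Fn::ImportValue: !Sub '${NetworkStackName}-AppSgId'
```

Deploying the consumer before the producer fails at stack creation with an error naming the missing export, and deleting the producer while the consumer exists fails with an error naming the importing stack; both are the dependency checks listed in the guidelines above.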

A Holistic Strategy

Infrastructure as Code is the practice of managing and provisioning data centers through machine-readable definitions. There are three approaches to Infrastructure as Code. The declarative approach focuses on what the eventual target configuration should be. The imperative approach focuses on how the infrastructure is to be changed to reach it. The intelligent approach focuses on why the configuration should be a certain way, taking into account the relationships and dependencies among the code of multiple applications.