AWS CloudFormation

Introduction

Speed up cloud provisioning with infrastructure as code

Amazon CloudFormation
User Guide for CloudFormation

AWS CloudFormation gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit, as often as you need to, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.


Working with stacks


Using the Console


Protecting a stack from being deleted

You can prevent a stack from being accidentally deleted by enabling termination protection on the stack.


Template reference


Resource and Property Reference


RDS


RDS Deletion

  • Set DeletionProtection to True
  • Set DeleteAutomatedBackups to False
  • Set DeletionPolicy to Retain

CloudFormation - DeletionPolicy attribute
CloudFormation - Protecting a stack from being deleted
CloudFormation - AWS::RDS::DBInstance
RDS - Deleting a DB instance

ADF

To delete a DB instance, you must do the following:

  • Provide the name of the instance
  • Enable or disable the option to take a final DB snapshot of the instance
  • Enable or disable the option to retain automated backups

DeletionProtection
A value that indicates whether the DB instance has deletion protection enabled. The database can’t be deleted when deletion protection is enabled. By default, deletion protection is disabled. For more information, see Deleting a DB Instance.

DeletionPolicy
With the DeletionPolicy attribute you can preserve or (in some cases) back up a resource when its stack is deleted.

  • Retain: AWS CloudFormation keeps the resource without deleting the resource or its contents when its stack is deleted. You can add this deletion policy to any resource type.
  • Delete: AWS CloudFormation deletes the resource and all its content if applicable during stack deletion. You can add this deletion policy to any resource type.

DeleteAutomatedBackups
A value that indicates whether to remove automated backups immediately after the DB instance is deleted. This parameter isn’t case-sensitive. The default is to remove automated backups immediately after the DB instance is deleted.
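The three settings above live in two different places of a template (two are properties, DeletionPolicy is a resource attribute), which makes them easy to miss in review. The following checker, added here as an example and not code from the AWS documentation, scans a JSON template for AWS::RDS::DBInstance resources that still rely on the defaults (DeletionProtection false, DeleteAutomatedBackups true, DeletionPolicy Delete); the template it scans is constructed for the example.

```python
import json

# Constructed sample template (not from the page): "ProdDB" carries all three
# safeguards, "ScratchDB" relies on the defaults and is expected to be flagged.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ProdDB": {
            "Type": "AWS::RDS::DBInstance",
            "DeletionPolicy": "Retain",
            "Properties": {"DBInstanceClass": "db.t3.micro", "Engine": "postgres",
                           "DeletionProtection": True, "DeleteAutomatedBackups": False},
        },
        "ScratchDB": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"DBInstanceClass": "db.t3.micro", "Engine": "postgres"},
        },
    },
})


def _as_bool(value, default):
    # Templates may spell booleans as true or "true"; an absent value, or an
    # intrinsic function such as Ref that cannot be resolved statically, falls
    # back to the service default so that it is reported rather than trusted.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return default


def check_rds_deletion_safeguards(template_text):
    """Return {logical_id: [findings]} for each AWS::RDS::DBInstance missing a
    safeguard. An empty dict means every DB instance in the template is protected."""
    findings = {}
    for logical_id, resource in json.loads(template_text).get("Resources", {}).items():
        if resource.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = resource.get("Properties", {})
        problems = []
        if not _as_bool(props.get("DeletionProtection"), False):
            problems.append("DeletionProtection should be true (service default: false)")
        if _as_bool(props.get("DeleteAutomatedBackups"), True):
            problems.append("DeleteAutomatedBackups should be false (service default: true)")
        # DeletionPolicy is a resource attribute, not a property; CloudFormation defaults to Delete.
        if resource.get("DeletionPolicy", "Delete") != "Retain":
            problems.append("DeletionPolicy should be Retain (default: Delete)")
        if problems:
            findings[logical_id] = problems
    return findings
```

Running `check_rds_deletion_safeguards(SAMPLE_TEMPLATE)` reports only ScratchDB, with one finding per missing safeguard.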

Termination protection

{
  "Type" : "AWS::RDS::DBInstance",
  "Properties" : {
    "AllocatedStorage" : String,
    "AllowMajorVersionUpgrade" : Boolean,
    "AssociatedRoles" : [ DBInstanceRole, ... ],
    "AutoMinorVersionUpgrade" : Boolean,
    "AvailabilityZone" : String,
    "BackupRetentionPeriod" : Integer,
    "CACertificateIdentifier" : String,
    "CharacterSetName" : String,
    "CopyTagsToSnapshot" : Boolean,
    "DBClusterIdentifier" : String,
    "DBInstanceClass" : String,
    "DBInstanceIdentifier" : String,
    "DBName" : String,
    "DBParameterGroupName" : String,
    "DBSecurityGroups" : [ String, ... ],
    "DBSnapshotIdentifier" : String,
    "DBSubnetGroupName" : String,
    "DeleteAutomatedBackups" : Boolean,
    "DeletionProtection" : Boolean,
    "Domain" : String,
    "DomainIAMRoleName" : String,
    "EnableCloudwatchLogsExports" : [ String, ... ],
    "EnableIAMDatabaseAuthentication" : Boolean,
    "EnablePerformanceInsights" : Boolean,
    "Engine" : String,
    "EngineVersion" : String,
    "Iops" : Integer,
    "KmsKeyId" : String,
    "LicenseModel" : String,
    "MasterUsername" : String,
    "MasterUserPassword" : String,
    "MaxAllocatedStorage" : Integer,
    "MonitoringInterval" : Integer,
    "MonitoringRoleArn" : String,
    "MultiAZ" : Boolean,
    "OptionGroupName" : String,
    "PerformanceInsightsKMSKeyId" : String,
    "PerformanceInsightsRetentionPeriod" : Integer,
    "Port" : String,
    "PreferredBackupWindow" : String,
    "PreferredMaintenanceWindow" : String,
    "ProcessorFeatures" : [ ProcessorFeature, ... ],
    "PromotionTier" : Integer,
    "PubliclyAccessible" : Boolean,
    "SourceDBInstanceIdentifier" : String,
    "SourceRegion" : String,
    "StorageEncrypted" : Boolean,
    "StorageType" : String,
    "Tags" : [ Tag, ... ],
    "Timezone" : String,
    "UseDefaultProcessorFeatures" : Boolean,
    "VPCSecurityGroups" : [ String, ... ]
  }
}
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Resources" : {
    "myS3Bucket" : {
      "Type" : "AWS::S3::Bucket",
      "DeletionPolicy" : "Retain"
    }
  }
}

Best Practices


Create change sets before updating your stacks

Change sets allow you to see how proposed changes to a stack might impact your running resources before you implement them. AWS CloudFormation doesn’t make any changes to your stack until you run the change set, allowing you to decide whether to proceed with your proposed changes or create another change set.

Use change sets to check how your changes might impact your running resources, especially for critical resources. For example, if you change the name of an Amazon RDS database instance, AWS CloudFormation will create a new database and delete the old one; you will lose the data in the old database unless you’ve already backed it up. If you generate a change set, you will see that your change will replace your database. This can help you plan before you update your stack. For more information, see Updating stacks using change sets.


Use stack policies

Stack policies help protect critical stack resources from unintentional updates that could cause resources to be interrupted or even replaced. A stack policy is a JSON document that describes what update actions can be performed on designated resources. Specify a stack policy whenever you create a stack that has critical resources.

During a stack update, you must explicitly specify the protected resources that you want to update; otherwise, no changes are made to protected resources. For more information, see Prevent updates to stack resources.
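The change-set and stack-policy sections above fit together: a change set tells you that renaming the RDS instance means Update:Replace, and a stack policy decides whether that action is permitted at all. The evaluator below, added here as an example and not code from AWS or the CloudFormation service, applies the documented rules to a constructed stack policy: once a policy exists every resource is protected unless a statement allows the action, and an explicit Deny overrides any Allow. Condition blocks are not modelled.

```python
import fnmatch
import json

# Constructed stack policy (not from the page): allow every update action on every
# resource, but forbid replacing or deleting the logical resource "ProdDB".
SAMPLE_STACK_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
         "Principal": "*", "Resource": "LogicalResourceId/ProdDB"},
    ]
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, logical_id, action):
    # Resources are matched as "LogicalResourceId/<id>"; "*" wildcards are allowed
    # in both the Action and the Resource fields.
    resource = "LogicalResourceId/" + logical_id
    return (any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(statement["Resource"])))


def evaluate_change(policy_text, proposed_actions):
    """proposed_actions: (logical_id, action) pairs, as a change set would report them.
    Returns {(logical_id, action): "Allow" | "Deny"}."""
    statements = json.loads(policy_text)["Statement"]
    verdicts = {}
    for logical_id, action in proposed_actions:
        effects = {s["Effect"] for s in statements if _matches(s, logical_id, action)}
        if "Deny" in effects:          # explicit Deny always wins
            verdicts[(logical_id, action)] = "Deny"
        elif "Allow" in effects:
            verdicts[(logical_id, action)] = "Allow"
        else:                          # nothing allows it: protected by default
            verdicts[(logical_id, action)] = "Deny"
    return verdicts


if __name__ == "__main__":
    # Scenario from the text: a DB identifier change replaces the instance; a web
    # server replacement and an in-place DB modification are not blocked.
    proposed = [("ProdDB", "Update:Replace"), ("ProdDB", "Update:Modify"),
                ("WebServer", "Update:Replace")]
    for key, verdict in evaluate_change(SAMPLE_STACK_POLICY, proposed).items():
        print(key, "->", verdict)
```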