Validate a template file:
aws cloudformation validate-template --template-body file://./infra/cloudformation/resources.yml
Create a change set for an IAM template (requires --capabilities CAPABILITY_NAMED_IAM):
aws cloudformation create-change-set --stack-name my-iam-stack --template-body file://./infra/cloudformation/iam.yaml --change-set-name cool-new-stuff --capabilities CAPABILITY_NAMED_IAM
Describe a change set by ARN:
aws cloudformation describe-change-set --change-set-name arn:aws:cloudformation:us-east-1:$ACCOUNTID:changeSet/$CHANGESETNAME/$ID
Describe a change set by name:
aws cloudformation describe-change-set --change-set-name $CHANGESETNAME --stack-name $STACKNAME
Delete a change set by name:
aws cloudformation delete-change-set --change-set-name $CHANGESETNAME --stack-name $STACKNAME
Subcommands:
deploy - creates a change set then executes it, so it can be used to both create and update an existing stack. Has a friendlier way of supplying stack parameters and tags. Can't be used to specify a stack policy.
create-stack - creates a new stack directly, doesn't use change sets.
update-stack - updates an existing stack directly, doesn't use change sets. Unlike deploy, it can specify a stack policy.
create-change-set - creates a change set.
set-stack-policy - sets the policy on an existing stack.
e.g.:
aws cloudformation deploy --template-file resources.yml --stack-name my-resources
To create the change set and leave the stack in state "REVIEW_IN_PROGRESS" without executing it (note the stack description will be empty until executed):
tags="Key1=Value1"
params="Param1=Value1"
aws cloudformation deploy \
--template-file resources.yml \
--stack-name my-resources \
--parameter-overrides $params \
--tags $tags \
--capabilities CAPABILITY_IAM \
--no-execute-changeset
NB: parameters not specified in --parameter-overrides will not be changed and are left as is.
To execute it you can re-run deploy without --no-execute-changeset, or run execute-change-set (a plain change set name needs --stack-name as well; an ARN does not):
aws cloudformation execute-change-set --change-set-name awscli-cloudformation-package-deploy-1530503047 --stack-name my-resources
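Before executing a change set it is worth knowing whether it deletes or replaces anything, or touches IAM. The review gate below is an added example, not part of these notes or of the AWS CLI: it reads the JSON printed by describe-change-set on stdin and exits non-zero when a change needs a human look. The embedded sample change set is constructed, and its logical ids are placeholders.

```python
import json
import sys

# Constructed sample of `aws cloudformation describe-change-set` output
# (not captured from a real account); logical ids are placeholders.
SAMPLE_CHANGE_SET = {
    "Status": "CREATE_COMPLETE",
    "Changes": [
        {"ResourceChange": {"Action": "Modify", "LogicalResourceId": "ApiFunction",
                            "ResourceType": "AWS::Lambda::Function", "Replacement": "False"}},
        {"ResourceChange": {"Action": "Modify", "LogicalResourceId": "AppTable",
                            "ResourceType": "AWS::DynamoDB::Table", "Replacement": "True"}},
        {"ResourceChange": {"Action": "Add", "LogicalResourceId": "DeployRole",
                            "ResourceType": "AWS::IAM::Role"}},
        {"ResourceChange": {"Action": "Remove", "LogicalResourceId": "OldBucket",
                            "ResourceType": "AWS::S3::Bucket"}},
    ],
}


def risky_changes(change_set):
    """Return (logical id, reason) for each change worth reviewing before execute-change-set."""
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange", {})
        lid, rtype = rc.get("LogicalResourceId", "?"), rc.get("ResourceType", "")
        if rc.get("Action") == "Remove":
            findings.append((lid, "resource will be deleted"))
        elif rc.get("Replacement") in ("True", "Conditional"):
            # A replacement destroys the old physical resource (data, ARN, security-group id).
            findings.append((lid, f"{rc.get('Action')} replaces the resource (Replacement={rc['Replacement']})"))
        if rtype.startswith("AWS::IAM::"):
            findings.append((lid, f"IAM change ({rtype}); review what the CAPABILITY_IAM grant allows"))
    return findings


def ok_to_execute(change_set):
    """True only when the change set built successfully and nothing needs review."""
    return change_set.get("Status") == "CREATE_COMPLETE" and not risky_changes(change_set)


if __name__ == "__main__":
    data = SAMPLE_CHANGE_SET if sys.stdin.isatty() else json.load(sys.stdin)
    for lid, reason in risky_changes(data):
        print(f"REVIEW {lid}: {reason}")
    sys.exit(0 if ok_to_execute(data) else 1)
```

Pipe the describe-change-set output into the script and only run execute-change-set when it exits 0, e.g. `aws cloudformation describe-change-set --change-set-name $CHANGESETNAME --stack-name $STACKNAME | python review_change_set.py && aws cloudformation execute-change-set ...`.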
To see stack events in a table:
aws cloudformation describe-stack-events --stack-name aws-lambda-scala-dev | jq -r '.StackEvents[] | [.ResourceStatus, .LogicalResourceId, .ResourceStatusReason] | @tsv' | column -t -s $'\t'
To update a stack and the stack policy:
aws cloudformation update-stack \
--template-body file://packaged.yml \
--stack-name $stackName \
--capabilities CAPABILITY_IAM \
--parameters $params \
--tags $tags \
--stack-policy-body file://src/main/cloudformation/policy.json
To delete a stack and wait for it to complete:
aws cloudformation delete-stack --stack-name $stackName
aws cloudformation wait stack-delete-complete --stack-name $stackName
When you have specified a local artifact, e.g.:
SomeFunction:
  Type: AWS::Lambda::Function
  Properties:
    # relative paths are relative to the cloudformation yaml
    Code: target/somefunction-1.0-SNAPSHOT.jar
use package to upload the artifact to S3 and return a new version of your template file containing the S3 location:
aws cloudformation package \
--template-file stack.yaml \
--output-template-file package.yml \
--s3-bucket BUCKET \
--s3-prefix PREFIX
This will upload target/somefunction-1.0-SNAPSHOT.jar to s3://BUCKET/PREFIX/md5sum, where md5sum is generated by the package command, and return your template with the location substituted, e.g.:
Lambda:
  Properties:
    Code:
      S3Bucket: BUCKET
      S3Key: PREFIX/713be747f5dff46c9573e2775872ee31
package will check if an object (i.e. a file with the same md5sum) already exists, skipping the upload if it does.
See package.py
Read the Environment parameter from a stack (specified using the stack id):
aws cloudformation describe-stacks --stack-name arn:aws:cloudformation:ap-southeast-2:123456789012:stack/mystack/d1391000-9baf-11e8-896d-50fa575f6862 | jq '.Stacks[].Parameters[] | select(.ParameterKey == "Environment")'
To see which stack a resource belongs to from its PhysicalResourceId (ARN), e.g.:
aws cloudformation describe-stack-resources --physical-resource-id arn:aws:ec2:ap-southeast-2:123456789012:security-group/sg-409f1239 | jq -r '.StackResources[0].StackName'
To list resources in a stack:
aws cloudformation describe-stack-resources --stack-name mystack
A resource may not be found in any stack when it has been disassociated from the stack but still exists.
Resources can be disassociated when they are removed from the template, the stack is updated and:
- the resource had DeletionPolicy: Retain set. When this happens the stack events will show DELETE_SKIPPED
- deletion was attempted but failed three times (e.g. because of an authorization failure)
Get output of nameservers (note - doesn't include the final dot):
Outputs:
  NameServers:
    Description: NameServers
    Value: !Join [ ",", !GetAtt CloudHostedZone.NameServers ]