Skip to content

Latest commit

 

History

History
175 lines (123 loc) · 5.84 KB

aws-cloudformation.md

File metadata and controls

175 lines (123 loc) · 5.84 KB

AWS CloudFormation

Validate

Validate a file:

aws cloudformation validate-template --template-body file://./infra/cloudformation/resources.yml

Create change set

aws cloudformation create-change-set --stack-name my-iam-stack --template-body file://./infra/cloudformation/iam.yaml --change-set-name cool-new-stuff --capabilities CAPABILITY_NAMED_IAM

Describe change set by arn

aws cloudformation describe-change-set --change-set-name arn:aws:cloudformation:us-east-1:$ACCOUNTID:changeSet/$CHANGESETNAME/$ID

Describe change set by name

aws cloudformation describe-change-set --change-set-name $CHANGESETNAME --stack-name $STACKNAME

Delete change set by name

aws cloudformation delete-change-set --change-set-name $CHANGESETNAME --stack-name $STACKNAME

Deploy

deploy - creates a changeset then executes it, so it can be used to both create and update an existing stack. Has a more friendly way of supplying stack parameters and tags. Can't be used to specify a stack policy. create-stack - creates a new stack directly, doesn't use change sets update-stack - updates an existing stack directly, doesn't use change sets. Unlike deploy can specify a stack policy. create-change-set - creates a changeset set-stack-policy - sets the policy on an existing stack

eg:

aws cloudformation deploy --template-file resources.yml --stack-name my-resources

To create the changeset and leave it in state "REVIEW_IN_PROGRESS" but not execute it (note the stack description will be empty until executed):

tags="Key1=Value1"
params="Param1=Value1"
aws cloudformation deploy \
    --template-file resources.yml \
    --stack-name my-resources \
    --parameter-overrides $(params) \
    --tags $(tags) \
    --capabilities CAPABILITY_IAM \
    --no-execute-changeset

NB: Params not specified in parameter-overrides will not be changed and left as is.

To execute it you can re-run deploy without --no-execute-changeset or run:

aws cloudformation execute-change-set --change-set-name awscli-cloudformation-package-deploy-1530503047

To see stack events in a table:

aws cloudformation describe-stack-events --stack-name aws-lambda-scala-dev | jq -r '.StackEvents[] | [.ResourceStatus, .LogicalResourceId, .ResourceStatusReason] | @tsv' | column -t -s $'\t'

To update a stack and the stack policy:

aws cloudformation update-stack                                         \
    --template-body file://packaged.yml                                 \
    --stack-name $(stackName)                                           \
    --capabilities CAPABILITY_IAM                                       \
    --parameters $(params)                                              \
    --tags $(tags)                                                      \
    --stack-policy-body file://src/main/cloudformation/policy.json

To delete a stack, and wait for it to complete

aws cloudformation delete-stack --stack-name $(stackName)
aws cloudformation wait stack-delete-complete --stack-name $(stackName)

Package

When you have specified a local artifact eg:

SomeFunction:
    Type: AWS::Lambda::Function
    Properties:
      # relative paths are relative to the cloudformation yaml
      Code: target/somefunction-1.0-SNAPSHOT.jar

Use package to upload the artifact to S3 then return a new version of your template file containing the s3 location:

aws cloudformation package \
        --template-file stack.yaml \
        --output-template-file package.yml \
        --s3-bucket BUCKET \
        --s3-prefix PREFIX

This will upload target/somefunction-1.0-SNAPSHOT.jar to s3://BUCKET)/PREFIX/md5sum, where md5sum is generated by the package command, and return your template with the location substituted, eg:

  Lambda:
    Properties:
      Code:
        S3Bucket: BUCKET
        S3Key: PREFIX/713be747f5dff46c9573e2775872ee31

Package will check if a object (ie: file with the same md5sum) already exists, skipping the upload if it does.

See package.py

Inspect

Read the Environment parameter from a stack (specified using the stack id)

aws cloudformation describe-stacks --stack-name arn:aws:cloudformation:ap-southeast-2:123456789012:stack/mystack/d1391000-9baf-11e8-896d-50fa575f6862 | jq '.Stacks[].Parameters[] | select(.ParameterKey == "Environment")'

To see which stack a resource belongs to you from its PhysicalResourceId (ARN), eg:

aws cloudformation describe-stack-resources --physical-resource-id arn:aws:ec2:ap-southeast-2:123456789012:security-group/sg-409f1239 | jq -r '.StackResources[0].StackName'

To list resources in a stack

aws cloudformation describe-stack-resources --stack-name mystack

Troubleshooting

Cloudformation tries to recreate an existing resource

This can happen when a resource has been disassociated from the stack but still exist.

Resources can be disassociated when they are removed from the template, the stack is updated and:

  • the resource had DeletionPolicy: Retain set. When this happen the stack events will show DELETED_SKIPPED
  • deletion was attempted but failed three times (eg: because of an authorization failure)

YAML

Outputs

Get output of nameservers (note - doesn't include the final dot)

Outputs:
  NameServers:
    Description: NameServers
    Value: !Join [ ",", !GetAtt CloudHostedZone.NameServers ]