Differences

This shows you the differences between two versions of the page.

--- cloud:aws:cloudformation [2023/12/05 12:29] – skipidar
+++ cloud:aws:cloudformation [2023/12/05 15:02] (current) – skipidar
@@ Line 3: / Line 3: @@
 ==== Why is Terraform better? ====
- - "Cloudformation" relies on uploads of substacks to S3 , whereas terraform just deploys everything from the folder
+  *  "Cloudformation" relies on uploads of substacks to S3 , whereas terraform just deploys everything from the folder
- - "Cloudformation" is not enough verbose on errors and changes. Terraform generates accurate changesets in human readable files.
+  *  "Cloudformation" is not enough verbose on errors and changes. Terraform generates accurate changesets in human readable files.
- - "Cloudformation" has problems with versioning and deploying multiple versions of same resource. Terraform uses
+  *  "Cloudformation" has problems with versioning and deploying multiple versions of same resource. Terraform uses
+  * CloudFormation has a very NOT user friendly lifecycle. Forcing to "is in ROLLBACK_COMPLETE state and can not be updated"
+  * Minor. Cloudformation "deploy", "create-stack" and all the historical errors are still there with broken signatures. E.g.  ''file:/ '' required for create-stack or validate-stack, but no for deploy
+  * Cloudformation support of moving resources between stacks is very chatty
+==== Deploying with cloudformation ====
+If using nested-stacks first you need a bucket,
+into which you will package nested stacks.
+<sxh yaml>
+AWSTemplateFormatVersion: '2010-09-09'
+Description: AWS template for SiteWise demo
+Resources:
+  MyS3SubstackBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: my-alf-s3-package-bucket-2023-12-05
+      AccessControl: Private
+      Tags:
+        - Key: Purpose
+          Value: CF stacks bucket
+  MyBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref MyS3SubstackBucket
+      PolicyDocument:
+        Statement:
+          - Sid: AllowCloudFormationAccess
+            Effect: Allow
+            Principal:
+              Service: cloudformation.amazonaws.com
+            Action: s3:*
+            Resource: !Join
+              - ''
+              - - 'arn:aws:s3:::'
+                - !Ref MyS3SubstackBucket
+                - /*
+</sxh>
+now deploy the bucket
+<sxh shell>
+FILENAME="seed.cloudformation.yaml"
+STACKNAME="MySeedStackName"
+REGION="eu-west-1"
+# validate
+aws cloudformation validate-template --template-body file://$FILENAME
+# check the change set
+aws cloudformation deploy --stack-name $STACKNAME --template-file $FILENAME --region $REGION --no-execute-changeset
+# execute via "deploy" which automatically creates / updates stack
+aws cloudformation deploy --stack-name $STACKNAME --template-file $FILENAME --region $REGION
+# delete stack
+# aws cloudformation delete-stack --stack-name $STACKNAME
+</sxh>
+parent1.cloudformation.yaml
+<sxh yaml>
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Provision a SG
+Parameters:
+  VpcIdParameter:
+    Type: String
+    Default: "vpc-01eb7fd6f29cea57b"
+  packageBucket:
+    Type: String
+    Default: "my-alf-s3-package-bucket-2023-12-05"
+Resources:
+  SubStack1:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: "substack.helloworld.cloudformation.yaml"
+      Parameters:
+        VpcId: !Ref VpcIdParameter
+</sxh>
+substack.helloworld.cloudformation.yaml
+<sxh yaml>
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Provision a SG
+Parameters:
+  VpcId:
+    Type: String
+Resources:
+  MySecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: MySecurityGroup
+      VpcId: !Ref VpcId
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          FromPort: 80
+          ToPort: 80
+          CidrIp: 0.0.0.0/0 # Example: Allowing HTTP traffic from anywhere (Please adjust for your use case)
+      Tags:
+        - Key: Name
+          Value: MySecurityGroup
+</sxh>
+now you can package the stack
+  * the sub-stacks will end up in the package-bucket.
+  * a new file `packaged-root-template.yaml` is generated, where the `TemplateURL` field is replaced by s3 references.
+  * you can deploy the parent stack and see nested stacks being deployed too.
+<sxh shell>
+set -e
+FILENAME="parent1.cloudformation.yaml"
+STACKNAME="MyParentStackName"
+REGION="eu-west-1"
+PACKAGEBUCKET="my-alf-s3-package-bucket-2023-12-05"
+# validate
+# aws cloudformation validate-template --template-body file://$FILENAME
+# package uploading substacks
+rm packaged-root-template.yaml
+aws cloudformation package --template-file $FILENAME --s3-bucket $PACKAGEBUCKET  --output-template-file packaged-root-template.yaml --region $REGION
+# check the change set, dont execute :  "no-execute-changeset"
+# aws cloudformation deploy --stack-name $STACKNAME --template-file $FILENAME --region $REGION --no-execute-changeset
+# arn of change set is printed, here arn:aws:cloudformation:eu-west-1:913372342854:changeSet/awscli-cloudformation-package-deploy-1701783364/21bb1e0c-a0ea-41ca-9edd-5a7ab989b3a5
+# can see change-set
+# aws cloudformation describe-change-set --change-set-name arn:aws:cloudformation:eu-west-1:913372342854:changeSet/awscli-cloudformation-package-deploy-1701783364/21bb1e0c-a0ea-41ca-9edd-5a7ab989b3a5  --region $REGION
+# can continue via
+# aws cloudformation execute-change-set --change-set-name arn:aws:cloudformation:eu-west-1:913372342854:changeSet/awscli-cloudformation-package-deploy-1701783364/21bb1e0c-a0ea-41ca-9edd-5a7ab989b3a5  --region $REGION
+# execute via "deploy" which automatically creates / updates stack
+aws cloudformation deploy --stack-name $STACKNAME --template-file packaged-root-template.yaml --region $REGION  --parameter-overrides VpcIdParameter="vpc-01eb7fd6f29cea57b"
+# delete stack
+# aws cloudformation delete-stack --stack-name $STACKNAME
+</sxh>