Skip to content

AWS CloudFormation Best practices

AWS CloudFormation Best practices
AWS CloudFormation Best practices are based upon real-world experience of current AWS CloudFormation customers
AWS CloudFormation’s Best Practices provide guidelines for how to plan and organize stacks.
Create templates that describe the resources and the software programs that run on them.
Manage stacks and their resources. This is a requirement for the DevOps Professional, SysOps Associate and Developer exams
Planning and organizing
Organize Your Stacks Using Lifecycle and Ownership
To help you decide which resources should be in each stack, consider the ownership and lifecycle of AWS resources.
Owners can make changes to their resources by grouping resources with similar lifecycles and ownership. They can also use their own process and schedule to make them more efficient without affecting other resources.
For example, Consider an Application that uses both Web and Database instances. Both the Database and the Web have a lifecycle that is different and often the ownership is shared by different teams. Complexity would result if both were managed in the same stack. This would require communication and coordination between teams. It is best to have multiple stacks owned by different teams so they can update their resources without affecting each other’s stack. Cross-Stack references are useful for exporting shared resources
Multiple stacks often require the need to refer to resources and values across stacks.
Cross-stack reference to export resources from a stack for other stacks
Stacks can call the Fn.:ImportValue function to access the exported resources.
For example. For example, the Web stack would always require resources from the Network stack such as VPC, Subnets, etc. Use IAM to Control Access
You can use IAM to restrict access to what AWS CloudFormation actions you can perform such as viewing stack templates, creating and deleting stacks
What actions CloudFormation can take on resources for them
Access to CloudFormation is not a guarantee of access to AWS resources. This must be done separately.
A service role is used to separate permissions between the user and AWS CloudFormation service. Verify Quotas on All Resource Types
Make sure that the stack can create all required resources without exceeding the AWS account limit.
Use templates to duplicate infrastructure in multiple environments
To customize and make templates reusable, use parameters, mappings, or conditions sections
For example, For example, you can create the same stack in development, staging, and production environments with different instance types and instance counts.
Nested stacks are stacks which create other stacks.
Nested stacks are able to separate the common patterns and components, creating dedicated templates that can be copied across stacks.
For example, For example, a standard load balancer configuration could be created as a nested stack and used only by other stacks.
Do not embed credentials in your templates
When you create or update a stack, use input parameters to enter sensitive information such as the DB password.
To obscure the parameter value, use the NoEcho property.
Use AWS-specific parameters types to access existing AWS-specific values such as Virtual Private Cloud IDs and EC2 key pairs names.
AWS CloudFormation will quickly validate AWS-specific parameters types before creating your stack.
Parameter constraints are used to describe allowed input values. CloudFormation will catch any invalid values before creating stacks.
For example. constraints for database user name with min and max lengthUse AWS::CloudFormation::Init to Deploy Software Applications on Amazon EC2 Instances
Use AWS::CloudFormation::Init resource and the cfn-init help