Writing my first CloudFormation Template in AWS

2021.12.10

This article was published more than a year ago. Please be aware that the information may be out of date.

For my first project I used CloudFormation, one of several tools for provisioning AWS resources. Here are some suggestions for using CloudFormation more efficiently and safely, from writing the template to deploying it.

Before you start writing templates, set up the tools that catch mistakes early. Two open-source tools help you produce valid and dependable templates before anything is deployed.

cfn-lint

cfn-lint is an open-source command-line tool that validates CloudFormation YAML/JSON templates against the AWS CloudFormation Resource Specification and additional rules. It checks that resource properties have the right names and types and flags departures from best practices.

cfn-nag

cfn-nag is an open-source command-line tool that statically analyses CloudFormation templates for insecure infrastructure. It flags IAM policies and security group rules that are overly permissive (wildcard actions and resources, ingress open to 0.0.0.0/0), literal passwords in templates, and resources with access logging or encryption not enabled.
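The kind of finding cfn-nag produces, as an added example that is not part of the original post: one template that puts a weak resource beside its hardened counterpart for each class of issue listed above. The resource names, the parameter names and the assumption that an administrator CIDR is supplied at deploy time are mine, not the author's.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example, not from the original post. Each Weak* resource carries a
# misconfiguration of the kind cfn-nag reports; the Hardened* resource beside
# it shows the fix. Scan with: cfn_nag_scan --input-path weak-vs-hardened.yaml
Description: Weak and hardened versions of the same resources, side by side

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AdminCidr:
    Type: String
    Description: Source range allowed to reach SSH (assumed, supplied at deploy time)
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR such as 203.0.113.0/24

Resources:
  # Weak: SSH open to the whole Internet. With no SecurityGroupEgress block
  # the group also receives the default allow-all outbound rule.
  WeakSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from anywhere
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

  # Hardened: ingress limited to a known range, egress stated explicitly.
  HardenedSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from the admin range only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # Weak: a wildcard action on a wildcard resource is full administrator access.
  WeakInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: do-anything
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: "*"
                Resource: "*"

  # Hardened: only the action the instance needs, only on the bucket it needs.
  HardenedInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-artifacts
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "${ArtifactBucket.Arn}/*"

  # Encryption at rest stated explicitly and public access blocked; a bare
  # AWS::S3::Bucket with no Properties is what the weak version looks like.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
```

Running cfn_nag_scan on this file reports the Weak* resources as failures; the hardened versions clear those particular findings. cfn-nag may still warn about other things, for example egress to 0.0.0.0/0 even on port 443, or a bucket without access logging. Treat those as decisions to make, document and, where accepted, suppress explicitly through the per-resource Metadata suppressions cfn-nag supports. Do not silence the egress warning by deleting the egress block: an absent block does not remove the access, it silently restores the default allow-all outbound rule.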

Best Practices for CloudFormation

HardCoded Names

When you deploy through Continuous Integration and Continuous Deployment, you will often create the same stack several times in one account or region. Some resources have names that must be unique across the whole account (IAM roles, for example, because IAM is a global service), so a hardcoded name makes the second stack fail with an "already exists" error. Instead of hardcoding names, omit them and let CloudFormation generate unique ones, use tags to identify resources, or build the name from a parameter or the stack name used as a prefix.

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  EnvPrefix:
    Type: String
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      # IAM names are account-wide; the prefix keeps two stacks from colliding.
      # A custom RoleName also requires CAPABILITY_NAMED_IAM at deploy time;
      # omit RoleName entirely to let CloudFormation generate a unique name.
      RoleName: !Sub ${EnvPrefix}-role
      # Required by AWS::IAM::Role: who may assume the role (Lambda here).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole

Validate your Template

Validate your templates against the AWS CloudFormation Resource Specification and scan them for insecure infrastructure before every deployment. cfn-lint and cfn-nag automate both checks, so run them in your CI pipeline rather than only on your own machine.

Use allowed Parameters and values

To stop bad input before anything is deployed, use AWS-specific parameter types (for example AWS::EC2::VPC::Id) for parameters that refer to resources that already exist: CloudFormation checks that the value exists in the target account and region when the stack is created or updated, so a typo fails immediately instead of part-way through a deployment. For values that do not refer to existing resources, constrain them with AllowedValues or AllowedPattern, and add a ConstraintDescription so the error message says what was expected.

That raises the question of where to find the allowed values: is the documentation enough?

In my experience it is not; some properties are poorly documented, and many have defaults that the documentation does not make obvious. What helped me was creating the resource once in the console to see which properties the service exposes and which already have defaults; a property with a default does not have to appear in the template. This also helps you understand the service you are about to model in CloudFormation.
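A template that applies the rule above, as an added example that is not part of the original post: parameters for existing resources use AWS-specific types, parameters for new values use AllowedValues or AllowedPattern with a ConstraintDescription, and the AMI is resolved from a public SSM parameter instead of being hardcoded. The parameter names, the allowed values and the instance types are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example, not from the original post. Parameter names, allowed values
# and instance types are assumptions for illustration.
Description: Parameter constraints that reject bad input before any resource is created

Parameters:
  # Existing resources: AWS-specific types. CloudFormation verifies that the
  # value exists in the target account and region when the stack is created or
  # updated, so a typo fails immediately instead of mid-deployment.
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  # No hardcoded AMI ID: resolve the current Amazon Linux 2023 image from the
  # public SSM parameter at deploy time, typed so the result must be an image ID.
  ImageId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

  # Values that are not existing resources: a fixed set of choices...
  Environment:
    Type: String
    AllowedValues: [dev, stg, prod]
    Default: dev
  InstanceType:
    Type: String
    AllowedValues: [t3.micro, t3.small]
    Default: t3.micro
  # ...or a pattern, with a ConstraintDescription so the deploy error says what
  # was expected instead of only "does not match pattern".
  ServiceName:
    Type: String
    AllowedPattern: '^[a-z][a-z0-9-]{2,31}$'
    ConstraintDescription: 3 to 32 lowercase letters, digits or hyphens, starting with a letter

Resources:
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      SubnetId: !Select [0, !Ref SubnetIds]
      Tags:
        # Name is derived from validated parameters, never typed by hand.
        - Key: Name
          Value: !Sub "${ServiceName}-${Environment}"
        - Key: Environment
          Value: !Ref Environment
```

With these constraints a mistyped VPC ID, a subnet from another region or an environment name outside the allowed set is rejected at create-stack time, before CloudFormation provisions anything that would later have to be rolled back.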

Pay attention to tabs.

Tabs caused many problems in my first template. YAML does not allow tabs for indentation, so a single tab where spaces are expected makes the template fail to parse. Once I installed cfn-lint, such errors were easy to spot.
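A pre-deploy gate that covers both of the points above, validation and tabs, as an added example that is not part of the original post: a POSIX shell script that rejects templates containing tab characters, then runs cfn-lint and cfn_nag_scan on them. It assumes both tools are installed on the CI runner and treats a missing tool as a failure rather than a skip.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-deploy gate for
# CloudFormation templates. Assumes cfn-lint and cfn_nag_scan are installed
# on the CI runner; a missing tool fails the gate instead of skipping a check.

# Succeed only if FILE exists and contains no tab characters. YAML forbids
# tabs for indentation, so a single tab where spaces are expected is a parse
# error; every offending line is reported with its line number.
check_no_tabs() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "error: no such file: $file" >&2
        return 1
    fi
    tab=$(printf '\t')
    if grep -nF "$tab" "$file"; then
        echo "error: tab characters in $file (lines above); YAML indentation must use spaces" >&2
        return 1
    fi
    return 0
}

# Run the tab check, the linter and the security scanner in turn; the first
# failure stops the chain and fails the gate.
validate_template() {
    file="$1"
    check_no_tabs "$file" || return 1
    cfn-lint "$file" || return 1
    cfn_nag_scan --input-path "$file" || return 1
    echo "ok: $file passed cfn-lint and cfn_nag_scan"
}

# Usage: ./validate.sh template1.yaml [template2.yaml ...]
if [ "$#" -gt 0 ]; then
    status=0
    for template in "$@"; do
        validate_template "$template" || status=1
    done
    exit "$status"
fi
```

Wire it in as a CI step or a pre-commit hook; the only successful exit is one where every check ran and passed. The tab check is kept separate from cfn-lint on purpose: a tab produces a YAML parse error that stops cfn-lint before it reports anything else, whereas a plain grep points straight at the offending line.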

Short Syntax

Use the short-form syntax for intrinsic functions wherever you can; the main case where you cannot is nesting one short-form function directly inside another, where one of the two has to be written in full form. Short form is much easier to read than the full function name syntax.

# Easy to read
Arn: !GetAtt DynamoDBTable.Arn

# Hard to read
Arn:
  Fn::GetAtt:
    - DynamoDBTable
    - Arn

Comments

Comments are important in CloudFormation; without them a template is hard to understand. YAML templates accept # comments anywhere (JSON templates cannot carry comments at all), and writing them makes your own job and that of everyone working with you a lot simpler.

Use existing CloudFormation templates.

There is a good chance you will need similar sets of templates for different situations, and you no longer have to start from scratch each time. Start from an existing template that describes the infrastructure you need, then adapt it with parameters and conditions. That lets you stand up the same resources quickly in several environments and regions, and because templates are portable you can share them with other teams in your organisation.

Here, you can find many such re-usable templates.

Conclusion

Working with CloudFormation is not hard, but it requires close attention to detail. I made a lot of mistakes: wrong AZ IDs, inconsistent tags and naming, tab characters in indentation, incorrect port numbers and, worst of all, incorrect property names. To avoid such mistakes you need to practise and observe, and always validate the template before deploying it.

The best practices above are the ones I ran into trouble with; there is more to writing a good CloudFormation template, which you will discover as you go further down the road.

References

  1. https://github.com/aws-cloudformation/cfn-lint
  2. https://github.com/stelligent/cfn_nag
  3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html