There is a LOT to CloudFormation! This is the second article continuing my DevOps Pro study series. Part 1 of CloudFormation can be found here.
You can import SSM Parameter Store values – specify a Systems Manager parameter key as the value of the SSM parameter, and CloudFormation gets the value from Parameter Store to use in the deployment
CloudFormation can leverage SSM public parameters to do things like getting the latest amazon Linux distro.
When using CF to deploy Lambdas – use S3 bucket with version control enabled to deploy code changes. Changes to a deployment package in Amazon S3 are not detected automatically during stack updates. To update the function code, change the object key or version in the template.
Custom resources (Lambda) use cases (1) an AWS service CF doesn’t yet cover (2) on-premises resources (3) empty out an S3 bucket before deletion (4) Fetch an AMI ID. The lambda will invoke only on Create, Update, or Delete event – not every template run.
Performing drift detection on a stack determines whether the stack has drifted from its expected template config. It returns detailed information about the drift status of each resource in the stack (that supports drift detection). You cannot fix drift from here, it simply tells you what’s changed:
Know the Stack status codes – especially
Read the article Continue Rolling Back an Update for AWS CloudFormation stacks in the UPDATE_ROLLBACK_FAILED state and the Troubleshooting section of the user guide.
InsufficientCapabilitiesException means you didn’t tick the”I acknowledge that AWS CloudFormation might create IAM resources.” checkbox 🙂
The cfn-hup helper is a daemon that detects changes in resource metadata and runs user-specified actions when a change is detected. This allows you to make configuration updates on your running Amazon EC2 instances through the
UpdateStack API action. Default interval to check for changes to the resource metadata is 15 minutes. Can implement metadata changes inside of an EC2 instances without terminating the instance.
Use stack policies to prevent updates to stack resources. Looks like an IAM policy 🙂
Thank you Chris