Operations Management

Practicing Infrastructure as Code with AWS CloudFormation - Template Design and Stack Management

Define infrastructure with templates and preview impact with change sets before deployment. Detect configuration drift with drift detection and deploy across your entire organization with StackSets.

約 3 分で読めます

Overview of CloudFormation

CloudFormation is an IaC service that defines AWS resources in templates and provisions them as stacks. Compared to manual resource creation, it delivers environment reproducibility, version control, and automation. SAM is an extension of CloudFormation that simplifies the definition of serverless applications.

Template Design and Stack Management

Templates define Parameters (up to 200) for deployment-time input values, Mappings for environment-specific settings, and Conditions for conditional logic. A single stack can manage up to 500 resources; when this limit is exceeded, nested stacks are used for partitioning. Change sets are created before stack updates to preview which resources will be added, modified, or deleted. Resources that trigger replacement cause temporary service interruption, making change set review critical. Nested stacks split components such as VPCs, security groups, and databases into separate templates, referenced from a parent template.

Drift Detection and StackSets

Drift detection identifies whether stack resources have deviated from their template definitions. Manual console operations or script-based changes are detected as drift, and you can review the differences from the template. Automate periodic drift detection with EventBridge schedules to catch configuration deviations early. StackSets deploy the same template across multiple accounts and regions in a single operation. With Organizations integration, deployments are automated at the OU level. When a new account is added to an OU, the StackSet is automatically deployed, preventing gaps in guardrail coverage. For a systematic study of IaC, related books on Amazon can also be a useful reference.

CloudFormation Pricing and Efficiency

CloudFormation itself incurs no additional charges. Costs are limited to the usage fees of the provisioned AWS resources. Managing third-party resources incurs per-handler-operation charges per resource. To improve template development efficiency, use CloudFormation Linter (cfn-lint) to catch syntax errors early, and review change sets to confirm the impact before deployment. Reuse common resources (VPCs, security groups) with nested stacks to eliminate template duplication. The Rain CLI can streamline template formatting and deployment.

Summary

CloudFormation is a template-based IaC service that delivers infrastructure reproducibility and automation. Change sets let you preview impact before deployment, and drift detection catches configuration deviations. StackSets deploy templates across your entire organization, automating multi-account, multi-region infrastructure management.

Related Services

AWS CloudFormationAn IaC service that defines and provisions AWS resources as code using templatesAmazon S3A scalable object storage serviceAWS LambdaA serverless compute service that runs code without server management

Related Articles

Visually Design Serverless Applications with AWS Application Composer - Automatic IaC Template GenerationLearn about visual design of serverless architectures with Application Composer, automatic SAM template generation, and VS Code integration.IaC with Programming Languages Using AWS CDK - Designing Constructs and StacksLearn about defining infrastructure with TypeScript/Python using CDK, choosing between L1/L2/L3 constructs, and testing techniques.Platform Engineering with AWS Proton - Self-Service Infrastructure Template DeliveryLearn about Proton's infrastructure template management, separation of environments and services, and developer self-service design.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

How Far Does CloudFormation Drift Detection See - How It Tracks Manual Changes and Its LimitationsLearn how CloudFormation drift detection internally compares the current state of resources with the expected state defined in templates, the boundary between detectable and undetectable changes, and strategies for drift remediation.AWS CloudFormationAn Infrastructure as Code service that lets you define and manage AWS infrastructure using JSON or YAML templates, handling the entire lifecycle of resources as a single stackWhat Happens During a CloudFormation Stack Update - Behind Change Sets, Rollbacks, and ReplacementsLearn about the internal processing flow when CloudFormation updates a stack, including how change sets detect differences, the logic behind resource update, replacement, and deletion decisions, and how rollbacks work.AWS IaC Maturity - The Advantage of Declarative Infrastructure Management with CloudFormation, CDK, and SAMExamine the maturity of AWS's Infrastructure as Code ecosystem centered on CloudFormation, CDK, and SAM, compared with Azure ARM/Bicep and GCP Deployment Manager, and how CDK's multi-language support transforms the developer experience.