AWS CloudFormation

An Infrastructure as Code service that lets you define and manage AWS infrastructure using JSON or YAML templates, handling the entire lifecycle of resources as a single stack

Overview

AWS CloudFormation is an Infrastructure as Code (IaC) service that automates the provisioning and management of AWS resources through code. You declaratively describe AWS resources such as VPCs, EC2 instances, RDS databases, and Lambda functions along with their configurations in JSON or YAML template files, and deploy them as a stack. CloudFormation automatically resolves dependencies between resources defined in the template and creates them in the correct order. The change set feature lets you preview which resources will be affected by template changes before applying them, preventing unintended modifications. The drift detection feature identifies discrepancies between manually modified resources and the template. When a stack is deleted, all resources are automatically cleaned up, making it especially useful during development and testing phases where environments are frequently created and destroyed. CloudFormation itself is free to use - you only pay for the resources it creates.

Key Template Sections and Intrinsic Functions

A CloudFormation template consists of several key sections: Parameters, Mappings, Conditions, Resources, and Outputs. Parameters are input values passed at deploy time, allowing you to dynamically configure settings like environment names or instance types - use AllowedValues and ConstraintDescription to validate inputs and provide clear error messages. Mappings are lookup tables for values that vary by region or environment, commonly used for region-specific AMI ID mappings with the Fn::FindInMap function. Conditions control resource creation based on criteria, such as enabling Multi-AZ only in production environments or provisioning a NAT Gateway only when private subnets are requested. Resources define the AWS resources included in the stack and form the core of the template - CloudFormation automatically resolves DependsOn relationships and creates resources in the correct order. Outputs define values that can be referenced after stack creation, such as endpoint URLs or resource ARNs, and can be exported for cross-stack references. Built-in intrinsic functions like Ref (reference parameters and resources), Fn::GetAtt (retrieve resource attributes), Fn::Sub (string substitution with variables), Fn::Join, Fn::Select, and Fn::If enable dynamic template composition.
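How these sections feed one another can be seen with a toy evaluator. This is an added example, not CloudFormation's own implementation or code from the page: it handles only the intrinsic functions named above, over a constructed template whose AMI ids are placeholders.

```python
# Added example, not AWS code: a toy evaluator for the template sections and
# intrinsic functions described above. CloudFormation does the real work at deploy
# time; this only shows how Parameters, Mappings and Conditions feed Ref,
# Fn::FindInMap, Fn::If and Fn::Sub. TEMPLATE is constructed; AMI ids are placeholders.
import json
import re

TEMPLATE = json.loads("""{
  "Parameters": {"Env": {"Type": "String", "AllowedValues": ["dev", "prod"],
                         "ConstraintDescription": "Env must be dev or prod"}},
  "Mappings": {"RegionAmi": {"us-east-1": {"Ami": "ami-PLACEHOLDER-EAST"},
                             "eu-west-1": {"Ami": "ami-PLACEHOLDER-WEST"}}},
  "Conditions": {"IsProd": {"Fn::Equals": [{"Ref": "Env"}, "prod"]}},
  "Resources": {
    "Db": {"Type": "AWS::RDS::DBInstance",
           "Properties": {"MultiAZ": {"Fn::If": ["IsProd", true, false]},
                          "DBInstanceIdentifier": {"Fn::Sub": "${Env}-db-${AWS::Region}"}}},
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId":
            {"Fn::FindInMap": ["RegionAmi", {"Ref": "AWS::Region"}, "Ami"]}}}
  }
}""")

def render(template, params, region):
    """Validate Parameters, then return Resources with intrinsic functions resolved."""
    for name, spec in template["Parameters"].items():        # AllowedValues check
        if params.get(name) not in spec.get("AllowedValues", [params.get(name)]):
            raise ValueError(spec.get("ConstraintDescription", f"invalid {name}"))

    def resolve(node):
        if isinstance(node, list):
            return [resolve(n) for n in node]
        if not isinstance(node, dict):
            return node                                      # literal value
        if "Ref" in node:                                    # parameter or pseudo parameter
            return region if node["Ref"] == "AWS::Region" else params[node["Ref"]]
        if "Fn::Equals" in node:
            left, right = resolve(node["Fn::Equals"])
            return left == right
        if "Fn::If" in node:                                 # branch on a named Condition
            cond, yes, no = node["Fn::If"]
            return resolve(yes if resolve(template["Conditions"][cond]) else no)
        if "Fn::FindInMap" in node:                          # two-level Mappings lookup
            map_name, top, second = resolve(node["Fn::FindInMap"])
            return template["Mappings"][map_name][top][second]
        if "Fn::Sub" in node:                                # ${Var} behaves like Ref Var
            return re.sub(r"\$\{([\w:]+)\}",
                          lambda m: str(resolve({"Ref": m.group(1)})), node["Fn::Sub"])
        return {k: resolve(v) for k, v in node.items()}

    return resolve(template["Resources"])
```

Rendering with `Env=prod` yields a Multi-AZ database, while `Env=staging` is rejected with the template's ConstraintDescription before anything is resolved.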

Safe Updates with Change Sets and Drift Detection

Change Sets are CloudFormation's mechanism for previewing the impact of template modifications before applying them. When you create a change set, CloudFormation analyzes the differences between the current stack and the proposed template, showing which resources will be added, modified, or replaced. This is critical because some property changes trigger resource replacement (e.g., changing an RDS instance's engine), which can cause data loss if not anticipated. Always review change sets for any resources marked as 'Replacement' before executing. Drift detection identifies discrepancies between the actual state of deployed resources and the template definition - for example, when someone manually modifies a security group rule through the console. Running drift detection regularly helps maintain infrastructure-as-code discipline and catch unauthorized changes. Setting stack policies to explicitly prevent updates or deletions of critical resources like production databases adds another safety layer. Azure Resource Manager (ARM) templates offer a similar What-If operation for previewing changes, but CloudFormation's change set workflow is more tightly integrated into the deployment process.
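The review step above can be automated as a pipeline gate. This added example (not AWS code and not from the page) inspects the JSON returned by `aws cloudformation describe-change-set` and flags every change that replaces or removes a resource, or touches a logical id the team has marked as protected; CHANGE_SET is a constructed response that uses the real API's field names with invented stack and resource names.

```python
# Added example, not AWS code: a CI gate over the JSON that
# `aws cloudformation describe-change-set` returns, flagging what the text says to
# review by hand before executing: replaced or removed resources, plus any change
# to a protected logical id. CHANGE_SET is constructed; names are invented.
import json

CHANGE_SET = json.loads("""{
  "StackName": "example-stack",
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "AppDb",
      "ResourceType": "AWS::RDS::DBInstance", "Replacement": "True",
      "Details": [{"Target": {"Attribute": "Properties", "Name": "Engine",
                              "RequiresRecreation": "Always"}}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "WebSg",
      "ResourceType": "AWS::EC2::SecurityGroup", "Replacement": "False",
      "Details": [{"Target": {"Attribute": "Properties", "Name": "GroupDescription",
                              "RequiresRecreation": "Never"}}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Remove", "LogicalResourceId": "AuditTrail",
      "ResourceType": "AWS::CloudTrail::Trail", "Details": []}}
  ]
}""")

def review_change_set(change_set, protected_ids=()):
    """Return (logical id, reason, recreating properties) for each change needing human
    approval: Replacement True/Conditional, Action Remove, or any protected logical id."""
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange")
        if not rc:                       # non-Resource change types: nothing to gate
            continue
        lid, action = rc["LogicalResourceId"], rc["Action"]
        replacement = rc.get("Replacement") or "False"      # absent for Add/Remove
        recreating = [d["Target"]["Name"] for d in rc.get("Details", [])
                      if d["Target"].get("RequiresRecreation") in ("Always", "Conditionally")]
        if replacement in ("True", "Conditional"):
            findings.append((lid, f"replacement={replacement}", recreating))
        elif action == "Remove":
            findings.append((lid, "removed", recreating))
        elif lid in protected_ids:
            findings.append((lid, f"protected resource, action={action}", recreating))
    return findings

def change_set_is_safe(change_set, protected_ids=()):
    """True when execute-change-set can proceed without manual review."""
    return not review_change_set(change_set, protected_ids)
```

On the constructed change set the gate blocks execution because `AppDb` would be recreated (the `Engine` property requires recreation) and `AuditTrail` would be deleted, while the security group description edit passes unless `WebSg` is listed as protected.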

Modularization with Nested Stacks and StackSets

As infrastructure grows, monolithic templates become unwieldy and risky to update. Nested stacks let you decompose a large template into reusable child templates - separate the network layer (VPC, subnets, route tables), database layer (RDS, DynamoDB), and application layer (Lambda, ECS, API Gateway) into distinct templates, then orchestrate them from a parent stack. Each child stack can be developed, tested, and versioned independently, and changes to one layer do not require redeploying the entire infrastructure. Cross-stack references via Outputs and Fn::ImportValue enable loose coupling between stacks, though you should avoid importing values from resources that might be replaced, as CloudFormation prevents deleting exports that are in use. For large-scale environments, StackSets deploy the same template across multiple AWS accounts and regions simultaneously, ensuring consistent governance - for example, deploying baseline security configurations (GuardDuty, Config rules, CloudTrail) to every account in an organization. AWS SAM (Serverless Application Model) is a CloudFormation extension that provides higher-level abstractions like AWS::Serverless::Function to simplify serverless application deployment while remaining fully compatible with CloudFormation syntax.
