# AWS CloudFormation
<p align=center><a href=https://aws.amazon.com/cloudformation><img src=images/AWS-Cloudformation-Logo.png width=250></a></p>

## Introduction

> AWS CloudFormation is an AWS service that sets up and manages AWS resource and service infrastructures. It allows you to define '**infrastructure as Code**', allowing you more time to focus on building your AWS applications. By defining a YAML or JSON template, you can describe all the AWS resources required (e.g. EC2, RDS or S3) by your application, and CloudFormation will handle the provisioning of those resources on your behalf. 

For full details on the features of AWS CloudFormation, consult the documentation [here](https://docs.aws.amazon.com/cloudformation/index.html).

## Benefits

* **Simplify application-infrastructure creation:** Consider a case where an application infastruture is to deploy an EC2 instance and an S3 bucket with the correct security permissions. Doing this manually can be very time-consuming. By defining the process in a template, another instance of this infrastructure can quickly be created in a few clicks.
* **Replicate your architecture:** Since the CloudFormation infrastructure is defined in code by your template, you can easily reuse the template to deploy the same infastruture to another AWS region.
* **Track changes easily:** If a problem occurs while making changes to your infrastructure, e.g. updating the security permission to your EC2 instance, you would need to remember the previous settings. CloudFormation provides a rollback feature to enable you to use a previous version of your template if a problem occurs; it also tracks the changes made.
* **Free:** CloudFormation is fully free to use; however, note that the services your define in your template will have the normal associated costs. Each template is allotted a limited quota during creation, which can be viewed [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html).

## CloudFormation Concepts

* **Template:** A template can be specified in JSON or YAML format, and it acts as the blueprint for your AWS infrastructure. It will define the resources used and how they are configured when added to the stack.
* **Stack:** After configuring your AWS template and deploying it, your resources will be managed in a single object called a stack. From the stack, you can update, delete and create resources on your stack defined by the template. 
* **Change sets:** These allow you to generate a summary of the proposed changes to be made to your stack before updating it. Since AWS destroys the previous stack when updating to a new one, you can view the changes to ensure no critical elements are affected during the update. 


## Creating CloudFormation Templates

Before using CloudFormation, we must design a template that can be uploaded to create our stack. Although we can create the template in YAML or JSON format, we will be using YAML for this lesson. The YAML template is where you will configure your AWS resources to be added to your stack. The full available structure of an AWS CloudFormation template can be found [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html). 

Below is a basic template that defines a simple AWS CloudFormation stack configuring an EC2 instance. The general process of creating a CloudFormation template will involve defining the AWS resources that your CloudFormation stack will contain and subsequently defining the properties of each of the resources. In the example, we have defined a new Unbuntu EC2 instance. Notice that the properties of the resource (ImageId, InstanceType and Amazon EBS storage) are relevant to an EC2 instance. 

We initially define the version of the template and provide a description. Thereafter, we add the resources of the template, in our case, an EC2 instance, followed by the properties of that resource. To know what resources are available to you and their corresponding properties, consult the AWS CloudFormation documentation [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html). 

Go to the documentation, find AWS::EC2::Instance, and go to that page. Near the top of the page, you will see all the available properties of an EC2 instance.

<img src="images/EC2_props.png?modified=1254341248" height="600" width="600" />



Scrolling further down, you will be presented with a more detailed explanation of each property available for the resource. For instance, consider the ``ImageId`` property for EC2 instances. The details inform us on whether it is a required property, the type (so we know how to specify it) and what happens to the property in the case of a CloudFormation stack update. 

Therefore, in this case, we know to specify it as a string in our template, and we need to specify it here or in the ``LaunchTemplate`` property. Hence, it is not required, and we do not have to specify it here. We also know that when the CloudFormation stack updates, the ``ImageId`` will be replaced. This is how you determine what properties and resources to define in your template. We will also configure the ``InstanceType`` as ``t2.micro``(Free Tier) before finalising the template. 

<img src="images/prop_details.png?modified=1254341248" height="150" width="700" />

In [None]:
#Date and describe your CloudFormation template.
AWSTemplateFormatVersion: '16-09-2021'                  
Description: 'Your first AWS CloudFormation template'

# Define a resource dictionary which will contain the AWS resources.
Resources:
# Name the resource so it can be referenced if needed.                                 
  UbuntuServer20.04:
    Type: "AWS::EC2::Instance"
    # Define the properties of the resource in a new dictionary.
    Properties:
                              
      AccessControl: PublicRead
      ImageId: "ami-0a8e758f5e873d1c1"     
      InstanceType: t2.micro  
      # input your own AWS key  
      KeyName: yourkey            
      BlockDeviceMappings:                  
        -
          DeviceName: /dev/sda1
          Ebs:
            VolumeType: standard
            VolumeSize: 5
            DeleteOnTermination: True
            Encrypted: False


Now that we have configured a simple template, we launch it to create a simple EC2 stack. Copy the above code, and add it to a file called ``EC2_stack.yaml``. Subsequently, navigate to the AWS CloudFormation service page. Select **Create stack** to begin creating the stack. Configure the options as shown in the image, and click next. Afterwards, name the stack, and continue clicking next until the stack-creation process begins. 

<img src="images/first_stack_EC2.png?modified=1234148" height="700" width="1000"/>

You should be taken to the events page of the CloudFormation interface, where you will see the status of the stack as **CREATE_IN_PROGRESS**. Wait until the status changes to **CREATE_COMPLETE**. At this point, if you view your AWS EC2 services page, you will observe that a new EC2 instance has been launched for you by the CloudFormation stack you just created, indicating that the process was a success. Next, we begin creating a more substantial stack with multiple resources, which is more attuned to how it is done in the industry.

<img src="images/first_stack_creation.png?modified=124148" height="500" width="1400"/>

We create another resource for our template, which will allow us to SSH into our EC2 instance when created and also expand on the properties available for the EC2 instance. To do this, we configure an EC2 security group:

In [None]:
# Date and describe your CloudFormation template
AWSTemplateFormatVersion: "2010-09-09"                    
Description: "Your first AWS CloudFormation template"

# Define a resource dictionary which will contain the AWS resources.
Resources: 
# Name the resource so it can be referenced if needed.                                 
  UbuntuServerInstance:                       
    Type: "AWS::EC2::Instance"
    # Define the properties of the resource in a new dictionary.
    Properties:
      # Reference the security group we created so that our EC2 instance will be preconfigured with SHH access.          
      ImageId: "ami-0a8e758f5e873d1c1"     
      InstanceType: t2.micro  
      # Input your AWS key  
      KeyName: yourkeyname               
      BlockDeviceMappings:                  
        -
          DeviceName: /dev/sda1
          Ebs:
            VolumeType: standard
            DeleteOnTermination: True
            Encrypted: False
        
# Define the new Security group resource.
  EC2instanceSecurityGroup:
    # Name the resource so that it can be referenced.                 
    Type: "AWS::EC2::SecurityGroup" 
    # Configure the resource properties.        
    Properties:                             
      GroupDescription: Allow SSH Access to an EC2 instance on port 22      
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

### The Ref function 

Having configured the new resource, we must ensure that the EC2 instance knows to use the newly created security group. We can achieve this using the reference function, which is one of the many functions that can be applied to any of your templates. Others can be found [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference.html). The syntax for referencing resources or properties using the function is as follows:

In [None]:
# In JSON 
# Logical name will refer to the resource or property you want to refer to.
{ "Ref" : "LogicalName" } 

# In YAML (preferable)
# Long form
Ref : LogicalName
#Short form
!Ref LogicalName

Now, we add this to our template so that the EC2 instance will be preconfigured to work with SSH when created. Since the EC2 resource has a security-group property, we can reference the security group there.

In [None]:
# Date and describe your CloudFormation template.
AWSTemplateFormatVersion: "2010-09-09"
Description: "Your first AWS CloudFormation template"

# Define a resource dictionary which will contain the AWS resources.
Resources: 
# Name the resource so it can be referenced if needed.                                 
  UbuntuServerInstance:            
    Type: "AWS::EC2::Instance"
    # Define the properties of the resource in a new dictionary.
    Properties:
      # Reference the newly created security group so our EC2 instance will be preconfigured with SHH access.
      SecurityGroups:
        - !Ref EC2instanceSecurityGroup                
      ImageId: "ami-0a8e758f5e873d1c1"     
      InstanceType: t2.micro  
      # Input your AWS key.  
      KeyName: yourkeyname               
      BlockDeviceMappings:                  
        - 
        DeviceName: /dev/sda1
          Ebs:
            VolumeType: standard
            DeleteOnTermination: True
            Encrypted: False
        
# Define the new Security group resource.
  EC2instanceSecurityGroup:
    # Name the resource so that it can be referenced.                 
    Type: "AWS::EC2::SecurityGroup" 
    # Configure the resource properties.        
    Properties:                             
      GroupDescription: Allow SSH Access to an EC2 instance on port 22      
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

## Passing Parameters in Templates

As can be observed, in our template, the EC2 instance has the property, **KeyName**, which requires a value. Specifying this value directly in the template is not recommended for security reasons. Therefore, we create custom parameters that the user will need to define when creating the stack in CloudFormation. Each parameter is declared with a list of its attributes and a required type, which can be a string, number or an AWS type. We can also add a description for the parameter. For more information, read the docs for defining and passing parameters [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html). We add KeyName as a parameter and reference it in our EC2 instance so that it will be required when creating our stack.

In [None]:
# Date and describe your CloudFormation template.
AWSTemplateFormatVersion: "2010-09-09"                    #
Description: "Your first AWS CloudFormation template"

# Create the parameters entry and define our parameters here.
Parameters:
  # Parameter for the user key name pair on stack creation
  UsersKeyName:
    Description: Name of a key name pair that exists on your AWS account.
    Type: AWS::EC2::KeyPair::KeyName


# Define a resource dictionary which will contain the AWS resources.
Resources: 
# Name the resource so that it can be referenced if needed.                                 
  UbuntuServerInstance:                       
    Type: "AWS::EC2::Instance"
    # Define the properties of the resource in a new dictionary.
    Properties:
      # Reference the newly created security group so our EC2 instance will be preconfigured with SHH access.
      SecurityGroups:
        - !Ref EC2instanceSecurityGroup                
      ImageId: "ami-0a8e758f5e873d1c1"     
      InstanceType: t2.micro  
      # Input your AWS key.  
      KeyName: !Ref UsersKeyName               
      BlockDeviceMappings:                  
        -
          DeviceName: /dev/sda1
          Ebs:
            VolumeType: standard
            DeleteOnTermination: True
            Encrypted: False
            
  # Define the new Security group resource.
  EC2instanceSecurityGroup:
    # Name the resource so that it can be referenced.                 
    Type: "AWS::EC2::SecurityGroup" 
    # Configure the resource properties.        
    Properties:                             
      GroupDescription: Allow SSH Access to an EC2 instance on port 22      
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0


Finally, before finishing the creation of our stack, we add an Amazon RDS service, an S3 bucket, and configure an Amazon IAM role that will enable the creation and access to these resources. Once the template has been created, save it as a YAML file named **Ourfirststack.yaml**, ready to be uploaded. For the database password parameters, notice that **NoEcho** is used. This allows the password to be set and viewed within the stack using asterisks, which adds a layer of security to the created password.

In [None]:
# Date and describe your CloudFormation template.
AWSTemplateFormatVersion: "2010-09-09"                    #
Description: "Your first AWS CloudFormation template"

# Create the parameters entry and define our parameters here.
Parameters:
  # Parameter for the user key name pair on stack creation
  UsersKeyName:
    Description: Name of a key name pair that exists on your AWS account.
    Type: AWS::EC2::KeyPair::KeyName

  # Parameter to set the RDS database password on creation
  MySQLDBPassword: 
    Description: Parameter to configure the master password to our postgres database on creation
    Type: String
    NoEcho: true
  
  # Parameter to set the bucketname on creation
  BucketName:
    Description: Parameter to give a unique name to S3 bucket
    Type: String

# Define a resource dictionary which will contain the AWS resources.
Resources: 
# Name our resource so that it can be referenced if needed.                                 
  UbuntuServerInstance:                       
    Type: "AWS::EC2::Instance"
    # Define the properties of the resource in a new dictionary.
    Properties:
      # Reference the newly created security group so that the EC2 instance will be preconfigured with SHH access.
      SecurityGroups:
        - !Ref EC2instanceSecurityGroup                
      ImageId: "ami-0a8e758f5e873d1c1"     
      InstanceType: t2.micro  
      # Input your AWS key.  
      KeyName: !Ref UsersKeyName               
      BlockDeviceMappings:                  
        -
          DeviceName: /dev/sda1
          Ebs:
            VolumeType: standard
            DeleteOnTermination: True
            Encrypted: False
            
  # Define the new Security group resource.
  EC2instanceSecurityGroup:
    # Name the resource so that it can be referenced.                 
    Type: "AWS::EC2::SecurityGroup" 
    # Configure the resource properties.        
    Properties:                             
      GroupDescription: Allow SSH Access to an EC2 instance on port 22      
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

  CloudStackIAMRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Create a new user role to allow access to RDS instance, S3 bucket and EC2 instance created by the stack.
      RoleName: StackUser
      AssumeRolePolicyDocument:
        Version: "2012-10-17"  
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - rds.amazonaws.com
                - s3.amazonaws.com
            Action: 
              - 'sts:AssumeRole'
      Path: "/"


  RolePolicies:
    Type: "AWS::IAM::Policy"
    Properties: 
      PolicyName: "NewStackUser"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action: "*"  
            Resource: "*"
      Roles: 
        - !Ref CloudStackIAMRole

  RootInstanceProfile: 
    Type: "AWS::IAM::InstanceProfile"
    Properties: 
      Path: "/"
      Roles: 
        - Ref: CloudStackIAMRole

  AWSS3Bucket:
    Type: AWS::S3::Bucket
      # Specify when the stack is deleted to keep the bucket.
    DeletionPolicy: Retain
    Properties: 
      # Add the BucketName parameter so that a bucket name is required on stack creation.
      BucketName: !Ref BucketName

  AWSRDSDatabase:
    Type: AWS::RDS::DBInstance 
    Properties:
      DBName: templateDB
      Engine: MySQL
      MasterUsername: admin
      MasterUserPassword: !Ref MySQLDBPassword
      PubliclyAccessible : true
      DBInstanceClass: db.t2.micro
      AllocatedStorage: 20


## Creating a stack

Now that the stack infrastructure has been defined in code, we can upload the template to CloudFormation to create our stack. Go to the CloudFormation page on AWS services. Once on the CloudFormation dashboard, navigate to **stacks > Create stack > With new resources**, and upload the created template. It should now be on the create stack screen. If, however, your template is not in a valid YAML/JSON format, then CloudFormation will alert you so that you can make the required changes to your template. Once uploaded with no template errors, continue to the next screen.<br><br>


<img src="images/create_stack.png?modified=12345678" />



Here, we name the stack and finish defining any required parameter that was created in the YAML template. Finish naming the stack, and add the values for the required parameters in the YAML template. 

<img src="images/stack_name_parameters.png?modified=123324678"/>


On the next page, you can configure additional options for your stack, such as rolling back the whole stack if there is a failure or saving the resources that were successfully created. You can define a custom role that will be responsible for changing the stack and tag resources in your stack to more easily categorise and identify them. There are other more advanced options that we recommend you explore. For now, we will leave this screen in the default settings and proceed.

<img src="images/config_stack.png?modified=12345678" />

Lastly, we review the created stack with the options we defined. Since you are creating a stack that defines an IAM role, you must permit the stack to create this role. Thus, you will be met with the following panel at the bottom of the review screen. Acknowledge the option, and finish creating the stack.

<img src="images/IAM_role_warning.png?modified=1345678" />

Once we begin creating the stack, we will be redirected to the created stacks event page, where the creation of the stack will begin. After some time, the events will update with each step needed to create the stack. Once the stack is created and fully functioning, the stack-creation status will change from **CREATE_IN_PROGESS** to **CREATE_COMPLETE**. Once completed, explore the various tabs across the top to view the stack configurations in more detail. Additionally, verify that the AWS services were created by the created stack using the template.

<img src="images/stack_overview.png?modified=1345678" />

## Creating a Stack Change Set

Having created a stack defined in a template, we create a change set by editing the template and uploading it to observe the effect of the change(s). The documentation for working with stack sets can be found [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html). Duplicate the template. Rename it to **Changesettemplate.yaml**, change the type of the database engine, as well as the deletion policy of the S3 bucket, and remove SSH access from the EC2 instance. 


In [None]:
# Date and describe your CloudFormation template.
AWSTemplateFormatVersion: "2010-09-09"                    #
Description: "Your first AWS CloudFormation template"

# Create the parameters entry and define our parameters here.
Parameters:
  # Parameter for the user key name pair on stack creation
  UsersKeyName:
    Description: Name of a key name pair that exists on your AWS account.
    Type: AWS::EC2::KeyPair::KeyName

  # Parameter to set the RDS database password on creation
  MariaDBDBPassword: 
    Description: Parameter to configure the master password to our postgres database on creation
    Type: String
    NoEcho: true
  
  # Parameter to set the bucketname on creation
  BucketName:
    Description: Parameter to give a unique name to S3 bucket
    Type: String

# Define a resource dictionary which will contain the AWS resources.
Resources: 
# Name the resource so it can be referenced if needed.                                 
  UbuntuServerInstance:                       
    Type: "AWS::EC2::Instance"
    # Define the properties of the resource in a new dictionary
    Properties:
      # Reference the created security group so that the EC2 instance will be preconfigured with SHH access.               
      ImageId: "ami-0a8e758f5e873d1c1"     
      InstanceType: t2.micro  
      # Input your AWS key.  
      KeyName: !Ref UsersKeyName               
      BlockDeviceMappings:                  
        -
          DeviceName: /dev/sda1
          Ebs:
            VolumeType: standard
            DeleteOnTermination: True
            Encrypted: False
            

  CloudStackIAMRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Create a new user role to allow access to RDS instance, S3 bucket and EC2 instance created by the stack.
      RoleName: StackUser
      AssumeRolePolicyDocument:
        Version: "2012-10-17"  
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - rds.amazonaws.com
                - s3.amazonaws.com
            Action: 
              - 'sts:AssumeRole'
      Path: "/"


  RolePolicies:
    Type: "AWS::IAM::Policy"
    Properties: 
      PolicyName: "NewStackUser"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action: "*"  
            Resource: "*"
      Roles: 
        - !Ref CloudStackIAMRole

  RootInstanceProfile: 
    Type: "AWS::IAM::InstanceProfile"
    Properties: 
      Path: "/"
      Roles: 
        - Ref: CloudStackIAMRole

  AWSS3Bucket:
    Type: AWS::S3::Bucket
      # Specify when the stack is deleted to keep the bucket.
    DeletionPolicy: Delete
    Properties: 
      # Add the BucketName parameter so that a bucket name is required on stack creation.
      BucketName: !Ref BucketName

  AWSRDSDatabase:
    Type: AWS::RDS::DBInstance 
    Properties:
      DBName: templateDB
      Engine: MariaDB
      MasterUsername: admin
      MasterUserPassword: !Ref MariaDBDBPassword
      PubliclyAccessible : true
      DBInstanceClass: db.t2.micro
      AllocatedStorage: 20

After making these changes, select the **Change sets** tab for the stack, and **Create change set**.  Now, on the create change set screen, upload the newly created template as a replacement, and continue to the parameters screen.

<img src="images/change_set_template.png?modified=145678" />

On the next screen, the change set will provide the option of editing the existing parameters if we so choose. In this case, leave the parameters as the previously set values, and confirm the details on the configuration and review stages of the change set creation.

<img src="images/change_set_parameters.png?modified=1611568" />

Once the review stage is complete, the last step is to provide a description for your change set. Be sure to give the change set a detailed description so that other users viewing the stack details know which changes were implemented on the stack. 

<img src="images/change_set_desc.png?modified=1611568" />

Once you have provided the description and created the change set, the next step is to view the changes made and execute the change if satisfied with the results. Evidently, our change set has been completed successfully, and the changes to the stack are as expected. The EC2 policy is being removed, and the RDS database and EC2 instance are being modified. 

We can also check the changes made to the template using the Template tab along the top of the **Changes** pane. Once satisfied with the changes, you can implement them using the **Execute** button (top right), with the option to remove successfully provisioned resources or roll back the entire stack. In this case, we will roll back the entire stack.

<img src="images/change_set_finalisation.png?modified=1611568" />

Once executed, you will be taken to the events screen to view the progress of change set implementation. If all goes well, the implementation will finish with the status **UPDATE_COMPLETE**. 

## Conclusion
At this point, you should have a good understanding of
* how to define infrastructure in code using templates and why this process is better than manual configuration.
* how to create templates that define your infrastructure in code. 
* the basic layouts of templates and how to configure resources. 
* how to create parameters for templates to add customisation to the stack.
* the importance of change sets in making changes to the stack so that the stack can be safely updated. 