Jonatan Mata · jonmatum.com
© 2026 Jonatan Mata. All rights reserved. v2.1.1

AWS CloudFormation

AWS native service for defining and provisioning infrastructure as code using YAML or JSON templates, with state management and automatic rollback.

evergreen · #aws #cloudformation #iac #yaml #provisioning #devops

What it is

AWS CloudFormation is AWS's native infrastructure as code service that allows defining infrastructure resources through declarative templates in YAML or JSON. Unlike imperative tools, CloudFormation manages the complete infrastructure state, creating, updating, and deleting resources in the correct order based on defined dependencies.

The service acts as an orchestration engine that translates templates into AWS API calls, maintaining a record of the current state and providing automatic rollback when operations fail. This state management capability differentiates CloudFormation from traditional provisioning scripts, as it understands resource relationships and can perform incremental changes safely.

CloudFormation is the technological foundation upon which tools like AWS CDK and AWS SAM are built, generating CloudFormation templates as their final output. Understanding CloudFormation is fundamental for diagnosing issues in any IaC tool on AWS.

Template anatomy

A typical CloudFormation template contains several sections that define infrastructure:

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Serverless API with Lambda and DynamoDB'

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues: [dev, staging, prod]

Resources:
  UserTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: !Sub 'users-${Environment}'
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: userId
          AttributeType: S
      KeySchema:
        - AttributeName: userId
          KeyType: HASH

  # AWS::Lambda::Function requires a Role; keep it scoped to what the function
  # actually needs (here only CloudWatch Logs, via the AWS managed policy)
  UserFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'

  UserFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub 'user-api-${Environment}'
      Runtime: nodejs20.x
      Handler: index.handler
      Role: !GetAtt UserFunctionRole.Arn
      Code:
        ZipFile: |
          exports.handler = async (event) => {
            return { statusCode: 200, body: 'Hello World' };
          };
      Environment:
        Variables:
          TABLE_NAME: !Ref UserTable

  ApiGateway:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: !Sub 'user-api-${Environment}'
      EndpointConfiguration:
        Types: [REGIONAL]

Outputs:
  ApiEndpoint:
    Description: 'API Gateway endpoint URL'
    # The 'prod' stage is created by AWS::ApiGateway::Deployment/Stage resources (omitted here)
    Value: !Sub 'https://${ApiGateway}.execute-api.${AWS::Region}.amazonaws.com/prod'
    Export:
      Name: !Sub '${AWS::StackName}-ApiEndpoint'

This example shows the key concepts: parameters for reusability, intrinsic functions such as !Sub, !Ref and !GetAtt for dynamic references between resources, and outputs (optionally exported) to expose values to other stacks.

Advanced patterns

Nested Stacks

For complex projects, CloudFormation allows splitting infrastructure into nested stacks, improving modularity and reusability:

NetworkStack:
  Type: AWS::CloudFormation::Stack
  Properties:
    TemplateURL: https://s3.amazonaws.com/templates/network.yaml
    Parameters:
      VpcCidr: 10.0.0.0/16
      Environment: !Ref Environment
 
ApplicationStack:
  Type: AWS::CloudFormation::Stack
  DependsOn: NetworkStack
  Properties:
    TemplateURL: https://s3.amazonaws.com/templates/application.yaml
    Parameters:
      VpcId: !GetAtt NetworkStack.Outputs.VpcId
      SubnetIds: !GetAtt NetworkStack.Outputs.PrivateSubnetIds

StackSets for multi-account

StackSets enables deploying the same infrastructure across multiple AWS accounts and regions from a central account, essential for organizations with multi-account architectures:

# Template deployed via a StackSet to every member account and region
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Security baseline: CloudTrail and GuardDuty'

Resources:
  CloudTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      # The bucket must already exist in each account with a bucket policy
      # that allows cloudtrail.amazonaws.com to write to it
      S3BucketName: !Sub 'audit-logs-${AWS::AccountId}'
      IncludeGlobalServiceEvents: true

  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES

Drift Detection

CloudFormation includes drift detection to identify manual changes made outside the stack:

# Start drift detection (asynchronous; returns a StackDriftDetectionId)
aws cloudformation detect-stack-drift --stack-name my-stack

# Poll until the detection run has finished
aws cloudformation describe-stack-drift-detection-status --stack-drift-detection-id <id>

# View drift details per resource
aws cloudformation describe-stack-resource-drifts --stack-name my-stack

Drift detection is crucial in environments where multiple teams might modify resources, as it helps maintain consistency between declared and actual state.
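The drift report is only useful if someone acts on it. As an added example (not code from the original page), the script below triages the JSON printed by describe-stack-resource-drifts, treats drift on a configurable set of security-sensitive resource types as high severity, and exposes a boolean suitable for a CI gate; the sample output, the set of sensitive types and the severity labels are constructed assumptions of the example.

```python
"""Triage the JSON printed by `aws cloudformation describe-stack-resource-drifts`."""
import json

# Resource types whose drift is treated as a security finding. This set is an
# assumption of the example, not something CloudFormation defines.
SECURITY_SENSITIVE_TYPES = {
    "AWS::CloudTrail::Trail",
    "AWS::GuardDuty::Detector",
    "AWS::EC2::SecurityGroup",
}

# Constructed sample in the shape the CLI prints (non-essential fields dropped).
SAMPLE_DRIFT_OUTPUT = json.dumps({"StackResourceDrifts": [
    {"LogicalResourceId": "CloudTrail", "ResourceType": "AWS::CloudTrail::Trail",
     "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/IsLogging", "ExpectedValue": "true",
                              "ActualValue": "false", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "GuardDutyDetector", "ResourceType": "AWS::GuardDuty::Detector",
     "StackResourceDriftStatus": "DELETED"},
    {"LogicalResourceId": "UserTable", "ResourceType": "AWS::DynamoDB::Table",
     "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
]})


def triage_drift(cli_output, sensitive_types=SECURITY_SENSITIVE_TYPES):
    """Return findings as (severity, logical_id, message), skipping IN_SYNC resources."""
    findings = []
    for drift in json.loads(cli_output)["StackResourceDrifts"]:
        status = drift["StackResourceDriftStatus"]
        if status == "IN_SYNC":
            continue
        logical_id, rtype = drift["LogicalResourceId"], drift["ResourceType"]
        severity = "HIGH" if rtype in sensitive_types else "MEDIUM"
        if status == "DELETED":
            findings.append((severity, logical_id, f"{rtype} deleted outside the stack"))
            continue
        # MODIFIED: one finding per changed property (ADD/REMOVE may lack one side)
        for diff in drift.get("PropertyDifferences", []):
            msg = (f"{rtype} {diff['PropertyPath']} {diff['DifferenceType']}: "
                   f"expected {diff.get('ExpectedValue')!r}, actual {diff.get('ActualValue')!r}")
            findings.append((severity, logical_id, msg))
    return findings


def has_high_severity_drift(cli_output):
    """True when any security-sensitive resource drifted; usable as a CI gate."""
    return any(sev == "HIGH" for sev, _, _ in triage_drift(cli_output))
```

Feeding the real CLI output into triage_drift(...) yields, for the sample above, a HIGH finding for the trail whose logging was switched off and another for the deleted GuardDuty detector, while the in-sync table is ignored.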

CloudFormation vs Terraform

Aspect           | CloudFormation                        | Terraform
-----------------|---------------------------------------|------------------------------------------
Provider         | AWS only                              | Multi-cloud (AWS, Azure, GCP)
Language         | YAML/JSON                             | HCL (HashiCorp Configuration Language)
State management | Managed by AWS                        | Local file or remote backend
Cost             | Free                                  | Free (open source), paid (Terraform Cloud)
Adoption speed   | Immediate for new AWS services        | Delay in new service support
Debugging        | CloudFormation Events in console      | Plan/apply output and state inspection
Rollback         | Automatic on failures                 | Manual with previous terraform apply
Modularity       | Nested stacks, cross-stack references | Modules with public registry
Testing          | Limited, mainly cfn-lint              | Terratest, kitchen-terraform

The choice between CloudFormation and Terraform depends primarily on whether you need multi-cloud (Terraform) or prefer native AWS integration (CloudFormation). For AWS-first organizations, CloudFormation offers advantages in new service adoption time and integration with AWS tooling.

Limitations and considerations

CloudFormation has important technical limitations that affect architecture design:

  • 500 resource limit per stack: Requires splitting complex infrastructure into multiple stacks
  • 200 outputs limit per stack: Limits information that can be exposed between stacks
  • Deployment time: Synchronous operations can be slow for complex resources like RDS
  • Limited rollback: Some resources don't support automatic rollback (e.g., S3 buckets with content)
  • Service coverage: New AWS services may take time to have complete support

These limitations require specific patterns like stack splitting, using custom resources for unsupported functionality, and manual rollback strategies for critical resources.

Why it matters

CloudFormation is the foundation of infrastructure automation in AWS and the base upon which CDK, SAM, and other higher-level tools are built. Even when using abstractions, deployment errors, drift issues, and resource limitations manifest at the CloudFormation level.

For staff+ engineers, mastering CloudFormation means understanding the real capabilities and limitations of AWS automation, being able to diagnose complex deployment issues, and designing architectures that leverage patterns like StackSets for multi-account governance. The difference between a provisioning script and a robust IaC solution lies in the state management, automatic rollback, and incremental change capabilities that CloudFormation provides natively.
