In a series of blog articles I’ll take a closer look at AWS Cloudformation. Read more about what AWS Cloudformation is, how to design templates, bootstrapping an EC2 instance with userdata, using metadata and updating EC2 instances with cfn-hup in my previous blog articles:
- AWS Cloudformation – Templates, stacks and change sets
- AWS Cloudformation – Designing Templates
- AWS Cloudformation – Bootstrapping an Ec2 instance with Userdata
- AWS Cloudformation – Metadata
- AWS Cloudformation – Updating EC2 instance with cfn-hup
In this blog article I’ll take a closer look at updating your AWS resources in your stack with Change sets.
Updating AWS resources with Change sets
When you need to change the resources in your stack, this can be done via change sets. Change sets allow you to preview how the proposed changes might impact the running resources. They don’t indicate whether Cloudformation will successfully update a stack: a change set is, for example, unaware of insufficient permissions on certain resources. If the update fails for such a reason, Cloudformation will attempt to roll back your resources to their original state.
Here is an overview of how a change set will update your resources.
Creating a change set can be done by the following command. You can use the same template as before and just change the parameters for example. This will deploy the change set.
aws cloudformation create-change-set --stack-name Demo --change-set-name DemoChangeset --use-previous-template --parameters ParameterKey=InstanceName,ParameterValue=somevalue
The output can be found in the Cloudformation console or via an API call from the cli. For example this:
aws cloudformation describe-change-set --change-set-name DemoChangeset --stack-name demo

arn:aws:cloudformation:us-east-1:xxxxxxxxxxx:changeSet/DemoChangeset/6b0951dd-3a0d-4287-893b-03f5e450db22  DemoChangeset  2019-09-27T13:14:10.608Z  None  AVAILABLE  arn:aws:cloudformation:us-east-1:xxxxxxxxx:stack/demo/f1d47e80-e127-11e9-947d-1262c1c6cf8e  demo  CREATE_COMPLETE  None  None
CHANGES  Resource
RESOURCECHANGE  Modify  EC2Instance  i-08076d71e01fc64d4  False  AWS::EC2::Instance
DETAILS  DirectModification  Dynamic
TARGET  Tags  Never
DETAILS  InstanceName  ParameterReference  Static
TARGET  Tags  Never
SCOPE  Tags
PARAMETERS  InstanceName  somevalue
PARAMETERS  KeyName  demo
PARAMETERS  SSHLocation  0.0.0.0/0
PARAMETERS  InstanceType  t2.micro
It describes what will be changed when this change set is executed. Executing a change set from the command line is quite similar to the previous command.
aws cloudformation execute-change-set \
    --change-set-name DemoChangeset --stack-name demo
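As an added example (not code from the article), here is a small Python script that takes the JSON form of the describe-change-set output, summarises the resource changes and only gives the go-ahead for execution when no resource would be replaced or removed; the execution itself stays with the aws CLI. The sample payload is constructed to mirror the change set shown above, with placeholder ids; the field names it reads (Changes, ResourceChange, Action, Replacement, Scope, ExecutionStatus) are those of the CloudFormation DescribeChangeSet API, and the gating rules (block on Remove, block on Replacement True or Conditional) are this example's own policy choice.

```python
"""Gate the execution of a CloudFormation change set on what it would do.

Added example, not from the original article. It consumes the JSON that
`aws cloudformation describe-change-set --output json` prints, summarises
the resource changes and says whether an automated execute-change-set
should proceed. The execution is left to the aws CLI; this script decides.
"""
import json
import sys

# Constructed sample: the article's change set in JSON form. The instance id
# is the one shown in the article; account and stack ids are placeholders.
SAMPLE_CHANGE_SET = {
    "ChangeSetName": "DemoChangeset",
    "StackName": "demo",
    "Status": "CREATE_COMPLETE",
    "ExecutionStatus": "AVAILABLE",
    "Parameters": [
        {"ParameterKey": "InstanceName", "ParameterValue": "somevalue"},
        {"ParameterKey": "KeyName", "ParameterValue": "demo"},
        {"ParameterKey": "SSHLocation", "ParameterValue": "0.0.0.0/0"},
        {"ParameterKey": "InstanceType", "ParameterValue": "t2.micro"},
    ],
    "Changes": [
        {
            "Type": "Resource",
            "ResourceChange": {
                "Action": "Modify",
                "LogicalResourceId": "EC2Instance",
                "PhysicalResourceId": "i-08076d71e01fc64d4",
                "ResourceType": "AWS::EC2::Instance",
                # The API reports Replacement as a string: True/False/Conditional.
                "Replacement": "False",
                "Scope": ["Tags"],
            },
        }
    ],
}


def summarize(change_set):
    """Return one dict per resource change with the fields that matter for risk."""
    rows = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange")
        if not rc:  # change sets can also carry non-resource entries
            continue
        rows.append({
            "logical_id": rc.get("LogicalResourceId") or "",
            "type": rc.get("ResourceType") or "",
            "action": rc.get("Action") or "",
            "replacement": rc.get("Replacement") or "False",
            "scope": rc.get("Scope") or [],
        })
    return rows


def blocking_changes(change_set, allow_replacement=False, allow_remove=False):
    """List the changes that should stop an unattended execute-change-set.

    Removing a resource or recreating it (Replacement True or Conditional)
    loses the physical resource; a Modify that stays in place is fine.
    """
    blocked = []
    for row in summarize(change_set):
        if row["action"] == "Remove" and not allow_remove:
            blocked.append(row)
        elif row["replacement"] in ("True", "Conditional") and not allow_replacement:
            blocked.append(row)
    return blocked


def can_execute(change_set, **policy):
    """True when the change set is executable and nothing disruptive is in it."""
    if change_set.get("ExecutionStatus") != "AVAILABLE":
        return False
    return not blocking_changes(change_set, **policy)


if __name__ == "__main__":
    # Pipe `aws cloudformation describe-change-set ... --output json` into this
    # script; with no piped input the constructed sample is used instead.
    payload = SAMPLE_CHANGE_SET if sys.stdin.isatty() else json.load(sys.stdin)
    for row in summarize(payload):
        print(f"{row['action']:<8}{row['type']:<24}{row['logical_id']:<16}"
              f"replacement={row['replacement']} scope={','.join(row['scope'])}")
    for row in blocking_changes(payload):
        print(f"BLOCKED: {row['logical_id']} ({row['action']}, "
              f"replacement={row['replacement']})")
    sys.exit(0 if can_execute(payload) else 1)
```

Run it as `aws cloudformation describe-change-set --change-set-name DemoChangeset --stack-name demo --output json | python check_change_set.py` and only call execute-change-set when the exit code is 0. The Replacement field is the one to watch: True or Conditional means the physical resource is recreated rather than updated in place, which the tag-only Modify in the article's change set does not do.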
Working with change sets gives you more control over the potential impact of changes. In addition, it opens the door to additional control over updates: IAM can be used to control access to specific Cloudformation actions (UpdateStack, CreateChangeSet etc.). You could allow developers to create and view change sets and restrict execution to more experienced administrators.
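To illustrate that split between creating and executing change sets, here are two IAM policy documents together with a deliberately simplified policy evaluator, written as an added example rather than taken from the article. The action names are real CloudFormation IAM actions; the policy Sids, the resource wildcard and the evaluator's logic (explicit Deny first, then Allow, otherwise deny; no Resource or Condition handling) are assumptions of this example.

```python
"""Separate change-set preparation from change-set execution with IAM.

Added example, not from the article. The two policy documents are plain
dicts (json.dumps() gives the document to attach to a role or group). The
evaluator is a small model of IAM's decision order, enough to check the
action split: an explicit Deny wins, an Allow is needed, and anything else
is implicitly denied. It looks at actions only, not at Resource ARNs or
Conditions.
"""
import fnmatch
import json

DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrepareAndInspectChangeSets",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ListChangeSets",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
            ],
            "Resource": "*",
        },
        {
            # Without this Deny a developer could bypass the review step by
            # executing the change set or by calling UpdateStack directly.
            "Sid": "NoDirectUpdates",
            "Effect": "Deny",
            "Action": [
                "cloudformation:ExecuteChangeSet",
                "cloudformation:UpdateStack",
            ],
            "Resource": "*",
        },
    ],
}

ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReviewAndExecute",
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeChangeSet",
                "cloudformation:ListChangeSets",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DescribeStacks",
            ],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action):
    """Simplified IAM decision for one action across all attached policies.

    Order: any matching explicit Deny -> denied; else any matching Allow ->
    allowed; else implicitly denied. Action matching is case-insensitive and
    honours the '*' wildcard, as IAM does.
    """
    decision = "deny"  # the implicit default
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = [p.lower() for p in _as_list(stmt["Action"])]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                return False
            decision = "allow"
    return decision == "allow"


def policy_document(policy):
    """Serialise a policy dict into the JSON document IAM expects."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for who, pol in (("developer", DEVELOPER_POLICY), ("admin", ADMIN_POLICY)):
        for act in ("cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet",
                    "cloudformation:UpdateStack"):
            print(f"{who:<10}{act:<36}{'allow' if is_allowed([pol], act) else 'deny'}")
```

The Deny on UpdateStack matters: without it a developer who may create change sets could still push the same change with update-stack and skip the review. Executing a change set also needs permissions on the resources being changed (or a CloudFormation service role), which these policies do not cover.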
Vincent Lamers, Linux-consultant @ AT Computing