AWS CloudFormation VPC Infrastructure
Overview
Create production-ready VPC infrastructure using AWS CloudFormation templates. This skill covers VPC components (Subnets, Route Tables, NAT Gateways, Internet Gateways), template structure best practices, parameter patterns, and cross-stack references for modular, reusable infrastructure as code.
When to Use
Use this skill when:
-
Creating new VPCs with public and private subnets
-
Configuring route tables for internet and NAT connectivity
-
Setting up Internet Gateways and NAT Gateways
-
Implementing template Parameters with AWS-specific types
-
Creating Outputs for cross-stack references
-
Organizing templates with Mappings and Conditions
-
Designing reusable, modular CloudFormation templates
Quick Start
Basic VPC with Public Subnet
AWSTemplateFormatVersion: 2010-09-09 Description: Simple VPC with public subnet
Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsHostnames: true EnableDnsSupport: true Tags: - Key: Name Value: !Sub ${AWS::StackName}-vpc
PublicSubnet: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.1.0/24 AvailabilityZone: !Select [0, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub ${AWS::StackName}-public-subnet
InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Sub ${AWS::StackName}-igw
VPCGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway
PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${AWS::StackName}-public-rt
DefaultPublicRoute: Type: AWS::EC2::Route DependsOn: VPCGatewayAttachment Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway
PublicSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnet RouteTableId: !Ref PublicRouteTable
VPC with Public and Private Subnets
AWSTemplateFormatVersion: 2010-09-09 Description: VPC with public and private subnets across multiple AZs
Parameters: EnvironmentName: Type: String Default: production Description: Environment name for resource tagging
VpcCidr: Type: String Default: 10.0.0.0/16 Description: CIDR block for the VPC
Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcCidr EnableDnsHostnames: true EnableDnsSupport: true Tags: - Key: Environment Value: !Ref EnvironmentName - Key: Name Value: !Sub ${AWS::StackName}-vpc
InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Environment Value: !Ref EnvironmentName - Key: Name Value: !Sub ${AWS::StackName}-igw
VPCGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway
Public Subnet 1
PublicSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.1.0/24 AvailabilityZone: !Select [0, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Environment Value: !Ref EnvironmentName - Key: SubnetType Value: Public - Key: Name Value: !Sub ${AWS::StackName}-public-1
PublicRouteTable1: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Environment Value: !Ref EnvironmentName - Key: Name Value: !Sub ${AWS::StackName}-public-rt-1
DefaultPublicRoute1: Type: AWS::EC2::Route DependsOn: VPCGatewayAttachment Properties: RouteTableId: !Ref PublicRouteTable1 DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway
PublicSubnetRouteTableAssociation1: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnet1 RouteTableId: !Ref PublicRouteTable1
Private Subnet 1
PrivateSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.10.0/24 AvailabilityZone: !Select [0, !GetAZs ''] Tags: - Key: Environment Value: !Ref EnvironmentName - Key: SubnetType Value: Private - Key: Name Value: !Sub ${AWS::StackName}-private-1
PrivateRouteTable1: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Environment Value: !Ref EnvironmentName - Key: Name Value: !Sub ${AWS::StackName}-private-rt-1
PrivateSubnetRouteTableAssociation1: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PrivateSubnet1 RouteTableId: !Ref PrivateRouteTable1
Outputs: VpcId: Description: VPC ID Value: !Ref VPC Export: Name: !Sub ${AWS::StackName}-VpcId
PublicSubnet1Id: Description: Public Subnet 1 ID Value: !Ref PublicSubnet1 Export: Name: !Sub ${AWS::StackName}-PublicSubnet1Id
PrivateSubnet1Id: Description: Private Subnet 1 ID Value: !Ref PrivateSubnet1 Export: Name: !Sub ${AWS::StackName}-PrivateSubnet1Id
Template Structure
Template Sections Overview
AWS CloudFormation templates are JSON or YAML files with specific sections. Each section serves a purpose in defining your infrastructure.
AWSTemplateFormatVersion: 2010-09-09 # Required - template version Description: Optional description string # Optional description
Section order matters for readability but CloudFormation accepts any order
Mappings: {} # Static configuration tables Metadata: {} # Additional information about resources Parameters: {} # Input values for customization Rules: {} # Parameter validation rules Conditions: {} # Conditional resource creation Transform: {} # Macro processing (e.g., AWS::Serverless) Resources: {} # AWS resources to create (REQUIRED) Outputs: {} # Return values after stack creation
Format Version
The AWSTemplateFormatVersion identifies the template version. Current version is 2010-09-09 .
AWSTemplateFormatVersion: 2010-09-09 Description: My CloudFormation Template
Description
Add a description to document the template's purpose. Must appear after the format version.
AWSTemplateFormatVersion: 2010-09-09 Description: > This template creates a VPC with public and private subnets for hosting web applications. It includes:
- Internet Gateway for public access
- NAT Gateway for private subnet outbound access
- Security groups for web and database tiers
Metadata
Use Metadata for additional information about resources or parameters.
Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network Configuration Parameters: - VpcCidr - PublicSubnetCidr - PrivateSubnetCidr - Label: default: Tags Parameters: - EnvironmentName - ProjectName ParameterLabels: VpcCidr: default: VPC CIDR Block EnvironmentName: default: Environment Name
Resources Section
The Resources section is the only required section. It defines AWS resources to provision.
Resources: MyVPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsHostnames: true EnableDnsSupport: true Tags: - Key: Name Value: !Sub ${AWS::StackName}-vpc
Parameters
Parameter Types
Use AWS-specific parameter types for validation and easier selection in the console.
Parameters: VpcId: Type: AWS::EC2::VPC::Id Description: Select an existing VPC
SubnetId: Type: AWS::EC2::Subnet::Id Description: Select a subnet
SecurityGroupIds: Type: List<AWS::EC2::SecurityGroup::Id> Description: Select existing security groups
InstanceType: Type: AWS::EC2::InstanceType Description: EC2 instance type Default: t3.micro AllowedValues: - t3.micro - t3.small - t3.medium - t3.large
AmiId: Type: AWS::EC2::Image::Id Description: Select an AMI
KeyName: Type: AWS::EC2::KeyPair::KeyName Description: Select an existing key pair
Parameter Constraints
Add constraints to validate parameter values.
Parameters: VpcCidr: Type: String Description: CIDR block for the VPC Default: 10.0.0.0/16 AllowedPattern: ^([0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{1,2}$ ConstraintDescription: Must be a valid CIDR block (x.x.x.x/x)
InstanceCount: Type: Number Description: Number of instances to launch Default: 1 MinValue: 1 MaxValue: 10
Environment: Type: String Description: Deployment environment Default: development AllowedValues: - development - staging - production ConstraintDescription: Must be development, staging, or production
SSM Parameter Types
Reference Systems Manager parameters for dynamic values.
Parameters: LatestAmiId: Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id> Description: Latest AMI ID from SSM Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
Mappings
Use Mappings for static configuration data based on regions or other factors.
Mappings: RegionMap: us-east-1: HVM64: ami-0ff8a95407f89df2f HVMG2: ami-0a0c776d80e2a1f3c us-west-2: HVM64: ami-0a0c776d80e2a1f3c HVMG2: ami-0a0c776d80e2a1f3c eu-west-1: HVM64: ami-0ff8a95407f89df2f HVMG2: ami-0a0c776d80e2a1f3c
EnvironmentConfig: development: InstanceType: t3.micro MinInstances: 1 MaxInstances: 2 staging: InstanceType: t3.small MinInstances: 1 MaxInstances: 3 production: InstanceType: t3.medium MinInstances: 2 MaxInstances: 10
Resources: Instance: Type: AWS::EC2::Instance Properties: ImageId: !FindInMap [RegionMap, !Ref AWS::Region, HVM64] InstanceType: !FindInMap [EnvironmentConfig, !Ref Environment, InstanceType]
Conditions
Use Conditions to conditionally create resources based on parameters.
Parameters: DeployNatGateway: Type: String Default: true AllowedValues: - true - false
Environment: Type: String Default: development AllowedValues: - development - staging - production
Conditions: ShouldDeployNat: !Equals [!Ref DeployNatGateway, true] IsProduction: !Equals [!Ref Environment, production]
Resources: NatGateway: Type: AWS::EC2::NatGateway Condition: ShouldDeployNat Properties: AllocationId: !If - ShouldDeployNat - !GetAtt EIP.AllocationId - !Ref AWS::NoValue SubnetId: !Ref PublicSubnet
ProductionOnlyResource: Type: AWS::EC2::VPCEndpoint Condition: IsProduction Properties: ServiceName: !Sub com.amazonaws.${AWS::Region}.s3 VpcId: !Ref VPC
Transform
Use Transform for macros like AWS::Serverless for SAM templates.
AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::Serverless-2016-10-31 Description: SAM template for serverless application
Resources: MyFunction: Type: AWS::Serverless::Function Properties: Handler: index.handler Runtime: nodejs18.x CodeUri: function/ Events: ApiEvent: Type: Api Properties: Path: /{proxy+} Method: ANY
Outputs and Cross-Stack References
Basic Outputs
Outputs: VpcId: Description: VPC ID Value: !Ref VPC
PublicSubnetId: Description: Public Subnet ID Value: !Ref PublicSubnet
VpcCidr: Description: VPC CIDR Block Value: !GetAtt VPC.CidrBlock
Exporting Values for Cross-Stack References
Export values so other stacks can import them.
Outputs: VpcId: Description: VPC ID for other stacks Value: !Ref VPC Export: Name: !Sub ${AWS::StackName}-VpcId
PublicSubnetIds: Description: Comma-separated public subnet IDs Value: !Join [",", [!Ref PublicSubnet1, !Ref PublicSubnet2]] Export: Name: !Sub ${AWS::StackName}-PublicSubnetIds
PrivateSubnetIds: Description: Comma-separated private subnet IDs Value: !Join [",", [!Ref PrivateSubnet1, !Ref PrivateSubnet2]] Export: Name: !Sub ${AWS::StackName}-PrivateSubnetIds
Importing Values in Another Stack
Parameters: VpcId: Type: AWS::EC2::VPC::Id Description: VPC ID from network stack # User selects from exported values in console
Or use Fn::ImportValue for programmatic access
Resources: SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: !ImportValue Fn::Sub: ${NetworkStackName}-VpcId GroupDescription: Security group for application
Cross-Stack Reference Pattern
Create a dedicated network stack that exports values:
network-stack.yaml
AWSTemplateFormatVersion: 2010-09-09 Description: Network infrastructure stack
Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 Tags: - Key: Name Value: !Sub ${AWS::StackName}-vpc
PublicSubnets: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.1.0/24 AvailabilityZone: !Select [0, !GetAZs ''] MapPublicIpOnLaunch: true
Outputs: VpcId: Value: !Ref VPC Export: Name: !Sub ${AWS::StackName}-VpcId
PublicSubnetIds: Value: !Ref PublicSubnets Export: Name: !Sub ${AWS::StackName}-PublicSubnetIds
Application stack imports these values:
application-stack.yaml
AWSTemplateFormatVersion: 2010-09-09 Description: Application stack that imports from network
Parameters: NetworkStackName: Type: String Description: Name of the network stack Default: network-stack
Resources: Instance: Type: AWS::EC2::Instance Properties: SubnetId: !ImportValue Fn::Sub: ${NetworkStackName}-PublicSubnetIds InstanceType: t3.micro
VPC Components
VPC with All Components
AWSTemplateFormatVersion: 2010-09-09 Description: Complete VPC with public/private subnets, NAT, and IGW
Parameters: EnvironmentName: Type: String Default: production
Resources:
VPC
VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsHostnames: true EnableDnsSupport: true Tags: - Key: Name Value: !Sub ${EnvironmentName}-vpc - Key: Environment Value: !Ref EnvironmentName
Internet Gateway
InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Sub ${EnvironmentName}-igw - Key: Environment Value: !Ref EnvironmentName
InternetGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway
NAT Gateway (with EIP)
NatGatewayEIP: Type: AWS::EC2::EIP DependsOn: InternetGatewayAttachment Properties: Domain: vpc Tags: - Key: Name Value: !Sub ${EnvironmentName}-nat-eip
NatGateway: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatGatewayEIP.AllocationId SubnetId: !Ref PublicSubnet1 Tags: - Key: Name Value: !Sub ${EnvironmentName}-nat-gw - Key: Environment Value: !Ref EnvironmentName
Public Subnets
PublicSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.1.0/24 AvailabilityZone: !Select [0, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub ${EnvironmentName}-public-1 - Key: SubnetType Value: Public
PublicSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.2.0/24 AvailabilityZone: !Select [1, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub ${EnvironmentName}-public-2 - Key: SubnetType Value: Public
Private Subnets
PrivateSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.10.0/24 AvailabilityZone: !Select [0, !GetAZs ''] Tags: - Key: Name Value: !Sub ${EnvironmentName}-private-1 - Key: SubnetType Value: Private
PrivateSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.11.0/24 AvailabilityZone: !Select [1, !GetAZs ''] Tags: - Key: Name Value: !Sub ${EnvironmentName}-private-2 - Key: SubnetType Value: Private
Public Route Table
PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${EnvironmentName}-public-rt
DefaultPublicRoute: Type: AWS::EC2::Route DependsOn: InternetGatewayAttachment Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway
PublicSubnetRouteTableAssociation1: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnet1 RouteTableId: !Ref PublicRouteTable
PublicSubnetRouteTableAssociation2: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnet2 RouteTableId: !Ref PublicRouteTable
Private Route Table (with NAT)
PrivateRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${EnvironmentName}-private-rt
DefaultPrivateRoute: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NatGateway
PrivateSubnetRouteTableAssociation1: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PrivateSubnet1 RouteTableId: !Ref PrivateRouteTable
PrivateSubnetRouteTableAssociation2: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PrivateSubnet2 RouteTableId: !Ref PrivateRouteTable
Outputs: VpcId: Value: !Ref VPC Export: Name: !Sub ${EnvironmentName}-VpcId
InternetGatewayId: Value: !Ref InternetGateway Export: Name: !Sub ${EnvironmentName}-InternetGatewayId
PublicSubnetIds: Value: !Join [",", [!Ref PublicSubnet1, !Ref PublicSubnet2]] Export: Name: !Sub ${EnvironmentName}-PublicSubnetIds
PrivateSubnetIds: Value: !Join [",", [!Ref PrivateSubnet1, !Ref PrivateSubnet2]] Export: Name: !Sub ${EnvironmentName}-PrivateSubnetIds
NatGatewayId: Value: !Ref NatGateway Export: Name: !Sub ${EnvironmentName}-NatGatewayId
Best Practices
Use AWS-Specific Parameter Types
Always use AWS-specific parameter types for validation and easier selection.
Parameters: VpcId: Type: AWS::EC2::VPC::Id Description: Select a VPC
SubnetIds: Type: List<AWS::EC2::Subnet::Id> Description: Select subnets
SecurityGroupIds: Type: List<AWS::EC2::SecurityGroup::Id> Description: Select security groups
Organize by Lifecycle
Separate resources that change at different rates into different stacks.
Network stack - rarely changes
AWSTemplateFormatVersion: 2010-09-09 Description: Network infrastructure (VPC, subnets, routes) Resources: VPC: AWS::EC2::VPC Subnets: AWS::EC2::Subnet RouteTables: AWS::EC2::RouteTable
Application stack - changes frequently
AWSTemplateFormatVersion: 2010-09-09 Description: Application resources Parameters: NetworkStackName: Type: String Resources: Instances: AWS::EC2::Instance
Use Meaningful Names
Use AWS::StackName and parameters for consistent naming.
Resources: VPC: Type: AWS::EC2::VPC Properties: Tags: - Key: Name Value: !Sub ${AWS::StackName}-vpc - Key: Environment Value: !Ref EnvironmentName
Use Pseudo Parameters
Use pseudo parameters for region-agnostic templates.
Resources: S3Bucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub ${AWS::StackName}-${AWS::AccountId}-${AWS::Region}
LambdaFunction: Type: AWS::Lambda::Function Properties: Runtime: nodejs18.x Handler: index.handler Role: !GetAtt LambdaExecutionRole.Arn
Validate Before Deployment
Validate template
aws cloudformation validate-template --template-body file://template.yaml
Check for syntax errors
aws cloudformation validate-template
--template-body file://template.yaml
--query 'Description'
Use cfn-lint for advanced validation
pip install cfn-lint cfn-lint template.yaml
Stack Policies
Stack Policies prevent unintentional updates to critical resources. Use them to protect production infrastructure.
{ "Statement": [ { "Effect": "Allow", "Action": "Update:", "Principal": "", "Resource": "" }, { "Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"], "Principal": "", "Resource": "LogicalId=ProductionDatabase" }, { "Effect": "Deny", "Action": "Update:Replace", "Principal": "*", "Resource": "LogicalId=VPC" } ] }
Apply the stack policy:
aws cloudformation set-stack-policy
--stack-name my-production-stack
--stack-policy-body file://stack-policy.json
Common Stack Policy Use Cases:
-
Protect database resources: Prevent accidental replacement of RDS instances
-
Protect VPC infrastructure: Prevent changes that could disrupt connectivity
-
Protect IAM roles: Prevent modifications that could break authorization
Termination Protection
Enable termination protection to prevent accidental stack deletion. This is critical for production environments.
Enable via AWS Console:
-
Go to CloudFormation > Stacks
-
Select your stack
-
Click "Stack actions" > "Enable termination protection"
Enable via AWS CLI:
Enable termination protection
aws cloudformation update-termination-protection
--stack-name my-production-stack
--enable-termination-protection
Disable termination protection (requires console access)
aws cloudformation update-termination-protection
--stack-name my-production-stack
--no-enable-termination-protection
Enable via CloudFormation (for new stacks):
Resources: ProductionStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: https://s3.amazonaws.com/my-bucket/production.yaml TerminationProtection: true
Important Considerations:
-
Termination protection does not prevent stack updates
-
To delete a protected stack, you must first disable termination protection
-
Nested stacks inherit termination protection from parent stacks
-
Always enable for production and staging environments
Drift Detection
Drift detection identifies differences between your CloudFormation stack and the actual infrastructure. Run regular drift checks to ensure compliance.
Detect Drift on a Stack:
Detect drift on a stack
aws cloudformation detect-drift
--stack-name my-vpc-stack
Check drift status
aws cloudformation describe-stack-drift-detection-status
--stack-drift-detection-id <detection-id>
Get drift detection results
aws cloudformation describe-stack-resource-drifts
--stack-name my-vpc-stack
Drift Status Values:
-
IN_SYNC : Resource matches the template
-
DRIFTED : Resource has been modified outside CloudFormation
-
NOT_CHECKED : Resource was not checked
-
UNKNOWN : Drift status could not be determined
Automated Drift Detection with Events:
Use AWS Config for continuous drift monitoring
Resources: ConfigRule: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: cloudformation-drift-detection Scope: ComplianceResourceTypes: - AWS::EC2::VPC - AWS::EC2::Subnet - AWS::EC2::SecurityGroup Source: Owner: CUSTOM_LAMBDA SourceIdentifier: Fn::GetAtt: [DriftDetectionFunction, Arn]
Best Practices for Drift Detection:
-
Run drift detection weekly for production stacks
-
Set up CloudWatch Events to trigger drift detection on schedule
-
Document and address all drift immediately
-
Use drift detection as part of change management process
Change Sets
Change Sets allow you to preview stack changes before applying them. This is essential for production deployments.
Create and Review a Change Set:
Create a change set
aws cloudformation create-change-set
--stack-name my-vpc-stack
--template-body file://updated-template.yaml
--change-set-name vpc-update-changeset
--capabilities CAPABILITY_IAM
List change sets
aws cloudformation list-change-sets
--stack-name my-vpc-stack
Describe change set
aws cloudformation describe-change-set
--stack-name my-vpc-stack
--change-set-name vpc-update-changeset
Execute change set
aws cloudformation execute-change-set
--stack-name my-vpc-stack
--change-set-name vpc-update-changeset
Delete change set (if not executing)
aws cloudformation delete-change-set
--stack-name my-vpc-stack
--change-set-name vpc-update-changeset
Change Set Types:
Type Description Use Case
UPDATE
Standard update Regular changes
CREATE
Creates new stack Initial deployment
IMPORT
Imports existing resources Lift-and-shift
Change Set Output Example:
{ "ChangeSetId": "arn:aws:cloudformation:us-east-1:123456789:changeSet/...", "Changes": [ { "Type": "Resource", "ResourceChange": { "Action": "Modify", "LogicalResourceId": "VPC", "PhysicalResourceId": "vpc-12345678", "Replacement": "False", "Details": [ { "Target": { "Attribute": "Tags", "RequiresRecreation": "Never" }, "Evaluation": "Static", "ChangeSource": "DirectModification" } ] } } ], "ExecutionStatus": "AVAILABLE", "Status": "CREATE_COMPLETE" }
Best Practices for Change Sets:
-
Always create a change set before updating production stacks
-
Review all changes carefully before execution
-
Use meaningful change set names (e.g., vpc-security-update-2024-01 )
-
Execute change sets promptly after review
-
Set a TTL on change sets if your organization requires approval workflows
CI/CD Integration with Change Sets
GitHub Actions workflow for safe deployments
name: Deploy CloudFormation on: push: branches: [main]
jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
aws-region: us-east-1
- name: Create Change Set
id: changeset
run: |
aws cloudformation create-change-set \
--stack-name ${{ env.STACK_NAME }} \
--template-body file://template.yaml \
--change-set-name preview-changes \
--capabilities CAPABILITY_IAM \
--query 'Id' \
--output text
- name: Describe Change Set
run: |
aws cloudformation describe-change-set \
--stack-name ${{ env.STACK_NAME }} \
--change-set-name preview-changes
- name: Execute Change Set (Manual approval required)
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: |
aws cloudformation execute-change-set \
--stack-name ${{ env.STACK_NAME }} \
--change-set-name preview-changes
Related Resources
-
For advanced patterns: See EXAMPLES.md
-
For reference: See REFERENCE.md
-
AWS CloudFormation User Guide: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
-
AWS VPC Documentation: https://docs.aws.amazon.com/vpc/latest/userguide/