AWS re:Invent 2019: [REPEAT 1] Best practices for authoring AWS CloudFormation (DOP302-R1)

Authoring Best Practices

  • Parameters: Avoid hardcoding values, can add validation to users and improve UX with console grouping, labels, descriptions; keep secrets in SSM Parameter Store and Secrets Manager

  • Mappings: As a case statement, helps maintain a set of information for various environments

  • Conditions: Simple if/then statements (e.g. if dev do this, if prod do that)

  • Imports and exports, leverage cross-stack references or export/import values through SSM

  • Use !Sub over !Join

  • Leverage SSM Parameter Store for latest AMI instance IDs

Testing & Deployment Best Practices

  • Run Lint in headless mode, prevent promoting templates with errors

  • Use TaskCat to live-test infrastructure

  • Use ChangeSets to know what effect the change will have on the underlying resources before actually deploying it

  • Use StackSets to deploy across multiple accounts and regions

  • Use automated deployment pipelines to deploy infrastructure changes

  • Refactor large stacks with resource import

  • Detect and remediate drift

StackSets best practices

  • Partially deploy your CloudFormation StackSet updates to reduce blast radius; great for sanity testing / releasing incrementally

  • Depending on your speed needs, consider setting a higher concurrent account limit

  • Use parameter overrides to define specific parameters in account-region pairs

  • Separate stacks by function and frequency of changes needed

Last updated