
AWS CloudFormation

What is CloudFormation?

AWS CloudFormation is AWS's native infrastructure-as-code (IaC) service: you model AWS resources in JSON or YAML templates, and CloudFormation creates, updates and deletes them as a stack, ordering operations by their dependencies and, by default, rolling the stack back to its last known good state when an operation fails.

Templates

CloudFormation templates are YAML or JSON documents that declare the AWS resources you want to provision. Resources is the only required section; Parameters, Mappings, Conditions, Outputs (and Metadata and Transform) are optional. Outputs are readable by anyone allowed to call DescribeStacks on the stack, so never put secrets in them.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "S3 bucket with versioning enabled"
Resources:
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::AccountId}-data-bucket"
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Environment
          Value: Production
Outputs:
  BucketName:
    Description: "Name of the created bucket"
    Value: !Ref DataBucket
```
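The bucket above is versioned but says nothing about public access or encryption, which is the first thing a reviewer looks for. The following added example (not code from the page or from AWS) is a small static checker that walks the Resources section of a template and flags the common misconfigurations in S3 buckets and security groups. It reads the template in JSON form, which is the long form the YAML short tags map to (`!Ref X` is `{"Ref": "X"}`); the sample template, including the "HardenedBucket" and "OfficeCIDR" names, is constructed for the example.

```python
"""Static security checks over a CloudFormation template (added example, not AWS tooling)."""
import json

# Constructed sample template in JSON form: one weak bucket, one hardened bucket,
# and a security group with a mix of acceptable and risky ingress rules.
SAMPLE = json.loads(r"""
{
  "Resources": {
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "VersioningConfiguration": {"Status": "Enabled"}}},
    "HardenedBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "VersioningConfiguration": {"Status": "Enabled"},
      "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "BlockPublicPolicy": true,
                                         "IgnorePublicAcls": true, "RestrictPublicBuckets": true},
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "-1", "CidrIp": {"Ref": "OfficeCIDR"}}]}}
  }
}
""")

ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def check_bucket(logical_id, props):
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append(f"{logical_id}: PublicAccessBlockConfiguration missing or not fully enabled")
    if "BucketEncryption" not in props:
        findings.append(f"{logical_id}: BucketEncryption not declared")
    return findings


def check_security_group(logical_id, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr is None:
            continue  # source is another security group or a prefix list, not a CIDR
        if not isinstance(cidr, str):
            # An intrinsic such as {"Ref": "OfficeCIDR"} is only known at deploy time
            findings.append(f"{logical_id}: ingress CIDR resolved at deploy time, review manually")
            continue
        if cidr not in WORLD:
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if str(rule.get("IpProtocol")) == "-1" or lo is None or hi is None:
            findings.append(f"{logical_id}: all traffic open to {cidr}")
        elif any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(f"{logical_id}: admin port range {lo}-{hi} open to {cidr}")
    return findings


CHECKS = {"AWS::S3::Bucket": check_bucket, "AWS::EC2::SecurityGroup": check_security_group}


def lint(template):
    """Return one finding string per problem found in the template's Resources."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(logical_id, res.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

The 443 rule is deliberately not flagged: a public HTTPS listener is normal, an SSH port open to the world is not. S3 has encrypted new objects with SSE-S3 by default since 2023, so the BucketEncryption finding is about making the choice (and any KMS key) explicit and auditable rather than about plaintext at rest. The same idea at production scale is what cfn-guard, cfn-nag or checkov do; the value of writing a check yourself is that it can encode your organization's own rules.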

Resources and Intrinsic Functions

Resources are declared with a Type (e.g., AWS::EC2::VPC, AWS::RDS::DBInstance) and Properties. AWS CloudFormation provides intrinsic functions for dynamic template values:

| Function | Purpose |
|---|---|
| `!Ref` | Returns the physical ID of a resource, or the value of a parameter |
| `!Sub` | Substitutes `${...}` variables in a string |
| `!GetAtt` | Returns an attribute of a resource |
| `!Join` | Joins values with a delimiter |
| `!Select` | Returns an element from a list |
| `!FindInMap` | Returns a value from a mapping |
| `!If` | Conditional value based on a condition |

```yaml
Resources:
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      # Look up the AMI for the region the stack is being deployed in
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
      # Pick the size from a condition declared in the Conditions section
      InstanceType: !If [IsProduction, t3.medium, t3.micro]
      # !Ref on an AWS::EC2::SecurityGroup returns its ID, so use SecurityGroupIds;
      # the SecurityGroups property expects group names and only works in the default VPC
      SecurityGroupIds:
        - !Ref WebSecurityGroup
```

Parameters

Parameters let you pass values into a template at stack creation or update time, which keeps one template reusable across environments. Constrain them with AllowedValues, AllowedPattern, MinLength/MaxLength and similar properties so bad input is rejected before any resource is touched. For secrets, set NoEcho: true so the value is masked in console and API output, or better, keep the secret out of the template entirely with a dynamic reference to Secrets Manager or SSM Parameter Store.

```yaml
Parameters:
  Environment:
    Type: String
    AllowedValues:
      - dev
      - staging
      - production
    Default: dev
    Description: "Deployment environment"
  VpcCIDR:
    Type: String
    Default: "10.0.0.0/16"
    AllowedPattern: "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/\\d{1,2}"
```
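To make the two preceding sections concrete (parameter validation, and how `!Ref`, `!Sub`, `!FindInMap`, `!If`, `!Join`, `!Select` and `!GetAtt` are evaluated), here is an added example, not code from the page or from AWS, that validates parameters the way CloudFormation does and then resolves the intrinsic functions of a template offline. It works on the JSON form of a template, which is exactly what the YAML short tags mean (`!Ref X` is `{"Ref": "X"}`, `!If [...]` is `{"Fn::If": [...]}`). The template, the mapping values, the AMI IDs and the account ID are constructed placeholders; values that only exist once a resource has been created (a `Ref` to a resource, any `GetAtt`) are returned as labelled placeholders.

```python
"""Offline evaluator for CloudFormation parameters and intrinsic functions (added example, not AWS code)."""
import json
import re

# Constructed template in JSON form; AMI IDs and mapping values are placeholders.
TEMPLATE = json.loads(r"""
{
  "Parameters": {
    "Environment": {"Type": "String", "Default": "dev", "AllowedValues": ["dev", "staging", "production"]},
    "VpcCIDR": {"Type": "String", "Default": "10.0.0.0/16",
                "AllowedPattern": "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/\\d{1,2}"}
  },
  "Mappings": {"RegionMap": {"us-east-1": {"AMI": "ami-0aaaaaaaaaaaaaaaa"},
                             "eu-west-1": {"AMI": "ami-0bbbbbbbbbbbbbbbb"}}},
  "Conditions": {"IsProduction": {"Fn::Equals": [{"Ref": "Environment"}, "production"]}},
  "Resources": {
    "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "web"}},
    "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {
      "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
      "InstanceType": {"Fn::If": ["IsProduction", "t3.medium", "t3.micro"]},
      "SecurityGroupIds": [{"Ref": "WebSecurityGroup"}],
      "Tags": [{"Key": "Name", "Value": {"Fn::Sub": "${Environment}-web-${AWS::Region}-${!Literal}"}}]}}
  }
}
""")


def validate_parameters(template, supplied):
    """Apply Default, AllowedValues and AllowedPattern as CloudFormation does.
    AllowedPattern must match the whole value, hence fullmatch rather than search."""
    values = {}
    for name, spec in template.get("Parameters", {}).items():
        if name in supplied:
            value = supplied[name]
        elif "Default" in spec:
            value = spec["Default"]
        else:
            raise ValueError(f"parameter {name}: no value supplied and no Default")
        if "AllowedValues" in spec and value not in spec["AllowedValues"]:
            raise ValueError(f"parameter {name}: {value!r} not in AllowedValues")
        if "AllowedPattern" in spec and not re.fullmatch(spec["AllowedPattern"], value):
            raise ValueError(f"parameter {name}: {value!r} does not match AllowedPattern")
        values[name] = value
    return values


class Resolver:
    def __init__(self, template, params, region, account_id):
        self.t, self.params = template, params
        self.pseudo = {"AWS::Region": region, "AWS::AccountId": account_id}

    def ref(self, name):
        if name in self.pseudo:
            return self.pseudo[name]
        if name in self.params:
            return self.params[name]
        if name in self.t.get("Resources", {}):
            return f"<physical-id:{name}>"  # known only once the resource exists
        raise KeyError(f"Ref to undefined name {name}")

    def resolve(self, node):
        if isinstance(node, list):
            return [self.resolve(n) for n in node]
        if not isinstance(node, dict):
            return node
        if len(node) == 1:  # every intrinsic function is a one-key object
            (fn, arg), = node.items()
            if fn == "Ref":
                return self.ref(arg)
            if fn == "Fn::GetAtt":  # attribute values exist only after creation
                res, attr = arg if isinstance(arg, list) else arg.split(".", 1)
                return f"<{res}.{attr}>"
            if fn == "Fn::Sub":
                text, extra = (arg, {}) if isinstance(arg, str) else (arg[0], self.resolve(arg[1]))

                def sub(m):
                    key = m.group(1)
                    if key.startswith("!"):  # ${!X} is the escape for a literal ${X}
                        return "${" + key[1:] + "}"
                    if key in extra:
                        return str(extra[key])
                    if "." in key:
                        return self.resolve({"Fn::GetAtt": key})
                    return str(self.ref(key))
                return re.sub(r"\$\{([^}]+)\}", sub, text)
            if fn == "Fn::FindInMap":
                name, top, second = self.resolve(arg)
                return self.t["Mappings"][name][top][second]
            if fn == "Fn::If":
                cond, yes, no = arg
                return self.resolve(yes if self.resolve(self.t["Conditions"][cond]) else no)
            if fn == "Fn::Join":
                delim, parts = arg
                return delim.join(str(p) for p in self.resolve(parts))
            if fn == "Fn::Select":
                idx, items = arg
                return self.resolve(items)[int(self.resolve(idx))]
            if fn == "Fn::Equals":  # Fn::And / Fn::Or / Fn::Not omitted for brevity
                a, b = self.resolve(arg)
                return a == b
        return {k: self.resolve(v) for k, v in node.items()}


def render(template, supplied, region, account_id="123456789012"):
    """Validate parameters, then resolve every intrinsic in the Resources section."""
    params = validate_parameters(template, supplied)
    return Resolver(template, params, region, account_id).resolve(template["Resources"])


if __name__ == "__main__":
    print(json.dumps(render(TEMPLATE, {"Environment": "production"}, "us-east-1"), indent=2))
```

Two things the evaluator makes visible. First, AllowedPattern is matched against the whole value, so `10.0.0.0/16 extra` is rejected even though a search-style match would accept it. Second, the pattern from the page is purely syntactic: `999.999.999.999/99` passes it, so a pattern like this stops typos, not bad input, and anything security-relevant (a CIDR that ends up in a security group rule, for instance) still needs a semantic check or a custom resource.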

Change Sets

Change sets let you preview which resources an update will add, modify, replace or delete before anything is applied, roughly what terraform plan does. Read the Replacement column closely: a replacement creates a new physical resource and deletes the old one, so its ID changes and any data on the old resource is lost.

```bash
# Create the change set (add --capabilities CAPABILITY_NAMED_IAM if the template creates IAM resources)
aws cloudformation create-change-set \
  --stack-name my-stack \
  --template-body file://updated-template.yaml \
  --change-set-name my-change-set
# Creation is asynchronous; wait for it before describing
aws cloudformation wait change-set-create-complete \
  --stack-name my-stack \
  --change-set-name my-change-set
# describe/execute need --stack-name when given a change set name rather than its ARN
aws cloudformation describe-change-set \
  --stack-name my-stack \
  --change-set-name my-change-set
aws cloudformation execute-change-set \
  --stack-name my-stack \
  --change-set-name my-change-set
```
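In a pipeline the interesting step is between describe and execute: deciding whether the change set is safe to apply unattended. The following added example (not code from the page or from AWS) reads the JSON that `describe-change-set` prints and returns a decision: execute automatically, hold for human approval, or skip because there is nothing to execute. It holds on deletions, on replacements, and on changes to identity, key and network-boundary resources. The two responses below are constructed; the field names follow the DescribeChangeSet response shape, the resource names and the list of "sensitive" type prefixes are assumptions for the example.

```python
"""Approval gate for a CloudFormation change set (added example, not AWS tooling)."""
import json
import sys

# Constructed describe-change-set output; only the fields the gate reads are included.
CHANGE_SET = json.loads("""
{
  "ChangeSetName": "my-change-set", "StackName": "my-stack",
  "Status": "CREATE_COMPLETE", "ExecutionStatus": "AVAILABLE",
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "DataBucket",
      "ResourceType": "AWS::S3::Bucket", "Replacement": "False", "Scope": ["Tags"]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "WebServer",
      "ResourceType": "AWS::EC2::Instance", "Replacement": "True", "Scope": ["Properties"],
      "Details": [{"Target": {"Attribute": "Properties", "Name": "ImageId",
                              "RequiresRecreation": "Always"}}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Add", "LogicalResourceId": "DeployRole",
      "ResourceType": "AWS::IAM::Role", "Replacement": "False", "Scope": []}}
  ]
}
""")

# Constructed: what you get when the template contains no changes
NO_CHANGES = json.loads("""
{"ChangeSetName": "my-change-set", "StackName": "my-stack",
 "Status": "FAILED", "ExecutionStatus": "UNAVAILABLE",
 "StatusReason": "The submitted information didn't contain changes.",
 "Changes": []}
""")

# Assumed policy: these resource types always need a human to look at the change
SENSITIVE_PREFIXES = ("AWS::IAM::", "AWS::KMS::", "AWS::EC2::SecurityGroup")


def review(change_set):
    """Return (decision, reasons); decision is 'execute', 'approve' or 'skip'."""
    if change_set.get("Status") == "FAILED":
        # Most often "no changes", sometimes a template error: nothing to execute either way
        return "skip", [change_set.get("StatusReason", "change set creation failed")]
    if change_set.get("ExecutionStatus") != "AVAILABLE":
        return "skip", [f"execution status is {change_set.get('ExecutionStatus')}"]
    reasons = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange")
        if not rc:
            continue
        ident = f"{rc['LogicalResourceId']} ({rc['ResourceType']})"
        if rc["Action"] == "Remove":
            reasons.append(f"{ident}: resource will be deleted")
        if rc.get("Replacement") in ("True", "Conditional"):
            # A replacement is a new physical resource: new ID, old data gone
            cause = [d["Target"].get("Name") for d in rc.get("Details", [])
                     if d["Target"].get("RequiresRecreation") in ("Always", "Conditionally")]
            reasons.append(f"{ident}: replacement={rc['Replacement']} caused by {cause}")
        if rc["ResourceType"].startswith(SENSITIVE_PREFIXES):
            reasons.append(f"{ident}: {rc['Action']} on an identity/crypto/network-boundary resource")
    return ("approve" if reasons else "execute"), reasons


if __name__ == "__main__":
    # Pipe `aws cloudformation describe-change-set ... ` into this script, or run it on the sample
    data = json.load(sys.stdin) if not sys.stdin.isatty() else CHANGE_SET
    decision, reasons = review(data)
    print(decision)
    for reason in reasons:
        print(" -", reason)
    sys.exit(1 if decision == "approve" else 0)
```

Wired into a pipeline, a non-zero exit blocks the `execute-change-set` step and posts the reasons for a reviewer. The "skip" branch matters in practice: a change set whose template contains no changes is created in FAILED status, and a job that treats that as an error will fail every idempotent re-run.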

Stacks and StackSets

A stack is a single instance of a CloudFormation template. A StackSet lets you deploy the same template across multiple accounts and regions from a single operation.

```bash
# Create a StackSet
aws cloudformation create-stack-set \
  --stack-set-name vpc-baseline \
  --template-body file://vpc-template.yaml
# Deploy to multiple accounts and regions
aws cloudformation create-stack-instances \
  --stack-set-name vpc-baseline \
  --accounts 123456789012 234567890123 \
  --regions us-east-1 eu-west-1
```

StackSets are the usual way to push baseline infrastructure (guardrails, logging, networking) to every account in an AWS Organization from a single place.

StackSet Requirements

StackSets need IAM roles in every target account. With self-managed permissions you create AWSCloudFormationStackSetAdministrationRole in the administrator account and AWSCloudFormationStackSetExecutionRole in each target account yourself; with service-managed permissions CloudFormation uses AWS Organizations trusted access to create them, which is also what lets you target organizational units (OUs) instead of explicit account lists. Either way the execution role is highly privileged in every target account, so StackSet administration is normally restricted to a central platform or cloud center of excellence team.

CloudFormation vs Terraform

| Aspect | CloudFormation | Terraform |
|---|---|---|
| Scope | AWS only (third-party resource types via the CloudFormation Registry) | Multi-cloud (2000+ providers) |
| Language | JSON / YAML | HCL (HashiCorp Configuration Language) |
| State | Managed by AWS (no state file) | Local or remote state file |
| Drift detection | Built-in (`detect-stack-drift`) | `terraform plan` (or `plan -refresh-only`) |
| Rollbacks | Automatic on failure | None built in; a failed apply leaves partial state to fix and re-apply |
| Modules | Nested stacks and CloudFormation modules | Registry modules with versioning |
| Policy | Stack policies, CloudFormation Guard, Hooks | Sentinel / OPA |
| Pricing | Free for AWS resource types (third-party registry types billed per handler operation) | Free CLI; Terraform Cloud (HCP Terraform) paid tiers |
| Learning curve | Easier for AWS-only teams | Steeper but more transferable |

When to Use Each

Use CloudFormation when:

  • You are AWS-only and want the tightest AWS integration
  • You need automatic rollbacks on failure
  • You want no state file to manage (AWS handles it)
  • Your organization uses Service Catalog and StackSets heavily

Use Terraform when:

  • You are multi-cloud or use non-AWS providers (Datadog, Cloudflare, Kubernetes)
  • You want reusable modules with versioned registries
  • Your team values HCL’s readability over JSON/YAML
  • You want direct control over state (imports, moves, targeted applies) across complex dependency graphs

Caution

CloudFormation templates can become deeply nested with !Sub and !Join, making them harder to read than equivalent HCL. Terraform’s HCL syntax is generally more expressive and maintainable for complex infrastructure.

Summary

CloudFormation is the native IaC solution for AWS-only teams, offering seamless integration, automatic rollbacks, and StackSets for multi-account deployments. Terraform is the better choice for multi-cloud environments and teams that value HCL’s expressiveness and the Terraform Registry’s module ecosystem.