An Introduction to AWS CloudFormation Change Sets


January 22, 2018 By Eric Shanks

If you’ve done any work in Amazon Web Services, you probably know the importance of CloudFormation (CFn) as part of your Infrastructure as Code (IaC) strategy. A CloudFormation template is a JSON or YAML formatted document that describes the AWS infrastructure you want to deploy. If you need to re-deploy the same infrastructure across production and development environments, this is pretty easy since the configuration is in a template stored in your source control.

Now that we are deploying our infrastructure from CFn templates, we have to consider what we do when a small part of that infrastructure needs a change. Perhaps we can redeploy the entire environment, but this might not be feasible in all cases. Also, if we’re making a small change, it might take a while to redeploy everything when we really only need to tweak the settings a little.

Change Sets

Thankfully, AWS has “Change Sets”, which allow us to modify an existing CloudFormation Stack with a new template. If you’re not familiar with a stack, think of it as the deployed object that comes from a CloudFormation Template. For example, if you had a template that deployed four EC2 instances, deploying the template creates a stack that represents those four servers as a single deployment. If you delete the stack, you remove all the resources that it described.

Change Sets are created by building a new CloudFormation Template (or modifying the original) and creating a change set against the original stack. You can then view the changes that will be deployed before you decide to execute the change.

Creating a Change Set

Let’s take a look at the process from the console. First we need to have a CloudFormation stack that we want to modify. In the example below, I’m going to modify a CFn stack that deployed a Lambda function and an IAM policy document. Assume that I forgot to add a permission to the policy and I want to fix that without re-deploying my whole CFn template.

 

Select the CloudFormation Stack that you want to modify, then click the Actions drop-down. Select “Create Change Set for Current Stack” from the list.

 

From this point forward, it should look a lot like a normal CloudFormation deployment if you do it from the console. The wizard that opens will ask for the template to use as the change set. Select your new CloudFormation Template. NOTE: You can use the same template that was used to deploy the resources if you want, which should re-deploy the exact same settings unless you’ve modified the template. In this case I’ve selected a newly updated template with my new IAM policy permissions.

 

On the next screen, enter a change set name (instead of a Stack name like a standard CFn deployment) and a description. Also, if your CFn template has input parameters, enter those here as well.

The next screen will ask for additional options such as adding any tags and specifying a role with permissions to deploy the CFn template resources.

 

On the last screen, you have an opportunity to review your settings before clicking the “Create Change Set” button.

Review the Change Set

At this point, nothing in your environment has changed yet. You created a change set, but that doesn’t deploy your code, it just stages it for the upcoming deployment. If we look at our CloudFormation Stacks again, we can select the stack we created the change set for and click the “Change Sets” tab. We’ll notice that our Change Set is listed under this tab. Click the name of the change set to open up the change set window.

If we look at the change set, we can see under the changes section what will actually be modified. In my case the Change Set will modify my Execution Role and my Lambda Function. Also, under the “Replacement” field, you’ll see False, meaning that the object doesn’t need to be replaced; it can just be edited in place by CloudFormation. Pretty neat, huh? Now we can stage any changes we need for the environment ahead of time and assess the impact right from this screen. Pretty handy for System Administrators who want to get as much work done as possible before a change window starts. This is also great for figuring out what components might need a change request opened in your change management system.
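The same review can be run against the JSON that `aws cloudformation describe-change-set` returns. The following is an added example, not code from the original post: it flags deletions, replacements and IAM changes for sign-off and only executes a change set with no findings. The sample change set and its names are constructed, and `cfn` is assumed to be a boto3 CloudFormation client.

```python
import json

# Constructed sample shaped like `aws cloudformation describe-change-set` output;
# the stack, change set and resource names are made up for illustration.
SAMPLE = json.loads("""
{
  "StackName": "lambda-demo", "ChangeSetName": "add-iam-permission",
  "ExecutionStatus": "AVAILABLE",
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "ExecutionRole",
      "ResourceType": "AWS::IAM::Role", "Replacement": "False"}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "LambdaFunction",
      "ResourceType": "AWS::Lambda::Function", "Replacement": "False"}}
  ]
}
""")

def review_change_set(cs):
    """Return (logical_id, reason) pairs that need human sign-off before execution."""
    findings = []
    if cs.get("ExecutionStatus") != "AVAILABLE":
        findings.append((cs.get("ChangeSetName"), "change set is not executable"))
    for change in cs.get("Changes", []):
        rc = change.get("ResourceChange", {})
        rid = rc.get("LogicalResourceId")
        if rc.get("Action") == "Remove":
            findings.append((rid, "resource will be deleted"))
        # "True" and "Conditional" both mean the physical resource may be recreated.
        if rc.get("Replacement") in ("True", "Conditional"):
            findings.append((rid, "resource may be replaced"))
        if rc.get("ResourceType", "").startswith("AWS::IAM::"):
            findings.append((rid, "IAM permissions change"))
    return findings

def execute_if_clean(cfn, stack, name):
    """cfn is assumed to be a boto3 CloudFormation client; run only if nothing is flagged."""
    cs = cfn.describe_change_set(StackName=stack, ChangeSetName=name)
    findings = review_change_set(cs)
    if not findings:
        cfn.execute_change_set(StackName=stack, ChangeSetName=name)
    return findings

if __name__ == "__main__":
    for rid, reason in review_change_set(SAMPLE):
        print(f"REVIEW {rid}: {reason}")
```

Large change sets are paginated, so a production version would follow `NextToken` before deciding that nothing is flagged.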

Execute the Change

Now, from the change set screen, press the “Execute” button to push the code changes. If you watch your CloudFormation Stacks, you’ll notice your stack start to update.

In a moment, you’ll see the stack has been updated successfully and if we look in the change sets tab again we’ll notice that a change set has been applied to our stack. 

Summary

Change is going to happen, so any Infrastructure as Code initiative needs a plan to handle those changes when they arise. Can you re-deploy? Should you update it manually? There are reasons that you wouldn’t want to do either of those things. Change Sets let you keep managing your environment through CloudFormation while still making changes when they need to occur.