CloudFormation part 2
Class 54th: AWS CloudFormation, June 28th
Practical:
Step 1: CloudFormation > Stacks > Create stack > Choose template > Upload a template file.
Click Next.
Upload the CFT.yaml file:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CCITAdminUser:
    Type: AWS::IAM::User
    Properties:
      UserName: CCITAdmin
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
  CCITDev1User:
    Type: AWS::IAM::User
    Properties:
      UserName: CCITDev1
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
  CCITDev2User:
    Type: AWS::IAM::User
    Properties:
      UserName: CCITDev2
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
Step 2: Give the stack any name.
Change nothing else; check the "I acknowledge" box, click Next, then click Submit.
Step 3: The script will create the new users CCITAdmin, CCITDev1 and CCITDev2.
Step 4: The three users are created successfully, with the policies attached to them.
Step 5: Now we create a user group for the users:
  # Creating the Dev user group
  CCITDevGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: CCITDevGroup
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AWSLambda_FullAccess
Step 6: Click "Make a direct update" > "Replace existing template".
Step 7: The group is created successfully; CCITDevGroup has the S3 and Lambda policies attached.
Step 8: Add the users to the dev group:
  # Adding users to the dev group
  AddUserToGroup:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref CCITDevGroup
      Users:
        - !Ref CCITDev1User
        - !Ref CCITDev2User
Step 9: Save the file, choose "Replace existing template", upload it and click Submit.
The users are added to the dev group successfully.
Step 10: Create our own policy (IAM service): modify CFT.yml, upload it as a replacement of the existing template, click Next, then click Submit.
  # Create customer managed policy
  RDSAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: RDSPermissions
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - "rds:*"
            Resource: "*"
Step 11: The RDSPermissions customer managed policy is created successfully.
Step 12: We can attach the policy to the group with the line "- !Ref RDSAccessPolicy" shown below; save the file and upload it as a replacement.
  # Creating the Dev user group
  CCITDevGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: CCITDevGroup
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AWSLambda_FullAccess
        - !Ref RDSAccessPolicy
Step 13: The policy is added to the group successfully.
Step 14: Create a role for the EC2 resource; we give the EC2 instance permission to access S3 buckets:
  # Creating the Role for EC2
  EC2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: RoleforEC2
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: EC2S3Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - "s3:*"
                Resource: "*"
Click Save, replace and upload the template, click Next, then click Submit. The role is created with the EC2 permissions, as shown below.
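The grants in the IAM resources so far are broad: AdministratorAccess on a user, "rds:*" on Resource "*" in the customer managed policy, and "s3:*" on Resource "*" in the role's inline policy. A check a practitioner runs before submitting a stack is an audit over the template for exactly these patterns. The following Python is an added example, not code from the class notes or from AWS: it transcribes the page's IAM resources into a dict (the JSON form of a template, with !Ref written as {"Ref": ...}) and flags every wildcard Allow and every AWS managed policy ending in Access. The SCOPED_S3_POLICY statement and its bucket name are constructed placeholders that show what the audit lets through.

```python
"""Audit the IAM resources of a CloudFormation template for overly broad grants.

Added example, not from the class notes or from AWS. The template fragments are
transcribed into a Python dict (the JSON form of a template) so the check runs
offline; logical IDs match the page's CFT.yaml.
"""


def iam_user(name, policy_arns):
    """Build an AWS::IAM::User resource dict (helper for the constructed input)."""
    return {"Type": "AWS::IAM::User",
            "Properties": {"UserName": name, "ManagedPolicyArns": policy_arns}}


AWS_POLICY = "arn:aws:iam::aws:policy/"

# Constructed input: the page's IAM resources, transcribed from CFT.yaml.
TEMPLATE = {
    "Resources": {
        "CCITAdminUser": iam_user("CCITAdmin", [AWS_POLICY + "AdministratorAccess"]),
        "CCITDev1User": iam_user("CCITDev1", [AWS_POLICY + "AmazonS3FullAccess"]),
        "CCITDev2User": iam_user("CCITDev2", [AWS_POLICY + "AmazonS3FullAccess"]),
        "CCITDevGroup": {
            "Type": "AWS::IAM::Group",
            "Properties": {
                "GroupName": "CCITDevGroup",
                "ManagedPolicyArns": [AWS_POLICY + "AmazonS3FullAccess",
                                      AWS_POLICY + "AWSLambda_FullAccess",
                                      {"Ref": "RDSAccessPolicy"}],
            },
        },
        "RDSAccessPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "ManagedPolicyName": "RDSPermissions",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": ["rds:*"], "Resource": "*"}]},
            },
        },
        "EC2InstanceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "RoleforEC2",
                "Policies": [{"PolicyName": "EC2S3Access",
                              "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                                  {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}}],
            },
        },
    }
}

# Constructed counterpart: the same S3 access narrowed to one bucket. The bucket
# name is a placeholder, not a value from the page.
SCOPED_S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket-placeholder",
                  "arn:aws:s3:::example-bucket-placeholder/*"]}]}

BROAD_MANAGED_SUFFIXES = ("AdministratorAccess", "FullAccess")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def broad_statements(policy_document, location):
    """Yield a finding for each Allow statement pairing a wildcard action with Resource '*'."""
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
        if wild and "*" in _as_list(stmt.get("Resource", [])):
            yield f"{location}: Allow {wild} on Resource '*'"


def audit(template):
    """Return human-readable findings for every over-broad grant in the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        for arn in props.get("ManagedPolicyArns", []):
            # Intrinsic functions ({"Ref": ...}) point at customer policies audited below.
            if isinstance(arn, str) and arn.endswith(BROAD_MANAGED_SUFFIXES):
                findings.append(f"{name}: AWS managed policy {arn.rsplit('/', 1)[-1]}")
        if res.get("Type") == "AWS::IAM::ManagedPolicy":
            findings.extend(broad_statements(props.get("PolicyDocument", {}), name))
        for inline in props.get("Policies", []):
            findings.extend(broad_statements(inline.get("PolicyDocument", {}),
                                             f"{name}/{inline.get('PolicyName')}"))
    return findings


if __name__ == "__main__":
    for line in audit(TEMPLATE):
        print(line)
```

Run against the transcribed template it reports seven findings: the three users and the group for their AWS managed policies, RDSAccessPolicy for "rds:*", and EC2InstanceRole/EC2S3Access for "s3:*"; the scoped bucket statement produces none.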
Step 15: Create an EC2 instance in eu-west-1 with ImageId ami-0f4f4482537714bd9, instance type t2.micro and key pair AMAZON-LNX-KEY:
  # Creating EC2 instance
  EC2Instnace:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0f4f4482537714bd9
      KeyName: AMAZON-LNX-KEY
Step 16: The instance is created successfully.
Step 17: The instance is created, but we still need to attach the role to the EC2 instance.
As shown below, the role is not yet attached to the EC2 instance; an instance profile is needed to attach it:
  # Creating EC2 instance profile
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: EC2InstanceProfile
      Roles:
        - !Ref EC2InstanceRole
Step 18:
In the code above the ImageId is hard-coded. That is not generic: the same template will not work in another region, because AMI IDs are region-specific. To overcome this we use a Mappings section and look the image ID up at run time.
As shown below, when I launch the same stack in another region it creates the EC2 instance based on the mapping:
Mappings:
  RegionMap:
    eu-west-3:
      AMI: ami-0f8d3c5dcfaceaa4f
      InstType: t2.micro
      KeyName: Ec2VM-First
    eu-west-2:
      AMI: ami-0f4f4482537714bd9
      InstType: t3.micro
      KeyName: AMAZON-LNX-KEY

  # Creating EC2 instance
  EC2Instnace:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !FindInMap [RegionMap, !Ref "AWS::Region", InstType]
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
      IamInstanceProfile: !Ref EC2InstanceProfile
      KeyName: !FindInMap [RegionMap, !Ref "AWS::Region", KeyName]
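The lookup "!FindInMap [RegionMap, !Ref "AWS::Region", AMI]" is resolved by CloudFormation at stack creation time, and the failure mode is worth seeing before a submit: RegionMap above only has rows for eu-west-3 and eu-west-2, so the same template fails in any other region (including eu-west-1, where the hard-coded instance was launched earlier). The following Python is an added example, not code from the class notes or from AWS; it transcribes the page's RegionMap and instance properties into the JSON form of the template and evaluates Ref and Fn::FindInMap the way the service does, raising a clear error for a region the map does not cover.

```python
"""Resolve Fn::FindInMap / Ref lookups from a CloudFormation Mappings section offline.

Added example, not from the class notes or from AWS. It mimics how CloudFormation
evaluates the page's `!FindInMap [RegionMap, !Ref "AWS::Region", ...]` properties
so that a region missing from the map is caught before the stack is submitted.
"""

# Constructed input: the page's RegionMap, transcribed from CFT.yaml.
MAPPINGS = {
    "RegionMap": {
        "eu-west-3": {"AMI": "ami-0f8d3c5dcfaceaa4f", "InstType": "t2.micro", "KeyName": "Ec2VM-First"},
        "eu-west-2": {"AMI": "ami-0f4f4482537714bd9", "InstType": "t3.micro", "KeyName": "AMAZON-LNX-KEY"},
    }
}

# The instance properties as written in the template, in the JSON form of the
# intrinsic functions (the YAML short forms !FindInMap / !Ref mean the same thing).
INSTANCE_PROPERTIES = {
    "InstanceType": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "InstType"]},
    "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
    "KeyName": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "KeyName"]},
}


class MappingError(KeyError):
    """Raised when a Ref or FindInMap cannot be resolved, as the stack would fail."""


def resolve(value, mappings, pseudo_params):
    """Recursively evaluate Ref (pseudo parameters only) and Fn::FindInMap."""
    if isinstance(value, dict) and len(value) == 1:
        (fn, arg), = value.items()
        if fn == "Ref":
            if arg not in pseudo_params:
                raise MappingError(f"unresolved Ref {arg!r}")
            return pseudo_params[arg]
        if fn == "Fn::FindInMap":
            map_name, top_key, second_key = (resolve(a, mappings, pseudo_params) for a in arg)
            try:
                return mappings[map_name][top_key][second_key]
            except KeyError as exc:
                raise MappingError(f"{map_name} has no entry for [{top_key}][{second_key}]") from exc
    if isinstance(value, dict):
        return {k: resolve(v, mappings, pseudo_params) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, mappings, pseudo_params) for v in value]
    return value


def render_instance(region):
    """Return the concrete EC2 properties the template would use in `region`."""
    return resolve(INSTANCE_PROPERTIES, MAPPINGS, {"AWS::Region": region})


def can_launch_in(region):
    """True when every lookup resolves for the region, False when the stack would fail."""
    try:
        render_instance(region)
        return True
    except MappingError:
        return False


def missing_regions(mappings, map_name, regions):
    """Regions from `regions` that have no row in the map (the template would fail there)."""
    return [r for r in regions if r not in mappings[map_name]]


if __name__ == "__main__":
    for region in ("eu-west-3", "eu-west-2", "eu-west-1"):
        print(region, render_instance(region) if can_launch_in(region) else "NOT IN RegionMap")
```

Adding a row to RegionMap for every region the stack is meant to run in is the fix; the check above is just a way to confirm that list before uploading the template.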
Step 19: Once the stack is deleted, all of its resources are deleted automatically.
Step 20: The instance is terminated automatically; the users, user group and all related resources are deleted.
Step 21: Now the same template is uploaded in our Paris region: upload the existing CFT.yaml file, click Next and click Submit.
It takes some time to complete, because the stack first creates the users, user groups and policies, and finally creates the EC2 instance.

Step 22: The same script creates the EC2 instance successfully in the Paris region.
Step 23: Without disturbing the existing ccit-stack-paris, one more stack, ccit-stack-vpc, is created for the VPC:

AWSTemplateFormatVersion: '2010-09-09'
Description: Creates a VPC with public and private subnets, Internet Gateway, and route tables
Resources:
  # VPC
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/22
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: MycustomVPC
  # Internet Gateway
  MyInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MyInternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref MyInternetGateway
  # Public Subnets
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.0.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: PublicSubnet1
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - Key: Name
          Value: PublicSubnet2
  PublicSubnet3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [2, !GetAZs '']
      Tags:
        - Key: Name
          Value: PublicSubnet3
  # Private Subnets
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.3.0/26
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: PrivateSubnet1
  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.3.64/26
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - Key: Name
          Value: PrivateSubnet2
  PrivateSubnet3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.3.128/26
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select [2, !GetAZs '']
      Tags:
        - Key: Name
          Value: PrivateSubnet3
  # Public Route Table and Route
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: PublicRouteTable
  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref MyInternetGateway
  # Associate Public Subnets with Route Table
  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicRouteTable
  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicRouteTable
  PublicSubnet3RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet3
      RouteTableId: !Ref PublicRouteTable
  # Private Route Table (no route to internet yet)
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: PrivateRouteTable
  # Associate Private Subnets with Private Route Table
  PrivateSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1
      RouteTableId: !Ref PrivateRouteTable
  PrivateSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet2
      RouteTableId: !Ref PrivateRouteTable
  PrivateSubnet3RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet3
      RouteTableId: !Ref PrivateRouteTable
Step 24: Completed successfully.
Two sets of subnets are created, each with one subnet in each of three availability zones, and the internet gateway is attached for the public subnets.
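Two things make a VPC stack like the one above roll back at creation time: a subnet CIDR that is not inside the VPC CIDR, and two subnets whose ranges overlap. Both can be verified offline. The following Python is an added example, not code from the class notes or from AWS; it transcribes the page's VPC and subnet CIDRs, together with the AZ index each subnet picks with "!Select [n, !GetAZs '']", and uses the standard library ipaddress module to check containment, overlap, leftover address space and per-AZ coverage. The two small negative inputs in the usage are constructed.

```python
"""Check the addressing plan of the page's VPC template before submitting the stack.

Added example, not from the class notes or from AWS. CIDRs and AZ indices are
transcribed from the template's MyVPC, PublicSubnet1-3 and PrivateSubnet1-3.
"""
import ipaddress

# Constructed input: (CIDR, index used in !Select [n, !GetAZs ''], public?) per subnet.
VPC_CIDR = "10.0.0.0/22"
SUBNETS = {
    "PublicSubnet1": ("10.0.0.0/24", 0, True),
    "PublicSubnet2": ("10.0.1.0/24", 1, True),
    "PublicSubnet3": ("10.0.2.0/24", 2, True),
    "PrivateSubnet1": ("10.0.3.0/26", 0, False),
    "PrivateSubnet2": ("10.0.3.64/26", 1, False),
    "PrivateSubnet3": ("10.0.3.128/26", 2, False),
}


def check_addressing(vpc_cidr, subnets):
    """Return a list of problems: subnets outside the VPC and pairs that overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    nets = {}
    for name, (cidr, _az, _public) in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name} {cidr} is outside VPC {vpc_cidr}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def unused_addresses(vpc_cidr, subnets):
    """Addresses of the VPC block not assigned to any subnet (room left for growth)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = sum(ipaddress.ip_network(cidr).num_addresses for cidr, _, _ in subnets.values())
    return vpc.num_addresses - used


def az_coverage(subnets):
    """Map AZ index -> set of tiers present, to confirm each AZ has a public and a private subnet."""
    cover = {}
    for _name, (_cidr, az, public) in subnets.items():
        cover.setdefault(az, set()).add("public" if public else "private")
    return cover


if __name__ == "__main__":
    print("problems:", check_addressing(VPC_CIDR, SUBNETS))
    print("unused addresses:", unused_addresses(VPC_CIDR, SUBNETS))
    print("AZ coverage:", az_coverage(SUBNETS))
```

For the page's plan the check finds no problems, 64 addresses of the /22 remain unassigned (10.0.3.192/26), and AZ indices 0, 1 and 2 each carry one public and one private subnet. The plan also assumes the target region exposes at least three availability zones to the account, since "!Select [2, !GetAZs '']" needs a third element in that list.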
One more feature: Metadata is used for a general description to aid understanding, and the Outputs block reports which resources the script generated.
# This is the Outputs block
Outputs:
  AdminUser:
    Description: "IAM Admin User created"
    Value: !Ref CCITAdminUser
  DevUser1:
    Description: "IAM Dev User 1 created"
    Value: !Ref CCITDev1User
  DevUser2:
    Description: "IAM Dev User 2 created"
    Value: !Ref CCITDev2User
  DevGroup:
    Description: "IAM Group for Dev Users"
    Value: !Ref CCITDevGroup
  ManagedPolicy:
    Description: "Customer managed policy for RDS Access"
    Value: !Ref RDSAccessPolicy
  EC2Role:
    Description: "IAM Role attached to EC2 Instance"
    Value: !Ref EC2InstanceRole
  InstanceProfile:
    Description: "IAM Instance Profile attached to EC2"
    Value: !Ref EC2InstanceProfile
  EC2InstanceId:
    Description: "Launched EC2 Instance ID"
    Value: !Ref EC2Instnace
    Export:
      Name: EC2InstanceID
  EC2PublicDNS:
    Description: "Public DNS of the EC2 instance"
    Value: !GetAtt EC2Instnace.PublicDnsName
  EC2PublicIP:
    Description: "Public IP of the EC2 instance"
    Value: !GetAtt EC2Instnace.PublicIp
Step 25: Full script CFT.yml:
AWSTemplateFormatVersion: '2010-09-09'
Mappings:
  RegionMap:
    eu-west-3:
      AMI: ami-0f8d3c5dcfaceaa4f
      InstType: t2.micro
      KeyName: Ec2VM-First
    eu-west-2:
      AMI: ami-0f4f4482537714bd9
      InstType: t3.micro
      KeyName: AMAZON-LNX-KEY
Resources:
  CCITAdminUser:
    Type: AWS::IAM::User
    Properties:
      UserName: CCITAdmin
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
  CCITDev1User:
    Type: AWS::IAM::User
    Properties:
      UserName: CCITDev1
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
  CCITDev2User:
    Type: AWS::IAM::User
    Properties:
      UserName: CCITDev2
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
  CCITDevGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: CCITDevGroup
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AWSLambda_FullAccess
        - !Ref RDSAccessPolicy
  AddUserToGroup:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref CCITDevGroup
      Users:
        - !Ref CCITDev1User
        - !Ref CCITDev2User
  RDSAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: RDSPermissions
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - "rds:*"
            Resource: "*"
  EC2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: RoleforEC2
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: EC2S3Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - "s3:*"
                Resource: "*"
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: EC2InstanceProfile
      Roles:
        - !Ref EC2InstanceRole
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !FindInMap [RegionMap, !Ref "AWS::Region", InstType]
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
      IamInstanceProfile: !Ref EC2InstanceProfile
      KeyName: !FindInMap [RegionMap, !Ref "AWS::Region", KeyName]
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/22
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: MycustomVPC
  MyInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MyInternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref MyInternetGateway
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.0.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: PublicSubnet1
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - Key: Name
          Value: PublicSubnet2
  PublicSubnet3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [2, !GetAZs '']
      Tags:
        - Key: Name
          Value: PublicSubnet3
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.3.0/26
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: PrivateSubnet1
  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.3.64/26
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - Key: Name
          Value: PrivateSubnet2
  PrivateSubnet3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.3.128/26
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select [2, !GetAZs '']
      Tags:
        - Key: Name
          Value: PrivateSubnet3
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: PublicRouteTable
  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref MyInternetGateway
  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicRouteTable
  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicRouteTable
  PublicSubnet3RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet3
      RouteTableId: !Ref PublicRouteTable
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: PrivateRouteTable
  PrivateSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1
      RouteTableId: !Ref PrivateRouteTable
  PrivateSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet2
      RouteTableId: !Ref PrivateRouteTable
  PrivateSubnet3RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet3
      RouteTableId: !Ref PrivateRouteTable
Outputs:
  AdminUser:
    Description: "IAM Admin User created"
    Value: !Ref CCITAdminUser
  DevUser1:
    Description: "IAM Dev User 1 created"
    Value: !Ref CCITDev1User
  DevUser2:
    Description: "IAM Dev User 2 created"
    Value: !Ref CCITDev2User
  DevGroup:
    Description: "IAM Group for Dev Users"
    Value: !Ref CCITDevGroup
  ManagedPolicy:
    Description: "Customer managed policy for RDS Access"
    Value: !Ref RDSAccessPolicy
  EC2Role:
    Description: "IAM Role attached to EC2 Instance"
    Value: !Ref EC2InstanceRole
  InstanceProfile:
    Description: "IAM Instance Profile attached to EC2"
    Value: !Ref EC2InstanceProfile
  EC2InstanceId:
    Description: "Launched EC2 Instance ID"
    Value: !Ref EC2Instance
    Export:
      Name: EC2InstanceID
Step 26: Upload the file, click Save and click Submit; the stack completes successfully.
Step 27: The screenshot below shows the Outputs block of the CloudFormation stack.
CloudFormation is faster than Terraform.
Using CloudFormation with Git
https://github.com/Vakatisubbu/ec2-cloudform.git
Step 1: Create a new public repository in GitHub, ec2-cloudform.
Upload the CFT.yaml file to Git and commit the changes.
Step 2: Create stack > choose "Sync from Git" > click Next.
Step 3: Give any name, e.g. ccit-git-stack, choose the option and click "Add connection".
Step 4: Give any connection name, e.g. gitconnectionsubbu, and click "Connect to GitHub".
Step 5: Click "Install a new app".
Step 6: Install, authorize and grant permissions.
Step 7: After the GitHub authorization the number is populated automatically; click Connect.
Step 8: The Git connection is created through the Developer Tools. Click "Trigger a release"; it will build automatically on each commit to the GitHub repository.
Step 9: Choose the CodePipeline option below, then click Next.

Step 10: Create the source connection from which the code is pulled (option below), then click Next.
Step 11: Give the stack name and the name of the YAML file that is in the Git repository. The following policy grants use of the Git connection:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessGitRepos",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:UseConnection",
        "codeconnections:UseConnection"
      ],
      "Resource": [
        "arn:aws:codestar-connections:*:*:connection/*",
        "arn:aws:codeconnections:*:*:connection/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    }
  ]
}
Step 12: Click "Create pipeline from template".
The source codepipelinetemplate is created successfully.
Step 13: The source is connected, but the deployment failed due to a permission issue.
Step 14: The error clearly shows the role permission issue: Resource handler returned message: "User: arn:aws:sts::216989104632:assumed-role/CodePipelineStarterTemplate-Depl-CloudFormationRole-Qgt6LbG4vO0A/AWSCloudFormation is not authorized to perform: iam:ListAccessKeys on resource: user CCITAdmin because no identity-based policy allows the iam:ListAccessKeys action (Service: Iam, Status Code: 403, Request ID: ff160699-0364-49a9-bc97-0c8935571f4d) (SDK Attempt Count: 1)" (RequestToken: bc9dabd3-1b27-2e4d-0b72-0ac04c39232a, HandlerErrorCode: AccessDenied)
Step 15: Check this role in
Step 16: Click the role; administrator permission was added. You can give single permissions instead (IAM permissions, EC2 creation, etc.); I have given AdministratorAccess one time.
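The AccessDenied message in Step 14 names three things a practitioner needs in order to grant the pipeline's CloudFormation role only what it is missing: the role that was denied, the action (iam:ListAccessKeys) and the resource (user CCITAdmin). The following Python is an added example, not code from the class notes or from AWS; it parses that message format with a regular expression and turns one or more such denials into a single scoped Allow statement. The sample input is the page's own error text, the IAM ARN format for users and groups is the standard one, and the parser is this example's own, not an AWS API.

```python
"""Turn CloudFormation AccessDenied messages into a scoped IAM policy statement.

Added example, not from the class notes or from AWS. The sample message is the one
quoted in Step 14; the regular expression and the statement builder are this
example's own.
"""
import json
import re

# Constructed input: the Step 14 error text as CloudFormation reports it.
SAMPLE_ERROR = (
    'Resource handler returned message: "User: arn:aws:sts::216989104632:assumed-role/'
    'CodePipelineStarterTemplate-Depl-CloudFormationRole-Qgt6LbG4vO0A/AWSCloudFormation '
    'is not authorized to perform: iam:ListAccessKeys on resource: user CCITAdmin '
    'because no identity-based policy allows the iam:ListAccessKeys action '
    '(Service: Iam, Status Code: 403, Request ID: ff160699-0364-49a9-bc97-0c8935571f4d)"'
)

# Matches the "User: <assumed-role ARN> is not authorized to perform: <action> on
# resource: <resource> because no identity-based policy allows" wording.
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/[^ ]+) "
    r"is not authorized to perform: (?P<action>[a-zA-Z0-9-]+:[A-Za-z0-9*]+) "
    r"on resource: (?P<resource>.+?) because no identity-based policy allows"
)


def parse_denial(message):
    """Return {principal, account, role, action, resource} or None if the text does not match."""
    match = DENIED_RE.search(message)
    return match.groupdict() if match else None


def iam_resource_arn(account, resource_text):
    """Map the 'user CCITAdmin' wording to an IAM ARN; other resource texts are kept verbatim."""
    kind, _, name = resource_text.partition(" ")
    if kind in ("user", "group", "role", "policy") and name:
        return f"arn:aws:iam::{account}:{kind}/{name}"
    return resource_text


def build_statement(denials):
    """Collapse parsed denials into one Allow statement limited to the actions and resources seen."""
    actions = sorted({d["action"] for d in denials})
    resources = sorted({iam_resource_arn(d["account"], d["resource"]) for d in denials})
    return {"Effect": "Allow", "Action": actions, "Resource": resources}


def statement_from_messages(messages):
    """Parse every message that matches and build the statement; unmatched text is ignored."""
    denials = [d for d in (parse_denial(m) for m in messages) if d]
    return build_statement(denials) if denials else None


if __name__ == "__main__":
    denial = parse_denial(SAMPLE_ERROR)
    print("denied role:", denial["role"])
    print(json.dumps(build_statement([denial]), indent=2))
```

Each retry of the pipeline can surface the next missing action in the same format, so the messages from several failed attempts are fed to statement_from_messages together and the resulting statement is attached to the CloudFormation role instead of a blanket policy.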
Step 17: Delete the existing stack. Sometimes it will not delete smoothly because some of the users were already created; if the delete fails, retry the delete and select force delete.
Step 18: Click the retry option, or else commit a change to Git and it will trigger automatically.
Step 19: Click "Retry stage", or make some test change in Git and commit it.
Changed Ec2Instanceprofile to Ec2Instanceprofile1.
The deployment is triggered automatically; creation is in progress.
Step 20: The stack completed successfully and the CodePipeline also completed.
Step 21: The screenshots below show the EC2 instance, the users, and the VPC with public and private subnets and the internet gateway, all created successfully from a single script.
Step 22: After completion, delete the stack: click Delete, and once deleted, all resources created by CloudFormation are deleted automatically.
--Thanks