The Order of Resource Creations on AWS CloudFormation

  • by Emre Yilmaz
  • Feb 4, 2019
  • AWS, DevOps
  • Istanbul

In an AWS CloudFormation template, you can define resources that are independent of each other, or resources that are implicitly dependent, in other words, that reference other resources. For instance, you can define an EC2 instance and a security group, and then choose whether or not to attach the security group to the instance. AWS CloudFormation orders the creation of the resources differently in these two cases.

In addition, you might have another resource in the same template, such as an Amazon SNS topic, which you want to provision after your EC2 instance is created. In that case, you may have an explicit dependency between them.

In this blog post, I will talk about how AWS CloudFormation handles the order of creation for independent or implicitly dependent resources. I will also explain how you can add your own dependencies in a template.


UPDATE: Our new Udemy course AWS CloudFormation Step By Step: Beginner to Intermediate is live! If you are interested, you can read my blog post about it to learn more or join us with up to 90% discount using the coupon below.

Click here to redeem your coupon!


When the Resources are Independent

Let’s start with the first scenario. Imagine that you have an EC2 instance and a security group, but you don’t attach the security group to your EC2 instance. Then, your CloudFormation template might look something like the one below. In this example, I use the Frankfurt region.

AWSTemplateFormatVersion: 2010-09-09
Description: Template for the blog post about order of resource creations.
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0eaec5838478eb0ba
      InstanceType: t2.micro
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for the blog post
      SecurityGroupIngress:
        -
          IpProtocol: "tcp"
          FromPort: 80
          ToPort: 80
          CidrIp: "0.0.0.0/0"

When you create a new stack from this template, AWS CloudFormation starts creating both of the resources in parallel. You can view this on the Events tab of the stack details page in the AWS Management Console, as below.

Independent resource creations on AWS CloudFormation

As you see, the timestamp values of the initial CREATE_IN_PROGRESS status events for the EC2Instance and SecurityGroup resources are the same. This means that the creation requests for these resources are sent at the same time. However, as we see in the following events, the actual times when the creations start and complete might differ, because these depend on how fast each resource is created. So, we can say that the creation starts in parallel and executes almost in parallel.

If you delete this stack, AWS CloudFormation starts the deletion of these resources in parallel, too, because the resources are independent.

Independent resource deletions on AWS CloudFormation

When the Resources Have an Implicit Dependency

If you attach the security group to the EC2 instance using the SecurityGroupIds property, you create an implicit dependency between the resources. Then your template may become something like the one below:

AWSTemplateFormatVersion: 2010-09-09
Description: Template for the blog post about order of resource creations.
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0eaec5838478eb0ba
      InstanceType: t2.micro
      SecurityGroupIds:
        -
          Ref: SecurityGroup
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for the blog post
      SecurityGroupIngress:
        -
          IpProtocol: "tcp"
          FromPort: 80
          ToPort: 80
          CidrIp: "0.0.0.0/0"

If you launch a new stack from this template, AWS CloudFormation handles the order differently. You can see the order of resource creation on the Events tab of the stack details page, as below.

Resource creations on AWS CloudFormation when there is an implicit dependency.

As you see, this time AWS CloudFormation started the creation of the EC2 instance only after the security group status became CREATE_COMPLETE. The Ref function ensured this: CloudFormation has to wait until Ref can return a valid physical id for the security group. Simply put, to be able to attach a security group during EC2 instance creation, that security group must already exist. If you don’t have a security group, you have nothing to attach.

When you delete the stack, AWS CloudFormation deletes the resources in reverse order. First, it deletes the referencing resources, and then the referenced ones.

Resource deletions on AWS CloudFormation when there is an implicit dependency.

How to Define an Explicit Dependency

What if you don’t use an intrinsic function like Ref between resources, but would still like to create one resource after another? Actually, a common example of this scenario is to make an EC2 instance wait for a database resource such as an Amazon RDS instance or a DynamoDB table. However, let’s continue with our previous example. What if you have an Amazon SNS topic and, for some reason, you would like to create it after the EC2 instance?

The answer is to use the DependsOn attribute when you define the new SNS topic:

AWSTemplateFormatVersion: 2010-09-09
Description: Template for the blog post about order of resource creations.
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0eaec5838478eb0ba
      InstanceType: t2.micro
      SecurityGroupIds:
        -
          Ref: SecurityGroup
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for the blog post
      SecurityGroupIngress:
        -
          IpProtocol: "tcp"
          FromPort: 80
          ToPort: 80
          CidrIp: "0.0.0.0/0"
  SNSTopic:
    Type: AWS::SNS::Topic
    DependsOn: EC2Instance

DependsOn is an attribute common to all resource types. Its value can be either a single logical id or a list of logical ids of resources in the same template that the resource should wait for. So, in our template, the SNSTopic resource waits for the EC2Instance resource. Please note that you should never put an intrinsic function like Ref in front of the logical ids. You should provide only the logical id.

When you launch the stack, the events list looks like this:

Resource creations on AWS CloudFormation when there is an explicit dependency with DependsOn.

As you see, SNSTopic waited for the EC2Instance resource because of the explicit dependency defined using DependsOn. Besides, EC2Instance also waited for the SecurityGroup resource, as we didn’t remove the implicit dependency between them.

When you delete the stack, AWS CloudFormation again deletes the resources in reverse order. It deletes the SNSTopic resource first, as it was the one created last. Then, it continues with the deletion of the EC2 instance and finally the security group.

Resource deletions on AWS CloudFormation when there is an explicit dependency with DependsOn.
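
The ordering rules described in this post, as an added example that is not part of the original post and not CloudFormation's own code: it derives implicit dependencies from Ref and Fn::GetAtt, adds DependsOn, rejects DependsOn entries that are not bare logical ids, and groups resources into creation waves. Assumptions: the template is the post's final one rewritten as JSON with trimmed properties, the function names are hypothetical, Fn::Sub references are not handled, and "waves" are a simplification (CloudFormation starts a resource as soon as its own dependencies complete).

```python
import json

# Constructed sample: the post's final template as JSON, properties trimmed.
TEMPLATE = json.loads("""{"Resources": {
  "EC2Instance": {"Type": "AWS::EC2::Instance",
                  "Properties": {"SecurityGroupIds": [{"Ref": "SecurityGroup"}]}},
  "SecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"GroupDescription": "Security group for the blog post"}},
  "SNSTopic": {"Type": "AWS::SNS::Topic", "DependsOn": "EC2Instance"}
}}""")

def find_refs(node):
    """Yield logical ids named by Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                yield value
            elif key == "Fn::GetAtt":
                yield value[0] if isinstance(value, list) else value.split(".")[0]
            else:
                yield from find_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_refs(item)

def dependencies(template):
    """Map each logical id to the resources it waits for (implicit + DependsOn)."""
    resources, deps = template["Resources"], {}
    for name, body in resources.items():
        explicit = body.get("DependsOn", [])
        explicit = [explicit] if isinstance(explicit, str) else list(explicit)
        for target in explicit:  # DependsOn takes bare logical ids, never {"Ref": ...}
            if not isinstance(target, str) or target not in resources:
                raise ValueError(f"{name}: bad DependsOn entry {target!r}")
        # A Ref to a parameter or pseudo parameter is not a resource dependency.
        implicit = {r for r in find_refs(body.get("Properties", {})) if r in resources}
        deps[name] = implicit | set(explicit)
    return deps

def creation_waves(template):
    """Group resources into waves; a wave starts once earlier waves are complete."""
    deps, done, waves = dependencies(template), set(), []
    while len(done) < len(deps):
        ready = sorted(n for n, d in deps.items() if n not in done and d <= done)
        if not ready:
            raise ValueError("circular dependency between resources")
        waves.append(ready)
        done.update(ready)
    return waves
```

Calling creation_waves(TEMPLATE) gives the creation order seen in the events list, and reversing the result gives the deletion order.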

Conclusion

To sum up, AWS CloudFormation aims to create and delete resources in parallel as much as possible. But, if there is an implicit dependency because of an intrinsic function such as Ref, it creates the referenced resource first. In addition, you can define your own dependencies in a template using the DependsOn resource attribute.

By the way, currently, I am preparing online courses for AWS CloudFormation and will be demonstrating something similar to this in one of the lectures as a screencast. It will be a series of two courses, actually. The first one which is in progress will take the student from beginner to intermediate level on AWS CloudFormation. After finishing this course, the student will be able to write his/her own templates, create stacks from them, define parameters, outputs, conditions. It will include some AWS CLI features, as well. I am planning it to be a base for the second course.

On the other hand, the second course will target intermediate level users of AWS CloudFormation. It will cover more advanced level concepts such as nested stacks, cross-stack references, helper scripts, stack policies, resource policies, and some troubleshooting.

Building an online course is a tricky job; but, I hope these courses will help more people learn AWS CloudFormation and adopt it in their daily provisioning operations.

Also, I will share coupons in this blog when these courses are ready.

Thanks for reading!



Freelance AWS Consultant, Instructor

CEO @ Shikisoft
