The Order of Resource Creations on AWS CloudFormation

In an AWS CloudFormation template, you define resources that are either independent or implicitly dependent, that is, they reference other resources. For instance, you can define an Amazon EC2 instance and a security group. Then, you might choose to attach the security group to the EC2 instance or not. In these two cases, AWS CloudFormation orders the resource creations differently.

In addition, you might have another resource, such as an Amazon SNS topic in the same template, which you might want to provision after your EC2 instance is created. Maybe you have an explicit dependency between them.

In this blog post, I will talk about how AWS CloudFormation handles the order of creation for independent or implicitly dependent resources. I will also explain how to add your custom dependencies in a template.

When the Resources are Independent

Let’s start with the first scenario. Imagine that you have an EC2 instance and a security group, but you don’t attach the security group to your EC2 instance. Your CloudFormation template might then look like the one below. In this example, I use the Frankfurt region.

AWSTemplateFormatVersion: 2010-09-09
Description: Template for the blog post about order of resource creations.
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0eaec5838478eb0ba
      InstanceType: t2.micro
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for the blog post
      SecurityGroupIngress:
        -
          IpProtocol: "tcp"
          FromPort: 80
          ToPort: 80
          CidrIp: "0.0.0.0/0"

When you create a new stack from this template, AWS CloudFormation starts creating both resources in parallel. You can see this on the events tab of the stack details page in the AWS Management Console, as below.

Independent resource creations on AWS CloudFormation

As you see, the timestamps of the initial CREATE_IN_PROGRESS status events for the EC2Instance and SecurityGroup resources are identical. This means that the creation requests for both resources are sent at this time. However, as we see in the following events, the actual times when the creations start and complete might differ, because these depend on how fast each resource is created. So, we can say that the creations start in parallel and execute almost in parallel.

If you delete this stack, AWS CloudFormation starts deletions of these resources in parallel, too, because the resources are independent.

Independent resource deletions on AWS CloudFormation

When the Resources Have an Implicit Dependency

If you attach the security group to the EC2 instance using the SecurityGroupIds property, you create an implicit dependency between resources. Then your template may become something like below:

AWSTemplateFormatVersion: 2010-09-09
Description: Template for the blog post about order of resource creations.
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0eaec5838478eb0ba
      InstanceType: t2.micro
      SecurityGroupIds:
        -
          Ref: SecurityGroup
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for the blog post
      SecurityGroupIngress:
        -
          IpProtocol: "tcp"
          FromPort: 80
          ToPort: 80
          CidrIp: "0.0.0.0/0"

If you launch a new stack from this template, AWS CloudFormation handles the order differently. You can see the order of resource creation when you look at the events tab on the stack details page as below.

Resource creations on AWS CloudFormation when there is an implicit dependency

As you see, this time AWS CloudFormation started the creation of the EC2 instance only after the security group’s status became CREATE_COMPLETE. Here, the Ref function ensured this before returning a valid physical ID for the security group. To attach a security group during the EC2 instance creation, that security group has to exist beforehand. You have nothing to attach if you don’t have a security group, right?

Besides, AWS CloudFormation deletes the resources in reverse order if you delete the stack. It starts with deleting the referencing resources and then continues with the deletions of the referenced ones.

Resource deletions on AWS CloudFormation when there is an implicit dependency

How to Define an Explicit Dependency

What if you don’t use an intrinsic function like Ref between resources, but you would still like to create one resource after another? A typical example of this scenario is making an EC2 instance wait for a database resource, such as an Amazon RDS instance or a DynamoDB table. However, let’s continue with our previous example. What if you have an Amazon SNS topic, and for some reason, you would like to create it after the EC2 instance?

The answer is using the DependsOn attribute when you define the new SNS topic:

AWSTemplateFormatVersion: 2010-09-09
Description: Template for the blog post about order of resource creations.
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0eaec5838478eb0ba
      InstanceType: t2.micro
      SecurityGroupIds:
        -
          Ref: SecurityGroup
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for the blog post
      SecurityGroupIngress:
        -
          IpProtocol: "tcp"
          FromPort: 80
          ToPort: 80
          CidrIp: "0.0.0.0/0"
  SNSTopic:
    Type: AWS::SNS::Topic
    DependsOn: EC2Instance

DependsOn is a common attribute for all resource types, and its value can be either a single logical ID of a resource or a list of logical IDs of the resources in the same template that it should wait for. So, in our template, the SNSTopic resource waits for the EC2Instance resource. Please note that you should only provide the logical ID here; you should not use the intrinsic Ref function before it.

When you launch the stack, the events list becomes like this:

Resource creations on AWS CloudFormation when there is an explicit dependency with DependsOn

As you see, SNSTopic waited for the EC2Instance resource because of the explicit dependency we defined using the DependsOn attribute. Besides, the EC2Instance resource waited for the SecurityGroup resource as we didn’t remove the implicit dependency between them.

In addition, if you delete the stack, AWS CloudFormation orders the deletion of resources in reverse order. It deletes the SNSTopic resource first as it was the one created last. Then, it continues with the deletion of the EC2 instance and finally with the security group.

Resource deletions on AWS CloudFormation when there is an explicit dependency with DependsOn

Conclusion

To sum up, AWS CloudFormation aims to create and delete resources in parallel as much as possible. But, if there is an implicit dependency because of an intrinsic function such as Ref, it creates the referenced resource first. In addition, you can define your custom dependencies in a template using the DependsOn resource attribute.

Thanks for reading.

Emre Yilmaz

AWS Consultant • Instructor • Founder @ Shikisoft
