In an AWS CloudFormation template, you can define independent resources or resources that are implicitly dependent, in other words, resources that reference other resources. For instance, you can define an EC2 instance and a security group. Then, you might choose to attach the security group to the instance or not. In these two cases, AWS CloudFormation organizes the order of the creation of resources differently.
In addition, you might have another resource, such as an Amazon SNS topic, in the same template which you might want to provision after your EC2 instance is created. Maybe you have an explicit dependency between them.
In this blog post, I will talk about how AWS CloudFormation handles the order of creation for independent or implicitly dependent resources. I will also explain how you can add your own dependencies in a template.
When the Resources are Independent
Let’s start with the first scenario. Please imagine that you have an EC2 instance and a security group. But, you don’t attach the security group to your EC2 instance. Then, your CloudFormation template might be something like below. In this example, I use the Frankfurt region.
When you create a new stack from this template, AWS CloudFormation starts creating both of the resources in parallel. You can view this on the events tab on stack details page on AWS Management Console as below.
As you see, the timestamp values for both of the initial CREATE_IN_PROGRESS status events for the EC2Instance and SecurityGroup resources are the same. This means that the requests for creation of these resources are sent at this time. However, as we see in the following events, the actual times when the creations start and complete might differ, because these depend on how fast a resource is created. So, we can say that the creation starts in parallel and executes almost in parallel.
If you delete this stack, AWS CloudFormation starts the deletion of these resources in parallel, too, because the resources are independent.
When the Resources Have an Implicit Dependency
If you attach the security group to the EC2 instance using the SecurityGroupIds property, you create an implicit dependency between resources. Then your template may become something like below:
If you launch a new stack from this template, AWS CloudFormation handles the order differently. You can see the order of resource creation when you look at the events tab at stack details page as below.
As you see, this time AWS CloudFormation started the creation of the EC2 instance after the security group status became
Ref function ensured this, before returning a valid physical id for the security group. Simply, to be able to attach a security group during EC2 instance creation; first of all, that security group should exist. If you don’t have a security group, you have nothing to attach.
When you delete the stack, AWS CloudFormation deletes the resources in reverse order. Firstly, it starts deleting the referencing resources and then the referenced ones.
How to Define an Explicit Dependency
What if you don’t use an intrinsic function between resources like Ref and you would like to create a resource after another? Actually, a common example of this scenario is to make an EC2 instance wait for a database resource such as an Amazon RDS instance or a DynamoDB table. However, let’s continue with our previous example. What if you have an Amazon SNS topic and for some reason, you would like to create it after the EC2 instance?
The answer is using the DependsOn attribute when you define the new SNS topic:
DependsOn is a common attribute for all resource types and its value can be either a single logical id of a resource or a list of logical ids of the resources in the same template that it should wait for. So, in our template, SNSTopic resource waits for EC2Instance resource. Please note that you should never use an intrinsic function like Ref in front of logical ids. You should provide only the logical id.
When you launch the stack, the events list becomes like this:
As you see, SNSTopic waited for EC2Instance resource because of the explicit dependency defined using DependsOn. Besides, EC2Instance also waited for SecurityGroup resource as we didn’t remove the implicit dependency between them.
When you delete the stack, again AWS CloudFormation orders the deletion of resources in reverse order. It deletes the SNSTopic resource first as it was the one created last. Then, it continues with the deletion of the EC2 instance and finally with the security group.
To sum up, AWS CloudFormation aims to create and delete resources in parallel as much as possible. But, if there is an implicit dependency because of an intrinsic function such as Ref, it creates the referenced resource first. In addition, you can define your own dependencies in a template using the DependsOn resource attribute.
By the way, currently, I am preparing online courses for AWS CloudFormation and will be demonstrating something similar to this in one of the lectures as a screencast. It will be a series of two courses, actually. The first one which is in progress will take the student from beginner to intermediate level on AWS CloudFormation. After finishing this course, the student will be able to write his/her own templates, create stacks from them, define parameters, outputs, conditions. It will include some AWS CLI features, as well. I am planning it to be a base for the second course.
On the other hand, the second course will target intermediate level users of AWS CloudFormation. It will cover more advanced level concepts such as nested stacks, cross-stack references, helper scripts, stack policies, resource policies, and some troubleshooting.
Building an online course is a tricky job; but, I hope these courses will help more people learn AWS CloudFormation and adopt it in their daily provisioning operations.
Also, I will share coupons in this blog when these courses are ready.
Thanks for reading!