
Updating Infrastructure as Code (IaC) Templates: AWS SAM & CloudFormation

Update existing IaC templates (for example, AWS SAM templates, CloudFormation templates)


This study guide focuses on the critical skill of modifying and evolving existing cloud infrastructure using AWS CloudFormation and the AWS Serverless Application Model (SAM). Managing updates effectively ensures environment consistency and minimizes downtime during the deployment lifecycle.

Learning Objectives

After studying this guide, you should be able to:

  • Identify the differences between Update-in-Place and Replacement behaviors in CloudFormation.
  • Utilize Change Sets to preview the impact of template modifications before execution.
  • Update AWS SAM templates to modify Lambda functions, APIs, and event sources.
  • Manage environment-specific configurations using Parameters and Mappings.
  • Perform safe rollbacks and handle update failures within a CI/CD pipeline.

Key Terms & Glossary

  • IaC (Infrastructure as Code): The process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
  • Change Set: A preview of the changes CloudFormation will make to your stack, allowing you to see which resources will be created, updated, or deleted.
  • Drift Detection: A feature that identifies whether a stack's actual configuration has diverged from its expected template configuration due to manual changes.
  • Intrinsic Function: Special functions (e.g., Ref, Fn::GetAtt) used in templates to assign values to properties that are not available until runtime.
  • SAM Transform: A macro (declared as Transform: AWS::Serverless-2016-10-31) that converts SAM syntax into standard CloudFormation syntax during deployment.

The "Big Idea"

In a modern DevOps environment, the infrastructure is treated with the same rigor as application code. Updating IaC templates allows teams to evolve their architecture—adding capacity, tightening security, or deploying new features—while maintaining a "source of truth." By updating the template instead of the live resources, you ensure that every environment (Dev, Test, Prod) remains synchronized and reproducible.

Formula / Concept Box

CloudFormation Update Behaviors

| Update Type | Impact | Example Resource Property |
| --- | --- | --- |
| Update with No Interruption | Resource updated without any downtime. | Changing an S3 Bucket's VersioningConfiguration. |
| Updates with Some Interruption | Resource remains, but service may be briefly unavailable. | Changing an EC2 InstanceType. |
| Replacement | The old resource is deleted and a new one is created. | Changing the DBInstanceIdentifier of an RDS instance. |

[!WARNING] Always check the AWS Resource Property reference. If an update requires Replacement, the Physical ID of the resource will change, and any data not backed up or stored externally may be lost.
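
The Replacement check in the warning above can be enforced from a Change Set before it is executed. The following is an added example, not part of the original guide: it parses data shaped like the output of `aws cloudformation describe-change-set` and lists stateful resources that would be deleted or replaced. The sample data, the `STATEFUL_TYPES` list and the function names are assumptions made for illustration.

```python
import json

# Types whose replacement or removal loses stored data (illustrative assumption).
STATEFUL_TYPES = {"AWS::RDS::DBInstance", "AWS::S3::Bucket", "AWS::DynamoDB::Table"}
VERDICTS = {"True": "replace", "Conditional": "maybe-replace"}

# Constructed sample in the shape returned by `aws cloudformation describe-change-set`.
SAMPLE = json.loads("""
{"Changes": [
 {"Type": "Resource", "ResourceChange": {"Action": "Modify", "Replacement": "False",
  "LogicalResourceId": "AppBucket", "ResourceType": "AWS::S3::Bucket", "Details": [
  {"Target": {"Name": "VersioningConfiguration", "RequiresRecreation": "Never"}}]}},
 {"Type": "Resource", "ResourceChange": {"Action": "Modify", "Replacement": "False",
  "LogicalResourceId": "MyFunction", "ResourceType": "AWS::Lambda::Function", "Details": [
  {"Target": {"Name": "MemorySize", "RequiresRecreation": "Never"}}]}},
 {"Type": "Resource", "ResourceChange": {"Action": "Modify", "Replacement": "True",
  "LogicalResourceId": "Database", "ResourceType": "AWS::RDS::DBInstance", "Details": [
  {"Target": {"Name": "DBInstanceIdentifier", "RequiresRecreation": "Always"}}]}},
 {"Type": "Resource", "ResourceChange": {"Action": "Remove",
  "LogicalResourceId": "OldTable", "ResourceType": "AWS::DynamoDB::Table", "Details": []}}
]}
""")

def review(change_set):
    """One finding per resource change: id, type, verdict, properties forcing recreation."""
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange")
        if not rc:  # skip entries that are not resource changes
            continue
        if rc["Action"] == "Remove":
            verdict = "delete"
        else:  # Replacement is only reported for Modify actions
            verdict = VERDICTS.get(rc.get("Replacement"), "in-place")
        targets = [d.get("Target", {}) for d in rc.get("Details", [])]
        triggers = sorted({t["Name"] for t in targets if "Name" in t
                           and t.get("RequiresRecreation") in ("Always", "Conditionally")})
        findings.append({"id": rc["LogicalResourceId"], "type": rc["ResourceType"],
                         "verdict": verdict, "triggers": triggers})
    return findings

def blocking(change_set, stateful=STATEFUL_TYPES):
    """Logical IDs of stateful resources that would be deleted or possibly replaced."""
    return [f["id"] for f in review(change_set)
            if f["verdict"] != "in-place" and f["type"] in stateful]

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE), indent=2))
    raise SystemExit(1 if blocking(SAMPLE) else 0)  # non-zero exit stops a pipeline
```

Run as a pipeline step between creating and executing the Change Set, a non-zero exit holds the update until someone confirms that the affected data is backed up.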

Hierarchical Outline

  1. CloudFormation Update Workflow
    • Template Modification: Editing the JSON/YAML source code.
    • Change Set Creation: Generating a summary of proposed actions.
    • Execution: Applying the Change Set to the stack.
  2. AWS SAM Specific Updates
    • Template.yaml: Modifying AWS::Serverless resource types.
    • SAM CLI (sam deploy): Automating the update process and managing the S3 deployment bucket.
  3. Advanced Update Techniques
    • Parameters & Mappings: Using !Ref and !FindInMap to change values across environments without changing logic.
    • Stack Sets: Updating templates across multiple AWS accounts and regions simultaneously.
  4. Handling Failures
    • Rollback Configuration: Automatically returning to the last known stable state on error.
    • Termination Protection: Preventing accidental deletion of critical stacks during updates.

Visual Anchors

The Change Set Workflow

[Diagram: the Change Set workflow]

Infrastructure Layering

This TikZ diagram visualizes how a template update interacts with the stack layers.

```latex
\begin{tikzpicture}[node distance=1.5cm, every node/.style={fill=white, font=\footnotesize}]
  % Layers
  \draw[thick, fill=blue!10] (0,0) rectangle (6,1) node[midway] {Resources (EC2, S3, RDS)};
  \draw[thick, fill=green!10] (0,1.2) rectangle (6,2.2) node[midway] {Stack Logic (Mappings, Outputs)};
  \draw[thick, fill=orange!10] (0,2.4) rectangle (6,3.4) node[midway] {Input Parameters (InstanceType, Env)};
  % Update Arrow
  \draw[->, ultra thick, red] (7, 3.4) -- (7, 0) node[midway, right] {Update Propagation};
  \node[align=left] at (3, 4) {\textbf{CloudFormation Stack Structure}};
\end{tikzpicture}
```

Definition-Example Pairs

  • Parameter: A way to pass custom values to your template at runtime.
    • Example: Defining an InstanceType parameter so you can use t3.micro in Dev and m5.large in Prod using the same template.
  • Mapping: A look-up table within the template to provide values based on a key.
    • Example: A map that provides different AMI IDs for the us-east-1 and eu-west-1 regions.
  • Update Policy: Defines how CloudFormation handles updates for specific resources, like an Auto Scaling Group.
    • Example: Using AutoScalingRollingUpdate to ensure a minimum number of instances remain online while the group is being updated.

Worked Examples

Scenario 1: Updating a SAM Lambda Function

Goal: Update an existing AWS SAM template to increase the memory of a Lambda function and add an environment variable.

Original Template snippet:

```yaml
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: index.handler
    Runtime: nodejs18.x
```

Updated Template snippet:

```yaml
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: index.handler
    Runtime: nodejs18.x
    MemorySize: 512  # Added property
    Environment:
      Variables:
        STAGE: !Ref StageName  # Added dynamic reference
```

Steps to execute:

  1. Save the changes to template.yaml.
  2. Run sam build to prepare the artifacts.
  3. Run sam deploy to create a Change Set and update the CloudFormation stack.

Scenario 2: Adding a Parameter to CloudFormation

Goal: Make the S3 bucket name configurable instead of hardcoded.

Change:

  1. Add a Parameters section.
  2. Use !Ref in the Resources section.

```yaml
Parameters:
  AppBucketName:
    Type: String
    Default: my-default-app-bucket
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref AppBucketName
```

Checkpoint Questions

  1. What is the main benefit of using a Change Set before updating a production stack?
  2. If you change the AllocatedStorage of an Amazon RDS instance in a CloudFormation template, does it result in a replacement of the instance?
  3. Which command is used in the SAM CLI to synchronize local template changes with the AWS cloud environment?
  4. How does CloudFormation behave if one resource fails to update during a multi-resource stack update?
  5. True/False: You can use !Ref to refer to a value defined in the Mappings section of a template.
