Using CloudFormation Nested Change Sets

Every year, just in time for re:invent, AWS announces a plethora of upgrades to the services in the AWS ecosphere. This year is no different, even though re:invent will be completely virtual.

For anyone using CloudFormation and nested stacks, one of the major frustrations has been the inability to see what changes are being applied to the nested stacks when doing a stack update. In case you missed it, on November 18, 2020, AWS released a change to CloudFormation allowing users to see the changesets being applied to the nested stacks.

A nested stack is when one CloudFormation stack has another stack as a resource. Consider this fragment:

Parameters:
  VpcId:
    # select the VPC the stack is being deployed in.
    Type: AWS::EC2::VPC::Id
    Description: Select the VPC
  BucketName:
    Type: String

Resources:
  ClusterA:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: clusterA
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
  CloudwatchExportsBucket:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://bucket.s3.amazonaws.com/template.yaml
      Parameters:
        BucketName: !Ref BucketName

This fragment creates the ECS Cluster resource named ClusterA, and then declares a second resource, CloudwatchExportsBucket, of type AWS::CloudFormation::Stack; that resource is the nested stack, and it receives the BucketName parameter from the parent. The nested stack template must exist in an S3 bucket accessible to CloudFormation. Assuming the templates are deployed to an S3 bucket, we can use either the CloudFormation console or the AWS CLI to create the stack and its resources.

aws cloudformation create-stack --stack-name my-sample-changeset --template-url https://labr-cfn.s3.amazonaws.com/parent.yaml --parameters "ParameterKey=BucketName,ParameterValue=my-sample-changset"
{
"StackId": "arn:aws:cloudformation:us-east-1:548985610555:stack/my-sample-changeset/dea1ea90-319a-11eb-a380-0e2470ba0d5b"
}

We can use the console to verify the stack:

Verifying the stack creation

With the resources created, what happens when we want to apply a change to those resources?

To illustrate using the changeset, let’s change the name of our S3 bucket.

Changing the S3 bucket name

As we progress through the update process in the console, we get to the last page where we can review the changes being applied. We are interested in the Changeset Preview section.

Viewing the root changeset.

Prior to November 18, 2020, the changeset preview would list only the stack name. The link to “View nested stack changeset” did not exist. To see the changes being applied to our nested stack, click on the link.

Viewing the nested changeset.

We can see the changes being applied to our nested stack. We cannot execute the changeset from this view; a warning at the top of the page indicates that the changeset can only be executed or deleted from the root changeset.

Applying a nested change set only at the root.

Click to return to the root changeset, and then execute the changeset. At this point, the view changes back to the parent stack events.

Monitoring the stack update.

From this view, we can continue to monitor the progress of our update as normal.

This is a very nice addition to CloudFormation as the changes being applied to the nested stacks may not be what we expect, especially in complex stacks. By reviewing the changes being applied to our nested stacks, we can choose to not deploy the change should there be an impact we are not expecting.

It would be nice to see all of the changes in the single view, instead of having to navigate through each nested changeset, but this is a good start.
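The single view the post asks for can be assembled from the API today: create the change set with `aws cloudformation create-change-set ... --include-nested-stacks`, then walk the tree that `describe-change-set` returns, where each AWS::CloudFormation::Stack resource change carries the ChangeSetId of its nested change set. The script below is an added example, not code from the original post. It assumes the DescribeChangeSet field names (Changes[].ResourceChange with Action, LogicalResourceId, ResourceType, Replacement and ChangeSetId); the sample responses and the `fetch` hook are constructed so the script runs offline, and in real use `fetch` would wrap boto3's `describe_change_set`. It also flags the changes a reviewer most wants surfaced before executing from the root: resource removals and replacements hidden inside a nested stack.

```python
"""Flatten a CloudFormation change set tree (root plus nested) into one view.

Added example, not the post's own code. Field names follow the
DescribeChangeSet API; the sample data below is constructed.
"""
from typing import Callable, Dict, List, Optional, Set

# Constructed sample responses, shaped like DescribeChangeSet output.
# The ARNs are placeholders, not real change set identifiers.
ROOT_ID = "arn:aws:cloudformation:us-east-1:123456789012:changeSet/root/PLACEHOLDER"
NESTED_ID = "arn:aws:cloudformation:us-east-1:123456789012:changeSet/nested/PLACEHOLDER"

SAMPLE_CHANGE_SETS: Dict[str, dict] = {
    ROOT_ID: {
        "StackName": "my-sample-changeset",
        "IncludeNestedStacks": True,
        "Changes": [
            {"Type": "Resource",
             "ResourceChange": {
                 "Action": "Modify",
                 "LogicalResourceId": "CloudwatchExportsBucket",
                 "ResourceType": "AWS::CloudFormation::Stack",
                 "Replacement": "False",
                 # Link to the nested change set (present for nested stacks).
                 "ChangeSetId": NESTED_ID,
             }},
        ],
    },
    NESTED_ID: {
        "StackName": "my-sample-changeset-CloudwatchExportsBucket-PLACEHOLDER",
        "ParentChangeSetId": ROOT_ID,
        "RootChangeSetId": ROOT_ID,
        "Changes": [
            {"Type": "Resource",
             "ResourceChange": {
                 "Action": "Modify",
                 "LogicalResourceId": "Bucket",
                 "ResourceType": "AWS::S3::Bucket",
                 # Renaming a bucket forces replacement: the old bucket goes away.
                 "Replacement": "True",
             }},
            {"Type": "Resource",
             "ResourceChange": {
                 "Action": "Add",
                 "LogicalResourceId": "BucketPolicy",
                 "ResourceType": "AWS::S3::BucketPolicy",
             }},
        ],
    },
}

Fetcher = Callable[[str], dict]


def flatten_change_set(change_set_id: str, fetch: Fetcher,
                       depth: int = 0, seen: Optional[Set[str]] = None) -> List[dict]:
    """Return every resource change in the tree rooted at change_set_id.

    `fetch` takes a change set id/ARN and returns the DescribeChangeSet
    response dict; with boto3 that is
    lambda cs: client.describe_change_set(ChangeSetName=cs).
    """
    seen = set() if seen is None else seen
    if change_set_id in seen:          # guard against a malformed, cyclic tree
        return []
    seen.add(change_set_id)
    response = fetch(change_set_id)
    rows: List[dict] = []
    for change in response.get("Changes", []):
        rc = change.get("ResourceChange")
        if not rc:
            continue
        rows.append({
            "Stack": response.get("StackName", ""),
            "Depth": depth,
            "Action": rc.get("Action", ""),
            "LogicalResourceId": rc.get("LogicalResourceId", ""),
            "ResourceType": rc.get("ResourceType", ""),
            "Replacement": rc.get("Replacement", "False"),
        })
        nested = rc.get("ChangeSetId")
        if nested and rc.get("ResourceType") == "AWS::CloudFormation::Stack":
            rows.extend(flatten_change_set(nested, fetch, depth + 1, seen))
    return rows


def risky_changes(rows: List[dict]) -> List[dict]:
    """Changes that destroy a resource: removals and (possibly) replacements."""
    return [r for r in rows
            if r["Action"] == "Remove" or r["Replacement"] in ("True", "Conditional")]


def render(rows: List[dict]) -> str:
    """One indented line per change, root first, nested stacks beneath it."""
    return "\n".join(f"{'  ' * r['Depth']}{r['Action']:<7}{r['Replacement']:<12}"
                     f"{r['ResourceType']:<32}{r['LogicalResourceId']}"
                     for r in rows)


if __name__ == "__main__":
    all_rows = flatten_change_set(ROOT_ID, SAMPLE_CHANGE_SETS.__getitem__)
    print(render(all_rows))
    for r in risky_changes(all_rows):
        print(f"REVIEW: {r['Stack']} / {r['LogicalResourceId']} ({r['Action']}, "
              f"Replacement={r['Replacement']})")
```

Run against a live account by replacing `SAMPLE_CHANGE_SETS.__getitem__` with a boto3-backed fetcher and passing the root change set ARN; the root change set is still the only one you execute, exactly as the console warns.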

AWS CloudFormation change sets now support nested stacks

Chris is a highly-skilled Information Technology, AWS Cloud, Training and Security Professional bringing cloud, security, training, and process engineering leadership to simplify and deliver high-quality products. He is the co-author of seven books and author of more than 70 articles and book chapters in technical, management, and information security publications. His extensive technology, information security, and training experience make him a key resource who can help companies through technical challenges. Chris is a member of the AWS Community Builder Program.

This article is Copyright © 2020, Chris Hare.
