Let’s deploy a template that creates an EC2 instance hosting an Apache web server and a security group. For ease and convenience, I’ll use the AWS Management Console. I’ll navigate to the CloudFormation dashboard. Then, I’ll click create new stack. From there, I can choose to upload a template file, use a sample template that CloudFormation creates for you, or create a template using a drag-and-drop diagram interface called CloudFormation designer.

Since I’m using a template I created, I'll choose to upload a template file, and select my web-server-with-security-group template and click next. Then, I'll have to name my stack - I’ll call it EC2InstanceWithSecurityGroup. 

Then, I have to choose a value for each template parameter. While some parameters might have a default value specified, I can choose to overwrite them if I'd like. For my instance type, I'll click the drop-down and see I have three options, and I'll choose t2.nano. And for my key name, I'll specify a key I created outside of the course so I can ssh into my instance.  

For the SSH location parameter, I can use the 0.0.0.0/0 value which will allow any remote IP address to reach my EC2 instance or I can choose to use a fixed IP address. If you're using fixed IP addresses, remember to use the CIDR notation. For example, If I want to only allow SSH traffic from my IP address, I’ll begin by specifying my IP, say 72.83.109.139 and then add on slash 32 to be in CIDR format.

Then I can click next. Here I will see additional stack options. I can create tags to apply to my resources, and I can also create an IAM role for CloudFormation to use to create my resources. If I don’t provide an IAM role, it will use my user permissions to create the infrastructure. 

Additionally, there's Stack failure options that let me choose if I want to roll back all resources on failure or only roll back failed resources while preserving successfully created ones. You can see that the default behavior rolls back all resources - and I’ll keep that selected for this demo. 

You can also choose to have CloudFormation use Amazon Simple Notification Service, or Amazon SNS, to notify you about stack events during the service creation or deletion. And then the stack policy field is useful if you want to prevent stack resources from being unintentionally updated or deleted during a stack update.

The stack policy is a JSON document that is similar to IAM policies. Like IAM policies, you define stack policies with the following elements: effect, action, principal, and resource. I'll paste in an example stack policy here, so you can take a look. 

The effect field value can be either allow, or deny. Using action or not action, you can specify all the actions that you want, or don't want to allow or deny. Principal is a mandatory attribute, but it only supports the wildcard, which means the statement applies to all principals. And Resource contains the list of all resources to which the statement will be applied. Here you can see an allow all statement, which is allowing all resources to be updated. 

However, I’m also including a Deny statement, which will prevent all updates, like replacement or deletion, to my EC2 Instance. Although the Allow statement specifies all resources, the explicit Deny statement overrides it for the resource with the EC2Instance logical ID. 

Keep in mind, you can always decide to set a stack policy, and then edit it when you need to update the stack. For now, I’ll leave the stack policy blank, click next, review our options and then click create. 

Now, let’s understand what’s happening under the hood here. The stack dashboard has several different tabs.  

The current open tab is events, which lists all stack events. Here you can see the order that the resources are created. Once I kicked off the stack creation, it starts creating my instance security group, since the instance references that resource. Once the security group is created successfully, it then creates the EC2 instance. 

As resources are created, you can also click the resources tab to gather more information and view the created resources. By clicking the EC2 instance physical ID link, it will take me to the EC2 dashboard, and I can see the appropriate information for my new instance. Some resources create quickly, while other resources like RDS database instances may take 10s of minutes to complete 

Back in the CloudFormation dashboard, I can see that my stack status has been changed to create_complete. This means that all of my resources have been successfully created! Which leaves me one more thing to check out, the outputs tab. Here, I can see all the returned values that I specified as outputs in my CloudFormation template.  

I can copy the public IP, open up a new browser window, specify http://, paste the IP in, and you can see our h1 header saying “Hello from cloud academy!”! 

In summary, I provided CloudFormation two inputs, the template and the parameters, it processed those, and outputted a stack. From there, I can grab the information from the outputs of that stack and view the website. That's all for this one, see you next time!