|6 min read

AWS CloudFormation: Infrastructure as Code Begins

AWS just launched CloudFormation and the idea of declaring your infrastructure in a template file is quietly revolutionary

cloudterraform

AWS released CloudFormation into general availability last month, and I have been experimenting with it on the free tier whenever I get spare time. The premise sounds simple: you write a JSON template that describes your AWS resources, submit it to CloudFormation, and it provisions everything for you. Automatically. Repeatably. Every single time.

If that does not sound revolutionary, you have probably never had to set up the same infrastructure twice.

The Manual Way

Let me describe what provisioning infrastructure looks like today for most teams I have interacted with. You log into the AWS Management Console. You click through a dozen screens to create a VPC, subnets, security groups, an EC2 instance, maybe an Elastic IP. You configure each one manually. You write down the settings in a wiki page or, more often, you forget to document anything at all.

Three months later, you need to set up a staging environment that mirrors production. You open the wiki page (if it exists), squint at the notes you left yourself, and try to recreate everything. Something is different. Maybe the AMI ID changed. Maybe you forgot a security group rule. Maybe the subnet CIDR conflicts with something. You spend two days debugging what should have taken two hours.

This is the reality of manual infrastructure management, and it is everywhere. I see it in my own work. I have seen it at companies where people have been doing this for years.

What CloudFormation Changes

CloudFormation introduces a simple but powerful idea: your infrastructure should be code. Not documentation about infrastructure. Not screenshots of console settings. Actual code that can be version controlled, reviewed, tested, and executed reliably.

Here is a minimal CloudFormation template that creates an EC2 instance:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Simple EC2 instance",
  "Resources": {
    "MyInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-12345678",
        "InstanceType": "t1.micro",
        "KeyName": "my-keypair",
        "SecurityGroups": [{"Ref": "MySecurityGroup"}]
      }
    },
    "MySecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow SSH access",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "22",
            "ToPort": "22",
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}

You submit this template, CloudFormation creates a "stack," and both resources are provisioned in the correct order with the correct dependencies. The security group is created first because the instance references it. CloudFormation figures out the dependency graph automatically.

Want to tear everything down? Delete the stack. Want to create an identical copy? Submit the same template. Want to modify something? Update the template and submit the change; CloudFormation calculates what needs to change and applies it.

Why This Matters

The concept is not entirely new. Configuration management tools like Puppet and Chef have been doing something similar for server configuration. But CloudFormation operates at a different level. It manages the infrastructure itself: networks, load balancers, databases, DNS records, the entire topology of your cloud environment.

There are a few properties that make this approach genuinely different from manual provisioning.

Repeatability. The same template produces the same infrastructure every time. No more "works in my environment" problems caused by subtle differences between staging and production.

Version control. You can store your templates in Git. You can see who changed what, when, and why. You can review infrastructure changes in a pull request the same way you review code changes. This is an enormous improvement over the current state of affairs where infrastructure knowledge lives in people's heads.

Self-documentation. The template is the documentation. You do not need a separate wiki page describing your infrastructure because the template describes it precisely and completely. And unlike wiki pages, the template is always current because it is the source of truth.

Dependency management. CloudFormation understands that resources depend on each other and creates them in the right order. When you delete a stack, it tears down resources in reverse dependency order. This eliminates an entire class of manual errors.

The Declarative Model

What interests me most is the declarative approach. You do not tell CloudFormation how to create your infrastructure. You tell it what you want, and it figures out the how. This is fundamentally different from writing a script that makes a sequence of API calls.

A script says: "Create this VPC, then create this subnet, then create this instance." If the script fails halfway through, you have a partial environment and need to figure out what was created and what was not. If you run the script again, it might fail because some resources already exist.

A template says: "I want a VPC, a subnet, and an instance." CloudFormation looks at the current state, compares it to the desired state, and makes whatever changes are necessary to reconcile the two. If it fails, it rolls back automatically.

This declarative model is borrowed from functional programming, and seeing it applied to infrastructure feels like a significant conceptual leap. Infrastructure becomes a function: given these inputs (parameters), produce this output (a running environment).

The Limitations

CloudFormation is not perfect, and it would be dishonest to pretend otherwise.

The JSON templates are verbose and hard to read. Even a simple setup produces hundreds of lines of JSON. There is no commenting in JSON, which makes it harder to explain the reasoning behind configuration choices. I have heard that YAML support might come eventually, which would help.

The error messages can be cryptic. When a stack creation fails, CloudFormation tells you which resource failed but the error messages are often AWS API errors that require some detective work to interpret.

Rollback is automatic but can be slow. If a stack creation fails after 15 minutes of provisioning, the rollback can take another 15 minutes. You sit and watch resources being deleted one by one, knowing you will need to fix the template and try again.

And the ecosystem is young. There are not many examples or best practices available yet. Most of the documentation is AWS's official docs, which are thorough but dry.

The Bigger Picture

CloudFormation is one product from one cloud provider, but the idea it represents, infrastructure as code, feels like it will outlast any specific implementation. The principle that infrastructure should be defined declaratively, version controlled, and automatically provisioned is too powerful to remain niche.

I have seen a few open source projects exploring similar ideas. Tools like Puppet and Chef handle server configuration, and I suspect we will see more tools that handle infrastructure provisioning in a cloud-agnostic way. The demand is clearly there.

For someone like me, early in my career and working with enterprise infrastructure, this is exciting. The gap between "developer" and "operations engineer" has always felt artificial. Tools like CloudFormation blur that line further. The person writing the application code and the person provisioning the infrastructure can now work in the same language, use the same tools, and review each other's changes.

I plan to keep experimenting with CloudFormation on personal projects and document what I learn here. The free tier gives you enough room to play with small stacks, and the learning curve, while real, is manageable if you already understand AWS basics.

Infrastructure as code. It sounds like a buzzword, but the more I use it, the more it feels like the future.

Share: