kb.erickguedes.com
AWS: Cloud Computing in Practice

CloudFormation: Infrastructure as Code

Lesson 7 of 8

AWS CloudFormation

CloudFormation provisions AWS resources from declarative templates (YAML or JSON): the template states the desired resources and their properties, and the service creates, updates or deletes whatever is needed to match it.

Basic Template

AWSTemplateFormatVersion: '2010-09-09'
Description: Stack EC2 + Security Group

Parameters:
  InstanceType:
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small, t3.medium]
  SSHSourceIp:
    # CIDR allowed to reach port 22. No default on purpose: the deployer must supply it,
    # and the pattern rejects anything that is not an IPv4 CIDR.
    Type: String
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
  LatestAmi:
    # Resolved at deploy time from the public SSM parameter for Amazon Linux 2023
    # (which is why the UserData script uses dnf).
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG para servidor web
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SSHSourceIp

  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: !Ref LatestAmi
      SecurityGroupIds: [!Ref WebSecurityGroup]
      UserData: !Base64 |
        #!/bin/bash
        dnf install -y nginx
        systemctl enable --now nginx
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-webserver"

Outputs:
  PublicIP:
    Description: IP público do servidor
    Value: !GetAtt WebServer.PublicIp
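As an added example (not part of the lesson), the check below reads a template in CloudFormation's JSON form and flags every ingress rule that opens a non-web port to the whole internet. It resolves a `{"Ref": ...}` through the parameter's `Default`, because that is the value the stack receives unless the deployer overrides it. The embedded template is a constructed JSON rendering of the security group above; the `203.0.113.10/32` default and the 80/443 allow-list are assumptions made for the example.

```python
import json
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed JSON rendering of the lesson's security group (CloudFormation accepts
# JSON as well as YAML; "!Ref X" becomes {"Ref": "X"}). Resource and parameter names
# are the lesson's; the SSHSourceIp default is an assumed documentation address.
TEMPLATE_JSON = """
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "SSHSourceIp": {"Type": "String", "Default": "203.0.113.10/32"}
  },
  "Resources": {
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "SG para servidor web",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "SSHSourceIp"}}
        ]
      }
    }
  }
}
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumed policy: only HTTP and HTTPS may be reachable from any address.
PUBLIC_OK_PORTS = {80, 443}


def resolve_cidr(value: Any, params: Dict[str, dict]) -> Tuple[Optional[str], str]:
    """Return (cidr, origin). A {"Ref": name} resolves through the parameter's Default,
    the value the stack gets when nobody overrides it at deploy time (None if no Default)."""
    if isinstance(value, dict) and "Ref" in value:
        name = value["Ref"]
        return params.get(name, {}).get("Default"), "parameter " + name
    if isinstance(value, str):
        return value, "literal"
    return None, "none"   # e.g. SourceSecurityGroupId rules carry no CIDR


def ports_of(rule: dict) -> Optional[Set[int]]:
    """Ports a rule opens, or None when it opens every port (protocol -1 / port -1)."""
    if str(rule.get("IpProtocol")) == "-1":
        return None
    from_port, to_port = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
    if from_port == -1 or to_port == -1:
        return None
    return set(range(from_port, to_port + 1))


def check_ingress(template: dict) -> List[str]:
    """One finding per ingress rule that exposes a non-web port to the whole internet."""
    findings = []
    params = template.get("Parameters", {})
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr, origin = resolve_cidr(rule.get("CidrIp", rule.get("CidrIpv6")), params)
            if cidr not in WORLD_CIDRS:
                continue   # scoped CIDR (or no CIDR at all): outside this check's scope
            ports = ports_of(rule)
            if ports is None:
                findings.append(f"{logical_id}: all ports open to {cidr} (via {origin})")
            elif ports - PUBLIC_OK_PORTS:
                exposed = sorted(ports - PUBLIC_OK_PORTS)
                findings.append(f"{logical_id}: port(s) {exposed} open to {cidr} (via {origin})")
    return findings


def lint_template_text(text: str) -> List[str]:
    """Parse a JSON template and run the ingress check; [] means nothing to report."""
    return check_ingress(json.loads(text))


if __name__ == "__main__":
    for line in lint_template_text(TEMPLATE_JSON) or ["no world-open non-web ports"]:
        print(line)
```

Run it against a template file with `python lint.py` after swapping `TEMPLATE_JSON` for the file's contents; a rule whose CIDR comes from a parameter without a `Default` resolves to `None` and is skipped, which is exactly why the corrected template above gives `SSHSourceIp` no default and an `AllowedPattern` instead.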

Modules: Reuse

# modules/vpc.yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcCIDR:
    Type: String
    Default: 10.0.0.0/16
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCIDR
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      # First /24 carved out of the VPC range
      CidrBlock: !Select [0, !Cidr [!Ref VpcCIDR, 4, 8]]
      MapPublicIpOnLaunch: true
Outputs:
  VpcId:
    Value: !Ref VPC
    Export:
      Name: !Sub "${AWS::StackName}-VpcId"
  PublicSubnetId:
    # Read by the parent stack via !GetAtt <NestedStack>.Outputs.PublicSubnetId
    Value: !Ref PublicSubnet

# main.yaml: consume the module as a nested stack
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  LatestAmi:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64
Resources:
  MinhaVPC:
    Type: AWS::CloudFormation::Stack
    Properties:
      # The module must live in an S3 bucket the deploying role can read
      TemplateURL: https://s3.amazonaws.com/templates/modules/vpc.yaml
      Parameters:
        VpcCIDR: 10.0.0.0/16

  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.micro
      ImageId: !Ref LatestAmi
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !GetAtt MinhaVPC.Outputs.PublicSubnetId

Change Sets: Previewing Changes

# Create the change set (see what will change before applying it)
aws cloudformation create-change-set \
  --stack-name minha-stack \
  --template-body file://updated-template.yaml \
  --change-set-name meu-change-set

# Creation is asynchronous: wait until the change set is ready to be described
aws cloudformation wait change-set-create-complete \
  --stack-name minha-stack \
  --change-set-name meu-change-set

# Review the changes (Action, Replacement and the properties each change touches)
aws cloudformation describe-change-set \
  --change-set-name meu-change-set \
  --stack-name minha-stack

# Apply
aws cloudformation execute-change-set \
  --change-set-name meu-change-set \
  --stack-name minha-stack
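An added example, not from the lesson, of a review gate that reads the JSON `describe-change-set` returns and refuses an automatic `execute-change-set` when a change removes a resource, replaces one (the resource gets a new physical ID), or modifies an access-relevant type such as a security group or an IAM resource. The change set below is constructed to match the API's field names (`Action`, `Replacement`, `Details[].Target`); logical names follow the lesson, while the physical IDs, the `AuditLogBucket` and `WebServerAlarm` resources and the list of sensitive types are assumptions.

```python
import json
from typing import List, Tuple

# Constructed output in the shape `aws cloudformation describe-change-set` returns,
# limited to the fields this gate reads. Logical names follow the lesson; physical IDs,
# AuditLogBucket and WebServerAlarm are made up.
CHANGE_SET_JSON = """
{
  "ChangeSetName": "meu-change-set",
  "StackName": "minha-stack",
  "Status": "CREATE_COMPLETE",
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "WebServer",
      "PhysicalResourceId": "i-0123456789abcdef0", "ResourceType": "AWS::EC2::Instance",
      "Replacement": "True", "Scope": ["Properties"],
      "Details": [{"Target": {"Attribute": "Properties", "Name": "ImageId", "RequiresRecreation": "Always"},
                   "Evaluation": "Static", "ChangeSource": "ParameterReference", "CausingEntity": "LatestAmi"}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "WebSecurityGroup",
      "PhysicalResourceId": "sg-0123456789abcdef0", "ResourceType": "AWS::EC2::SecurityGroup",
      "Replacement": "False", "Scope": ["Properties"],
      "Details": [{"Target": {"Attribute": "Properties", "Name": "SecurityGroupIngress", "RequiresRecreation": "Never"},
                   "Evaluation": "Static", "ChangeSource": "DirectModification"}]}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Remove", "LogicalResourceId": "AuditLogBucket",
      "PhysicalResourceId": "minha-stack-auditlogbucket-x1y2z3", "ResourceType": "AWS::S3::Bucket",
      "Scope": []}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Add", "LogicalResourceId": "WebServerAlarm",
      "ResourceType": "AWS::CloudWatch::Alarm", "Scope": []}}
  ]
}
"""

# Assumed policy: modifying these types changes who can reach or do what, so a human signs off.
SENSITIVE_TYPE_PREFIXES = ("AWS::IAM::", "AWS::EC2::SecurityGroup", "AWS::S3::BucketPolicy", "AWS::KMS::")


def changed_properties(rc: dict, recreating_only: bool = False) -> List[str]:
    """Property names listed under Details[].Target, optionally only those forcing recreation."""
    names = []
    for detail in rc.get("Details", []):
        target = detail.get("Target", {})
        if recreating_only and target.get("RequiresRecreation") == "Never":
            continue
        names.append(target.get("Name"))
    return names


def review_change_set(change_set: dict) -> List[Tuple[str, str]]:
    """(LogicalResourceId, reason) for every change that needs a human before execute-change-set."""
    flagged = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange")
        if not rc:
            continue
        rid, rtype, action = rc["LogicalResourceId"], rc["ResourceType"], rc["Action"]
        if action == "Remove":
            flagged.append((rid, f"removes {rtype}; check its DeletionPolicy before executing"))
        elif rc.get("Replacement") in ("True", "Conditional"):
            flagged.append((rid, f"{rtype} gets a new physical ID because of {changed_properties(rc, True)}"))
        if action == "Modify" and rtype.startswith(SENSITIVE_TYPE_PREFIXES):
            flagged.append((rid, f"access-relevant {rtype} changes {changed_properties(rc)}"))
    return flagged


def review_change_set_text(text: str) -> List[Tuple[str, str]]:
    """Parse the CLI's JSON output and review it."""
    return review_change_set(json.loads(text))


def gate(text: str) -> bool:
    """True when the change set may be executed without manual review."""
    return not review_change_set_text(text)


if __name__ == "__main__":
    for rid, reason in review_change_set_text(CHANGE_SET_JSON):
        print(f"REVIEW {rid}: {reason}")
    print("auto-execute allowed:", gate(CHANGE_SET_JSON))
```

In a pipeline this sits between `describe-change-set` and `execute-change-set`: the CLI output is fed to `gate()`, and a `False` result stops the job so a person reads the flagged entries. The sensitive-type list is where you encode what your organisation treats as a change to its trust boundary.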

StackSets: Multi-account / Multi-region

# Create the StackSet (deploys the same template to multiple accounts).
# With self-managed permissions the admin role lives in this account and the
# execution role must already exist in every target account, trusting the admin role.
aws cloudformation create-stack-set \
  --stack-set-name SecurityBaseline \
  --template-body file://security-baseline.yaml \
  --administration-role-arn arn:aws:iam::xxx:role/AdminRole \
  --execution-role-name StackSetExecutionRole

# Add stack instances (one stack per account/region pair)
aws cloudformation create-stack-instances \
  --stack-set-name SecurityBaseline \
  --accounts '123456789012' '234567890123' \
  --regions 'us-east-1' 'eu-west-1'

Drift Detection

# Detect manual changes (drift). Detection is asynchronous and returns a detection ID.
DETECTION_ID=$(aws cloudformation detect-stack-drift \
  --stack-name minha-stack \
  --query StackDriftDetectionId --output text)

# Poll until DetectionStatus is DETECTION_COMPLETE
aws cloudformation describe-stack-drift-detection-status \
  --stack-drift-detection-id "$DETECTION_ID"

# Check the result: resources whose live configuration differs from the template
aws cloudformation describe-stack-resource-drifts \
  --stack-name minha-stack \
  --stack-resource-drift-status-filters MODIFIED DELETED
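An added example (not the lesson's code) that triages the JSON `describe-stack-resource-drifts` prints: it drops `IN_SYNC` entries, turns each `PropertyDifferences` item into a readable note, and ranks the drift by whether the live value widened exposure (a world CIDR the template never had) or touched an access-relevant resource type. The report is constructed to follow the API's field names; logical names follow the lesson, and the physical IDs, values, the `WebServerAlarm` resource and the severity rules are assumptions.

```python
import json
import sys
from typing import List

# Constructed report in the shape `aws cloudformation describe-stack-resource-drifts`
# prints (only the fields this triage reads; the real output also carries StackId,
# Timestamp and Expected/ActualProperties as JSON strings). Logical names follow the
# lesson; physical IDs and values are made up. The IN_SYNC entry is what you get
# when the status filter is omitted.
DRIFT_REPORT = {
    "StackResourceDrifts": [
        {
            "LogicalResourceId": "WebSecurityGroup",
            "PhysicalResourceId": "sg-0123456789abcdef0",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "StackResourceDriftStatus": "MODIFIED",
            "PropertyDifferences": [
                {"PropertyPath": "/SecurityGroupIngress/1/CidrIp",
                 "ExpectedValue": "203.0.113.10/32", "ActualValue": "0.0.0.0/0",
                 "DifferenceType": "NOT_EQUAL"},
                {"PropertyPath": "/SecurityGroupIngress/2",
                 "ActualValue": '{"IpProtocol":"tcp","FromPort":3389,"ToPort":3389,"CidrIp":"0.0.0.0/0"}',
                 "DifferenceType": "ADD"},
            ],
        },
        {
            "LogicalResourceId": "WebServerAlarm",
            "PhysicalResourceId": "minha-stack-WebServerAlarm-ABC123",
            "ResourceType": "AWS::CloudWatch::Alarm",
            "StackResourceDriftStatus": "DELETED",
            "PropertyDifferences": [],
        },
        {
            "LogicalResourceId": "WebServer",
            "PhysicalResourceId": "i-0123456789abcdef0",
            "ResourceType": "AWS::EC2::Instance",
            "StackResourceDriftStatus": "IN_SYNC",
            "PropertyDifferences": [],
        },
    ]
}

WORLD_CIDRS = ("0.0.0.0/0", "::/0")
# Assumed policy: drift on these types changes who can reach or do what, so it is triaged first.
SENSITIVE_TYPE_PREFIXES = ("AWS::IAM::", "AWS::EC2::SecurityGroup", "AWS::S3::BucketPolicy", "AWS::KMS::")


def widens_exposure(diff: dict) -> bool:
    """True when the live value introduces a world CIDR the template did not have."""
    actual, expected = str(diff.get("ActualValue", "")), str(diff.get("ExpectedValue", ""))
    return any(c in actual for c in WORLD_CIDRS) and not any(c in expected for c in WORLD_CIDRS)


def describe_difference(diff: dict) -> str:
    """One human-readable line per PropertyDifferences entry."""
    path, kind = diff["PropertyPath"], diff["DifferenceType"]
    if kind == "ADD":
        return f"{path} added outside the stack: {diff.get('ActualValue')}"
    if kind == "REMOVE":
        return f"{path} removed outside the stack (template had {diff.get('ExpectedValue')})"
    return f"{path}: template says {diff.get('ExpectedValue')!r}, live value is {diff.get('ActualValue')!r}"


def triage(report: dict) -> List[dict]:
    """Drifted resources with a severity and notes, highest severity first; IN_SYNC is dropped."""
    items = []
    for drift in report.get("StackResourceDrifts", []):
        status = drift["StackResourceDriftStatus"]
        if status == "IN_SYNC":
            continue
        rtype, diffs = drift["ResourceType"], drift.get("PropertyDifferences", [])
        widened = any(widens_exposure(d) for d in diffs)
        if status == "DELETED":
            severity = "medium"   # assumed ranking: the next update fails or recreates it
            notes = ["resource no longer exists; the next stack update will fail or recreate it"]
        else:
            severity = "high" if (widened or rtype.startswith(SENSITIVE_TYPE_PREFIXES)) else "low"
            notes = [describe_difference(d) for d in diffs]
        items.append({"resource": drift["LogicalResourceId"], "type": rtype, "status": status,
                      "severity": severity, "exposure_widened": widened, "notes": notes})
    return sorted(items, key=lambda i: {"high": 0, "medium": 1, "low": 2}[i["severity"]])


if __name__ == "__main__":
    # Pipe the real CLI output in, or run without stdin to triage the constructed sample.
    report = DRIFT_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    for item in triage(report):
        print(f"[{item['severity']}] {item['resource']} ({item['type']}) {item['status']}")
        for note in item["notes"]:
            print("    " + note)
```

Usage: `aws cloudformation describe-stack-resource-drifts --stack-name minha-stack | python triage.py`. A `high` entry with `exposure_widened` set is the case drift detection exists for: the template still says one thing, the live security group says another, and the next stack update will not necessarily put it back, because CloudFormation only rewrites properties the update actually changes.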

CloudFormation is declarative: you describe the desired state and AWS works out the changes needed to reach it. Use Change Sets to review a change before applying it, and StackSets for multi-account governance.