AWS — Infrastructure as Code Tutorial — Step 1.1 — CloudFormation

John Gakhokidze
5 min readNov 22, 2020

Please make sure you read Prerequisites for course first.

I will leave the introduction for the importance of “Infrastructure as code” to AWS.

From the Operational Excellence Pillar:

  • Perform operations as code: In the cloud, you can apply the same engineering discipline that you use for application code to your entire environment. You can define your entire workload (applications, infrastructure, etc.) as code and update it with code. You can script your operations procedures and automate their execution by triggering them in response to events. By performing operations as code, you limit human error and enable consistent responses to events.
  • Make frequent, small, reversible changes: Design workloads to allow components to be updated regularly to increase the flow of beneficial changes into your workload. Make changes in small increments that can be reversed if they fail to aid in the identification and resolution of issues introduced to your environment (without affecting customers when possible).

There are 3 more principles, but the aforementioned are related to our course.

Note: all steps are in GitHub repository

Getting started .. with failure

Let us get started… With the simplest possible template (creating empty VPC) -well, with the bad template first 😃- as one of the principles is “Anticipate failure”

Filename vpc-with-error.yaml on GitHub.

You heard right — we’ll be using Yaml

If we try to deploy it the good old way through the console, we’ll get an error


Some knowledge of Yaml is really needed here. 4 rules we need to know for now:

  • Anything in Yaml is Key: Value
  • Indents are Important
  • Do not use TAB — use the same numbers of spaces for indentation
  • Some Keys contain subkeys, and are referred to as sections


Your guess is — below, we are either missing a Value for Properties, or Properties is a section.

Indeed we are missing something— and here it comes The Anatomy of CloudFormation Template

“The required Resources section declares the AWS resources that you want to include in the stack, such as an Amazon EC2 instance or an Amazon S3 bucket”

Important: Resources is the only required section in the template

Next, the CidrBlock line must have an indent. Let us correct it:

We still see that red curly underscore after Properties:, so something is still not right. If we try to deploy it again, we will not get an error right away, instead:

  1. Stack will start running
  2. Stack will fail after sometime

If we check the Events tab, we can see it ended up with rolling back changes:

And now we see the error:

The CIDR ‘’ is invalid. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidVpc.Range; Request ID: 754a74bb-a9c2–4830-b969-a7700711d815; Proxy: null)

Make sure to delete the failed stack, before proceeding to the next step.

Ok, so it is not a Yaml error, but inattentiveness.

VPC CidrBlock netmask ( must be between /16 and /28

Let us correct it.

Filename vpc.yaml on GitHub

This time template will be deployed, without errors (we will discuss the yellow curly underscored line later - make sure you have cfn_nag installed)

Do not forget to delete Stack

CFN-LINT — avoiding a long wait in the line

Let us summarize what we have done:

  1. We had to upload the template 3 times
  2. Two times it failed, and we had to spend time watching the console

Reasonable question: anything we can do before even trying to run the template?

We can do it — with the help of cfn-lint

Let us go back to our bad template:

cfn-lint.exe .\vpc-with-error.yaml

Error 1. Yaml syntax — E0000 Null value at line 5 column 16 — having knowledge of CloudFormation Anatomy about sections, we realize it is an Indentation error

cfn-lint.exe .\vpc-with-error.yaml

Error 2. ( inattentiveness ) — E2505 VPC Cidrblock netmask ( must be between /16 and /28 — error explicitly says what to correct

And finally no output from cfn-lint — if no error

cfn-lint.exe .\vpc-with-error.yaml


  • We now have some knowledge of Yaml syntax. — Read more about Yaml language syntax
  • We touched upon AWS CloudFormation template anatomy and learned about the only required section in template — Resources. — Read more about AWS CloudFormation template anatomy
  • We started to troubleshoot our template locally, which will save us time, before deploying template which is syntactically correct from the Yaml side, but violates AWS rules on allowed Resources values or limits. — Read more about cfn-lint.