1
votes

Using nested stacks is a best practice in AWS CloudFormation, and indeed they solve many problems (code reuse, stack limits, etc).

When updating a stack (either through UpdateStack or ChangeSets), one can provide UsePreviousTemplate=True in order to instruct CloudFormation to use whatever template is currently live for the stack. This is useful if all you want to do is update some parameters, and especially if you have some automated script doing the update (we update a parameter with the SHA of the code on github that we want to put live, and CloudFormation does the rest for us -- build and deploy, so we update this parameter from a lambda as soon as we have the code ready for a deploy); in this case you want to make sure that all you do is update the stuff controlled by the parameter, and not accidentally provide a new (or old) template.

There seems to be no documentation on what happens if you give this parameter when there are nested stacks involved, nor does there seem to be any place where one could specify anything useful in this regard. There also seems to be nothing useful in the definition of the nested stack:

Type: AWS::CloudFormation::Stack
Properties: 
  NotificationARNs: 
    - String
  Parameters: 
    Key : Value
  Tags: 
    - Tag
  TemplateURL: String
  TimeoutInMinutes: Integer

Hence the following questions:

  • What is the behaviour when doing an update with UsePreviousTemplate=True on a stack with nested stacks?
  • Is it possible to do a stack update, using something like UsePreviousTemplate=True not only for the parent stack but also for the nested stacks?

1 Answer

1
votes

What is the behaviour when doing an update with UsePreviousTemplate=True on a stack with nested stacks?

The previous template for the root stack is being used. However this template points to the s3 location of the nested template, and the nested template is again retrieved from this location. This means that:

  • Any changes to that template on s3 result in those changes being deployed to your nested stack
  • If the template is not to be found on that spot anymore, the stack-update fails.
  • In general, you will always see the nested stacks in your ChangeSet, (supposedly) because CloudFormation doesn't know until the moment it's actually running if there are changes in the template. This also means that the stack-update of the parent will be slower.

You can avoid the first of these issues by using a versioned URL: if you have versioning switched on in your bucket, add ?versionId=... to your URL:

https://s3.#BUCKETREGION#.amazonaws.com/..../.../.../.../nested.template?versionId=XXXX

Note: the above is true regardless of whether there are Macros in the nested stacks (which legitimately would mean that at least they need re-evaluation upon update), or whether CAPABILITY_AUTO_EXPAND is given or not (if not, this guarantees no macros in the nested stacks).

Is it possible to do a stack update, using something like UsePreviousTemplate=True not only for the parent stack but also for the nested stacks?

There is a possibility to set a stack policy that disallows updates on nested stacks ([here][3], under "Prevent Updates to Nested Stacks"), however in my experiments all that it did was disallow any update on the parent stack (since any update will automatically affect the child stacks).

So for now I'm inclined to say "no", but I'd be happy to be proven wrong here!
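As an added illustration of the versioned-URL advice above (not code from the answer), the following script scans a parent template for AWS::CloudFormation::Stack resources whose TemplateURL is not pinned with ?versionId=, and shows how to pin one. It assumes a JSON-format template (the sample is constructed here) and treats an Fn::Sub TemplateURL as its literal string.

```python
"""Find nested-stack TemplateURLs that are not pinned to an S3 object version.

An unpinned URL means a UsePreviousTemplate=True update of the parent will
re-fetch whatever currently sits at that S3 key, so a changed child template
gets deployed even though the parent template itself did not change.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

NESTED_TYPE = "AWS::CloudFormation::Stack"


def template_url_string(value):
    """Return the literal text of a TemplateURL property (plain string or Fn::Sub)."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        return sub if isinstance(sub, str) else sub[0]  # list form: [template, {vars}]
    return None  # Ref/GetAtt etc. cannot be checked statically


def unpinned_nested_stacks(template):
    """Return logical IDs of nested stacks whose TemplateURL lacks a versionId query parameter."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != NESTED_TYPE:
            continue
        url = template_url_string(resource.get("Properties", {}).get("TemplateURL"))
        if url is None or not parse_qs(urlparse(url).query).get("versionId"):
            findings.append(logical_id)
    return findings


def pin_template_url(url, version_id):
    """Return url with its versionId query parameter set (replacing any existing one)."""
    parts = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    query["versionId"] = version_id
    return urlunparse(parts._replace(query=urlencode(query)))


# Constructed sample parent template: one pinned and one unpinned nested stack.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "Network": {"Type": "AWS::CloudFormation::Stack",
                "Properties": {"TemplateURL": "https://s3.eu-west-1.amazonaws.com/example-bucket/network.template"}},
    "App": {"Type": "AWS::CloudFormation::Stack",
            "Properties": {"TemplateURL": {"Fn::Sub": "https://s3.eu-west-1.amazonaws.com/example-bucket/app.template?versionId=abc123"}}},
    "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}}
  }
}""")

if __name__ == "__main__":
    print("unpinned nested stacks:", unpinned_nested_stacks(SAMPLE_TEMPLATE))
```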