AWS CloudFormation Starterkit

Welcome to the AWS CloudFormation Starterkit, designed to streamline your infrastructure setup using CloudFormation templates and the Rain tool. This repository provides a structured approach to managing your AWS resources as code, ensuring efficient and reliable deployments.

Tip

AWS Done Right: Ship Faster, More Securely, at Lower Cost! Our AWS CDK Landing Zone Service helps B2B startups & enterprises achieve SOC 2 compliance 90% faster, reclaim 30% of developer capacity for product innovation while eliminating six-figure Cloud Engineering costs.

Discover how we deliver 10x AWS infrastructure value while cutting costs.

☁️ Learn more how we help businesses succeed on AWS Cloud...

AWS promises simplicity but delivers complexity. Businesses struggle with security risks and compliance requirements that divert developers from core product work.

Without AWS expertise, you face vulnerabilities, technical debt, and market delays while competitors race ahead.

Traditional consultancies worsen this by prioritizing billable hours over outcomes.

We take the opposite approach, focusing exclusively on business outcomes by eliminating AWS complexity, accelerating your developers, and securing your infrastructure through:

Deploying a Secure Landing Zone

• Multi-account architecture with strict security boundaries
  • 100% score on CIS AWS Foundation Benchmark
  • 96% rating on AWS foundational security best practices
• Manage user access securely on AWS via Single Sign-On (SSO)
• Full AWS CDK implementation (Infrastructure as Code)
• Multi-region deployments supported
• Cross-account monitoring and security alerts
• View our Roadmap for all implemented and upcoming features

Upskilling and accelerating your developers

• They get access to our production-ready, security-hardened AWS CDK components
• They receive AWS best practices guidance to prevent technical debt

Providing support and maintenance

• Landing Zone gets updates and security patches
• Priority Slack/Teams support for infrastructure challenges
• Quarterly security and cost optimization assessments to stay compliant and reduce AWS costs

What This Means For Your Business

• 30% Lower TCO: Cut Total Cost by 40% through right-sized resources while eliminating the $150K+ cost of a specialized AWS hire.
• Accelerate Development: Redirect 30% of engineering time from infrastructure to revenue-generating features with pre-built, compliant CDK components.
• Compliance-Ready Infrastructure: Meet security requirements from day one with architecture that speeds up audit preparation by 90% for SOC 2, HIPAA, and other security frameworks.

All of this is included in a fixed monthly subscription. No lock-in, no large upfront costs, just predictable monthly pricing.

Book a free call to see how we deliver 10x AWS infrastructure value at a fraction of a Cloud Engineer's cost.

Features

• ⚡ Quick Setup: Get started with your infrastructure CI/CD in minutes by configuring a couple of repository variables.
• 🌐 Environment Flexibility: Supports multiple environments (e.g., dev, staging, prod) via GitHub Actions workflows.
• 🤖 Automated Validation: Use Checkov and cfn-lint for static analysis of your CloudFormation templates, ensuring compliance and security best practices.
• 🏗️ Modular Structure: Organize your templates into logical components for better manageability and scalability.
• 🔒 Security Best Practices: Incorporate OIDC for deploying cloudformation stacks in a secure manner in your AWS account via a GitHub Actions workflow.
• 📜 Comprehensive Documentation: Detailed README and inline comments to guide you through setup and deployment processes.
• 🚀 CI/CD Integration: Ready-to-use GitHub Actions workflows for automated deployments and validations.

Setup Guide

This project requires Python 3 and pip for managing dependencies.

To get started, follow these steps:

1. Clone this repository:

git clone https://github.com/towardsthecloud/aws-cloudformation-starterkit.git
cd aws-cloudformation-starterkit

1. Install checkov, cfn-lint via pip & rain via homebrew:

brew install rain
pip install -r requirements.txt

3. Run the provision-repo.sh script to generate the parameter and workflow files for your environment and in the repository with your AWS account information and the necessary variables for the OIDC provider.

./scripts/provision-repo.sh

4. Validate your CloudFormation templates with cfn-lint and checkov using the provided script:

./scripts/validate.sh

5. Deploy the oidc-provider CloudFormation stack using the deploy-templates.sh script:

./scripts/deploy-templates.sh

Warning

Make sure that you have the required IAM role or user setup in your aws config file. Use a tool such as Granted to make accessing your AWS account via the CLI easier and more secure.

Now that you have successfully deployed the OIDC provider, you can use the following steps to configure your GitHub repository with the necessary variables, so that the CI/CD workflow can be used to deploy your CloudFormation stacks.

6. Navigate to your repository's settings page on GitHub.
   1. In the left sidebar, click on "Secrets and variables".
   2. Click on "Actions" and then "New repository variable".
   3. add the following variables:

Note: Make sure to modify the values of the variables to match your specific account and region.

You can now use the provided GitHub Actions workflows to deploy your CloudFormation stacks. Simply commit your changes to the main branch of your repository by adding new stacks to the ./templates folder and the workflow will automatically deploy your stacks.

Project Structure

This starter kit is organized to promote best practices in managing CloudFormation templates:

.
├── .cfnlintrc
├── .checkov.yml
├── .github
│  ├── pull-request-template.md
│  └── workflows
      ├── cfn-lint-scan.yml
│     ├── checkov-scan.yml
│     └── cloudformation-deploy-test.yml
├── LICENSE
├── parameters
│  ├── production
│  │  └── oidc-provider.yml
│  └── test
│     └── oidc-provider.yml
├── README.md
├── requirements.txt
├── scripts
│  ├── provision-repo.sh
│  ├── deploy-templates.sh
│  └── validate-templates.sh
└── templates
   └── oidc-provider.yml

Key Components

• parameters/: This directory contains parameter files for different environments, such as production and test. Each subdirectory corresponds to an environment and contains YAML files that define parameters specific to that environment. It's important to ensure that the filename of each parameter file matches the corresponding template name in the templates/ directory. This naming convention allows scripts to correctly associate parameters with their respective templates during deployment.
• .cfnlintrc: This file is the configuration for cfn-lint, a tool used to validate CloudFormation templates against AWS best practices and syntax rules.
• .checkov.yml: This configuration file is used by Checkov, a static analysis tool for infrastructure as code. It defines the rules and policies that Checkov will enforce when scanning your CloudFormation templates.
• .github/workflows/: Contains GitHub Actions workflows for CI/CD.
• • cfn-lint-scan.yml: Automates the validation of CloudFormation templates using cfn-lint to ensure compliance with AWS best practices and syntax rules.
• • checkov-scan.yml: Automates the validation of CloudFormation templates using Checkov to ensure compliance and security.
• • cloudformation-deploy-test.yml: Manages the deployment of CloudFormation stacks for testing purposes.
• scripts/: Contains shell scripts for managing templates.
• • deploy-templates.sh: Automates the deployment of CloudFormation templates using the Rain tool.
• • provision-repo.sh: Generates the parameter and workflow files for your environment and in the repository with your AWS account information and the necessary variables for the OIDC provider.
• • validate-templates.sh: Validates CloudFormation templates using Checkov to ensure they adhere to best practices.
• templates/: Stores CloudFormation templates.
• • oidc-provider.yml: Example template for setting up an OpenID Connect provider in AWS.

CI/CD Integration

This starter kit includes GitHub Actions workflows for automated validation and deployment. Customize the workflows in the .github/workflows/ directory to suit your CI/CD needs.

Checkov Scan: Automatically runs Checkov on your templates to catch security and compliance issues before deployment. CloudFormation Deploy Test: Deploys your CloudFormation stacks in a test environment to ensure everything works as expected.

Start adding CloudFormation templates

To start adding CloudFormation templates, simply add new files to the ./templates directory and commit them to the main branch of your repository to trigger the CI/CD workflow. The workflow will automatically deploy your stacks using the provided parameter files.

Here are a couple of repositories containing CloudFormation templates that you can use as a starting point:

• Official AWS CloudFormation Templates
• Widdix's AWS CloudFormation Templates
• AWS Quick Start Templates

AWS CDK Starterkit

Looking for a more modern approach to managing your AWS infrastructure? Consider using the AWS CDK Starterkit for a tailored experience that leverages the full power of AWS CDK with TypeScript.

AWS CDK offers several advantages over traditional CloudFormation, such as improved developer experience through the use of familiar programming languages, higher abstraction with reusable constructs, and seamless integration with development workflows. These features make AWS CDK a highly recommended choice for more efficient and flexible infrastructure management.

Explore the AWS CDK Starterkit and start building your infrastructure with greater efficiency and flexibility today!

Acknowledgements

Special thanks to the creators of Rain, Checkov, and cfn-lint for their invaluable tools that make infrastructure management easier and more secure.

Author

Danny Steenman