AWS CloudFormation Starterkit

Welcome to the AWS CloudFormation Starterkit, designed to streamline your infrastructure setup using CloudFormation templates and the Rain tool. This repository provides a structured approach to managing your AWS resources as code, ensuring efficient and reliable deployments.

Tip

Launch Faster on AWS and Become Fully Secure From Day One! Our AWS Landing Zone Foundation service helps B2B companies achieve SOC 2 compliance 90% faster, redirect 30% of engineering time back to product development all while eliminating the six-figure cost of specialized cloud engineers. so you can focus on shipping your product, instead of worrying about managing your infrastructure on AWS.

Schedule a free introduction call to discover how we can deliver 10x the value of securing and building your infrastructure on AWS for a fraction of the cost of a full-time cloud engineer.

☁️ Learn more about our unique AWS Foundation Service

Is AWS complexity draining your engineering resources? Most B2B startups and growing businesses struggle with overwhelming configuration options, time-consuming compliance requirements, and diverting valuable developer talent away from core product development. Without specialized AWS expertise, you risk security vulnerabilities, mounting technical debt, and delayed time-to-market. All while your competitors race ahead.

Traditional AWS consultancies only compound this problem. They're incentivized to bill by the hour, extending projects indefinitely rather than focusing on your business outcomes. We take the opposite approach. Our fixed-price subscription model proves how confident we are in delivering results, not just billable hours. We succeed when you succeed, aligning our incentives with your growth rather than your AWS complexity.

Our Solution: Enterprise-Grade AWS Foundation

We deliver an enterprise-grade AWS Landing Zone built entirely in AWS CDK coupled with a support and consultacy foundation that grows with your business needs. Here's what we'll deliver to you:

We deploy a Secure and Compliant Landing Zone

• Multi-account architecture with proper security boundaries
  • Achieves a 100% score on the industry-standard CIS AWS Foundation Benchmark
  • Achieves a 96% rating on AWS's own foundational security best practices
• Setup entirely using AWS CDK (Infrastructure as Code)
• Budget monitoring and notifications across all accounts
• Deploy changes quickly through GitHub Actions
• We're continuously adding new features as listed on our Roadmap

We upskill and accelerate your Developers

• They gain access to our library of ready-to-use, security-hardened AWS CDK components
• They receive guidance on how to utilize AWS best practices for your architecture so you avoid technical debt later on

We monitor and maintain the multi-account setup & provide ongoing support

• Gain new Landing Zone features once they're released and get free maintenance and security updates
• Get priority support through Slack/Teams whenever you need assistance with infrastructure challenges
• We proactively do quarterly security and cost optimization assessments to verify AWS account compliance and provide advice to reduce your AWS bill

What This Means For Your Business

• 30% Lower TCO: Cut your Total Cost of Ownership (TCO) by up to 30% through right-sized resources and architectural optimization while eliminating the $150K+ annual cost of a specialized AWS hire
• Close Enterprise Deals Faster: Win enterprise clients with SOC2 compliance ready in weeks instead of months - our clients report 50% faster sales cycles with security-conscious customers
• Unleash Your Development Team: Redirect up to 30% of engineering time from infrastructure back to revenue-generating product features with our pre-built, compliant components
• Scale Without Infrastructure Headaches: Grow from startup to enterprise without ever rebuilding your foundation - our architecture scales seamlessly from your first customer to your millionth

We deliver all of this as a simple subscription service. No large upfront costs, no lock-in. You'll essentially get a solid and secure landing zone foundation + a decade of AWS expertise without having to hire a full-time Cloud Engineer.

Features

• ⚡ Quick Setup: Get started with your infrastructure CI/CD in minutes by configuring a couple of repository variables.
• 🌐 Environment Flexibility: Supports multiple environments (e.g., dev, staging, prod) via GitHub Actions workflows.
• 🤖 Automated Validation: Use Checkov and cfn-lint for static analysis of your CloudFormation templates, ensuring compliance and security best practices.
• 🏗️ Modular Structure: Organize your templates into logical components for better manageability and scalability.
• 🔒 Security Best Practices: Incorporate OIDC for deploying cloudformation stacks in a secure manner in your AWS account via a GitHub Actions workflow.
• 📜 Comprehensive Documentation: Detailed README and inline comments to guide you through setup and deployment processes.
• 🚀 CI/CD Integration: Ready-to-use GitHub Actions workflows for automated deployments and validations.

Setup Guide

This project requires Python 3 and pip for managing dependencies.

To get started, follow these steps:

1. Clone this repository:

git clone https://github.com/towardsthecloud/aws-cloudformation-starterkit.git
cd aws-cloudformation-starterkit

1. Install checkov, cfn-lint via pip & rain via homebrew:

brew install rain
pip install -r requirements.txt

3. Run the provision-repo.sh script to generate the parameter and workflow files for your environment and in the repository with your AWS account information and the necessary variables for the OIDC provider.

./scripts/provision-repo.sh

4. Validate your CloudFormation templates with cfn-lint and checkov using the provided script:

./scripts/validate.sh

5. Deploy the oidc-provider CloudFormation stack using the deploy-templates.sh script:

./scripts/deploy-templates.sh

Warning

Make sure that you have the required IAM role or user setup in your aws config file. Use a tool such as Granted to make accessing your AWS account via the CLI easier and more secure.

Now that you have successfully deployed the OIDC provider, you can use the following steps to configure your GitHub repository with the necessary variables, so that the CI/CD workflow can be used to deploy your CloudFormation stacks.

6. Navigate to your repository's settings page on GitHub.
   1. In the left sidebar, click on "Secrets and variables".
   2. Click on "Actions" and then "New repository variable".
   3. add the following variables:

Note: Make sure to modify the values of the variables to match your specific account and region.

You can now use the provided GitHub Actions workflows to deploy your CloudFormation stacks. Simply commit your changes to the main branch of your repository by adding new stacks to the ./templates folder and the workflow will automatically deploy your stacks.

Project Structure

This starter kit is organized to promote best practices in managing CloudFormation templates:

.
├── .cfnlintrc
├── .checkov.yml
├── .github
│  ├── pull-request-template.md
│  └── workflows
      ├── cfn-lint-scan.yml
│     ├── checkov-scan.yml
│     └── cloudformation-deploy-test.yml
├── LICENSE
├── parameters
│  ├── production
│  │  └── oidc-provider.yml
│  └── test
│     └── oidc-provider.yml
├── README.md
├── requirements.txt
├── scripts
│  ├── provision-repo.sh
│  ├── deploy-templates.sh
│  └── validate-templates.sh
└── templates
   └── oidc-provider.yml

Key Components

• parameters/: This directory contains parameter files for different environments, such as production and test. Each subdirectory corresponds to an environment and contains YAML files that define parameters specific to that environment. It's important to ensure that the filename of each parameter file matches the corresponding template name in the templates/ directory. This naming convention allows scripts to correctly associate parameters with their respective templates during deployment.
• .cfnlintrc: This file is the configuration for cfn-lint, a tool used to validate CloudFormation templates against AWS best practices and syntax rules.
• .checkov.yml: This configuration file is used by Checkov, a static analysis tool for infrastructure as code. It defines the rules and policies that Checkov will enforce when scanning your CloudFormation templates.
• .github/workflows/: Contains GitHub Actions workflows for CI/CD.
• • cfn-lint-scan.yml: Automates the validation of CloudFormation templates using cfn-lint to ensure compliance with AWS best practices and syntax rules.
• • checkov-scan.yml: Automates the validation of CloudFormation templates using Checkov to ensure compliance and security.
• • cloudformation-deploy-test.yml: Manages the deployment of CloudFormation stacks for testing purposes.
• scripts/: Contains shell scripts for managing templates.
• • deploy-templates.sh: Automates the deployment of CloudFormation templates using the Rain tool.
• • provision-repo.sh: Generates the parameter and workflow files for your environment and in the repository with your AWS account information and the necessary variables for the OIDC provider.
• • validate-templates.sh: Validates CloudFormation templates using Checkov to ensure they adhere to best practices.
• templates/: Stores CloudFormation templates.
• • oidc-provider.yml: Example template for setting up an OpenID Connect provider in AWS.

CI/CD Integration

This starter kit includes GitHub Actions workflows for automated validation and deployment. Customize the workflows in the .github/workflows/ directory to suit your CI/CD needs.

Checkov Scan: Automatically runs Checkov on your templates to catch security and compliance issues before deployment. CloudFormation Deploy Test: Deploys your CloudFormation stacks in a test environment to ensure everything works as expected.

Start adding CloudFormation templates

To start adding CloudFormation templates, simply add new files to the ./templates directory and commit them to the main branch of your repository to trigger the CI/CD workflow. The workflow will automatically deploy your stacks using the provided parameter files.

Here are a couple of repositories containing CloudFormation templates that you can use as a starting point:

• Official AWS CloudFormation Templates
• Widdix's AWS CloudFormation Templates
• AWS Quick Start Templates

AWS CDK Starterkit

Looking for a more modern approach to managing your AWS infrastructure? Consider using the AWS CDK Starterkit for a tailored experience that leverages the full power of AWS CDK with TypeScript.

AWS CDK offers several advantages over traditional CloudFormation, such as improved developer experience through the use of familiar programming languages, higher abstraction with reusable constructs, and seamless integration with development workflows. These features make AWS CDK a highly recommended choice for more efficient and flexible infrastructure management.

Explore the AWS CDK Starterkit and start building your infrastructure with greater efficiency and flexibility today!

Acknowledgements

Special thanks to the creators of Rain, Checkov, and cfn-lint for their invaluable tools that make infrastructure management easier and more secure.

Author

Danny Steenman