Given this situation:

• Stack A exports X
• Stack B Imports X from stack A
• Stack A and Stack B are in different Metadata Roles

Issuing a retract on Stack A's role will not first attempt to delete Stack B.

We want to be able to test out changes before we submit a PR, but we don't want to have to create a complete set of explicit environments for each infrastructure developer. We need a way to stand up an environment that has all the right things, but doesn't require us editing every template just to add our personal development environment.

The main thing is that as an infrastructure developer, I should be able to deploy my proposed changes to the templates without impacting anyone else, and without anyone else impacting me.

Some options:

1. require personal AWS accounts so a single "developer" environment can be deployed
2. support regex restrictions on environment values rather than just a list of acceptable values

Option (1) may require additional infrastructure in each AWS account, and keeping that additional infrastructure in sync is a separate problem, but tractable if we're using "infrastructure as code" techniques. This option allows "many" infrastructure developers to manage template development while restricting access to anything that is considered close to production. Similar to lower/upper, but with an addition tier below "lower."

Option (2) may require individual CIDRs if VPCs are peered. How would that be managed in a scalable, easy manner?

When running aws-cft commands, I often find myself chaining multiple commands together:

aws-cft -e dev -r foo
aws-cft -e dev -r bar
aws-cft -e dev -r baz

It would be great if we could have multiple roles in a single command:

aws-cft -e dev -r foo -r bar -r baz

In evangelizing this tool, it would be nice to direct users to a README section that explains why this tool would be desired over vanilla CloudFormation or Terraform, etc.

This would be a runbook that would create a diagram, perhaps with something like PlanetUML, illustrating the resources and their relationships.

This could be constrained by environment and/or role.

As someone managing templates for new services, I'd like to generate consistent sets of templates. For example, when standing up a web application with an ASG and an ALB, with RDS, I'd like to create a set of template skeletons with a common theme that cover security groups, RDS, the ASG, and ALB.

Some possible targets:

• web applications (public ALB, ASG, EC2, RDS, security groups)
• micro-service (private shared ALB, ASG, EC2, RDS, security groups)
• bastion (EC2, security groups)
• application-specific, such as drupal, wordpress, or other applications that might use ECR, ECS, and EFS.

There are times where I find myself wanting to update only narrow sets of stacks, and there are other times where I find myself wanting to update broad sets of stacks. If we could have optional arrays for Roles, it would give more options for deployment breadth, and help avoid some specialized stacks getting stale.

Current:

Description: ECS Foo Report Service
Metadata:
  Role: foo-report

Suggested:

Description: ECS Foo Report Service
Metadata:
  Role:
  - ecs
  - foo
  - foo-report

I haven't been able to narrow down what resource type (if any one specific) is causing it, but it uses these resources:

    Type: AWS::EC2::SecurityGroup
    Type: AWS::EC2::SecurityGroupIngress
    Type: AWS::ElasticLoadBalancingV2::Listener
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Type: AWS::Route53::RecordSet

add "gem" to the end.

Given this situation:

• Stack A exports X
• Stack B Imports X from stack A
• Stack A and Stack B are in different Metadata Roles

Retracting the role for Stack A will only attempt to delete Stack A (a different problem), and this will result in a hung aws-cft command. I believe this is because when a stack is attempted to be deleted, but there is an export in use, CloudFormation will not report DELETE_FAILED, but instead will show whatever status the stack had before (UPDATE_COMPLETE or CREATE_COMPLETE).

When i run with -j 3 to allow 3 concurrent jobs, I typically hit an AWS Rate Limiting barrier:

.rvm/gems/ruby-2.4.1/gems/aws-sdk-core-2.9.44/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call': Rate exceeded (Aws::CloudFormation::Errors::Throttling)

I'm curious if it's possible to self-limit or backoff/retry in the case of a Throttling error.

The example set should demonstrate a fairly complete deployment of a web application with accompanying ALB, RDS resource, and a micro-service that is not exposed to the public Internet. The example should also demonstrate the capabilities of aws-cft-tools to manage parameters and template dependencies.

I'm having an issue where I can't retract based on roles. It's currently telling me that a dependency hasn't been marked for removal, but that dependency is definitely in the wordpress role. Any suggestions?

$ aws-cft retract -p newgov -e stge -r wordpress
*** Unable to remove templates.
The following templates are dependencies for templates not marked for removal: 
wordpress/security.yml
$ head cloudformation/templates/wordpress/security.yml 
AWSTemplateFormatVersion: "2010-09-09"
Description: "Security Groups and Ingress Rules for the WordPress stack"
Metadata:
  Role: wordpress
Parameters:
  Environment:
    Type: String
    AllowedValues:
    - stge
    - prod

One issue we have been having lately is when two people are working in the same Environment, there can be conflicts. Usually these conflicts can be avoided by using the "role" feature. The problem arises when a change is made to a base layer stack, such as adding a new Export value. Because the role feature deploys all dependent stacks as well as the role-specific stacks, adding an Export to the VPC (for example), can be exceedingly difficult to time.

One solution to this problem would be to add a feature that takes the role based deployment and only deploys the stacks tagged with that specific role name. Any thoughts?

Symptoms:
with options to delete all stacks of a given environement and role, retract aborts request due to dependencies on templates that are within the set of stacks to delete.
Example:
[app@ip-10-105-2-204 aws-cft]$ aws-cft retract -e poc -r Role1 -c
*** Unable to remove templates.
The following templates are dependencies for templates not marked for removal:
applications/xxx-webapp.yaml
applications/xxx-batchapp.yaml

Results of stacks shows these stacks are within result set of stacks to delete:
[app@ip-10-105-2-204 aws-cft]$ aws-cft stacks -e poc

We want to be able to quickly get most of the work done for adding an environment to the templates. This could be along the lines of making a new environment foo that looks like environment bar. Remaining editing would be to tweak anything that has to be different for different environments.

When using v0.1.0, i'm seeing some odd behavior regarding the current stack it says its updating. For example:

This output seems to imply that "demo-vpc-networks" had a failure. However, looking at "demo-vpc-networks" stack:

The latest update was from last month. After investigating further, I found a rolled back stack elsewhere that had a legitimate failure, but that name never came up...

This wasn't a problem in the pre-release 0.1.0, but something seems to have changed.