Creating resources using Fn::ForEach with CloudFormation
Alex Kearns
Ubertas Consulting (part of Devoteam)
Introduction
It’s been a while since I’ve published a blog post as I’ve been busy experimenting with some new
forms of content creation (i.e. Twitch) and settling into my new job. I’m back now with a look at an
exciting new feature to CloudFormation, the Fn::ForEach intrinsic function.
CloudFormation
For a long time, if you wanted to create multiple resources in CloudFormation you’d need to define them all individually. For example, take a look at the snippet below.
Resources: BucketOne: Type: AWS::S3::Bucket Properties: BucketName: my-bucket-one BucketTwo: Type: AWS::S3::Bucket Properties: BucketName: my-bucket-twoWhilst there are of course advantages to this, the main one being that it’s incredibly explicit what resources are being created, it does introduce repetitiveness and create inertia in the developer experience when lots of similar resources need to be created.
Back in October 2021, the idea of an Fn::Map intrinsic function was proposed
on GitHub here. In May
2022, an official request for comment (RFC) was
published by AWS attracting
lots of thoughts and opinions from various members of the community. It’s great to see AWS taking
input from end users into account when developing new features. The time taken from the feature
being marked as approved and it being released for general availability was around a month. It’s
always interesting to get a little insight to how AWS propose, plan and deliver features.
The new Fn::ForEach intrinsic function was released on 26 July 2023
here.
The way that it’s described is “With Fn::ForEach, you can replicate parts of your templates with
minimal lines of code”. Let’s dive in and take a look at how easy (or not) this really is.
First of all, it’s important to note that this new function requires the AWS::LanguageExtensions
transform to be specified in the CloudFormation template.
In it’s simplest form, defining a mappable resource follows the pattern in the snippet below. Each
loop needs to have a unique name. This is represented by the {UniqueLoopName} part of the example.
Within the loop (represented as a list) there are three items.
- Firstly,
{ValueIdentifier}which is a string that defines the dynamic name that’ll be later used for referencing the iterated over value (e.g.BucketName). - The second item is the list itself that’ll be iterated over.
- Finally, the last item is the resource (or resources) that should be created from the list
defined. The syntax for defining these resources is exactly as per the normal CloudFormation
resource specification with just a couple of differences. Rather than specifying a static logical
resource name, such as
MyBucketOne, you must use the dynamic reference name you specified to ensure all resources are created with unique names. In addition, you then have access to the value of the current item through the use of!Ref {ValueIdentifier}.
AWSTemplateFormatVersion: 2010-09-09Transform: "AWS::LanguageExtensions"Resources: Fn::ForEach::{UniqueLoopName}: - { ValueIdentifier } - [...] - Resource${ValueIdentifier}: Type: AWS::Service::Resource Properties: Property: !Ref { ValueIdentifier }Let’s move on to building a couple of examples in CloudFormation, followed by a look at Terraform as an alternative.
Example one
In this example, we’re creating a couple of S3 buckets. This will create buckets named bucketone
and buckettwo, both at the logical level (within CloudFormation) and the physical level (the
bucket name).
This is the most simplistic example I could think of, but to me it presents a problem. Typically CloudFormation logical names are CamelCase and S3 buckets can only have lowercase characters in their physical names. As a result, we’ve had to compromise on the logical name to meet the hard requirement imposed by the physical name. Annoying, huh? Keep reading to see an alternative way.
AWSTemplateFormatVersion: 2010-09-09Transform: "AWS::LanguageExtensions"Resources: Fn::ForEach::Buckets: - BucketName - - bucketone - buckettwo - ${BucketName}: Type: AWS::S3::Bucket Properties: BucketName: !Ref BucketNameExample two
In this example we’re still building two S3 buckets, however this time we’re making use of
CloudFormation’s ‘Mappings’ functionality in order to retrieve different values. Using the pattern
below we can define values like One and Two to identify our buckets, then link them to physical
resource names of my-bucket-one and my-bucket-two using the Fn::FindInMap intrinsic function.
Pretty nifty.
AWSTemplateFormatVersion: 2010-09-09Transform: 'AWS::LanguageExtensions'Mappings: BucketMap: One: BucketName: my-bucket-one Two: BucketName: my-bucket-twoResources: Fn::ForEach::Buckets: - BucketNumber - - One - Two - Bucket${BucketNumber}: Type: AWS::S3::Bucket Properties: BucketName: Fn::FindInMap: ["BucketMap", !Ref BucketNumber, "BucketName"]Terraform
I’m not going to spend too much time on Terraform mainly because the focus of this article is the new functionality in CloudFormation, we’ll take a look at how it compares however.
At a high level, Terraform offers two features that are contenders to our example usage
Fn::ForEach intrinsic function. These are the for_each and count meta arguments.
for_each
The for_each meta argument is the closest match to CloudFormation’s Fn::ForEach. It takes a map
or strings as input and then creates a resource for each item.
In the example below, we define two bucket names as a set of strings and two buckets as a map. From
looking at the two resources, aws_s3_bucket.buckets_set and aws_s3_bucket.buckets_map we can see
that all that’s required is specifying for_each and each.value to access the iterated over
values. In the case of the map, it’s possible to then access nested properties such as
each.value.name.
locals { bucket_names = set(["my-bucket-one", "my-bucket-two"]) buckets = { three = { name = "my-bucket-three" }, four = { name = "my-bucket-four" } }}
resource "aws_s3_bucket" "buckets_set" { for_each = local.bucket_names
bucket_name = each.value}
resource "aws_s3_bucket" "buckets_map" { for_each = local.buckets
bucket_name = each.value.name}When you define resources in this way, you can access properties via syntax like
aws_s3_bucket.buckets_map["three"].
count
If requirements are as simple as just creating x number of resources, then Terraform’s count
meta argument is the one for you. This allows you to say “I want to create 10 S3 buckets”, and make
use of the count index (zero-indexed) to build up unique names. For an example, see the snippet
below which’ll create S3 buckets names my-bucket-1 through to my-bucket-10.
locals { number_of_buckets = 10}
resource "aws_s3_bucket" "buckets" { count = local.number_of_buckets
bucket_name = "my-bucket-${count.index + 1}"}When you define resources in this way, you can access properties via the syntax
aws_s3_bucket.buckets_map[0].
Summary
So, what’s my overall view on this?
It’s great that CloudFormation now supports the dynamic creation of resources from a list of items. I’m sure that I’m not the only person who’s been waiting for this for a long time. But unfortunately I think that’s about as far as my excitement goes. Whilst functionally it does solve the problem, it just feels a bit messy. I don’t think that’s down to any fault of the AWS service team, nor suggestions made by the community, but rather a limitation of having to implement it into something YAML and JSON compatible.
To me the Terraform implementation is cleaner and easier to read. For this reason, I’d still recommend that over CloudFormation if you’re going to be defining lots of resources dynamically.
That’s all for now. I promise not to take so long until I next publish something, I’ve got a few ideas for services I’d like to explore!
Links
You can find some useful related links below: