AWS CloudFormation Example


This document will show you how to enable the CloudFormation stage. This document also assumes that you have configured an AWS account. If you need more instructions on configuring your AWS account please refer to either Deploying to AWS from Spinnaker (using IAM instance roles) or Deploying to AWS from Spinnaker (using IAM credentials)



Enable Cloudformation in Spinnaker

First, we need to enable CloudDriver by adding a clouddriver-local.yml file to your hal config profiles directory e.g. .hal/default/profiles/clouddriver-local.yml.

      enabled: true



Make sure to enable the aws provider, (if you don’t have the provider enable please refer to the background section to find the links).

Also you need to have setted up at least one region. To add a region you can use this instruction:

export AWS_ACCOUNT_NAME=aws-1
hal config provider aws account edit ${AWS_ACCOUNT_NAME} \
    --regions us-east-1,us-west-2

This is an example how should looks your hal config.

  enabled: true
  - name: aws-1
    requiredGroupMembership: []
    providerVersion: V1
    permissions: {}
    accountId: '123456789123'
    - name: us-east-1
    - name: us-west-2
    assumeRole: role/SpinnakerManagedRole
  primaryAccount: aws-1
    templateFile: aws-ebs-shared.json
    baseImages: []
    awsAssociatePublicIpAddress: true
    defaultVirtualizationType: hvm
  defaultKeyPairTemplate: '-keypair'
  - name: us-west-2
    iamRole: BaseIAMRole

You can check your configuration by running hal deploy apply.


CloudFormation permissions in Policy

Another thing to check is in the AWS Console the cloudformation:* permission in the “Action” section inside your Policy, like in the following example.

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::123456789123:role/SpinnakerManagedRole"
            "Effect": "Allow",
            "Action": [
            "Resource": "*"

for more details please refer to Creating a Managing Account IAM Policy in your primary AWS Account Part 3.

Creating your Pipeline

After you’ve deployed your changes, you should now be able to see the new stages when configuring your pipeline. Simply select the stage, and provide the values: example below:

Note: The “Stack name” is a unique value so if you run a second time you will need to change it.

In this example we are going to deploy a simple s3 bucket with the follow template, (Copy and paste in the Text Source section)

  "AWSTemplateFormatVersion": "2010-09-09",
  "Outputs": {
    "BucketName": {
      "Description": "S3 Bucket",
      "Value": {
        "Ref": "S3Bucket"
  "Resources": {
    "S3Bucket": {
      "Properties": {
        "BucketName": "cf-example-s3"
      "Type": "AWS::S3::Bucket"

Note: You can test changing the Cloud Formation JSON Template “Resources” > “S3Bucket” > “Properties” > “BucketName” property “cf-example-s3” by another unique name.

Run the pipeline

Now you can run the pipeline and this will be conclude SUCCEEDED

At the meanwhile you can see the execution details if you go to your AWS CloudFormation console

Note: You can execute the pipeline by generating an embedded-artifact. Deploy (CloudFormation Stack) > Source: Artifact > Expected Artifact: Artifact from execution context > Account: Embedded-artifact > Contents: “Input the CloudFormation JSON/YAML Template”.


In this particular example we created an S3 bucket so in order to validate you need to go to your aws console and check in the S3 bucket section.



The latest tutorials sent straight to your inbox.