When to Split a CloudFormation Stack

One of the common challenges facing an AWS user is deciding when to split resources into separate CloudFormation stacks. In my personal environment, I recently deployed a stack which created a Route53 hosted zone, an S3 bucket, a certificate, and a CloudFront distribution: in short, everything necessary for hosting a static website in an AWS serverless design.

The problem is that halfway through the stack deployment it is necessary to create the certificate validation records in DNS, and if for some reason the stack deployment fails, CloudFormation will not be able to roll back all the resources: the manually created validation record will prevent the Route53 zone from being deleted.

This is just one example of the challenge. In this case, creating the zone, and possibly the certificate, separately is logical. That way, the logic controlling the order of deployment moves out of CloudFormation and into another tool.

I think the answer here is that certain resources, such as Route53 zones, S3 buckets, and VPCs, should be created in advance. The balancing act between organization-wide architecture and project architecture is the real difficulty, and it is one that impacts every project.
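To make the split concrete, here is an added example of the two-stack layout described above; it is illustrative code written for this post, not the author's original template. The first template holds the long-lived zone and certificate and exports their identifiers; the second holds the disposable bucket and distribution and imports those identifiers with `Fn::ImportValue`, so the site stack can fail, be deleted, and be recreated without ever touching the zone. Passing `HostedZoneId` in `DomainValidationOptions` lets CloudFormation write the ACM validation CNAME itself, which removes the manual mid-deployment step that caused the rollback problem. The stack name `site-foundation` and the domain value are assumptions supplied at deploy time; both stacks must be deployed in `us-east-1`, because CloudFront only accepts certificates from that region and `Fn::ImportValue` does not cross regions.

```yaml
# --- foundation.yaml: long-lived resources, deployed first and rarely touched
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DomainName:
    Type: String   # e.g. example.com (placeholder, supplied at deploy time)
Resources:
  HostedZone:
    Type: AWS::Route53::HostedZone
    DeletionPolicy: Retain   # the zone outlives any stack that references it
    Properties:
      Name: !Ref DomainName
  # Giving ACM the HostedZoneId lets CloudFormation write the validation CNAME
  # itself, so the deployment no longer pauses for a manual DNS step.
  SiteCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZone
Outputs:
  HostedZoneId:
    Value: !Ref HostedZone
    Export: { Name: !Sub "${AWS::StackName}-HostedZoneId" }
  CertificateArn:
    Value: !Ref SiteCertificate
    Export: { Name: !Sub "${AWS::StackName}-CertificateArn" }

# --- site.yaml: disposable resources; delete and recreate freely
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DomainName:
    Type: String
  FoundationStackName:
    Type: String
    Default: site-foundation   # assumed name given to the first stack
Resources:
  SiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:   # only CloudFront may read the bucket
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub "${AWS::StackName}-oac"
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases: [!Ref DomainName]
        DefaultRootObject: index.html
        Origins:
          - Id: s3origin
            DomainName: !GetAtt SiteBucket.RegionalDomainName
            OriginAccessControlId: !GetAtt OriginAccessControl.Id
            S3OriginConfig: { OriginAccessIdentity: "" }
        DefaultCacheBehavior:
          TargetOriginId: s3origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues: { QueryString: false }
        ViewerCertificate:
          AcmCertificateArn:
            Fn::ImportValue: !Sub "${FoundationStackName}-CertificateArn"
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
  SiteBucketPolicy:   # grant GetObject to this distribution only
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SiteBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal: { Service: cloudfront.amazonaws.com }
            Action: s3:GetObject
            Resource: !Sub "${SiteBucket.Arn}/*"
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}"
  AliasRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId:
        Fn::ImportValue: !Sub "${FoundationStackName}-HostedZoneId"
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt Distribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2   # fixed hosted zone id for all CloudFront distributions
```

Deploy `foundation.yaml` once as `site-foundation`, then deploy `site.yaml` as often as needed. CloudFormation will refuse to delete the foundation stack while the site stack still imports its exports, which is the dependency ordering the post describes, enforced by the platform rather than by hand.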

Regardless of how one balances these challenges, splitting stacks at the points where manual intervention is necessary is generally a good design strategy.