DependsOn attribute
With the DependsOn attribute you can specify that the creation of a specific
resource follows another. When you add a DependsOn attribute to a resource,
that resource is created only after the creation of the resource specified in the
DependsOn attribute.
Important
Dependent stacks also have implicit dependencies in the form of target properties
!Ref, !GetAtt, and !Sub. For example, if the properties of
resource A use a !Ref to resource B, the following rules apply:
-
Resource B is created before resource A.
-
Resource A is deleted before resource B.
-
Resource B is updated before resource A.
You can use the DependsOn attribute with any resource. Here are some typical
uses:
-
Determine when a wait condition goes into effect. For more information, see Create wait conditions in a CloudFormation template.
-
Declare dependencies for resources that must be created or deleted in a specific order. For example, you must explicitly declare dependencies on gateway attachments for some resources in a VPC. For more information, see When a DependsOn attribute is required.
-
Override default parallelism when creating, updating, or deleting resources. AWS CloudFormation creates, updates, and deletes resources in parallel to the extent possible. It automatically determines which resources in a template can be parallelized and which have dependencies that require other operations to finish first. You can use
DependsOnto explicitly specify dependencies, which overrides the default parallelism and directs CloudFormation to operate on those resources in a specified order.
Note
During a stack update, resources that depend on updated resources are updated automatically. CloudFormation makes no changes to the automatically updated resources, but, if a stack policy is associated with these resources, your account must have the permissions to update them.
Syntax
The DependsOn attribute can take a single string or list of
strings.
"DependsOn" : [String, ...]
Example
The following template contains an AWS::EC2::Instance resource with a DependsOn attribute that
specifies myDB, an AWS::RDS::DBInstance. When CloudFormation creates this stack, it first creates
myDB, then creates Ec2Instance.
JSON
{ "AWSTemplateFormatVersion" : "2010-09-09", "Mappings" : { "RegionMap" : { "us-east-1" : { "AMI" : "ami-0ff8a91507f77f867" }, "us-west-1" : { "AMI" : "ami-0bdb828fd58c52235" }, "eu-west-1" : { "AMI" : "ami-047bb4163c506cd98" }, "ap-northeast-1" : { "AMI" : "ami-06cd52961ce9f0d85" }, "ap-southeast-1" : { "AMI" : "ami-08569b978cc4dfa10" } } }, "Resources" : { "Ec2Instance" : { "Type" : "AWS::EC2::Instance", "Properties" : { "ImageId": { "Fn::FindInMap": [ "RegionMap", { "Ref": "AWS::Region" }, "AMI" ] } }, "DependsOn" : "myDB" }, "myDB" : { "Type" : "AWS::RDS::DBInstance", "Properties" : { "AllocatedStorage" : "5", "DBInstanceClass" : "db.t2.small", "Engine" : "MySQL", "EngineVersion" : "5.5", "MasterUsername" : "MyName", "MasterUserPassword" : "MyPassword" } } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Mappings: RegionMap: us-east-1: AMI: ami-0ff8a91507f77f867 us-west-1: AMI: ami-0bdb828fd58c52235 eu-west-1: AMI: ami-047bb4163c506cd98 ap-northeast-1: AMI: ami-06cd52961ce9f0d85 ap-southeast-1: AMI: ami-08569b978cc4dfa10 Resources: Ec2Instance: Type: AWS::EC2::Instance Properties: ImageId: Fn::FindInMap: - RegionMap - Ref: AWS::Region - AMI DependsOn: myDB myDB: Type: AWS::RDS::DBInstance Properties: AllocatedStorage: '5' DBInstanceClass: db.t2.small Engine: MySQL EngineVersion: '5.5' MasterUsername: MyName MasterUserPassword: MyPassword
When a DependsOn attribute is
required
VPC-gateway attachment
Some resources in a VPC require a gateway (either an Internet or VPN gateway). If your
CloudFormation template defines a VPC, a gateway, and a gateway attachment, any resources
that require the gateway are dependent on the gateway attachment. For example, an Amazon EC2
instance with a public IP address is dependent on the VPC-gateway attachment if the
VPC and InternetGateway resources are also declared in the
same template.
Currently, the following resources depend on a VPC-gateway attachment when they have an associated public IP address and are in a VPC.
-
Auto Scaling groups
-
Amazon EC2 instances
-
Elastic Load Balancing load balancers
-
Elastic IP addresses
-
Amazon RDS database instances
-
Amazon VPC routes that include the Internet gateway
A VPN gateway route propagation depends on a VPC-gateway attachment when you have a VPN gateway.
The following snippet shows a sample gateway attachment and an Amazon EC2 instance that depends on a gateway attachment:
JSON
"GatewayToInternet" : { "Type" : "AWS::EC2::VPCGatewayAttachment", "Properties" : { "VpcId" : { "Ref" : "VPC" }, "InternetGatewayId" : { "Ref" : "InternetGateway" } } }, "EC2Host" : { "Type" : "AWS::EC2::Instance", "DependsOn" : "GatewayToInternet", "Properties" : { "InstanceType" : { "Ref" : "EC2InstanceType" }, "KeyName" : { "Ref" : "KeyName" }, "ImageId": { "Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, { "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "EC2InstanceType" }, "Arch" ] } ] }, "NetworkInterfaces" : [ { "GroupSet" : [ { "Ref" : "EC2SecurityGroup" } ], "AssociatePublicIpAddress" : "true", "DeviceIndex" : "0", "DeleteOnTermination" : "true", "SubnetId" : { "Ref" : "PublicSubnet" } } ] } }
YAML
GatewayToInternet: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: Ref: VPC InternetGatewayId: Ref: InternetGateway EC2Host: Type: AWS::EC2::Instance DependsOn: GatewayToInternet Properties: InstanceType: Ref: EC2InstanceType KeyName: Ref: KeyName ImageId: Fn::FindInMap: - AWSRegionArch2AMI - Ref: AWS::Region - Fn::FindInMap: - AWSInstanceType2Arch - Ref: EC2InstanceType - Arch NetworkInterfaces: - GroupSet: - Ref: EC2SecurityGroup AssociatePublicIpAddress: 'true' DeviceIndex: '0' DeleteOnTermination: 'true' SubnetId: Ref: PublicSubnet
Amazon ECS service and Auto Scaling group
When you use Auto Scaling or Amazon Elastic Compute Cloud (Amazon EC2) to create container instances for an Amazon ECS cluster, the Amazon ECS service resource must have a dependency on the Auto Scaling group or Amazon EC2 instances, as shown in the following snippet. That way the container instances are available and associated with the Amazon ECS cluster before CloudFormation creates the Amazon ECS service.
JSON
"service": { "Type": "AWS::ECS::Service", "DependsOn": [ "ECSAutoScalingGroup" ], "Properties" : { "Cluster": { "Ref": "ECSCluster" }, "DesiredCount": "1", "LoadBalancers": [ { "ContainerName": "simple-app", "ContainerPort": "80", "LoadBalancerName" : { "Ref" : "EcsElasticLoadBalancer" } } ], "Role" : { "Ref":"ECSServiceRole" }, "TaskDefinition" : { "Ref":"taskdefinition" } } }
YAML
service: Type: AWS::ECS::Service DependsOn: - ECSAutoScalingGroup Properties: Cluster: Ref: ECSCluster DesiredCount: 1 LoadBalancers: - ContainerName: simple-app ContainerPort: 80 LoadBalancerName: Ref: EcsElasticLoadBalancer Role: Ref: ECSServiceRole TaskDefinition: Ref: taskdefinition
IAM role policy
Resources that make additional calls to AWS require a service role, which
permits a service to make calls to AWS on your behalf. For example, the
AWS::CodeDeploy::DeploymentGroup resource requires a service role
so that CodeDeploy has permissions to deploy applications to your instances. When you
have a single template that defines a service role, the role's policy (by using the
AWS::IAM::Policy or AWS::IAM::ManagedPolicy resource),
and a resource that uses the role, add a dependency so that the resource depends on
the role's policy. This dependency ensures that the policy is available throughout
the resource's lifecycle.
For example, imagine that you have a template with a deployment group resource, a service role, and the role's policy. When you create a stack, CloudFormation won't create the deployment group until it creates the role's policy. Without the dependency, CloudFormation can create the deployment group resource before it creates the role's policy. If that happens, the deployment group will fail to create because of insufficient permissions.
If the role has an embedded policy, don't specify a dependency. CloudFormation creates the role and its policy at the same time.
