Our template only includes a web server and a security group that makes updating CloudFormation a fairly harmless operation. Furthermore, our change was fairly trivial as AWS could simply update the existing security group as opposed to having to replace it. As you can imagine, as the architecture becomes more and more complex so does the CloudFormation template. Depending on the update you want to perform, you might encounter unexpected changes when you review the change set in the final step of updating a template.

AWS offers an alternate and safer way to update templates. The feature is called Change Sets and is accessible from the CloudFormation console:

1. Open the CloudFormation web console in your browser (https://console.aws.amazon.com/cloudformation).
2. Select the HelloWorld stack that we previously created.
3. Click on Action and then Create Change Set.

From there you can follow the same steps you took to create a simple update. The main difference happens on the last screen:

Unlike the regular stack updates, Change Sets have a strong emphasis on giving you the ability to review a change before applying it. If you are satisfied with the changes displayed, you have the ability to execute the update.

Lastly, when using a Change Set to update your stack, you can easily audit recent changes using the Change Set tab of your stack in the CloudFormation console.

Finally, we will commit the changes to the troposphere script with the following command:

$ git commit -am "Only allow ssh from our local IP"
$ git push