2

Is it a good practice for CloudFormation deployment to be done via CI/CD? I am currently considering the safety & performance aspects.


If someone accidentally removed a DB, for example, CloudFormation will just remove it ... There could be code reviews to prevent this ... but I'm just wondering if it's a good practice.

With a serverless application there may be no choice? Otherwise it's too manual to deploy everything.

Another observation is performance: CloudFormation is rarely changed, but it will need to run anyway if it's part of the CI/CD process. Is there any way to speed this up?

iraSenthil · 11,307 · 6 · 39 · 49
Jiew Meng · 84,767 · 185 · 495 · 805

2 Answers

4

Definitely.

You cannot achieve CI/CD in the true sense until you do that. Consider a scenario where for a particular release you added a messaging queue (AWS SQS). Now, if you haven't integrated your CloudFormation with your CI/CD, then your code that reads/writes to/from SQS goes into your environment but will fail to do either operation for the simple fact that SQS does not exist, because your CloudFormation change that would have created the SQS did not execute. So eventually you end up having a half-baked environment.

To avoid this pitfall it is highly recommended that you execute your CloudFormation as part of your CI/CD.

Regarding your concern 'If someone accidentally removed a DB for example, CloudFormation will just remove it': this can happen even with the actual code. For example, the developer had put in some test code to clean up the database but forgot to remove it, and that code gets executed in the production environment. But ideally this would not happen because of the guard rails of manual testing, automated testing and JUnits. So in a similar context, treat CloudFormation as any other code (in fact CloudFormation is best described as Infrastructure as Code), which should be tested thoroughly. For details on unit testing CloudFormation, see Is there a way to unit test AWS Cloudformation template

Arafat Nalkhande · 11,078 · 9 · 39 · 63
1

Yes, absolutely. If you treat Infrastructure as Software (IaS), then you should be able to implement modern CI/CD software practices like syntax checking, unit testing, functional testing, verification, automated testing and deployment, etc. on your CloudFormation templates as well.

AWS provides a best practices solution here:

https://aws.amazon.com/answers/devops/aws-cloudformation-validation-pipeline/

The solution provides this introduction:

> "Many Amazon Web Services (AWS) customers use AWS CloudFormation to manage their infrastructure as code and to help deploy AWS resources in a controlled and predictable way. DevOps teams are commonly tasked with validating AWS CloudFormation templates before launch to ensure they follow industry best practices and satisfy company-specific business and governance requirements. These teams often leverage AWS Developer Tools, which is a set of services designed to help DevOps professionals follow continuous integration and continuous delivery (CI/CD) practices and create their own pipelines to automatically build, validate, and deploy code."

Rodrigo Murillo · 13,080 · 2 · 29 · 50
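As an added example (not code from the question, the answers or the AWS solution linked above), here is the kind of template check a validation pipeline stage can run before `deploy`, addressing the accidental-DB-deletion worry from the question: it fails the build when a stateful resource lacks a data-preserving `DeletionPolicy`/`UpdateReplacePolicy`. The resource-type list, the policy mapping and the sample JSON template are my own assumptions, not an AWS-provided list.

```python
import json
import sys

# Stateful resource types whose accidental deletion would lose data, mapped to the
# DeletionPolicy/UpdateReplacePolicy values that preserve it (Snapshot is valid
# only for resources that support it, such as RDS). Assumed list, extend as needed.
SAFE_POLICIES = {
    "AWS::RDS::DBInstance": {"Retain", "Snapshot"},
    "AWS::RDS::DBCluster": {"Retain", "Snapshot"},
    "AWS::DynamoDB::Table": {"Retain"},
    "AWS::S3::Bucket": {"Retain"},
}

def check_template(template: dict) -> list:
    """Return one finding per stateful resource lacking a data-preserving policy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        allowed = SAFE_POLICIES.get(res.get("Type"))
        if allowed is None:  # stateless resource: a rebuild loses nothing
            continue
        for key in ("DeletionPolicy", "UpdateReplacePolicy"):
            value = res.get(key, "Delete")  # CloudFormation's default is Delete
            if value not in allowed:
                findings.append(f"{name} ({res['Type']}): {key}={value}, "
                                f"expected one of {sorted(allowed)}")
    return findings

def lint_template_text(text: str) -> int:
    """CI entry point: print findings, return non-zero so the pipeline stage fails."""
    findings = check_template(json.loads(text))
    for line in findings:
        print("FAIL:", line)
    return 1 if findings else 0

# Constructed sample template: RDS protected, DynamoDB not, Lambda stateless and ignored.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "OrdersDb": {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot",
                     "UpdateReplacePolicy": "Snapshot",
                     "Properties": {"Engine": "postgres", "AllocatedStorage": "20"}},
        "SessionsTable": {"Type": "AWS::DynamoDB::Table",
                          "Properties": {"BillingMode": "PAY_PER_REQUEST"}},
        "Worker": {"Type": "AWS::Lambda::Function",
                   "Properties": {"Runtime": "python3.12", "Handler": "app.handler"}},
    },
})

if __name__ == "__main__":  # pipeline step: python check_stateful.py template.json
    with open(sys.argv[1]) as f:
        sys.exit(lint_template_text(f.read()))
```

Running it against the sample reports two findings for `SessionsTable` (both policies default to `Delete`) and exits 1; a stack policy on the deployed stack is the complementary guard at update time.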