I’m fairly new with Serverless but already running into an architectural issue with the framework.
Our multi-account AWS organization setup is as follows:
- AWS account called “shared services” that we use to store deployment artifacts and which is pointed to by environment accounts.
- Environment AWS accounts “production” and “development” that include for instance API gateway resources and lambdas that are invoked through the API gateway.
We would like to point the lambda version in “production” to the exact same deployment artifact (.zip file) as what “development” is pointing to. The deployment artifact itself would be stored in an S3 bucket in the “shared services” account, and the lambda execution role of both “production” and “development” would have read access to that bucket in order for them to use the deployment artifact. The rationale for this is that we would like to be 100% sure that whatever code was run in “development” would be run in “production”. It would thus not be okay to rebuild and package the same code to separate S3 buckets in the “production” and “development” accounts.
My question is, would this scheme be possible with Serverless, and if yes, what would be an idiomatic way to achieve this? I see that the name parameter of the deploymentBucket entity in provider of serverless.yml allows specifying an existing S3 bucket. With this we could instruct Serverless to operate on an S3 bucket that would be stored in the “shared services” account, and we could create that S3 bucket out of band.
Also it seems that the artifact parameter of the package entity in serverless.yml can be used to point a Serverless deployment to an existing artifact that is already stored in S3.
Is it also possible to only package and upload an artifact to S3 using a Serverless CLI command? The documentation of the package command leaves some questions open. If package allows for just building and uploading an artifact to a predefined S3 bucket, then this could be done as a separate step, whereas the deployment could be done separately for “development” and “production” so that they would point to a version in the shared S3 bucket that was previously uploaded by the package command.
Any opinions or best practices here?
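The setup the post describes, as an added example that is not part of the original post and not the Serverless project's own sample: one serverless.yml used for both environment accounts, with deploymentBucket.name pointing at a bucket owned by the shared-services account and package.artifact pointing at the single object both stages deploy. The service name, bucket name, region, runtime and the releases/<build-id>.zip key layout are assumptions for illustration; so is the claim that package.artifact accepts an S3 URL instead of a local path, which the post itself is unsure about and which should be checked against the Serverless version in use.

```yaml
# Added example (not from the original post). Deploys the environment accounts
# from an artifact that lives in a bucket owned by the "shared services" account.
# Bucket name, key layout and the BUILD_ID convention are assumptions.
service: orders-api

provider:
  name: aws
  runtime: nodejs18.x
  # One file serves both accounts; the stage is chosen on the command line:
  #   BUILD_ID=2024.01.01-1 serverless deploy --stage development
  #   BUILD_ID=2024.01.01-1 serverless deploy --stage production
  stage: ${opt:stage, 'development'}
  region: eu-west-1
  # Pre-existing bucket in the shared-services account, created out of band.
  # Serverless uploads its CloudFormation template here instead of creating a
  # per-account deployment bucket.
  deploymentBucket:
    name: shared-services-deploy-artifacts   # assumed bucket name
    serverSideEncryption: AES256

package:
  # Assumption: Serverless passes an S3 URL through as the function's code
  # location rather than zipping the local tree. Both stages reference the
  # identical object because BUILD_ID, not the stage, selects the key.
  artifact: s3://shared-services-deploy-artifacts/releases/${env:BUILD_ID}.zip

functions:
  createOrder:
    handler: handler.createOrder
    events:
      - http:
          path: orders
          method: post
```

What makes this hold the "same bytes in both accounts" guarantee is the bucket policy on the shared-services side rather than anything in serverless.yml: grant s3:GetObject (and s3:ListBucket, which Serverless needs to inspect the bucket) on the releases/ prefix to the deployment roles of the development and production accounts only, and grant s3:PutObject only to the principal that runs the packaging step. With the environment accounts read-only, production cannot end up with a zip that was not first uploaded by the build pipeline, and enabling versioning on the bucket keeps a record of which object each deployment pulled.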