Production workflow with CloudFormation

Is there a way to preview CloudFormation templates before deploying, or to upload them manually?

This is specifically for production workflows. Essentially, I’d like to:

  1. Review the CloudFormation configuration changes before deploying, potentially via CloudFormation Change Sets.
  2. Restrict access to production deploys, for example to only a specific web user with 2FA enforced.

I see that currently (1.0.0-beta2) there is an option, serverless deploy --noDeploy. This creates a template file in .serverless/cf-template-update-*.json. However, this only seems to contain the custom resources from the serverless.yml file, and not the functions. The S3 zip upload would also likely have to happen via the CLI before being able to deploy the CloudFormation changes.

Is something like this possible with serverless, or is there another recommended workflow for production?

I like your request to work with CFN Change Sets (and I don’t think it’s possible yet). I’ll have a look to see how much work that will be, as it sounds useful.

Restricting deployment access to a specific user is not going to be something (I think) that the Serverless framework will be able to do for you - it’s more of an AWS setting. As mentioned in the setup docs, the framework currently works best with Administrator-level policy access to your AWS account, so restricting it is not really possible until all the IAM requirements are nailed down.

In the future (when all requirements are sorted) it will be possible to set up a restricted role to run deployments with, and require that users using that role have 2FA enabled, but not yet.

I’m happy to configure all of that manually in AWS. My main question is: Can I generate the CloudFormation JSON with serverless to upload manually, instead of deploying directly with serverless?

Yup, serverless deploy --noDeploy. At the moment the stack needs to be created, but if you just want to update things, running the command will put the compiled CF templates into a .serverless folder in your current directory.

At the moment the generated JSON file doesn’t seem to include anything defined under functions/events - only custom resources defined in the resources: section of serverless.yml. Is that correct?

serverless deploy --noDeploy should include everything. 2 files should be created, one stack file that shows the stack that will be used for creation of the whole CF stack and one to update. The update one has all resources in it. If it was never deployed before it might fail, otherwise it should work fine.

Ok, seems like that’s a bug in 1.0.0-beta2 that has been fixed since: https://github.com/serverless/serverless/pull/1881

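An added example (not from the thread or the Serverless project): an offline pre-review that diffs the currently deployed template against a file such as .serverless/cf-template-update-*.json from serverless deploy --noDeploy, before it is uploaded manually or turned into a Change Set. The two templates are constructed samples, and the function name, logical IDs and list of sensitive resource types are assumptions.

```python
import json

# Assumption: resource types a reviewer wants called out; extend as needed.
SENSITIVE_PREFIXES = ("AWS::IAM::", "AWS::Lambda::Permission", "AWS::S3::BucketPolicy")

def diff_templates(deployed, candidate):
    """Compare the Resources sections of two CloudFormation templates (dicts)."""
    old = deployed.get("Resources", {})
    new = candidate.get("Resources", {})
    changes = []
    for logical_id in sorted(set(old) | set(new)):
        before, after = old.get(logical_id), new.get(logical_id)
        if before == after:
            continue  # resource definition is identical, nothing to review
        action = "Add" if before is None else "Remove" if after is None else "Modify"
        # Collect the type on both sides so a type change is also visible.
        types = {r.get("Type", "?") for r in (before, after) if r is not None}
        changes.append({
            "id": logical_id,
            "action": action,
            "types": sorted(types),
            "sensitive": any(t.startswith(SENSITIVE_PREFIXES) for t in types),
        })
    return changes

# Constructed sample input: the template that is deployed now ...
DEPLOYED = json.loads("""{"Resources": {
  "HelloLambdaFunction": {"Type": "AWS::Lambda::Function", "Properties": {"Timeout": 6}},
  "IamRoleLambda": {"Type": "AWS::IAM::Role", "Properties": {"Path": "/"}},
  "OldBucket": {"Type": "AWS::S3::Bucket"}
}}""")
# ... and a constructed stand-in for the generated update template.
CANDIDATE = json.loads("""{"Resources": {
  "HelloLambdaFunction": {"Type": "AWS::Lambda::Function", "Properties": {"Timeout": 30}},
  "IamRoleLambda": {"Type": "AWS::IAM::Role", "Properties": {"Path": "/"}},
  "IamPolicyLambda": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "sample"}}
}}""")

if __name__ == "__main__":
    for c in diff_templates(DEPLOYED, CANDIDATE):
        marker = "!!" if c["sensitive"] else "  "
        print(marker, c["action"], c["id"], ",".join(c["types"]))
```

This only compares the template text; a CloudFormation Change Set additionally reports whether a modification replaces the resource.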

Hi All,
Regarding the CloudFront template, I don’t have enough permissions to create CF in AWS due to company policy restrictions. But I have an existing CF template (created by an admin). Is it possible to associate this existing one with the serverless service via configuration?

Thanks.

@dtabolich it’s currently not possible to set a fully custom CF stack name, so you will have to get permission to create the CF stack or have an Admin create the CF stack for you.

@flomotlik, thanks for the comments.
Actually, I’ve managed this by creating the stack in advance based on the naming convention you use, and it seems that it is working now!
There are some incompatible changes from an AWS resources perspective, like API Gateway stages, but hopefully I’ll be able to solve them behind CF.

Thank you!