AWS CloudFormation and GitLab CI Pipeline

Brett Gillett

Summary of Environment

A multinational recruiting firm required a large hybrid deployment to support their main business functions in North America - including, but not limited to, payroll, finance, and time tracking. AWS CloudFormation is used to manage all environments - including production - across several AWS accounts and AWS regions. We took a ‘microservices approach’ to the creation of the templates used to deploy and maintain the environment: virtually all aspects of the AWS deployment are managed via small CloudFormation templates that are easy to operate and maintain.

Multi Account CloudFormation deployment

Deployment Strategy

To simplify deployment, we developed a Continuous Integration/Continuous Deployment (CI/CD) solution based on GitLab. To reduce management overhead, the GitLab infrastructure resides in Curious Orbit’s AWS account and uses IAM roles to deploy CloudFormation templates into our customers' accounts. To provide separation of duty and meet change management requirements, all CloudFormation deployments are managed via Change Sets. Before deployment, each commit is validated using the CloudFormation validate command. Once verified, we generate Change Sets, which are reviewed by the customer and either accepted or rejected. The customer is responsible for executing each change in their own environments.

In addition to Change Sets, we deploy Stack Policies and set Stack termination protection to help protect resources which are being maintained via AWS CloudFormation.

Here’s an overview of how an automated deployment works:

  1. A git commit is made to the centralized GitLab repository.
  2. A GitLab CI script is started. The script performs the following functions:
     • It validates the template using the CloudFormation validate CLI command.
     • If validation is successful, it creates a CloudFormation Change Set in the appropriate AWS account.
  3. We notify the customer that a change set is ready for review.
  4. The customer reviews the proposed changes and either proceeds with the deployment or asks for additional updates.
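As an added example (not Curious Orbit's own pipeline), a .gitlab-ci.yml that implements the two automated steps above: validate, then assume a role in the customer account and create, but never execute, a Change Set. The template path, stack name, CUSTOMER_ROLE_ARN variable and stack-policy file are assumptions; the runner account's own AWS credentials are assumed to be set as protected CI/CD variables.

```yaml
# Added example, not the original pipeline. Assumes infra/network.yaml,
# a stack named "network", and CUSTOMER_ROLE_ARN / AWS_DEFAULT_REGION as
# protected GitLab CI/CD variables pointing at the customer-account role.
stages:
  - validate
  - changeset

image:
  name: amazon/aws-cli
  entrypoint: [""]   # the image's default entrypoint is `aws`, which breaks CI scripts

variables:
  TEMPLATE: infra/network.yaml
  STACK_NAME: network

# Step 2a: syntax check with the runner's (Curious Orbit account) credentials.
validate-template:
  stage: validate
  script:
    - aws cloudformation validate-template --template-body file://$TEMPLATE

# Step 2b: assume the customer-account role and create the Change Set.
# Execution is left to the customer, preserving separation of duty.
create-change-set:
  stage: changeset
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  before_script:
    - >
      CREDS=$(aws sts assume-role --role-arn "$CUSTOMER_ROLE_ARN"
      --role-session-name "gitlab-$CI_PIPELINE_ID"
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text)
    - export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | cut -f1)
    - export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | cut -f2)
    - export AWS_SESSION_TOKEN=$(echo "$CREDS" | cut -f3)
  script:
    # Name embeds the commit SHA so reviewers can trace the change set to its commit.
    # UPDATE assumes the stack already exists; use CREATE for a brand-new stack.
    - >
      aws cloudformation create-change-set --stack-name "$STACK_NAME"
      --change-set-name "gitlab-$CI_COMMIT_SHORT_SHA"
      --change-set-type UPDATE
      --template-body file://$TEMPLATE
      --capabilities CAPABILITY_NAMED_IAM
    # Protections mentioned above: termination protection and a stack policy
    # (infra/stack-policy.json is an assumed file committed alongside the template).
    - aws cloudformation update-termination-protection --enable-termination-protection --stack-name "$STACK_NAME"
    - aws cloudformation set-stack-policy --stack-name "$STACK_NAME" --stack-policy-body file://infra/stack-policy.json
```

The customer-account role should trust only the Curious Orbit account and grant CloudFormation permissions without cloudformation:ExecuteChangeSet, so the pipeline can propose changes but cannot apply them.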

Workload Management

Virtually all workloads are deployed and supported by CloudFormation using the deployment strategy described above. By using ‘Infrastructure as Code’, the customer can maintain their strict security requirements and leverage the source-controlled templates as part of their audit process - both internal and external.
