AWS Cloud Operations & Migrations Blog

AWS CloudFormation: Signed, sealed, and deployed

State Street Corporation is a global bank that is responsible for managing over 10% of the world’s wealth.  It also focuses on engineering better outcomes for its investors and customers, striving to bring innovative solutions to market and enhance customer value.

To manage complexity and provide a stable, agile platform, State Street uses Infrastructure as Code (IaC) to interact with AWS services and manage cloud resources.


Why State Street chose AWS CloudFormation
State Street considered tools such as Terraform, Puppet, and Chef to help enable Infrastructure as Code for its environments.  AWS CloudFormation was selected as a preferred platform, due to key differentiators:

  1. Integrated resource management for AWS services:
    1. A singular model for resource lifecycle management across the various services.
    2. An advantage over AWS Serverless Application Model (SAM) and AWS CDK (at this time), as these are more specific to a given service.
    3. Users manage resources via the console, programmatically, and various CI/CD tools.  CloudFormation provides oversight of concurrency and state management for more effective management.
  2. Bimodal application deployment:
    1. Deployment for applications within an AWS account (and potentially a Region).
    2. Deployment of complex applications across multiple AWS accounts and multiple Regions (through the use of AWS CloudFormation StackSets).
    3. A programmatic interface for configuration drift detection, which can be used to trigger compensating actions, alerts or other actions.
  3. A more robust security management model:
    1. Service roles ensure that deployment processes do not have overly permissive privileges.
    2. Nested stacks reuse components that enforce security standards.
    3. A substack that manages application IAM roles and is deployed together with the resources that use them (to minimize configuration and permission drift across releases).
    4. Integration with AWS CloudTrail allows for continuous monitoring using other services like Amazon GuardDuty, anomaly detection via AWS CloudTrail Insights, and other tools.


Extensions on AWS CloudFormation
State Street codifies patterns via standardized templates and manages deployment bundles and their sequencing via StackSets. (Other helpful points are provided in the AWS CloudFormation Best Practices documentation).

State Street also extends the base constructs to abstract complex releases and to provide consistency across those releases.

Some of the notable ones are:

  1. Adopt custom resources in CloudFormation templates as part of the service enablement.
    1. Provides a mechanism to integrate newly released APIs/capabilities that may not have AWS CloudFormation support, which affects Stacks and StackSets.
    2. Creates a method to update static variables (for example, LaunchTemplate AMI) as part of the Stack lifecycle events (for example, UPDATE).
    3. Allows for a consistent deployment experience and minimizes friction when attempting to orchestrate across multiple components in a given release.
  2. Create utility services as custom resources, which implement an alternative to key intrinsic functions, such as Import (Fn::ImportValue) for common Stacks.  Depicted in the diagram below.
    1. Enables a common set of core services and functions across accounts, shared by a broader community of application teams.
    2. Mitigates some of the restrictions that lead to tight coupling across Stacks (given that their update frequency is not aligned).
    3. Eliminates the need for account-specific parameter management by application teams, when deploying complex applications across accounts.
  3. Optimize deployment sequencing through judicious expression of dependencies (DependsOn attributes) and options (Conditions).  Shown in the diagram below.
    1. Serializes execution when dependencies cannot be directly inferred by AWS CloudFormation.  For example, when a Stack has both IAM roles and the Amazon Relational Database Service (Amazon RDS) cluster that references them within the same CloudFormation template.
    2. Allows custom checkpointing and runtime parameter setting during the execution of the Stack.
    3. Tailors deployment based on runtime variables (such as environment class and instance types) across the AWS accounts in scope.
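The utility-service pattern from items 1 and 2 above, as an added example that is not State Street's or AWS's code: a Lambda-backed custom resource that resolves a shared key to a value published by another stack or account (in place of Fn::ImportValue) and answers in the custom resource response format CloudFormation expects. The in-memory REGISTRY, the Key property and the Custom::Lookup resource type named in the comments are assumptions.

```python
import json
import urllib.request

# Constructed registry standing in for the backing store a utility service
# would own (for example SSM Parameter Store): shared key -> published value.
REGISTRY = {
    "shared/vpc-id": "vpc-0123456789abcdef0",
    "shared/private-subnets": "subnet-0aaa0aaa,subnet-0bbb0bbb",
}

def build_response(event, status, data=None, reason=None):
    """Shape the body CloudFormation expects at the pre-signed ResponseURL.
    PhysicalResourceId is derived from the key, so re-running an unchanged
    lookup on UPDATE does not make CloudFormation replace the resource."""
    key = event.get("ResourceProperties", {}).get("Key", "unknown")
    return {
        "Status": status,
        "Reason": reason or f"lookup {key}: {status}",
        "PhysicalResourceId": f"lookup:{key}",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }

def handler(event, context=None):
    """Entry point for the Lambda behind the Custom::Lookup ServiceToken (assumed name)."""
    key = event.get("ResourceProperties", {}).get("Key")
    if event["RequestType"] == "Delete":
        # The lookup owns nothing, so Delete always succeeds; failing here
        # would leave the calling stack stuck in DELETE_FAILED.
        return build_response(event, "SUCCESS")
    if key not in REGISTRY:
        # Fail fast with a reason instead of letting CloudFormation wait
        # out the custom resource timeout.
        return build_response(event, "FAILED", reason=f"unknown key {key!r}")
    # The consuming stack reads this as !GetAtt <LogicalId>.Value
    return build_response(event, "SUCCESS", data={"Value": REGISTRY[key]})

def send(event, body):
    """Deliver the response; CloudFormation waits for this PUT, not the return value."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT",
                                 headers={"Content-Type": ""})
    return urllib.request.urlopen(req).status
```

In a deployed Lambda the last step is `send(event, handler(event))`; it is kept separate here so the handler's results can be inspected without network access.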
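Item 3 above, as an added example that is not State Street's tooling: a small resolver that derives the creation order CloudFormation would use from inferred references (Ref, Fn::GetAtt), explicit DependsOn attributes and a Condition on a parameter, run over a constructed template modelled on the IAM-role-plus-RDS-cluster case. It supports only Fn::Equals conditions, and the resource names are assumptions.

```python
# Constructed template: DbCluster references DbRole (inferred dependency),
# SeedJob needs DbCluster but never references it (explicit DependsOn),
# and ReadReplica exists only when the EnvClass parameter is "prod".
TEMPLATE = {
  "Conditions": {"IsProd": {"Fn::Equals": [{"Ref": "EnvClass"}, "prod"]}},
  "Resources": {
    "DbRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "DbCluster": {"Type": "AWS::RDS::DBCluster", "Properties":
      {"AssociatedRoles": [{"RoleArn": {"Fn::GetAtt": ["DbRole", "Arn"]}}]}},
    "SeedJob": {"Type": "AWS::Lambda::Function", "DependsOn": "DbCluster",
      "Properties": {}},
    "ReadReplica": {"Type": "AWS::RDS::DBInstance", "Condition": "IsProd",
      "Properties": {"DBClusterIdentifier": {"Ref": "DbCluster"}}}}}

def referenced(node, names):
    """Collect Ref / Fn::GetAtt targets in a property tree that name resources."""
    found = set()
    if isinstance(node, dict):
        for ref in (node.get("Ref"), node.get("Fn::GetAtt", [None])[0]):
            if ref in names:
                found.add(ref)
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found |= referenced(child, names)
    return found

def condition_true(cond, params):
    """Evaluate Fn::Equals, the only intrinsic this example supports."""
    value = lambda v: params[v["Ref"]] if isinstance(v, dict) else v
    return value(cond["Fn::Equals"][0]) == value(cond["Fn::Equals"][1])

def deployment_waves(template, params):
    """Group resources into waves; each wave depends only on earlier waves."""
    conds = template.get("Conditions", {})
    active = {n: r for n, r in template["Resources"].items()
              if "Condition" not in r or condition_true(conds[r["Condition"]], params)}
    deps = {}
    for name, res in active.items():
        dep_on = res.get("DependsOn", [])
        deps[name] = referenced(res.get("Properties", {}), set(active)) | (
            {dep_on} if isinstance(dep_on, str) else set(dep_on))
    waves, done = [], set()
    while len(done) < len(active):
        ready = sorted(n for n in active if n not in done and deps[n] <= done)
        if not ready:  # nothing can proceed: the remaining resources form a cycle
            raise ValueError("circular dependency: " + ", ".join(set(active) - done))
        waves.append(ready)  # CloudFormation would create these concurrently
        done |= set(ready)
    return waves
```

Remove the DependsOn on SeedJob and it moves into the first wave alongside DbRole, which is exactly the ordering an explicit DependsOn exists to prevent.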


Conclusion
State Street views AWS CloudFormation as a foundational service that enables the use of AWS services to achieve its business outcomes. In this blog, State Street shared its rationale for selecting AWS CloudFormation to anchor its Infrastructure as Code (IaC) approach. It also elaborated on some of the extensions and approaches used to scale deployments across teams, using custom resources to augment native support.  By using a utility service to abstract cross-stack references at runtime, together with conditions and dependency attributes, it simplified complex deployment sequencing.

State Street looks forward to future integration and enhancements on the platform.  To learn more about AWS CloudFormation, visit the AWS CloudFormation documentation site.

The content and opinions in this post are those of the third-party author and AWS is not responsible for the content or accuracy of this post.

About the Authors

Wensi Lu is a business system analyst on the State Street Digital Product Engineering team. She focuses on process modelling, re-engineering and optimization for AWS-enabled applications and supporting platforms.


Ho Fai Wong is a lead data analyst on the State Street Digital Product Engineering team. He works on building end-to-end, cloud-native, serverless applications on AWS, including deployment automation and orchestration.


Jacky (Jue) Shu is a lead operations analyst on the State Street Digital Product Engineering team. He is responsible for AWS operations and application deployments and was a database architect for many years.
