Many Amazon Web Services (AWS) customers use AWS CloudFormation to manage their infrastructure as code and to help deploy AWS resources in a controlled and predictable way. DevOps teams are commonly tasked with validating AWS CloudFormation templates before launch to ensure they follow industry best practices and satisfy company-specific business and governance requirements. These teams often leverage AWS Developer Tools, which is a set of services designed to help DevOps professionals follow continuous integration and continuous delivery (CI/CD) practices and create their own pipelines to automatically build, validate, and deploy code.

To help accelerate customer development and deployment of AWS CloudFormation templates, AWS offers the AWS CloudFormation Validation Pipeline solution. This reference implementation is designed to integrate with an existing AWS CodeCommit repository and automatically provisions and configures the necessary services, including AWS CodePipeline, AWS CodeBuild, and AWS Lambda, to run a set of customizable tests for logical and functional integrity against AWS CloudFormation templates.

The following sections assume basic knowledge of DevOps practices, AWS CloudFormation, and architecting on the AWS Cloud.


When developing code, use a DevOps model that integrates teams and enables collaboration across the entire software development lifecycle, from development and test to deployment to operations. For rapid and reliable code releases, implement CI/CD practices to regularly iterate on your code, and automatically build and test changes in multiple dimensions before deployment to a production environment. With these general DevOps best practices in mind, consider the following when using a CI/CD pipeline for the development and deployment of AWS CloudFormation templates:

  • Implement granular access control policies to your source repository, and regularly monitor activity that triggers your pipeline.
  • Create a comprehensive pipeline that simplifies the execution of different automated tests. Incorporate logical tests to check for correct syntax, references, and security settings, along with functional tests that examine regional application, network accessibility, and resource dependencies.
  • Include a manual approval stage in your pipeline before deploying templates to a production environment.

AWS offers a solution that automatically provisions and configures the AWS services necessary to create a validation pipeline for AWS CloudFormation templates. The diagram below presents the components and functionality you can build using the AWS CloudFormation Validation Pipeline implementation guide and accompanying AWS CloudFormation template.

  1. AWS CodePipeline monitors your AWS CodeCommit repository (the pipeline source) for new or modified AWS CloudFormation templates.
  2. An AWS Lambda function runs logical pre-create tests on the template code, including a default test on template syntax, an optional test that uses AWS CodeBuild, and any user-defined tests.
  3. A Lambda function launches test stacks in multiple AWS Regions, as defined in a customer-provided configuration file.
  4. Another Lambda function runs user-defined functional post-create tests on the test stacks.
  5. If all tests are successful, the solution sends an Amazon Simple Notification Service (Amazon SNS) email notification to let you know that the template is ready for manual approval in AWS CodePipeline.
  6. Once approved, the pipeline invokes a Lambda function that deploys the template to a solution-created Amazon Simple Storage Service (Amazon S3) bucket, where it also stores Amazon CloudWatch data on each Lambda function.
Deploy Solution
Implementation Guide

What you'll accomplish:

Deploy the AWS CloudFormation Validation Pipeline using AWS CloudFormation templates that automatically launch and configure the components necessary to implement a validation pipeline for your AWS CloudFormation templates in AWS CodeCommit.

Build upon a preconfigured testing framework to develop your own custom testing. This AWS CloudFormation Validation Pipeline includes Lambda functions that run common checks, such as correct resource naming and network connectivity, and provide a reference for your own Lambda-based tests. The solution also incorporates the AWS Quick Start testing methodology, enabling you to automatically launch multiple test stacks with different parameters and across different AWS Regions.

Experiment with a demo environment to understand the overall pipeline flow. The solution includes a supplementary AWS CloudFormation template that configures a fully functioning demo environment, enabling customers to experiment with pipeline functionality while familiarizing themselves with AWS CloudFormation best practices (see the implementation guide for more information).

What you'll need before starting:

An AWS account: You will need an AWS account to begin provisioning resources. Sign up for AWS.

An AWS CodeCommit repository: This solution is designed to use an AWS CodeCommit repository as the pipeline source.

Skill level: This solution is intended for IT infrastructure and DevOps professionals who have practical experience with automation and architecting on the AWS cloud.

Q: What tests does AWS CloudFormation Validation Pipeline include?

The AWS CloudFormation Validation Pipeline includes a set of preconfigured Lambda functions for validating AWS CloudFormation templates, including pre-create checks on template code and syntax and post-create checks on test stacks. One of these functions runs a default set of tests from cfn-nag, an open source linting tool for AWS CloudFormation. You can also incorporate your own custom tests into the pipeline. See the implementation guide for detailed information.

Q: Can I deploy this solution in any AWS Region?

You must deploy this solution in an AWS Region that supports AWS CodePipeline, AWS CodeBuild, and AWS CodeCommit. Once deployed, you can configure the pipeline to launch test stacks in any AWS Region.

Q: Which source code repositories does this solution support?

The AWS CloudFormation Validation Pipeline is designed to integrate with an existing AWS CodeCommit repository. If you want to use an Amazon S3 bucket or GitHub as your repository location, you must modify the source stage of the pipeline and configure access appropriately. See the implementation guide for more information.

 

Need more resources to get started with AWS? Visit the Getting Started Resource Center to find tutorials, projects and videos to get started with AWS.

Tell us what you think