When I first heard about CloudFormation's new GitSync feature, I was eager to try it out. In the past I had implemented continuous deployment of CloudFormation templates using Sceptre within GitHub Actions workflows.
Coupled with CloudFormation's rollback and generally robust capabilities, this was indeed an attractive proposition for continuous IaC deployment.
The stack itself comprises standard networking components for a three-tier VPC designed for hosting a web application: 1 public subnet and 2 private subnets, spread across 3 Availability Zones.
Instead of the typically over-priced NAT Gateway offered by AWS, I have dropped in a cheaper alternative, fck-nat.
As per the instructions provided by AWS, you will need an IAM role with, at minimum, the permissions to execute CloudFormation actions, and a trust policy which allows CloudFormation to be driven by GitSync.
In addition, this stack requires further permissions, which are provided in the file iam_policy.yaml.
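As an added example (not code from the original post or its repository), here is a CloudFormation template for the role GitSync assumes, with the trust policy limited to the GitSync service principal and the change-set permissions scoped to the one stack the role manages instead of "*". Assumptions: the service principal and action list are from my reading of the AWS Git sync prerequisites and should be checked against the current AWS documentation; NETWORKING-STACK-NAME is a placeholder; the stack's own resource permissions (the contents of iam_policy.yaml) are attached separately and are not shown.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  GitSyncRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Git sync service principal may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.sync.codeconnections.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: sync-to-cloudformation
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Change-set operations are limited to this one stack (placeholder name),
              # so the role cannot be used to modify other stacks in the account.
              - Sid: StackScopedChangeSets
                Effect: Allow
                Action:
                  - cloudformation:CreateChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:DescribeStackEvents
                  - cloudformation:DescribeStacks
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:GetTemplate
                  - cloudformation:ListChangeSets
                Resource: !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/NETWORKING-STACK-NAME/*"
              # These two actions have no resource-level permissions, so "*" is unavoidable.
              - Sid: AccountWideReadOnly
                Effect: Allow
                Action: [cloudformation:ListStacks, cloudformation:ValidateTemplate]
                Resource: "*"
              # Git sync creates EventBridge rules; allow only rules it manages itself.
              - Sid: ManagedEventRules
                Effect: Allow
                Action: [events:PutRule, events:PutTargets]
                Resource: "*"
                Condition:
                  StringEquals:
                    events:ManagedBy: cloudformation.sync.codeconnections.amazonaws.com
              - Sid: DescribeEventRules
                Effect: Allow
                Action: events:DescribeRule
                Resource: "*"
```

Deploy this role once by hand (or from a separate bootstrap stack), then reference its ARN when creating the GitSync link; the permissions needed for the resources inside the networking stack still come from iam_policy.yaml.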
You will also need to provision an EC2 keypair for the NAT instance. The one used in this example is named "infrastructure-networking".
I used the NPM package cfn-diagram to generate an infrastructure diagram for this stack (in draw.io format). Use the following commands:
npm run generate:vpc:html
npm run generate:vpc:diagram
The results are kinda underwhelming but could probably be improved with some effort.
CloudFormation GitSync works as it says on the tin. I got into a fast workflow while troubleshooting issues that arose while developing the stack. I hope to use it for more CFN stacks, and perhaps compare it to the SAM workflow for CFN templates.