AWS CloudFormation Validation Pipeline

Architecture Overview

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.


Figure 1: AWS CloudFormation Validation Pipeline default architecture

The solution includes two AWS CloudFormation templates that automate the deployment of a validation pipeline for AWS CloudFormation templates hosted in a customer’s existing AWS CodeCommit repository. Together, the solution templates deploy and configure AWS CodePipeline, AWS Lambda functions that manage overall testing processes, necessary AWS Identity and Access Management roles, an Amazon Simple Notification Service (Amazon SNS) topic, an Amazon DynamoDB table, an Amazon S3 bucket, AWS CloudFormation test stacks, and AWS CodeBuild (as an optional resource).

When a user commits an AWS CloudFormation template to the AWS CodeCommit repository, the pipeline source action is triggered (see Working with Actions in AWS CodePipeline). This invokes a Lambda function that runs logical pre-create tests on the template code, including a default test on template syntax, an optional test that uses AWS CodeBuild to run cfn-nag rules, and any user-defined tests. The pipeline then invokes Lambda functions that launch test stacks and configure resources, as defined in the customer-provided configuration file. Once the testing environment is configured, the pipeline invokes another Lambda function that runs functional post-create tests on the stacks. The solution includes preconfigured test functions, but the pipeline is designed to accommodate additional functions for custom testing scenarios. You have the option to keep or automatically delete stacks after testing.

If all tests are successful, the solution sends an Amazon SNS email notification to let you know that the template is ready for manual approval in AWS CodePipeline. If you approve the action, the pipeline invokes a Lambda function that copies the template to a solution-created S3 bucket. The function uploads the template with two different S3 prefixes: one that uses the commit ID, and one that uses a generic latest key. This allows you to overwrite an actively referenced template while preserving all previous versions.
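As an added illustration of the two stages described above (not code from the solution itself), the following Python sketch shows the shape of a pre-create test stage and of the approval copy step: a default syntax test on a JSON template, a hypothetical user-defined test in the spirit of cfn-nag that flags security group ingress open to the whole internet, and the pair of S3 keys (per-commit and generic latest) an approved template is written under. The sample template, the key layout and the function names are assumptions; only JSON templates are handled, and the S3 upload itself is left out so the example runs offline.

```python
import json

# Constructed sample template (not from the solution): one security group with
# SSH open to the world, and one bucket that is fine.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                      "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
})


def syntax_test(template_text):
    """Default pre-create test: parse the template and check the minimum
    structure CloudFormation requires (a non-empty Resources map, each entry typed)."""
    try:
        doc = json.loads(template_text)
    except ValueError as exc:
        return [f"template is not valid JSON: {exc}"]
    resources = doc.get("Resources")
    if not isinstance(resources, dict) or not resources:
        return ["template has no Resources section"]
    return [f"resource {name} has no Type"
            for name, res in resources.items()
            if not isinstance(res, dict) or "Type" not in res]


def user_defined_tests(template_text):
    """Hypothetical user-defined pre-create test (cfn-nag style): report any
    security group ingress rule whose source CIDR is 0.0.0.0/0."""
    doc = json.loads(template_text)
    findings = []
    for name, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == "0.0.0.0/0":
                findings.append(f"{name}: ingress {rule.get('FromPort')}-"
                                f"{rule.get('ToPort')} open to 0.0.0.0/0")
    return findings


def approved_template_keys(template_path, commit_id):
    """Keys for an approved template: one frozen per commit, one 'latest'
    that is overwritten so active references pick up the new version (layout assumed)."""
    return [f"{commit_id}/{template_path}", f"latest/{template_path}"]
```

Running both test functions over the sample template reproduces the pipeline's decision point: the syntax test passes, the user-defined test returns a finding, and a failing pre-create stage would stop the pipeline before any test stack is launched.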

The solution uses Amazon CloudWatch data on the solution’s Lambda functions to create a custom report on pipeline failures and manual approvals. It uploads this report to the same S3 bucket as the approved templates.