Design considerations - Multi-Region Infrastructure Deployment

Design considerations

CloudFormation execution role

When AWS CodePipeline executes AWS CloudFormation change set commands, it assumes the CloudFormationExecutionRole, which has the permissions necessary to provision and manage the resources defined in the solution's AWS CloudFormation template.

When deploying the solution, the CloudFormation Execution Policy template parameter must specify the ARN of an AWS Identity and Access Management (IAM) policy that grants those permissions. We recommend that you create a new IAM policy containing only the minimally scoped set of permissions necessary to manage the deployed template, rather than reusing a broad or administrative policy.

CloudFormation template dependencies

If the template hosted in GitHub depends on nested stacks or AWS Lambda functions, the deployment package must be in the same AWS Region as the stack that references it, for both the primary and secondary Regions. Nested stack templates and AWS Lambda function source code therefore need to be available in each Region, because AWS CloudFormation can only refer to Amazon Simple Storage Service (Amazon S3) buckets in the Region where the stack is created.
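As an added example that is not part of the solution's own templates, the following CloudFormation snippet creates a managed policy whose ARN can be passed as the CloudFormation Execution Policy parameter; it also covers the per-Region deployment package bucket described above. It assumes the deployed template manages only one S3 bucket and one Lambda function, and the Region names, bucket names, function prefix and role name are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Minimally scoped execution policy (added example; resources and names are assumed)
Parameters:
  PrimaryRegion:
    Type: String
    Default: us-east-1      # placeholder
  SecondaryRegion:
    Type: String
    Default: us-west-2      # placeholder
Resources:
  CloudFormationExecutionPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Only the actions the deployed template needs; no wildcard actions
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ManageTemplateResources
            Effect: Allow
            Action:
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:PutBucketVersioning
              - s3:PutEncryptionConfiguration
              - s3:PutBucketPublicAccessBlock
              - lambda:CreateFunction
              - lambda:UpdateFunctionCode
              - lambda:UpdateFunctionConfiguration
              - lambda:DeleteFunction
              - lambda:GetFunction
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::example-app-bucket-*'              # assumed bucket naming
              - !Sub 'arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:example-app-*'
            Condition:                       # confine the role to the two Regions the pipeline deploys to
              StringEquals:
                aws:RequestedRegion: [!Ref PrimaryRegion, !Ref SecondaryRegion]
          - Sid: ReadDeploymentPackagePerRegion   # Lambda code/nested templates staged in each Region
            Effect: Allow
            Action: s3:GetObject
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::example-deploy-${PrimaryRegion}/*'
              - !Sub 'arn:${AWS::Partition}:s3:::example-deploy-${SecondaryRegion}/*'
          - Sid: PassOnlyTheLambdaRole
            Effect: Allow
            Action: iam:PassRole
            Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/example-lambda-role'
            Condition:
              StringEquals:
                iam:PassedToService: lambda.amazonaws.com
Outputs:
  PolicyArn:
    Value: !Ref CloudFormationExecutionPolicy   # pass this ARN as the CloudFormation Execution Policy parameter
```

When the template grows, extend the action list from the actual API calls CloudFormation makes on a failed change set rather than falling back to a wildcard.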

GitHub source repository

AWS CodePipeline connects to your existing GitHub source repository. To integrate with GitHub, CodePipeline uses an OAuth application or a personal access token for your pipeline. CodePipeline creates a GitHub webhook that starts your pipeline when a change occurs in the repository.