CloudFormation in CI/CD
Automate deploys; protect the pipeline.
The safe delivery pattern is the familiar one, run with CloudFormation’s primitives: on a pull request, validate and scan the template and create a change set so the diff is reviewable; on merge, execute the change set to apply the reviewed change — never an ad-hoc deploy from a laptop against production. The change set is the plan; reviewing it before execute is the gate.
jobs:plan:if: github.event_name == 'pull_request'steps:- run: cfn-lint template.yaml && cfn-guard validate -r security.guard -d template.yaml- run: |aws cloudformation create-change-set --stack-name prod-net \--change-set-name pr-${{ github.event.number }} --template-body file://template.yamlaws cloudformation describe-change-set --stack-name prod-net \--change-set-name pr-${{ github.event.number }} # post the diffdeploy:if: github.ref == 'refs/heads/main'environment: production # human approvalsteps:- run: aws cloudformation execute-change-set --stack-name prod-net --change-set-name main
Securing the pipeline
Because the pipeline can reshape your AWS account, harden it like the CI/CD course teaches: authenticate CI to AWS with OIDC and a scoped role (short-lived credentials, no long-lived access keys in secrets), give CloudFormation a least-privilege service role, protect the prod deploy behind an approval gate, and keep template scanning as a required check. The deploy identity and the pipeline are as sensitive as the infrastructure they build.