
How to manage production, test and development environments with serverless framework

I am planning to build an enterprise application using aws lambda and serverless framework.

I want to separate the dev, test and prod environments and I am planning to use AWS Parameter store for it.

I don't want my production environment configuration to be exposed to developers. If the developer runs the command serverless offline -s production start then the production configuration should not be obtained.

It should be obtained only when the serverless function has been successfully deployed to aws lambda.

Here are a few considerations based on your question:

  • To have different environments on Serverless framework you have to set up the stage. This value can be passed as a parameter when executing sls commands.
  • If you are keeping your code in a repo, the developers will have access to all the configurations. If this is really important, you could keep the production configuration in a diff repo where only very specific people will have access to it, and then you make a reference to it in your serverless.yml. Ex: custom: ${file(./config/${opt:stage, 'dev'}.json)} and then in your config folder you create the prod.json file, but pointing to the real one of the new repo you created. Note: this would make your project harder to maintain.
  • Considering you don't want your developers to execute your production environment locally, you can use the global variable of serverless offline to block the execution. You could also inform them to not do so.

Here is what should be a good practice and solution based on your problem:

  • Considering you have a production environment you want to isolate from a given group in your company, you should create VPCs and configure their resources access, accordingly.
  • Then you create users to have diff access. When your developers try to execute the code accessing a resource (dynamoDB for example) in a VPC they don't have access, they will be blocked.
  • AWS configure to define which user will execute the SLS command.
  • Your development team will still have access to your configuration file.

    Note: In this case the person/group with access to the production VPC will have to do the deploy.

If the answer does not suffice, could you please reinforce which type of resource(s) are sensitive across your Serverless project? I am taking for granted it is the DB as it is the most common scenario.
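
Added example, not part of the original question or answer: one way to combine the Parameter Store setup from the question with the per-user access the answer recommends is to read the value through the stage and deny developers read access to the production path in IAM. The /myapp/<stage>/ parameter naming, the DB_PASSWORD variable and the Developers group are assumptions made for illustration.

```yaml
# serverless.yml (fragment). The /myapp/<stage>/... path is a hypothetical naming scheme.
service: myapp
provider:
  name: aws
  stage: ${opt:stage, 'dev'}
  environment:
    # Resolved from Parameter Store using the AWS credentials of whoever
    # runs the sls command, so access is decided by IAM, not by the repo.
    DB_PASSWORD: ${ssm:/myapp/${opt:stage, 'dev'}/db_password}
---
# CloudFormation template (separate file, deployed by an administrator).
# Attaches an explicit Deny to the developers' IAM group; an explicit Deny
# overrides any Allow the group members may have elsewhere.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DenyProductionParameters:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Block developer reads of production parameters
      Groups:
        - Developers   # hypothetical IAM group name
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Action:
              - ssm:GetParameter
              - ssm:GetParameters
              - ssm:GetParametersByPath
              - ssm:GetParameterHistory
            # Covers every parameter stored under the production prefix.
            Resource: !Sub arn:aws:ssm:*:${AWS::AccountId}:parameter/myapp/production/*
```

With this policy attached, serverless offline -s production start run under a developer's credentials cannot resolve the production value, while the identity that performs the production deploy still can.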
