<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Iac | The AWS Blog</title><link>https://theawsblog.com/tags/iac/</link><description>Articles, tutorials and insights from the AWS community.</description><generator>Hugo</generator><language>en</language><managingEditor>@theawsblog (The AWS Blog)</managingEditor><webMaster>@theawsblog</webMaster><lastBuildDate>Tue, 30 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://theawsblog.com/tags/iac/index.xml" rel="self" type="application/rss+xml"/><item><title>CloudFormation Express mode is about feedback loops, not just faster deploys</title><link>https://theawsblog.com/news/emiliano-montesdeoca/cloudformation-express-mode-feedback-loops/</link><pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/cloudformation-express-mode-feedback-loops/</guid><description>AWS CloudFormation Express mode shortens infrastructure iteration by completing after configuration is applied, but builders need clear guardrails for when stabilization still matters.</description><content:encoded>&lt;p&gt;CloudFormation Express mode is easy to read as a speed announcement. The more useful way to read it is as a feedback-loop announcement.&lt;/p&gt;
&lt;p&gt;In the &lt;a href="https://aws.amazon.com/blogs/aws/accelerate-your-infrastructure-deployments-by-up-to-4x-with-aws-cloudformation-express-mode/"&gt;AWS News Blog post&lt;/a&gt;, AWS explains that Express mode lets CloudFormation complete when resource configuration has been applied instead of waiting for extended stabilization checks. That can make stack operations much faster, especially during iterative infrastructure work.&lt;/p&gt;
&lt;p&gt;That is valuable, but only if teams understand what changed: CloudFormation is not making every resource ready sooner. It is changing when the deployment returns control to you.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;Standard CloudFormation waits for stabilization checks after applying resource configuration. Those checks are useful when the next action depends on the resource being operational.&lt;/p&gt;
&lt;p&gt;Express mode skips that waiting period and lets resources continue stabilizing in the background. AWS says this can reduce deployment time by up to four times and highlights examples where long wait periods around resources such as Lambda network interfaces become much shorter.&lt;/p&gt;
&lt;p&gt;No template changes are required. Builders can use Express mode through the console, AWS CLI, SDKs, CDK, and other IaC workflows.&lt;/p&gt;
&lt;h2 id="where-it-helps-most"&gt;Where it helps most&lt;/h2&gt;
&lt;p&gt;This is strongest in development and platform engineering loops where the cost of waiting is high and the risk of background stabilization is low.&lt;/p&gt;
&lt;p&gt;Good fits include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;iterative CDK or CloudFormation template development,&lt;/li&gt;
&lt;li&gt;AI-assisted infrastructure generation where an agent needs quick validation cycles,&lt;/li&gt;
&lt;li&gt;sandbox environments where failed or incomplete resources can be cleaned up,&lt;/li&gt;
&lt;li&gt;inner-loop testing of isolated infrastructure components,&lt;/li&gt;
&lt;li&gt;deletes that currently block workflows while AWS finishes cleanup.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The bigger win is not shaving seconds from one deployment. It is reducing the friction that makes engineers avoid small infrastructure changes. Faster feedback encourages smaller changes, and smaller changes are easier to review and recover.&lt;/p&gt;
&lt;h2 id="where-i-would-be-careful"&gt;Where I would be careful&lt;/h2&gt;
&lt;p&gt;Express mode should not become the default answer for every production deployment.&lt;/p&gt;
&lt;p&gt;If your pipeline shifts traffic, starts integration tests, runs database migrations, or declares a release successful immediately after CloudFormation returns, stabilization still matters. A resource can be configured but not yet ready for the next dependency in your delivery process.&lt;/p&gt;
&lt;p&gt;The practical guardrail is simple: separate &lt;strong&gt;configuration applied&lt;/strong&gt; from &lt;strong&gt;service ready&lt;/strong&gt;. Express mode can own the first signal. Your pipeline still needs health checks, smoke tests, alarms, and rollback logic for the second.&lt;/p&gt;
&lt;p&gt;Also note the rollback behavior. The source article says Express mode disables rollback by default for the fastest iteration experience, with options to re-enable rollback. That is sensible for local iteration. For production, it should be an explicit decision with cleanup and monitoring in place.&lt;/p&gt;
&lt;h2 id="builder-checklist"&gt;Builder checklist&lt;/h2&gt;
&lt;p&gt;Before adopting Express mode broadly, I would define three deployment profiles:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Inner loop:&lt;/strong&gt; Express mode allowed, rollback optional, cleanup automated.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pre-production:&lt;/strong&gt; Express mode allowed only when smoke tests verify readiness after stack completion.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Production:&lt;/strong&gt; Express mode allowed only for stacks where downstream steps do not assume full stabilization, or where readiness gates replace CloudFormation waiting.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Also update runbooks. If a deployment returns faster but a resource continues stabilizing, on-call engineers need to know where to look: CloudFormation events, service-specific logs, metrics, and alarms.&lt;/p&gt;
&lt;h2 id="the-practical-takeaway"&gt;The practical takeaway&lt;/h2&gt;
&lt;p&gt;CloudFormation Express mode is not a license to ignore readiness. It is a way to stop paying stabilization latency when your workflow does not need CloudFormation to wait.&lt;/p&gt;
&lt;p&gt;Used deliberately, it can make infrastructure development feel less heavy and make AI-assisted IaC workflows more practical. Used casually, it can move waiting from CloudFormation into your users&amp;rsquo; first request. The difference is whether your pipeline has an explicit readiness gate after the stack operation completes.&lt;/p&gt;</content:encoded></item><item><title>CloudFormation pre-deployment validation makes IaC failures cheaper</title><link>https://theawsblog.com/news/emiliano-montesdeoca/cloudformation-cdk-predeployment-validation/</link><pubDate>Tue, 30 Jun 2026 00:00:00 +0000</pubDate><author>Emiliano Montesdeoca</author><guid>https://theawsblog.com/news/emiliano-montesdeoca/cloudformation-cdk-predeployment-validation/</guid><description>AWS CloudFormation and CDK pre-deployment validation now runs on stack operations, helping builders catch quota, Config, and ECR issues before failed deployments waste time.</description><content:encoded>&lt;p&gt;The best deployment failure is the one that fails before it starts changing infrastructure.&lt;/p&gt;
&lt;p&gt;AWS has announced that &lt;a href="https://aws.amazon.com/blogs/devops/ship-infrastructure-faster-with-cloudformation-and-cdk-pre-deployment-validation-on-every-stack-operation/"&gt;CloudFormation pre-deployment validation now runs automatically on every stack create and update operation&lt;/a&gt;. The same post also introduces new checks and a &lt;code&gt;cdk validate&lt;/code&gt; workflow.&lt;/p&gt;
&lt;p&gt;This is not as visually exciting as a new service. It is more useful than many new services.&lt;/p&gt;
&lt;h2 id="what-changed"&gt;What changed&lt;/h2&gt;
&lt;p&gt;Pre-deployment validation now runs on CloudFormation stack operations without requiring a separate setup. The source article mentions new checks for service quota limits, AWS Config Recorder conflicts, and ECR repository delete readiness. It also describes operation-level control and CDK integration through &lt;code&gt;cdk validate&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;For builders, this shifts some failure detection earlier in the pipeline. Instead of discovering quota or environment conflicts halfway through deployment, teams can catch them before the operation commits to a path.&lt;/p&gt;
&lt;h2 id="why-it-matters"&gt;Why it matters&lt;/h2&gt;
&lt;p&gt;Infrastructure failures are expensive because they consume time, create partial state, and distract teams from the real change they were trying to ship.&lt;/p&gt;
&lt;p&gt;Quotas are a classic example. A template can be valid and still fail because the target account or Region does not have enough capacity for a resource type. A pre-deployment check that catches this earlier improves both developer experience and operational safety.&lt;/p&gt;
&lt;p&gt;The CDK angle matters too. CDK users often think in application constructs while CloudFormation owns the final deployment. Bringing validation closer to the CDK workflow helps developers discover platform constraints before the change reaches a shared environment.&lt;/p&gt;
&lt;h2 id="the-trade-offs"&gt;The trade-offs&lt;/h2&gt;
&lt;p&gt;Validation is not a proof of success. It can catch known classes of problems, but it cannot guarantee the application will work, the dependency will be healthy, or the rollout will be safe.&lt;/p&gt;
&lt;p&gt;Builders still need:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;template linting and policy checks,&lt;/li&gt;
&lt;li&gt;least-privilege review,&lt;/li&gt;
&lt;li&gt;drift detection,&lt;/li&gt;
&lt;li&gt;integration tests,&lt;/li&gt;
&lt;li&gt;deployment alarms,&lt;/li&gt;
&lt;li&gt;rollback or remediation plans,&lt;/li&gt;
&lt;li&gt;post-deploy smoke tests.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;There is also a balance between strictness and velocity. If validation blocks legitimate emergency changes, teams will look for bypasses. The &lt;code&gt;DisableValidation&lt;/code&gt; option should be treated like any other break-glass control: rare, logged, and reviewed.&lt;/p&gt;
&lt;h2 id="what-to-do-next"&gt;What to do next&lt;/h2&gt;
&lt;p&gt;Add &lt;code&gt;cdk validate&lt;/code&gt; or equivalent CloudFormation validation to pull requests and pre-merge pipelines where it makes sense. Then track validation failures as a signal. If many teams hit the same quota or Config issue, the platform needs a baseline fix, not repeated ticket handling.&lt;/p&gt;
&lt;p&gt;For production, make validation one gate in a broader release process. It should happen before deployment, but readiness should still be proven after deployment.&lt;/p&gt;
&lt;p&gt;The practical takeaway: pre-deployment validation makes IaC failures cheaper and faster to understand. It does not remove the need for good deployment engineering, but it moves a useful class of mistakes to the left.&lt;/p&gt;</content:encoded></item></channel></rss>