Having 90% of the system in a single Cloudformation template worked pretty well for me.
On every stage (dev, test, prod) I can deploy it automatically up to two times (blue and green) by running a simple shell script. So when I update the application I just deploy it another time on prod, test it one last time by adding the IP of the load balancer in my local hosts file and if I'm satisfied with the result switching the DNS entry to the new version using a weighted DNS record with the ability to switch back until I shut down the old version.
Doing anything continuous doesn't feel worth it in such a small setup with one update every 1-3 months.
What I like most about the approach is that I'm free to change any aspect in the main template without any risk to break something in the live application. Only changes to the elements shared between versions need to be handled carefully.
The main template includes
VPC, network, fargate service, loadbalancer, firewall, KMS,
DNS records, access rights, database tables, queues, monitoring metrics, email alerts
It excludes everything that is shared from update to update which are defined separately and just referenced from the main template such as
some database tables, persistent storage container registry, user groups (Only the groups, not the rights assigned to them)
On every stage (dev, test, prod) I can deploy it automatically up to two times (blue and green) by running a simple shell script. So when I update the application I just deploy it another time on prod, test it one last time by adding the IP of the load balancer in my local hosts file and if I'm satisfied with the result switching the DNS entry to the new version using a weighted DNS record with the ability to switch back until I shut down the old version.
Doing anything continuous doesn't feel worth it in such a small setup with one update every 1-3 months.
What I like most about the approach is that I'm free to change any aspect in the main template without any risk to break something in the live application. Only changes to the elements shared between versions need to be handled carefully.
The main template includes VPC, network, fargate service, loadbalancer, firewall, KMS, DNS records, access rights, database tables, queues, monitoring metrics, email alerts
It excludes everything that is shared from update to update which are defined separately and just referenced from the main template such as some database tables, persistent storage container registry, user groups (Only the groups, not the rights assigned to them)