How to Use CloudFormation and SAM for Serverless Infrastructure Management in AWS
Managing serverless infrastructure can be complex, but AWS offers powerful tools to simplify this process. Two of the most popular tools are AWS CloudFormation and AWS Serverless Application Model (SAM). These tools help developers define, deploy, and manage serverless resources efficiently and reliably.
In this guide, you will learn what CloudFormation and SAM are, how they work together, and step-by-step methods to use them for deploying and maintaining serverless applications at scale.
What Is AWS CloudFormation?
AWS CloudFormation is an Infrastructure as Code (IaC) service that lets you model and provision AWS resources using templates. Templates are written in JSON or YAML and define every resource your application needs—from VPCs and EC2 instances to Lambda functions and DynamoDB tables. CloudFormation handles the creation, updating, and deletion of these resources in a safe and predictable way through stacks.
Key benefits of CloudFormation include:
- Repeatability – Deploy identical environments across development, staging, and production.
- Version control – Treat your infrastructure as code stored in Git alongside your application code.
- Automated rollbacks – If a stack update fails, CloudFormation can automatically revert to the last known good state.
- Dependency management – CloudFormation automatically determines the order in which resources are created or updated based on their dependencies.
For more details, refer to the official AWS CloudFormation documentation.
What Is AWS SAM?
AWS Serverless Application Model (SAM) is an open-source framework built on top of CloudFormation. It provides a simplified syntax specifically designed for serverless applications. SAM templates use the same CloudFormation format but add serverless‑specific resource types and properties. This reduces the boilerplate code needed to define Lambda functions, API Gateway endpoints, DynamoDB tables, and more.
SAM also comes with a CLI tool that offers local testing, packaging, and deployment workflows. It can run your serverless application locally using Docker, making it easier to debug before deploying to the cloud.
Learn more in the AWS SAM Developer Guide.
How SAM Extends CloudFormation
While CloudFormation requires verbose definitions for IAM roles, Lambda event source mappings, and API Gateway configurations, SAM abstracts these details. For example, declaring an AWS::Serverless::Function automatically generates an IAM role with basic Lambda permissions. You can still customize the role via the Policies or Role property.
SAM also introduces shorthand for common patterns:
- AWS::Serverless::Function – Lambda function with built‑in event source integration.
- AWS::Serverless::Api – API Gateway REST API with OpenAPI support.
- AWS::Serverless::SimpleTable – DynamoDB table with a single-attribute key.
- AWS::Serverless::StateMachine – Step Functions state machine.
Any SAM template must include the transform declaration: Transform: AWS::Serverless-2016-10-31.
Getting Started with CloudFormation and SAM
To begin using SAM and CloudFormation for serverless deployments, you need the following tools installed on your local machine:
- AWS CLI – Command‑line interface for interacting with AWS services. Install the AWS CLI and configure it with your credentials.
- AWS SAM CLI – A separate tool that extends the AWS CLI for serverless workflows. Install the SAM CLI.
- Docker Desktop – Required for local testing of Lambda functions inside a container.
Once these are in place, create a new directory for your project and initialize a SAM application:
sam init
This command launches an interactive prompt that lets you choose a runtime (e.g., Node.js, Python, Java), a template name, and a folder structure. The generated project includes a template.yaml file, a src/ directory for your code, and optional events/ and tests/ directories.
Sample SAM Template Explained
Below is a simple SAM template that defines a Lambda function exposed via API Gateway:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs14.x
      CodeUri: src/
      Events:
        ApiEvent:
          Type: Api
          Properties:
            Path: /hello
            Method: get
Outputs:
  HelloWorldApi:
    Description: "API Gateway endpoint URL for Prod stage"
    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/hello/"
Key components of this template:
- Transform – Signals CloudFormation to process SAM‑specific resources.
- HelloWorldFunction – The Lambda function resource. Handler points to the file and function to execute, Runtime specifies the Node.js version, and CodeUri tells SAM where the source code lives relative to the template.
- Events – Defines an API Gateway event source for the Lambda function. SAM automatically creates an API Gateway REST API and a permission resource.
- Outputs – After deployment, SAM returns the API endpoint URL. !Sub is a CloudFormation intrinsic function that interpolates the generated API Gateway ID.
To add a DynamoDB table, extend the Resources section of the template:
  MyTable:
    Type: AWS::Serverless::SimpleTable
    Properties:
      PrimaryKey:
        Name: id
        Type: String
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
Deploying Serverless Applications with SAM
The deployment process with SAM involves three main steps: build, package, and deploy.
1. Build
Run sam build inside your project directory. This command:
- Downloads dependencies (e.g., npm packages for Node.js, pip modules for Python).
- Compiles the code if needed (e.g., TypeScript for Node.js, Java with Maven).
- Copies artifacts to a .aws-sam/build directory.
- Generates a CloudFormation template with resolved paths and Lambda layer references.
The build step ensures that everything is packaged correctly before deployment.
2. Deploy
Use sam deploy --guided for the first deployment. This interactive mode asks for:
- Stack Name – The CloudFormation stack name (e.g., hello-world-stack).
- AWS Region – The region to deploy to.
- Confirm changes before deploy – Recommended. You can review the change set before CloudFormation applies it.
- Allow SAM CLI IAM role creation – SAM can create an IAM role with minimal permissions to manage the stack.
- Save arguments to configuration file – Saves parameters so future deployments can use sam deploy without the --guided flag.
After confirmation, SAM creates a CloudFormation stack and provisions all resources. The output displays the API endpoint URL if you defined one.
3. Updates and Rollbacks
To update your application, modify the template or code, run sam build again, and then sam deploy. CloudFormation will generate a change set comparing the current stack with the updated template. It adds, modifies, or deletes resources as needed.
If an update fails, CloudFormation can automatically roll back to the previous stack state. You can also manually roll back by deleting the stack and redeploying the old template, or by using CloudFormation stack policies to protect critical resources.
Benefits of Using CloudFormation and SAM Together
Combining CloudFormation with SAM gives you the best of both worlds: the general‑purpose power of CloudFormation and the serverless‑focused simplicity of SAM.
- Infrastructure as code ensures repeatability and version control across environments.
- Automated deployments reduce manual errors and speed up release cycles.
- Easy updates and rollbacks via CloudFormation stacks provide safety nets for production changes.
- Simplified syntax with SAM reduces the template size and complexity for serverless resources.
- Local testing with the SAM CLI allows you to invoke Lambda functions and emulate API Gateway locally before deploying.
- CI/CD integration – SAM templates can be deployed through AWS CodePipeline, Jenkins, GitHub Actions, and other CI/CD tools.
Best Practices for Managing Serverless Infrastructure
Use Nested Stacks for Large Applications
As your application grows, a single template can become unwieldy. Break your infrastructure into reusable nested stacks. For example, have one stack for networking, one for database, and one for Lambda functions. Use AWS::CloudFormation::Stack in the parent template to include them. SAM supports nested stacks natively.
Leverage SAM Policy Templates
SAM provides predefined policy templates that attach common IAM permissions to your Lambda functions. Instead of writing full IAM policy documents, use Policies with shorthand names like AmazonDynamoDBFullAccess or AWSLambdaBasicExecutionRole. This keeps your template concise and secure.
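The two names above are AWS managed policy names, which the Policies property also accepts; a SAM policy template proper, such as DynamoDBCrudPolicy with a TableName parameter, scopes the grant to one table. The following is an added example, not code from the article or from AWS: a small audit that flags FullAccess/Administrator managed policies and wildcard inline statements on every AWS::Serverless::Function, run over two constructed templates (the over-broad form and the scoped form). Templates are expressed as JSON, which CloudFormation accepts alongside YAML, so no YAML library is needed; the OrdersFunction and OrdersTable names are made up for the example.

```python
"""Audit the Policies property of SAM functions for over-broad grants.
Added example, not part of the article. Templates below are constructed."""
import json

# Constructed "before": relies on an AWS managed full-access policy.
BROAD_TEMPLATE = json.dumps({
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "OrdersFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "nodejs14.x",
                "CodeUri": "src/",
                "Policies": ["AmazonDynamoDBFullAccess"],
            },
        },
        "OrdersTable": {"Type": "AWS::Serverless::SimpleTable"},
    },
})

# Constructed "after": the DynamoDBCrudPolicy SAM policy template scoped to one table.
SCOPED_TEMPLATE = json.dumps({
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "OrdersFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "nodejs14.x",
                "CodeUri": "src/",
                "Policies": [
                    {"DynamoDBCrudPolicy": {"TableName": {"Ref": "OrdersTable"}}}
                ],
            },
        },
        "OrdersTable": {"Type": "AWS::Serverless::SimpleTable"},
    },
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return finding strings for one entry of a Policies list."""
    findings = []
    if isinstance(policy, str):
        # A bare string is an AWS managed policy name; full-access names are not least privilege.
        if "FullAccess" in policy or "Administrator" in policy:
            findings.append(f"managed policy {policy} grants broad access")
        return findings
    if isinstance(policy, dict) and "Statement" in policy:
        # Inline IAM policy document: look for wildcard actions or resources.
        for stmt in _as_list(policy["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"inline statement allows wildcard action {actions}")
            if "*" in resources:
                findings.append("inline statement allows Resource '*'")
    # Any other dict is a SAM policy template such as {"DynamoDBCrudPolicy": {...}},
    # which is scoped to the named resource by construction.
    return findings


def audit_template(template_json):
    """Map each AWS::Serverless::Function logical id to its findings."""
    template = json.loads(template_json)
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        policies = _as_list(res.get("Properties", {}).get("Policies", []))
        report[logical_id] = [f for p in policies for f in policy_findings(p)]
    return report


if __name__ == "__main__":
    for label, body in (("broad", BROAD_TEMPLATE), ("scoped", SCOPED_TEMPLATE)):
        print(label, audit_template(body))
```

Running the audit in CI before sam deploy turns "concise" into "concise and least-privilege": the broad template yields one finding for OrdersFunction, the scoped one yields none.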
Use Parameters and Mappings
Make your templates reusable by parameterizing environment‑specific values (e.g., stage name, VPC ID). Define parameters in the Parameters section and reference them with Ref. Use Mappings for regional differences (e.g., AMI IDs, instance types).
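To see how Ref, Mappings and the !Sub output from the sample template above fit together, here is an added example (not the article's code and not a SAM or CloudFormation library) that resolves Ref, Fn::Sub and Fn::FindInMap offline against a parameter set, so you can preview a template's Outputs for a given stage and region before deploying. It assumes a constructed JSON template (!Sub is the YAML short form of Fn::Sub), a made-up Stage parameter and RegionMap mapping, and a caller-supplied physical id for the implicit ServerlessRestApi resource, which in a real deployment CloudFormation assigns.

```python
"""Preview CloudFormation Outputs by resolving Ref, Fn::Sub and Fn::FindInMap.
Added example, not part of the article; the template is constructed."""
import json
import re

# Constructed template: the article's HelloWorld output plus a Stage parameter
# and a RegionMap mapping of the kind the best-practices section describes.
TEMPLATE_JSON = """
{
  "Parameters": {
    "Stage": {"Type": "String", "Default": "Prod"}
  },
  "Mappings": {
    "RegionMap": {
      "us-east-1": {"InstanceType": "t3.micro"},
      "eu-west-1": {"InstanceType": "t3.small"}
    }
  },
  "Resources": {},
  "Outputs": {
    "HelloWorldApi": {
      "Value": {"Fn::Sub": "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/${Stage}/hello/"}
    },
    "InstanceType": {
      "Value": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "InstanceType"]}
    }
  }
}
"""

SUB_VAR = re.compile(r"\$\{([^}]+)\}")


class Resolver:
    def __init__(self, template, parameters, region, physical_ids):
        self.template = template
        # Names Ref and ${...} may resolve: the AWS::Region pseudo parameter,
        # template parameters (caller value, else Default) and resource physical ids.
        self.values = {"AWS::Region": region}
        for name, spec in template.get("Parameters", {}).items():
            if name in parameters:
                self.values[name] = parameters[name]
            elif "Default" in spec:
                self.values[name] = spec["Default"]
            else:
                raise ValueError(f"no value supplied for parameter {name}")
        self.values.update(physical_ids)

    def ref(self, name):
        if name not in self.values:
            raise KeyError(f"Ref/Sub refers to unknown name {name!r}")
        return str(self.values[name])

    def resolve(self, node):
        if isinstance(node, dict) and len(node) == 1:
            key, arg = next(iter(node.items()))
            if key == "Ref":
                return self.ref(arg)
            if key == "Fn::Sub":
                return self._sub(arg)
            if key == "Fn::FindInMap":
                map_name, top_key, second_key = (self.resolve(a) for a in arg)
                return self.template["Mappings"][map_name][top_key][second_key]
        if isinstance(node, dict):
            return {k: self.resolve(v) for k, v in node.items()}
        if isinstance(node, list):
            return [self.resolve(v) for v in node]
        return node

    def _sub(self, arg):
        # Fn::Sub takes a string, or [string, {name: value}] with local overrides.
        if isinstance(arg, list):
            text, local = arg[0], {k: str(self.resolve(v)) for k, v in arg[1].items()}
        else:
            text, local = arg, {}

        def lookup(match):
            name = match.group(1)
            return local[name] if name in local else self.ref(name)

        return SUB_VAR.sub(lookup, text)


def resolve_outputs(template_json, parameters, region, physical_ids):
    """Return {output name: resolved value} for the template's Outputs section."""
    template = json.loads(template_json)
    resolver = Resolver(template, parameters, region, physical_ids)
    return {name: resolver.resolve(out["Value"]) for name, out in template.get("Outputs", {}).items()}


if __name__ == "__main__":
    preview = resolve_outputs(TEMPLATE_JSON, {"Stage": "Dev"}, "eu-west-1", {"ServerlessRestApi": "abc123"})
    for name, value in preview.items():
        print(f"{name} = {value}")
```

A reference to a name that is neither a parameter nor a known resource raises KeyError, which is the offline counterpart of the validation error CloudFormation returns for an unresolvable Ref.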
Implement Tagging
Tag all resources with consistent metadata like Environment, Project, and Owner. This simplifies cost tracking and resource management. You can apply tags at the stack level using the Tags property in the CloudFormation section or directly on resources.
Enable Termination Protection
For production stacks, enable termination protection in CloudFormation to prevent accidental deletion. This adds a confirmation prompt before stack deletion can proceed.
Integrating SAM with CI/CD Pipelines
To automate deployments, integrate SAM into your CI/CD pipeline. Here’s a typical workflow using AWS CodePipeline:
- Source code is committed to a Git repository (e.g., AWS CodeCommit, GitHub).
- The pipeline triggers a build stage that runs sam build and runs unit tests.
- The build stage packages the template and uploads artifacts to an S3 bucket.
- A deploy stage runs sam deploy with the packaged template, using the --capabilities CAPABILITY_IAM flag to allow IAM role creation.
- CloudFormation updates the stack with the changes.
You can also use AWS SAM Pipelines to quickly generate a CI/CD pipeline using predefined templates.
Common Pitfalls and Troubleshooting
Stack Update Fails Due to Resource Limits
CloudFormation has limits on stack size (500 resources), template body size (51,200 bytes), and maximum number of outputs. For large deployments, use nested stacks or export values to avoid reaching these limits.
Lambda Function Timeout During Build
If your Lambda function has a large number of dependencies, the sam build step may time out. Increase the timeout, or use the --build-image option to run the build in a custom container with more CPU/memory. Alternatively, pre‑download dependencies in your CI environment.
Inconsistent Environment Behavior
Differences between local testing and production often stem from missing environment variables, wrong IAM permissions, or incorrect event source mappings. Use the same IAM policies and environment variables defined in your template for local tests. The SAM CLI supports --env-vars to pass environment variables from a JSON file.
Deployment Exceeding the CloudFormation Template Body Size
SAM templates can become large due to inline code or many resources. Use sam package to upload code to S3 and reference the artifact. This reduces the template size. Alternatively, compress your template or split resources across stacks.
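The limits listed under "Stack Update Fails Due to Resource Limits", the template-size pitfall just described, and the Transform requirement from "How SAM Extends CloudFormation" can all be caught before sam deploy. The following is an added example, not the article's or AWS's code: a pre-deploy check over a JSON template body (JSON is the other format CloudFormation accepts) that reports body size over 51,200 bytes, more than 500 resources, and AWS::Serverless::* resources declared without the SAM transform. The 200-output ceiling is CloudFormation's documented quota and is not a figure given in the article; make_template and its Fn0, Fn1, ... logical ids are constructed for the example.

```python
"""Pre-deploy checks against CloudFormation limits and the SAM transform.
Added example, not part of the article; test templates are constructed."""
import json

SAM_TRANSFORM = "AWS::Serverless-2016-10-31"
MAX_RESOURCES = 500      # resources per stack, as stated in the article
MAX_BODY_BYTES = 51200   # template body size, as stated in the article
MAX_OUTPUTS = 200        # documented CloudFormation quota; figure not given in the article


def check_template(template_body):
    """Return a list of (code, message) findings; an empty list means the template passes."""
    findings = []
    size = len(template_body.encode("utf-8"))
    if size > MAX_BODY_BYTES:
        findings.append(("body_size",
                         f"template body is {size} bytes, limit {MAX_BODY_BYTES}: "
                         "package code to S3 with sam package or split into nested stacks"))
    template = json.loads(template_body)
    resources = template.get("Resources", {})
    outputs = template.get("Outputs", {})
    transforms = template.get("Transform", [])
    if isinstance(transforms, str):
        transforms = [transforms]
    # SAM resource types only exist after the transform runs; without it the
    # stack fails validation.
    uses_sam_types = any(str(r.get("Type", "")).startswith("AWS::Serverless::")
                         for r in resources.values())
    if uses_sam_types and SAM_TRANSFORM not in transforms:
        findings.append(("transform",
                         f"AWS::Serverless::* resources used but Transform: {SAM_TRANSFORM} is missing"))
    if len(resources) > MAX_RESOURCES:
        findings.append(("resources",
                         f"{len(resources)} resources, limit {MAX_RESOURCES}: split into nested stacks"))
    if len(outputs) > MAX_OUTPUTS:
        findings.append(("outputs",
                         f"{len(outputs)} outputs, limit {MAX_OUTPUTS}: export only what other stacks need"))
    return findings


def finding_codes(template_body):
    """Just the finding codes, sorted, for quick gating in a pipeline."""
    return sorted(code for code, _ in check_template(template_body))


def make_template(n_functions, with_transform=True, inline_code=""):
    """Construct a JSON template with n_functions AWS::Serverless::Function resources (sample data)."""
    template = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {}}
    if with_transform:
        template["Transform"] = SAM_TRANSFORM
    for i in range(n_functions):
        props = {"Handler": "index.handler", "Runtime": "nodejs14.x"}
        if inline_code:
            props["InlineCode"] = inline_code   # inline code counts toward the body size
        else:
            props["CodeUri"] = "src/"
        template["Resources"][f"Fn{i}"] = {"Type": "AWS::Serverless::Function", "Properties": props}
    return json.dumps(template)


if __name__ == "__main__":
    for label, body in (("small", make_template(3)),
                        ("no-transform", make_template(3, with_transform=False)),
                        ("inline-code", make_template(1, inline_code="x" * 60000)),
                        ("too-many", make_template(501))):
        print(label, [code for code, _ in check_template(body)])
```

Wire finding_codes into the build stage and fail the pipeline when it returns anything, so the limit is hit in CI rather than halfway through a CloudFormation update.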
Conclusion
AWS CloudFormation and SAM are indispensable tools for managing serverless infrastructure. CloudFormation gives you full control over your entire AWS environment, while SAM simplifies the creation of serverless resources. Together, they enable you to define infrastructure as code, automate deployments, and maintain consistency across environments.
Start by experimenting with small services, then gradually adopt advanced patterns like nested stacks, CI/CD pipelines, and policy templates. For further reading, check out the AWS SAM specification and the AWS Compute Blog for real‑world examples.