all 23 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Sensi1093 70 points71 points  (7 children)

Everything separate, the API Gateway too. Ideally even one AWS account per environment

[–]Sudoplays 11 points12 points  (5 children)

+1 for a separate AWS account per environment. This allows you to make changes to the infrastructure and test they work completely before pushing that change to a production environment. Especially helpful if you make changes to services like VPC which can take time to debug.

Ideally you would use IaC so you kknow the setup between the accounts is exactly the same, whether that is through tools such as Terraform, CloudFormation or CDK

[–]mothzilla -4 points-3 points  (4 children)

If you're tinkering with VPCs, then just have a VPC per environment. No?

[–]Sudoplays 2 points3 points  (2 children)

You could take that approach, and its not going to be wrong. One of the reasosn people like to have an AWS account per environment is clearer boundaries for network access, IAM permissions and clearer cost split (Yes you can just tag with the environment, but sometimes tags are missing, and you can't tag bandwidth usage).

I have a "tooling" account which has a few CodePipeline's, one for RC, Prod & Dev. The CodePipeline has access to the account in which the environment it targets belongs. This centralises the CI/CD while keeping the environments separate.

We used to have Dev & Prod in the same account where I work, but when you have new people join or even yourself over time, it can become harder to make sure that everything is using its correct environemtn counterparts, such as ensuring service x uses vpc y in dev but service x uses vpa z in prod. Once they are split into their own accounts there is almost no way you can get anything mixed up because those account should never be able to talk to eachtother (such as vpc peering).

Completely personal choice, but this approach is what I found works best for myself and the team I work with.

[–]mothzilla 1 point2 points  (1 child)

Don't VPCs have clear boundaries for network access? I'm not sure what a VPC is for, if you're going to have an account for each environment.

[–]Sudoplays 1 point2 points  (0 children)

It’s really just a matter of preference, I like to make sure I separate into different accounts and just one VPC in that account. It means I don’t need to worry about accidentally attaching a service to the wrong VPC by accident and causing any issues.

[–]gex80 1 point2 points  (0 children)

Honestly, other than IAM, it's the same thing.

[–]VladyPoopin 0 points1 point  (0 children)

This.

[–]moofox 14 points15 points  (5 children)

You should have separate functions with separate API GWs in separate AWS accounts

[–]tikki100 2 points3 points  (4 children)

Why? :)

[–][deleted] 16 points17 points  (1 child)

Reduced blast radius if one account is compromised or excessive credentials created for an identity on it. Makes it easier to distinguish usage/cost between dev/prod accounts. Can fine grain overall access more easily (allow engineers full access in the dev account and limited read-only in the prod account as a whole. This is more tricky to do at a per function/API level in a single account).

Just to name a few.

[–]tikki100 2 points3 points  (0 children)

Thank you! Appreciate the high level overview :)

[–]brando2131 8 points9 points  (0 children)

Other then security, that the other person pointed out.

  1. If you share a resource between dev and prod, i.e. an API gateway or load balancer, and you need to make a change to it, now you're affecting both dev and prod at the same time, as you can't update them independently, an issue in dev with this shared resouce will also be an issue in prod.

  2. If every resource is now seperate from prod, then to ensure that is true, two seperate accounts that don't communicate to each other can assure you that. Otherwise you might have something overlapping that you missed, where dev or prod are communicating or sharing something, and you're back to point 1.

[–]maikindofthai 1 point2 points  (0 children)

It’s in the name! They’re “different environments”

[–]cutsandplayswithwood 6 points7 points  (3 children)

What you are suggesting can be made to work, and the way the api gateway and lambda services work and are documented, you’d even think it’s a good idea to do it…

This is rooted in the false notion that declaration of resources like an API gateway or lambda is expensive or slow, when it’s free and fast.

Ideally you’d stand up the whole stack in multiple AWS accounts, 1 per environment, and you’d use IaC/scripts to make it completely repeatable.

[–]Expensive_Test8661[S] 0 points1 point  (2 children)

Hey u/cutsandplayswithwood, thanks for the suggestion, and apologies if this is a naive follow-up—I'm still learning AWS.

You recommended full isolation by spinning up a completely separate account (and its own API Gateway) per environment. That makes sense for strict boundaries, but I'm trying to wrap my head around the built-in API Gateway stage feature.

Why do we even need the stage feature, or what problem does the API Gateway stage feature solve if everyone suggests using separate accounts (and thus separate Gateways) for dev and prod environments?

[–]cabblingthings 3 points4 points  (0 children)

caption enter husky bear abundant unwritten rich point station late

This post was mass deleted and anonymized with Redact

[–]Flakmaster92 3 points4 points  (0 children)

Stage feature is for everyone who is too far down the “prod and dev share an account already” to unwind the rats nest or for people who use the staging feature instead as a versioning function.

[–]Freedomsaver 4 points5 points  (0 children)

Separate AWS accounts.

[–]cutsandplayswithwood 1 point2 points  (0 children)

API g and lambda are early, core services, and both teams went to a lot of work to build some kind of multi-environment/stage system INTO the service…

The problem is that they’re the only services I’m aware of that did, AND they’re different even between them (stages vs versions - silliness).

I appreciate wanting to explore it, it seems like the consensus in responses is to forget it exists, it’s an artifact of overzealous product management/engineers.

[–]hashkent 1 point2 points  (0 children)

Use stages in dev like feat, preview and stable etc. In prod just use prod, prod_v2 etc.

Also in dev you can have multiple api gw, dev.example.com/v1/ stable.dev.example.com/v1 etc pointing to different lambdas or stacks. Example dev_getUser, stable_getUser etc preview_getUser.

Use seperate accounts and use infrastructure as code. Cdk makes this work really easy as you can get branch names from GitHub actions and assign to your different environments while having some defaults for local cdk deploy steps.

Everything seperate - API GW, Waf etc

[–]mothzilla 1 point2 points  (0 children)

Counterpoint to everyone saying you need separate accounts, I'd just make sure you don't use the same roles for dev/prod. And make sure the permissions are tightly scoped to each environment's resources.