Update ProceduresΒΆ
Procedures for safely updating the VPC Provisioner tool and maintaining deployed infrastructure.
Table of ContentsΒΆ
Version StrategyΒΆ
Semantic VersioningΒΆ
We follow Semantic Versioning 2.0.0:
MAJOR (1.x.x): Breaking changes, incompatible configuration format changes
MINOR (x.1.x): New features, new actions, backward compatible
PATCH (x.x.1): Bug fixes, backward compatible
Example: 1.2.3 β Major: 1, Minor: 2, Patch: 3
Pre-Update ChecklistΒΆ
Before updating:
Review RELEASE_NOTES.md for breaking changes
Backup current configuration files
Document current image version:
docker images vpc-provisionerTest new version against a non-production config first
Schedule maintenance window for production updates
Notify stakeholders
Prepare rollback plan (keep previous image tag)
Updating the Docker ImageΒΆ
Pull New VersionΒΆ
# Pull latest from AWS Marketplace registry
docker pull public.ecr.aws/<marketplace-id>/vpc-provisioner:latest
# Or pull specific version
docker pull public.ecr.aws/<marketplace-id>/vpc-provisioner:1.2.3
# Tag locally
docker tag public.ecr.aws/<marketplace-id>/vpc-provisioner:latest vpc-provisioner:latest
Note: Replace <marketplace-id> with the actual registry path from your AWS Marketplace subscription.
Verify New VersionΒΆ
# Check image details
docker images vpc-provisioner
# Verify tool runs
docker run --rm vpc-provisioner:latest --help
# Validate existing config against new version
docker run --rm \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action validate-config
Test Before ProductionΒΆ
Run a test deployment with the new image to verify compatibility:
docker run --rm \
-v ~/.aws:/home/vpcuser/.aws:ro \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action test-deploy
This creates an isolated test stack with a random suffix β no impact on production resources. Delete the test stack when done:
aws cloudformation delete-stack \
--stack-name <test-stack-name> \
--region us-west-2
Rollback ProceduresΒΆ
Quick RollbackΒΆ
If the new version causes issues, revert to the previous image:
# Re-tag previous version
docker tag public.ecr.aws/<marketplace-id>/vpc-provisioner:1.2.2 vpc-provisioner:latest
# Verify rollback
docker run --rm vpc-provisioner:latest --help
# Validate config with previous version
docker run --rm \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action validate-config
Keep Multiple VersionsΒΆ
Tag versions explicitly so you can switch between them:
docker tag public.ecr.aws/<marketplace-id>/vpc-provisioner:1.2.2 vpc-provisioner:1.2.2
docker tag public.ecr.aws/<marketplace-id>/vpc-provisioner:1.2.3 vpc-provisioner:1.2.3
# Use specific version
docker run --rm \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:1.2.2 \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action validate-config
Configuration UpdatesΒΆ
Modifying an Existing ConfigurationΒΆ
When you need to change VPC settings (CIDR blocks, subnets, NAT gateway, tags):
# 1. Edit configuration file
vi configs/edge-prod-b001-us-west-2-vpc.yaml
# 2. Validate changes
docker run --rm \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action validate-config
# 3. Regenerate CloudFormation template
docker run --rm \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/templates:/app/templates \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action create-prov-template
# 4. Validate the template
docker run --rm \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/templates:/app/templates \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action validate-prov-template
# 5. Preview what will change
docker run --rm \
-v ~/.aws:/home/vpcuser/.aws:ro \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/templates:/app/templates \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action show-changes
# 6. Regenerate IAM policy (if permissions changed)
docker run --rm \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/policies:/app/policies \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action create-policy
Adding SubnetsΒΆ
When adding new subnets to an existing VPC:
Add the new subnet definitions to your configuration
Ensure CIDRs donβt overlap with existing subnets
Regenerate the template and preview changes with show-changes
Verify the changes are additive (no replacements of existing subnets)
Infrastructure MaintenanceΒΆ
Drift DetectionΒΆ
Check if deployed infrastructure has been modified outside of CloudFormation:
docker run --rm \
-v ~/.aws:/home/vpcuser/.aws:ro \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action check-drift
If drift is detected, review the changes and decide whether to:
Update the configuration to match the current state
Redeploy to restore the intended state
Replacing a DeploymentΒΆ
To fully replace an existing VPC deployment:
# 1. Tear down existing infrastructure
docker run --rm \
-v ~/.aws:/home/vpcuser/.aws:ro \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action delete-vpc \
--force
# 2. Redeploy with updated configuration
docker run --rm \
-v ~/.aws:/home/vpcuser/.aws:ro \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/templates:/app/templates \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action create-vpc \
--force
Warning: delete-vpc removes the VPC and all its resources (subnets, NAT gateways, route tables, internet gateway). Ensure no EC2 instances, RDS databases, or other services are running in the VPC before proceeding.
Monitoring After UpdateΒΆ
Verify Deployed InfrastructureΒΆ
# Check CloudFormation stack status
aws cloudformation describe-stacks \
--stack-name edge-prod-b001-us-west-2-vpc-stack \
--region us-west-2 \
--query 'Stacks[0].StackStatus'
# Check VPC exists
aws ec2 describe-vpcs \
--filters "Name=tag:Name,Values=edge-prod-b001-us-west-2-vpc" \
--region us-west-2
# Check subnets
aws ec2 describe-subnets \
--filters "Name=tag:Name,Values=edge-prod-b001-us-west-2-*" \
--region us-west-2 \
--query 'Subnets[].{Name:Tags[?Key==`Name`].Value|[0],CIDR:CidrBlock,AZ:AvailabilityZone}'
# Run drift detection
docker run --rm \
-v ~/.aws:/home/vpcuser/.aws:ro \
-v $(pwd)/vpc/configs:/app/configs:ro \
-v $(pwd)/vpc/reports:/app/reports \
vpc-provisioner:latest \
--config edge-prod-b001-us-west-2-vpc.yaml \
--action check-drift
Review LogsΒΆ
# Check recent execution logs
ls -lt reports/*.log | head -5
# Check for errors in logs
grep -i error reports/*.log
Update ScheduleΒΆ
Recommended ScheduleΒΆ
Security patches: Within 24 hours of release
Bug fixes: Within 1 week
Minor updates: Monthly
Major updates: Quarterly (after thorough testing)
Maintenance WindowsΒΆ
Development: Anytime
Staging: Business hours (for immediate feedback)
Production: Scheduled maintenance window with stakeholder notification
Copyright Β© 2025 Axon Tech Labs All rights reserved.
See LICENSE.txt for terms and conditions.