DevOps practices for small serverless teams

I’ve written in the past about how serverless fostering small autonomous teams is my single biggest motivator for choosing to specialise in serverless. And in a recent episode of Yan Cui’s Real World Serverless podcast, two technical startup founders cited their relative lack of expertise with DevOps practices as one of their main reasons for selecting a serverless tech stack. The empowerment that serverless brings to individual application developers to ship fast can be very rewarding.

But yet, there are still several DevOps concerns that need to be addressed and these can take some time to put in place. Choosing to go serverless is only part of the puzzle. In fact, I rank practices like continuous delivery and automated testing as more important for effective software delivery than choosing a serverless architecture. So if you’re busy obsessing over the design of a complex async workflow but have no automated integration tests or deployment pipeline, you might want to examine your priorities!

So what are all the different DevOps concerns that small teams of serverless developers (with limited or no in-house DevOps expertise) need to consider and put into practice? Here’s a list to get you started:

• Provisioning of isolated cloud environments for individual developers.
• Provisioning of secure and isolated shared environments (test, staging, prod, etc) with least-privilege permissions
• Governance and access control mechanism to allow engineers role-restricted access to different cloud environments (e.g. AWS SSO + AWS Organizations)
• Account-related monitoring—billing alerts, audit trails, etc

• CI/CD pipelines for:

  • Running checks on changes in a Pull Request
  • Deploying services to shared environments (test, staging, prod) and running post-deployment checks after merge into mainline
• Automated tests: unit, integration, E2E, smoke

• Deployment scripts for:

  • Deploying workload stacks to an environment
  • Deploying configuration settings, e.g. secrets to SSM Parameter Store
• Application workload-related monitoring and alerting for production environment— how will you know when there’s a problem so that you can react fast?
• Dependency version management process — how are you going to ensure that all your NPM packages are kept up-to-date, especially for security vulnerabilities?

• Documented processes for:

  • Administering access to and configuration of the cloud organisation
  • New developers setting up their dev environment
  • Typical feature development workflow
  • Administering the CI/CD pipelines

All of these tasks are common to almost all serverless projects, irrespective of the application’s feature and architectural requirements. If you’d like to learn more about any of the above for your team, just hit reply because I love chatting about this stuff (or you can even check out my Serverless Launchpad service if you’d like more hands-on help from me).

I’ll say it again: choosing a serverless stack is not a panacea—if you skimp on core DevOps practices then you’ll struggle to realise the benefits that serverless can bring.