- Published on
Best Practices for Versioning Across AWS GovCloud and Commercial AWS
Why Version Management Matters Between GovCloud and AWS
For organizations operating in both AWS GovCloud and commercial AWS environments, maintaining consistent and reliable versioning is critical. Different compliance and security requirements in GovCloud often require separate deployments, but duplicating every single file is inefficient and unmanageable. Instead, we need a streamlined approach to versioning that ensures consistency without redundancy.
Key Challenges
Regulatory differences – GovCloud has stricter compliance requirements that may impact infrastructure and deployment strategies.
Infrastructure drift – Managing separate AWS environments can lead to unintended differences in configurations and versions.
Duplication overhead – Copying every single file between environments is inefficient and can lead to inconsistencies.
Best Practices for Versioning Across AWS GovCloud and Commercial AWS
Use a Monorepo with Environment-Specific Configurations
Instead of maintaining separate repositories for GovCloud and AWS, use a monorepo that allows shared code while keeping environment-specific configurations separate.
I like pnpm workspaces. However, if you have a large, complex codebase or application you might want to opt for something like Lerna or Nx.
Feature Flags in TypeScript for GovCloud-Specific Logic
Feature flags allow you to toggle functionality depending on whether the application is running in GovCloud or standard AWS.
Example: Using Feature Flags in TypeScript
const isGovCloud = process.env.AWS_REGION?.startsWith("us-gov");
if (isGovCloud) {
console.log("Running in AWS GovCloud");
} else {
console.log("Running in Commercial AWS");
}
Versioning Infrastructure as Code (IaC) with Terraform
Use Infrastructure as Code (IaC) tools like Terraform or AWS CloudFormation with versioning strategies to keep deployments consistent across both environments.
Example: Terraform Folder Structure
infra/
├── modules/
│ ├── networking/
│ ├── compute/
├── environments/
│ ├── aws/
│ ├── govcloud/
Example: Terraform Workspace-Based Versioning
terraform workspace select aws-prod
terraform apply -var="app_version=1.2.3"
terraform workspace select govcloud-prod
terraform apply -var="app_version=1.2.3"
Automate Deployments with CI/CD Pipelines
A well-structured CI/CD pipeline ensures consistency while applying versioning rules. Below is a GitHub Actions workflow that:
Deploys to both GovCloud and AWS. Uses semantic versioning for each deployment. Stores versioned artifacts for each environment
name: Deploy to AWS and GovCloud
on:
push:
branches:
- main
tags:
- 'v*' # Only run for versioned tags like v1.2.3
jobs:
deploy:
runs-on: ubuntu-latest
strategy:
matrix:
environment: [aws, govcloud]
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Extract Version from Tag
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
- name: Set AWS Region
run: |
if [ "${{ matrix.environment }}" == "govcloud" ]; then
echo "AWS_REGION=us-gov-west-1" >> $GITHUB_ENV
else
echo "AWS_REGION=us-east-1" >> $GITHUB_ENV
fi
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Deploy to AWS/GovCloud
run: |
aws cloudformation deploy \
--stack-name my-app-${{ matrix.environment }} \
--template-file infrastructure/${{ matrix.environment }}-template.yml \
--parameter-overrides Version=${{ env.VERSION }} \
--region $AWS_REGION
The example above:
✔ Versioning: Extracts version from Git tag (e.g., v1.2.3).
✔ Environment-Aware: Deploys to AWS or GovCloud based on matrix.environment.
✔ Versioned Deployments: Uses the Version parameter in CloudFormation for tracking releases.
Maintain Separate Artifact Versions
Each deployment should store versioned artifacts in a shared repository like S3 or AWS CodeArtifact.
Example: Uploading Versioned Artifacts to S3
aws s3 cp build.zip s3://my-artifacts-bucket/${ENVIRONMENT}/v${VERSION}/build.zip
Example: Listing Available Versions
aws s3 ls s3://my-artifacts-bucket/${ENVIRONMENT}/
result:
2023-03-20 15:00:00 v1.2.1/
2023-03-21 12:45:00 v1.2.2/
2023-03-22 09:30:00 v1.2.3/
Use Parameter Store or Secrets Manager for Environment-Specific Configurations
Store sensitive and environment-specific configurations in AWS Systems Manager Parameter Store or AWS Secrets Manager, rather than hardcoding them.
Instead of maintaining separate configuration files, AWS Parameter Store can be used to store environment-specific values dynamically.
Example: Storing Parameters
aws ssm put-parameter --name "/my-app/config" --value "govcloud" --type String --region us-gov-west-1
Example: Retrieving Parameters in Python
import boto3
ssm = boto3.client("ssm", region_name="us-gov-west-1")
param = ssm.get_parameter(Name="/my-app/config", WithDecryption=True)
print("Config Value:", param["Parameter"]["Value"])
Conclusion
Managing versioning across AWS GovCloud and commercial AWS requires a structured approach to avoid duplication while maintaining compliance. By using a monorepo, feature flags, versioned Infrastructure as Code, CI/CD pipelines, and artifact repositories, teams can ensure consistency and efficiency in multi-environment deployments.
Implementing these strategies will help reduce operational overhead, minimize infrastructure drift, and ensure that updates are applied uniformly across all environments.
However, you still will need an observability, monitoring, compliance and alerting strategy to ensure that your application is running as expected in both environments. Especially to maintain compliance like FedRAMP.