Software Deployment Checklist: Be Ready for Production

Deploying software to production correctly is a challenge. Bad deployments can lead to delays and even downtime. Being in charge of a deployment process is a big responsibility as well as a huge challenge. Modern software deployment involves many moving parts across the organization and its toolset. You need a plan. Consider adding the following checklist to your toolkit for creating a comprehensive deployment plan.

Keep in mind, however, that this checklist is not meant to be the last word on every type of software or every deployment. Not all items will apply to every use case. The checklist is meant to be a starting point for more in-depth discussions with your team.

This is the critical stage where you put the pieces required for a successful deployment in place.

Why: Creating a deployment plan is an opportunity to get insight from all stakeholders. Once the plan is in place, it provides crucial information and instructions for the entire deployment.

How: Plans may involve both manual and automated testing at each deployment stage. Risk analyses, checklists, responsibilities, and contact information for each stakeholder also play a role. The plan should be reviewed and approved by all stakeholders.

Why: Deployments can fail. If your production environment goes down after a deployment, often the best course of action is rolling back to the previous version of the software. Being able to do so quickly makes all the difference to getting your production environment back up and running.

How: Include a rollback plan in your testing plan. Clarify who is responsible and make sure they are available during the deployment. Design a process that can be implemented quickly to minimize downtime. Consider using feature flags to gain more granular control over deploying each feature.

Why: Coherent versioning and release notes contribute to good documentation, especially if you use or hope to use versioned documentation systems. Furthermore, being able to associate any issues with the correct system is valuable for support.

How: Create a formal release or tag in Git or other version control systems. Produce release notes with the features and bugs fixed in each release. Enable bug trackers to associate issues with specific versions.

Why: Understanding the meaning of success can help track and analyze your deployments. This information is key to improving the deployment process long term.

How: Include KPIs in your test plan. Set up any metrics tools needed for measuring KPIs in advance.

Just because an application works in testing environments doesn’t mean it’s ready for deployment. Getting the application code right can make all the difference in whether a deployment is a success or failure.

Why: Almost all software has outside dependencies (e.g., open-source libraries or third-party code used by a marketing department). Risks include security vulnerabilities and losing access to important business tools.

How: Ensure that all third-party code in all environments is known and included in the testing plan. In addition, if code depends on third-party libraries, audit for security vulnerabilities and plan an update if you find any.

Why: All applications should have performance, security, and accessibility standards. Additionally, mobile applications may be required to meet app store standards.

How: Determine all standards the deployment needs to meet and add each to your deployment plan.

Why: This is crucial if the deployment is to a new environment, such as a new cloud provider or server. Incorrect or missing configurations can lead to long delays.

How: Plan for the correct network protocols to handle any CDNs and for routing/DNS changes.

Why: Having correct and current security certificates ensures that all users can access your application through the internet without getting browser warnings about insecurity.

How: Include certs in your deployment plan. Ensure they are ready and not expired in advance.

Why: Alerts are essential when something goes wrong. A deployment could be fine at first and then go down in the middle of the night. On-call staff need to get the alerts. In addition, monitoring (security, networking, error) is important for business analytics and for catching problems before they impact business.

How: Include alerts and monitoring in the deployment plan, even if you have an existing system. Test the system after deployment to ensure it is working as expected.

Why: Logs are useful for debugging any issues that may come up during deployment. In addition, poorly configured logging can cause server performance degradation.

How: Audit logging strategies and ensure they are configured correctly.

Why: Exciting new deployment? Traffic spikes can lead to downtime right when users are trying to access your application.

How: Ensure tools for managing traffic (e.g., proxies, load balancers) are ready to handle what comes.

Why: Caching is both important for performance and a potential frustration if it means that users can’t access the new deployment when expected.

How: Consider clearing the cache after deploying. Include an overall caching strategy for deployment and post-deployment in your plan.

Why: Environment variables are different for each environment and may contain infrastructure configuration, credentials, and more. Missing or incorrect environment files can cause downtime and security risks.

How: Ensure all environment files are correct in all stages and that they won’t be overwritten or inadvertently changed by a deployment.

Consider deployment testing the rehearsal for the real deal. For the greatest accuracy, the testing should simulate a real deployment as much as possible. With a mature deployment strategy and the right safeguards in place, you may even consider testing directly in the production environment.

Why: A simple staging environment is not enough to catch issues caused by environment-specific configurations. 

How: Prepare a staging environment configured to be as similar to production as possible—and eventually, test in production (when you are ready!) with feature flags.

Why: Production data is far more complex than simple dummy data. Issues caused by variations in the data or the volume of data will be missed if you test with only a few simple test data cases.

How: Use real production data in the simulated deployment if at all possible. Of course, security and privacy concerns make it imperative to handle real production data appropriately—so consider limiting who and what has access to it. (In fact, some tools intentionally do not require end user data to be stored at all, helping you comply with requirements and protect customers.) 

Why: If continuous integration/continuous deployment (CI/CD) tools don’t work right, the deployment will fail. Or the deployment could unintentionally proceed even when an important test fails.

Getting it right: Ideally, the test deployment should use the same tools as a production deployment, such as CI/CD. Audit the automated testing used by these tools to make sure critical test failures prevent deployment and minor warnings will not block deployment.

Here is the checklist in an easily printable format for checking off each item:

• Prepare a Plan

• Formulate a Rollback Plan

• Determine Release Versioning

• Agree on KPIs

• Audit Third-Party Code

• Ensure the Final Application Meets Standards

• Plan Network Configuration

• Have SSL Certificates Ready to Deploy Alongside the Application

• Set Up Monitoring and Alerts

• Confirm Logging

• Prepare for Any Traffic Spikes

• Configure and Test Caching

• Set Up Environment Variables

• Deploy to an Environment Similar to Production (or Test in Production)

• Use Real Data for Testing If You Can

• Test All Systems Used in Deployment

In addition to all the items on this checklist, consider decoupling feature release from deployment by using feature flags. These allow features to be turned on after the deployment dust has settled. Additionally, if a feature causes problems, you can turn it off rather than trying to roll back the entire deployment. If you’re interested, one option is CloudBees Feature Management, which offers loads of capabilities for automation, security, governance, and more—helping you to manage more flags safely with less overhead. 

This post was written by Melissa McEwen. Melissa specializes in wearing many hats, with work ranging from content editor to project manager to full-stack developer. Her passions are code quality, work-life balance, and JavaScript. She aims to write in a way that speaks to what developers care about.

• Read the whitepaper: Grow Continuous Delivery Maturity Using Feature Flags