AWS Dev Day Oslo, April 3rd, 2019
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Oslo, 2019.04.03

CI/CD for Modern Applications
Danilo Poccia, Principal Evangelist, Serverless
@danilop
MAD1
Development transformation at Amazon: 2001–2002
2001: monolithic application + teams
Lesson learned: decompose for agility
2002: microservices + 2-pizza teams
Two-pizza teams
• Full ownership
• Full accountability
• “DevOps”
• Focused innovation
Monolith development lifecycle
developers → one delivery pipeline (build → test → release → monitor) → services

Microservice development lifecycle
developers → ??? → services

Microservice development lifecycle
developers → one delivery pipeline per service (build → test → release → monitor, repeated for each service) → services
Innovation flywheel
Listen → Iterate → Experiment (and back to Listen)
Experiments power the engine of rapid innovation
Approaches to modern application development
• Simplify environment management
• Reduce the impact of code changes
• Automate operations
• Accelerate the delivery of new, high-quality services
• Gain insight across resources and applications
• Protect customers and the business

Approaches to modern application development
• Simplify environment management with serverless technologies
• Reduce the impact of code changes with microservice architectures
• Automate operations by modeling applications & infrastructure as code
• Accelerate the delivery of new, high-quality services with CI/CD
• Gain insight across resources and applications by enabling observability
• Protect customers and the business with end-to-end security & compliance
What is serverless?
• No infrastructure provisioning, no management
• Automatic scaling
• Pay for value
• Highly available and secure

Approaches to modern application development
Serverless containers: long-running; abstracts the OS; fully managed orchestration; fully managed cluster scaling
Serverless functions: event-driven; many language runtimes; data source integrations; no server management
Comparison of operational responsibility (from more opinionated to less opinionated)

AWS Lambda – Serverless functions
  AWS manages: data source integrations; physical hardware, software, networking, and facilities; provisioning
  Customer manages: application code

AWS Fargate – Serverless containers
  AWS manages: container orchestration, provisioning; cluster scaling; physical hardware, host OS/kernel, networking, and facilities
  Customer manages: application code; data source integrations; security config and updates, network config, management tasks

ECS/EKS – Container management as a service
  AWS manages: container orchestration control plane; physical hardware, software, networking, and facilities
  Customer manages: application code; data source integrations; worker clusters; security config and updates, network config, firewall, management tasks

EC2 – Infrastructure as a Service
  AWS manages: physical hardware, software, networking, and facilities
  Customer manages: application code; data source integrations; scaling; security config and updates, network config, management tasks; provisioning, managing, scaling and patching of servers
Release process stages
Source → Build → Test → Production

Pillars of releasing modern applications

Pillars of releasing modern applications: Infrastructure as code

Infrastructure as code
Declarative: “I tell you what I need”
Imperative: “I tell you what to do”
Infrastructure as code goals
1. Make infrastructure changes repeatable and predictable
2. Release infrastructure changes using the same tools as code changes
3. Replicate production environment in a staging environment to enable continuous testing

Release infrastructure-as-code
“Master” branch → Prepare template → Create & execute change set → Create & execute change set
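The "create & execute change set" stages above are where a pipeline can stop a bad infrastructure change before it reaches production. The following added example (not code from the talk) reviews a CloudFormation change set between creation and execution and holds the release when it would replace or remove a stateful resource or change IAM permissions. The create_change_set, describe_change_set, execute_change_set calls and the change_set_create_complete waiter are the real boto3 CloudFormation ones; STATEFUL_TYPES, risky_changes(), release() and the FakeCloudFormation client used to run it offline are assumptions of this example.

```python
"""Review a CloudFormation change set before executing it (added example)."""
from typing import Any, Dict, List

# Resource types whose replacement or removal loses data (assumed list for this example).
STATEFUL_TYPES = {
    "AWS::DynamoDB::Table",
    "AWS::RDS::DBInstance",
    "AWS::S3::Bucket",
}


def risky_changes(change_set: Dict[str, Any]) -> List[str]:
    """Return reasons the change set needs a human review (empty means safe to execute).

    `change_set` has the shape returned by describe_change_set: each "Changes" entry
    carries a "ResourceChange" with Action, ResourceType, LogicalResourceId and, for
    modifications, a Replacement of "True", "False" or "Conditional" (strings, as the
    API returns them).
    """
    reasons = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange", {})
        rtype = rc.get("ResourceType", "")
        lid = rc.get("LogicalResourceId", "?")
        action = rc.get("Action")
        replacement = rc.get("Replacement")
        if rtype in STATEFUL_TYPES:
            if action == "Remove":
                reasons.append(f"{lid}: removes stateful resource {rtype}")
            elif replacement in ("True", "Conditional"):
                reasons.append(f"{lid}: replacement={replacement} for stateful {rtype}")
        if rtype.startswith("AWS::IAM::"):
            reasons.append(f"{lid}: {action} of {rtype} changes permissions")
    return reasons


def release(cfn, stack_name: str, template_body: str, change_set_name: str) -> str:
    """Create the change set, review it, execute only when nothing risky is found.

    Returns "EXECUTED" or "HELD" so a pipeline stage can fail on HELD.
    """
    cfn.create_change_set(
        StackName=stack_name,
        TemplateBody=template_body,
        ChangeSetName=change_set_name,
        ChangeSetType="UPDATE",
        Capabilities=["CAPABILITY_IAM"],
    )
    cfn.get_waiter("change_set_create_complete").wait(
        StackName=stack_name, ChangeSetName=change_set_name
    )
    described = cfn.describe_change_set(StackName=stack_name, ChangeSetName=change_set_name)
    reasons = risky_changes(described)
    if reasons:
        print("Change set held for review:")
        for reason in reasons:
            print("  -", reason)
        return "HELD"
    cfn.execute_change_set(StackName=stack_name, ChangeSetName=change_set_name)
    return "EXECUTED"


class FakeCloudFormation:
    """Offline stand-in for boto3.client("cloudformation"), constructed for this example."""

    def __init__(self, changes: List[Dict[str, Any]]):
        self.changes = changes
        self.executed = False

    def create_change_set(self, **kwargs):
        return {"Id": "arn:aws:cloudformation:eu-west-1:123456789012:changeSet/example"}

    def get_waiter(self, name):
        class _Waiter:
            def wait(self, **kwargs):
                return None
        return _Waiter()

    def describe_change_set(self, **kwargs):
        return {"Status": "CREATE_COMPLETE", "Changes": self.changes}

    def execute_change_set(self, **kwargs):
        self.executed = True


# Constructed change sets: a routine function update, and one that would also
# replace the DynamoDB table and modify the function's IAM role.
SAFE_CHANGES = [
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "GetFunction",
        "ResourceType": "AWS::Lambda::Function", "Replacement": "False"}},
]
RISKY_CHANGES = SAFE_CHANGES + [
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "MyTable",
        "ResourceType": "AWS::DynamoDB::Table", "Replacement": "True"}},
    {"Type": "Resource", "ResourceChange": {
        "Action": "Modify", "LogicalResourceId": "GetFunctionRole",
        "ResourceType": "AWS::IAM::Role", "Replacement": "False"}},
]

if __name__ == "__main__":
    for label, changes in (("safe", SAFE_CHANGES), ("risky", RISKY_CHANGES)):
        cfn = FakeCloudFormation(changes)
        print(label, "->", release(cfn, "my-stack-prod", "{}", "my-change-set"))
```

With a real client (`boto3.client("cloudformation")`) the same `release()` runs unchanged; the HELD path is where a manual approval action in the pipeline would take over.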
Model function environments with AWS Serverless Application Model (SAM)
• Open source framework for building serverless applications on AWS
• Shorthand syntax to express functions, APIs, databases, and event source mappings
• Transforms and expands SAM syntax into AWS CloudFormation syntax on deployment
• Supports all AWS CloudFormation resource types
https://aws.amazon.com/serverless/sam
Open Source
SAM template

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  GetFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.get
      Runtime: nodejs8.10
      CodeUri: src/
      Policies:
        - DynamoDBReadPolicy:
            TableName: !Ref MyTable
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /resource/{resourceId}
            Method: get
  MyTable:
    Type: AWS::Serverless::SimpleTable

Just 20 lines to create:
• Lambda function
• IAM role
• API Gateway
• DynamoDB table
Use SAM CLI to package and deploy SAM templates

sam init --name my-function --runtime python
cd my-function/
sam validate
sam local generate-event / invoke / start-api / start-lambda
sam build                                   # Depending on the runtime
sam package --s3-bucket my-packages-bucket \
    --output-template-file packaged.yaml
sam deploy --template-file packaged.yaml \
    --stack-name my-stack-prod
sam logs -n MyFunction --stack-name my-stack-prod -t
sam publish                                 # To the Serverless Application Repository

Open Source
Nested apps to simplify solving recurring problems

TweetSource:
  Type: AWS::Serverless::Application
  Properties:
    Location:
      ApplicationId: arn:aws:serverlessrepo:...
      SemanticVersion: 2.0.0
    Parameters:
      TweetProcessorFunctionName: !Ref MyFunction
      SearchText: '#serverless -filter:nativeretweets'

Standard component (Twitter Search Poller): polling schedule (CloudWatch Events rule) → trigger → Twitter Search → Search Checkpoint; calls the Twitter Search API
Custom business logic: Tweet Processor
Model container environments with AWS Cloud Development Kit (CDK) – Developer Preview
• Open source framework to define cloud infrastructure in JavaScript, TypeScript, Java, C#, Python, …
• Provides library of higher-level resource types (“construct” classes) that have AWS best practices built in by default, packaged as npm modules
• Provisions resources with CloudFormation
• Supports all CloudFormation resource types
https://awslabs.github.io/aws-cdk
Open Source
CDK template

import cdk = require('@aws-cdk/cdk');
import ec2 = require('@aws-cdk/aws-ec2');
import ecs = require('@aws-cdk/aws-ecs');

class BonjourFargate extends cdk.Stack {
  constructor(parent: cdk.App, name: string, props?: cdk.StackProps) {
    super(parent, name, props);

    const vpc = new ec2.VpcNetwork(this, 'MyVpc', { maxAZs: 2 });
    const cluster = new ecs.Cluster(this, 'Cluster', { vpc });

    new ecs.LoadBalancedFargateService(this, "FargateService", {
      cluster,
      image: ecs.DockerHub.image("amazon/amazon-ecs-sample"),
    });
  }
}

const app = new cdk.App();
new BonjourFargate(app, 'Bonjour');
app.run();
Model pipelines with AWS CDK
• Minimize copy-and-paste by using an object-oriented language
• Define microservice pipeline “shape” in one class, then re-use it across many pipelines
• CDK includes many high-level constructs for modeling a CodePipeline pipeline, including automatically configuring IAM role policies
CDK pipelines: Construct

export class MyMicroservicePipeline extends cdk.Construct {
  constructor(parent: cdk.Construct, name: string, props: MyMicroservicePipelineProps) {
    super(parent, name);

    const pipeline = new codepipeline.Pipeline(this, 'Pipeline', {
      pipelineName: props.serviceName,
    });

    // GitHub OAuth token is read from an SSM parameter, not hard-coded in the construct
    const githubAccessToken = new cdk.SecretParameter(this, 'GitHubToken',
      { ssmParameter: 'GitHubToken' });

    new codepipeline.GitHubSourceAction(this, 'GitHubSource', {
      stage: pipeline.addStage('Source'),
      owner: 'myorg',
      repo: props.serviceName,
      oauthToken: githubAccessToken.value
    });
    …
CDK pipelines: Stack

import cdk = require('@aws-cdk/cdk');
import { MyMicroservicePipeline } from './pipeline';

class MyMicroservicePipelinesStack extends cdk.Stack {
  constructor(parent: cdk.App, name: string, props?: cdk.StackProps) {
    super(parent, name, props);

    new MyMicroservicePipeline(this, 'Pipeline1', { 'serviceName': 'Microservice1' });
    new MyMicroservicePipeline(this, 'Pipeline2', { 'serviceName': 'Microservice2' });
    new MyMicroservicePipeline(this, 'Pipeline3', { 'serviceName': 'Microservice3' });
    new MyMicroservicePipeline(this, 'Pipeline4', { 'serviceName': 'Microservice4' });
  }
}

const app = new cdk.App();
new MyMicroservicePipelinesStack(app, 'MyMicroservicePipelines');
app.run();
Use CDK CLI to synthesize and deploy CDK templates

npm install -g aws-cdk
cdk init app --language typescript
cdk synth
cdk deploy
cdk diff
cdk destroy
Pillars of releasing modern applications: Continuous integration

Continuous integration goals
Source → Build → Test → Production

Continuous integration goals
1. Automatically kick off a new release when new code is checked in
2. Build and test code in a consistent, repeatable environment
3. Continually have an artifact ready for deployment
4. Continually close the feedback loop when a build fails
AWS CodePipeline
• Continuous delivery service for fast and reliable application updates
• Model and visualize your software release process
• Builds, tests, and deploys your code every time there is a code change
• Integrates with third-party tools and AWS

AWS CodePipeline: Supported sources
Automatically kick off release and pull latest source code
• Pick branch: AWS CodeCommit, GitHub
• Pick object or folder: Amazon S3
• Pick Docker tag: Amazon ECR

AWS CodePipeline: ECR source action
Source code: “master” branch
ECR repository: “release” tag

AWS CodePipeline: Supported triggers
Automatically kick off release
Amazon CloudWatch Events
• Scheduled (nightly release)
• AWS Health events (Fargate platform retirement)
Available in CloudWatch Events console, API, SDK, CLI, and AWS CloudFormation
Webhooks
• DockerHub
• Quay
• Artifactory
Available in CodePipeline API, SDK, CLI, and CloudFormation
AWS CodeBuild
• Fully managed build service that compiles source code, runs tests, and produces software packages
• Scales continuously and processes multiple builds concurrently
• No build servers to manage
• Pay by the minute, only for the compute resources you use
• Monitor builds through CloudWatch Events

AWS CodeBuild
• Each build runs in a new Docker container for a consistent, immutable environment
• Docker and AWS CLI are installed in every official CodeBuild image
• Provide custom build environments suited to your needs through the use of Docker images
AWS CodeBuild: Lambda buildspec

version: 0.2
phases:
  build:
    commands:
      - npm ci
      - npm test
      # "--output-template-file" is the flag's full name (the slide abbreviated it)
      - >
        aws cloudformation package
        --template-file template.yaml
        --output-template-file packaged.yaml
        --s3-bucket $BUCKET
artifacts:
  type: zip
  files:
    - packaged.yaml
AWS CodeBuild: Lambda buildspec using SAM CLI

version: 0.2
phases:
  install:
    commands:
      - pip install --upgrade awscli aws-sam-cli
  build:
    commands:
      - sam build
      - sam package --s3-bucket $BUCKET --output-template-file packaged.yaml
artifacts:
  type: zip
  files:
    - packaged.yaml

AWS CodeBuild: Docker buildspec

version: 0.2
phases:
  build:
    commands:
      - $(aws ecr get-login --no-include-email)
      - docker build -t $IMAGE_REPO_NAME:$IMAGE_TAG .
      - docker tag $IMAGE_REPO_NAME:$IMAGE_TAG $ECR_REPO:$IMAGE_TAG
      - docker push $ECR_REPO:$IMAGE_TAG
Pillars of releasing modern applications: Continuous deployment

Continuous deployment goals
Source → Build → Test → Production

Continuous deployment goals
1. Automatically deploy new changes to staging environments for testing
2. Deploy to production safely without impacting customers
3. Deliver to customers faster: increase deployment frequency, and reduce change lead time and change failure rate

AWS CodeDeploy
• Automates code deployments to any instance and Lambda
• Handles the complexity of updating your applications
• Avoid downtime during application deployment
• Roll back automatically if failure detected
• Deploy to Amazon EC2, containers, Lambda, or on-premises servers
CodeDeploy – Lambda deployments
Enable in your serverless application template

Resources:
  GetFunction:
    Type: AWS::Serverless::Function
    Properties:
      DeploymentPreference:
        Type: Canary10Percent10Minutes
        Alarms:
          - !Ref ErrorsAlarm
          - !Ref LatencyAlarm
        Hooks:
          PreTraffic: !Ref PreTrafficHookFunction
          PostTraffic: !Ref PostTrafficHookFunction

Available deployment preference types:
• Canary10Percent30Minutes
• Canary10Percent5Minutes
• Canary10Percent10Minutes
• Canary10Percent15Minutes
• Linear10PercentEvery10Minutes
• Linear10PercentEvery1Minute
• Linear10PercentEvery2Minutes
• Linear10PercentEvery3Minutes
• AllAtOnce
CodeDeploy – Lambda canary deployment
API Gateway → Lambda function weighted alias “live” → v1 Lambda function code (100%)

CodeDeploy – Lambda canary deployment
API Gateway → weighted alias “live” → v1 code 100%, v2 code 0%
Run PreTraffic hook against v2 code before it receives traffic

CodeDeploy – Lambda canary deployment
API Gateway → weighted alias “live” → v1 code 90%, v2 code 10%
Wait for 10 minutes, roll back in case of alarm

CodeDeploy – Lambda canary deployment
API Gateway → weighted alias “live” → v1 code 0%, v2 code 100%
Run PostTraffic hook and complete deployment
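The PreTraffic hook in the sequence above is the gate that decides whether v2 ever gets its 10% of the alias. The following is an added example of such a hook (not code from the talk or from the demo repository): CodeDeploy invokes the function named under DeploymentPreference.Hooks.PreTraffic with a DeploymentId and a LifecycleEventHookExecutionId and waits until the hook reports "Succeeded" or "Failed" through put_lifecycle_event_hook_execution_status; those event keys and that API call are CodeDeploy's. The smoke test itself, the NEW_VERSION environment variable, aws_invoker() and the fakes used to run the file offline are assumptions of this example.

```python
"""PreTraffic hook for a CodeDeploy Lambda canary deployment (added example)."""
import json
import os
from typing import Any, Callable, Dict

Invoker = Callable[[Dict[str, Any]], Dict[str, Any]]


def aws_invoker(lambda_client, function_arn: str) -> Invoker:
    """Invoke one specific (versioned) function ARN and return its decoded result."""
    def invoke(payload: Dict[str, Any]) -> Dict[str, Any]:
        raw = lambda_client.invoke(FunctionName=function_arn,
                                   Payload=json.dumps(payload).encode())
        result = json.loads(raw["Payload"].read())
        if "FunctionError" in raw:  # unhandled exception inside the candidate version
            raise RuntimeError(result)
        return result
    return invoke


def smoke_test(invoke_new_version: Invoker) -> bool:
    """Exercise the candidate version before it gets any share of the alias.

    Every failure mode, including an exception, maps to False: an unverified
    version must not receive traffic, and the hook must always report back so
    the deployment does not hang until its timeout.
    """
    try:
        response = invoke_new_version({"pathParameters": {"resourceId": "smoke-test"}})
        body = json.loads(response.get("body", "null"))
    except Exception as exc:  # noqa: BLE001 - any failure is a failed gate
        print(f"smoke test failed: {exc!r}")
        return False
    return response.get("statusCode") == 200 and isinstance(body, dict) and "resourceId" in body


def handler(event, context, codedeploy=None, invoke_new_version=None) -> str:
    """Lambda entry point. Returns the status reported to CodeDeploy."""
    deployment_id = event["DeploymentId"]
    hook_execution_id = event["LifecycleEventHookExecutionId"]

    if codedeploy is None or invoke_new_version is None:
        import boto3  # imported lazily so the offline run below does not need it
        if codedeploy is None:
            codedeploy = boto3.client("codedeploy")
        if invoke_new_version is None:
            # NEW_VERSION: qualified ARN of the candidate version (assumed env var)
            invoke_new_version = aws_invoker(boto3.client("lambda"), os.environ["NEW_VERSION"])

    status = "Succeeded" if smoke_test(invoke_new_version) else "Failed"
    codedeploy.put_lifecycle_event_hook_execution_status(
        deploymentId=deployment_id,
        lifecycleEventHookExecutionId=hook_execution_id,
        status=status,
    )
    return status


# --- offline stand-ins, constructed for this example -----------------------
class FakeCodeDeploy:
    """Records what the hook reports instead of calling the CodeDeploy API."""
    def __init__(self):
        self.reported = None

    def put_lifecycle_event_hook_execution_status(self, **kwargs):
        self.reported = kwargs
        return {"lifecycleEventHookExecutionId": kwargs["lifecycleEventHookExecutionId"]}


def healthy_v2(payload):
    """A v2 that answers like the GetFunction of the SAM template is expected to."""
    rid = payload["pathParameters"]["resourceId"]
    return {"statusCode": 200, "body": json.dumps({"resourceId": rid})}


def broken_v2(payload):
    """A v2 that crashes on cold start, e.g. a missing environment variable."""
    raise RuntimeError("KeyError: 'TABLE_NAME'")


EVENT = {"DeploymentId": "d-EXAMPLE123", "LifecycleEventHookExecutionId": "hook-exec-EXAMPLE"}

if __name__ == "__main__":
    for label, candidate in (("healthy v2", healthy_v2), ("broken v2", broken_v2)):
        cd = FakeCodeDeploy()
        print(f"{label}: {handler(EVENT, None, codedeploy=cd, invoke_new_version=candidate)}")
```

A "Failed" report makes CodeDeploy roll the alias back to v1 before any customer traffic reached v2, which is the point of running the hook at 0%; the PostTraffic hook can reuse the same shape to verify the deployment after the shift completes.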
API Gateway canary stage
API Gateway → Production stage (v1 code, 99.5%) and Canary stage (v2 code, 0.5%)
CodeDeploy-ECS blue-green deployments
• Provisions “green” tasks, then flips traffic at the load balancer
• Validation “hooks” enable testing at each stage of the deployment
• Fast rollback to “blue” tasks in seconds in case of hook failure or CloudWatch alarms
• Monitor deployment status and history via console, API, Amazon SNS notifications, and CloudWatch Events
• Use “CodeDeploy-ECS” deploy action in CodePipeline or “aws ecs deploy” command in Jenkins
CodeDeploy-ECS appspec

version: 1.0
Resources:
  - TargetService:
      Type: AWS::ECS::Service
      Properties:
        TaskDefinition: "my_task_definition:8"
        LoadBalancerInfo:
          ContainerName: "SampleApp"
          ContainerPort: 80
Hooks:
  - BeforeInstall: "LambdaFunctionToExecuteAnythingBeforeNewRevisionInstallation"
  - AfterInstall: "LambdaFunctionToExecuteAnythingAfterNewRevisionInstallation"
  - AfterAllowTestTraffic: "LambdaFunctionToValidateAfterTestTrafficShift"
  - BeforeAllowTraffic: "LambdaFunctionToValidateBeforeTrafficShift"
  - AfterAllowTraffic: "LambdaFunctionToValidateAfterTrafficShift"
CodeDeploy-ECS blue-green deployment
100% prod traffic to the current (blue) tasks

CodeDeploy-ECS blue-green deployment
Target group 2 and a test traffic listener (port 9000) are added; 100% prod traffic still on blue

CodeDeploy-ECS blue-green deployment
Provision green tasks (v2 code); 100% prod traffic still on blue

CodeDeploy-ECS blue-green deployment
100% test traffic → green tasks, 100% prod traffic → blue tasks
Run hook against test endpoint before green tasks receive prod traffic

CodeDeploy-ECS blue-green deployment
Flip traffic to green tasks (100% prod traffic → green, 0% → blue), roll back in case of alarm

CodeDeploy-ECS blue-green deployment
Drain blue tasks; 100% prod traffic on green
Container image tagging for deployments
• Docker tags are resolved when each container starts, not just during deployments
• Deploying “latest” or “prod” can result in untested code in production after a scale-out event
• Use unique “immutable” tags for deployments

Container image tagging for deployments
Container image tagging for deployments
Build pushes new “latest” image
Image: <repository>@sha256:<digest> (“latest”)

Container image tagging for deployments
Service scales up, launching new tasks
Image: <repository>@sha256:<digest> (“latest”)
Container image tagging for deployments
Deploy using immutable tags

SHA256 digest:
{
  "name": "sample-app",
  "image": "amazon/amazon-ecs-sample@sha256:3e39d933b1d948c92309bb583b5a1f3d28f0119e1551ca1fe538ba414a41af48d"
}

Build ID:
{
  "name": "sample-app",
  "image": "amazon/amazon-ecs-sample:build-b2085490-359f-4eaf-8970-6d1e26c354f0"
}

Container image tagging for deployments
Compute immutable tags during build

SHA256 digest:
export IMAGE_URI=$(docker inspect --format='{{index .RepoDigests 0}}' my_image:$IMAGE_TAG)
Example result: amazon/amazon-ecs-sample@sha256:3e39d933b...

Build ID:
export IMAGE_TAG=build-$(echo $CODEBUILD_BUILD_ID | awk -F":" '{print $2}')
Example result: build-b2085490-359f-4eaf-8970-6d1e26c354f0
Container image tagging for deployments
Build pushes new image tagged with new build ID
Image: <repository>@sha256:<digest> (“build-22222”)

Container image tagging for deployments
Service scales up, launching new tasks
Image: <repository>@sha256:<digest> (“build-22222”)

Container image tagging for deployments
Deployment updates service’s task definition, replacing tasks
Image: “build-22222” tag
Image: <repository>@sha256:<digest> (“build-22222”)
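The tagging rule in the slides above (deploy by digest or by a unique build-ID tag, never by "latest" or "prod") is easy to enforce as a pipeline check before a task definition is registered. The following added example (not code from the talk) does that: build_tag_from_codebuild_id() performs the same split as the awk one-liner on the slide, classify_image() tells a digest or build-ID reference from a mutable tag, and audit_task_definition() lists every container that would pick up untested code on a scale-out. The task definition, the registry names and the 64-hex digest in it are constructed sample data, and the function names are this example's own.

```python
"""Audit an ECS task definition for mutable container image references (added example)."""
import re
from typing import Dict, List, Optional, Tuple

SHA256_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")
# Unique tag derived from $CODEBUILD_BUILD_ID (a UUID after the "project:" prefix).
BUILD_ID_TAG = re.compile(
    r"^build-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def build_tag_from_codebuild_id(build_id: str) -> str:
    """'my-project:b2085490-...' -> 'build-b2085490-...' (same split as the slide's awk)."""
    _, sep, uuid = build_id.partition(":")
    if not sep or not uuid:
        raise ValueError(f"unexpected CODEBUILD_BUILD_ID: {build_id!r}")
    return f"build-{uuid}"


def split_image(image: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'repo[:tag][@digest]' into (repo, tag, digest).

    The tag is the text after the last ':' only when no '/' follows it, so a
    registry port such as 'registry.example:5000/app' is not mistaken for a tag.
    """
    repo, _, digest = image.partition("@")
    tag = None
    colon = repo.rfind(":")
    if colon > repo.rfind("/"):
        repo, tag = repo[:colon], repo[colon + 1:]
    return repo, tag, digest or None


def classify_image(image: str) -> str:
    """'digest' | 'build-tag' | 'mutable' (anything a later push can silently change)."""
    _, tag, digest = split_image(image)
    if digest is not None and SHA256_DIGEST.match(digest):
        return "digest"      # content-addressed: the same bytes every time a task starts
    if tag is not None and BUILD_ID_TAG.match(tag):
        return "build-tag"   # unique per build, so a scale-out cannot pick up newer code
    return "mutable"         # 'latest', 'prod', no tag at all, or any re-pushable tag


def audit_task_definition(task_def: Dict) -> List[Dict[str, str]]:
    """Return one finding per container whose image reference is mutable."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        image = container["image"]
        if classify_image(image) != "mutable":
            continue
        _, tag, _ = split_image(image)
        shown = tag or "latest (implicit)"
        findings.append({
            "container": container["name"],
            "image": image,
            "reason": f"tag {shown!r} is mutable; a scale-out may launch untested code",
        })
    return findings


# Constructed task definition: one mutable tag, one digest, one build-ID tag,
# and an untagged image from a registry with a port (implicit "latest").
TASK_DEFINITION = {
    "family": "sample-app",
    "containerDefinitions": [
        {"name": "web", "image": "amazon/amazon-ecs-sample:latest"},
        {"name": "api", "image": "amazon/amazon-ecs-sample@sha256:" + "ab" * 32},
        {"name": "worker",
         "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/sample-app:"
                  "build-b2085490-359f-4eaf-8970-6d1e26c354f0"},
        {"name": "sidecar", "image": "registry.example:5000/envoy"},
    ],
}

if __name__ == "__main__":
    print("tag for this build:",
          build_tag_from_codebuild_id("my-project:b2085490-359f-4eaf-8970-6d1e26c354f0"))
    for finding in audit_task_definition(TASK_DEFINITION):
        print(f"{finding['container']}: {finding['image']} -> {finding['reason']}")
```

A non-empty audit result is what the build stage should fail on; the digest form is the stronger of the two immutable references, because a build-ID tag still relies on nobody re-pushing it (ECR's tag immutability setting closes that gap).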
Capital One – Credit Offers API serverless architecture
Diagram components: Affiliates; www.capitalone.com/credit-cards/prequalify; AWS Cloud / Capital One VPC; API Gateway; Lambda Function; S3 Bucket (TTL); Lambda Function; Third-Party API; traces and logs feeding the Production Support Command Center and COAT (Credit Offers API Team)
Capital One – Credit Offers API CI/CD pipeline
Continuous Improvement, Continuous Delivery!
GitHub → LGTM Bot → Jenkins → AWS SAM → S3 Bucket (Versioning) → Lambda Function

DeploymentType:
  dev: AllAtOnce
  qa: AllAtOnce
  qaw: AllAtOnce
  prod: Canary10Percent10Minutes
  prodw: Canary10Percent10Minutes

canary5xxGetProductsAlarm:
  Type: AWS::CloudWatch::Alarm
  Properties:
    AlarmActions:
      - !FindInMap [params, AdminSNSTopic, !Ref Environment]
    AlarmDescription: 500 error from product listing Lambda.
    ComparisonOperator: GreaterThanOrEqualToThreshold
    Period: 300
    Statistic: Sum
    Threshold: 1
    EvaluationPeriods: 1
Capital One – Benefits from taking the API serverless
70% performance gains: from the time the request is received by Lambda to the time to send the response back
90% cost savings: by removing EC2, ELB and RDS from our solution
30% increase in team velocity: reduce investment in team’s time on DevOps and dedicate it back to feature development!

Demo – Store & Reply
AWS Cloud / Region
https://github.com/danilop/store-and-reply

Takeaways
1. Manage your infrastructure as code
2. Frequently build and integrate your code to get a first feedback
3. Continuously release in production using canary releases with monitoring and automated rollbacks
4. Use canary releases to get both technical and business feedback

Thank you!
Danilo Poccia
@danilop