CI/CD on AWS

© 2019, Amazon Web Services, Inc. or its affiliates. All
rights reserved. S U M M I T CI/CD on AWS Danilo Poccia Principal Evangelist, Serverless AWS @danilop Tonino Greco Head of Infrastructure and DevOps Dunelm @toninog

rights reserved. S U M M I T Listen Iterate Experiment Innovation Flywheel Experiments power the engine of rapid innovation

rights reserved. S U M M I T Pillars of releasing modern applications

rights reserved. S U M M I T Pillars of releasing modern applications Infrastructure as code

rights reserved. S U M M I T Infrastructure as code goals 1. Make infrastructure changes repeatable and predictable 2. Release infrastructure changes using the same tools as code changes 3. Replicate production environment in a staging environment to enable continuous testing

rights reserved. S U M M I T Release infrastructure-as-code with AWS CloudFormation “Master” branch Prepare template Create & execute change set Create & execute change set

rights reserved. S U M M I T Model function environments with AWS Serverless Application Model (SAM) • Open source framework for building serverless applications on AWS • Shorthand syntax to express functions, APIs, databases, and event source mappings • Transforms and expands SAM syntax into AWS CloudFormation syntax on deployment • Supports all AWS CloudFormation resource types https://aws.amazon.com/serverless/sam/

rights reserved. S U M M I T Model container environments with AWS Cloud Development Kit (CDK) • Open source framework to define cloud infrastructure in TypeScript, Java, C#, … • Provides library of higher-level resource types (“construct” classes) that have AWS best practices built in by default, packaged as npm modules • Provisions resources with CloudFormation • Supports all CloudFormation resource types AWS CDK https://awslabs.github.io/aws-cdk D eveloper Preview

rights reserved. S U M M I T AWS Cloud Development Kit (CDK) npm install -g aws-cdk cdk init app --language typescript cdk synth cdk deploy cdk diff cdk destroy CodePipeline Use CloudFormation deployment actions with any synthesized CDK application Jenkins Use CDK CLI D eveloper Preview TypeScript C# F# Java Python …

rights reserved. S U M M I T CDK template import ec2 = require('@aws-cdk/aws-ec2'); import ecs = require('@aws-cdk/aws-ecs'); import cdk = require('@aws-cdk/cdk'); class BonjourFargate extends cdk.Stack { constructor(parent: cdk.App, name: string, props?: cdk.StackProps) { super(parent, name, props); const vpc = new ec2.VpcNetwork(this, 'MyVpc', { maxAZs: 2 }); const cluster = new ecs.Cluster(this, 'Cluster', { vpc }); new ecs.LoadBalancedFargateService( this, "FargateService", { cluster, image: ecs.DockerHub.image("amazon/amazon-ecs-sample"), }); } } const app = new cdk.App(); new BonjourFargate(app, 'Bonjour'); app.run(); TypeScript

rights reserved. S U M M I T import ec2 = require('@aws-cdk/aws-ec2'); import ecs = require('@aws-cdk/aws-ecs'); import cdk = require('@aws-cdk/cdk'); class BonjourFargate extends cdk.Stack { constructor(parent: cdk.App, name: string, props?: cdk.StackProps) { super(parent, name, props); const vpc = new ec2.VpcNetwork(this, 'MyVpc', { maxAZs: 2 }); const cluster = new ecs.Cluster(this, 'Cluster', { vpc }); new ecs.LoadBalancedFargateService( this, "FargateService", { cluster, image: ecs.DockerHub.image("amazon/amazon-ecs-sample"), }); } } const app = new cdk.App(); new BonjourFargate(app, 'Bonjour'); app.run(); CDK template TypeScript

rights reserved. S U M M I T CDK template import ec2 = require('@aws-cdk/aws-ec2'); import ecs = require('@aws-cdk/aws-ecs'); import cdk = require('@aws-cdk/cdk'); class BonjourFargate extends cdk.Stack { constructor(parent: cdk.App, name: string, props?: cdk.StackProps) { super(parent, name, props); const vpc = new ec2.VpcNetwork(this, 'MyVpc', { maxAZs: 2 }); const cluster = new ecs.Cluster(this, 'Cluster', { vpc }); new ecs.LoadBalancedFargateService( this, "FargateService", { cluster, image: ecs.DockerHub.image("amazon/amazon-ecs-sample"), }); } } const app = new cdk.App(); new BonjourFargate(app, 'Bonjour'); app.run(); TypeScript

rights reserved. S U M M I T CDK Lambda cron example export class LambdaCronStack extends cdk.Stack { constructor(app: cdk.App, id: string) { super(app, id); const lambdaFn = new lambda.Function(this, 'Singleton', { code: new lambda.InlineCode( fs.readFileSync('lambda-handler.py', { encoding: 'utf-8' })), handler: 'index.main’, timeout: 300, runtime: lambda.Runtime.Python37, }); const rule = new events.EventRule(this, 'Rule', { scheduleExpression: 'cron(0 18 ? * MON-FRI *)’, }); rule.addTarget(lambdaFn); } } Lambda function CloudWatch Events rule CloudFormation Stack Set the target TypeScript

rights reserved. S U M M I T Model pipelines with AWS CDK • Minimize copy-and-paste by using object-oriented language • Define microservice pipeline “shape” in one class, then re-use it across many pipelines • CDK includes many high-level constructs for modeling a CodePipeline pipeline, including automatically configuring IAM role policies

rights reserved. S U M M I T CDK pipelines: Construct export class MyMicroservicePipeline extends cdk.Construct { constructor(parent: cdk.Construct, name: string, props: MyMicroservicePipelineProps) { super(parent, name); const pipeline = new codepipeline.Pipeline(this, 'Pipeline', { pipelineName: props.serviceName, }); const githubAccessToken = new cdk.SecretParameter(this, 'GitHubToken', { ssmParameter: 'GitHubToken' }); new codepipeline.GitHubSourceAction(this, 'GitHubSource', { stage: pipeline.addStage('Source'), owner: 'myorg', repo: props.serviceName, oauthToken: githubAccessToken.value }); …

rights reserved. S U M M I T CDK pipelines: Stack import cdk = require('@aws-cdk/cdk'); import { MyMicroservicePipeline } from './pipeline'; class MyMicroservicePipelinesStack extends cdk.Stack { constructor(parent: cdk.App, name: string, props?: cdk.StackProps) { super(parent, name, props); new MyMicroservicePipeline(this, 'Pipeline1', { 'serviceName': 'Microservice1' }); new MyMicroservicePipeline(this, 'Pipeline2', { 'serviceName': 'Microservice2' }); new MyMicroservicePipeline(this, 'Pipeline3', { 'serviceName': 'Microservice3' }); new MyMicroservicePipeline(this, 'Pipeline4', { 'serviceName': 'Microservice4' }); } } const app = new cdk.App(); new MyMicroservicePipelinesStack(app, 'MyMicroservicePipelines'); app.run();

rights reserved. S U M M I T Pillars of releasing modern applications Infrastructure as code

rights reserved. S U M M I T Pillars of releasing modern applications Continuous integration

rights reserved. S U M M I T Continuous integration goals Source Build Test Production

rights reserved. S U M M I T Continuous integration goals 1. Automatically kick off a new release when new code is checked in 2. Build and test code in a consistent, repeatable environment 3. Continually have an artifact ready for deployment 4. Continually close feedback loop when build fails

rights reserved. S U M M I T AWS CodePipeline • Continuous delivery service for fast and reliable application updates • Model and visualize your software release process • Builds, tests, and deploys your code every time there is a code change • Integrates with third-party tools and AWS

rights reserved. S U M M I T AWS CodePipeline: Supported sources Pick branch AWS CodeCommit GitHub Pick object or folder Amazon S3 Pick Docker tag Amazon ECR Automatically kick off release and pull latest source code

rights reserved. S U M M I T AWS CodePipeline: ECR source action Source code: “master” branch ECR repository: “release” tag

rights reserved. S U M M I T AWS CodePipeline: Supported triggers Automatically kick off release Amazon CloudWatch Events • Scheduled (nightly release) • AWS Health events (Fargate platform retirement) Available in CloudWatch Events console, API, SDK, CLI, and AWS CloudFormation Webhooks • DockerHub • Quay • Artifactory Available in CodePipeline API, SDK, CLI, and CloudFormation

rights reserved. S U M M I T AWS CodeBuild • Fully managed build service that compiles source code, runs tests, and produces software packages • Scales continuously and processes multiple builds concurrently • No build servers to manage • Pay by the minute, only for the compute resources you use • Monitor builds through CloudWatch Events

rights reserved. S U M M I T AWS CodeBuild • Each build runs in a new Docker container for a consistent, immutable environment • Docker and AWS CLI are installed in every official CodeBuild image • Provide custom build environments suited to your needs through the use of Docker images

rights reserved. S U M M I T AWS CodeBuild: Lambda buildspec version: 0.2 phases: build: commands: - npm ci - npm test - > aws cloudformation package --template-file template.yaml --output-template packaged.yaml --s3-bucket $BUCKET artifacts: type: zip files: - packaged.yaml

rights reserved. S U M M I T AWS CodeBuild: Lambda buildspec using SAM CLI version: 0.2 phases: install: commands: - pip install --upgrade awscli aws-sam-cli build: commands: - sam build - sam package --s3-bucket $BUCKET --output-template-file packaged.yaml artifacts: type: zip files: - packaged.yaml

rights reserved. S U M M I T AWS CodeBuild: Docker buildspec version: 0.2 phases: build: commands: - $(aws ecr get-login --no-include-email) - docker build -t $IMAGE_REPO_NAME:$IMAGE_TAG . - docker tag $IMAGE_REPO_NAME:$IMAGE_TAG $ECR_REPO:$IMAGE_TAG - docker push $ECR_REPO:$IMAGE_TAG

rights reserved. S U M M I T Pillars of releasing modern applications Continuous integration

rights reserved. S U M M I T Pillars of releasing modern applications Continuous deployment

rights reserved. S U M M I T Continuous deployment goals Source Build Test Production

rights reserved. S U M M I T Continuous deployment goals 1. Automatically deploy new changes to staging environments for testing 2. Deploy to production safely without impacting customers 3. Deliver to customers faster: Increase deployment frequency, and reduce change lead time and change failure rate

rights reserved. S U M M I T AWS CodeDeploy • Automates code deployments to any instance and Lambda • Handles the complexity of updating your applications • Avoid downtime during application deployment • Roll back automatically if failure detected • Deploy to Amazon EC2, Lambda, ECS, or on- premises servers

rights reserved. S U M M I T CodeDeploy – Lambda canary deployment API Gateway Lambda function weighted alias “live” v1 Lambda function code 100%

rights reserved. S U M M I T CodeDeploy – Lambda canary deployment API Gateway Lambda function weighted alias “live” v1 code 100% Run PreTraffic hook against v2 code before it receives traffic v2 code 0%

rights reserved. S U M M I T CodeDeploy – Lambda canary deployment API Gateway Lambda function weighted alias “live” v1 code 90% Wait for 10 minutes, roll back in case of alarm v2 code 10%

rights reserved. S U M M I T CodeDeploy – Lambda canary deployment API Gateway Lambda function weighted alias “live” v1 code 0% Run PostTraffic hook and complete deployment v2 code 100%

rights reserved. S U M M I T CodeDeploy – Lambda deployments in SAM templates Resources: GetFunction: Type: AWS::Serverless::Function Properties: AutoPublishAlias: live DeploymentPreference: Type: Canary10Percent10Minutes Alarms: - !Ref ErrorsAlarm - !Ref LatencyAlarm Hooks: PreTraffic: !Ref PreTrafficHookFunction PostTraffic: !Ref PostTrafficHookFunction Canary10Percent30Minutes Canary10Percent5Minutes Canary10Percent10Minutes Canary10Percent15Minutes Linear10PercentEvery10Minutes Linear10PercentEvery1Minute Linear10PercentEvery2Minutes Linear10PercentEvery3Minutes AllAtOnce

rights reserved. S U M M I T API Gateway canary stage API Gateway Production stage v1 code v2 code 99.5% 0.5% Canary stage

rights reserved. S U M M I T CodeDeploy-ECS blue-green deployments • Provisions “green” tasks, then flips traffic at the load balancer • Validation “hooks” enable testing at each stage of the deployment • Fast rollback to “blue” tasks in seconds if case of hook failure or CloudWatch alarms • Monitor deployment status and history via console, API, Amazon SNS notifications, and CloudWatch Events • Use “CodeDeploy-ECS” deploy action in CodePipeline or “aws ecs deploy” command in Jenkins

rights reserved. S U M M I T CodeDeploy-ECS appspec version: 1.0 Resources: - TargetService: Type: AWS::ECS::Service Properties: - TaskDefinition: "my_task_definition:8" LoadBalancerInfos: - ContainerName: "SampleApp" ContainerPort: 80 Hooks: - BeforeInstall: "LambdaFunctionToExecuteAnythingBeforeNewRevisionInstalltion" - AfterInstall: "LambdaFunctionToExecuteAnythingAfterNewRevisionInstallation" - AfterAllowTestTraffic: "LambdaFunctionToValidateAfterTestTrafficShift" - BeforeAllowTraffic: "LambdaFunctionToValidateBeforeTrafficShift" - AfterAllowTraffic: "LambdaFunctionToValidateAfterTrafficShift"

rights reserved. S U M M I T CodeDeploy-ECS blue-green deployment 100% Prod traffic

rights reserved. S U M M I T CodeDeploy-ECS blue-green deployment Target group 2 100% Prod traffic Test traffic listener (port 9000)

rights reserved. S U M M I T CodeDeploy-ECS blue-green deployment Green tasks: v2 code 100% Prod traffic Provision green tasks

rights reserved. S U M M I T CodeDeploy-ECS blue-green deployment 100% Prod traffic Run hook against test endpoint before green tasks receive prod traffic 0% Prod traffic

rights reserved. S U M M I T CodeDeploy-ECS blue-green deployment Flip traffic to green tasks, rollback in case of alarm 0% Prod traffic 100% Prod traffic

rights reserved. S U M M I T CodeDeploy-ECS blue-green deployment 100% Prod traffic Drain blue tasks

rights reserved. S U M M I T AWS Deployment Framework (ADF) https://github.com/awslabs/aws-deployment-framework

rights reserved. S U M M I T Pillars of releasing modern applications Continuous deployment

CHALLENGES • Multiple independent tribes deploying to AWS • Complex
Serverless deployments • Deploy rapid and often Our Answer • SAM CLI - Wrapped in Ansible • Part of a Pipeline library – functions for the developer • Jenkins Pipeline as code • Extensible, reproducible and simple • Slack integrations Dunelm Ltd

Git Commit Jenkins Webhook Automation Code Product Code Code Linting
Prepare Worker Node Install Software Security Validation Build / compile Run Tests Deploy Install Software for building Vulnerability and Library scan Compile the software Run Unit and functional tests Deploy to AWS

THE BENEFITS ü Simple, reproducible and security conscious ü Scalable
for performance – each pipeline has it’s own worker node (on Spot instances) ü Highly customisable for each tribe – self serve ü Centrally managed library of functions – easy to adapt to change ü Rapid onboarding of new developers – easy to use ü Rapid development of CI/CD pipelines ü Over 100 developers using the pipelines (across all Dunelm technology tribes) Dunelm Ltd

THE BENEFITS – THE STATS • Daily there are •
>200 pipelines active • each deploying > 15 times / day • Having > 10 stages per pipeline • Productivity gains • > 95% of pipelines are successful • Allow tribes to be > 30% more effective (based on burnup charts and sprint reviews) • Allows us to test and security audit automatically Dunelm Ltd

ADDITIONAL BENEFITS • Slack integration with Jenkins • Status updates
in Tribe channels • Kick off adhoc builds from Slack • Slack integration with AWS • Able to delete stacks (AWS CloudFormation) • Add parameters to AWS Systems Manager • Create Amazon Route53 DNS entries • AWS Lambda function to delete AWS CloudFormation stacks once they are removed from BitBucket Dunelm Ltd

CI/CD on AWS

CI/CD on AWS

More Decks by Danilo Poccia

Other Decks in Programming

Featured

Transcript