How FundApps deploys AWS Lambda functions across accounts taking into consideration workflow, CI and security.
Deploying with Apex
David Blooman @dblooman
FundApps makes compliance simple for financial institutions
SERVERLESS
LAMBDA
DEPLOY FAST
DEPLOY EASILY
DEPLOY CONSISTENTLY
• Add new code
• Update configuration
• Package everything
• Handle versioning
Works for an entire team
Plays nice with Continuous Integration
APEX
“Apex lets you build, deploy, and manage AWS Lambda functions with ease”
• Batteries included but optional
• Environment variable population via command-line, file, or inline config
• Multiple environments via project.ENV.json and function.ENV.json files
• Transparently generates a zip for your deploy
• Ignore deploying files with .apexignore
• Function rollback support

    .
    |____functions
    | |____hello
    | | |____index.js
    |____project.json

    {
      "name": "demo",
      "description": "demo for meetup",
      "memory": 128,
      "timeout": 5,
      "role": "arn:aws:iam::00000000:role/lambda_function",
      "environment": {}
    }
/project.json

    {
      "name": "function1",
      "description": "demo for meetup",
      "memory": 256,
      "timeout": 5,
      "role": "arn:aws:iam::00000000:role/lambda_function",
      "environment": {}
    }
/function.json
$ apex deploy
• Create zip file
• Upload
• Add configuration
• Update ENV vars
No CloudFormation
At FundApps: everything created in Terraform
    resource "aws_lambda_function" "test_lambda" {
      filename         = "lambda_function_payload.zip"
      function_name    = "lambda_function_name"
      role             = "${aws_iam_role.iam_for_lambda.arn}"
      handler          = "exports.test"
      # Hash the same zip that filename points at, so a changed payload shows up in the plan
      source_code_hash = "${base64sha256(file("lambda_function_payload.zip"))}"

      environment {
        variables = {
          foo = "bar"
        }
      }
    }
Apex updates the zip file and ENV variables
Why Terraform?
Infrastructure as an organism
Split infrastructure from the deployment
Diffs
Terraform + Apex
Continuous Integration
Security
Every Lambda has its own IAM role and policy
Only deploy through CI
Secrets and configuration
Consul
Single point of truth
• Consul
• KMS
• Etcd
• Zookeeper
• S3
• Credstash
• CI server
    $ apex deploy -r eu-west-1 \
        -s S3_BUCKET=$S3_BUCKET \
        -s S3_REGION=$S3_REGION \
        function_foo -e $environment -i $2
/deploy.sh
Don’t want to check in variables to git
ENV Vars are all encrypted in KMS now though, right?
Apex doesn’t handle encryption
It’s still a manual process
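    const AWS = require('aws-sdk');

    // Base64 KMS ciphertext read from the function's environment.
    // ENCRYPTED_VALUE is a placeholder name; the slide does not show it.
    const encrypted = process.env.ENCRYPTED_VALUE;
    // Cached outside the handler, so KMS is only called once per container.
    let decrypted;

    // Placeholder for the function's own logic, which the slide does not show.
    function processEvent(event, context, callback) {
      callback(null, 'ok');
    }

    exports.handler = (event, context, callback) => {
      if (decrypted) {
        processEvent(event, context, callback);
      } else {
        const kms = new AWS.KMS({region: 'eu-west-1'});
        // Buffer.from replaces the deprecated new Buffer(...) constructor
        kms.decrypt({CiphertextBlob: Buffer.from(encrypted, 'base64')}, (err, data) => {
          if (err) {
            console.log('Decrypt error:', err);
            return callback(err);
          }
          decrypted = data.Plaintext.toString('ascii');
          processEvent(event, context, callback);
        });
      }
    };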
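Added example (not from the original slides and not FundApps' code): the decrypt-once pattern of the handler above, extended to several encrypted variables, with a failed decrypt not cached so the next invocation retries. It assumes an AWS SDK v2 style client with decrypt(params).promise(); makeSecretLoader, withSecrets, makeStubKms and the byte-reversing stand-in for KMS are constructed so the block runs offline.

```javascript
// Added example, not FundApps' code. All names here are hypothetical.

// Returns a loader that decrypts every encrypted variable once per container.
// kms: assumed AWS SDK v2 style client exposing decrypt(params).promise().
// encryptedVars: { NAME: base64 ciphertext }, e.g. picked from process.env.
function makeSecretLoader(kms, encryptedVars) {
  let pending = null; // promise kept between invocations of a warm container

  return function loadSecrets() {
    if (!pending) {
      const names = Object.keys(encryptedVars);
      pending = Promise.all(names.map((name) =>
        kms.decrypt({ CiphertextBlob: Buffer.from(encryptedVars[name], 'base64') })
          .promise()
          .then((data) => [name, data.Plaintext.toString('utf8')])
      ))
        .then((pairs) => Object.freeze(Object.fromEntries(pairs)))
        .catch((err) => {
          pending = null; // never cache a failure: the next invocation retries
          // Report only the error code, so no ciphertext or plaintext is logged.
          throw new Error('KMS decrypt failed: ' + err.code);
        });
    }
    return pending;
  };
}

// Wraps an async handler so it receives the decrypted secrets as a third argument.
function withSecrets(loadSecrets, handler) {
  return async (event, context) => handler(event, context, await loadSecrets());
}

// Constructed stand-in for AWS.KMS: "decrypts" by reversing the bytes and counts
// calls, which makes the cold-start cost (KMS round trips) visible in a test.
function makeStubKms() {
  const stub = { calls: 0, failNext: false };
  stub.decrypt = ({ CiphertextBlob }) => ({
    promise: async () => {
      stub.calls += 1;
      if (stub.failNext) {
        stub.failNext = false;
        throw Object.assign(new Error('denied'), { code: 'AccessDeniedException' });
      }
      return { Plaintext: Buffer.from(CiphertextBlob).reverse() };
    },
  });
  return stub;
}
```

In a real function the stub is replaced by new AWS.KMS({region: 'eu-west-1'}), and the function's IAM role needs kms:Decrypt on the key.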
[Charts: time in ms (y-axis) against x-axis values 1 to 15, series Node w/ KMS and Node w/o KMS; and time in ms against x-axis values 1 to 10, series Node w/ KMS, Node w/o KMS, Go w/ KMS and Go w/o KMS.]
We use Go, node.js and Python
Apex supports Golang and Rust
Apex: Golang, Nodejs, Python, Java, Rust
Serverless: Nodejs, Python, Java, C#
Gordon: Golang, Nodejs, Python, Java
Apex gives us flexibility
Deploying from EC2
Apex is for you if:
Total control of your infra and lots of flexibility
Thank you
David Blooman @dblooman
We’re hiring
Software Engineers & Infrastructure Engineers
fundapps.workable.com