Deploying with Apex

David Blooman
February 01, 2017

How FundApps deploys AWS Lambda functions across accounts taking into consideration workflow, CI and security.

Transcript

  1. Deploying with Apex
    David Blooman
    @dblooman

  2. FundApps makes compliance
    simple for financial institutions

  3. SERVERLESS

  4. LAMBDA

  5. DEPLOY FAST

  6. DEPLOY EASILY

  7. DEPLOY CONSISTENTLY

  8. DEPLOY CONSISTENTLY

  9. • Add new code
    • Update configuration
    • Package everything
    • Handle versioning

  10. Works for an entire team

  11. Plays nice with Continuous Integration

  12. APEX

  13. “Apex lets you build,
    deploy, and manage
    AWS Lambda
    functions with ease”

  14. • Batteries included but optional
    • Environment variable population via
    command-line, file, or inline config
    • Multiple environments via project.ENV.json
    and function.ENV.json files

  15. • Transparently generates a zip for your deploy
    • Ignore deploying files with .apexignore
    • Function rollback support

  17. .
    |____functions
    | |____hello
    | | |____index.js
    |____project.json

  18. {
        "name": "demo",
        "description": "demo for meetup",
        "memory": 128,
        "timeout": 5,
        "role": "arn:aws:iam::00000000:role/lambda_function",
        "environment": {}
      }
    /project.json

  19. {
        "name": "function1",
        "description": "demo for meetup",
        "memory": 256,
        "timeout": 5,
        "role": "arn:aws:iam::00000000:role/lambda_function",
        "environment": {}
      }
    /function.json

  20. .
    |____functions
    | |____hello
    | | |____index.js
    |____project.json

  21. $ apex deploy

  24. • Create zip file
    • Upload
    • Add configuration
    • Update ENV vars

  25. No CloudFormation

  26. At FundApps:
    Everything created in Terraform

  27. resource "aws_lambda_function" "test_lambda" {
        filename      = "lambda_function_payload.zip"
        function_name = "lambda_function_name"
        role          = "${aws_iam_role.iam_for_lambda.arn}"
        handler       = "exports.test"
        # Hash the same archive named in `filename`, so a changed zip triggers an update
        source_code_hash = "${base64sha256(file("lambda_function_payload.zip"))}"
        environment {
          variables = {
            foo = "bar"
          }
        }
      }

  28. Apex updates the zip file
    and ENV variables

  29. Why Terraform?

  30. Infrastructure as an organism

  31. Split infrastructure from the deployment

  32. Diffs

  33. Terraform + Apex

  34. DEPLOY CONSISTENTLY

  35. Continuous Integration

  37. Security

  38. Every Lambda has its own
    IAM role and policy

  39. Only deploy through CI

  40. Secrets and configuration

  41. Consul

  42. Single point of truth
    • Consul
    • KMS
    • Etcd
    • Zookeeper
    • S3
    • Credstash
    • CI server

  43. $ apex deploy -r eu-west-1 \
        -s S3_BUCKET="$S3_BUCKET" \
        -s S3_REGION="$S3_REGION" \
        function_foo -e "$environment" -i "$2"
    /deploy.sh

  44. Don’t want to check in
    variables to git

  45. ENV Vars are all encrypted in KMS
    now though, right?

  46. Apex doesn’t handle encryption
    It’s still a manual process

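  49. const AWS = require('aws-sdk');

      // Base64 KMS ciphertext read from the function's environment.
      // ENCRYPTED_SECRET is a placeholder name; the slide does not show the variable.
      const encrypted = process.env.ENCRYPTED_SECRET;
      let decrypted; // plaintext, cached across warm invocations of this container

      // processEvent(event, context, callback) is defined elsewhere in the function.
      exports.handler = (event, context, callback) => {
        if (decrypted) {
          // Warm invocation: reuse the cached plaintext, no KMS call
          processEvent(event, context, callback);
        } else {
          const kms = new AWS.KMS({
            region: 'eu-west-1'
          });
          kms.decrypt({
            CiphertextBlob: Buffer.from(encrypted, 'base64')
          }, (err, data) => {
            if (err) {
              console.log('Decrypt error:', err);
              return callback(err);
            }
            decrypted = data.Plaintext.toString('ascii');
            processEvent(event, context, callback);
          });
        }
      };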
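
The handler on slide 49 decrypts once and reuses the plaintext on warm invocations. The following is an added example, not part of the original deck: the same decrypt-once pattern as a promise cache that is shared by overlapping callers and does not cache a failed decrypt. `makeSecretLoader`, `fakeKms`, `demo` and the sample values are hypothetical, and the KMS client is a constructed stub so the code runs offline.

```javascript
'use strict';
// Decrypt-once cache for a KMS-encrypted environment variable (added example).
// All names and sample values are hypothetical; pass `new AWS.KMS(...)` in real use.

function makeSecretLoader(kms, ciphertextB64) {
  let pending = null; // cached promise; lives as long as the warm container

  return function loadSecret() {
    if (!pending) {
      pending = new Promise((resolve, reject) => {
        kms.decrypt(
          { CiphertextBlob: Buffer.from(ciphertextB64, 'base64') },
          (err, data) => (err ? reject(err) : resolve(data.Plaintext.toString('utf8')))
        );
      }).catch((err) => {
        pending = null; // never cache a failure; the next caller retries
        throw err;
      });
    }
    return pending;
  };
}

// Constructed stand-in for AWS.KMS: counts calls and fails the first `failures` calls.
function fakeKms(plaintext, failures) {
  const stub = {
    calls: 0,
    decrypt(params, cb) {
      stub.calls += 1;
      const fail = stub.calls <= failures;
      setImmediate(() =>
        fail ? cb(new Error('AccessDeniedException')) : cb(null, { Plaintext: Buffer.from(plaintext) })
      );
    },
  };
  return stub;
}

// Two overlapping callers, then a later one, all on the same warm container.
async function demo(failures) {
  const kms = fakeKms('s3cr3t-value', failures);
  const loadSecret = makeSecretLoader(kms, Buffer.from('constructed-ciphertext').toString('base64'));
  const results = await Promise.allSettled([loadSecret(), loadSecret()]);
  const third = await loadSecret().catch((e) => e.message);
  return { calls: kms.calls, first: results.map((r) => r.status), third };
}
```

With no failures the stub sees a single decrypt call for all three callers; with one failure the two overlapping callers both reject and the later caller triggers a fresh decrypt.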

  50. [Chart: Node w/ KMS vs Node w/o KMS; value axis 0ms to 1200ms, x-axis 1 to 15]

  51. [Chart: Node w/ KMS vs Node w/o KMS; value axis 0ms to 18ms, x-axis 2 to 15]

  52. [Chart: Node w/ KMS, Node w/o KMS, Go w/ KMS, Go w/o KMS; value axis 0ms to 2000ms, x-axis 1 to 10]

  53. [Chart: Node w/ KMS, Node w/o KMS, Go w/ KMS, Go w/o KMS; value axis 0ms to 300ms, x-axis 2 to 10]

  55. We use Go, node.js and Python
    Apex supports Golang and Rust

  56. Apex: Golang, Nodejs, Python, Java, Rust
    Serverless: Nodejs, Python, Java, C#
    Gordon: Golang, Nodejs, Python, Java

  57. Apex gives us flexibility

  58. Deploying from EC2

  60. Apex is for you if:
    Total control of your infra
    and lots of flexibility

  61. Thank you

  62. David Blooman
    @dblooman
    We’re hiring
    Software Engineers & Infrastructure Engineers
    fundapps.workable.com
