Getting started with CI/CD for serverless applications

(1)

(2)

Getting started with CI/CD for serverless applications

Marcia Villalba

Senior Developer Advocate AWS

@mavi888uy

(3)

About me

AWS Developer Advocate

Working with serverless since 2015 Host of FooBar YouTube Channel https://youtube.com/foobar_codes

@mavi888uy

(4)

Stages of the software release process

Source Build Test Production

(5)

Stages of the software release process

Source Build Test Production

Developers version,

review and commit

code changes

(6)

Stages of the software release process

Source Build Test Production

Build tasks and unit testing

Developers version,

review and commit

code changes

(7)

Stages of the software release process

Source Build Test Production

Deploy to testing environments and run integration tests Developers version,

review and commit code changes

Build tasks and unit

testing

(8)

Stages of the software release process

Source Build Test Production

Deploy to production environment Developers version,

review and commit code changes

Build tasks and unit

testing Deploy to testing

environments and

run integration tests

(9)

Stages of the software release process

Source Build Test Production

(10)

Stages of the software release process

Source Build Test Production

Approved deploy

(11)

Stages of the software release process

Source Build Test Production

Automated deploy Approved deploy

(12)

(13)

The orchestrator

(14)

AWS CodePipeline

• Continuous delivery service for fast and reliable application updates

• Model and visualize your software release process

• Builds, tests, and deploys your code every time there is a code change

• Integrates with third-party tools and AWS

• https://aws.amazon.com/codepipeline/

(15)

Example of minimal developer’s pipeline

This pipeline:

• Three stages

• Builds code artifact

• One development environment

• Uses AWS SAM/AWS CloudFormation to deploy artifact and other AWS resources

• Has Lambda custom actions for testing functions

MyBranch-Source

Source

CodeCommit i

Build

test-build-source

CodeBuild i

MyDev-Deploy

create-changeset

AWS CloudFormation i

execute-changeset

AWS CloudFormation i Run-stubs

(16)

Example of full pipeline

This pipeline:

• Five stages

• Builds code artifact

• Three deployed to “environments”

• Uses AWS SAM/AWS CloudFormation to deploy artifact and other AWS resources

• Has Lambda custom actions for testing functions

• Integrates with a third-party tool/service

• Has a manual approval before deploying to production

Source

GitHub ⁱ

Build

test-build-source

CodeBuild ⁱ

Deploy-Testing

create-changeset

AWS CloudFormation ⁱ

execute-changeset

Run-stubs

Lambda ⁱ

Deploy-Staging

Deploy-Prod

create-changeset

execute-changeset

Post-Deploy-Stack

Lambda ⁱ

create-changeset

execute-changeset

QA-Sign-Off

Manual approval ⁱ Review

Run-API-test

Runscope ⁱ

(17)

Example of full pipeline

This pipeline:

• Five stages

• Builds code artifact

• Three deployed to “environments”

• Uses AWS SAM/AWS CloudFormation to deploy artifact and other AWS resources

• Has Lambda custom actions for testing functions

• Integrates with a third-party tool/service

• Has a manual approval before deploying to production

Source

GitHub ⁱ

Build

test-build-source

CodeBuild ⁱ

Deploy-Testing

create-changeset

execute-changeset

Run-stubs

Lambda ⁱ

Deploy-Staging

Deploy-Prod

create-changeset

execute-changeset

Post-Deploy-Stack

Lambda ⁱ

create-changeset

execute-changeset

QA-Sign-Off

Run-API-test

Runscope ⁱ

Dev account

Staging account

(18)

(19)

Release process stages

Source Build Test Production

Code

Infrastructure

(20)

AWS CloudFormation

• Infrastructure as code (IaC)

• Provides a common language for you to describe and provision all the

infrastructure resources in your cloud environment

• Build and rebuild your infrastructure and

applications, without having to perform

manual actions or write custom scripts

https://aws.amazon.com/cloudformation/

(21)

AWS Serverless Application Model (SAM)

• Open source framework for building serverless applications on AWS

• Shorthand syntax to express functions, APIs, databases, and event source mappings

• Transforms and expands SAM syntax into AWS CloudFormation syntax on deployment

• Supports all AWS CloudFormation resource types

https://aws.amazon.com/serverless/sam/

(22)

AWS SAM template

AWSTemplateFormatVersion: '2010-09-09’

Transform: AWS::Serverless-2016-10-31 Resources:

MySimpleTableFunction:

Type: AWS::Serverless::Function Properties:

Handler: mySimpleTableFunction.handler Runtime: nodejs12.x

CodeUri: ./functions Policies:

- DynamoDBReadPolicy:

TableName: !Ref MySimpleTable Events:

MySimpleFunctionApi:

Type: Api Properties:

Path: /simpleTable Method: GET

MySimpleTable:

Type: AWS::Serverless::SimpleTable

(23)

AWS SAM template

MySimpleTable:

AWS Cloud

Amazon API Gateway

Lambda function

Table Role

===

To become this

Allowing

this

(24)

AWS SAM template

MySimpleTable:

Tells AWS CloudFormation this is a SAM template it

needs to “transform”

(25)

AWS SAM template

MySimpleTable:

Just 20 lines to create:

• Lambda function

• IAM role

• API Gateway

(26)

AWS SAM template

MySimpleTable:

Function configuration

(27)

AWS SAM template

MySimpleTable:

Permissions for the

function

(28)

AWS SAM Policy Templates

MySimpleTable:

Policies:

- CloudWatchPutMetricPolicy: {}

Policies:

- DynamoDBReadPolicy:

TableName: !Ref MySimpleTable

(29)

AWS SAM Policy Templates

MySimpleTable:

All the available policies can be found in this link

http://bit.ly/sam-policy-template

(30)

AWS SAM template

MySimpleTable:

API Gateway

(31)

AWS SAM template

MySimpleTable:

Creates a Amazon DynamoDB table with 5

(32)

# Global information for all the functions Globals:

Function:

Runtime: nodejs12.x MemorySize: 256

Timeout: 100 Tracing: Active

Resources:

MySimpleFunction:

Type: 'AWS::Serverless::Function’

Properties:

Handler: mySimpleFunction.handler CodeUri: ./functions

Events:

MySimpleFunctionAPI:

Path: /simple Method: GET

# A function that uses a Simple table function MySimpleTableFunction:

Properties:

Handler: mySimpleTableFunction.handler CodeUri: ./functions

Policies:

- DynamoDBCrudPolicy:

TableName: !Ref MySimpleTable Environment:

Variables:

TABLE_NAME: !Ref MySimpleTable Events:

Path: /simpletable Method: GET

MySimpleTable:

AWS SAM Globals

(33)

# Global information for all the functions Globals:

Function:

Runtime: nodejs12.x MemorySize: 256

Timeout: 100 Tracing: Active

Resources:

MySimpleFunction:

Properties:

Handler: mySimpleFunction.handler CodeUri: ./functions

Events:

Path: /simple Method: GET

# A function that uses a Simple table function MySimpleTableFunction:

Properties:

Handler: mySimpleTableFunction.handler CodeUri: ./functions

Policies:

- DynamoDBCrudPolicy:

TableName: !Ref MySimpleTable Environment:

Variables:

TABLE_NAME: !Ref MySimpleTable Events:

Path: /simpletable Method: GET

MySimpleTable:

AWS SAM Globals

(34)

AWS Lambda Environment Variables

• Key-value pairs that you can dynamically pass to your function

• Available via standard environment variable APIs such as process.env for Node.js or os.environ for Python

• Can optionally be encrypted via AWS Key Management Service (KMS)

• Useful for creating environments per stage (i.e. dev, testing,

production)

(35)

AWS Lambda Environment Variables

IN AWS SAM template

MySimpleFunction:

Type: "AWS::Serverless::Function"

Properties:

Handler: mySimpleFunction.handler Policies:

- DynamoDBCrudPolicy:

TableName: !Ref MyDynamoDBTable Environment:

Variables:

TABLE_NAME: !Ref MyDynamoDBTable Events:

MySimpleFunctionAPI:

Type: Api

Properties:

RestApiId: !Ref MyApi

Path: /simple

(36)

AWS Lambda Environment Variables

In the handler of the function

MySimpleFunction:

Type: "AWS::Serverless::Function"

Properties:

Handler: mySimpleFunction.handler Policies:

- DynamoDBCrudPolicy:

TableName: !Ref MyDynamoDBTable Environment:

Variables:

TABLE_NAME: !Ref MyDynamoDBTable Events:

MySimpleFunctionAPI:

Type: Api

Properties:

RestApiId: !Ref MyApi Path: /simple

Method: GET

'use strict';

const TABLE_NAME = process.env.TABLE_NAME;

module.exports.getItem = async (propertyId, sortKey) => { console.log('getItem');

...

(37)

Different resources names for different stages

DEV STAGE PROD

(38)

Different resources names for different stages

In AWS SAM template

Parameters:

MyEnvironment:

Type: String Default: dev AllowedValues:

- dev

- staging - prod

Mappings:

ResourcesName:

dev:

tableName: MyDynamoDBTable-dev staging:

tableName: MyDynamoDBTable-staging prod:

tableName: MyDynamoDBTable-prod

Resources:

MyDynamoDBTable:

Type: "AWS::DynamoDB::Table"

Properties:

. . .

TableName: !FindInMap [ResourcesName, !Ref MyEnvironment, tableName]

(39)

Different resources names for different stages

Parameters:

MyEnvironment:

- dev

- staging - prod

Mappings:

ResourcesName:

dev:

Resources:

MyDynamoDBTable:

Properties:

. . .

In AWS SAM template

(40)

Different resources names for different stages

Parameters:

MyEnvironment:

- dev

- staging - prod

Mappings:

ResourcesName:

dev:

Resources:

MyDynamoDBTable:

Properties:

. . .

TableName: !FindInMap [ResourcesName, !Ref MyEnvironment, tableName]

In AWS SAM template

(41)

Different resources names for different stages

Parameters:

MyEnvironment:

- dev

- staging - prod

Mappings:

ResourcesName:

dev:

Resources:

MyDynamoDBTable:

Properties:

. . .

In AWS SAM template

(42)

We need to pass the stage name as a parameter when we create the AWS Cloudformation change set

Different resources names for different stages

In AWS CodePipeline

(43)

AWS CodeCommit

• Fully managed source-control service that hosts secure Git-based repositories

• Allows teams to collaborate on code in a secure and highly scalable ecosystem

• Automatically encrypts your files in transit and at rest

• Integrated with AWS Identity and Access Management (IAM)

• https://aws.amazon.com/codecommit/

(44)

Release process stages

Source Build Test Production

(45)

AWS CodeBuild

• Fully managed build service that can compile source code, run tests, and produce software packages

• Scales continuously and processes multiple builds concurrently

• Can consume environment variables from AWS Systems Manager Parameter Store

• No build servers to manage

• Supports dependency caching

• https://aws.amazon.com/codebuild/

(46)

phases:

install:

commands:

- pip install --upgrade pip - pip install pipenv –user

- pipenv install awscli aws-sam-cli - npm install

pre_build:

commands:

- eslint *.js - npm test build:

commands:

- sam build post_build:

commands:

- sam package –template-file template.yaml –s3-bucket $BUCKET_NAME –output-template packaged.yaml

artifacts:

type: zip files:

- packaged.yaml

AWS CodeBuild: Lambda buildspec using SAM CLI

(47)

phases:

install:

commands:

pre_build:

commands:

artifacts:

type: zip files:

AWS CodeBuild: Lambda buildspec using SAM CLI

Use install phase to install packages or any pre-

reqs you may need throughout the build

(48)

phases:

install:

commands:

pre_build:

commands:

artifacts:

type: zip files:

- packaged.yaml

AWS CodeBuild: Lambda buildspec using SAM CLI

Use pre-build phase to run unit tests

(49)

phases:

install:

commands:

pre_build:

commands:

artifacts:

type: zip files:

AWS CodeBuild: Lambda buildspec using SAM CLI

In the build phase, we build the project using AWS SAM

(50)

phases:

install:

commands:

pre_build:

commands:

artifacts:

type: zip files:

- packaged.yaml

AWS CodeBuild: Lambda buildspec using SAM CLI

Use post-build for creating the package of the artifact

(51)

phases:

install:

commands:

pre_build:

commands:

artifacts:

type: zip files:

AWS CodeBuild: Lambda buildspec using SAM CLI

Where AWS CodeBuild can find the output artifacts

(52)

Release process stages

Source Build Test Production

(53)

The pipeline: Testing

Configure Test Package

The build phase is a common place for testing

Source control Build Staging Production

(54)

The pipeline: Testing

Configure and/or compile

Test Package

Test points

With serverless, it is

easy to test at different points in the pipeline

(55)

Where and what to test

• Code review via pull request

• Lint/syntax check

• Unit test pass

• Code successfully compiles

• Application deploys successfully

• Mocked/stubbed integration tests

• Application deploys successfully

• Test against real services (potentially against

production dependencies)

• Run pre-traffic Lambda tests

• Deploy canaries

• Complete wait period successfully

• Deploy 100%

• Run post-traffic Lambda tests

Source

CodeCommit ⁱ

Build

test-build-source

CodeBuild ⁱ

Deploy-Testing

create-changeset

execute-changeset

Run-stubs

Lambda ⁱ

Deploy-Staging

Deploy-Prod

create-changeset

AWS CloudFormation ⁱ execute-changeset

AWS CloudFormation ⁱ create-changeset

execute-changeset

QA-Sign-Off

Run-API-test

Runscope ⁱ

(56)

Different ways to make sure everything is ok

AWS Lambda functions

Third party services

Manual QA

Safe deployments

(57)

Using AWS Lambda to perform integration tests

…

exports.handler = async (event, context) => {

let jobId = event["CodePipeline.job"].id;

// DO SOME INTEGRATION TESTS

if (testsPassed) { let params = {

jobId: jobId };

return codepipeline.putJobSuccessResult(params).promise(data => { context.succeed('Test passed');

}).catch(error => {

context.fail(error);

});

} else {

let params = {

jobId: jobId,

failureDetails: {

message: JSON.stringify('Test failed’), type: 'JobFailed’,

externalExecutionId: context.invokeid }

};

return codepipeline.putJobFailureResult(params).promise(data => { context.fail(message);

});

}

(58)

Using AWS Lambda to perform integration tests

…

jobId: jobId };

}).catch(error => {

});

} else {

let params = {

jobId: jobId,

failureDetails: {

};

});

} };

Write some integration tests

(59)

Using AWS Lambda to perform integration tests

…

jobId: jobId };

}).catch(error => {

});

} else {

let params = {

jobId: jobId,

failureDetails: {

};

});

}

Needs to call the

putJobSuccessuResult

(60)

Using AWS Lambda to perform integration tests

…

jobId: jobId };

}).catch(error => {

});

} else {

let params = {

jobId: jobId,

failureDetails: {

};

});

} };

Needs to call the

putJobFailureResult

(61)

Using AWS Lambda to perform integration tests

…

jobId: jobId };

}).catch(error => {

});

} else {

let params = {

jobId: jobId,

failureDetails: {

};

});

}

More information on how to configure this

https://amzn.to/2SVWZlW

(62)

Using 3rd party service to test

For adding tests there are lots of 3rd party tools supported.

Find more information on how to configure them with AWS CodePipeline here:

https://amzn.to/2SV0iK3

(63)

Manual approvals

(64)

Manual approvals

(65)

AWS CodeDeploy

• Automates code deployments to any instance and Lambda

• Handles the complexity of updating your applications

• Avoid downtime during application deployment

• Roll back automatically if failure detected

• Deploy to Amazon EC2, Lambda, Fargate, EC2,

or on-premises servers

(66)

Deployment preference

Canary10Percent30Minutes Canary10Percent5Minutes Canary10Percent10Minutes Canary10Percent15Minutes

Linear10PercentEvery10Minutes Linear10PercentEvery1Minute Linear10PercentEvery2Minutes Linear10PercentEvery3Minutes AllAtOnce

BeforeAllowTraffic

AfterAllowTraffic AllowTraffic

Deployment Preference

(67)

Versions are immutable

snapshots of a function – code + configuration

An Alias is a pointer to a version

Lambda Version and aliases

v1

v2

v3

Alias: prod

Alias: dev

(68)

AWS CodeDeploy – Lambda canary deployment

Gateway API Lambda

function weighted alias “live”

v1 Lambda function

code

100%

(69)

Gateway API Lambda function weighted alias “live”

v1 code 100%

Run PreTraffic hook against v2 code before it receives traffic

v2 code 0%

AWS CodeDeploy – Lambda canary deployment

(70)

AWS CodeDeploy – Lambda canary deployment

Gateway API Lambda

function weighted alias “live”

v1 code 90%

Wait for 10 minutes, roll back in case of alarm

v2 code

10%

(71)

Gateway API Lambda function weighted alias “live”

v1 code 0%

Run PostTraffic hook and complete deployment

v2 code 100%

AWS CodeDeploy – Lambda canary deployment

(72)

Testing using safe deployments

HelloFunction:

Type: 'AWS::Serverless::Function’

Properties:

Handler: handler.hello Runtime: nodejs12.x

CodeUri: ./hello

AutoPublishAlias: live DeploymentPreference:

Type: Linear10PercentEvery10Minutes Alarms:

- !Ref AliasErrorMetricGreaterThanZeroAlarm

- !Ref LatestVersionErrorMetricGreaterThanZeroAlarm Hooks:

PreTraffic: !Ref PreTrafficLambdaFunction

PostTraffic: !Ref PostTrafficLambdaFunction

(73)

HelloFunction:

Type: 'AWS::Serverless::Function’

Properties:

Handler: handler.hello Runtime: nodejs12.x

CodeUri: ./hello

AutoPublishAlias: live DeploymentPreference:

Type: Linear10PercentEvery10Minutes Alarms:

- !Ref AliasErrorMetricGreaterThanZeroAlarm

- !Ref LatestVersionErrorMetricGreaterThanZeroAlarm Hooks:

PreTraffic: !Ref PreTrafficLambdaFunction

Testing using safe deployments

Instructs AWS SAM to publish a new

version of the function for each new

deployment and link it to the live alias

(74)

HelloFunction:

Type: 'AWS::Serverless::Function’

Properties:

Handler: handler.hello Runtime: nodejs12.x

CodeUri: ./hello

AutoPublishAlias: live DeploymentPreference:

Type: Linear10PercentEvery10Minutes Alarms:

- !Ref AliasErrorMetricGreaterThanZeroAlarm

- !Ref LatestVersionErrorMetricGreaterThanZeroAlarm Hooks:

PreTraffic: !Ref PreTrafficLambdaFunction PostTraffic: !Ref PostTrafficLambdaFunction

Testing using safe deployments

Canary10Percent30Minutes Canary10Percent5Minutes Canary10Percent10Minutes Canary10Percent15Minutes

Linear10PercentEvery10Minutes

Linear10PercentEvery1Minute

Linear10PercentEvery2Minutes

Linear10PercentEvery3Minutes

AllAtOnce

(75)

HelloFunction:

Type: 'AWS::Serverless::Function’

Properties:

Handler: handler.hello Runtime: nodejs12.x

CodeUri: ./hello

AutoPublishAlias: live DeploymentPreference:

Type: Linear10PercentEvery10Minutes Alarms:

- !Ref AliasErrorMetricGreaterThanZeroAlarm

- !Ref LatestVersionErrorMetricGreaterThanZeroAlarm Hooks:

PreTraffic: !Ref PreTrafficLambdaFunction

Testing using safe deployments

A list of alarms that you want to monitor

You can specify a maximum of 10 alarms

(76)