The latest articles on Forem by Piotr Mionskowski (@miensol). https://forem.com/miensol https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F52490%2F8008718f-eb79-4593-8066-09a0d2c010da.png https://forem.com/miensol en Piotr Mionskowski Thu, 18 Jun 2020 05:07:42 +0000 https://forem.com/miensol/autoscaling-aws-eks-cluster-with-custom-gitlab-runner-configuration-270 https://forem.com/miensol/autoscaling-aws-eks-cluster-with-custom-gitlab-runner-configuration-270 <p>Gitlab offers a robust CI/CD solution suitable for most projects.<br> The <a href="https://docs.gitlab.com/ee/user/project/clusters/add_remove_clusters.html">documentation</a> depicts the easiest way to connect your Kubernetes cluster to Gitlab.<br> Once connected Gitlab can install and configure Gitlab runner.</p> <p>However, such approach does not allow for many adjustments to Gitlab runner configuration.<br> For example when using Kubernetes executor providing build level <a href="https://docs.gitlab.com/runner/executors/kubernetes.html#overwriting-build-resources">resource requests and limits</a> does not work.</p> <p>In this post we'll use aws-cdk to:</p> <ul> <li>provision an AWS EKS cluster</li> <li>install <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html">cluster autoscaler</a> </li> <li>install Gitlab runner using <a href="https://docs.gitlab.com/runner/install/kubernetes.html">Helm chart</a> </li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7YsLt-b7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/miensol/miensol.github.io/develop/content/posts/gitlab-ci-kubernetes-cluster/gitlab-aws.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7YsLt-b7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/miensol/miensol.github.io/develop/content/posts/gitlab-ci-kubernetes-cluster/gitlab-aws.png" alt=""></a></p> <h2> Prerequisite </h2> <p>Create an aws-cdk typescript project with necessary dependencies using<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nb">mkdir </span>cicd <span class="o">&amp;&amp;</span> <span class="nb">cd </span>cicd npx cdk init <span class="nt">--language</span> typescript npm i <span class="nt">--save</span> @aws-cdk/aws-eks </code></pre></div> <h2> Create EKS Cluster with aws-cdk </h2> <p>First we add an AWS EKS cluster with a managed node group.<br> <a href="https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html">A managed node group</a> provides a convenient way to provision and manage nodes.<br> </p> <div class="highlight"><pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nx">CICDStack</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="kd">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">clusterAdmin</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Cluster Master Role</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">AccountRootPrincipal</span><span class="p">(),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">clusterName</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">cicd</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">cluster</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">eks</span><span class="p">.</span><span class="nx">Cluster</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CICD Cluster</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">mastersRole</span><span class="p">:</span> <span class="nx">clusterAdmin</span><span class="p">,</span> <span class="na">clusterName</span><span class="p">:</span> <span class="nx">clusterName</span><span class="p">,</span> <span class="na">defaultCapacity</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">mainNodeGroup</span> <span class="o">=</span> <span class="nx">cluster</span><span class="p">.</span><span class="nx">addNodegroup</span><span class="p">(</span><span class="dl">"</span><span class="s2">main</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">desiredSize</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">M5</span><span class="p">,</span> <span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">XLARGE2</span><span class="p">),</span> <span class="na">nodegroupName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">main</span><span class="dl">"</span><span class="p">,</span> <span class="na">maxSize</span><span class="p">:</span> <span class="mi">10</span> <span class="p">});</span> <span class="p">...</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>The <code>clusterAdmin</code> IAM Role is going to be use to manage the cluster with <a href="https://kubernetes.io/docs/tasks/tools/install-kubectl/">kubectl</a>.<br> We do not need it to install and configure Gitlab runner. However, it is essential for debugging purposes.</p> <h2> Install Gitlab runner using Helm chart </h2> <p>For our EKS cluster to perform any CI work we need to install <a href="https://docs.gitlab.com/runner/install/kubernetes.html">Gitlab runner</a>.<br> Thankfully Gitlab provides <a href="https://charts.gitlab.io/">an official Helm chart</a>.<br> </p> <div class="highlight"><pre class="highlight typescript"><code><span class="nx">cluster</span><span class="p">.</span><span class="nx">addChart</span><span class="p">(</span><span class="dl">"</span><span class="s2">gitlab-runner</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">chart</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gitlab-runner</span><span class="dl">"</span><span class="p">,</span> <span class="na">repository</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://charts.gitlab.io/</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">v0.17.1</span><span class="dl">"</span><span class="p">,</span> <span class="na">wait</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">values</span><span class="p">:</span> <span class="p">{</span> <span class="na">gitlabUrl</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://gitlab.com/</span><span class="dl">"</span><span class="p">,</span> <span class="na">runnerRegistrationToken</span><span class="p">:</span> <span class="dl">"</span><span class="s2">&lt;runner registration token&gt;</span><span class="dl">"</span><span class="p">,</span> <span class="na">rbac</span><span class="p">:</span> <span class="p">{</span> <span class="na">create</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">runners</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// https://gitlab.com/gitlab-org/charts/gitlab-runner/blob/master/values.yaml</span> <span class="c1">// required for dind</span> <span class="na">privileged</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">builds</span><span class="p">:</span> <span class="p">{</span> <span class="na">cpuRequests</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1</span><span class="dl">"</span><span class="p">,</span> <span class="na">cpuRequestsOverwriteMaxAllowed</span><span class="p">:</span> <span class="dl">"</span><span class="s2">16</span><span class="dl">"</span><span class="p">,</span> <span class="na">cpuLimitOverwriteMaxAllowed</span><span class="p">:</span> <span class="dl">"</span><span class="s2">16</span><span class="dl">"</span><span class="p">,</span> <span class="na">memoryRequests</span><span class="p">:</span> <span class="dl">"</span><span class="s2">4Gi</span><span class="dl">"</span><span class="p">,</span> <span class="na">memoryLimitOverwriteMaxAllowed</span><span class="p">:</span> <span class="dl">"</span><span class="s2">16Gi</span><span class="dl">"</span><span class="p">,</span> <span class="na">memoryRequestsOverwriteMaxAllowed</span><span class="p">:</span> <span class="dl">"</span><span class="s2">16Gi</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre></div> <p>For the Gitlab runner to register in Gitlab server we need to get a runner registration token.<br> You can find the runner registration token on a project or group CI/CD settings page.<br> In the above example I passed the value as is to the <code>runnerRegistrationToken</code> setting.<br> However, you should not commit that into source control and instead use an environment variable,<br> or <a href="https://docs.aws.amazon.com/cdk/latest/guide/get_ssm_value.html">a parameter store reference</a>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--H2oPMgyN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/miensol/miensol.github.io/develop/content/posts/gitlab-ci-kubernetes-cluster/registration-token.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--H2oPMgyN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/miensol/miensol.github.io/develop/content/posts/gitlab-ci-kubernetes-cluster/registration-token.png" alt="runner registration token"></a></p> <p>Note that we have configured a couple of values defined in <a href="https://gitlab.com/gitlab-org/charts/gitlab-runner/blob/master/values.yaml">the Helm chart</a>.<br> Most notably we set the required <code>cpu*OverwriteMaxAllowed</code> and <code>memory*OverwriteMaxAllowed</code> options.<br> We have to configure them otherwise it will not be possible to set Kubernetes CPU and memory allocations for requests and limits on the <code>.gitlab-ci.yml</code>.<br> With the above set we can request a certain amount of CPU and memory for build:<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="na">variables</span><span class="pi">:</span> <span class="na">KUBERNETES_CPU_REQUEST</span><span class="pi">:</span> <span class="m">3</span> <span class="na">KUBERNETES_CPU_LIMIT</span><span class="pi">:</span> <span class="m">5</span> <span class="na">KUBERNETES_MEMORY_REQUEST</span><span class="pi">:</span> <span class="s">2Gi</span> <span class="na">KUBERNETES_MEMORY_LIMIT</span><span class="pi">:</span> <span class="s">4Gi</span> </code></pre></div> <h2> Install Cluster autoscaler using aws-cdk construct </h2> <p>In order for our AWS EKS cluster to scale dynamically we need to install <a href="https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html">Cluster autoscaler</a>.<br> With autoscaler installed, whenever the amount of <strong>declared requested</strong> CPU or memory resources exceeds those available on nodes, a new node will be added to the cluster.</p> <p>I've wrapped the Cluster autoscaler setup <a href="https://github.com/miensol/miensol.github.io/blob/develop/content/posts/gitlab-ci-kubernetes-cluster/cicd/lib/cluster-autoscaler.ts">into aws-cdk construct</a><br> With the <code>ClusterAutoscaler</code> construct we can simply enhance our EKS Cluster by adding the following to the <code>CICDStack</code> definition:<br> </p> <div class="highlight"><pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">ClusterAutoscaler</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cluster-autoscaler</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">cluster</span><span class="p">:</span> <span class="nx">cluster</span><span class="p">,</span> <span class="na">nodeGroups</span><span class="p">:</span> <span class="p">[</span><span class="nx">mainNodeGroup</span><span class="p">],</span> <span class="nx">clusterName</span><span class="p">,</span> <span class="p">});</span> </code></pre></div> <h2> Connect to the cluster with kubectl </h2> <p>After a deployment the new Gitlab runner becomes available for a project or Gitlab group.<br> The <code>cdk deploy</code> command will also output a hint on how to configure <code>kubectl</code> to connect to the cluster.<br> It will look somewhat similar to the example below:<br> </p> <div class="highlight"><pre class="highlight shell"><code>aws eks update-kubeconfig <span class="nt">--name</span> cicd <span class="nt">--region</span> eu-west-1 <span class="se">\</span> <span class="nt">--role-arn</span> arn:aws:iam::XXXXXXXXXXX:role/CICD-ClusterMasterRoleXXXX-XXXX </code></pre></div> <p>You only need to execute the above command once. It will store the configuration for <code>kubectl</code> on your local disk.<br> Afterwards you can inspect the EKS Kubernetes cluster with <code>kubectl</code> e.g:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="o">&gt;</span> kubectl get pods NAME READY STATUS RESTARTS AGE cicdcicdclusterchartgitlabrunnerdXXXXX-gitlab-runner-XXXXXXXXXX 1/1 Running 0 26h </code></pre></div> <p>You can find full working example <a href="http://github.com/miensol/miensol.github.io/blob/develop/content/posts/gitlab-ci-kubernetes-cluster/cicd">under the github repository</a>.</p> awscdk eks kubernetes gitlab Piotr Mionskowski Sun, 07 Jun 2020 18:42:26 +0000 https://forem.com/miensol/deploy-aws-cdk-app-to-different-environments-297d https://forem.com/miensol/deploy-aws-cdk-app-to-different-environments-297d <p>Infrastructure as a code greatly improves traceability, repeatability and thus overall quality of the software systems built with it.<br> With a correct setup development teams can now more easily spin up short-lived clones of systems or their parts.<br> This gives a profound boost in both productivity but also ability to run automated regression or performance tests.</p> <p>In this post I will show how to use aws-cdk to deploy multiple copies of the same application:</p> <p><a href="https://miensol.pl/deploying-aws-cdk-app-to-different-environments/#using-multiple-aws-accounts-to-deploy-copies-of-the-same-aws-cdk-application" rel="noopener noreferrer"><strong>1. Using multiple AWS accounts.</strong></a></p> <p><a href="https://miensol.pl/deploying-aws-cdk-app-to-different-environments/#using-single-aws-account-to-deploy-copies-of-the-same-aws-cdk-application" rel="noopener noreferrer"><strong>2. Using a single AWS account.</strong></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fdeploying-aws-cdk-app-to-different-environments%2Fdna.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fdeploying-aws-cdk-app-to-different-environments%2Fdna.jpg" alt="dna clone"></a></p> <h2> Using multiple AWS accounts to deploy copies of the same aws-cdk application </h2> <p>By default, every aws-cdk <code>Stack</code> you create is environment-agnostic.<br> You can deploy an environment-agnostic stack with any AWS account granted you have enough entitlements.<br> Note that AWS account does not mean IAM user. A single AWS account can have multiple IAM users.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fdeploying-aws-cdk-app-to-different-environments%2Fiam-user-vs-account.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fdeploying-aws-cdk-app-to-different-environments%2Fiam-user-vs-account.png" alt="iam user vs account"></a></p> <p>The <code>cdk deploy</code> command uses specified AWS profile or a default one.</p> <p>Let us start with a bare bone app <code>multiple-accounts</code> generated with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>multiple-accounts <span class="o">&amp;&amp;</span> <span class="nb">cd </span>multiple-accounts npx cdk init <span class="nt">--language</span> typescript </code></pre> </div> <p>To make our example more entertaining I added a single S3 Bucket to the <code>MultipleAccountsStack</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">s3</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/aws-s3</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">MultipleAccountsStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">MyBucket</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>I also created 2 AWS profiles for 2 AWS accounts, using <code>aws configure</code>, named <code>blog-staging</code> and <code>blog-production</code> for demonstration.</p> <h3> Deploy aws-cdk app using explicitly specified profile </h3> <p>For start let's use <code>--profile</code> parameter to deploy our stacks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> npx cdk deploy <span class="nt">--profile</span> blog-staging MultipleAccountsStack: deploying... MultipleAccountsStack: creating CloudFormation changeset... ... ✅ MultipleAccountsStack Stack ARN: arn:aws:cloudformation:eu-central-1:XXXXXXXXXX:stack/MultipleAccountsStack/0d3c7530-a318-11ea-ab8d-02b8022d5b40 <span class="o">&gt;</span> npx cdk deploy <span class="nt">--profile</span> blog-production MultipleAccountsStack: deploying... MultipleAccountsStack: creating CloudFormation changeset... ... ✅ MultipleAccountsStack Stack ARN: arn:aws:cloudformation:eu-central-1:YYYYYYYYYY:stack/MultipleAccountsStack/3a5cc690-a319-11ea-b00b-023cc2de05b4 </code></pre> </div> <p>Note how <code>XXXXXXXXXX</code> and <code>YYYYYYYYYY</code> identifies, which AWS account deployed the stack.<br> The stack has the same <strong>name</strong> in both cases: <code>MultipleAccountsStack</code></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fdeploying-aws-cdk-app-to-different-environments%2Fstack-name.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fdeploying-aws-cdk-app-to-different-environments%2Fstack-name.png" alt="stack name"></a></p> <p>You can specify the AWS profile to use with <code>AWS_PROFILE</code> environment variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">AWS_PROFILE</span><span class="o">=</span>blog-production npx cdk deploy </code></pre> </div> <p>Last but not least the standard AWS CLI environment variables work as well:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span>xxxx <span class="nb">export </span><span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span>yyy <span class="nb">export </span><span class="nv">AWS_DEFAULT_REGION</span><span class="o">=</span>eu-central-1 npx cdk deploy </code></pre> </div> <p>Please refer to <a href="https://docs.aws.amazon.com/cdk/latest/guide/environments.html" rel="noopener noreferrer">the documentation</a> for further details.</p> <h3> Benefits of using multiple AWS accounts to deploy aws-cdk app </h3> <p>The first advantage is how using multiple AWS accounts keeps aws-cdk code simple.<br> The infrastructure code ignores details of the environment it runs in. This makes it possible to re-use it in other contexts.<br> This approach also improves security.<br> With multiple AWS accounts we minimise risk of aws-cdk installations affecting each other.</p> <h3> Downsides of using multiple AWS accounts to deploy aws-cdk app </h3> <p>The following example presents a first downside, or in reality a gotcha easy to miss.<br> Say someone not well versed in AWS services decided to name the bucket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">MyBucket</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">bucketName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">important-assets</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>It will work fine when deployed for the first time. However, as soon as we try to deploy it to a second AWS account we get:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> npx cdk deploy <span class="nt">--profile</span> blog-production <span class="o">(</span>node:61539<span class="o">)</span> ExperimentalWarning: Conditional exports is an experimental feature. This feature could change at any <span class="nb">time </span>MultipleAccountsStack: deploying... MultipleAccountsStack: creating CloudFormation changeset... 0/3 | 10:56:27 AM | CREATE_IN_PROGRESS | AWS::S3::Bucket | MyBucket <span class="o">(</span>MyBucketF68F3FF0<span class="o">)</span> 0/3 | 10:56:27 AM | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata 1/3 | 10:56:27 AM | CREATE_FAILED | AWS::S3::Bucket | MyBucket <span class="o">(</span>MyBucketF68F3FF0<span class="o">)</span> important-assets already exists </code></pre> </div> <p>Some AWS resources names need a unique name in a given region across all AWS accounts.</p> <p>The difficulty to create AWS accounts on a developer whim is the second downside.<br> Remember that want to re-create environments with changed parts.<br> Forcing a new AWS account may turn out problematic and create a management headache too big to ignore.</p> <h2> Using single AWS account to deploy copies of the same aws-cdk application </h2> <p>As we saw above by default the Stack name gets derived from the class name.<br> Thankfully one can easily override that behaviour.<br> In my projects I prefer using a <code>DEPLOY_ENV</code> environment variable to specify the deployment target.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DEPLOY_ENV</span><span class="o">=</span>staging npx cdk deploy </code></pre> </div> <p>We need to adjust our app definition so that <code>DEPLOY_ENV</code> is recognized.</p> <h3> Using DEPLOY_ENV variable inside aws-cdk entry point </h3> <p>The aws-cdk app typically resided as <code>bin</code> folder. In our example it is the <code>bin/multiple-accounts.ts</code> file.<br> With the following adjustment we can deploy our app to many targets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cp">#!/usr/bin/env node </span><span class="k">import</span> <span class="dl">"</span><span class="s2">source-map-support/register</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">MultipleAccountsStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../lib/multiple-accounts-stack</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">deployEnv</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DEPLOY_ENV</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">dev</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="k">new</span> <span class="nc">MultipleAccountsStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="nx">deployEnv</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">-MultipleAccountsStack</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>During deployment aws-cdk will create a CloudFormation stack named <code>${process.env.DEPLOY_ENV}-MultipleAccountsStack</code>:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fdeploying-aws-cdk-app-to-different-environments%2Fdeploy-env-stack-name.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fdeploying-aws-cdk-app-to-different-environments%2Fdeploy-env-stack-name.png" alt="deploy env stack name"></a></p> <h3> Using DEPLOY_ENV consistently inside aws-cdk application </h3> <p>As I mentioned above one can easily fall into unique name traps.<br> In order to avoid naming conflicts and to apply consistent naming scheme I often define a helper similar to the following.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">deployEnv</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DEPLOY_ENV</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">dev</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">envSpecific</span><span class="p">(</span><span class="nx">logicalName</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="nb">Function</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">suffix</span> <span class="o">=</span> <span class="k">typeof</span> <span class="nx">logicalName</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">function</span><span class="dl">"</span> <span class="p">?</span> <span class="nx">logicalName</span><span class="p">.</span><span class="nx">name</span> <span class="p">:</span> <span class="nx">logicalName</span><span class="p">;</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nf">deployEnv</span><span class="p">()}</span><span class="s2">-</span><span class="p">${</span><span class="nx">suffix</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">MultipleAccountsStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nf">envSpecific</span><span class="p">(</span><span class="nx">MultipleAccountsStack</span><span class="p">),</span> <span class="nx">props</span><span class="p">);</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">MyBucket</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">bucketName</span><span class="p">:</span> <span class="nf">envSpecific</span><span class="p">(</span><span class="dl">"</span><span class="s2">important-assets</span><span class="dl">"</span><span class="p">),</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>With the above change our cdk app entry point no longer decides how to name the stack.<br> Note however, that you can still allow passing the name through constructor <strong>when</strong> you need it.</p> <p>Using <code>envSpecific</code> helper keeps important resource names consistent.<br> More importantly it allows deploying as many copies of aws-cdk app as we like.</p> awscdk iac ci cd Piotr Mionskowski Sun, 24 May 2020 20:11:13 +0000 https://forem.com/miensol/combine-aws-step-functions-with-cloudwatch-events-using-aws-cdk-d75 https://forem.com/miensol/combine-aws-step-functions-with-cloudwatch-events-using-aws-cdk-d75 <p><a href="https://aws.amazon.com/step-functions/" rel="noopener noreferrer">AWS Step Functions</a> allow one to execute &amp; coordinate <strong>long-running</strong> processes.<br> Step Functions fall into serverless AWS services, and the platform manages the function execution state completely.</p> <p>In the example below we will use the following AWS services:</p> <ul> <li>aws-cdk</li> <li>Step Function</li> <li>Lambda</li> </ul> <p>The example demonstrates how Step Functions manage execution of a process, which involves external events e.g. human interaction.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Faws-step-function-with-cloudwatch-events%2Fsteps.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Faws-step-function-with-cloudwatch-events%2Fsteps.jpg" alt="steps"></a></p> <h2> Define step function </h2> <p>I will use blank infrastructure project created with<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>step-function <span class="o">&amp;&amp;</span> <span class="nb">cd </span>step-function npx cdk init <span class="nt">--language</span> typescript </code></pre> </div> <p>Next we need to add required packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>step-function npm i <span class="nt">--save</span> @aws-cdk/aws-stepfunctions <span class="se">\</span> @aws-cdk/aws-stepfunctions-tasks <span class="se">\</span> @aws-cdk/aws-lambda-nodejs <span class="se">\</span> @aws-cdk/aws-dynamodb </code></pre> </div> <p>We start with a state machine that contains a single <code>Wait</code> step as follows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">WaitTime</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/aws-stepfunctions</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Duration</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">sfn</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/aws-stepfunctions</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">StepFunctionStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">wait</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sfn</span><span class="p">.</span><span class="nc">Wait</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Wait for Event</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">time</span><span class="p">:</span> <span class="nx">WaitTime</span><span class="p">.</span><span class="nf">duration</span><span class="p">(</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">5</span><span class="p">)),</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">sfn</span><span class="p">.</span><span class="nc">StateMachine</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Step Function</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">definition</span><span class="p">:</span> <span class="nx">wait</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We deploy it with the usual aws-cdk deploy invocation<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">AWS_PROFILE</span><span class="o">=</span>my-aws-profile npm run cdk deploy </code></pre> </div> <p>After a few moments we can find our brand new AWS Step Function visual representation in AWS Web Console:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Faws-step-function-with-cloudwatch-events%2Fstep-wait.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Faws-step-function-with-cloudwatch-events%2Fstep-wait.png" alt="step-wait"></a></p> <h2> Define workflow in AWS Step Function </h2> <p>In order to make our example more interesting let's add a bit complexity to it.<br> Imagine we handle a document flow, which requires two separate actors to sign it off.</p> <p>The actors act independently. The first signer, Alice, signs documents quickly.<br> The other, Bob, can take a couple of days to process a document.</p> <p>Once both actors sign the document our flow succeeds. However, if we do not collect the signatures<br> until some time elapses the flow fails.</p> <p> In order for the `@aws-cdk/aws-lambda-nodejs` to work properly you need to have Docker running </p> <p>Alice's part consists of a single task along with a lambda function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">signDocument</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">lambda</span><span class="p">.</span><span class="nc">NodejsFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Sign Document</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">entry</span><span class="p">:</span> <span class="nx">__dirname</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">/sign-document.ts</span><span class="dl">"</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">"</span><span class="s2">signDocument</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">aliceSignature</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sfn</span><span class="p">.</span><span class="nc">Task</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Alice Signature</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">task</span><span class="p">:</span> <span class="k">new</span> <span class="nx">tasks</span><span class="p">.</span><span class="nc">RunLambdaTask</span><span class="p">(</span><span class="nx">signDocument</span><span class="p">,</span> <span class="p">{</span> <span class="na">payload</span><span class="p">:</span> <span class="nx">sfn</span><span class="p">.</span><span class="nx">TaskInput</span><span class="p">.</span><span class="nf">fromObject</span><span class="p">({</span> <span class="na">signer</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Alice</span><span class="dl">"</span><span class="p">,</span> <span class="na">documentId</span><span class="p">:</span> <span class="nx">Data</span><span class="p">.</span><span class="nf">stringAt</span><span class="p">(</span><span class="dl">"</span><span class="s2">$.documentId</span><span class="dl">"</span><span class="p">),</span> <span class="p">}),</span> <span class="p">}),</span> <span class="p">});</span> </code></pre> </div> <p>The <code>signDocument</code> lambda function handler defined in <code>step-function/lib/sign-document.ts</code> looks as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Handler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-lambda</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">delay</span> <span class="o">=</span> <span class="p">(</span><span class="nx">millis</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">millis</span><span class="p">));</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">signDocument</span><span class="p">:</span> <span class="nx">Handler</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">documentId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">signer</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">delay</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Sign document</span><span class="dl">"</span><span class="p">,</span> <span class="nx">event</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">result</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">signer</span><span class="p">}</span><span class="s2"> signed </span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">documentId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>Please note that the lambda function can be async as long as it completes within the regular AWS Lambda function rules.</p> <p>Bob's signature is a more complex job. Since Bob can take several days to process a request to sign a document we cannot simply use lambda.</p> <p>In order to solve that we will split the processing into 2 lambda functions using <code>ServiceIntegrationPattern.WAIT_FOR_TASK_TOKEN</code>.<br> The first one will receive step function token and store it in a DynamoDb table. That simulates reaching out to Bob e.g. through email.</p> <p>The second one will retrieve the token from the DynamoDb table and mark the Step function task as complete.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">signRequestsTable</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Signature Requests</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">billingMode</span><span class="p">:</span> <span class="nx">BillingMode</span><span class="p">.</span><span class="nx">PAY_PER_REQUEST</span><span class="p">,</span> <span class="na">partitionKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">documentId</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">AttributeType</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">requestDocumentSignature</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">lambda</span><span class="p">.</span><span class="nc">NodejsFunction</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Request Document Signature</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">entry</span><span class="p">:</span> <span class="nx">__dirname</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">/sign-document.ts</span><span class="dl">"</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">"</span><span class="s2">requestDocumentSignature</span><span class="dl">"</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">signRequestsTableName</span><span class="p">:</span> <span class="nx">signRequestsTable</span><span class="p">.</span><span class="nx">tableName</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">completeSignatureRequest</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">lambda</span><span class="p">.</span><span class="nc">NodejsFunction</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Complete Document Signature</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">entry</span><span class="p">:</span> <span class="nx">__dirname</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">/sign-document.ts</span><span class="dl">"</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">"</span><span class="s2">completeSignatureRequest</span><span class="dl">"</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">signRequestsTableName</span><span class="p">:</span> <span class="nx">signRequestsTable</span><span class="p">.</span><span class="nx">tableName</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="nx">signRequestsTable</span><span class="p">.</span><span class="nf">grantReadWriteData</span><span class="p">(</span><span class="nx">requestDocumentSignature</span><span class="p">);</span> <span class="nx">signRequestsTable</span><span class="p">.</span><span class="nf">grantReadWriteData</span><span class="p">(</span><span class="nx">completeSignatureRequest</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bobSignature</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sfn</span><span class="p">.</span><span class="nc">Task</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Bob Signature</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">task</span><span class="p">:</span> <span class="k">new</span> <span class="nx">tasks</span><span class="p">.</span><span class="nc">RunLambdaTask</span><span class="p">(</span><span class="nx">requestDocumentSignature</span><span class="p">,</span> <span class="p">{</span> <span class="na">integrationPattern</span><span class="p">:</span> <span class="nx">ServiceIntegrationPattern</span><span class="p">.</span><span class="nx">WAIT_FOR_TASK_TOKEN</span><span class="p">,</span> <span class="na">payload</span><span class="p">:</span> <span class="nx">sfn</span><span class="p">.</span><span class="nx">TaskInput</span><span class="p">.</span><span class="nf">fromObject</span><span class="p">({</span> <span class="na">stepFunctionToken</span><span class="p">:</span> <span class="nx">sfn</span><span class="p">.</span><span class="nx">Context</span><span class="p">.</span><span class="nx">taskToken</span><span class="p">,</span> <span class="na">signer</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Bob</span><span class="dl">"</span><span class="p">,</span> <span class="na">documentId</span><span class="p">:</span> <span class="nx">Data</span><span class="p">.</span><span class="nf">stringAt</span><span class="p">(</span><span class="dl">"</span><span class="s2">$.documentId</span><span class="dl">"</span><span class="p">),</span> <span class="p">}),</span> <span class="p">}),</span> <span class="p">});</span> </code></pre> </div> <p>Last but not least we need to allow the <code>completeSignatureRequest</code> to adjust step function state through IAM Policy Statement.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">waitForSignaturesTimeout</span> <span class="o">=</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">60</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">stateMachine</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sfn</span><span class="p">.</span><span class="nc">StateMachine</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Step Function</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">definition</span><span class="p">:</span> <span class="nx">flow</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">waitForSignaturesTimeout</span><span class="p">,</span> <span class="p">});</span> <span class="nx">completeSignatureRequest</span><span class="p">.</span><span class="nf">addToRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">states:SendTaskSuccess</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">states:SendTaskFailure</span><span class="dl">"</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">stateMachine</span><span class="p">.</span><span class="nx">stateMachineArn</span><span class="p">],</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p>After we deploy our updated stack the function definition should look as follows:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Faws-step-function-with-cloudwatch-events%2Fsignatures.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Faws-step-function-with-cloudwatch-events%2Fsignatures.png" alt="alice and bob signatures"></a></p> <h2> Call Step Function callback from AWS Lambda </h2> <p>For our workflow to complete we need to implement Bob's lambda part.<br> Let's start with a function that simulates starting a long-running business process.<br> The important bit in <code>sendSignatureRequest</code> is that it stores state function task token.<br> We will use the token later on to call AWS Step Function back.<br> The callback will include result. In our case a fake signature of a document.</p> <p>First add 2 more packages to our project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm i <span class="nt">--save</span> @types/aws-lambda aws-sdk </code></pre> </div> <p>Then update the AWS Lambda <code>sendSignatureRequest</code> definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Handler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-lambda</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">DynamoDb</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">aws-sdk/clients/dynamodb</span><span class="dl">"</span><span class="p">);</span> <span class="kr">interface</span> <span class="nx">SignDocumentEvent</span> <span class="p">{</span> <span class="nl">documentId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">signer</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">stepFunctionToken</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">documentClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">DynamoDb</span><span class="p">.</span><span class="nc">DocumentClient</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">signRequestsTableName</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">signRequestsTableName</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">requestDocumentSignature</span><span class="p">:</span> <span class="nx">Handler</span><span class="o">&lt;</span><span class="nx">SignDocumentEvent</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">event</span> <span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Request signature for</span><span class="dl">"</span><span class="p">,</span> <span class="nx">event</span><span class="p">);</span> <span class="k">await</span> <span class="nx">documentClient</span> <span class="p">.</span><span class="nf">put</span><span class="p">({</span> <span class="na">TableName</span><span class="p">:</span> <span class="nx">signRequestsTableName</span><span class="p">,</span> <span class="na">Item</span><span class="p">:</span> <span class="nx">event</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <p>The last missing piece is to implement the <code>completeSignatureRequest</code> lambda function.<br> The important bit is to call <code>sendTaskSuccess</code> to indicate that processing completed successfully.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Handler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-lambda</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">StepFunctions</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">aws-sdk/clients/stepfunctions</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">DynamoDb</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">aws-sdk/clients/dynamodb</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">documentClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">DynamoDb</span><span class="p">.</span><span class="nc">DocumentClient</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">signRequestsTableName</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">signRequestsTableName</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">stepFunctions</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StepFunctions</span><span class="p">();</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">completeSignatureRequest</span><span class="p">:</span> <span class="nx">Handler</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">documentId</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">event</span> <span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tableItem</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">documentClient</span> <span class="p">.</span><span class="nf">get</span><span class="p">({</span> <span class="na">TableName</span><span class="p">:</span> <span class="nx">signRequestsTableName</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="p">{</span> <span class="na">documentId</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">documentId</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="kd">const</span> <span class="na">signRequest</span><span class="p">:</span> <span class="nx">SignDocumentEvent</span> <span class="o">=</span> <span class="nx">tableItem</span><span class="p">.</span><span class="nx">Item</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Received signature for</span><span class="dl">"</span><span class="p">,</span> <span class="nx">signRequest</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">signature</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">signRequest</span><span class="p">.</span><span class="nx">signer</span><span class="p">}</span><span class="s2"> signed </span><span class="p">${</span><span class="nx">signRequest</span><span class="p">.</span><span class="nx">documentId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">stepFunctions</span> <span class="p">.</span><span class="nf">sendTaskSuccess</span><span class="p">({</span> <span class="na">output</span><span class="p">:</span> <span class="nx">output</span><span class="p">,</span> <span class="na">taskToken</span><span class="p">:</span> <span class="nx">signRequest</span><span class="p">.</span><span class="nx">stepFunctionToken</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <p>Let's test the execution by requesting a document with id equal to 3. <br> As expected Alice signs the document after couple of seconds. <br> However, for in order to get Bob's signature we invoke complete signature lambda. <br> This simulates an action that involves human interaction. <br> Note that the whole process could take months to complete! </p> <p>The AWS Step Function console depicts the current phase of processing pretty neatly.<br> <iframe src="https://player.vimeo.com/video/420803128" width="710" height="399"> </iframe> </p> <p>You can find <a href="https://github.com/miensol/miensol.github.io/tree/develop/content/posts/aws-step-function-with-cloudwatch-events/step-function" rel="noopener noreferrer">full working example in Github repository</a>.</p> <p>Leave a comment if you like the article and would like to see more!</p> eventbridge cloudwatch awscdk infrastructureascode Piotr Mionskowski Fri, 22 May 2020 22:20:40 +0000 https://forem.com/miensol/https-on-cloudfront-using-certificate-manager-and-aws-cdk-3m50 https://forem.com/miensol/https-on-cloudfront-using-certificate-manager-and-aws-cdk-3m50 <p><a href="https://miensol.pl/fast-static-website-with-aws-cdk/" rel="noopener noreferrer">The static website deployed with aws-cdk to CloudFront post</a><br> shows how to deploy static content with aws-cdk. We still miss a custom domain configuration for<br> our website though. The following example shows how to:</p> <ul> <li>setup a custom domain name for a CloudFront distribution</li> <li>enable https using AWS issued trusted certificate</li> </ul> <h2> Get a trusted certificate from AWS Certificate Manager using aws-cdk </h2> <p>Using the <a href="https://github.com/miensol/miensol.github.io/tree/develop/content/posts/cloudfront-custom-domain-https" rel="noopener noreferrer">example from previous post as a base</a>, inside <code>infrastructure</code> directory, let's add<br> additional package:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> npm i <span class="nt">--save</span> @aws-cdk/aws-certificatemanager </code></pre> </div> <p>CloudFront can only use AWS Certificate Manager issued certificates inside us-east-1 region (N. Virginia).<br> We can create our <code>FrontendStack</code> in us-east-1 region. Alternatively we can create another stack with the certificate only.<br> Below I show how to use the second option.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="p">...</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ValidationMethod</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/aws-certificatemanager</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cm</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/aws-certificatemanager</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">domainName</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">fast-static-website.miensol.pl</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CertificateStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CertificateStack</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="dl">"</span><span class="s2">us-east-1</span><span class="dl">"</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">certificate</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cm</span><span class="p">.</span><span class="nc">Certificate</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CustomDomainCertificate</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">domainName</span><span class="p">:</span> <span class="nx">domainName</span><span class="p">,</span> <span class="na">validationMethod</span><span class="p">:</span> <span class="nx">ValidationMethod</span><span class="p">.</span><span class="nx">DNS</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">certificateArn</span> <span class="o">=</span> <span class="nx">certificate</span><span class="p">.</span><span class="nx">certificateArn</span><span class="p">;</span> <span class="k">new</span> <span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CertificateArn</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">certificateArn</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">...</span> </code></pre> </div> <p>We request a certificate for a given domain name in us-east-1 region.<br> Before AWS Certificate Manager issues a trusted TLS certificate it needs to verify that you own<br> the domain. The validation happens using either:</p> <ul> <li>email: AWS CM sends a message to <em>admin</em> email addresses for the domain</li> <li>DNS: AWS CM requests a particular DNS record configuration</li> </ul> <p>In the example above I use <code>fast-static-website.miensol.pl</code> with DNS validation method. Since I own<br> the domain I can prove that to AWS Certificate Manager.</p> <p>We also update the <code>bin/infrastructure.ts</code> file to include our new stack:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cp"> #!/usr/bin/env node </span><span class="k">import</span> <span class="dl">"</span><span class="s2">source-map-support/register</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CertificateStack</span><span class="p">,</span> <span class="nx">FrontendStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../lib/frontend-stack</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="k">new</span> <span class="nc">CertificateStack</span><span class="p">(</span><span class="nx">app</span><span class="p">);</span> <span class="k">new</span> <span class="nc">FrontendStack</span><span class="p">(</span><span class="nx">app</span><span class="p">);</span> </code></pre> </div> <p>Let's trigger next deployment with:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> npm run cdk deploy <span class="s1">'*'</span> </code></pre> </div> <p>The process will wait for a certificate request validation. The requested DNS<br> record will show up in the deployment command output:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="o">&gt;</span> npm run cdk deploy ... 1/5 | 6:03:37 PM | CREATE_IN_PROGRESS | AWS::CertificateManager::Certificate | CustomDomainCertificate <span class="o">(</span>CustomDomainCertificateXXXXX<span class="o">)</span> Content of DNS Record is: <span class="o">{</span>Name: XXXXXX.fast-static-website.miensol.pl.,Type: CNAME,Value: XXXXX.auiqqraehs.acm-validations.aws.<span class="o">}</span> 1/5 Currently <span class="k">in </span>progress: CustomDomainCertificateXXXXX </code></pre> </div> <p>You can also find the request in <a href="https://eu-central-1.console.aws.amazon.com/acm/home?region=eu-central-1#/" rel="noopener noreferrer">Certificate Manager</a> inside AWS Web console. After<br> you configure the DNS record, the process will continue. In the command output you should see a message similar to:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> CertificateStack.CertificateArn <span class="o">=</span> arn:aws:acm:us-east-1:XXXXXXX:certificate/XXXXX-XXXXX-XXXX-XXXX-XXXXXXXX </code></pre> </div> <p>Please note the above value, we will need it in the following step.</p> <h2> Attach a certificate to CloudFront distribution using aws-cdk </h2> <p>We need to tell the CloudFront distribution to use the new certificate. Let's modify the <code>FrontendStack</code><br> to accept parameters:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kr">interface</span> <span class="nx">FrontendProps</span> <span class="p">{</span> <span class="nl">certificateArn</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">FrontendStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">FrontendProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">"</span><span class="s2">FrontendStack</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">frontBucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">FrontendBucket</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">websiteIndexDocument</span><span class="p">:</span> <span class="dl">"</span><span class="s2">index.html</span><span class="dl">"</span><span class="p">,</span> <span class="na">publicReadAccess</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">distribution</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">CloudFrontWebDistribution</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Distribution</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">viewerCertificate</span><span class="p">:</span> <span class="p">{</span> <span class="na">aliases</span><span class="p">:</span> <span class="p">[</span><span class="nx">domainName</span><span class="p">],</span> <span class="na">props</span><span class="p">:</span> <span class="p">{</span> <span class="na">acmCertificateArn</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">certificateArn</span><span class="p">,</span> <span class="na">sslSupportMethod</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sni-only</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">...</span> </code></pre> </div> <p>In the <code>viewerCertificate</code> section we specify domain name as well as certificate CloudFront distribution should use.<br> Next we pass CertificateStack.CertificateArn value noted above as a parameter:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="k">new</span> <span class="nc">CertificateStack</span><span class="p">(</span><span class="nx">app</span><span class="p">);</span> <span class="k">new</span> <span class="nc">FrontendStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="p">{</span> <span class="na">certificateArn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">arn:aws:acm:us-east-1:XXXXXXX:certificate/XXXXX-XXXXX-XXXX-XXXX-XXXXXXXX</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>The deployment will take a while to complete since the CF distribution has to update.<br> We can use that time to configure <code>fast-static-website.miensol.pl</code> DNS record.<br> The record needs to point to <code>FrontendStack.DistributionDomainName</code>.<br> I use CloudFlare so in my case this means creating a CNAME record:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fcloudfront-custom-domain-https%2Fcloudflare-dns-entry.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fcloudfront-custom-domain-https%2Fcloudflare-dns-entry.png" alt="cloudflare cname entry"></a></p> <p>We can now load our static website using HTTPS!</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fcloudfront-custom-domain-https%2Fcertificate.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmiensol%2Fmiensol.github.io%2Fdevelop%2Fcontent%2Fposts%2Fcloudfront-custom-domain-https%2Fcertificate.png" alt="certificate"></a></p> <p>It is a shame that it is not possible to create <a href="https://github.com/aws/aws-cdk/issues/49#issuecomment-454800305" rel="noopener noreferrer">cross region references using aws-cdk</a>:</p> <blockquote> <p>There is not, unfortunately. You're going to have to thread the API URL across regions manually. That means:</p> <p>Deploy the ApiStackIreland first. Note the API URL (maybe make it an Output so that it's easy to get to).<br> Deploy the EdgeStack and plug in the value of API URL from the first step.<br> There are a number of ways you could do this, and honestly I'm not sure which one to recommend.</p> <p>I guess a pragmatic one would be to use <code>this.node.getContext()</code> and pass the value on the command-line when deploying the second stack (using the <code>-c KEY=VALUE fflag</code>), or put it into cdk.json under the context: {} section.</p> </blockquote> <p>The full working example is available <a href="https://github.com/miensol/miensol.github.io/tree/develop/content/posts/cloudfront-custom-domain-https" rel="noopener noreferrer">in the github repository</a>.</p> awscdk infrastructureascode cloudfront awscertificatemanager Piotr Mionskowski Sun, 17 May 2020 14:02:06 +0000 https://forem.com/miensol/deploy-fast-static-website-to-aws-like-a-pro-5gpf https://forem.com/miensol/deploy-fast-static-website-to-aws-like-a-pro-5gpf <p>In this post we'll see how to create and deploy a static website using IaC using the following technologies:</p> <ul> <li>aws-cdk</li> <li>AWS CloudFormation</li> <li>AWS Lambda</li> <li>AWS S3</li> </ul> <h2> Have a static website </h2> <p>For the sake of simplicity we'll use <a href="https://create-react-app.dev/docs/adding-typescript/">Create React App</a> in a directory called <code>my-project</code>:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>cd my-project npx create-react-app frontend --template typescript </code></pre></div> <p>Create the static website content inside <code>frontend/build</code> directory with:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>cd frontend &amp;&amp; yarn build </code></pre></div> <h2> Add aws-cdk to the project </h2> <p>Create infrastructure project with <a href="https://docs.aws.amazon.com/cdk/latest/guide/home.html">aws-cdk</a>:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>mkdir infrastructure &amp;&amp; cd infrastructure npx cdk init --language typescript </code></pre></div> <p>Note that in order to deploy you need to have AWS API credentials configured.<br> I prefer using AWS profiles, which you can set up using AWS CLI:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>aws configure --profile my-profile-name </code></pre></div> <p>The command will ask you couple of questions.<br> Please find the AWS Access Key Id and AWS Secret Access Key for your AWS account in <a href="https://console.aws.amazon.com/iam/home?region=eu-central-1">AWS Web Console IAM section</a>.<br> The AWS CLI stores configuration under <code>~/.aws</code> (Linux or Mac) or <code>%USERPROFILE%\.aws</code> (Windows).</p> <p>Please follow aws-cdk <a href="https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html">Getting Started</a> to get more details.</p> <h2> Deploy static content deployment to S3 website </h2> <p>We will deploy static content to AWS using <code>@aws-cdk/aws-s3-deployment</code> package. We need to add it to our project:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>cd infrastructure npm i --save @aws-cdk/aws-s3-deployment </code></pre></div> <p>Next, let's tell aws-cdk to deploy contents of <code>frontend/build</code> directory to AWS.<br> In our template we have <code>InfrastructureStack</code> available under <code>lib/infrastructure-stack.ts</code>. <br> Since it makes sense to have more focused CloudFormation stacks let's rename it to <code>FrontendStackStack</code>.<br> </p> <div class="highlight"><pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">s3</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-s3</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">s3deploy</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-s3-deployment</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cloudfront</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-cloudfront</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">FrontendStack</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="kd">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">FrontendStack</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>All files, which our static content consists of, will be stored on S3, so we need to create a bucket there:<br> </p> <div class="highlight"><pre class="highlight typescript"><code><span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">FrontendStack</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">frontBucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">FrontendBucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">websiteIndexDocument</span><span class="p">:</span> <span class="dl">'</span><span class="s1">index.html</span><span class="dl">'</span><span class="p">,</span> <span class="na">publicReadAccess</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> </code></pre></div> <p>Next, we need to tell <code>@aws-cdk/aws-s3-deployment</code> to push contents of <code>frontent/build</code> to the bucket created above:<br> </p> <div class="highlight"><pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">s3deploy</span><span class="p">.</span><span class="nx">BucketDeployment</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DeployWebsite</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">sources</span><span class="p">:</span> <span class="p">[</span><span class="nx">s3deploy</span><span class="p">.</span><span class="nx">Source</span><span class="p">.</span><span class="nx">asset</span><span class="p">(</span> <span class="nx">path</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">frontend</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">build</span><span class="dl">'</span><span class="p">)</span> <span class="p">)],</span> <span class="na">destinationBucket</span><span class="p">:</span> <span class="nx">frontBucket</span> <span class="p">});</span> </code></pre></div> <p>Since our aws-cdk stack uses assets we need to bootstrap our AWS account before <strong>first</strong> deployment:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nb">cd </span>infrastructure <span class="nv">AWS_PROFILE</span><span class="o">=</span>my-profile-name npx cdk bootstrap </code></pre></div> <p>Once the above command completes we can now finally deploy our website:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nb">cd </span>infrastructure <span class="nv">AWS_PROFILE</span><span class="o">=</span>my-profile-name npm run cdk deploy </code></pre></div> <p>The command will prompt for confirmation before it creates the necessary security rules. <br> You will see what resources get created or modified while the command runs. <br> Afterwards all resources created are part of AWS CloudFormation <code>FrontendStack</code> stack.<br> Most importantly the command copied all files to S3 Bucket, which in turn can host the website.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GZMsewAx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/miensol/miensol.github.io/raw/develop/content/posts/fast-static-website-with-aws-cdk/s3-contents.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GZMsewAx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/miensol/miensol.github.io/raw/develop/content/posts/fast-static-website-with-aws-cdk/s3-contents.png" alt="s3 bucket contents"></a></p> <p>One you find the S3 bucket created in the AWS CloudFormation stack:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--t-ZDcI5s--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/miensol/miensol.github.io/raw/develop/content/posts/fast-static-website-with-aws-cdk/cloudformation-stack.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--t-ZDcI5s--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/miensol/miensol.github.io/raw/develop/content/posts/fast-static-website-with-aws-cdk/cloudformation-stack.png" alt="cloudformation stack"></a></p> <p>Your website is now available under a URL similar to:</p> <p><code>http://frontendstack-frontendbucketefe2e19c-ixsoxq891rl1.s3-website.eu-central-1.amazonaws.com/</code></p> <h2> Improve performance of static website with CloudFront </h2> <p>The website loads files directly from S3 bucket. The S3 bucket, by default, lives inside a single AWS Region, <br> which means that visitors from far away may suffer from subpar loading speeds. </p> <p>For production setup we can use AWS CloudFront CDN, which distributes our content across over 100 locations around the globe. <br> Using this solution with <code>@aws-cdk/aws-s3-deployment</code> is a piece of cake:<br> </p> <div class="highlight"><pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">distribution</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">CloudFrontWebDistribution</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Distribution</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">originConfigs</span><span class="p">:</span> <span class="p">[{</span> <span class="na">s3OriginSource</span><span class="p">:</span> <span class="p">{</span> <span class="na">s3BucketSource</span><span class="p">:</span> <span class="nx">frontBucket</span> <span class="p">},</span> <span class="na">behaviors</span> <span class="p">:</span> <span class="p">[</span> <span class="p">{</span><span class="na">isDefaultBehavior</span><span class="p">:</span> <span class="kc">true</span><span class="p">}]</span> <span class="p">}]</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DistributionDomainName</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">distribution</span><span class="p">.</span><span class="nx">domainName</span> <span class="p">})</span> <span class="k">new</span> <span class="nx">s3deploy</span><span class="p">.</span><span class="nx">BucketDeployment</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DeployWebsite</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">sources</span><span class="p">:</span> <span class="p">[</span><span class="nx">s3deploy</span><span class="p">.</span><span class="nx">Source</span><span class="p">.</span><span class="nx">asset</span><span class="p">(</span> <span class="nx">path</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">frontend</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">build</span><span class="dl">'</span><span class="p">)</span> <span class="p">)],</span> <span class="na">destinationBucket</span><span class="p">:</span> <span class="nx">frontBucket</span><span class="p">,</span> <span class="na">distribution</span><span class="p">:</span> <span class="nx">distribution</span><span class="p">,</span> <span class="p">});</span> </code></pre></div> <p>After you update the stack with <code>AWS_PROFILE=my-profile-name npm run cdk deploy</code> you will find a new CloudFront distribution created.<br> Note that it make take few minutes to complete. <br> We added <code>CfnOutput</code> to make it easier to find the CloudFront distribution autogenerated domain name.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Outputs: FrontendStack.DistributionDomainName = d3a9wcc4fxw2d.cloudfront.net </code></pre></div> <p>Now the static website uses global content delivery network! </p> <p>You can find full example used in this post <a href="https://github.com/miensol/miensol.github.io/tree/develop/content/posts/fast-static-website-with-aws-cdk">in the Github repository</a></p> <p>Originally published at <a href="https://miensol.pl/fast-static-website-with-aws-cdk/">https://miensol.pl</a>.</p> cloudformation awscdk infrastructureascode cloudfront