Forem: Cláudio Filipe Lima Rapôso The latest articles on Forem by Cláudio Filipe Lima Rapôso (@sertaoseracloud). https://forem.com/sertaoseracloud https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2686804%2F21b0095d-7793-4b03-b894-5b639c6264c0.png Forem: Cláudio Filipe Lima Rapôso https://forem.com/sertaoseracloud en Practical Guide: Building an Active-Active Multicloud Cell-Based Architecture Cláudio Filipe Lima Rapôso Thu, 23 Apr 2026 03:00:00 +0000 https://forem.com/sertaoseracloud/practical-guide-building-an-active-active-multicloud-cell-based-architecture-bk8 https://forem.com/sertaoseracloud/practical-guide-building-an-active-active-multicloud-cell-based-architecture-bk8 <h2> 1. Introduction </h2> <p>A multicloud cell-based architecture represents the pinnacle of fault isolation and vendor neutrality. By distributing autonomous "cells" across different cloud provider, such as placing Cell Alpha in AWS and Cell Beta in Azure, you eliminate the risk of a single cloud provider's regional or global outage taking down your entire application. At the end of this tutorial, you will understand how to provision a unified control plane that intelligently routes tenant traffic to entirely isolated data planes residing in disparate cloud ecosystems.</p> <p>This architecture is highly valuable for organizations with extreme availability requirements and strict regulatory compliance mandates. It prevents vendor lock-in by enforcing an agnostic ingress layer and identical compute/state contracts across clouds. Building this requires mature infrastructure as code practices and a deep understanding of decoupled domain boundaries.</p> <h2> 2. Prerequisites </h2> <p>To execute this architectural pattern, you must have the following tools and access configured:</p> <ul> <li>Active accounts on both Amazon Web Services (AWS) and Microsoft Azure, with administrative credentials.</li> <li>Terraform (version 1.0+) installed locally, with both <code>hashicorp/aws</code> and <code>hashicorp/azurerm</code> providers authenticated.</li> <li>Python (version 3.11+) for writing the agnostic edge routing logic.</li> <li>A registered domain name and access to a neutral Edge DNS provider (e.g., Cloudflare) to act as the global entry point.</li> <li>Understanding of Domain-Driven Design (DDD) to ensure cell workloads are completely bounded and stateless.</li> </ul> <h2> 3. Step-by-Step </h2> <p>A multicloud cellular architecture requires a strict separation between the "Control Plane" (which knows where tenants live) and the "Data Plane" (where the actual compute and storage happen). The sequence diagram below illustrates how an edge router evaluates the request and proxies it to the respective cloud provider.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2e2rek5unmrhr5kaj2m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2e2rek5unmrhr5kaj2m.png" alt="Sequence Diagram" width="800" height="495"></a></p> <h3> 3.1 Configuring the Multicloud Terraform Environment </h3> <p><strong>What to do:</strong> Create a root Terraform configuration that initializes both the AWS and Azure providers simultaneously.<br> <strong>Why do it:</strong> To manage a true multicloud infrastructure, your CI/CD pipeline must be able to orchestrate state across both environments from a single source of truth, ensuring that the infrastructure contracts remain identical.</p> <p><strong>Example:</strong><br> Create your <code>main.tf</code> file to authenticate both providers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="nx">azurerm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/azurerm"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"primary"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"azurerm"</span> <span class="p">{</span> <span class="nx">features</span> <span class="p">{}</span> <span class="nx">subscription_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">azure_subscription_id</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"azure_subscription_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Azure Subscription ID for the multicloud landing zone"</span> <span class="p">}</span> </code></pre> </div> <h3> 3.2 Provisioning the AWS Cell (Cell Alpha) </h3> <p><strong>What to do:</strong> Deploy the AWS-specific data plane, consisting of an API Gateway, Lambda, and DynamoDB.<br> <strong>Why do it:</strong> This establishes your first isolated failure domain. The AWS cell acts as a self-contained unit capable of serving its assigned tenants without any dependency on the central control plane or the Azure cell.</p> <p><strong>Example:</strong><br> Append the AWS cell definition to your <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS Cell Infrastructure (Simplified)</span> <span class="nx">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"aws_cell_state"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"multicloud-state-aws-alpha"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"id"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"id"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"aws_cell_worker"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"aws_worker.zip"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"aws-worker-alpha"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">aws_exec_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"worker.handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.11"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function_url"</span> <span class="s2">"aws_ingress"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">aws_cell_worker</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">authorization_type</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="c1"># In production, restrict to Edge Router IPs/Tokens</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"aws_cell_endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lambda_function_url</span><span class="p">.</span><span class="nx">aws_ingress</span><span class="p">.</span><span class="nx">function_url</span> <span class="p">}</span> </code></pre> </div> <h3> 3.3 Provisioning the Azure Cell (Cell Beta) </h3> <p><strong>What to do:</strong> Deploy the Azure-specific data plane, consisting of an Azure Function and Cosmos DB.<br> <strong>Why do it:</strong> This creates the second failure domain in a completely separate physical network and control plane. If AWS experiences a major outage, the tenants assigned to the Azure cell experience zero degradation.</p> <p><strong>Example:</strong><br> Append the Azure cell definition to your <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Azure Cell Infrastructure (Simplified)</span> <span class="nx">resource</span> <span class="s2">"azurerm_resource_group"</span> <span class="s2">"az_cell_rg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"rg-multicloud-beta"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"East US"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_cosmosdb_account"</span> <span class="s2">"az_cell_db"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"db-multicloud-az-beta"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">az_cell_rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">az_cell_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">offer_type</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"GlobalDocumentDB"</span> <span class="nx">geo_location</span> <span class="p">{</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">az_cell_rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">failover_priority</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">consistency_policy</span> <span class="p">{</span> <span class="nx">consistency_level</span> <span class="p">=</span> <span class="s2">"Session"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_account"</span> <span class="s2">"az_storage"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"stmulticloudbeta"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">az_cell_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">az_cell_rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">account_tier</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">account_replication_type</span> <span class="p">=</span> <span class="s2">"LRS"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_service_plan"</span> <span class="s2">"az_plan"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"plan-multicloud-beta"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">az_cell_rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">az_cell_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">os_type</span> <span class="p">=</span> <span class="s2">"Linux"</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="s2">"Y1"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_linux_function_app"</span> <span class="s2">"az_cell_worker"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"func-az-worker-beta"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">az_cell_rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">az_cell_rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">service_plan_id</span> <span class="p">=</span> <span class="nx">azurerm_service_plan</span><span class="p">.</span><span class="nx">az_plan</span><span class="p">.</span><span class="nx">id</span> <span class="nx">storage_account_name</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">az_storage</span><span class="p">.</span><span class="nx">name</span> <span class="nx">storage_account_access_key</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">az_storage</span><span class="p">.</span><span class="nx">primary_access_key</span> <span class="nx">site_config</span> <span class="p">{</span> <span class="nx">application_stack</span> <span class="p">{</span> <span class="nx">python_version</span> <span class="p">=</span> <span class="s2">"3.11"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"az_cell_endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"https://${azurerm_linux_function_app.az_cell_worker.default_hostname}/api/process"</span> <span class="p">}</span> </code></pre> </div> <h3> 3.4 Developing the Agnostic Edge Router (Python) </h3> <p><strong>What to do:</strong> Write the Python routing logic that will be deployed to a neutral edge layer (like Cloudflare Workers via Pyodide, or a dedicated edge Kubernetes cluster).<br> <strong>Why do it:</strong> You cannot host the global router inside AWS or Azure. If you host it in AWS and AWS goes down, your clients cannot reach the Azure cell because the router itself is dead. The routing layer must be cloud-agnostic.</p> <p><strong>Example:</strong><br> Create <code>global_router.py</code>. This script intercepts the payload, queries the registry, and proxies the request across the internet backbone to the appropriate cloud.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">import</span> <span class="n">os</span> <span class="c1"># The global registry maps tenant IDs to specific cloud cell endpoints. # In production, this data is fetched from a distributed edge database. </span><span class="n">GLOBAL_REGISTRY</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">T-100</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">provider</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">aws</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">AWS_CELL_ENDPOINT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://aws-api-mock.com/process</span><span class="sh">"</span><span class="p">)</span> <span class="p">},</span> <span class="sh">"</span><span class="s">T-200</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">provider</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">azure</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">AZ_CELL_ENDPOINT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://az-api-mock.com/api/process</span><span class="sh">"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">route_request</span><span class="p">(</span><span class="n">request_body</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">request_body</span><span class="p">)</span> <span class="n">tenant_id</span> <span class="o">=</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">tenant_id</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Missing tenant_id</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># 1. Lookup tenant location in the registry </span> <span class="n">cell_info</span> <span class="o">=</span> <span class="n">GLOBAL_REGISTRY</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">tenant_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">cell_info</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="mi">404</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Tenant not allocated to any cell</span><span class="sh">"</span><span class="p">}</span> <span class="n">target_url</span> <span class="o">=</span> <span class="n">cell_info</span><span class="p">[</span><span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">]</span> <span class="n">provider</span> <span class="o">=</span> <span class="n">cell_info</span><span class="p">[</span><span class="sh">"</span><span class="s">provider</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># 2. Proxy request to the specific cloud provider </span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span> <span class="n">target_url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">request_body</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/json</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">X-Multicloud-Auth</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">EdgeToken123</span><span class="sh">'</span><span class="p">}</span> <span class="p">)</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="n">cell_response</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># 3. Return payload to client with multicloud diagnostic headers </span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">X-Processed-By-Cloud</span><span class="sh">"</span><span class="p">:</span> <span class="n">provider</span> <span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">cell_response</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Edge Routing Failure: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h2> 4. Common Troubleshooting </h2> <p>Operating a multicloud cellular architecture introduces extreme networking and data synchronization complexities. Be prepared to address the following challenges:</p> <ol> <li> <strong>State Fragmentation and Global Reporting:</strong> <ul> <li> <strong>Problem:</strong> Your business intelligence team cannot run global queries because data is split between AWS DynamoDB and Azure Cosmos DB.</li> <li> <strong>Solution:</strong> Do not attempt real-time federated queries across clouds. Implement a unified Data Lake (e.g., Snowflake or Databricks). Configure both the AWS Lambda and the Azure Function to asynchronously stream their state changes (Event Sourcing) into this central analytical repository.</li> </ul> </li> <li> <strong>Cross-Cloud Latency at the Routing Layer:</strong> <ul> <li> <strong>Problem:</strong> If the neutral Edge Router has to query a database in AWS to find out that a tenant belongs in Azure, the latency overhead becomes unacceptable.</li> <li> <strong>Solution:</strong> The Tenant Registry must be cached at the edge. Utilize technologies like Cloudflare KV, Fastly Compute dictionaries, or Redis Enterprise Active-Active to ensure the routing metadata is geographically local to the Edge Router executing the Python script.</li> </ul> </li> <li> <strong>CI/CD Configuration Drift:</strong> <ul> <li> <strong>Problem:</strong> Over time, developers add features to the AWS cell but forget to implement the exact Azure equivalent, breaking the "identical cell" contract.</li> <li> <strong>Solution:</strong> Enforce strict Hexagonal Architecture within your Python applications. The core domain logic must be a pure Python package shared across both clouds. The only differing code should be the specific I/O adapters (DynamoDB vs. Cosmos DB connectors).</li> </ul> </li> </ol> <h2> 5. Conclusion </h2> <p>By implementing a multicloud cell-based architecture, you have constructed the ultimate defense against cloud-provider lock-in and catastrophic outages. We used Terraform to simultaneously orchestrate isolated data planes in AWS and Azure, and developed an agnostic Python edge router to direct traffic based on tenant identity. </p> <p>This model requires significant engineering maturity, but it guarantees that your infrastructure can scale infinitely horizontally while treating cloud providers as interchangeable utility commodities. As a next step, focus on automating the cross-cloud tenant migration process, allowing you to evacuate tenants from AWS to Azure in real-time if telemetry indicates a degradation in a specific provider's region.</p> architecture aws azure tutorial Event-Driven Architecture on Azure vs AWS: Service Bus vs SNS/SQS Cláudio Filipe Lima Rapôso Tue, 21 Apr 2026 19:59:01 +0000 https://forem.com/sertaoseracloud/event-driven-architecture-on-azure-vs-aws-service-bus-vs-snssqs-3cml https://forem.com/sertaoseracloud/event-driven-architecture-on-azure-vs-aws-service-bus-vs-snssqs-3cml <p>Your <code>OrderService</code> does six things when a customer clicks <em>Place Order</em>. It writes to the orders table, reserves inventory, charges the card, enqueues the shipping label, emails the receipt, and logs the analytics event. It does all of that inside one HTTP handler, in one transaction, on one box. When the payment gateway hiccups, the order fails. When the email provider rate-limits, the order fails. When inventory is slow, the order fails. The monolith tied six independent failure domains to one shared fate.</p> <p>This article rebuilds that pipeline as an event-driven system on both Azure and AWS, and walks through where they genuinely differ - not where they superficially look the same. The reference scenario is e-commerce order processing with fan-out to Inventory, Payment, and Notification. Audience: intermediate-to-senior engineers who already read the vendor landing pages and want the parts those pages leave out.</p> <h2> The pattern before the products </h2> <p>Before naming any cloud service, fix the shape. What you want is <strong>publish/subscribe fan-out with durable per-consumer queues and per-consumer dead-letter queues</strong>. The producer emits one logical event - <code>OrderPlaced</code> - to a topic. The topic delivers a copy to one durable queue per consumer. Each consumer drains its own queue at its own pace, retries on its own schedule, and when it gives up, the message lands in <em>its own</em> DLQ - not a shared one.</p> <p>That last part matters. A shared DLQ means a poisoned inventory message blocks the payment team's on-call from seeing their own poison. One queue per consumer, one DLQ per consumer, one retry budget per consumer. The blast radius of any single bad message is exactly one bounded context.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4u58flh3h0l5nf1oxzz6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4u58flh3h0l5nf1oxzz6.png" alt="Fluxogram" width="800" height="295"></a></p> <p>With the shape fixed, we can map it onto two clouds - one concern at a time.</p> <h2> Side by side, one concern at a time </h2> <h3> Topic and subscription model </h3> <p>On <strong>AWS</strong> the topic and the queues are separate primitives. SNS publishes; SQS stores. You wire them together with a topic subscription and a queue policy. The queue holds your messages; the topic just fans them out. Two resource types per consumer.</p> <p>On <strong>Azure</strong> Service Bus collapses that into one resource graph. A <strong>namespace</strong> contains a <strong>topic</strong>, and each consumer is a <strong>subscription</strong> on that topic. The subscription has a virtual queue behind it; you do not manage a separate queue resource. Fewer moving parts at the IaC layer, but less separation of concern - the topic and its subscribers share a lifecycle and a billing unit.</p> <h3> Queue semantics and DLQ </h3> <p>Both brokers are <strong>at-least-once</strong>. Consumers will see duplicates. No marketing slide changes that.</p> <p>AWS pairs each SQS queue with an explicit DLQ via a redrive policy. <code>maxReceiveCount</code> is the threshold; the main queue holds the in-flight message until the consumer explicitly deletes it, controlled by <code>visibility_timeout_seconds</code>. That visibility timeout must exceed P99 handler latency, with margin. Set it too low and the broker redelivers while the first handler is still working - you get two concurrent handlers racing, and idempotency becomes load-bearing in a way you probably did not test.</p> <p>Azure Service Bus bakes the DLQ into every subscription as <code>$DeadLetterQueue</code>. <code>maxDeliveryCount</code> plays the same role as <code>maxReceiveCount</code>. Service Bus also dead-letters on two classes of failure SQS does not know about: <strong>message TTL expiry</strong> and <strong>filter-evaluation exceptions</strong>. Those two extra DLQ triggers are real operational wins - expired or malformed messages do not vanish into metrics.</p> <p>One common claim worth pushing back on: <em>Service Bus gives exactly-once delivery</em>. It does not. What it gives is <strong>duplicate detection within a bounded window</strong> (up to seven days) on a per-<code>MessageId</code> basis. That is a broker-side helper, not a semantic guarantee. Consumers must still be idempotent. Same story on SQS FIFO and its five-minute content-based dedup window.</p> <h3> Identity and data-plane auth </h3> <p>On AWS, consumers assume an IAM role from Lambda, ECS, or EKS. No access keys, no user credentials in config. The queue policy restricts senders to a specific topic ARN via an <code>aws:SourceArn</code> condition - without it, any SNS topic in your account can write to your queue. That is the classic confused-deputy footgun, and leaving the condition off is one of the most common rejection triggers in a real review.</p> <p>On Azure, the equivalent of "no long-lived keys" is <code>disableLocalAuth: true</code> on the namespace, which kills SAS authentication entirely. All auth goes through AAD and Managed Identity. The right role is <strong>Service Bus Data Receiver</strong> scoped <strong>per subscription</strong>, not namespace-wide. Writers get <strong>Service Bus Data Sender</strong> on the topic. Scoping at the subscription level means a compromised notification consumer cannot read payment events - lateral movement is bounded by the RBAC scope.</p> <h3> Ordering </h3> <p>Both platforms can do ordering. Neither should do ordering by default.</p> <p>On AWS, ordering means FIFO queues keyed by <code>MessageGroupId</code>. The cap is 300 messages/sec (3,000 with batching) per queue. That is a hard ceiling, not a soft throttle.</p> <p>On Azure, ordering means <code>SessionId</code> on messages and <code>requiresSession: true</code> on the subscription. Order is preserved per session. Throughput is fine on Standard; partitioning on Premium pushes it higher. The cost is that session-pinning serialises a subscription - a slow consumer on one session stalls messages in that session until the lock clears.</p> <p>If the domain does not require strict order, do not enable it. FIFO is a business decision, not an architectural default.</p> <h2> The trade-off matrix </h2> <p>This is the center of the article, not the closer. If you remember one thing, remember this table.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Dimension</th> <th>AWS SNS + SQS</th> <th>Azure Service Bus (Standard / Premium)</th> </tr> </thead> <tbody> <tr> <td><strong>Primitive model</strong></td> <td>Topic (SNS) fans out to separate SQS queues - two resource types per consumer</td> <td>Single namespace → topic → subscription - one resource graph</td> </tr> <tr> <td><strong>Cost model</strong></td> <td>Pay-per-request on both SNS publishes and SQS requests; no idle cost</td> <td>Standard: pay-per-million operations + namespace hourly. Premium: fixed messaging units (predictable floor ≈ $670/MU/month at time of writing; verify current SKU pricing, it drifts)</td> </tr> <tr> <td><strong>Message ordering</strong></td> <td>Standard: none. FIFO: strict ordering by <code>MessageGroupId</code>, capped at 300 msgs/s (3,000 with batching)</td> <td>Standard: ordering within a session (<code>SessionId</code>). Premium: same, higher throughput, partitioning supported</td> </tr> <tr> <td><strong>Delivery semantics</strong></td> <td>At-least-once. FIFO adds content-based dedup in a 5-minute window</td> <td>At-least-once. PeekLock + duplicate detection up to 7 days. Broker-side helper; still needs idempotent consumers</td> </tr> <tr> <td><strong>Max message size</strong></td> <td>256 KB on both SNS and SQS. Workaround: claim-check via S3 + SQS Extended Client</td> <td>Standard: 256 KB. Premium: 100 MB native</td> </tr> <tr> <td><strong>DLQ handling</strong></td> <td>Explicit SQS queue + redrive policy. <code>maxReceiveCount</code> threshold. Delivery-failure DLQ only</td> <td>Implicit <code>$DeadLetterQueue</code> per subscription. <code>maxDeliveryCount</code> threshold. Also DLQs on TTL expiry and filter-eval errors</td> </tr> <tr> <td><strong>Filtering</strong></td> <td>SNS filter policies: JSON attribute match at subscription time</td> <td>SQL filter and correlation filter per subscription - richer expression model</td> </tr> <tr> <td><strong>Ops surface</strong></td> <td>CloudWatch: <code>ApproximateNumberOfMessages</code>, <code>ApproximateAgeOfOldestMessage</code>. Alarm on DLQ depth &gt; 0</td> <td>Azure Monitor: <code>ActiveMessages</code>, <code>DeadletteredMessages</code>. Alarm on <code>DeadletteredMessages &gt; 0</code> </td> </tr> <tr> <td><strong>Identity</strong></td> <td>IAM roles assumed by Lambda/ECS/EKS; SSE-KMS</td> <td>AAD + Managed Identity; <code>disableLocalAuth=true</code> kills SAS</td> </tr> <tr> <td><strong>Network isolation</strong></td> <td>VPC Endpoints (Interface for SNS, Interface/Gateway for SQS)</td> <td>Private Endpoint (Premium SKU for full VNet integration)</td> </tr> <tr> <td><strong>Throughput</strong></td> <td>SNS: millions of msgs/s. SQS standard: effectively unlimited. SQS FIFO: 300–3,000 msgs/s per queue</td> <td>Standard: ~2,000 msgs/s per namespace as a working guideline. Premium: scales with messaging units (~1,000 msgs/s per MU)</td> </tr> </tbody> </table></div> <p><strong>One-line heuristic:</strong> If the workload demands &gt;256 KB messages, strong ordering at high throughput, or VNet isolation with ordering, Service Bus Premium earns its cost. Otherwise - massive fan-out, idempotent consumers, per-request billing - SNS + SQS wins. <strong>Standard Service Bus is the baseline; Premium is an upgrade you justify, not a default.</strong></p> <h2> The IaC - AWS </h2> <p>Production-grade Terraform. FinOps tags, SSE, redrive policies, and an <code>aws:SourceArn</code> condition on the queue policy. Keep all of it - each line carries a security or reliability property the cluster depends on.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.6.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.40"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="c1"># dev | stg | prd</span> <span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"consumers"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Logical consumers that subscribe to the OrderPlaced topic."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">set</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"inventory"</span><span class="p">,</span> <span class="s2">"payment"</span><span class="p">,</span> <span class="s2">"notification"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"max_receive_count"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">5</span> <span class="p">}</span> <span class="c1"># redrive threshold</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"${var.project}-${var.environment}"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Workload</span> <span class="p">=</span> <span class="s2">"eda-orders"</span> <span class="nx">CostCenter</span> <span class="p">=</span> <span class="s2">"platform-events"</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># --- Topic ----------------------------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"aws_sns_topic"</span> <span class="s2">"orders_placed"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.name_prefix}-orders-placed"</span> <span class="nx">kms_master_key_id</span> <span class="p">=</span> <span class="s2">"alias/aws/sns"</span> <span class="c1"># SSE at rest with AWS-managed CMK; swap to customer CMK for stricter tenants</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="c1"># --- Queues + DLQs per consumer ------------------------------------------</span> <span class="nx">resource</span> <span class="s2">"aws_sqs_queue"</span> <span class="s2">"dlq"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">consumers</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.name_prefix}-${each.key}-dlq"</span> <span class="nx">message_retention_seconds</span> <span class="p">=</span> <span class="mi">1209600</span> <span class="c1"># 14 days - max allowed, buys ops time</span> <span class="nx">kms_master_key_id</span> <span class="p">=</span> <span class="s2">"alias/aws/sqs"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Role</span> <span class="p">=</span> <span class="s2">"dlq"</span><span class="p">,</span> <span class="nx">Consumer</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_sqs_queue"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">consumers</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.name_prefix}-${each.key}"</span> <span class="nx">visibility_timeout_seconds</span> <span class="p">=</span> <span class="mi">60</span> <span class="c1"># must exceed consumer max processing time</span> <span class="nx">message_retention_seconds</span> <span class="p">=</span> <span class="mi">345600</span> <span class="c1"># 4 days</span> <span class="nx">receive_wait_time_seconds</span> <span class="p">=</span> <span class="mi">20</span> <span class="c1"># long polling - reduces empty-receive cost</span> <span class="nx">kms_master_key_id</span> <span class="p">=</span> <span class="s2">"alias/aws/sqs"</span> <span class="nx">redrive_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">deadLetterTargetArn</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">dlq</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">maxReceiveCount</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_receive_count</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Role</span> <span class="p">=</span> <span class="s2">"main"</span><span class="p">,</span> <span class="nx">Consumer</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># --- Allow SNS to write to SQS -------------------------------------------</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"sns_to_sqs"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">consumers</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowSNSDeliver"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sqs:SendMessage"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sns.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">main</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">arn</span><span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"ArnEquals"</span> <span class="nx">variable</span> <span class="p">=</span> <span class="s2">"aws:SourceArn"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">orders_placed</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_sqs_queue_policy"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">consumers</span> <span class="nx">queue_url</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">main</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">sns_to_sqs</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">json</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_sns_topic_subscription"</span> <span class="s2">"consumer"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">consumers</span> <span class="nx">topic_arn</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">orders_placed</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"sqs"</span> <span class="nx">endpoint</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">main</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">arn</span> <span class="nx">raw_message_delivery</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># consumers parse the raw event, not the SNS envelope</span> <span class="p">}</span> <span class="c1"># --- Consumer IAM role template (least-privilege) ------------------------</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"consumer_assume"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"lambda.amazonaws.com"</span><span class="p">,</span> <span class="s2">"ecs-tasks.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"consumer"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">consumers</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.name_prefix}-${each.key}-consumer"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">consumer_assume</span><span class="p">.</span><span class="nx">json</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Consumer</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"consumer_sqs"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">consumers</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sqs:ReceiveMessage"</span><span class="p">,</span> <span class="s2">"sqs:DeleteMessage"</span><span class="p">,</span> <span class="s2">"sqs:GetQueueAttributes"</span><span class="p">,</span> <span class="s2">"sqs:ChangeMessageVisibility"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">main</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"consumer_sqs"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">consumers</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">consumer</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">consumer_sqs</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">json</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"topic_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">orders_placed</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"queues"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">q</span> <span class="nx">in</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">main</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"dlqs"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">q</span> <span class="nx">in</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">dlq</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">q</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> The IaC - Azure </h2> <p>Same scenario, same tags, same <code>maxDeliveryCount = 5</code>. Note <code>disableLocalAuth: true</code> on the namespace and per-subscription RBAC at the bottom.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// Deployment scope: resourceGroup targetScope = 'resourceGroup' @description('Project short code, e.g. osecloud') param project string @allowed([ 'dev', 'stg', 'prd' ]) param environment string @description('Azure region.') param location string = resourceGroup().location @description('Logical consumers that subscribe to the OrderPlaced topic.') param consumers array = [ 'inventory', 'payment', 'notification' ] @description('Consumer identity object IDs (managed identities that will receive Data Receiver role). Key must match a name in `consumers`.') param consumerPrincipalIds object = {} @description('Service Bus SKU. Use Premium when you need ordering at scale, VNet integration, or &gt;1MB messages.') @allowed([ 'Standard', 'Premium' ]) param skuName string = 'Standard' var namePrefix = toLower('${project}-${environment}') var tags = { project: project environment: environment workload: 'eda-orders' costCenter: 'platform-events' managedBy: 'bicep' } // --- Namespace ------------------------------------------------------------ resource sbNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = { name: '${namePrefix}-sb' location: location sku: { name: skuName tier: skuName } properties: { minimumTlsVersion: '1.2' publicNetworkAccess: 'Enabled' // set to 'Disabled' + private endpoint in prd disableLocalAuth: true // force AAD/Managed Identity - no SAS keys } tags: tags } // --- Topic ---------------------------------------------------------------- resource topic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' = { parent: sbNamespace name: 'orders-placed' properties: { defaultMessageTimeToLive: 'P14D' enableBatchedOperations: true supportOrdering: true // preserves order within a session (partition) - only honoured with session-enabled subscriptions } } // --- Subscriptions + DLQ (DLQ is implicit per subscription) -------------- resource subs 'Microsoft.ServiceBus/namespaces/topics/subscriptions@2022-10-01-preview' = [for name in consumers: { parent: topic name: '${name}-sub' properties: { deadLetteringOnMessageExpiration: true deadLetteringOnFilterEvaluationExceptions: true maxDeliveryCount: 5 // redrive threshold → moves to $DeadLetterQueue lockDuration: 'PT1M' // matches visibility-timeout in AWS terms defaultMessageTimeToLive: 'P4D' requiresSession: false // set true for FIFO-per-session guarantees } }] // --- RBAC: Azure Service Bus Data Receiver on each subscription ---------- var dataReceiverRoleId = '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' // Service Bus Data Receiver resource rbacReceiver 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (name, i) in consumers: if (contains(consumerPrincipalIds, name)) { name: guid(subs[i].id, consumerPrincipalIds[name], dataReceiverRoleId) scope: subs[i] properties: { roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', dataReceiverRoleId) principalId: consumerPrincipalIds[name] principalType: 'ServicePrincipal' } }] output namespaceId string = sbNamespace.id output topicId string = topic.id output subscriptionNames array = [for (name, i) in consumers: subs[i].name] </code></pre> </div> <p>One caveat on the API version: <code>2022-10-01-preview</code> is still labelled preview at the time of writing. If your platform team forbids preview API versions in production, pin to the latest stable GA release and re-test <code>disableLocalAuth</code> - its behaviour has shifted across API versions.</p> <h2> Seven architectural constraints </h2> <p>Treat these as acceptance criteria for any EDA pipeline you ship on either cloud. They are a punch list, not a wish list.</p> <ol> <li> <strong>At-least-once is the default on both sides.</strong> Exactly-once is a consumer property - idempotent handlers plus a dedup store - not a broker guarantee. Broker-side windows (SQS FIFO 5 min, Service Bus duplicate detection up to 7 days) narrow the problem; they do not eliminate it.</li> <li> <strong>Visibility timeout and lock duration must exceed P99 handler latency.</strong> If the broker redelivers while the first handler is still working, you double-process. Measure P99 under load, add headroom, and alert when handler duration approaches the timeout.</li> <li> <strong>Ordering is a bet you pay for.</strong> FIFO caps AWS throughput at 300–3,000 msgs/s; sessions serialise Azure subscriptions. Turn it on only when the domain demands ordering - never as a safety blanket.</li> <li> <strong>DLQs are not a graveyard.</strong> They need alerts (<code>DLQ depth &gt; 0</code> pages the on-call) and a documented replay procedure - SQS redrive or Service Bus <code>$DeadLetterQueue</code> receive-and-resubmit. A DLQ without a replay runbook is a silent leak.</li> <li> <strong>Large messages are an anti-pattern.</strong> &gt;256 KB on AWS implies claim-check via S3. Premium Service Bus supports 100 MB, but transport cost and consumer memory pressure still argue for claim-check at that size.</li> <li> <strong>Tag every resource</strong> with <code>project</code>, <code>environment</code>, <code>workload</code>, <code>costCenter</code>, <code>managedBy</code>. Without those tags, FinOps cannot attribute spend and the platform team cannot enforce lifecycle policies. The snippets above carry the full set; do not strip them.</li> <li> <strong>No SAS keys, no IAM user keys.</strong> Managed Identity on Azure, IAM roles on AWS. <code>disableLocalAuth: true</code> on the Service Bus namespace, <code>aws:SourceArn</code> condition on every SQS queue policy. Anything else is a long-lived credential waiting to leak.</li> </ol> <p>The choice between SNS/SQS and Service Bus is rarely binary. Start on Standard Service Bus or SNS + SQS. Move to Premium or FIFO only when a constraint above - size, ordering, isolation - forces you there.</p> aws azure cloud eventdriven Practical Guide: Building a Cell-Based Architecture on Azure with Terraform and Python Cláudio Filipe Lima Rapôso Tue, 21 Apr 2026 15:15:00 +0000 https://forem.com/sertaoseracloud/practical-guide-building-a-cell-based-architecture-on-azure-with-terraform-and-python-1h04 https://forem.com/sertaoseracloud/practical-guide-building-a-cell-based-architecture-on-azure-with-terraform-and-python-1h04 <h2> 1. Introduction </h2> <p>As cloud applications scale to serve global audiences, relying on a single centralized infrastructure stack introduces critical vulnerabilities. A localized failure or a noisy neighbor can trigger a systemic outage. Cell-Based Architecture mitigates this by partitioning the system into isolated, identical, and self-contained units called "cells." By routing specific tenants or users to dedicated cells, you constrain the blast radius of any degradation strictly to that cell, preserving the availability of the rest of the system.</p> <p>By the end of this tutorial, you will be able to design and provision a cellular architecture on Microsoft Azure. We will utilize Azure Front Door as the global ingress, Azure Functions (Python) for dynamic traffic routing and compute, and Azure Cosmos DB for isolated state management. Mastering this pattern on Azure not only hardens your current workloads but also reinforces foundational multicloud principles, as the concepts of decoupled routing and state isolation are directly transferable across different cloud providers in a unified enterprise landscape.</p> <h2> 2. Prerequisites </h2> <p>To execute the configurations and code in this tutorial, ensure you have the following tools and access levels:</p> <ul> <li>An active Microsoft Azure subscription with Owner or Contributor permissions to create Resource Groups, Cosmos DB accounts, Azure Functions, and Azure Front Door.</li> <li>Terraform CLI (version 1.0 or higher) installed locally for provisioning the Infrastructure as Code (IaC).</li> <li>Python (version 3.9 or higher) installed locally, along with the Azure Functions Core Tools for local development and packaging.</li> <li>Azure CLI installed and authenticated (<code>az login</code>) on your local environment.</li> <li>Fundamental understanding of partitioning concepts and Terraform HCL syntax.</li> </ul> <h2> 3. Step-by-Step </h2> <p>Before diving into the infrastructure code, let's visualize the execution flow. The sequence diagram below details how a global request is securely intercepted, evaluated, and forwarded to a strictly isolated cellular stack within Azure.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb41axbpax2r7t18yxjvt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb41axbpax2r7t18yxjvt.png" alt="Sequence Diagram" width="800" height="537"></a></p> <h3> 3.1 Defining the Cell Blueprint (Terraform Module) </h3> <p><strong>What to do:</strong> Create a reusable Terraform module representing a single, isolated "Cell." This includes a dedicated Storage Account, Application Service Plan, Azure Function (Worker), and a Cosmos DB database.</p> <p><strong>Why do it:</strong> The primary rule of cellular architecture is absolute consistency across environments. By encapsulating the infrastructure in a Terraform module, you ensure that every generated cell is an exact replica, preventing configuration drift and simplifying horizontal scaling. </p> <p><strong>Example:</strong><br> Create a directory named <code>modules/cell</code> and add a <code>main.tf</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/cell/main.tf</span> <span class="nx">variable</span> <span class="s2">"location"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"resource_group_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"cell_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_cosmosdb_account"</span> <span class="s2">"cell_db"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"cosmos-cell-${var.cell_id}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_group_name</span> <span class="nx">offer_type</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"GlobalDocumentDB"</span> <span class="nx">consistency_policy</span> <span class="p">{</span> <span class="nx">consistency_level</span> <span class="p">=</span> <span class="s2">"Session"</span> <span class="p">}</span> <span class="nx">geo_location</span> <span class="p">{</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">failover_priority</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_cosmosdb_sql_database"</span> <span class="s2">"cell_sqldb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"app-state"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_group_name</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="nx">azurerm_cosmosdb_account</span><span class="p">.</span><span class="nx">cell_db</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_account"</span> <span class="s2">"cell_storage"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"stcell${var.cell_id}"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_group_name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">account_tier</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">account_replication_type</span> <span class="p">=</span> <span class="s2">"LRS"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_service_plan"</span> <span class="s2">"cell_plan"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"plan-cell-${var.cell_id}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_group_name</span> <span class="nx">os_type</span> <span class="p">=</span> <span class="s2">"Linux"</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="s2">"Y1"</span> <span class="c1"># Consumption plan</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_linux_function_app"</span> <span class="s2">"cell_worker"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"func-worker-${var.cell_id}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_group_name</span> <span class="nx">service_plan_id</span> <span class="p">=</span> <span class="nx">azurerm_service_plan</span><span class="p">.</span><span class="nx">cell_plan</span><span class="p">.</span><span class="nx">id</span> <span class="nx">storage_account_name</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">cell_storage</span><span class="p">.</span><span class="nx">name</span> <span class="nx">storage_account_access_key</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">cell_storage</span><span class="p">.</span><span class="nx">primary_access_key</span> <span class="nx">site_config</span> <span class="p">{</span> <span class="nx">application_stack</span> <span class="p">{</span> <span class="nx">python_version</span> <span class="p">=</span> <span class="s2">"3.11"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">app_settings</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"CELL_ID"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cell_id</span> <span class="s2">"COSMOS_DB_ENDPOINT"</span> <span class="p">=</span> <span class="nx">azurerm_cosmosdb_account</span><span class="p">.</span><span class="nx">cell_db</span><span class="p">.</span><span class="nx">endpoint</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"function_default_hostname"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">azurerm_linux_function_app</span><span class="p">.</span><span class="nx">cell_worker</span><span class="p">.</span><span class="nx">default_hostname</span> <span class="p">}</span> </code></pre> </div> <h3> 3.2 Stamping Out Multiple Cells </h3> <p><strong>What to do:</strong> In your root Terraform configuration, define the base resource group and iterate over a collection of identifiers to deploy multiple cells simultaneously.</p> <p><strong>Why do it:</strong> This translates the theoretical module into physical, isolated environments. Using a <code>for_each</code> loop allows you to effortlessly scale from two cells to fifty cells simply by updating a local variable, abstracting the complexity of managing parallel infrastructures.</p> <p><strong>Example:</strong><br> In your root directory, create <code>main.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">azurerm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/azurerm"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"azurerm"</span> <span class="p">{</span> <span class="nx">features</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_resource_group"</span> <span class="s2">"rg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"rg-cellular-architecture"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"East US"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">cells</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"alpha"</span><span class="p">,</span> <span class="s2">"beta"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"isolated_cells"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/cell"</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">cells</span><span class="p">)</span> <span class="nx">cell_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <h3> 3.3 Developing the Cell Router in Python </h3> <p><strong>What to do:</strong> Write the Azure Function code in Python that will act as the global ingress router. It must inspect incoming HTTP requests, determine the appropriate tenant mapping, and proxy the request to the correct cell.</p> <p><strong>Why do it:</strong> The router abstracts the internal topology from the client. Applications interact with a single API endpoint, oblivious to the fact that their request is being routed to <code>cell-alpha</code> or <code>cell-beta</code>. This dynamic mapping is what allows you to perform live migrations of tenants between cells to balance load without downtime.</p> <p><strong>Example:</strong><br> Create the Python code for your router function (<code>__init__.py</code> inside your Azure Function folder).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="kn">import</span> <span class="n">azure.functions</span> <span class="k">as</span> <span class="n">func</span> <span class="c1"># In production, fetch this from Cosmos DB (Tenant Registry) </span><span class="n">CELL_ENDPOINTS</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">alpha</span><span class="sh">"</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">CELL_ALPHA_URL</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://func-worker-alpha.azurewebsites.net</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">beta</span><span class="sh">"</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">CELL_BETA_URL</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://func-worker-beta.azurewebsites.net</span><span class="sh">"</span><span class="p">)</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">get_target_cell</span><span class="p">(</span><span class="n">tenant_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># Mocking a Cosmos DB registry lookup </span> <span class="c1"># A real implementation would query the global metadata database </span> <span class="k">if</span> <span class="n">tenant_id</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="sh">"</span><span class="s">alpha</span><span class="sh">"</span> <span class="k">return</span> <span class="sh">"</span><span class="s">beta</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">main</span><span class="p">(</span><span class="n">req</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">HttpRequest</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">func</span><span class="p">.</span><span class="n">HttpResponse</span><span class="p">:</span> <span class="n">logging</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">'</span><span class="s">Global Router processing a request.</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">req_body</span> <span class="o">=</span> <span class="n">req</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()</span> <span class="n">tenant_id</span> <span class="o">=</span> <span class="n">req_body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">tenant_id</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="k">return</span> <span class="n">func</span><span class="p">.</span><span class="nc">HttpResponse</span><span class="p">(</span> <span class="sh">"</span><span class="s">Missing partition key: tenant_id</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">400</span> <span class="p">)</span> <span class="n">target_cell</span> <span class="o">=</span> <span class="nf">get_target_cell</span><span class="p">(</span><span class="n">tenant_id</span><span class="p">)</span> <span class="n">target_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">CELL_ENDPOINTS</span><span class="p">[</span><span class="n">target_cell</span><span class="p">]</span><span class="si">}</span><span class="s">/api/process</span><span class="sh">"</span> <span class="c1"># Proxy the request to the isolated cell </span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">req_body</span><span class="p">).</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="n">proxy_req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span> <span class="n">target_url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/json</span><span class="sh">'</span><span class="p">}</span> <span class="p">)</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">proxy_req</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="n">cell_response</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">func</span><span class="p">.</span><span class="nc">HttpResponse</span><span class="p">(</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">x_routed_to</span><span class="sh">"</span><span class="p">:</span> <span class="n">target_cell</span><span class="p">,</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">cell_response</span><span class="p">)</span> <span class="p">}),</span> <span class="n">mimetype</span><span class="o">=</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">200</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logging</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Routing error: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">func</span><span class="p">.</span><span class="nc">HttpResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">Internal Server Error</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">500</span><span class="p">)</span> </code></pre> </div> <h3> 3.4 Provisioning the Global Routing Layer </h3> <p><strong>What to do:</strong> Deploy the central routing Azure Function and configure an Azure Front Door profile to sit in front of it. </p> <p><strong>Why do it:</strong> Azure Front Door acts as a secure, globally distributed entry point. It absorbs DDoS attacks at the edge, provides WAF capabilities, and ensures that the Global Router Function is protected from direct, unauthenticated internet exposure. </p> <p><strong>Example:</strong><br> Append the routing infrastructure to your root <code>main.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Shared storage for the Global Router</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_account"</span> <span class="s2">"router_storage"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"stglobalrouter"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">account_tier</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">account_replication_type</span> <span class="p">=</span> <span class="s2">"LRS"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_service_plan"</span> <span class="s2">"router_plan"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"plan-global-router"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">os_type</span> <span class="p">=</span> <span class="s2">"Linux"</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="s2">"Y1"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_linux_function_app"</span> <span class="s2">"global_router"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"func-global-router-gateway"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">service_plan_id</span> <span class="p">=</span> <span class="nx">azurerm_service_plan</span><span class="p">.</span><span class="nx">router_plan</span><span class="p">.</span><span class="nx">id</span> <span class="nx">storage_account_name</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">router_storage</span><span class="p">.</span><span class="nx">name</span> <span class="nx">storage_account_access_key</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">router_storage</span><span class="p">.</span><span class="nx">primary_access_key</span> <span class="nx">site_config</span> <span class="p">{</span> <span class="nx">application_stack</span> <span class="p">{</span> <span class="nx">python_version</span> <span class="p">=</span> <span class="s2">"3.11"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">app_settings</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"CELL_ALPHA_URL"</span> <span class="p">=</span> <span class="s2">"https://${module.isolated_cells["</span><span class="nx">alpha</span><span class="s2">"].function_default_hostname}"</span> <span class="s2">"CELL_BETA_URL"</span> <span class="p">=</span> <span class="s2">"https://${module.isolated_cells["</span><span class="nx">beta</span><span class="s2">"].function_default_hostname}"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Run <code>terraform init</code>, <code>terraform plan</code>, and <code>terraform apply</code> to deploy the entire multi-cell architecture.</p> <h2> 4. Common Troubleshooting </h2> <p>Transitioning to a cellular architecture requires a shift in how you manage state and traffic. Here are common issues you may encounter:</p> <ol> <li> <p><strong>Cosmos DB Throttling (HTTP 429) in a Specific Cell:</strong></p> <ul> <li> <strong>Problem:</strong> One cell begins rejecting requests, while others operate normally. This usually indicates a "noisy neighbor" – a tenant whose workload has suddenly spiked, exhausting the Request Units (RUs) provisioned for that specific cell's database.</li> <li> <strong>Solution:</strong> Verify the metrics in Azure Monitor. If a tenant has outgrown the shared cell, you must execute a live migration. Update the Global Tenant Registry (Metadata DB) to point that specific <code>tenant_id</code> to a newly provisioned, dedicated cell, seamlessly redirecting their traffic.</li> </ul> </li> <li> <p><strong>Latency Overhead at the Routing Layer:</strong></p> <ul> <li> <strong>Problem:</strong> Requests take significantly longer because they must pass through Front Door, the Router Function, and finally the Cell Function.</li> <li> <strong>Solution:</strong> The router logic must be aggressively optimized. Implement caching at the Global Router level using Azure Cache for Redis so the function doesn't need to query Cosmos DB for the tenant mapping on every single request.</li> </ul> </li> <li> <p><strong>Cold Starts in Azure Functions:</strong></p> <ul> <li> <strong>Problem:</strong> The first request to a specific cell takes several seconds to execute.</li> <li> <strong>Solution:</strong> Since we used the Consumption Plan (<code>Y1</code>) for cost-effectiveness in this tutorial, cold starts are expected. For production workloads, switch the Application Service Plan to Premium (<code>EP1</code> or higher) to keep instances pre-warmed, ensuring consistent low-latency responses.</li> </ul> </li> </ol> <h2> 5. Conclusion </h2> <p>Building a Cell-Based Architecture on Azure transforms monolithic vulnerabilities into contained, manageable units. By utilizing Terraform, we established a reproducible baseline for isolated environments, and implemented a Python routing layer to dynamically proxy traffic. </p> <p>This decoupling ensures that massive traffic spikes or bad deployments are restricted to single domains. As you mature this architecture, focus on automating the "Tenant Migration" process—moving live data between Cosmos DB instances without downtime—and standardizing your Terraform modules to ensure this pattern can be rapidly adopted across multiple cloud environments.</p> azure eventdriven python terraform Practical Guide: Building a Cell-Based Architecture on AWS with Terraform and Python Cláudio Filipe Lima Rapôso Tue, 21 Apr 2026 15:11:00 +0000 https://forem.com/sertaoseracloud/practical-guide-building-a-cell-based-architecture-on-aws-with-terraform-and-python-n1p https://forem.com/sertaoseracloud/practical-guide-building-a-cell-based-architecture-on-aws-with-terraform-and-python-n1p <h2> 1. Introduction </h2> <p>In the cloud-native era, systems often reach a point where scaling a single massive architecture introduces unacceptable risks. A failure in a centralized component can result in a global outage, affecting all users simultaneously. Cell-Based Architecture solves this by dividing the system into multiple isolated, standalone, and identical instances called "cells." By placing users (or tenants) into specific cells, you drastically reduce the blast radius of any failure.</p> <p>While this tutorial focuses on an AWS implementation, designing cellular strategies is a cornerstone of robust multicloud engineering. The principles of isolating state and routing traffic based on partition keys apply seamlessly across different providers, such as Microsoft Azure, ensuring your landing zones maintain high availability regardless of the underlying cloud.</p> <p>By the end of this tutorial, you will understand how to provision a cellular infrastructure on AWS using Terraform. We will create a blueprint for a "cell," stamp out multiple instances of it, and build a Cell Router layer in Python to direct traffic to the correct isolated environment.</p> <h2> 2. Prerequisites </h2> <p>To successfully implement this architectural pattern, you will need:</p> <ul> <li>An active Amazon Web Services (AWS) account with administrative privileges.</li> <li>Terraform installed locally (version 1.0 or higher) for Infrastructure as Code.</li> <li>Python (version 3.9 or higher) to write the routing logic.</li> <li>AWS credentials configured in your environment.</li> <li>A foundational understanding of architectural decoupling and partition logic.</li> </ul> <h2> 3. Step-by-Step </h2> <p>A Cell-Based Architecture introduces a "Thin Routing Layer" in front of your core infrastructure. The diagram below illustrates how an incoming request is evaluated and forwarded to a strictly isolated cellular stack.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flkaftk1syfa2tem9oys3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flkaftk1syfa2tem9oys3.png" alt="sequence diagram" width="800" height="545"></a></p> <h3> 3.1 Defining the Cell Blueprint (Terraform Module) </h3> <p><strong>What to do:</strong> Create a reusable Terraform module that defines exactly what a single "Cell" looks like.<br> <strong>Why do it:</strong> The core tenet of cellular architecture is that every cell is identical. By using a Terraform module, you ensure that any updates to the infrastructure are applied uniformly across all isolated cells, preventing configuration drift.</p> <p><strong>Example:</strong><br> Create a folder named <code>modules/cell</code> and add a <code>main.tf</code> file inside it. This blueprint contains an API Gateway, a Lambda function, and an isolated DynamoDB table.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/cell/main.tf</span> <span class="nx">variable</span> <span class="s2">"cell_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Unique identifier for the cell (e.g., cell-1)"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"cell_state"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"app-state-${var.cell_id}"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"id"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"id"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"cell_compute"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"cell_worker.zip"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"worker-${var.cell_id}"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">cell_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"worker.handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.11"</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">CELL_ID</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cell_id</span> <span class="nx">TABLE_NAME</span> <span class="p">=</span> <span class="nx">aws_dynamodb_table</span><span class="p">.</span><span class="nx">cell_state</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># (IAM Roles and API Gateway configurations for the cell would follow here)</span> </code></pre> </div> <h3> 3.2 Stamping Out Multiple Cells </h3> <p><strong>What to do:</strong> In your root <code>main.tf</code>, iterate over a list of cell identifiers to provision multiple identical, isolated environments.<br> <strong>Why do it:</strong> This allows you to scale horizontally by adding new completely independent infrastructure stacks rather than increasing the size of a monolithic database or compute cluster. </p> <p><strong>Example:</strong><br> In your root directory, create a <code>main.tf</code> to invoke the module.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">cells</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"cell-alpha"</span><span class="p">,</span> <span class="s2">"cell-beta"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"isolated_cells"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/cell"</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">cells</span><span class="p">)</span> <span class="nx">cell_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="p">}</span> </code></pre> </div> <h3> 3.3 Developing the Cell Router in Python </h3> <p><strong>What to do:</strong> Write a Python function that acts as the ingress routing layer, determining which cell should handle a specific request based on a partition key.<br> <strong>Why do it:</strong> Clients should not need to know which cell they belong to. The router abstracts this complexity, allowing you to migrate tenants between cells behind the scenes without breaking client integrations.</p> <p><strong>Example:</strong><br> Create a <code>router.py</code> file. This logic intercepts the request, hashes the partition key (e.g., <code>tenant_id</code>), and routes it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">hashlib</span> <span class="kn">import</span> <span class="n">urllib.request</span> <span class="c1"># In a real environment, this mapping could be retrieved from a highly available edge key-value store. </span><span class="n">CELL_ENDPOINTS</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">cell-alpha</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">https://alpha.execute-api.us-east-1.amazonaws.com/prod</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">cell-beta</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">https://beta.execute-api.us-east-1.amazonaws.com/prod</span><span class="sh">"</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">get_target_cell</span><span class="p">(</span><span class="n">partition_key</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Consistently hashes the partition key to a specific cell.</span><span class="sh">"""</span> <span class="n">hash_val</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">hashlib</span><span class="p">.</span><span class="nf">md5</span><span class="p">(</span><span class="n">partition_key</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)).</span><span class="nf">hexdigest</span><span class="p">(),</span> <span class="mi">16</span><span class="p">)</span> <span class="c1"># Simple modulo distribution </span> <span class="k">if</span> <span class="n">hash_val</span> <span class="o">%</span> <span class="mi">2</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">cell-alpha</span><span class="sh">"</span> <span class="k">return</span> <span class="sh">"</span><span class="s">cell-beta</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">{}</span><span class="sh">'</span><span class="p">))</span> <span class="n">tenant_id</span> <span class="o">=</span> <span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">tenant_id</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Missing partition key: tenant_id</span><span class="sh">"</span><span class="p">}</span> <span class="n">target_cell</span> <span class="o">=</span> <span class="nf">get_target_cell</span><span class="p">(</span><span class="n">tenant_id</span><span class="p">)</span> <span class="n">target_endpoint</span> <span class="o">=</span> <span class="n">CELL_ENDPOINTS</span><span class="p">[</span><span class="n">target_cell</span><span class="p">]</span> <span class="c1"># Forwarding the request to the isolated cell (Simplified for demonstration) </span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">target_endpoint</span><span class="si">}</span><span class="s">/process</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">).</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/json</span><span class="sh">'</span><span class="p">}</span> <span class="p">)</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="k">as</span> <span class="n">response</span><span class="p">:</span> <span class="n">cell_response</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">routed_to</span><span class="sh">"</span><span class="p">:</span> <span class="n">target_cell</span><span class="p">,</span> <span class="sh">"</span><span class="s">cell_response</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">cell_response</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)}</span> </code></pre> </div> <h3> 3.4 Provisioning the Routing Layer </h3> <p><strong>What to do:</strong> Add the routing layer to your root Terraform configuration to expose a single unified endpoint to your users.<br> <strong>Why do it:</strong> This centralizes ingress control. All external traffic hits the router, which then proxies the data over the AWS internal backbone to the respective cells, ensuring strict access control at the boundary.</p> <p><strong>Example:</strong><br> Add this to your root <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"router_zip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_file</span> <span class="p">=</span> <span class="s2">"router.py"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"router.zip"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"cell_router"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">router_zip</span><span class="p">.</span><span class="nx">output_path</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"GlobalCellRouter"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">router_role</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># (Assume basic execution role is created)</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"router.lambda_handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.11"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function_url"</span> <span class="s2">"router_url"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">cell_router</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">authorization_type</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"global_entrypoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lambda_function_url</span><span class="p">.</span><span class="nx">router_url</span><span class="p">.</span><span class="nx">function_url</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The single URL clients interact with."</span> <span class="p">}</span> </code></pre> </div> <h2> 4. Common Troubleshooting </h2> <p>Deploying cellular architectures shifts the complexity from infrastructure scaling to traffic routing and state management. Be prepared to handle these common challenges:</p> <ol> <li> <strong>Partition Key Skew (Noisy Neighbors):</strong> <ul> <li> <em>Problem:</em> One cell becomes overloaded while others are idle because a specific <code>tenant_id</code> generates 80% of the traffic.</li> <li> <em>Solution:</em> Monitor cell metrics closely. If a tenant outgrows a shared cell, you must implement a "tenant migration" process to move their data to an exclusive, single-tenant cell, updating the router's mapping logic accordingly.</li> </ul> </li> <li> <strong>Cross-Cell Data Aggregation:</strong> <ul> <li> <em>Problem:</em> You need to generate a global report, but the data is split across multiple isolated DynamoDB tables.</li> <li> <em>Solution:</em> Do not query cells directly for global data. Implement an asynchronous data lake strategy where each cell streams its state changes (e.g., via DynamoDB Streams and Kinesis) to a central analytical data store.</li> </ul> </li> <li> <strong>Router Layer Bottlenecks:</strong> <ul> <li> <em>Problem:</em> The Cell Router itself goes down, causing a global outage—exactly what cellular architecture tries to prevent.</li> <li> <em>Solution:</em> The routing layer must be incredibly thin and rely on highly resilient, geographically distributed edge services (like Amazon Route 53 or CloudFront/Lambda@Edge) rather than a single compute instance.</li> </ul> </li> </ol> <h2> 5. Conclusion </h2> <p>By implementing a Cell-Based Architecture, you establish definitive fault-isolation boundaries. We utilized Terraform to define a repeatable cell blueprint and created a thin Python routing layer to direct traffic dynamically. </p> <p>This approach minimizes the blast radius of localized failures, making your systems inherently more resilient. As you expand on this concept, consider how this decoupled routing strategy translates across multicloud landscapes, allowing you to seamlessly route traffic between an AWS cell and an Azure cell based on performance, cost, or regulatory requirements.</p> architecture aws python terraform Practical Guide: Building an Event-Driven Infrastructure on Microsoft Azure with Terraform and Python Cláudio Filipe Lima Rapôso Sun, 19 Apr 2026 13:57:33 +0000 https://forem.com/sertaoseracloud/practical-guide-building-an-event-driven-infrastructure-on-microsoft-azure-with-terraform-and-1g7k https://forem.com/sertaoseracloud/practical-guide-building-an-event-driven-infrastructure-on-microsoft-azure-with-terraform-and-1g7k <h2> 1. Introduction </h2> <p>Event-driven architectures decouple system components, replacing direct synchronous communication with a highly scalable publish-subscribe model. By the end of this tutorial, you will be able to provision a complete event-based infrastructure on Microsoft Azure. This setup utilizes Azure Event Grid as the central event routing backbone, Azure Service Bus for reliable message queuing, and Azure Functions for serverless computational processing.</p> <p>Mastering this topology is a structural requirement for modern software design. Isolating producers from consumers ensures that localized failures do not cascade through the system, enabling independent scaling of microservices. Furthermore, translating these concepts across different cloud providers strengthens a robust multicloud strategy, allowing you to map architectural patterns (like Event Bus -&gt; Queue -&gt; Serverless Compute) seamlessly into an Azure-based landing zone.</p> <h2> 2. Prerequisites </h2> <p>To execute the configurations proposed in this guide, ensure you have the following prerequisites established:</p> <ul> <li>An active Microsoft Azure account with permissions to create Resource Groups, Event Grid topics, Service Bus namespaces, and Function Apps.</li> <li>Terraform installed locally (version 1.0 or higher) for provisioning the Infrastructure as Code (IaC).</li> <li>Python (version 3.9 or higher) installed locally for developing the function logic.</li> <li>The Azure CLI (<code>az</code>) installed and authenticated in your local environment.</li> <li>Familiarity with terminal navigation and Terraform HCL syntax.</li> </ul> <h2> 3. Step-by-Step </h2> <p>Before diving into the code, it is critical to visualize the event lifecycle. The sequence diagram below maps the flow of information across the provisioned Azure services.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7kbcd6voyf2c8w8wq4tl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7kbcd6voyf2c8w8wq4tl.png" alt="Sequence diagram" width="800" height="335"></a></p> <h3> 3.1 Configuring the Provider and Resource Group </h3> <p><strong>What to do:</strong> Define the Azure Resource Manager (<code>azurerm</code>) provider in Terraform and create a foundational Resource Group to logically group all infrastructure assets.</p> <p><strong>Why do it:</strong> Terraform requires provider definitions to authenticate and interact with the specific cloud API. The Resource Group is a mandatory Azure construct that controls the lifecycle and access management of the resources it contains.</p> <p><strong>Example:</strong><br> Create a file named <code>main.tf</code> and add the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">azurerm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/azurerm"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"azurerm"</span> <span class="p">{</span> <span class="nx">features</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_resource_group"</span> <span class="s2">"rg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"rg-event-driven-architecture"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"East US"</span> <span class="p">}</span> </code></pre> </div> <h3> 3.2 Creating the Event Grid Topic </h3> <p><strong>What to do:</strong> Provision a Custom Topic in Azure Event Grid.</p> <p><strong>Why do it:</strong> A Custom Topic serves as the dedicated endpoint where your applications publish business events. Isolating business events in a custom topic prevents mixing application logic with underlying Azure infrastructure events.</p> <p><strong>Example:</strong><br> Append the following block to your <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_eventgrid_topic"</span> <span class="s2">"custom_topic"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"app-domain-events-topic"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <h3> 3.3 Provisioning the Service Bus Namespace and Queue </h3> <p><strong>What to do:</strong> Create a Service Bus Namespace and a specific Queue within it to absorb incoming events.</p> <p><strong>Why do it:</strong> While Event Grid can push directly to an Azure Function, routing through a Service Bus Queue introduces a critical buffer. This ensures high availability, message durability, and prevents overwhelming the downstream compute service during traffic spikes.</p> <p><strong>Example:</strong><br> Add the Service Bus configurations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_servicebus_namespace"</span> <span class="s2">"sb_namespace"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sb-event-driven-demo"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">sku</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_servicebus_queue"</span> <span class="s2">"event_queue"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"event-processing-queue"</span> <span class="nx">namespace_id</span> <span class="p">=</span> <span class="nx">azurerm_servicebus_namespace</span><span class="p">.</span><span class="nx">sb_namespace</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h3> 3.4 Developing the Azure Function in Python </h3> <p><strong>What to do:</strong> Write the Python code using the Azure Functions v2 programming model to process messages arriving in the Service Bus Queue.</p> <p><strong>Why do it:</strong> The function represents the business logic reacting to the event. The v2 model utilizes decorators, providing a clean, concise way to define triggers and bindings directly in the code, automatically handling message deserialization.</p> <p><strong>Example:</strong><br> Create a file named <code>function_app.py</code> in your project directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">azure.functions</span> <span class="k">as</span> <span class="n">func</span> <span class="c1"># Initialize the Function App </span><span class="n">app</span> <span class="o">=</span> <span class="n">func</span><span class="p">.</span><span class="nc">FunctionApp</span><span class="p">()</span> <span class="nd">@app.service_bus_queue_trigger</span><span class="p">(</span> <span class="n">arg_name</span><span class="o">=</span><span class="sh">"</span><span class="s">msg</span><span class="sh">"</span><span class="p">,</span> <span class="n">queue_name</span><span class="o">=</span><span class="sh">"</span><span class="s">event-processing-queue</span><span class="sh">"</span><span class="p">,</span> <span class="n">connection</span><span class="o">=</span><span class="sh">"</span><span class="s">ServiceBusConnection</span><span class="sh">"</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">process_domain_event</span><span class="p">(</span><span class="n">msg</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">ServiceBusMessage</span><span class="p">):</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Initiating Service Bus event processing.</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Decode and load the message body </span> <span class="n">msg_body</span> <span class="o">=</span> <span class="n">msg</span><span class="p">.</span><span class="nf">get_body</span><span class="p">().</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="n">event_payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">msg_body</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Complete event payload: </span><span class="si">{</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">event_payload</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Event Grid schema typically encapsulates data in a 'data' field </span> <span class="n">data</span> <span class="o">=</span> <span class="n">event_payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">data</span><span class="sh">'</span><span class="p">,</span> <span class="p">{})</span> <span class="n">order_id</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">order_id</span><span class="sh">'</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successfully processed business operation for order: </span><span class="si">{</span><span class="n">order_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">Failed to decode message payload as JSON.</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Unexpected error during processing: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 3.5 Provisioning the Compute Infrastructure for the Function </h3> <p><strong>What to do:</strong> Define the Storage Account, Service Plan (Consumption), and the Linux Function App via Terraform, injecting the necessary connection strings as environment variables.</p> <p><strong>Why do it:</strong> Azure Functions require a backing storage account for state management and an execution plan to define scale and pricing. Injecting <code>ServiceBusConnection</code> securely links the compute tier to the messaging tier.</p> <p><strong>Example:</strong><br> Add the compute resources to your <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_storage_account"</span> <span class="s2">"sa"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"saeventdrivendemo123"</span> <span class="c1"># Must be globally unique</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">account_tier</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">account_replication_type</span> <span class="p">=</span> <span class="s2">"LRS"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_service_plan"</span> <span class="s2">"asp"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"asp-event-driven"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">os_type</span> <span class="p">=</span> <span class="s2">"Linux"</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="s2">"Y1"</span> <span class="c1"># Serverless Consumption Plan</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_linux_function_app"</span> <span class="s2">"function_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"func-order-processor-app"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">location</span> <span class="nx">service_plan_id</span> <span class="p">=</span> <span class="nx">azurerm_service_plan</span><span class="p">.</span><span class="nx">asp</span><span class="p">.</span><span class="nx">id</span> <span class="nx">storage_account_name</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">sa</span><span class="p">.</span><span class="nx">name</span> <span class="nx">storage_account_access_key</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">sa</span><span class="p">.</span><span class="nx">primary_access_key</span> <span class="nx">site_config</span> <span class="p">{</span> <span class="nx">application_stack</span> <span class="p">{</span> <span class="nx">python_version</span> <span class="p">=</span> <span class="s2">"3.11"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">app_settings</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"FUNCTIONS_WORKER_RUNTIME"</span> <span class="p">=</span> <span class="s2">"python"</span> <span class="s2">"ServiceBusConnection"</span> <span class="p">=</span> <span class="nx">azurerm_servicebus_namespace</span><span class="p">.</span><span class="nx">sb_namespace</span><span class="p">.</span><span class="nx">default_primary_connection_string</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 3.6 Creating the Event Grid Subscription (Routing Rule) </h3> <p><strong>What to do:</strong> Configure an Event Subscription that filters events arriving at the Custom Topic and routes them to the Service Bus Queue.</p> <p><strong>Why do it:</strong> Advanced filtering ensures that only relevant events reach the compute tier, preventing unnecessary executions and lowering costs. This acts as the intelligent router in the architecture.</p> <p><strong>Example:</strong><br> Complete the <code>main.tf</code> file with the routing subscription:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_eventgrid_event_subscription"</span> <span class="s2">"queue_subscription"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"route-order-created"</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_eventgrid_topic</span><span class="p">.</span><span class="nx">custom_topic</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_bus_queue_endpoint_id</span> <span class="p">=</span> <span class="nx">azurerm_servicebus_queue</span><span class="p">.</span><span class="nx">event_queue</span><span class="p">.</span><span class="nx">id</span> <span class="nx">advanced_filter</span> <span class="p">{</span> <span class="nx">string_in</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"data.detail-type"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"OrderCreated"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To deploy the infrastructure, run <code>terraform init</code>, <code>terraform plan</code>, and <code>terraform apply</code>. Note that while Terraform provisions the infrastructure, the actual deployment of the Python code is typically handled via Azure Functions Core Tools (<code>func azure functionapp publish func-order-processor-app</code>) or a CI/CD pipeline like GitHub Actions.</p> <h2> 4. Common Troubleshooting </h2> <p>Deploying distributed systems can introduce integration challenges. Here are the most common issues and how to resolve them:</p> <ol> <li><p><strong>Service Bus Connection String Missing or Invalid:</strong><br> Issue: The Azure Function fails to trigger, and logs show binding errors.<br> Solution: Verify the Application Settings in the Azure Portal for the Function App. Ensure <code>ServiceBusConnection</code> exactly matches the primary connection string of the Service Bus Namespace and is spelled correctly in the <code>app.service_bus_queue_trigger</code> decorator.</p></li> <li><p><strong>Event Grid Schema Mismatch:</strong><br> Issue: Events are successfully published to the topic but never arrive in the Service Bus Queue.<br> Solution: Inspect the payload structure. Azure Event Grid requires a specific schema (id, subject, data, eventType, etc.). If you are filtering by <code>data.detail-type</code> in Terraform, ensure your published JSON explicitly contains a <code>data</code> object with a <code>detail-type</code> key matching <code>"OrderCreated"</code>.</p></li> <li><p><strong>Storage Account Naming Conflicts:</strong><br> Issue: Terraform fails during the <code>terraform apply</code> phase when creating the <code>azurerm_storage_account</code>.<br> Solution: Storage account names in Azure must be globally unique across all Azure customers, purely lowercase, and between 3 to 24 characters. Adjust the <code>name</code> attribute in the Terraform block to a highly unique string.</p></li> </ol> <h2> 5. Conclusion </h2> <p>This tutorial established a resilient, decoupled architecture native to Microsoft Azure. By utilizing Terraform, we provisioned Event Grid for intelligent event routing, Service Bus for robust message queuing, and Azure Functions for scalable compute. </p> <p>Implementing these patterns provides a clear parallel to other cloud ecosystems, reinforcing a strong foundation for designing cellular architectures and multicloud strategies. As a next step, explore implementing Dead-Letter Queues (DLQ) within the Service Bus to handle poison messages systematically, ensuring your distributed application remains robust even when faced with unprocessable data.</p> azure eventdriven python terraform Practical Guide: Building an Event-Driven Infrastructure on AWS with Terraform and Python Cláudio Filipe Lima Rapôso Sun, 19 Apr 2026 13:52:58 +0000 https://forem.com/sertaoseracloud/practical-guide-building-an-event-driven-infrastructure-on-aws-with-terraform-and-python-3lph https://forem.com/sertaoseracloud/practical-guide-building-an-event-driven-infrastructure-on-aws-with-terraform-and-python-3lph <h2> 1. Introduction </h2> <p>Event-driven architectures transform the way systems communicate by replacing direct synchronous calls with a highly decoupled publish-subscribe model. By the end of this tutorial, you will be able to provision a complete event-based infrastructure on AWS, using Amazon EventBridge as the central router, Amazon SQS for queuing, and AWS Lambda for computational processing. </p> <p>This approach is fundamental for creating scalable and resilient systems. Decoupling ensures that a failure in one component does not take down the entire application, and it allows different parts of the system to scale independently. Although the technical focus here is AWS, mastering event routing and asynchronous processing is a core structural skill for strategies in multicloud environments, where similar architectural patterns are applied using corresponding services from each provider within a unified landing zone.</p> <h2> 2. Prerequisites </h2> <p>To follow this tutorial and execute the proposed configurations, you need the following resources and prior knowledge:</p> <ul> <li>An active Amazon Web Services (AWS) account with administrative permissions to create IAM, Lambda, SQS, and EventBridge resources.</li> <li>Terraform installed on your local machine (version 1.0 or higher) for provisioning the Infrastructure as Code (IaC).</li> <li>Python (version 3.9 or higher) installed locally to package the Lambda function code.</li> <li>AWS credentials configured in your local environment (via AWS CLI or environment variables).</li> <li>Basic knowledge of terminal navigation and Terraform HCL syntax.</li> </ul> <h2> 3. Step-by-Step </h2> <p>Before writing the code, it is important to visualize the event lifecycle in our infrastructure. The sequence diagram below illustrates the flow of information between the provisioned services.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F468cuf84sj0jebfx7lfj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F468cuf84sj0jebfx7lfj.png" alt="Sequence Diagram" width="800" height="348"></a></p> <h3> 3.1 Configuring the Provider and Main File </h3> <p><strong>What to do:</strong> Create the initial Terraform configuration file to define AWS as the cloud provider and establish the deployment region.</p> <p><strong>Why do it:</strong> Terraform needs to know which cloud API it will interact with and the default region to allocate resources. This centralizes the basic configuration and prepares the infrastructure state.</p> <p><strong>Example:</strong><br> Create a file named <code>main.tf</code> and add the following block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> </code></pre> </div> <h3> 3.2 Creating the Event Bus (EventBridge) </h3> <p><strong>What to do:</strong> Provision a customized event bus in Amazon EventBridge.</p> <p><strong>Why do it:</strong> Although AWS provides a default bus, creating a custom bus for applications is an excellent domain isolation practice. This prevents mixing AWS infrastructure events with your application's business events.</p> <p><strong>Example:</strong><br> Add to your <code>main.tf</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_bus"</span> <span class="s2">"custom_bus"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"app-domain-events"</span> <span class="p">}</span> </code></pre> </div> <h3> 3.3 Creating the SQS Queue for Load Absorption </h3> <p><strong>What to do:</strong> Create a queue in Amazon SQS and configure the access policy to allow EventBridge to send messages to it.</p> <p><strong>Why do it:</strong> Sending events directly from EventBridge to Lambda can cause data loss in case of failures or traffic spikes. The SQS queue acts as a buffer, ensuring message delivery and allowing reprocessing in case of temporary errors.</p> <p><strong>Example:</strong><br> Add the queue configurations and its respective policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_sqs_queue"</span> <span class="s2">"event_queue"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"event-processing-queue"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_sqs_queue_policy"</span> <span class="s2">"event_queue_policy"</span> <span class="p">{</span> <span class="nx">queue_url</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">event_queue</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">sqs_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"sqs_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sqs:SendMessage"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">event_queue</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"events.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"ArnEquals"</span> <span class="nx">variable</span> <span class="p">=</span> <span class="s2">"aws:SourceArn"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">event_rule</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 3.4 Developing the Lambda Function in Python </h3> <p><strong>What to do:</strong> Write the Python source code that will be executed when an event arrives in the queue.</p> <p><strong>Why do it:</strong> The Python code represents the business or computational logic that reacts to the event. In this example, we will iterate over the SQS queue records and log the details for visual validation of the architecture's functionality.</p> <p><strong>Example:</strong><br> Create a file named <code>processor.py</code> in the same directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">logging</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Starting processing of SQS event batch.</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">record</span> <span class="ow">in</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Records</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]):</span> <span class="n">body_string</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">{}</span><span class="sh">'</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">event_detail</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">body_string</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Received event detail: </span><span class="si">{</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">event_detail</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Extracting the payload from EventBridge </span> <span class="n">detail</span> <span class="o">=</span> <span class="n">event_detail</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">detail</span><span class="sh">'</span><span class="p">,</span> <span class="p">{})</span> <span class="n">order_id</span> <span class="o">=</span> <span class="n">detail</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">order_id</span><span class="sh">'</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successfully processed order: </span><span class="si">{</span><span class="n">order_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">Error decoding message body as JSON.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">statusCode</span><span class="sh">'</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="sh">'</span><span class="s">Processing completed successfully</span><span class="sh">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> 3.5 Provisioning Lambda with Terraform and Connecting to the Queue </h3> <p><strong>What to do:</strong> Create the ZIP package of the Python code, define the Lambda function in Terraform, create the execution permission (IAM Role), and map the SQS queue as the Lambda event source.</p> <p><strong>Why do it:</strong> The infrastructure needs to allocate the code in AWS and provide the exact permissions so the Lambda can read messages from the queue and write logs to CloudWatch, following the principle of least privilege.</p> <p><strong>Example:</strong><br> Add the following code to your <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"lambda_zip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_file</span> <span class="p">=</span> <span class="s2">"processor.py"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"processor.zip"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"lambda_exec_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lambda_sqs_execution_role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"lambda_basic_execution"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_exec_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"lambda_sqs_execution"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_exec_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"event_processor"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">lambda_zip</span><span class="p">.</span><span class="nx">output_path</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"OrderEventProcessor"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_exec_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"processor.lambda_handler"</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">lambda_zip</span><span class="p">.</span><span class="nx">output_file_base64sha256</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.11"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_event_source_mapping"</span> <span class="s2">"sqs_trigger"</span> <span class="p">{</span> <span class="nx">event_source_arn</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">event_queue</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">event_processor</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">batch_size</span> <span class="p">=</span> <span class="mi">10</span> <span class="p">}</span> </code></pre> </div> <h3> 3.6 Creating the Routing Rule in EventBridge </h3> <p><strong>What to do:</strong> Configure a rule that filters specific events published on the bus and directs them to the SQS queue.</p> <p><strong>Why do it:</strong> The bus can receive thousands of different events. Rules ensure that the target system (your SQS queue) receives only the events that matter to it, optimizing processing and reducing costs.</p> <p><strong>Example:</strong><br> Complete the <code>main.tf</code> file with the routing configurations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"event_rule"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"capture-order-created"</span> <span class="nx">event_bus_name</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_bus</span><span class="p">.</span><span class="nx">custom_bus</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Captures order created events"</span> <span class="nx">event_pattern</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"com.mycompany.orders"</span><span class="p">]</span> <span class="nx">detail-type</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"OrderCreated"</span><span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"sqs_target"</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">event_rule</span><span class="p">.</span><span class="nx">name</span> <span class="nx">event_bus_name</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_bus</span><span class="p">.</span><span class="nx">custom_bus</span><span class="p">.</span><span class="nx">name</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="s2">"SendToSQS"</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_sqs_queue</span><span class="p">.</span><span class="nx">event_queue</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>To deploy the entire infrastructure, run the commands <code>terraform init</code>, <code>terraform plan</code>, and <code>terraform apply</code> in your terminal.</p> <h2> 4. Common Troubleshooting </h2> <p>Even with a well-defined script, infrastructure provisioning can encounter obstacles. Below are the most frequent problems and their solutions:</p> <ol> <li><p><strong>Access Denied Permissions on the SQS Queue:</strong><br> What is happening: EventBridge cannot deliver messages to the queue.<br> How to solve it: Check the <code>aws_sqs_queue_policy</code>. Ensure the EventBridge rule ARN is correct in the security condition. A misconfigured policy will result in the silent discard of events.</p></li> <li><p><strong>Lambda is not triggered by SQS messages:</strong><br> What is happening: Messages arrive in the queue, but the Python function is not executed.<br> How to solve it: Validate if the IAM Role linked to the Lambda (<code>lambda_sqs_execution_role</code>) has the <code>AWSLambdaSQSQueueExecutionRole</code> policy properly attached. Lambda needs read permissions (<code>sqs:ReceiveMessage</code>, <code>sqs:DeleteMessage</code>, <code>sqs:GetQueueAttributes</code>) to consume the data.</p></li> <li><p><strong>Event Pattern Incompatibility:</strong><br> What is happening: You publish an event to the bus, but it does not appear in the queue.<br> How to solve it: Verify the accuracy of the injected JSON. The <code>source</code> and <code>detail-type</code> fields sent by the message producer must perfectly match the values stipulated in the <code>event_pattern</code> block of the Terraform rule. EventBridge is case-sensitive.</p></li> </ol> <h2> 5. Conclusion </h2> <p>In this tutorial, we built a robust backbone for an event-driven architecture. We configured the structure in code using Terraform, establishing EventBridge as the intelligent traffic router, SQS as the fault-tolerance layer, and Python Lambda as the scalable processing unit. </p> <p>Mastering this topology empowers you to integrate microservices safely and cleanly. As next steps, I recommend diving into the implementation of Dead Letter Queues (DLQ) for advanced handling of unresolved failures and exploring how this decoupling architectural pattern translates into the design of complex systems in multicloud scenarios.</p> aws eventdriven python terraform Road to Golden Jacket: My Journey and Tips for the New AWS SOA-C03 Exam 🚀 Cláudio Filipe Lima Rapôso Mon, 30 Mar 2026 16:15:52 +0000 https://forem.com/sertaoseracloud/road-to-golden-jacket-my-journey-and-tips-for-the-new-aws-soa-c03-exam-i4j https://forem.com/sertaoseracloud/road-to-golden-jacket-my-journey-and-tips-for-the-new-aws-soa-c03-exam-i4j <p>When I sat down to take my AWS Certified SysOps Administrator - Associate exam on <strong>March 23</strong>, I had prepared for a broad range of operational topics. But when the test began, one thing became immediately clear: <strong>Amazon CloudWatch was everywhere.</strong></p> <p>It felt like every other scenario revolved around monitoring, analyzing logs, or troubleshooting performance bottlenecks. Now that AWS has officially transitioned to the new <strong>AWS Certified CloudOps Engineer - Associate (SOA-C03)</strong> exam, I realize that my heavy CloudWatch experience was actually the best preparation I could have asked for.</p> <p>Here is a personal look at my exam experience, why CloudWatch is your best friend, and my top tips for anyone tackling the new CloudOps certification.</p> <h2> 📈 The CloudWatch Marathon </h2> <p>During my exam on March 23, the monitoring and logging domain was a massive part of the test. I had to know exactly how to trigger alarms, collect logs, and automate responses.</p> <p>If you are studying for the new SOA-C03 exam, this is even more critical. The domain has been expanded to <strong>"Monitoring, Logging, Analysis, Remediation, and Performance Optimization"</strong> and now carries the heaviest weight on the exam at <strong>22%</strong>,.</p> <p>To pass, you must understand how to:</p> <ul> <li> Configure and manage the CloudWatch agent to collect metrics and logs not just from EC2 instances, but also from <strong>Amazon ECS and Amazon EKS clusters</strong>,.</li> <li> Set up composite alarms and configure them to invoke AWS services directly or through <strong>Amazon EventBridge</strong>.</li> <li> Automate remediation tasks using <strong>AWS Systems Manager Automation runbooks</strong>.</li> </ul> <h2> 🔄 Bridging the Gap: SysOps to CloudOps </h2> <p>While my exam tested me heavily on traditional monitoring, the new "CloudOps" title reflects a modern shift in cloud operations. If I were taking the SOA-C03 today, here is what I would add to my study list to bridge the gap:</p> <ul> <li> <strong>The Container Ecosystem:</strong> Containers are now officially in-scope. You need to understand Amazon Elastic Container Registry (ECR), Elastic Container Service (ECS), and Elastic Kubernetes Service (EKS),.</li> <li> <strong>Infrastructure as Code (IaC):</strong> The new exam emphasizes creating and managing stacks using <strong>AWS CloudFormation</strong> and the <strong>AWS Cloud Development Kit (AWS CDK)</strong>,.</li> <li> <strong>Multi-Account Management:</strong> Operating in a single account is a thing of the past. You must know how to enforce compliance and manage security across multiple accounts using <strong>AWS Organizations</strong>, <strong>Service Control Policies (SCPs)</strong>, and <strong>AWS Control Tower</strong>,.</li> </ul> <h2> 💡 My Top Tips for Exam Day </h2> <p>Based on my experience in the hot seat, here are my top tips for crushing the exam:</p> <ol> <li> <strong>Build a Real Monitoring Lab:</strong> Don't just read the docs. Spin up an EC2 instance, install the CloudWatch agent, and create a custom dashboard,. Set up an alarm to trigger an SNS notification or an EventBridge rule, so you see the automated flow in action.</li> <li> <strong>Master Automation:</strong> Understand how to use AWS Systems Manager to automate operational processes and remediate issues,.</li> <li> <strong>Eliminate the Noise:</strong> AWS questions are famously wordy and the distractors are designed to look plausible. Find the core requirement like "most cost-effective" or "highly available" and eliminate the answers that don't fit.</li> <li> <strong>Embrace the AWS Well-Architected Framework:</strong> The exam tests your ability to support workloads according to these best practices,. Always think about how to optimize performance and reliability.</li> </ol> <p>Taking this exam validated my practical skills and proved that I could maintain and secure workloads in the cloud. If you are preparing for the SOA-C03, dive deep into CloudWatch and embrace automation!</p> <h1> 💡 Enjoyed it? </h1> <p>If you want to chat about AI, cloud, and architecture, follow me on my socials:</p> <p><a href="https://olink.ai/sertaoseracloud" rel="noopener noreferrer">Social Media</a></p> <p>I post technical content straight from the front lines. And whenever I discover a time-saving tool that gets the job done right, like this one, you'll hear about it too.</p> <p>Have you taken the exam yet? Let me know your experience in the comments below! 👇</p> aws career devops monitoring From Infrastructure to Product: Pipelines into a Profitable SaaS Cláudio Filipe Lima Rapôso Thu, 12 Mar 2026 19:12:31 +0000 https://forem.com/sertaoseracloud/from-infrastructure-to-product-pipelines-into-a-profitable-saas-44mc https://forem.com/sertaoseracloud/from-infrastructure-to-product-pipelines-into-a-profitable-saas-44mc <p><strong>Open Journal Systems (OJS)</strong> is the engine behind thousands of scientific publications worldwide. However, educational institutions, from high schools running literary magazines to universities managing peer-reviewed journals, share a massive pain point: they want to publish research, but they lack the internal IT resources to manage complex PHP monoliths, backups, and server security.</p> <p>Blending my experience in the classroom with software architecture, I realized this is a massive opportunity. We can move beyond just "hosting" OJS and transform it into a fully automated, <strong>Zero-Touch B2B SaaS platform</strong> targeted globally at the education sector.</p> <p>This article details the design, infrastructure, and product strategy to build a highly available, multi-tenant OJS SaaS on <strong>Amazon Web Services (AWS)</strong> using Terraform, Go, and GitHub Actions.</p> <h2> 🏗️ 1. The Reference Architecture on AWS </h2> <p>To sell this globally, we cannot afford manual interventions or local server disks. We must adopt a distributed, <em>stateless</em>, and 100% managed topology.</p> <h3> Core Components: </h3> <ul> <li> <strong>Compute:</strong> <strong>Amazon ECS with AWS Fargate</strong>. We run the OJS Docker image in a <em>serverless</em> manner. We pay only for the CPU/RAM consumed, which is crucial for maximizing profit margins.</li> <li> <strong>Database:</strong> <strong>Amazon RDS for MySQL</strong>. Fully managed, automated backups, and isolated data tiers.</li> <li> <strong>File Persistence:</strong> OJS requires a persistent directory (<code>files_dir</code>) for articles and PDFs. We mount <strong>Amazon EFS (Elastic File System)</strong> directly to the ECS Task via the NFS protocol.</li> </ul> <h2> ⚙️ 2. The "Zero-Touch" Provisioning Engine </h2> <p>To turn this infrastructure into a product, the entire customer lifecycle must be automated. Here is how the provisioning engine works:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftro7h6xlpywnjfbrj862.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftro7h6xlpywnjfbrj862.png" alt="Engine" width="800" height="672"></a></p> <ol> <li> <strong>The Storefront:</strong> A university administrator selects a plan on your landing page and checks out.</li> <li> <strong>The Orchestrator (Golang API):</strong> For high concurrency and low footprint, a lightweight backend API built in <strong>Go</strong> listens for the payment gateway webhook (e.g., Stripe).</li> <li> <strong>The Trigger:</strong> The Go API automatically calls the <strong>GitHub Actions API</strong>, passing the <code>tenant_name</code>, <code>region</code>, and <code>tier</code> as JSON payloads.</li> <li> <strong>The Magic:</strong> GitHub Actions runs the Terraform scripts. Within minutes, the isolated AWS infrastructure is provisioned, Route53 updates the DNS (<code>journal.university.edu</code>), and the client receives an automated email with their admin credentials. </li> </ol> <h3> 🌍 Level 1: The System Context Diagram (Business View) </h3> <p><strong>Who it's for:</strong> Executives, Investors, University Directors, and non-technical Stakeholders.<br> <strong>What it shows:</strong> The "Big Picture." It places our <strong>OJS SaaS Platform</strong> at the center of the universe and focuses exclusively on answering two questions: <em>Who uses the system?</em> and <em>What other systems do we talk to?</em></p> <ul> <li> <strong>The Actors:</strong> It makes it clear that we have different user profiles (the Admin who pays, the Author who publishes, the Reader who consumes).</li> <li> <strong>The External Boundaries:</strong> It shows that we didn't build a payment processor from scratch (we use <strong>Stripe</strong>), we didn't reinvent infrastructure pipelines (we use <strong>GitHub Actions</strong>), and we integrate with academic industry standards (<strong>Crossref</strong>).</li> <li> <strong>The Value:</strong> Here, technology doesn't matter. There is no AWS, Go, or PHP in this diagram. The focus is purely on the business value flow.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fierybgtw58y6oubbfa0v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fierybgtw58y6oubbfa0v.png" alt="Systems Context" width="800" height="565"></a></p> <h3> Level 2: The Container Diagram (Solution/Cloud View) </h3> <p><strong>Who it's for:</strong> Cloud Architects, DevOps Engineers, Tech Leads, and Security Teams.<br> <strong>What it shows:</strong> How the central system (the blue box from Level 1) is divided internally.<br> <em>(Architectural Note: In the C4 Model, a "Container" means an independently deployable/runnable unit, not necessarily a Docker container, although in our case, they coincide).</em></p> <ul> <li> <strong>Separation of Concerns:</strong> The division between the <strong>Storefront Web</strong> (React Front-end), the <strong>Provisioning API</strong> (our Go engine), and the <strong>Tenant Infrastructure</strong> (the client's OJS) is crystal clear.</li> <li> <strong>Technology Choices:</strong> This is where the cloud "magic" appears. We show that OJS runs on <strong>ECS Fargate</strong> (Compute), uses <strong>Amazon RDS</strong> (Relational Database), and <strong>Amazon EFS</strong> (Network persistence for PDFs).</li> <li> <strong>Communication Flow:</strong> It shows that the Admin doesn't access the database directly; the communication flows from the Browser to the Load Balancer, to the container, and only then to the database via port 3306.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fud5pyvu4a8vh42skqk10.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fud5pyvu4a8vh42skqk10.png" alt="Container Context" width="800" height="713"></a></p> <h3> 🧩 Level 3: The Component Diagram (Engineering/Code View) </h3> <p><strong>Who it's for:</strong> Software Developers (Backend).<br> <strong>What it shows:</strong> We take just one of the containers from Level 2 (in this case, our <strong>Go Provisioning API</strong>) and open the hood to see how the code is structured internally.</p> <ul> <li> <strong>Domain Isolation:</strong> This is the perfect level to demonstrate <strong>Domain-Driven Design (DDD)</strong> principles. The <code>Tenant Manager</code> component represents the heart of our domain (where the business rules live).</li> <li> <strong>Dependency Inversion:</strong> The diagram shows components like the <code>GitHub API Client</code> and the <code>Metadata Repository</code>. As architects, we want our domain (<code>Tenant Manager</code>) to not depend on specific infrastructure implementations, but rather on interfaces (ports and adapters). The visual flow shows how the business rule delegates the heavy I/O lifting to external clients.</li> <li> <strong>The Webhook Lifecycle:</strong> It explains the exact path of the data: The request hits the <code>Router</code>, passes through validation in the <code>Payment Handler</code>, updates the database via the <code>Metadata Repo</code>, and finally triggers the infrastructure via the <code>GitHub Client</code>.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiqdgo3vaqy1dd2p65kyq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiqdgo3vaqy1dd2p65kyq.png" alt="Component Diagram" width="513" height="1080"></a></p> <p>Here is the GitHub Actions workflow that your Go API triggers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Zero-Touch</span><span class="nv"> </span><span class="s">SaaS</span><span class="nv"> </span><span class="s">Provisioning'</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">tenant_name</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Tenant</span><span class="nv"> </span><span class="s">Name'</span><span class="pi">,</span> <span class="nv">required</span><span class="pi">:</span> <span class="nv">true</span> <span class="pi">}</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Tier</span><span class="nv"> </span><span class="s">(basic/premium)'</span><span class="pi">,</span> <span class="nv">required</span><span class="pi">:</span> <span class="nv">true</span> <span class="pi">}</span> <span class="na">aws_region</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Target</span><span class="nv"> </span><span class="s">Region'</span><span class="pi">,</span> <span class="nv">required</span><span class="pi">:</span> <span class="nv">true</span> <span class="pi">}</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ github.event.inputs.aws_region }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init &amp; Apply</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init -backend-config="key=${{ github.event.inputs.tenant_name }}.tfstate"</span> <span class="s">terraform apply -var-file="envs/${{ github.event.inputs.environment }}.tfvars.json" -auto-approve</span> </code></pre> </div> <h2> 🌍 3. Global Scaling and Data Compliance </h2> <p>Selling to the global education market means navigating strict data privacy laws. Because our infrastructure is codified with Terraform, deploying a compliant environment is just a matter of dynamically injecting the <code>aws_region</code> variable:</p> <ul> <li> <strong>GDPR (Europe):</strong> If a German university signs up, the automation deploys to <code>eu-central-1</code> (Frankfurt). The data never leaves Europe.</li> <li> <strong>LGPD (Brazil):</strong> For Brazilian institutions, the automation targets <code>sa-east-1</code> (São Paulo).</li> <li> <strong>FERPA/HIPAA (USA):</strong> Medical universities publishing clinical trials can be hosted in isolated, dedicated environments in the US.</li> </ul> <h2> 💎 4. Tiered Product Strategy (FinOps) </h2> <p>We can structure the SaaS offerings to capture both ends of the academic spectrum, leveraging AWS FinOps strategies:</p> <h3> Tier 1: High School &amp; Small College Plan (High Volume) </h3> <ul> <li> <strong>Use Case:</strong> High school science fairs or small departmental newsletters.</li> <li> <strong>Architecture:</strong> Shared ECS resources and a single shared RDS instance with logical separation (different schemas per school).</li> <li> <strong>FinOps:</strong> We use <strong>Fargate Spot</strong> to utilize spare AWS compute capacity for up to a <strong>70% discount</strong>. We also use EventBridge to scale the environments down to zero during weekends and school holidays.</li> </ul> <h3> Tier 2: University &amp; Research Institute Plan (High Margin) </h3> <ul> <li> <strong>Use Case:</strong> Official university peer-reviewed journals indexing globally with Crossref and DOIs.</li> <li> <strong>Architecture:</strong> Dedicated ECS Tasks, isolated RDS instances powered by Graviton (ARM) processors for better price/performance, and custom domain mapping.</li> <li> <strong>Price Point:</strong> Premium recurring revenue with strict SLA guarantees and daily automated snapshots.</li> </ul> <h2> 🐳 5. Dockerizing OJS </h2> <p>The Docker image remains very similar to any standard containerized environment, focusing heavily on the required PHP extensions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> php:8.2-apache</span> <span class="c"># System dependencies and PHP extensions required for OJS on AWS</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="se">\ </span> libpng-dev libjpeg-dev libxml2-dev libzip-dev zlib1g-dev libicu-dev g++ <span class="se">\ </span> <span class="o">&amp;&amp;</span> docker-php-ext-configure gd <span class="nt">--with-jpeg</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> docker-php-ext-install gd mysqli opcache zip intl gettext <span class="c"># Upload Optimizations</span> <span class="k">RUN </span><span class="o">{</span> <span class="se">\ </span> <span class="nb">echo</span> <span class="s1">'opcache.memory_consumption=128'</span><span class="p">;</span> <span class="se">\ </span> <span class="nb">echo</span> <span class="s1">'upload_max_filesize=64M'</span><span class="p">;</span> <span class="se">\ </span> <span class="nb">echo</span> <span class="s1">'post_max_size=64M'</span><span class="p">;</span> <span class="se">\ </span> <span class="o">}</span> <span class="o">&gt;</span> /usr/local/etc/php/conf.d/ojs-optimization.ini <span class="k">COPY</span><span class="s"> . /var/www/html/</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> www-data:www-data /var/www/html/ </code></pre> </div> <h2> 🛠️ 6. Infrastructure as Code (Terraform) </h2> <p>Governance across the AWS environment is managed via Terraform. The state (<code>.tfstate</code>) is securely stored in <strong>Amazon S3</strong> with State Locking handled by <strong>DynamoDB</strong>.</p> <p>Below is the critical snippet that connects ECS (Fargate) to EFS to persist the PDFs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># 1. Amazon RDS MySQL</span> <span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"ojs_db"</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"ojs-db-${var.environment}"</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">20</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"mysql"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="s2">"8.0"</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_instance_class</span> <span class="nx">username</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_user</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_password</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">rds_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">aws_db_subnet_group</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># 2. Amazon EFS for the files directory</span> <span class="nx">resource</span> <span class="s2">"aws_efs_file_system"</span> <span class="s2">"ojs_files"</span> <span class="p">{</span> <span class="nx">creation_token</span> <span class="p">=</span> <span class="s2">"ojs-efs-${var.environment}"</span> <span class="nx">encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># 3. ECS Task Definition (Fargate) with EFS Volume</span> <span class="nx">resource</span> <span class="s2">"aws_ecs_task_definition"</span> <span class="s2">"ojs_task"</span> <span class="p">{</span> <span class="nx">family</span> <span class="p">=</span> <span class="s2">"ojs-app-${var.environment}"</span> <span class="nx">requires_compatibilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">]</span> <span class="nx">network_mode</span> <span class="p">=</span> <span class="s2">"awsvpc"</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">fargate_cpu</span> <span class="nx">memory</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">fargate_memory</span> <span class="nx">container_definitions</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ojs-container"</span> <span class="nx">image</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ecr_image_url</span> <span class="nx">mountPoints</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">sourceVolume</span> <span class="p">=</span> <span class="s2">"ojs-efs-volume"</span> <span class="nx">containerPath</span> <span class="p">=</span> <span class="s2">"/var/www/ojsdata"</span> <span class="p">}]</span> <span class="nx">environment</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"MYSQL_HOST"</span><span class="p">,</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_db_instance</span><span class="p">.</span><span class="nx">ojs_db</span><span class="p">.</span><span class="nx">address</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}])</span> <span class="nx">volume</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ojs-efs-volume"</span> <span class="nx">efs_volume_configuration</span> <span class="p">{</span> <span class="nx">file_system_id</span> <span class="p">=</span> <span class="nx">aws_efs_file_system</span><span class="p">.</span><span class="nx">ojs_files</span><span class="p">.</span><span class="nx">id</span> <span class="nx">transit_encryption</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Variable Injection (FinOps) </h3> <p>We define instance sizes via JSON (<code>prod.tfvars.json</code>) to control costs per environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"prod"</span><span class="p">,</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fargate_cpu"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1024"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fargate_memory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2048"</span><span class="p">,</span><span class="w"> </span><span class="nl">"db_instance_class"</span><span class="p">:</span><span class="w"> </span><span class="s2">"db.t4g.medium"</span><span class="p">,</span><span class="w"> </span><span class="nl">"db_user"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ojsadmin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 🚀 7. CI/CD with GitHub Actions </h2> <p>The automated deployment pipeline checks out the code, configures AWS credentials, and updates the infrastructure via Terraform.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Deploy</span><span class="nv"> </span><span class="s">OJS</span><span class="nv"> </span><span class="s">AWS'</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">tenant_name</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Tenant</span><span class="nv"> </span><span class="s">Name'</span><span class="pi">,</span> <span class="nv">required</span><span class="pi">:</span> <span class="nv">true</span> <span class="pi">}</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Environment</span><span class="nv"> </span><span class="s">(dev/hom/prod)'</span><span class="pi">,</span> <span class="nv">required</span><span class="pi">:</span> <span class="nv">true</span> <span class="pi">}</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init (S3 Backend)</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init \</span> <span class="s">-backend-config="bucket=ojs-terraform-state-central" \</span> <span class="s">-backend-config="key=${{ github.event.inputs.tenant_name }}.${{ github.event.inputs.environment }}.tfstate" \</span> <span class="s">-backend-config="dynamodb_table=terraform-lock"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TF_VAR_db_password</span><span class="pi">:</span> <span class="s">${{ secrets.DB_PASSWORD }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform apply \</span> <span class="s">-var-file="envs/${{ github.event.inputs.environment }}.tfvars.json" \</span> <span class="s">-auto-approve</span> </code></pre> </div> <h2> 💰 8. FinOps: Cost Optimization on AWS </h2> <p>AWS provides fantastic mechanisms to slash costs in non-production environments:</p> <ol> <li> <strong>Fargate Spot:</strong> In <strong>Dev/Hom</strong> environments, we configure the ECS <em>Capacity Provider</em> to use <strong>Fargate Spot</strong>, utilizing spare AWS compute capacity for up to a <strong>70% discount</strong>.</li> <li> <strong>Graviton (ARM):</strong> We use RDS instances powered by Graviton processors (<code>db.t4g</code>), which deliver better performance at a lower price point than the x86 architecture.</li> <li> <strong>Scheduling Automation:</strong> We leverage <strong>Amazon EventBridge</strong> to trigger an <strong>AWS Lambda</strong> function that stops the RDS instance and scales the ECS <em>Desired Count</em> to <code>0</code> outside of regular business hours.</li> </ol> <h2> 🎯 Conclusion </h2> <p>By bridging the gap between software architecture and the needs of the classroom, we can transform Open Journal Systems from a complex IT burden into a seamless, globally scalable SaaS product. The combination of AWS ECS Fargate for horizontal scalability, Go for rapid API orchestration, and Terraform for compliant IaC delivers a true, zero-touch EdTech platform.</p> <p>Have you ever thought about productizing open-source software into a niche B2B SaaS? Share your thoughts and architectural approaches in the comments! 👇</p> aws terraform devops architecture Reason Your Python Code is Hard to Test with Single Responsibility Principle, And How to Fix It! (Portuguese version) Cláudio Filipe Lima Rapôso Mon, 29 Dec 2025 19:43:37 +0000 https://forem.com/sertaoseracloud/reason-your-python-code-is-hard-to-test-with-single-responsibility-principle-and-how-to-fix-it-3no1 https://forem.com/sertaoseracloud/reason-your-python-code-is-hard-to-test-with-single-responsibility-principle-and-how-to-fix-it-3no1 <p>O Princípio da Responsabilidade Única (SRP - <em>Single Responsibility Principle</em>) é a base dos princípios SOLID. Ele estabelece que <strong>uma classe deve ter um, e apenas um, motivo para mudar.</strong></p> <p>Quando ignoramos esse princípio, criamos "God Classes" (Classes Deus) componentes que sabem demais e fazem demais. Essas classes são frágeis: uma mudança no banco de dados pode quebrar a lógica de validação, ou uma alteração nas regras de negócio pode quebrar o sistema de envio de e-mails.</p> <p>Neste guia, analisaremos um antipadrão comum em uma funcionalidade de Cadastro de Usuário e a refatoraremos para uma arquitetura limpa e desacoplada.</p> <h2> ❌ O "Antes": A Violação do SRP </h2> <p>Aqui está um exemplo típico de código legado. Temos uma classe chamada <code>UserService</code>, mas ela não está agindo como um serviço; ela age como um monolito.</p> <p><strong>Por que isso é ruim:</strong></p> <ul> <li> <strong>Alto Acoplamento:</strong> Ela está fortemente ligada a regras de validação específicas e instruções de banco de dados (<code>print</code>).</li> <li> <strong>Difícil de Testar:</strong> Você não consegue testar a lógica de registro sem acionar a lógica do banco de dados.</li> <li> <strong>Múltiplos Motivos para Mudar:</strong> Se as regras de senha mudarem, este arquivo é aberto. Se o banco de dados mudar, este arquivo também é aberto. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">UserService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">register</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="c1"># Responsabilidade 1: Lógica de Validação </span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">name</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">3</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">O nome é muito curto</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">"</span><span class="s">@</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">email</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Email inválido</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">6</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">A senha é muito fraca</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Responsabilidade 2: Lógica de Banco de Dados (Verificar existência) </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[DB] Verificando se </span><span class="si">{</span><span class="n">email</span><span class="si">}</span><span class="s"> existe...</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">email</span> <span class="o">==</span> <span class="sh">"</span><span class="s">taken@example.com</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Email já está em uso</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Responsabilidade 3: Lógica de Persistência (Salvar) </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[DB] INSERT INTO users (name, email) VALUES (</span><span class="sh">'</span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="sh">'</span><span class="s">, </span><span class="sh">'</span><span class="si">{</span><span class="n">email</span><span class="si">}</span><span class="sh">'</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Responsabilidade 4: Lógica de Notificação </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[MAIL] Enviando e-mail de boas-vindas para </span><span class="si">{</span><span class="n">email</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><strong>Uso</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>service = UserService() service.register("Alice", "alice@example.com", "123456") </code></pre> </div> <h2> ✅ A Refatoração: Separação de Preocupações </h2> <p>Para corrigir isso, devemos identificar as responsabilidades distintas e extraí-las para suas próprias classes.</p> <h3> 1. A Entidade (Estrutura de Dados) </h3> <p>Primeiro, criamos uma representação dos dados. Esta classe não tem lógica; ela apenas armazena estado.</p> <ul> <li> <strong>Motivo para mudar:</strong> Apenas se os atributos do usuário (como adicionar <code>telefone</code>) mudarem. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">User</span><span class="p">:</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="n">email</span><span class="p">:</span> <span class="nb">str</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> </code></pre> </div> <h3> 2. O Validador (Regras de Negócio) </h3> <p>Extraímos as regras de validação. Esta classe garante a integridade dos dados.</p> <ul> <li> <strong>Motivo para mudar:</strong> Apenas se as regras para dados válidos mudarem. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">UserValidator</span><span class="p">:</span> <span class="k">def</span> <span class="nf">validate</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user</span><span class="p">:</span> <span class="n">User</span><span class="p">):</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">3</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">O nome é muito curto</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="sh">"</span><span class="s">@</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Email inválido</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">password</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">6</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">A senha é muito fraca</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 3. O Repositório (Persistência) </h3> <p>Abstraímos as operações de banco de dados. Esta classe lida com o "Como" armazenar os dados.</p> <ul> <li> <strong>Motivo para mudar:</strong> Apenas se a tecnologia do banco de dados (SQL, NoSQL, Arquivo) mudar. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">UserRepository</span><span class="p">:</span> <span class="k">def</span> <span class="nf">exists</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">email</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="c1"># Simula verificação no DB </span> <span class="k">return</span> <span class="n">email</span> <span class="o">==</span> <span class="sh">"</span><span class="s">taken@example.com</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">save</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user</span><span class="p">:</span> <span class="n">User</span><span class="p">):</span> <span class="c1"># Simula salvamento no DB </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[DB] INSERT INTO users VALUES (</span><span class="sh">'</span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="sh">'</span><span class="s">, </span><span class="sh">'</span><span class="si">{</span><span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="si">}</span><span class="sh">'</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 4. O Serviço (O Orquestrador) </h3> <p>Finalmente, reescrevemos o <code>UserService</code>. Note como ele ficou limpo. Ele não sabe <em>como</em> validar ou <em>como</em> salvar; ele simplesmente delega essas tarefas para os especialistas (as dependências injetadas).</p> <ul> <li> <strong>Motivo para mudar:</strong> Apenas se o <em>fluxo de trabalho</em> do cadastro mudar (ex: adicionar uma etapa para verificar o telefone via SMS). </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">UserService</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">validator</span><span class="p">:</span> <span class="n">UserValidator</span><span class="p">,</span> <span class="n">repository</span><span class="p">:</span> <span class="n">UserRepository</span><span class="p">):</span> <span class="c1"># Injeção de Dependência: Pedimos as ferramentas que precisamos </span> <span class="n">self</span><span class="p">.</span><span class="n">validator</span> <span class="o">=</span> <span class="n">validator</span> <span class="n">self</span><span class="p">.</span><span class="n">repository</span> <span class="o">=</span> <span class="n">repository</span> <span class="k">def</span> <span class="nf">register</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">User</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">)</span> <span class="c1"># Passo 1: Validar </span> <span class="n">self</span><span class="p">.</span><span class="n">validator</span><span class="p">.</span><span class="nf">validate</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="c1"># Passo 2: Verificar Regras de Negócio </span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">repository</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">email</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Email já está em uso</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Passo 3: Persistir </span> <span class="n">self</span><span class="p">.</span><span class="n">repository</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">&gt;&gt;&gt; Usuário registrado com sucesso.</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Exemplo de Uso </h2> <p>Ao conectar os componentes ("wiring"), criamos um sistema flexível.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># 1. Configurar as dependências </span> <span class="n">repo</span> <span class="o">=</span> <span class="nc">UserRepository</span><span class="p">()</span> <span class="n">val</span> <span class="o">=</span> <span class="nc">UserValidator</span><span class="p">()</span> <span class="c1"># 2. Injetar dependências no Serviço </span> <span class="n">service</span> <span class="o">=</span> <span class="nc">UserService</span><span class="p">(</span><span class="n">validator</span><span class="o">=</span><span class="n">val</span><span class="p">,</span> <span class="n">repository</span><span class="o">=</span><span class="n">repo</span><span class="p">)</span> <span class="c1"># 3. Executar a lógica </span> <span class="k">try</span><span class="p">:</span> <span class="n">service</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="sh">"</span><span class="s">Bob</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">bob@example.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">senhaSegura123</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">ValueError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Erro: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Conclusão </h2> <p>Ao aplicar o Princípio da Responsabilidade Única, transformamos um script rígido em uma arquitetura de software profissional.</p> <p>Os benefícios dessa abordagem são claros:</p> <ol> <li> <strong>Testabilidade:</strong> Agora você pode criar testes unitários para o <code>UserValidator</code> isoladamente, sem precisar de um banco de dados falso.</li> <li> <strong>Manutenibilidade:</strong> Se o esquema do banco de dados mudar, você edita apenas o <code>UserRepository</code>. O <code>UserService</code> permanece intocado.</li> <li> <strong>Legibilidade:</strong> O <code>UserService</code> agora lê como uma história de alto nível sobre <em>o que</em> acontece, em vez de uma lista bagunçada de <em>como</em> acontece.</li> </ol> <p>Essa separação reduz a carga cognitiva sobre o desenvolvedor e garante que sua aplicação seja robusta o suficiente para lidar com mudanças futuras com risco mínimo.</p> phyton programming solidprinciples singleresponsibility Bot de Monitoramento para SushiSwap V3 em Go — Parte 1 Cláudio Filipe Lima Rapôso Tue, 30 Sep 2025 20:13:30 +0000 https://forem.com/sertaoseracloud/bot-de-monitoramento-para-sushiswap-v3-em-go-parte-1-4ge2 https://forem.com/sertaoseracloud/bot-de-monitoramento-para-sushiswap-v3-em-go-parte-1-4ge2 <p>Este guia descreve, de forma contínua e didática, como construir a primeira metade de um bot de trading em Go. Nesta etapa não há transações on-chain. O programa observa o preço em dólar de um token de referência, compara esse valor com limites configurados em um arquivo <code>.env</code> e decide, de maneira simulada, quando compraria e quando venderia. O objetivo é validar lógica e parâmetros sem risco financeiro, além de introduzir a persistência do estado em SQLite para que o bot possa ser interrompido e retomado sem perder contexto.</p> <h2> Conceito e fluxo </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffh11lwbi2dbje5bhm4zf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffh11lwbi2dbje5bhm4zf.png" alt="Arquitetura de Referência" width="800" height="580"></a></p> <p>O comportamento é simples. O aplicativo carrega as configurações do <code>.env</code>, consulta periodicamente o preço em USD do token de referência por HTTP e imprime no console o valor atual. Se o preço observado estiver abaixo ou igual ao alvo de compra e ainda não houver posição aberta, considera-se uma entrada e o estado é salvo no banco com a informação do preço de entrada. Se, com posição aberta, o preço atingir o alvo de lucro, considera-se a saída e o estado é atualizado para indicar que não há mais posição. Em qualquer outro caso, o programa apenas aguarda. Como não há transações nesta fase, tratamos essas decisões como um simulador de gatilhos, útil para ajustar parâmetros e entender o ciclo de execução.</p> <h2> Preparação do ambiente </h2> <p>É necessário ter Go instalado em versão recente. Crie uma pasta para o projeto, inicialize um módulo e instale as dependências. O pacote <code>godotenv</code> carrega variáveis do arquivo <code>.env</code> e o driver <code>modernc.org/sqlite</code> possibilita usar SQLite sem CGO, o que simplifica a portabilidade.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>sushiswap-v3-go <span class="o">&amp;&amp;</span> <span class="nb">cd </span>sushiswap-v3-go go mod init example.com/sushiswap-v3-go go get github.com/joho/godotenv go get modernc.org/sqlite </code></pre> </div> <h2> Configuração com <code>.env</code> </h2> <p>Crie um arquivo <code>.env</code> na raiz do projeto. Ele concentra variáveis de rede e parâmetros de estratégia. Também indicamos <code>DB_PATH</code>, o caminho do arquivo SQLite que manterá o estado.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CHAIN_ID=11155111 NETWORK=sepolia INFURA_API_KEY=SUA_INFURA_KEY TOKEN0_ADDRESS=0xfFf9976782d46CC05630D1f6eBAb18b2324d6B14 TOKEN1_ADDRESS=0x1c7D4B196Cb0C7B01d743Fbc6116a902379C7238 QUOTE0_ADDRESS=0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 WALLET=0xSUA_WALLET PRIVATE_KEY=0xSUA_PRIVATE_KEY ROUTER_ADDRESS=0x3b0aa7d38bf3c103bf02d1de2e37568cbed3d6e8 PRICE_TO_BUY=5000 AMOUNT_TO_BUY=0.1 PROFITABILITY=1.1 DB_PATH=./bot.db </code></pre> </div> <p>A variável <code>QUOTE0_ADDRESS</code> representa o token cujo preço em USD será observado; no exemplo, usa-se o WETH da mainnet por ser uma referência líquida e amplamente utilizada. As variáveis <code>PRICE_TO_BUY</code> e <code>PROFITABILITY</code> definem, respectivamente, o alvo de entrada e o multiplicador do alvo de lucro. As chaves de carteira e o endereço do router são armazenados desde já, embora só venham a ser utilizadas na fase seguinte, quando forem adicionadas transações reais. Recomenda-se manter o arquivo <code>.env</code> fora do controle de versão.</p> <h2> Implementação do código </h2> <p>A seguir estão os arquivos Go, organizados por responsabilidade. Basta criar cada arquivo com o conteúdo indicado.</p> <h3> <code>config.go</code> </h3> <p>Este módulo lê e valida o <code>.env</code>, convertendo valores numéricos e garantindo que os campos mínimos existam para a execução desta etapa. Se faltar algo essencial, a função sinaliza claramente o problema.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"os"</span> <span class="s">"strconv"</span> <span class="s">"github.com/joho/godotenv"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">Config</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ChainID</span> <span class="kt">int</span> <span class="n">Network</span> <span class="kt">string</span> <span class="n">InfuraAPIKey</span> <span class="kt">string</span> <span class="n">Token0Address</span> <span class="kt">string</span> <span class="n">Token1Address</span> <span class="kt">string</span> <span class="n">Quote0Address</span> <span class="kt">string</span> <span class="n">Wallet</span> <span class="kt">string</span> <span class="n">PrivateKey</span> <span class="kt">string</span> <span class="n">RouterAddress</span> <span class="kt">string</span> <span class="n">PriceToBuy</span> <span class="kt">float64</span> <span class="n">AmountToBuy</span> <span class="kt">string</span> <span class="n">Profitability</span> <span class="kt">float64</span> <span class="n">DBPath</span> <span class="kt">string</span> <span class="p">}</span> <span class="k">func</span> <span class="n">LoadConfig</span><span class="p">()</span> <span class="p">(</span><span class="o">*</span><span class="n">Config</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">_</span> <span class="o">=</span> <span class="n">godotenv</span><span class="o">.</span><span class="n">Load</span><span class="p">()</span> <span class="k">var</span> <span class="n">err</span> <span class="kt">error</span> <span class="n">cfg</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">Config</span><span class="p">{}</span> <span class="k">if</span> <span class="n">v</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"CHAIN_ID"</span><span class="p">);</span> <span class="n">v</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">cfg</span><span class="o">.</span><span class="n">ChainID</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">Atoi</span><span class="p">(</span><span class="n">v</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"CHAIN_ID inválido: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">cfg</span><span class="o">.</span><span class="n">ChainID</span> <span class="o">=</span> <span class="m">11155111</span> <span class="p">}</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Network</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"NETWORK"</span><span class="p">)</span> <span class="n">cfg</span><span class="o">.</span><span class="n">InfuraAPIKey</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"INFURA_API_KEY"</span><span class="p">)</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Token0Address</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"TOKEN0_ADDRESS"</span><span class="p">)</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Token1Address</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"TOKEN1_ADDRESS"</span><span class="p">)</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Quote0Address</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"QUOTE0_ADDRESS"</span><span class="p">)</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Wallet</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"WALLET"</span><span class="p">)</span> <span class="n">cfg</span><span class="o">.</span><span class="n">PrivateKey</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"PRIVATE_KEY"</span><span class="p">)</span> <span class="n">cfg</span><span class="o">.</span><span class="n">RouterAddress</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"ROUTER_ADDRESS"</span><span class="p">)</span> <span class="n">cfg</span><span class="o">.</span><span class="n">AmountToBuy</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"AMOUNT_TO_BUY"</span><span class="p">)</span> <span class="k">if</span> <span class="n">v</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"PRICE_TO_BUY"</span><span class="p">);</span> <span class="n">v</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">cfg</span><span class="o">.</span><span class="n">PriceToBuy</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">ParseFloat</span><span class="p">(</span><span class="n">v</span><span class="p">,</span> <span class="m">64</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"PRICE_TO_BUY inválido: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"PRICE_TO_BUY ausente"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">v</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"PROFITABILITY"</span><span class="p">);</span> <span class="n">v</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Profitability</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">ParseFloat</span><span class="p">(</span><span class="n">v</span><span class="p">,</span> <span class="m">64</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"PROFITABILITY inválido: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"PROFITABILITY ausente"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Quote0Address</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"QUOTE0_ADDRESS ausente"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">v</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"DB_PATH"</span><span class="p">);</span> <span class="n">v</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">cfg</span><span class="o">.</span><span class="n">DBPath</span> <span class="o">=</span> <span class="n">v</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">cfg</span><span class="o">.</span><span class="n">DBPath</span> <span class="o">=</span> <span class="s">"./bot.db"</span> <span class="p">}</span> <span class="k">return</span> <span class="n">cfg</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> <code>database.go</code> </h3> <p>Este módulo cria e inicializa o banco SQLite, além de oferecer funções para ler e salvar o estado do bot. O estado se restringe a duas informações: se há ou não posição aberta e qual foi o preço de entrada, quando aplicável. Ao iniciar pela primeira vez, uma linha padrão é criada para garantir que o acesso seja simples e previsível nas execuções subsequentes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"database/sql"</span> <span class="s">"fmt"</span> <span class="n">_</span> <span class="s">"modernc.org/sqlite"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">BotState</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">IsOpened</span> <span class="kt">bool</span> <span class="n">EntryPrice</span> <span class="o">*</span><span class="kt">float64</span> <span class="p">}</span> <span class="k">func</span> <span class="n">InitDB</span><span class="p">(</span><span class="n">path</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">sql</span><span class="o">.</span><span class="n">DB</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">db</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">sql</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"sqlite"</span><span class="p">,</span> <span class="n">path</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"erro abrindo sqlite: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">schema</span> <span class="o">:=</span> <span class="s">` CREATE TABLE IF NOT EXISTS bot_state ( id INTEGER PRIMARY KEY CHECK (id = 1), is_opened INTEGER NOT NULL, entry_price REAL ); INSERT INTO bot_state (id, is_opened, entry_price) SELECT 1, 0, NULL WHERE NOT EXISTS (SELECT 1 FROM bot_state WHERE id = 1); `</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="n">schema</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"erro criando schema: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">db</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">LoadBotState</span><span class="p">(</span><span class="n">db</span> <span class="o">*</span><span class="n">sql</span><span class="o">.</span><span class="n">DB</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">BotState</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">row</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">QueryRow</span><span class="p">(</span><span class="s">`SELECT is_opened, entry_price FROM bot_state WHERE id = 1`</span><span class="p">)</span> <span class="k">var</span> <span class="n">isOpenedInt</span> <span class="kt">int</span> <span class="k">var</span> <span class="n">entryPrice</span> <span class="n">sql</span><span class="o">.</span><span class="n">NullFloat64</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">row</span><span class="o">.</span><span class="n">Scan</span><span class="p">(</span><span class="o">&amp;</span><span class="n">isOpenedInt</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">entryPrice</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"erro lendo estado: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">var</span> <span class="n">ep</span> <span class="o">*</span><span class="kt">float64</span> <span class="k">if</span> <span class="n">entryPrice</span><span class="o">.</span><span class="n">Valid</span> <span class="p">{</span> <span class="n">v</span> <span class="o">:=</span> <span class="n">entryPrice</span><span class="o">.</span><span class="n">Float64</span> <span class="n">ep</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">v</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">BotState</span><span class="p">{</span> <span class="n">IsOpened</span><span class="o">:</span> <span class="n">isOpenedInt</span> <span class="o">==</span> <span class="m">1</span><span class="p">,</span> <span class="n">EntryPrice</span><span class="o">:</span> <span class="n">ep</span><span class="p">,</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">SaveBotState</span><span class="p">(</span><span class="n">db</span> <span class="o">*</span><span class="n">sql</span><span class="o">.</span><span class="n">DB</span><span class="p">,</span> <span class="n">st</span> <span class="o">*</span><span class="n">BotState</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">var</span> <span class="n">isOpenedInt</span> <span class="kt">int</span> <span class="k">if</span> <span class="n">st</span><span class="o">.</span><span class="n">IsOpened</span> <span class="p">{</span> <span class="n">isOpenedInt</span> <span class="o">=</span> <span class="m">1</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">isOpenedInt</span> <span class="o">=</span> <span class="m">0</span> <span class="p">}</span> <span class="k">var</span> <span class="n">entry</span> <span class="k">interface</span><span class="p">{}</span> <span class="k">if</span> <span class="n">st</span><span class="o">.</span><span class="n">EntryPrice</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">entry</span> <span class="o">=</span> <span class="o">*</span><span class="n">st</span><span class="o">.</span><span class="n">EntryPrice</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span> <span class="s">`UPDATE bot_state SET is_opened = ?, entry_price = ? WHERE id = 1`</span><span class="p">,</span> <span class="n">isOpenedInt</span><span class="p">,</span> <span class="n">entry</span><span class="p">,</span> <span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"erro salvando estado: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> <code>prices.go</code> </h3> <p>Esta unidade contém a função que consulta a API pública de preços. O retorno esperado é um número de ponto flutuante representando o preço em USD do token indicado. A configuração de timeout e a verificação do status HTTP ajudam a tornar o comportamento previsível.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"encoding/json"</span> <span class="s">"fmt"</span> <span class="s">"io"</span> <span class="s">"net/http"</span> <span class="s">"time"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">fetchPriceUSD</span><span class="p">(</span><span class="n">tokenAddress</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="kt">float64</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">url</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"https://api.sushi.com/price/v1/%d/%s"</span><span class="p">,</span> <span class="m">1</span><span class="p">,</span> <span class="n">tokenAddress</span><span class="p">)</span> <span class="n">req</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewRequest</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">MethodGet</span><span class="p">,</span> <span class="n">url</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Accept"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">client</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Client</span><span class="p">{</span><span class="n">Timeout</span><span class="o">:</span> <span class="m">10</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">}</span> <span class="n">res</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">client</span><span class="o">.</span><span class="n">Do</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="m">0</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">res</span><span class="o">.</span><span class="n">Body</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="k">if</span> <span class="n">res</span><span class="o">.</span><span class="n">StatusCode</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span> <span class="p">{</span> <span class="n">body</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">res</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="k">return</span> <span class="m">0</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"pricing api status %d: %s"</span><span class="p">,</span> <span class="n">res</span><span class="o">.</span><span class="n">StatusCode</span><span class="p">,</span> <span class="kt">string</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="p">}</span> <span class="k">var</span> <span class="n">price</span> <span class="kt">float64</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">res</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">price</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="m">0</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"falha ao decodificar preço: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">price</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> <code>main.go</code> </h3> <p>O arquivo principal integra as partes. Ao iniciar, o programa carrega a configuração, prepara o banco, recupera o estado e entra em um ciclo que consulta o preço, imprime o valor e executa a lógica de decisão, atualizando o SQLite sempre que houver mudanças de estado. Um comando para limpar a tela mantém o console com aparência de painel.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"log"</span> <span class="s">"time"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">monitor</span><span class="p">(</span><span class="n">cfg</span> <span class="o">*</span><span class="n">Config</span><span class="p">)</span> <span class="p">(</span><span class="kt">float64</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">price</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">fetchPriceUSD</span><span class="p">(</span><span class="n">cfg</span><span class="o">.</span><span class="n">Quote0Address</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="m">0</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Print</span><span class="p">(</span><span class="s">"</span><span class="err">\0</span><span class="s">33[2J</span><span class="err">\0</span><span class="s">33[H"</span><span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Price:"</span><span class="p">,</span> <span class="n">price</span><span class="p">)</span> <span class="k">return</span> <span class="n">price</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">cfg</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">LoadConfig</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"config erro: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">db</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">InitDB</span><span class="p">(</span><span class="n">cfg</span><span class="o">.</span><span class="n">DBPath</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"db erro: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">db</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="n">state</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">LoadBotState</span><span class="p">(</span><span class="n">db</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"erro carregando estado: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">cycle</span> <span class="o">:=</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="n">price</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">monitor</span><span class="p">(</span><span class="n">cfg</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"erro monitorando preço: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">if</span> <span class="o">!</span><span class="n">state</span><span class="o">.</span><span class="n">IsOpened</span> <span class="o">&amp;&amp;</span> <span class="n">price</span> <span class="o">&lt;=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">PriceToBuy</span> <span class="p">{</span> <span class="n">state</span><span class="o">.</span><span class="n">IsOpened</span> <span class="o">=</span> <span class="no">true</span> <span class="n">state</span><span class="o">.</span><span class="n">EntryPrice</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">price</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">SaveBotState</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">state</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"erro salvando estado (swap in): %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Swap in (entry=%.6f)</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">price</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">target</span> <span class="o">:=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">PriceToBuy</span> <span class="o">*</span> <span class="n">cfg</span><span class="o">.</span><span class="n">Profitability</span> <span class="k">if</span> <span class="n">state</span><span class="o">.</span><span class="n">IsOpened</span> <span class="o">&amp;&amp;</span> <span class="n">price</span> <span class="o">&gt;=</span> <span class="n">target</span> <span class="p">{</span> <span class="n">state</span><span class="o">.</span><span class="n">IsOpened</span> <span class="o">=</span> <span class="no">false</span> <span class="n">state</span><span class="o">.</span><span class="n">EntryPrice</span> <span class="o">=</span> <span class="no">nil</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">SaveBotState</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">state</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"erro salvando estado (swap out): %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Swap out (target=%.6f)</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">target</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">if</span> <span class="n">state</span><span class="o">.</span><span class="n">IsOpened</span> <span class="o">&amp;&amp;</span> <span class="n">state</span><span class="o">.</span><span class="n">EntryPrice</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Wait... (opened at %.6f, target %.6f)</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">state</span><span class="o">.</span><span class="n">EntryPrice</span><span class="p">,</span> <span class="n">target</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Wait..."</span><span class="p">)</span> <span class="p">}</span> <span class="n">cycle</span><span class="p">()</span> <span class="n">ticker</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">NewTicker</span><span class="p">(</span><span class="m">10</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">)</span> <span class="k">defer</span> <span class="n">ticker</span><span class="o">.</span><span class="n">Stop</span><span class="p">()</span> <span class="k">for</span> <span class="k">range</span> <span class="n">ticker</span><span class="o">.</span><span class="n">C</span> <span class="p">{</span> <span class="n">cycle</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Execução </h2> <p>Com os arquivos criados e o <code>.env</code> preenchido, execute o projeto a partir da raiz. O console exibirá o preço e a decisão correspondente do ciclo. Quando o preço atingir o alvo de compra, aparecerá a indicação de entrada e o estado será salvo. Quando alcançar o alvo de lucro com posição aberta, a saída será registrada. Se o programa for encerrado e reiniciado, a leitura do banco restaurará a situação anterior.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go run <span class="nb">.</span> </code></pre> </div> <h2> Encerramento </h2> <p>Com esta base consolidada, você tem um esqueleto funcional capaz de observar preço, tomar decisões simuladas e manter consistência entre execuções por meio de SQLite. Na <strong>Parte 2</strong>, em vez de montar e enviar a transação on-chain localmente, o fluxo de <strong>swap será executado via gRPC</strong>: o cliente em <strong>Go</strong> fará chamadas a um serviço gRPC responsável por cotar e processar a operação de compra e venda. Esse serviço receberá parâmetros como <code>chain_id</code>, <code>token_in</code>, <code>token_out</code>, <code>amount</code>, <code>max_slippage</code> e <code>wallet</code>, retornará métricas de pré-troca (por exemplo, o <em>assumedAmountOut</em>) e cuidará da preparação/execução da transação, incluindo roteamento, montagem do payload, assinatura e envio, além do retorno do hash e do recibo quando confirmada.</p> <p>Do ponto de vista de arquitetura, o cliente Go apenas <strong>disciplina a orquestração</strong>: abre o canal gRPC, envia a requisição de <code>Quote/Execute</code>, aguarda a resposta (com sucesso ou erro tratado) e registra estado/telemetria. O serviço gRPC concentra a <strong>lógica sensível</strong>: integração com o roteador (para encontrar a melhor rota), aplicação de <em>slippage</em> máxima, políticas de <em>deadline</em> e <em>retries</em>, idempotência por chave, auditoria, observabilidade e segurança de chaves (sem trafegar <code>PRIVATE_KEY</code> pelo cliente). A assinatura pode ficar no servidor (HSM, KMS ou cofre) ou ser separada em um <em>signer</em> dedicado, mantendo o cliente leve e sem material sensível.</p> <p>Finalmente, a evolução natural é: o bot em Go continua decidindo <strong>quando</strong> agir, persiste o estado no SQLite, e a <strong>execução do swap</strong> passa a ser um <strong>contrato gRPC</strong> bem definido com <em>protobufs</em> para <strong>cotação e execução</strong>, entregando robustez operacional, isolamento de segredos e padronização de erros/logs para produção.</p> <h2> Referências </h2> <p>Go. (2025, 25 fevereiro). <em>The Go programming language specification</em>. go.dev. <a href="https://go.dev/ref/spec" rel="noopener noreferrer">https://go.dev/ref/spec</a> (<a href="https://go.dev/ref/spec?utm_source=chatgpt.com" rel="noopener noreferrer">Go</a>)</p> <p>Go. (n.d.). <em>Documentation</em>. go.dev. <a href="https://go.dev/doc/" rel="noopener noreferrer">https://go.dev/doc/</a> (<a href="https://go.dev/doc/?utm_source=chatgpt.com" rel="noopener noreferrer">Go</a>)</p> <p>gRPC. (2024, 25 novembro). <em>Basics tutorial | Go</em>. grpc.io. <a href="https://grpc.io/docs/languages/go/basics/" rel="noopener noreferrer">https://grpc.io/docs/languages/go/basics/</a> (<a href="https://grpc.io/docs/languages/go/basics/?utm_source=chatgpt.com" rel="noopener noreferrer">gRPC</a>)</p> <p>gRPC. (2024, 25 novembro). <em>Quick start | Go</em>. grpc.io. <a href="https://grpc.io/docs/languages/go/quickstart/" rel="noopener noreferrer">https://grpc.io/docs/languages/go/quickstart/</a> (<a href="https://grpc.io/docs/languages/go/quickstart/?utm_source=chatgpt.com" rel="noopener noreferrer">gRPC</a>)</p> <p>Protocol Buffers. (n.d.). <em>Protocol buffer basics: Go</em>. protobuf.dev. <a href="https://protobuf.dev/getting-started/gotutorial/" rel="noopener noreferrer">https://protobuf.dev/getting-started/gotutorial/</a> (<a href="https://protobuf.dev/getting-started/gotutorial/?utm_source=chatgpt.com" rel="noopener noreferrer">protobuf.dev</a>)</p> <p>Equipe go-ethereum (Geth). (2024, 24 maio). <em>Getting started with Geth</em>. geth.ethereum.org. <a href="https://geth.ethereum.org/docs/getting-started" rel="noopener noreferrer">https://geth.ethereum.org/docs/getting-started</a> (<a href="https://geth.ethereum.org/docs/getting-started?utm_source=chatgpt.com" rel="noopener noreferrer">go-ethereum</a>)</p> <p>Go Ethereum. (n.d.). <em>github.com/ethereum/go-ethereum</em> (API em Go). pkg.go.dev. <a href="https://pkg.go.dev/github.com/ethereum/go-ethereum" rel="noopener noreferrer">https://pkg.go.dev/github.com/ethereum/go-ethereum</a> (<a href="https://pkg.go.dev/github.com/ethereum/go-ethereum?utm_source=chatgpt.com" rel="noopener noreferrer">Go Packages</a>)</p> <p>modernc.org. (2025, 11 agosto). <em>sqlite package</em> (driver SQLite sem CGO). pkg.go.dev. <a href="https://pkg.go.dev/modernc.org/sqlite" rel="noopener noreferrer">https://pkg.go.dev/modernc.org/sqlite</a> (<a href="https://pkg.go.dev/modernc.org/sqlite?utm_source=chatgpt.com" rel="noopener noreferrer">Go Packages</a>)</p> <p>Joho. (n.d.). <em>joho/godotenv</em> [Repositório]. GitHub. <a href="https://github.com/joho/godotenv" rel="noopener noreferrer">https://github.com/joho/godotenv</a> (<a href="https://github.com/joho/godotenv?utm_source=chatgpt.com" rel="noopener noreferrer">GitHub</a>)</p> <p>Sushi. (2025, 13 setembro). <em>Pricing API documentation</em>. docs.sushi.com. <a href="https://docs.sushi.com/api/examples/pricing" rel="noopener noreferrer">https://docs.sushi.com/api/examples/pricing</a> (<a href="https://docs.sushi.com/api/examples/pricing?utm_source=chatgpt.com" rel="noopener noreferrer">docs.sushi.com</a>)</p> <p>gRPC-Go. (n.d.). <em>google.golang.org/grpc</em> (pacote em Go). pkg.go.dev. <a href="https://pkg.go.dev/google.golang.org/grpc" rel="noopener noreferrer">https://pkg.go.dev/google.golang.org/grpc</a> (<a href="https://pkg.go.dev/google.golang.org/grpc?utm_source=chatgpt.com" rel="noopener noreferrer">Go Packages</a>)</p> <h2> 💡Curtiu? </h2> <p>Se quiser trocar ideia sobre IA, cloud e arquitetura, me segue nas redes:</p> <ul> <li><a href="https://olink.ai/sertaoseracloud" rel="noopener noreferrer">Redes Sociais</a></li> </ul> <p>Publico conteúdos técnicos direto do campo de batalha. E quando descubro uma ferramenta que economiza tempo e resolve bem, como essa, você fica sabendo também.</p> web3 go programming blockchain Autenticação Segura com Microsoft Entra ID para desenvolvedores Typescript Cláudio Filipe Lima Rapôso Tue, 23 Sep 2025 18:32:42 +0000 https://forem.com/sertaoseracloud/autenticacao-segura-com-microsoft-entra-id-para-desenvolvedores-typescript-2c1b https://forem.com/sertaoseracloud/autenticacao-segura-com-microsoft-entra-id-para-desenvolvedores-typescript-2c1b <p>Aplicações modernas funcionam raramente isoladas. Muitas vezes temos um <strong>frontend</strong> que lida com a experiência do usuário, e um <strong>backend</strong> que concentra as regras de negócio e o acesso a dados sensíveis.<br> Garantir que apenas usuários autenticados consigam acessar esses recursos é fundamental.</p> <p>Neste artigo, vamos construir uma solução que utiliza <strong>Next.js</strong> como frontend, integrando a autenticação com o <strong>Microsoft Entra ID</strong> (antigo Azure Active Directory), e um <strong>backend em Node/TypeScript</strong> que valida tokens JWT emitidos pelo Entra ID antes de liberar o acesso a rotas protegidas.</p> <h2> Arquitetura Geral </h2> <p>A solução pode ser entendida em cinco passos principais:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi7xs8s06xm0c6vouyytx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi7xs8s06xm0c6vouyytx.png" alt="Diagrama de Sequência" width="723" height="541"></a></p> <ol> <li>O usuário acessa a aplicação em <strong>Next.js</strong> e inicia o login.</li> <li>O <strong>NextAuth.js</strong> redireciona o usuário para o Microsoft Entra ID.</li> <li>Após a autenticação, o Entra ID retorna um <strong>ID Token</strong> e um <strong>Access Token</strong> para o Next.js.</li> <li>O frontend envia o <strong>Access Token</strong> ao backend, no header <code>Authorization: Bearer &lt;token&gt;</code>.</li> <li>O backend valida o token contra o serviço de chaves públicas (JWKS) do Entra ID.</li> </ol> <ul> <li>Se válido → rota protegida é acessada.</li> <li>Se inválido/expirado → resposta <code>401 Unauthorized</code>.</li> </ul> <h2> 1. Configuração no Entra ID </h2> <p>No <strong>Azure Portal</strong>:</p> <ul> <li>Vá em <strong>Microsoft Entra ID → App registrations → New registration</strong>.</li> <li> <p>Preencha os campos:</p> <ul> <li> <strong>Name</strong>: <code>nextjs-auth-app</code> </li> <li> <strong>Redirect URI</strong>: <code>http://localhost:3000/api/auth/callback</code> </li> <li>Ative <strong>ID tokens</strong> e <strong>Access tokens</strong>.</li> </ul> </li> <li> <p>Salve as credenciais:</p> <ul> <li><strong>Application (client) ID</strong></li> <li><strong>Directory (tenant) ID</strong></li> <li> <strong>Client Secret</strong> (criado manualmente em <em>Certificates &amp; secrets</em>).</li> </ul> </li> </ul> <h2> 2. Frontend Next.js com NextAuth </h2> <h3> Instalação </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>next-auth @azure/msal-node </code></pre> </div> <h3> Variáveis de ambiente </h3> <p>Arquivo <code>.env.local</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">AZURE_AD_CLIENT_ID</span><span class="o">=</span>&lt;Application ID&gt; <span class="c"># ID da aplicação registrada no Entra ID</span> <span class="nv">AZURE_AD_CLIENT_SECRET</span><span class="o">=</span>&lt;Client Secret&gt; <span class="c"># Segredo do app (não expor no frontend)</span> <span class="nv">AZURE_AD_TENANT_ID</span><span class="o">=</span>&lt;Directory ID&gt; <span class="c"># Tenant (diretório da organização)</span> <span class="nv">NEXTAUTH_URL</span><span class="o">=</span>http://localhost:3000 <span class="c"># URL da aplicação Next.js</span> <span class="nv">NEXTAUTH_SECRET</span><span class="o">=</span>&lt;chave-aleatória&gt; <span class="c"># Chave para assinar JWT de sessão</span> </code></pre> </div> <h3> Configuração do NextAuth </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">NextAuth</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">AzureADProvider</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth/providers/azure-ad</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Configuração principal do NextAuth</span> <span class="k">export</span> <span class="k">default</span> <span class="nc">NextAuth</span><span class="p">({</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// Habilita login com Microsoft Entra ID (Azure AD)</span> <span class="nc">AzureADProvider</span><span class="p">({</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_AD_CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="c1">// ID do app registrado no Entra ID</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_AD_CLIENT_SECRET</span><span class="o">!</span><span class="p">,</span><span class="c1">// Segredo do cliente (guardado no backend)</span> <span class="na">tenantId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_AD_TENANT_ID</span><span class="o">!</span><span class="p">,</span> <span class="c1">// ID do diretório (tenant)</span> <span class="p">}),</span> <span class="p">],</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">"</span><span class="s2">jwt</span><span class="dl">"</span> <span class="p">},</span> <span class="c1">// Sessões baseadas em JWT (sem persistência no BD)</span> <span class="na">callbacks</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// Callback executado ao criar/atualizar JWT</span> <span class="k">async</span> <span class="nf">jwt</span><span class="p">({</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">account</span> <span class="p">})</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">account</span><span class="p">)</span> <span class="nx">token</span><span class="p">.</span><span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">account</span><span class="p">.</span><span class="nx">access_token</span><span class="p">;</span> <span class="c1">// Armazena o accessToken no token</span> <span class="k">return</span> <span class="nx">token</span><span class="p">;</span> <span class="p">},</span> <span class="c1">// Callback executado ao montar a sessão</span> <span class="k">async</span> <span class="nf">session</span><span class="p">({</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">token</span> <span class="p">})</span> <span class="p">{</span> <span class="nx">session</span><span class="p">.</span><span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">accessToken</span> <span class="k">as</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// Inclui o accessToken na sessão</span> <span class="k">return</span> <span class="nx">session</span><span class="p">;</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Componente de Login/Logout (<code>AuthButton.tsx</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Necessário porque usamos interações de browser (signIn/signOut)</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">signIn</span><span class="p">,</span> <span class="nx">signOut</span><span class="p">,</span> <span class="nx">useSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth/react</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">AuthButton</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">session</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useSession</span><span class="p">();</span> <span class="c1">// Hook que recupera a sessão atual</span> <span class="k">if </span><span class="p">(</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Caso o usuário esteja logado</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">signOut</span><span class="p">()</span><span class="si">}</span><span class="p">&gt;</span> Sair (<span class="si">{</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">name</span><span class="si">}</span>) <span class="si">{</span><span class="cm">/* Mostra o nome do usuário logado */</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Caso não esteja logado</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">signIn</span><span class="p">(</span><span class="dl">"</span><span class="s2">azure-ad</span><span class="dl">"</span><span class="p">)</span><span class="si">}</span><span class="p">&gt;</span> Entrar com Entra ID <span class="si">{</span><span class="cm">/* Chama fluxo de login no Entra ID */</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Tela Principal (<code>page.tsx</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="nx">AuthButton</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./components/AuthButton</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Importa o botão de login/logout</span> <span class="k">import</span> <span class="nx">Link</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/link</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Home</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">main</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">padding</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2rem</span><span class="dl">"</span> <span class="p">}</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>🔐 Demo de Autenticação com Entra ID<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Botão que mostra "Entrar" ou "Sair", dependendo da sessão */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">AuthButton</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">hr</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">margin</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2rem 0</span><span class="dl">"</span> <span class="p">}</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="si">{</span><span class="cm">/* Link para acessar página protegida */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nc">Link</span> <span class="na">href</span><span class="p">=</span><span class="s">"/protected"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span><span class="p">&gt;</span>Acessar página protegida<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nc">Link</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">main</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 3. Server Component: Página Protegida </h2> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">authOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../api/auth/[...nextauth]/route</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getServerSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next-auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">ProtectedPage</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Recupera a sessão no lado do servidor</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getServerSession</span><span class="p">(</span><span class="nx">authOptions</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Caso o usuário não esteja autenticado</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Você precisa estar logado.<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;;</span> <span class="p">}</span> <span class="c1">// Faz requisição ao backend protegido enviando o accessToken no header</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://localhost:4000/api/secure-data</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">session</span><span class="p">.</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="c1">// Token nunca vai para o client</span> <span class="p">},</span> <span class="na">cache</span><span class="p">:</span> <span class="dl">"</span><span class="s2">no-store</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Garante que não será cacheado</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h2</span><span class="p">&gt;</span>Olá, <span class="si">{</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">name</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h2</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Nome do usuário logado */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">pre</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">pre</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Dados retornados da API */</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 4. Backend Node/TypeScript </h2> <h3> Dependências </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>express jwks-rsa express-jwt </code></pre> </div> <h3> Código (<code>src/index.ts</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">expressjwt</span> <span class="k">as</span> <span class="nx">jwt</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express-jwt</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwksRsa</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jwks-rsa</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">4000</span><span class="p">;</span> <span class="c1">// Middleware que valida o JWT recebido</span> <span class="kd">const</span> <span class="nx">checkJwt</span> <span class="o">=</span> <span class="nf">jwt</span><span class="p">({</span> <span class="c1">// Define a forma de obter as chaves públicas do Entra ID</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">jwksRsa</span><span class="p">.</span><span class="nf">expressJwtSecret</span><span class="p">({</span> <span class="na">cache</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Cache para não buscar chave toda vez</span> <span class="na">rateLimit</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Limite de requisições para JWKS</span> <span class="na">jwksRequestsPerMinute</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// Máx. 10 req/min</span> <span class="na">jwksUri</span><span class="p">:</span> <span class="s2">`https://login.microsoftonline.com/</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_AD_TENANT_ID</span><span class="p">}</span><span class="s2">/discovery/v2.0/keys`</span><span class="p">,</span> <span class="p">})</span> <span class="k">as</span> <span class="kr">any</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_AD_CLIENT_ID</span><span class="p">,</span> <span class="c1">// Valida se o token é para este app</span> <span class="na">issuer</span><span class="p">:</span> <span class="s2">`https://login.microsoftonline.com/</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_AD_TENANT_ID</span><span class="p">}</span><span class="s2">/v2.0`</span><span class="p">,</span> <span class="c1">// Origem do token</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">RS256</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// Algoritmo esperado</span> <span class="p">});</span> <span class="c1">// Rota protegida: só acessa se o JWT for válido</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/secure-data</span><span class="dl">"</span><span class="p">,</span> <span class="nx">checkJwt</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Autenticado ✅</span><span class="dl">"</span><span class="p">,</span> <span class="na">claims</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">auth</span><span class="p">,</span> <span class="c1">// Retorna as claims do token decodificado</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Inicializa o servidor</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`🚀 Backend rodando em http://localhost:</span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <h2> Boas Práticas </h2> <ul> <li> <strong>Proteção de secrets</strong>: nunca exponha <code>clientSecret</code> no frontend.</li> <li> <strong>Sessões seguras</strong>: use cookies <code>httpOnly</code> ou JWT fornecidos pelo NextAuth.</li> <li> <strong>Validação rigorosa</strong>: configure corretamente <code>audience</code> e <code>issuer</code>.</li> <li> <strong>Observabilidade</strong>: registre logs de falhas de autenticação.</li> <li> <strong>Escalabilidade</strong>: esse padrão permite múltiplos serviços validando tokens sem depender do frontend.</li> </ul> <h2> Conclusão </h2> <p>Com essa arquitetura, garantimos um fluxo seguro de ponta a ponta:</p> <ul> <li>O <strong>Next.js</strong> gerencia autenticação e sessão do usuário.</li> <li>O <strong>backend Node/TS</strong> valida tokens antes de liberar dados sensíveis.</li> <li>O <strong>Microsoft Entra ID</strong> centraliza a identidade, oferecendo segurança corporativa.</li> </ul> <p>Esse modelo é flexível e pode ser expandido para <strong>microsserviços</strong> ou <strong>integração com APIs da Microsoft (Graph API)</strong>.</p> <h2> Referências </h2> <ul> <li><p>Microsoft Corporation. (2024a). <em>Microsoft identity platform documentation</em>. Microsoft Learn.<br> <a href="https://learn.microsoft.com/en-us/azure/active-directory/develop/?wt.mc_id=MVP_324660" rel="noopener noreferrer">https://learn.microsoft.com/en-us/azure/active-directory/develop/</a></p></li> <li><p>Microsoft Corporation. (2024b). <em>Microsoft Entra ID: Overview</em>. Microsoft Learn.<br> <a href="https://learn.microsoft.com/en-us/entra/identity/?wt.mc_id=MVP_324660" rel="noopener noreferrer">https://learn.microsoft.com/en-us/entra/identity/</a></p></li> <li><p>Microsoft Corporation. (2024c). <em>Configure NextAuth.js with Azure AD</em>. Microsoft Learn.<br> <a href="https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa?wt.mc_id=MVP_324660" rel="noopener noreferrer">https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa</a></p></li> <li><p>NextAuth.js. (2024). <em>NextAuth.js Documentation</em>.<br> <a href="https://next-auth.js.org/" rel="noopener noreferrer">https://next-auth.js.org/</a></p></li> <li><p>Auth0 Inc. (2024). <em>Introduction to JWTs</em>.<br> <a href="https://auth0.com/intro-to-jwt" rel="noopener noreferrer">https://auth0.com/intro-to-jwt</a></p></li> </ul> webdev programming nextjs azure Criando um Sidecar em Go para acessar o Microsoft Graph via gRPC Cláudio Filipe Lima Rapôso Thu, 18 Sep 2025 11:20:29 +0000 https://forem.com/sertaoseracloud/criando-um-sidecar-em-go-para-acessar-o-microsoft-graph-via-grpc-2ghb https://forem.com/sertaoseracloud/criando-um-sidecar-em-go-para-acessar-o-microsoft-graph-via-grpc-2ghb <p>O <strong>Microsoft Graph</strong> é a porta de entrada para os serviços da Microsoft 365. Ele permite acessar informações como:</p> <ul> <li>Dados de <strong>usuários</strong> e <strong>grupos</strong>.</li> <li> <strong>Emails</strong> e <strong>calendários</strong> do Outlook.</li> <li> <strong>Arquivos</strong> no OneDrive.</li> <li> <strong>Mensagens</strong> no Teams.</li> </ul> <p>Mas para chamar o Graph, não basta fazer um <code>GET</code> com <code>http.Client</code>.<br> É necessário <strong>autenticar</strong> via <strong>Microsoft Entra ID</strong> (antigo Azure Active Directory), obter um <strong>Access Token OAuth2</strong>, e então usá-lo em cada requisição.</p> <p>👉 Isso pode complicar a aplicação principal, que precisa conhecer detalhes de autenticação.<br> Uma solução elegante é usar o <strong>padrão Sidecar</strong>: um serviço auxiliar, rodando ao lado da aplicação, que cuida dessa complexidade.</p> <h2> 1. O que é um Sidecar? </h2> <p>Imagine que você tem uma aplicação (em Go, .NET, Python, etc) que precisa acessar o Graph.</p> <p>Você pode embutir a lógica de autenticação dentro dela. Mas, se várias aplicações precisarem fazer isso, você terá código duplicado em todos os lugares.</p> <p>O <strong>sidecar</strong> resolve esse problema:</p> <ul> <li>É um pequeno serviço separado (nesse caso em Go) que fica rodando ao lado da aplicação.</li> <li>Ele <strong>fala com o Microsoft Entra ID</strong> para buscar tokens.</li> <li>Ele <strong>chama o Microsoft Graph</strong>.</li> <li>Ele expõe uma API simples (via gRPC) para que a aplicação principal possa apenas pedir:</li> </ul> <blockquote> <p>"Me dê os dados do usuário X"<br> E o sidecar cuida do resto.</p> </blockquote> <p>📌 Em arquiteturas <strong>Kubernetes</strong>, o sidecar roda no mesmo pod da aplicação principal.</p> <p>Isso significa que a aplicação acessa o sidecar por <code>localhost</code>, sem depender da rede externa.</p> <h2> 2. Arquitetura </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1b40giqk7wh6b2orclic.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1b40giqk7wh6b2orclic.png" alt="Diagrama de Sequência" width="800" height="518"></a></p> <p>📌 O que acontece:</p> <ol> <li>A aplicação chama <code>GetUser</code> no sidecar.</li> <li>O sidecar verifica se já tem um <strong>Access Token válido em cache</strong>.</li> </ol> <ul> <li>Se não tiver, pede um novo ao <strong>Microsoft Entra ID</strong>. <ol> <li>O sidecar chama o <strong>Microsoft Graph</strong> passando o token no header.</li> <li>O Graph devolve os dados do usuário.</li> <li>O sidecar converte para <code>UserResponse</code> e devolve para a aplicação via gRPC.</li> </ol> </li> </ul> <h2> 3. Definindo o contrato gRPC </h2> <p>Antes do código Go, precisamos definir o <strong>contrato de comunicação</strong>.</p> <p>Crie o arquivo <code>graph.proto</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight protobuf"><code><span class="na">syntax</span> <span class="o">=</span> <span class="s">"proto3"</span><span class="p">;</span> <span class="kn">package</span> <span class="nn">graph</span><span class="p">;</span> <span class="c1">// Serviço que o sidecar vai expor</span> <span class="kd">service</span> <span class="n">GraphService</span> <span class="p">{</span> <span class="k">rpc</span> <span class="n">GetUser</span> <span class="p">(</span><span class="n">UserRequest</span><span class="p">)</span> <span class="k">returns</span> <span class="p">(</span><span class="n">UserResponse</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Requisição: o cliente pode passar um user_id</span> <span class="c1">// Se vazio, o sidecar consulta o "me" (usuário atual)</span> <span class="kd">message</span> <span class="nc">UserRequest</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">user_id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Resposta: dados básicos do usuário no Graph</span> <span class="kd">message</span> <span class="nc">UserResponse</span> <span class="p">{</span> <span class="kt">string</span> <span class="na">id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="kt">string</span> <span class="na">display_name</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="kt">string</span> <span class="na">given_name</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="kt">string</span> <span class="na">surname</span> <span class="o">=</span> <span class="mi">4</span><span class="p">;</span> <span class="kt">string</span> <span class="na">user_principal_name</span> <span class="o">=</span> <span class="mi">5</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Explicando </h3> <ul> <li>O serviço <code>GraphService</code> expõe o método <code>GetUser</code>.</li> <li> <code>UserRequest</code> permite consultar um usuário específico (<code>users/{id}</code>) ou o próprio usuário (<code>me</code>).</li> <li> <code>UserResponse</code> retorna alguns campos comuns do Graph.</li> </ul> <h3> Gerando código Go </h3> <p>Com o <code>protoc</code> instalado, rode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>protoc <span class="nt">--go_out</span><span class="o">=</span><span class="nb">.</span> <span class="nt">--go-grpc_out</span><span class="o">=</span><span class="nb">.</span> graph.proto </code></pre> </div> <p>Isso gera os arquivos <code>.pb.go</code>, que contêm as interfaces gRPC que implementaremos.</p> <h2> 4. Implementando o sidecar em Go </h2> <h3> 4.1 Estrutura base </h3> <p>Crie um arquivo <code>sidecar.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"bytes"</span> <span class="s">"context"</span> <span class="s">"encoding/json"</span> <span class="s">"fmt"</span> <span class="s">"io"</span> <span class="s">"net"</span> <span class="s">"net/http"</span> <span class="s">"os"</span> <span class="s">"sync"</span> <span class="s">"time"</span> <span class="n">pb</span> <span class="s">"example.com/graph/proto"</span> <span class="c">// ajuste para o caminho correto</span> <span class="s">"google.golang.org/grpc"</span> <span class="p">)</span> <span class="k">const</span> <span class="p">(</span> <span class="n">tokenURL</span> <span class="o">=</span> <span class="s">"https://login.microsoftonline.com/%s/oauth2/v2.0/token"</span> <span class="n">graphURL</span> <span class="o">=</span> <span class="s">"https://graph.microsoft.com/v1.0/%s"</span> <span class="p">)</span> <span class="c">// Servidor gRPC que vai rodar como sidecar</span> <span class="k">type</span> <span class="n">server</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">pb</span><span class="o">.</span><span class="n">UnimplementedGraphServiceServer</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">Mutex</span> <span class="n">accessToken</span> <span class="kt">string</span> <span class="n">expiration</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> </code></pre> </div> <p>📌 Aqui definimos:</p> <ul> <li>As constantes com os endpoints de autenticação (Entra ID) e do Graph.</li> <li> <p>Uma struct <code>server</code> que:</p> <ul> <li>Implementa nosso serviço gRPC.</li> <li>Guarda em memória (<code>accessToken</code>, <code>expiration</code>) o último token obtido.</li> </ul> </li> </ul> <h3> 4.2 Gerenciamento de Token </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">server</span><span class="p">)</span> <span class="n">getToken</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">(</span><span class="kt">string</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">s</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">s</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="c">// Se já temos token válido, reutiliza</span> <span class="k">if</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">Before</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">expiration</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">s</span><span class="o">.</span><span class="n">accessToken</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">s</span><span class="o">.</span><span class="n">accessToken</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Senão, pede um novo token ao Entra ID</span> <span class="n">tenantID</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"ENTRA_TENANT_ID"</span><span class="p">)</span> <span class="n">clientID</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"ENTRA_CLIENT_ID"</span><span class="p">)</span> <span class="n">clientSecret</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"ENTRA_CLIENT_SECRET"</span><span class="p">)</span> <span class="n">url</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="n">tokenURL</span><span class="p">,</span> <span class="n">tenantID</span><span class="p">)</span> <span class="n">data</span> <span class="o">:=</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span> <span class="s">"client_id=%s&amp;scope=https%%3A%%2F%%2Fgraph.microsoft.com%%2F.default&amp;client_secret=%s&amp;grant_type=client_credentials"</span><span class="p">,</span> <span class="n">clientID</span><span class="p">,</span> <span class="n">clientSecret</span><span class="p">,</span> <span class="p">))</span> <span class="n">req</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewRequestWithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"POST"</span><span class="p">,</span> <span class="n">url</span><span class="p">,</span> <span class="n">bytes</span><span class="o">.</span><span class="n">NewBuffer</span><span class="p">(</span><span class="n">data</span><span class="p">))</span> <span class="n">req</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/x-www-form-urlencoded"</span><span class="p">)</span> <span class="n">resp</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">DefaultClient</span><span class="o">.</span><span class="n">Do</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="s">""</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="n">body</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="k">if</span> <span class="n">resp</span><span class="o">.</span><span class="n">StatusCode</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span> <span class="p">{</span> <span class="k">return</span> <span class="s">""</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"erro ao obter token: %s"</span><span class="p">,</span> <span class="kt">string</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="p">}</span> <span class="k">var</span> <span class="n">token</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">AccessToken</span> <span class="kt">string</span> <span class="s">`json:"access_token"`</span> <span class="n">ExpiresIn</span> <span class="kt">int</span> <span class="s">`json:"expires_in"`</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">token</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="s">""</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// Atualiza cache (renova 1 min antes do vencimento)</span> <span class="n">s</span><span class="o">.</span><span class="n">accessToken</span> <span class="o">=</span> <span class="n">token</span><span class="o">.</span><span class="n">AccessToken</span> <span class="n">s</span><span class="o">.</span><span class="n">expiration</span> <span class="o">=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">(</span><span class="n">token</span><span class="o">.</span><span class="n">ExpiresIn</span><span class="o">-</span><span class="m">60</span><span class="p">)</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">)</span> <span class="k">return</span> <span class="n">s</span><span class="o">.</span><span class="n">accessToken</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> Explicando </h3> <ul> <li> <strong>Cache de token</strong>: o sidecar não pede token toda hora → economiza requisições.</li> <li> <strong>Mutex (<code>mu</code>)</strong>: garante que múltiplas chamadas concorrentes não façam <code>POST</code> ao mesmo tempo.</li> <li> <strong>Renovação antecipada</strong>: 1 minuto antes de expirar, o sidecar já pede um novo.</li> </ul> <h3> 4.3 Implementando <code>GetUser</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">server</span><span class="p">)</span> <span class="n">GetUser</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="o">*</span><span class="n">pb</span><span class="o">.</span><span class="n">UserRequest</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">pb</span><span class="o">.</span><span class="n">UserResponse</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="c">// 1. Garantir token válido</span> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">s</span><span class="o">.</span><span class="n">getToken</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// 2. Montar endpoint</span> <span class="n">userEndpoint</span> <span class="o">:=</span> <span class="s">"me"</span> <span class="k">if</span> <span class="n">req</span><span class="o">.</span><span class="n">UserId</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">userEndpoint</span> <span class="o">=</span> <span class="s">"users/"</span> <span class="o">+</span> <span class="n">req</span><span class="o">.</span><span class="n">UserId</span> <span class="p">}</span> <span class="n">url</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="n">graphURL</span><span class="p">,</span> <span class="n">userEndpoint</span><span class="p">)</span> <span class="n">httpReq</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewRequestWithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"GET"</span><span class="p">,</span> <span class="n">url</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="n">httpReq</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">,</span> <span class="s">"Bearer "</span><span class="o">+</span><span class="n">token</span><span class="p">)</span> <span class="c">// 3. Fazer requisição ao Microsoft Graph</span> <span class="n">resp</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">DefaultClient</span><span class="o">.</span><span class="n">Do</span><span class="p">(</span><span class="n">httpReq</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="n">body</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="k">if</span> <span class="n">resp</span><span class="o">.</span><span class="n">StatusCode</span> <span class="o">!=</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"erro ao buscar usuário: %s"</span><span class="p">,</span> <span class="kt">string</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="p">}</span> <span class="c">// 4. Mapear resposta para nosso UserResponse</span> <span class="k">var</span> <span class="n">user</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">user</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">pb</span><span class="o">.</span><span class="n">UserResponse</span><span class="p">{</span> <span class="n">Id</span><span class="o">:</span> <span class="n">user</span><span class="p">[</span><span class="s">"id"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">),</span> <span class="n">DisplayName</span><span class="o">:</span> <span class="n">user</span><span class="p">[</span><span class="s">"displayName"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">),</span> <span class="n">GivenName</span><span class="o">:</span> <span class="n">user</span><span class="p">[</span><span class="s">"givenName"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">),</span> <span class="n">Surname</span><span class="o">:</span> <span class="n">user</span><span class="p">[</span><span class="s">"surname"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">),</span> <span class="n">UserPrincipalName</span><span class="o">:</span> <span class="n">user</span><span class="p">[</span><span class="s">"userPrincipalName"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">),</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> Explicando </h3> <ol> <li>Pega o token em cache (ou renova).</li> <li>Define o endpoint (<code>/me</code> ou <code>/users/{id}</code>).</li> <li>Faz um <code>GET</code> no Microsoft Graph.</li> <li>Converte a resposta JSON para a struct <code>UserResponse</code>.</li> </ol> <h3> 4.4 Subindo o servidor gRPC </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">lis</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">net</span><span class="o">.</span><span class="n">Listen</span><span class="p">(</span><span class="s">"tcp"</span><span class="p">,</span> <span class="s">":50051"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">grpcServer</span> <span class="o">:=</span> <span class="n">grpc</span><span class="o">.</span><span class="n">NewServer</span><span class="p">()</span> <span class="n">pb</span><span class="o">.</span><span class="n">RegisterGraphServiceServer</span><span class="p">(</span><span class="n">grpcServer</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">server</span><span class="p">{})</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Sidecar Microsoft Graph rodando em :50051"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">grpcServer</span><span class="o">.</span><span class="n">Serve</span><span class="p">(</span><span class="n">lis</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Explicando </h3> <ul> <li>O sidecar ouve na porta <code>50051</code>.</li> <li>Ele registra o serviço <code>GraphService</code>.</li> <li>Ele fica rodando, pronto para responder às chamadas gRPC da aplicação principal.</li> </ul> <h2> 5. Executando </h2> <ol> <li>Configure variáveis de ambiente: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">export </span><span class="nv">ENTRA_CLIENT_ID</span><span class="o">=</span><span class="s2">"seu-client-id"</span> <span class="nb">export </span><span class="nv">ENTRA_CLIENT_SECRET</span><span class="o">=</span><span class="s2">"seu-client-secret"</span> <span class="nb">export </span><span class="nv">ENTRA_TENANT_ID</span><span class="o">=</span><span class="s2">"seu-tenant-id"</span> </code></pre> </div> <ol> <li>Rode o sidecar: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> go run sidecar.go </code></pre> </div> <ol> <li>Teste com <code>grpcurl</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> grpcurl <span class="nt">-plaintext</span> <span class="nt">-d</span> <span class="s1">'{}'</span> localhost:50051 graph.GraphService/GetUser </code></pre> </div> <h2> 6. Exemplo de resposta </h2> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1234abcd-..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"display_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"João Silva"</span><span class="p">,</span><span class="w"> </span><span class="nl">"given_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"João"</span><span class="p">,</span><span class="w"> </span><span class="nl">"surname"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Silva"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_principal_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"joao@empresa.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 7. Por que usar Sidecar? </h2> <ul> <li> <strong>Simplicidade</strong>: a aplicação só chama gRPC, sem se preocupar com OAuth2.</li> <li> <strong>Reuso</strong>: múltiplos serviços podem compartilhar o mesmo sidecar.</li> <li> <strong>Segurança</strong>: credenciais ficam apenas no sidecar.</li> <li> <strong>Escalabilidade</strong>: sidecars podem ser replicados em pods diferentes.</li> <li> <strong>Observabilidade</strong>: métricas e logs podem ser centralizados no sidecar.</li> </ul> <h2> Conclusão </h2> <p>Criamos um <strong>sidecar em Go</strong> que:</p> <ol> <li>Autentica no <strong>Microsoft Entra ID</strong> via <strong>Client Credentials Flow</strong>.</li> <li>Usa o <strong>Microsoft Graph</strong> para consultar usuários.</li> <li>Exponde um serviço gRPC simples para a aplicação principal.</li> </ol> <p>Com isso, conseguimos um <strong>design mais limpo, seguro e escalável</strong>, separando responsabilidades e aproveitando os benefícios do padrão Sidecar.</p> <h2> 💡Curtiu? </h2> <p>Se quiser trocar ideia sobre IA, cloud e arquitetura, me segue nas redes:</p> <ul> <li><a href="https://olink.ai/sertaoseracloud" rel="noopener noreferrer">Redes Sociais</a></li> </ul> <p>Publico conteúdos técnicos direto do campo de batalha. E quando descubro uma ferramenta que economiza tempo e resolve bem, como essa, você fica sabendo também.</p> go programming microsoftgraph grpc