SDLC Topics for AWS Certified DevOps Professional


Introduction

AWS DevOps Engineer Professional is one of the toughest AWS examinations: it not only tests knowledge but also demands sustained concentration during the 3 hours of the exam. It has 6 domains; in this blog I will cover the first domain, SDLC Automation (Software Development Lifecycle).

Topics and AWS Services

  • CodeCommit: triggers, notifications and integration with Lambda functions
  • CodeBuild
  • CodeDeploy
  • CodePipeline

Code Commit

CodeCommit provides version control with the ability to track changes to the code, using Git as the version control system. AWS CodeCommit offers a private Git repository solution with no size limit on repositories; it is fully managed and scalable, encrypts repositories in transit and at rest, and can be integrated with Jenkins, CodeBuild and other CI tools.

Question: How would you restrict junior developers from pushing to and merging into protected branches in AWS CodeCommit?
Answer: Attach an IAM policy to the developers' IAM group or role that denies the push and merge actions on the repository when the codecommit:References condition key names the protected branch (for example refs/heads/main). An AWS blog post covers exactly this.
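As an added example (not from the original post or the AWS blog it mentions), the policy below builds that Deny statement and includes a small evaluator that mirrors how IAM reads the two condition operators, so you can see which requests are blocked before attaching it. The repository ARN, account ID and branch names are hypothetical.

```python
import json

# Hypothetical repository ARN and protected branch names; substitute your own.
REPO_ARN = "arn:aws:codecommit:us-east-1:123456789012:MyDemoRepo"
PROTECTED_REFS = ["refs/heads/main", "refs/heads/release"]

# Actions that write to a branch directly or merge into it. Denying these on the
# protected refs blocks direct pushes and merges there while leaving feature
# branches, pull-request creation and reads untouched.
WRITE_ACTIONS = [
    "codecommit:GitPush",
    "codecommit:DeleteBranch",
    "codecommit:PutFile",
    "codecommit:MergeBranchesByFastForward",
    "codecommit:MergeBranchesBySquash",
    "codecommit:MergeBranchesByThreeWay",
    "codecommit:MergePullRequestByFastForward",
    "codecommit:MergePullRequestBySquash",
    "codecommit:MergePullRequestByThreeWay",
]


def branch_protection_policy(repo_arn, protected_refs):
    """Return an IAM policy document that denies writes to the protected refs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": WRITE_ACTIONS,
                "Resource": repo_arn,
                "Condition": {
                    # Match when the request names one of the protected refs ...
                    "StringEqualsIfExists": {"codecommit:References": protected_refs},
                    # ... and only when the request carries a reference at all, so
                    # API calls without one are unaffected.
                    "Null": {"codecommit:References": "false"},
                },
            }
        ],
    }


def is_denied(policy, action, resource, reference=None):
    """Evaluate the Deny statement against one request.

    `reference` is the value the codecommit:References key would carry (None when
    the call has no ref). StringEqualsIfExists passes when the key is absent;
    Null "false" requires the key to be present. Both must hold to deny.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        if stmt["Resource"] != resource:
            continue
        cond = stmt["Condition"]
        if cond["Null"]["codecommit:References"] == "false" and reference is None:
            continue  # no reference on the request: Null condition not satisfied
        protected = cond["StringEqualsIfExists"]["codecommit:References"]
        if reference is not None and reference not in protected:
            continue  # reference present but not a protected branch
        return True
    return False


def policy_json():
    """The document as you would paste it into the IAM console."""
    return json.dumps(branch_protection_policy(REPO_ARN, PROTECTED_REFS), indent=2)


if __name__ == "__main__":
    print(policy_json())
```

An explicit Deny overrides any Allow, so attach this policy only to the junior developers' group next to their normal CodeCommit permissions, and keep it off the group whose members are meant to merge into main.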

Code commit integration with Lambda

I personally find this feature very cool: you can have a Lambda function and set up a trigger based on CodeCommit events. It's very simple:

  • On the AWS Console, open the Lambda console and create a function with a Python 3 runtime.
  • Once the function is created, under Configuration, add a trigger.
  • Configure the trigger as shown in the screenshot below. The trigger fires on repository events such as a push to a branch (all branches or only the ones you name), and creating it grants CodeCommit permission to invoke the function.

[Screenshot: CodeCommit trigger configuration in the Lambda console]

For Python 3, add the following code to your Lambda function. It looks up the repository through the CodeCommit API, so the function's execution role needs codecommit:GetRepository on that repository -

import json
import boto3

codecommit = boto3.client('codecommit')

def lambda_handler(event, context):
    # Log the updated references (branches/tags) carried by the trigger event
    references = { reference['ref'] for reference in event['Records'][0]['codecommit']['references'] }
    print("References: "  + str(references))

    # The repository name is the sixth colon-separated field of the event source ARN
    # (arn:aws:codecommit:region:account-id:repository-name); look it up and show its clone URL
    repository = event['Records'][0]['eventSourceARN'].split(':')[5]
    try:
        response = codecommit.get_repository(repositoryName=repository)
        print("Clone URL: " + response['repositoryMetadata']['cloneUrlHttp'])
        return response['repositoryMetadata']['cloneUrlHttp']
    except Exception as e:
        print(e)
        print('Error getting repository {}. Make sure it exists and that your repository is in the same region as this function.'.format(repository))
        raise e

Here is a link to the full article
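The sample above only logs the refs and clone URL. As an added example (not from the original post), the handler below does what a trigger is usually wanted for in practice: it pulls the pusher's identity and the touched refs out of every record and flags pushes to protected branches, which is the event you would want notified or audited. The event is constructed in the shape CodeCommit sends to Lambda; the repository, account, ARNs and commit IDs are made up.

```python
# Constructed CodeCommit trigger event in the shape the service delivers to
# Lambda (repository, account, ARNs and commit IDs are made up).
SAMPLE_EVENT = {
    "Records": [
        {
            "awsRegion": "us-east-1",
            "codecommit": {
                "references": [
                    {"commit": "5c4ef1049f1d27deadbeeff313e0730018be182b", "ref": "refs/heads/main"},
                    {"commit": "9f2a0d7c1e3b5a7d9c1b3e5f7a9c1b3e5f7a9c1b", "ref": "refs/heads/feature-42"},
                ]
            },
            "eventSource": "aws:codecommit",
            "eventSourceARN": "arn:aws:codecommit:us-east-1:123456789012:MyDemoRepo",
            "eventTime": "2021-09-22T01:25:19.000+0000",
            "eventTriggerName": "push-audit",
            "userIdentityARN": "arn:aws:iam::123456789012:user/junior-dev",
        }
    ]
}

# Branches whose updates should raise an alert (hypothetical list).
PROTECTED_REFS = {"refs/heads/main", "refs/heads/release"}


def repository_name(record):
    # The repository name is the sixth colon-separated field of the source ARN.
    return record["eventSourceARN"].split(":")[5]


def audit_push(event, protected=PROTECTED_REFS):
    """Summarise each record: who pushed, to which repository, which refs were
    updated, and which of those are protected. Returns one dict per record."""
    findings = []
    for record in event.get("Records", []):
        refs = {r["ref"] for r in record["codecommit"]["references"]}
        findings.append({
            "repository": repository_name(record),
            "pusher": record.get("userIdentityARN", "unknown"),
            "refs": sorted(refs),
            "protected_refs_touched": sorted(refs & set(protected)),
        })
    return findings


def lambda_handler(event, context):
    # Everything printed here lands in the function's CloudWatch Logs stream.
    findings = audit_push(event)
    for f in findings:
        if f["protected_refs_touched"]:
            print(f"ALERT: {f['pusher']} updated {f['protected_refs_touched']} in {f['repository']}")
        else:
            print(f"push by {f['pusher']} to {f['refs']} in {f['repository']}")
    return findings


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, None)
```

Because this handler only reads the event, its execution role needs no CodeCommit permissions beyond the basic Lambda logging role; add an SNS publish or similar if the alert should go somewhere other than the log.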

Code Build

CodeBuild is a fully managed build service and an alternative to build tools like Jenkins. It integrates with KMS for encryption of build artifacts, IAM for build permissions, VPC for network isolation of the build environment, and CloudTrail for logging of API calls.

Points to remember -

1) Integration with source code from GitHub, CodeCommit, S3 etc.
2) Build instructions are defined in a buildspec.yml file
3) Logs can be sent to CloudWatch Logs or S3
4) CloudWatch metrics to monitor CodeBuild statistics
5) CloudWatch Events can detect failed builds and trigger notifications

buildspec.yml file -

This is the heart of CodeBuild. You can specify the phases install, pre_build, build and post_build, environment variables (plaintext, from Parameter Store or from Secrets Manager), and a finally block per phase that runs even when that phase's commands fail. Here is an example buildspec.yml file

version: 0.2

env:
  variables:
    JAVA_HOME: "/usr/lib/jvm/java-8-openjdk-amd64"
  parameter-store:
    LOGIN_PASSWORD: /CodeBuild/dockerLoginPassword

phases:
  install:
    commands:
      - echo Entered the install phase...
      - apt-get update -y
      - apt-get install -y maven
    finally:
      - echo This always runs even if the update or install command fails 
  pre_build:
    commands:
      - echo Entered the pre_build phase...
      # read the password from stdin so it never appears in the build log or process list
      - echo "$LOGIN_PASSWORD" | docker login -u User --password-stdin
    finally:
      - echo This always runs even if the login command fails 
  build:
    commands:
      - echo Entered the build phase...
      - echo Build started on `date`
      - mvn install
    finally:
      - echo This always runs even if the install command fails
  post_build:
    commands:
      - echo Entered the post_build phase...
      - echo Build completed on `date`

reports:
  arn:aws:codebuild:your-region:your-aws-account-id:report-group/report-group-name-1:
    files:
      - "**/*"
    base-directory: 'target/tests/reports'
    discard-paths: no
  reportGroupCucumberJson:
    files:
      - 'cucumber/target/cucumber-tests.xml'
    discard-paths: yes
    file-format: CUCUMBERJSON # default is JUNITXML
artifacts:
  files:
    - target/messageUtil-1.0.jar
  discard-paths: yes
  secondary-artifacts:
    artifact1:
      files:
        - target/artifact-1.0.jar
      discard-paths: yes
    artifact2:
      files:
        - target/artifact-2.0.jar
      discard-paths: yes
cache:
  paths:
    - '/root/.m2/**/*'

Environment variables and their type:

The type of an environment variable. Valid values include:

PARAMETER_STORE: An environment variable stored in Systems Manager Parameter Store. To learn how to specify a Parameter Store environment variable, see env/parameter-store in the AWS CodeBuild User Guide. The build's service role needs ssm:GetParameters on the parameter (and kms:Decrypt if it is a SecureString).

PLAINTEXT: An environment variable in plain text format. This is the default value. A plaintext value is visible to anyone who can read the project configuration or the build logs, so never use it for credentials.

SECRETS_MANAGER: An environment variable stored in AWS Secrets Manager. To learn how to specify a Secrets Manager environment variable, see env/secrets-manager in the AWS CodeBuild User Guide. The build's service role needs secretsmanager:GetSecretValue on the secret.
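The two mistakes that choice of type is meant to prevent are a credential sitting in env.variables and a credential passed on a command line. As an added example (not from the original post), the lint below checks a buildspec for both; it takes the buildspec already parsed into a dict (what a YAML loader produces) so it runs without extra dependencies. Both buildspecs in the block are constructed, and the secret-name pattern is an assumption you should tune to your naming conventions.

```python
import re

# Names that usually hold credentials (assumed pattern; extend for your naming
# conventions). A plaintext variable with such a name belongs in
# env.parameter-store or env.secrets-manager instead.
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

# docker login with -p/--password puts the secret in the build log and the
# process list; --password-stdin does not match this pattern.
RISKY_COMMAND = re.compile(r"docker\s+login\b.*\s(-p|--password)\s")


def lint_buildspec(spec):
    """Return a list of findings for a buildspec given as a dict."""
    findings = []
    env = spec.get("env", {})
    for name in env.get("variables", {}):
        if SECRET_NAME.search(name):
            findings.append(
                f"env.variables.{name}: secret-looking name stored as PLAINTEXT; "
                "move it to env.parameter-store or env.secrets-manager"
            )
    for phase, body in spec.get("phases", {}).items():
        for cmd in body.get("commands", []) + body.get("finally", []):
            if RISKY_COMMAND.search(cmd):
                findings.append(
                    f"phases.{phase}: '{cmd}' passes the password as an argument; "
                    "use --password-stdin"
                )
    return findings


# Constructed buildspec with both problems, in the dict form a YAML loader gives.
WEAK_SPEC = {
    "version": 0.2,
    "env": {
        "variables": {
            "JAVA_HOME": "/usr/lib/jvm/java-8-openjdk-amd64",
            "DOCKER_PASSWORD": "hunter2",
        }
    },
    "phases": {
        "pre_build": {"commands": ["docker login -u User -p $DOCKER_PASSWORD"]},
    },
}

# The same build with the secret moved to Parameter Store and read from stdin.
FIXED_SPEC = {
    "version": 0.2,
    "env": {
        "variables": {"JAVA_HOME": "/usr/lib/jvm/java-8-openjdk-amd64"},
        "parameter-store": {"LOGIN_PASSWORD": "/CodeBuild/dockerLoginPassword"},
    },
    "phases": {
        "pre_build": {
            "commands": ['echo "$LOGIN_PASSWORD" | docker login -u User --password-stdin']
        },
    },
}


if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("fixed", FIXED_SPEC)):
        print(label, lint_buildspec(spec) or "clean")
```

Run this in a pre-commit hook or a first CodeBuild phase over the loaded buildspec; a non-empty result should fail the build.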

CodeBuild integration with CloudWatch Events - you can create a schedule rule in CloudWatch Events (EventBridge) with a CodeBuild project as the target, for example to run a nightly build. Recommended blog: aws.amazon.com/blogs/devops/validating-aws-..

Code Deploy

  • EC2 instances can be grouped into deployment groups (dev/test/prod), selected by tag or by Auto Scaling group.
  • Lots of flexibility to define any kind of deployment: in-place or blue/green, with built-in or custom deployment configurations.
  • CodeDeploy can be chained with CodePipeline and use the artifacts from there.
  • CodeDeploy can re-use any existing setup tools; it works at the application level and with Auto Scaling groups.
  • On the EC2/on-premises compute platform, blue/green deployments only work for EC2 instances, not for on-premises instances.
  • Supports the EC2/on-premises, AWS Lambda and Amazon ECS compute platforms.

AppSpec lifecycle hooks - the hooks below are those of an Amazon ECS blue/green deployment (task set, target group and test listener are ECS concepts); the AppSpec hooks section names a Lambda function for each event.

BeforeInstall – Use to run tasks before the replacement task set is created. One target group is associated with the original task set. If an optional test listener is specified, it is associated with the original task set. A rollback is not possible at this point.

AfterInstall – Use to run tasks after the replacement task set is created and one of the target groups is associated with it. If an optional test listener is specified, it is associated with the original task set. The results of a hook function at this lifecycle event can trigger a rollback.

AfterAllowTestTraffic – Use to run tasks after the test listener serves traffic to the replacement task set. The results of a hook function at this point can trigger a rollback.

BeforeAllowTraffic – Use to run tasks after the second target group is associated with the replacement task set, but before traffic is shifted to the replacement task set. The results of a hook function at this lifecycle event can trigger a rollback.

AfterAllowTraffic – Use to run tasks after the second target group serves traffic to the replacement task set. The results of a hook function at this lifecycle event can trigger a rollback.
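A hook is only useful if it reports a result, because CodeDeploy waits for the named Lambda function to call back with Succeeded or Failed (a Failed status, or no callback before the timeout, is what triggers the rollback the descriptions above mention). As an added example (not from the original post), the handler below shows that contract: it runs a set of checks and reports the outcome with put_lifecycle_event_hook_execution_status. The same shape serves the BeforeAllowTraffic/AfterAllowTraffic hooks of a Lambda compute platform deployment, covered in the next section. The event is constructed with made-up IDs, the checks are hypothetical stand-ins for real HTTP probes of the test listener, and a fake client replaces boto3 so the block runs offline.

```python
# Constructed hook invocation event: CodeDeploy passes exactly these two fields
# to the hook function (the IDs here are made up).
SAMPLE_HOOK_EVENT = {
    "DeploymentId": "d-EXAMPLE123",
    "LifecycleEventHookExecutionId": "eyJleGFtcGxlIjogdHJ1ZX0=",
}


class FakeCodeDeploy:
    """Stand-in for boto3.client('codedeploy') so the handler runs offline;
    it records what would have been reported back to CodeDeploy."""

    def __init__(self):
        self.calls = []

    def put_lifecycle_event_hook_execution_status(self, **kwargs):
        self.calls.append(kwargs)
        return {"lifecycleEventHookExecutionId": kwargs["lifecycleEventHookExecutionId"]}


def report_hook_status(event, checks, client):
    """Run every check; report Succeeded only if all pass.

    `checks` maps a name to a zero-argument callable returning True on pass.
    A check that raises counts as failed. Returns (status, per-check results).
    """
    results = {}
    for name, check in checks.items():
        try:
            results[name] = bool(check())
        except Exception as exc:  # a crashing probe must not look like a pass
            print(f"check {name} raised {exc!r}")
            results[name] = False
    status = "Succeeded" if all(results.values()) else "Failed"
    client.put_lifecycle_event_hook_execution_status(
        deploymentId=event["DeploymentId"],
        lifecycleEventHookExecutionId=event["LifecycleEventHookExecutionId"],
        status=status,
    )
    return status, results


def sample_checks(health_ok=True, auth_rejected=True):
    """Hypothetical probes a BeforeAllowTraffic hook would run against the test
    listener; replace the lambdas with real HTTP requests."""
    return {
        "health_endpoint_returns_200": lambda: health_ok,
        "unauthenticated_request_rejected": lambda: auth_rejected,
    }


def lambda_handler(event, context):
    import boto3  # imported here so the module loads without boto3 for offline use

    status, _ = report_hook_status(event, sample_checks(), boto3.client("codedeploy"))
    return status


if __name__ == "__main__":
    print(report_hook_status(SAMPLE_HOOK_EVENT, sample_checks(), FakeCodeDeploy()))
```

The hook function's execution role needs codedeploy:PutLifecycleEventHookExecutionStatus, and the deployment group must have automatic rollback enabled for a Failed status to undo the deployment rather than just stop it.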

Code Deploy integration with Lambda

On the AWS Lambda compute platform the AppSpec names the function and its alias with the current and target versions, and CodeDeploy shifts the alias's traffic from the old version to the new one; the BeforeAllowTraffic and AfterAllowTraffic hooks can validate the new version and fail the deployment.

Working with Code Deploy Configurations

Deployment configurations for the EC2/on-premises compute platform (a configuration is a minimum-healthy-hosts rule, expressed as a host count or a fleet percentage; you can define custom ones):

CodeDeployDefault.AllAtOnce: In-place deployments: attempts to deploy the application revision to as many instances as possible at once; the overall deployment succeeds if the revision is deployed to one or more instances. Blue/green deployments: routes traffic to as many instances in the replacement environment as possible at once.

CodeDeployDefault.HalfAtATime: Deploys to up to half of the instances at a time (with fractions rounded down); the overall deployment succeeds if the revision is deployed to at least half of the instances (with fractions rounded up).

CodeDeployDefault.OneAtATime: Deploys to one instance at a time.

Deployment configuration on an AWS Lambda compute platform: traffic is shifted all at once, as a canary (a percentage first, then the rest after an interval) or linearly (equal increments at intervals), using built-in configurations such as CodeDeployDefault.LambdaAllAtOnce, CodeDeployDefault.LambdaCanary10Percent5Minutes and CodeDeployDefault.LambdaLinear10PercentEvery1Minute.

[Screenshot: Lambda deployment configurations in the CodeDeploy console]