In this post you build a CDK pipeline using Azure DevOps, based on the first part of this series.
For this post the deployment language is .NET, to look at serverless deployment from a developer's perspective. The focus is on the CDK application deployment rather than on the application itself; in another post the application will be the center.
Hands On
First review the requirements:
Requirements
cdk >= 2.66.0
AWS CLI >= 2.7.0
Dotnet >= 6.0.405
cdk-nag >= 2.21.69
checkov >= 2.1.229
AWS Toolkit for Azure DevOps
Azure DevOps Account
AWS Services and tools
AWS Cloud Development Kit (CDK): is an open-source software development framework to define your cloud application resources using familiar programming languages.
AWS Key Management Service (AWS KMS): lets you create, manage, and control cryptographic keys across your applications and more than 100 AWS services.
AWS CloudFormation: speed up cloud provisioning with infrastructure as code.
AWS Security Token Service: web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate (federated users).
AWS Toolkit for Azure DevOps: adds tasks to easily enable build and release pipelines in Azure DevOps (formerly VSTS) and Azure DevOps Server (previously known as Team Foundation Server (TFS)) to work with AWS services including Amazon S3, AWS Elastic Beanstalk, AWS CodeDeploy, AWS Lambda, AWS CloudFormation, Amazon Simple Queue Service and Amazon Simple Notification Service, and run commands using the AWS Tools for Windows PowerShell module and the AWS CLI.
Step by step
First, the code follows a clean structure. For this example the main stack deploys a simple microservice composed of an SQS queue, a Lambda function and a DynamoDB table. The developer teams must use trunk-based development (trunkbaseddevelopment). Figure 1 depicts the microservice architecture.
Finally, the environment properties for this setup are loaded from environment variables. This block is in the main file program.cs:
...
    // Account and region are injected by the pipeline (CDK_DEFAULT_ACCOUNT / CDK_DEFAULT_REGION),
    // so the same code deploys to any bootstrapped account without hardcoded values.
    Env = new Amazon.CDK.Environment
    {
        Account = System.Environment.GetEnvironmentVariable("CDK_DEFAULT_ACCOUNT"),
        Region = System.Environment.GetEnvironmentVariable("CDK_DEFAULT_REGION"),
    }
...
⚠️ ReadMessageStack.cs contains the stack for the microservice architecture; in this case some values are hardcoded, but this isn't recommended for production environments: always load properties from a YAML or JSON file.
In the next section you'll find the pipeline configuration in depth.
Figure 2 depicts the final structure for your CDK project.
Figure 2. CDK simple project
Azure DevOps Pipeline
Create the Azure DevOps template structure.
On the other hand, as a DevSecOps engineer you must guarantee compliance, automate deployments, and enforce best practices in the application code, so the first step is creating a central templates repository that can be reused and scaled easily. Its structure is depicted in Figure 3; usually these templates are stored and governed in an independent Azure DevOps project, for this blog named DevSecOps:
Figure 3. Azure DevOps pipelines Templates
The template repository has a template folder with three files:
ci_cd.yaml: defines a multistage pipeline with the main steps to synth and deploy the application through the different environments up to production.
pull_request.yaml: defines simple steps to validate a pull request: SAST, SCA, unit tests, and deployment into the development environment.
features.yaml: defines the pipeline for deploying feature scenarios into the development environment or account, and includes a destroy step to reclaim the resources once development is finished. Of course, each feature branch name must start with feature/.
Also, in this repository, you can find a common folder that contains the common steps and settings for all CDK projects.
Figure 4 depicts the structure of this repository:
Figure 4. CDK Pipelines Template Repository
For this blog the SAST practice for the application business code isn't applied; it could be explained in a future post.
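As an added example (not a file from the post's templates repository), this is what the shared steps in the common folder could look like. The file name common/cdk_steps.yaml, the parameter names and the pinned tool versions are assumptions. It uses the AWS Toolkit's AWSShellScript task, which takes its credentials from the service connection passed in as a parameter, and it always runs cdk synth and checkov before any deploy or destroy, so the cdk-nag aspect registered in the app and the checkov scan over cdk.out gate every change:

```yaml
# common/cdk_steps.yaml (assumed name): reusable steps for every CDK .NET project.
# Added example, not the post's own file. Requires the AWS Toolkit for Azure DevOps
# and an AWS service connection whose name is passed in as a parameter.
parameters:
  - name: awsServiceConnection   # AWS service connection (access keys or a role to assume)
    type: string
  - name: awsAccount             # target account id, e.g. $(dev_account) from the variable group
    type: string
  - name: awsRegion
    type: string
  - name: cdkAction              # synth | deploy | destroy
    type: string
    default: synth
    values:
      - synth
      - deploy
      - destroy

steps:
  - task: UseDotNet@2
    displayName: Install .NET SDK
    inputs:
      packageType: sdk
      version: 6.0.x

  - task: NodeTool@0
    displayName: Install Node.js (the CDK CLI runs on Node)
    inputs:
      versionSpec: 18.x

  - script: |
      npm install -g aws-cdk@2.66.0
      pip install checkov==2.1.229
    displayName: Install CDK CLI and checkov (pinned versions are assumed)

  - task: AWSShellScript@1
    displayName: cdk ${{ parameters.cdkAction }}
    inputs:
      awsCredentials: ${{ parameters.awsServiceConnection }}
      regionName: ${{ parameters.awsRegion }}
      scriptType: inline
      inlineScript: |
        set -euo pipefail
        # program.cs reads these two variables to set the stack environment
        export CDK_DEFAULT_ACCOUNT='${{ parameters.awsAccount }}'
        export CDK_DEFAULT_REGION='${{ parameters.awsRegion }}'

        # synth always runs first: cdk-nag (registered as an aspect in the app)
        # fails the synth on rule errors, and checkov scans the emitted templates
        cdk synth --quiet
        checkov --directory cdk.out --framework cloudformation --quiet

        case '${{ parameters.cdkAction }}' in
          deploy)  cdk deploy --all --require-approval never ;;
          destroy) cdk destroy --all --force ;;
        esac
```

Keeping the credentials on the service connection (rather than in variables) means the template never sees long-lived keys, and a single `cdkAction` parameter lets ci_cd.yaml, pull_request.yaml and features.yaml reuse the same checks before deploying or destroying.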
Repository with CDK pipeline definitions in YAML files for Azure DevOps.
CDK Pipelines in Azure DevOps
This repository contains the CDK pipeline definitions for integrating Azure DevOps and AWS, based on simple authentication and a multi-account setup in AWS.
Architecture Diagram
Requirements
Bootstrap the accounts for CDK deployments.
A service connection with the right permissions.
How to
Create a variable group with values for the environments, for example:
az pipelines variable-group create --name cdk_pipelines_delivery --variables dev_account=123456789012 dev_region=us-east-2 --authorize true --description "Group for lab Pipelines Delivery" --project Delivery
Create an Azure pipeline file in the CDK project to use these templates, for example:
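The following azure-pipelines.yml is an added example of such a consumer file, not the repository's own; the template repository name DevSecOps/cdk_pipelines_templates, the template path common/cdk_steps.yaml, its parameter names and the service connection name aws-dev are assumptions. It wires the cdk_pipelines_delivery variable group created by the az command above into the template parameters, restricts deployment to main and feature/* branches (trunk-based flow), and adds the feature-branch destroy stage behind an environment where a manual approval can be configured:

```yaml
# azure-pipelines.yml in the CDK project (assumed name). Added example, not the post's own file.
trigger:
  branches:
    include:
      - main
      - feature/*

# The templates live in the DevSecOps project; the repository resource makes
# them addressable with the @templates suffix (repository name is assumed).
resources:
  repositories:
    - repository: templates
      type: git
      name: DevSecOps/cdk_pipelines_templates
      ref: refs/heads/main

variables:
  - group: cdk_pipelines_delivery   # dev_account / dev_region from the az command above

stages:
  - stage: synth
    displayName: Synth, cdk-nag and checkov
    jobs:
      - job: synth
        pool:
          vmImage: ubuntu-latest
        steps:
          - template: common/cdk_steps.yaml@templates   # assumed template path
            parameters:
              awsServiceConnection: aws-dev            # assumed service connection name
              awsAccount: $(dev_account)
              awsRegion: $(dev_region)
              cdkAction: synth

  - stage: deploy_dev
    displayName: Deploy to development account
    dependsOn: synth
    # trunk-based flow: only main and feature/* branches reach the development account
    condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/feature/')))
    jobs:
      - deployment: deploy
        environment: dev        # approvals and checks are configured on the environment
        pool:
          vmImage: ubuntu-latest
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self   # deployment jobs do not check out sources by default
                - template: common/cdk_steps.yaml@templates
                  parameters:
                    awsServiceConnection: aws-dev
                    awsAccount: $(dev_account)
                    awsRegion: $(dev_region)
                    cdkAction: deploy

  - stage: destroy_feature
    displayName: Reclaim feature resources
    dependsOn: deploy_dev
    # only feature branches are torn down; main stays deployed
    condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/feature/'))
    jobs:
      - deployment: destroy
        environment: dev-destroy   # put a manual approval on this environment
        pool:
          vmImage: ubuntu-latest
        strategy:
          runOnce:
            deploy:
              steps:
                - checkout: self
                - template: common/cdk_steps.yaml@templates
                  parameters:
                    awsServiceConnection: aws-dev
                    awsAccount: $(dev_account)
                    awsRegion: $(dev_region)
                    cdkAction: destroy
```

The account id and region never appear in the project file: they come from the variable group, so promoting the same pipeline to another account only needs a new group (or extra variables such as prod_account) and a service connection scoped to that account.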