The latest articles on DEV Community by Ammar Yasser (@aerosouund). https://dev.to/aerosouund https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F880358%2F0e3bc37a-8153-4805-9742-0a6fa95a4625.jpeg https://dev.to/aerosouund en Ammar Yasser Fri, 16 Sep 2022 13:05:45 +0000 https://dev.to/aerosouund/passed-aws-sap-heres-my-2-cents-about-it-2bdm https://dev.to/aerosouund/passed-aws-sap-heres-my-2-cents-about-it-2bdm <p>I'd like to start with saying that my opinions are my own. feel free to disagree with me. that being said.. wish you a good read.</p> <h2> The usual debate about certifications 😖😒 </h2> <p>You might look at the study time and resources it will take you to finish a certification like this and think wow, the industry is truly in a bad state for allowing such a phenomenon to appear. And i will tell you that sorry, this is just how the world works. We sometimes have a very difficult decision to make while selecting a leader, hiring an employee, choosing a major... etc. and we simply don't have enough data to make a choice. and so what we do is look for proxies. Same as what happens with coding interviews. the interviewer is looking for a proxy for you being a good software engineer and you solving the coding problem means there's less chance that you are a bad hire -although obviously it's not a zero chance-.</p> <p>Certification will always matter in IT especially because there are new tools appearing all the time and it's hard to gauge how experienced a candidate is in this tool. people may lie on their resume, or make up stories about problems they solved.. but they can't fake passing an exam. </p> <h2> Why the SA pro is different 🤔 </h2> <p>The SA pro is like all other certifications, a proxy. but it's a very good proxy and its a proxy for so many great skills that you will benefit from on your job. The exam is really difficult and this is a good thing. you won't be able to pass without a firm grasp of networking, automation, security, encryption and so many other topics.<br> It's also a proxy for your ability to learn and study, which is one of the most important skill you need as someone in tech. And so it means that it's successful in its job as a proxy and does indeed prove good things about its holders. </p> <h2> Play for the love of the sport. not to win 💡😎 </h2> <p>The certificate itself doesn't matter. but its the knowledge you gained while studying for it. Taking the exam and passing just helps you feel the reward of the journey and being able to tell the world how far you stand in your journey, But it isn't the true gain.<br> With that being said, don't prepare for the cert with the cert as your end goal, You'll meet products that you may have not used before while learning. Use them, implement an architecture with them. open the product page at the console and see what different options you can choose while provisioning it.<br> As a professional level solutions architect it's very normal that you get asked by your employer to implement a highly available hybrid directory solution, to build a disaster recovery plan with very few minutes of RPO for a few hundred terabytes database, or to preform zero downtime migrations of very complex legacy systems. will your cert matter when find yourself unable to preform these tasks in real life ?</p> <h2> How to actually pass ? 💯 </h2> <p>For practice exams i used the ones by <a href="https://tutorialsdojo.com/">tutorialsdojo</a> and <a href="https://www.whizlabs.com/">whizlabs</a>. A special mention has to go to Adrian Cantrill's exquisite <a href="https://cantrill.io/">course</a> and how well put it is. But mind you.. the course is a whopping 75 hours. and so the secret lies in doing it everyday. Find a way to embed your study into your routine and do it EVERYDAY!!<br> You don't have to do alot on a single day but being consistent with it is in my opinion the only way to beat this daunting challenge.<br> Also, you must be able to pinpoint your knowledge gaps, after a failed practice exam go through your incorrect answers and find out what wrong assumptions you had while answering the question and then take note of the correct fact about the product. and iterate.</p> <h2> Architectures to build as your prepare </h2> <p>You need hands on experience as you prepare, these are some architectures that i believe are essential for you to have built before the exam. Let me know your ideas in the comments:</p> <ul> <li><p>Build a three tier architecture and create failover DNS records to another region</p></li> <li><p>Serverless application using API gateway, Lambda, DynamoDB. Bonus points if you integrate a queuing service ⏩</p></li> <li><p>Launch an RDS database with some dummy data, then migrate it to another region using DMS 🎒</p></li> <li><p>Implement hybrid DNS between two VPCs.</p></li> <li><p>Connect VPCs in different ways, try a Transit gateway, try Site-to-Site VPN, then try a peering connection.🚧</p></li> <li><p>Create an organization and configure a monitoring account with an organizational trail 👀</p></li> <li><p>Launch random EC2 instances with different types and AMI's then evaluate compliance using a config rule 🛑</p></li> <li><p>Deploy a dummy app with Elastic Beanstalk using different strategies 🌱</p></li> </ul> <p>Bonus points when you only use cloudformation. feel free to reach out to me if you're trying to build these 💌</p> aws cloud devops architecture Ammar Yasser Fri, 08 Jul 2022 11:19:21 +0000 https://dev.to/aerosouund/elastic-scalable-secure-and-highly-available-three-tier-app-using-aws-cdk-and-python-4lhh https://dev.to/aerosouund/elastic-scalable-secure-and-highly-available-three-tier-app-using-aws-cdk-and-python-4lhh <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0rfzjp9no3nv5lh65mzk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0rfzjp9no3nv5lh65mzk.png" alt="high-avlb-infra"></a></p> <h2> Table of Contents </h2> <ul> <li><a href="https://dev.toIntroduction">Introduction</a></li> <li><a href="https://dev.toNetworking%20Infrastructure">Networking Infrastructure</a></li> <li><a href="https://dev.toApplication%20Layer">Application Layer</a></li> <li><a href="https://dev.toWeb%20Layer">Web Layer</a></li> <li><a href="https://dev.toData%20Layer">Data Layer</a></li> </ul> <h2> Introduction </h2> <p>The AWS CDK opens the possibilities for adding wonderful features to your IaC and help bring it to life. Today we explore how we can use it to quickly bootstrap a high security application that can be reconfigured and customized for many use cases.</p> <p>For this project we use the AWS CDK, a framework by AWS for defining your infrastructure as actual code in your programming language of choice. If you're new to the CDK then the <a href="https://cdkworkshop.com/" rel="noopener noreferrer">workshop</a> is the best introduction you can get for it.</p> <h2> Outcome </h2> <p>Creating an infrastructure that is redundant across multiple availability zones, end users can only access the app through a domain name, the database should only be accessible from the application servers. a secure way to access the servers for troubleshooting must be provided. Networking resources should be managed separately</p> <h2> Networking Infrastructure </h2> <p>For this project we have two files, A file where the network is defined and another where the app is defined on the network created. Let's look at the network file and we'll explain it bit by bit<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">Stack</span><span class="p">,</span> <span class="n">aws_ec2</span> <span class="k">as</span> <span class="n">ec2</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="k">class</span> <span class="nc">vpcStack</span><span class="p">(</span><span class="n">Construct</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">vpc_cidr</span><span class="o">=</span><span class="sh">'</span><span class="s">10.0.0.0/16</span><span class="sh">'</span><span class="p">,</span> <span class="n">three_tier</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span><span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="sh">'''</span><span class="s"> AWS CDK Construct that creates a configurable VPC for hosting a three tier architecture</span><span class="sh">'''</span> </code></pre> </div> <p>First we ask the question of what is this <code>Construct</code> class that we use to define our <code>VpcStack</code> Class ?<br> A construct is a resource, when you define an EC2 Instance, a Lambda function, a DynamoDB table.. etc in a CDK template we're defining what is known as a construct. We can create our custom resources by inheriting from this class and defining the actual resources we want in this new object as attributes of our class! Quite revolutionary right ? We will see how we implement this soon.</p> <p>For now, Our class is instantiated using two extra custom parameters we provide for flexibility. <code>vpc_cidr</code> and <code>three_tier</code>.<br> The VPC is created by default with a 10.0.0.0/16 CIDR. but parametrizing this will allow us to later pass the CIDR as a command line argument. three_tier is a boolean value for conditional infrastructure creation, in case you have an existing database you may not want to create the needed resources for it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">three_tier</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">vpc</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">vpc</span><span class="sh">'</span><span class="p">,</span> <span class="n">cidr</span><span class="o">=</span><span class="n">vpc_cidr</span><span class="p">,</span> <span class="n">max_azs</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">nat_gateways</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">enable_dns_hostnames</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">enable_dns_support</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">subnet_configuration</span><span class="o">=</span><span class="p">[</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetConfiguration</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span> <span class="sh">'</span><span class="s">load_balancer</span><span class="sh">'</span><span class="p">,</span> <span class="n">subnet_type</span><span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PUBLIC</span><span class="p">,</span> <span class="n">cidr_mask</span><span class="o">=</span> <span class="mi">24</span> <span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetConfiguration</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span> <span class="sh">'</span><span class="s">application</span><span class="sh">'</span><span class="p">,</span> <span class="n">subnet_type</span><span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PRIVATE_WITH_NAT</span><span class="p">,</span> <span class="n">cidr_mask</span><span class="o">=</span> <span class="mi">24</span> <span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetConfiguration</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span> <span class="sh">'</span><span class="s">database</span><span class="sh">'</span><span class="p">,</span> <span class="n">subnet_type</span><span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PRIVATE_ISOLATED</span><span class="p">,</span> <span class="n">cidr_mask</span><span class="o">=</span> <span class="mi">24</span> <span class="p">)</span> <span class="p">]</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">vpc</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">vpc</span><span class="sh">'</span><span class="p">,</span> <span class="n">cidr</span><span class="o">=</span><span class="n">vpc_cidr</span><span class="p">,</span> <span class="n">max_azs</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">nat_gateways</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">enable_dns_hostnames</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">enable_dns_support</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">subnet_configuration</span><span class="o">=</span><span class="p">[</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetConfiguration</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span> <span class="sh">'</span><span class="s">load_balancer</span><span class="sh">'</span><span class="p">,</span> <span class="n">subnet_type</span><span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PUBLIC</span><span class="p">,</span> <span class="n">cidr_mask</span><span class="o">=</span> <span class="mi">24</span> <span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetConfiguration</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span> <span class="sh">'</span><span class="s">application</span><span class="sh">'</span><span class="p">,</span> <span class="n">subnet_type</span><span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PRIVATE_WITH_NAT</span><span class="p">,</span> <span class="n">cidr_mask</span><span class="o">=</span> <span class="mi">24</span> <span class="p">)</span> <span class="p">]</span> <span class="p">)</span> </code></pre> </div> <p>In case we don't need a three tier app. our construct will create 2 subnets per AZ in the VPC. one will host the load balancer and is a public subnet. the other is private subnet with access to a NAT gateway. it's important to note here that if we were using any other IaC tool we would need to define an internet gateway, a NAT gateway, route tables, routes and route table associations. all of this is automated away with a few simple lines of code</p> <p>Next, let's define our security groups<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Load balancer security group </span><span class="n">self</span><span class="p">.</span><span class="n">lb_sg</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">lb-SG</span><span class="sh">'</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">allow_all_outbound</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">lb_sg</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Peer</span><span class="p">.</span><span class="nf">any_ipv4</span><span class="p">(),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">443</span><span class="p">)</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">lb_sg</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Peer</span><span class="p">.</span><span class="nf">any_ipv4</span><span class="p">(),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">80</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># Bastion security group </span><span class="n">self</span><span class="p">.</span><span class="n">bastion_sg</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">bastion-SG</span><span class="sh">'</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">allow_all_outbound</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">bastion_sg</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Peer</span><span class="p">.</span><span class="nf">any_ipv4</span><span class="p">(),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># Application layer security group </span><span class="n">self</span><span class="p">.</span><span class="n">asg_sg</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">asg-SG</span><span class="sh">'</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">allow_all_outbound</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">asg_sg</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">lb_sg</span><span class="p">,</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">443</span><span class="p">)</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">asg_sg</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">lb_sg</span><span class="p">,</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">80</span><span class="p">)</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">asg_sg</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">bastion_sg</span><span class="p">,</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># Database security group if three tier is specified </span><span class="k">if</span> <span class="n">three_tier</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">db_SG</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">db-SG</span><span class="sh">'</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">allow_all_outbound</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">db_SG</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">asg_sg</span><span class="p">,</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">5432</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>Note how all resources are created as attributes of the class. this is so we can access all resources individually later in the stack. for now we want our load balancer to be internet facing, and the application to receive web traffic only from the load balancer and SSH traffic from a bastion server. Bastion servers are a central point of access for SSH traffic, this limits the attack surface for your network and heavily restricts traffic to your servers.<br> Source targets con be written as other security groups as we see, we don't need to specify an ID, simply passing the construct of other security groups is good enough to write a valid ingress rule.</p> <p>You can read more about the numerous security benefits from this setup <a href="https://aws.amazon.com/elasticloadbalancing/application-load-balancer/" rel="noopener noreferrer">here</a>. and also more on bastion hosts <a href="https://www.twingate.com/blog/bastion-host/" rel="noopener noreferrer">here</a>.</p> <h2> Web Layer </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">Stack</span><span class="p">,</span> <span class="n">aws_ec2</span> <span class="k">as</span> <span class="n">ec2</span><span class="p">,</span> <span class="n">aws_autoscaling</span> <span class="k">as</span> <span class="n">autoscaling</span><span class="p">,</span> <span class="n">aws_elasticloadbalancingv2</span> <span class="k">as</span> <span class="n">elbv2</span><span class="p">,</span> <span class="n">aws_iam</span> <span class="k">as</span> <span class="n">iam</span><span class="p">,</span> <span class="n">aws_rds</span> <span class="k">as</span> <span class="n">rds</span><span class="p">,</span> <span class="n">Duration</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="kn">from</span> <span class="n">.vpc_stack</span> <span class="kn">import</span> <span class="n">vpcStack</span> <span class="k">class</span> <span class="nc">AppStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">three_tier</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># Attempt to get custom cidr from context if provided </span> <span class="n">context_cidr</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">node</span><span class="p">.</span><span class="nf">try_get_context</span><span class="p">(</span><span class="sh">"</span><span class="s">cidr</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Creating the networking resources </span> <span class="n">network</span> <span class="o">=</span> <span class="nf">vpcStack</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">vpc</span><span class="sh">'</span><span class="p">,</span> <span class="n">three_tier</span><span class="o">=</span><span class="n">three_tier</span><span class="p">,</span> <span class="n">vpc_cidr</span><span class="o">=</span><span class="n">context_cidr</span> <span class="k">if</span> <span class="n">context_cidr</span> <span class="k">else</span> <span class="sh">'</span><span class="s">10.0.0.0/16</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>As we see, the app it self is inheriting from the <code>Stack</code> class, unlike the networking resources. This <a href="https://stackoverflow.com/questions/67855703/the-difference-between-a-stack-and-construct-in-aws-cdk#:~:text=Stack%20represents%20CF%20template%20in,resources%20defined%20in%20this%20file." rel="noopener noreferrer">Stack overflow answer</a> clearly explains the difference between the two.<br> Here we can see the benefit from having added <code>vpc_cidr</code> as a property. we can use the context variable to pass it dynamically during deployment like this:<br> <code>cdk deploy -c cidr=172.0.0.0/16</code>. if it's not passed the default of 10.0.0.0/16 will be used. learn more about the CDK context in this <a href="https://docs.aws.amazon.com/cdk/v2/guide/context.html" rel="noopener noreferrer">link</a>.</p> <p>Now, let's define our servers..<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Define our server execution role </span> <span class="n">asg_role</span> <span class="o">=</span> <span class="n">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">MyRole</span><span class="sh">"</span><span class="p">,</span> <span class="n">assumed_by</span><span class="o">=</span><span class="n">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="sh">"</span><span class="s">ec2.amazonaws.com</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="n">asg_role</span><span class="p">.</span><span class="nf">add_managed_policy</span><span class="p">(</span><span class="n">iam</span><span class="p">.</span><span class="n">ManagedPolicy</span><span class="p">.</span><span class="nf">from_aws_managed_policy_name</span><span class="p">(</span><span class="sh">"</span><span class="s">service-role/AmazonEC2RoleforSSM</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># Define our servers </span> <span class="n">asg</span> <span class="o">=</span> <span class="n">autoscaling</span><span class="p">.</span><span class="nc">AutoScalingGroup</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">ASG</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">network</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">instance_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceType</span><span class="p">.</span><span class="nf">of</span><span class="p">(</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceClass</span><span class="p">.</span><span class="n">BURSTABLE3</span><span class="p">,</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InstanceSize</span><span class="p">.</span><span class="n">MICRO</span><span class="p">),</span> <span class="n">machine_image</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="nc">GenericLinuxImage</span><span class="p">({</span><span class="sh">'</span><span class="s">us-east-1</span><span class="sh">'</span><span class="p">:</span><span class="sh">'</span><span class="s">ami-0cff7528ff583bf9a</span><span class="sh">'</span><span class="p">}),</span> <span class="n">security_group</span><span class="o">=</span><span class="n">network</span><span class="p">.</span><span class="n">asg_sg</span><span class="p">,</span> <span class="n">cooldown</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="n">min_capacity</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">max_capacity</span><span class="o">=</span><span class="mi">8</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="n">asg_role</span><span class="p">,</span> <span class="n">vpc_subnets</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetSelection</span><span class="p">(</span><span class="n">subnet_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PRIVATE_WITH_NAT</span><span class="p">),</span> <span class="n">user_data</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">UserData</span><span class="p">.</span><span class="nf">custom</span><span class="p">(</span> <span class="sh">'''</span><span class="s"> #!/bin/bash sudo yum update -y sudo yum install -y httpd.x86_64 sudo systemctl start httpd sudo systemctl enable httpd sudo chmod 755 -R /var/www/html sudo echo </span><span class="sh">"</span><span class="s">hello world from $(hostname -f)</span><span class="sh">"</span><span class="s"> &gt;&gt; /var/www/html/index.html </span><span class="sh">'''</span> <span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>We want our servers in private subnets but not fully isolated, which is why we specify subnets with a route to the <a href="https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html" rel="noopener noreferrer">NAT gateway</a> for outbound only connection to the internet.<br> We want them to be granted permissions to communicate with AWS SSM for secure management in case we don't want to use the bastion.</p> <p>Also, we define our base OS using the <a href="https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-ec2.GenericLinuxImage.html" rel="noopener noreferrer">GenericLinuxImage</a> class despite that it's amazon linux. and amazon linux can be defined using a special class called <a href="https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_ec2/AmazonLinuxImage.html" rel="noopener noreferrer">AmazonlinuxImage</a>. the reason for this is that using the amazon linux image class returned a very primitive Linux image that doesn't have systemctl, grep and other important linux modules so we use the default AMI ID for Amazon Linux in the us-east-1 region.</p> <p>We also configure our servers to show a simple page for users, you can change the <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html" rel="noopener noreferrer">user data script</a> to be anything else you want to deploy your own apps, such as cloning a repo and starting a nodeJS server. you can also create a machine image and deploy it instead of using Amazon Linux with user data<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Creating the bastion server </span><span class="n">bastion</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">BastionHostLinux</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">BastionHost</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">network</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">security_group</span><span class="o">=</span><span class="n">network</span><span class="p">.</span><span class="n">bastion_sg</span><span class="p">,</span> <span class="n">subnet_selection</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetSelection</span><span class="p">(</span><span class="n">subnet_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PUBLIC</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># Configure load balancer </span><span class="n">lb</span> <span class="o">=</span> <span class="n">elbv2</span><span class="p">.</span><span class="nc">ApplicationLoadBalancer</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">LB</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">network</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">internet_facing</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">security_group</span><span class="o">=</span><span class="n">network</span><span class="p">.</span><span class="n">lb_sg</span> <span class="p">)</span> <span class="n">listener</span> <span class="o">=</span> <span class="n">lb</span><span class="p">.</span><span class="nf">add_listener</span><span class="p">(</span><span class="sh">"</span><span class="s">Listener</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">80</span> <span class="p">)</span> <span class="n">listener</span><span class="p">.</span><span class="nf">add_targets</span><span class="p">(</span><span class="sh">"</span><span class="s">ApplicationFleet</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">80</span><span class="p">,</span> <span class="n">targets</span><span class="o">=</span><span class="p">[</span><span class="n">asg</span><span class="p">]</span> <span class="p">)</span> </code></pre> </div> <p>First, we define a bastion server using the handy <code>BastionHostLinux</code> class. this host has the security group that is the only allowed source for port 22 communication with the servers.<br> We define a load balancer with the application servers as targets when receiving HTTP traffic. many other properties can be defined depending on your application use case, such as session stickiness, connection draining period.. etc. this <a href="https://docs.aws.amazon.com/cdk/api/v1/docs/aws-elasticloadbalancingv2-readme.html" rel="noopener noreferrer">Page from the docs</a> is a good summary of what you can do.</p> <h2> Data Layer </h2> <p>Again, only created if <code>three_tier</code> option is specified..<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">three_tier</span><span class="p">:</span> <span class="c1"># in case a three tier architecture is specified, create a database and a # secrets manager secret, and grants get secret value role to the # application fleet </span><span class="n">db_secrets</span> <span class="o">=</span> <span class="n">rds</span><span class="p">.</span><span class="nc">DatabaseSecret</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">postgres-secret</span><span class="sh">'</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="sh">'</span><span class="s">postgres</span><span class="sh">'</span><span class="p">,</span> <span class="n">secret_name</span><span class="o">=</span><span class="sh">'</span><span class="s">postgres-credentials</span><span class="sh">'</span> <span class="p">)</span> <span class="n">db</span> <span class="o">=</span> <span class="n">rds</span><span class="p">.</span><span class="nc">DatabaseInstance</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">db</span><span class="sh">"</span><span class="p">,</span> <span class="n">engine</span><span class="o">=</span><span class="n">rds</span><span class="p">.</span><span class="n">DatabaseInstanceEngine</span><span class="p">.</span><span class="nf">postgres</span><span class="p">(</span><span class="n">version</span><span class="o">=</span><span class="n">rds</span><span class="p">.</span><span class="n">PostgresEngineVersion</span><span class="p">.</span><span class="n">VER_13_4</span><span class="p">),</span> <span class="n">instance_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceType</span><span class="p">.</span><span class="nf">of</span><span class="p">(</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceClass</span><span class="p">.</span><span class="n">BURSTABLE3</span><span class="p">,</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InstanceSize</span><span class="p">.</span><span class="n">MICRO</span><span class="p">),</span> <span class="n">credentials</span><span class="o">=</span><span class="n">rds</span><span class="p">.</span><span class="n">Credentials</span><span class="p">.</span><span class="nf">from_secret</span><span class="p">(</span><span class="n">db_secrets</span><span class="p">),</span> <span class="n">vpc</span><span class="o">=</span><span class="n">network</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">multi_az</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">security_groups</span><span class="o">=</span><span class="p">[</span><span class="n">network</span><span class="p">.</span><span class="n">db_SG</span><span class="p">],</span> <span class="n">vpc_subnets</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetSelection</span><span class="p">(</span> <span class="n">subnet_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PRIVATE_ISOLATED</span> <span class="p">)</span> <span class="p">)</span> <span class="n">asg</span><span class="p">.</span><span class="nf">add_to_role_policy</span><span class="p">(</span><span class="n">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">(</span> <span class="n">resources</span><span class="o">=</span><span class="p">[</span><span class="n">db_secrets</span><span class="p">.</span><span class="n">secret_arn</span><span class="p">],</span> <span class="n">actions</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">secretsmanager:GetSecretValue</span><span class="sh">"</span><span class="p">]</span> <span class="p">))</span> </code></pre> </div> <p>The database lives in a private isolated subnet, the only open connection is on the default engine port which is PostgreSQL in our case, and it's only open to the application layer's security group. we also define the database password as a secrets manager secret. and giving the application layer the ability to only retrieve the value of this secret only. In accordance with the least privilege principle. read more about AWS security best practices <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" rel="noopener noreferrer">here</a></p> <h2> Conclusion </h2> <p>Application availability, security, quick and ease of deployment are no longer a hassle and are attainable for all organizations. and this is only the start...<br> this infrastructure can be easily turned to one which can stand regional failure. we can replace postgreSQL with Aurora global and configure DNS for failover routing. we can also enhance observability by exporting bastion SSH logs to Cloudwatch, and many other things.. I'm actually thinking of turning this into a mini series where i take this infrastructure and take it to its limits according to SRE principals. Let me know what you people think in the comments.</p> <p>All the code for this article is available in this <a href="https://github.com/aerosouund/secure-three-tier-arch-cdk" rel="noopener noreferrer">repo</a></p> aws cdk python devops Ammar Yasser Sat, 25 Jun 2022 16:55:12 +0000 https://dev.to/aerosouund/serverless-etl-using-aws-lambda-pandas-postgresql-aws-cdk-1l50 https://dev.to/aerosouund/serverless-etl-using-aws-lambda-pandas-postgresql-aws-cdk-1l50 <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ml5jw3y1pm98q8g97dl.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ml5jw3y1pm98q8g97dl.png" alt="cloud infrastructure"></a></p> <h2> Table of contents </h2> <ul> <li>Introduction</li> <li>Compute</li> <li>Infrastructure as code</li> <li>Continuous delivery</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>Created in response to the #ACloudGuruChallenge posted by Forrest Brazeal.</p> <p>Modern data infrastructure has become so exciting and with limitless possibilities, Today we explore a use case where we pull, transform and visualize covid-19 data from several sources in a serverless and extremely quick to deploy fashion using python as our tool of choice</p> <h3> Outcome </h3> <p>Having a job that downloads data about covid-19 for case counts, deaths and recoveries for every given day, and stores them in a database for later access and reporting</p> <h3> Tech stack </h3> <p><strong>Compute</strong>: Python application on AWS Lambda<br> <strong>Storage</strong>: S3<br> <strong>Database</strong>: PostgreSQL on RDS<br> <strong>Reporting</strong>: Amazon Quicksight<br> <strong>IaaC and CI/CD</strong>: Github actions + AWS CDK</p> <h3> Data Sources </h3> <p>We pull data from <a href="https://github.com/nytimes/covid-19-data/blob/master/us.csv" rel="noopener noreferrer">This link</a> and this <a href="https://raw.githubusercontent.com/datasets/covid-19/master/data/time-series-19-covid-combined.csv" rel="noopener noreferrer">John Hopkins dataset</a></p> <h2> Compute </h2> <p>AWS Lambda is a serverless platform for running small snippets of code in the cloud, in this section we will go over the code used to achieve the end goal<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">pandas</span> <span class="k">as</span> <span class="n">pd</span> <span class="c1"># Creating a dataframe to store our data </span><span class="kn">import</span> <span class="n">io</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="c1"># accessing environment variables </span><span class="kn">from</span> <span class="n">db</span> <span class="kn">import</span> <span class="n">get_latest_date</span><span class="p">,</span> <span class="n">instantiate_db</span><span class="p">,</span> <span class="n">load_to_db</span> <span class="c1"># custom modules, will be discussed below </span><span class="kn">from</span> <span class="n">data_transformation</span> <span class="kn">import</span> <span class="n">join_dfs</span><span class="p">,</span> <span class="n">change_to_datetime</span><span class="p">,</span> <span class="n">clean_dataframe</span><span class="p">,</span> <span class="n">rename_cols</span> </code></pre> </div> <p>And now we discuss the functions defined in our handler<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># Instantiate our clients </span><span class="n">s3_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">s3</span><span class="sh">'</span><span class="p">)</span> <span class="n">s3_resource</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">s3</span><span class="sh">'</span><span class="p">)</span> <span class="n">sns_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">sns</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">download_file</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">file_name</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Downloads data from a file and saves it to s3 as an object</span><span class="sh">'''</span> <span class="n">body</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">).</span><span class="n">content</span><span class="p">.</span><span class="nf">strip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="se">\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">bucket_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">S3_BUCKET</span><span class="sh">'</span><span class="p">]</span> <span class="n">s3_path</span> <span class="o">=</span> <span class="sh">"</span><span class="s">data/</span><span class="sh">"</span> <span class="o">+</span> <span class="n">file_name</span> <span class="n">s3_resource</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="n">bucket_name</span><span class="p">).</span><span class="nf">put_object</span><span class="p">(</span><span class="n">Key</span><span class="o">=</span><span class="n">s3_path</span><span class="p">,</span> <span class="n">Body</span><span class="o">=</span><span class="n">body</span><span class="p">)</span> <span class="k">def</span> <span class="nf">load_data</span><span class="p">(</span><span class="n">key</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Loads data from s3 into a pandas Dataframe</span><span class="sh">'''</span> <span class="n">obj</span> <span class="o">=</span> <span class="n">s3_client</span><span class="p">.</span><span class="nf">get_object</span><span class="p">(</span><span class="n">Bucket</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">S3_BUCKET</span><span class="sh">'</span><span class="p">],</span> <span class="n">Key</span><span class="o">=</span><span class="n">key</span><span class="p">)</span> <span class="n">csv_file</span> <span class="o">=</span> <span class="n">obj</span><span class="p">[</span><span class="sh">'</span><span class="s">Body</span><span class="sh">'</span><span class="p">].</span><span class="nf">read</span><span class="p">().</span><span class="nf">strip</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="se">\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">df</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nf">read_csv</span><span class="p">(</span><span class="n">io</span><span class="p">.</span><span class="nc">BytesIO</span><span class="p">(</span><span class="n">csv_file</span><span class="p">),</span> <span class="n">low_memory</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="k">return</span> <span class="n">df</span> <span class="k">def</span> <span class="nf">send_db</span><span class="p">(</span><span class="n">df</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Sends the data to the database that only has a date higher than current latest in the db</span><span class="sh">'''</span> <span class="n">latest</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nf">to_datetime</span><span class="p">(</span><span class="nf">get_latest_date</span><span class="p">())</span> <span class="n">data_to_send</span> <span class="o">=</span> <span class="n">df</span><span class="p">[</span><span class="n">df</span><span class="p">[</span><span class="sh">'</span><span class="s">Date</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="n">latest</span><span class="p">]</span> <span class="n">data_to_send</span><span class="p">.</span><span class="nf">apply</span><span class="p">(</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="nf">load_to_db</span><span class="p">(</span><span class="n">x</span><span class="p">),</span> <span class="n">axis</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">data_to_send</span><span class="p">)</span> <span class="k">def</span> <span class="nf">post_to_sns</span><span class="p">(</span><span class="n">message</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Sends the output of the job to an SNS topic which fans out the result to any number of interested message consumers</span><span class="sh">'''</span> <span class="n">response</span> <span class="o">=</span> <span class="n">sns_client</span><span class="p">.</span><span class="nf">publish</span><span class="p">(</span> <span class="n">TargetArn</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">SNS_TOPIC</span><span class="sh">'</span><span class="p">],</span> <span class="n">Message</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">message</span><span class="p">)}),</span> <span class="n">MessageStructure</span><span class="o">=</span><span class="sh">'</span><span class="s">json</span><span class="sh">'</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p>Our workflow starts with instantiating boto3 clients for communicating with other AWS services, its best practice to start your clients outside of the handler to speed up the execution of your function, refer to Lambda best practices <a href="https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html" rel="noopener noreferrer">Here</a></p> <p>Then we define functions to handle downloading the data and saving it to a storage platform, it's also a best practice to not hard code your s3 bucket name into you functions. especially in our case because we use infrastructure as code that creates the bucket on runtime, we don't know the bucket name in advance</p> <p>We then have a function for loading our final dataframe into the database<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">send_db</span><span class="p">(</span><span class="n">df</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Sends the data to the database that only has a date higher than current latest in the db</span><span class="sh">'''</span> <span class="n">latest</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nf">to_datetime</span><span class="p">(</span><span class="nf">get_latest_date</span><span class="p">())</span> <span class="n">data_to_send</span> <span class="o">=</span> <span class="n">df</span><span class="p">[</span><span class="n">df</span><span class="p">[</span><span class="sh">'</span><span class="s">Date</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="n">latest</span><span class="p">]</span> <span class="n">data_to_send</span><span class="p">.</span><span class="nf">apply</span><span class="p">(</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="nf">load_to_db</span><span class="p">(</span><span class="n">x</span><span class="p">),</span> <span class="n">axis</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="sb">`len(data_to_send)`</span> </code></pre> </div> <p>Let's discuss this function in detail, this job runs daily and so we only want to post the new days into the database instead of loading the entire data everytime, to handle this we query the database for its current latest date. and we apply <code>load_to_db(record)</code> only if this record has a date higher than the latest. </p> <p>this way we also have unified logic for initial loading or daily runs. and in the end we want to know how many records we processed by returning <code>len(data_to_send)</code></p> <p>Lastly, we define a function that posts the results of our run to SNS. we will see how we use all these functions in the handler after we define the functions in the other modules</p> <p>Lets inspect out data_transformation module first<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">join_dfs</span><span class="p">(</span><span class="n">df</span><span class="p">,</span> <span class="n">jh</span><span class="p">,</span> <span class="n">col</span><span class="o">=</span><span class="sh">'</span><span class="s">Date</span><span class="sh">'</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Takes in two dataframes and preforms a left join that happens on the Date column, change the col argument for a different column</span><span class="sh">'''</span> <span class="n">final</span> <span class="o">=</span> <span class="n">df</span><span class="p">.</span><span class="nf">merge</span><span class="p">(</span><span class="n">jh</span><span class="p">,</span> <span class="n">on</span><span class="o">=</span><span class="n">col</span><span class="p">,</span> <span class="n">how</span><span class="o">=</span><span class="sh">'</span><span class="s">left</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">final</span> <span class="k">def</span> <span class="nf">change_to_datetime</span><span class="p">(</span><span class="n">df</span><span class="p">,</span> <span class="n">col</span><span class="o">=</span><span class="sh">'</span><span class="s">Date</span><span class="sh">'</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Changes a column in a dataframe to type datetime</span><span class="sh">'''</span> <span class="n">df</span><span class="p">[</span><span class="n">col</span><span class="p">]</span> <span class="o">=</span> <span class="n">df</span><span class="p">[</span><span class="n">col</span><span class="p">].</span><span class="nf">astype</span><span class="p">(</span><span class="sh">'</span><span class="s">datetime64[ns]</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="k">def</span> <span class="nf">rename_cols</span><span class="p">(</span><span class="n">df</span><span class="p">,</span> <span class="n">names_dict</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Renames a group of columns in a df by passing a dict of old names and new names </span><span class="sh">'''</span> <span class="n">df</span><span class="p">.</span><span class="nf">rename</span><span class="p">(</span><span class="n">columns</span><span class="o">=</span><span class="n">names_dict</span><span class="p">,</span> <span class="n">inplace</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="k">def</span> <span class="nf">clean_dataframe</span><span class="p">(</span><span class="n">jh</span><span class="p">,</span> <span class="n">country</span><span class="p">,</span> <span class="n">columns</span><span class="p">,</span> <span class="n">col</span><span class="o">=</span><span class="sh">'</span><span class="s">Country/Region</span><span class="sh">'</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Filters a dataframe column from entries that don</span><span class="sh">'</span><span class="s">t match a specific condition and removes needless columns, used for cleaning the John Hopkins data</span><span class="sh">'''</span> <span class="n">jh</span><span class="p">.</span><span class="nf">drop</span><span class="p">(</span><span class="n">jh</span><span class="p">[</span><span class="n">jh</span><span class="p">[</span><span class="n">col</span><span class="p">]</span> <span class="o">!=</span> <span class="n">country</span><span class="p">].</span><span class="n">index</span><span class="p">,</span> <span class="n">inplace</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">jh</span><span class="p">.</span><span class="nf">drop</span><span class="p">(</span><span class="n">columns</span><span class="p">,</span> <span class="n">axis</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">inplace</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> </code></pre> </div> <p>Our end dataframe should combine the case counts and deaths in the first data source to the recoveries column in the second data source. the second data source also contains data from many countries, for the sake of our case we only want USA data. and so we define functions for dropping the columns and data we don't need, unifying the naming structure and data types in both dataframes, and finally join them together.</p> <p>And now, let's look at our database module<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">psycopg2</span> <span class="c1">#postgres client </span><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">sm</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">secretsmanager</span><span class="sh">'</span><span class="p">)</span> <span class="n">secret</span> <span class="o">=</span> <span class="n">sm</span><span class="p">.</span><span class="nf">get_secret_value</span><span class="p">(</span><span class="n">SecretId</span><span class="o">=</span><span class="sh">'</span><span class="s">postgres-credentials</span><span class="sh">'</span><span class="p">)</span> <span class="n">secrets_dict</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">secret</span><span class="p">[</span><span class="sh">'</span><span class="s">SecretString</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">connect</span><span class="p">():</span> <span class="sh">'''</span><span class="s"> Instantiates a connection to the db</span><span class="sh">'''</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">psycopg2</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span> <span class="n">host</span><span class="o">=</span><span class="n">secrets_dict</span><span class="p">[</span><span class="sh">'</span><span class="s">host</span><span class="sh">'</span><span class="p">],</span> <span class="n">database</span><span class="o">=</span><span class="sh">'</span><span class="s">postgres</span><span class="sh">'</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="n">secrets_dict</span><span class="p">[</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">],</span> <span class="n">password</span><span class="o">=</span><span class="n">secrets_dict</span><span class="p">[</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span> <span class="nf">instantiate_db</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">connect</span><span class="p">()</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">'</span><span class="s">SELECT * FROM covid19 LIMIT 1;</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="k">except</span> <span class="n">UndefinedTable</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">creating table</span><span class="sh">'</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">'''</span><span class="s">CREATE TABLE covid19 ( date TIMESTAMP PRIMARY KEY, cases NUMERIC, deaths NUMERIC, recovered NUMERIC ); INSERT INTO covid19 (date, cases, deaths, recovered) VALUES (</span><span class="sh">'</span><span class="s">2019-01-01</span><span class="sh">'</span><span class="s">, 0, 0, 0);</span><span class="sh">'''</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">def</span> <span class="nf">get_latest_date</span><span class="p">():</span> <span class="sh">'''</span><span class="s"> Returns the current ltest record in the db</span><span class="sh">'''</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">connect</span><span class="p">()</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">'</span><span class="s">SELECT * FROM covid19 ORDER BY date DESC LIMIT 1;</span><span class="sh">'</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchall</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">return</span> <span class="n">results</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="k">def</span> <span class="nf">load_to_db</span><span class="p">(</span><span class="n">row</span><span class="p">):</span> <span class="sh">'''</span><span class="s"> Insert new rows to the db</span><span class="sh">'''</span> <span class="n">conn</span> <span class="o">=</span> <span class="nf">connect</span><span class="p">()</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">'</span><span class="s">INSERT INTO covid19 (date, cases, deaths, recovered) VALUES (%s, %s, %s, %s)</span><span class="sh">'</span><span class="p">,</span> <span class="p">(</span><span class="n">row</span><span class="p">[</span><span class="sh">'</span><span class="s">Date</span><span class="sh">'</span><span class="p">],</span> <span class="n">row</span><span class="p">[</span><span class="sh">'</span><span class="s">cases</span><span class="sh">'</span><span class="p">],</span> <span class="n">row</span><span class="p">[</span><span class="sh">'</span><span class="s">deaths</span><span class="sh">'</span><span class="p">],</span> <span class="n">row</span><span class="p">[</span><span class="sh">'</span><span class="s">Recovered</span><span class="sh">'</span><span class="p">])</span> <span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p>Firstly, we don't have the database credentials hardcoded or even known ahead of deploying. we use AWS's secrets manager to create a secure password for us and retrieve it from the API at runtime. <br> This approach is extremely better for security as the credentials are never visible to anyone and only available during processing</p> <p>After having retrieved the credentials we instantiate a connection using psycopg2, the python API for PostgreSQL<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">connect</span><span class="p">():</span> <span class="sh">'''</span><span class="s"> Instantiates a connection to the db</span><span class="sh">'''</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">psycopg2</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span> <span class="n">host</span><span class="o">=</span><span class="n">secrets_dict</span><span class="p">[</span><span class="sh">'</span><span class="s">host</span><span class="sh">'</span><span class="p">],</span> <span class="n">database</span><span class="o">=</span><span class="sh">'</span><span class="s">postgres</span><span class="sh">'</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="n">secrets_dict</span><span class="p">[</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">],</span> <span class="n">password</span><span class="o">=</span><span class="n">secrets_dict</span><span class="p">[</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="n">conn</span> </code></pre> </div> <p>We return the connection object as its essential for any database operation, this function is a dependency for all other functions in the module.</p> <p>Second, we have a function for creating our table. this function will first attempt to query for the existence of the table and return a random record from it. if it fails to do so due to <code>UndefinedTable</code> it will create the table and insert a dummy record that dates back to before the data in our sources. this is important for the <code>get_latest_date()</code> function to work properly, because if it retrieves this dummy record, initial loading is performed.</p> <p>lastly, we have the actual function that loads a record into the database. this function expects a dataframe row as input.</p> <p>The justification behind this approach is that dataframe operations that involve iteration are slow according to this <a href="https://stackoverflow.com/questions/16476924/how-to-iterate-over-rows-in-a-dataframe-in-pandas" rel="noopener noreferrer">Stackoverflow question</a>.<br> One of the alternatives suggested is to use <code>df.apply(your_function)</code>, which is how we formulate our approach.</p> <p>And now, we look at the actual handler code that executes at invocation of the function<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="nf">download_file</span><span class="p">(</span><span class="sh">'</span><span class="s">https://raw.githubusercontent.com/nytimes/covid-19-data/master/us.csv</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">data.csv</span><span class="sh">'</span><span class="p">)</span> <span class="nf">download_file</span><span class="p">(</span><span class="sh">'</span><span class="s">https://raw.githubusercontent.com/datasets/covid-19/master/data/time-series-19-covid-combined.csv</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">john_hopkins.csv</span><span class="sh">'</span><span class="p">)</span> <span class="n">df</span> <span class="o">=</span> <span class="nf">load_data</span><span class="p">(</span><span class="sh">'</span><span class="s">data/data.csv</span><span class="sh">'</span><span class="p">)</span> <span class="n">jh</span> <span class="o">=</span> <span class="nf">load_data</span><span class="p">(</span><span class="sh">'</span><span class="s">data/john_hopkins.csv</span><span class="sh">'</span><span class="p">)</span> <span class="nf">rename_cols</span><span class="p">(</span><span class="n">df</span><span class="p">,</span> <span class="p">{</span><span class="sh">'</span><span class="s">date</span><span class="sh">'</span><span class="p">:</span><span class="sh">'</span><span class="s">Date</span><span class="sh">'</span><span class="p">})</span> <span class="c1">#unify naming method </span> <span class="nf">clean_dataframe</span><span class="p">(</span><span class="n">jh</span><span class="p">,</span> <span class="sh">'</span><span class="s">US</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">Deaths</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Country/Region</span><span class="sh">'</span> <span class="p">,</span><span class="sh">'</span><span class="s">Province/State</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Confirmed</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># remove needless columns and non US data </span> <span class="nf">change_to_datetime</span><span class="p">(</span><span class="n">df</span><span class="p">)</span> <span class="nf">change_to_datetime</span><span class="p">(</span><span class="n">jh</span><span class="p">)</span> <span class="n">final</span> <span class="o">=</span> <span class="nf">join_dfs</span><span class="p">(</span><span class="n">df</span><span class="p">,</span> <span class="n">jh</span><span class="p">)</span> <span class="nf">instantiate_db</span><span class="p">()</span> <span class="c1"># create the table if it doesnt exist </span> <span class="n">data_sent</span> <span class="o">=</span> <span class="nf">send_db</span><span class="p">(</span><span class="n">final</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="nf">post_to_sns</span><span class="p">(</span><span class="sh">'</span><span class="s">Job ran successfully, Updated {} records in the database</span><span class="sh">'</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span><span class="n">data_sent</span><span class="p">))</span> <span class="c1"># report if successful </span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">res</span> <span class="o">=</span> <span class="nf">post_to_sns</span><span class="p">(</span><span class="sh">'</span><span class="s">Job failed with error: {}</span><span class="sh">'</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span><span class="n">e</span><span class="p">))</span> <span class="c1"># report errors </span></code></pre> </div> <h2> Infrastructure as Code </h2> <p>For this project we use the AWS CDK, a framework by AWS for defining your infrastructure as actual code in your programming language of choice, which is worth saying that it is a true wonder of engineering and i had so much fun using it.<br> However it is worth saying that navigating the <a href="https://docs.aws.amazon.com/cdk/api/v2/python/index.html" rel="noopener noreferrer">docs</a> was extremely tedious and some of the processes are not straight forward. for the sake of keeping the project entirely in Python we deploy CDK in python flavor.</p> <p>Resources in a CDK stack are defined with the following parameters:</p> <ul> <li><p>the construct that will use the resource</p></li> <li><p>an identifier</p></li> <li><p>any properties specific to the resource </p></li> </ul> <p>Learn more about the CDK in this <a href="https://cdkworkshop.com/" rel="noopener noreferrer">workshop</a></p> <p>Let's take a look at our CDK stack<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">CdkStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># Define Lambda layers </span> <span class="n">pandas</span> <span class="o">=</span> <span class="n">lambda_</span><span class="p">.</span><span class="n">LayerVersion</span><span class="p">.</span><span class="nf">from_layer_version_attributes</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">Pandas</span><span class="sh">'</span><span class="p">,</span> <span class="n">layer_version_arn</span><span class="o">=</span><span class="sh">"</span><span class="s">arn:aws:lambda:us-east-1:770693421928:layer:Klayers-p39-pandas:4</span><span class="sh">"</span><span class="p">)</span> <span class="n">requests</span> <span class="o">=</span> <span class="n">lambda_</span><span class="p">.</span><span class="n">LayerVersion</span><span class="p">.</span><span class="nf">from_layer_version_attributes</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">Requests</span><span class="sh">'</span><span class="p">,</span> <span class="n">layer_version_arn</span><span class="o">=</span><span class="sh">"</span><span class="s">arn:aws:lambda:us-east-1:770693421928:layer:Klayers-p39-requests-html:4</span><span class="sh">"</span><span class="p">)</span> <span class="n">psycopg</span> <span class="o">=</span> <span class="n">lambda_</span><span class="p">.</span><span class="n">LayerVersion</span><span class="p">.</span><span class="nf">from_layer_version_attributes</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">Psycopg</span><span class="sh">'</span><span class="p">,</span> <span class="n">layer_version_arn</span><span class="o">=</span><span class="sh">"</span><span class="s">arn:aws:lambda:us-east-1:770693421928:layer:Klayers-p39-psycopg2-binary:1</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Before anything, Huge shoutout to Keith Rozario for providing us with this awesome <a href="https://github.com/keithrozario/Klayers" rel="noopener noreferrer">Repo</a>.<br> where he defined layers for lambda functions to add libraries that doesn't exist by default in the lambda runtime without you having to create them yourself. I used his repo to add the requests, pandas and psycopg2 libraries to the project.</p> <p>Next up, let's define our database..<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># instantiate DB credentials using secrets manager </span> <span class="n">db_secrets</span> <span class="o">=</span> <span class="n">rds</span><span class="p">.</span><span class="nc">DatabaseSecret</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">postgres-secret</span><span class="sh">'</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="sh">'</span><span class="s">postgres</span><span class="sh">'</span><span class="p">,</span> <span class="n">secret_name</span><span class="o">=</span><span class="sh">'</span><span class="s">postgres-credentials</span><span class="sh">'</span> <span class="p">)</span> <span class="c1"># Create the database </span> <span class="n">db</span> <span class="o">=</span> <span class="n">rds</span><span class="p">.</span><span class="nc">DatabaseInstance</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">db</span><span class="sh">"</span><span class="p">,</span> <span class="n">engine</span><span class="o">=</span><span class="n">rds</span><span class="p">.</span><span class="n">DatabaseInstanceEngine</span><span class="p">.</span><span class="nf">postgres</span><span class="p">(</span><span class="n">version</span><span class="o">=</span><span class="n">rds</span><span class="p">.</span><span class="n">PostgresEngineVersion</span><span class="p">.</span><span class="n">VER_13_4</span><span class="p">),</span> <span class="n">instance_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceType</span><span class="p">.</span><span class="nf">of</span><span class="p">(</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceClass</span><span class="p">.</span><span class="n">BURSTABLE3</span><span class="p">,</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InstanceSize</span><span class="p">.</span><span class="n">MICRO</span><span class="p">),</span> <span class="n">credentials</span><span class="o">=</span><span class="n">rds</span><span class="p">.</span><span class="n">Credentials</span><span class="p">.</span><span class="nf">from_secret</span><span class="p">(</span><span class="n">db_secrets</span><span class="p">),</span> <span class="n">vpc</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">vpc</span><span class="sh">'</span><span class="p">),</span> <span class="n">vpc_subnets</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetSelection</span><span class="p">(</span> <span class="n">subnet_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PUBLIC</span> <span class="p">)</span> <span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="n">connections</span><span class="p">.</span><span class="nf">allow_default_port_from_any_ipv4</span><span class="p">()</span> </code></pre> </div> <p>We instantiate the database secret using Secrets Manager and then create the database using this secret using the <code>rds.Credentials.from_secret(db_secrets)</code> method, we also launch this DB in a public subnet for easier reach from AWS Lambda.<br> However in a production setting and in case the database is going to hold sensitive data its best to launch it in a private subnet and configure Lambda to work in your private network, check this <a href="https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#:~:text=When%20you%20connect%20a%20function,enabled%20function%20in%20an%20account." rel="noopener noreferrer">article</a> for more details.</p> <p>And now, let's create our S3 bucket and SNS topic. pretty straight forward<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Create the bucket used to store the data </span> <span class="n">s3_bucket</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">dataBucket</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Create the delivery topic </span> <span class="n">topic</span> <span class="o">=</span> <span class="n">sns</span><span class="p">.</span><span class="nc">Topic</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">'</span><span class="s">deliveryTopic</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>And defining our actual function with appropriate permissions..<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">lambda_role</span> <span class="o">=</span> <span class="n">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">lambda_role</span><span class="sh">"</span><span class="p">,</span> <span class="n">assumed_by</span><span class="o">=</span><span class="n">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="sh">"</span><span class="s">lambda.amazonaws.com</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="n">lambda_role</span><span class="p">.</span><span class="nf">add_to_policy</span><span class="p">(</span><span class="n">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">(</span> <span class="n">resources</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">actions</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">s3:GetObject</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">s3:PutObject</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sns:Publish</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">secretsmanager:GetSecretValue</span><span class="sh">"</span><span class="p">]</span> <span class="p">))</span> <span class="n">function</span> <span class="o">=</span> <span class="n">lambda_</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">Serverless-ETL</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">lambda_</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_9</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">lambda_</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span><span class="sh">"</span><span class="s">./code</span><span class="sh">"</span><span class="p">),</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">lambda_function.lambda_handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">layers</span><span class="o">=</span><span class="p">[</span><span class="n">pandas</span><span class="p">,</span> <span class="n">requests</span><span class="p">,</span> <span class="n">psycopg</span><span class="p">],</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="n">role</span><span class="o">=</span><span class="n">lambda_role</span><span class="p">,</span> <span class="n">memory_size</span><span class="o">=</span><span class="mi">512</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">S3_BUCKET</span><span class="sh">'</span><span class="p">:</span><span class="n">s3_bucket</span><span class="p">.</span><span class="n">bucket_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">SNS_TOPIC</span><span class="sh">'</span><span class="p">:</span> <span class="n">topic</span><span class="p">.</span><span class="n">topic_arn</span> <span class="p">}</span> <span class="p">)</span> <span class="c1"># allow our function to post to sns </span><span class="n">topic</span><span class="p">.</span><span class="nf">grant_publish</span><span class="p">(</span><span class="n">function</span><span class="p">)</span> </code></pre> </div> <p>As we see here, the bucket name and SNS topic ARN are passed to the function on deployment through its environment variables. and we load the lambda code saved in a folder in the directory called "code" using the method <code>lambda_.Code.from_asset("./code")</code>. we also configure the function with 512MB of memory, this is because this function instantiates several clients and they take up alot of memory to work with.</p> <p>Lastly, we define the Eventbridge rule to trigger our function<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># Create the event rule and schedule </span> <span class="n">rule</span> <span class="o">=</span> <span class="n">events</span><span class="p">.</span><span class="nc">Rule</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">Rule</span><span class="sh">"</span><span class="p">,</span> <span class="n">schedule</span><span class="o">=</span><span class="n">events</span><span class="p">.</span><span class="n">Schedule</span><span class="p">.</span><span class="nf">expression</span><span class="p">(</span><span class="sh">'</span><span class="s">cron(0 0 * * ? *)</span><span class="sh">'</span><span class="p">),</span> <span class="p">)</span> <span class="n">rule</span><span class="p">.</span><span class="nf">add_target</span><span class="p">(</span><span class="n">targets</span><span class="p">.</span><span class="nc">LambdaFunction</span><span class="p">(</span><span class="n">function</span><span class="p">))</span> </code></pre> </div> <h2> Continuous Delivery </h2> <p>The beauty of using the AWS CDK as your tool of choice for deploying is its simplicity in use and maintaining of infrastructure state using Cloudformation changesets. You can read more about them <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-changesets.html" rel="noopener noreferrer">here</a></p> <p>The only commands we need to launch our infrastructure are <code>cdk diff</code> to detect changes and <code>cdk deploy</code> to commit changes. we can wrap these commands in a nice and easy Github actions workflow as after having configured your AWS access keys in Github. here's a <a href="https://github.com/aws-actions/configure-aws-credentials" rel="noopener noreferrer">link</a> explaining how its done.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># run only on commits to main</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">main"</span> <span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">main"</span> <span class="pi">]</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">aws-cdk</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check out repository code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cdk diff</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">youyo/aws-cdk-github-actions@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">cdk_version</span><span class="pi">:</span> <span class="s">2.28.1</span> <span class="na">cdk_subcommand</span><span class="pi">:</span> <span class="s1">'</span><span class="s">diff'</span> <span class="na">cdk_stack</span><span class="pi">:</span> <span class="s">CdkStack</span> <span class="na">actions_comment</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">env</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">AWS_DEFAULT_REGION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">us-east-1'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cdk deploy</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">youyo/aws-cdk-github-actions@v2.1.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">cdk_version</span><span class="pi">:</span> <span class="s">2.28.1</span> <span class="na">cdk_subcommand</span><span class="pi">:</span> <span class="s1">'</span><span class="s">deploy'</span> <span class="na">cdk_stack</span><span class="pi">:</span> <span class="s1">'</span><span class="s">CdkStack'</span> <span class="na">cdk_args</span><span class="pi">:</span> <span class="s1">'</span><span class="s">--require-approval</span><span class="nv"> </span><span class="s">never'</span> <span class="na">actions_comment</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">env</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">AWS_DEFAULT_REGION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">us-east-1</span> </code></pre> </div> <p>This workflow uses actions from the actions marketplace, find out more <a href="https://github.com/marketplace/actions/aws-cdk-github-actions" rel="noopener noreferrer">here</a>. For every new commit to change our code for the function or the infrastructure, the CDK CLI will run and show us what changed and will deploy these changes to your account.</p> <p>In the end i hooked up Amazon Quicksight to my RDS database to extract insights on the data. RDS integrates with Quicksight very seamlessly<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rundyf62akezrl97hbg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rundyf62akezrl97hbg.png" alt="BI reporting"></a></p> <h2> Conclusion </h2> <p>Modern cloud infrastructure is being pushed to entirely new limits and possibilities and its only up to your imagination how you will use it. I have enjoyed a lot and learned so much while creating this. all the code for this article can be found in this <a href="https://github.com/aerosouund/serverless-etl-cdk" rel="noopener noreferrer">Repo</a></p> serverless aws cdk python