DEV Community: Goodluck Ekeoma Adiole The latest articles on DEV Community by Goodluck Ekeoma Adiole (@goodluck_ekeoma_2c98866d0). https://dev.to/goodluck_ekeoma_2c98866d0 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2224953%2Fe6bff451-51f2-4bee-afb0-24901c7448ab.jpeg DEV Community: Goodluck Ekeoma Adiole https://dev.to/goodluck_ekeoma_2c98866d0 en AKS DISASTER RECOVERY USING VELERO Goodluck Ekeoma Adiole Wed, 29 Oct 2025 08:47:54 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/aks-disaster-recovery-using-velero-3o09 https://dev.to/goodluck_ekeoma_2c98866d0/aks-disaster-recovery-using-velero-3o09 <p>This documentation teaches you Velero from the ground up and show you exactly how to install it and use it to back up an AKS cluster. I will assume you’re a beginner, so I created the documentation to explain what each step does and give you copy-paste commands. I’ll also point out important choices (CSI snapshots vs Restic) and recommend a simple path you can follow.</p> <p><strong>Notes before we start</strong></p> <ul> <li>These instructions show the common Azure/AKS flow: Velero stores backups in an <strong>Azure Storage account (blob container)</strong> and runs inside your AKS cluster. ([Velero][2])</li> </ul> <h1> 1) Prerequisites (what you need first) </h1> <p>Make sure you have these on your laptop or a management machine:</p> <ol> <li> <code>kubectl</code> configured to talk to the AKS cluster (you should be able to run <code>kubectl get nodes</code>).</li> <li>Azure CLI (<code>az</code>) logged in as a user that can create resources and assign roles: <code>az login</code>.</li> <li> <code>helm</code> (optional — we’ll use Velero CLI approach, not helm).</li> <li>A shell (bash) and ability to create files locally.</li> <li>The Velero CLI binary (we’ll install it below).</li> <li>(Optional) <code>jq</code> helps with JSON parsing in examples.</li> </ol> <p>If any of the above are missing, install them first. The Velero docs and AKS docs show these prerequisites. ([Velero][3])</p> <h1> 2) High-level plan (what we’ll do) </h1> <ol> <li>Install Velero CLI locally.</li> <li>Create an Azure Storage account + blob container to hold backups.</li> <li>Create Azure credentials for Velero (service principal or storage key).</li> <li>Install Velero server into AKS with the Azure plugin (and optionally Restic or CSI snapshot support).</li> <li>Make a test backup of a namespace / sample app.</li> <li>Restore from that backup.</li> <li>(Optional) Set a schedule and check/monitor backups.</li> </ol> <p>Key docs (used to craft commands): Velero install docs, Velero Azure config, Velero backup/restore docs, and AKS guidance. ([Velero][3])</p> <h1> 3) Install the Velero CLI (local machine) </h1> <p>Pick the latest Velero release from the Velero releases page, then download &amp; install. Replace <code>vX.Y.Z</code> with the release version (e.g. <code>v1.16.0</code> — check releases page). Example for Linux x86_64:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># example: change v1.16.0 to the version you choose</span> <span class="nv">VERSION</span><span class="o">=</span><span class="s2">"v1.16.0"</span> curl <span class="nt">-LO</span> https://github.com/vmware-tanzu/velero/releases/download/<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>/velero-<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span><span class="nt">-linux-amd64</span>.tar.gz <span class="nb">tar</span> <span class="nt">-xvf</span> velero-<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span><span class="nt">-linux-amd64</span>.tar.gz <span class="nb">sudo mv </span>velero-<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span><span class="nt">-linux-amd64</span>/velero /usr/local/bin/velero velero version </code></pre> </div> <p>On macOS you can use <code>brew install velero</code>. The official docs show the same options. ([Velero][3])</p> <h1> 4) Create Azure storage (backup target) </h1> <p>Velero needs an object store. We’ll create a resource group, storage account, and a blob container.</p> <p>Create a Storage Location for Backups</p> <p>Velero needs a storage location — typically an Azure Blob Storage container.</p> <p>Set environment variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>export AZURE_RESOURCE_GROUP=&lt;your-resource-group&gt; export AZURE_STORAGE_ACCOUNT_ID=&lt;your-storage-account-name&gt; export BLOB_CONTAINER=&lt;your-container-name&gt; export AZURE_SUBSCRIPTION_ID=&lt;your-subscription-id&gt; export AZURE_TENANT_ID=&lt;your-tenant-id&gt; export AZURE_CLIENT_ID=&lt;your-app-client-id&gt; export AZURE_CLIENT_SECRET=&lt;your-app-client-secret&gt; </code></pre> </div> <p>(These credentials come from your Azure AD app with permissions to the storage account.)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># variables - change values to your naming</span> <span class="nv">SUBSCRIPTION_ID</span><span class="o">=</span><span class="si">$(</span>az account show <span class="nt">--query</span> <span class="nb">id</span> <span class="nt">-o</span> tsv<span class="si">)</span> <span class="nv">RESOURCE_GROUP</span><span class="o">=</span><span class="s2">"velero-backups-rg"</span> <span class="nv">LOCATION</span><span class="o">=</span><span class="s2">"eastus"</span> <span class="c"># choose your Azure region</span> <span class="nv">STORAGE_ACCOUNT</span><span class="o">=</span><span class="s2">"velerobackups</span><span class="nv">$RANDOM</span><span class="s2">"</span> <span class="c"># must be globally unique, lower case, numbers</span> <span class="nv">CONTAINER</span><span class="o">=</span><span class="s2">"velero"</span> <span class="c"># create resource group</span> az group create <span class="nt">-n</span> <span class="nv">$RESOURCE_GROUP</span> <span class="nt">-l</span> <span class="nv">$LOCATION</span> <span class="c"># create storage account</span> az storage account create <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$STORAGE_ACCOUNT</span> <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RESOURCE_GROUP</span> <span class="se">\</span> <span class="nt">--sku</span> Standard_LRS <span class="se">\</span> <span class="nt">--encryption-services</span> blob <span class="se">\</span> <span class="nt">--https-only</span> <span class="nb">true</span> <span class="c"># create blob container</span> az storage container create <span class="se">\</span> <span class="nt">--account-name</span> <span class="nv">$STORAGE_ACCOUNT</span> <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$CONTAINER</span> </code></pre> </div> <p>Velero requires the storage account and container to store backup tarballs and metadata. The Velero Azure plugin docs and Microsoft guidance explain this. ([GitHub][4])</p> <h1> 5) Create Azure credentials for Velero (service principal recommended) </h1> <p>Velero needs permissions to write blobs and manage snapshots (if using CSI snapshots). We’ll create a Service Principal (SP) and give it the <strong>Storage Blob Data Contributor</strong> role on the storage account and (if you want snapshotting) appropriate snapshot permissions in the AKS infrastructure resource group (the MC_* resource group AKS created).</p> <p><strong>Create SP and give access to the storage account</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># create service principal (output will include appId, password, tenant)</span> <span class="nv">AZURE_SP_NAME</span><span class="o">=</span><span class="s2">"velero-sp-</span><span class="nv">$RANDOM</span><span class="s2">"</span> az ad sp create-for-rbac <span class="nt">--name</span> <span class="nv">$AZURE_SP_NAME</span> <span class="nt">--role</span> <span class="s2">"Contributor"</span> <span class="nt">--scopes</span> <span class="s2">"/subscriptions/</span><span class="nv">$SUBSCRIPTION_ID</span><span class="s2">/resourceGroups/</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">"</span> <span class="nt">-o</span> json <span class="o">&gt;</span> velero-sp.json </code></pre> </div> <blockquote> <p>Note: using the <code>"Contributor"</code> role on the resource group is broad — for production you should scope further and create a custom role that grants only the needed permissions (blob write/list/read, snapshots). Many guides assign <code>Storage Blob Data Contributor</code> on storage account and <code>Contributor</code> or a custom role on the AKS resource group for snapshotting. ([DEV Community][5])</p> </blockquote> <p>Create a file in the format Velero expects (an example <code>credentials-velero</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Example using service principal credentials</span> <span class="c"># Replace values from velero-sp.json</span> <span class="nv">AZ_CLIENT_ID</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> .appId velero-sp.json<span class="si">)</span> <span class="nv">AZ_CLIENT_SECRET</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> .password velero-sp.json<span class="si">)</span> <span class="nv">AZ_TENANT_ID</span><span class="o">=</span><span class="si">$(</span>jq <span class="nt">-r</span> .tenant velero-sp.json<span class="si">)</span> <span class="nb">cat</span> <span class="o">&gt;</span> credentials-velero <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> AZURE_SUBSCRIPTION_ID=</span><span class="k">${</span><span class="nv">SUBSCRIPTION_ID</span><span class="k">}</span><span class="sh"> AZURE_TENANT_ID=</span><span class="k">${</span><span class="nv">AZ_TENANT_ID</span><span class="k">}</span><span class="sh"> AZURE_CLIENT_ID=</span><span class="k">${</span><span class="nv">AZ_CLIENT_ID</span><span class="k">}</span><span class="sh"> AZURE_CLIENT_SECRET=</span><span class="k">${</span><span class="nv">AZ_CLIENT_SECRET</span><span class="k">}</span><span class="sh"> AZURE_RESOURCE_GROUP=</span><span class="k">${</span><span class="nv">RESOURCE_GROUP</span><span class="k">}</span><span class="sh"> AZURE_CLOUD_NAME=AzurePublicCloud </span><span class="no">EOF </span></code></pre> </div> <p>Velero can alternatively use a storage account key instead of SP; plugin docs show both options. ([GitHub][4])</p> <h1> 6) Decide: CSI snapshots vs Restic </h1> <ul> <li> <strong>CSI Volume Snapshot</strong>: snapshot of the underlying cloud disk (fast restores). Requires the CSI snapshot driver and permissions; better for block volumes (e.g., Azure Disk). You must enable the <code>EnableCSI</code> feature flag when installing Velero. ([Velero][6])</li> <li> <strong>Restic</strong>: Velero integrates restic to copy file-level data from pods to object storage. Simpler to enable (<code>--use-restic</code>) and works when snapshot support is not available, but it’s slower and requires restic to run as init/daemon pods. ([Velero][7])</li> </ul> <p><strong>For a beginner on AKS</strong>: if your AKS cluster has the Azure CSI drivers and supports snapshots, prefer <strong>CSI snapshots</strong> for PVs. If you’re unsure or want a simpler setup, enable <strong>Restic</strong> (it’s easier to get started). I’ll show the install command enabling Restic; I’ll also show how to enable CSI in case you want that.</p> <h1> 7) Install Velero into AKS (server components) </h1> <p>Run this from your local machine (the <code>velero</code> CLI will push server components into the cluster). Replace placeholders:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># variables used in install</span> <span class="nv">BUCKET</span><span class="o">=</span><span class="s2">"</span><span class="nv">$CONTAINER</span><span class="s2">"</span> <span class="nv">BACKUP_RG</span><span class="o">=</span><span class="s2">"</span><span class="nv">$RESOURCE_GROUP</span><span class="s2">"</span> <span class="nv">STORAGE_ACCOUNT</span><span class="o">=</span><span class="s2">"</span><span class="nv">$STORAGE_ACCOUNT</span><span class="s2">"</span> <span class="nv">SECRET_FILE</span><span class="o">=</span><span class="s2">"./credentials-velero"</span> <span class="c"># Basic install with Azure plugin + restic</span> velero <span class="nb">install</span> <span class="se">\</span> <span class="nt">--provider</span> azure <span class="se">\</span> <span class="nt">--plugins</span> velero/velero-plugin-for-microsoft-azure:v1.11.1 <span class="se">\</span> <span class="nt">--bucket</span> <span class="nv">$BUCKET</span> <span class="se">\</span> <span class="nt">--secret-file</span> <span class="nv">$SECRET_FILE</span> <span class="se">\</span> <span class="nt">--backup-location-config</span> <span class="nv">resourceGroup</span><span class="o">=</span><span class="nv">$BACKUP_RG</span>,storageAccount<span class="o">=</span><span class="nv">$STORAGE_ACCOUNT</span> <span class="se">\</span> <span class="nt">--use-restic</span> </code></pre> </div> <p><strong>Notes &amp; options</strong></p> <ul> <li> <code>--plugins</code> points to the velero Azure plugin image. Use the plugin version that matches Velero best (check release notes). ([GitHub][4])</li> <li>To enable CSI snapshotting instead of (or in addition to) restic, add <code>--features=EnableCSI</code> and appropriate <code>--snapshot-location-config</code> values for Azure (specify the resourceGroup where snapshots belong). Example: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Example install with CSI support (instead of restic)</span> velero <span class="nb">install</span> <span class="se">\</span> <span class="nt">--provider</span> azure <span class="se">\</span> <span class="nt">--plugins</span> velero/velero-plugin-for-microsoft-azure:v1.11.1 <span class="se">\</span> <span class="nt">--bucket</span> <span class="nv">$BUCKET</span> <span class="se">\</span> <span class="nt">--secret-file</span> <span class="nv">$SECRET_FILE</span> <span class="se">\</span> <span class="nt">--backup-location-config</span> <span class="nv">resourceGroup</span><span class="o">=</span><span class="nv">$BACKUP_RG</span>,storageAccount<span class="o">=</span><span class="nv">$STORAGE_ACCOUNT</span> <span class="se">\</span> <span class="nt">--snapshot-location-config</span> <span class="nv">resourceGroup</span><span class="o">=</span>MC_myAksRG_myAksCluster_westeurope <span class="se">\</span> <span class="nt">--features</span><span class="o">=</span>EnableCSI </code></pre> </div> <ul> <li>If you use both, Velero can snapshot volumes via CSI when possible and fall back to restic if needed.</li> </ul> <p>The <code>velero install</code> guide and Azure config pages show these flags in detail. ([Velero][8])</p> <h1> 8) Verify Velero server is running </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> velero kubectl get deployments <span class="nt">-n</span> velero </code></pre> </div> <p>You should see <code>velero</code> pods (and <code>restic</code> pods if you used <code>--use-restic</code>). If pods are CrashLooping, check logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs deploy/velero <span class="nt">-n</span> velero </code></pre> </div> <p>If install succeeded, Velero is now watching your cluster and ready to back up resources.</p> <h1> 9) Test: deploy a sample app (optional but recommended) </h1> <p>Deploy a small nginx deployment in namespace <code>test-app</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create ns test-app kubectl <span class="nt">-n</span> test-app apply <span class="nt">-f</span> - <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> apiVersion: apps/v1 kind: Deployment metadata: name: nginx spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.21 ports: - containerPort: 80 </span><span class="no">EOF </span></code></pre> </div> <p>Wait until pod is <code>Running</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">-n</span> test-app get pods <span class="nt">-w</span> </code></pre> </div> <h1> 10) Create a backup with Velero </h1> <p>Simple namespace backup (this will back up Kubernetes resources; if you used <code>--use-restic</code> or CSI snapshotting, PVs will be saved accordingly):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># create a one-off backup of namespace test-app</span> velero backup create test-app-backup <span class="nt">--include-namespaces</span> test-app <span class="nt">--wait</span> <span class="c"># check backup status</span> velero backup describe test-app-backup <span class="nt">--details</span> velero backup logs test-app-backup </code></pre> </div> <p>Important flags:</p> <ul> <li> <code>--snapshot-volumes</code> can be added to ensure volumes are snapshotted (if CSI snapshotting is supported).</li> <li> <code>--wait</code> makes the command wait until backup completes or fails.</li> </ul> <p>Velero backup/restore docs explain scheduling, including/excluding resources, and common flags. ([Velero][9])</p> <h1> 11) Simulate disaster &amp; restore </h1> <p>Delete the namespace / app and restore:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># delete the namespace to simulate data loss</span> kubectl delete ns test-app <span class="c"># restore from the backup</span> velero restore create <span class="nt">--from-backup</span> test-app-backup <span class="nt">--wait</span> <span class="c"># watch the restore progress and logs</span> velero restore describe &lt;restore-name&gt; <span class="nt">--details</span> velero restore logs &lt;restore-name&gt; </code></pre> </div> <p>Replace <code>&lt;restore-name&gt;</code> with the name Velero gave to the restore (or use the name you supplied). After restore completes, check resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get all <span class="nt">-n</span> test-app </code></pre> </div> <p>This demonstrates a full backup → delete → restore workflow. Velero restore docs explain API fields and options. ([Velero][10])</p> <h1> 12) Useful Velero commands (cheat sheet) </h1> <ul> <li> <code>velero backup create &lt;name&gt; --include-namespaces &lt;ns&gt; --wait</code> — create backup.</li> <li> <code>velero backup get</code> — list backups.</li> <li> <code>velero backup describe &lt;name&gt;</code> — see details.</li> <li> <code>velero backup logs &lt;name&gt;</code> — logs for that backup.</li> <li> <code>velero restore create --from-backup &lt;name&gt; --wait</code> — restore backup.</li> <li> <code>velero restore logs &lt;name&gt;</code> — restore logs.</li> <li> <code>velero schedule create &lt;sched-name&gt; --schedule "0 2 * * *" --include-namespaces &lt;ns&gt;</code> — create scheduled backups.</li> <li> <code>kubectl -n velero get pods</code> — see Velero pods. (Official docs contain many more options.) ([Velero][9])</li> </ul> <h1> 13) Production considerations &amp; tips </h1> <ul> <li> <strong>Credentials &amp; least privilege</strong>: Create a minimal custom role for Velero rather than broad Contributor. Limit the scope to the storage account and the resource group that needs snapshot permissions. ([DEV Community][5])</li> <li> <strong>Test restores regularly</strong> — a backup that hasn’t been restored is not proven.</li> <li> <strong>Retention &amp; lifecycle</strong> — configure retention policies and lifecycle on storage to avoid runaway costs.</li> <li> <strong>Monitor &amp; alerts</strong> — watch Velero backups and failures; integrate with monitoring/alerts.</li> <li> <strong>Storage costs</strong> — backups in Azure Blob incur storage and egress costs; plan accordingly.</li> <li> <strong>Snapshots vs restic</strong> — prefer CSI snapshots where possible (faster, cloud-native), but use restic when snapshots are unavailable or for file-level backups. ([Velero][6])</li> </ul> <h1> 14) Troubleshooting quick hits </h1> <ul> <li>Velero pods CrashLoop? <code>kubectl logs deploy/velero -n velero</code> — common causes: bad credentials file, plugin image mismatch, or permission error.</li> <li>Restic issues: ensure restic DaemonSet is present and pods run; check annotations to include/exclude volumes. ([Velero][7])</li> <li>PVs not snapshotted: ensure CSI snapshot driver installed and <code>EnableCSI</code> feature is turned on in install. See CSI docs. ([Velero][6])</li> </ul> <h1> 15) Short checklist you can copy &amp; paste </h1> <ol> <li><code>az login</code></li> <li> <code>kubectl config current-context</code> (should point to your AKS cluster)</li> <li>Create storage account &amp; container (step 4 commands)</li> <li>Create SP &amp; credentials file (step 5 commands)</li> <li><code>velero install ... --provider azure --plugins velero/velero-plugin-for-microsoft-azure:... --bucket &lt;name&gt; --secret-file ./credentials-velero --backup-location-config resourceGroup=&lt;rg&gt;,storageAccount=&lt;sa&gt; --use-restic</code></li> <li> <code>kubectl get pods -n velero</code> ✅</li> <li>Deploy test app, <code>velero backup create ... --wait</code> </li> <li> <code>velero restore create --from-backup ... --wait</code> ✅</li> </ol> kubernetes azure devops tutorial Encrypt secrets stored in etcd with a Key Vault key Goodluck Ekeoma Adiole Mon, 01 Sep 2025 08:03:21 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/encrypt-secrets-stored-in-etcd-with-a-key-vault-key-j9 https://dev.to/goodluck_ekeoma_2c98866d0/encrypt-secrets-stored-in-etcd-with-a-key-vault-key-j9 <blockquote> <ul> <li>AKS uses the <strong>KMS (Key Management Service) plugin</strong> to encrypt secrets stored in etcd with a Key Vault key (your CMK). See Microsoft’s KMS docs. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</li> <li> <strong>KMS requires a user-assigned managed identity</strong> (system-assigned identities are not supported for KMS). You must grant that identity key permissions on the Key Vault before enabling KMS. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</li> <li> <strong>DO NOT</strong> delete the Key or Key Vault once KMS is turned on — doing so will make secrets unrecoverable. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</li> </ul> </blockquote> <h1> Quick variable setup (copy/paste and edit) </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># your cluster info (already provided)</span> <span class="nv">RG</span><span class="o">=</span><span class="s2">"MiddleWare-Dev-RG"</span> <span class="nv">CLUSTER</span><span class="o">=</span><span class="s2">"hil-middleware-staging-cluster"</span> <span class="nv">LOCATION</span><span class="o">=</span><span class="s2">"&lt;your-azure-location&gt;"</span> <span class="c"># e.g. eastus2</span> <span class="c"># choose names</span> <span class="nv">KV_NAME</span><span class="o">=</span><span class="s2">"&lt;your-keyvault-name&gt;"</span> <span class="nv">KEY_NAME</span><span class="o">=</span><span class="s2">"&lt;your-key-name&gt;"</span> <span class="nv">IDENTITY_NAME</span><span class="o">=</span><span class="s2">"&lt;your-user-identity-name&gt;"</span> </code></pre> </div> <h1> Step 1 — Ensure Azure CLI is new enough </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az <span class="nt">--version</span> <span class="c"># need recent az (see docs), update if old</span> </code></pre> </div> <h1> Step 2 — Create Key Vault + Key (public example) </h1> <p>(If you prefer a private Key Vault, I list the extra args afterwards.)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create key vault (public network access)</span> az keyvault create <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$KV_NAME</span> <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="se">\</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> <span class="c"># Create an RSA key in the vault</span> az keyvault key create <span class="se">\</span> <span class="nt">--vault-name</span> <span class="nv">$KV_NAME</span> <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$KEY_NAME</span> <span class="se">\</span> <span class="nt">--kty</span> RSA </code></pre> </div> <p>Save the key id:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">KEY_ID</span><span class="o">=</span><span class="si">$(</span>az keyvault key show <span class="nt">--vault-name</span> <span class="nv">$KV_NAME</span> <span class="nt">--name</span> <span class="nv">$KEY_NAME</span> <span class="nt">--query</span> <span class="s1">'key.kid'</span> <span class="nt">-o</span> tsv<span class="si">)</span> <span class="nb">echo</span> <span class="nv">$KEY_ID</span> <span class="c"># you'll pass this to az aks update</span> </code></pre> </div> <p>(Private vault: <code>az keyvault create --public-network-access Disabled</code> and you’ll need API Server VNet Integration on AKS — see docs. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>))</p> <h1> Step 3 — Create a user-assigned managed identity (required for KMS) </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az identity create <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="nt">--name</span> <span class="nv">$IDENTITY_NAME</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> <span class="nv">IDENTITY_PRINCIPAL_ID</span><span class="o">=</span><span class="si">$(</span>az identity show <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="nt">--name</span> <span class="nv">$IDENTITY_NAME</span> <span class="nt">--query</span> principalId <span class="nt">-o</span> tsv<span class="si">)</span> <span class="nv">IDENTITY_RESOURCE_ID</span><span class="o">=</span><span class="si">$(</span>az identity show <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="nt">--name</span> <span class="nv">$IDENTITY_NAME</span> <span class="nt">--query</span> <span class="nb">id</span> <span class="nt">-o</span> tsv<span class="si">)</span> <span class="nb">echo</span> <span class="nv">$IDENTITY_PRINCIPAL_ID</span> <span class="nb">echo</span> <span class="nv">$IDENTITY_RESOURCE_ID</span> </code></pre> </div> <h1> Step 4 — Grant the identity permissions on the Key Vault </h1> <p>Choose the correct method depending on whether your Key Vault uses Access Policies (classic) or RBAC.</p> <p><strong>If the vault uses access policies (default):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az keyvault set-policy <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$KV_NAME</span> <span class="se">\</span> <span class="nt">--object-id</span> <span class="nv">$IDENTITY_PRINCIPAL_ID</span> <span class="se">\</span> <span class="nt">--key-permissions</span> decrypt encrypt </code></pre> </div> <p><strong>If the vault uses RBAC (you created it with <code>--enable-rbac-authorization true</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">KEYVAULT_RESOURCE_ID</span><span class="o">=</span><span class="si">$(</span>az keyvault show <span class="nt">--name</span> <span class="nv">$KV_NAME</span> <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="nt">--query</span> <span class="nb">id</span> <span class="nt">-o</span> tsv<span class="si">)</span> az role assignment create <span class="se">\</span> <span class="nt">--assignee-object-id</span> <span class="nv">$IDENTITY_PRINCIPAL_ID</span> <span class="se">\</span> <span class="nt">--assignee-principal-type</span> ServicePrincipal <span class="se">\</span> <span class="nt">--role</span> <span class="s2">"Key Vault Crypto User"</span> <span class="se">\</span> <span class="nt">--scope</span> <span class="nv">$KEYVAULT_RESOURCE_ID</span> </code></pre> </div> <p>(Documentation shows both approaches — pick the one matching your Key Vault config.) (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</p> <h1> Step 5 — Attach the user-assigned identity to the AKS cluster </h1> <p>KMS requires a user-assigned identity; attach it to the control plane:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks update <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="se">\</span> <span class="nt">--enable-managed-identity</span> <span class="se">\</span> <span class="nt">--assign-identity</span> <span class="nv">$IDENTITY_RESOURCE_ID</span> </code></pre> </div> <p>You can confirm the identity was attached:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks show <span class="nt">-g</span> <span class="nv">$RG</span> <span class="nt">-n</span> <span class="nv">$CLUSTER</span> <span class="nt">--query</span> identity </code></pre> </div> <p>(If your cluster already used system-assigned identity, switching to / adding user-assigned can cause the control plane to reconfigure; monitor the cluster resource state via <code>az aks show</code>.) (<a href="https://learn.microsoft.com/en-us/azure/aks/use-managed-identity?utm_source=chatgpt.com" rel="noopener noreferrer">Microsoft Learn</a>)</p> <h1> Step 6 — Enable KMS (turn on Azure KeyVault KMS for etcd) </h1> <p>For a <strong>public</strong> Key Vault:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks update <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="se">\</span> <span class="nt">--enable-azure-keyvault-kms</span> <span class="se">\</span> <span class="nt">--azure-keyvault-kms-key-vault-network-access</span> <span class="s2">"Public"</span> <span class="se">\</span> <span class="nt">--azure-keyvault-kms-key-id</span> <span class="s2">"</span><span class="nv">$KEY_ID</span><span class="s2">"</span> </code></pre> </div> <p>For a <strong>private</strong> Key Vault (requires API server VNet integration and vault resource id):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">KEYVAULT_RESOURCE_ID</span><span class="o">=</span><span class="si">$(</span>az keyvault show <span class="nt">--name</span> <span class="nv">$KV_NAME</span> <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="nt">--query</span> <span class="nb">id</span> <span class="nt">-o</span> tsv<span class="si">)</span> az aks update <span class="se">\</span> <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="se">\</span> <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="se">\</span> <span class="nt">--enable-azure-keyvault-kms</span> <span class="se">\</span> <span class="nt">--azure-keyvault-kms-key-vault-network-access</span> <span class="s2">"Private"</span> <span class="se">\</span> <span class="nt">--azure-keyvault-kms-key-id</span> <span class="s2">"</span><span class="nv">$KEY_ID</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--azure-keyvault-kms-key-vault-resource-id</span> <span class="s2">"</span><span class="nv">$KEYVAULT_RESOURCE_ID</span><span class="s2">"</span> </code></pre> </div> <p>After this command completes, KMS will be enabled and AKS will use that Key Vault key for encrypting secrets in etcd. See the official KMS doc for the exact flags. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</p> <h1> Step 7 — Re-encrypt existing secrets (important) </h1> <p>Secrets created <em>before</em> KMS was enabled remain encrypted with the old mechanism. Run this to update them (you can scope to namespaces if desired):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secrets <span class="nt">--all-namespaces</span> <span class="nt">-o</span> json | kubectl replace <span class="nt">-f</span> - </code></pre> </div> <p>If you have many secrets, consider doing namespace-by-namespace to reduce blast radius. The docs recommend re-replacing secrets after enabling KMS. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</p> <h1> Step 8 — Verify status via CLI (recommended) </h1> <p>Check the AKS resource for the KMS block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks show <span class="nt">--resource-group</span> <span class="nv">$RG</span> <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="nt">--query</span> <span class="s2">"securityProfile.azureKeyVaultKms"</span> <span class="nt">-o</span> json </code></pre> </div> <p>Expected output when enabled (example):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"keyId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://&lt;vault&gt;.vault.azure.net/keys/&lt;key&gt;/&lt;version&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"networkAccess"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Public"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You can also inspect the whole cluster JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks show <span class="nt">-g</span> <span class="nv">$RG</span> <span class="nt">-n</span> <span class="nv">$CLUSTER</span> <span class="nt">-o</span> json | jq <span class="s1">'.securityProfile'</span> </code></pre> </div> <p>If the <code>azureKeyVaultKms</code> object appears, KMS is active. (This matches guidance in the Microsoft KMS doc.) (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>, <a href="https://github.com/Azure/kubernetes-kms/issues/99?utm_source=chatgpt.com" rel="noopener noreferrer">GitHub</a>)</p> <h1> Step 9 — Verify in Azure Portal (if you still want the Portal) </h1> <ul> <li>The Portal UI may <strong>not</strong> show a dedicated "Encryption" blade for older clusters. If a blade appears for newer clusters it will be under the cluster Settings → Security/Encryption area.</li> <li>The reliable method is CLI/JSON as above, or open the cluster resource in the Portal, click <strong>“JSON View”</strong> (or “Export template”), and inspect <code>properties.securityProfile.azureKeyVaultKms</code>. If present, CMK/KMS is configured. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</li> </ul> <h1> Safety &amp; operational cautions (read these) </h1> <ul> <li> <strong>Do not delete</strong> the Key or Vault while KMS is enabled — you will break access to secrets and potentially make the cluster unusable. The docs warn strongly about this. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</li> <li>If you rotate the key (new version), update the cluster with <code>az aks update --enable-azure-keyvault-kms --azure-keyvault-kms-key-id $NEW_KEY_ID</code> and re-replace secrets as noted. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</li> <li>If your Key Vault uses firewall rules / private endpoints, follow the API Server VNet Integration guidance in the docs before enabling KMS. (<a href="https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption" rel="noopener noreferrer">Microsoft Learn</a>)</li> </ul> <h1> Helpful one-liners (copy/paste) </h1> <ul> <li>Get the current KMS block: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks show <span class="nt">-g</span> <span class="nv">$RG</span> <span class="nt">-n</span> <span class="nv">$CLUSTER</span> <span class="nt">--query</span> <span class="s2">"securityProfile.azureKeyVaultKms"</span> <span class="nt">-o</span> json </code></pre> </div> <ul> <li>Re-encrypt secrets (all namespaces): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secrets <span class="nt">--all-namespaces</span> <span class="nt">-o</span> json | kubectl replace <span class="nt">-f</span> - </code></pre> </div> <p>If you want, I can:</p> <ul> <li>produce the exact command sequence filled with specific names (I used your RG/cluster; tell me <code>KV_NAME</code>, <code>KEY_NAME</code>, <code>IDENTITY_NAME</code>, and <code>LOCATION</code> and I’ll print the full script), <strong>or</strong> </li> <li>give the equivalent ARM template / Terraform snippet to bake this into infra-as-code.</li> </ul> <p>Which one do you want me to produce next?</p> Azure DevOps Tutorial for Beginners Goodluck Ekeoma Adiole Fri, 29 Aug 2025 05:30:01 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/azure-devops-tutorial-for-beginners-493n https://dev.to/goodluck_ekeoma_2c98866d0/azure-devops-tutorial-for-beginners-493n <h2> 1. Introduction to Azure DevOps </h2> <p>Azure DevOps is a <strong>cloud-based DevOps platform by Microsoft</strong> that provides an end-to-end set of tools to plan, develop, test, deliver, and monitor applications. It supports <strong>collaboration</strong> between development and operations teams, enabling organizations to deliver software <strong>faster, more reliably, and with higher quality</strong>.</p> <p>✅ By the end of this tutorial, beginners should understand the <strong>purpose and functionality of each Azure DevOps component</strong>, and how they work together to support modern software development and operations.</p> <ul> <li> <p><strong>Why Azure DevOps?</strong></p> <ul> <li>Supports <strong>Agile planning</strong>, CI/CD, source control, and testing in one place.</li> <li>Integrates with multiple programming languages and platforms (Java, Python, .NET, Node.js, etc.).</li> <li>Works well with cloud (Azure, AWS, GCP) and on-premises environments.</li> <li>Scalable for individuals, small teams, and enterprise organizations.</li> </ul> </li> <li><p><strong>Main Components of Azure DevOps:</strong></p></li> </ul> <ol> <li> <strong>Azure Boards</strong> – Project planning and tracking.</li> <li> <strong>Azure Repos</strong> – Source code management.</li> <li> <strong>Azure Pipelines</strong> – CI/CD automation.</li> <li> <strong>Azure Test Plans</strong> – Manual and exploratory testing.</li> <li> <strong>Azure Artifacts</strong> – Package management and sharing.</li> </ol> <h2> 2. Azure Boards </h2> <p>Azure Boards helps teams <strong>plan, track, and discuss work across the entire development cycle</strong>.</p> <ul> <li> <p><strong>Key Features:</strong></p> <ul> <li> <strong>Work Items</strong> – Units of work (tasks, bugs, features) that can be tracked.</li> <li> <strong>Boards (Kanban)</strong> – Visual boards to manage tasks in “To Do”, “Doing”, and “Done”.</li> <li> <strong>Backlogs</strong> – Organize work in product and sprint backlogs.</li> <li> <strong>Sprints</strong> – Agile iteration planning.</li> <li> <strong>Dashboards &amp; Reports</strong> – Real-time progress tracking.</li> </ul> </li> <li> <p><strong>Why Use Azure Boards?</strong></p> <ul> <li>Provides transparency and visibility into project progress.</li> <li>Supports Agile, Scrum, and Kanban methodologies.</li> <li>Integrates directly with Git commits and pipelines.</li> <li>Keeps development and project management in sync.</li> </ul> </li> </ul> <p><strong>Example Workflow:</strong></p> <ol> <li>Product Owner creates a <strong>User Story</strong> in the backlog.</li> <li>Developers break it into <strong>Tasks</strong>.</li> <li>Work is tracked on the <strong>Kanban board</strong>.</li> <li>Progress is visible in <strong>sprint reports and burndown charts</strong>.</li> </ol> <h2> 3. Azure Repos </h2> <p>Azure Repos provides <strong>source code management</strong> for teams. It allows developers to <strong>store, version, and collaborate on code</strong>.</p> <ul> <li><strong>Two Types of Repos:</strong></li> </ul> <ol> <li> <strong>Git Repos</strong> – Distributed version control system (most popular).</li> <li> <strong>TFVC (Team Foundation Version Control)</strong> – Centralized version control.</li> </ol> <ul> <li> <p><strong>Key Features:</strong></p> <ul> <li> <strong>Branching &amp; Merging</strong> – Work on features in isolation and merge to main branch.</li> <li> <strong>Pull Requests (PRs)</strong> – Collaborate on code changes before merging.</li> <li> <strong>Code Reviews</strong> – Discuss and improve code quality.</li> <li> <strong>Policies</strong> – Require reviews, checks, or tests before merging.</li> <li> <strong>Integration</strong> – Linked directly with Boards (e.g., commit messages linked to work items).</li> </ul> </li> <li> <p><strong>Best Practices:</strong></p> <ul> <li>Use <strong>feature branches</strong> for new work.</li> <li>Enforce <strong>PR reviews</strong> for quality control.</li> <li>Follow a branching strategy like <strong>GitFlow</strong> or <strong>Trunk-based development</strong>.</li> </ul> </li> </ul> <h2> 4. Azure Pipelines </h2> <p>Azure Pipelines provides <strong>Continuous Integration (CI)</strong> and <strong>Continuous Delivery (CD)</strong> automation.</p> <ul> <li> <p><strong>Continuous Integration (CI):</strong></p> <ul> <li>Automatically builds and tests code when changes are pushed.</li> <li>Ensures code always stays in a working state.</li> </ul> </li> <li> <p><strong>Continuous Delivery (CD):</strong></p> <ul> <li>Deploys applications to different environments (Dev, QA, Production).</li> <li>Supports automated approvals and release gates.</li> </ul> </li> <li> <p><strong>Key Features:</strong></p> <ul> <li> <strong>Pipeline as Code</strong> – Defined using YAML files.</li> <li> <strong>Multi-platform</strong> – Supports Windows, Linux, and macOS builds.</li> <li> <strong>Language Support</strong> – Works with .NET, Java, Python, Node.js, Go, etc.</li> <li> <strong>Integrations</strong> – Deploy to Azure, AWS, GCP, Kubernetes, or on-prem servers.</li> <li> <strong>Build Agents</strong> – Microsoft-hosted or self-hosted agents for executing pipelines.</li> </ul> </li> </ul> <p><strong>Example CI/CD Flow:</strong></p> <ol> <li>Developer pushes code → triggers pipeline.</li> <li>Pipeline builds code, runs unit tests, and creates artifacts.</li> <li>Pipeline deploys application to Azure Web App (staging).</li> <li>After approval, it promotes to production.</li> </ol> <h2> 5. Azure Test Plans </h2> <p>Azure Test Plans is a <strong>testing solution</strong> integrated into Azure DevOps for <strong>manual, exploratory, and automated testing</strong>.</p> <ul> <li> <p><strong>Key Features:</strong></p> <ul> <li> <strong>Manual Testing</strong> – Step-by-step test execution with pass/fail tracking.</li> <li> <strong>Exploratory Testing</strong> – Ad-hoc testing without predefined scripts.</li> <li> <strong>Automated Testing Integration</strong> – Link with CI/CD pipelines.</li> <li> <strong>Bug Tracking</strong> – Report bugs directly linked to builds and code commits.</li> </ul> </li> <li> <p><strong>Benefits:</strong></p> <ul> <li>Ensures quality before releases.</li> <li>Provides traceability between requirements, tests, and defects.</li> <li>Improves collaboration between testers and developers.</li> </ul> </li> </ul> <h2> 6. Azure Artifacts </h2> <p>Azure Artifacts provides a <strong>package management solution</strong> for teams. It allows developers to create, host, and share packages.</p> <ul> <li> <p><strong>Supported Package Types:</strong></p> <ul> <li>NuGet (for .NET)</li> <li>npm (for JavaScript/Node.js)</li> <li>Maven (for Java)</li> <li>Python packages</li> <li>Universal Packages</li> </ul> </li> <li> <p><strong>Key Features:</strong></p> <ul> <li> <strong>Feeds</strong> – Store and distribute packages within the organization.</li> <li> <strong>Integration with Pipelines</strong> – Automate publishing and consuming packages.</li> <li> <strong>Versioning &amp; Retention</strong> – Manage multiple versions and clean old ones.</li> </ul> </li> <li> <p><strong>Use Case Example:</strong></p> <ul> <li>A team creates a shared library in .NET.</li> <li>Publishes it as a <strong>NuGet package</strong> in Azure Artifacts.</li> <li>Other projects consume it from the feed instead of duplicating code.</li> </ul> </li> </ul> <h2> 7. How the Components Work Together </h2> <p>Here’s how the pieces fit into a <strong>DevOps lifecycle</strong>:</p> <ol> <li> <strong>Plan Work</strong> → Azure Boards (backlog, sprints, work items).</li> <li> <strong>Develop Code</strong> → Azure Repos (Git source control).</li> <li> <strong>Build &amp; Test</strong> → Azure Pipelines (CI builds, automated tests).</li> <li> <strong>Release</strong> → Azure Pipelines (CD deployment to environments).</li> <li> <strong>Test Quality</strong> → Azure Test Plans (manual/automated tests).</li> <li> <strong>Share Packages</strong> → Azure Artifacts (distribute dependencies).</li> </ol> <p>This integration ensures <strong>traceability</strong>: from a feature request in Boards → commit in Repos → build in Pipelines → test in Test Plans → deployment in Pipelines → package distribution in Artifacts.</p> <h2> 8. Benefits of Azure DevOps </h2> <ul> <li>Single integrated platform for the entire DevOps lifecycle.</li> <li>Supports both <strong>Agile</strong> and <strong>DevOps</strong> methodologies.</li> <li>Scalable for startups, mid-size companies, and enterprises.</li> <li>Strong integration with <strong>Azure cloud</strong> and other external tools (Slack, Jira, GitHub, etc.).</li> <li>Enhances <strong>collaboration, automation, and traceability</strong>.</li> </ul> <h2> 9. Getting Started </h2> <ul> <li>Sign up at <a href="https://dev.azure.com" rel="noopener noreferrer">dev.azure.com</a>.</li> <li>Create an <strong>organization</strong> and a <strong>project</strong>.</li> <li>Explore each service (Boards, Repos, Pipelines, etc.) step by step.</li> <li>Start with a small project to learn before applying to enterprise-level projects.</li> </ul> Building and Deploying a Simple Banking Application Using Containerization and Cloud Automation Goodluck Ekeoma Adiole Wed, 27 Aug 2025 06:32:56 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/building-and-deploying-a-simple-banking-application-using-containerization-and-cloud-automation-4162 https://dev.to/goodluck_ekeoma_2c98866d0/building-and-deploying-a-simple-banking-application-using-containerization-and-cloud-automation-4162 <p>This project introduces participants to the fundamentals of modern application development and deployment by combining software development, containerization, and DevOps practices.</p> <p>You will build a simple Banking API that allows basic operations such as creating accounts, deposits, withdrawals, and transfers. While the business logic is simple, the real learning comes from how the application is structured, containerized with Docker, tested with CI, and deployed automatically to an AWS EC2 instance using Bitbucket Pipelines.</p> <p>Through this project, you will gain hands-on experience with:</p> <p>Application development (Flask + SQLite)</p> <p>Containerization (Docker, Gunicorn for production serving)</p> <p>CI/CD pipelines (Bitbucket Pipelines building, testing, and pushing images)</p> <p>Cloud deployment (running the container on AWS EC2)</p> <h2> By the end, you’ll understand how modern teams package and deploy applications reliably, a foundational skill for DevOps, Cloud, and Software Engineering careers. </h2> <h1> 1) Project structure </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>banking-app/ ├─ banking_app/ │ ├─ __init__.py │ ├─ app.py │ ├─ models.py │ ├─ db.py │ └─ templates/ │ └─ index.html ├─ tests/ │ └─ test_api.py ├─ .env.example ├─ .gitignore ├─ Dockerfile ├─ gunicorn.conf.py ├─ Makefile ├─ README.md ├─ requirements.txt └─ bitbucket-pipelines.yml </code></pre> </div> <h1> 2) File contents (copy exactly) </h1> <h2> banking_app/<strong>init</strong>.py </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="kn">from</span> <span class="n">.db</span> <span class="kn">import</span> <span class="n">init_db</span><span class="p">,</span> <span class="n">db_session</span><span class="p">,</span> <span class="n">shutdown_session</span> <span class="kn">from</span> <span class="n">.app</span> <span class="kn">import</span> <span class="n">api_blueprint</span> <span class="k">def</span> <span class="nf">create_app</span><span class="p">(</span><span class="n">config_override</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="nf">from_mapping</span><span class="p">(</span> <span class="n">SECRET_KEY</span><span class="o">=</span><span class="sh">"</span><span class="s">change-me</span><span class="sh">"</span><span class="p">,</span> <span class="n">DATABASE_URL</span><span class="o">=</span><span class="sh">"</span><span class="s">sqlite:////app/data/banking.db</span><span class="sh">"</span><span class="p">,</span> <span class="n">JSON_SORT_KEYS</span><span class="o">=</span><span class="bp">False</span> <span class="p">)</span> <span class="k">if</span> <span class="n">config_override</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">config_override</span><span class="p">)</span> <span class="nf">init_db</span><span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">DATABASE_URL</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Blueprints </span> <span class="n">app</span><span class="p">.</span><span class="nf">register_blueprint</span><span class="p">(</span><span class="n">api_blueprint</span><span class="p">)</span> <span class="c1"># DB session teardown </span> <span class="n">app</span><span class="p">.</span><span class="nf">teardown_appcontext</span><span class="p">(</span><span class="k">lambda</span> <span class="n">exception</span><span class="p">:</span> <span class="nf">shutdown_session</span><span class="p">())</span> <span class="c1"># Health endpoint (for LB/containers) </span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">health</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">},</span> <span class="mi">200</span> <span class="k">return</span> <span class="n">app</span> </code></pre> </div> <h2> banking_app/db.py </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">create_engine</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">scoped_session</span><span class="p">,</span> <span class="n">sessionmaker</span><span class="p">,</span> <span class="n">declarative_base</span> <span class="n">engine</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">db_session</span> <span class="o">=</span> <span class="nf">scoped_session</span><span class="p">(</span><span class="nf">sessionmaker</span><span class="p">(</span><span class="n">autocommit</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">autoflush</span><span class="o">=</span><span class="bp">False</span><span class="p">))</span> <span class="n">Base</span> <span class="o">=</span> <span class="nf">declarative_base</span><span class="p">()</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">(</span><span class="n">database_url</span><span class="p">):</span> <span class="k">global</span> <span class="n">engine</span> <span class="n">engine</span> <span class="o">=</span> <span class="nf">create_engine</span><span class="p">(</span><span class="n">database_url</span><span class="p">,</span> <span class="n">connect_args</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">check_same_thread</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">}</span> <span class="k">if</span> <span class="n">database_url</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">sqlite</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span> <span class="p">{})</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">configure</span><span class="p">(</span><span class="n">bind</span><span class="o">=</span><span class="n">engine</span><span class="p">)</span> <span class="n">Base</span><span class="p">.</span><span class="n">query</span> <span class="o">=</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">query_property</span><span class="p">()</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Account</span><span class="p">,</span> <span class="n">Transaction</span> <span class="c1"># noqa </span> <span class="n">Base</span><span class="p">.</span><span class="n">metadata</span><span class="p">.</span><span class="nf">create_all</span><span class="p">(</span><span class="n">bind</span><span class="o">=</span><span class="n">engine</span><span class="p">)</span> <span class="k">def</span> <span class="nf">shutdown_session</span><span class="p">():</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">remove</span><span class="p">()</span> </code></pre> </div> <h2> banking_app/models.py </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">Column</span><span class="p">,</span> <span class="n">Integer</span><span class="p">,</span> <span class="n">String</span><span class="p">,</span> <span class="n">DateTime</span><span class="p">,</span> <span class="n">Float</span><span class="p">,</span> <span class="n">ForeignKey</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">relationship</span> <span class="kn">from</span> <span class="n">.db</span> <span class="kn">import</span> <span class="n">Base</span> <span class="k">class</span> <span class="nc">Account</span><span class="p">(</span><span class="n">Base</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">accounts</span><span class="sh">"</span> <span class="nb">id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Integer</span><span class="p">,</span> <span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">name</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">balance</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Float</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="mf">0.0</span><span class="p">)</span> <span class="n">created_at</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">DateTime</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">)</span> <span class="n">transactions</span> <span class="o">=</span> <span class="nf">relationship</span><span class="p">(</span><span class="sh">"</span><span class="s">Transaction</span><span class="sh">"</span><span class="p">,</span> <span class="n">back_populates</span><span class="o">=</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">to_dict</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">balance</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="sh">"</span><span class="s">created_at</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">created_at</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">()</span> <span class="o">+</span> <span class="sh">"</span><span class="s">Z</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="k">class</span> <span class="nc">Transaction</span><span class="p">(</span><span class="n">Base</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span> <span class="nb">id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Integer</span><span class="p">,</span> <span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nb">type</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">50</span><span class="p">),</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># deposit, withdraw, transfer </span> <span class="n">amount</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Float</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">note</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">255</span><span class="p">))</span> <span class="n">created_at</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">DateTime</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="n">utcnow</span><span class="p">)</span> <span class="n">account_id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Integer</span><span class="p">,</span> <span class="nc">ForeignKey</span><span class="p">(</span><span class="sh">"</span><span class="s">accounts.id</span><span class="sh">"</span><span class="p">),</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">related_account_id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Integer</span><span class="p">)</span> <span class="c1"># for transfers </span> <span class="n">account</span> <span class="o">=</span> <span class="nf">relationship</span><span class="p">(</span><span class="sh">"</span><span class="s">Account</span><span class="sh">"</span><span class="p">,</span> <span class="n">back_populates</span><span class="o">=</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">to_dict</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nb">type</span><span class="p">,</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">amount</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="sh">"</span><span class="s">note</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">note</span><span class="p">,</span> <span class="sh">"</span><span class="s">created_at</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">created_at</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">()</span> <span class="o">+</span> <span class="sh">"</span><span class="s">Z</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">account_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">account_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">related_account_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">related_account_id</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h2> banking_app/app.py </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Blueprint</span><span class="p">,</span> <span class="n">jsonify</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">render_template</span> <span class="kn">from</span> <span class="n">sqlalchemy.exc</span> <span class="kn">import</span> <span class="n">IntegrityError</span> <span class="kn">from</span> <span class="n">.db</span> <span class="kn">import</span> <span class="n">db_session</span> <span class="kn">from</span> <span class="n">.models</span> <span class="kn">import</span> <span class="n">Account</span><span class="p">,</span> <span class="n">Transaction</span> <span class="n">api_blueprint</span> <span class="o">=</span> <span class="nc">Blueprint</span><span class="p">(</span><span class="sh">"</span><span class="s">api</span><span class="sh">"</span><span class="p">,</span> <span class="n">__name__</span><span class="p">)</span> <span class="nd">@api_blueprint.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">home</span><span class="p">():</span> <span class="k">return</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">index.html</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@api_blueprint.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/accounts</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">create_account</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">(</span><span class="n">silent</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">name</span> <span class="o">=</span> <span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">""</span><span class="p">).</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">name</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">name is required</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="n">acct</span> <span class="o">=</span> <span class="nc">Account</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="n">name</span><span class="p">,</span> <span class="n">balance</span><span class="o">=</span><span class="mf">0.0</span><span class="p">)</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">acct</span><span class="p">)</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">account created</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">:</span> <span class="n">acct</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()}),</span> <span class="mi">201</span> <span class="nd">@api_blueprint.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/accounts/&lt;int:account_id&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">get_account</span><span class="p">(</span><span class="n">account_id</span><span class="p">):</span> <span class="n">acct</span> <span class="o">=</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">Account</span><span class="p">,</span> <span class="n">account_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">acct</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">account not found</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">404</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">(</span><span class="n">acct</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()),</span> <span class="mi">200</span> <span class="nd">@api_blueprint.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/accounts/&lt;int:account_id&gt;/deposit</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">deposit</span><span class="p">(</span><span class="n">account_id</span><span class="p">):</span> <span class="n">acct</span> <span class="o">=</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">Account</span><span class="p">,</span> <span class="n">account_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">acct</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">account not found</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">404</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">(</span><span class="n">silent</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="k">try</span><span class="p">:</span> <span class="n">amount</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">))</span> <span class="nf">except </span><span class="p">(</span><span class="nb">TypeError</span><span class="p">,</span> <span class="nb">ValueError</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">valid amount is required</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="k">if</span> <span class="n">amount</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">amount must be &gt; 0</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="n">acct</span><span class="p">.</span><span class="n">balance</span> <span class="o">+=</span> <span class="n">amount</span> <span class="n">tx</span> <span class="o">=</span> <span class="nc">Transaction</span><span class="p">(</span><span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">deposit</span><span class="sh">"</span><span class="p">,</span> <span class="n">amount</span><span class="o">=</span><span class="n">amount</span><span class="p">,</span> <span class="n">note</span><span class="o">=</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">note</span><span class="sh">"</span><span class="p">),</span> <span class="n">account</span><span class="o">=</span><span class="n">acct</span><span class="p">)</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">tx</span><span class="p">)</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">deposit successful</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">:</span> <span class="n">acct</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">(),</span> <span class="sh">"</span><span class="s">transaction</span><span class="sh">"</span><span class="p">:</span> <span class="n">tx</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()}),</span> <span class="mi">200</span> <span class="nd">@api_blueprint.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/accounts/&lt;int:account_id&gt;/withdraw</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">withdraw</span><span class="p">(</span><span class="n">account_id</span><span class="p">):</span> <span class="n">acct</span> <span class="o">=</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">Account</span><span class="p">,</span> <span class="n">account_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">acct</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">account not found</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">404</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">(</span><span class="n">silent</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="k">try</span><span class="p">:</span> <span class="n">amount</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">))</span> <span class="nf">except </span><span class="p">(</span><span class="nb">TypeError</span><span class="p">,</span> <span class="nb">ValueError</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">valid amount is required</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="k">if</span> <span class="n">amount</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">amount must be &gt; 0</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="k">if</span> <span class="n">acct</span><span class="p">.</span><span class="n">balance</span> <span class="o">&lt;</span> <span class="n">amount</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">insufficient funds</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="n">acct</span><span class="p">.</span><span class="n">balance</span> <span class="o">-=</span> <span class="n">amount</span> <span class="n">tx</span> <span class="o">=</span> <span class="nc">Transaction</span><span class="p">(</span><span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">withdraw</span><span class="sh">"</span><span class="p">,</span> <span class="n">amount</span><span class="o">=</span><span class="n">amount</span><span class="p">,</span> <span class="n">note</span><span class="o">=</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">note</span><span class="sh">"</span><span class="p">),</span> <span class="n">account</span><span class="o">=</span><span class="n">acct</span><span class="p">)</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">tx</span><span class="p">)</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">withdrawal successful</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">:</span> <span class="n">acct</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">(),</span> <span class="sh">"</span><span class="s">transaction</span><span class="sh">"</span><span class="p">:</span> <span class="n">tx</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()}),</span> <span class="mi">200</span> <span class="nd">@api_blueprint.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/transfer</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">transfer</span><span class="p">():</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">get_json</span><span class="p">(</span><span class="n">silent</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="k">try</span><span class="p">:</span> <span class="n">from_id</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">from_id</span><span class="sh">"</span><span class="p">))</span> <span class="n">to_id</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">to_id</span><span class="sh">"</span><span class="p">))</span> <span class="n">amount</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">))</span> <span class="nf">except </span><span class="p">(</span><span class="nb">TypeError</span><span class="p">,</span> <span class="nb">ValueError</span><span class="p">):</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">from_id, to_id and valid amount are required</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="k">if</span> <span class="n">amount</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">amount must be &gt; 0</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="k">if</span> <span class="n">from_id</span> <span class="o">==</span> <span class="n">to_id</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">cannot transfer to the same account</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="n">from_acct</span> <span class="o">=</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">Account</span><span class="p">,</span> <span class="n">from_id</span><span class="p">)</span> <span class="n">to_acct</span> <span class="o">=</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">Account</span><span class="p">,</span> <span class="n">to_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">from_acct</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">to_acct</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">one or both accounts not found</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">404</span> <span class="k">if</span> <span class="n">from_acct</span><span class="p">.</span><span class="n">balance</span> <span class="o">&lt;</span> <span class="n">amount</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">insufficient funds</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="c1"># Perform transfer atomically </span> <span class="k">try</span><span class="p">:</span> <span class="n">from_acct</span><span class="p">.</span><span class="n">balance</span> <span class="o">-=</span> <span class="n">amount</span> <span class="n">to_acct</span><span class="p">.</span><span class="n">balance</span> <span class="o">+=</span> <span class="n">amount</span> <span class="n">tx_out</span> <span class="o">=</span> <span class="nc">Transaction</span><span class="p">(</span><span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">transfer</span><span class="sh">"</span><span class="p">,</span> <span class="n">amount</span><span class="o">=-</span><span class="n">amount</span><span class="p">,</span> <span class="n">note</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">to </span><span class="si">{</span><span class="n">to_acct</span><span class="p">.</span><span class="nb">id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">account</span><span class="o">=</span><span class="n">from_acct</span><span class="p">,</span> <span class="n">related_account_id</span><span class="o">=</span><span class="n">to_acct</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="n">tx_in</span> <span class="o">=</span> <span class="nc">Transaction</span><span class="p">(</span><span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">transfer</span><span class="sh">"</span><span class="p">,</span> <span class="n">amount</span><span class="o">=</span><span class="n">amount</span><span class="p">,</span> <span class="n">note</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">from </span><span class="si">{</span><span class="n">from_acct</span><span class="p">.</span><span class="nb">id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">account</span><span class="o">=</span><span class="n">to_acct</span><span class="p">,</span> <span class="n">related_account_id</span><span class="o">=</span><span class="n">from_acct</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">add_all</span><span class="p">([</span><span class="n">tx_out</span><span class="p">,</span> <span class="n">tx_in</span><span class="p">])</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">except</span> <span class="n">IntegrityError</span><span class="p">:</span> <span class="n">db_session</span><span class="p">.</span><span class="nf">rollback</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">transfer failed</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">500</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">transfer successful</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">from</span><span class="sh">"</span><span class="p">:</span> <span class="n">from_acct</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">(),</span> <span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">:</span> <span class="n">to_acct</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()</span> <span class="p">}),</span> <span class="mi">200</span> </code></pre> </div> <h2> banking_app/templates/index.html </h2> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!doctype html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"utf-8"</span><span class="nt">/&gt;</span> <span class="nt">&lt;title&gt;</span>Banking API<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1"</span><span class="nt">/&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">font-family</span><span class="p">:</span> <span class="n">system-ui</span><span class="p">,</span> <span class="n">-apple-system</span><span class="p">,</span> <span class="n">Segoe</span> <span class="n">UI</span><span class="p">,</span> <span class="n">Roboto</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">2rem</span><span class="p">;</span> <span class="p">}</span> <span class="nt">code</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#f5f5f5</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">0.15rem</span> <span class="m">0.3rem</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">6px</span><span class="p">;</span> <span class="p">}</span> <span class="nt">pre</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#f5f5f5</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">1rem</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">8px</span><span class="p">;</span> <span class="nl">overflow</span><span class="p">:</span> <span class="nb">auto</span><span class="p">;</span> <span class="p">}</span> <span class="nt">a</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#0a58ca</span><span class="p">;</span> <span class="nl">text-decoration</span><span class="p">:</span> <span class="nb">none</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Banking API<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>This is a beginner-level banking API you can deploy with Docker and Bitbucket Pipelines.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;h2&gt;</span>Quick endpoints<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;ul&gt;</span> <span class="nt">&lt;li&gt;</span>GET <span class="nt">&lt;code&gt;</span>/health<span class="nt">&lt;/code&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;</span>POST <span class="nt">&lt;code&gt;</span>/api/accounts<span class="nt">&lt;/code&gt;</span> – body: <span class="nt">&lt;code&gt;</span>{"name":"Alice"}<span class="nt">&lt;/code&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;</span>GET <span class="nt">&lt;code&gt;</span>/api/accounts/<span class="ni">&amp;lt;</span>id<span class="ni">&amp;gt;</span><span class="nt">&lt;/code&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;</span>POST <span class="nt">&lt;code&gt;</span>/api/accounts/<span class="ni">&amp;lt;</span>id<span class="ni">&amp;gt;</span>/deposit<span class="nt">&lt;/code&gt;</span> – body: <span class="nt">&lt;code&gt;</span>{"amount":100}<span class="nt">&lt;/code&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;</span>POST <span class="nt">&lt;code&gt;</span>/api/accounts/<span class="ni">&amp;lt;</span>id<span class="ni">&amp;gt;</span>/withdraw<span class="nt">&lt;/code&gt;</span> – body: <span class="nt">&lt;code&gt;</span>{"amount":50}<span class="nt">&lt;/code&gt;&lt;/li&gt;</span> <span class="nt">&lt;li&gt;</span>POST <span class="nt">&lt;code&gt;</span>/api/transfer<span class="nt">&lt;/code&gt;</span> – body: <span class="nt">&lt;code&gt;</span>{"from_id":1,"to_id":2,"amount":25}<span class="nt">&lt;/code&gt;&lt;/li&gt;</span> <span class="nt">&lt;/ul&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h2> tests/test_api.py </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">tempfile</span> <span class="kn">import</span> <span class="n">pytest</span> <span class="kn">from</span> <span class="n">banking_app</span> <span class="kn">import</span> <span class="n">create_app</span> <span class="kn">from</span> <span class="n">banking_app.db</span> <span class="kn">import</span> <span class="n">init_db</span> <span class="nd">@pytest.fixture</span> <span class="k">def</span> <span class="nf">client</span><span class="p">():</span> <span class="n">db_fd</span><span class="p">,</span> <span class="n">db_path</span> <span class="o">=</span> <span class="n">tempfile</span><span class="p">.</span><span class="nf">mkstemp</span><span class="p">()</span> <span class="n">os</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="n">db_fd</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nf">create_app</span><span class="p">({</span> <span class="sh">"</span><span class="s">TESTING</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">SECRET_KEY</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">test</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DATABASE_URL</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">sqlite:///</span><span class="si">{</span><span class="n">db_path</span><span class="si">}</span><span class="sh">"</span> <span class="p">})</span> <span class="k">with</span> <span class="n">app</span><span class="p">.</span><span class="nf">test_client</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="k">yield</span> <span class="n">client</span> <span class="n">os</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="n">db_path</span><span class="p">)</span> <span class="k">def</span> <span class="nf">test_health</span><span class="p">(</span><span class="n">client</span><span class="p">):</span> <span class="n">rv</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">rv</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">rv</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_create_and_get_account</span><span class="p">(</span><span class="n">client</span><span class="p">):</span> <span class="n">rv</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/accounts</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Alice</span><span class="sh">"</span><span class="p">})</span> <span class="k">assert</span> <span class="n">rv</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">201</span> <span class="n">acct_id</span> <span class="o">=</span> <span class="n">rv</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()[</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]</span> <span class="n">rv2</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">/api/accounts/</span><span class="si">{</span><span class="n">acct_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">rv2</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">rv2</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">Alice</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_deposit_withdraw_and_transfer</span><span class="p">(</span><span class="n">client</span><span class="p">):</span> <span class="n">a</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/accounts</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">}).</span><span class="nf">get_json</span><span class="p">()[</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]</span> <span class="n">b</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/accounts</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">B</span><span class="sh">"</span><span class="p">}).</span><span class="nf">get_json</span><span class="p">()[</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Deposit to A </span> <span class="n">rv</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">/api/accounts/</span><span class="si">{</span><span class="n">a</span><span class="si">}</span><span class="s">/deposit</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="mi">100</span><span class="p">})</span> <span class="k">assert</span> <span class="n">rv</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">rv</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()[</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="mi">100</span> <span class="c1"># Withdraw from A </span> <span class="n">rv</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">/api/accounts/</span><span class="si">{</span><span class="n">a</span><span class="si">}</span><span class="s">/withdraw</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="mi">40</span><span class="p">})</span> <span class="k">assert</span> <span class="n">rv</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="n">rv</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()[</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="mi">60</span> <span class="c1"># Transfer 25 from A to B </span> <span class="n">rv</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/transfer</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">from_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">a</span><span class="p">,</span> <span class="sh">"</span><span class="s">to_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">b</span><span class="p">,</span> <span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">:</span> <span class="mi">25</span><span class="p">})</span> <span class="k">assert</span> <span class="n">rv</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="n">from_balance</span> <span class="o">=</span> <span class="n">rv</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()[</span><span class="sh">"</span><span class="s">from</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="n">to_balance</span> <span class="o">=</span> <span class="n">rv</span><span class="p">.</span><span class="nf">get_json</span><span class="p">()[</span><span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">balance</span><span class="sh">"</span><span class="p">]</span> <span class="k">assert</span> <span class="n">from_balance</span> <span class="o">==</span> <span class="mi">35</span> <span class="k">assert</span> <span class="n">to_balance</span> <span class="o">==</span> <span class="mi">25</span> </code></pre> </div> <h2> .env.example </h2> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># Copy this to .env (for local dev) or /srv/banking-app/.env (on EC2) </span><span class="py">FLASK_SECRET_KEY</span><span class="p">=</span><span class="s">change-this-in-production</span> <span class="py">DATABASE_URL</span><span class="p">=</span><span class="s">sqlite:////app/data/banking.db</span> <span class="py">LOG_LEVEL</span><span class="p">=</span><span class="s">INFO</span> </code></pre> </div> <h2> .gitignore </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>__pycache__/ *.pyc .env .env.* *.db dist/ build/ *.egg-info .pytest_cache/ data/ </code></pre> </div> <h2> Dockerfile </h2> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Simple, production-ready container</span> <span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="k">ENV</span><span class="s"> PYTHONDONTWRITEBYTECODE=1 \</span> PYTHONUNBUFFERED=1 \ PIP_NO_CACHE_DIR=1 <span class="c"># System deps</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> tini curl ca-certificates <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># App directory</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install deps first (better layer caching)</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt <span class="c"># Create a non-root user</span> <span class="k">RUN </span>useradd <span class="nt">-m</span> appuser <span class="k">RUN </span><span class="nb">mkdir</span> <span class="nt">-p</span> /app/data <span class="o">&amp;&amp;</span> <span class="nb">chown</span> <span class="nt">-R</span> appuser:appuser /app <span class="c"># Copy app</span> <span class="k">COPY</span><span class="s"> banking_app ./banking_app</span> <span class="k">COPY</span><span class="s"> gunicorn.conf.py .</span> <span class="k">COPY</span><span class="s"> .env.example ./.env.example</span> <span class="k">USER</span><span class="s"> appuser</span> <span class="k">EXPOSE</span><span class="s"> 8000</span> <span class="k">ENTRYPOINT</span><span class="s"> ["/usr/bin/tini", "--"]</span> <span class="k">CMD</span><span class="s"> ["gunicorn", "-c", "gunicorn.conf.py", "banking_app:create_app()"]</span> </code></pre> </div> <h2> gunicorn.conf.py </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">bind</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0.0.0.0:8000</span><span class="sh">"</span> <span class="n">workers</span> <span class="o">=</span> <span class="mi">2</span> <span class="n">threads</span> <span class="o">=</span> <span class="mi">2</span> <span class="n">timeout</span> <span class="o">=</span> <span class="mi">30</span> <span class="n">graceful_timeout</span> <span class="o">=</span> <span class="mi">30</span> <span class="n">keepalive</span> <span class="o">=</span> <span class="mi">5</span> <span class="n">accesslog</span> <span class="o">=</span> <span class="sh">"</span><span class="s">-</span><span class="sh">"</span> <span class="n">errorlog</span> <span class="o">=</span> <span class="sh">"</span><span class="s">-</span><span class="sh">"</span> </code></pre> </div> <h2> Makefile </h2> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nv">IMAGE</span> <span class="o">?=</span> your-dockerhub-username/banking-app <span class="nv">TAG</span> <span class="o">?=</span> <span class="nb">local</span> <span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">run test build docker-run docker-push</span> <span class="nl">run</span><span class="o">:</span> <span class="err">\tuvicorn</span> <span class="nl">test</span><span class="o">:</span> <span class="err">\tpytest</span> <span class="err">-q</span> <span class="nl">build</span><span class="o">:</span> <span class="nl">\tdocker build -t $(IMAGE)</span><span class="o">:</span><span class="nf">$(TAG) .</span> <span class="nl">docker-run</span><span class="o">:</span> <span class="err">\tmkdir</span> <span class="err">-p</span> <span class="err">data</span> <span class="nl">\tdocker run --rm -it -p 8000</span><span class="o">:</span><span class="nf">8000 -v ${PWD}/data:/app/data --env-file .env $(IMAGE):$(TAG)</span> <span class="nl">docker-push</span><span class="o">:</span> <span class="nl">\tdocker push $(IMAGE)</span><span class="o">:</span><span class="nf">$(TAG)</span> </code></pre> </div> <h2> requirements.txt </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flask==3.0.3 SQLAlchemy==2.0.31 gunicorn==22.0.0 pytest==8.2.2 </code></pre> </div> <h2> bitbucket-pipelines.yml </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">atlassian/default-image:3</span> <span class="na">options</span><span class="pi">:</span> <span class="na">docker</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">pipelines</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="na">main</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build &amp; Test</span> <span class="na">caches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "Running unit tests"</span> <span class="pi">-</span> <span class="s">pip install -r requirements.txt</span> <span class="pi">-</span> <span class="s">pytest -q</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Docker image</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">export DOCKER_IMAGE="${DOCKERHUB_USERNAME}/banking-app"</span> <span class="pi">-</span> <span class="s">export TAG="${BITBUCKET_COMMIT:0:7}"</span> <span class="pi">-</span> <span class="s">echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin</span> <span class="pi">-</span> <span class="s">docker build -t "$DOCKER_IMAGE:$TAG" -t "$DOCKER_IMAGE:latest" .</span> <span class="pi">-</span> <span class="s">docker push "$DOCKER_IMAGE:$TAG"</span> <span class="pi">-</span> <span class="s">docker push "$DOCKER_IMAGE:latest"</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">deployment/**</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to EC2</span> <span class="na">deployment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pipe</span><span class="pi">:</span> <span class="s">atlassian/ssh-run:0.7.0</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">SSH_USER</span><span class="pi">:</span> <span class="s">$EC2_USER</span> <span class="na">SERVER</span><span class="pi">:</span> <span class="s">$EC2_HOST</span> <span class="na">PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">22"</span> <span class="na">MODE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">command"</span> <span class="na">COMMAND</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">set -e;</span> <span class="s">sudo mkdir -p /srv/banking-app/data;</span> <span class="s">sudo chown -R $EC2_USER:$EC2_USER /srv/banking-app;</span> <span class="s">echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin;</span> <span class="s">DOCKER_IMAGE="${DOCKERHUB_USERNAME}/banking-app";</span> <span class="s">TAG="${BITBUCKET_COMMIT:0:7}";</span> <span class="s">docker pull "$DOCKER_IMAGE:$TAG";</span> <span class="s">(docker rm -f banking-app || true);</span> <span class="s">docker run -d --name banking-app --restart always</span> <span class="s">-p 80:8000</span> <span class="s">--env-file /srv/banking-app/.env</span> <span class="s">-v /srv/banking-app/data:/app/data</span> <span class="s">"$DOCKER_IMAGE:$TAG";</span> <span class="na">definitions</span><span class="pi">:</span> <span class="na">services</span><span class="pi">:</span> <span class="na">docker</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="m">3072</span> </code></pre> </div> <blockquote> <p>Bitbucket Repository Variables you must add (Settings → Repository variables):</p> <ul> <li><code>DOCKERHUB_USERNAME</code></li> <li> <code>DOCKERHUB_PASSWORD</code> (use a Docker Hub access token)</li> <li> <code>EC2_HOST</code> (e.g., <code>3.XX.XX.XX</code>)</li> <li> <code>EC2_USER</code> (e.g., <code>ubuntu</code> for Ubuntu, <code>ec2-user</code> for Amazon Linux)</li> </ul> <p>SSH access: Add your Bitbucket Pipelines public key to the EC2 instance’s <code>~/.ssh/authorized_keys</code>. In Bitbucket: <strong>Repository Settings → SSH keys → Generate keys</strong>, then copy the public key to the server.</p> </blockquote> <h1> 3) README.md (instructions for completing the project) </h1> <p>Create this README.md in the repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Banking API — Docker + Bitbucket Pipelines → AWS EC2 (Beginner Friendly)</span> A tiny Flask + SQLite banking API you can build in Docker and deploy automatically to an AWS EC2 instance using Bitbucket Pipelines. <span class="gu">## Features</span> <span class="p"> -</span> Create accounts, deposit, withdraw, transfer <span class="p">-</span> SQLite database (file persisted on the server) <span class="p">-</span> Gunicorn production server <span class="p">-</span> Healthcheck <span class="sb">`/health`</span> <span class="p">-</span> Unit tests with pytest <span class="p">-</span> Bitbucket Pipelines: build → push Docker image → SSH deploy to EC2 <span class="p">-</span> Zero-downtime style (container is replaced quickly) <span class="p"> --- </span> <span class="gu">## 1) Prerequisites</span> <span class="p"> -</span> Docker &amp; Docker Compose (for local) <span class="p">-</span> A Docker Hub account (for pushing images) <span class="p">-</span> Bitbucket repository <span class="p">-</span> An EC2 instance (Ubuntu 22.04 LTS or Amazon Linux 2023 recommended) <span class="p">-</span> Security Group allows inbound TCP 80 (HTTP) from your IP/Internet <span class="p"> --- </span> <span class="gu">## 2) Run locally (optional, recommended)</span> <span class="p">```</span><span class="nl"> </span> bash # Clone and enter git clone &lt;your-repo-url&gt; banking-app cd banking-app # Create a local .env from example (you can keep defaults) cp .env.example .env # Build and run docker build -t your-dockerhub-username/banking-app:local . docker run --rm -it -p 8000:8000 \ -v ${PWD}/data:/app/data \ --env-file .env \ your-dockerhub-username/banking-app:local </code></pre> </div> <p>Test in another terminal:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash curl -s http://localhost:8000/health curl -s -X POST http://localhost:8000/api/accounts -H "Content-Type: application/json" -d '{"name":"Alice"}' </code></pre> </div> <h2> 3) Run tests locally </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash pip install -r requirements.txt pytest -q </code></pre> </div> <h2> 4) Prepare AWS EC2 (one-time) </h2> <ol> <li><strong>Launch EC2</strong></li> </ol> <ul> <li>AMI: Ubuntu 22.04 LTS (or Amazon Linux 2023)</li> <li>Instance type: t3.micro is fine for demo</li> <li>Security Group: allow inbound HTTP (80) and SSH (22) from your IP</li> </ul> <ol> <li><strong>SSH into the server</strong></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash ssh -i your-key.pem ubuntu@EC2_PUBLIC_IP </code></pre> </div> <ol> <li><strong>Install Docker</strong></li> </ol> <ul> <li> <p>Ubuntu:</p> <pre class="highlight plaintext"><code> bash sudo apt-get update sudo apt-get install -y ca-certificates curl sudo install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ $(. /etc/os-release &amp;&amp; echo "$VERSION_CODENAME") stable" | \ sudo tee /etc/apt/sources.list.d/docker.list &gt; /dev/null sudo apt-get update sudo apt-get install -y docker-ce docker-ce-cli containerd.io sudo usermod -aG docker $USER newgrp docker </code></pre> </li> </ul> <ol> <li><strong>Create app folder and .env</strong></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash sudo mkdir -p /srv/banking-app/data sudo chown -R $USER:$USER /srv/banking-app cat &lt;&lt; 'EOF' &gt; /srv/banking-app/.env FLASK_SECRET_KEY=change-this-in-production DATABASE_URL=sqlite:////app/data/banking.db LOG_LEVEL=INFO EOF </code></pre> </div> <ol> <li><strong>Add Bitbucket Pipelines SSH key to server</strong></li> </ol> <ul> <li>In Bitbucket: Repository Settings → <strong>SSH keys</strong> → Generate key</li> <li> <p>Copy the <strong>public key</strong> shown there and append to the server:</p> <pre class="highlight plaintext"><code> bash mkdir -p ~/.ssh chmod 700 ~/.ssh echo "&lt;PASTE_PUBLIC_KEY_HERE&gt;" &gt;&gt; ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys </code></pre> </li> </ul> <ol> <li><strong>(Optional) Open firewall for HTTP</strong></li> </ol> <ul> <li> <p>If using Ubuntu UFW:</p> <pre class="highlight plaintext"><code> bash sudo ufw allow 22/tcp sudo ufw allow 80/tcp sudo ufw enable sudo ufw status </code></pre> </li> </ul> <h2> 5) Configure Bitbucket Pipelines </h2> <ol> <li> <strong>Enable Pipelines</strong>: Repository → Pipelines → Enable</li> <li> <strong>Repository Variables</strong> (Settings → Repository variables):</li> </ol> <ul> <li> <code>DOCKERHUB_USERNAME</code> = <code>&lt;your-dockerhub-username&gt;</code> </li> <li> <code>DOCKERHUB_PASSWORD</code> = <code>&lt;docker-hub-access-token&gt;</code> (create from Docker Hub → Security)</li> <li> <code>EC2_HOST</code> = <code>ec2-x-x-x-x.compute-1.amazonaws.com</code> or the public IP</li> <li> <p><code>EC2_USER</code> = <code>ubuntu</code> (or <code>ec2-user</code> on Amazon Linux)</p> <ol> <li> <strong>SSH key</strong>: Repository Settings → SSH keys → <strong>Generate keys</strong> </li> </ol> </li> <li><p>This is the key Pipelines uses to SSH into your EC2.</p></li> <li><p>Add the <strong>public</strong> key to your EC2 server as described above.</p></li> </ul> <h2> 6) Deploy flow </h2> <ul> <li>Push to branch <code>main</code>.</li> <li>Pipeline runs:</li> </ul> <ol> <li>Install deps + tests</li> <li>Build Docker image, tag with short commit SHA and <code>latest</code>, push to Docker Hub</li> <li>SSH into EC2:</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> * Login to Docker Hub * Pull the image * Stop and remove the running container (if any) * Run a new container on port 80 → 8000 </code></pre> </div> <p><strong>Verify:</strong><br> Visit <code>http://&lt;EC2_PUBLIC_IP&gt;/health</code> → should return <code>{"status":"ok"}</code>.</p> <h2> 7) Example API usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash # Create two accounts curl -s -X POST http://EC2_PUBLIC_IP/api/accounts -H "Content-Type: application/json" -d '{"name":"Alice"}' curl -s -X POST http://EC2_PUBLIC_IP/api/accounts -H "Content-Type: application/json" -d '{"name":"Bob"}' # Deposit to Alice (id 1) curl -s -X POST http://EC2_PUBLIC_IP/api/accounts/1/deposit -H "Content-Type: application/json" -d '{"amount": 100}' # Transfer from Alice (1) to Bob (2) curl -s -X POST http://EC2_PUBLIC_IP/api/transfer -H "Content-Type: application/json" -d '{"from_id":1,"to_id":2,"amount":25}' </code></pre> </div> <h2> 8) Common troubleshooting </h2> <ul> <li> <strong>403/timeout reaching EC2</strong>: Check Security Group allows inbound TCP 80 from your IP/Internet.</li> <li> <strong>Pipeline can’t SSH</strong>: Ensure Bitbucket Pipelines public key is in <code>~/.ssh/authorized_keys</code> on EC2 and you used the correct <code>EC2_USER</code>.</li> <li> <strong>Container fails to start</strong>: <code>docker logs banking-app</code> on EC2 to see errors.</li> <li> <strong>DB not persisting</strong>: Ensure volume <code>-v /srv/banking-app/data:/app/data</code> is present in the <code>docker run</code> command (the pipeline does this).</li> <li> <strong>Change port</strong>: Edit <code>-p 80:8000</code> in the deploy step, and adjust security group accordingly.</li> </ul> <h2> 9) Cleaning up / re-deploy manually </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash # On EC2: docker ps docker stop banking-app &amp;&amp; docker rm banking-app docker pull your-dockerhub-username/banking-app:latest docker run -d --name banking-app --restart always -p 80:8000 \ --env-file /srv/banking-app/.env \ -v /srv/banking-app/data:/app/data \ your-dockerhub-username/banking-app:latest </code></pre> </div> <h2> 10) Notes on security (basics) </h2> <ul> <li>Always use a <strong>Docker Hub access token</strong> (not your password) for <code>DOCKERHUB_PASSWORD</code>.</li> <li>Keep <code>FLASK_SECRET_KEY</code> strong and private in <code>/srv/banking-app/.env</code> (don’t commit it).</li> <li>Consider attaching an Elastic IP to the instance and setting up a domain + HTTPS with a reverse proxy later.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> </code></pre> </div> CI/CD With GitHub Actions — A Practical, End‑to‑End Tutorial Goodluck Ekeoma Adiole Sat, 16 Aug 2025 15:49:26 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/cicd-with-github-actions-a-practical-end-to-end-tutorial-3p26 https://dev.to/goodluck_ekeoma_2c98866d0/cicd-with-github-actions-a-practical-end-to-end-tutorial-3p26 <h1> What Is CI/CD? </h1> <ul> <li>Continuous Integration (CI): automate build, lint, test, and packaging on every change.</li> <li>Continuous Delivery/Deployment (CD): automate promotion to environments (staging → production), often with approvals, feature flags, and rollbacks.</li> <li>Benefits: faster feedback, fewer regressions, reproducible releases, higher confidence.</li> </ul> <h1> CI/CD Tools at a Glance (Quick Compare) </h1> <ul> <li>Jenkins: highly extensible, self‑hosted; you manage controllers/agents and plugins.</li> <li>GitLab CI: tightly integrated with GitLab; YAML pipelines, built‑in container registry.</li> <li>Azure Pipelines: great for Microsoft stacks; Windows/macOS/Linux hosted pools.</li> <li>CircleCI: cloud‑hosted, fast parallelism, orbs ecosystem.</li> <li>Bitbucket Pipelines: simple pipelines for Bitbucket repos.</li> <li>Buildkite: hybrid model; run builders on your infra.</li> <li>Tekton: Kubernetes‑native pipelines (CRDs).</li> <li>Argo CD / Flux: GitOps CD for Kubernetes (pull‑based).</li> <li>Spinnaker / Harness: powerful multi‑cloud CD, canary/blue‑green baked in.</li> </ul> <p>Why GitHub Actions? Native to GitHub, enormous marketplace, generous hosted runners, great DX, reusable workflows, and first‑class security integrations (OIDC, environments, approvals).</p> <h1> GitHub Actions Core Concepts </h1> <ul> <li>Workflow: YAML in <code>.github/workflows/*.yml</code> </li> <li>Trigger (Event): <code>push</code>, <code>pull_request</code>, <code>workflow_dispatch</code>, <code>schedule</code>, <code>release</code>, etc.</li> <li>Job: runs on a runner (<code>runs-on: ubuntu-latest</code>, <code>windows-latest</code>, etc.). Jobs can depend on others via <code>needs</code>.</li> <li>Step: individual shell command or “action” (like <code>actions/checkout</code>).</li> <li>Runners: GitHub‑hosted or self‑hosted (ephemeral or static).</li> <li>Artifacts &amp; Caching: persist build outputs; speed up installs.</li> <li>Environments: <code>dev</code>, <code>staging</code>, <code>prod</code> with protection rules, approvals, and secrets.</li> <li>Secrets &amp; Variables: org/repo/environment scope; injected at runtime.</li> <li>Permissions: least‑privilege via <code>permissions:</code> (and OIDC via <code>id-token: write</code>).</li> </ul> <h1> A Minimal CI Workflow (Node example) </h1> <p>Create <code>.github/workflows/ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">opened</span><span class="pi">,</span> <span class="nv">synchronize</span><span class="pi">,</span> <span class="nv">reopened</span><span class="pi">,</span> <span class="nv">ready_for_review</span><span class="pi">]</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">timeout-minutes</span><span class="pi">:</span> <span class="m">15</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="m">20</span> <span class="na">cache</span><span class="pi">:</span> <span class="s">npm</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run lint --if-present</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test -- --ci --reporters=default --reporters=jest-junit</span> </code></pre> </div> <p>Notes:</p> <ul> <li>Runs on PRs and on pushes to <code>main</code>.</li> <li>Caches <code>node_modules</code> automatically via <code>setup-node@v4</code> + <code>cache: npm</code>.</li> </ul> <h1> Python &amp; Java Variants </h1> <p>Python (<code>.github/workflows/python-ci.yml</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Python CI</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">3.10</span><span class="pi">,</span> <span class="nv">3.11</span><span class="pi">,</span> <span class="nv">3.12</span><span class="pi">]</span> <span class="na">fail-fast</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s">${{ matrix.python-version }}</span> <span class="na">cache</span><span class="pi">:</span> <span class="s">pip</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pip install -r requirements.txt</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pytest -q --maxfail=1 --disable-warnings --junitxml=report.xml</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pytest-report</span> <span class="na">path</span><span class="pi">:</span> <span class="s">report.xml</span> </code></pre> </div> <p>Java (Gradle):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Java CI</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-java@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">distribution</span><span class="pi">:</span> <span class="s">temurin</span> <span class="na">java-version</span><span class="pi">:</span> <span class="m">21</span> <span class="na">cache</span><span class="pi">:</span> <span class="s">gradle</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./gradlew build --stacktrace</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-jar</span> <span class="na">path</span><span class="pi">:</span> <span class="s">build/libs/*.jar</span> </code></pre> </div> <h1> Service Containers for Integration Tests </h1> <p>Example: test against Postgres and Redis<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Integration Tests</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">itest</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16</span> <span class="na">env</span><span class="pi">:</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">app</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">password</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">appdb</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">5432:5432"</span><span class="pi">]</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">--health-cmd="pg_isready -U app -d appdb"</span> <span class="s">--health-interval=10s --health-timeout=5s --health-retries=5</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">python-version</span><span class="pi">:</span> <span class="nv">3.11</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pip install -r requirements.txt</span> <span class="pi">-</span> <span class="na">env</span><span class="pi">:</span> <span class="na">DATABASE_URL</span><span class="pi">:</span> <span class="s">postgresql://app:password@localhost:5432/appdb</span> <span class="na">REDIS_URL</span><span class="pi">:</span> <span class="s">redis://localhost:6379</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pytest tests/integration -q</span> </code></pre> </div> <h1> Caching &amp; Artifacts (Speed and Traceability) </h1> <ul> <li>Use setup actions’ built‑in caching (<code>cache: npm/pip/gradle</code>).</li> <li>For custom caches: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Cache build</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">.m2/repository</span> <span class="na">key</span><span class="pi">:</span> <span class="s">maven-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}</span> <span class="na">restore-keys</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">maven-${{ runner.os }}-</span> </code></pre> </div> <ul> <li>Upload build outputs for later jobs or downloads: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dist</span> <span class="na">path</span><span class="pi">:</span> <span class="s">dist/**</span> <span class="na">if-no-files-found</span><span class="pi">:</span> <span class="s">error</span> </code></pre> </div> <h1> CD Basics: Environments, Approvals, and Secrets </h1> <ol> <li>Create environments in GitHub: <code>dev</code>, <code>staging</code>, <code>prod</code>.</li> <li>Add environment secrets/variables (e.g., <code>PROD_DB_URL</code>).</li> <li>Configure protection rules (approvers, wait timers).</li> </ol> <p>Sample CD job gated by an environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy_prod</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prod</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://app.example.com</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># for OIDC to cloud providers</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./scripts/deploy.sh</span> </code></pre> </div> <p>Approvers receive a prompt in the PR/Actions UI before the job runs.</p> <h1> Multi‑Stage CI/CD (Build → Test → Deploy) </h1> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Webapp CI/CD</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">concurrency</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">app-${{ github.ref }}</span> <span class="na">cancel-in-progress</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.tags }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v3</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">registry</span><span class="pi">:</span> <span class="s">ghcr.io</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ github.actor }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">meta</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/metadata-action@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">images</span><span class="pi">:</span> <span class="s">ghcr.io/${{ github.repository }}</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">type=ref,event=branch</span> <span class="s">type=sha</span> <span class="s">type=semver,pattern={{version}}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build &amp; Push</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v6</span> <span class="na">with</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.tags }}</span> <span class="na">labels</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.labels }}</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci &amp;&amp; npm test</span> <span class="na">deploy_staging</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">test</span><span class="pi">]</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">staging</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Staging</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./scripts/deploy_staging.sh ${{ needs.build.outputs.image }}</span> <span class="na">deploy_prod</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">deploy_staging</span><span class="pi">]</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">prod</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Production</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./scripts/deploy_prod.sh ${{ needs.build.outputs.image }}</span> </code></pre> </div> <h1> Cloud Deployments via OIDC (No Long‑Lived Secrets) </h1> <h2> AWS (ECS/EKS/Lambda/etc.) </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::123456789012:role/GHActionsDeployRole</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy infra with Terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init</span> <span class="s">terraform apply -auto-approve</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update ECS service</span> <span class="na">run</span><span class="pi">:</span> <span class="s">aws ecs update-service --cluster app --service web --force-new-deployment</span> </code></pre> </div> <p>Prereq: set IAM role with a trust policy allowing GitHub’s OIDC provider and your repo/environment.</p> <h2> Azure (Web Apps/AKS) </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/login@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_CLIENT_ID }}</span> <span class="na">tenant-id</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_TENANT_ID }}</span> <span class="na">subscription-id</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_SUBSCRIPTION_ID }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Azure Web App</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/webapps-deploy@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">app-name</span><span class="pi">:</span> <span class="s">my-webapp</span> <span class="na">images</span><span class="pi">:</span> <span class="s">ghcr.io/${{ github.repository }}:sha-${{ github.sha }}</span> </code></pre> </div> <p>Use Azure Federated Credentials for your repo/environment to avoid client secret rotation.</p> <h2> GCP (Cloud Run/GKE) </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">google-github-actions/auth@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">workload_identity_provider</span><span class="pi">:</span> <span class="s">projects/123/locations/global/workloadIdentityPools/gh/providers/github</span> <span class="na">service_account</span><span class="pi">:</span> <span class="s">gha-deployer@myproj.iam.gserviceaccount.com</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Cloud Run</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">gcloud run deploy web --image=ghcr.io/${{ github.repository }}:${{ github.sha }} --region=europe-west1</span> </code></pre> </div> <h1> Terraform in Actions (Infra as Code) </h1> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Terraform</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">infra/**.tf"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">.github/workflows/terraform.yml"</span><span class="pi">]</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">infra/**.tf"</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">plan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform -chdir=infra init</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform -chdir=infra plan -out=plan.out</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tf-plan</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infra/plan.out</span> <span class="na">apply</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">plan</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">prod</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/download-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">name</span><span class="pi">:</span> <span class="nv">tf-plan</span><span class="pi">,</span> <span class="nv">path</span><span class="pi">:</span> <span class="nv">infra</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform -chdir=infra apply -auto-approve plan.out</span> </code></pre> </div> <h1> Secure Supply Chain (SCA, SAST, Code Scanning) </h1> <ul> <li>Dependency Review on PRs: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Dependency Review</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">pull_request</span><span class="pi">]</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">dep-review</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/dependency-review-action@v4</span> </code></pre> </div> <ul> <li>CodeQL (static analysis): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CodeQL</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="pi">}</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="pi">[{</span> <span class="nv">cron</span><span class="pi">:</span> <span class="s2">"</span><span class="s">35</span><span class="nv"> </span><span class="s">1</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">1"</span> <span class="pi">}]</span> <span class="c1"># weekly</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">security-events</span><span class="pi">:</span> <span class="s">write</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">analyze</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">fail-fast</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">matrix</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">language</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">javascript</span><span class="pi">,</span> <span class="nv">python</span><span class="pi">,</span> <span class="nv">java</span><span class="pi">]</span> <span class="pi">}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/init@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">languages</span><span class="pi">:</span> <span class="nv">$</span><span class="pi">{{</span> <span class="nv">matrix.language</span> <span class="pi">}}</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/analyze@v3</span> </code></pre> </div> <ul> <li>Optional: container provenance (SLSA‑style): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Attest build provenance</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/attest-build-provenance@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">subject-name</span><span class="pi">:</span> <span class="s">ghcr.io/${{ github.repository }}</span> <span class="na">subject-digest</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.digest }}</span> </code></pre> </div> <h1> Reusable Workflows &amp; Composite Actions </h1> <h2> Reusable workflow (publisher): </h2> <p><code>.github/workflows/reusable-test.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Reusable Test</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_call</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">required</span><span class="pi">:</span> <span class="nv">true</span><span class="pi">,</span> <span class="nv">type</span><span class="pi">:</span> <span class="nv">string</span> <span class="pi">}</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">run-tests</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">node-version</span><span class="pi">:</span> <span class="nv">$</span><span class="pi">{{</span> <span class="nv">inputs.node-version</span> <span class="pi">}},</span> <span class="nv">cache</span><span class="pi">:</span> <span class="nv">npm</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci &amp;&amp; npm test</span> </code></pre> </div> <p>Caller:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">tests</span><span class="pi">:</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">your-org/your-repo/.github/workflows/reusable-test.yml@main</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">20"</span> </code></pre> </div> <h2> Composite action (encapsulate repeatable steps): </h2> <p><code>.github/actions/setup-app/action.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Setup</span><span class="nv"> </span><span class="s">App"</span> <span class="na">runs</span><span class="pi">:</span> <span class="na">using</span><span class="pi">:</span> <span class="s2">"</span><span class="s">composite"</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">node-version</span><span class="pi">:</span> <span class="nv">20</span><span class="pi">,</span> <span class="nv">cache</span><span class="pi">:</span> <span class="nv">npm</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> </code></pre> </div> <p>Use it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">./.github/actions/setup-app</span> </code></pre> </div> <h1> Monorepos &amp; Path Filters </h1> <p>Run pipelines only when relevant code changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">services/api/**"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">.github/workflows/api-*.yml"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">api-ci</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">make -C services/api test</span> </code></pre> </div> <p>Matrix by service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">api</span><span class="pi">,</span> <span class="nv">web</span><span class="pi">,</span> <span class="nv">worker</span><span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">make -C services/${{ matrix.service }} test</span> </code></pre> </div> <h1> Branching &amp; Release Strategies </h1> <ul> <li>Trunk‑based (recommended): PRs → <code>main</code>; feature flags; short‑lived branches.</li> <li>GitFlow: <code>develop</code>, <code>release/*</code>, <code>hotfix/*</code>; more ceremony.</li> <li>Semver tags trigger releases: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">v*.*.*"</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">release</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Changelog</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx conventional-changelog -p angular -i CHANGELOG.md -s</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create GitHub Release</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">softprops/action-gh-release@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">dist/**</span> </code></pre> </div> <h1> Advanced Controls &amp; Guardrails </h1> <ul> <li> <code>concurrency:</code> to prevent overlapping deploys.</li> <li> <code>environment:</code> with required reviewers and wait timers.</li> <li> <code>timeout-minutes:</code> per job.</li> <li> <code>if:</code> conditions (e.g., only deploy on tags).</li> <li> <code>needs:</code> to enforce stage order.</li> <li> <code>permissions:</code> minimal scopes; add <code>id-token: write</code> only when needed.</li> <li>Pin actions to major versions or SHAs (for maximum supply‑chain safety).</li> <li>Secret scanning &amp; push protection: keep secrets out of code.</li> </ul> <h1> Self‑Hosted Runners (When and How) </h1> <p>Why: custom tools, private networks, GPUs, cost control, long builds.</p> <p>Basic setup steps:</p> <ol> <li>Provision VM/container with network access to targets.</li> <li>Create runner in repo/org (Settings → Actions → Runners).</li> <li>Label runners (e.g., <code>self-hosted</code>, <code>gpu</code>, <code>arm64</code>).</li> <li>Prefer ephemeral/auto‑scaled runners (clean state per job).</li> </ol> <p>Use in workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">self-hosted</span><span class="pi">,</span> <span class="nv">linux</span><span class="pi">,</span> <span class="nv">x64</span><span class="pi">,</span> <span class="nv">docker</span><span class="pi">]</span> </code></pre> </div> <p>Security tips:</p> <ul> <li>Lock runners to specific repos.</li> <li>Rotate tokens; auto‑update runner.</li> <li>Isolate with VM snapshots or ephemeral images.</li> </ul> <h1> Slide 18 — Observability, Test Reports, Coverage, and Artifacts </h1> <ul> <li>Upload test reports &amp; coverage to keep PR feedback rich.</li> <li>Publish HTML reports as artifacts or Pages in non‑prod.</li> <li>Example (Jest coverage): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run test -- --coverage</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">coverage</span> <span class="na">path</span><span class="pi">:</span> <span class="s">coverage/**</span> </code></pre> </div> <ul> <li>Annotate PRs via problem matchers or actions (eslint, flake8, etc.).</li> </ul> <h1> Scheduling, Manual Runs, and Branch Protections </h1> <ul> <li>Schedules use UTC (not repository timezone): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cron</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0</span><span class="nv"> </span><span class="s">5</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">1-5"</span> <span class="c1"># 05:00 UTC on weekdays</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">target</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Env</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">deploy"</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">staging"</span> </code></pre> </div> <ul> <li>Combine with branch protection rules (required checks before merge).</li> </ul> <h1> End‑to‑End Example: Dockerized API → Staging/Prod (ECS) </h1> <p><code>.github/workflows/api-cicd.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">API CI/CD</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">api/**"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">.github/workflows/api-cicd.yml"</span><span class="pi">]</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">api/**"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">.github/workflows/api-cicd.yml"</span><span class="pi">]</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">env</span><span class="pi">:</span> <span class="na">IMAGE_NAME</span><span class="pi">:</span> <span class="s">ghcr.io/${{ github.repository }}/api</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">ci</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">image_tag</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.version }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v3</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">registry</span><span class="pi">:</span> <span class="s">ghcr.io</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ github.actor }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">meta</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/metadata-action@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">images</span><span class="pi">:</span> <span class="s">${{ env.IMAGE_NAME }}</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">type=sha,format=long</span> <span class="s">type=ref,event=branch</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build &amp; Push</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v6</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./api</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">${{ steps.meta.outputs.tags }}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">image-tags</span> <span class="na">path</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># emit a simple file with the final tag(s)</span> <span class="s">/dev/stdout</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="na">deploy_staging</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">ci</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">staging</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::123456789012:role/gh-ecs-deployer</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update ECS service (staging)</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ecs update-service \</span> <span class="s">--cluster app-staging \</span> <span class="s">--service api \</span> <span class="s">--force-new-deployment</span> <span class="na">deploy_prod</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">startsWith(github.ref, 'refs/tags/v')</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">deploy_staging</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">prod</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::123456789012:role/gh-ecs-deployer</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update ECS service (prod)</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ecs update-service \</span> <span class="s">--cluster app-prod \</span> <span class="s">--service api \</span> <span class="s">--force-new-deployment</span> </code></pre> </div> <p>Flow:</p> <ul> <li>PR → CI only.</li> <li>Push to <code>main</code> → build/push image + deploy to <code>staging</code>.</li> <li>Create tag <code>vX.Y.Z</code> → deploy to <code>prod</code> (after staging job completes and environment approval, if configured).</li> </ul> <h1> Common Pitfalls &amp; Troubleshooting </h1> <ul> <li>“Permission denied” on checkout/push: set <code>permissions: contents: write</code> when publishing tags or creating releases.</li> <li>OIDC failing: verify correct audience/repo/environment in cloud role trust policy.</li> <li>Slow builds: add caches, narrow <code>paths</code>, enable parallel matrix, use bigger runners (e.g., <code>ubuntu-latest</code> vs <code>ubuntu-24.04</code> as available).</li> <li>Flaky tests: add service health checks and retries; separate unit vs integration; use <code>timeout-minutes</code>.</li> <li>Secrets not found: confirm secret scope (environment vs repo vs org) and name casing.</li> </ul> <h1> Security Best Practices Checklist </h1> <ul> <li>Least‑privilege <code>permissions:</code> per workflow/job.</li> <li>Use environments for prod with required reviewers.</li> <li>Prefer OIDC to cloud over static keys.</li> <li>Pin actions to major versions or commit SHAs.</li> <li>Keep runners ephemeral or routinely cleaned.</li> <li>Enable branch protections + required status checks.</li> <li>Turn on secret scanning, Dependabot alerts &amp; updates.</li> <li>Store sensitive config as environment secrets, not repo secrets if env‑specific.</li> </ul> <h1> Suggested Project Structure </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├─ api/ # your app(s) ├─ infra/ # terraform/helm ├─ scripts/ # deploy scripts ├─ .github/ │ ├─ actions/ │ │ └─ setup-app/ # composite action │ └─ workflows/ │ ├─ ci.yml │ ├─ codeql.yml │ ├─ terraform.yml │ └─ api-cicd.yml └─ Dockerfile </code></pre> </div> <h1> Quick Start Checklist </h1> <ol> <li>Add <code>.github/workflows/ci.yml</code> and run a PR.</li> <li>Add environments and secrets for <code>staging</code> and <code>prod</code>.</li> <li>Add OIDC role/federated credentials in your cloud.</li> <li>Implement build → test → deploy workflow with approvals.</li> <li>Add CodeQL + Dependency Review.</li> <li>Add path filters and caches.</li> <li>Monitor, iterate, and keep pipelines as code.</li> </ol> <h1> Copy‑Paste Starters (Grab‑Bag) </h1> <h2> Manual Deploy with Inputs </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">env</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">choice</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">staging</span><span class="pi">,</span> <span class="nv">prod</span><span class="pi">]</span> <span class="na">default</span><span class="pi">:</span> <span class="s">staging</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">${{ inputs.env }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./scripts/deploy_${{ inputs.env }}.sh</span> </code></pre> </div> <h2> Blue‑Green (Feature Flag‑Style) Toggle </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Flip production traffic</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./scripts/switch_traffic.sh --to blue</span> </code></pre> </div> <h2> Conditional Job (Only on PRs from internal repo) </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">if</span><span class="pi">:</span> <span class="s">${{ github.event.pull_request.head.repo.full_name == github.repository }}</span> </code></pre> </div> <h1> What to Implement Next </h1> <ul> <li>Tracing CI duration and break‑down per step; set goals for speed.</li> <li>Parallelize test suites via matrix/shards.</li> <li>Add canary/percentage rollouts (ECS, Cloud Run, AKS/GKE).</li> <li>GitOps for Kubernetes (Argo CD/Flux) and make Actions only push manifests/images.</li> <li>DORA metrics (deployment frequency, lead time, MTTR, change‑fail rate) from Actions runs.</li> </ul> Tutorial Presentation on CI/CD with GitHub Actions Goodluck Ekeoma Adiole Sat, 16 Aug 2025 15:43:26 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/tutorial-presentation-on-cicd-with-github-actions-5820 https://dev.to/goodluck_ekeoma_2c98866d0/tutorial-presentation-on-cicd-with-github-actions-5820 <h2> <strong>1. Introduction to CI/CD</strong> </h2> <ul> <li> <p><strong>Continuous Integration (CI):</strong></p> <ul> <li>A software development practice where developers frequently merge code changes into a shared repository.</li> <li>Automated builds and tests are run to detect integration issues early.</li> <li>Benefits: faster feedback, reduced integration problems, improved collaboration.</li> </ul> </li> <li> <p><strong>Continuous Delivery (CD):</strong></p> <ul> <li>Extends CI by automatically preparing code for release to production.</li> <li>Ensures software can be deployed reliably at any time.</li> <li>Deployment can be manual but is always ready.</li> </ul> </li> <li> <p><strong>Continuous Deployment (CD - extended form):</strong></p> <ul> <li>Goes a step further: every change that passes all pipeline stages is automatically deployed to production.</li> <li>Requires very high confidence in automated testing and monitoring.</li> </ul> </li> </ul> <h2> <strong>2. Why CI/CD is Important</strong> </h2> <ul> <li>Speeds up software development lifecycle (SDLC).</li> <li>Ensures high-quality code through automated testing.</li> <li>Reduces deployment risks and downtime.</li> <li>Promotes collaboration between developers, operations, and security teams (DevOps/DevSecOps).</li> <li>Enables faster innovation while maintaining stability.</li> </ul> <h2> <strong>3. Popular CI/CD Tools (Brief Overview)</strong> </h2> <ul> <li> <strong>Jenkins:</strong> Open-source automation server, highly customizable with plugins.</li> <li> <strong>GitLab CI/CD:</strong> Integrated with GitLab repositories, offers built-in pipelines.</li> <li> <strong>CircleCI:</strong> Cloud-based CI/CD tool with container-native workflows.</li> <li> <strong>Azure DevOps Pipelines:</strong> Microsoft solution with strong integration to Azure services.</li> <li> <strong>Travis CI:</strong> Well-known CI/CD platform integrated with GitHub (mostly for open-source).</li> <li> <strong>GitHub Actions:</strong> Native CI/CD for GitHub repositories, deeply integrated into the GitHub ecosystem.</li> </ul> <p><em>(Next sections will focus deeply on GitHub Actions.)</em></p> <h2> <strong>4. Introduction to GitHub Actions</strong> </h2> <ul> <li>A <strong>CI/CD platform built directly into GitHub</strong>.</li> <li>Automates workflows across software development lifecycle: build, test, deploy.</li> <li>Event-driven: workflows can be triggered by repository events (push, pull request, release).</li> <li>Uses <strong>YAML configuration files</strong> stored in <code>.github/workflows/</code>.</li> </ul> <p><strong>Key Benefits:</strong></p> <ul> <li>Native GitHub integration.</li> <li>Free usage with GitHub-hosted runners (with limitations).</li> <li>Support for self-hosted runners (for more control).</li> <li>Large marketplace of prebuilt actions.</li> </ul> <h2> <strong>5. Core Concepts of GitHub Actions</strong> </h2> <ol> <li><strong>Workflows</strong></li> </ol> <ul> <li>Automated processes defined in <code>.yml</code> files.</li> <li>Example: "Run tests on every push."</li> </ul> <ol> <li><strong>Events</strong></li> </ol> <ul> <li>Triggers that start workflows.</li> <li>Examples: <code>push</code>, <code>pull_request</code>, <code>schedule</code>, <code>workflow_dispatch</code>.</li> </ul> <ol> <li><strong>Jobs</strong></li> </ol> <ul> <li>A set of steps executed on the same runner.</li> <li>Can run sequentially or in parallel.</li> </ul> <ol> <li><strong>Steps</strong></li> </ol> <ul> <li>Individual tasks inside a job.</li> <li>Each step can run commands or actions.</li> </ul> <ol> <li><strong>Actions</strong></li> </ol> <ul> <li>Reusable units of code packaged for specific tasks.</li> <li>Examples: checkout code, set up Node.js, deploy to AWS.</li> </ul> <ol> <li><strong>Runners</strong></li> </ol> <ul> <li>Virtual machines that execute workflows.</li> <li>Options: GitHub-hosted (Linux, Windows, macOS) or self-hosted.</li> </ul> <h2> <strong>6. Workflow Lifecycle in GitHub Actions</strong> </h2> <ol> <li>Developer pushes code to GitHub.</li> <li>Trigger event activates the workflow.</li> <li>Workflow runner executes jobs as defined.</li> <li>Steps run sequentially within each job.</li> <li>Jobs may run in parallel or depend on each other.</li> <li>Results (logs, artifacts, test results) are reported in GitHub UI.</li> <li>(Optional) Deployment to staging/production occurs.</li> </ol> <h2> <strong>7. Typical CI/CD Workflow with GitHub Actions</strong> </h2> <h3> <strong>Continuous Integration Workflow</strong> </h3> <ul> <li>Trigger: <code>push</code> or <code>pull_request</code>.</li> <li> <p>Jobs:</p> <ul> <li>Checkout code.</li> <li>Install dependencies.</li> <li>Run static analysis (linting, code quality checks).</li> <li>Run unit/integration tests.</li> <li>Build artifacts.</li> </ul> </li> </ul> <h3> <strong>Continuous Delivery Workflow</strong> </h3> <ul> <li>Trigger: Merge into <code>main</code> or tagged release.</li> <li> <p>Jobs:</p> <ul> <li>Build Docker image or application package.</li> <li>Run security scans.</li> <li>Deploy to staging environment.</li> <li>(Optional) Await manual approval for production release.</li> </ul> </li> </ul> <h3> <strong>Continuous Deployment Workflow</strong> </h3> <ul> <li>Same as delivery, but automatically deploys to production after successful tests.</li> </ul> <h2> <strong>8. Best Practices for GitHub Actions</strong> </h2> <ul> <li> <strong>Use caching</strong> (e.g., dependencies) to speed up workflows.</li> <li> <strong>Separate workflows</strong> for CI (test/build) and CD (deployment).</li> <li> <strong>Use secrets management</strong> (<code>GitHub Secrets</code>) for credentials.</li> <li> <strong>Set branch protection rules</strong> to enforce CI checks before merging.</li> <li> <strong>Reuse actions from the Marketplace</strong> to save time.</li> <li><strong>Keep workflows modular and readable.</strong></li> <li> <strong>Monitor logs and set up alerts</strong> for failed workflows.</li> </ul> <h2> <strong>9. Advantages of GitHub Actions over Other Tools</strong> </h2> <ul> <li>Direct integration with GitHub repositories (no external setup).</li> <li>Easy YAML configuration and readability.</li> <li>Access to GitHub ecosystem (Marketplace, APIs).</li> <li>Free tier sufficient for many small to medium projects.</li> <li>Supports both simple and complex workflows.</li> <li>Good balance of flexibility and ease of use compared to Jenkins or GitLab CI.</li> </ul> <h2> <strong>10. Example Use Cases</strong> </h2> <ol> <li> <strong>CI Only:</strong> Run tests and lint checks for every pull request.</li> <li> <strong>CD to Cloud:</strong> Deploy app to AWS, Azure, or GCP after successful tests.</li> <li> <strong>Security Automation:</strong> Run vulnerability scans with Dependabot or custom security actions.</li> <li> <strong>Scheduled Jobs:</strong> Nightly builds, automated backups, or dependency updates.</li> <li> <strong>Custom DevOps Pipelines:</strong> Integrate with Docker, Kubernetes, or Terraform.</li> </ol> <h2> <strong>11. Challenges &amp; Considerations</strong> </h2> <ul> <li>Limited free minutes and storage (for large projects, consider self-hosted runners).</li> <li>YAML syntax errors can break workflows—needs careful review.</li> <li>May require external integrations for advanced deployment strategies.</li> <li>Security risks if secrets are not managed properly.</li> </ul> <h2> <strong>12. Conclusion</strong> </h2> <ul> <li>CI/CD is essential for modern software delivery, improving quality and speed.</li> <li>GitHub Actions provides a <strong>powerful, integrated, and user-friendly platform</strong> for CI/CD directly within GitHub.</li> <li>By understanding workflows, jobs, steps, and runners, teams can build robust automation pipelines.</li> <li>Adoption of best practices ensures secure, efficient, and scalable software delivery pipelines.</li> </ul> Containerizing and Deploying a Simple FastAPI Application to AWS EC2. Goodluck Ekeoma Adiole Sun, 10 Aug 2025 16:27:05 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/containerizing-and-deploying-a-simple-fastapi-application-to-aws-ec2-pa2 https://dev.to/goodluck_ekeoma_2c98866d0/containerizing-and-deploying-a-simple-fastapi-application-to-aws-ec2-pa2 <p>This project demonstrates the end-to-end process of building, containerizing, and deploying a lightweight FastAPI application to an AWS EC2 instance. FastAPI, known for its high performance and intuitive API design, is paired with Docker to create a portable, consistent runtime environment. The containerized application is then hosted on AWS EC2, making it accessible over the internet.<br> The guide is intentionally simple, making it suitable for beginners who want hands-on experience with API development, containerization, and cloud deployment. By completing this project, you’ll understand how to:</p> <ul> <li>Develop a basic FastAPI application.</li> <li>Write a Dockerfile to containerize the app.</li> <li>Build, tag, and push Docker images to a registry.</li> <li>Configure and run the container on an AWS EC2 instance.</li> </ul> <p>It’s a foundational DevOps exercise that blends software development with infrastructure management — essential for modern application delivery.</p> <h1> Project layout </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fastapi-simple/ ├─ main.py ├─ requirements.txt ├─ Dockerfile ├─ .dockerignore </code></pre> </div> <h1> 1) Code — <code>main.py</code> </h1> <p>Create <code>main.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">(</span><span class="n">title</span><span class="o">=</span><span class="sh">"</span><span class="s">Simple FastAPI App</span><span class="sh">"</span><span class="p">)</span> <span class="k">class</span> <span class="nc">Echo</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">message</span><span class="p">:</span> <span class="nb">str</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">read_root</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Hello from FastAPI in Docker!</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">health</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/items/{item_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">read_item</span><span class="p">(</span><span class="n">item_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">q</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">item_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">item_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">:</span> <span class="n">q</span><span class="p">}</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/echo</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">post_echo</span><span class="p">(</span><span class="n">payload</span><span class="p">:</span> <span class="n">Echo</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">you_sent</span><span class="sh">"</span><span class="p">:</span> <span class="n">payload</span><span class="p">}</span> </code></pre> </div> <h1> 2) Dependencies — <code>requirements.txt</code> </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fastapi uvicorn[standard] </code></pre> </div> <h1> 3) Dockerfile </h1> <p>Create <code>Dockerfile</code> (uses a small Python base, installs dependencies, runs uvicorn):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Use an official Python runtime as a parent image</span> <span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="c"># Prevent Python from writing .pyc files and enable stdout buffering</span> <span class="k">ENV</span><span class="s"> PYTHONDONTWRITEBYTECODE=1</span> <span class="k">ENV</span><span class="s"> PYTHONUNBUFFERED=1</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy only requirements first for better caching</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="c"># Install pip dependencies</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="c"># Copy app source</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Expose the port uvicorn will listen on</span> <span class="k">EXPOSE</span><span class="s"> 8000</span> <span class="c"># Run the app with uvicorn</span> <span class="k">CMD</span><span class="s"> ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]</span> </code></pre> </div> <h1> 4) .dockerignore (optional but recommended) </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>__pycache__ *.pyc .env .venv .git </code></pre> </div> <h1> 5) Build &amp; run locally </h1> <p>From the project root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># build</span> docker build <span class="nt">-t</span> fastapi-simple:local <span class="nb">.</span> <span class="c"># run (maps container port 8000 -&gt; host 8000)</span> docker run <span class="nt">--rm</span> <span class="nt">-p</span> 8000:8000 fastapi-simple:local </code></pre> </div> <p>Open <code>http://localhost:8000/</code> and <code>http://localhost:8000/docs</code> (interactive API docs).</p> <h1> 6) Push to Docker Hub (simple public flow) </h1> <ol> <li>Create a repo at hub.docker.com (or use an existing one).</li> <li>Tag and push: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker login <span class="c"># enter Docker Hub credentials</span> docker tag fastapi-simple:local yourhubusername/fastapi-simple:latest docker push yourhubusername/fastapi-simple:latest </code></pre> </div> <p>If you want a private registry, consider AWS ECR (more secure for production).</p> <h1> 7) Deploy on AWS EC2 (manual steps) </h1> <p>Use an Ubuntu 22.04 (or similar) instance. Minimal overview:</p> <ol> <li>Create an EC2 instance</li> </ol> <ul> <li>AMI: Ubuntu 22.04 LTS</li> <li>Instance type: t3.micro (or as needed)</li> <li>Key pair: create/download one (you’ll use <code>.pem</code> to SSH)</li> <li>Security Group: allow inbound TCP ports 22 (SSH) and 80 (HTTP). If you plan to use 8000, open that too.</li> </ul> <ol> <li>SSH to EC2 </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> path/to/key.pem ubuntu@YOUR_EC2_PUBLIC_IP </code></pre> </div> <ol> <li>Install Docker (simple method) </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> docker.io <span class="nb">sudo </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> docker <span class="c"># give your ubuntu user permission to use docker (you may need to logout/login)</span> <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker <span class="nv">$USER</span> </code></pre> </div> <ol> <li>Pull the image and run it (map container 8000 -&gt; host 80) </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># (optional) docker login</span> docker pull yourhubusername/fastapi-simple:latest <span class="c"># run as detached, restart automatically on reboot/crash</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> fastapi <span class="se">\</span> <span class="nt">--restart</span> unless-stopped <span class="se">\</span> <span class="nt">-p</span> 80:8000 <span class="se">\</span> yourhubusername/fastapi-simple:latest </code></pre> </div> <ol> <li>Visit <code>http://YOUR_EC2_PUBLIC_IP/</code> in your browser. API docs: <code>http://YOUR_EC2_PUBLIC_IP/docs</code>.</li> </ol> <h1> 8) Optional: run container as a systemd service (survives reboots) </h1> <p>Create <code>/etc/systemd/system/fastapi.service</code> with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Unit] Description=FastAPI Docker Container After=docker.service Requires=docker.service [Service] Restart=always ExecStartPre=-/usr/bin/docker stop fastapi ExecStartPre=-/usr/bin/docker rm fastapi ExecStart=/usr/bin/docker run --name fastapi --rm --restart unless-stopped -p 80:8000 yourhubusername/fastapi-simple:latest ExecStop=/usr/bin/docker stop fastapi [Install] WantedBy=multi-user.target </code></pre> </div> <p>Then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl daemon-reload <span class="nb">sudo </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> fastapi.service <span class="nb">sudo </span>journalctl <span class="nt">-u</span> fastapi <span class="nt">-f</span> </code></pre> </div> <h1> 9) Optional: EC2 user-data (auto bootstrap on instance creation) </h1> <p>You can use this script as user-data when launching the instance to auto-install docker and run the container. Warning: do not embed Docker Hub credentials in user-data for security — use public image or ECR + IAM role.</p> <p>Example user-data (Ubuntu):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> apt update apt <span class="nb">install</span> <span class="nt">-y</span> docker.io systemctl <span class="nb">enable</span> <span class="nt">--now</span> docker <span class="c"># pull public image</span> docker pull yourhubusername/fastapi-simple:latest docker run <span class="nt">-d</span> <span class="nt">--restart</span> unless-stopped <span class="nt">--name</span> fastapi <span class="nt">-p</span> 80:8000 yourhubusername/fastapi-simple:latest </code></pre> </div> <h1> 10) Troubleshooting tips </h1> <ul> <li>If you get a blank page: check <code>docker logs fastapi</code> on EC2.</li> <li>If EC2 public IP not serving: confirm Security Group inbound rules include port 80, and that the container is running (<code>docker ps</code>).</li> <li>If docker commands require sudo: re-login after <code>usermod -aG docker $USER</code> or run with <code>sudo</code>.</li> <li>For private images: use <code>docker login</code> on the EC2 instance before <code>docker pull</code>, or use AWS ECR with an instance role.</li> </ul> <h1> 11) Next steps / production notes (short) </h1> <ul> <li>For production, use a process manager / orchestrator (ECS, EKS, or at least systemd + reverse proxy like Nginx).</li> <li>Use HTTPS: put an nginx reverse proxy + certbot / or use a load balancer with TLS.</li> <li>Use AWS ECR + instance profile or secrets manager instead of embedding Docker Hub credentials.</li> </ul> Enterprise-Grade FastAPI Application — Containerized and Deployed on AWS EC2 Goodluck Ekeoma Adiole Sun, 10 Aug 2025 16:20:19 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/enterprise-grade-fastapi-application-containerized-and-deployed-on-aws-ec2-48h7 https://dev.to/goodluck_ekeoma_2c98866d0/enterprise-grade-fastapi-application-containerized-and-deployed-on-aws-ec2-48h7 <ol> <li>A compact enterprise-grade project layout and the key source files (ready-to-run).</li> <li>A production Dockerfile (multi-stage, non-root).</li> <li>A docker-compose for local dev (Postgres).</li> <li>Step-by-step commands to build → push to ECR → deploy to EC2 (including systemd unit example).</li> <li>Notes about security &amp; production best-practices and citations for the most important platform commands.</li> </ol> <p>I kept code pragmatic and copy-paste ready. Replace placeholders (YOUR_REGION, AWS_ACCOUNT_ID, DB creds, secret keys) with your values.</p> <h1> 1. Project layout (suggested) </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fastapi-enterprise/ ├─ app/ │ ├─ main.py │ ├─ core/ │ │ ├─ config.py │ │ ├─ logging.py │ │ └─ security.py │ ├─ db/ │ │ ├─ session.py │ │ └─ base.py │ ├─ models/ │ │ └─ user.py │ ├─ schemas/ │ │ └─ user.py │ ├─ crud/ │ │ └─ user.py │ └─ api/ │ ├─ deps.py │ └─ v1/ │ └─ routers/ │ └─ users.py ├─ alembic/ (optional migrations) ├─ requirements.txt ├─ Dockerfile ├─ docker-compose.yml ├─ .env.example └─ gunicorn_conf.py (optional) </code></pre> </div> <h1> 2. Key source files </h1> <p>All code below fits the project layout above. Keep files under <code>app/</code>.</p> <h3> app/core/config.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseSettings</span><span class="p">,</span> <span class="n">AnyUrl</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Optional</span> <span class="k">class</span> <span class="nc">Settings</span><span class="p">(</span><span class="n">BaseSettings</span><span class="p">):</span> <span class="n">APP_NAME</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">FastAPI Enterprise</span><span class="sh">"</span> <span class="n">ENV</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span> <span class="n">DEBUG</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span> <span class="c1"># Database (asyncpg example) </span> <span class="n">DATABASE_URL</span><span class="p">:</span> <span class="n">AnyUrl</span> <span class="o">=</span> <span class="sh">"</span><span class="s">postgresql+asyncpg://postgres:password@postgres:5432/appdb</span><span class="sh">"</span> <span class="c1"># Security </span> <span class="n">SECRET_KEY</span><span class="p">:</span> <span class="nb">str</span> <span class="n">ACCESS_TOKEN_EXPIRE_MINUTES</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span> <span class="c1"># Gunicorn/worker tuning </span> <span class="n">WORKERS</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">4</span> <span class="k">class</span> <span class="nc">Config</span><span class="p">:</span> <span class="n">env_file</span> <span class="o">=</span> <span class="sh">"</span><span class="s">.env</span><span class="sh">"</span> <span class="n">env_file_encoding</span> <span class="o">=</span> <span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span> <span class="n">settings</span> <span class="o">=</span> <span class="nc">Settings</span><span class="p">()</span> </code></pre> </div> <h3> app/core/logging.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">sys</span> <span class="k">def</span> <span class="nf">setup_logging</span><span class="p">():</span> <span class="n">fmt</span> <span class="o">=</span> <span class="sh">"</span><span class="s">%(asctime)s - %(levelname)s - %(name)s - %(message)s</span><span class="sh">"</span> <span class="n">logging</span><span class="p">.</span><span class="nf">basicConfig</span><span class="p">(</span><span class="n">stream</span><span class="o">=</span><span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">,</span> <span class="n">level</span><span class="o">=</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="n">fmt</span><span class="p">)</span> <span class="c1"># Optionally integrate with json-loggers or structlog for structured logs </span></code></pre> </div> <h3> app/core/security.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">passlib.context</span> <span class="kn">import</span> <span class="n">CryptContext</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">app.core.config</span> <span class="kn">import</span> <span class="n">settings</span> <span class="n">pwd_context</span> <span class="o">=</span> <span class="nc">CryptContext</span><span class="p">(</span><span class="n">schemes</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">bcrypt</span><span class="sh">"</span><span class="p">],</span> <span class="n">deprecated</span><span class="o">=</span><span class="sh">"</span><span class="s">auto</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">hash_password</span><span class="p">(</span><span class="n">password</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="n">pwd_context</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="k">def</span> <span class="nf">verify_password</span><span class="p">(</span><span class="n">plain</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">hashed</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">return</span> <span class="n">pwd_context</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="n">plain</span><span class="p">,</span> <span class="n">hashed</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">subject</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">expires_minutes</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="bp">None</span><span class="p">):</span> <span class="n">expire</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="p">(</span><span class="n">expires_minutes</span> <span class="ow">or</span> <span class="n">settings</span><span class="p">.</span><span class="n">ACCESS_TOKEN_EXPIRE_MINUTES</span><span class="p">))</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="n">subject</span><span class="p">,</span> <span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">expire</span><span class="p">}</span> <span class="n">token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">settings</span><span class="p">.</span><span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">token</span> </code></pre> </div> <h3> app/db/session.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy.ext.asyncio</span> <span class="kn">import</span> <span class="n">create_async_engine</span><span class="p">,</span> <span class="n">AsyncSession</span> <span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">sessionmaker</span> <span class="kn">from</span> <span class="n">app.core.config</span> <span class="kn">import</span> <span class="n">settings</span> <span class="n">engine</span> <span class="o">=</span> <span class="nf">create_async_engine</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">settings</span><span class="p">.</span><span class="n">DATABASE_URL</span><span class="p">),</span> <span class="n">future</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">echo</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">AsyncSessionLocal</span> <span class="o">=</span> <span class="nf">sessionmaker</span><span class="p">(</span><span class="n">engine</span><span class="p">,</span> <span class="n">class_</span><span class="o">=</span><span class="n">AsyncSession</span><span class="p">,</span> <span class="n">expire_on_commit</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># Dependency </span><span class="k">async</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="k">async</span> <span class="k">with</span> <span class="nc">AsyncSessionLocal</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="k">yield</span> <span class="n">session</span> </code></pre> </div> <h3> app/db/base.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy.orm</span> <span class="kn">import</span> <span class="n">declarative_base</span> <span class="n">Base</span> <span class="o">=</span> <span class="nf">declarative_base</span><span class="p">()</span> </code></pre> </div> <h3> app/models/user.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">Column</span><span class="p">,</span> <span class="n">Integer</span><span class="p">,</span> <span class="n">String</span><span class="p">,</span> <span class="n">Boolean</span> <span class="kn">from</span> <span class="n">app.db.base</span> <span class="kn">import</span> <span class="n">Base</span> <span class="k">class</span> <span class="nc">User</span><span class="p">(</span><span class="n">Base</span><span class="p">):</span> <span class="n">__tablename__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">users</span><span class="sh">"</span> <span class="nb">id</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Integer</span><span class="p">,</span> <span class="n">primary_key</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">email</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">255</span><span class="p">),</span> <span class="n">unique</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">full_name</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">255</span><span class="p">),</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">hashed_password</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="mi">255</span><span class="p">),</span> <span class="n">nullable</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">is_active</span> <span class="o">=</span> <span class="nc">Column</span><span class="p">(</span><span class="n">Boolean</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <h3> app/schemas/user.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span><span class="p">,</span> <span class="n">EmailStr</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Optional</span> <span class="k">class</span> <span class="nc">UserCreate</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">email</span><span class="p">:</span> <span class="n">EmailStr</span> <span class="n">full_name</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> <span class="k">class</span> <span class="nc">UserRead</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">int</span> <span class="n">email</span><span class="p">:</span> <span class="n">EmailStr</span> <span class="n">full_name</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="n">is_active</span><span class="p">:</span> <span class="nb">bool</span> <span class="k">class</span> <span class="nc">Config</span><span class="p">:</span> <span class="n">orm_mode</span> <span class="o">=</span> <span class="bp">True</span> </code></pre> </div> <h3> app/crud/user.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy.future</span> <span class="kn">import</span> <span class="n">select</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">insert</span> <span class="kn">from</span> <span class="n">sqlalchemy.exc</span> <span class="kn">import</span> <span class="n">IntegrityError</span> <span class="kn">from</span> <span class="n">app.models.user</span> <span class="kn">import</span> <span class="n">User</span> <span class="kn">from</span> <span class="n">app.core.security</span> <span class="kn">import</span> <span class="n">hash_password</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_user_by_email</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">email</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">q</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">select</span><span class="p">(</span><span class="n">User</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="n">User</span><span class="p">.</span><span class="n">email</span> <span class="o">==</span> <span class="n">email</span><span class="p">))</span> <span class="k">return</span> <span class="n">q</span><span class="p">.</span><span class="nf">scalars</span><span class="p">().</span><span class="nf">first</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">create_user</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="o">*</span><span class="p">,</span> <span class="n">user_in</span><span class="p">):</span> <span class="n">hashed</span> <span class="o">=</span> <span class="nf">hash_password</span><span class="p">(</span><span class="n">user_in</span><span class="p">.</span><span class="n">password</span><span class="p">)</span> <span class="n">db_user</span> <span class="o">=</span> <span class="nc">User</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">user_in</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">full_name</span><span class="o">=</span><span class="n">user_in</span><span class="p">.</span><span class="n">full_name</span><span class="p">,</span> <span class="n">hashed_password</span><span class="o">=</span><span class="n">hashed</span><span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">db_user</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">refresh</span><span class="p">(</span><span class="n">db_user</span><span class="p">)</span> <span class="k">return</span> <span class="n">db_user</span> <span class="k">except</span> <span class="n">IntegrityError</span><span class="p">:</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">rollback</span><span class="p">()</span> <span class="k">raise</span> </code></pre> </div> <h3> app/api/deps.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">Depends</span> <span class="kn">from</span> <span class="n">app.db.session</span> <span class="kn">import</span> <span class="n">get_db</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_db_dep</span><span class="p">():</span> <span class="k">async</span> <span class="k">for</span> <span class="n">s</span> <span class="ow">in</span> <span class="nf">get_db</span><span class="p">():</span> <span class="k">yield</span> <span class="n">s</span> </code></pre> </div> <h3> app/api/v1/routers/users.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">APIRouter</span><span class="p">,</span> <span class="n">Depends</span><span class="p">,</span> <span class="n">HTTPException</span><span class="p">,</span> <span class="n">status</span> <span class="kn">from</span> <span class="n">app.schemas.user</span> <span class="kn">import</span> <span class="n">UserCreate</span><span class="p">,</span> <span class="n">UserRead</span> <span class="kn">from</span> <span class="n">app.api.deps</span> <span class="kn">import</span> <span class="n">get_db_dep</span> <span class="kn">from</span> <span class="n">app.crud.user</span> <span class="kn">import</span> <span class="n">get_user_by_email</span><span class="p">,</span> <span class="n">create_user</span> <span class="n">router</span> <span class="o">=</span> <span class="nc">APIRouter</span><span class="p">(</span><span class="n">prefix</span><span class="o">=</span><span class="sh">"</span><span class="s">/users</span><span class="sh">"</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">users</span><span class="sh">"</span><span class="p">])</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">UserRead</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status</span><span class="p">.</span><span class="n">HTTP_201_CREATED</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">register</span><span class="p">(</span><span class="n">user_in</span><span class="p">:</span> <span class="n">UserCreate</span><span class="p">,</span> <span class="n">db</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">get_db_dep</span><span class="p">)):</span> <span class="n">existing</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">get_user_by_email</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">user_in</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="k">if</span> <span class="n">existing</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">User already exists</span><span class="sh">"</span><span class="p">)</span> <span class="n">u</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">create_user</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="n">user_in</span><span class="o">=</span><span class="n">user_in</span><span class="p">)</span> <span class="k">return</span> <span class="n">u</span> <span class="nd">@router.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/{user_id}</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">UserRead</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">read_user</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">db</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">get_db_dep</span><span class="p">)):</span> <span class="kn">from</span> <span class="n">sqlalchemy.future</span> <span class="kn">import</span> <span class="n">select</span> <span class="n">q</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">select</span><span class="p">(</span><span class="nf">__import__</span><span class="p">(</span><span class="sh">"</span><span class="s">app.models.user</span><span class="sh">"</span><span class="p">,</span> <span class="n">fromlist</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">User</span><span class="sh">"</span><span class="p">]).</span><span class="n">User</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="nf">__import__</span><span class="p">(</span><span class="sh">"</span><span class="s">app.models.user</span><span class="sh">"</span><span class="p">,</span> <span class="n">fromlist</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">User</span><span class="sh">"</span><span class="p">]).</span><span class="n">User</span><span class="p">.</span><span class="nb">id</span> <span class="o">==</span> <span class="n">user_id</span><span class="p">))</span> <span class="n">user</span> <span class="o">=</span> <span class="n">q</span><span class="p">.</span><span class="nf">scalars</span><span class="p">().</span><span class="nf">first</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Not found</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">user</span> </code></pre> </div> <p>(note: read_user uses inline import to keep example short — in production import models at top.)</p> <h3> app/main.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">uvicorn</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.middleware.cors</span> <span class="kn">import</span> <span class="n">CORSMiddleware</span> <span class="kn">from</span> <span class="n">app.core.config</span> <span class="kn">import</span> <span class="n">settings</span> <span class="kn">from</span> <span class="n">app.core.logging</span> <span class="kn">import</span> <span class="n">setup_logging</span> <span class="kn">from</span> <span class="n">app.api.v1.routers</span> <span class="kn">import</span> <span class="n">users</span> <span class="c1"># ensure package __init__ imports router path </span> <span class="k">def</span> <span class="nf">create_app</span><span class="p">():</span> <span class="nf">setup_logging</span><span class="p">()</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">(</span><span class="n">title</span><span class="o">=</span><span class="n">settings</span><span class="p">.</span><span class="n">APP_NAME</span><span class="p">,</span> <span class="n">debug</span><span class="o">=</span><span class="n">settings</span><span class="p">.</span><span class="n">DEBUG</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span> <span class="n">CORSMiddleware</span><span class="p">,</span> <span class="n">allow_origins</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># restrict in prod </span> <span class="n">allow_methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">health</span><span class="sh">"</span><span class="p">])</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">health</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">}</span> <span class="n">app</span><span class="p">.</span><span class="nf">include_router</span><span class="p">(</span><span class="n">users</span><span class="p">.</span><span class="n">router</span><span class="p">,</span> <span class="n">prefix</span><span class="o">=</span><span class="sh">"</span><span class="s">/api/v1</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">app</span> <span class="n">app</span> <span class="o">=</span> <span class="nf">create_app</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">uvicorn</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="sh">"</span><span class="s">app.main:app</span><span class="sh">"</span><span class="p">,</span> <span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8000</span><span class="p">,</span> <span class="nb">reload</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> </code></pre> </div> <h3> requirements.txt </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fastapi==0.95.2 uvicorn[standard]==0.22.0 SQLAlchemy[asyncio]==1.4.52 asyncpg==0.27.0 pydantic==1.10.10 python-jose==3.3.0 passlib[bcrypt]==1.7.4 gunicorn==21.2.0 PyJWT==2.8.0 </code></pre> </div> <p>(Adjust versions as needed; pin to your policy.)</p> <h1> 3. Dockerfile (production, multi-stage) </h1> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Stage 1: build dependencies</span> <span class="k">FROM</span><span class="w"> </span><span class="s">python:3.11-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">ENV</span><span class="s"> PYTHONDONTWRITEBYTECODE=1</span> <span class="k">ENV</span><span class="s"> PYTHONUNBUFFERED=1</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> <span class="se">\ </span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> build-essential libpq-dev gcc <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--upgrade</span> pip <span class="k">RUN </span>pip wheel <span class="nt">--no-cache-dir</span> <span class="nt">--wheel-dir</span> /wheels <span class="nt">-r</span> requirements.txt <span class="c"># Stage 2: final image</span> <span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="k">ENV</span><span class="s"> PYTHONDONTWRITEBYTECODE=1</span> <span class="k">ENV</span><span class="s"> PYTHONUNBUFFERED=1</span> <span class="c"># create non-root user</span> <span class="k">RUN </span>useradd <span class="nt">-m</span> appuser <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># copy wheels</span> <span class="k">COPY</span><span class="s"> --from=builder /wheels /wheels</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache</span> /wheels/<span class="k">*</span> <span class="c"># copy app code</span> <span class="k">COPY</span><span class="s"> . /app</span> <span class="c"># give non-root ownership</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> appuser:appuser /app <span class="k">USER</span><span class="s"> appuser</span> <span class="k">EXPOSE</span><span class="s"> 80</span> <span class="k">ENV</span><span class="s"> PYTHONPATH=/app</span> <span class="c"># Use gunicorn + uvicorn workers</span> <span class="k">CMD</span><span class="s"> ["gunicorn", "-k", "uvicorn.workers.UvicornWorker", "-w", "4", "app.main:app", "-b", "0.0.0.0:80", "--log-level", "info"]</span> </code></pre> </div> <p>Notes: the wheel stage avoids compiling at container runtime. Adjust worker count to available CPUs.</p> <h1> 4. docker-compose.yml (local dev - postgres + app) </h1> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.8"</span> <span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">password</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">appdb</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pgdata:/var/lib/postgresql/data</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5432:5432"</span> <span class="na">web</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">on-failure</span> <span class="na">env_file</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.env</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8000:80"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">pgdata</span><span class="pi">:</span> </code></pre> </div> <h1> 5. .env.example </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SECRET_KEY=supersecretreplace_me DATABASE_URL=postgresql+asyncpg://postgres:password@postgres:5432/appdb ENV=development DEBUG=True WORKERS=4 </code></pre> </div> <h1> 6. Build, test locally </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># build docker build -t myorg/fastapi-enterprise:latest . # run with env docker run --rm -it -p 8000:80 --env-file .env myorg/fastapi-enterprise:latest # then hit http://localhost:8000/api/v1/users or http://localhost:8000/health </code></pre> </div> <h1> 7. Deploy to AWS EC2 — step-by-step (recommended workflow) </h1> <p>We'll use Amazon ECR as image registry and a single EC2 instance that pulls &amp; runs the container. Two approaches are shown: push to Docker Hub or to ECR. ECR is preferred for private images.</p> <p>Important — key commands &amp; notes:</p> <ul> <li>Authenticate to ECR with <code>aws ecr get-login-password | docker login --username AWS --password-stdin &lt;account&gt;.dkr.ecr.&lt;region&gt;.amazonaws.com</code>. (AWS docs on get-login-password). ([AWS Documentation][1])</li> <li>Install Docker on Amazon Linux 2: use <code>sudo amazon-linux-extras install docker</code> then <code>sudo service docker start</code>. (AWS docs). ([AWS Documentation][2])</li> <li>Docker install on Ubuntu: follow Docker Engine install instructions from Docker docs. ([Docker Documentation][3])</li> <li>Use Gunicorn with Uvicorn worker in production: <code>gunicorn -k uvicorn.workers.UvicornWorker -w 4 app.main:app</code>. ([Uvicorn][4], [FastAPI][5])</li> </ul> <p>Below are the commands.</p> <h2> A — Prepare ECR &amp; push image </h2> <p>(Assumes AWS CLI configured with credentials OR use an EC2 role that can create repos and push)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. create repo (once)</span> aws ecr create-repository <span class="nt">--repository-name</span> fastapi-enterprise <span class="nt">--region</span> YOUR_REGION <span class="c"># 2. build and tag</span> docker build <span class="nt">-t</span> fastapi-enterprise:latest <span class="nb">.</span> <span class="nv">AWS_ACCOUNT_ID</span><span class="o">=</span>YOUR_AWS_ACCOUNT_ID <span class="nv">REGION</span><span class="o">=</span>YOUR_REGION <span class="nv">ECR_URI</span><span class="o">=</span><span class="k">${</span><span class="nv">AWS_ACCOUNT_ID</span><span class="k">}</span>.dkr.ecr.<span class="k">${</span><span class="nv">REGION</span><span class="k">}</span>.amazonaws.com/fastapi-enterprise docker tag fastapi-enterprise:latest <span class="k">${</span><span class="nv">ECR_URI</span><span class="k">}</span>:latest <span class="c"># 3. login to ECR (aws cli v2)</span> aws ecr get-login-password <span class="nt">--region</span> <span class="k">${</span><span class="nv">REGION</span><span class="k">}</span> <span class="se">\</span> | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> <span class="k">${</span><span class="nv">AWS_ACCOUNT_ID</span><span class="k">}</span>.dkr.ecr.<span class="k">${</span><span class="nv">REGION</span><span class="k">}</span>.amazonaws.com <span class="c"># (source: AWS docs: pipe get-login-password to docker login). :contentReference[oaicite:4]{index=4}</span> <span class="c"># 4. push</span> docker push <span class="k">${</span><span class="nv">ECR_URI</span><span class="k">}</span>:latest </code></pre> </div> <h2> B — Provision EC2 (quick guide) </h2> <p>Choose an instance (t3.small or larger). For production scale use autoscaling groups + ALB; below is a single-instance example.</p> <ul> <li>From AWS Console or CLI create an EC2 instance (Amazon Linux 2 or Ubuntu). Give it an IAM instance profile with permission to pull from ECR (AmazonEC2ContainerRegistryReadOnly) — this avoids embedding keys.</li> </ul> <p>Basic SSH in from your workstation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> key.pem ec2-user@EC2_PUBLIC_IP </code></pre> </div> <h2> C — Install Docker on EC2 instance </h2> <p>If using Amazon Linux 2:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>yum update <span class="nt">-y</span> <span class="nb">sudo </span>amazon-linux-extras <span class="nb">install </span>docker <span class="nt">-y</span> <span class="nb">sudo </span>service docker start <span class="nb">sudo </span>usermod <span class="nt">-a</span> <span class="nt">-G</span> docker ec2-user <span class="c"># Log out and back in to apply group change or run docker with sudo</span> </code></pre> </div> <p>(Install instructions from AWS docs). ([AWS Documentation][2])</p> <p>If using Ubuntu (example):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># follow Docker official steps - e.g., for ubuntu 22.04</span> <span class="nb">sudo </span>apt-get update <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> ca-certificates curl gnupg lsb-release curl <span class="nt">-fsSL</span> https://download.docker.com/linux/ubuntu/gpg | <span class="nb">sudo </span>gpg <span class="nt">--dearmor</span> <span class="nt">-o</span> /usr/share/keyrings/docker-archive-keyring.gpg <span class="nb">echo</span> <span class="se">\</span> <span class="s2">"deb [arch=</span><span class="si">$(</span>dpkg <span class="nt">--print-architecture</span><span class="si">)</span><span class="s2"> signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] </span><span class="se">\</span><span class="s2"> https://download.docker.com/linux/ubuntu </span><span class="si">$(</span>lsb_release <span class="nt">-cs</span><span class="si">)</span><span class="s2"> stable"</span> <span class="se">\</span> | <span class="nb">sudo tee</span> /etc/apt/sources.list.d/docker.list <span class="o">&gt;</span> /dev/null <span class="nb">sudo </span>apt-get update <span class="nb">sudo </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> docker-ce docker-ce-cli containerd.io <span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker <span class="nv">$USER</span> </code></pre> </div> <p>(Use Docker docs for latest specific commands). ([Docker Documentation][3])</p> <h2> D — Pull &amp; run image on EC2 </h2> <p>If your instance has an IAM role that allows ECR read, you can pull directly. Otherwise authenticate using AWS CLI (or use the instance role recommended).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># login (if needed)</span> aws ecr get-login-password <span class="nt">--region</span> YOUR_REGION <span class="se">\</span> | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> <span class="k">${</span><span class="nv">AWS_ACCOUNT_ID</span><span class="k">}</span>.dkr.ecr.<span class="k">${</span><span class="nv">REGION</span><span class="k">}</span>.amazonaws.com <span class="c"># pull</span> docker pull <span class="k">${</span><span class="nv">ECR_URI</span><span class="k">}</span>:latest <span class="c"># run (env file transferred to instance beforehand)</span> docker stop fastapi <span class="o">||</span> <span class="nb">true</span> <span class="o">&amp;&amp;</span> docker <span class="nb">rm </span>fastapi <span class="o">||</span> <span class="nb">true </span>docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> fastapi <span class="se">\</span> <span class="nt">--restart</span> unless-stopped <span class="se">\</span> <span class="nt">--env-file</span> /home/ec2-user/app/.env <span class="se">\</span> <span class="nt">-p</span> 80:80 <span class="se">\</span> <span class="k">${</span><span class="nv">ECR_URI</span><span class="k">}</span>:latest </code></pre> </div> <h2> E — Run as a systemd service (so it restarts on boot) </h2> <p>Create <code>/etc/systemd/system/fastapi.service</code> (run as root):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="s">FastAPI Container</span> <span class="py">After</span><span class="p">=</span><span class="s">docker.service</span> <span class="py">Requires</span><span class="p">=</span><span class="s">docker.service</span> <span class="nn">[Service]</span> <span class="py">Restart</span><span class="p">=</span><span class="s">always</span> <span class="py">ExecStartPre</span><span class="p">=</span><span class="s">-/usr/bin/docker stop fastapi</span> <span class="py">ExecStartPre</span><span class="p">=</span><span class="s">-/usr/bin/docker rm fastapi</span> <span class="c"># (Optional) pull latest image on start </span><span class="py">ExecStartPre</span><span class="p">=</span><span class="s">/usr/bin/aws ecr get-login-password --region YOUR_REGION | /usr/bin/docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com</span> <span class="py">ExecStartPre</span><span class="p">=</span><span class="s">/usr/bin/docker pull ${ECR_URI}:latest</span> <span class="py">ExecStart</span><span class="p">=</span><span class="s">/usr/bin/docker run --rm --name fastapi --env-file /home/ec2-user/app/.env -p 80:80 ${ECR_URI}:latest</span> <span class="py">ExecStop</span><span class="p">=</span><span class="s">/usr/bin/docker stop fastapi</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="s">multi-user.target</span> </code></pre> </div> <p>Then on the EC2 instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl daemon-reload <span class="nb">sudo </span>systemctl <span class="nb">enable </span>fastapi <span class="nb">sudo </span>systemctl start fastapi <span class="nb">sudo </span>journalctl <span class="nt">-u</span> fastapi <span class="nt">-f</span> </code></pre> </div> <h1> 8. Production best-practices &amp; notes </h1> <ul> <li>Use an IAM instance profile (role) with least-privilege for ECR access instead of embedding AWS keys on the EC2 host.</li> <li>In production use an ALB (Application Load Balancer) in front of EC2 instances, and an autoscaling group (ASG) for resilience.</li> <li>Use separate environments (dev/staging/prod) and secure secrets with AWS Secrets Manager or Parameter Store rather than <code>.env</code> checked into source.</li> <li>For database in production prefer RDS (managed Postgres) and grant network access via security groups.</li> <li>Use health checks on the load balancer pointing to <code>/health</code>.</li> <li>Set logging to stdout and ship logs to CloudWatch (or other log aggregator).</li> <li>Use metrics &amp; tracing (Prometheus + OpenTelemetry) for observability.</li> <li>Set worker counts with a formula like <code>workers = 2 * CPU_CORES + 1</code> (tune during load tests). ([Stack Overflow][6])</li> <li>Use Gunicorn + uvicorn workers for multi-process handling of CPU-bound tasks (or use uvicorn directly with process-manager if preferred). ([Uvicorn][4], [FastAPI][5])</li> </ul> <h1> 9. Quick checklist (deploy once) </h1> <ol> <li>Build &amp; test locally with <code>docker-compose up</code>.</li> <li>Create ECR repo and push image (see A).</li> <li>Provision EC2 with IAM role (ECR read).</li> <li>SSH to EC2, install Docker, configure env, pull image.</li> <li>Create systemd unit to run container and allow auto-start.</li> <li>Attach ALB &amp; set security groups.</li> </ol> <h1> 10. Useful references (sources) </h1> <ul> <li>ECR login (use <code>aws ecr get-login-password | docker login ...</code>). ([AWS Documentation][1], [AWS CLI Command Reference][7])</li> <li>Install Docker on Amazon Linux 2 (amazon-linux-extras install docker). ([AWS Documentation][2])</li> <li>Install Docker Engine on Ubuntu (official Docker docs). ([Docker Documentation][3])</li> <li>Gunicorn + Uvicorn worker pattern for FastAPI deployment. ([Uvicorn][4], [FastAPI][5])</li> <li>Worker-count guidance. ([Stack Overflow][6])</li> </ul> MongoDB/Oracle sources and MSSQL Managed Instance target Goodluck Ekeoma Adiole Thu, 07 Aug 2025 09:34:45 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/mongodboracle-sources-and-mssql-managed-instance-target-3jn6 https://dev.to/goodluck_ekeoma_2c98866d0/mongodboracle-sources-and-mssql-managed-instance-target-3jn6 <p>Based on the scripts, I'll create a detailed deployment plan for Azure Functions (v2 model) that addresses the MongoDB/Oracle sources and MSSQL Managed Instance target. The solution will include proper connection management, logging, and incremental sync logic.</p> <h3> Project Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>oracle-to-mssql-sync/ ├── .vscode/ │ └── settings.json ├── oracle/ # Oracle Instant Client for Linux │ ├── libclntsh.so │ └── ... (other Oracle libs) ├── scripts/ │ ├── __init__.py │ ├── accountstatementpremium.py │ ├── agency.py │ ├── agents.py │ ├── allocatedpremiums.py │ └── happilymaster.py ├── function_app.py ├── requirements.txt ├── host.json ├── local.settings.json └── .gitignore </code></pre> </div> <h3> Step-by-Step Deployment Guide </h3> <h4> 1. Set Up Project Directory </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>oracle-to-mssql-sync <span class="nb">cd </span>oracle-to-mssql-sync <span class="nb">mkdir</span> .vscode scripts oracle </code></pre> </div> <h4> 2. Install Oracle Instant Client </h4> <ol> <li>Download <strong>Basic Light Package</strong> from <a href="https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html" rel="noopener noreferrer">Oracle Instant Client</a> </li> <li>Unzip and place contents in <code>oracle/</code> directory</li> <li>Verify files: <code>ls oracle</code> should show <code>libclntsh.so</code> and other shared libraries</li> </ol> <h4> 3. Create Environment File (local.settings.json) </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"IsEncrypted"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"Values"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"FUNCTIONS_WORKER_RUNTIME"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AzureWebJobsStorage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UseDevelopmentStorage=true"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ORACLE_CONN_STR"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oracle+oracledb://reporter:reporter@40.112.50.79:1521/HEIRSDB"</span><span class="p">,</span><span class="w"> </span><span class="nl">"MONGODB_CONN_STR"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mongodb+srv://heirs-prod-retail-service:a0UQ3WLTD8J7sTng@production-middleware-d.3tprz.mongodb.net/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"MSSQL_HLA_CONN_STR"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DRIVER={ODBC Driver 18 for SQL Server};SERVER=hig-prod-sql-mi.public.ae890fe634a5.database.windows.net,3342;DATABASE=HLA;UID=heirsdata;PWD=P@ssw0rd;Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"MSSQL_MONGODB_CONN_STR"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DRIVER={ODBC Driver 18 for SQL Server};SERVER=hig-prod-sql-mi.public.ae890fe634a5.database.windows.net,3342;DATABASE=MONGODB;UID=heirsdata;PWD=P@ssw0rd;Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"LD_LIBRARY_PATH"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/home/site/wwwroot/oracle"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> 4. requirements.txt </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>azure-functions==3.3.0 pandas==1.5.3 sqlalchemy==1.4.41 pyodbc==4.0.39 pymongo==4.3.3 cx_Oracle==8.3.0 python-dotenv==0.21.0 </code></pre> </div> <h4> 5. Refactored Scripts (common pattern) </h4> <h5> scripts/<strong>init</strong>.py </h5> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">cx_Oracle</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="c1"># Initialize environment </span><span class="nf">load_dotenv</span><span class="p">()</span> <span class="c1"># Configure Oracle client </span><span class="k">try</span><span class="p">:</span> <span class="n">cx_Oracle</span><span class="p">.</span><span class="nf">init_oracle_client</span><span class="p">(</span><span class="n">lib_dir</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">LD_LIBRARY_PATH</span><span class="sh">"</span><span class="p">))</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logging</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Oracle client already initialized: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Common database functions </span><span class="k">def</span> <span class="nf">get_mssql_engine</span><span class="p">(</span><span class="n">database_type</span><span class="o">=</span><span class="sh">"</span><span class="s">HLA</span><span class="sh">"</span><span class="p">):</span> <span class="n">conn_str</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">MSSQL_</span><span class="si">{</span><span class="n">database_type</span><span class="si">}</span><span class="s">_CONN_STR</span><span class="sh">"</span><span class="p">)</span> <span class="n">quoted</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">parse</span><span class="p">.</span><span class="nf">quote_plus</span><span class="p">(</span><span class="n">conn_str</span><span class="p">)</span> <span class="k">return</span> <span class="nf">create_engine</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">mssql+pyodbc:///?odbc_connect=</span><span class="si">{</span><span class="n">quoted</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_max_value</span><span class="p">(</span><span class="n">engine</span><span class="p">,</span> <span class="n">table</span><span class="p">,</span> <span class="n">column</span><span class="p">):</span> <span class="k">with</span> <span class="n">engine</span><span class="p">.</span><span class="nf">connect</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">text</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">SELECT MAX(</span><span class="si">{</span><span class="n">column</span><span class="si">}</span><span class="s">) FROM </span><span class="si">{</span><span class="n">table</span><span class="si">}</span><span class="sh">"</span><span class="p">))</span> <span class="k">return</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalar</span><span class="p">()</span> </code></pre> </div> <h5> scripts/accountstatementpremium.py (example) </h5> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pandas</span> <span class="k">as</span> <span class="n">pd</span> <span class="kn">from</span> <span class="n">.</span> <span class="kn">import</span> <span class="n">get_mssql_engine</span><span class="p">,</span> <span class="n">get_max_value</span> <span class="kn">from</span> <span class="n">pymongo</span> <span class="kn">import</span> <span class="n">MongoClient</span> <span class="kn">from</span> <span class="n">sqlalchemy</span> <span class="kn">import</span> <span class="n">text</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">os</span> <span class="k">def</span> <span class="nf">sync</span><span class="p">():</span> <span class="n">logging</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Starting AccountStatementPremium sync</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Setup connections </span> <span class="n">mongo_client</span> <span class="o">=</span> <span class="nc">MongoClient</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">MONGODB_CONN_STR</span><span class="sh">"</span><span class="p">))</span> <span class="n">db</span> <span class="o">=</span> <span class="n">mongo_client</span><span class="p">[</span><span class="sh">'</span><span class="s">production-retail-db</span><span class="sh">'</span><span class="p">]</span> <span class="n">collection</span> <span class="o">=</span> <span class="n">db</span><span class="p">[</span><span class="sh">'</span><span class="s">AccountStatementPremium</span><span class="sh">'</span><span class="p">]</span> <span class="n">sql_engine</span> <span class="o">=</span> <span class="nf">get_mssql_engine</span><span class="p">(</span><span class="sh">"</span><span class="s">MONGODB</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Get max date from target </span> <span class="n">max_date</span> <span class="o">=</span> <span class="nf">get_max_value</span><span class="p">(</span><span class="n">sql_engine</span><span class="p">,</span> <span class="sh">'</span><span class="s">AccountStatementPremium1</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">date</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Fetch new data </span> <span class="n">query</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">date</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">$gt</span><span class="sh">"</span><span class="p">:</span> <span class="n">max_date</span><span class="p">}}</span> <span class="k">if</span> <span class="n">max_date</span> <span class="k">else</span> <span class="p">{}</span> <span class="n">data</span> <span class="o">=</span> <span class="nf">list</span><span class="p">(</span><span class="n">collection</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="n">query</span><span class="p">).</span><span class="nf">sort</span><span class="p">(</span><span class="sh">"</span><span class="s">date</span><span class="sh">"</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">))</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">data</span><span class="p">:</span> <span class="n">logging</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">No new data found</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">df</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nc">DataFrame</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="c1"># ... (rest of processing logic) </span> <span class="c1"># Batch insert </span> <span class="n">batch_size</span> <span class="o">=</span> <span class="mi">10000</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">df</span><span class="p">),</span> <span class="n">batch_size</span><span class="p">):</span> <span class="n">batch</span> <span class="o">=</span> <span class="n">df</span><span class="p">.</span><span class="n">iloc</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span><span class="o">+</span><span class="n">batch_size</span><span class="p">]</span> <span class="n">batch</span><span class="p">.</span><span class="nf">to_sql</span><span class="p">(</span><span class="sh">'</span><span class="s">AccountStatementPremium1</span><span class="sh">'</span><span class="p">,</span> <span class="n">sql_engine</span><span class="p">,</span> <span class="n">if_exists</span><span class="o">=</span><span class="sh">'</span><span class="s">append</span><span class="sh">'</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">logging</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Inserted batch </span><span class="si">{</span><span class="n">i</span><span class="o">//</span><span class="n">batch_size</span> <span class="o">+</span> <span class="mi">1</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">df</span><span class="p">)</span><span class="o">//</span><span class="n">batch_size</span><span class="p">)</span><span class="o">+</span><span class="mi">1</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logging</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Completed sync: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">df</span><span class="p">)</span><span class="si">}</span><span class="s"> records</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h4> 6. function_app.py </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">azure.functions</span> <span class="k">as</span> <span class="n">func</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">scripts</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">accountstatementpremium</span><span class="p">,</span> <span class="n">agency</span><span class="p">,</span> <span class="n">agents</span><span class="p">,</span> <span class="n">allocatedpremiums</span><span class="p">,</span> <span class="n">happilymaster</span> <span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="n">func</span><span class="p">.</span><span class="nc">FunctionApp</span><span class="p">()</span> <span class="nd">@app.function_name</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AccountStatementPremiumSync</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.schedule</span><span class="p">(</span><span class="n">schedule</span><span class="o">=</span><span class="sh">"</span><span class="s">*/2 * * * *</span><span class="sh">"</span><span class="p">,</span> <span class="n">arg_name</span><span class="o">=</span><span class="sh">"</span><span class="s">timer</span><span class="sh">"</span><span class="p">,</span> <span class="n">run_on_startup</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">account_sync</span><span class="p">(</span><span class="n">timer</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">TimerRequest</span><span class="p">):</span> <span class="n">accountstatementpremium</span><span class="p">.</span><span class="nf">sync</span><span class="p">()</span> <span class="nd">@app.function_name</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AgencySync</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.schedule</span><span class="p">(</span><span class="n">schedule</span><span class="o">=</span><span class="sh">"</span><span class="s">*/2 * * * *</span><span class="sh">"</span><span class="p">,</span> <span class="n">arg_name</span><span class="o">=</span><span class="sh">"</span><span class="s">timer</span><span class="sh">"</span><span class="p">,</span> <span class="n">run_on_startup</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">agency_sync</span><span class="p">(</span><span class="n">timer</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">TimerRequest</span><span class="p">):</span> <span class="n">agency</span><span class="p">.</span><span class="nf">sync</span><span class="p">()</span> <span class="nd">@app.function_name</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AgentsSync</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.schedule</span><span class="p">(</span><span class="n">schedule</span><span class="o">=</span><span class="sh">"</span><span class="s">*/2 * * * *</span><span class="sh">"</span><span class="p">,</span> <span class="n">arg_name</span><span class="o">=</span><span class="sh">"</span><span class="s">timer</span><span class="sh">"</span><span class="p">,</span> <span class="n">run_on_startup</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">agents_sync</span><span class="p">(</span><span class="n">timer</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">TimerRequest</span><span class="p">):</span> <span class="n">agents</span><span class="p">.</span><span class="nf">sync</span><span class="p">()</span> <span class="nd">@app.function_name</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AllocatedPremiumsSync</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.schedule</span><span class="p">(</span><span class="n">schedule</span><span class="o">=</span><span class="sh">"</span><span class="s">*/2 * * * *</span><span class="sh">"</span><span class="p">,</span> <span class="n">arg_name</span><span class="o">=</span><span class="sh">"</span><span class="s">timer</span><span class="sh">"</span><span class="p">,</span> <span class="n">run_on_startup</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">allocated_sync</span><span class="p">(</span><span class="n">timer</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">TimerRequest</span><span class="p">):</span> <span class="n">allocatedpremiums</span><span class="p">.</span><span class="nf">sync</span><span class="p">()</span> <span class="nd">@app.function_name</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">HappylyMasterSync</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.schedule</span><span class="p">(</span><span class="n">schedule</span><span class="o">=</span><span class="sh">"</span><span class="s">*/2 * * * *</span><span class="sh">"</span><span class="p">,</span> <span class="n">arg_name</span><span class="o">=</span><span class="sh">"</span><span class="s">timer</span><span class="sh">"</span><span class="p">,</span> <span class="n">run_on_startup</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">happily_sync</span><span class="p">(</span><span class="n">timer</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">TimerRequest</span><span class="p">):</span> <span class="n">happilymaster</span><span class="p">.</span><span class="nf">sync</span><span class="p">()</span> </code></pre> </div> <h4> 7. host.json </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"logging"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"applicationInsights"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"samplingSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"isEnabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"excludedTypes"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Request"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"extensionBundle"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Microsoft.Azure.Functions.ExtensionBundle"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[3.15.0, 4.0.0)"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> 8. .vscode/settings.json </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"azureFunctions.deploySubpath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"."</span><span class="p">,</span><span class="w"> </span><span class="nl">"azureFunctions.projectLanguage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Python"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azureFunctions.projectRuntime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"~3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azureFunctions.scmDoBuildDuringDeployment"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"azureFunctions.pythonVenv"</span><span class="p">:</span><span class="w"> </span><span class="s2">".venv"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azureFunctions.subscriptions"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;your-subscription-id&gt;"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azureFunctions.resourceGroup"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sync-resources"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> 9. .gitignore </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.venv __pycache__ .vscode local.settings.json .env *.log </code></pre> </div> <h3> Deployment to Azure </h3> <ol> <li> <strong>Create Azure Resources:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az group create <span class="nt">--name</span> sync-resources <span class="nt">--location</span> eastus az storage account create <span class="nt">--name</span> syncstorageacc <span class="nt">--location</span> eastus <span class="nt">--resource-group</span> sync-resources <span class="nt">--sku</span> Standard_LRS az functionapp create <span class="nt">--resource-group</span> sync-resources <span class="nt">--consumption-plan-location</span> eastus <span class="nt">--runtime</span> python <span class="nt">--runtime-version</span> 3.9 <span class="nt">--functions-version</span> 4 <span class="nt">--name</span> oracle-sync-app <span class="nt">--storage-account</span> syncstorageacc <span class="nt">--os-type</span> Linux </code></pre> </div> <ol> <li> <strong>Set Environment Variables in Azure:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az functionapp config appsettings <span class="nb">set</span> <span class="nt">--name</span> oracle-sync-app <span class="nt">--resource-group</span> sync-resources <span class="nt">--settings</span> <span class="se">\</span> <span class="s2">"ORACLE_CONN_STR=oracle+oracledb://reporter:reporter@40.112.50.79:1521/HEIRSDB"</span> <span class="se">\</span> <span class="s2">"MONGODB_CONN_STR=mongodb+srv://heirs-prod-retail-service:a0UQ3WLTD8J7sTng@production-middleware-d.3tprz.mongodb.net/"</span> <span class="se">\</span> <span class="s2">"MSSQL_HLA_CONN_STR=DRIVER={...};SERVER=...;DATABASE=HLA;..."</span> <span class="se">\</span> <span class="s2">"MSSQL_MONGODB_CONN_STR=DRIVER={...};SERVER=...;DATABASE=MONGODB;..."</span> <span class="se">\</span> <span class="s2">"LD_LIBRARY_PATH=/home/site/wwwroot/oracle"</span> <span class="se">\</span> <span class="s2">"WEBSITE_TIME_ZONE=Africa/Lagos"</span> </code></pre> </div> <ol> <li> <strong>Deploy from VS Code:</strong> <ul> <li>Install <a href="https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions" rel="noopener noreferrer">Azure Functions Extension</a> </li> <li>Press F1 → "Azure Functions: Deploy to Function App"</li> <li>Select your subscription and "oracle-sync-app"</li> <li>Confirm deployment</li> </ul> </li> </ol> <h3> Post-Deployment Configuration </h3> <ol> <li> <p><strong>Enable Managed Identity for SQL:</strong></p> <ul> <li>In Azure Portal, go to SQL Managed Instance</li> <li>Add function app's managed identity as login: </li> </ul> <pre class="highlight sql"><code> <span class="k">CREATE</span> <span class="k">USER</span> <span class="p">[</span><span class="n">oracle</span><span class="o">-</span><span class="n">sync</span><span class="o">-</span><span class="n">app</span><span class="p">]</span> <span class="k">FROM</span> <span class="k">EXTERNAL</span> <span class="n">PROVIDER</span> <span class="k">ALTER</span> <span class="k">ROLE</span> <span class="n">db_datareader</span> <span class="k">ADD</span> <span class="n">MEMBER</span> <span class="p">[</span><span class="n">oracle</span><span class="o">-</span><span class="n">sync</span><span class="o">-</span><span class="n">app</span><span class="p">]</span> <span class="k">ALTER</span> <span class="k">ROLE</span> <span class="n">db_datawriter</span> <span class="k">ADD</span> <span class="n">MEMBER</span> <span class="p">[</span><span class="n">oracle</span><span class="o">-</span><span class="n">sync</span><span class="o">-</span><span class="n">app</span><span class="p">]</span> </code></pre> </li> <li> <p><strong>Connection Security:</strong></p> <ul> <li>Add Azure Function's outbound IPs to MongoDB Atlas IP whitelist</li> <li>Enable VNet integration for SQL Managed Instance connectivity</li> </ul> </li> <li> <p><strong>Monitoring:</strong></p> <ul> <li>Configure Application Insights for logging</li> <li>Set up alerts for function timeouts (max duration: 10 minutes)</li> </ul> </li> </ol> <h3> Key Improvements in Refactored Code </h3> <ol> <li> <p><strong>Secure Credential Management:</strong></p> <ul> <li>All credentials moved to environment variables</li> <li>Azure Key Vault integration ready (use <code>@Microsoft.KeyVault</code> references)</li> </ul> </li> <li> <p><strong>Efficient Data Transfer:</strong></p> <ul> <li>Batched inserts (10k records/batch)</li> <li>Incremental sync using MAX(date/id) checks</li> <li>Connection pooling with SQLAlchemy</li> </ul> </li> <li> <p><strong>Error Handling:</strong></p> <ul> <li>Comprehensive logging to Application Insights</li> <li>Automatic retries built into Azure Functions</li> <li>Connection validation before data transfer</li> </ul> </li> <li> <p><strong>Oracle Client Management:</strong></p> <ul> <li>Instant client included in deployment</li> <li>Proper Linux library path configuration</li> <li>Lazy initialization of connections</li> </ul> </li> </ol> <h3> Troubleshooting Tips </h3> <ol> <li> <strong>Oracle Client Issues:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># SSH into function app</span> func azure functionapp fetch-app-settings oracle-sync-app func azure functionapp publish oracle-sync-app <span class="nt">--build-native-deps</span> <span class="c"># Check library path</span> kudu console → <span class="nb">ls</span> <span class="nt">-la</span> oracle </code></pre> </div> <ol> <li> <p><strong>Connection Problems:</strong></p> <ul> <li>Test connectivity from Kudu Console: </li> </ul> <pre class="highlight shell"><code> python <span class="nt">-c</span> <span class="s2">"import pyodbc; pyodbc.connect('DRIVER={ODBC Driver 18 for SQL Server};SERVER=...')"</span> </code></pre> </li> <li> <p><strong>Performance Optimization:</strong></p> <ul> <li>Increase timeout in host.json: </li> </ul> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"functionTimeout"</span><span class="p">:</span><span class="w"> </span><span class="s2">"00:10:00"</span><span class="w"> </span></code></pre> </li> </ol> <ul> <li>Use Premium plan for longer execution times</li> </ul> <p>This implementation provides a production-ready solution that handles the hybrid data source scenario while following Azure Functions best practices and maintaining security compliance.</p> Deploying Python Scripts to Azure Functions as a Cron Job Goodluck Ekeoma Adiole Thu, 07 Aug 2025 06:35:36 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/deploying-python-scripts-to-azure-functions-as-a-cron-job-272a https://dev.to/goodluck_ekeoma_2c98866d0/deploying-python-scripts-to-azure-functions-as-a-cron-job-272a <h3> Step-by-Step Guide: Deploying Python Scripts to Azure Functions as a Cron Job </h3> <h4> <strong>Prerequisites</strong> </h4> <ol> <li> <strong>Azure Account</strong> (with an active subscription) </li> <li> <strong>VS Code</strong> installed </li> <li> <strong>Azure Functions Core Tools</strong> installed </li> <li> <strong>Python 3.9+</strong> installed </li> <li> <strong>Azure Functions VS Code Extension</strong> (install from Extensions Marketplace) </li> </ol> <h3> <strong>Step 1: Set Up Project Structure</strong> </h3> <p>Create a root directory <code>oracle-to-mssql-sync</code> with this structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>oracle-to-mssql-sync/ ├── .vscode/ <span class="c"># VS Code settings</span> │ └── settings.json <span class="c"># Azure Functions runtime settings</span> ├── functions/ <span class="c"># Directory for all Azure Functions</span> │ ├── accountstatementpremium/ <span class="c"># Function 1</span> │ │ ├── __init__.py <span class="c"># Your script content</span> │ │ └── <span class="k">function</span>.json <span class="c"># Trigger configuration</span> │ ├── agency/ <span class="c"># Function 2</span> │ │ ├── __init__.py │ │ └── <span class="k">function</span>.json │ ├── ... <span class="c"># Repeat for agents, allocatedpremiums, happilymaster</span> ├── requirements.txt <span class="c"># Python dependencies</span> ├── local.settings.json <span class="c"># Local environment variables (NOT checked into Git)</span> └── host.json <span class="c"># Global Functions configuration</span> </code></pre> </div> <h3> <strong>Step 2: Initialize Azure Functions Project</strong> </h3> <ol> <li>Open VS Code → Terminal → Run: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">mkdir </span>oracle-to-mssql-sync <span class="nb">cd </span>oracle-to-mssql-sync func init <span class="nt">--python</span> </code></pre> </div> <ol> <li>Create folders for each script: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">cd </span>functions func new <span class="nt">--name</span> accountstatementpremium <span class="nt">--template</span> <span class="s2">"timer trigger"</span> func new <span class="nt">--name</span> agency <span class="nt">--template</span> <span class="s2">"timer trigger"</span> <span class="c"># Repeat for agents, allocatedpremiums, happilymaster</span> </code></pre> </div> <h3> <strong>Step 3: Configure Timer Triggers (Cron Jobs)</strong> </h3> <p>Modify <code>function.json</code> for <strong>each function</strong> to run every 2 minutes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scriptFile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"__init__.py"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bindings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mytimer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"timerTrigger"</span><span class="p">,</span><span class="w"> </span><span class="nl">"direction"</span><span class="p">:</span><span class="w"> </span><span class="s2">"in"</span><span class="p">,</span><span class="w"> </span><span class="nl">"schedule"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0 */2 * * * *"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Every</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="err">minutes</span><span class="w"> </span><span class="nl">"runOnStartup"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> <strong>Step 4: Add Script Code</strong> </h3> <p>Copy your scripts into <code>__init__.py</code> for each function.<br><br> Example for <code>accountstatementpremium/__init__.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">azure.functions</span> <span class="k">as</span> <span class="n">func</span> <span class="kn">import</span> <span class="n">cx_Oracle</span> <span class="kn">import</span> <span class="n">pyodbc</span> <span class="k">def</span> <span class="nf">main</span><span class="p">(</span><span class="n">mytimer</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">TimerRequest</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="c1"># 1. Connect to Oracle </span> <span class="n">oracle_conn</span> <span class="o">=</span> <span class="n">cx_Oracle</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">ORACLE_CONN_STRING</span><span class="sh">"</span><span class="p">])</span> <span class="n">oracle_cursor</span> <span class="o">=</span> <span class="n">oracle_conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">oracle_cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT * FROM your_table</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 2. Connect to MSSQL </span> <span class="n">mssql_conn</span> <span class="o">=</span> <span class="n">pyodbc</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">MSSQL_CONN_STRING</span><span class="sh">"</span><span class="p">])</span> <span class="n">mssql_cursor</span> <span class="o">=</span> <span class="n">mssql_conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="c1"># 3. Sync data (your existing logic) </span> <span class="c1"># ... </span> <span class="n">logging</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Sync completed at %s</span><span class="sh">"</span><span class="p">,</span> <span class="n">utc_timestamp</span><span class="p">)</span> </code></pre> </div> <h3> <strong>Step 5: Configure Dependencies</strong> </h3> <p>Populate <code>requirements.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>azure-functions cx_Oracle==8.3.0 pyodbc==4.0.39 </code></pre> </div> <blockquote> <p><strong>Note</strong>: <code>cx_Oracle</code> requires <a href="https://www.oracle.com/database/technologies/instant-client.html" rel="noopener noreferrer">Oracle Instant Client</a>. Include it in your Azure Function App Settings (see Step 8).</p> </blockquote> <h3> <strong>Step 6: Local Environment Setup</strong> </h3> <p>Create <code>local.settings.json</code> (<strong>exclude from Git</strong>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"IsEncrypted"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"Values"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"FUNCTIONS_WORKER_RUNTIME"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ORACLE_CONN_STRING"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user/password@oracle-host:port/service"</span><span class="p">,</span><span class="w"> </span><span class="nl">"MSSQL_CONN_STRING"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Driver={ODBC Driver 18 for SQL Server};Server=tcp:&lt;server&gt;.database.windows.net,1433;Database=&lt;db&gt;;Uid=&lt;user&gt;;Pwd=&lt;password&gt;;Encrypt=yes;TrustServerCertificate=no;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> <strong>Step 7: Test Locally</strong> </h3> <ol> <li>Start the Functions runtime: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> func start </code></pre> </div> <ol> <li>Verify logs show functions triggering every 2 minutes.</li> </ol> <h3> <strong>Step 8: Deploy to Azure</strong> </h3> <ol> <li> <strong>Sign in to Azure</strong> in VS Code (click the Azure icon → Sign in). </li> <li> <strong>Create Function App</strong>: <ul> <li>Azure Icon → Functions → Create New Function App </li> <li>Name: <code>oracle-mssql-sync-app</code> </li> <li>Runtime: <strong>Python 3.9</strong> </li> <li>OS: <strong>Linux</strong> </li> </ul> </li> <li> <strong>Deploy</strong>: <ul> <li>Right-click your Function App → "Deploy to Function App" </li> <li>Select the <code>oracle-to-mssql-sync</code> folder. </li> </ul> </li> </ol> <h3> <strong>Step 9: Configure Production Settings</strong> </h3> <ol> <li>In Azure Portal → Function App → Configuration → <strong>Application Settings</strong>: Add the same settings as <code>local.settings.json</code>: <ul> <li> <code>ORACLE_CONN_STRING</code> </li> <li> <code>MSSQL_CONN_STRING</code> </li> </ul> </li> <li> <strong>Add Oracle Instant Client Path</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code> <span class="err">Name</span> <span class="err">:</span> <span class="err">LD_LIBRARY_PATH</span> <span class="err">Value</span> <span class="err">:</span> <span class="err">/home/site/wwwroot/oracle_instantclient</span> </code></pre> </div> <ol> <li> <p><strong>Install Oracle Instant Client</strong> (Kudu Console): </p> <ul> <li>Open <code>https://&lt;app-name&gt;.scm.azurewebsites.net</code> </li> <li>Run: </li> </ul> <pre class="highlight shell"><code> <span class="nb">mkdir </span>oracle_instantclient <span class="nb">cd </span>oracle_instantclient wget https://download.oracle.com/otn_software/linux/instantclient/instantclient-basiclite-linuxx64.zip unzip instantclient-basiclite-linuxx64.zip </code></pre> </li> </ol> <h3> <strong>Step 10: Verify Deployment</strong> </h3> <ol> <li>In Azure Portal → Function App → Functions → Select a function → <strong>Monitor</strong>. </li> <li>Check logs for sync activity every 2 minutes. </li> </ol> <h3> <strong>Troubleshooting Tips</strong> </h3> <ol> <li> <strong>Connection Issues</strong>: <ul> <li>Use <code>ping</code> in Kudu Console to verify network access to Oracle/MSSQL. </li> <li>Enable <strong>Azure Application Insights</strong> for detailed logging. </li> </ul> </li> <li> <strong>Dependency Errors</strong>: <ul> <li>Run <code>pip install -r requirements.txt</code> in Kudu Console. </li> </ul> </li> <li> <strong>Cron Not Triggering</strong>: <ul> <li>Validate cron expression: <code>0 */2 * * * *</code> = every 2 minutes. </li> </ul> </li> </ol> <h3> <strong>Final Project Structure</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>oracle-to-mssql-sync/ ├── .vscode/ │ └── settings.json <span class="c"># { "azureFunctions.deploySubpath": "." }</span> ├── functions/ │ ├── accountstatementpremium/ │ │ ├── __init__.py <span class="c"># Your script from accountstatementpremium.py</span> │ │ └── <span class="k">function</span>.json <span class="c"># Timer config</span> │ ├── agency/ │ │ ├── __init__.py <span class="c"># agency.py content</span> │ │ └── <span class="k">function</span>.json │ ├── ... <span class="c"># Other functions</span> ├── host.json <span class="c"># { "version": "2.0" }</span> ├── local.settings.json <span class="c"># .gitignore this!</span> └── requirements.txt <span class="c"># Dependencies</span> </code></pre> </div> <p>By following these steps, your Python scripts will run as scheduled Azure Functions, syncing data between Oracle and MSSQL every 2 minutes.</p> Deploying Multiple Python Scripts to Azure Functions as a Cron Job Goodluck Ekeoma Adiole Wed, 06 Aug 2025 15:38:04 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/deploying-multiple-python-scripts-to-azure-functions-as-a-cron-job-2632 https://dev.to/goodluck_ekeoma_2c98866d0/deploying-multiple-python-scripts-to-azure-functions-as-a-cron-job-2632 <h3> <strong>Ultra-Detailed Step-by-Step Guide: Deploying 4 Python Scripts to Azure Functions as a Cron Job</strong> </h3> <p><em>For absolute beginners — no step skipped!</em></p> <h4> <strong>Before You Start: Prerequisites Checklist</strong> </h4> <ol> <li> <strong>Active Azure Account</strong> <ul> <li>Create one free at <a href="https://azure.microsoft.com/free" rel="noopener noreferrer">azure.com</a> </li> </ul> </li> <li> <strong>VS Code Installed</strong> <ul> <li>Download from <a href="https://code.visualstudio.com/" rel="noopener noreferrer">code.visualstudio.com</a> </li> </ul> </li> <li> <strong>Install These VS Code Extensions</strong> <ul> <li>Open VS Code → Extensions (Ctrl+Shift+X) → Search and install: <ul> <li> <code>Azure Functions</code> (by Microsoft) </li> <li> <code>Python</code> (by Microsoft) </li> <li> <code>Azure Account</code> (by Microsoft) </li> </ul> </li> </ul> </li> <li> <strong>Python 3.8+ Installed</strong> <ul> <li>Download from <a href="https://python.org" rel="noopener noreferrer">python.org</a> </li> <li>Verify installation: Open terminal → Type <code>python --version</code> </li> </ul> </li> <li> <strong>Node.js (for Azure Tools)</strong> <ul> <li>Download from <a href="https://nodejs.org" rel="noopener noreferrer">nodejs.org</a> </li> <li>Verify: Terminal → <code>node --version</code> </li> </ul> </li> </ol> <h3> <strong>Step 1: Setup Project Folder in VS Code</strong> </h3> <ol> <li>Create a new folder on your computer (e.g., <code>C:\db-sync-project</code>) </li> <li>Open VS Code → "File" → "Open Folder" → Select your new folder </li> <li>Create 4 Python files in VS Code: <ul> <li>Right-click in Explorer pane → "New File" → Create: <ul> <li> <code>__init__.py</code> (main function) </li> <li> <code>oracle_utils.py</code> </li> <li> <code>mssql_utils.py</code> </li> <li> <code>data_transformer.py</code> </li> </ul> </li> </ul> </li> <li>Copy your existing script code into these files </li> </ol> <h3> <strong>Step 2: Configure Azure Functions Project</strong> </h3> <ol> <li> <strong>Open Integrated Terminal</strong> <ul> <li>VS Code → Terminal → New Terminal (Ctrl+Shift+`) </li> </ul> </li> <li> <strong>Install Azure Functions Tools</strong>: <code></code><code>bash npm install -g azure-functions-core-tools@4 </code><code></code> </li> <li> <strong>Create Virtual Environment</strong>: <code></code><code>bash python -m venv .venv </code><code></code> <ul> <li> <strong>Activate Environment</strong>: <ul> <li> <em>Windows</em>: <code>.venv\Scripts\activate</code> </li> <li> <em>Mac/Linux</em>: <code>source .venv/bin/activate</code> </li> </ul> </li> </ul> </li> <li> <strong>Install Required Packages</strong>: <code></code><code>bash pip install azure-functions cx_Oracle pyodbc python-dotenv </code><code></code> </li> <li> <strong>Generate Requirements File</strong>: <code></code><code>bash pip freeze &gt; requirements.txt </code><code></code> </li> </ol> <h3> <strong>Step 3: Configure Timer Trigger</strong> </h3> <ol> <li>Create a new folder named <code>SyncFunction</code> in your project </li> <li>Inside <code>SyncFunction</code>, create <code>function.json</code> with: <code></code><code>json { "scriptFile": "../__init__.py", "bindings": [ { "name": "mytimer", "type": "timerTrigger", "direction": "in", "schedule": "*/2 * * * *" // Runs every 2 minutes } ] } </code><code></code> </li> <li>Edit <code>__init__.py</code> (main file): <code></code>`python import azure.functions as func import logging from .oracle_utils import fetch_data from .data_transformer import transform_data from .mssql_utils import update_database</li> </ol> <p>def main(mytimer: func.TimerRequest):<br> logging.info("Starting sync...")</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> # Step 1: Get data from Oracle oracle_data = fetch_data() # Step 2: Transform data transformed_data = transform_data(oracle_data) # Step 3: Update MSSQL update_database(transformed_data) logging.info("Sync completed successfully!") </code></pre> </div> <p>`<code></code> </p> <h3> <strong>Step 4: Set Environment Variables</strong> </h3> <ol> <li>Create <code>local.settings.json</code> in your main project folder: <code></code><code>json { "IsEncrypted": false, "Values": { "FUNCTIONS_WORKER_RUNTIME": "python", "AzureWebJobsStorage": "UseDevelopmentStorage=true", "ORACLE_CONN_STR": "your_oracle_connection_string", "MSSQL_CONN_STR": "your_mssql_connection_string" } } </code><code></code> </li> <li> <strong>Important!</strong> Add this file to <code>.gitignore</code>: <ul> <li>Create <code>.gitignore</code> file → Add line: <code>local.settings.json</code> </li> </ul> </li> </ol> <h3> <strong>Step 5: Configure Function Files</strong> </h3> <p><strong>File 1: <code>oracle_utils.py</code></strong><br><br> <code></code>`python<br> import cx_Oracle<br> import os<br> import logging</p> <p>def fetch_data():<br> conn_str = os.environ["ORACLE_CONN_STR"]<br> try:<br> connection = cx_Oracle.connect(conn_str)<br> cursor = connection.cursor()<br> cursor.execute("SELECT * FROM your_table")<br> return cursor.fetchall()<br> except Exception as e:<br> logging.error(f"Oracle error: {str(e)}")<br> raise<br> finally:<br> cursor.close()<br> connection.close()<br> `<code></code></p> <p><strong>File 2: <code>mssql_utils.py</code></strong><br><br> <code></code>`python<br> import pyodbc<br> import os<br> import logging</p> <p>def update_database(data):<br> conn_str = os.environ["MSSQL_CONN_STR"]<br> try:<br> conn = pyodbc.connect(conn_str)<br> cursor = conn.cursor()<br> for row in data:<br> cursor.execute("UPDATE your_table SET col1=? WHERE id=?", (row[1], row[0]))<br> conn.commit()<br> except Exception as e:<br> logging.error(f"MSSQL error: {str(e)}")<br> raise<br> finally:<br> cursor.close()<br> conn.close()<br> `<code></code></p> <p><strong>File 3: <code>data_transformer.py</code></strong><br><br> <code></code><code>python<br> def transform_data(data):<br> transformed = []<br> for row in data:<br> # Add your transformation logic here<br> transformed.append({<br> 'id': row[0],<br> 'value': row[1].upper() # Example: Convert to uppercase<br> })<br> return transformed<br> </code><code></code></p> <h3> <strong>Step 6: Test Locally</strong> </h3> <ol> <li>Start storage emulator (for Windows): <ul> <li>Install Azure Storage Emulator </li> <li>Run: <code>AzureStorageEmulator.exe start</code> </li> </ul> </li> <li>In VS Code terminal: <code></code><code>bash func start </code><code></code> </li> <li>Verify output: <code></code><code>plaintext Functions: SyncFunction: [timerTrigger] Invoked by schedule: */2 * * * * </code><code></code> </li> <li>Wait 2 minutes → Check terminal logs for sync status </li> </ol> <h3> <strong>Step 7: Deploy to Azure</strong> </h3> <ol> <li> <strong>Sign in to Azure in VS Code</strong>: <ul> <li>Click Azure icon (left sidebar) → "Sign in to Azure..." </li> <li>Follow browser login prompts </li> </ul> </li> <li> <strong>Create Function App</strong>: <ul> <li>In Azure sidebar → Click "Create Function App" icon (↑+☁️) </li> <li>Follow prompts: <ul> <li> <strong>Function App Name</strong>: <code>db-sync-app-123</code> (must be globally unique) </li> <li> <strong>Runtime</strong>: Python 3.10 </li> <li> <strong>Region</strong>: Select closest to you </li> <li> <strong>Resource Group</strong>: Create new → <code>db-sync-group</code> </li> </ul> </li> </ul> </li> <li> <strong>Deploy Code</strong>: <ul> <li>Right-click your project folder in Explorer → "Deploy to Function App" </li> <li>Select your new Function App </li> <li>Wait for deployment (watch Output window) </li> </ul> </li> </ol> <h3> <strong>Step 8: Configure Azure Settings</strong> </h3> <ol> <li>Go to <a href="https://portal.azure.com" rel="noopener noreferrer">Azure Portal</a> </li> <li>Find your Function App → "Configuration" → "Application settings" </li> <li>Add new settings: | Name | Value | |---|---| | <code>ORACLE_CONN_STR</code> | Your Oracle connection string | | <code>MSSQL_CONN_STR</code> | Your MSSQL connection string | | <code>AzureWebJobsStorage</code> | (Auto-created, don't change) | </li> <li>Click "Save" </li> </ol> <h3> <strong>Step 9: Verify Deployment</strong> </h3> <ol> <li>In Azure Portal → Function App → "Functions" </li> <li>Select your <code>SyncFunction</code> → "Code + Test" <ul> <li>Verify all 4 files appear in file list </li> </ul> </li> <li>Check logs: <ul> <li>Go to "Monitor" → "Logs" </li> <li>Run query: <code></code><code>kusto traces | order by timestamp desc </code><code></code> </li> </ul> </li> <li>Wait 2 minutes → Check for sync logs </li> </ol> <h3> <strong>Step 10: Troubleshooting Checklist</strong> </h3> <p>✅ <strong>Deployment failed?</strong> </p> <ul> <li>Run <code>func azure functionapp publish &lt;APP_NAME&gt; --build remote</code> in terminal </li> <li>Check <code>requirements.txt</code> has all packages </li> </ul> <p>✅ <strong>Script not running?</strong> </p> <ul> <li>Verify timer schedule in <code>function.json</code>: <code>"schedule": "*/2 * * * *"</code> </li> </ul> <p>✅ <strong>Database connection issues?</strong> </p> <ul> <li>Allow Azure IPs in your database firewall: <ul> <li>Oracle: Add Azure datacenter IP ranges </li> <li>MSSQL: In Azure SQL → Networking → Add firewall rule for Azure services </li> </ul> </li> </ul> <p>✅ <strong>Missing files?</strong> </p> <ul> <li>All files must be in same directory as <code>__init__.py</code> </li> <li>Redeploy entire project folder </li> </ul> <h3> <strong>Final Validation</strong> </h3> <ol> <li>Force-run the function: <ul> <li>In Azure Portal → Function → "Code + Test" → "Test/Run" </li> <li>Click "Run" </li> </ul> </li> <li>Check "Logs" panel for output </li> <li>Verify data sync in your MSSQL database </li> </ol> <p><strong>Congratulations!</strong> Your 4-script database sync is now running automatically every 2 minutes in Azure! 🎉 </p> <blockquote> <p><strong>Pro Tip</strong>: For production, use Azure Key Vault for connection strings: </p> <ol> <li>Create Key Vault in Azure </li> <li>Store connection strings as secrets </li> <li>In Function App → Configuration → Add setting: <code>@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)</code> </li> </ol> </blockquote> Deploying Oracle-to-MSSQL Sync Script to Azure Functions via VS Code. Goodluck Ekeoma Adiole Wed, 06 Aug 2025 09:53:16 +0000 https://dev.to/goodluck_ekeoma_2c98866d0/deploying-oracle-to-mssql-sync-script-to-azure-functions-via-vs-code-27hd https://dev.to/goodluck_ekeoma_2c98866d0/deploying-oracle-to-mssql-sync-script-to-azure-functions-via-vs-code-27hd <h3> <strong>Step-by-Step Guide: Deploying Oracle-to-MSSQL Sync Script to Azure Functions via VS Code</strong> </h3> <p><em>Detailed information on all steps.</em></p> <h4> <strong>Prerequisites</strong> </h4> <ol> <li> <strong>Azure Account</strong> (free tier suffices). </li> <li> <strong>VS Code</strong> installed. </li> <li> <strong>Python</strong> (3.8+ recommended). </li> <li> <strong>Azure Functions Core Tools</strong> (for local testing). </li> <li> <strong>Azure Functions VS Code Extension</strong>. </li> <li> <strong>Python Extension for VS Code</strong>. </li> </ol> <h3> <strong>Step 1: Install Required Tools</strong> </h3> <ol> <li> <strong>Install Azure Functions Core Tools</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> npm <span class="nb">install</span> <span class="nt">-g</span> azure-functions-core-tools@4 </code></pre> </div> <p><em>(If you don’t have Node.js/npm, <a href="https://nodejs.org/" rel="noopener noreferrer">install Node.js</a>).</em> </p> <ol> <li> <strong>Install VS Code Extensions</strong>: <ul> <li>Open VS Code → Extensions (Ctrl+Shift+X) → Search and install: <ul> <li> <strong>Azure Functions</strong> </li> <li> <strong>Python</strong> (by Microsoft) </li> <li> <strong>Azure Account</strong> (for authentication) </li> </ul> </li> </ul> </li> </ol> <h3> <strong>Step 2: Set Up the Project Structure</strong> </h3> <ol> <li> <strong>Create a Project Folder</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">mkdir </span>oracle-to-mssql-sync <span class="nb">cd </span>oracle-to-mssql-sync code <span class="nb">.</span> <span class="c"># Opens VS Code in this folder</span> </code></pre> </div> <ol> <li> <p><strong>Create Virtual Environment</strong> (avoid dependency conflicts): </p> <ul> <li>In VS Code: <ul> <li>Open terminal (<strong>Terminal → New Terminal</strong>). </li> <li>Run: </li> </ul> </li> </ul> <pre class="highlight shell"><code> python <span class="nt">-m</span> venv .venv </code></pre> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> - Activate the environment: - **Windows**: `.venv\Scripts\activate` - **Linux/macOS**: `source .venv/bin/activate` </code></pre> </div> <ol> <li> <strong>Install Required Packages</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> pip <span class="nb">install </span>azure-functions pyodbc cx_Oracle </code></pre> </div> <p><em>(<code>cx_Oracle</code> for Oracle, <code>pyodbc</code> for MSSQL)</em> </p> <ol> <li> <p><strong>Create Key Files</strong>: </p> <ul> <li>In VS Code, create: <ul> <li> <code>__init__.py</code>: Your main script (copy your existing script here). </li> <li> <code>requirements.txt</code>: Dependencies (auto-generate with): </li> </ul> </li> </ul> <pre class="highlight shell"><code> pip freeze <span class="o">&gt;</span> requirements.txt </code></pre> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> - `local.settings.json`: For local environment variables. - `function_app.py`: Azure Functions entry point (if not using `__init__.py`). </code></pre> </div> <h3> <strong>Step 3: Configure the Timer Trigger</strong> </h3> <ol> <li> <strong>Modify <code>__init__.py</code></strong> to use a timer trigger: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">azure.functions</span> <span class="k">as</span> <span class="n">func</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="k">def</span> <span class="nf">main</span><span class="p">(</span><span class="n">mytimer</span><span class="p">:</span> <span class="n">func</span><span class="p">.</span><span class="n">TimerRequest</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">utc_timestamp</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">()</span> <span class="k">if</span> <span class="n">mytimer</span><span class="p">.</span><span class="n">past_due</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Timer is running late!</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># PASTE YOUR SCRIPT LOGIC HERE </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Oracle to MSSQL sync ran at:</span><span class="sh">"</span><span class="p">,</span> <span class="n">utc_timestamp</span><span class="p">)</span> </code></pre> </div> <ol> <li> <p><strong>Add Timer Schedule</strong>: </p> <ul> <li>Create a file named <code>function.json</code> in a new folder <code>TimerTrigger</code> (if auto-generated by Azure Tools, skip this). </li> <li>Contents of <code>function.json</code>: </li> </ul> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"scriptFile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"__init__.py"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bindings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mytimer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"timerTrigger"</span><span class="p">,</span><span class="w"> </span><span class="nl">"direction"</span><span class="p">:</span><span class="w"> </span><span class="s2">"in"</span><span class="p">,</span><span class="w"> </span><span class="nl">"schedule"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*/2 * * * *"</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Every</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="err">minutes</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </li> </ol> <h3> <strong>Step 4: Configure Environment Variables</strong> </h3> <ol> <li> <strong>For Local Testing</strong> (<code>local.settings.json</code>): </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"IsEncrypted"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"Values"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"FUNCTIONS_WORKER_RUNTIME"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AzureWebJobsStorage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UseDevelopmentStorage=true"</span><span class="p">,</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">For</span><span class="w"> </span><span class="err">local</span><span class="w"> </span><span class="err">storage</span><span class="w"> </span><span class="nl">"ORACLE_CONN_STR"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your-oracle-connection-string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"MSSQL_CONN_STR"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your-mssql-connection-string"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><em>Replace placeholders with your actual DB connection strings.</em> </p> <ol> <li> <strong>Access Variables in Code</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">os</span> <span class="n">oracle_conn_str</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">ORACLE_CONN_STR</span><span class="sh">"</span><span class="p">]</span> <span class="n">mssql_conn_str</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">MSSQL_CONN_STR</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <h3> <strong>Step 5: Test Locally</strong> </h3> <ol> <li> <p><strong>Start Azure Functions Emulator</strong>: </p> <ul> <li>In VS Code terminal: </li> </ul> <pre class="highlight shell"><code> func start </code></pre> </li> </ol> <ul> <li> <p>Verify output:<br> </p> <pre class="highlight plaintext"><code> TimerTrigger: [GET,POST] http://localhost:7071/api/TimerTrigger </code></pre> </li> </ul> <ol> <li> <strong>Check Logs</strong>: <ul> <li>You’ll see cron-like executions every 2 minutes. </li> </ul> </li> </ol> <h3> <strong>Step 6: Deploy to Azure Functions</strong> </h3> <ol> <li> <p><strong>Sign in to Azure in VS Code</strong>: </p> <ul> <li>Click the Azure logo in the sidebar → <strong>Sign in to Azure</strong>. </li> </ul> </li> <li> <p><strong>Create a Function App in Azure</strong>: </p> <ul> <li>In the Azure Functions sidebar: <ul> <li>Click <strong>Create Function App in Azure</strong> (↑ icon). </li> <li>Follow prompts: </li> <li> <strong>Function App Name</strong>: <code>oracle-mssql-sync</code> (globally unique). </li> <li> <strong>Runtime</strong>: Python 3.9. </li> <li> <strong>Region</strong>: Pick one near you. </li> </ul> </li> </ul> </li> <li> <p><strong>Deploy Code</strong>: </p> <ul> <li>Right-click your Function App under <strong>Resources</strong> → <strong>Deploy to Function App</strong>. </li> <li>Select your project folder when prompted. </li> <li>Wait for deployment (check VS Code output terminal). </li> </ul> </li> </ol> <h3> <strong>Step 7: Configure Azure Settings</strong> </h3> <ol> <li> <p><strong>Set Connection Strings in Azure Portal</strong>: </p> <ul> <li>Go to <a href="https://portal.azure.com" rel="noopener noreferrer">Azure Portal</a> → Your Function App → <strong>Configuration</strong>. </li> <li>Under <strong>Application settings</strong>, add: <ul> <li> <code>ORACLE_CONN_STR</code> → Your Oracle connection string. </li> <li> <code>MSSQL_CONN_STR</code> → Your MSSQL connection string. </li> </ul> </li> <li> <strong>Save</strong> changes. </li> </ul> </li> <li> <p><strong>Verify Timer Schedule</strong>: </p> <ul> <li>In your Function App → <strong>Functions</strong> → select your timer function. </li> <li>Click <strong>Integration</strong> → <strong>Timer trigger</strong> → Confirm schedule is <code>*/2 * * * *</code>. </li> </ul> </li> </ol> <h3> <strong>Step 8: Test in Azure</strong> </h3> <ol> <li> <p><strong>Trigger Manually</strong>: </p> <ul> <li>In the Azure Portal → Function App → <strong>Functions</strong> → your function → <strong>Code + Test</strong> → <strong>Test/Run</strong>. </li> <li>Check <strong>Logs</strong> for output. </li> </ul> </li> <li> <p><strong>Monitor Executions</strong>: </p> <ul> <li>Go to <strong>Monitor</strong> → <strong>Logs</strong> → View real-time executions every 2 minutes. </li> </ul> </li> </ol> <h3> <strong>Troubleshooting Tips</strong> </h3> <ul> <li> <strong>Deployment Failures</strong>: <ul> <li>Check <code>requirements.txt</code> exists with correct dependencies. </li> <li>Run <code>pip install -r requirements.txt</code> locally to validate. </li> </ul> </li> <li> <strong>DB Connection Issues</strong>: <ul> <li>Verify connection strings in Azure Application Settings. </li> <li>Allow Azure IPs in your Oracle/MSSQL firewall. </li> </ul> </li> <li> <strong>Timer Not Firing</strong>: <ul> <li>Confirm cron expression <code>*/2 * * * *</code> in <code>function.json</code>. </li> <li>Check timezone (Azure uses UTC by default). </li> </ul> </li> </ul> <h3> <strong>Final Notes</strong> </h3> <ul> <li> <strong>Cost</strong>: Azure Functions has a generous free tier (1M executions/month). </li> <li> <strong>Security</strong>: Use <strong>Azure Key Vault</strong> for sensitive connection strings in production. </li> <li> <strong>Logs</strong>: Use Azure’s <strong>Application Insights</strong> for advanced monitoring. </li> </ul> <p>By following these steps, your Oracle-to-MSSQL sync will run securely in Azure every 2 minutes! 🚀</p> python azurefunctions azure database