DEV Community: Igor Soroka

AWS Certification Exam Preparation. An Ultimate Guide

Igor Soroka — Tue, 14 Mar 2023 07:44:29 +0000

As the demand for cloud computing continues to grow, Amazon Web Services has become one of the industry's most popular cloud service providers. Consequently, AWS certifications are highly sought-after by professionals and teams looking to validate their skills and knowledge in cloud computing.

However, passing these exams can be challenging, especially for those new to the cloud. Here are some tips and strategies to help you prepare for and confidently pass the AWS certification exams based on my experience passing seven exams. If you're looking to boost your career in cloud computing or expand your knowledge in this field, keep reading to learn more!

Find the Motivation

Experience with the public cloud or strong motivation to learn about it should always be the starting point for your exam preparation journey. With proper reason, it will be easier to achieve the result. Are you working on developing a specific skill set to add to the ongoing project or hope to build your credibility for future roles? Find what works best for you, even if it is pretty abstract. And commit to it.

Select the Right Exam for You

This step is crucial, especially if it is your first certification. By choosing a level that is too challenging for you, you risk burning out and abandoning the idea of getting certified altogether. There are four basic types of exams: foundational, associate, professional, and specialty.

I usually start by mapping out what I want to achieve with this exam and which skills I want to validate. In doing so, researching the key areas and structure of the exam proves helpful. An excellent place to start is the official AWS Certification page.

Now let's talk about levels. The only foundational exam is Cloud Practitioner, which is for a reason.
It validates a high-level understanding of AWS cloud services. However, many people I know are jumping straight into the first associate exam.

It makes life more challenging. The certification journey should start from the beginning, like learning the alphabet before speaking the language.

The CP exam makes it easy to understand 'cloud' language. The introductory terms like scaling, load balancing, and foundational services like EC2, Lambda, RDS, DynamoDB, and S3 will be familiar to you. Also, the most significant advantage of going and passing the Cloud Practitioner exam is that you become familiar with the exam process, software, and style of questions.

If you are still determining which associate level exam to take, Developer or Architect, these levels are quite similar.
If you are choosing between the first associate level exam, choose Architect. The difference in content between it and the Developer one is considerably low.
The ways of preparation would be almost the same. Read more about it later.

Next Steps: Preparation Begins

Go through the exam guide carefully. Try to answer these questions and put answers into your 'Notes':
What is the exam structure? (questions, duration, etc.)
Which domains are essential, and what is their percentage in the overall score?

For example: AWS Certified Solutions Architect - Associate.
Let's go to this link. There, you will find the way to download an exam guide. It is heavily focused on the domain of designing secure architectures. It takes 30% of the whole exam. Approximately 20 out of 60 questions will be on this topic. It will help us later in the preparation.
Take note of the table in the 'Content Outline' section.

Usually, I spend 1-2 hours studying the course outline and practicalities. Downloading the whitepapers listed as recommended for the exam is also helpful. I recommend also booking the time for the exam well in advance to help you mentally prepare.

Depending on your workload and the point in the cloud journey, it will take around 2-3 months, with studying 6-7 hours a week except for the foundation exam. Last but not least, notify your partner and family that you are taking the professional challenge of getting well-recognized achievements in your sphere.

It will help you to receive their support and also manage expectations. For example, it will be a bad idea to plan a vacation four days before the exam unless, of course, you are a superhuman who can study anywhere.

Core Preparation

The core of the preparation should be a comprehensive course on one of the learning platforms.
There are many to choose from. As I have asked in my LinkedIn, learners tend to favor ACloudGuru. Also, many say that Adrian Cantrill's courses make outstanding courses. I also heard about Stephane Maarek, who is teaching on Udemy.

From my experience, starting with any of the courses is essential. Styles are different. In most cases, you must balance theory and practice in the study process. If you are taking your first exam, I recommend reading FAQs about services as additional reading. There are multiple services that you meet most in the exams: EC2, RDS, S3, IAM, SQS, SNS, API Gateway, CloudFront, Lambda, and Route 53.

Also, in the evening, it is helpful to have a routine of reading a whitepaper from your e-book or tablet for about 30 minutes. I also like to study in the mornings before the chaos of emails, PRs, and business meetings.

Preliminary Tests

The core preparation should end with completing the main online course, excluding the final test. Also, finishing some of the whitepapers is worth spending time on because they expand knowledge on various matters. Try to start the testing stage 1-2 weeks before the exam. If you are doing a first associate exam, it will probably take two weeks.

How could you test yourself:

Final exam in the main course
AWS Sample questions on the page of the exam
AWS Skill Builder:
- Exam Readiness: (name of your exam)
- (name of your exam) Official Practice Question Set (exam code - English)
TutorialsDojo practice exams.

Try to go into the last one after finishing everything. It will help you most if you have experience with questions and understanding the exam. Try to complete as many questions as possible. I found it helpful on the actual exam. Also, reading the explanations after finishing the practice exams is the key to success here.

Take notes of the most complicated parts for yourself.
It would be related to the differences between security groups and Network Access Control Lists.
Note the tricky sections for yourself.

Prepare for the Exam Day

Consider finishing all the steps above while having 1-2 days before the actual exam. From now on, your main activity will be to read through all your notes and check TutorialsDojo cheatsheets for the services you have difficulties with.

Also, put the most effort into the sections with the most significant percentage of the exam and the ones which are the points that are most vulnerable for you after passing practice tests.

Get good sleep during the last 1-2 days. On exam day, walk for 1 hour around a block or to the nearest park.
It usually clears the mind and gives a natural energy boost to your mind and body.

Take a snack and water bottle with you. What about making it in the comfort of your sofa with the cat on your lap?
Unfortunately, it isn't effortless, and cleaning and preparing the room according to the standards takes time. Also, it feels creepy when somebody is silently watching you struggling with the cloud questions.

I took only one exam at home. It was an experience that I would rather skip. Taking Cloud Practitioner home is probably not a bad idea as it is straightforward and takes less time. Going to the test center helps me to be in the mode of testing myself. Also, during the exam, there would be the opportunity to take a break for eating, drinking, and walking. It becomes necessary at the professional and specialty levels as you spend more time pondering the questions.

During the Exam
Checking your name on the screen is a vital thing to do. Please read the questions carefully, and use the paper they give you in the center. It is not possible with the online proctoring option, by the way. Also, you can ask for a change of paper when you finish. First, strive to complete the questions in which you are sure. Use the 'Flag for review' feature because it allows returning after finishing the first round. My experience showed me that you should only mark answers in the problems where you are 95-100% sure. If not, simply mark them later and move forward. You have time to get back to all questions. But if you spend 15 minutes on one question, you will feel more time pressure.

Life After Submitting

Be prepared that, in most cases, the final screen will not show you PASS/FAIL score. Get some rest after the exam. I also prefer a day off when there is an exam. Your brain needs a recharge. In any scenario, you did a fantastic job preparing for the exam and learned a lot! High five!

Validity of the Certificates

Every exam result will last three years. Remember that every associate exam prolongs the validity of the foundational one. The same happens with the associate exam when you get the professional-level certificate. For example, if you pass Solutions Architect Professional, you will automatically renew the underneath ones like Solutions Architect Associate and Cloud Practitioner. However, Specialty ones do not work like that.

All these steps will help you to improve your knowledge and advance your career in the cloud.
Certificates help me understand the logic behind the services and their interaction in my day-to-day practice.
Also, they help to keep in mind the most secure and available solutions for the cloud architecture.
And, of course, they give you the credit you deserve for learning all the cool cloud tech!

Thanks for reading! Good luck, and feel free to reach me for everything related to AWS, serverless, and cloud training.

Reach me on LinkedIn.

Very Nordic Problem: In search of great skiing track

Igor Soroka — Thu, 27 Jan 2022 08:41:45 +0000

Finland is the happiest country on Earth. It has endless forests and lakes. During wintertime, most of the territory has snow. People are using this combo of cold conditions and excellent services. Cross-country skiing is becoming very popular. However, I noticed that the municipality should prepare the forest tracks properly using heavy machinery.

As a ski track user, I would like to be notified when the tracks are fresh and cleaned. If there were maintenance in the morning, the ice on the trails would be an obstacle for comfortable skating-style skiing. In theory, I would like to avoid it.

Map of the tracks called Outdoor Exercise Map shows the tracks' state. If I want to get the latest data about maintenance, there is the only way - go to the website and check. My motivation behind making the Ski Track Notifier is to stop doing these repetitive tasks. I decided to solve the issue with my favorite technologies: AWS, CDK, Serverless. All the code examples in this article focus on Typescript. The project code is on GitHub.

Architecture

The idea behind the application is to use as many managed services as possible. It will mean that the price will be only for the invocations. AWS Lambda is the primary business logic executor. The app calls it periodically to check the Helsinki region Service Map API.

The flow is going as follows. The EventBridge rule calls AWS Lambda every 30 minutes. The function checks the API and filters out the ski tracks which were not ready inside the time interval of 60 minutes. There is an SNS topic to gather the PublishCommands from Lambda. It has an e-mail subscription as a notification target. Here is the architecture of the solution.

Tooling

I decided to make development and deployment as easy as possible. It is a small project which should be free for hosting and fast to put into production. This section will speak about the technologies used for the application. I would start from the cloud resources to the actual business logic.

Cloud Resources

Infrastructure as Code and CI/CD pipeline allow me to make my application available in minutes from the 'master' branch. I used CDK with CDK Pipelines for provisioning resources. I talked about the CI/CD process more in this article.

Because I am working alone on this project, there is no need for a multi-branch setup. There are two CloudFormation stacks in the project. One is responsible for CI/CD pipeline made with the CodePipeline service. Another stack is for implementation. It consists of Lambda, SNS, permissions, and EventBridge Trigger Rule in a nutshell.

Project Structure

I used the monorepo approach, where the implementation and the infrastructure instructions live in the same codebase. Beforehand there were two issues with this approach:
Two 'package.json' files in the source folder and the 'infra' one for dependencies created a dependency mess. It means that there will be two package-lock and two folders with node_modules.

Packaging lambda code dependencies meant having an extra step of the building and packing it. One could do it via lambda layer or external bundler like webpack.

Thanks to CDK team, now there is a construct called NodejsFunction. It solves precisely these problems by simplifying the build process and code structure. According to the creators, it uses an esbuild that should be 'extremely fast'. I tried it, and it blew my mind with simplicity. My function resource looks like this with just an entry point to generate a valid bundled js file with the tree-shaking. This approach will pack exactly this function without having a whole folder in the cloud.

const getSkiTrackStateHandler = new aws_lambda_nodejs.NodejsFunction(this, 'MyFunction', {
      entry: path.join(__dirname, '../../src/functions/get-ski-track-state.ts'),
    });

One will run only four commands to complete building a valid CloudFormation template. The instructions generated from this array:

const buildCommands = [
 'npm i', 
 'npm run build', 
 'npm run test', 
 'npx cdk synth'
];

Business Logic

I mainly used the TDD (Test-Driven Development) approach to develop the implementation. My idea was to decouple the API call made with Axios GET request from the actual filtering. Keeping this in mind helps to test it faster. I could create a fixture with the sample ski tracks. For the tests, I used jest.

The API returns a JSON object. Every ski track has a key called observations. It is an array of objects that should have property each.

      observations: [
        {
          unit: 54322,
          id: 545294,
          property: 'ski_trail_condition',
          time: '2022-01-07T23:18:48.129560+0200',
          expiration_time: null,
          name: {
            fi: 'Hyvä',
            sv: 'Bra',
            en: 'Good condition',
          },
          quality: 'good',
          value: 'good',
          primary: true,
        },
        {
          unit: 54322,
          id: 545293,
          property: 'ski_trail_maintenance',
          time: '2022-01-07T23:18:48.129560+0200',
          expiration_time: null,
          name: {
            fi: 'Kunnostettu',
            sv: 'Iståndsatt',
            en: 'Maintenance finished',
          },
          quality: 'unknown',
          value: 'maintenance_finished',
          primary: false,
        }
]

I need to have ski_trail_condition with the good value. Also, there is ski_trail_maintenance. It should have value with the maintenance_finished. One more condition is to have it in the last hour. For the time comparisons, there is a library called luxon.

Example

Here is the screenshot of the letter sent to the e-mail. It has the track's name, parsed date, and address. Surprisingly, maintenance data comes with the delay to the API. That is why it is essential to have this ratio between running each lambda and checks of the track update age. After couple of experiments it was like 30/60 minutes.

Future work

Of course, there are more insights about the tracks in the API. For example, 'valaistu' means the availability of artificial light on the tracks. Also, there is a distance shown in kilometers.

Now the application supports only one subscriber. In the future, it would be great to have multiple subscribers, the ability to choose municipality, and track choice of the main focus. Also, it would be nice to connect something like an Amazon Lex-powered bot for multiple channels.

One other idea is to send notifications in batches. The current implementation has the drawback of sending multiple e-mails if there are recent maintained tracks. Today, there is no separate check that the notification about a particular object has been sent to the subscriber.

It took a couple of evenings to create a small full-fetched application to notify myself about the changes found in the public API. With the power of serverless and event-driven architecture, one could deliver business value fast without worrying about servers, virtual machines, or containers. Thanks for reading! Follow me on twitter:

Igor Soroka

@grenguar

After watching cloud educational content on 2x speed, I noticed that every instructor sounds sad at normal playback.

10:21 AM - 17 Jan 2022

How could you be certified with AWS DevOps Professional?

Igor Soroka — Thu, 20 Jan 2022 10:27:23 +0000

Last year, I felt that it was time to have more certifications. I have a Developer Associate certificate, so getting a Solutions Architect Associate one should not be an issue. I was wrong. It took time to get into the flow of the studying. Passing exams is a skill you should develop through an effective routine and development mindset.

Recently I went to certification on DevOps professional. My background is in Development mostly. However, I spent my time setting up environments and infrastructure during recent years. It is worth mentioning that my typical stack includes AWS Lambda, DynamoDB, S3, API Gateway, and SNS/SQS. Here is my list of tips and materials for passing your DevOps professional certificate. You could combine them in any order.

General recommendations. Do not underestimate the content, syllabus, and time during the exam preparation. Sitting on the exam for 3 hours could be challenging. I took the exam in the Pearson VUE accredited test center. I got two A4 papers for writing. With the online option, you will not have a chance to write anything. The notes during the exam helped to map the question and refresh it during the review part.

Pass SysOps Administrator

Try to focus on on monitoring, deployments. This exam will benefit the parts regarding deployments, auditing, and monitoring. Take 1-2 months for the DevOps preparation.

Read whitepapers

I was skipping them during associate ones. They build the correct mindset towards implementation on how to follow AWS practices. I advise you to read them before sleep. Here is the official list

Main Course

Complete one course with Labs. Any platform will work. There are plenty of them, but the most accessible ones are ACloudGuru or CloudAcademy. Making quick hand-written notes is helpful on the last days before the exam.

Use Skill Builder

It is a new official online learning platform from the AWS itself. The quality of the content is outstanding. One drawback is that you need to register but it is for free.

I recommend these courses:

Getting Started with DevOps on AWS
AWS Certification Official Practice Question Sets (sample test is free now for any of the exams)
Exam Readiness: AWS Certified DevOps Engineer - Professional

Train yourself

Sit the actual 75 questions in one go (TutorialsDojo practice exams or the one at the end of the course). Do not be demotivated by the results of the practice exams.

Topics and services to concentrate on: Beanstalk, Config, Trusted Advisor, Auto Scaling, CloudFront, CodeDeploy, Systems Manager, S3, Logging, CloudTrail, CodeCommit.

If you have a couple of days before an exam - concentrate on the most complicated areas. Read tutorialsdojo's cheatsheets. They are enormously helpful.

Config (cheatsheet)
CodeDeploy (cheatsheet)
Deployment tools comparison (cheatsheet)
Installation of CodeDeploy Agent (video)
Systems Manager (cheatsheet)

Physical aspect

Sleep well, do physical exercises, spend time outdoors. Take a break during the exam for standing and stretching. Avoid consuming too much caffeine and sugar especially in the last week before the exam. In the end, all of these factors accumulates into tiredness and lack of concentration. For improving focus, it is nice to do meditation or yoga.

The exam is challenging, but you could become an AWS-certified professional with extensive preparation and discipline. If you could learn at least one lesson from this article, it would mean for me that it was worth sharing. Thanks for reading! Follow me on Twitter also:

// Detect dark theme var iframe = document.getElementById('tweet-1483021717874388994-863'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1483021717874388994&theme=dark" }

Story about my cloud journey and becoming an AWS Community Builder

Igor Soroka — Thu, 11 Nov 2021 15:11:07 +0000

More than a month passed after the news that I became an AWS Community Builder in Serverless Category. Today I would like to tell a story about my path to the cloud. I would also reflect on why it is essential to be a part of this community.

Public Cloud Start

My path to the cloud started with a stupid idea. It was to make a telegram bot that could show the menus of the restaurants on the university campus. There were approximately five places to eat with a very varied quality of food. Some days the choice was obvious - visit Restaurant X. Other days it was challenging to decide. My bot would have the ability to get the menu in the palm of my hand without going and checking the website.

The language was NodeJS, and the cloud provider was Heroku. It was my first trial to do something with server-side javascript. At the same time, I learned about this great tool called Cloud9. Now it is a part of AWS. Those times I was impressed that I could run my bot from any computer (my laptop or the school one). Also, I could prototype fast and check the solution in the Telegram messenger.

JS Conference and first Lambda

After my playground with the chatbot, I got a real programming job. The technology stack consisted of a Java monolith with an on-premise server. I took a challenge because my primary language was Java those times. However, secretly I was excited about NodeJS world with a lot of exciting things happening around it.

That is why I decided to visit a conference about JavaScript called HolyJS in Saint-Petersburg. There I chose almost randomly the session about AWS Lambda conducted by Slobodan Stojanović. It was a revelation. At this time, I have spent half a year deploying Java modules to a running app from the CLI.

How can it be possible? No patching, no infrastructure to manage. It blew my mind. I returned to Finland and started creating my first API with API Gateway backed by Lambdas. I made my first AWS account which was incredible and strange. There was an endless amount of unfamiliar services.

Corporate world and certificate

It has taken a while after I took a new position in an IT consulting company. Again it was a Java monolith but deployed to AWS with automatic deployments. I learned a lot about working in different locations with distributed teams.

There was a company-wide program for being certified with AWS. It was amazing that now I could have time to know all these tiles in the console. I started to study and experiment with various services. Then I was certified as a Developer Associate. It gave me confidence that now I could use AWS in all of my projects.

The next project in a corporation gave me a chance to deploy my lambdas to production. There I learned more about Terraform, CloudFormation, and Serverless framework. It felt so cool to write the infrastructure which could be re-created by one-line command. I learned more about CI/CD. Like in many cases, nobody wanted to set up deployments and connect all parts.

We deployed the ECS cluster with Docker containers. I learned that serverless is not only Lambdas. It is more like philosophy where one is not provisioning virtual machines but focusing on the application code and business logic.

Freelancing and community

I took a chance to jump into individual contracting in the middle of 2020 after an unexpected call from a recruiter. It was a 100% serverless project with a geographically distributed team. I learned so much from the people with whom I worked. It happened to be the exact match for the technology stack. We used SQS/SNS, S3, Lambdas, Kinesis, and CloudFormation/SAM. It became a standard for me to find such teams and work with them. I learned a lot about provisioning infrastructure with code.

In 2021 I spent time setting up cloud-native projects mainly using CDK. The stack that drives me is still serverless, but now I can write application code and infrastructure one with the same language, Typescript. I have started to write about this more and more. Blogging allows me to stop and reflect on the topics that re-ignite my passion for building new things.

In August, I applied to the AWS Community Builders program because I started to feel the idea of unity that technology gives us. Sharing knowledge and meeting new people online became important. In my application, I said honestly that this would motivate me to write more about my path in the cloud.

In October, the letter said that people from AWS accepted me. I got an invitation to the community in Slack. After the first days, I was astonished by the idea that there are program participants from worldwide. It was a revelation for me. People are writing blogs, shooting videos, sharing knowledge. I am learning every day about new features and things people experiment with at their time. Also, I resumed my path with achieving AWS certificates partly because of how many people are doing them inside the community.

My journey in the cloud is continuing. I am working with AWS every day as a consultant and engineer. Also, now I am speaking more often about my infrastructure-as-code findings with CDK and serverless. Thanks for reading this article. You can find me on Twitter and LinkedIn. Do not hesitate to write and ask questions about AWS, Serverless, and IaC. I will be happy to answer them.

Igor Soroka

@grenguar

Excited to speak about CDK magic for serverless! twitter.com/jawsdays/statu…

13:51 PM - 09 Nov 2021

JAWS-UG @jawsdays
#jawspankration セッション紹介/Session Introduction🤼‍♂️ @grenguar https://t.co/xeqfpQgXZL 🥊イベント参加申込はこちら/Click here to register for the event. https://t.co/usvK3fZYAD #aws #jawsug #jawspankration2021 https://t.co/uRAeeXsXOl

Migration to CDK with existing infrastructure

Igor Soroka — Thu, 04 Nov 2021 08:27:02 +0000

Yesterday (November 3, 2021), I presented on the November meetup of ServerlessDays Amsterdam, where I introduced using CDK with serverless use-cases. After that, I thought about migrating to CDK for the teams that have already chosen this fantastic deployment framework.

Here is the link for the recording.

Time codes: 3:20 - 23:30

Examples from the presentation:

You sold me CDK! What's next?

Let's imagine the debate over using Infrastructure as a Code tool is over. One could go and start with Cloud Formation Kit. There are other options, of course. I spoke of them in my other article. What steps could one take for migrations?

Greenfield project

We are developing a developer's dream project with the latest and freshest tools. With this in mind, let's create new infrastructure stacks. The most important is to go straight to CDK. The one issue will be choosing the language. Here it depends on the primary language of the team. The front-end teams would prefer Typescript. Java backend people will use this language.

From No-Infrastructure-as-Code

This case can be a challenge. Here try to group resources in stacks and find a way to connect them. If you have more than 20 resources, it could be better to create a separate stack. Also, using constructs could help for logical grouping. Think of them as modules.

From Cloudformation/other tools

One could use the hybrid approach where the template will be together in the same project with the CDK application. An example could be a pipeline provisioned with CloudFormation. The infra for business logic would use a programming language.

A similar approach could work with other deployment tools. There are multiple ways to connect stacks:

By outputs
By creating shared SSM Parameter Store/Secrets Manager

The latter one gives the ability to create a resource, save its id in one stack. One could use it in a different stack as a parameter. However, both approaches could work depending on the needs. Usage of outputs is widespread because one does not care which tool was used. However, secrets give a way to use any resource from any stack that other teams created.

Thanks for reading and watching me! Follow me on Twitter:
// Detect dark theme var iframe = document.getElementById('tweet-1447457840562593796-864'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1447457840562593796&theme=dark" }

Checklist for securing the usage of AWS account from unexpected events

Igor Soroka — Thu, 28 Oct 2021 05:45:38 +0000

Last month I got the bill of 60 USD dollars for the usage of the AWS account. It was too much for my small experiments and blogs articles. That is why I decided to write this checklist about securing your account and making the expenses manageable for your account. As a bonus, I made a CDK project for deploying the billing alarm in the last chapter of this article.

The steps are:

Add MFA
Create admin user
Renew CLI access credentials
Double-check all regions for resources
Setup billing alert (cdk project in this guide)

Add MFA on root user

Passwords are already not helping with account protection. So, having one more authentication method will prevent it from being hacked. My preferred way is to use 1Password. It has built-in support for one-time codes. I found it handy when once a phone has stayed at home during my day in coworking. The 1Password application was running on my laptop with the MFA connected to the AWS account. It saved my day.

Separate user with AdministratorAccess

There is a temptation to skip tedious user setup on a freshly created AWS account. The one wants to start using the cloud as fast as possible. I was in that situation. However, it is considered a bad practice to manage the resources from the root user.

If a hacker gets account access, it will be a real issue. Somebody will have the ability to mine cryptocurrency with the EC2 instances. So, to avoid this issue - create a separate user with Console and programmatic access who has the AdministratorAccess role. Do not forget to add MFA to this account also.

Re-new programmatic access

I had credentials for CLI access created more than 365 days ago. It is a security risk also. The main idea here is to refresh them not tomorrow but today. Also, do not expose access key ID and secret access key, especially when committing to GitHub.

Double-check all regions for resources

There can be a situation when some costs are always in the bill. It means that something is still eating the budget. The most dangerous AWS services in terms of costs are VPC, ECS, and EC2. These have a pay-as-you-go model.

It means that every instance of EC2 has billing in seconds. Another trick is that the ECS cluster with Fargate services running will have costs. For example, it is a Java Spring app with logging every second. Fargate is a serverless way of running containers, which does not have a hefty invoice at the end of the month. Logging will require spinning up the service over and over again to infinity. That is what happened to me when I got the bill.

Setup a billing alert

Billing issues are the motivation for this article, as one could guess. That is why I am suggesting setting up a billing alarm. It will send the notification to the email when the threshold crosses the desired amount in USD. For my case, I took 5 dollars.

I have created a small CDK project for that. One could find it on GitHub here. What are we doing here? The billing alarm will have a metric for the EstimatedCharges. It will notify SNS topic with an email subscription. The best part of this is that the project is entirely serverless. It will cost you nothing for the timebeing.

There are several steps to achieve a calm mind regarding your expenses in the cloud:

Set email with SSM, like:

aws ssm put-parameter --name "/billing/email" --type "String" --value "<your email>" --profile <if you are using it>

Clone the repo and install dependencies (in Linux/macOS case)

git clone https://github.com/Grenguar/cdk-billing-alert.git
cd cdk-billing-alert
cd infra
npm i

If you want to change the threshold, do it in the infra/bin/infra.ts file. There is a parameter called monetaryLimit
Do the deployment:

npx cdk deploy --profile <if you are using it>

Here is the result in the CloudWatch -> Alarms -> All alarms.

Of course, these actions are not giving 100% protection from hackers or unexpected bills. However, the chance of getting strange news from AWS about your cloud resources decreases with every completed point from this checklist. Do you have any actions of improving the security and stabilizing your bill with AWS?

How to automate the deployment with CDK Pipelines

Igor Soroka — Thu, 21 Oct 2021 07:01:09 +0000

Modern software projects are going to be complicated to develop and maintain without automation. The most sophisticated way will be to create a pipeline for the project for sourcing, building, and deploying new changes. This article continues the previous one that was telling about the deployment of public serverless API. Here we will be doing further automation.

What was the project? It gives the ability to store, retrieve, edit and delete books from the Rest API. If you are going to follow instructions, it will be worth having the git repository cloned. It is situated here. First, it is crucial to have a common vocabulary.

Glossary

Used terms:

implementation code - the main application situated in the root folder
implementation stack - the one which has the infra code for lambdas, API GW and
pipeline stack - magical one which has the CI/CD logic in it, including self-mutation.

Overview of Manual Steps

In a nutshell, there are a couple of manual steps for succeeding. However, in the end, we will create the pipeline that will be getting the changes and check them in the infrastructure and implementation both. Here they are:

Creating GitHub Connection using AWS Codestar
Provisioning CDKToolkit (new or updated)
Provisioning of CodePipeline from CLI

Connect GitHub as a source

Let's start with the very beginning of the project building process. The pipeline should be able to get the code from the GitHub repository. In old times, one should store the secret of the GitHub webhook. Now there is a second version of it.

For using that, we will be setting up a connection. It is a region-specific service situated in 'Developer Tools -> Connections'. One should click 'Create Connection.' In this step, there are three options: BitBucket, GitHub, AWS Connector for GitHub.

The connection requires the installation of 'AWS Connector for GitHub.' There are options to choose either all repositories from the account or selected ones.

After the next screen, there is an ARN of this connection. One should write it down because the first stage of the pipeline will use it. From experience, it is better to save it into SSM Parameter Store situated here. The path to the secret could be like
/serverless-api/git/connection-arn.

Preparing pipeline stack

The traditional approach of creating the CodePipeline projects is to have every stage described like sourcing, building, and deploying. The main issue was that everything like output artifacts and execution roles would be described from the ground-up.

However, IaC tools are evolving. CDK has the concept of 'Construct,' which is basically a group of resources. There is a new one called aws-cdk-lib/pipelines. It solves the above-mentioned problems of provisioning additional resources by hand.

const connectionArn = 
  ssm.StringParameter.valueForStringParameter(
    this, 
    '/serverless-api/git/connection-arn', 1
  );

const pipeline = new CodePipeline(this, 'Pipeline', {
    pipelineName: 'ServerlessAPI-Pipeline',
    synth: new ShellStep('Build', {
        input: CodePipelineSource.connection(
          'Grenguar/aws-cdk-api-workshop', 
          'main', {
            connectionArn: connectionArn,
          }),
        commands: [
            'npm ci',
            'npm run build',
            'cd infra',
            'npm ci',
            'npm run build',
            'npx cdk synth',
            'mv cdk.out ../'
        ]
    }),
    selfMutation: true,
});
pipeline.addStage(new MyPipelineAppStage(this, "Deploy"));

The synth option is the first we can start to discuss. It is basically our build stage all-in-one stop. SSM stores the connection ARN. It is a comprehensive security practice for putting it into managed service for secrets. The first argument for input connection is <owner>/<repository_name>. This will work with the corporate accounts also.

The commands option is basically a replacement for the buildspec. It is a sequence of commands which will be executed by the builder. In CDK, it is implemented as an array of strings. It can be handy for parametrization. It is important to note that first, the webpack project should be dealt with. Only after that will there be code folder with our lambdas. Without that, infrastructure will fail.

Self mutation gives the ability for the pipeline to be changed by itself. Previously, it was painful to change the settings of it. Now there are two stacks: implementation and pipeline. Both of them would be checked and deployed. 'MyPipelineAppStage' is the stack that has API Gateway, Lambdas, and DynamoDB table.

Choosing the main stack

Previously there was only one CloudFormation stack - ApiStack. Now our primary stack is becoming the Pipeline one. In this case, the implementation stack becomes a Stage. It is a unit that has one or more stacks that would be deployed together. In this case, infra/bin/infra.ts is the application entry. It will have only one stack to provision the pipeline (PipelineStack), whereas implementation one will be packed as a stage for ShellStep. The code example is here.

export class MyPipelineAppStage extends Stage {

    constructor(scope: Construct, id: string, props?: StageProps) {
        super(scope, id, props);
        new ApiStack(this, 'APIStack');
    }
}

Provisioning CDK Tools

If one wants to use cdk, it is necessary to provision CDKToolkit. There is a one-line command for that. However, there are multiple versions of these tools. When I was preparing this article, my case was a problematic one. Deployments were not successful because of not enough rights for the CloudFormation to provision resources. For that case, I created Troubleshooting part of this article. Refer to it before having issues with deployments. For the first-timers:

export CDK_NEW_BOOTSTRAP=1
npx cdk bootstrap aws://$ACCOUNT/REGION

Why are we using npx? In short: it will run cdk without the need to have it globally. From npx docs:

Executes <command> either from a local node_modules/.bin, 
or from a central cache, installing any packages 
needed in order for <command> to run.

Time to build and deploy

We are almost done. Now the only thing is to run the command to provision pipeline from the infra folder. It would be:

npx cdk deploy

That's it! Now we can relax and wait for a couple of minutes for the pipeline to succeed. The image shows the pipeline generated after that.

It is sourcing the code from the latest git commit. After that, it builds the code according to the instructions in ShellStep. The third stage is checking the changes in the pipeline itself. The next one is interesting because it has two groups of artifacts. One is for the implementation code of lambdas. Another one is a handler for the custom Lambda resource for creating log groups and retention policies. The deployment stage will check the changeset of the generated CloudFormation project.

In this article, I presented the modern way of creating CI/CD pipelines. The serverless use case is the most natural for me. However, one can use these findings for provisioning EC2 instances or ECS clusters.

Troubleshooting

If the stack on the deployment stage is failing. Probably, you have issues with the 'CDKToolkit'. You will need to do these actions.

So, what I did:

Found ‘CDKToolkit’ in CFN. There I noted the S3 bucket.
Deleted the toolkit stack.
Deleted the bucket
Did exactly like it was said in tutorial:

npx cdk bootstrap aws://<account>/eu-west-1 --profile <profile> \
    --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \
    aws://<account>/<region>

Then, did

npx cdk deploy

On the last step of the pipeline: checked that IAM Role for CFN deployment stack had AdminAccess policy in the role.

Resources

Reflections on Passing AWS Solutions Architect Associate Exam

Igor Soroka — Tue, 12 Oct 2021 06:21:11 +0000

With the distribution of remote work, one has more time for personal and career development. Since winter 2020, I have been working entirely remotely. It gave the enormous possibilities to excel career-wise also.

Cloud certifications are significant in terms of structuring the knowledge and improving it.
I started with AWS in 2018 with the corporate program for upskilling the employees by nurturing the program of certification.
With zero experience back then, I passed the AWS Developer Associate exam.

Community

People are social creatures. That is why we need to go and do something together. I did my first certificate with my peers from the big company. Many people also did the same studies. Most of them had zero or minimal knowledge of the AWS ecosystem. The atmosphere was very supportive.

This time I studied alone with no extrinsic motivation like extra cash to the salary because of my contracting endeavors. However, I have created a challenge with a couple of people from the community. There we were posting every day about the actions for the studying. It was looking like that:

Watching lecture on Cloud Guru about Load Balancers - 30 minutes #dayN

Consistency and Passive Learning

I had doubts in the middle of the challenge that it would work. But the everyday work on the topics related to the exam helped to be in the context. Our brain is wired to like repetitive things.

Another point relates to the idea of learning when one is not focused primarily on the task. During this certification, I studied more while doing my jogging routine or driving. If the topic is familiar to the person, it will be beneficial to listen without watching. I think summary videos of ACloudGuru courses were helpful.

Big Picture

The questions in the Solutions Architect exam are more scenario-based. I have experience with passing the Developer one. It is important not only how to use services in combination. The key for passing is to look at the interaction between the elements together with the technical requirements.

For the practice in architecting, it would be great to watch short videos on the various topics (This is my architecture). At least, it gives the idea of how to think in scenarios and particular situations. Exam-wise, practice tests are helping for solving cases. The official one from the AWS itself or Udemy ones.

My tips on passing the exam

Course on preparation - ACloudGuru or CloudAcademy
Focus on practical knowledge
- QwikLabs
- Above mentioned cloud schools
Topics: VPC (very important to know how to set up end-to-end), On-premises migration and integration, Storage options for S3, EBS/EFS difference and types, Auto-scaling groups, EC2 types usage scenarios
Practice Exams (Udemy course or book)

The Five Dysfunctions of Serverless Development

Igor Soroka — Thu, 07 Oct 2021 06:38:43 +0000

Function as a Service gives magnificent power for shipping software faster without operational overhead. AWS Lambda is a service which used in e-commerce, healthcare, fin-tech, and other industries. Corporations and startups are jumping into the train of the Serverless movement.

The technology advantages always come with hiccups. During my day-to-day work in different teams, I have noticed multiple issues with the development process while using AWS Lambda and related Serverless stack. In this article, I will mention few ones from my practice. There will be solutions that could help to avoid these issues. Disclaimer: I would mostly talk about my experience with the NodeJS ecosystem.

Top issues with AWS Lambda Development:

Package size
Too much focus on Local running
One function has all routing inside (like express)
Too long function timeout
Fear of vendor-locking

Package Size

Lambda function is sent as ZIP to the AWS. When one uses AWS SDK and native language features, there are no problems. In the case of NodeJS, the function which calls the third-party REST API endpoint will have approximately 500 bytes. In a real project, it is not enough to have just one call. In most cases, there is a need for other dependencies.

The real-life scenario can be like that. The project has started, the business needs results. In the first sprint, the development team took the stories. It is going fine. Now there is 5th one. The CI/CD pipeline became quite slow, the Lambda AWS console is not showing the code and every lambda deployment has all the code for the whole project. The code could easily be up to 20 MBs now. This size is not worth it. Uploading this amount of data is a waste of resources and time.

How to avoid this?

Use code bundler like webpack. It will pack all the external dependencies into one file. It can be handy to minimize your functions.
Use lambda layers. It will help to put all the needed node_modules into separate packages keeping Lambda small in size. The advantage can be that common dependency like 'axios' could be shared between various lambda functions with no extra costs.

The first approach is the one I have been used, but the latter one looks promising. I am planning to try it at some point. I have not seen it to be used.

Too much focus on Local running

It is quite common to use SAM with the Serverless app. It provides this great feature of running your lambdas locally. Sounds cool, but in most cases, it would not help you to achieve an error-prone solution.

Running in the local environment won't save you from the problems with existing infrastructure. In the case of serverless, it is relatively easy to set up multiple environments with lambdas calling other AWS services. For example, it is much faster to deploy and test on the cloud than doing so with local dynamo DB tables.

My latest successful backend project had Lambdas, Dynamo DB table, SQS queues. We were using the approach where all parts were divided into lambda functions, services, and connectors. Unit tests covered the code by these parts. When there was a need to see functionality working, the test branch could cover it without issues.

One Lambda - serves it all

There is a temptation for Node developers to take the Express application and 'decouple' it with Lambda. I think this is a bad idea. For example, one needs a CRUD application backed by API. Many people would prefer to start by initializing the express app and putting all routes into it.

In the end, this attempt will be the issue of having a code-heavy lambda function. It will be like a multitool or 'All-in-one' package. 'Fat' lambdas are hard to test and follow when something goes wrong, which is always mysteriously happening.

I like to think about lambdas as atoms or nanoservices. Just do one call to the third-party API or AWS service with the logic in it. When there is a case of multiple actions, consider switching to more event-driven architecture.

Decoupling Ideas

Possible ways could be:

SQS/SNS for scale
Step Functions for less frequent jobs

Loooooong timeouts

There is no need to have a function with a timeout of 30 seconds that will finish its execution in 10 seconds. It is a good idea to change it at some point in time after the deployment. This action saves money at scale and computing power. One could call it responsible cloud computing when one is not trying to get all the resources but having only needed ones.

Vendor-locking fear

Teams and companies tend to be afraid of this word. In my opinion, they rely too much on multi-cloud. Serverless will lock you to the provider. It is not an issue now because AWS has all you need. Of course, there is a risk that the company will choose another public cloud. However, it is too much effort to do so.

The teams that are using the Lambdas will most likely use API Gateway, DynamoDB, and SQS. It is not worth it to migrate after a while because of the effort needed for a change. Many teams have been happily using one public cloud for years.
There are companies out there that had started to use AWS Lambda in 2014 when it first appeared. If they need container workloads - they use Fargate with ECS. Maybe Kubernetes is not required on every use case, they think. It comes to a mindset.

This is an excellent practice to be aware of the issues mentioned in this article because it will save time for the future. These dysfunctions are the ones I encountered in my serverless-related projects. Do you have any bad practices from your experience?

I am an AWS Community Builder writing about AWS, CDK, Infrastructure-as-Code, Serverless, and Node development. There is one more article about lessons I learned after switching from CloudFormation to CDK.

How to build Serverless API with database using AWS CDK

Igor Soroka — Mon, 27 Sep 2021 08:09:18 +0000

Serverless gives us tremendous opportunities to ship new digital products faster at no cost in the beginning. The most classical way of using serverless is to have API backed by AWS Lambdas. This blog will guide the provision and deployment of an application using AWS CDK version 2. However, when I have started implementing it, issues started to appear. I would tell about them while depicting the process and code. Serverless will give the ability to have a full API setup for free.

First of all, what are we building? It will be an API Gateway backed by AWS Lambdas. They will be reading and writing items to the DynamoDB table. So, here we are, creating the CRUD with REST API. One can find the GitHub repository here.

API Gateway -> AWS Lambda -> DynamoDB

Reading is great for many things. So our items will be books! The model will be like that:

{
   "title": "name of the book>",
   "author": "<author of the book>",
   "yearPublished": "<published year of the book>",
   "isbn": "<universal identifier of the book>"
}

Implementation

In this demo application, we are using Dynamo DB. It is a NoSQL database where AWS manages infrastructure. It is working like a magic spell with the Lambda functions. This app will do classic CRUD operations.

import { DocumentClient } from 'aws-sdk/clients/dynamodb';
import { Book } from '../models/book';
import uuid from 'uuid';

const dynamo = new DocumentClient();

export async function create(table: string, book: Book) {
  const params = {
    TableName: table,
    Item: {
      id: uuid.v4(),
      ...book
    }
  }
  const dbResponse = await dynamo.put(params).promise();
  return params.Item;
}

The start will be related to the writing items to the table. Typescript allows having a strongly typed object. The only thing which will be great to have as unique as possible is UUID. In this case, getting a book by the ID will be straightforward. The deleting operation will be very similar.

export async function get(table: string, id: string) {
  const params = {
    TableName: table,
    Key: {
      id
    }
  };

  const dbResponse = await dynamo.get(params).promise();
  return dbResponse.Item;
}

export async function deleteItem(table: string, id: string) {
  const params = {
    TableName: table,
    Key: {
      id
    }
  }
  await dynamo.delete(params).promise();
}

It would be great also to check the created items. Here I am using the 'Scan' operation, which goes through the whole table. For demo purposes, this should be enough. Whenever possible, one should use 'Query.'

export async function list(table: string): Promise<DocumentClient.ItemList> {
  const params = {
    TableName: table,
  }
  const dbResponse = await dynamo.scan(params).promise();
  if (dbResponse.Items) {
    return dbResponse.Items;
  }
  throw new Error('Cannot get all books');
}

The most complicated request is to update the book from the database. It needs to have parameters and values to edit.

export async function update(table: string, id: string, book: Book) {
  const params = {
    TableName: table,
    Key: {
      id,
    },
    ExpressionAttributeValues: {
      ':title': book.title,
      ':author': book.author,
      ':yearPublished': book.yearPublished,
      ':isbn': book.isbn
    },
    UpdateExpression: 'SET title = :title, ' +
        'author = :author, yearPublished = :yearPublished, isbn = :isbn',
    ReturnValues: 'UPDATED_NEW',
  }
  await dynamo.update(params).promise();
}

Dependency injection is the first complication that is happening with lambdas. If one packs it to the AWS by using CDK or CloudFormation, there will be no dependencies. I am using typescript in the project, so in theory, running will create a working js file:

npm i -D typescript
tsc init
tsc

However, it is not so straightforward. There are two issues here:

packing additional files with functionality because having Lambda with the implementation inside one file is a bad practice
packing external dependencies. In our case, it will be UUID one.

I tried to pack just src/functions/create. Running Lambda will give that:

That is why the next logical step will be to find out how to pack Lambda code together with dependencies and don't upload 100 Mb of node_modules. I decided to use webpack for that. It does the job right and will allow running just this command after installation: webpack

Lambdas' main handler functions will be as simple as calling the DynamoDB file with the needed operations. For example, creating the item would be like that.

import { APIGatewayProxyEventV2, Callback, Context } from 'aws-lambda';
import { create } from '../connectors/dynamo-db-connector';

export async function handler (event: APIGatewayProxyEventV2, context: Context, callback: Callback) {
  if (typeof event.body === 'string') {
    const bookItem = JSON.parse(event.body);
    const createBook = await create(process.env.table as string, bookItem);
    const response = {
      statusCode: 201,
    }
    callback(null, response);
  }
  callback(null, {
    statusCode: 400,
    body: JSON.stringify('Request body is empty!')
  });
}

One could find handlers for other operations in the repository.

Infrastructure

As previously mentioned, CDK will be in charge of the infrastructure provisioning. I will be using just one stack with DynamoDB, 5 Lambdas, Rest API, permissions for table connections, and integrations for endpoints. We will put the infrastructure application in a separate folder /infra.

To create DynamoDB with Lambda calling it, one will need ready-made typed constructs for DynamoDB, Lambda, and permissions. The code is situated one level above, so it is essential to put it like this. The good thing here is that CDK will error when one calls the template's 'synthesizing' with the wrong parameters. After that, Lambda will need a permission to put an item to DynamoDB. One could do this by adding one line of code.

const dynamoTable = new ddb.Table(this, 'BookTable', {
  tableName: 'BookStorage',
  readCapacity: 1,
  writeCapacity: 1,
  partitionKey: {
    name: 'id',
    type: ddb.AttributeType.STRING,
  },
})

const createBookFunction = new lambda.Function(this, 'CreateHandler', {
  runtime: lambda.Runtime.NODEJS_14_X,
  code: lambda.Code.fromAsset('../code'),
  handler: 'create.handler',
  environment: {
    table: dynamoTable.tableName
  },
  logRetention: RetentionDays.ONE_WEEK
});

dynamoTable.grant(createBookFunction, 'dynamodb:PutItem')

After that, the function could be attached to the API. First, we are initializing RestAPI. Then, we add a resource to root for having a path like POST /.

const api = new apigw.RestApi(this, `BookAPI`, {
  restApiName: `book-rest-api`,
});

const mainPath = api.root.addResource('books');

const createBookIntegration = new apigw.LambdaIntegration(createBookFunction);

mainPath.addMethod('POST', createBookIntegration);

The steps shown in this section will be repeated for other endpoints also. The best part comes when one can see that lambda creation is the same but with different parameters. CDK could wrap it into the function for saving space and having reusable code for provisioning handlers.

Testing endpoints

After the manipulations mentioned in the previous sections, we can try out the API mentioned in this article. Let's start with the list of all books. The result should be empty.

curl --location --request GET 'https://<api-id>.execute-api.<region>.amazonaws.com/prod/books'
RESPONSE:
Status: 200
[]

After that, let's create a couple of books.

curl --location --request POST 'https://<api-id>.execute-api.<region>.amazonaws.com/prod/books' \
--header 'Content-Type: application/json' \
--data-raw '{
"title": "Life of PI",
"author": "Yann Martel",
"yearPublished": "2000",
"isbn": "0-676-97376-0"
}'

RESPONSE:
Status: 201

And one more:

curl --location --request POST 'https://<api-id>.execute-api.<region>.amazonaws.com/prod/books' \
--header 'Content-Type: application/json' \
--data-raw '{
"title": "Simulacra and Simulation",
"author": "Jean Baudrillard",
"yearPublished": "0-472-06521-1",
"isbn": "0-676-97376-0"
}'

RESPONSE:
Status: 201

Now we can call a list to make sure that all the books are in their places.

curl --location --request GET 'https://<api-id>.execute-api.<region>.amazonaws.com/prod/books'

RESPONSE:
Status: 200
[{
   "isbn": "0-676-97376-0",
   "id": "617d6b3e-ce6d-4e8d-a10f-05d6703ad7ac",
   "yearPublished": "2000",
   "title": "Life of PI",
   "author": "Yann Martel"
}, {
   "isbn": "0-676-97376-0",
   "id": "2a8251ee-73ee-4717-8f6f-0f11dd2b861f",
   "yearPublished": "0-472-06521-1",
   "title": "Simulacra and Simulation",
   "author": "Jean Baudrillard"
}]

Lambda added the books, and a listing is also working. However, there is an error in the database. I noticed that 'Life of PI' was published in 2001 and not in 2000. So, we need to call the update endpoint.

curl --location --request PUT 'https://y55xcv8jmc.execute-api.eu-west-1.amazonaws.com/prod/books/617d6b3e-ce6d-4e8d-a10f-05d6703ad7ac' \
--header 'Content-Type: application/json' \
--data-raw '{
  "isbn": "0-676-97376-0",
  "yearPublished": "2001",
  "title": "Life of PI",
  "author": "Yann Martel"
}'

Status: 200

Another list call will show that the book was successfully updated.

[{
  "isbn": "0-676-97376-0",
  "id": "617d6b3e-ce6d-4e8d-a10f-05d6703ad7ac",
  "yearPublished": "2001",
  "author": "Yann Martel",
  "title": "Life of PI"
}, {
  "isbn": "0-676-97376-0",
  "id": "2a8251ee-73ee-4717-8f6f-0f11dd2b861f",
  "yearPublished": "0-472-06521-1",
  "title": "Simulacra and Simulation",
  "author": "Jean Baudrillard"
}]

Let's delete one of the books by calling the DELETE endpoint.

curl --location --request DELETE 'https://<api-id>.execute-api.<region>.amazonaws.com/prod/books/2a8251ee-73ee-4717-8f6f-0f11dd2b861f'
Status: 200

After calling it multiple times with different ids, one will get empty response for the list of books. This is what we are expecting here.

In this article, I showed how to deploy Serverless API with the NoSQL Database using AWS Lambda, DynamoDB, and API Gateway deployed by CDK. Lambdas have all permissions for CRUD operations. This can be a sample project for a more complicated setup. Also, I was using the webpack to have all the node dependencies in place. The future work will include the CodePipeline for CI/CD connected to the GitHub hook. Thanks for reading this article!

Want to learn more about AWS, Serverless, and CDK? Subscribe to my blog where I am posting about these topics on a regular basis.

My lessons after moving from CloudFormation to CDK

Igor Soroka — Wed, 15 Sep 2021 07:04:06 +0000

Nowadays there is no doubt that 'Infrastructure as real code' is a way of cloud resources provisioning. CDK is an incredible way of doing this in the AWS ecosystem. This article will talk about the situation when the Cloudformation template is in place and you want to make a new setup with the CDK using Typescript. The opinions are my own.

The Case

Let's imagine you have a new project in a team where CFN was used for a long time. There is a lot of boilerplate already and people are repeating the same things over and over again. There is also some custom CI/CD setup in place. With this background - you are set to start a new project with CDK.

Excited? Me too. But there are some complications because CFN is a YAML/JSON-based templating mechanism. CDK in short is an abstraction on top of CFN which is using a programming language for provisioning infrastructure in a structured way. Here are my tips on how to start switching from Cloudformation/SAM after using the tool for almost a year now.

Start with a small project

Consider a project without many elements. Try to avoid projects where you need to set up VPC by yourself. Also, it will be better to avoid projects with container orchestrations using ECS or Kubernetes. The ideal first project will be the one having S3, Lambda, CloudFront, API Gateway, DynamoDB, and IAM permissions. Example projects can be:

Scheduled event placing data into S3/DynamoDB
Event from Github/Bitbucket
The API call to do some simple job like routing request to another party.

Another important point is to use CDK version 2. x. In most of the guides, it will be suggested to utilize the first one. It is outdated and has many dependencies issues. The developing experience will be much more delightful. For installing it - run:

npm install cdk@next

Study CDK basic concepts

There are multiple important terms when it comes to CDK. The first one is 'App'. It is the root element of the structure. There you can describe the stacks and their creation.
The most interesting concept is a construct. From AWS docs:

Constructs are the basic building blocks of AWS CDK apps. A construct represents a "cloud component" and encapsulates everything AWS CloudFormation needs to create the component.

It is basically a module of the resources packed together as a logical unit. The constructs are having different levels of abstraction. There are ones that are the closest to the CloudFormation. Typically, they have poor typing.

There are 3 levels of abstraction:

CFN resources - they are mapped to the underlined CFN resources.
Level 2 - they give the abstractions and typing. The constructs can be also coming from the library here. Many constructs will allow having types and making fewer mistakes.
Level 3 - these are the whole patterns. They can be done by AWS or other developers. The ones coming from AWS advocates and heroes could be found here.

From my point of view, the power of CDK lies in the third level. It gives the possibility to automate the creation of very common patterns in your team. For example, it can be a custom domain or pipeline setup.

Planning the stacks

Another important point is to have an idea of how many stacks will you need to succeed in the provisioning of the infrastructure. One stack is not helpful in many cases. It means that stacks should be architecture in a way that each of them solves one problem. It can be an issue to determine whether to use the construct or the stack.

According to AWS documentation: "A stack is a collection of AWS resources that you can manage as a single unit." When you have an API with Lambdas - this can be a stack. However, if you have databases and other types of storage - this can be another stack.

One more thing which comes quite often, in the end, is how the stacks will talk with each other. There are multiple ways of doing this. You can either pass general props or the whole stack as an input to the next one, for example.

Always check original documentation

The CDK is just awesome, from my point of view. But it is not saving us from reading and understanding Cloudformation. De-facto CDK is synthesizing the CloudFormation template in JSON format. Thus, it is obligatory to see what it is doing for us.

There are great tricks hidden in the official documentation when you are actually reading it. Most of the time, I am googling something like 'AWS::DynamoDB::Table'. The response will give the needed documentation page for the infrastructure element.

Failures are essential

My journey with CDK started with the failure of deployment when I tried to have an S3 bucket created. It took 15 minutes to deploy it with no success. It is ok to fail with CDK in the beginning. Do not try to hurry and migrate the whole application at once.

During one of the projects, I had a CI/CD setup done with SAM and CloudFormation. Migration of it completely to CDK would take time from the actual feature development. So the solution was to migrate the implementation code infrastructure to CDK and rest the pipeline with the same setup. I learned a lot during this transition for the next project where I took the whole infrastructure into CDK.

All in all, CDK is worth to be tried on the next PoC or internal tool because it gives the real coding experience while doing infrastructure. This is especially important when you are going to use a DevOps mindset for the new features where engineers are responsible for not only the implementation. Usage of the same language for the IaC tool eliminates the context switching between TypeScript and YAML. Thus, it will increase the productivity of the whole team.