DEV Community: Tom Spencer The latest articles on DEV Community by Tom Spencer (@tomspencerlondon). https://dev.to/tomspencerlondon https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F501468%2Fcf860fa3-1054-4408-b6b9-fbf50c5084fa.jpeg DEV Community: Tom Spencer https://dev.to/tomspencerlondon en Unspam Your AWS Service: Conquer Pristine Inbox Delivery Tom Spencer Mon, 08 Jan 2024 18:18:45 +0000 https://dev.to/tomspencerlondon/how-to-avoid-your-domain-emails-being-reported-as-spam-43em https://dev.to/tomspencerlondon/how-to-avoid-your-domain-emails-being-reported-as-spam-43em <h2> Problem </h2> <p>Was Completely frustated with emails landing in spam...<br> <strong>How?</strong> So I was meticulously setting up AWS SES to send emails from my movie booking application hosted on ECS and routed through Route53 domain, but rather reaching the eager customers, mails were getting unceremoniously dumped into spam folders. </p> <p>But you relax, because I have figured out cause &amp; effective solution. Just follow along !!!</p> <h2> Cause </h2> <p>So culprit here is <strong>email spoofing</strong>. <br> Have you ever opened an email claiming to be from a bank, only to find a suspicious offer or a phishing link? This could be the work of email spoofing, a deceptive technique where bad actors impersonate legitimate senders to deceive recipients.</p> <p>Think of it like this: imagine someone forging your signature on a letter and sending it out under your name. Spoofing does the same thing in the digital world, manipulating email headers to make it appear as if the message originates from someone else.</p> <p>Motto of email spoofing includes phishing, spamming and fraud etc. Thankfully, email servers and services today employ various authentication protocols to unmask spoofing attempts. These protocols act like digital gatekeepers, verifying the sender's identity before letting the email pass through.</p> <p>Catching our problem here, that we too need to prove these gatekeepers the authenticity of our service. </p> <h2> Solution </h2> <p>Building a Fortress of Trust: The <strong>SPF, DKIM, and DMARC Trifecta</strong></p> <p>In the bustling world of email, trust is a precious commodity. To ensure that only legitimate emails reach their intended inboxes, a trio of authentication protocols stands guard: SPF, DKIM, and DMARC.</p> <p>Here's how they work in coordination to create a dependable verification system:</p> <p><em>1. SPF (Sender Policy Framework):</em></p> <p><strong>The Gatekeeper:</strong> SPF establishes a clear list of authorized mail servers for a domain.<br> <strong>Think of it as a VIP guest list:</strong> Only those with their names on it (i.e., approved IP addresses) can send emails on behalf of the domain.<br> <strong>How it works:</strong> Receiving servers check incoming emails against the SPF record in the domain's DNS. If the sender's IP doesn't match, the email may be flagged as suspicious.</p> <p><em>2. DKIM (DomainKeys Identified Mail):</em></p> <p><strong>The Seal of Authenticity:</strong> DKIM adds a digital signature to emails, guaranteeing their integrity and sender verification.<br> <strong>Imagine a tamper-proof seal:</strong> It ensures the email hasn't been altered in transit and originates from the rightful sender.<br> <strong>How it works:</strong> The signature is generated using a private key known only to the domain owner. Receiving servers use the corresponding public key to verify the signature's authenticity.</p> <p><em>3. DMARC (Domain-based Message Authentication, Reporting &amp; Conformance):</em></p> <p><strong>The Orchestrator:</strong> DMARC builds upon SPF and DKIM, providing policy enforcement and reporting capabilities.<br> <strong>Think of it as a watchful manager:</strong> It instructs receiving servers on what actions to take when emails fail authentication checks.<br> <strong>How it works:</strong> Domain owners set DMARC policies to specify how to handle unauthenticated emails (e.g., quarantine or reject). They also receive reports on authentication results, aiding in identifying and addressing potential spoofing attempts.</p> <p>Now as we know, lets implement above mechanism !!!</p> <h2> Implementation </h2> <p>Lets do it then, follow me:</p> <h2> SPF </h2> <p>Create a record set in the sender domain, as follows:<br> <em>Value</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"v={spf version} {mechanisms}{directive} {qualifier}all" </code></pre> </div> <p><em>Type</em><br> <code>TXT</code></p> <p>So for me, all mails from SES are authorized to get soft pass(all servers except SES, will be considered as spam). </p> <p><code>include:amazonses.com</code> ensures authorizing SES<br> <code>~all</code> instructs soft pass</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhyjdqys7r7w3h9jxead8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhyjdqys7r7w3h9jxead8.png" alt="Image description" width="718" height="680"></a></p> <p>Done TADA... Lets go to, DKIM signatures. </p> <h2> DKIM </h2> <p>Follow along please:</p> <p><em>1. Go to verified identities in SES</em></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F09yzftnbqhzawd4uefja.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F09yzftnbqhzawd4uefja.png" alt="Image description" width="568" height="1074"></a></p> <p><em>2. Get your domain verified</em></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6nv92fm00tlrw1c33isw.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6nv92fm00tlrw1c33isw.png" alt="Image description" width="800" height="417"></a></p> <p><em>3. Enabling DKIM signature on domain, you will get public keys</em></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn5yddwv87czjx1dkpdy1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn5yddwv87czjx1dkpdy1.png" alt="Image description" width="800" height="424"></a><br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr8zgnvvc5i6dtrjmq7wq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr8zgnvvc5i6dtrjmq7wq.png" alt="Image description" width="800" height="269"></a></p> <p><em>4. Create the generated record sets in Route 53</em></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fifbsqkt52s9n68qanoqd.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fifbsqkt52s9n68qanoqd.png" alt="Image description" width="800" height="152"></a></p> <p><strong>Now, there will be in total 5 records to add,</strong><br> 3 will be having public key matching for reciever to read, <br> <code>publicKey1._domainkey.yourhosteddomain</code><br> <code>publicKey2._domainkey.yourhosteddomain</code><br> <code>publicKey3._domainkey.yourhosteddomain</code></p> <p>2 record sets for configuring MAIL FROM, <br> Value:<code>subdomain.yourhosteddomain</code> Type:<code>MX</code><br> Value:<code>subdomain.yourhosteddomain</code> Type:<code>TXT</code></p> <p>Done! Done! Done! Be ready for last &amp; least DMARC</p> <h2> DMARC </h2> <p>Set up a DMARC record set, with<br> Type: <code>TXT</code><br> Value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"v:DMARC1;p=reject;pct=100;rua=mailto:support@ahtcloud.com:fo=1;adkim=s;aspf=s;" </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmxsz0fayhqbrfqwnczz8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmxsz0fayhqbrfqwnczz8.png" alt="Image description" width="800" height="1041"></a></p> <p><em><strong>That's it! Now your domain is fully authorized to act as email sender...</strong></em></p> How to connect securely to an RDS instance running in a private Subnet Tom Spencer Fri, 22 Dec 2023 16:30:23 +0000 https://dev.to/tomspencerlondon/how-to-connect-securely-to-an-rds-instance-running-in-a-private-subnet-p5d https://dev.to/tomspencerlondon/how-to-connect-securely-to-an-rds-instance-running-in-a-private-subnet-p5d <p>In this article we will connect to an RDS instance locally using an SSH tunnel. <a href="https://youtu.be/ypWzL3PdKx0?si=piXeesMo-KeYPhcu">This</a> video was useful.</p> <h2> Goal </h2> <p>Need to connect to an RDS instance present within a private subnet, which lacks public accessibility. </p> <h2> Problem </h2> <p>A public subnet has a route to an internet gateway configured in its route table. This helps making a connection between the VPC and the internet.<br> A private subnet does not have any route to an internet gateway. We cannot access resources within the private subnet from outside the VPC.<br> We should not put our RDS instances in public subnets only for the purpose of accessing them because this leads to direct public access of our data which is a security concern.<br> However, at times, we may want to access our data locally for debugging purposes. Therefore, we need a mechanism to connect to our database in a private subnet.</p> <h2> Resolution </h2> <p>Get along, till end, you will find out.</p> <h3> Create an EC2 instance </h3> <p>We need to create an EC2 instance keeping the following features:</p> <ol> <li>Locate the EC2 instance in a public subnet</li> <li>Make sure it is the same VPC in which we have put the RDS instance</li> <li>Don't forget to download the .pem file to access the EC2 instance</li> <li>Associate the EC2 with a security group which has inbound access from anywhere (or at least your own IP) <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FZPLsfJy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/euigi3nmm622iei0uib6.jpeg" alt="Image description" width="800" height="379"> </li> </ol> <p>Once you follow above steps, you have a pem file, and an EC2 host, with you, which we are going to utilize later using the universal ec2 user, which is ec2-user. </p> <h3> Testing local EC2 connection </h3> <p>To test the local connection to EC2, we are using jetbrains Intellij, and will be following below steps:</p> <ol> <li>Go to data sources and drivers, then the SSH tunnel tab. </li> <li>Set an SSH configuration, mentioning the </li> <li>EC2 host</li> <li>EC2 user (default user: ec2-user)</li> <li>Select the authentication method as key pair, then locate the pem file we downloaded earlier for EC2 connection.</li> <li>Now, check if correct, by testing connection. <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zVJVbPMg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xp4d4envscphranplykd.png" alt="Image description" width="800" height="433"> </li> </ol> <p>Now, we have EC2 securely connected on our local, which we are going to use for connecting with database now. </p> <h3> Configuring local Database connection </h3> <p>To connect with DB, again we will use intelliJ IDE. For making connection with the DB, you need following details:</p> <ul> <li>RDS instance host</li> <li>DB username</li> <li>DB password</li> <li>DB Port </li> <li>DB name</li> </ul> <p>Go to the general tab, enter above details. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vY3r9Qnb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4qlc6xn2vzgiroyih73v.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vY3r9Qnb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4qlc6xn2vzgiroyih73v.png" alt="Image description" width="800" height="432"></a></p> <p>Once filled, test the connection, if you have followed above steps along with me, we will surely see below prompt.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--P2v9zLRp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9ank1fnydaxm2lc81r3s.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--P2v9zLRp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9ank1fnydaxm2lc81r3s.png" alt="Image description" width="800" height="433"></a></p> <h3> Note </h3> <p>There is also a super easy way to connect to private RDS with <a href="https://dev.to/slootjes/aws-rds-elasticache-remote-access-with-port7777-2hpn">7777 and RDS</a></p> Spring Boot and AWS Tom Spencer Mon, 03 Apr 2023 08:21:14 +0000 https://dev.to/tomspencerlondon/spring-boot-and-aws-lla https://dev.to/tomspencerlondon/spring-boot-and-aws-lla <h3> Introduction </h3> <p>In this article we will learn about everything that is required for deploying a Spring Boot application<br> to AWS. We will deploy a Docker container and learn how to use AWS CloudFormation and the AWS Cloud Development kit (CDK)<br> to automate deployments and build a continuous deployment pipeline with Github Actions.</p> <p>We will also learn about several AWS services that we can use for common tasks. We will build a user registration and login by<br> leveraging Amazon Cognito. We will connect our Spring Boot application with a relational database.<br> We will also build a feature to share todos between users fully managed by AWS.</p> <p>We will then look at some of the important aspects for running an application in production. We will learn how to use Amazon CloudWatch<br> to view logs and metrics. By actively monitoring our application and creating alerts we will be able to detect failures quickly.</p> <p>Useful links:<br> <a href="https://github.com/stratospheric-dev/stratospheric/tree/main/chapters" rel="noopener noreferrer">https://github.com/stratospheric-dev/stratospheric/tree/main/chapters</a><br> <a href="https://stratospheric.dev/" rel="noopener noreferrer">https://stratospheric.dev/</a></p> <h3> Spring Boot and AWS </h3> <p>Spring Boot is the leading framework for building applications with Java. With Spring Boot we can quickly build<br> production-ready software. AWS is the leading cloud platform and we can make use of a vast array of AWS cloud services<br> to help us architect, build and deploy software applications. Netflix and Atlassian use AWS and run all of their <br> Software as a Service applications on AWS infrastructure. This article will help you to integrate Spring Boot applications with<br> AWS. Operational work can seem daunting as a developer particularly since we are used to depending on operations teams to<br> deploy our code. However, the control that is offered by becoming a Devops engineer is empowering and learning a few AWS services<br> and tips and tricks can help take your devops skills to the next level.</p> <p>In this article we will learn hands-on how to get a Spring Boot application into the cloud and operate it on the cloud.<br> We will build a continuous deployment pipeline, access AWS services from the Spring Boot application and learn how to monitor <br> the application on the cloud. </p> <h3> Deploying with AWS </h3> <p>This link is useful for setting up the aws cli:<br> <a href="https://docs.aws.amazon.com/cli/latest/reference/" rel="noopener noreferrer">https://docs.aws.amazon.com/cli/latest/reference/</a></p> <p>These are commands to create a vpc:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 create-vpc <span class="nt">--cidr-block</span> 10.0.0.0/16 <span class="nt">--region</span> ap-southeast-2 aws ec2 describe-vpcs <span class="nt">--region</span> ap-southeast-2 aws ec2 delete-vpc <span class="nt">--region</span> ap-southeast-2 <span class="nt">--vpc-id</span><span class="o">=</span>&lt;VPC-ID&gt; aws ec2 describe-vpcs <span class="nt">--region</span> ap-southeast-2 </code></pre> </div> <p>This is an example vpc configuration using CloudFormation. This file contains a stack of resources.<br> This file describes a stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Deploys a VPC</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">VPC</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s1">'</span><span class="s">10.0.0.0/16'</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">VPCId</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The ID of the VPC that this stack is deployed in</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">VPC'</span> </code></pre> </div> <p>We can use these commands to create and delete a CloudFormation stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation deploy <span class="nt">--template-file</span> vpc-stack.yml <span class="nt">--stack-name</span> vpc-stack <span class="nt">--region</span> ap-southeast-2 aws cloudformation delete-stack <span class="nt">--stack-name</span> vpc-stack <span class="nt">--region</span> ap-southeast-2 aws cloudformation describe-stacks <span class="nt">--region</span> ap-southeast-2 </code></pre> </div> <p>We can also use the CDK to deploy a stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">CdkApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="k">new</span> <span class="nf">CdkStack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span> <span class="s">"CdkStack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="s">"221875718260"</span><span class="o">)</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="s">"ap-southeast-2"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>This is the Stack for the CdkApp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CdkStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">CdkStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="nf">CdkStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="k">new</span> <span class="nf">Vpc</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"vpc"</span><span class="o">,</span> <span class="nc">VpcProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">cidr</span><span class="o">(</span><span class="s">"10.0.0.0/24"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The above stack creates VPC. CDK calls the CloudFormation API. This allows us to build our own construct libraries.<br> This makes the configuration more useful. In order to run the CDK code we should use the CDK command line tool which we<br> can install with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> aws-cdk <span class="c"># install latest version</span> </code></pre> </div> <p>AWS allows us to use the services via the web console, AWS CLI, CloudFormation and CDK.<br> CloudFormation allows us to declare resources and deploy them with a single command. CDK allows<br> us to combine resources to "constructs" and share them as Java libraries.</p> <h3> Using AWS (setup) </h3> <ul> <li><a href="https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&amp;all-free-tier.sort-order=asc&amp;awsf.Free%20Tier%20Types=*all&amp;awsf.Free%20Tier%20Categories=*all" rel="noopener noreferrer">AWS Sign up</a></li> <li><a href="https://aws.amazon.com/" rel="noopener noreferrer">AWS Sign in</a></li> <li><a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" rel="noopener noreferrer">Guide to install the AWS CLI</a></li> <li>AWS CLI commands </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws <span class="nt">--version</span> aws configure aws configure <span class="nt">--profile</span> stratospheric <span class="nb">export </span><span class="nv">AWS_PROFILE</span><span class="o">=</span>stratospheric aws ec2 describe-vpcs <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>This is how to check your configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/.aws<span class="nv">$ </span>aws configure <span class="nt">--profile</span> default AWS Access Key ID <span class="o">[</span><span class="k">****************</span>HJEB]: AWS Secret Access Key <span class="o">[</span><span class="k">****************</span>mdFI]: Default region name <span class="o">[</span>eu-west-2]: Default output format <span class="o">[</span>None]: </code></pre> </div> <p>We can update our cli with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip3 <span class="nb">install </span>awscli <span class="nt">--upgrade</span> <span class="nt">--user</span> </code></pre> </div> <p>We should add our configuration for a different profile with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>We then add the credentials and configuration we wish to use with the profile. The profile information<br> is kept in the .aws folder.<br> In this section we have looked at creating a "free" AWS account. We have installed the AWS CLI and we can use profiles<br> if we want to manage multiple AWS accounts with the AWS CLI.</p> <h3> Elastic Container Registry </h3> <p>Here we will learn how to wrap an app into a Docker image. We will also learn how to create a Docker repository with Amazon<br> Elastic Container Registry (ECR) and how to publish a Docker image to an Elastic Container Registry (ECR)<br> repository.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228086206-499a178c-237a-4689-a6c4-afdb829c74c6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228086206-499a178c-237a-4689-a6c4-afdb829c74c6.png" alt="image"></a></p> <p>The application that we will deploy is a simple Hello World app. This is the Dockerfile for the deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> eclipse-temurin:17-jre</span> <span class="k">ARG</span><span class="s"> JAR_FILE=build/libs/*.jar</span> <span class="k">COPY</span><span class="s"> ${JAR_FILE} app.jar</span> <span class="k">ENTRYPOINT</span><span class="s"> ["java", "-jar", "/app.jar"]</span> </code></pre> </div> <p>This Dockerfile downloads Java 17, builds the application to a Docker image with an entry point to the jar file.<br> We build the jar file with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./gradlew clean build </code></pre> </div> <p>We then build the docker image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> hello-world-app <span class="nb">.</span> </code></pre> </div> <p>Here we give the docker image the name hello-world-app.<br> We check for our docker image with the follow grep on docker image ls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Projects/stratospheric-dev<span class="nv">$ </span>docker image <span class="nb">ls</span> | <span class="nb">grep </span>hello-world-app hello-world-app latest f1307dc16f7e 48 seconds ago 288MB </code></pre> </div> <p>We can then run the application and expose the app to port 8080 on our host computer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-p</span> 8080:8080 hello-world-app </code></pre> </div> <p>We can now see the application on port 8080:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228090110-97714941-4bde-4d15-975b-61afe94a347f.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228090110-97714941-4bde-4d15-975b-61afe94a347f.png" alt="image"></a></p> <p>We are now going to create a docker repository on Amazon ECR. We now go to Amazon Elastic Container Registry on AWS.<br> We should enable tag immutability to avoid changing tags later.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228090443-13b96768-ad9e-4ce8-ba4d-ccc8d8a909b7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228090443-13b96768-ad9e-4ce8-ba4d-ccc8d8a909b7.png" alt="image"></a></p> <p>We then create the repository.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228090503-74083a52-8014-4cba-986e-3091288e6884.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228090503-74083a52-8014-4cba-986e-3091288e6884.png" alt="image"></a></p> <p>For the moment it has no Docker images:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228090543-70e8f754-d374-4f72-8990-e9779697c472.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228090543-70e8f754-d374-4f72-8990-e9779697c472.png" alt="image"></a></p> <p>We now tag our image locally with the url of our new docker repository and the tags latest and v1:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Projects/stratospheric/helloWorld<span class="nv">$ </span>docker tag hello-world-app 706054169063.dkr.ecr.us-east-1.amazonaws.com/hello-world-app:latest tom@tom-ubuntu:~/Projects/stratospheric/helloWorld<span class="nv">$ </span>docker tag hello-world-app 706054169063.dkr.ecr.us-east-1.amazonaws.com/hello-world-app:v1 </code></pre> </div> <p>We can check the tags by looking for our images in our local repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Projects/stratospheric/helloWorld<span class="nv">$ </span>docker image <span class="nb">ls</span> | <span class="nb">grep </span>hello-world-app 706054169063.dkr.ecr.us-east-1.amazonaws.com/hello-world-app latest e4d2957745e5 3 minutes ago 288MB 706054169063.dkr.ecr.us-east-1.amazonaws.com/hello-world-app v1 e4d2957745e5 3 minutes ago 288MB hello-world-app latest e4d2957745e5 3 minutes ago 288MB </code></pre> </div> <p>We now have two images with the url of our ECR repository and tagged with latest and v1 respectively.<br> We now log into the docker repository to publish our image. We use the AWS cli and login to docker with our aws repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Projects/stratospheric/helloWorld<span class="nv">$ </span>aws ecr get-login-password <span class="nt">--region</span> us-east-1 | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> 706054169063.dkr.ecr.us-east-1.amazonaws.com WARNING! Your password will be stored unencrypted <span class="k">in</span> /home/tom/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded </code></pre> </div> <p>We then push the latest image to our repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Projects/stratospheric/helloWorld<span class="nv">$ </span>docker push 706054169063.dkr.ecr.us-east-1.amazonaws.com/hello-world-app:latest </code></pre> </div> <p>We can now see the image in our ECR repository:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228092241-08562c73-46e7-40fa-836a-16d7073425a2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228092241-08562c73-46e7-40fa-836a-16d7073425a2.png" alt="image"></a></p> <p>We also push v1:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Projects/stratospheric/helloWorld<span class="nv">$ </span>docker push 706054169063.dkr.ecr.us-east-1.amazonaws.com/hello-world-app:v1 The push refers to repository <span class="o">[</span>706054169063.dkr.ecr.us-east-1.amazonaws.com/hello-world-app] 8e12efddf5f4: Layer already exists 5ff725d720ec: Layer already exists 3b028c775252: Layer already exists f3a12c51479f: Layer already exists b93c1bd012ab: Layer already exists v1: digest: sha256:5b1075ab16f8bfdd00930963af1bfaca318fd73715aaccdb1e77c865d6dd1d40 size: 1372 </code></pre> </div> <p>We now have the tag of v1 and latest in our repository:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228092462-bae26fb7-0156-4c5f-9ea5-0876cd72e99c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228092462-bae26fb7-0156-4c5f-9ea5-0876cd72e99c.png" alt="image"></a></p> <p>So far we have created a Docker repository with ECR. We create one Docker repository per app. We can also pull and push to the ECR repository<br> from the AWS CLI.</p> <h4> CloudFormation </h4> <p>CloudFormation is the AWS service for infrastructure as code. AWS creates the resources that we declare in our CloudFormation file.<br> We now look at resources and stacks. We will look at how to create a stack template in yaml and how to create a stack from<br> a template file. We will also find our stack on the AWS web console.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228094645-7efebfc7-b999-4940-9677-8b8f2780ecb5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228094645-7efebfc7-b999-4940-9677-8b8f2780ecb5.png" alt="image"></a><br> We declare the resources we need in a stack template. These might include a VPC, Load balancer and a database. We declare the<br> resources in a stack file and CloudFormation deploys the resources for us. The CloudFormation docs list all the resources<br> we can deploy with CloudFormation:<br> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html</a></p> <p>For each of the resources we need to refer to the documentation for each resource. A stack is a group of resources that belong<br> together. All the resources in the stack are created updated and deleted together.<br> We are now going to create a CloudFormation stack to create an ECR repository:</p> <p>We will create a Docker repository stack:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228096362-770b5794-ecf3-4cea-830b-30305b5414d1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228096362-770b5794-ecf3-4cea-830b-30305b5414d1.png" alt="image"></a></p> <p>We first need to look at the CloudFormation docs and ECR repository in particular:<br> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html</a></p> <p>This shows us the options that we can use for our stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECR::Repository</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">EncryptionConfiguration</span><span class="pi">:</span> <span class="s">EncryptionConfiguration</span> <span class="na">ImageScanningConfiguration</span><span class="pi">:</span> <span class="s">ImageScanningConfiguration</span> <span class="na">ImageTagMutability</span><span class="pi">:</span> <span class="s">String</span> <span class="na">LifecyclePolicy</span><span class="pi">:</span> <span class="s">LifecyclePolicy</span> <span class="na">RepositoryName</span><span class="pi">:</span> <span class="s">String</span> <span class="na">RepositoryPolicyText</span><span class="pi">:</span> <span class="s">Json</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Tag</span> </code></pre> </div> <p>Each of the options are documented on the page. We can use the configuration details given on the page to create ecr.yml page:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Deploys a Docker container registry.</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">RegistryName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the container registry</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">Registry</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECR::Repository</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RepositoryName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">RegistryName'</span> <span class="na">LifecyclePolicy</span><span class="pi">:</span> <span class="na">LifecyclePolicyText</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">{</span> <span class="s">"rules": [</span> <span class="s">{</span> <span class="s">"rulePriority": 10,</span> <span class="s">"description": "Limit to 10 images",</span> <span class="s">"selection": {</span> <span class="s">"tagStatus": "any",</span> <span class="s">"countType": "imageCountMoreThan",</span> <span class="s">"countNumber": 10</span> <span class="s">},</span> <span class="s">"action": {</span> <span class="s">"type": "expire"</span> <span class="s">}</span> <span class="s">}</span> <span class="s">]</span> <span class="s">}</span> <span class="na">RepositoryPolicyText</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">AllowPushPull</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">arn:aws:iam::706054169063:user/tom-developer"</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:GetDownloadUrlForLayer"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:BatchGetImage"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:BatchCheckLayerAvailability"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:PutImage"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:InitiateLayerUpload"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:UploadLayerPart"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:CompleteLayerUpload"</span> </code></pre> </div> <p>The parameters section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Parameters</span><span class="pi">:</span> <span class="na">RegistryName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the container registry</span> </code></pre> </div> <p>means that when we deploy the stack we can add a parameter with the registry name. This means we can<br> reuse the stack. We set the name of the repository (RepositoryName) with the input parameter we added earlier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Resources</span><span class="pi">:</span> <span class="na">Registry</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECR::Repository</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RepositoryName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">RegistryName'</span> </code></pre> </div> <p>Here the lifecycle policy sets a limit of 10 images and will delete images when the number of images is above that number:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">LifecyclePolicy</span><span class="pi">:</span> <span class="na">LifecyclePolicyText</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">{</span> <span class="s">"rules": [</span> <span class="s">{</span> <span class="s">"rulePriority": 10,</span> <span class="s">"description": "Limit to 10 images",</span> <span class="s">"selection": {</span> <span class="s">"tagStatus": "any",</span> <span class="s">"countType": "imageCountMoreThan",</span> <span class="s">"countNumber": 10</span> <span class="s">},</span> <span class="s">"action": {</span> <span class="s">"type": "expire"</span> <span class="s">}</span> <span class="s">}</span> <span class="s">]</span> <span class="s">}</span> </code></pre> </div> <p>The repository policy text specifies the allowed actions on the repository for the Principal users that we define.<br> The actions include sending images to the repository and downloading images.<br> We deploy the stack with the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Projects/stratospheric/cloudformation<span class="nv">$ </span>aws cloudformation deploy <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--stack-name</span><span class="o">=</span>hello-world-docker-repository <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--template-file</span> ecr.yml <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--parameter-overrides</span> <span class="nv">RegistryName</span><span class="o">=</span>hello-world-app <span class="se">\</span> <span class="o">&gt;</span> <span class="nt">--profile</span> stratospheric Waiting <span class="k">for </span>changeset to be created.. Waiting <span class="k">for </span>stack create/update to <span class="nb">complete </span>Successfully created/updated stack - hello-world-docker-repository </code></pre> </div> <p>This has created a Docker ECR repository in the eu-west-2 region:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228100382-2dd3dff3-bb87-4a1d-9bba-189381557cc1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228100382-2dd3dff3-bb87-4a1d-9bba-189381557cc1.png" alt="image"></a></p> <p>If we use the same stack-name we can change the properties of the same stack.<br> We can also see the CloudFormation stack on the CloudFormation page:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228100696-a5b4bf0f-ce29-4e1b-9743-d4959a05fd85.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228100696-a5b4bf0f-ce29-4e1b-9743-d4959a05fd85.png" alt="image"></a></p> <p>We can also look at the hollow-world-docker-repository and the actions and events for the CloudFormation stack:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228100840-c14277fe-43b8-42ac-bf80-fba78d2c0fed.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228100840-c14277fe-43b8-42ac-bf80-fba78d2c0fed.png" alt="image"></a></p> <p>So far we have declared resources in a stack file. CloudFormation has taken care of the lifecycle of the resources that we<br> defined. We have parameterised the stack file so that we can use the stack file for multiple deployments with different parameters.</p> <h3> Deploying a Network Stack with Cloud Formation </h3> <p>In this section we will look at why we use separate CloudFormation stacks for Network deployments.<br> We will look at the networking resources AWS provides. We will also learn more about the CloudFormation stack file<br> syntax.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228186447-f3c90300-de92-42a2-b26b-31dd7c79ccc0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228186447-f3c90300-de92-42a2-b26b-31dd7c79ccc0.png" alt="image"></a></p> <p>The above network stack contains all the resources we need so that our users can access the internet. It also includes<br> internal networking so that our application can access the database for example. We deploy a network stack which can be deployed<br> once. The application is deployed in the service stack which includes the compute resources that we require for our application.<br> There will be different requirements in different contexts.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228189708-39fefa05-6763-4115-839e-16bfcbfd6029.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228189708-39fefa05-6763-4115-839e-16bfcbfd6029.png" alt="image"></a></p> <p>The above is an overview of the main resources that our stack will contain. This is what the network stack yaml file will<br> look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">A basic network stack that creates a VPC with a single public subnet and some ECS resources that we need to start a Docker container within this subnet.</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">VPC</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s1">'</span><span class="s">10.0.0.0/16'</span> <span class="na">PublicSubnet</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="na">Fn::Select</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">Fn::GetAZs</span><span class="pi">:</span> <span class="pi">{</span><span class="nv">Ref</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::Region'</span><span class="pi">}</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">VPC'</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s1">'</span><span class="s">10.0.1.0/24'</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">InternetGateway</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::InternetGateway</span> <span class="na">GatewayAttachment</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPCGatewayAttachment</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">VPC'</span> <span class="na">InternetGatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">InternetGateway'</span> <span class="na">PublicRouteTable</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::RouteTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">VPC'</span> <span class="na">PublicSubnetRouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnet</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicRouteTable</span> <span class="na">PublicRoute</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Route</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">GatewayAttachment</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">PublicRouteTable'</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0.0.0.0/0'</span> <span class="na">GatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">InternetGateway'</span> <span class="na">ECSCluster</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::Cluster</span> <span class="na">ECSSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Access to the ECS containers</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">VPC'</span> <span class="na">ECSSecurityGroupIngressFromAnywhere</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroupIngress</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Allows inbound traffic from anywhere</span> <span class="na">GroupId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ECSSecurityGroup'</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">-1</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">ECSRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">ecs.amazonaws.com</span><span class="pi">]</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">sts:AssumeRole'</span><span class="pi">]</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">ecs-service</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="c1"># Rules which allow ECS to attach network interfaces to instances</span> <span class="c1"># on your behalf in order for awsvpc networking mode to work right</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ec2:AttachNetworkInterface'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ec2:CreateNetworkInterface'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ec2:CreateNetworkInterfacePermission'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ec2:DeleteNetworkInterface'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ec2:DeleteNetworkInterfacePermission'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ec2:Describe*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ec2:DetachNetworkInterface'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">ECSTaskExecutionRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">ecs-tasks.amazonaws.com</span><span class="pi">]</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">sts:AssumeRole'</span><span class="pi">]</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">AmazonECSTaskExecutionRolePolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="c1"># Allow the ECS Tasks to download images from ECR</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ecr:GetAuthorizationToken'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ecr:BatchCheckLayerAvailability'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ecr:GetDownloadUrlForLayer'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ecr:BatchGetImage'</span> <span class="c1"># Allow the ECS tasks to upload logs to CloudWatch</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">logs:CreateLogStream'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">logs:PutLogEvents'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">ClusterName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the ECS cluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ECSCluster'</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">AWS::StackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">ClusterName'</span> <span class="pi">]</span> <span class="pi">]</span> <span class="na">ECSRole</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The ARN of the ECS role</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s1">'</span><span class="s">ECSRole.Arn'</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">AWS::StackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">ECSRole'</span> <span class="pi">]</span> <span class="pi">]</span> <span class="na">ECSTaskExecutionRole</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The ARN of the ECS role</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s1">'</span><span class="s">ECSTaskExecutionRole.Arn'</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">AWS::StackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">ECSTaskExecutionRole'</span> <span class="pi">]</span> <span class="pi">]</span> <span class="na">VPCId</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The ID of the VPC that this stack is deployed in</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">VPC'</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">AWS::StackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">VPCId'</span> <span class="pi">]</span> <span class="pi">]</span> <span class="na">PublicSubnet</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Public subnet one</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">PublicSubnet'</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">AWS::StackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">PublicSubnet'</span> <span class="pi">]</span> <span class="pi">]</span> <span class="na">ECSSecurityGroup</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">A security group used to allow ECS containers to receive traffic</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ECSSecurityGroup'</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">AWS::StackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">ECSSecurityGroup'</span> <span class="pi">]</span> <span class="pi">]</span> </code></pre> </div> <p>This link is useful for considering the built in functions that we can use with AWS CloudFormation:<br> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference.html</a><br> In the above stack we are using two CloudFormation intrinsic functions in particular<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> and ```Fn::GetAZs``` . ```Fn::Select``` returns a single object from a list of objects by index. ```Fn::GetAZs``` returns an array that lists Availability Zones for a specified region in alphabetical order. So the following section of the above CloudFormation stack: ```yaml Fn::Select: - 0 - Fn::GetAZs: {Ref: 'AWS::Region'} </code></pre> </div> <p>selects the first Availability Zone returned from the region inputted by the command calling the above CloudFormation template.<br> This doc is useful for <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html" rel="noopener noreferrer">AWS::EC2::VPC</a>.<br> The command specifies a virtual private cloud (VPC). In the above example we have specified a CIDR block for our VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">VPC</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s1">'</span><span class="s">10.0.0.0/16'</span> </code></pre> </div> <p>This CIDR block contains IP addresses from 10.0.0.0 to 10.0.255.255. The 16 means that we can select any number between 0 and 256 on<br> the second to last and last sections of the 4 section IP address.<br> This doc is useful for <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html" rel="noopener noreferrer">AWS::EC2::Subnet</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">PublicSubnet</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="na">Fn::Select</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">Fn::GetAZs</span><span class="pi">:</span> <span class="pi">{</span><span class="nv">Ref</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::Region'</span><span class="pi">}</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">VPC'</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s1">'</span><span class="s">10.0.1.0/24'</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>The<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> specifies a subnet for the specified VPC. Here we have selected the same Availability Zone as the above VPC and use the command line argument to set the id of the VPC. The number 24 means that the earlier sections are fixed and we can only use a range from 10.0.1.0 to 10.0.1.255 for our IP address. The entry ```MapPublicIpOnLaunch``` indicates whether instances launched in the subnet receive a public IPv4 address. The default value is ```false``` . Here we have selected true. This doc is useful for [AWS::EC2::InternetGateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-internetgateway.html). It allocates an internet gateful for use with our VPC. After creating the Internet Gateway we attach it to the VPC with VPCId entry. We also add an [AWS::EC2::RouteTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-routetable.html). A route table is a set of rules, called routes, that determine where the network traffic from our subnet or gateway is directed. Here we attach the Route Table to our VPC. We also use [AWS::EC2::AWS::EC2::SubnetRouteTableAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnetroutetableassociation.html) to associate the subnet with the route table. The [AWS::EC2::Route](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html) specifies the route table within the VPC. Here we specify the ```DestinationCidrBlock``` as 0.0.0.0/0. We also add the Public Gateway as a parameter on our command line argument. ```yaml InternetGateway: Type: AWS::EC2::InternetGateway GatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref 'VPC' InternetGatewayId: !Ref 'InternetGateway' PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' PublicSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnet RouteTableId: !Ref PublicRouteTable PublicRoute: Type: AWS::EC2::Route DependsOn: GatewayAttachment Properties: RouteTableId: !Ref 'PublicRouteTable' DestinationCidrBlock: '0.0.0.0/0' GatewayId: !Ref 'InternetGateway' </code></pre> </div> <p>We use the following command to deploy the above network stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">aws cloudformation deploy \</span> <span class="s">--stack-name=dev-network \</span> <span class="s">--template-file network.yml \</span> <span class="s">--capabilities CAPABILITY_IAM \</span> <span class="s">--profile stratospheric</span> </code></pre> </div> <p>The Elastic Container Stack (ECS) cluster is the service we use to contain the resources we want to deploy. It is in the network stack<br> because we will only deploy the ECS cluster once. We run the above command and can see that the stack has been created:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228232253-81b6be5e-be9f-4fae-a7d7-bd05ab409d9c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228232253-81b6be5e-be9f-4fae-a7d7-bd05ab409d9c.png" alt="image"></a></p> <p>We have created a network stack which will not need to change. We have added input parameters which we then use in the stack template.<br> We have also used the CloudFormation docs to explore the available AWS resources.</p> <h3> Deploying Service Stack with CloudFormation </h3> <p>Here we will learn about ECS basics including clusters, services and tasks. We will define ECS resources with CloudFormation<br> and we will learn about the interactions that are possible between CloudFormation stacks.</p> <h4> ECS Basics </h4> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228235829-8392ec96-a701-42fc-800a-74e13ab598d8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228235829-8392ec96-a701-42fc-800a-74e13ab598d8.png" alt="image"></a></p> <p>Elastic Container Service (ECS) is an AWS self service container orchestration service. The applications to deploy are called tasks.<br> In the diagram above we have multiple tasks. Service A runs two instances of Task 1 and one of Task 2. The application may need more resources<br> for Task 1 so that is why we have included them within this service. The cluster is a wrapper around one or more services and binds the services<br> to a specific AWS region and VPC. Each task is a process. We can now look at how each Task is assigned a process:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228239310-5b6508e7-ac80-4b85-8e8f-321fb5314800.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228239310-5b6508e7-ac80-4b85-8e8f-321fb5314800.png" alt="image"></a></p> <p>The Task Definition tells us what Docker image to run and then we use the image within that Docker Repository. There are two<br> different launch types for ECS - Fargate and EC2. The Fargate launch type does work for us. Fargate spins a fleet of required EC2 instances and manages<br> them for us after we have specified which tasks to run and how many task instances we want to have running at all times. The EC2<br> launch type allows us to control the EC2 instances that are running our tasks and we have to manage this process. We can define<br> auto scaling rules but have to define our own auto-scaling group. We are going to use the Fargate Launch type.<br> We have defined ECS in our network.yml file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">ECSCluster</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::Cluster</span> <span class="na">ECSSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Access to the ECS containers</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">VPC'</span> <span class="na">ECSSecurityGroupIngressFromAnywhere</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroupIngress</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Allows inbound traffic from anywhere</span> <span class="na">GroupId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ECSSecurityGroup'</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">-1</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> </code></pre> </div> <p>Here we define a security group that allows inbound traffic from anywhere. We set the IpProtocol to -1 which means any <br> ip protocol. Later in the file we add IAM role for permission for ECS and logging. We are using the same ECS cluster for all<br> services.</p> <h3> Deploying the Service Stack with CloudFormation </h3> <p>For our Service Stack we have added several parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Parameters</span><span class="pi">:</span> <span class="na">NetworkStackName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the networking stack that</span> <span class="s">these resources are put into.</span> <span class="na">ServiceName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">A human-readable name for the service.</span> <span class="na">ImageUrl</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The url of a docker image that will handle incoming traffic.</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">80</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The port number the application inside the docker container</span> <span class="s">is binding to.</span> <span class="na">ContainerCpu</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">256</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">How much CPU to give the container. 1024 is 1 CPU.</span> <span class="na">ContainerMemory</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">512</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">How much memory in megabytes to give the container.</span> <span class="na">DesiredCount</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">1</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">How many copies of the service task to run.</span> </code></pre> </div> <p>These include the network stack name, service name, image url and container port for each service that we want to deploy<br> within the cluster. We have a Task section to define the task within our service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">TaskDefinition</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::TaskDefinition</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Family</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ServiceName'</span> <span class="na">Cpu</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ContainerCpu'</span> <span class="na">Memory</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ContainerMemory'</span> <span class="na">NetworkMode</span><span class="pi">:</span> <span class="s">awsvpc</span> <span class="na">RequiresCompatibilities</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FARGATE</span> <span class="na">ExecutionRoleArn</span><span class="pi">:</span> <span class="na">Fn::ImportValue</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="s1">'</span><span class="s">NetworkStackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">ECSTaskExecutionRole'</span><span class="pi">]]</span> <span class="na">ContainerDefinitions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ServiceName'</span> <span class="na">Cpu</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ContainerCpu'</span> <span class="na">Memory</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ContainerMemory'</span> <span class="na">Image</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ImageUrl'</span> <span class="na">PortMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ContainerPort'</span> <span class="na">LogConfiguration</span><span class="pi">:</span> <span class="na">LogDriver</span><span class="pi">:</span> <span class="s1">'</span><span class="s">awslogs'</span> <span class="na">Options</span><span class="pi">:</span> <span class="na">awslogs-group</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ServiceName'</span> <span class="na">awslogs-region</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AWS::Region</span> <span class="na">awslogs-stream-prefix</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ServiceName'</span> </code></pre> </div> <p>We also define the service with a maximum percent deployment configuration for when we redeploy Tasks within the service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">Service</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::Service</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ServiceName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">ServiceName'</span> <span class="na">Cluster</span><span class="pi">:</span> <span class="na">Fn::ImportValue</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="s1">'</span><span class="s">NetworkStackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">ClusterName'</span><span class="pi">]]</span> <span class="na">LaunchType</span><span class="pi">:</span> <span class="s">FARGATE</span> <span class="na">DeploymentConfiguration</span><span class="pi">:</span> <span class="na">MaximumPercent</span><span class="pi">:</span> <span class="m">200</span> <span class="na">MinimumHealthyPercent</span><span class="pi">:</span> <span class="m">50</span> <span class="na">DesiredCount</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">DesiredCount'</span> <span class="na">NetworkConfiguration</span><span class="pi">:</span> <span class="na">AwsvpcConfiguration</span><span class="pi">:</span> <span class="na">AssignPublicIp</span><span class="pi">:</span> <span class="s">ENABLED</span> <span class="na">SecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Fn::ImportValue</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="s1">'</span><span class="s">NetworkStackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">ECSSecurityGroup'</span><span class="pi">]]</span> <span class="na">Subnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Fn::ImportValue</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s1">'</span><span class="s">:'</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="s1">'</span><span class="s">NetworkStackName'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">PublicSubnet'</span><span class="pi">]]</span> <span class="na">TaskDefinition</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s1">'</span><span class="s">TaskDefinition'</span> </code></pre> </div> <p>We will use the hello-world-app for deploying our service. We need the url of our hello-world-app.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228247393-17e9f8d5-cf00-448f-9c36-be3747cf5c5c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228247393-17e9f8d5-cf00-448f-9c36-be3747cf5c5c.png" alt="image"></a></p> <p>This is the command for deploying the service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">aws cloudformation deploy \</span> <span class="s">--stack-name dev-service \</span> <span class="s">--template-file service.yml \</span> <span class="s">--profile stratospheric \</span> <span class="s">--parameter-overrides \</span> <span class="s">NetworkStackName=dev-network \</span> <span class="s">ServiceName=hello-world-app \</span> <span class="s">ImageUrl=706054169063.dkr.ecr.us-east-1.amazonaws.com/hello-world-app:latest</span> <span class="s">ContainerPort=8080</span> </code></pre> </div> <p>We can then see the created stack on CloudFormation Stacks:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228248932-1bb1981f-c12d-44ee-a375-e0dec7b0f002.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228248932-1bb1981f-c12d-44ee-a375-e0dec7b0f002.png" alt="image"></a></p> <p>We also now have one cluster running with one service and one running task:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228249482-e3f285de-e9d2-4f0f-b5dd-edec5b286a9a.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228249482-e3f285de-e9d2-4f0f-b5dd-edec5b286a9a.png" alt="image"></a></p> <p>If we check the Task for the running Service we see that we have a running task and we can also see a public IP address:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228250488-1c72c1a3-b127-4d3b-bcf5-4e40f6107d18.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228250488-1c72c1a3-b127-4d3b-bcf5-4e40f6107d18.png" alt="image"></a></p> <p>We can now type in the ip address at the port 8080:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228251115-bd13b3be-dc8a-4e57-95f2-18660e6e5602.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228251115-bd13b3be-dc8a-4e57-95f2-18660e6e5602.png" alt="image"></a></p> <p>and we can see our running task using the Docker image that we deployed to ECR.</p> <p>We have looked at ECS tasks which run docker images that run in an ECS service and ECS cluster.<br> A task can run one or more Docker images and we can use resources across different CloudFormation stacks using output and input<br> parameters. In order to replace our ip address we will use a load balancer as a single point of entry for the stack with a fixed host name.</p> <h3> Using Cloud Development Kit (CDK) </h3> <p>With CloudFormation we declared the resources we want in a cloud yaml file. We will now use Infrastructure as Code with Java to describe<br> the cloud resources required. CDK is an abstraction on top of CloudFormation.<br> CDK introduces the idea of a construct to combine multiple resources. Level 1 constructs represent one CloudFormation Resource.<br> Level 2 Constructs represent a set of resources. Level 2 Constructs infer some of the options for us and set sensible defaults.<br> Level 3 Constructs create patterns for several resources.</p> <p>We install the CDK CLI with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Projects/stratospheric/cloudformation<span class="nv">$ </span>npm <span class="nb">install</span> <span class="nt">-g</span> aws-cdk tom@tom-ubuntu:~/Projects/stratospheric/cloudformation<span class="nv">$ </span>cdk <span class="nt">--version</span> 2.70.0 <span class="o">(</span>build c13a0f1<span class="o">)</span> </code></pre> </div> <p>We create a new cdk app with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">cdk init app --language=java</span> </code></pre> </div> <p>This creates an application with two main parts. The App:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CdkExampleApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="k">new</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span> <span class="s">"CdkExampleStack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>This class creates an App object and a stack object linked to the app. The synth command creates a synthesis<br> step to create a CloudFormation template from the Java code.</p> <p>The Stack class is where we define the resources that we want to deploy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CdkExampleStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>This is a maven project and we can use the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>It is a <span class="o">[</span>Maven]<span class="o">(</span>https://maven.apache.org/<span class="o">)</span> based project, so you can open this project with any Maven compatible Java IDE to build and run tests. <span class="c">## Useful commands</span> <span class="k">*</span> <span class="sb">`</span>mvn package<span class="sb">`</span> compile and run tests <span class="k">*</span> <span class="sb">`</span>cdk <span class="nb">ls</span><span class="sb">`</span> list all stacks <span class="k">in </span>the app <span class="k">*</span> <span class="sb">`</span>cdk synth<span class="sb">`</span> emits the synthesized CloudFormation template <span class="k">*</span> <span class="sb">`</span>cdk deploy<span class="sb">`</span> deploy this stack to your default AWS account/region <span class="k">*</span> <span class="sb">`</span>cdk diff<span class="sb">`</span> compare deployed stack with current state <span class="k">*</span> <span class="sb">`</span>cdk docs<span class="sb">`</span> open CDK documentation </code></pre> </div> <p>We need maven versions to be shared across different environments. This will help us to install the correct<br> maven version. We install the maven wrapper with the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mvn wrapper:wrapper </code></pre> </div> <p>This installs the .mvn file:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228281294-b317cdde-7692-4620-b332-e05439ae8a0c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228281294-b317cdde-7692-4620-b332-e05439ae8a0c.png" alt="image"></a></p> <p>We can now use the command<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> with the same maven commands as before. We also change the cdk.json to refer to the mvnw command: ```yaml { "app": "mvnw -e -q compile exec:java" } </code></pre> </div> <p>We now need to run the following command to create infrastructure for cdk to deploy apps to CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk bootstrap <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>This creates an S3 bucket and IAM roles for the deployment.<br> We can now deploy the application with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk deploy <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>We can now see the CloudFormation stack in the CloudFormation web console:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228283658-8d12172c-be82-4c3c-b734-a5f577ccb918.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228283658-8d12172c-be82-4c3c-b734-a5f577ccb918.png" alt="image"></a></p> <p>At the moment the stack is empty. We can now create the ECS repository with CDK using the following doc:<br> <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecr.Repository.html" rel="noopener noreferrer">https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecr.Repository.html</a></p> <p>Level 2 Constructs are listed as Constructs. The level 1 Constructs are listed as Cfn... For the moment<br> we will stick with Level 2 Constructs. We get the correct methods for our CDK Stack with the following:<br> <a href="https://docs.aws.amazon.com/cdk/api/v2/java/index.html?software/amazon/awscdk/services/ecr/Repository.html" rel="noopener noreferrer">https://docs.aws.amazon.com/cdk/api/v2/java/index.html?software/amazon/awscdk/services/ecr/Repository.html</a></p> <p>Our CdkExampleStack now looks like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CdkExampleStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="nc">Repository</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"repository"</span><span class="o">)</span> <span class="o">.</span><span class="na">repositoryName</span><span class="o">(</span><span class="s">"hello-world-repo"</span><span class="o">)</span> <span class="o">.</span><span class="na">imageScanOnPush</span><span class="o">(</span><span class="nc">Boolean</span><span class="o">.</span><span class="na">TRUE</span><span class="o">)</span> <span class="o">.</span><span class="na">lifecycleRules</span><span class="o">(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="nc">LifecycleRule</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">maxImageCount</span><span class="o">(</span><span class="mi">10</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">()))</span> <span class="o">.</span><span class="na">imageTagMutability</span><span class="o">(</span><span class="nc">TagMutability</span><span class="o">.</span><span class="na">IMMUTABLE</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We can now deploy our cdk app with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk deploy <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>This has created a CloudFormation stack<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228288969-2b1ea3bc-36ce-4357-807f-780d5cf633a9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228288969-2b1ea3bc-36ce-4357-807f-780d5cf633a9.png" alt="image"></a></p> <p>and a hello-world-repo ECR repository:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228289184-d94ff025-5e04-4095-a606-7f523dfbce24.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228289184-d94ff025-5e04-4095-a606-7f523dfbce24.png" alt="image"></a></p> <p>For now this repository is empty. We will use the Stratospheric cdk construct maven dependency <a href="https://github.com/stratospheric-dev/cdk-constructs/blob/main/src/main/java/dev/stratospheric/cdk/DockerRepository.java" rel="noopener noreferrer">here</a><br> to add more to our repository configuration. We will add this configuration with the following maven dependency:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">&lt;dependency&gt;</span> <span class="err">&lt;groupId&gt;dev.stratospheric&lt;/groupId&gt;</span> <span class="err">&lt;artifactId&gt;cdk-constructs&lt;/artifactId&gt;</span> <span class="err">&lt;version&gt;0.1.13&lt;/version&gt;</span> <span class="err">&lt;/dependency&gt;</span> </code></pre> </div> <p>We can now reduce the code using the stratospheric cdk-constructs dependency:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CdkExampleStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="nc">String</span> <span class="n">accountId</span> <span class="o">=</span> <span class="s">"12345"</span><span class="o">;</span> <span class="nc">Environment</span> <span class="n">environment</span> <span class="o">=</span> <span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="n">accountId</span><span class="o">)</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="s">"ap-southeast-2"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">DockerRepository</span> <span class="n">repo</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DockerRepository</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"repo"</span><span class="o">,</span> <span class="n">environment</span><span class="o">,</span> <span class="k">new</span> <span class="nc">DockerRepository</span><span class="o">.</span><span class="na">DockerRepositoryInputParameters</span><span class="o">(</span> <span class="s">"hello-world-repo"</span><span class="o">,</span> <span class="n">accountId</span><span class="o">,</span> <span class="mi">10</span> <span class="o">));</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>This will do the same as above but also add push and pull permissions. We can delete the hello-world-repo<br> and create a new stack with the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk deploy <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>This fails because we have the incorrect AccountID in /stratospheric/cdk-example/cdk.out/CdkExampleStack.template.json:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[</span><span class="w"> </span><span class="s2">"arn:"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Ref"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS::Partition"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="s2">":iam::12345:root"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>We will look at how to fix this error in the next section.</p> <p>In this section, we have abstracted some of CloudFormation's complexity with Constructs and used some of our knowledge of<br> CloudFormation resources. We have also used a shared library to share the construct across projects.</p> <h3> CDK Best Practices </h3> <p>We will now learn how to debug a CDK app. We will manage different environments with CDK, manage input parameters and<br> also manage multiple stacks.</p> <p>First we correct the above code with an environment object:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CdkExampleApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="nc">String</span> <span class="n">accountId</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"accountId"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">region</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"region"</span><span class="o">);</span> <span class="nc">Environment</span> <span class="n">environment</span> <span class="o">=</span> <span class="n">makeEnv</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="n">region</span><span class="o">);</span> <span class="k">new</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span> <span class="s">"CdkExampleStack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="n">environment</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">Environment</span> <span class="nf">makeEnv</span><span class="o">(</span><span class="nc">String</span> <span class="n">account</span><span class="o">,</span> <span class="nc">String</span> <span class="n">region</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="n">account</span><span class="o">)</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="n">region</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The environment can then be used in the Stack directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CdkExampleStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="nf">CdkExampleStack</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">StackProps</span> <span class="n">props</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="n">props</span><span class="o">);</span> <span class="nc">Environment</span> <span class="n">env</span> <span class="o">=</span> <span class="n">props</span><span class="o">.</span><span class="na">getEnv</span><span class="o">();</span> <span class="nc">DockerRepository</span> <span class="n">repo</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DockerRepository</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"repo"</span><span class="o">,</span> <span class="n">env</span><span class="o">,</span> <span class="k">new</span> <span class="nc">DockerRepository</span><span class="o">.</span><span class="na">DockerRepositoryInputParameters</span><span class="o">(</span> <span class="s">"hello-world-repo"</span><span class="o">,</span> <span class="n">env</span><span class="o">.</span><span class="na">getAccount</span><span class="o">(),</span> <span class="mi">10</span> <span class="o">));</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We now need to pass the accountId into our command. We can call the above code with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk deploy <span class="nt">-c</span> <span class="nv">accountId</span><span class="o">=</span>&lt;ACCOUNT_ID&gt; <span class="nv">region</span><span class="o">=</span>eu-west-2 </code></pre> </div> <p>This successfully creates the hello-world-repo on ECR.</p> <h3> AWS AppConfig Agent for Containers </h3> <ul> <li>What is AWS AppConfig?</li> <li>Why did we develop an agent?</li> <li>About the agent</li> <li>Container image</li> <li>Demo: Using the agent in ECS</li> </ul> <h4> What is AWS AppConfig? </h4> <p>AppConfig is changing the way software is developed released and run. It is a dynamic configuration service.<br> Configuration changes the way the software runs depending on the environment. For instance we may want to use different<br> databases for different environments. Before dynamic configuration we had static configuration.<br> For applications we have source code and configuration data. Static Configuration can be time consuming.<br> In order to change endpoints we would have to roll back the application.<br> Dynamic configuration allows us to deploy the configuration data from a remote service at runtime.<br> If we use AppConfig we can change configuration separately from the deployment.<br> There are deployment safety configurations we can use with AppConfig which allow us to deploy the configuration changes<br> gradually. AppConfig includes Feature Flags, Access Control Lists and throttling limits.<br> Throttling is a DDOS protection mechanism which allows a limit of requests to the service. You can allow overrides for<br> particular users.</p> <h4> AppConfig Agent </h4> <p>Before AppConfig Agent management logic including caching, background polling and session management needed to be contained<br> within AppConfig directly. The agent is a sidecar process that runs alongside the application. It allows us to add configuration<br> separately. Customers can then set their own config themselves. This is the image gallery:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228269559-1bc3b3f6-d720-454f-b31e-18a7bfa6eb74.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228269559-1bc3b3f6-d720-454f-b31e-18a7bfa6eb74.png" alt="image"></a></p> <p>These doc is useful for AWS AppConfig integration with Amazon ECS and Amazon EKS:<br> <a href="https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-containers-agent.html" rel="noopener noreferrer">https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-containers-agent.html</a></p> <p>We have now added two Apps to be deployed and deleted the plugin code relating to the default App:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> &lt;plugin&gt; &lt;groupId&gt;org.codehaus.mojo&lt;/groupId&gt; &lt;artifactId&gt;exec-maven-plugin&lt;/artifactId&gt; &lt;version&gt;3.0.0&lt;/version&gt; &lt;configuration&gt; &lt;mainClass&gt;com.myorg.CdkExampleApp&lt;/mainClass&gt; &lt;/configuration&gt; &lt;/plugin&gt; </code></pre> </div> <p>This does mean that we have to add the App name as parameter when we deploy our App.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Projects/stratospheric/cdk-example<span class="nv">$ </span>cdk deploy <span class="nt">--app</span> <span class="s2">"./mvnw -e -q compile exec:java -Dex ec.mainClass=com.myorg.CdkExampleApp2"</span> <span class="se">\</span> <span class="nt">--profile</span> stratospheric <span class="se">\</span> <span class="nt">-c</span> <span class="nv">accountId</span><span class="o">=</span>&lt;ACCOUNT_ID&gt; <span class="se">\</span> <span class="nt">-c</span> <span class="nv">region</span><span class="o">=</span>eu-west-2 <span class="se">\</span> <span class="nt">-c</span> <span class="nv">repoName</span><span class="o">=</span>foo </code></pre> </div> <p>We can also add the arguments to the cdk.json file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{</span> <span class="s2">"</span><span class="s">context"</span><span class="pi">:</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">region"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">eu-west-2"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">accountId"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">706054169063"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">repoName"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">my-cool-repo"</span> <span class="pi">}</span> <span class="pi">}</span> </code></pre> </div> <p>This shortens our command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk deploy <span class="nt">--app</span> <span class="s2">"./mvnw -e -q compile exec:java -Dexec.mainClass=com.myorg.CdkExampleApp2"</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>We can also create a package.json file to deploy and destroy our apps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"name"</span>: <span class="s2">"hello-cdk"</span>, <span class="s2">"version"</span>: <span class="s2">"0.1.0"</span>, <span class="s2">"private"</span>: <span class="nb">true</span>, <span class="s2">"scripts"</span>: <span class="o">{</span> <span class="s2">"stack1:deploy"</span>: <span class="s2">"cdk deploy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=com.myorg.CdkExampleApp </span><span class="se">\"</span><span class="s2"> --require-approval never --profile stratospheric"</span>, <span class="s2">"stack1:destroy"</span>: <span class="s2">"cdk destroy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=com.myorg.CdkExampleApp </span><span class="se">\"</span><span class="s2"> --require-approval never --profile stratospheric"</span>, <span class="s2">"stack2:deploy"</span>: <span class="s2">"cdk deploy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=com.myorg.CdkExampleApp2 </span><span class="se">\"</span><span class="s2"> --require-approval never --profile stratospheric"</span>, <span class="s2">"stack2:destroy"</span>: <span class="s2">"cdk destroy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=com.myorg.CdkExampleApp2 </span><span class="se">\"</span><span class="s2"> --require-approval never --profile stratospheric"</span>, <span class="o">}</span>, <span class="s2">"devDependencies"</span>: <span class="o">{</span> <span class="s2">"aws-sdk"</span>: <span class="s2">"2.43.1"</span> <span class="o">}</span>, <span class="s2">"engines"</span>: <span class="o">{</span> <span class="s2">"node"</span>: <span class="s2">"&gt;=16"</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We run npm install to initialize the npm project and can run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run stack2:deploy </code></pre> </div> <p>The parameters for the deploy are still kept in the cdk.json file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"accountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"706054169063"</span><span class="p">,</span><span class="w"> </span><span class="nl">"repoName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-cool-repo"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>We could override the values in the cdk.json file from the command line.</p> <p>So far we have looked at debugging CloudFormation scripts by using the cdk.out file.<br> We have tried to stick to the rule of using one stack per app and we have used the cdk.json<br> and npm to save retyping scripts and parameters.</p> <h3> Deploying a Network Stack with CDK </h3> <p>In this section we will build a CDK app to deploy a network. We will explore the Network construct and experiment with<br> sharing parameters between CDK constructs with SSM.<br> This is a cleaned up version of the DockerRepositoryApp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">DockerRepositoryApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="nc">String</span> <span class="n">accountId</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"accountId"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="s">"context variable 'accountId' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">region</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"region"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">region</span><span class="o">,</span> <span class="s">"context variable 'region' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">applicationName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"applicationName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">applicationName</span><span class="o">,</span> <span class="s">"context variable 'applicationName' must not be null"</span><span class="o">);</span> <span class="nc">Environment</span> <span class="n">awsEnvironment</span> <span class="o">=</span> <span class="n">makeEnv</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="n">region</span><span class="o">);</span> <span class="nc">Stack</span> <span class="n">dockerRepositoryStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span> <span class="s">"DockerRepositoryStack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">stackName</span><span class="o">(</span><span class="n">applicationName</span> <span class="o">+</span> <span class="s">"-DockerRepository"</span><span class="o">)</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="n">awsEnvironment</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">()</span> <span class="o">);</span> <span class="nc">DockerRepository</span> <span class="n">dockerRepository</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DockerRepository</span><span class="o">(</span> <span class="n">dockerRepositoryStack</span><span class="o">,</span> <span class="s">"DockerRepository"</span><span class="o">,</span> <span class="n">awsEnvironment</span><span class="o">,</span> <span class="k">new</span> <span class="nc">DockerRepository</span><span class="o">.</span><span class="na">DockerRepositoryInputParameters</span><span class="o">(</span><span class="n">applicationName</span><span class="o">,</span> <span class="n">accountId</span><span class="o">)</span> <span class="o">);</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">Environment</span> <span class="nf">makeEnv</span><span class="o">(</span><span class="nc">String</span> <span class="n">account</span><span class="o">,</span> <span class="nc">String</span> <span class="n">region</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="n">account</span><span class="o">)</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="n">region</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We then create the NetworApp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">NetworkApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="nc">String</span> <span class="n">accountId</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"accountId"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="s">"context variable 'accountId' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">region</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"region"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">region</span><span class="o">,</span> <span class="s">"context variable 'region' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">applicationName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"applicationName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">applicationName</span><span class="o">,</span> <span class="s">"context variable 'applicationName' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">environmentName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"environmentName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">environmentName</span><span class="o">,</span> <span class="s">"context variable 'environmentName' must not be null"</span><span class="o">);</span> <span class="nc">Environment</span> <span class="n">env</span> <span class="o">=</span> <span class="n">makeEnv</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="n">region</span><span class="o">);</span> <span class="nc">Stack</span> <span class="n">networkStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span> <span class="s">"NetworkStack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">stackName</span><span class="o">(</span><span class="n">environmentName</span> <span class="o">+</span> <span class="s">"-Network"</span><span class="o">)</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="n">env</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">()</span> <span class="o">);</span> <span class="nc">Network</span> <span class="n">network</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Network</span><span class="o">(</span> <span class="n">networkStack</span><span class="o">,</span> <span class="s">"Network"</span><span class="o">,</span> <span class="n">env</span><span class="o">,</span> <span class="n">environmentName</span><span class="o">,</span> <span class="k">new</span> <span class="nc">Network</span><span class="o">.</span><span class="na">NetworkInputParameters</span><span class="o">());</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">Environment</span> <span class="nf">makeEnv</span><span class="o">(</span><span class="nc">String</span> <span class="n">account</span><span class="o">,</span> <span class="nc">String</span> <span class="n">region</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="n">account</span><span class="o">)</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="n">region</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We then add the NetworkApp to the package.json:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk-example"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.1.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"private"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"repository:deploy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk deploy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=com.myorg.DockerRepositoryApp </span><span class="se">\"</span><span class="s2"> --require-approval never --profile stratospheric"</span><span class="p">,</span><span class="w"> </span><span class="nl">"repository:destroy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk destroy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=com.myorg.DockerRepositoryApp </span><span class="se">\"</span><span class="s2"> --require-approval never --profile stratospheric"</span><span class="w"> </span><span class="nl">"network:deploy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk deploy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=com.myorg.NetworkApp </span><span class="se">\"</span><span class="s2"> --require-approval never --profile stratospheric"</span><span class="p">,</span><span class="w"> </span><span class="nl">"network:destroy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk destroy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=com.myorg.NetworkApp </span><span class="se">\"</span><span class="s2"> --require-approval never --profile stratospheric"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"devDependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws-cdk"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.70.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"engines"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&gt;=16"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Here we are using the Network Construct to create the network:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">Network</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">Network</span><span class="o">(</span><span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="nc">Environment</span> <span class="n">environment</span><span class="o">,</span> <span class="nc">String</span> <span class="n">environmentName</span><span class="o">,</span> <span class="nc">NetworkInputParameters</span> <span class="n">networkInputParameters</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">environmentName</span> <span class="o">=</span> <span class="n">environmentName</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">vpc</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">createVpc</span><span class="o">(</span><span class="n">environmentName</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">ecsCluster</span> <span class="o">=</span> <span class="nc">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"cluster"</span><span class="o">).</span><span class="na">vpc</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">vpc</span><span class="o">).</span><span class="na">clusterName</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">prefixWithEnvironmentName</span><span class="o">(</span><span class="s">"ecsCluster"</span><span class="o">)).</span><span class="na">build</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">createLoadBalancer</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">vpc</span><span class="o">,</span> <span class="n">networkInputParameters</span><span class="o">.</span><span class="na">getSslCertificateArn</span><span class="o">());</span> <span class="nc">Tags</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="k">this</span><span class="o">).</span><span class="na">add</span><span class="o">(</span><span class="s">"environment"</span><span class="o">,</span> <span class="n">environmentName</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">createLoadBalancer</span><span class="o">(</span><span class="nc">IVpc</span> <span class="n">vpc</span><span class="o">,</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">sslCertificateArn</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">loadbalancerSecurityGroup</span> <span class="o">=</span> <span class="n">software</span><span class="o">.</span><span class="na">amazon</span><span class="o">.</span><span class="na">awscdk</span><span class="o">.</span><span class="na">services</span><span class="o">.</span><span class="na">ec2</span><span class="o">.</span><span class="na">SecurityGroup</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"loadbalancerSecurityGroup"</span><span class="o">).</span><span class="na">securityGroupName</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">prefixWithEnvironmentName</span><span class="o">(</span><span class="s">"loadbalancerSecurityGroup"</span><span class="o">)).</span><span class="na">description</span><span class="o">(</span><span class="s">"Public access to the load balancer."</span><span class="o">).</span><span class="na">vpc</span><span class="o">(</span><span class="n">vpc</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="nc">CfnSecurityGroupIngress</span> <span class="n">ingressFromPublic</span> <span class="o">=</span> <span class="n">software</span><span class="o">.</span><span class="na">amazon</span><span class="o">.</span><span class="na">awscdk</span><span class="o">.</span><span class="na">services</span><span class="o">.</span><span class="na">ec2</span><span class="o">.</span><span class="na">CfnSecurityGroupIngress</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"ingressToLoadbalancer"</span><span class="o">).</span><span class="na">groupId</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">loadbalancerSecurityGroup</span><span class="o">.</span><span class="na">getSecurityGroupId</span><span class="o">()).</span><span class="na">cidrIp</span><span class="o">(</span><span class="s">"0.0.0.0/0"</span><span class="o">).</span><span class="na">ipProtocol</span><span class="o">(</span><span class="s">"-1"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">loadBalancer</span> <span class="o">=</span> <span class="n">software</span><span class="o">.</span><span class="na">amazon</span><span class="o">.</span><span class="na">awscdk</span><span class="o">.</span><span class="na">services</span><span class="o">.</span><span class="na">elasticloadbalancingv2</span><span class="o">.</span><span class="na">ApplicationLoadBalancer</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"loadbalancer"</span><span class="o">).</span><span class="na">loadBalancerName</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">prefixWithEnvironmentName</span><span class="o">(</span><span class="s">"loadbalancer"</span><span class="o">)).</span><span class="na">vpc</span><span class="o">(</span><span class="n">vpc</span><span class="o">).</span><span class="na">internetFacing</span><span class="o">(</span><span class="kc">true</span><span class="o">).</span><span class="na">securityGroup</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">loadbalancerSecurityGroup</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="nc">IApplicationTargetGroup</span> <span class="n">dummyTargetGroup</span> <span class="o">=</span> <span class="n">software</span><span class="o">.</span><span class="na">amazon</span><span class="o">.</span><span class="na">awscdk</span><span class="o">.</span><span class="na">services</span><span class="o">.</span><span class="na">elasticloadbalancingv2</span><span class="o">.</span><span class="na">ApplicationTargetGroup</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"defaultTargetGroup"</span><span class="o">).</span><span class="na">vpc</span><span class="o">(</span><span class="n">vpc</span><span class="o">).</span><span class="na">port</span><span class="o">(</span><span class="mi">8080</span><span class="o">).</span><span class="na">protocol</span><span class="o">(</span><span class="nc">ApplicationProtocol</span><span class="o">.</span><span class="na">HTTP</span><span class="o">).</span><span class="na">targetGroupName</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">prefixWithEnvironmentName</span><span class="o">(</span><span class="s">"no-op-targetGroup"</span><span class="o">)).</span><span class="na">targetType</span><span class="o">(</span><span class="nc">TargetType</span><span class="o">.</span><span class="na">IP</span><span class="o">).</span><span class="na">deregistrationDelay</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">seconds</span><span class="o">(</span><span class="mi">5</span><span class="o">)).</span><span class="na">healthCheck</span><span class="o">(</span><span class="nc">HealthCheck</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">healthyThresholdCount</span><span class="o">(</span><span class="mi">2</span><span class="o">).</span><span class="na">interval</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">seconds</span><span class="o">(</span><span class="mi">10</span><span class="o">)).</span><span class="na">timeout</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">seconds</span><span class="o">(</span><span class="mi">5</span><span class="o">)).</span><span class="na">build</span><span class="o">()).</span><span class="na">build</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">httpListener</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">loadBalancer</span><span class="o">.</span><span class="na">addListener</span><span class="o">(</span><span class="s">"httpListener"</span><span class="o">,</span> <span class="nc">BaseApplicationListenerProps</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">port</span><span class="o">(</span><span class="mi">80</span><span class="o">).</span><span class="na">protocol</span><span class="o">(</span><span class="nc">ApplicationProtocol</span><span class="o">.</span><span class="na">HTTP</span><span class="o">).</span><span class="na">open</span><span class="o">(</span><span class="kc">true</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="k">this</span><span class="o">.</span><span class="na">httpListener</span><span class="o">.</span><span class="na">addTargetGroups</span><span class="o">(</span><span class="s">"http-defaultTargetGroup"</span><span class="o">,</span> <span class="nc">AddApplicationTargetGroupsProps</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">targetGroups</span><span class="o">(</span><span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="n">dummyTargetGroup</span><span class="o">)).</span><span class="na">build</span><span class="o">());</span> <span class="k">if</span> <span class="o">(</span><span class="n">sslCertificateArn</span><span class="o">.</span><span class="na">isPresent</span><span class="o">())</span> <span class="o">{</span> <span class="nc">IListenerCertificate</span> <span class="n">certificate</span> <span class="o">=</span> <span class="nc">ListenerCertificate</span><span class="o">.</span><span class="na">fromArn</span><span class="o">((</span><span class="nc">String</span><span class="o">)</span><span class="n">sslCertificateArn</span><span class="o">.</span><span class="na">get</span><span class="o">());</span> <span class="k">this</span><span class="o">.</span><span class="na">httpsListener</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">loadBalancer</span><span class="o">.</span><span class="na">addListener</span><span class="o">(</span><span class="s">"httpsListener"</span><span class="o">,</span> <span class="nc">BaseApplicationListenerProps</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">port</span><span class="o">(</span><span class="mi">443</span><span class="o">).</span><span class="na">protocol</span><span class="o">(</span><span class="nc">ApplicationProtocol</span><span class="o">.</span><span class="na">HTTPS</span><span class="o">).</span><span class="na">certificates</span><span class="o">(</span><span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="n">certificate</span><span class="o">)).</span><span class="na">open</span><span class="o">(</span><span class="kc">true</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="k">this</span><span class="o">.</span><span class="na">httpsListener</span><span class="o">.</span><span class="na">addTargetGroups</span><span class="o">(</span><span class="s">"https-defaultTargetGroup"</span><span class="o">,</span> <span class="nc">AddApplicationTargetGroupsProps</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">targetGroups</span><span class="o">(</span><span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="n">dummyTargetGroup</span><span class="o">)).</span><span class="na">build</span><span class="o">());</span> <span class="nc">ListenerAction</span> <span class="n">redirectAction</span> <span class="o">=</span> <span class="nc">ListenerAction</span><span class="o">.</span><span class="na">redirect</span><span class="o">(</span><span class="nc">RedirectOptions</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">protocol</span><span class="o">(</span><span class="s">"HTTPS"</span><span class="o">).</span><span class="na">port</span><span class="o">(</span><span class="s">"443"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="k">new</span> <span class="nf">ApplicationListenerRule</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"HttpListenerRule"</span><span class="o">,</span> <span class="nc">ApplicationListenerRuleProps</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">listener</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">httpListener</span><span class="o">).</span><span class="na">priority</span><span class="o">(</span><span class="mi">1</span><span class="o">).</span><span class="na">conditions</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="nc">ListenerCondition</span><span class="o">.</span><span class="na">pathPatterns</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="s">"*"</span><span class="o">)))).</span><span class="na">action</span><span class="o">(</span><span class="n">redirectAction</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="o">}</span> <span class="k">this</span><span class="o">.</span><span class="na">createOutputParameters</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>This Construct creates a VPC, ECSCluster and Load Balancer for us. The VPC Construct creates the Internet Gateway and Routing Table for us also.<br> CDK abstracts the details for us. For each construct the Network construct creates StringParameters which are accessible through AWS Systems Manager.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228353250-2a0ebcd0-1684-4667-bc8b-1c20cfcf0f54.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228353250-2a0ebcd0-1684-4667-bc8b-1c20cfcf0f54.png" alt="image"></a></p> <p>We can deploy the stack with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run network:deploy <span class="nt">--</span> <span class="nt">-c</span> <span class="nv">environmentName</span><span class="o">=</span>staging </code></pre> </div> <p>We can also deploy the stack for production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run network:deploy <span class="nt">--</span> <span class="nt">-c</span> <span class="nv">environmentName</span><span class="o">=</span>prod </code></pre> </div> <p>We can look on CloudFormation to see all the Network resources that have been deployed for us:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228351453-a3eb005c-fd46-4e38-bb43-d0798098c373.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228351453-a3eb005c-fd46-4e38-bb43-d0798098c373.png" alt="image"></a></p> <p>We can now see how Constructs can abstract a lot of the complexity of deploying a full stack application. Using the <br> We have also seen how the Construct creates entries in AWS Systems Manager for the parameters that are related to the resources<br> we have deployed.</p> <h3> Deploying a Service Stack with CDK </h3> <p>We will now use the Service Construct to create a service on AWS ECS.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228356531-a6d84f03-3bb7-4091-95a6-cdd53eade21b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228356531-a6d84f03-3bb7-4091-95a6-cdd53eade21b.png" alt="image"></a></p> <p>The above image describes the main parts of the service app.</p> <p>We now create a Service Stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ServiceApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="nc">String</span> <span class="n">accountId</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"accountId"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="s">"context variable 'accountId' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">region</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"region"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">region</span><span class="o">,</span> <span class="s">"context variable 'region' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">applicationName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"applicationName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">applicationName</span><span class="o">,</span> <span class="s">"context variable 'applicationName' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">environmentName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"environmentName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">environmentName</span><span class="o">,</span> <span class="s">"context variable 'environmentName' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">dockerRepositoryName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"dockerRepositoryName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">dockerRepositoryName</span><span class="o">,</span> <span class="s">"context variable 'dockerRepositoryName' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">dockerImageTag</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"dockerImageTag"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">dockerImageTag</span><span class="o">,</span> <span class="s">"context variable 'dockerImageTag' must not be null"</span><span class="o">);</span> <span class="nc">Environment</span> <span class="n">env</span> <span class="o">=</span> <span class="n">makeEnv</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="n">region</span><span class="o">);</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApplicationEnvironment</span><span class="o">(</span> <span class="n">applicationName</span><span class="o">,</span> <span class="n">environmentName</span><span class="o">);</span> <span class="nc">Stack</span> <span class="n">serviceStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span> <span class="s">"ServiceStack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">stackName</span><span class="o">(</span><span class="n">environmentName</span> <span class="o">+</span> <span class="s">"-Service"</span><span class="o">)</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="n">env</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">()</span> <span class="o">);</span> <span class="nc">Network</span><span class="o">.</span><span class="na">NetworkOutputParameters</span> <span class="n">networkOutputParameters</span> <span class="o">=</span> <span class="nc">Network</span><span class="o">.</span><span class="na">getOutputParametersFromParameterStore</span><span class="o">(</span><span class="n">serviceStack</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">getEnvironmentName</span><span class="o">());</span> <span class="nc">Service</span> <span class="n">service</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Service</span><span class="o">(</span> <span class="n">serviceStack</span><span class="o">,</span> <span class="s">"Service"</span><span class="o">,</span> <span class="n">env</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">,</span> <span class="k">new</span> <span class="nc">Service</span><span class="o">.</span><span class="na">ServiceInputParameters</span><span class="o">(</span> <span class="k">new</span> <span class="nc">Service</span><span class="o">.</span><span class="na">DockerImageSource</span><span class="o">(</span><span class="n">dockerRepositoryName</span><span class="o">,</span> <span class="n">dockerImageTag</span><span class="o">),</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;()),</span> <span class="n">networkOutputParameters</span> <span class="o">);</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">Environment</span> <span class="nf">makeEnv</span><span class="o">(</span><span class="nc">String</span> <span class="n">account</span><span class="o">,</span> <span class="nc">String</span> <span class="n">region</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="n">account</span><span class="o">)</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="n">region</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We are going to refer to the hello-world-app on ECR:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228363818-fcaa19d1-544d-40e1-891e-0e815b7a6e51.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228363818-fcaa19d1-544d-40e1-891e-0e815b7a6e51.png" alt="image"></a></p> <p>We can now deploy our service with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run service:deploy <span class="nt">--</span> <span class="nt">-c</span> <span class="nv">environmentName</span><span class="o">=</span>staging </code></pre> </div> <p>We can now see all the Constructs created as part of our deployment:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228364864-68681890-1c1a-4072-beda-e14ed35edf62.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228364864-68681890-1c1a-4072-beda-e14ed35edf62.png" alt="image"></a></p> <p>We can view the logs of the deployment:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228365292-d41cd9e8-1277-4716-b93c-23b3957f86bb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228365292-d41cd9e8-1277-4716-b93c-23b3957f86bb.png" alt="image"></a></p> <p>We can also see the app running on the loadbalancer associated with our target group:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228365967-e24adf7e-859f-48ad-83b1-46d46ea80160.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228365967-e24adf7e-859f-48ad-83b1-46d46ea80160.png" alt="image"></a></p> <p>So, we have deployed a SpringBoot application to the cloud using CDK. The CDK and CloudFormation did a lot of the hard work by spinning up the<br> Application Load Balancer and EC2 instances. We have built loosely coupled stacks. The Constructs have protected us from a lot of the<br> complexity of building the resources.</p> <h3> Continuous Deployment with CDK and Github Actions </h3> <p>We can now practice deploying our application to the cloud using Github Actions and build a CD pipeline.</p> <h1> Hello Stratospheric </h1> <p>This is the link for our Continuous Deployment github actions example:<br> <a href="https://github.com/TomSpencerLondon/hello-stratospheric" rel="noopener noreferrer">https://github.com/TomSpencerLondon/hello-stratospheric</a></p> <p>A Hello World app to showcase a continuous deployment pipeline with Spring Boot, CDK, and AWS.</p> <h3> Build app </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./gradlew build </code></pre> </div> <p>We have a Dockerfile for building the application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> eclipse-temurin:17-jre</span> <span class="k">ARG</span><span class="s"> JAR_FILE=build/libs/*.jar</span> <span class="k">COPY</span><span class="s"> ${JAR_FILE} app.jar</span> <span class="k">ENTRYPOINT</span><span class="s"> ["java", "-jar", "/app.jar"]</span> </code></pre> </div> <p>We can query our AWS credentials with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts get-caller-identity </code></pre> </div> <h3> Continuous Deployment </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228384793-5de2fcd2-a737-4d4a-8558-07b89e1be581.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228384793-5de2fcd2-a737-4d4a-8558-07b89e1be581.png" alt="image"></a></p> <p>In the first lane of the diagram above we have the main pipeline which runs tests and builds for a jar file. This is then converted to an image that is published to ECR.<br> The deploy step deploys the application using the Service App from our repository. The ECS Service requires a VPC and an ECR<br> Repository. We manually create teh Docker Repository and Network before creating the Service. When we push to the git repository the app will be built and then published to the ECR repository. If the publish step is successful<br> the deploy step deploys the Docker image. The ECS Service requires a VPC and ECR Repository. The ECR Repository and the Network will not change<br> frequently so they are not included in the pipeline. We create the Docker Repository and Network manually.<br> In GitHub Actions we have a workflow which is a series of actions that are triggered for instance by a push to the main branch.<br> The Workflow contains one or more jobs and jobs contain one or more steps. Steps in a job always run in sequence.<br> We will start with a Bootstrap command pushing to the Docker repository.</p> <p>We will have to enter the secrets in the github repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">AWS_ACCOUNT_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCOUNT_ID }}</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">AWS_DEFAULT_REGION</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_REGION }}</span> </code></pre> </div> <p>We are keeping all the folders for AWS deployment with CDK in the CDK folder. The github workflows are kept in the .github folder.<br> As part of the manual section of the deploy we bootstrap the environment for the DockerRepository. Bootstrapping is the deployment of an<br> AWS CloudFormation template to a specific AWS environment (account and Region). The bootstrapping template accepts parameters that customize<br> some aspects of the bootstrapped resources. We can see the github actions on the Actions tab of our repository:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228491420-345ee44c-103a-414f-bbcc-2e7d40127ba9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228491420-345ee44c-103a-414f-bbcc-2e7d40127ba9.png" alt="image"></a></p> <p>The instructions for the manual deploy are kept in 01-bootstrap.yml and 02-create-environment.yml. The build and deploy commands are kept in<br> 03-build-and-deploy.yml. This runs every time there is a push to the main branch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> </code></pre> </div> <p>We also have a concurrency entry on deploy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-20.04</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Todo App (Demo)</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build-and-publish</span> <span class="na">timeout-minutes</span><span class="pi">:</span> <span class="m">15</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="na">concurrency</span><span class="pi">:</span> <span class="s">hello-world-deployment</span> <span class="na">steps</span><span class="pi">:</span> </code></pre> </div> <p>This avoids conflicts if two people merge code in the same timeframe. This <a href="https://docs.github.com/en/actions/using-jobs/using-concurrency" rel="noopener noreferrer">doc</a> is<br> useful on concurrency. We can now see the staging-Service on CloudFormation:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228494858-b363b897-5dcb-4484-89e2-0b9bc03fdd43.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228494858-b363b897-5dcb-4484-89e2-0b9bc03fdd43.png" alt="image"></a></p> <p>If we click on the Load Balancer url in Resources we can see our app is up and running:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228495152-34b45823-bf30-4bd4-9743-708bd0cb524c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228495152-34b45823-bf30-4bd4-9743-708bd0cb524c.png" alt="image"></a></p> <p>We have now wrapped the cdk commands in a GitHub workflow. We had two forms of workflow: manual triggers and on push.</p> <h3> Spring Boot &amp; AWS </h3> <p>We are going to build an application with Spring Boot and deploy it to AWS Cloud.<br> This application includes:</p> <ul> <li>Registration and login</li> <li>CRUD: Viewing, adding and deleting Todos</li> <li>Sharing Todos</li> <li>Email notifications</li> <li>Push notifications</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228534282-5d963e84-e43c-41a3-868a-6100dc20c131.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228534282-5d963e84-e43c-41a3-868a-6100dc20c131.png" alt="image"></a></p> <p>The above architecture describes the features we will implement. We interact with a REST API for showing thymeleaf pages.<br> We use an RDS database on RDS and a DynamoDB database for storage. We will decouple sending emails with SQS. We will allow<br> push notifications for collaboration with Amazon MQ with a websocket broker relay.</p> <h3> Local Development </h3> <p>We will learn about the challenges of local cloud development.<br> We will also learn about LocalStack and Drop-in replacements for Amazon RDS and Amazon Cognito.<br> The goal is to make local development as easy as possible. LocalStack is a fully functional<br> AWS Cloud stack:<br> <a href="https://localstack.cloud/" rel="noopener noreferrer">https://localstack.cloud/</a></p> <p>We will use the localstack docker image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-p</span> 4566:4566 <span class="nt">-e</span> <span class="nv">SERVICES</span><span class="o">=</span>s3 localstack/localstack </code></pre> </div> <p>To use localstack we can use the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws s3api create-bucket <span class="nt">--bucket</span> toms-s3-bucket <span class="nt">--endpoint-url</span> http://localhost:4566 <span class="nt">--create-bucket-configuration</span> <span class="nv">LocationConstraint</span><span class="o">=</span>eu-west-1 <span class="o">{</span> <span class="s2">"Location"</span>: <span class="s2">"http://toms-s3-bucket.s3.localhost.localstack.cloud:4566/"</span> <span class="o">}</span> </code></pre> </div> <p>With local development, we now need to connect to the LocalStack instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">cloud</span><span class="pi">:</span> <span class="na">aws</span><span class="pi">:</span> <span class="na">rds</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">sqs</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">http://localhost:4566</span> <span class="na">region</span><span class="pi">:</span> <span class="s">eu-central-1</span> <span class="na">mail</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">http://localhost:4566</span> <span class="na">region</span><span class="pi">:</span> <span class="s">eu-central-1</span> <span class="na">credentials</span><span class="pi">:</span> <span class="na">secret-key</span><span class="pi">:</span> <span class="s">foo</span> <span class="na">access-key</span><span class="pi">:</span> <span class="s">bar</span> </code></pre> </div> <p>We also hard code our credentials above. We then create our resources on LocalStack. We will use docker-compose.yml for this.<br> We use local-aws-infrastructure.sh to create our services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>awslocal sqs create-queue <span class="nt">--queue-name</span> stratospheric-todo-sharing </code></pre> </div> <p>We use a local docker image for postgres to replace AWS RDS. We will also use KeyCloak to replace Amazon Cognito:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">keycloak</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/keycloak/keycloak:18.0.0-legacy</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">8888:8080</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">KEYCLOAK_USER=keycloak</span> <span class="pi">-</span> <span class="s">KEYCLOAK_PASSWORD=keycloak</span> <span class="pi">-</span> <span class="s">DB_VENDOR=h2</span> <span class="pi">-</span> <span class="s">JAVA_OPTS=-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/tmp/stratospheric-realm.json</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./src/test/resources/keycloak/stratospheric-realm.json:/tmp/stratospheric-realm.json</span> </code></pre> </div> <p>We will use docker compose before starting our application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose up </code></pre> </div> <p>We now have two properties application-dev and application-aws for local development.<br> We have learnt about the approaches for local cloud development, using the LocalStack and Docker and we have replaced<br> RDS and Cognito with a local postgres instance and KeyCloak.</p> <h3> Todo App Design </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228904750-5a3fe117-0e2b-4324-b33b-3165c86225f2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228904750-5a3fe117-0e2b-4324-b33b-3165c86225f2.png" alt="image"></a></p> <h3> Building User Registration and Login with Amazon Cognito </h3> <p>We will now learn how to add User Registration and Login using AWS Cognito. We will first learn about Amazon Cognito.<br> We will then look at OAuth 2.0 and OpenID Connect and look at the OAuth Authorization Code Grant Flow.<br> Amazon Cognito is a managed service that provides authentication, authorization and user management for applications.<br> This allows us to delegate user management to AWS.</p> <h4> OAuth 2.0 </h4> <p>Open Authorization is the industry standard for authentication and authorization. It provides a protocol for login for applications.<br> When we sign up we are asked to grant access to the site for specific tasks. We are redirected to another site to grant permissions.<br> Once we have granted permission the application has access to data shared by our identifying website. We will now learn about<br> Resource Owners (end users who own resources in a third party application), Resource Sever (provides protected resources),<br> Client for accessing resources and Authorization Server (a server dedicated to authorization). There are different Grant Types which<br> might be Authorization Codes, Client Codes and Refresh Tokens.</p> <h4> OpenID Connect 1.0 </h4> <p>OpenID connect is a protocol for identity authentication. With OpenID Connect the end user entity becomes the protected resource.<br> This authentication mechanism is most commonly used with the Authorization Code grant type. When we see login with Google<br> the application is most commonly using OpenID Connect.</p> <h4> OAuth Authorization Code Grant Flow </h4> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228911198-bf7f9126-a966-4803-aafa-8c8edc32ad4b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228911198-bf7f9126-a966-4803-aafa-8c8edc32ad4b.png" alt="image"></a></p> <p>Above we describe user management with OAuth2. Here the resource owner asks to access the application.<br> The application requests authorization for Github repos from the user. The user authenticates at Github and grants authorization.<br> The Authorization server then sends an authorization code. The application then exchanges the authorization code for an access token<br> which is then returned by the authorization server. The application then requests the protected resources (in this case Github repos) with<br> the access token. If the access token is correct then the resource server returns information about the resource.</p> <p>Here we have learnt about OAuth and OpenID Connect and the Authentication and Authorization Flows. We will now learn about<br> Amazon Cognito.</p> <h4> Amazon Cognito </h4> <p>We will now learn about creating AWS Cognito resources with CDK. We will now look at some of the terms that Amazon Cognito uses.<br> A User Pool stores and manages User information. The User Pool App Client runs operations on a User Pool.<br> The Identity Pool works with IAM roles. For our application, we will create a single user pool to store all our users.<br> In the User Pool we will configure our password policy, define required and optional user attributes, enable password recovery and customize email notifications.<br> We will register our application as a User Pool app client to enable user login with OIDC and OAuth 2.0.<br> This is the setup for the CognitoApp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CognitoApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="nc">String</span> <span class="n">environmentName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"environmentName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">environmentName</span><span class="o">,</span> <span class="s">"context variable 'environmentName' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">applicationName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"applicationName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">applicationName</span><span class="o">,</span> <span class="s">"context variable 'applicationName' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">accountId</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"accountId"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="s">"context variable 'accountId' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">region</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"region"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">region</span><span class="o">,</span> <span class="s">"context variable 'region' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">applicationUrl</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"applicationUrl"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">applicationUrl</span><span class="o">,</span> <span class="s">"context variable 'applicationUrl' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">loginPageDomainPrefix</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"loginPageDomainPrefix"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">loginPageDomainPrefix</span><span class="o">,</span> <span class="s">"context variable 'loginPageDomainPrefix' must not be null"</span><span class="o">);</span> <span class="nc">Environment</span> <span class="n">awsEnvironment</span> <span class="o">=</span> <span class="n">makeEnv</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="n">region</span><span class="o">);</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApplicationEnvironment</span><span class="o">(</span> <span class="n">applicationName</span><span class="o">,</span> <span class="n">environmentName</span> <span class="o">);</span> <span class="k">new</span> <span class="nf">CognitoStack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span> <span class="s">"cognito"</span><span class="o">,</span> <span class="n">awsEnvironment</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">,</span> <span class="k">new</span> <span class="nc">CognitoStack</span><span class="o">.</span><span class="na">CognitoInputParameters</span><span class="o">(</span> <span class="n">applicationName</span><span class="o">,</span> <span class="n">applicationUrl</span><span class="o">,</span> <span class="n">loginPageDomainPrefix</span><span class="o">));</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">Environment</span> <span class="nf">makeEnv</span><span class="o">(</span><span class="nc">String</span> <span class="n">account</span><span class="o">,</span> <span class="nc">String</span> <span class="n">region</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Environment</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">account</span><span class="o">(</span><span class="n">account</span><span class="o">)</span> <span class="o">.</span><span class="na">region</span><span class="o">(</span><span class="n">region</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Here we add the domain name of our application with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">CognitoApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="c1">// ...</span> <span class="nc">String</span> <span class="n">applicationUrl</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"applicationUrl"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">applicationUrl</span><span class="o">,</span> <span class="s">"context variable 'applicationUrl' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">loginPageDomainPrefix</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"loginPageDomainPrefix"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">loginPageDomainPrefix</span><span class="o">,</span> <span class="s">"context variable 'loginPageDomainPrefix' must not be null"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The application url parameter is the final url of our application. Stack sets up the application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">class</span> <span class="nc">CognitoStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">UserPool</span> <span class="n">userPool</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">UserPoolClient</span> <span class="n">userPoolClient</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">UserPoolDomain</span> <span class="n">userPoolDomain</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">userPoolClientSecret</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">logoutUrl</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">CognitoStack</span><span class="o">(</span> <span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">Environment</span> <span class="n">awsEnvironment</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">CognitoInputParameters</span> <span class="n">inputParameters</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">stackName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"Cognito"</span><span class="o">))</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="n">awsEnvironment</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="k">this</span><span class="o">.</span><span class="na">applicationEnvironment</span> <span class="o">=</span> <span class="n">applicationEnvironment</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">logoutUrl</span> <span class="o">=</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"https://%s.auth.%s.amazoncognito.com/logout"</span><span class="o">,</span> <span class="n">inputParameters</span><span class="o">.</span><span class="na">loginPageDomainPrefix</span><span class="o">,</span> <span class="n">awsEnvironment</span><span class="o">.</span><span class="na">getRegion</span><span class="o">());</span> <span class="k">this</span><span class="o">.</span><span class="na">userPool</span> <span class="o">=</span> <span class="nc">UserPool</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"userPool"</span><span class="o">)</span> <span class="o">.</span><span class="na">userPoolName</span><span class="o">(</span><span class="n">inputParameters</span><span class="o">.</span><span class="na">applicationName</span> <span class="o">+</span> <span class="s">"-user-pool"</span><span class="o">)</span> <span class="o">.</span><span class="na">selfSignUpEnabled</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">accountRecovery</span><span class="o">(</span><span class="nc">AccountRecovery</span><span class="o">.</span><span class="na">EMAIL_ONLY</span><span class="o">)</span> <span class="o">.</span><span class="na">autoVerify</span><span class="o">(</span><span class="nc">AutoVerifiedAttrs</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">email</span><span class="o">(</span><span class="kc">true</span><span class="o">).</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">signInAliases</span><span class="o">(</span><span class="nc">SignInAliases</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">username</span><span class="o">(</span><span class="kc">true</span><span class="o">).</span><span class="na">email</span><span class="o">(</span><span class="kc">true</span><span class="o">).</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">signInCaseSensitive</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">standardAttributes</span><span class="o">(</span><span class="nc">StandardAttributes</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">email</span><span class="o">(</span><span class="nc">StandardAttribute</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">required</span><span class="o">(</span><span class="kc">true</span><span class="o">).</span><span class="na">mutable</span><span class="o">(</span><span class="kc">false</span><span class="o">).</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">mfa</span><span class="o">(</span><span class="nc">Mfa</span><span class="o">.</span><span class="na">OFF</span><span class="o">)</span> <span class="o">.</span><span class="na">passwordPolicy</span><span class="o">(</span><span class="nc">PasswordPolicy</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">requireLowercase</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">requireDigits</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">requireSymbols</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">requireUppercase</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">minLength</span><span class="o">(</span><span class="mi">12</span><span class="o">)</span> <span class="o">.</span><span class="na">tempPasswordValidity</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">days</span><span class="o">(</span><span class="mi">7</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">userPoolClient</span> <span class="o">=</span> <span class="nc">UserPoolClient</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"userPoolClient"</span><span class="o">)</span> <span class="o">.</span><span class="na">userPoolClientName</span><span class="o">(</span><span class="n">inputParameters</span><span class="o">.</span><span class="na">applicationName</span> <span class="o">+</span> <span class="s">"-client"</span><span class="o">)</span> <span class="o">.</span><span class="na">generateSecret</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">userPool</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">userPool</span><span class="o">)</span> <span class="o">.</span><span class="na">oAuth</span><span class="o">(</span><span class="nc">OAuthSettings</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">callbackUrls</span><span class="o">(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"%s/login/oauth2/code/cognito"</span><span class="o">,</span> <span class="n">inputParameters</span><span class="o">.</span><span class="na">applicationUrl</span><span class="o">),</span> <span class="s">"http://localhost:8080/login/oauth2/code/cognito"</span> <span class="o">))</span> <span class="o">.</span><span class="na">logoutUrls</span><span class="o">(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="n">inputParameters</span><span class="o">.</span><span class="na">applicationUrl</span><span class="o">,</span> <span class="s">"http://localhost:8080"</span><span class="o">))</span> <span class="o">.</span><span class="na">flows</span><span class="o">(</span><span class="nc">OAuthFlows</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizationCodeGrant</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">scopes</span><span class="o">(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="nc">OAuthScope</span><span class="o">.</span><span class="na">EMAIL</span><span class="o">,</span> <span class="nc">OAuthScope</span><span class="o">.</span><span class="na">OPENID</span><span class="o">,</span> <span class="nc">OAuthScope</span><span class="o">.</span><span class="na">PROFILE</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">supportedIdentityProviders</span><span class="o">(</span><span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="nc">UserPoolClientIdentityProvider</span><span class="o">.</span><span class="na">COGNITO</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">userPoolDomain</span> <span class="o">=</span> <span class="nc">UserPoolDomain</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"userPoolDomain"</span><span class="o">)</span> <span class="o">.</span><span class="na">userPool</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">userPool</span><span class="o">)</span> <span class="o">.</span><span class="na">cognitoDomain</span><span class="o">(</span><span class="nc">CognitoDomainOptions</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">domainPrefix</span><span class="o">(</span><span class="n">inputParameters</span><span class="o">.</span><span class="na">loginPageDomainPrefix</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">createOutputParameters</span><span class="o">();</span> <span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">tag</span><span class="o">(</span><span class="k">this</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Here we have avoided using MFA and set a password policy for the user. We also set the configuration for the User Pool Client.<br> We also add a list of UserPoolClientIdentityProviders. We also create output parameters for the Spring application.</p> <p>We have learnt about Cognito Resources and Infrastructure. This is a useful link for Amazon Cognito:<br> <a href="https://aws.amazon.com/cognito/" rel="noopener noreferrer">https://aws.amazon.com/cognito/</a><br> This is a useful link for more information about OAuth:<br> <a href="https://oauth.net/2/" rel="noopener noreferrer">https://oauth.net/2/</a></p> <h4> Connecting to Database with Amazon RDS </h4> <p>In this section we will learn how to work with AWS RDS.<br> We will learn about RDS and also develop the infrastructure we will deploy.<br> AWS RDS offers supports PostgreSQL, MySQL, MariaDB, Oracle, Microsoft and Aurora.<br> It allows us to manage relational databases with tools such as AWS CLI, IAM, CloudFormation and CDK.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228945157-2b1a86e9-a467-4f64-82f3-414277c535d7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228945157-2b1a86e9-a467-4f64-82f3-414277c535d7.png" alt="image"></a></p> <p>Above is a diagram of the database setup. We put a database instance into a private subnet. The application in our<br> Service stack would connect to the RDS database. The ECS Task represents a Docker image and the ECS Service wraps<br> several Docker images into a Service. The overall infrastructure runs on a VPC. We will use an Application Load Balancer<br> and Internet Gateway to enable access for the internet.</p> <p>Here we have learnt about working with relational databases on AWS. In the next section we will learn about configuring IAM permissions<br> for RDS access. We will deploy a database related infrastructure and use the RDS database from our SpringBoot application.</p> <h4> Connecting to the Database with AWS RDS </h4> <p>Here we will look at setting up the required IAM permissions. We will then deploy RDS with CDK and then configure the RDS<br> databaes with our SpringBoot application.</p> <h4> Setting up the requisite IAM permissions </h4> <p>We need to add the RDSFullAccess policy for our developer user account:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228948472-55654f36-5c05-4ac1-a97f-1a5818c9be8e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228948472-55654f36-5c05-4ac1-a97f-1a5818c9be8e.png" alt="image"></a></p> <p>The application will have access to the database through the CDK app. We will deploy a database infrastructure with CDK and use the<br> Postgres Database Construct. The<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">PostgresDatabase</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="o">{</span> <span class="kd">public</span> <span class="nf">PostgresDatabase</span><span class="o">(</span> <span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">Environment</span> <span class="n">awsEnvironment</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">DatabaseInputParameters</span> <span class="n">databaseInputParameters</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">applicationEnvironment</span> <span class="o">=</span> <span class="n">applicationEnvironment</span><span class="o">;</span> <span class="c1">// Sadly, we cannot use VPC.fromLookup() to resolve a VPC object from this VpcId, because it's broken</span> <span class="c1">// (https://github.com/aws/aws-cdk/issues/3600). So, we have to resolve all properties we need from the VPC</span> <span class="c1">// via SSM parameter store.</span> <span class="nc">Network</span><span class="o">.</span><span class="na">NetworkOutputParameters</span> <span class="n">networkOutputParameters</span> <span class="o">=</span> <span class="nc">Network</span><span class="o">.</span><span class="na">getOutputParametersFromParameterStore</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">getEnvironmentName</span><span class="o">());</span> <span class="nc">String</span> <span class="n">username</span> <span class="o">=</span> <span class="n">sanitizeDbParameterName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"dbUser"</span><span class="o">));</span> <span class="n">databaseSecurityGroup</span> <span class="o">=</span> <span class="nc">CfnSecurityGroup</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"databaseSecurityGroup"</span><span class="o">)</span> <span class="o">.</span><span class="na">vpcId</span><span class="o">(</span><span class="n">networkOutputParameters</span><span class="o">.</span><span class="na">getVpcId</span><span class="o">())</span> <span class="o">.</span><span class="na">groupDescription</span><span class="o">(</span><span class="s">"Security Group for the database instance"</span><span class="o">)</span> <span class="o">.</span><span class="na">groupName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"dbSecurityGroup"</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="c1">// This will generate a JSON object with the keys "username" and "password".</span> <span class="n">databaseSecret</span> <span class="o">=</span> <span class="nc">Secret</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"databaseSecret"</span><span class="o">)</span> <span class="o">.</span><span class="na">secretName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"DatabaseSecret"</span><span class="o">))</span> <span class="o">.</span><span class="na">description</span><span class="o">(</span><span class="s">"Credentials to the RDS instance"</span><span class="o">)</span> <span class="o">.</span><span class="na">generateSecretString</span><span class="o">(</span><span class="nc">SecretStringGenerator</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">secretStringTemplate</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"{\"username\": \"%s\"}"</span><span class="o">,</span> <span class="n">username</span><span class="o">))</span> <span class="o">.</span><span class="na">generateStringKey</span><span class="o">(</span><span class="s">"password"</span><span class="o">)</span> <span class="o">.</span><span class="na">passwordLength</span><span class="o">(</span><span class="mi">32</span><span class="o">)</span> <span class="o">.</span><span class="na">excludeCharacters</span><span class="o">(</span><span class="s">"@/\\\" "</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">CfnDBSubnetGroup</span> <span class="n">subnetGroup</span> <span class="o">=</span> <span class="nc">CfnDBSubnetGroup</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"dbSubnetGroup"</span><span class="o">)</span> <span class="o">.</span><span class="na">dbSubnetGroupDescription</span><span class="o">(</span><span class="s">"Subnet group for the RDS instance"</span><span class="o">)</span> <span class="o">.</span><span class="na">dbSubnetGroupName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"dbSubnetGroup"</span><span class="o">))</span> <span class="o">.</span><span class="na">subnetIds</span><span class="o">(</span><span class="n">networkOutputParameters</span><span class="o">.</span><span class="na">getIsolatedSubnets</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">dbInstance</span> <span class="o">=</span> <span class="nc">CfnDBInstance</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"postgresInstance"</span><span class="o">)</span> <span class="o">.</span><span class="na">dbInstanceIdentifier</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"database"</span><span class="o">))</span> <span class="o">.</span><span class="na">allocatedStorage</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">valueOf</span><span class="o">(</span><span class="n">databaseInputParameters</span><span class="o">.</span><span class="na">storageInGb</span><span class="o">))</span> <span class="o">.</span><span class="na">availabilityZone</span><span class="o">(</span><span class="n">networkOutputParameters</span><span class="o">.</span><span class="na">getAvailabilityZones</span><span class="o">().</span><span class="na">get</span><span class="o">(</span><span class="mi">0</span><span class="o">))</span> <span class="o">.</span><span class="na">dbInstanceClass</span><span class="o">(</span><span class="n">databaseInputParameters</span><span class="o">.</span><span class="na">instanceClass</span><span class="o">)</span> <span class="o">.</span><span class="na">dbName</span><span class="o">(</span><span class="n">sanitizeDbParameterName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"database"</span><span class="o">)))</span> <span class="o">.</span><span class="na">dbSubnetGroupName</span><span class="o">(</span><span class="n">subnetGroup</span><span class="o">.</span><span class="na">getDbSubnetGroupName</span><span class="o">())</span> <span class="o">.</span><span class="na">engine</span><span class="o">(</span><span class="s">"postgres"</span><span class="o">)</span> <span class="o">.</span><span class="na">engineVersion</span><span class="o">(</span><span class="n">databaseInputParameters</span><span class="o">.</span><span class="na">postgresVersion</span><span class="o">)</span> <span class="o">.</span><span class="na">masterUsername</span><span class="o">(</span><span class="n">username</span><span class="o">)</span> <span class="o">.</span><span class="na">masterUserPassword</span><span class="o">(</span><span class="n">databaseSecret</span><span class="o">.</span><span class="na">secretValueFromJson</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">toString</span><span class="o">())</span> <span class="o">.</span><span class="na">publiclyAccessible</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="o">.</span><span class="na">vpcSecurityGroups</span><span class="o">(</span><span class="nc">Collections</span><span class="o">.</span><span class="na">singletonList</span><span class="o">(</span><span class="n">databaseSecurityGroup</span><span class="o">.</span><span class="na">getAttrGroupId</span><span class="o">()))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">CfnSecretTargetAttachment</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"secretTargetAttachment"</span><span class="o">)</span> <span class="o">.</span><span class="na">secretId</span><span class="o">(</span><span class="n">databaseSecret</span><span class="o">.</span><span class="na">getSecretArn</span><span class="o">())</span> <span class="o">.</span><span class="na">targetId</span><span class="o">(</span><span class="n">dbInstance</span><span class="o">.</span><span class="na">getRef</span><span class="o">())</span> <span class="o">.</span><span class="na">targetType</span><span class="o">(</span><span class="s">"AWS::RDS::DBInstance"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">createOutputParameters</span><span class="o">();</span> <span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">tag</span><span class="o">(</span><span class="k">this</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>First the construct creates a database security group. We also define subnets which will be used by the database instance. We also create a database secret<br> and then create the Postgres Database. We can then deploy and destroy the application with our package.json script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"database:deploy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk deploy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=dev.stratospheric.todoapp.cdk.DatabaseApp</span><span class="se">\"</span><span class="s2"> --require-approval never"</span><span class="p">,</span><span class="w"> </span><span class="nl">"database:destroy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk destroy --app </span><span class="se">\"</span><span class="s2">./mvnw -e -q compile exec:java -Dexec.mainClass=dev.stratospheric.todoapp.cdk.DatabaseApp</span><span class="se">\"</span><span class="s2"> --force --require-approval never"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>We run the command and create and instantiate the database and server that we will use.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run database:deploy </code></pre> </div> <p>AWS will instantiate the Postgres server and the other resources we need. The above command runs the cdk deploy.<br> If we want to use a different profile we can use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run database:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>Here the double dash tells npm not to evaluate what is after it so the --profile is sent on to the aws script.</p> <p>We now have a database running so we can now setup our SpringBoot application. We do this with the ServiceApp inside the CDK folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ServiceApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">App</span> <span class="n">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="o">();</span> <span class="nc">String</span> <span class="n">environmentName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"environmentName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">environmentName</span><span class="o">,</span> <span class="s">"context variable 'environmentName' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">applicationName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"applicationName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">applicationName</span><span class="o">,</span> <span class="s">"context variable 'applicationName' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">accountId</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"accountId"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="s">"context variable 'accountId' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">springProfile</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"springProfile"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">springProfile</span><span class="o">,</span> <span class="s">"context variable 'springProfile' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">dockerRepositoryName</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"dockerRepositoryName"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">dockerRepositoryName</span><span class="o">,</span> <span class="s">"context variable 'dockerRepositoryName' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">dockerImageTag</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"dockerImageTag"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">dockerImageTag</span><span class="o">,</span> <span class="s">"context variable 'dockerImageTag' must not be null"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">region</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">app</span><span class="o">.</span><span class="na">getNode</span><span class="o">().</span><span class="na">tryGetContext</span><span class="o">(</span><span class="s">"region"</span><span class="o">);</span> <span class="nc">Validations</span><span class="o">.</span><span class="na">requireNonEmpty</span><span class="o">(</span><span class="n">region</span><span class="o">,</span> <span class="s">"context variable 'region' must not be null"</span><span class="o">);</span> <span class="nc">Environment</span> <span class="n">awsEnvironment</span> <span class="o">=</span> <span class="n">makeEnv</span><span class="o">(</span><span class="n">accountId</span><span class="o">,</span> <span class="n">region</span><span class="o">);</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApplicationEnvironment</span><span class="o">(</span> <span class="n">applicationName</span><span class="o">,</span> <span class="n">environmentName</span> <span class="o">);</span> <span class="c1">// This stack is just a container for the parameters below, because they need a Stack as a scope.</span> <span class="c1">// We're making this parameters stack unique with each deployment by adding a timestamp, because updating an existing</span> <span class="c1">// parameters stack will fail because the parameters may be used by an old service stack.</span> <span class="c1">// This means that each update will generate a new parameters stack that needs to be cleaned up manually!</span> <span class="kt">long</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="nc">System</span><span class="o">.</span><span class="na">currentTimeMillis</span><span class="o">();</span> <span class="nc">Stack</span> <span class="n">parametersStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span> <span class="s">"ServiceParameters-"</span> <span class="o">+</span> <span class="n">timestamp</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">stackName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"Service-Parameters-"</span> <span class="o">+</span> <span class="n">timestamp</span><span class="o">))</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="n">awsEnvironment</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="nc">Stack</span> <span class="n">serviceStack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stack</span><span class="o">(</span><span class="n">app</span><span class="o">,</span> <span class="s">"ServiceStack"</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">stackName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"Service"</span><span class="o">))</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="n">awsEnvironment</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="nc">PostgresDatabase</span><span class="o">.</span><span class="na">DatabaseOutputParameters</span> <span class="n">databaseOutputParameters</span> <span class="o">=</span> <span class="nc">PostgresDatabase</span><span class="o">.</span><span class="na">getOutputParametersFromParameterStore</span><span class="o">(</span><span class="n">parametersStack</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">);</span> <span class="nc">CognitoStack</span><span class="o">.</span><span class="na">CognitoOutputParameters</span> <span class="n">cognitoOutputParameters</span> <span class="o">=</span> <span class="nc">CognitoStack</span><span class="o">.</span><span class="na">getOutputParametersFromParameterStore</span><span class="o">(</span><span class="n">parametersStack</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">);</span> <span class="nc">MessagingStack</span><span class="o">.</span><span class="na">MessagingOutputParameters</span> <span class="n">messagingOutputParameters</span> <span class="o">=</span> <span class="nc">MessagingStack</span><span class="o">.</span><span class="na">getOutputParametersFromParameterStore</span><span class="o">(</span><span class="n">parametersStack</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">);</span> <span class="nc">ActiveMqStack</span><span class="o">.</span><span class="na">ActiveMqOutputParameters</span> <span class="n">activeMqOutputParameters</span> <span class="o">=</span> <span class="nc">ActiveMqStack</span><span class="o">.</span><span class="na">getOutputParametersFromParameterStore</span><span class="o">(</span><span class="n">parametersStack</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">);</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">securityGroupIdsToGrantIngressFromEcs</span> <span class="o">=</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span> <span class="n">databaseOutputParameters</span><span class="o">.</span><span class="na">getDatabaseSecurityGroupId</span><span class="o">(),</span> <span class="n">activeMqOutputParameters</span><span class="o">.</span><span class="na">getActiveMqSecurityGroupId</span><span class="o">()</span> <span class="o">);</span> <span class="k">new</span> <span class="nf">Service</span><span class="o">(</span> <span class="n">serviceStack</span><span class="o">,</span> <span class="s">"Service"</span><span class="o">,</span> <span class="n">awsEnvironment</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">,</span> <span class="k">new</span> <span class="nc">Service</span><span class="o">.</span><span class="na">ServiceInputParameters</span><span class="o">(</span> <span class="k">new</span> <span class="nc">Service</span><span class="o">.</span><span class="na">DockerImageSource</span><span class="o">(</span><span class="n">dockerRepositoryName</span><span class="o">,</span> <span class="n">dockerImageTag</span><span class="o">),</span> <span class="n">securityGroupIdsToGrantIngressFromEcs</span><span class="o">,</span> <span class="n">environmentVariables</span><span class="o">(</span> <span class="n">serviceStack</span><span class="o">,</span> <span class="n">databaseOutputParameters</span><span class="o">,</span> <span class="n">cognitoOutputParameters</span><span class="o">,</span> <span class="n">messagingOutputParameters</span><span class="o">,</span> <span class="n">activeMqOutputParameters</span><span class="o">,</span> <span class="n">springProfile</span><span class="o">,</span> <span class="n">environmentName</span><span class="o">))</span> <span class="o">.</span><span class="na">withTaskRolePolicyStatements</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="nc">PolicyStatement</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">()</span> <span class="o">.</span><span class="na">sid</span><span class="o">(</span><span class="s">"AllowSQSAccess"</span><span class="o">)</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"arn:aws:sqs:%s:%s:%s"</span><span class="o">,</span> <span class="n">region</span><span class="o">,</span> <span class="n">accountId</span><span class="o">,</span> <span class="n">messagingOutputParameters</span><span class="o">.</span><span class="na">getTodoSharingQueueName</span><span class="o">())</span> <span class="o">))</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span> <span class="s">"sqs:DeleteMessage"</span><span class="o">,</span> <span class="s">"sqs:GetQueueUrl"</span><span class="o">,</span> <span class="s">"sqs:ListDeadLetterSourceQueues"</span><span class="o">,</span> <span class="s">"sqs:ListQueues"</span><span class="o">,</span> <span class="s">"sqs:ListQueueTags"</span><span class="o">,</span> <span class="s">"sqs:ReceiveMessage"</span><span class="o">,</span> <span class="s">"sqs:SendMessage"</span><span class="o">,</span> <span class="s">"sqs:ChangeMessageVisibility"</span><span class="o">,</span> <span class="s">"sqs:GetQueueAttributes"</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">(),</span> <span class="nc">PolicyStatement</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">()</span> <span class="o">.</span><span class="na">sid</span><span class="o">(</span><span class="s">"AllowCreatingUsers"</span><span class="o">)</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"arn:aws:cognito-idp:%s:%s:userpool/%s"</span><span class="o">,</span> <span class="n">region</span><span class="o">,</span> <span class="n">accountId</span><span class="o">,</span> <span class="n">cognitoOutputParameters</span><span class="o">.</span><span class="na">getUserPoolId</span><span class="o">()))</span> <span class="o">)</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"cognito-idp:AdminCreateUser"</span> <span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">(),</span> <span class="nc">PolicyStatement</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">()</span> <span class="o">.</span><span class="na">sid</span><span class="o">(</span><span class="s">"AllowSendingEmails"</span><span class="o">)</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"arn:aws:ses:%s:%s:identity/stratospheric.dev"</span><span class="o">,</span> <span class="n">region</span><span class="o">,</span> <span class="n">accountId</span><span class="o">))</span> <span class="o">)</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"ses:SendEmail"</span><span class="o">,</span> <span class="s">"ses:SendRawEmail"</span> <span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">(),</span> <span class="nc">PolicyStatement</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">()</span> <span class="o">.</span><span class="na">sid</span><span class="o">(</span><span class="s">"AllowDynamoTableAccess"</span><span class="o">)</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"arn:aws:dynamodb:%s:%s:table/%s"</span><span class="o">,</span> <span class="n">region</span><span class="o">,</span> <span class="n">accountId</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"breadcrumb"</span><span class="o">)))</span> <span class="o">)</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"dynamodb:Scan"</span><span class="o">,</span> <span class="s">"dynamodb:Query"</span><span class="o">,</span> <span class="s">"dynamodb:PutItem"</span><span class="o">,</span> <span class="s">"dynamodb:GetItem"</span><span class="o">,</span> <span class="s">"dynamodb:BatchWriteItem"</span><span class="o">,</span> <span class="s">"dynamodb:BatchWriteGet"</span> <span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">(),</span> <span class="nc">PolicyStatement</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">()</span> <span class="o">.</span><span class="na">sid</span><span class="o">(</span><span class="s">"AllowSendingMetricsToCloudWatch"</span><span class="o">)</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span><span class="n">singletonList</span><span class="o">(</span><span class="s">"*"</span><span class="o">))</span> <span class="c1">// CloudWatch does not have any resource-level permissions, see https://stackoverflow.com/a/38055068/9085273</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span><span class="n">singletonList</span><span class="o">(</span><span class="s">"cloudwatch:PutMetricData"</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">()</span> <span class="o">))</span> <span class="o">.</span><span class="na">withStickySessionsEnabled</span><span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">.</span><span class="na">withHealthCheckPath</span><span class="o">(</span><span class="s">"/actuator/health"</span><span class="o">)</span> <span class="o">.</span><span class="na">withAwsLogsDateTimeFormat</span><span class="o">(</span><span class="s">"%Y-%m-%dT%H:%M:%S.%f%z"</span><span class="o">)</span> <span class="o">.</span><span class="na">withHealthCheckIntervalSeconds</span><span class="o">(</span><span class="mi">30</span><span class="o">),</span> <span class="c1">// needs to be long enough to allow for slow start up with low-end computing instances</span> <span class="nc">Network</span><span class="o">.</span><span class="na">getOutputParametersFromParameterStore</span><span class="o">(</span><span class="n">serviceStack</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">getEnvironmentName</span><span class="o">()));</span> <span class="n">app</span><span class="o">.</span><span class="na">synth</span><span class="o">();</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="nf">environmentVariables</span><span class="o">(</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="nc">PostgresDatabase</span><span class="o">.</span><span class="na">DatabaseOutputParameters</span> <span class="n">databaseOutputParameters</span><span class="o">,</span> <span class="nc">CognitoStack</span><span class="o">.</span><span class="na">CognitoOutputParameters</span> <span class="n">cognitoOutputParameters</span><span class="o">,</span> <span class="nc">MessagingStack</span><span class="o">.</span><span class="na">MessagingOutputParameters</span> <span class="n">messagingOutputParameters</span><span class="o">,</span> <span class="nc">ActiveMqStack</span><span class="o">.</span><span class="na">ActiveMqOutputParameters</span> <span class="n">activeMqOutputParameters</span><span class="o">,</span> <span class="nc">String</span> <span class="n">springProfile</span><span class="o">,</span> <span class="nc">String</span> <span class="n">environmentName</span> <span class="o">)</span> <span class="o">{</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="n">vars</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="nc">String</span> <span class="n">databaseSecretArn</span> <span class="o">=</span> <span class="n">databaseOutputParameters</span><span class="o">.</span><span class="na">getDatabaseSecretArn</span><span class="o">();</span> <span class="nc">ISecret</span> <span class="n">databaseSecret</span> <span class="o">=</span> <span class="nc">Secret</span><span class="o">.</span><span class="na">fromSecretCompleteArn</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="s">"databaseSecret"</span><span class="o">,</span> <span class="n">databaseSecretArn</span><span class="o">);</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"SPRING_PROFILES_ACTIVE"</span><span class="o">,</span> <span class="n">springProfile</span><span class="o">);</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"SPRING_DATASOURCE_URL"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"jdbc:postgresql://%s:%s/%s"</span><span class="o">,</span> <span class="n">databaseOutputParameters</span><span class="o">.</span><span class="na">getEndpointAddress</span><span class="o">(),</span> <span class="n">databaseOutputParameters</span><span class="o">.</span><span class="na">getEndpointPort</span><span class="o">(),</span> <span class="n">databaseOutputParameters</span><span class="o">.</span><span class="na">getDbName</span><span class="o">()));</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"SPRING_DATASOURCE_USERNAME"</span><span class="o">,</span> <span class="n">databaseSecret</span><span class="o">.</span><span class="na">secretValueFromJson</span><span class="o">(</span><span class="s">"username"</span><span class="o">).</span><span class="na">toString</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"SPRING_DATASOURCE_PASSWORD"</span><span class="o">,</span> <span class="n">databaseSecret</span><span class="o">.</span><span class="na">secretValueFromJson</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">toString</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"COGNITO_CLIENT_ID"</span><span class="o">,</span> <span class="n">cognitoOutputParameters</span><span class="o">.</span><span class="na">getUserPoolClientId</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"COGNITO_CLIENT_SECRET"</span><span class="o">,</span> <span class="n">cognitoOutputParameters</span><span class="o">.</span><span class="na">getUserPoolClientSecret</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"COGNITO_USER_POOL_ID"</span><span class="o">,</span> <span class="n">cognitoOutputParameters</span><span class="o">.</span><span class="na">getUserPoolId</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"COGNITO_LOGOUT_URL"</span><span class="o">,</span> <span class="n">cognitoOutputParameters</span><span class="o">.</span><span class="na">getLogoutUrl</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"COGNITO_PROVIDER_URL"</span><span class="o">,</span> <span class="n">cognitoOutputParameters</span><span class="o">.</span><span class="na">getProviderUrl</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"TODO_SHARING_QUEUE_NAME"</span><span class="o">,</span> <span class="n">messagingOutputParameters</span><span class="o">.</span><span class="na">getTodoSharingQueueName</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"WEB_SOCKET_RELAY_ENDPOINT"</span><span class="o">,</span> <span class="n">activeMqOutputParameters</span><span class="o">.</span><span class="na">getStompEndpoint</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"WEB_SOCKET_RELAY_USERNAME"</span><span class="o">,</span> <span class="n">activeMqOutputParameters</span><span class="o">.</span><span class="na">getActiveMqUsername</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"WEB_SOCKET_RELAY_PASSWORD"</span><span class="o">,</span> <span class="n">activeMqOutputParameters</span><span class="o">.</span><span class="na">getActiveMqPassword</span><span class="o">());</span> <span class="n">vars</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"ENVIRONMENT_NAME"</span><span class="o">,</span> <span class="n">environmentName</span><span class="o">);</span> <span class="k">return</span> <span class="n">vars</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Here we create the SpringBoot Service with the correct environment variables for configuring the database connection.<br> The AWS specific database stack can then be used with the Spring application. Spring uses the environment variables to<br> configure the database connection on SpringBoot start.</p> <p>We have seen how to configure IAM permissions for RDS access. We have deployed the database and are now using the RDS database from<br> our Spring application.</p> <h3> Sharing Todos with Amazon SQS and Amazon SES </h3> <p>Here we will integrate two new AWS services, AWS Simple Queue Service (<a href="https://aws.amazon.com/sqs/" rel="noopener noreferrer">SQS</a>) and<br> AWS Simple Email Service (<a href="https://aws.amazon.com/ses/" rel="noopener noreferrer">SES</a>) so that we can share Todos with other users so that they<br> can collaborate. Users accept collaboration by email and then collaborate. When users share their todos we put the request<br> into an SQS queue and then send out emails to the requested other user.</p> <h4> Introduction to Amazon SQS </h4> <p>Amazon SQS is a fully managed messaging service for queueing messages to different parts of our application. SQS can<br> also decouple components in a microservices distributed architecture. We interact with SQS via an https API.<br> SQS can persist our messages for up to 14 days. The standard queue type delivers on a best effort ordering. FIFO SQS<br> guarantees messages are sent in the same order as they are sent. Each message remains on the queue until the consumer<br> acknowledges its delivery by deleting the message. We set up our messaging queue with the MessagingStack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">class</span> <span class="nc">MessagingStack</span> <span class="kd">extends</span> <span class="nc">Stack</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">IQueue</span> <span class="n">todoSharingQueue</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">IQueue</span> <span class="n">todoSharingDlq</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">MessagingStack</span><span class="o">(</span> <span class="kd">final</span> <span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">id</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">Environment</span> <span class="n">awsEnvironment</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span><span class="o">)</span> <span class="o">{</span> <span class="kd">super</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">id</span><span class="o">,</span> <span class="nc">StackProps</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">stackName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"Messaging"</span><span class="o">))</span> <span class="o">.</span><span class="na">env</span><span class="o">(</span><span class="n">awsEnvironment</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="k">this</span><span class="o">.</span><span class="na">applicationEnvironment</span> <span class="o">=</span> <span class="n">applicationEnvironment</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">todoSharingDlq</span> <span class="o">=</span> <span class="nc">Queue</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"todoSharingDlq"</span><span class="o">)</span> <span class="o">.</span><span class="na">queueName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"todo-sharing-dead-letter-queue"</span><span class="o">))</span> <span class="o">.</span><span class="na">retentionPeriod</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">days</span><span class="o">(</span><span class="mi">14</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="k">this</span><span class="o">.</span><span class="na">todoSharingQueue</span> <span class="o">=</span> <span class="nc">Queue</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"todoSharingQueue"</span><span class="o">)</span> <span class="o">.</span><span class="na">queueName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">prefix</span><span class="o">(</span><span class="s">"todo-sharing-queue"</span><span class="o">))</span> <span class="o">.</span><span class="na">visibilityTimeout</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">seconds</span><span class="o">(</span><span class="mi">30</span><span class="o">))</span> <span class="o">.</span><span class="na">retentionPeriod</span><span class="o">(</span><span class="nc">Duration</span><span class="o">.</span><span class="na">days</span><span class="o">(</span><span class="mi">14</span><span class="o">))</span> <span class="o">.</span><span class="na">deadLetterQueue</span><span class="o">(</span><span class="nc">DeadLetterQueue</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">queue</span><span class="o">(</span><span class="n">todoSharingDlq</span><span class="o">)</span> <span class="o">.</span><span class="na">maxReceiveCount</span><span class="o">(</span><span class="mi">3</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">createOutputParameters</span><span class="o">();</span> <span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">tag</span><span class="o">(</span><span class="k">this</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">PARAMETER_TODO_SHARING_QUEUE_NAME</span> <span class="o">=</span> <span class="s">"todoSharingQueueName"</span><span class="o">;</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">createOutputParameters</span><span class="o">()</span> <span class="o">{</span> <span class="nc">StringParameter</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="no">PARAMETER_TODO_SHARING_QUEUE_NAME</span><span class="o">)</span> <span class="o">.</span><span class="na">parameterName</span><span class="o">(</span><span class="n">createParameterName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">,</span> <span class="no">PARAMETER_TODO_SHARING_QUEUE_NAME</span><span class="o">))</span> <span class="o">.</span><span class="na">stringValue</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">todoSharingQueue</span><span class="o">.</span><span class="na">getQueueName</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">createParameterName</span><span class="o">(</span><span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span><span class="o">,</span> <span class="nc">String</span> <span class="n">parameterName</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">getEnvironmentName</span><span class="o">()</span> <span class="o">+</span> <span class="s">"-"</span> <span class="o">+</span> <span class="n">applicationEnvironment</span><span class="o">.</span><span class="na">getApplicationName</span><span class="o">()</span> <span class="o">+</span> <span class="s">"-Messaging-"</span> <span class="o">+</span> <span class="n">parameterName</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">getTodoSharingQueueName</span><span class="o">(</span><span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">StringParameter</span><span class="o">.</span><span class="na">fromStringParameterName</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="no">PARAMETER_TODO_SHARING_QUEUE_NAME</span><span class="o">,</span> <span class="n">createParameterName</span><span class="o">(</span><span class="n">applicationEnvironment</span><span class="o">,</span> <span class="no">PARAMETER_TODO_SHARING_QUEUE_NAME</span><span class="o">))</span> <span class="o">.</span><span class="na">getStringValue</span><span class="o">();</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">MessagingOutputParameters</span> <span class="nf">getOutputParametersFromParameterStore</span><span class="o">(</span><span class="nc">Construct</span> <span class="n">scope</span><span class="o">,</span> <span class="nc">ApplicationEnvironment</span> <span class="n">applicationEnvironment</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">MessagingOutputParameters</span><span class="o">(</span> <span class="n">getTodoSharingQueueName</span><span class="o">(</span><span class="n">scope</span><span class="o">,</span> <span class="n">applicationEnvironment</span><span class="o">)</span> <span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">MessagingOutputParameters</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">todoSharingQueueName</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">MessagingOutputParameters</span><span class="o">(</span><span class="nc">String</span> <span class="n">todoSharingQueueName</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">todoSharingQueueName</span> <span class="o">=</span> <span class="n">todoSharingQueueName</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getTodoSharingQueueName</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">todoSharingQueueName</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Here we set up the queue and set the Deadletter queue to accept messages after four attempts. We also need to set up<br> SQS as a dependency in our build.gradle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">implementation</span> <span class="s1">'io.awspring.cloud:spring-cloud-aws-starter-sqs'</span> </code></pre> </div> <p>We then send the todo with a form on our dashboard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"dropdown-menu"</span> <span class="na">aria-labelledby=</span><span class="s">"dropdownMenuLink"</span><span class="nt">&gt;</span> <span class="nt">&lt;span</span> <span class="na">class=</span><span class="s">"dropdown-item"</span> <span class="na">th:if=</span><span class="s">"${collaborators.isEmpty()}"</span><span class="nt">&gt;</span> No collaborator available <span class="nt">&lt;/span&gt;</span> <span class="nt">&lt;form</span> <span class="na">th:method=</span><span class="s">"POST"</span> <span class="na">th:each=</span><span class="s">"collaborator : ${collaborators}"</span> <span class="na">th:action=</span><span class="s">"@{/todo/{todoId}/collaborations/{collaboratorId}(todoId=${todo.id}, collaboratorId=${collaborator.id})}"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">th:text=</span><span class="s">"${collaborator.name}"</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">name=</span><span class="s">"submit"</span> <span class="na">class=</span><span class="s">"dropdown-item"</span><span class="nt">&gt;</span> <span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <p>We also have a post endpoint on our controller to share todos:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Controller</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/todo"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">TodoCollaborationController</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">TodoCollaborationService</span> <span class="n">todoCollaborationService</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">TodoCollaborationController</span><span class="o">(</span><span class="nc">TodoCollaborationService</span> <span class="n">todoCollaborationService</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">todoCollaborationService</span> <span class="o">=</span> <span class="n">todoCollaborationService</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Timed</span><span class="o">(</span> <span class="n">value</span> <span class="o">=</span> <span class="s">"stratospheric.collaboration.sharing"</span><span class="o">,</span> <span class="n">description</span> <span class="o">=</span> <span class="s">"Measure the time how long it takes to share a todo"</span> <span class="o">)</span> <span class="nd">@PostMapping</span><span class="o">(</span><span class="s">"/{todoId}/collaborations/{collaboratorId}"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">shareTodoWithCollaborator</span><span class="o">(</span> <span class="nd">@PathVariable</span><span class="o">(</span><span class="s">"todoId"</span><span class="o">)</span> <span class="nc">Long</span> <span class="n">todoId</span><span class="o">,</span> <span class="nd">@PathVariable</span><span class="o">(</span><span class="s">"collaboratorId"</span><span class="o">)</span> <span class="nc">Long</span> <span class="n">collaboratorId</span><span class="o">,</span> <span class="nd">@AuthenticationPrincipal</span> <span class="nc">OidcUser</span> <span class="n">user</span><span class="o">,</span> <span class="nc">RedirectAttributes</span> <span class="n">redirectAttributes</span> <span class="o">)</span> <span class="kd">throws</span> <span class="nc">JsonProcessingException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">collaboratorName</span> <span class="o">=</span> <span class="n">todoCollaborationService</span><span class="o">.</span><span class="na">shareWithCollaborator</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getEmail</span><span class="o">(),</span> <span class="n">todoId</span><span class="o">,</span> <span class="n">collaboratorId</span><span class="o">);</span> <span class="n">redirectAttributes</span><span class="o">.</span><span class="na">addFlashAttribute</span><span class="o">(</span><span class="s">"message"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"You successfully shared your todo with the user %s. "</span> <span class="o">+</span> <span class="s">"Once the user accepts the invite, you'll see them as a collaborator on your todo."</span><span class="o">,</span> <span class="n">collaboratorName</span><span class="o">));</span> <span class="n">redirectAttributes</span><span class="o">.</span><span class="na">addFlashAttribute</span><span class="o">(</span><span class="s">"messageType"</span><span class="o">,</span> <span class="s">"success"</span><span class="o">);</span> <span class="k">return</span> <span class="s">"redirect:/dashboard"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The TodoCollaboration controller takes collaboration requests and sharings them using the todoCollaborationService.<br> The Service then shares the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Service</span> <span class="nd">@Transactional</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">TodoCollaborationService</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">TodoRepository</span> <span class="n">todoRepository</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">PersonRepository</span> <span class="n">personRepository</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">TodoCollaborationRequestRepository</span> <span class="n">todoCollaborationRequestRepository</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">SqsTemplate</span> <span class="n">sqsTemplate</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">todoSharingQueueName</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">SimpMessagingTemplate</span> <span class="n">simpMessagingTemplate</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Logger</span> <span class="no">LOG</span> <span class="o">=</span> <span class="nc">LoggerFactory</span><span class="o">.</span><span class="na">getLogger</span><span class="o">(</span><span class="nc">TodoCollaborationService</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">getName</span><span class="o">());</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">INVALID_TODO_ID</span> <span class="o">=</span> <span class="s">"Invalid todo ID: "</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">INVALID_PERSON_ID</span> <span class="o">=</span> <span class="s">"Invalid person ID: "</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">INVALID_PERSON_EMAIL</span> <span class="o">=</span> <span class="s">"Invalid person Email: "</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">TodoCollaborationService</span><span class="o">(</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${custom.sharing-queue}"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">todoSharingQueueName</span><span class="o">,</span> <span class="nc">TodoRepository</span> <span class="n">todoRepository</span><span class="o">,</span> <span class="nc">PersonRepository</span> <span class="n">personRepository</span><span class="o">,</span> <span class="nc">TodoCollaborationRequestRepository</span> <span class="n">todoCollaborationRequestRepository</span><span class="o">,</span> <span class="nc">SqsTemplate</span> <span class="n">sqsTemplate</span><span class="o">,</span> <span class="nc">SimpMessagingTemplate</span> <span class="n">simpMessagingTemplate</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">todoRepository</span> <span class="o">=</span> <span class="n">todoRepository</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">personRepository</span> <span class="o">=</span> <span class="n">personRepository</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">todoCollaborationRequestRepository</span> <span class="o">=</span> <span class="n">todoCollaborationRequestRepository</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">sqsTemplate</span> <span class="o">=</span> <span class="n">sqsTemplate</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">todoSharingQueueName</span> <span class="o">=</span> <span class="n">todoSharingQueueName</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">simpMessagingTemplate</span> <span class="o">=</span> <span class="n">simpMessagingTemplate</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">shareWithCollaborator</span><span class="o">(</span><span class="nc">String</span> <span class="n">todoOwnerEmail</span><span class="o">,</span> <span class="nc">Long</span> <span class="n">todoId</span><span class="o">,</span> <span class="nc">Long</span> <span class="n">collaboratorId</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Todo</span> <span class="n">todo</span> <span class="o">=</span> <span class="n">todoRepository</span> <span class="o">.</span><span class="na">findByIdAndOwnerEmail</span><span class="o">(</span><span class="n">todoId</span><span class="o">,</span> <span class="n">todoOwnerEmail</span><span class="o">)</span> <span class="o">.</span><span class="na">orElseThrow</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">IllegalArgumentException</span><span class="o">(</span><span class="no">INVALID_TODO_ID</span> <span class="o">+</span> <span class="n">todoId</span><span class="o">));</span> <span class="nc">Person</span> <span class="n">collaborator</span> <span class="o">=</span> <span class="n">personRepository</span> <span class="o">.</span><span class="na">findById</span><span class="o">(</span><span class="n">collaboratorId</span><span class="o">)</span> <span class="o">.</span><span class="na">orElseThrow</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">IllegalArgumentException</span><span class="o">(</span><span class="no">INVALID_PERSON_ID</span> <span class="o">+</span> <span class="n">collaboratorId</span><span class="o">));</span> <span class="k">if</span> <span class="o">(</span><span class="n">todoCollaborationRequestRepository</span><span class="o">.</span><span class="na">findByTodoAndCollaborator</span><span class="o">(</span><span class="n">todo</span><span class="o">,</span> <span class="n">collaborator</span><span class="o">)</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Collaboration request for todo {} with collaborator {} already exists"</span><span class="o">,</span> <span class="n">todoId</span><span class="o">,</span> <span class="n">collaboratorId</span><span class="o">);</span> <span class="k">return</span> <span class="n">collaborator</span><span class="o">.</span><span class="na">getName</span><span class="o">();</span> <span class="o">}</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"About to share todo with id {} with collaborator {}"</span><span class="o">,</span> <span class="n">todoId</span><span class="o">,</span> <span class="n">collaboratorId</span><span class="o">);</span> <span class="nc">TodoCollaborationRequest</span> <span class="n">collaboration</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TodoCollaborationRequest</span><span class="o">();</span> <span class="nc">String</span> <span class="n">token</span> <span class="o">=</span> <span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">();</span> <span class="n">collaboration</span><span class="o">.</span><span class="na">setToken</span><span class="o">(</span><span class="n">token</span><span class="o">);</span> <span class="n">collaboration</span><span class="o">.</span><span class="na">setCollaborator</span><span class="o">(</span><span class="n">collaborator</span><span class="o">);</span> <span class="n">collaboration</span><span class="o">.</span><span class="na">setTodo</span><span class="o">(</span><span class="n">todo</span><span class="o">);</span> <span class="n">todo</span><span class="o">.</span><span class="na">getCollaborationRequests</span><span class="o">().</span><span class="na">add</span><span class="o">(</span><span class="n">collaboration</span><span class="o">);</span> <span class="n">todoCollaborationRequestRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">collaboration</span><span class="o">);</span> <span class="n">sqsTemplate</span><span class="o">.</span><span class="na">send</span><span class="o">(</span><span class="n">todoSharingQueueName</span><span class="o">,</span> <span class="k">new</span> <span class="nc">TodoCollaborationNotification</span><span class="o">(</span><span class="n">collaboration</span><span class="o">));</span> <span class="k">return</span> <span class="n">collaborator</span><span class="o">.</span><span class="na">getName</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We then listen for the request with our TodoSharingListener:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">TodoSharingListener</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">MailSender</span> <span class="n">mailSender</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">TodoCollaborationService</span> <span class="n">todoCollaborationService</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="kt">boolean</span> <span class="n">autoConfirmCollaborations</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">confirmEmailFromAddress</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">externalUrl</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Logger</span> <span class="no">LOG</span> <span class="o">=</span> <span class="nc">LoggerFactory</span><span class="o">.</span><span class="na">getLogger</span><span class="o">(</span><span class="nc">TodoSharingListener</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">getName</span><span class="o">());</span> <span class="kd">public</span> <span class="nf">TodoSharingListener</span><span class="o">(</span> <span class="nc">MailSender</span> <span class="n">mailSender</span><span class="o">,</span> <span class="nc">TodoCollaborationService</span> <span class="n">todoCollaborationService</span><span class="o">,</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${custom.auto-confirm-collaborations}"</span><span class="o">)</span> <span class="kt">boolean</span> <span class="n">autoConfirmCollaborations</span><span class="o">,</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${custom.confirm-email-from-address}"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">confirmEmailFromAddress</span><span class="o">,</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${custom.external-url}"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">externalUrl</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">mailSender</span> <span class="o">=</span> <span class="n">mailSender</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">todoCollaborationService</span> <span class="o">=</span> <span class="n">todoCollaborationService</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">autoConfirmCollaborations</span> <span class="o">=</span> <span class="n">autoConfirmCollaborations</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">confirmEmailFromAddress</span> <span class="o">=</span> <span class="n">confirmEmailFromAddress</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">externalUrl</span> <span class="o">=</span> <span class="n">externalUrl</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@SqsListener</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"${custom.sharing-queue}"</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">listenToSharingMessages</span><span class="o">(</span><span class="nc">TodoCollaborationNotification</span> <span class="n">payload</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">InterruptedException</span> <span class="o">{</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Incoming todo sharing payload: {}"</span><span class="o">,</span> <span class="n">payload</span><span class="o">);</span> <span class="nc">SimpleMailMessage</span> <span class="n">message</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SimpleMailMessage</span><span class="o">();</span> <span class="n">message</span><span class="o">.</span><span class="na">setFrom</span><span class="o">(</span><span class="n">confirmEmailFromAddress</span><span class="o">);</span> <span class="n">message</span><span class="o">.</span><span class="na">setTo</span><span class="o">(</span><span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorEmail</span><span class="o">());</span> <span class="n">message</span><span class="o">.</span><span class="na">setSubject</span><span class="o">(</span><span class="s">"A todo was shared with you"</span><span class="o">);</span> <span class="n">message</span><span class="o">.</span><span class="na">setText</span><span class="o">(</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span> <span class="sh">""" Hi %s,\s someone shared a Todo from %s with you. Information about the shared Todo item:\s Title: %s\s Description: %s\s Priority: %s\s You can accept the collaboration by clicking this link: %s/todo/%s/collaborations/%s/confirm?token=%s\s Kind regards,\s Stratospheric"""</span><span class="o">,</span> <span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorEmail</span><span class="o">(),</span> <span class="n">externalUrl</span><span class="o">,</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoTitle</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoDescription</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoPriority</span><span class="o">(),</span> <span class="n">externalUrl</span><span class="o">,</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoId</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorId</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getToken</span><span class="o">()</span> <span class="o">)</span> <span class="o">);</span> <span class="n">mailSender</span><span class="o">.</span><span class="na">send</span><span class="o">(</span><span class="n">message</span><span class="o">);</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Successfully informed collaborator about shared todo."</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">autoConfirmCollaborations</span><span class="o">)</span> <span class="o">{</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Auto-confirmed collaboration request for todo: {}"</span><span class="o">,</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoId</span><span class="o">());</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">sleep</span><span class="o">(</span><span class="mi">2_500</span><span class="o">);</span> <span class="n">todoCollaborationService</span><span class="o">.</span><span class="na">confirmCollaboration</span><span class="o">(</span><span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorEmail</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoId</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorId</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getToken</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Here we have learnt about implementing collaboration features with SQS for decoupling events from behaviour.</p> <h3> Sharing Todos with Amazon SQS and Amazon SES </h3> <p>Here, we will use Amazon SES for sending emails to collaborators. Amazon SES is an easy to set up email service.<br> We interact with the SES service with CDK or an API. We could use this service for marketing, sign up or email news services.<br> Amazon SES is available in several regions. We allow sending emails with the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">ServiceApp</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// ...</span> <span class="nc">PolicyStatement</span><span class="o">.</span><span class="na">Builder</span><span class="o">.</span><span class="na">create</span><span class="o">()</span> <span class="o">.</span><span class="na">sid</span><span class="o">(</span><span class="s">"AllowSendingEmails"</span><span class="o">)</span> <span class="o">.</span><span class="na">effect</span><span class="o">(</span><span class="nc">Effect</span><span class="o">.</span><span class="na">ALLOW</span><span class="o">)</span> <span class="o">.</span><span class="na">resources</span><span class="o">(</span> <span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"arn:aws:ses:%s:%s:identity/stratospheric.dev"</span><span class="o">,</span> <span class="n">region</span><span class="o">,</span> <span class="n">accountId</span><span class="o">))</span> <span class="o">)</span> <span class="o">.</span><span class="na">actions</span><span class="o">(</span><span class="nc">List</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"ses:SendEmail"</span><span class="o">,</span> <span class="s">"ses:SendRawEmail"</span> <span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="c1">// ...</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Spring defines two interfaces for sending emails: MailSender and JavaMailSender. We also add the ses dependency to our<br> build.gradle file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gradle"><code> <span class="n">implementation</span> <span class="s1">'io.awspring.cloud:spring-cloud-aws-starter-ses'</span> </code></pre> </div> <p>We send the email from our TodoSharingListener:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">TodoSharingListener</span> <span class="o">{</span> <span class="c1">// ...</span> <span class="nd">@SqsListener</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"${custom.sharing-queue}"</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">listenToSharingMessages</span><span class="o">(</span><span class="nc">TodoCollaborationNotification</span> <span class="n">payload</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">InterruptedException</span> <span class="o">{</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Incoming todo sharing payload: {}"</span><span class="o">,</span> <span class="n">payload</span><span class="o">);</span> <span class="nc">SimpleMailMessage</span> <span class="n">message</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SimpleMailMessage</span><span class="o">();</span> <span class="n">message</span><span class="o">.</span><span class="na">setFrom</span><span class="o">(</span><span class="n">confirmEmailFromAddress</span><span class="o">);</span> <span class="n">message</span><span class="o">.</span><span class="na">setTo</span><span class="o">(</span><span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorEmail</span><span class="o">());</span> <span class="n">message</span><span class="o">.</span><span class="na">setSubject</span><span class="o">(</span><span class="s">"A todo was shared with you"</span><span class="o">);</span> <span class="n">message</span><span class="o">.</span><span class="na">setText</span><span class="o">(</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span> <span class="sh">""" Hi %s,\s someone shared a Todo from %s with you. Information about the shared Todo item:\s Title: %s\s Description: %s\s Priority: %s\s You can accept the collaboration by clicking this link: %s/todo/%s/collaborations/%s/confirm?token=%s\s Kind regards,\s Stratospheric"""</span><span class="o">,</span> <span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorEmail</span><span class="o">(),</span> <span class="n">externalUrl</span><span class="o">,</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoTitle</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoDescription</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoPriority</span><span class="o">(),</span> <span class="n">externalUrl</span><span class="o">,</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoId</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorId</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getToken</span><span class="o">()</span> <span class="o">)</span> <span class="o">);</span> <span class="n">mailSender</span><span class="o">.</span><span class="na">send</span><span class="o">(</span><span class="n">message</span><span class="o">);</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Successfully informed collaborator about shared todo."</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">autoConfirmCollaborations</span><span class="o">)</span> <span class="o">{</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Auto-confirmed collaboration request for todo: {}"</span><span class="o">,</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoId</span><span class="o">());</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">sleep</span><span class="o">(</span><span class="mi">2_500</span><span class="o">);</span> <span class="n">todoCollaborationService</span><span class="o">.</span><span class="na">confirmCollaboration</span><span class="o">(</span><span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorEmail</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getTodoId</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getCollaboratorId</span><span class="o">(),</span> <span class="n">payload</span><span class="o">.</span><span class="na">getToken</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The mailSender#send function hands the delivery of the email to Amazon SES. We handle the user's response to the email in<br> the TodoCollaborationController:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Controller</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/todo"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">TodoCollaborationController</span> <span class="o">{</span> <span class="c1">//...</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/{todoId}/collaborations/{collaboratorId}/confirm"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">confirmCollaboration</span><span class="o">(</span> <span class="nd">@PathVariable</span><span class="o">(</span><span class="s">"todoId"</span><span class="o">)</span> <span class="nc">Long</span> <span class="n">todoId</span><span class="o">,</span> <span class="nd">@PathVariable</span><span class="o">(</span><span class="s">"collaboratorId"</span><span class="o">)</span> <span class="nc">Long</span> <span class="n">collaboratorId</span><span class="o">,</span> <span class="nd">@RequestParam</span><span class="o">(</span><span class="s">"token"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">token</span><span class="o">,</span> <span class="nd">@AuthenticationPrincipal</span> <span class="nc">OidcUser</span> <span class="n">user</span><span class="o">,</span> <span class="nc">RedirectAttributes</span> <span class="n">redirectAttributes</span> <span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">todoCollaborationService</span><span class="o">.</span><span class="na">confirmCollaboration</span><span class="o">(</span><span class="n">user</span><span class="o">.</span><span class="na">getEmail</span><span class="o">(),</span> <span class="n">todoId</span><span class="o">,</span> <span class="n">collaboratorId</span><span class="o">,</span> <span class="n">token</span><span class="o">))</span> <span class="o">{</span> <span class="n">redirectAttributes</span><span class="o">.</span><span class="na">addFlashAttribute</span><span class="o">(</span><span class="s">"message"</span><span class="o">,</span> <span class="s">"You've confirmed that you'd like to collaborate on this todo."</span><span class="o">);</span> <span class="n">redirectAttributes</span><span class="o">.</span><span class="na">addFlashAttribute</span><span class="o">(</span><span class="s">"messageType"</span><span class="o">,</span> <span class="s">"success"</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">redirectAttributes</span><span class="o">.</span><span class="na">addFlashAttribute</span><span class="o">(</span><span class="s">"message"</span><span class="o">,</span> <span class="s">"Invalid collaboration request."</span><span class="o">);</span> <span class="n">redirectAttributes</span><span class="o">.</span><span class="na">addFlashAttribute</span><span class="o">(</span><span class="s">"messageType"</span><span class="o">,</span> <span class="s">"danger"</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="s">"redirect:/dashboard"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We confirm the collaboration with the TodoCollaborationService:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Service</span> <span class="nd">@Transactional</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">TodoCollaborationService</span> <span class="o">{</span> <span class="c1">// ...</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">confirmCollaboration</span><span class="o">(</span><span class="nc">String</span> <span class="n">authenticatedUserEmail</span><span class="o">,</span> <span class="nc">Long</span> <span class="n">todoId</span><span class="o">,</span> <span class="nc">Long</span> <span class="n">collaboratorId</span><span class="o">,</span> <span class="nc">String</span> <span class="n">token</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Person</span> <span class="n">collaborator</span> <span class="o">=</span> <span class="n">personRepository</span> <span class="o">.</span><span class="na">findByEmail</span><span class="o">(</span><span class="n">authenticatedUserEmail</span><span class="o">)</span> <span class="o">.</span><span class="na">orElseThrow</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">IllegalArgumentException</span><span class="o">(</span><span class="no">INVALID_PERSON_EMAIL</span> <span class="o">+</span> <span class="n">authenticatedUserEmail</span><span class="o">));</span> <span class="k">if</span> <span class="o">(!</span><span class="n">collaborator</span><span class="o">.</span><span class="na">getId</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="n">collaboratorId</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="nc">TodoCollaborationRequest</span> <span class="n">collaborationRequest</span> <span class="o">=</span> <span class="n">todoCollaborationRequestRepository</span> <span class="o">.</span><span class="na">findByTodoIdAndCollaboratorId</span><span class="o">(</span><span class="n">todoId</span><span class="o">,</span> <span class="n">collaboratorId</span><span class="o">);</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Collaboration request: {}"</span><span class="o">,</span> <span class="n">collaborationRequest</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">collaborationRequest</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">||</span> <span class="o">!</span><span class="n">collaborationRequest</span><span class="o">.</span><span class="na">getToken</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="n">token</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Original collaboration token: {}"</span><span class="o">,</span> <span class="n">collaborationRequest</span><span class="o">.</span><span class="na">getToken</span><span class="o">());</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Request token: {}"</span><span class="o">,</span> <span class="n">token</span><span class="o">);</span> <span class="nc">Todo</span> <span class="n">todo</span> <span class="o">=</span> <span class="n">todoRepository</span> <span class="o">.</span><span class="na">findById</span><span class="o">(</span><span class="n">todoId</span><span class="o">)</span> <span class="o">.</span><span class="na">orElseThrow</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">IllegalArgumentException</span><span class="o">(</span><span class="no">INVALID_TODO_ID</span> <span class="o">+</span> <span class="n">todoId</span><span class="o">));</span> <span class="n">todo</span><span class="o">.</span><span class="na">addCollaborator</span><span class="o">(</span><span class="n">collaborator</span><span class="o">);</span> <span class="n">todoCollaborationRequestRepository</span><span class="o">.</span><span class="na">delete</span><span class="o">(</span><span class="n">collaborationRequest</span><span class="o">);</span> <span class="nc">String</span> <span class="n">name</span> <span class="o">=</span> <span class="n">collaborationRequest</span><span class="o">.</span><span class="na">getCollaborator</span><span class="o">().</span><span class="na">getName</span><span class="o">();</span> <span class="nc">String</span> <span class="n">subject</span> <span class="o">=</span> <span class="s">"Collaboration confirmed."</span><span class="o">;</span> <span class="nc">String</span> <span class="n">message</span> <span class="o">=</span> <span class="s">"User "</span> <span class="o">+</span> <span class="n">name</span> <span class="o">+</span> <span class="s">" has accepted your collaboration request for todo #"</span> <span class="o">+</span> <span class="n">collaborationRequest</span><span class="o">.</span><span class="na">getTodo</span><span class="o">().</span><span class="na">getId</span><span class="o">()</span> <span class="o">+</span> <span class="s">"."</span><span class="o">;</span> <span class="nc">String</span> <span class="n">ownerEmail</span> <span class="o">=</span> <span class="n">collaborationRequest</span><span class="o">.</span><span class="na">getTodo</span><span class="o">().</span><span class="na">getOwner</span><span class="o">().</span><span class="na">getEmail</span><span class="o">();</span> <span class="n">simpMessagingTemplate</span><span class="o">.</span><span class="na">convertAndSend</span><span class="o">(</span><span class="s">"/topic/todoUpdates/"</span> <span class="o">+</span> <span class="n">ownerEmail</span><span class="o">,</span> <span class="n">subject</span> <span class="o">+</span> <span class="s">" "</span> <span class="o">+</span> <span class="n">message</span><span class="o">);</span> <span class="no">LOG</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Successfully informed owner about accepted request."</span><span class="o">);</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>For local testing with LocalStack we use the following definition in our docker-compose.yml:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">localstack</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">localstack/localstack:0.14.4</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">4566:4566</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">SERVICES=sqs,ses,dynamodb</span> <span class="pi">-</span> <span class="s">DEFAULT_REGION=eu-central-1</span> <span class="pi">-</span> <span class="s">USE_SINGLE_REGION=true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./src/test/resources/localstack/local-aws-infrastructure.sh:/docker-entrypoint-initaws.d/init.sh</span> </code></pre> </div> <p>To set up our local environment we use the following script in local-aws-infrastructure.sh:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/sh</span> awslocal sqs create-queue <span class="nt">--queue-name</span> stratospheric-todo-sharing awslocal ses verify-email-identity <span class="nt">--email-address</span> noreply@stratospheric.dev awslocal ses verify-email-identity <span class="nt">--email-address</span> info@stratospheric.dev awslocal ses verify-email-identity <span class="nt">--email-address</span> tom@stratospheric.dev awslocal ses verify-email-identity <span class="nt">--email-address</span> bjoern@stratospheric.dev awslocal ses verify-email-identity <span class="nt">--email-address</span> philip@stratospheric.dev awslocal dynamodb create-table <span class="se">\</span> <span class="nt">--table-name</span> local-todo-app-breadcrumb <span class="se">\</span> <span class="nt">--attribute-definitions</span> <span class="nv">AttributeName</span><span class="o">=</span><span class="nb">id</span>,AttributeType<span class="o">=</span>S <span class="se">\</span> <span class="nt">--key-schema</span> <span class="nv">AttributeName</span><span class="o">=</span><span class="nb">id</span>,KeyType<span class="o">=</span>HASH <span class="se">\</span> <span class="nt">--provisioned-throughput</span> <span class="nv">ReadCapacityUnits</span><span class="o">=</span>10,WriteCapacityUnits<span class="o">=</span>10 <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"Initialized."</span> </code></pre> </div> <p>For local development we override the url endpoint with our application-dev.yml:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">cloud</span><span class="pi">:</span> <span class="na">aws</span><span class="pi">:</span> <span class="na">rds</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">sqs</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">http://localhost:4566</span> <span class="na">region</span><span class="pi">:</span> <span class="s">eu-central-1</span> <span class="na">mail</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">http://localhost:4566</span> <span class="na">region</span><span class="pi">:</span> <span class="s">eu-central-1</span> <span class="na">credentials</span><span class="pi">:</span> <span class="na">secret-key</span><span class="pi">:</span> <span class="s">foo</span> <span class="na">access-key</span><span class="pi">:</span> <span class="s">bar</span> </code></pre> </div> <p>We set auto-confirm-collaborations to true to enable email success:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">auto-confirm-collaborations</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>This is then used in the autoConfirmCollaborations parameter in our TodoSharingListener:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">TodoSharingListener</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">MailSender</span> <span class="n">mailSender</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">TodoCollaborationService</span> <span class="n">todoCollaborationService</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="kt">boolean</span> <span class="n">autoConfirmCollaborations</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">confirmEmailFromAddress</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">externalUrl</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">Logger</span> <span class="no">LOG</span> <span class="o">=</span> <span class="nc">LoggerFactory</span><span class="o">.</span><span class="na">getLogger</span><span class="o">(</span><span class="nc">TodoSharingListener</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">getName</span><span class="o">());</span> <span class="kd">public</span> <span class="nf">TodoSharingListener</span><span class="o">(</span> <span class="nc">MailSender</span> <span class="n">mailSender</span><span class="o">,</span> <span class="nc">TodoCollaborationService</span> <span class="n">todoCollaborationService</span><span class="o">,</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${custom.auto-confirm-collaborations}"</span><span class="o">)</span> <span class="kt">boolean</span> <span class="n">autoConfirmCollaborations</span><span class="o">,</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${custom.confirm-email-from-address}"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">confirmEmailFromAddress</span><span class="o">,</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${custom.external-url}"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">externalUrl</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">mailSender</span> <span class="o">=</span> <span class="n">mailSender</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">todoCollaborationService</span> <span class="o">=</span> <span class="n">todoCollaborationService</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">autoConfirmCollaborations</span> <span class="o">=</span> <span class="n">autoConfirmCollaborations</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">confirmEmailFromAddress</span> <span class="o">=</span> <span class="n">confirmEmailFromAddress</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">externalUrl</span> <span class="o">=</span> <span class="n">externalUrl</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Here we have learnt about sending and receiving emails with AWS SES and we have looked at implementing email functionality<br> in a Spring Boot application.</p> <h3> Production Readiness with AWS </h3> <p>We will now look at Amazon CloudWatch and send log data to this service. We will set up metrics for CloudWatch and alarms if<br> thresholds are breached. We will also make the application production-ready by securing it with HTTPS and hosting it on a custom<br> domain.</p> <p>We will use Spring Boot Logback for logging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;include</span> <span class="na">resource=</span><span class="s">"org/springframework/boot/logging/logback/defaults.xml"</span><span class="nt">/&gt;</span> <span class="nt">&lt;include</span> <span class="na">resource=</span><span class="s">"org/springframework/boot/logging/logback/console-appender.xml"</span><span class="nt">/&gt;</span> <span class="nt">&lt;appender</span> <span class="na">name=</span><span class="s">"JSON"</span> <span class="na">class=</span><span class="s">"ch.qos.logback.core.ConsoleAppender"</span><span class="nt">&gt;</span> <span class="nt">&lt;encoder</span> <span class="na">class=</span><span class="s">"de.siegmar.logbackawslogsjsonencoder.AwsJsonLogEncoder"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/appender&gt;</span> <span class="nt">&lt;root</span> <span class="na">level=</span><span class="s">"INFO"</span><span class="nt">&gt;</span> <span class="nt">&lt;appender-ref</span> <span class="na">ref=</span><span class="s">"CONSOLE"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/root&gt;</span> <span class="nt">&lt;/configuration&gt;</span> </code></pre> </div> <p>Here we will use centralized logging. We will use CloudWatch logging and learn how to send logs from ECS Fargate<br> to Amazon CloudWatch.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228988138-00f0fb54-4738-45fb-8c8a-b68bd21cec23.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228988138-00f0fb54-4738-45fb-8c8a-b68bd21cec23.png" alt="image"></a></p> <p>Above, we can see that we are running our application in an ECS Cluster. The Fargate Task runs our Docker images<br> and we will send logs to Amazon CloudWatch so that we can keep our logs in a centralized location.</p> <h3> Deploying the application </h3> <p>We first need to set up our cdk.json to the correct configuration for our account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">{</span> <span class="s2">"</span><span class="s">context"</span><span class="pi">:</span> <span class="pi">{</span> <span class="s2">"</span><span class="s">applicationName"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">todo-maker"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">region"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">eu-west-2"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">accountId"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">706054169063"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">dockerRepositoryName"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">todo-maker"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">dockerImageTag"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">applicationUrl"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://app.drspencer.io"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">loginPageDomainPrefix"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">stratospheric-staging"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">environmentName"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">staging"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">springProfile"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">aws"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">activeMqUsername"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">activemqUser"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">canaryUsername"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">canary"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">canaryUserPassword"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SECRET_OVERRIDDEN_BY_WORKFLOW"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">confirmationEmail"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">info@stratospheric.dev"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">applicationDomain"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">app.drspencer.io"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">sslCertificateArn"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:acm:eu-west-2:706054169063:certificate/ab9a0a58-cd09-493f-84cb-b42f9db0902a"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">hostedZoneDomain"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">drspencer.io"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">githubToken"</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SECRET_OVERRIDDEN_BY_WORKFLOW"</span> <span class="pi">}</span> <span class="pi">}</span> </code></pre> </div> <p>We then bootstrap the resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run bootstrap <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>We then create an SSL Certificate for my domain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run certificate:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>We then deploy the NetworkStack-dependent infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run network:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric npm run database:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric npm run activeMq:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>Next we deploy the NetworkStack-independent infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run repository:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric npm run messaging:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric npm run cognito:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>Then we run the command to route traffic from our custom domain to the ELB:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run domain:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <h4> Build and Push the First Docker Image </h4> <p>First we go to the root of the application and run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./gradlew build docker build <span class="nt">-t</span> &lt;accountId&gt;.dkr.ecr.&lt;region&gt;.amazonaws.com/&lt;applicationName&gt;:1 aws ecr get-login-password <span class="nt">--region</span> &lt;region&gt; <span class="nt">--profile</span> stratospheric | docker login <span class="se">\</span> <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> &lt;accountId&gt;.drk.ecr. docker push &lt;accountId&gt;.drk.ecr.&lt;region&gt;.amazonaws.com/&lt;applicationName&gt;:1 </code></pre> </div> <h4> Deploy the Docker image to the ECS Cluster </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run service:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <h4> Deploy monitoring Infrastructure </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>cdk npm run monitoring:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <h4> Deploy Canary stack </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>cdk npm run canary:deploy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <h4> Destroy everything </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run <span class="k">*</span>:destroy <span class="nt">--</span> <span class="nt">--profile</span> stratospheric </code></pre> </div> <p>Run the above command with all the earlier scripts to ensure that all stacks are removed</p> <p>This is what the app looks like after deploy:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F229370825-ccbcc867-86ab-486a-9bfe-391dbb503290.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F229370825-ccbcc867-86ab-486a-9bfe-391dbb503290.png" alt="drspencer_2023-4-2T19-7-49"></a></p> <h3> CloudWatch Logging Terminology </h3> <ul> <li>Log Stream: stream of logs from the same source (e.g. a single Docker Container)</li> <li>Log Group: An aggregation of log streams to group logs together</li> <li>CloudWatch Log Insights: Service that provides UI and query language to search one or log groups</li> </ul> <p>Example queries to CloudWatch could include:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>fields @timestamp, @message | <span class="nb">sort</span> @timestamp desc | limit 20 </code></pre> </div> spring aws Spring Framework DevOps on AWS Tom Spencer Mon, 27 Mar 2023 19:01:38 +0000 https://dev.to/aws-builders/spring-framework-devops-on-aws-156h https://dev.to/aws-builders/spring-framework-devops-on-aws-156h <p>This is an overview of how to use Spring with AWS. We will look at some of the tools we can use and also provision ec2 instances<br> for each of the services. I have enjoyed creating this overview for you. The github for this repo is:<br> <a href="https://github.com/TomSpencerLondon/spring-boot-docker" rel="noopener noreferrer">https://github.com/TomSpencerLondon/spring-boot-docker</a></p> <p>Thanks again!</p> <h3> Externalising Properties </h3> <p>First we externalise properties to make our build portable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Configuration</span> <span class="nd">@PropertySource</span><span class="o">(</span><span class="s">"classpath:testing.properties"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ExternalPropsPropertySourceTestConfig</span> <span class="o">{</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${guru.jms.server}"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">jmsServer</span><span class="o">;</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${guru.jms.port}"</span><span class="o">)</span> <span class="nc">Integer</span> <span class="n">jmsPort</span><span class="o">;</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${guru.jms.user}"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">jmsUser</span><span class="o">;</span> <span class="nd">@Value</span><span class="o">(</span><span class="s">"${guru.jms.password}"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">jmsPassword</span><span class="o">;</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">PropertySourcesPlaceholderConfigurer</span> <span class="nf">properties</span><span class="o">()</span> <span class="o">{</span> <span class="nc">PropertySourcesPlaceholderConfigurer</span> <span class="n">propertySourcesPlaceholderConfigurer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PropertySourcesPlaceholderConfigurer</span><span class="o">();</span> <span class="k">return</span> <span class="n">propertySourcesPlaceholderConfigurer</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">FakeJmsBroker</span> <span class="nf">fakeJmsBroker</span><span class="o">()</span> <span class="o">{</span> <span class="nc">FakeJmsBroker</span> <span class="n">fakeJmsBroker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FakeJmsBroker</span><span class="o">();</span> <span class="n">fakeJmsBroker</span><span class="o">.</span><span class="na">setUrl</span><span class="o">(</span><span class="n">jmsServer</span><span class="o">);</span> <span class="n">fakeJmsBroker</span><span class="o">.</span><span class="na">setPort</span><span class="o">(</span><span class="n">jmsPort</span><span class="o">);</span> <span class="n">fakeJmsBroker</span><span class="o">.</span><span class="na">setUser</span><span class="o">(</span><span class="n">jmsUser</span><span class="o">);</span> <span class="n">fakeJmsBroker</span><span class="o">.</span><span class="na">setPassword</span><span class="o">(</span><span class="n">jmsPassword</span><span class="o">);</span> <span class="k">return</span> <span class="n">fakeJmsBroker</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>This refers to testing.properties in the test folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">guru.jms.server</span><span class="p">=</span><span class="s">10.10.10.123</span> <span class="py">guru.jms.port</span><span class="p">=</span><span class="s">3330</span> <span class="py">guru.jms.user</span><span class="p">=</span><span class="s">Ron</span> <span class="py">guru.jms.password</span><span class="p">=</span><span class="s">Burgundy</span> </code></pre> </div> <p>The properties can be overridden by environment variables. Spring Boot lets you externalize your configuration so that you can work with the same application code in different environments. You can use properties files, YAML files, environment variables, and command-line arguments to externalize configuration. Property values can be injected directly into your beans by using the @Value annotation, accessed through Spring’s Environment abstraction, or be bound to structured objects through @ConfigurationProperties.<br> Spring Boot uses a very particular PropertySource order that is designed to allow sensible overriding of values. Properties are considered in the following order:</p> <ol> <li>Devtools global settings properties on your home directory (~/.spring-boot-devtools.properties when devtools is active).</li> <li>@TestPropertySource annotations on your tests.</li> <li>properties attribute on your tests. Available on @SpringBootTest and the test annotations for testing a particular slice of your application.</li> <li>Command line arguments.</li> <li>Properties from SPRING_APPLICATION_JSON (inline JSON embedded in an environment variable or system property).</li> <li>ServletConfig init parameters.</li> <li>ServletContext init parameters.</li> <li>JNDI attributes from java:comp/env.</li> <li>Java System properties (System.getProperties()).</li> <li>OS environment variables.</li> <li>A RandomValuePropertySource that has properties only in random.*.</li> <li>Profile-specific application properties outside of your packaged jar (application-{profile}.properties and YAML variants).</li> <li>Profile-specific application properties packaged inside your jar (application-{profile}.properties and YAML variants).</li> <li>Application properties outside of your packaged jar (application.properties and YAML variants).</li> <li>Application properties packaged inside your jar (application.properties and YAML variants).</li> <li>@PropertySource annotations on your @Configuration classes.</li> <li>Default properties (specified by setting SpringApplication.setDefaultProperties).</li> </ol> <h3> Using Spring Profiles </h3> <p>We can use Spring Profiles to load the appropriate data source. If the bean does not have an active profile it is brought in.<br> Beans with a dev profile will get ignored in production.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">interface</span> <span class="nc">FakeDataSource</span> <span class="o">{</span> <span class="nc">String</span> <span class="nf">getConnectionInfo</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>We then have different profiles for each source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Component</span> <span class="nd">@Profile</span><span class="o">(</span><span class="s">"dev"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DevDataSource</span> <span class="kd">implements</span> <span class="nc">FakeDataSource</span><span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getConnectionInfo</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"I'm dev data source"</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We can then use one of those profiles in our test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@ExtendWith</span><span class="o">(</span><span class="nc">SpringExtension</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="nd">@ContextConfiguration</span><span class="o">(</span><span class="n">classes</span> <span class="o">=</span> <span class="nc">DataSourceConfig</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="nd">@ActiveProfiles</span><span class="o">(</span><span class="s">"dev"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DataSourceTest</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">FakeDataSource</span> <span class="n">fakeDataSource</span><span class="o">;</span> <span class="nd">@Autowired</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">setFakeDataSource</span><span class="o">(</span><span class="nc">FakeDataSource</span> <span class="n">fakeDataSource</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">fakeDataSource</span> <span class="o">=</span> <span class="n">fakeDataSource</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">testDataSource</span><span class="o">()</span> <span class="o">{</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">fakeDataSource</span><span class="o">.</span><span class="na">toString</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Setting the active profile at runtime </h3> <p>Spring offers a number of ways to set the active profile at runtime.</p> <h3> Using Databases </h3> <p>We are going to use AWS RDS for our production environment. We will have h2 for dev.<br> MySQL local for QA and in production we will use AWS. We will use a separate jar for our pom for mysql data source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>com.h2database<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>h2<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;scope&gt;</span>runtime<span class="nt">&lt;/scope&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>mysql<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>mysql-connector-java<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;scope&gt;</span>runtime<span class="nt">&lt;/scope&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>Here we have added h2 for dev and the mysql connector jar. Set up mysql locally and check the connection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/.m2/repository/org<span class="nv">$ </span><span class="nb">sudo </span>mysql <span class="nt">-u</span> root Welcome to the MySQL monitor. Commands end with <span class="p">;</span> or <span class="se">\g</span><span class="nb">.</span> Your MySQL connection <span class="nb">id </span>is 9 Server version: 8.0.32-0ubuntu0.22.10.2 <span class="o">(</span>Ubuntu<span class="o">)</span> Copyright <span class="o">(</span>c<span class="o">)</span> 2000, 2023, Oracle and/or its affiliates. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type <span class="s1">'help;'</span> or <span class="s1">'\h'</span> <span class="k">for </span>help. Type <span class="s1">'\c'</span> to clear the current input statement. mysql&gt; create database springguru -&gt; <span class="p">;</span> Query OK, 1 row affected <span class="o">(</span>0.01 sec<span class="o">)</span> mysql&gt; </code></pre> </div> <p>Here we are using the root user. We then set the properties for our QA environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">spring.datasource.driver-class-name</span><span class="p">=</span><span class="s">com.mysql.cj.jdbc.Driver</span> <span class="py">spring.jpa.properties.hibernate.dialect</span><span class="p">=</span><span class="s">org.hibernate.dialect.MySQL8Dialect</span> <span class="py">spring.datasource.url</span><span class="p">=</span><span class="s">jdbc:mysql://localhost:3306/springguru</span> <span class="py">spring.datasource.username</span><span class="p">=</span><span class="s">root</span> <span class="py">spring.datasource.password</span><span class="p">=</span> <span class="py">spring.jpa.hibernate.ddl-auto</span><span class="p">=</span><span class="s">update</span> </code></pre> </div> <p>We then set the active profile to qa. You may need to change the permissions for connecting to mysql:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mysql <span class="o">&gt;</span> ALTER USER <span class="s1">'root'</span>@<span class="s1">'localhost'</span> IDENTIFIED WITH mysql_native_password BY <span class="s1">''</span><span class="p">;</span> mysql <span class="o">&gt;</span> FLUSH PRIVILEGES<span class="p">;</span> </code></pre> </div> <p>Mysql Workbench connection issues on linux. On a terminal window, run the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># snap connect mysql-workbench-community:password-manager-service</span> <span class="c"># snap connect mysql-workbench-community:ssh-keys</span> </code></pre> </div> <h3> Entity diagram of database </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226150009-807edbc2-d297-4dc6-a299-3dd637888147.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226150009-807edbc2-d297-4dc6-a299-3dd637888147.png" alt="springguru"></a></p> <h3> Creating a service account </h3> <p>We will create a user with restricted access. No create tables or moderate tables. This is standard practice in enterprise<br> applications.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">USER</span> <span class="s1">'springframework'</span><span class="o">@</span><span class="s1">'localhost'</span> <span class="n">IDENTIFIED</span> <span class="k">BY</span> <span class="s1">'guru'</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">SELECT</span> <span class="k">ON</span> <span class="n">springguru</span><span class="p">.</span><span class="o">*</span> <span class="k">to</span> <span class="s1">'springframework'</span><span class="o">@</span><span class="s1">'localhost'</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">INSERT</span> <span class="k">ON</span> <span class="n">springguru</span><span class="p">.</span><span class="o">*</span> <span class="k">to</span> <span class="s1">'springframework'</span><span class="o">@</span><span class="s1">'localhost'</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">DELETE</span> <span class="k">ON</span> <span class="n">springguru</span><span class="p">.</span><span class="o">*</span> <span class="k">to</span> <span class="s1">'springframework'</span><span class="o">@</span><span class="s1">'localhost'</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">UPDATE</span> <span class="k">ON</span> <span class="n">springguru</span><span class="p">.</span><span class="o">*</span> <span class="k">to</span> <span class="s1">'springframework'</span><span class="o">@</span><span class="s1">'localhost'</span><span class="p">;</span> </code></pre> </div> <p>If we check in MySQL Workbench we see that our new user has limited privileges:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226191730-242a9258-d00c-4d9f-bc6b-8d2482033655.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226191730-242a9258-d00c-4d9f-bc6b-8d2482033655.png" alt="image"></a></p> <p>We can then add this user for testing with the qa profile:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">spring.datasource.driver-class-name</span><span class="p">=</span><span class="s">com.mysql.cj.jdbc.Driver</span> <span class="py">spring.jpa.properties.hibernate.dialect</span><span class="p">=</span><span class="s">org.hibernate.dialect.MySQL8Dialect</span> <span class="py">spring.datasource.url</span><span class="p">=</span><span class="s">jdbc:mysql://localhost:3306/springguru</span> <span class="py">spring.datasource.username</span><span class="p">=</span><span class="s">springframework</span> <span class="py">spring.datasource.password</span><span class="p">=</span><span class="s">guru</span> <span class="py">spring.jpa.hibernate.ddl-auto</span><span class="p">=</span><span class="s">update</span> </code></pre> </div> <p>It is now best practice to use a service account with restricted privileges.</p> <h3> Encrypting Properties </h3> <p>We can use Jasypt for encryption of the database password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>com.github.ulisesbocchio<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>jasypt-spring-boot-starter<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>3.0.5<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>We can then encrypt the username and password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ./encrypt.sh <span class="nv">input</span><span class="o">=</span>springframework <span class="nv">password</span><span class="o">=</span>password </code></pre> </div> <p>We then add the encrypted username and password to the application.properties:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">spring.datasource.driver-class-name</span><span class="p">=</span><span class="s">com.mysql.cj.jdbc.Driver</span> <span class="py">spring.jpa.properties.hibernate.dialect</span><span class="p">=</span><span class="s">org.hibernate.dialect.MySQL8Dialect</span> <span class="py">spring.datasource.url</span><span class="p">=</span><span class="s">jdbc:mysql://localhost:3306/springguru</span> <span class="py">jasypt.encryptor.password</span><span class="p">=</span><span class="s">password</span> <span class="py">jasypt.encryptor.iv-generator-classname</span><span class="p">=</span><span class="s">org.jasypt.iv.NoIvGenerator</span> <span class="py">jasypt.encryptor.algorithm</span><span class="p">=</span><span class="s">PBEWithMD5AndTripleDES</span> <span class="py">spring.datasource.username</span><span class="p">=</span><span class="s">ENC(3ZeqNvW+Rm0DgOkkVVXgPBxIEeyXsKQ6)</span> <span class="py">spring.datasource.password</span><span class="p">=</span><span class="s">ENC(1qHrTuI0RB4Qzl3zPE3FmQ==)</span> <span class="py">spring.jpa.hibernate.ddl-auto</span><span class="p">=</span><span class="s">update</span> </code></pre> </div> <h3> Continuous Integration </h3> <p>We are now going to provision services in the cloud such as jenkins and a dns for the<br> jenkins instance. We will also set up Artifactory with docker so that we can deploy jenkins builds<br> to deploy maven artifacts to the Artifactory repository.</p> <h3> Introduction to AWS </h3> <p>We will now look in more detail at Amazon Web Services. AWS cloud compute was created because they were not using<br> servers during the year. This business has now grown to make them a true leader in the space. Companies like Netflix<br> use AWS for deployments. It is an incredible collection of resources:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226225255-34c043ff-efb3-4d24-8f18-d609762dc2ff.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226225255-34c043ff-efb3-4d24-8f18-d609762dc2ff.png" alt="image"></a></p> <p>For our application we will use EC2 virtual servers in the cloud to provision a server in the cloud to run our jenkins instance.<br> We will use Elastic Beanstalk for deploying our Tomcat instance. We will also use RDS to provision our mysql database managed<br> by Amazon. Amazon will handle all backups and software upgrades on the database. This is useful for small startups who want to<br> out source the management of their databases. We will also use Route 53 to host our domain and DNS. We will then point traffic<br> at this domain.</p> <h3> Linux distributions </h3> <p>We will use the Redhat flavour of linux. There are two branches: debian (ubuntu) and fedora. In enterprise applications<br> Redhat or Fedora is frequently used. The fedora linuxes are mostly standard in enterprise applications. Most often Redhat<br> enterprise linux is used.</p> <h3> Provisioning a server on AWS </h3> <p>We will now go to the AWS console to set up an AMI to use jenkins.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226227223-06c07c7a-1212-40ca-a9cd-b61fa90bfca8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226227223-06c07c7a-1212-40ca-a9cd-b61fa90bfca8.png" alt="image"></a></p> <p>I have set up a Redhat linux instance and added a security group with a port range inbound traffic on port 8080.<br> We now install oracle jdk and set up jenkins. Our instance is a t2 micro and will reference the private IP address. We can<br> also use ssh to connect to the instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tom@tom-ubuntu:~/Desktop<span class="nv">$ </span><span class="nb">chmod </span>400 springguru.pem tom@tom-ubuntu:~/Desktop<span class="nv">$ </span>ssh <span class="nt">-i</span> <span class="s2">"springguru.pem"</span> ec2-user@ec2-54-236-41-164.compute-1.amazonaws.com Register this system with Red Hat Insights: insights-client <span class="nt">--register</span> Create an account or view all your systems at https://red.ht/insights-dashboard <span class="o">[</span>ec2-user@ip-172-31-52-103 ~]<span class="err">$</span> </code></pre> </div> <p>We are now inside the amazon instance. We will use wget to get the oracle instance of jdk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> <span class="nb">sudo </span>su <span class="o">&gt;</span> yum <span class="nb">install </span>wget <span class="o">&gt;</span> wget https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.tar.gz <span class="o">&gt;</span> <span class="nb">tar </span>xzf amazon-corretto-11-x64-linux-jdk.tar.gz <span class="o">&gt;</span> <span class="nb">cp</span> <span class="nt">-r</span> ./amazon-corretto-11.0.18.10.1-linux-x64/ /opt/ <span class="o">&gt;</span> <span class="nb">cd</span> /opt <span class="o">&gt;</span> alternatives <span class="nt">--install</span> /usr/bin/java java /opt/amazon-corretto-11.0.18.10.1-linux-x64/bin/java 2 <span class="o">&gt;</span> alternatives config java <span class="o">[</span>root@ip-172-31-52-103 opt]# java <span class="nt">-version</span> openjdk version <span class="s2">"11.0.18"</span> 2023-01-17 LTS OpenJDK Runtime Environment Corretto-11.0.18.10.1 <span class="o">(</span>build 11.0.18+10-LTS<span class="o">)</span> OpenJDK 64-Bit Server VM Corretto-11.0.18.10.1 <span class="o">(</span>build 11.0.18+10-LTS, mixed mode<span class="o">)</span> <span class="o">&gt;</span> alternatives <span class="nt">--install</span> /usr/bin/jar jar /opt/amazon-corretto-11.0.18.10.1-linux-x64/bin/jar 2 <span class="o">&gt;</span> alternatives <span class="nt">--install</span> /usr/bin/javac javac /opt/amazon-corretto-11.0.18.10.1-linux-x64/bin/javac 2 <span class="o">&gt;</span> alternatives <span class="nt">--set</span> jar /opt/amazon-corretto-11.0.18.10.1-linux-x64/bin/jar <span class="o">&gt;</span> alternatives <span class="nt">--set</span> javac /opt/amazon-corretto-11.0.18.10.1-linux-x64/bin/javac </code></pre> </div> <p>A new release is produced weekly to deliver bug fixes and features to users and plugin developers. It can be installed from the redhat yum repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>wget <span class="nt">-O</span> /etc/yum.repos.d/jenkins.repo <span class="se">\</span> https://pkg.jenkins.io/redhat/jenkins.repo <span class="nb">sudo </span>rpm <span class="nt">--import</span> https://pkg.jenkins.io/redhat/jenkins.io.key <span class="nb">sudo </span>yum upgrade <span class="nb">sudo </span>yum <span class="nb">install </span>jenkins </code></pre> </div> <h1> Add required dependencies for the jenkins package </h1> <p><a href="https://www.jenkins.io/doc/book/installing/linux/" rel="noopener noreferrer">https://www.jenkins.io/doc/book/installing/linux/</a></p> <p>You can enable the Jenkins service to start at boot with the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl <span class="nb">enable </span>jenkins </code></pre> </div> <p>You can start the Jenkins service with the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>systemctl start jenkins </code></pre> </div> <p>You can check the status of the Jenkins service using the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>systemctl status jenkins </code></pre> </div> <p>We have now installed jenkins-2 on our EC2 instance and start the service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> service jenkins start <span class="o">&gt;</span> ps <span class="nt">-ef</span> | <span class="nb">grep </span>jenkins root 11000 1029 0 02:17 pts/0 00:00:00 <span class="nb">grep</span> <span class="nt">--color</span><span class="o">=</span>auto jenkins </code></pre> </div> <p>This link is very good for setting up jenkins:<br> <a href="https://www.jenkins.io/doc/tutorials/tutorial-for-installing-jenkins-on-AWS/" rel="noopener noreferrer">https://www.jenkins.io/doc/tutorials/tutorial-for-installing-jenkins-on-AWS/</a></p> <p>This link is useful for font errors with headless java:<br> <a href="https://wiki.jenkins.io/display/JENKINS/Jenkins+got+java.awt.headless+problem" rel="noopener noreferrer">https://wiki.jenkins.io/display/JENKINS/Jenkins+got+java.awt.headless+problem</a></p> <p>In particular this command is useful for fonts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>yum <span class="nb">install </span>xorg-x11-server-Xvfb </code></pre> </div> <p>We now get this page on <a href="http://ec2-100-26-253-161.compute-1.amazonaws.com:8080/login?from=%2F" rel="noopener noreferrer">http://ec2-100-26-253-161.compute-1.amazonaws.com:8080/login?from=%2F</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226494197-b5bdb0b4-baf0-494c-8eb3-7eb03e9cb4b0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226494197-b5bdb0b4-baf0-494c-8eb3-7eb03e9cb4b0.png" alt="image"></a></p> <p>We get the admin password by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user ~]<span class="nv">$ </span><span class="nb">sudo cat</span> /var/lib/jenkins/secrets/initialAdminPassword </code></pre> </div> <p>We then install the suggested plugins and add our first user:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226494602-26a30619-01de-4820-a8f7-ea8389c89d65.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226494602-26a30619-01de-4820-a8f7-ea8389c89d65.png" alt="image"></a></p> <p>We now have a jenkins server for configuring builds:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226494792-09b0b82f-e6cc-4d38-bd1a-8e0981650053.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226494792-09b0b82f-e6cc-4d38-bd1a-8e0981650053.png" alt="image"></a></p> <h3> How DNS works </h3> <ul> <li>stands for domain name services or domain name server</li> <li>gets you an ip address associated with a human readable text address</li> <li>springframework.guru is IP address 172.66.43.56 </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user@ip-172-31-63-3 ~]<span class="nv">$ </span>nslookup springframework.guru Non-authoritative answer: Name: springframework.guru Address: 172.66.43.56 Name: springframework.guru Address: 172.66.40.200 Name: springframework.guru Address: 2606:4700:3108::ac42:28c8 Name: springframework.guru Address: 2606:4700:3108::ac42:2b38 </code></pre> </div> <p>This is the result for my own dns on route 53:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user@ip-172-31-63-3 ~]<span class="nv">$ </span>nslookup drspencer.io Non-authoritative answer: Name: drspencer.io Address: 18.67.76.121 Name: drspencer.io Address: 18.67.76.122 Name: drspencer.io Address: 18.67.76.43 Name: drspencer.io Address: 18.67.76.113 </code></pre> </div> <p>How DNS works:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226501471-b389a40d-ae08-4d40-9a99-880835ed1691.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226501471-b389a40d-ae08-4d40-9a99-880835ed1691.png" alt="image"></a></p> <p>When your computer boots up it asks for an IP address. This is where it looks names up from. When we request<br> springframework.guru it works with top level domain. This request goes to find the dns server registered with the Internet<br> Server Provider. The route then goes to dns record sets which are then returned to your local machine. Cname records take<br> a url and convert it to springframework.guru. The DNS record then responds back with the IP address so that the computer<br> can find the server by the IP address. It can take time for address changes to propagate through all the global DNS servers.</p> <h3> Using Route 53 </h3> <p>We are now going to set a domain and subdomain for our jenkins address using Route 53. We will point a subdomain at the ec2 instance<br> ip address. Now when we go to <a href="http://jenkins.drspencer.io:8080/login?from=%2F" rel="noopener noreferrer">http://jenkins.drspencer.io:8080/login?from=%2F</a> we can see the login page for jenkins.<br> Browsers run on port 80 but our jenkins server is running on 8080. We are overriding port 80 in the browser.<br> We now need to set up Apache to do port forwarding between 80 and 8080. Apache routes the war file running on 8080 to 80 so<br> that we can view the application directly in the browser.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user@ip-172-31-63-3 ~]<span class="nv">$ </span><span class="nb">sudo </span>yum <span class="nb">install </span>httpd Last metadata expiration check: 1:42:53 ago on Tue Mar 21 00:26:29 2023. Dependencies resolved. <span class="o">===========================================================================================</span> Package Arch Version Repository Size <span class="o">===========================================================================================</span> Installing: httpd x86_64 2.4.55-1.amzn2023 amazonlinux 48 k Installing dependencies: apr x86_64 1.7.2-2.amzn2023.0.2 amazonlinux 129 k apr-util x86_64 1.6.3-1.amzn2023.0.1 amazonlinux 98 k generic-logos-httpd noarch 18.0.0-12.amzn2023.0.3 amazonlinux 19 k httpd-core x86_64 2.4.55-1.amzn2023 amazonlinux 1.4 M httpd-filesystem noarch 2.4.55-1.amzn2023 amazonlinux 15 k httpd-tools x86_64 2.4.55-1.amzn2023 amazonlinux 82 k mailcap noarch 2.1.49-3.amzn2023.0.3 amazonlinux 33 k Installing weak dependencies: apr-util-openssl x86_64 1.6.3-1.amzn2023.0.1 amazonlinux 17 k mod_http2 x86_64 2.0.11-2.amzn2023 amazonlinux 150 k mod_lua x86_64 2.4.55-1.amzn2023 amazonlinux 62 k Transaction Summary <span class="o">===========================================================================================</span> Install 11 Packages Total download size: 2.0 M Installed size: 6.1 M Is this ok <span class="o">[</span>y/N]: y <span class="o">[</span>ec2-user@ip-172-31-63-3 ~]<span class="nv">$ </span><span class="nb">sudo </span>service httpd start Redirecting to /bin/systemctl start httpd.service </code></pre> </div> <p>We now have apache up and running:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226503394-8f1e9c60-725c-447d-a093-81e80b777e49.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226503394-8f1e9c60-725c-447d-a093-81e80b777e49.png" alt="image"></a></p> <p>but we are not redirecting to jenkins yet. We need to go to configure the apache daemon:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user@ip-172-31-63-3 ~]<span class="nv">$ </span><span class="nb">sudo </span>service httpd start Redirecting to /bin/systemctl start httpd.service <span class="o">[</span>ec2-user@ip-172-31-63-3 ~]<span class="nv">$ </span><span class="nb">cd</span> /etc/httpd/conf <span class="o">[</span>ec2-user@ip-172-31-63-3 conf]<span class="nv">$ </span><span class="nb">ls </span>httpd.conf magic </code></pre> </div> <p>We now add our jenkins setup in the apache httpd.conf file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Jenkins setup</span> &lt;VirtualHost <span class="k">*</span>:80&gt; ServerName jenkins.drspencer.io ProxyRequests Off ProxyPreserveHost On AllowEncodedSlashes NoDecode ProxyPass / http://localhost:8080/ nocanon ProxyPassReverse / http://localhost:8080/ ProxyPassReverse / http://jenkins.drspencer.io &lt;Proxy http://localhost:8080/<span class="k">*</span> <span class="o">&gt;</span> Order deny,allow Allow from all &lt;/Proxy&gt; &lt;/VirtualHost&gt; </code></pre> </div> <p>This sets up a proxy for the server and reverses traffic from 8080. We now do an apache restart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user@ip-172-31-63-3 conf]<span class="nv">$ </span>service httpd restart Redirecting to /bin/systemctl restart httpd.service Failed to restart httpd.service: Access denied See system logs and <span class="s1">'systemctl status httpd.service'</span> <span class="k">for </span>details. <span class="o">[</span>ec2-user@ip-172-31-63-3 conf]<span class="nv">$ </span><span class="nb">sudo </span>service httpd restart Redirecting to /bin/systemctl restart httpd.service Job <span class="k">for </span>httpd.service failed because the control process exited with error code. See <span class="s2">"systemctl status httpd.service"</span> and <span class="s2">"journalctl -xeu httpd.service"</span> <span class="k">for </span>details. <span class="o">[</span>ec2-user@ip-172-31-63-3 conf]<span class="nv">$ </span>setsebool <span class="nt">-P</span> httpd_can_network_connect <span class="nb">true </span>Cannot <span class="nb">set </span>persistent booleans, please try as root. <span class="o">[</span>ec2-user@ip-172-31-63-3 conf]<span class="nv">$ </span><span class="nb">sudo </span>setsebool <span class="nt">-P</span> httpd_can_network_connect <span class="nb">true</span> </code></pre> </div> <p>Because we are running on a Security-Enhanced Linux machine we have to make SE-Linux allow restart.<br> <a href="https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-apache/#mod_proxy:%7E:text=If%20you%20are,P%20httpd_can_network_connect%20true" rel="noopener noreferrer">https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-apache/#mod_proxy:~:text=If%20you%20are,P%20httpd_can_network_connect%20true</a><br> Our configuration is trying to connect to the tomcat instance running on 8080 and the Security settings are not allowing us.<br> This command allows apache to connect to the network:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>setsebool <span class="nt">-P</span> httpd_can_network_connect <span class="nb">true</span> </code></pre> </div> <p>We can now connect to jenkins via the domain jenkins.drspencer.io directly:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226509814-b0e73eb9-1b12-49d4-8881-3142465665d9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226509814-b0e73eb9-1b12-49d4-8881-3142465665d9.png" alt="image"></a></p> <p>We can now block port 8080. We go to the jenkins file in /etc/sysconfig and open jenkins with vim.<br> We then use cntrl f to page down and add a Jenkins listen address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">JENKINS_PORT</span><span class="o">=</span><span class="s2">"8080"</span> <span class="c">## Type: string</span> <span class="c">## Default: ""</span> <span class="c">## ServiceRestart: jenkins</span> <span class="c">#</span> <span class="c"># IP address Jenkins listens on for HTTP requests.</span> <span class="c"># Default is all interfaces (0.0.0.0).</span> <span class="c">#</span> <span class="nv">JENKINS_LISTEN_ADDRESS</span><span class="o">=</span><span class="s2">"127.0.0.1"</span> </code></pre> </div> <p>This blocks jenkins listening to the world on port 8080.<br> We then restart jenkins:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@ip-172-31-63-3 sysconfig]# service jenkins restart Restarting jenkins <span class="o">(</span>via systemctl<span class="o">)</span>: <span class="o">[</span> OK <span class="o">]</span> </code></pre> </div> <p>and check for the jenkins port run information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@ip-172-31-63-3 sysconfig]# ps <span class="nt">-f</span> | <span class="nb">grep </span>jenkins root 20945 20524 0 09:17 pts/0 00:00:00 <span class="nb">grep</span> <span class="nt">--color</span><span class="o">=</span>auto jenkins </code></pre> </div> <p>Jenkins is now running on jenkins, its own user account.<br> This is a good security set up so it is locked to the outside world.<br> Jenkins is available on port 80 but no longer 8080.</p> <p>This is not quite enough on aws linux. I had to add iptables to block all non-local access to port 8080:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 8080 <span class="nt">-s</span> localhost <span class="nt">-j</span> ACCEPT iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 8080 <span class="nt">-j</span> DROP </code></pre> </div> <p>Now we can't access <a href="http://jenkins.drspencer.io:8080" rel="noopener noreferrer">http://jenkins.drspencer.io:8080</a> from the browser. We can only access <a href="http://jenkins.drspencer.io" rel="noopener noreferrer">http://jenkins.drspencer.io</a></p> <h3> Creating ssh keys </h3> <p>When we are working with github and jenkins we can use a username and password for checking into git. This is not security<br> best practice. A great way to enable communication between github is to use ssh keys. Ssh is a great way to enable encrypted<br> communication between two servers and also to avoid sharing secrets. We are now going to create an ssh key from the linux<br> command line. We are currently under the username root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@ip-172-31-63-3 sysconfig]# su jenkins <span class="o">[</span>root@ip-172-31-63-3 sysconfig]# <span class="nb">whoami </span>root <span class="o">[</span>root@ip-172-31-63-3 sysconfig]# ps <span class="nt">-ef</span> | <span class="nb">grep </span>jenkins jenkins 25804 1 0 10:18 ? 00:01:47 /usr/bin/java <span class="nt">-Djava</span>.awt.headless<span class="o">=</span><span class="nb">true</span> <span class="nt">-jar</span> /usr/share/java/jenkins.war <span class="nt">--webroot</span><span class="o">=</span>/var/cache/jenkins/war <span class="nt">--httpPort</span><span class="o">=</span>8080 root 56019 20524 0 20:30 pts/0 00:00:00 <span class="nb">grep</span> <span class="nt">--color</span><span class="o">=</span>auto jenkins </code></pre> </div> <p>Jenkins has non user account so we need to run the bash shell as jenkins:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@ip-172-31-63-3 sysconfig]# su <span class="nt">-s</span> /bin/bash jenkins bash-5.2<span class="nv">$ </span><span class="nb">whoami </span>jenkins bash-5.2<span class="err">$</span> </code></pre> </div> <p>We now go into the jenkins folder on our linux instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash-5.2<span class="nv">$ </span><span class="nb">ls </span>acpid console i18n man-db nftables.conf selinux atd cpupower irqbalance modules rngd sshd chronyd firewalld jenkins network rpcbind sysstat clock htcacheclean keyboard network-scripts run-parts sysstat.ioconf bash-5.2<span class="nv">$ </span><span class="nb">cd </span>bash-5.2<span class="nv">$ </span><span class="nb">ls </span>config.xml nodeMonitors.xml hudson.model.UpdateCenter.xml nodes hudson.plugins.git.GitTool.xml plugins identity.key.enc queue.xml.bak jenkins.install.InstallUtil.lastExecVersion secret.key jenkins.install.UpgradeWizard.state secret.key.not-so-secret jenkins.model.JenkinsLocationConfiguration.xml secrets jenkins.telemetry.Correlator.xml updates <span class="nb">jobs </span>userContent logs <span class="nb">users </span>bash-5.2<span class="nv">$ </span><span class="nb">pwd</span> /var/lib/jenkins bash-5.2<span class="err">$</span> </code></pre> </div> <p>We create an .ssh folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash-5.2<span class="nv">$ </span><span class="nb">mkdir</span> .ssh bash-5.2<span class="nv">$ </span><span class="nb">cd</span> .ssh/ bash-5.2<span class="nv">$ </span><span class="nb">pwd</span> /var/lib/jenkins/.ssh bash-5.2<span class="err">$</span> </code></pre> </div> <p>We now want to generate an ssh key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash-5.2<span class="nv">$ </span>ssh-keygen <span class="nt">-t</span> rsa <span class="nt">-C</span> <span class="s1">'jenkins@example.com'</span> Generating public/private rsa key pair. Enter file <span class="k">in </span>which to save the key <span class="o">(</span>/var/lib/jenkins/.ssh/id_rsa<span class="o">)</span>: Enter passphrase <span class="o">(</span>empty <span class="k">for </span>no passphrase<span class="o">)</span>: Enter same passphrase again: Your identification has been saved <span class="k">in</span> /var/lib/jenkins/.ssh/id_rsa Your public key has been saved <span class="k">in</span> /var/lib/jenkins/.ssh/id_rsa.pub The key fingerprint is: SHA256:3cre8EzGxywgkHxfchhxxceb0YEj5S6eRz4zAEan2Bs jenkins@example.com The key<span class="s1">'s randomart image is: +---[RSA 3072]----+ | .ooo+ooo| | . .+ o=.o..+| | +..Eo +...+| | o.o+=. o | | S.+o.o | | o.+*o | | +o=*+ | | . B.o+ | | . + | +----[SHA256]-----+ </span></code></pre> </div> <p>We add the public key to github:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226736467-ba252008-a6db-4407-8855-ed6782240707.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226736467-ba252008-a6db-4407-8855-ed6782240707.png" alt="image"></a></p> <p>We now need to install git on our linux instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> <span class="nb">sudo </span>yum <span class="nb">install </span>git <span class="o">&gt;</span> git <span class="nt">--version</span> git version 2.39.2 </code></pre> </div> <p>We are now going to setup the credentials in jenkins to use them for builds.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226741252-5312bdc4-4e19-4258-bfb1-7e35875abcfb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226741252-5312bdc4-4e19-4258-bfb1-7e35875abcfb.png" alt="image"></a></p> <p>We also want to add maven to jenkins:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226743299-d3f5b23a-efaf-43bc-99ad-a621e1743761.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226743299-d3f5b23a-efaf-43bc-99ad-a621e1743761.png" alt="image"></a></p> <h3> Build configuration </h3> <p>We are now going to create a build configuration in jenkins. We are now going to set up the build and get things cooking<br> in jenkins.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226744537-8cb8e0b2-8d7b-4006-be38-65d630dcec7d.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226744537-8cb8e0b2-8d7b-4006-be38-65d630dcec7d.png" alt="image"></a></p> <p>We also have to add our private key to the jenkins build configuration and a git webhook:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226747793-afd920cc-f8ea-44c6-8abb-3ee2ca2a1999.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226747793-afd920cc-f8ea-44c6-8abb-3ee2ca2a1999.png" alt="image"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226748751-cf554bc8-159a-4dc0-a905-36ac7fbb1ff8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226748751-cf554bc8-159a-4dc0-a905-36ac7fbb1ff8.png" alt="image"></a></p> <p>and set up the build:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226749135-7e4aaa8a-4c48-4f8a-9909-71f0daaf6bd9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226749135-7e4aaa8a-4c48-4f8a-9909-71f0daaf6bd9.png" alt="image"></a></p> <p>We can check console output:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226906390-56a1d15e-0205-497c-8075-a1aad10bb5e3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226906390-56a1d15e-0205-497c-8075-a1aad10bb5e3.png" alt="image"></a></p> <p>Now we have running builds in jenkins. We can now test the change by pushing to github.<br> We can test this with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git commit <span class="nt">--allow-empty</span> <span class="nt">-m</span> <span class="s2">"Empty commit"</span> </code></pre> </div> <p>on our repository.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226961267-a011fae1-81b1-4ff3-b27f-e38ad1998eb2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226961267-a011fae1-81b1-4ff3-b27f-e38ad1998eb2.png" alt="image"></a></p> <h3> Artifactory </h3> <p>We are now going to use Artifactory to store the jar builds. The advantage of Artifactory is that it is a private repository<br> where we can save our images. We are going to deploy Artifactory in a docker container.<br> We will create a new ec2 server on AWS and install docker.<br> To get Docker running on the AWS AMI will follow the steps below (these are all assuming you have ssh'd on to the EC2 instance).</p> <ol> <li>Update the packages on our instance </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user ~]<span class="nv">$ </span><span class="nb">sudo </span>yum update <span class="nt">-y</span> </code></pre> </div> <ol> <li>Install Docker </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user ~]<span class="nv">$ </span><span class="nb">sudo </span>yum <span class="nb">install </span>docker <span class="nt">-y</span> </code></pre> </div> <ol> <li>Start the Docker Service </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user ~]<span class="nv">$ </span><span class="nb">sudo </span>service docker start </code></pre> </div> <ol> <li>Add the ec2-user to the docker group so you can execute Docker commands without using sudo. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user ~]<span class="nv">$ </span><span class="nb">sudo </span>usermod <span class="nt">-a</span> <span class="nt">-G</span> docker ec2-user </code></pre> </div> <h3> Containers </h3> <ul> <li>Have their own process space</li> <li>Their own network interface</li> <li>'Run' processes as root (inside the container)</li> <li>Have their own disk space</li> <li>(can share with host too)</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226969173-32fa0ed1-2318-4842-83a7-f27b3b1db0ae.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226969173-32fa0ed1-2318-4842-83a7-f27b3b1db0ae.png" alt="image"></a></p> <p>Containers have no Guest operating system so we are running from the operating system of the original machine.<br> Docker containers are upto 30% more efficient than virtual machines.</p> <h3> Docker terminology </h3> <ul> <li>Docker image - the representation of a docker container. Like a jar file in Java</li> <li>Docker container - standard runtime of Docker. Effectively a deployed and running Docker Image.</li> <li>Docker Engine - The code which manages Docker stuff. Creates and runs Docker Containers</li> </ul> <p>Here we see the way in which Docker is put together:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226971788-a9e0ba92-9fb9-4e87-90ce-de1cce7e9ed5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F226971788-a9e0ba92-9fb9-4e87-90ce-de1cce7e9ed5.png" alt="image"></a></p> <p>We are going to install Artifactory using volumes so that we can persist the maven repository using Artifactory.<br> This link was helpful:<br> <a href="https://medium.com/@raguyazhin/step-by-step-guide-to-install-jfrog-artifactory-on-amazon-linux-6b832dd8097b" rel="noopener noreferrer">https://medium.com/@raguyazhin/step-by-step-guide-to-install-jfrog-artifactory-on-amazon-linux-6b832dd8097b</a><br> and this one was excellent:<br> <a href="https://www.coachdevops.com/search?q=docker+artifactory" rel="noopener noreferrer">https://www.coachdevops.com/search?q=docker+artifactory</a><br> In particular, remember to allow ports 8081 and 8082 on your aws ec2 security group.</p> <h3> Resolving artifacts through Artifactory </h3> <p>In maven 3.9 we need https for artifactory to include these in our maven pom.<br> We first need to request an ssl certificate.<br> We will follow the instructions here:<br> <a href="https://levelup.gitconnected.com/adding-a-custom-domain-and-ssl-to-aws-ec2-a2eca296facd" rel="noopener noreferrer">https://levelup.gitconnected.com/adding-a-custom-domain-and-ssl-to-aws-ec2-a2eca296facd</a></p> <p>The SSL certificate does take a few minutes to create so we do need to be patient:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227237035-38fae4f1-9902-4a79-b634-c41d6d4aef9c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227237035-38fae4f1-9902-4a79-b634-c41d6d4aef9c.png" alt="image"></a></p> <p>Now the certificate is showing as issued:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227237878-2550434c-adc0-4db5-9491-cc02f9d3c4bd.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227237878-2550434c-adc0-4db5-9491-cc02f9d3c4bd.png" alt="image"></a></p> <p>We can now create a target group. I have a few target groups already:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227238416-7e8e9c24-9bf1-4b94-a3dc-0dd26005f036.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227238416-7e8e9c24-9bf1-4b94-a3dc-0dd26005f036.png" alt="image"></a></p> <p>We want to create one for our EC2 instance.<br> We then register our instance to the target group:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227239645-d8f0b141-26db-4975-8c01-9e45f0c710f2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227239645-d8f0b141-26db-4975-8c01-9e45f0c710f2.png" alt="image"></a></p> <p>Next we need to create an application load balancer. We will choose the application load balancer.<br> We also need to set up a target group as described in the article above.<br> I have set up https and a DNS for the artifactory instance because we need to use<br> https with maven3. I added the following reverse proxy to<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> on the ec2 ubuntu linux instance: ```bash ServerName jfrog.drspencer.io ProxyPass / http://localhost:8082/ ProxyPassReverse / http://localhost:8082/ </code></pre> </div> <p>using Apache3.</p> <p>Now we have working artifactory instance on <a href="https://jfrog.drspencer.io:" rel="noopener noreferrer">https://jfrog.drspencer.io:</a><br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227302591-05513572-9618-4cfe-90c6-4f98fbb01d80.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227302591-05513572-9618-4cfe-90c6-4f98fbb01d80.png" alt="image"></a></p> <p>We can now use the correct settings in our settings.xml to deploy the jar:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Uploading to central: https://jfrog.drspencer.io/artifactory/libs-release-local/guru/springframework/spring-core-devops/0.0.3/spring-core-devops-0.0.3.jar Uploaded to central: https://jfrog.drspencer.io/artifactory/libs-release-local/guru/springframework/spring-core-devops/0.0.3/spring-core-devops-0.0.3.jar <span class="o">(</span>63 MB at 2.0 MB/s<span class="o">)</span> Uploading to central: https://jfrog.drspencer.io/artifactory/libs-release-local/guru/springframework/spring-core-devops/0.0.3/spring-core-devops-0.0.3.pom Uploaded to central: https://jfrog.drspencer.io/artifactory/libs-release-local/guru/springframework/spring-core-devops/0.0.3/spring-core-devops-0.0.3.pom <span class="o">(</span>3.9 kB at 6.2 kB/s<span class="o">)</span> Downloading from central: https://jfrog.drspencer.io/artifactory/libs-release-local/guru/springframework/spring-core-devops/maven-metadata.xml Downloaded from central: https://jfrog.drspencer.io/artifactory/libs-release-local/guru/springframework/spring-core-devops/maven-metadata.xml <span class="o">(</span>393 B at 1.5 kB/s<span class="o">)</span> Uploading to central: https://jfrog.drspencer.io/artifactory/libs-release-local/guru/springframework/spring-core-devops/maven-metadata.xml Uploaded to central: https://jfrog.drspencer.io/artifactory/libs-release-local/guru/springframework/spring-core-devops/maven-metadata.xml <span class="o">(</span>345 B at 559 B/s<span class="o">)</span> <span class="o">[</span>INFO] <span class="nt">------------------------------------------------------------------------</span> <span class="o">[</span>INFO] BUILD SUCCESS <span class="o">[</span>INFO] <span class="nt">------------------------------------------------------------------------</span> <span class="o">[</span>INFO] Total <span class="nb">time</span>: 35.186 s <span class="o">[</span>INFO] Finished at: 2023-03-24T14:02:35Z <span class="o">[</span>INFO] <span class="nt">------------------------------------------------------------------------</span> </code></pre> </div> <p>We now see the release on our artifactory repository browser:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227556194-db0dfd0e-b99a-4bc6-ac85-dce2191208af.png" class="article-body-image-wrapper"><img alt="image" src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227556194-db0dfd0e-b99a-4bc6-ac85-dce2191208af.png"></a></p> <h3> Jenkins with Artifactory </h3> <p>We now set up Jenkins to look at the maven home directory to get changes uploaded to artifactory.<br> We go to our operating system's home directory for jenkins:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/var/lib/jenkins </code></pre> </div> <p>We first log into our ec2 instance and then change to jenkins user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user@ip-172-31-91-7 ~]<span class="nv">$ </span><span class="nb">sudo </span>su <span class="nt">-s</span> /bin/bash jenkins bash-5.2<span class="err">$</span> bash-5.2<span class="nv">$ </span><span class="nb">whoami </span>jenkins </code></pre> </div> <p>We then add the same configuration from our settings.xml to /var/lib/jenkins/settings.xml. Now we return to jenkins and add a build.<br> We can now see that we are using our artifactory instance to download the required dependencies:<br> <br> Artifactory is important so that we can host the jars that we are building. It also works as read cache to save dependencies.<br> Other tools on Artifactory such as Xray can help ensure that we are careful with open source software and have a history of what we<br> are using. Xray checks dependencies for security issues.</p> <h3> Virtualised cloud deployment </h3> <p>We will now set up a docker container for our mysql database. We will then deploy our application.<br> We will create a new ec2 instance and install docker with the same commands as before. We will then<br> add mysql with the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>docker run <span class="nt">-d</span> <span class="nt">--name</span> mysql <span class="nt">-p</span> 3306:3306 <span class="nt">-v</span> /home/ec2-user/mysql_data:/var/lib/mysql <span class="nt">-e</span> <span class="nv">MYSQL_ROOT_PASSWORD</span><span class="o">=</span>password mysql:latest </code></pre> </div> <p>We can now check our running docker container and connect to mysql:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># check running instances</span> <span class="nb">sudo </span>docker ps <span class="c"># connect to container</span> <span class="nb">sudo </span>docker <span class="nb">exec</span> <span class="nt">-it</span> mysql bash <span class="c"># connect to MySQL</span> mysql <span class="nt">-p</span> <span class="c"># create database</span> CREATE DATABASE springguru<span class="p">;</span> create user <span class="s1">'spring_guru_owner'</span>@<span class="s1">'localhost'</span> identified with mysq_native_password by <span class="s1">'password'</span><span class="p">;</span> GRANT ALL PRIVILEGES ON springguru.<span class="k">*</span> to <span class="s1">'spring_guru_owner'</span>@<span class="s1">'localhost'</span><span class="p">;</span> </code></pre> </div> <p>Here we are connecting to mysql and creating the springguru database. We then create a new user account for interacting with the<br> springguru database. This is not appropriate on a production database. In a major application the application would not be<br> able to update the schema.</p> <h3> ec2 Docker application </h3> <p>We can run the application in the command line with properties so it is better to run with a file that can be kept on the<br> ec2 instance. We can set up a service with an external application.properties file on the operating system.<br> We put an application.properties file the same directory as the jar.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>ec2-user@ip-172-31-83-176 ~]<span class="nv">$ </span><span class="nb">ls </span>amazon-corretto-11-x64-linux-jdk.tar.gz application.properties amazon-corretto-11.0.18.10.1-linux-x64 spring-core-devops-0.0.3.jar </code></pre> </div> <p>These are the contents:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">spring.datasource.url</span><span class="p">=</span><span class="s">jdbc:mysql://54.82.50.187:3306/springguru</span> <span class="py">spring.datasource.username</span><span class="p">=</span><span class="s">spring_guru_owner</span> <span class="py">spring.datasource.password</span><span class="p">=</span><span class="s">GuruPassword</span> <span class="py">spring.jpa.hibernate.ddl-auto</span><span class="p">=</span><span class="s">update</span> </code></pre> </div> <p>If we wanted to add the same as environment variables we would do the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">SPRING_DATASOURCE_URL</span><span class="o">=</span>jdbc:mysql://54.82.50.187:3306/springguru <span class="nb">export </span><span class="nv">SPRING_DATASOURCE_USERNAME</span><span class="o">=</span>spring_guru_owner <span class="nb">export </span><span class="nv">SPRING_DATASOURCE_PASSWORD</span><span class="o">=</span>GuruPassword </code></pre> </div> <p>We would then run the application with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>java <span class="nt">-jar</span> ./spring-core-devops-0.0.3.jar </code></pre> </div> <p>Instead we are going to run the application with systemd to ensure we keep environment variables each time.</p> <h3> Running Spring ec2 with persistent env </h3> <p>We then add a service file on the spring boot ec2 instance:</p> <ol> <li>change to root and go to the system file on the linux instance </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>su <span class="nb">cd</span> /etc/systemd/system </code></pre> </div> <p>Save the following to spring.service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>Unit] <span class="nv">Description</span><span class="o">=</span>Spring Boot Service <span class="nv">After</span><span class="o">=</span>syslog.target <span class="o">[</span>Service] <span class="nv">User</span><span class="o">=</span>ec2-user <span class="c"># set di to location of application.properties and springboot jar</span> <span class="nv">WorkingDirectory</span><span class="o">=</span>/home/ec2-user <span class="nv">ExecStart</span><span class="o">=</span>/usr/bin/java <span class="nt">-jar</span> spring-core-devops-0.0.3.jar <span class="nv">SuccessExitStatus</span><span class="o">=</span>143 <span class="o">[</span>Install] <span class="nv">WantedBy</span><span class="o">=</span>multi-user.target </code></pre> </div> <p>The above is in /etc to run services. We run the jar as ec2-user and tell the application where java is<br> and run the jar file.</p> <ol> <li>Reload service definitions: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl daemon-reload </code></pre> </div> <ol> <li>Add start on boot: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl <span class="nb">enable </span>springboot.service </code></pre> </div> <ol> <li>Start the application: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl start springboot </code></pre> </div> <p>We can now see the service is running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>root@ip-172-31-83-176 system]# ps <span class="nt">-ef</span> | <span class="nb">grep </span>java ec2-user 29225 1 99 12:21 ? 00:00:12 /bin/java <span class="nt">-jar</span> spring-core-devops-0.0.3.jar root 29250 28901 0 12:21 pts/1 00:00:00 <span class="nb">grep</span> <span class="nt">--color</span><span class="o">=</span>auto java </code></pre> </div> <p>In order to view the spring logs we can run the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">tail</span> <span class="nt">-f</span> /var/log/messages </code></pre> </div> <p>If we want to remove services we can run the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl stop spring systemctl disable spring <span class="nb">rm</span> /etc/systemd/system/spring <span class="nb">rm</span> /etc/systemd/system/spring <span class="c"># and symlinks that might be related</span> <span class="nb">rm</span> /usr/lib/systemd/system/spring <span class="nb">rm</span> /usr/lib/systemd/system/spring <span class="c"># and symlinks that might be related</span> systemctl daemon-reload systemctl reset-failed </code></pre> </div> <p>We can check the systemctl services running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl | <span class="nb">grep </span>spring </code></pre> </div> <p>We can see the logs for the service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>journalctl <span class="nt">-u</span> service-name.service </code></pre> </div> <p>You can also stop overrun for the logs with<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> . You We can see the application running at the public address for the ec2 instance (port 8080): ![image](https://user-images.githubusercontent.com/27693622/227719004-83520eb4-97b8-4d52-aa8d-3cfb31e1e602.png) We can also view logs for a certain time frame: ```bash journalctl -u springboot.service --since "2023-03-25 13:36:00" | less </code></pre> </div> <h3> Amazon RDS </h3> <p>We are now going to get our feet wet with Amazon RDS. We will use RDS to manage our mysql database.<br> Amazon backs up the database, applies patches and allows us to offload the management of the database to Amazon.<br> Amazon RDS allows us not to have to manage the database administration. AWS also helps us with security and patching.<br> We will provision an Amazon database on RDS and then update our configuration for our application to use the RDS database.<br> We will leverage the properties for the new database. Everything should work the same.</p> <h4> Provision Mysql database on RDS </h4> <p>We will start by provisioning a database on Amazon RDS.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227983403-7d5e3e2f-7cac-4991-8af0-019cc3315407.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227983403-7d5e3e2f-7cac-4991-8af0-019cc3315407.png" alt="image"></a><br> This takes a while to set up the database:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227985399-b48aff81-0b1a-444c-8bf3-fbd4208e4efb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F227985399-b48aff81-0b1a-444c-8bf3-fbd4208e4efb.png" alt="image"></a><br> We can now connect to the database using the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">guru.springframework.profile.message</span><span class="p">=</span><span class="s">This is mysql rds Profile</span> <span class="py">spring.jpa.properties.hibernate.dialect</span><span class="p">=</span><span class="s">org.hibernate.dialect.MySQL8Dialect</span> <span class="py">spring.datasource.url</span><span class="p">=</span><span class="s">jdbc:mysql://&lt;YOUR MYSQL INSTANCE URL&gt;:3306/springgurudb</span> <span class="py">spring.jpa.hibernate.ddl-auto</span><span class="p">=</span><span class="s">update</span> <span class="py">spring.datasource.username</span><span class="p">=</span><span class="s">spring</span> <span class="py">spring.datasource.password</span><span class="p">=</span><span class="s">password</span> </code></pre> </div> <p>Our application is now running against the rds database locally.<br> We now deploy our application using artifactory and then pull the new jar onto our ec2 instance.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228001418-ebfd5241-3aa8-4438-84c0-a96ef80527b9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228001418-ebfd5241-3aa8-4438-84c0-a96ef80527b9.png" alt="image"></a><br> We can now pull the jar to our ec2 instance using wget:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>wget <span class="nt">--user</span><span class="o">=</span>tom <span class="nt">--password</span><span class="o">=</span>AKCp8nzqSiJFSBYhrCe4q14oDSSsJUH7dhivt4q2Y8ym8igR3fRxdJ3tGSnebXX68aq6CfvKM https://jfrog.drspencer.io/artifactory/libs-release-local/guru/springframework/spring-core-devops/0.0.4/spring-core-devops-0.0.4.jar </code></pre> </div> <p>We then run the application jar:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>java <span class="nt">-jar</span> spring-core-devops-0.0.4.jar </code></pre> </div> <p>Our application is now running on port 8080 on our ec2 instance:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228028858-fc043fc2-32b8-42ae-b715-4183113abc76.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F27693622%2F228028858-fc043fc2-32b8-42ae-b715-4183113abc76.png" alt="image"></a><br> I hope you find this intro to Spring with AWS helpful!</p> spring aws devops Top Tips for the AWS Certified Cloud Practitioner Exam! Tom Spencer Sat, 20 Mar 2021 13:53:33 +0000 https://dev.to/tomspencerlondon/top-tips-for-the-aws-certified-cloud-practitioner-exam-5d1n https://dev.to/tomspencerlondon/top-tips-for-the-aws-certified-cloud-practitioner-exam-5d1n <p><iframe width="710" height="399" src="https://www.youtube.com/embed/5VpzQFJIWW0"> </iframe> </p> <p>I was really pleased to receive the AWS Cloud Practitioner exam this month. It was also great fun to take the opportunity to talk about this shared achievement with Brian Hough, Shubham and Parth. In this video we discussed best approaches for the Cloud Practitioner.</p> <h2>  Resources: </h2> <ol> <li><p><a href="https://acloudguru.com/?utm_source=google&amp;utm_medium=cpc&amp;utm_campaign=1054963165&amp;utm_content=505272982292&amp;utm_term=p_cloudguru&amp;adgroupid=58597121944&amp;gclid=Cj0KCQjwutaCBhDfARIsAJHWnHumaQfuD93ip2RPFDkCab7T0soe94p0jg51g55zVl0JlM9Es4Qf_gAaAuxmEALw_wcB">A Cloud Guru</a>.<br> A Cloud Guru is a nice mix of practical and theory and this was very useful for revising for the exam.</p></li> <li><p><a href="https://www.qwiklabs.com/">Qwik Labs</a><br> I really like working on the Qwiklabs training which includes labs on a wide range of AWS Cloud resources including Serverless Design and Big Data. Very useful for slightly more practical experience using Cloud without the worry of destroying resources.</p></li> <li><p><a href="https://www.udemy.com/course/aws-certified-cloud-practitioner-training-course/learn/lecture/20898054?start=15#overview">Digital Cloud</a><br> This was a really nice overview of the exam. I used the Exam Cram sessions for last minute revision before the exam.</p></li> <li><p><a href="https://pages.awscloud.com/awspowerhour_cloud_practitioner_resources.html">AWS Power Hour</a></p></li> </ol> <p>AWS Power Hour was a very useful overview of the fundamentals of AWS.</p> <ol> <li><p><a href="https://www.youtube.com/watch?v=3hLmDS179YE">Free Code Camp</a><br> I really liked this video from Andrew Brown which gave a really useful high level view of the Cloud services.</p></li> <li><p><a href="https://www.whizlabs.com/login/">Whizlabs</a><br> Whizlabs was very useful for past papers and questions for AWS Cloud Practitioner.</p></li> </ol> <p>The Cloud Practitioner has increased my confidence immensely and I have plans to move onto the AWS Cloud Developer exam. Go AWS!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Ono2tqk4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jydpduha0my7bnqiusbr.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Ono2tqk4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jydpduha0my7bnqiusbr.png" alt="109174575-df3e8a80-777c-11eb-8033-8ad7d2be62ba"></a></p> aws AWS S3: A great way to share files through your browser! Tom Spencer Fri, 19 Feb 2021 19:59:59 +0000 https://dev.to/tomspencerlondon/aws-s3-a-dope-way-to-share-files-through-your-browser-156f https://dev.to/tomspencerlondon/aws-s3-a-dope-way-to-share-files-through-your-browser-156f <p><iframe width="710" height="399" src="https://www.youtube.com/embed/THdZRpFacZY"> </iframe> </p> <p>This article forms part of a series of articles about the range of services that are available on AWS! In an <a href="https://dev.to/tomspencerlondon/aws-power-hour-great-series-of-lessons-to-help-with-aws-cloud-practitioner-exam-2anm">earlier article</a> I described why <a href="https://pages.awscloud.com/awspowerhour_cloud_practitioner_resources.html" rel="noopener noreferrer">AWS Power Hour</a> is such a great resource for learning about the wide range of AWS services. In this article I am continuing the theme of AWS dopeness by using S3 to share files.</p> <h2> WTF is S3? </h2> <p>Amazon Simple Storage Service (Amazon S3) is a safe, secure and highly scalable solution for object storage in the cloud. It is used for backup and storage, application or media hosting, high traffic website hosting or software delivery. To really understand S3 we need to clarify a few simple concepts. So let's get some points clear before we start:</p> <ul> <li>AWS S3 stores data as objects within buckets. An object contains a file and optionally any metadata that describes the file.</li> <li>In order to store objects in S3 you need to upload to a bucket. When you upload to your bucket you can set permissions on each of the objects within your buckets as well as any metadata.</li> <li>You can also control access to your bucket, defining who can create, delete and list objects in the bucket.</li> </ul> <h3> Why is S3 good for me? </h3> <p>Everyone deserves a good series of holiday pics after busting their guts over Christmas.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F9bbpn5unjqrwkdky6y5e.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F9bbpn5unjqrwkdky6y5e.jpg" alt="Remote_Holidays_lzkzce"></a><br> Send it through S3!</p> <h3> Publishing data on Amazon S3 </h3> <p>You are on holiday and want to share some of your pictures with the world. How would you share if you forgot your web server?<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fkdv2k66omz7vlvhn8vfw.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fkdv2k66omz7vlvhn8vfw.jpg" alt="server"></a><br> Amazon S3 is a perfect means by which to store and retrieve any files from anywhere on the internet. Amazon S3 is a web server for your data but save you from paying for keeping a web server. When you store pictures or data on S3 you are only charged for data storage and requests and data transfer.<br> In this article we are going to show you how to share your holiday pics on Amazon S3!</p> <p>In this article I presume you have set up your own AWS account. If you haven't done this check out the instructions <a href="https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/" rel="noopener noreferrer">here</a>.</p> <h2> Create an AWS S3 Bucket </h2> <p>First create your bucket<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F82006r620w014455g9hb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F82006r620w014455g9hb.png" alt="Screenshot 2021-01-21 at 14.33.27"></a><br> Then upload files:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F9j1i24vebb1you67hq8q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F9j1i24vebb1you67hq8q.png" alt="Screenshot 2021-01-21 at 14.35.29"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ff3oi2crjaazryigme38u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Ff3oi2crjaazryigme38u.png" alt="footprint-bucket"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F235z6ofr7lm0cmftg221.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F235z6ofr7lm0cmftg221.png" alt="Screenshot 2021-01-21 at 14.45.18"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F3sy8kuivqdfmey8cpoay.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F3sy8kuivqdfmey8cpoay.png" alt="Screenshot 2021-01-21 at 14.47.02"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fbl6jk64nxxbfld1tgjjk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fbl6jk64nxxbfld1tgjjk.png" alt="Screenshot 2021-01-21 at 14.47.09"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fd0r52g01iejwq9m7vywz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fd0r52g01iejwq9m7vywz.png" alt="Screenshot 2021-01-21 at 14.48.10"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F4xci7kmrmhct53vmiq85.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F4xci7kmrmhct53vmiq85.png" alt="Screenshot 2021-01-21 at 14.48.18"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fplql5dgn3d4mjov4y4i6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fplql5dgn3d4mjov4y4i6.png" alt="Screenshot 2021-01-21 at 14.54.48"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F0jgbouxu5xmg9ohe1cmb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F0jgbouxu5xmg9ohe1cmb.png" alt="add-files"></a></p> <h2> Grant access to the bucket </h2> <p>Go into your bucket and choose edit under block public access. Deselect the Block all public access option and then leave all the options unselected.<br> You will also need to add a bucket policy under bucket policy:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foh7hoxz4af596a5ol7m0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foh7hoxz4af596a5ol7m0.png" alt="Screenshot 2021-02-19 at 20.06.34"></a></p> <p>You should add the correct configuration for your bucket then save the changes. </p> <h2> Configure static website hosting </h2> <p>Next you should choose edit on static website hosting and enable static website hosting. You will then have options to configure the index document and error document.</p> <h2> Enable Cross-Origin Resource Sharing </h2> <p>Finally, you should enable CORS with the following policy under CORS configuration:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fva6n8540e3e6l8gjmy23.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fva6n8540e3e6l8gjmy23.png" alt="Screenshot 2021-02-19 at 20.08.42"></a></p> aws AWS Power Hour: Great series of lessons to help with AWS Cloud Practitioner exam Tom Spencer Sat, 09 Jan 2021 20:08:40 +0000 https://dev.to/tomspencerlondon/aws-power-hour-great-series-of-lessons-to-help-with-aws-cloud-practitioner-exam-2anm https://dev.to/tomspencerlondon/aws-power-hour-great-series-of-lessons-to-help-with-aws-cloud-practitioner-exam-2anm <p>AWS Power Hour is a great course to help learn AWS!</p> <h3> <a href="https://pages.awscloud.com/awspowerhour_cloud_practitioner_resources.html">AWS Power Hour</a> </h3> <p>It includes quizzes, videos, links to important resources and all in a six episode series that encapsulates everything you need to know for your Cloud Practitioner exam. And what's more... it's free! I want to take a moment to explain why I love this course.</p> <p>The course is wide ranging but also the best aspect was the inclusive approach that the AWS Technical Evangelists brought to the twitch series that accompanied AWS Power Hour.</p> <h3> <a href="https://www.twitch.tv/videos/775346474">AWS </a> </h3> <h5> Diagrams </h5> <p>One aspect of the teaching during the AWS Power Hour course was the emphasis on improving our diagrams. Our homework included a task to draw a highly available web application running on Amazon EC2 within a region. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1thhRvQJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://user-images.githubusercontent.com/27693622/104107253-c7857280-52b2-11eb-980e-595000c64d90.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1thhRvQJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://user-images.githubusercontent.com/27693622/104107253-c7857280-52b2-11eb-980e-595000c64d90.png" alt="Screenshot 2021-01-09 at 19 42 02"></a></p> <p>My diagram used an Elastic Load Balancer, Virtual Private Cloud and EC2 instances running in separate regions and public subnets. Not great for security but highly available at least!<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--B4eik6gC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://user-images.githubusercontent.com/27693622/104106927-da974300-52b0-11eb-849d-09af0f90694b.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--B4eik6gC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://user-images.githubusercontent.com/27693622/104106927-da974300-52b0-11eb-849d-09af0f90694b.png" alt="Screenshot 2021-01-09 at 09 01 31"></a></p> <p>Another homework asked us to draw a highly available and automatically scaled </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--hzyfFQeF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://user-images.githubusercontent.com/27693622/104107609-76c34900-52b5-11eb-9356-d5943c0b0278.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--hzyfFQeF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://user-images.githubusercontent.com/27693622/104107609-76c34900-52b5-11eb-9356-d5943c0b0278.png" alt="Screenshot 2021-01-09 at 19 42 11"></a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CSHBJ0nZ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://user-images.githubusercontent.com/27693622/104107713-5647be80-52b6-11eb-9606-84aca354dab0.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CSHBJ0nZ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://user-images.githubusercontent.com/27693622/104107713-5647be80-52b6-11eb-9606-84aca354dab0.png" alt="Screenshot 2021-01-09 at 20 07 32"></a></p> <p>This is a great course and I look forward to sharing progress. </p> <h5> Andrew Brown's Cloud Practitioner Overview </h5> <p>Another useful video is Andrew Brown's epic overview of the AWS Cloud Practitioner exam:<br> <a href="https://www.youtube.com/watch?v=3hLmDS179YE"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--bwByne1e--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://user-images.githubusercontent.com/27693622/104126422-5d250e80-5354-11eb-861e-1aedd0cd457f.png" alt="Screenshot 2021-01-10 at 14 58 31"></a></p> aws cloud Top Ten AWS Services Tom Spencer Mon, 07 Dec 2020 22:50:46 +0000 https://dev.to/tomspencerlondon/top-ten-aws-services-556g https://dev.to/tomspencerlondon/top-ten-aws-services-556g <p>There are a huge amount of AWS services with more being added and updated all the time as <a href="https://markn.ca/2020/andy-jassy-keynote-aws-reinvent/">re:Invent</a> shows. In this article we will give some context by showing you the top ten AWS services.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--TAmmDcl1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.gliffy.com/sites/gliffy/files/image/2020-06/Amazon-EC2_dark-bg.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--TAmmDcl1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.gliffy.com/sites/gliffy/files/image/2020-06/Amazon-EC2_dark-bg.jpg" alt="image"></a></p> <h1> 1. AWS EC2 </h1> <p>The first service allows businesses to do away with physical services. Instead, developers and operations teams can use virtual machines with Amazon EC2 while managing other server features such as ports, security, and storage. Amazon EC2 is the vanilla option for servers on AWS and is extremely popular.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cthBeC52--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://d1.awsstatic.com/icons/jp/rds_icon_concole.fe14dd124ff0ce7cd8f55f63e0112170c35885f1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cthBeC52--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://d1.awsstatic.com/icons/jp/rds_icon_concole.fe14dd124ff0ce7cd8f55f63e0112170c35885f1.png" alt="image"></a></p> <h1>  2. Amazon RDS </h1> <p>Amazon Relational Database Service (RDS) allows developers to create dedicated database instances within minutes. These instances can then support database engines such as SQL, PostgresQL.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--pFlxWYZN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://d1.awsstatic.com/icons/jp/console_s3_icon.64795d08c5e23e92c12fe08c2dd5bd99255af047.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--pFlxWYZN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://d1.awsstatic.com/icons/jp/console_s3_icon.64795d08c5e23e92c12fe08c2dd5bd99255af047.png" alt="image"></a></p> <h1> 3. Amazon RDS </h1> <p>Amazon Simple Storage Service (S3) offers highly secure and redundant file storage. With Amazon S3 we can get flexibility with low latency.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--A1m-8eoH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn2.iconfinder.com/data/icons/amazon-aws-stencils/100/Storage__Content_Delivery_Amazon_CloudFront-512.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--A1m-8eoH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn2.iconfinder.com/data/icons/amazon-aws-stencils/100/Storage__Content_Delivery_Amazon_CloudFront-512.png" alt="image"></a></p> <h1>  4. Amazon CloudFront </h1> <p>CloudFront works as a Global content delivery service (CDN) to improve end user content delivery. CloudFront helps to increase web page loading speed and can even pull website static files from data centres for efficient delivery.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jGFpXCwT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.ajsnetworking.com/wp-content/uploads/2018/01/vpc-vpn-logo.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jGFpXCwT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.ajsnetworking.com/wp-content/uploads/2018/01/vpc-vpn-logo.png" alt="image"></a></p> <h1> 5. Amazon VPC </h1> <p>With VPC (Virtual Private Cloud) we can create a private virtual network that cannot be accessed by anyone or anything except the people and systems we choose.</p> <p>We can create a VPC with our AWS Management Console and then immediately access route tables, security groups, IP ranges and subnets. Some extras include security features such as network access control lists and security groups.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--d_HvBjXa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn2.iconfinder.com/data/icons/amazon-aws-stencils/100/App_Services_copy_Amazon_SNS-512.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--d_HvBjXa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn2.iconfinder.com/data/icons/amazon-aws-stencils/100/App_Services_copy_Amazon_SNS-512.png" alt="image"></a></p> <h1> 6. Amazon SNS </h1> <p>Amazon SNS is an event-driven system that alerts subscribers to perform tasks in response to specified triggers. SNS allows us to send notifications to users on any platform. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--s03JqHab--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://d1.awsstatic.com/icons/console_elasticbeanstalk_icon.0f7eb0140e1ef6c718d3f806beb7183d06756901.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--s03JqHab--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://d1.awsstatic.com/icons/console_elasticbeanstalk_icon.0f7eb0140e1ef6c718d3f806beb7183d06756901.png" alt="image"></a></p> <h1> 7. AWS Beanstalk </h1> <p>With Elastic Beanstalk allows developers to quickly deploy and manage applications in the AWS Cloud without having to learn about the infrastructure that runs those applications. Elastic Beanstalk reduces management complexity but also allows builders to retain choice and control. Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--z1sHMWFD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://miro.medium.com/max/5600/1%2AGxz-GjfXj4nzJxU472kvzw.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--z1sHMWFD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://miro.medium.com/max/5600/1%2AGxz-GjfXj4nzJxU472kvzw.png" alt="image"></a></p> <h1> 8. AWS Lambda </h1> <p>AWS Lambda is a compute service that allows builders to run code without provisioning or managing servers. The service only runs code when it is needed and scales automatically from a few requests a day to thousands a second. Lambda runs on high availability compute infrastructure and performs server and operating system maintenance, capacity provisioning and automatic scaling, code monitoring and logging.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0o-hAlxV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://media.graphcms.com/AlOkB7lQIiWghXsJPhyH" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0o-hAlxV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://media.graphcms.com/AlOkB7lQIiWghXsJPhyH" alt="image"></a></p> <h1> 9. AWS Autoscaling </h1> <p>AWS Auto Scaling lets developers build scaling plans that automate how groups of different resources respond to changes in demand. AWS Auto Scaling automatically creates all scaling policies and sets targets for you based on your preference regarding cost or availability.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--XUDg4uwu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn2.iconfinder.com/data/icons/amazon-aws-stencils/100/Deployment__Management_copy_IAM-512.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--XUDg4uwu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn2.iconfinder.com/data/icons/amazon-aws-stencils/100/Deployment__Management_copy_IAM-512.png" alt="image"></a></p> <h1> 10. AWS IAM </h1> <p>AWS Identity Access Management fortifies sensitive data and AWS resources. It can be used together with 2FA and MFA and provides a useful extra layer of security. IAM allows users to manage users, roles and groups and decide how much or how little access to provide. Developers can also use service linked roles to delegate permissions to AWS services that create and manage AWS resources on their behalf.</p> aws AWS Community Builders react to AWS re:Invent 2020🤯 Tom Spencer Sat, 05 Dec 2020 17:39:32 +0000 https://dev.to/tomspencerlondon/aws-community-builder-reacts-to-aws-re-invent-2020-31bg https://dev.to/tomspencerlondon/aws-community-builder-reacts-to-aws-re-invent-2020-31bg <p>👉👉 Jump to the reactions 👈👈</p> <h2> Intro </h2> <h3> What is re:Invent? </h3> <p>Packed with keynote announcements, training opportunities, and more than 2,500 technical sessions, re:Invent is a chance for the global cloud computing community to find out the latest news from AWS HQ, brush up on their skills, and take valuable insight back to their teams and businesses.</p> <h3> Why is re:Invent so important? </h3> <p>AWS re:Invent 2020 is the Amazon Web Services annual user conference that focuses on:</p> <ul> <li>Cloud strategies</li> <li>Cloud operations</li> <li>Security and developer productivity</li> <li>IT architecture and infrastructure</li> </ul> <h3> What is different about re:Invent this year? </h3> <p>Like everything in 2020, this year’s AWS re:Invent will be different. But unlike everything else about this year, there could be a massive upside because AWS re:Invent 2020 is free and entirely virtual.</p> <h3> What is an AWS Community Builder? </h3> <p>Community Builders are individuals who are passionate about using AWS and share what they have learned through blog posts, online articles like this one, teaching others, and more. The idea is the community builder shares their experience to help others either not make the same mistakes, or look at a problem differently and consider other solutions.</p> <h4> Why write this article? </h4> <p>I wanted to give a short overview of each of the AWS announcements with some expert reactions in order to assess the advantages of new developments in the AWS stack.</p> <h1> AWS Community Builder Reactions and Analysis<a></a> </h1> <h3> <a href="https://markn.ca/2020/andy-jassy-keynote-aws-reinvent/">Andy Jassy Keynote, AWS Re:Invent 2020</a> </h3> <p>The following are the list of key service updates announced by Andy Jassy in his keynote speech today (December 1).</p> <h3> Instances </h3> <h4>  Habana Gaudi-based Amazon EC2 instances </h4> <p>ML training powered by new processors from Intel.</p> <h4> AWS Trainium </h4> <p>ML Training Chip custom designed by AWS to deliver the most cost-effective training in the cloud. Available on EC2 or Sage Maker <a href="https://medium.com/techprimers/aws-re-invent-2020-andy-jassy-keynote-highlights-7e554c9c6c1f">(read full article)</a></p> <div class="ltag__link"> <a href="/movingtoweb" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--o4r66g54--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/practicaldev/image/fetch/s--5vHha-2Q--/c_fill%2Cf_auto%2Cfl_progressive%2Ch_150%2Cq_auto%2Cw_150/https://dev-to-uploads.s3.amazonaws.com/uploads/user/profile_image/463641/dc6bd12e-5228-4cb2-980b-d21057d9c6c6.jpg" alt="movingtoweb image"> </div> </a> <a href="/aws-builders/aws-re-invent-2020-andy-jassy-keynote-highlights-2cok" class="ltag__link__link"> <div class="ltag__link__content"> <h2>AWS re:Invent 2020 - Andy Jassy Keynote Highlights</h2> <h3>Ajay Kumar S ・ Dec 1 '20 ・ 4 min read</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#aws</span> <span class="ltag__link__tag">#cloud</span> <span class="ltag__link__tag">#serverless</span> <span class="ltag__link__tag">#reinvent</span> </div> </div> </a> </div> <h3> <a href="https://dev.to/aws-builders/whats-new-in-data-re-invent-andy-jassy-keynote-7fa">Whats New In Data: re:invent Andy Jassy Keynote</a> </h3> <p>It's a different experience this year. The chat with my teammates is a mixture of discussion about new features and pictures of good times in Vegas from previous re:Invent conferences.</p> <p>Andy Jassy has finished the first keynote of 2020 and I was not disappointed. Lots of great new features that we have use cases for.</p> <p>Here are my favourite data related features announced during the Andy Jassy re:Invent keynote.<br> </p> <div class="ltag__link"> <a href="/mattdevdba" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--QxVtZ8Pl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/practicaldev/image/fetch/s--JKQbNSb5--/c_fill%2Cf_auto%2Cfl_progressive%2Ch_150%2Cq_auto%2Cw_150/https://dev-to-uploads.s3.amazonaws.com/uploads/user/profile_image/497647/ac802119-2e79-43b5-a5c9-dee3eb517124.jpg" alt="mattdevdba image"> </div> </a> <a href="/aws-builders/whats-new-in-data-re-invent-andy-jassy-keynote-7fa" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Whats New In Data: re:invent Andy Jassy Keynote</h2> <h3>Matt Houghton ・ Dec 1 '20 ・ 5 min read</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#datascience</span> <span class="ltag__link__tag">#analytics</span> <span class="ltag__link__tag">#database</span> <span class="ltag__link__tag">#aws</span> </div> </div> </a> </div> <h3> <a href="https://aws.amazon.com/blogs/aws/preview-aws-proton-automated-management-for-container-and-serverless-deployments/">AWS Proton</a> </h3> <p>The process of defining a service template involves the definition of cloud resources, continuous integration and continuous delivery (CI/CD) pipelines, and observability tools. AWS Proton will integrate with commonly used CI/CD pipelines and observability tools such as CodePipeline and CloudWatch. It also provides curated templates that follow AWS best practices for common use cases such as web services running on AWS Fargate or stream processing apps built on AWS Lambda.</p> <p>Infrastructure teams can visualize and manage the list of service templates in the AWS Management Console.</p> <p>This is what the list of templates looks like. <a href="https://aws.amazon.com/blogs/aws/preview-aws-proton-automated-management-for-container-and-serverless-deployments/">(read full article)</a></p> <div class="ltag__link"> <a href="/mubbashir10" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--razrZp_G--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/practicaldev/image/fetch/s--772GqnnK--/c_fill%2Cf_auto%2Cfl_progressive%2Ch_150%2Cq_auto%2Cw_150/https://dev-to-uploads.s3.amazonaws.com/uploads/user/profile_image/342158/ace1bad3-8147-420d-9e3a-1bb8c1b4940e.jpg" alt="mubbashir10 image"> </div> </a> <a href="/mubbashir10/aws-proton-tutorial-sample-nodejs-app-2f9k" class="ltag__link__link"> <div class="ltag__link__content"> <h2>AWS Proton Tutorial - Sample NodeJS App</h2> <h3>Mubbashir Mustafa ・ Dec 4 '20 ・ 6 min read</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#aws</span> <span class="ltag__link__tag">#devops</span> <span class="ltag__link__tag">#docker</span> <span class="ltag__link__tag">#tutorial</span> </div> </div> </a> </div> aws OWASP Top Ten Tom Spencer Thu, 01 Oct 2020 00:00:00 +0000 https://dev.to/tomspencerlondon/owasp-top-ten-9nc https://dev.to/tomspencerlondon/owasp-top-ten-9nc <p>In this article, we discuss why the Open Web Application Security Project Top Ten is important in a developer context. The Open Web Application Security Project is a non-profit foundation that works to improve the security of software. The OWASP Top Ten raises vital issues of software security regularly based on most recent security breaches in the industry. Security can no longer be an afterthought, developers and <a href="https://codurance.com/2020/09/07/why-is-owasp-important-for-business-leaders/">business leaders</a> need to bake in security to their applications and be ready to explain to senior management how to protect the company.</p> <p>Application security is of paramount importance for companies. Breaches of application security can lead to regulatory fines, identity theft and fraud. Poor security can damage an organisation, its finances and personnel. In 2017 the Wannacry virus hit a perhaps overly complacent Talk Talk and reportedly cost the NHS £92 million, impacting the provision of care to <a href="https://eandt.theiet.org/content/articles/2017/05/wannacry-and-ransomware-impact-on-patient-care-could-cause-fatalities/">patients</a>. The <a href="https://www.theguardian.com/business/2014/may/05/target-chief-executive-steps-down-data-breach">CEO of Target resigned</a> after a serious data breach. Other data breaches include <a href="https://www.bbc.co.uk/news/world-us-canada-49159859">Capital One</a> which was fined $80 million for a data breach affecting up to 100 million users. </p> <p>In this article, we will consider the Top Ten application vulnerabilities as laid out by the <a href="https://owasp.org/www-project-top-ten/">Open Web Application Security Project</a> (OWASP).</p> <h2> OWASP </h2> <p>The Open Web Application Security Project is an online community that produces freely available articles on cyber security. The OWASP foundation also releases a regular update on the top ten security threats. The OWASP Top Ten is a regularly updated catalogue of app security incidents and vulnerabilities, first published in 2003. The mission of the OWASP foundation is to raise awareness about application security by identifying the current most critical risks companies are facing. This article reviews these vulnerabilities and also explores possible solutions for each of them.</p> <h2> 1. Injection </h2> <h2> SQL Injection </h2> <p>SQL injection involves the contamination of ordinary user input in order to turn one SQL statement into more than one. The archetypal example is the <a href="https://xkcd.com/327/">Bobby Tables attack</a>.<br> In this amusing tale, the boy’s first name is “Robert’);” and his last name is “DROP TABLE Students;-- ”. The records application at Bobby’s school has concatenated strings in order to make queries to the database. The bracket in Bobby’s first name prematurely terminates the original query. Then his last name does its damage. The double hyphen at the end of Bobby’s surname acts as a comment so that the database will ignore the remainder of the input and the originally intended query.</p> <p>In order to avoid SQL injection developers should avoid using a plain SQL statement in Java:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> String query = "SELECT * FROM STUDENT WHERE NAME = '" + name + "‘;" </code></pre> </div> <p>Instead, developers should rather use a prepared statement:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> String query = “SELECT * FROM STUDENT WHERE NAME = ?;”; PreparedStatement stmt = connection.prepareStatement(query); stmt.setString(1, name); ResultSet results = stmt.executeQuery(); </code></pre> </div> <p>Here we prepare the SQL statement and turn the SQL into parameterized code without danger of injecting arbitrary SQL into the program.</p> <h2> Tips: </h2> <ul> <li>Use positive or “whitelist” server-side input validation</li> <li>Escape special characters for inputs</li> </ul> <h2> 2. Broken Authentication and Session Management </h2> <p>Authentication is the process of verifying that a user, or application, is who or what they claim to be. Authentication is usually carried out through the user inputting private information.</p> <p>Session management is the process whereby the server maintains the state of the entity it is interacting with. This is necessary because HTTP is a stateless protocol meaning that it does not keep context information from earlier sent packets of information. Each transmission via HTTP can be understood in isolation without reference to other sent packets. Websites requiring sign-in use sessions in order to persist the user’s interaction with the site.</p> <p>Sessions are maintained on the server through a session identifier which is passed back and forth with the client when transmitting and receiving requests. As a first precaution application should not include session IDs in their URLs.</p> <p>“Session hijacking” is a major vulnerability for applications. In this form of attack, a session ID in plain text might be duplicated by the attacker. An attacker might have found a session identifier in the front end in order to carry out this attack, so ensuring that session identifiers are hidden is a good best practice. </p> <p>There are many areas to consider when preparing a business case for a modernisation project. Still, most of the time, you can be quite safe if you focus on these three factors: the audience, what they need to know, and what they pay off is.</p> <h2> Tips: </h2> <ul> <li>Session IDs should be randomly generated and regenerated each time the user authenticates.</li> <li>Avoid allowing unlimited authentication attempts as this can be an invitation for hackers.</li> </ul> <h2> 3. Sensitive Data Exposure </h2> <p>Sensitive data can be loosely defined as valuable information that can be stolen or used against the victim. Sensitive data includes credit card details, medical records, email and even purchasing records.</p> <p>Sensitive data exposure is often headline-worthy and can be incredibly damaging for companies. Here, it is useful to differentiate between data at rest and data in transit. Data in transit is data actively moving from one location to another. Data at rest is data stored on any device or network. Attackers are more likely to raid data in transit than attempt to break cryptographic protections. An attack might take place at points in the network where there is no TLS and information is passed through REST or HTTP (perhaps internally). An attacker could also target a stolen laptop with unencrypted information.</p> <p>Teams should apply mutual authentication between microservices using TLS. This has the added advantage of encrypting data transmission between microservices.<br> It is also important to ensure sensitive data is encrypted in the database and to decrypt data based on the user’s authorization as opposed to that of the server. Avoid <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">storing passwords</a> in plain text.</p> <h2> Tips: </h2> <ul> <li>Classify and identify sensitive data in applications according to privacy laws or business needs</li> <li>Don’t store sensitive data unnecessarily</li> <li>Encrypt all sensitive data at rest</li> <li>Encrypt all data in transit with secure protocols such as TLS</li> </ul> <h2> 4. XML External Entities (XXE) </h2> <p>XML or External Entity Injection is a web vulnerability which allows the attacker to interfere with the processing of XML data. Here is an example of Java code that is open to an XML injection attack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> File xmlFile = new File(“c://input.xml”); DocumentBuilder dBuilder = dbFactory.newDocumentBuilder(); Document doc = dBuilder.parse(xmlFile); </code></pre> </div> <p>The referenced XML file contains a further reference to a potentially malicious external (secret.txt):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> &lt;?xml version=”1.0”?&gt; &lt;DOCTYPE test [ &lt;!ENTITY xxe SYSTEM “c://secret.txt” &gt; ]&gt; &lt;test&gt;&amp;xxe;&lt;/test&gt; </code></pre> </div> <p>The insertion of the secret.txt file could allow the attacker to embed malicious code within the XML parser code. In order to protect against this form of attack we should add the following to our Java code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> DocumentBuilderFactor dbFactory = DocumentBuilderFactory.newInstance(); dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); </code></pre> </div> <p>Here the secure processing feature is set to true in order to ensure that our XML is safe from <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">injection attacks</a>.</p> <h2> Tips: </h2> <ul> <li>Wherever possible use less complex data formats such as JSON and avoid serialization of sensitive data</li> <li>Upgrade all XML processors and libraries in use. Use SOAP 1.2 or higher</li> <li>Disable XML external entity in all XML parsers</li> </ul> <h2> 5. Broken Access Control </h2> <p>Broken access control is when a user can access a resource or perform an action that they are not authorized to access. Broken access control can occur when attackers are able to directly access objects on the server. The following code uses unverified data from a request in an SQL query that is accessing information from the database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> stmt.setString(1, request.getParameter(“#123”); ResultSet results = stmt.executeQuery(); </code></pre> </div> <p>The attacker is, therefore, able to modify the URL in the browser to query any account they want:</p> <blockquote> <p><a href="http://mybank.com/app/accountInfo?acct=#456">http://mybank.com/app/accountInfo?acct=#456</a></p> </blockquote> <p>There are two possible means by which this form of attack might be mitigated.</p> <p>The first, and perhaps more obvious protection against broken access control, would be to avoid including sensitive information in URLs. A further extension of this approach would be to use session specific mapping from random IDs to real IDs or use generic URLs that are session sensitive. </p> <p>The second, more general, rule to follow would be that if a caller is not authorized to see the contents of a resource it should be as if the resource does not exist. In Java this is relatively easy to implement with @Preauthorize:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> @PreAuthorize(“hasAuthority(‘Admin’)”) @RequestMapping(“/restricted”) @ResponseBody public String restricted() { return “restricted”; } </code></pre> </div> <p>The @Preauthorize annotation ensures that an attacker would get a 403 response if they tried to access the resource.</p> <h2> Tips: </h2> <ul> <li>JWT tokens should be invalidated on the server after logout</li> <li>Log access control failures and alert admins for repeated failures</li> <li>With the exception of public resources, deny by default</li> </ul> <h2> 6. Security Misconfiguration </h2> <p>Security misconfiguration occurs when developers fail to implement all the security controls for a server or web application, or worse, implement security controls with errors. In 2017 an unknown group of hackers were able to gain access to thousands of MongoDB databases by using the default passwords. The lesson is clear, forbid default passwords. Default passwords are a serious hazard.</p> <p>Another metric for security configuration is an overexposed "attack surface", meaning the sum of IP addresses ports and protocols open to attackers. This vulnerability can be easily reduced by splitting internal traffic into its own interface separate from public facing traffic. It is also important to have a clear inventory of applications that are exposed on production. A sample server application released inadvertently to <a href="https://codurance.com/2020/09/25/how-can-i-streamline-a-path-to-production/">production</a> can be an attractive target for attackers particularly since some of them are well known and are never updated. Reducing the “attack surface” is also a responsibility of the wider team in ensuring that release processes are robust in order to monitor and test non-production hardened applications.</p> <h2> Tips: </h2> <ul> <li>Automate processes to verify effectiveness of configurations in all environments</li> <li>Keep platforms minimal without unnecessary features, components, documentation and samples</li> <li>Remove or do not install unused features and frameworks</li> </ul> <h2> 7. Cross Site Scripting (XSS) </h2> <p>Cross site Scripting, or XSS, is when an attacker deceives the client into running JavaScript in the victim’s browser. Reflected XXS occurs when attackers manipulate the DOM in order to add their own data. Vulnerability to this kind of attack is even possible in <a href="https://medium.com/node-security/the-most-common-xss-vulnerability-in-react-js-applications-2bdffbcc1fa0">modern JS applications</a>. Vulnerable code would look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> &lt;script&gt;window.__STATE__ = $(JSON.stringify({data})&lt;/script&gt; </code></pre> </div> <p>Here, JSON.stringify() will turn data into a string as long as it is valid JSON for rendering on the page. Accordingly, attackers might add scripts to usernames or bios:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> { username: “LOL”, bio: “&lt;/script&gt;&lt;script&gt;alert(“XSS attack!”)&lt;/script&gt; } </code></pre> </div> <p>One solution to this vulnerability is to use the serialize-javascript npm module to escape the rendered JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> &gt; npm install --save serialize-javascript </code></pre> </div> <p>The window variable can then be wrapped in the method serialise():<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> &lt;script&gt;window.__STATE__ = ${ serialize( data, { isJSON: true } ) }&lt;/script&gt; </code></pre> </div> <p>Serializing and deserializing data is a common source of vulnerability and we will revisit this issue later in the article.</p> <h2> Tips: </h2> <ul> <li>Use frameworks that automatically escape XSS by design</li> <li>Escape untrusted HTTP request data</li> <li>Apply context sensitive encoding to protect against DOM XSS</li> </ul> <h2> 8. Insecure deserialization </h2> <p>Serialization, aka marshalling in some languages, involves the conversion of objects to byte streams for transmission so that the object can then be reverted to a copy of the object. In this process, objects are converted into a format that can be saved to the database or transferred over a network. The reverse, deserialization, is when a serialized object is read from a file or network and converted back into an object.</p> <p>Insecure deserialization can result in arbitrary code execution, granting attackers a wide range of capabilities. It occurs when attackers are able to manipulate serialized objects and authenticate as someone they are not. If an application uses insecure deserialization malicious users might even be able to embed code snippets in the object for execution during deserialization. Generally, deserialization of user input should be avoided unless absolutely necessary. Attacks involving insecure deserialization can also be used to inflict a DoS attack, execute code, whether through SQL injection, XSS.</p> <h2> Tips: </h2> <ul> <li>Enforce strict type constraints during deserialization before object creation</li> <li>Log deserialization exceptions and failures</li> <li>Monitor deserialization and alert if a user deserializes constantly</li> </ul> <h2> 9. Using components with Known vulnerabilities </h2> <p>Known vulnerabilities are publicly disclosed security bugs. Attackers use these public vulnerabilities to target applications so it is important to ensure that security is up to date. Snyk is a good resource for checking vulnerabilities. For node applications Snyk can be installed via npm and authenticated on the command line. We can then use the command ‘snyk test’ to check the project for known vulnerabilities. Snyk is available in many other languages including Java.</p> <p>It is extremely important for teams to stay ahead of potential vulnerabilities. Apache Struts 2 was a particularly notorious example of a third party vulnerability that was exploited by attackers. Apache Struts 2 is an open-source Java web application <a href="https://www.youtube.com/watch?v=Ks46P0Wsi-U">framework</a>.</p> <h2> Tips: </h2> <ul> <li>Remove unused dependencies, unnecessary features, components, files and documentation</li> <li>Continuously inventory versions of client side and server side components</li> <li>Monitor for unmaintained libraries and components without security patches for older versions</li> </ul> <h2> 10. Insufficient logging and monitoring </h2> <p>A good definition of monitoring was laid out by Greg Poirier put it at the Monitorama 2016 <a href="https://vimeo.com/173610062">conference</a>:</p> <blockquote> <p>Monitoring is the action of observing and checking the behavior and outputs of a system and its components over time.</p> </blockquote> <p>Exploiting insufficient logging and monitoring is the bedrock of nearly every major data breach or security incident. Attackers rely on the lack of monitoring and timely response to avoid detection. Unfortunately, there is no magic silver bullet to resolve lack of monitoring in your <a href="https://www.goodreads.com/book/show/17346927-the-practice-of-network-security-monitoring">organisation</a>.<br> For organisations running large infrastructure paying monitoring servers is not sufficient but needs to be combined with monitoring network infrastructure and applications.</p> <p>Many software attacks use rootkits in order to gain access level to a computer or network. Rootkits are programs that apply concealment techniques to malicious code and activities in order to avoid detection. Rootkits can be difficult to detect. Rkhunter is one example of a security monitoring tool which scans for rootkits and other vulnerabilities. This can be a useful addition to your monitoring toolkit.</p> <h2> Tips: </h2> <ul> <li>Establish effective monitoring and alerting to detect and respond to suspicious activities quickly and efficiently</li> <li>Ensure logs are generated in a format that is easily consumed by centralized log management solutions</li> <li>Ensure an audit trail for high value transactions</li> </ul> <h2> Conclusion </h2> <p>The wide range of companies that have fallen victim to malicious breaches and the widely publicised mega breaches of recent years shows the importance of making security assessment part of the everyday work of developers, architects and business leaders. Possible team wide initiatives to improve security awareness could include a bug bounty, gamifying clearer developer understanding through regular email challenges or even a monthly cybersecurity quiz night. The most important point is to build a learners’ mindset amongst teams regarding cybersecurity and the OWASP Top Ten is a first port of call for better understanding in order to plan and defend against possible threats. The findings regularly remind us of the importance of baking security into the development process in order to manage security risks <a href="https://www.goodreads.com/en/book/show/34695178-securing-devops">effectively</a>.</p> <p>For developers interested in developing awareness of the OWASP top ten amongst business leaders we have another article directed at <a href="https://codurance.com/2020/09/07/why-is-owasp-important-for-business-leaders/">business leaders</a>.</p> <p>If you wish to learn more about refactoring and improving security for your business please fill out the form below to access the handout.</p>