Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Introduction

AWS Lambda function's code consists of scripts or compiled programs and their dependencies. We use a deployment package to deploy our function code to Lambda. Lambda supports two types of deployment packages: container images and .zip file archives. We are going to use the updateLambdaFunctionCode operation to deploy the function code. The operation can deploy the function code from the AWS ECR, S3 Bucket, and local Archive directory. We can select the option to publish a new version, by default operation will not publish the new version. Using the Environment variables file or Input Argument we can also add the function Environment variables. Operation also support encryption of the variables using AWS KMS key. Operation will use the configured AWS cloud account to perform the operation.

Objective

The goal of the tutorial is to perform the deployment in AWS Lambda using the AWS ECR and the Environment file present at the git repository and to encrypt secured variables, we will use the AWS KMS key. AWS plugin has updateLambdaFunctionCode operation, we will use this operation to perform deployment in an easy way. In this tutorial, we will use the code present at the git repository to create the docker image and then we will push it to AWS ECR. We will use that newly created image in our AWS Lambda function.

  • configuration of the properties e.g. Cloud account, and CLI path.

  • cloning the code and environment file from the Git repository.

  • create the docker image and push it to the AWS ECR registry.

  • perform the deployment.

  • verify the deployment.

Checklist

Checklist

Description

AWS Access Key

AWS Access Key of the user.

AWS Secret Key

Password for the Access Key

AWS Default Region

Default region can be set. eg. ap-south-1

AWS CLI Installation

AWS CLI needs to be installed where the plugin operation shall run (FlexDeploy server)

AWS CLI in class path

AWS CLI should be added to the class path on the FlexDeploy Server. Else the path can also be set under FlexDeploy environment level property

AWS Lambda Function

AWS Lambda Function should be already present.

AWS KMS Key

AWS KMS key to secured the environment variable.

AWS ECR

AWS Elastic Container Registry should be already created.

Configure Container Account

Configure the container account, with AWS ECR registry details.

Configure Cloud Account

To connect with AWS Lambda Function, we required to configure Cloud account, with credentials details. Configure AWS Cloud Account under Integration. FlexDeploy will connect to the Lambda Function and add the environment variables.

  1. Navigate to the Integrations

  2. Select Cloud from the left-hand pane

  3. Create a new Cloud account with the “+” button. Create a new Cloud account of provider type “AWS”

It should have a AWS Access Key and AWS Secret Key. The user must have relevant access to AWS Lambda Function.

  1. AWS Secret Key is a password field and hence needs to be kept hidden. To update the same click on the pencil icon as shown below

  2. Update the AWS Secret Key value under Secret Text. This is to make sure no one else can retrieve the password

After configuration we would be able to use the Cloud Account as a drop down from the list.

Create AWS Lambda Function

AWS Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, and logging. With Lambda, all you need to do is supply your code in one of the language runtimes that Lambda supports. Please refer to the link for more information https://docs.aws.amazon.com/lambda/latest/dg/welcome.html

To create the Lambda Function go to the AWS console

  1. Navigate to the Services

  2. Select Compute from the left-hand pane

  3. Now click on the Lambda service option

After selecting the Lambda service, new window will open and it contains detail of all the functions.

Now select the create function option, it will open window to create function and configured detail.

By default AWS creates execution role with basic Lambda permissions, we can select an existing role also. In above example we are using existing role ( basic-lambda-role ) . Please refer to the link for more information https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

The role which we are selecting must have basic Lambda permissions, the role we have selected also have permission for KMS key to decrypt the secured variables. If we are using the KMS key to encrypt the secured variables then we must have to give permission to the role to use the KMS key.

In above role we can see we have one permissions policy name as kms-access, this policy allow us to use the KMS key to decrypt the variables, which we have used to encrypt the variables.

Policy detail:

Trust relationships detail: ( Entities that can assume this role under specified conditions )

Detail of the AWS Lambda function which we have created and going to use for this tutorial:

If we check the Code details of the function, then we found we have sample code. We will update the code using our AWS plugin operation.

On testing the code, using the Test option provided by AWS Lambda we will get this response:

If we check the Environment variables details under the Configuration, there is no environment variables are present. Once successful execution of the operation we should be able to see some environment variables.

Create AWS KMS Key

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for us to create and control the cryptographic keys that are used to protect our data. Please refer to the link for more information https://aws.amazon.com/kms/

AWS KMS key is required to encrypt the secured variables before adding them to Lambda function. If we don’t have any secured variables in that case we don’t required to configure KMS key detail in the project. In our scenario we are adding both secured and non-secured variables to the Lambda function.

To create the Lambda Function go to the AWS console

  1. Navigate to the Services

  2. Select Security, Identity, & Compliance from the left-hand pane

  3. Now click on the Key Management Service service option

Detail of the KMS key which we are using for this tutorial:

We can use Key ID or Key ARN value in the project to encrypt the variables, both are accepted.

Create AWS ECR

Amazon Elastic Container Registry (Amazon ECR) is a managed container image registry service. Customers can use the familiar Docker CLI, or their preferred client, to push, pull, and manage images. Amazon ECR provides a secure, scalable, and reliable registry for your Docker or Open Container Initiative (OCI) images. Amazon ECR supports private repositories with resource-based permissions using IAM so that specific users or Amazon EC2 instances can access repositories and images.

To create the AWS ECR go to the AWS console

  1. Navigate to the Services

  2. Select Containers from the left-hand pane

  3. Now click on the Elastic Container Registry service option

After selecting the Elastic Container Registry service, new window will open and it contains detail of all the ECR details.

Now select the create repository option, it will open window to create repository and configured details.

We can see the details of ECR registry.

Configure Container account

Configure AWS Container Account under Topology. FlexDeploy will connect to the AWS private container registry and push the image.

  1. Navigate to the Integrations from the Menu.

  2. Navigate to the Containers tab under the Integrations.

  3. Create a new Containers account with the “+” button. Create a new Docker Registry account of provider type “DockerRegistry”

It should have a Registry Address, Registry User, and Registry Token/Password configured in it.

To push image to AWS private container registry, the IAM user at least have permission of AmazonEC2ContainerRegistryPowerUser.

  1. Docker Registry Token/password needs to be kept hidden. To update the same click on the pencil icon as shown below

  2. next update the AWS IAM user key under Secret Text. This is to make sure no one else can retrieve the password

Git repository structure

The Git repository should be a docker based application. Dockerfile should be present in application to build the image and environment variables file to add the variables.

The Sample Git repository structure is given below:

Pre-requisite

Configure IAM User

To access the Lambda Function we need to create an AWS IAM account with required permissions. To create the AWS IAM user navigate to the AWS Identity and Access Management (IAM) service page, and click on the Add users option. Next assign the required permission to access the Lambda Function. Once user is created, AWS secret key can be generated, this key we have to configure in Cloud account.

For more information about IAM user please ref. IAM users - AWS Identity and Access Management

CLI Installation

  • AWS CLI should be installed in the m/c where the plugin is to be executed. Preferably add AWS CLI path in m/c classpath.

Build and Deploy Workflows

Navigate to the Workflows tab and create a workflow using the “+”(Click to create new Workflow) button as highlighted below.

Next, create one Build and Deploy workflow as shown below. The workflow Type field defines the type of workflow.
Build Workflow

  1. Navigate to the Workflows

  2. Select the “+” button from the left-hand pane to create a new workflow

Deploy Workflow

  1. navigate to the Workflows

  2. Select the “+” button from the left-hand pane to create a new workflow

  • No labels