Introduction
AWS Lambda function's code consists of scripts or compiled programs and their dependencies. We use a deployment package to deploy our function code to Lambda. Lambda supports two types of deployment packages: container images and .zip file archives. We are going to use the updateLambdaFunctionCode operation to deploy the function code. The operation can deploy the function code from the AWS ECR, S3 Bucket, and local Archive directory. We can select the option to publish a new version, by default operation will not publish the new version. Using the Environment variables file or Input Argument we can also add the function Environment variables. Operation also support encryption of the variables using AWS KMS key. Operation will use the configured AWS cloud account to perform the operation.
Objective
The goal of the tutorial is to perform the Blue/Green deployment in AWS Lambda. We will use the function code available at S3 bucket and the Environment file present at the git repository, and to encrypt secured variables, we will use the AWS KMS key. AWS plugin has updateLambdaFunctionCode, getLambdaAlias, and upsertLambdaAlias operations, these operations we can use to perform the Blue/Green deployment in an easy way. Blue Green Deployment is just like we deploy two versions of our application, one is the stable version, and another is a new feature or bug fix let’s say, forwarding a certain percentage of traffic to the second version as well in production to ensure that everything is working fine. The Blue environment represents the currently active version of the Lambda function. In contrast, the Green environment is a development version of code where new changes are deployed and tested. Once the changes in the Green environment are verified, green deployment will be promoted to Blue, enabling seamless and zero-downtime deployments. With Blue Green deployment we can test our application with real-time users, without replacing the production workload completely.
configuration of the properties e.g. Cloud account, and CLI path.
cloning the environment file from Git repository.
create an Alias to Maintain Blue/Green Deployment. ( Alias map to the stable version that is Blue )
deploy the function code with the environment variables and publish a new version (Green)
update Alias to Map new version (Green), weighted at some X% (Blue version at (100-X)% of traffic)
Verify that the new version is healthy
Detail of Blue/Green Deployment
Blue-Green Deployment in AWS Lambda involves two services, API Gateway and AWS Lambda, we’ll use API Gateway’s Lambda integration with an alias to shape it as Blue-Green Deployment, here Lambda Function Consists of two different but identical environments called Blue and Green respectively.
These two different lambda versions, mapped to a single Lambda alias, a pointer to one (or another additional weighted version) version of the Lambda function. Lambda Versions are revisions of our code, we can create new versions of code without disturbing the production workload.
API Gateway: Allows us to specify a lambda alias as a target, so we can specify a lambda alias that has a Blue-Green Deployment setup configured, i.e. routing traffic to two different environments using the single API.
Blue Deployment: It’s the primary Deployment which is stable, and being used as production.
Green Deployment: It’s a kind of clone version, but it has additional changes in it, we can route the traffic to the Green deployment so that if any issues are there in the Deployment we can fix them and then promote it to Blue, so that reducing the chances of failures in production environment.
Advantage of Blue-Green Deployment:
Zero Downtime: Blue-Green Deployment eliminates downtime during the deployment process since the switch from the blue to the green environment is instantaneous. This ensures uninterrupted service availability for users.
Fast Rollback: In case any issues or failures occur during the deployment of the new version in the green environment, rolling back to the stable version in the blue environment is quick and straightforward.
Reliable Testing: Blue-Green Deployment allows comprehensive testing of the new version in an environment that mirrors the production setup. This ensures a higher level of confidence in the stability and compatibility of the new version before directing user traffic to it and many more…
Checklist
Checklist | Description |
AWS Access Key | AWS Access Key of the user. |
AWS Secret Key | Password for the Access Key |
AWS Default Region | Default region can be set. eg. ap-south-1 |
AWS CLI installation | AWS CLI needs to be installed where the plugin operation shall run (FlexDeploy server) |
AWS CLI in class path | AWS CLI should be added to the class path on the FlexDeploy Server. Else the path can also be set under FlexDeploy environment level property |
AWS Lambda Function | AWS Lambda Function should be already present. |
AWS KMS Key | AWS KMS key to secured the environment variable. |
Configure Cloud account
To connect with AWS Lambda Function, we required to configure Cloud account, with credentials details. Configure AWS Cloud Account under Integration. FlexDeploy will connect to the Lambda Function and add the environment variables.
Navigate to the Integrations
Select Cloud from the left-hand pane
Create a new Cloud account with the “+” button. Create a new Cloud account of provider type “AWS”
It should have a AWS Access Key and AWS Secret Key. The user must have relevant access to AWS Lambda Function.
AWS Secret Key is a password field and hence needs to be kept hidden. To update the same click on the pencil icon as shown below
Update the AWS Secret Key value under Secret Text. This is to make sure no one else can retrieve the password
After configuration we would be able to use the Cloud Account as a drop down from the list.
Create AWS Lambda Function
AWS Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, and logging. With Lambda, all you need to do is supply your code in one of the language runtimes that Lambda supports. Please refer to the link for more information https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
To create the Lambda Function go to the AWS console
Navigate to the Services
Select Compute from the left-hand pane
Now click on the Lambda service option
After selecting the Lambda service, new window will open and it contains detail of all the functions.
Now select the create function option, it will open window to create function and configured detail.
By default AWS creates execution role with basic Lambda permissions, we can select an existing role also. In above example we are using existing role ( basic-lambda-role ) . Please refer to the link for more information https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
The role which we are selecting must have basic Lambda permissions, the role we have selected also have permission for KMS key to decrypt the secured variables. If we are using the KMS key to encrypt the secured variables then we must have to give permission to the role to use the KMS key.
In above role we can see we have one permissions policy name as kms-access, this policy allow us to use the KMS key to decrypt the variables, which we have used to encrypt the variables.
Policy detail:
Trust relationships detail: ( Entities that can assume this role under specified conditions )
Detail of the AWS Lambda function which we have created and going to use for this tutorial:
If we check the Code details of the function, then we found we have sample code. We will update the code using our AWS plugin operation.
On testing the code, using the Test option provided by AWS Lambda we will get this response:
If we check the Environment variables details under the Configuration, there is no environment variables are present. Once successful execution of the operation we should be able to see some environment variables.
Create AWS KMS Key
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for us to create and control the cryptographic keys that are used to protect our data. Please refer to the link for more information https://aws.amazon.com/kms/
AWS KMS key is required to encrypt the secured variables before adding them to Lambda function. If we don’t have any secured variables in that case we don’t required to configure KMS key detail in the project. In our scenario we are adding both secured and non-secured variables to the Lambda function.
To create the Lambda Function go to the AWS console
Navigate to the Services
Select Security, Identity, & Compliance from the left-hand pane
Now click on the Key Management Service service option
Detail of the KMS key which we are using for this tutorial:
We can use Key ID or Key ARN value in the project to encrypt the variables, both are accepted.
Create AWS Alias
To create or update the Lambda Alias we can use the upsertLambdaAlias operation available in the AWS plugin, please refer to the tutorial document for more information.
Create AWS S3 bucket
Amazon Simple Storage Service (Amazon S3) is an object storage service offering industry-leading scalability, data availability, security, and performance. Customers of all sizes and industries can store and protect any amount of data for virtually any use case, such as data lakes, cloud-native applications, and mobile apps. With cost-effective storage classes and easy-to-use management features, you can optimize costs, organize data, and configure fine-tuned access controls to meet specific business, organizational, and compliance requirements.Please refer to the link for more information https://aws.amazon.com/s3/
To create the Lambda S3 go to the AWS console
Navigate to the Services
Select Storage from the left-hand pane
Now click on the S3 service option
After selecting the S3 service, new window will open and it contains detail of all the S3 buckets.
Now select the create bucket option, it will open window to create S3 bucket and configured detail.
We can also Enable Bucket Versioning, by default it’s Disable. Please refer to the link for more information https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
We have created S3 bucket, we can see the details and Upload the AWS Lambda function code.
Once we upload the object, we can see the details.
We have enabled the object versioning, we can see the details about different versions.
Git repository structure
The Git repository contains the Environment file. The Sample Git repository structure is given below.
Pre-requisite
Configure IAM user
To access the Lambda Function we need to create an AWS IAM account with required permissions. To create the AWS IAM user navigate to the AWS Identity and Access Management (IAM) service page, and click on the Add users option. Next assign the required permission to access the Lambda Function. Once user is created, AWS secret key can be generated, this key we have to configure in Cloud account.
For more information about IAM user please ref. IAM users - AWS Identity and Access Management
CLI installation
AWS CLI should be installed in the m/c where the plugin is to be executed. Preferably add AWS CLI path in m/c classpath.
Build and Deploy Workflows
Navigate to the Workflows tab and create a workflow using the “+”(Click to create new Workflow) button as highlighted below.
Next, create one Build and Deploy workflow as shown below. The workflow Type field defines the type of workflow.
Build Workflow
Navigate to the Workflows
Select the “+” button from the left-hand pane to create a new workflow
Deploy Workflow
navigate to the Workflows
Select the “+” button from the left-hand pane to create a new workflow
