AWS Summit DC 2021: Improve the developer experience with AWS CDK

S E P T E M B E R 2 8 - 2 9 , 2 0 2 1

© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Improve the developer experience
with AWS CDK
Galen Dunkleberger
U S E 3 0 1
Solutions Architect
AWS
Casey Lee
Chief Technology Officer
Gaggle

Agenda
• AWS CDK overview
• How CDK improves the developer experience on AWS
• Gaggle’s use of CDK

AWS CDK

Evolution of provisioning cloud infrastructure
Manual
Scripted
.SH
CloudFormation HashiCorp
Terraform
Declarative
AWS CDK
Imperative
GoFormation
Troposphere
Generators

AWS CDK
COMING
SOON!
new s3.Bucket(this, "my-bucket", {
bucketName: “my-bucket”
})
mybucket:
Type: AWS::S3::Bucket
Properties:
BucketName: my-bucket
Write code Not yaml/json
CloudFormation

Benefits of CDK
Your language
Just classes and methods
Autocomplete
Inline documentation
Sane defaults
Reusable classes

CDK components
App
Stacks
Resources
Core framework AWS CDK CLI AWS Construct Library
Serverless
Containers CI/CD
App Integration / Foundational Services

Workflow
> cdk init
Generate project
> npm run build
Build project
> cdk synth
Create templates
and assets
> cdk diff
Check what will
change
> cdk deploy
Push changes
to the cloud

AWS Construct Library
Serverless Application Integration / Foundational Services
Containers CI/CD

Constructs levels
CloudFormation resources
L1
Purpose-built constructs
L3+
AWS constructs
L2

Paradigm shift
Stack A
Stack B
CDK
Typed OO language:
loops, conditions,
inheritence, etc
CDK App
Source Code
Template A
Template B
CloudFormation
CloudFormation
Parameters and
intrinsic functions
Parameterized
template
Stack 1
CloudFormation
Stack 2

How CDK improves the developer
experience on AWS

Challenge:
“Where do I put my
infrastructure as code?”

Infrastructure and application code, together

Simplified deployment
const f1 = new NodejsFunction(this, "say-hello-function",
{
memorySize: 256,
timeout: cdk.Duration.seconds(5),
runtime: lambda.Runtime.NODEJS_14_X,
handler: "index.lambdaHandler",
entry: path.join(__dirname, `/../runtime/lambda.ts`),
})
Assets
bucket
say-hello-function
"Code": {
"S3Bucket": "cdk-hnb659fds-assets",
"S3Key": “uuid1c18c5dc.zip"
}
> cdk deploy

Challenge:
“I don’t know what
IAM policy I need to
make this work…”
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}

Use grant methods to manage roles

Minimal code, minimal permissions
const myBucket = new s3.Bucket(this, "my-bucket” )
myBucket.grantRead(myRole)
mybucketroleDefaultPolicy7E8479F3:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- s3:GetObject*
- s3:GetBucket*
- s3:List*
Effect: Allow
Resource:
- Fn::GetAtt:
- mybucket15D133BF
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- mybucket15D133BF
- Arn
- /*
Roles:
- Ref: myroleBCC9F6EE
cdk synth
cdk deploy

Challenge:
“I hope this change doesn’t break
anything.”

Refactor with confidence
Snapshot tests
Fine-grained assertions
Validation tests

Snapshot tests
test("Test snapshot", () => {
const app = new cdk.App();
const stack = new MyTestStack(app, "MyTestStack");
expect(Template.fromStack(stack).toJSON()).toMatchSnapshot();
});
npm run build && npm test
npm run test -- -u

Fine-grained assertions
test('Test fine-grained assertions', () => {
const app = new cdk.App();
const stack = new MyTestStack(app, "MyTestStack")
expect(stack).toHaveResource('AWS::SSM::Parameter', {
Tier: "Standard",
Name: "/dc-summit/component02/parameter",
Type : "String"
});
});

Validation tests
export interface DeadLetterQueueProps {
retentionDays?: number;
}
constructor(scope: cdk.Construct, id: string, props: DeadLetterQueueProps = {}) {
if (props.retentionDays !== undefined && props.retentionDays > 14) {
throw new Error('retentionDays may not exceed 14 days');
}
expect(() => {
new DeadLetterQueue(stack, 'DLQ', {
retentionDays: 15
});
}).toThrowError(/retentionDays may not exceed 14 days/)

Challenge:
“We’ll add monitoring next sprint…”

Use metric methods to add monitoring

Easily measure what you need

Challenge:
“We tag our resources, sometimes…”

Tagging made easy

Use aspects to enforce standards
public visit(node: IConstruct): void {
if ("tags" in node) {
const tagManager: TagManager = node["tags"];
const tags: Record<string, string> = tagManager.tagValues();
if (!("CostCenter" in tags)) {
Annotations.of(node).addError(
"All taggable resources must include a 'CostCenter' tag"
);
}
}
cdk.Tags.of(myStack).add("Costcenter", "MyCostCenter");
Aspects.of(myStack).add(new TagEnforcer());
TagEnforcer.ts
[Error at /Stack/A/B/FileRole/Resource] All taggable resources must include a 'CostCenter' tag
cdk synth

Adhere to best practices with cdk-nag
https://github.com/cdklabs/cdk-nag
Aspects.of(app).add(new AwsSolutionsChecks());
cdk synth

Challenge:
“How can I share my
infrastructure as code?”

Model constructs, not stacks
Units of deployment,
typically not reusable
Cloud components,
potentially reusable

Code organization
Component
Construct
library
or
Depends on zero or more
Team
Code
repository
Owns one
or more
Package
Contains one
or more CDK APP
Consist of
CodeArtifact
Shared via

Leverage pre-built constructs
https://constructs.dev/

CDK Pipelines

Challenge:
“Did you just delete my stack?”

Account structure

Gaggle’s transformation story
Blocked items
190,616,612
105%
Messages
5,155,335,282
350%
Files
6,276,549,392
489%
PSS
20,395
61%
Human items
38,815,291
34%
Lives saved
1,338
50%

Challenge:
“The tech team never gets
anything done...when they do,
it is months late!”

% Efficiency = (# Engineers) / (WIP)
WIP = (Lead time) x (Deploy frequency)
High WIP, low efficiency

Challenge:
Inability to
work in
isolation
results in long
feedback loops

Solution: Provision separate AWS accounts
per developer

Challenge: Unable to use existing CI/CD to deploy
into dev account

Solution: Use CDK
for each
application

Solution: Use CDK for each application
from gaggle_cdk.core import S3Website, S3JsonFile, apply_permissions_boundary
class AppStack(core.Stack):
def __init__() -> None:
s3_website = S3Website(
self,
hosted_zone=hosted_zone,
website_sources=s3deploy.Source.asset(artifact)
)
config = S3JsonFile(
bucket=s3_website.bucket,
object_key="assets/config.json",
values={
"version": os.getenv("CODEBUILD_RESOLVED_SOURCE_VERSION","-"),
"identityProviderId": user_pool_idp,
"baseApiUrl": base_url,
}
)

Solution: Automate IAM permission boundary
from gaggle_cdk.core import apply_permissions_boundary
class AppStack(core.Stack):
def __init__(self) -> None:
apply_permissions_boundary(self)

Solution: Automate tag policy
tags = GaggleTags(
application=application,
environment=environment,
team=team,
some_random_tag=”foo",
)
# Create a stack, add resources to it
stack = core.Stack(app, "my-stack")
# Apply the tags to the stack
tags.apply(stack)
# Additionally you can apply tags to the entire app
tags.apply(app)

Challenge: Deploying dependencies

Solution:
Automate
build/deploy of
dependencies
from source

Solution: Automate build/deploy of dependencies
from source
# Define the commands needed to build build:
- npm run build
# Define the dependencies to load
dependencies:
- repo: gaggle-net/service-a.git
ref: main
# Define the applications to run locally
- basedir: infrastructure
stacks: ui-stack
context:
my-context-key: my-context-value

Challenge: QA
is now a
bottleneck to
delivery
process

Solution:
Separate
integration
accounts per
team

Solution: Create
pipeline for
each service

Solution: Create pipeline for
each service
from aws_cdk import core
from gaggle_cdk.core.pipelines import DeploymentPipeline
class ExamplePipelineStack(core.Stack):
def __init__(self,scope: core.Construct):
pipeline = DeploymentPipeline(
self,
github_repo="sample-api",
github_org="gaggle-net",
integration_account="100000000000",
staging_account="200000000000",
production_account="300000000000",
)

Challenge: Many
accounts can be
expensive

Solution:
Budget
automation

# The 'org' sections defines settings for the entire organization
org:
owner: org-owner@gaggle.net
workspace: T0000000
channel: ZZZZZZZ
default_daily_limit: 5
# Teams are containers for accounts.
# 'owner' - email address to notify for overages
# 'channel' - slack channel to notify for overages
teams:
- name: FOO
owner: alice@gaggle.net
channel: YYYYYYYYYYY
# Accounts are matched by 'name'.
# - 'owner' an additional 'owner' can be specified to be included in overage emails.
# - 'daily_limit' can be overridden per team
account_costs:
- name: developer-alice
- name: developer-bob
owner: bob@gaggle.net
Solution: Budget automation

from account_budget import AccountBudget
class BudgetsStack(core.Stack):
def __init__(self) -> None:
for account in accounts:
b = AccountBudget(
self,
account_id=account.id,
daily_limit=daily_limit,
emails=[team.owner,account_cost.owner]
)
# create chatbot channel
aws_chatbot.SlackChannelConfiguration(
self,
slack_channel_id=config.org.channel,
slack_workspace_id=config.org.workspace,
notification_topics=[b.topic]
)

Results...

% Efficiency = (# Engineers) / (WIP)
WIP = (Lead time) x (Deploy frequency)
Kickoff transformation

Thank you!
Galen Dunkleberger
awsgalen@amazon.com
Casey Lee
casey@gaggle.net

Please complete
the session survey
https://onelink.to/4y9ve4
SESSION ID:
USE301

AWS Summit DC 2021: Improve the developer experience with AWS CDK

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Summit DC 2021: Improve the developer experience with AWS CDK

Similar to AWS Summit DC 2021: Improve the developer experience with AWS CDK (20)

More from Casey Lee

More from Casey Lee (11)

Recently uploaded

Recently uploaded (20)

AWS Summit DC 2021: Improve the developer experience with AWS CDK