OPA on AWS. Part 8 – Orchestrating and Managing CI/CD | Amazon Web Services
- March 27, 2024
- Posted by: MainInstructor
- Category: Amazon Web Services C
Video Title: OPA on AWS. Part 8 – Orchestrating and Managing CI/CD | Amazon Web Services
Welcome back to the OPA on AWS video series. I'm Anthony Watson, a prototyping solutions architect and a contributing developer on the OPA project. In this video we will explore OPA's CI/CD pipeline solutions. To get the most out of this video, please make sure that you have already watched the prior videos in this series before continuing. We'll start with a brief primer on CI/CD, which I still recommend watching even if you are already familiar with CI/CD concepts. Then we'll do a deep dive into OPA's CI/CD approach.

As a quick review, CI/CD is an automated process for building application code, preparing it for release, and possibly actually performing the release to an environment. CI/CD is an acronym that stands for continuous integration, continuous delivery. It's called continuous because the process is usually executed automatically every time changes are merged into a version control system like git. The word integration means that the automated process uses a branch of the repository that has all the changes from all application developers integrated into it. The word delivery means that the code is packaged up and staged in some fashion so that it is ready to be deployed. Using CI/CD is considered a best practice because it saves time by removing the need for the application team to manually perform builds and releases. It also reduces the potential for mistakes and can be used as an early form of quality control by automating the execution of unit and functional tests as well as running static code analysis tools. Finally, continuously running a CI/CD process can ensure that your application environments are running the most up-to-date version of your software.

There are typically two high-level components to structuring a CI/CD process. First we have a stage, which is a logical grouping of steps that make sense for your use case. The stages don't actually contain any logic; they are just a high-level step that can group together multiple actions under a meaningful name. Stages usually run one right after the other, as opposed to concurrently. You can define as many stages as you want, and typical stages could be a build stage where code is compiled, a test stage, or a stage that updates the application in a given environment. Next we have jobs, which contain the actual commands and scripts to run. Jobs can be executed in series or in parallel. Jobs are typically implemented by spinning up a new Docker container. Creating the container is taken care of for you, but typically you will need to configure which image to use, such as a new Ubuntu image or a more specific one that already has some of the software installed that your job will need. Using containers ensures that your pipeline is always starting fresh. Jobs receive a copy of your application source code upon startup and then download the tools they need, such as the AWS CLI, before running their commands and scripts. Jobs can output artifacts like zip files into a shared space that can be input by subsequent jobs.

CI/CD is often represented as a pipeline because it runs a series of steps in the order that you define, and the output of one step can be used as the input into a subsequent step. Here we have an example pipeline with two stages. Stage one has two jobs, where job one must execute to completion before job two starts, and job two creates an output artifact that is used by job three. There is a fourth job that runs in parallel with job three.

Some CI/CD solution vendors take a very static approach to defining pipelines, while others support dynamic capabilities. For example, some vendors require a pipeline to have a single hard-coded branch name, while others allow the same pipeline definition to apply to multiple code branches. Another difference is that some vendors allow CI/CD pipelines to receive input parameters that affect pipeline behavior, while others do not. Finally, some vendor pipelines have the list of jobs that will be run set statically by the pipeline definition, whereas others can dynamically decide whether or not to include a job in the pipeline based upon the evaluation of some conditional rules. As of this recording, OPA comes out of the box with a CI/CD solution that utilizes GitLab CI. GitLab's implementation allows for very flexible and dynamic pipelines, so let's talk about how this flexibility can be put to good use.

Here we have a developer who pushes code changes to a git repository. The CI/CD service detects this and loads the application's CI/CD pipeline definition. In this example our definition has a single stage that contains three jobs, but these jobs are configured to only be included in the pipeline if their conditions are met. Job one only runs if the commit was pushed to the main branch and the commit message text is the phrase "initial commit". Job two runs only if the commit was made on the develop branch, and job three is only included in the event that a new pull request was created. The CI/CD service will now need to evaluate the incoming event and decide which jobs to run. It makes several variables available to the conditional evaluation process, such as the commit message, branch, stage name, job name, and how the pipeline was started. By comparing the variables to job conditions, the CI/CD service will select the jobs to include in the pipeline. We can see that only job one is applicable to run in response to the developer commit, so the dynamically created pipeline will only contain job one.

We've now concluded our CI/CD primer. I hope you have your swimsuit on, since we're about to dive into OPA's CI/CD implementations. As of this recording, team OPA chose to utilize GitLab CI for its out-of-the-box CI/CD solutions. So does this mean that your company can't use OPA if you don't use GitLab? Not at all. You can use OPA with other providers like GitHub, but it will take a little bit more work. Either way, understanding the details of OPA's CI/CD solution will be very helpful to you.

When you install OPA, it will create a small, temporary GitLab service that runs on EC2 instances, which is useful for demonstration purposes. The first EC2 instance runs a free Community Edition of GitLab from the AWS Marketplace. GitLab CI/CD pipelines are executed on a separate EC2 instance. This solution is not intended for production use. To use GitLab in a production environment, you would want to either host it on AWS in a scalable and highly available way, pay for GitLab's SaaS solution, or host GitLab on premises. If you are using GitLab, you may find these links helpful. If you want to use GitHub instead of GitLab, here are some equivalent links to those provided on the previous slide.

In this section we'll examine how OPA application CI/CD pipelines work. We'll talk about the choices that team OPA made when implementing our out-of-the-box solution, as well as ways that you can customize the implementation for your needs. Every business has its own processes and tool sets that it uses for CI/CD. The intent behind OPA's CI/CD implementation is not to imply that there's one right way to do CI/CD, or that OPA requires a specific CI/CD implementation. Instead, think of OPA's CI/CD solution as a reference implementation, or a 90% solution that lays down a framework that you can then add to or alter to meet your needs. Before you can customize it, though, you'll need to understand it, so let's get into the detail.

We'll start by discussing the OPA CI/CD pipeline flow at a high level and how git branching strategies impact this flow. OPA's out-of-the-box application CI/CD pipelines are based on four design choices. First, each application environment will get a dedicated stage in the pipeline. Second, the pipeline will include all environment stages, one right after the other. Third, the entire pipeline will run using the source code from a single commit in a single branch. Finally, the pipeline does not actually deploy the new version of the app; it just builds the app and stages it to make it available for deployment. This is because OPA provides the ability to actually deploy from the UI instead of the pipeline. This is one of the design choices you may choose to change. You may want the pipeline to do the deployment. If so, you can modify the pipeline to run the additional commands to deploy the application after it has been staged, and you can modify the OPA UI to disable the deploy button.

Putting the idea of customizations aside for now, let's look at a visual representation of OPA's CI/CD design choices to gain a better understanding. Here we see that a developer is merging a code change to a particular branch; let's assume this is the main branch. The pipeline will automatically kick off when the commit is merged. The pipeline will first build and stage the application release artifacts for the dev environment, then it will do the same for QA and prod. If an error happens at any stage, the pipeline will stop and it will not attempt to proceed to the next stage.

Let's drill down a little deeper and see what happens in a stage. Remember that an OPA environment can be associated with one or more environment providers. While an environment is just metadata, environment providers are a representation of an AWS account and region where the application will run. When environment providers are created, they create resources in an AWS account and region that support applications. If you want your application to utilize multiple regions, your platform engineer can configure OPA environments that are associated with multiple environment providers, where each provider relates to a different region. For our diagram we'll keep it simple and assume that each environment has only one environment provider. Just remember that each environment stage in our pipeline would execute steps for all providers that are associated with the environment.

Let's continue drilling down and see what jobs run in each stage. Out of the box, an OPA application has two jobs that must be run per environment. The first is to execute an infrastructure as code script that will create resources that are needed by the application. These resources are application specific, which is why they are not created as part of the environment provider construction. An example of when you would need an application-specific resource is if your application is containerized. You would want your pipeline to be able to build the container image of your application, but once it does, it needs a place to store that image. This is where application infrastructure as code comes in handy. The IaC scripts run before the image is built, and the IaC script could create a container image repository using the Elastic Container Registry service to give you a place to store your application's container images. The next job of our pipeline, after executing the application's IaC scripts, is to stage the release. I apologize for the overloaded use of the word "stage" here: pipelines have stages, and we are also trying to stage our new application version for each environment so that it is ready for deployment. Examples of staging an application could be creating a container image and storing it in a registry, or zipping up our built application and storing that somewhere such as an S3 bucket.

There's one missing piece to our pipeline puzzle that we still need to talk about. From our diagram, it appears that every code change that is merged by a developer to the main branch would eventually result in updating the prod environment. This could be what you want if you do multiple application releases a day and you have sufficient automations to validate each release. Many organizations choose not to automatically send changes to production; instead, they want to have a formal approval process before code changes can be deployed to certain environments like production. The out-of-the-box OPA CI/CD solution supports the idea of protected environments that require an approval before being updated. In our diagram we can see that the dev and QA environments will be updated automatically when changes are merged to the main branch, but that the production environment requires manual approval. OPA's solution is simply to mark jobs in the protected environment stage as requiring manual approval. When the pipeline sees that manual approval is needed, it pauses execution and waits for a person to click a button in the pipeline UI before it will continue. Remember that it is the platform engineer's responsibility to configure which environments require approvals. The out-of-the-box solution may not be enough for your company. Remember that you can update the pipelines to do things like create a ServiceNow ticket for the release, or ensure that only members of a certain group have the authority to approve deployments. The OPA CI/CD solution works, but it is intended to be customized to suit your company's best practices and tool sets.

Looking at the design overall, let's examine its pros and cons. On the positive side, this design has several benefits. Firstly, it guarantees that the same git commit is used in every environment. This is important because it allows you to test and validate the application in lower environments before promoting those changes up to the next environment. With this design, there's no possibility that code changes could make it into the production environment that have not had a chance to be validated in lower environments. Another benefit of this design is that it removes the need for managing and syncing across multiple git branches, which can be a tedious and error-prone manual process. A drawback of this design is that we won't allow it to run to completion most of the time. This is because not every commit is releasable to production; some commits may contain bugs or incomplete functionality.

Let's see a visual example of such a scenario. Here we see a pipeline execution that runs as a result of commit one being merged. During the dev stage, the pipeline fails due to some error. In this case the pipeline stops and never runs the QA and prod stages. Now we have a second commit being merged that fixes the bug but contains an incomplete implementation of a key feature. Assuming we are not using feature flags to hide the incomplete feature, we will decline to manually approve the pipeline to continue to the prod stage. In commit three we finally have a non-buggy and complete implementation of our code. We will approve this pipeline to run completely so that prod is updated. Looking at all three of these pipeline executions, we can see that only one of the three ran the full pipeline. The incomplete pipelines will continue to show up as incomplete, and this can cause confusion. To remedy this, we can set pipelines to expire if they have not completed within a certain amount of time, or manually cancel pipelines that have changes that we know should never get promoted to the prod environment.

Let's briefly explore some alternatives to the out-of-the-box CI/CD design that you could use by customizing OPA. For this discussion we'll assume that your CI/CD technology vendor's implementation supports dynamically determining if a job should be included in the pipeline. If it does not, you can still create multiple static pipelines that do different things, but you also have to customize OPA so that it knows when to call which pipeline. Let's revisit our last example and discuss a way that we could prevent having CI/CD executions that never complete because the code is not ready to be deployed to production. To prevent this, you could customize the production environment CI/CD job so that it is only included in the pipeline if the most recent git commit message contains some special string, such as "release candidate equals true" or something like that. This would make it so that the pipeline would usually only deploy to the dev environment and QA environment, and the whole pipeline instance would complete if no errors occur. The pipeline would only include the production deployment stage if the git commit message indicated that it should.

Our next possible customization is to use a two-branch strategy. The first branch is a development branch; our dev and QA deployment jobs will only trigger when commits are made to the development branch. We then add the concept of a release branch, and our prod deployment jobs will run only when that branch is updated. OPA is perfectly compliant with this strategy. All you need to do to implement it is to update the job conditionals so that they reference the right branch instead of always triggering based on commits to a single branch. The last alternative CI/CD branching strategy we'll discuss is that you could choose to create a branch per environment. The benefit of this is that you have complete and independent control of what goes into each environment. The downside is that it relies upon having multiple long-lived branches, which is considered an anti-pattern by many. The problems include the fact that a change could make it into production that was never deployed or validated in a lower environment, and that syncing between branches can be an error-prone and tedious process.

Now that we understand OPA's out-of-the-box CI/CD flow as well as some alternatives, let's move on to discuss how OPA pipelines can deploy to multiple AWS accounts and regions. Before an OPA CI/CD job can deploy anything to an AWS account, it first has to know what account and region is associated with the environment provider it is currently processing. Since the running pipeline job already has all of the application source code files, it can look there to find the provider's settings. This is because a provider settings file is added to the application repository when the application is associated with a new environment. The pipeline job will look for the provider properties files under the AWS deployment providers directory. The provider properties file contains not only the AWS account number and region but other valuable information as well, such as the ID of an IAM role that was created specifically for this provider that has permissions to create, update, and delete resources in the provider account that are specific to the application. Let's see what our diagram looks like with these new pieces added. We can see that the pipeline has an IAM role to start with, but it will need to assume the provider's role so that it has permissions to modify resources in the provider account.

The more applications you have, the more CI/CD pipelines you have to maintain. Often organizations implement a best-practices pipeline standard that they want all application pipelines to adhere to. This standard may continue to improve and evolve even after several application pipelines have been configured with the old standard. OPA accounts for updating CI/CD configurations in a single place, in a way that will not only affect all applications that are created in the future but also all existing applications. Let's see how this works. You might be surprised to find out that the entire CI/CD pipeline configuration file that is created for an OPA application has very few lines of code. The reason is that it utilizes a feature implemented by GitLab CI that can import files from other repositories as part of the pipeline definition. Let's study this example of an application's pipeline configuration. It states that the pipeline should include three additional files from the main branch of another repository. These three files contain implementations of configurations and jobs that the application pipeline will use. Every time the application pipeline runs, it will download a fresh copy of these files. In this way, OPA allows platform engineers to update the job definitions in a single place by modifying the files in a repository that is separate from the application.

You may be wondering, why does the pipeline import three files instead of just a single file? The answer is that the reusable implementation files are written in a modular fashion. Some files are actually shared across multiple application types, whereas others are specific to a particular application template. In the example shown, the first file imported is named gitlab-ci-job-default-cdk. This file includes implementation details for executing infrastructure as code that is written with AWS CDK. This file won't include any details outside of that scope. That means the various types of applications that use CDK can reuse this file. For example, a serverless app could use the same CDK config file as an app that runs on the Elastic Container Service. By breaking down CI/CD configurations into separate files, OPA maximizes the reuse of those configurations across a wider variety of applications. All of the centrally managed CI/CD job definitions can be found in OPA's public repository on GitHub under this directory. Platform engineers can customize pipeline behavior by copying these files and then modifying them to meet your company's standards. It's important to note that after the files are modified, they would need to be pushed out to the git repository that holds all of OPA's template files, known as the reference repo. This will allow application pipelines to refer to them.

Earlier in this video we talked about how CI/CD pipelines can be dynamically created based on events. OPA uses this technique to configure an application to run in multiple environments. Let's see how this works. A developer can add a new environment for her application through the OPA UI. In this example the developer is adding a QA environment. The OPA UI will call a backend API that adds an environment provider properties file to the application's git repository. It will commit this change with a commit message of "generate cicd stages". When this commit is made, it triggers the application CI/CD pipeline, which has a job that is configured to run when that exact commit message is used. The job will accomplish the task of adding a new application environment by first updating the application's Backstage entity file to add a relationship with the new environment, secondly creating a new CI/CD configuration file that contains the QA environment deployment jobs, and finally configuring the pipeline to include that new jobs configuration file.

We've covered a lot in this video. We saw OPA's CI/CD strategy and how it can deploy to multiple AWS accounts and regions. We also learned a lot about various ways that your company can customize OPA's out-of-the-box solution. Thank you for watching, and stay tuned for our next video in the OPA on AWS video series.
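The GitLab CI mechanisms the talk relies on, collected into one application pipeline file: jobs included only for a given branch or commit message, a blocking manual job for a protected production environment, a job keyed to the "generate cicd stages" commit, shared job files included from a separate repository, and a job that reads the provider properties file and assumes the provider's IAM role before touching the account. This is an added example written for this page, not OPA's own CI configuration. The template project path and file names, the image, the .awsdeployment/providers directory and the property keys inside it, the CDK stack output name, the helper script, and the release-candidate=true commit-message marker are all assumptions, and the runner is assumed to be able to run docker.

```yaml
# Added example, not OPA's own CI configuration: an application .gitlab-ci.yml
# built from the mechanisms the talk describes. Every name below is assumed:
# the template project and file names, the image, the .awsdeployment/providers
# directory and its keys, the stack output, the helper script, and the marker.

include:
  - project: 'platform/ci-templates'            # assumed reference repo holding shared jobs
    ref: main                                    # re-fetched on every pipeline run
    file:
      - '/jobs/job-default-cdk.yml'              # assumed shared CDK job definitions
      - '/jobs/job-stage-release.yml'

stages: [dev, qa, prod]                          # one stage per environment, run in order

default:
  image: registry.example.com/ci/aws-cdk:2.130.0   # assumed image with node, cdk, aws cli; tag pinned

# Shared by every environment job: read the provider properties file for
# $ENV_NAME, assume the provider's role, and check the account really changed.
# The pipeline's starting role needs only sts:AssumeRole on the provider roles,
# and each provider role's trust policy should name that starting role alone.
.env-job:
  before_script:
    - PROPS=".awsdeployment/providers/${ENV_NAME}.properties"       # assumed location
    - test -f "$PROPS" || { echo "missing $PROPS"; exit 1; }
    - export AWS_REGION="$(sed -n 's/^REGION=//p' "$PROPS")"         # assumed key names
    - ROLE_ARN="$(sed -n 's/^PROVISIONING_ROLE_ARN=//p' "$PROPS")"
    - |
      CREDS="$(aws sts assume-role --role-arn "$ROLE_ARN" \
        --role-session-name "gitlab-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)"
      export AWS_ACCESS_KEY_ID="$(printf '%s' "$CREDS" | cut -f1)"
      export AWS_SECRET_ACCESS_KEY="$(printf '%s' "$CREDS" | cut -f2)"
      export AWS_SESSION_TOKEN="$(printf '%s' "$CREDS" | cut -f3)"
    - test "$(aws sts get-caller-identity --query Account --output text)" = "$(sed -n 's/^ACCOUNT=//p' "$PROPS")"
  rules:
    - if: '$CI_COMMIT_MESSAGE =~ /^generate cicd stages/'
      when: never                                 # the bookkeeping commit must not deploy anything
    - if: '$CI_COMMIT_BRANCH == "main"'           # dev and qa run automatically for commits on main

.iac:                # job 1 per environment: application-specific IaC, e.g. the ECR repository
  extends: .env-job
  script:
    - npx cdk deploy --require-approval never --outputs-file cdk-outputs.json
    - echo "ECR_REPO_URI=$(jq -r '.[].RepositoryUri' cdk-outputs.json)" > build.env   # assumed stack output
  artifacts:
    reports:
      dotenv: build.env                           # hands ECR_REPO_URI to the job that needs this one

.stage-release:      # job 2 per environment: build the image and stage it in the registry
  extends: .env-job
  script:
    - IMAGE="${ECR_REPO_URI}:${CI_COMMIT_SHORT_SHA}"
    - aws ecr get-login-password | docker login --username AWS --password-stdin "${ECR_REPO_URI%%/*}"
    - docker build -t "$IMAGE" . && docker push "$IMAGE"

iac-dev:           { extends: .iac,           stage: dev, variables: { ENV_NAME: dev } }
stage-release-dev: { extends: .stage-release, stage: dev, variables: { ENV_NAME: dev }, needs: [iac-dev] }
iac-qa:            { extends: .iac,           stage: qa,  variables: { ENV_NAME: qa } }
stage-release-qa:  { extends: .stage-release, stage: qa,  variables: { ENV_NAME: qa },  needs: [iac-qa] }

# Protected environment: prod is included only when the commit is marked as a
# release candidate, and even then a person must start the IaC job. The
# stage-release job then follows automatically once that approved job succeeds.
iac-prod:
  extends: .iac
  stage: prod
  variables: { ENV_NAME: prod }
  rules:
    - if: '$CI_COMMIT_BRANCH == "main" && $CI_COMMIT_MESSAGE =~ /release-candidate=true/'
      when: manual                                # the approval click
      allow_failure: false                        # block the pipeline until someone clicks

stage-release-prod:
  extends: .stage-release
  stage: prod
  variables: { ENV_NAME: prod }
  needs: [iac-prod]
  rules:
    - if: '$CI_COMMIT_BRANCH == "main" && $CI_COMMIT_MESSAGE =~ /release-candidate=true/'

# Runs only for the commit the OPA backend makes when a developer adds an
# environment in the UI; it regenerates the per-environment job file.
generate-cicd-stages:
  stage: dev
  rules:
    - if: '$CI_COMMIT_MESSAGE =~ /^generate cicd stages/'
  script:
    - ./scripts/generate-cicd-stages.sh           # assumed helper, not part of OPA
```

Two details are worth checking in any pipeline built this way. First, the credentials exported in before_script are the only thing separating one provider account from another, so the starting pipeline role should be permitted nothing beyond sts:AssumeRole on the provider roles, and each provider role's trust policy should name that single principal; the get-caller-identity check catches a properties file that points at the wrong role. Second, a manual job created through rules defaults to allow_failure: true, in which case GitLab reports the pipeline as passed even though prod never ran; allow_failure: false keeps the pipeline in the blocked state until someone runs or cancels the job, which is the pause-and-wait behaviour the talk describes.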
Video Keywords: Amazon Web Services