This post is contributed by Mahmoud ElZayet | Specialist SA – Dev Tech, AWS
Modern application development processes enable organizations to improve speed and quality continually. In this innovative culture, small, autonomous teams own the entire application life cycle. While such nimble, autonomous teams speed product delivery, they can also impose costs on compliance, quality assurance, and code deployment infrastructures.
Standardized tooling and application release code helps share best practices across teams, reduce duplicated code, speed on-boarding, create consistent governance, and prevent resource over-provisioning.
In this post, I show you how to use AWS Service Catalog to provide standardized and automated deployment blueprints. This helps accelerate and improve your product teams’ application release workflows on Amazon ECS. Follow my instructions to create a sample blueprint that your product teams can use to release containerized applications on ECS. You can also apply the blueprint concept to other technologies, such as serverless or Amazon EC2–based deployments.
The sample templates and scripts provided here are for demonstration purposes and should not be used “as-is” in your production environment. After you become familiar with these resources, create customized versions for your production environment, taking account of in-house tools and team skills, as well as all applicable standards and restrictions.
To use this solution, you need the following resources:
Example Corp. has various product teams that develop applications and services on AWS. Example Corp. teams have expressed interest in deploying their containerized applications managed by AWS Fargate on ECS. As part of Example Corp’s central tooling team, you want to enable teams to quickly release their applications on Fargate. However, you also make sure that they comply with all best practices and governance requirements.
For convenience, I also assume that you have supplied product teams working on the same domain, application, or project with a shared AWS account for service deployment. Using this account, they all deploy to the same ECS cluster.
In this scenario, you can author and provide these teams with a shared deployment blueprint on ECS Fargate. Using AWS Service Catalog, you can share the blueprint with teams as follows:
- Every time that a product team wants to release a new containerized application on ECS, they retrieve a new AWS Service Catalog ECS blueprint product. This enables them to obtain the required infrastructure, permissions, and tools. As a prerequisite, the ECS blueprint requires building blocks such as a git repository or an AWS CodeBuild project. Again, you can acquire those blocks through another AWS Service Catalog product.
- The product team completes the ECS blueprint’s required parameters, such as the desired number of ECS tasks and application name. As an administrator, you can constrain the value of some parameters such as the VPC and the cluster name. For more information, see AWS Service Catalog Template Constraints.
- The ECS blueprint product deploys all the required ECS resources, configured according to best practices. You can also use the AWS Cloud Development Kit (CDK) to maintain and provision pre-defined constructs for your infrastructure.
- A standardized CI/CD pipeline also generates, enabling your product teams to publish their application to ECS automatically. Ideally, this pipeline should have all stages, practices, security checks, and standards required for application release. Product teams must still author application code, create a Dockerfile, build specifications, run automated tests and deployment scripts, and complete other tasks required for application release.
- The ECS blueprint can be continually updated based on organization-wide feedback and to support new use cases. Your product team can always access the latest version through AWS Service Catalog. I recommend retaining multiple, customizable blueprints for various technologies.
For simplicity’s sake, my explanation envisions your environment as consisting of one AWS account. In practice, you can use IAM controls to segregate teams’ access to each other’s resources, even when they share an account. However, I recommend having at least two AWS accounts, one for testing and one for production purposes.
To see an example framework that helps deploy your AWS Service Catalog products to multiple accounts, see AWS Deployment Framework (ADF). This framework can also help you create cross-account pipelines that cater to different product teams’ needs, even when these teams deploy to the same technology stack.
To set up shared deployment blueprints for your production teams, follow the steps outlined in the following sections.
Set up the environment
In this section, I explain how to create a central ECS cluster in the appropriate VPC where teams can deploy their containers. I provide an AWS CloudFormation template to help you set up these resources. This template also creates an IAM role to be used by AWS Service Catalog later.
To run the CloudFormation template:
2. Using the AWS CLI, run the following commands. Replace <Application_Name> with a lowercase string with no spaces representing the application or microservice that your product team plans to release—for example, myapp.
3. Keep running the following command until the output reads CREATE_COMPLETE:
4. In case of error, use the describe-events CLI command or review error details on the console.
5. When the stack creation reads CREATE_COMPLETE, run the following command, and make a note of the output values in an editor of your choice. You need this information for a later step:
6. Run the following commands to copy those CloudFormation templates to Amazon S3. Replace <Template_Bucket_Name> with the template bucket output value you just copied into your editor of choice:
Create AWS Service Catalog products
In this section, I show you how to create two AWS Service Catalog products for teams to use in publishing their containerized app:
- Core Build Tools
- ECS Fargate Deployment Blueprint
To create an AWS Service Catalog portfolio that includes these products:
1. Using the AWS CLI, run the following command, replacing <Application_Name>
with the application name you defined earlier and replacing <Template_Bucket_Name>
with the template bucket output value you copied into your editor of choice:
2. After a few minutes, check the stack creation completion. Run the following command until the output reads CREATE_COMPLETE:
3. In case of error, use the describe-events CLI command or check error details in the console.
Your AWS Service Catalog configuration should now be ready.
Test product teams experience
In this section, I show you how to use IAM roles to impersonate a product team member and simulate their first experience of containerized application deployment.
Assume team role
To assume the role that you created during the environment setup step
1. In the Management console, follow the instructions in Switching a Role.
- For Account, enter the account ID used in the sample solution. To learn more about how to find an AWS account ID, see Your AWS Account ID and Its Alias.
- For Role, enter <Application_Name>-product-team-role, where <Application_Name> is the same application name you defined in Environment Setup section.
- (Optional) For Display name, enter a custom session value.
You are now logged in as a member of the product team.
Provision core build product
Next, provision the core build tools for your blueprint:
- In the Service Catalog console, you should now see the two products created earlier listed under Products.
- Select the first product, Core Build Tools.
- Choose LAUNCH PRODUCT.
- Name the product something such as <Application_Name>-build-tools, replacing <Application_Name> with the name previously defined for your application.
- Provide the same application name you defined previously.
- Leave the ContainerBuild parameter default setting as yes, as you are building a container requiring a container repository and its associated permissions.
- Choose NEXT three times, then choose LAUNCH.
- Under Events, watch the Status property. Keep refreshing until the status reads Succeeded. In case of failure, choose the URL value next to the key CloudformationStackARN. This choice takes you to the CloudFormation console, where you can find more information on the errors.
Now you have the following build tools created along with the required permissions:
- AWS CodeCommit repository to store your code
- CodeBuild project to build your container image and test your application code
- Amazon ECR repository to store your container images
- Amazon S3 bucket to store your build and release artifacts
Provision ECS Fargate deployment blueprint
In the Service Catalog console, follow the same steps to deploy the blueprint for ECS deployment. Here are the product provisioning details:
- Product Name: <Application_Name>-fargate-blueprint.
- Provisioned Product Name: <Application_Name>-ecs-fargate-blueprint.
- For the parameters Subnet1, Subnet2, VpcId, enter the output values you copied earlier into your editor of choice in the Setup Environment section.
- For other parameters, enter the following:
- ApplicationName: The same application name you defined previously.
- ClusterName: Enter the value example-corp-ecs-cluster, which is the name chosen in the template for the central cluster.
- Leave the DesiredCount and LaunchType parameters to their default values.
After the blueprint product creation completes, you should have an ECS service with a sample task definition for your product team. The build tools created earlier include the permissions required for deploying to the ECS service. Also, a CI/CD pipeline has been created to guide your product teams as they publish their application to the ECS service. Ideally, this pipeline should have all stages, practices, security checks, and standards required for application release.
Product teams still have to author application code, create a Dockerfile, build specifications, run automated tests and deployment scripts, and perform other tasks required for application release. The blueprint product can provide wiki links to reference examples for these steps, or access to pre-provisioned sample pipelines.
Test your pipeline
Now, upload a sample app to test your pipeline:
- Log in with the product team role.
- In the CodeCommit console, select the repository with the application name that you defined in the environment setup section.
- Scroll down, choose Add file, Create file.
- Paste the following in the page editor, which is a script to build the container image and push it to the ECR repository:
5. For File name, enter buildspec.yml.
6. For Author name and Email address, enter your name and your preferred email address for the commit. Although optional, the addition of a commit message is a good practice.
7. Choose Commit changes.
8. Repeat the same steps for the Dockerfile. The sample Dockerfile creates a straightforward PHP application. Typically, you add your application content to that image.
File name: Dockerfile
Your pipeline should now be ready to run successfully. Although you can list all current pipelines in the Region, you can only describe and modify pipelines that have a prefix matching your application name. To confirm:
- In the AWS CodePipeline console, select the pipeline <Application_Name>-ecs-fargate-pipeline.
- The pipeline should now be running.
Because you performed two commits to the repository from the console, you must wait for the second run to complete before successful deployment to ECS Fargate.
To clean up the environment, run the following commands in the AWS CLI, replacing <Application_Name>
with your application name, <Account_Id> with your AWS Account ID with no hyphens and <Template_Bucket_Name>
with the template bucket output value you copied into your editor of choice:
To remove the AWS Service Catalog products:
- Log in with the Product team role
- In the console, follow the instructions at Deleting Provisioned Products.
- Delete the AWS Service Catalog products in reverse order, starting with the blueprint product.
Run the following commands to delete the administrative resources:
In this post, I showed you how to design and build ECS Fargate deployment blueprints. I explained how these accelerate and standardize the release of containerized applications on AWS. Your product teams can keep getting the latest standards and coded best practices through those automated blueprints.
As always, AWS welcomes feedback. Please submit comments or questions below.