AWS CodeArtifact
• Software packages depend on each other to be built (also called code dependencies), and new ones are created
• Storing and retrieving these dependencies is called artifact management
• Traditionally you need to set up your own artifact management system
• CodeArtifact is a secure, scalable, and cost-effective artifact management service for software development
• Works with common dependency management tools such as Maven, Gradle, npm, yarn, twine, pip, and NuGet
• Developers and CodeBuild can then retrieve dependencies straight from CodeArtifact
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS CodeArtifact
[Diagram: inside a VPC, developers (JavaScript/npm, Python/pip, Java, NuGet) and AWS CodeBuild fetch packages from a CodeArtifact Domain containing Repository A and Repository B; CodeArtifact acts as a proxy that fetches from Public Artifact Repositories; an IT Leader administers the domain]
CodeArtifact – EventBridge Integration
• An event is created when a Package version is created, modified, or deleted
• The event message can be routed to targets such as:
  • invoke a Lambda Function
  • activate a Step Functions State Machine
  • send a message to SNS
  • start a CodePipeline (CodeCommit → CodeBuild → CodeDeploy) to rebuild & redeploy an application with the latest security fixes
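The "rebuild on new package version" target described above, as an added example that is not part of the slides: a Lambda handler that inspects the CodeArtifact EventBridge event and starts a CodePipeline only for a newly published version of a watched dependency. The event shape follows the AWS "CodeArtifact Package Version State Change" event documentation as I recall it, and the domain, repository and pipeline names are constructed placeholders.

```python
# Constructed sample event; field names follow the documented
# "CodeArtifact Package Version State Change" detail (assumed, not from the slides).
SAMPLE_EVENT = {
    "source": "aws.codeartifact",
    "detail-type": "CodeArtifact Package Version State Change",
    "detail": {
        "domainName": "my-domain",            # placeholder
        "domainOwner": "123456789012",
        "repositoryName": "npm-store",        # placeholder
        "packageFormat": "npm",
        "packageNamespace": None,
        "packageName": "lodash",
        "packageVersion": "4.17.21",
        "packageVersionState": "Published",
        "operationType": "Created",
    },
}

# (format, namespace, name) -> pipeline to restart when that dependency
# gets a new published version. Pipeline name is hypothetical.
WATCHED = {("npm", None, "lodash"): "web-app-pipeline"}


def pipeline_for_event(event: dict, watched: dict = WATCHED):
    """Return the pipeline to start, or None if the event is not actionable."""
    if event.get("source") != "aws.codeartifact":
        return None
    d = event.get("detail", {})
    # React only to newly published versions; deletions, unfinished uploads
    # and metadata-only updates do not warrant a rebuild.
    if d.get("operationType") != "Created":
        return None
    if d.get("packageVersionState") != "Published":
        return None
    key = (d.get("packageFormat"), d.get("packageNamespace"), d.get("packageName"))
    return watched.get(key)


def lambda_handler(event, context):
    """EventBridge -> Lambda target: start the pipeline when a watched dependency changes."""
    name = pipeline_for_event(event)
    if name is None:
        return {"started": False}
    import boto3  # imported here so the decision logic above is testable offline
    boto3.client("codepipeline").start_pipeline_execution(name=name)
    return {"started": True, "pipeline": name}
```

The decision logic is kept separate from the boto3 call so it can be unit-tested without AWS credentials.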
CodeArtifact – Resource Policy
• Can be used to authorize another account to access CodeArtifact
• A given principal can either read all the packages in a repository or none of them
[Diagram: Account B (222333344555) reads packages from a repository owned by Account A (123456789012)]
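The cross-account read grant above, as an added example that is not part of the slides: a small Python helper that builds the repository resource policy letting Account B (222333344555) read from Account A's repository, plus a checker that flags statements granting more than read-only access to a named account. The read-only action list follows AWS's documented cross-account repository policy example; the helper and checker names are my own.

```python
# Read-only action set for a CodeArtifact repository policy (from the AWS
# cross-account example). There is no per-package granularity: a principal
# granted these can read every package in the repository, or none at all.
READ_ACTIONS = (
    "codeartifact:DescribePackageVersion",
    "codeartifact:DescribeRepository",
    "codeartifact:GetPackageVersionReadme",
    "codeartifact:GetRepositoryEndpoint",
    "codeartifact:ListPackageVersionAssets",
    "codeartifact:ListPackageVersionDependencies",
    "codeartifact:ListPackageVersions",
    "codeartifact:ListPackages",
    "codeartifact:ReadFromRepository",
)


def read_policy(reader_account_id: str) -> dict:
    """Repository resource policy granting one account read-only access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{reader_account_id}:root"},
            "Action": list(READ_ACTIONS),
            "Resource": "*",
        }],
    }


def policy_findings(policy: dict) -> list:
    """Flag Allow statements with an anonymous principal or non-read actions."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "?")
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append(f"{sid}: anonymous principal")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if action not in READ_ACTIONS:
                findings.append(f"{sid}: non-read action {action}")
    return findings
```

Attach the generated document with `put-repository-permissions-policy`; the checker is useful as a pre-apply gate in the pipeline that manages these policies.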
CodeArtifact – Upstream Repositories
• A CodeArtifact repository can have other CodeArtifact repositories as Upstream Repositories
• Allows a package manager client to access the packages that are contained in more
[Diagram: External Repository → External Connection → CodeArtifact Repository A → Repository B]
CodeArtifact – External Connection
• An External Connection is a connection between a CodeArtifact Repository and an external/public repository (e.g., Maven, npm, PyPI, NuGet…)
• Allows you to fetch packages that are not already present in your CodeArtifact Repository
• A repository has a maximum of 1 external connection
• Create many repositories for many external connections
• Example – Connect to npmjs.com
  • Configure one CodeArtifact Repository in your domain with an external connection to npmjs.com
  • Configure all the other repositories with an upstream to it
  • Packages fetched from npmjs.com are cached in the Upstream Repository, rather than fetching and storing them in each Repository
[Diagram: Public Repository → External Connection → CodeArtifact Repository A (Cached Packages) → Upstream for Repo B, Repo C, Repo D … → Developer (npm)]
CodeArtifact – Retention
• If a requested package version is found in an Upstream Repository, a reference to it is retained and is always available from the Downstream Repository
• The retained package version is not affected by changes to the Upstream Repository (deleting it, updating the package...)
• Intermediate repositories do not keep the package
• Example – Fetching Package from npmjs.com
[Diagram: Public Repository (Lodash v4.17.20) → External Connection → CodeArtifact → Repository C (Lodash v4.17.20 retained)]
CodeArtifact – Domains
• Deduplicated Storage – an asset only needs to be stored once in a domain, even if it's available in many repositories (only pay once for storage)
• Fast Copying – only metadata records are updated when you pull packages from an Upstream CodeArtifact Repository into a Downstream Repository
• Easy Sharing Across Repositories and Teams – all the assets and metadata in a domain are encrypted with a single AWS KMS Key
[Diagram: a CodeArtifact Domain with a Domain Resource-based Policy containing Repository A and Repository B, accessed by Account A, Account B, Account C and Account D]
Amazon CodeGuru
• An ML-powered service for automated code reviews and application performance recommendations
• Provides two functionalities
  • CodeGuru Reviewer: automated code reviews for static code analysis (development)
  • CodeGuru Profiler: visibility/recommendations about application performance during runtime (production)
Amazon CodeGuru Reviewer
• Identify critical issues, security vulnerabilities, and hard-to-find bugs
• Example: common coding best practices, resource leaks, security detection, input validation
• Uses Machine Learning and automated reasoning
• Hard-learned lessons across millions of code reviews on 1000s of open-source and Amazon repositories
• Supports Java and Python
• Integrates with GitHub, Bitbucket, and AWS CodeCommit
https://aws.amazon.com/codeguru/features/
Amazon CodeGuru Profiler
• Helps understand the runtime behavior of your application
• Example: identify if your application is consuming excessive CPU capacity on a logging routine
• Features:
  • Identify and remove code inefficiencies
  • Improve application performance (e.g., reduce CPU utilization)
  • Decrease compute costs
  • Provides a heap summary (identify which objects are using up memory)
  • Anomaly Detection
• Supports applications running on AWS or on-premises
• Minimal overhead on the application
https://aws.amazon.com/codeguru/features/
Amazon CodeGuru Reviewer - Extras
• CodeGuru Reviewer Secrets Detector
  • Uses ML to identify hardcoded secrets embedded in your code (e.g., passwords, API keys, credentials, SSH keys...)
  • Besides scanning code, it scans configuration and documentation files
  • Suggests remediation to automatically protect your secrets with Secrets Manager
[Diagram: CodeCommit → scan a repository → CodeGuru Reviewer → hardcoded secret (AWS Access Key) detected in .travis.yml → create Secret in Secrets Manager]
https://aws.amazon.com/blogs/aws/codeguru-reviewer-secrets-detector-identify-hardcoded-secrets/
Amazon CodeGuru Profiler - Extras
• Integrate and apply CodeGuru Profiler to Lambda functions either using:
  • Function Decorator @with_lambda_profiler
  • Add the codeguru_profiler_agent dependency to your Lambda function .zip file or use Lambda Layers