Serverless in Production, an experience report (cloudXchange)
1 like278 views
This document provides advice on preparing serverless applications for production based on the author's experience deploying 170 Lambda functions to production. It covers important areas to consider like testing at the unit, integration, and acceptance levels; setting up CI/CD pipelines; monitoring, logging, and alerting; distributed tracing; security; and configuration management. The author emphasizes the importance of testing end-to-end without mocking external services, setting up production-ready monitoring and metrics dashboards, and choosing deployment frameworks that are tried and tested.
![if [ "$1" = "deploy" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE 'node_modules/.bin/sls' deploy -s $STAGE -r $REGION
elif [ "$1" = "int-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run int-$STAGE
elif [ "$1" = "acceptance-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run acceptance-$STAGE
else
usage
exit 1
fi](https://image.slidesharecdn.com/serverlessinprodcloudxchange-180622140252/85/Serverless-in-Production-an-experience-report-cloudXchange-72-320.jpg)
![if [ "$1" = "deploy" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE 'node_modules/.bin/sls' deploy -s $STAGE -r $REGION
elif [ "$1" = "int-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run int-$STAGE
elif [ "$1" = "acceptance-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run acceptance-$STAGE
else
usage
exit 1
fi
install Serverless framework
as dev dependency](https://image.slidesharecdn.com/serverlessinprodcloudxchange-180622140252/85/Serverless-in-Production-an-experience-report-cloudXchange-73-320.jpg)
![if [ "$1" = "deploy" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE 'node_modules/.bin/sls' deploy -s $STAGE -r $REGION
elif [ "$1" = "int-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run int-$STAGE
elif [ "$1" = "acceptance-test" ] && [ $# -eq 4 ]; then
STAGE=$2
REGION=$3
PROFILE=$4
npm install
AWS_PROFILE=$PROFILE npm run acceptance-$STAGE
else
usage
exit 1
fi
install Serverless framework
as dev dependency
mitigate version conflicts](https://image.slidesharecdn.com/serverlessinprodcloudxchange-180622140252/85/Serverless-in-Production-an-experience-report-cloudXchange-74-320.jpg)
Serverless in Production, an experience report (cloudXchange)
- 1. in production an experience reportan experience report what you should know before you go to production ServerlessServerless
- 4. apr, 2016
- 6. hey guys, vote on this post and I’ll announce a winner at 10PM tonight
- 7. 10PM traffic
- 9. low utilisation to leave room for spikes EC2 scaling is slow, so scale earlier
- 10. lots of $$$ for unused resources
- 11. up to 30 mins for deployment deployment required downtime
- 12. be small be fast have zero downtime have no lock-step DEPLOYMENTS SHOULD...
- 13. FEATURES SHOULD... be deployable independently be loosely-coupled
- 14. WE WANT TO... minimise cost for unused resources minimise ops effort reduce tech mess deliver visible improvements faster
- 15. nov, 2016
- 16. 170 Lambda functions in prod 1.2 GB deployment packages in prod 95% cost saving vs EC2 15x no. of prod releases per month
- 17. time is a good fit
- 18. 1st function in prod! time is a good fit
- 19. ? time is a good fit 1st function in prod!
- 21. 170 functions ? ? time is a good fit 1st function in prod!
- 24. rebuilt search
- 25. Legacy Monolith Amazon Kinesis Amazon Lambda Amazon CloudSearch
- 26. Legacy Monolith Amazon Kinesis Amazon Lambda Amazon CloudSearchAmazon API Gateway Amazon Lambda
- 36. choose a tried-and-tested deployment framework, don’t invent your own
- 39. TESTING
- 40. amzn.to/29Lxuzu
- 41. Level of Testing 1.Unit do our objects do the right thing? are they easy to work with?
- 43. Level of Testing 1.Unit 2.Integration does our code work against code we can’t change?
- 44. handler
- 45. handler test by invoking the handler
- 46. Level of Testing 1.Unit 2.Integration 3.Acceptance does the whole system work?
- 48. “…We find that tests that mock external libraries often need to be complex to get the code into the right state for the functionality we need to exercise. The mess in such tests is telling us that the design isn’t right but, instead of fixing the problem by improving the code, we have to carry the extra complexity in both code and test…” Don’t Mock Types You Can’t Change
- 49. “…The second risk is that we have to be sure that the behaviour we stub or mock matches what the external library will actually do… Even if we get it right once, we have to make sure that the tests remain valid when we upgrade the libraries…” Don’t Mock Types You Can’t Change
- 50. Don’t Mock Types You Can’t Change Services
- 51. Paul Johnston The serverless approach to testing is different and may actually be easier. http://bit.ly/2t5viwK
- 53. LambdaAPI Gateway DynamoDB Unit Tests
- 54. LambdaAPI Gateway DynamoDB Unit Tests Mock/Stub
- 55. is our request correct? is the request mapping set up correctly?is the API resources configured correctly? are we assuming the correct schema? LambdaAPI Gateway DynamoDB is Lambda proxy configured correctly? is IAM policy set up correctly? is the table created? what unit tests will not tell you…
- 57. most Lambda functions are simple have single purpose, the risk of shipping broken software has largely shifted to how they integrate with external services observation
- 59. optimize towards shipping working software, even if it means slowing down your feedback loop…
- 60. “…Wherever possible, an acceptance test should exercise the system end-to- end without directly calling its internal code. An end-to-end test interacts with the system only from the outside: through its interface…” Testing End-to-End
- 61. Legacy Monolith Amazon Kinesis Amazon Lambda Amazon CloudSearchAmazon API Gateway Amazon Lambda
- 62. Legacy Monolith Amazon Kinesis Amazon Lambda Amazon CloudSearchAmazon API Gateway Amazon Lambda Test Input
- 63. Legacy Monolith Amazon Kinesis Amazon Lambda Amazon CloudSearchAmazon API Gateway Amazon Lambda Test Input Validate
- 64. integration tests exercise system’s Integration with its external dependencies my code
- 65. acceptance tests exercise system End-to-End from the outside my code
- 66. integration tests differ from acceptance tests only in HOW the Lambda functions are invoked observation
- 69. CI + CD PIPELINE
- 70. me deployment scripts that only live on the CI box is a disaster waiting to happen…
- 71. Jenkins build config deploys and tests unit + integration tests deploy acceptance tests
- 72. if [ "$1" = "deploy" ] && [ $# -eq 4 ]; then STAGE=$2 REGION=$3 PROFILE=$4 npm install AWS_PROFILE=$PROFILE 'node_modules/.bin/sls' deploy -s $STAGE -r $REGION elif [ "$1" = "int-test" ] && [ $# -eq 4 ]; then STAGE=$2 REGION=$3 PROFILE=$4 npm install AWS_PROFILE=$PROFILE npm run int-$STAGE elif [ "$1" = "acceptance-test" ] && [ $# -eq 4 ]; then STAGE=$2 REGION=$3 PROFILE=$4 npm install AWS_PROFILE=$PROFILE npm run acceptance-$STAGE else usage exit 1 fi
- 73. if [ "$1" = "deploy" ] && [ $# -eq 4 ]; then STAGE=$2 REGION=$3 PROFILE=$4 npm install AWS_PROFILE=$PROFILE 'node_modules/.bin/sls' deploy -s $STAGE -r $REGION elif [ "$1" = "int-test" ] && [ $# -eq 4 ]; then STAGE=$2 REGION=$3 PROFILE=$4 npm install AWS_PROFILE=$PROFILE npm run int-$STAGE elif [ "$1" = "acceptance-test" ] && [ $# -eq 4 ]; then STAGE=$2 REGION=$3 PROFILE=$4 npm install AWS_PROFILE=$PROFILE npm run acceptance-$STAGE else usage exit 1 fi install Serverless framework as dev dependency
- 74. if [ "$1" = "deploy" ] && [ $# -eq 4 ]; then STAGE=$2 REGION=$3 PROFILE=$4 npm install AWS_PROFILE=$PROFILE 'node_modules/.bin/sls' deploy -s $STAGE -r $REGION elif [ "$1" = "int-test" ] && [ $# -eq 4 ]; then STAGE=$2 REGION=$3 PROFILE=$4 npm install AWS_PROFILE=$PROFILE npm run int-$STAGE elif [ "$1" = "acceptance-test" ] && [ $# -eq 4 ]; then STAGE=$2 REGION=$3 PROFILE=$4 npm install AWS_PROFILE=$PROFILE npm run acceptance-$STAGE else usage exit 1 fi install Serverless framework as dev dependency mitigate version conflicts
- 75. build.sh allows repeatable builds on both local & CI
- 77. Auto Auto Manual
- 79. LOGGING
- 81. 2016-07-12T12:24:37.571Z 994f18f9-482b-11e6-8668-53e4eab441ae GOT is off air, what do I do now?
- 82. 2016-07-12T12:24:37.571Z 994f18f9-482b-11e6-8668-53e4eab441ae GOT is off air, what do I do now? UTC Timestamp API Gateway Request Id your log message
- 83. me Logs are not easily searchable in CloudWatch Logs.
- 84. CloudWatch Logs
- 85. CloudWatch Logs AWS Lambda ELK stack
- 90. a user my followers didn’t receive my new post!
- 91. where could the problem be?
- 92. correlation IDs* * eg. request-id, user-id, yubl-id, etc.
- 93. wrap HTTP client & AWS SDK clients to forward captured correlation IDs
- 94. kinesis client http client sns client
- 95. Amazon X-Ray
- 96. Amazon X-Ray
- 97. X-Ray traces do not span over API Gateway, or async event sources
- 99. no place to install agents/daemons
- 100. • invocation Count • error Count • latency • throttling • granular to the minute • support custom metrics
- 102. my code
- 103. my code
- 104. my code internet internet press button something happens
- 105. console.log(“hydrating yubls from db…”); console.log(“fetching user info from user-api”); console.log(“MONITORING|1489795335|27.4|latency|user-api-latency”); console.log(“MONITORING|1489795335|8|count|yubls-served”); timestamp metric value metric type metric namemetrics logs
- 106. CloudWatch Logs AWS Lambda ELK stack logs metrics CloudWatch
- 107. don’t forget to setup dashboards & CW alarms
- 108. CONFIG MANAGEMENT
- 109. sensitive data should be encrypted in-flight, and at-rest
- 110. enforce role-based access to sensitive configuration values
- 111. SSM Parameter Store HTTPS role-based access encrypted in-flight
- 112. SSM Parameter Store encrypt role-based access
- 113. SSM Parameter Store encrypted at-rest
- 114. HTTPS role-based access SSM Parameter Store encrypted in-flight
- 115. API Gateway and Kinesis Authentication & authorisation (IAM, Cognito) Testing Running & Debugging functions locally Log aggregation Monitoring & Alerting X-Ray Correlation IDs CI/CD Performance and Cost optimisation Error Handling Configuration management VPC Security Leading practices (API Gateway, Kinesis, Lambda) Canary deployments http://bit.ly/production-ready-serverless get 40% off with: ytcui