Andrew Rich | [email protected] | LinkedIn
This document provides step-by-step instructions to prepare your Mac, clone the repository, and deploy the application using Terraform.
This SRE Kata Task demonstrates the implementation of a containerized web application and a serverless function using AWS services. The project showcases skills in infrastructure as code (IaC) using Terraform, containerization with ECS, and serverless computing with Lambda.
- Homebrew (package manager for macOS)
- GitHub account with access to the private repository
This project primarily relies on default versions provided by Terraform and AWS services to ensure compatibility and ease of maintenance. We use Terraform 1.0 or later, which automatically selects appropriate provider versions. For AWS services, we allow the use of default, up-to-date versions managed by AWS. Specific version notes:
- Terraform: 1.0 or later (latest version recommended)
- AWS Provider: Latest version compatible with used Terraform version
- ECS: Latest available Amazon ECS-Optimized Amazon Linux 2 AMI
- Lambda Runtime: Ruby 3.3
- Container Images:
- Web Application:
beamdental/sre-kata-app
(latest) - Redis:
redis:latest
- Web Application:
While we don't pin most versions explicitly, this approach allows for easier updates and maintenance. In a production environment, you might consider specifying exact versions for stricter control and reproducibility.
Homebrew is a package manager for macOS. If you don't have it installed, open your Terminal and run the following command:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
The AWS CLI tool will allow you to interact with AWS services from the command line.
-
Install AWS CLI using Homebrew:
brew install awscli
-
Configure AWS CLI with your credentials:
aws configure
You will be prompted to enter your AWS Access Key ID, Secret Access Key, Default region name, and Default output format. You should have received the necessary credentials from your team.
-
Confirm AWS CLI is configured properly:
aws sts get-caller-identity
Terraform is used for provisioning and managing your infrastructure.
-
Install Terraform using Homebrew:
brew tap hashicorp/tap brew install hashicorp/tap/terraform
-
Verify the installation:
terraform -version
-
Ensure you have Git installed:
brew install git
-
Clone the repository using SSH (recommended) or HTTPS:
git clone [email protected]:smartwatermelon/beam-sre-kata.git
Or using HTTPS:
git clone https://github.com/smartwatermelon/beam-sre-kata.git
After cloning the repository, you'll find the following structure:
beam-sre-kata/ ├── modules/ │ ├── container_service/ │ ├── networking/ │ └── serverless/ ├── main.tf ├── variables.tf ├── outputs.tf ├── providers.tf └── README.md
modules/
: Contains Terraform modules for different components of the infrastructure.main.tf
: The main Terraform configuration file that calls the modules.variables.tf
: Defines input variables for the Terraform configuration.outputs.tf
: Specifies the outputs from the Terraform apply process.providers.tf
: Configures the required providers for the project.
-
Navigate to the cloned repository directory:
cd beam-sre-kata
-
Initialize Terraform:
terraform init
-
Apply the Terraform plan to deploy the infrastructure:
terraform apply
-
Confirm the action when prompted by typing
yes
.
As part of Task-1, we've implemented a container service using AWS ECS (Elastic Container Service). Here's what we've done:
-
Created an ECS cluster to manage our containers.
-
Deployed two containers:
a. A Redis instance for data storage.
b. A web application that depends on Redis (using the
beamdental/sre-kata-app
image). -
Set up an Application Load Balancer (ALB) to route traffic to the web application.
-
Configured the necessary networking components (VPC, subnets, security groups).
-
Implemented logging to CloudWatch for both containers.
To test the deployed application:
-
After the Terraform apply completes, note the ALB DNS name from the output:
alb_dns_name = "RESOURCE_NAME.us-east-2.elb.amazonaws.com"
-
Open a web browser and navigate to the ALB DNS name. Click through the insecure warning since we have not implemented HTTPS for this demonstration.
Note: The ALB will display a 503 error until services have initialized. You can watch the initialization process in the
Tasks
view under the ECS service.
To view the ECS service details and logs:
-
Go to the AWS Console and navigate to the ECS service.
-
Find and select the
ar-sre-kata-cluster
. -
Click on the
ar-sre-kata-app-and-redis-service
to view details about the running tasks. -
To view logs:
a. Click on a running task.
b. In the "Logs" tab, you can view logs for both the web application and Redis containers.
You can also view the logs in CloudWatch:
- In the AWS Console, go to CloudWatch.
- Navigate to "Log groups" in the left sidebar.
- Find and click on the "/ecs/ar-sre-kata-app" and "/ecs/ar-sre-kata-redis" log groups.
As part of Task-3, we've implemented a serverless function that fetches brewery data from the OpenBreweryDB API. Here's what we've done:
- Created a Lambda function (
AR-BreweryParser
) that fetches brewery data for Columbus, Ohio (39°57'28.7"N, 82°59'50.5"W). - Implemented logging to CloudWatch, which outputs the brewery data in JSON format.
- Created a test runner (
AR-TestRunner
) to verify the functionality. - Integrated unit tests that run during the Terraform apply process.
To test the AR-BreweryParser
function:
- Go to the AWS Console and navigate to the Lambda service.
- Find and select the
AR-BreweryParser
function. - Click on the "Test" tab and create a new test event with an empty JSON object
{}
. - Click "Test" to run the function.
- Check the execution results and CloudWatch logs to see the brewery data output.
To view the CloudWatch logs:
- In the AWS Console, go to CloudWatch.
- Navigate to "Log groups" in the left sidebar.
- Find and click on the
/aws/lambda/AR-BreweryParser
log group. - Click on the latest log stream to view the most recent function execution logs.
The AR-TestRunner
function can be tested similarly through the AWS Console if needed. Additional IAM permissions would be required to configure EventBridge to automatically run the unit tests.
If you need to destroy the deployed infrastructure, run:
terraform destroy
Confirm the action when prompted by typing yes
.
Your AWS IAM account may not have necessary permissions to delete resources. If this happens, you can delete Terraform's local state representation of these resources.
terraform state list | grep SEARCH_TERM
terraform state rm RESOURCE1 RESOURCE2 ... RESOURCEn
While this project does not utilize any passwords, in a real-world scenario, secure password management is crucial. Here's how we would approach providing passwords securely:
-
Use AWS Secrets Manager or AWS Systems Manager Parameter Store to securely store sensitive information like passwords.
-
In your Terraform configuration, you would reference these secrets using data sources. For example:
data "aws_secretsmanager_secret_version" "db_password" { secret_id = "my-db-password" }
-
When needed in your resources, reference the secret like this:
resource "aws_db_instance" "example" { # ... other configuration ... password = data.aws_secretsmanager_secret_version.db_password.secret_string }
-
Ensure that your IAM roles have the minimum necessary permissions to access these secrets.
-
Use Terraform's sensitive output feature to prevent accidental exposure of sensitive data in logs:
output "db_password" { value = data.aws_secretsmanager_secret_version.db_password.secret_string sensitive = true }
-
For local development, consider using tools like
git-crypt
orSOPS
to encrypt sensitive files in your repository.
Remember, never hard-code passwords or other sensitive information directly in your Terraform configurations or commit them to version control.
If you encounter issues during deployment or testing, try the following:
-
Get the current Terraform state and outputs.
terraform refresh && terraform output
-
Ensure your AWS credentials are correctly configured and have the necessary permissions.
-
Check the CloudWatch logs for each service to identify any runtime errors.
-
If a Terraform apply fails, run
terraform plan
to see what changes are pending and why they might be failing. -
For networking issues, verify that security groups and VPC settings are correctly configured.
If problems persist, please refer to the AWS documentation or reach out to the contact listed at the top of this document.
To avoid unnecessary AWS charges, remember to destroy your infrastructure when you're done testing:
- Run
terraform destroy
and confirm when prompted. - Double-check the AWS Console to ensure all resources have been properly removed.
- Monitor your AWS billing dashboard for any unexpected charges.
You have now successfully prepared your Mac, cloned the repository, and deployed the application using Terraform. If you encounter any issues or need further assistance, please reach out to the contact listed at the top of this document.