Skip to content

Last-Mile-Health/lmd-aws-cdk-pipelines-datalake-infrastructure

Repository files navigation

CDK Pipelines for Data Lake Infrastructure Deployment

This solution helps you deploy data lake infrastructure on AWS using CDK Pipelines. This is based on AWS blog Deploy data lake ETL jobs using CDK Pipelines. We recommend you to read the blog before you proceed with the solution.

CDK Pipelines is a construct library module for painless continuous delivery of CDK applications. CDK stands for Cloud Development Kit. It is an open source software development framework to define your cloud application resources using familiar programming languages.

This solution helps you:

  1. deploy data lake infrastructure on AWS using CDK Pipelines
  2. leverage the benefit of self-mutating feature of CDK Pipelines. For example, whenever you check your CDK app's source code in to your version control system, CDK Pipelines can automatically build, test, and deploy your new version
  3. increase the speed of prototyping, testing, and deployment of new ETL workloads

Contents


Data lake

In this section we talk about Data lake architecture and its infrastructure.


Architecture

To level set, let us design a data lake. As shown in the figure below, we use Amazon S3 for storage. We use three S3 buckets - 1) raw bucket to store raw data in its original format 2) conformed bucket to store the data that meets the quality requirements of the lake 3) purpose-built data that is used by analysts and data consumers of the lake.

The Data Lake has one producer which ingests files into the raw bucket. We use AWS Lambda and AWS Step Functions for orchestration and scheduling of ETL workloads.

We use AWS Glue for ETL and data cataloging, Amazon Athena for interactive queries and analysis. We use various AWS services for logging, monitoring, security, authentication, authorization, notification, build, and deployment.

Note: AWS Lake Formation is a service that makes it easy to set up a secure data lake in days. Amazon QuickSight is a scalable, serverless, embeddable, machine learning-powered business intelligence (BI) service built for the cloud. These two services are not used in this solution.

Conceptual Data Lake


Infrastructure

Now we have the Data Lake design, let's deploy its infrastructure. It includes the following resources:

  1. Amazon Virtual Private Cloud (VPC)
  2. Subnets
  3. Security Groups
  4. Route Table(s)
  5. VPC Endpoints
  6. Amazon S3 buckets for:
    1. raw data
    2. conformed data
    3. purpose-built
  7. Amazon DynamoDB table for ETL jobs auditing

Figure below represents the infrastructure resources we provision for Data Lake.

Data Lake Infrastructure Architecture


The solution

We use a centralized deployment model to deploy data lake infrastructure across dev, test, and prod environments.


Centralized deployment

To demonstrate this solution, we need 4 AWS accounts as follows:

  1. Central deployment account to create CDK pipelines
  2. Dev account for dev data lake
  3. Test account for test data lake
  4. Prod account for production data lake

Figure below represents the centralized deployment model.

Alt

There are few interesting details to point out here:

  1. Data Lake infrastructure source code is organized into three branches - dev, test, and production
  2. Each branch is mapped to a CDK pipeline and it turn mapped to a target environment. This way, code changes made to the branches are deployed iteratively to their respective target environment
  3. From CDK perspective, we apply the the following bootstrapping principles
    1. the central deployment account will utilize a standard bootstrap
    2. each target account will require a cross account trust policy to allow access from the centralized deployment account

Continuous delivery of data lake infrastructure using CDK Pipelines

Figure below illustrates the continuous delivery of data lake infrastructure.

Alt

There are few interesting details to point out here:

  1. The DevOps administrator checks in the code to the repository.
  2. The DevOps administrator (with elevated access) facilitates a one-time manual deployment on a target environment. Elevated access includes administrative privileges on the central deployment account and target AWS environments.
  3. CodePipeline periodically listens to commit events on the source code repositories. This is the self-mutating nature of CodePipeline. It’s configured to work with and is able to update itself according to the provided definition.
  4. Code changes made to the main branch of the repo are automatically deployed to the dev environment of the data lake.
  5. Code changes to the test branch of the repo are automatically deployed to the test environment.
  6. Code changes to the prod branch of the repo are automatically deployed to the prod environment.
  7. Code deployment to the prod environment requires a manual approval from the system administrator

Source code structure

Table below explains how this source code structured:

File / Folder Description
app.py Application entry point.
pipeline_stack.py Pipeline stack entry point.
pipeline_deploy_stage.py Pipeline deploy stage entry point.
s3_bucket_zones_stack.py Stack creates S3 buckets - raw, conformed, and purpose-built. This also creates an S3 bucket for server access logging and AWS KMS Key to enabled server side encryption for all buckets.
tagging.py Program to tag all provisioned resources.
configuration.py Contains all custom configurations
vpc_stack.py Contains all resources related to the VPC used by Data Lake infrastructure and services. This includes: VPC, Security Groups, and VPC Endpoints (both Gateway and Interface types).
redshift_serverless_namespace_stack.py Contains redshift namspace stack such as database objects and users etc.
redshift_serverless_workgroup_stack.py Contains all compute resources such as RPUs, VPC subnet groups, security groups etc for redshift.
Resources This folder has static resources such as architecture diagrams, developer guide etc.

Automation scripts

This repository has the following automation scripts to complete steps before the deployment:

# Script Purpose
1 bootstrap_deployment_account.sh Used to bootstrap deployment account
2 bootstrap_target_account.sh Used to bootstrap target environments for example dev, test, and production.
3 configure_account_secrets.py Used to configure account secrets for e.g. GitHub access token.

Prerequisites

This section has various steps you need to perform before you deploy data lake resources on AWS.


Software installation

  1. AWS CLI - make sure you have AWS CLI configured on your system. If not, refer to Configuring the AWS CLI for more details.

  2. AWS CDK - install compatible AWS CDK version (preferably the latest version)

    npm install -g aws-cdk
  3. Python - make sure you have Python SDK installed on your system. We recommend Python 3.7 and above.

  4. GitHub Fork - we recommend you fork the repository so you are in control of deployed resources.

Logistical requirements

  1. Four AWS accounts. One of them acts like a central deployment account. The other three are for dev, test, and prod accounts. Optional: To test this solution with central deployment account and one target environment for e.g. dev, refer to developer_instructions.md for detailed instructions.

  2. Number of branches on your GitHub repo - You need to start with at least one branch for e.g. main to start using this solution. test and prod branches can be added at the beginning or after the deployment of data lake infrastructure on dev environment.

  3. Administrator privileges - you need to administrator privileges to bootstrap your AWS environments and complete initial deployment. Usually, these steps can be performed by a DevOps administrator of your team. After these steps, you can revoke administrative privileges. Subsequent deployments are based on self-mutating natures of CDK Pipelines.

  4. AWS Region selection - we recommend you to use the same AWS region (e.g. us-east-2) for deployment, dev, test, and prod accounts for simplicity. However, this is not a hard requirement.


AWS environment bootstrapping

Environment bootstrap is standard CDK process to prepare an AWS environment ready for deployment. Follow the steps:

  1. Go to project root directory where app.py file exists

  2. Create Python virtual environment. This is a one-time activity.

    python3 -m venv .venv
  3. Expected output: you will see a folder with name .venv created in project root folder. You can run the following command to see its contents ls -lart .venv/

    total 8
    drwxr-xr-x   2 user_id  staff   64 Jun 23 15:25 include
    drwxr-xr-x   3 user_id  staff   96 Jun 23 15:25 lib
    drwxr-xr-x   6 user_id  staff  192 Jun 23 15:25 .
    -rw-r--r--   1 user_id  staff  114 Jun 23 15:25 pyvenv.cfg
    drwxr-xr-x  16 user_id  staff  512 Jun 23 15:27 bin
    drwxr-xr-x  21 user_id  staff  672 Jun 23 15:28 ..
  4. Activate Python virtual environment

    source .venv/bin/activate
  5. Install dependencies

    pip install -r requirements.txt
  6. Expected output: run the below command and verify all dependencies are installed

    ls -lart .venv/lib/python3.9/site-packages/
  7. Enable execute permissions for scripts

    chmod 700 ./lib/prerequisites/bootstrap_deployment_account.sh
    chmod 700 ./lib/prerequisites/bootstrap_target_account.sh
  8. Before you bootstrap central deployment account account, set environment variable

    export AWS_PROFILE=replace_it_with_deployment_account_profile_name_b4_running

    Important:

    1. This command is based on the feature Named Profiles.
    2. If you want to use an alternative option then refer to Configuring the AWS CLI and Environment variables to configure the AWS CLI for details. Be sure to follow those steps for each configuration step moving forward.
  9. Bootstrap central deployment account

    ./lib/prerequisites/bootstrap_deployment_account.sh
  10. When you see the following text, enter y, and press enter/return

    Are you sure you want to bootstrap {
       "UserId": "user_id",
       "Account": "deployment_account_id",
       "Arn": "arn:aws:iam::deployment_account_id:user/user_id"
    }? (y/n)y
  11. Expected outputs:

    1. In your terminal, you see ✅ Environment aws://deployment_account_id/us-east-2 bootstrapped.

    2. You see a stack created in your deployment account as follows

      bootstrap_central_deployment_account

    3. You see an S3 bucket created in central deployment account. The name is like cdk-hnb659fds-<assets-deployment_account_id>-us-east-2

  12. Before you bootstrap dev account, set environment variable

    export AWS_PROFILE=replace_it_with_dev_account_profile_name_b4_running
  13. Bootstrap dev account

    Important: Your configured environment must target the Dev account

    ./lib/prerequisites/bootstrap_target_account.sh <central_deployment_account_id> arn:aws:iam::aws:policy/AdministratorAccess

    When you see the following text, enter y, and press enter/return

    Are you sure you want to bootstrap {
     "UserId": "user_id",
     "Account": "dev_account_id",
     "Arn": "arn:aws:iam::dev_account_id:user/user_id"
    } providing a trust relationship to: deployment_account_id using policy arn:aws:iam::aws:policy/AdministratorAccess? (y/n)
  14. Expected outputs:

    1. In your terminal, you see ✅ Environment aws://dev_account_id/us-east-2 bootstrapped.

    2. You see a stack created in your deployment account as follows

      bootstrap_central_deployment_account

    3. You see an S3 bucket created in central deployment account. The name is like cdk-hnb659fds-assets-<dev_account_id>-us-east-2

  15. Before you bootstrap test account, set environment variable

    export AWS_PROFILE=replace_it_with_test_account_profile_name_b4_running
  16. Bootstrap test account

    Important: Your configured environment must target the Test account

    ./lib/prerequisites/bootstrap_target_account.sh <central_deployment_account_id> arn:aws:iam::aws:policy/AdministratorAccess

    When you see the following text, enter y, and press enter/return

    Are you sure you want to bootstrap {
       "UserId": "user_id",
       "Account": "test_account_id",
       "Arn": "arn:aws:iam::test_account_id:user/user_id"
    } providing a trust relationship to: deployment_account_id using policy arn:aws:iam::aws:policy/AdministratorAccess? (y/n)
  17. Expected outputs:

    1. In your terminal, you see ✅ Environment aws://test_account_id/us-east-2 bootstrapped.

    2. You see a stack created in your Deployment account as follows

      bootstrap_central_deployment_account

    3. You see an S3 bucket created in central deployment account. The name is like cdk-hnb659fds-assets-<test_account_id>-us-east-2

  18. Before you bootstrap prod account, set environment variable

    export AWS_PROFILE=replace_it_with_prod_account_profile_name_b4_running
  19. Bootstrap Prod account

    Important: Your configured environment must target the Prod account

    ./lib/prerequisites/bootstrap_target_account.sh <central_deployment_account_id> arn:aws:iam::aws:policy/AdministratorAccess

    When you see the following text, enter y, and press enter/return

    Are you sure you want to bootstrap {
       "UserId": "user_id",
       "Account": "prod_account_id",
       "Arn": "arn:aws:iam::prod_account_id:user/user_id"
    } providing a trust relationship to: deployment_account_id using policy arn:aws:iam::aws:policy/AdministratorAccess? (y/n)
  20. Expected outputs:

    1. In your terminal, you see ✅ Environment aws://prod_account_id/us-east-2 bootstrapped.

    2. You see a stack created in your Deployment account as follows

      bootstrap_central_deployment_account

    3. You see an S3 bucket created in central deployment account. The name is like cdk-hnb659fds-assets-<prod_account_id>-us-east-2


Application configuration

Before we deploy our resources we must provide the manual variables and upon deployment the CDK Pipelines will programmatically export outputs for managed resources. Follow the below steps to setup your custom configuration:

  1. Note: You can safely commit these values to your repository

  2. Go to configuration.py and fill in values under local_mapping dictionary within the function get_local_configuration as desired.

    Example:

    local_mapping = {
        DEPLOYMENT: {
            ACCOUNT_ID: 'add_your_deployment_account_id_here',
            REGION: 'us-east-2',
            # If you use GitHub / GitHub Enterprise, this will be the organization name
            GITHUB_REPOSITORY_OWNER_NAME: 'aws-samples',
            # Use your forked repo here!
            # This is used in the Logical Id of CloudFormation resources
            # We recommend capital case for consistency. e.g. DataLakeCdkBlog
            GITHUB_REPOSITORY_NAME: 'aws-cdk-pipelines-datalake-infrastructure',
            LOGICAL_ID_PREFIX: 'DataLakeCDKBlog',
            # This is used in resources that must be globally unique!
            # It may only contain alphanumeric characters, hyphens, and cannot contain trailing hyphens
            # E.g. unique-identifier-data-lake
            RESOURCE_NAME_PREFIX: 'cdkblog-e2e',
        },
        DEV: {
            ACCOUNT_ID: 'add_your_dev_account_id_here',
            REGION: 'us-east-2',
            VPC_CIDR: '10.20.0.0/24'
        },
        TEST: {
            ACCOUNT_ID: 'add_your_test_account_id_here',
            REGION: 'us-east-2',
            VPC_CIDR: '10.10.0.0/24'
        },
        PROD: {
            ACCOUNT_ID: 'add_your_prod_account_id_here',
            REGION: 'us-east-2',
            VPC_CIDR: '10.0.0.0/24'
        }
    }

AWS CodePipeline and GitHub integration

Integration between AWS CodePipeline and GitHub requires a personal access token. This access token is stored in Secrets Manager. This is a one-time setup and is applicable for all target AWS environments and all repositories created under the organization in GitHub.com. Follow the below steps:

  1. Note: Do NOT commit these values to your repository

  2. Create a personal access token in your GitHub. Refer to Creating a personal access token for details

  3. Go to configure_account_secrets.py and fill in the value for attribute MY_GITHUB_TOKEN

  4. Run the below command

    python3 ./lib/prerequisites/configure_account_secrets.py
  5. Expected output 1:

    Pushing secret: /DataLake/GitHubToken
  6. Expected output 2: A secret is added to AWS Secrets Manager with name /DataLake/GitHubToken


Deployment


Deploying for the first time

Configure your AWS profile to target the central Deployment account as an Administrator and perform the following steps:

  1. Open command line (terminal)

  2. Go to project root directory where cdk.json and app.py exist

  3. Run the command cdk ls

  4. Expected output: It lists CDK Pipelines and target account stacks on the console. A sample is below:

    DevDataLakeCDKBlogInfrastructurePipeline
    ProdDataLakeCDKBlogInfrastructurePipeline
    TestDataLakeCDKBlogInfrastructurePipeline
    DevDataLakeCDKBlogInfrastructurePipeline/Dev/DevDataLakeCDKBlogInfrastructureIam
    DevDataLakeCDKBlogInfrastructurePipeline/Dev/DevDataLakeCDKBlogInfrastructureS3BucketZones
    DevDataLakeCDKBlogInfrastructurePipeline/Dev/DevDataLakeCDKBlogInfrastructureVpc
    ProdDataLakeCDKBlogInfrastructurePipeline/Prod/ProdDataLakeCDKBlogInfrastructureIam
    ProdDataLakeCDKBlogInfrastructurePipeline/Prod/ProdDataLakeCDKBlogInfrastructureS3BucketZones
    ProdDataLakeCDKBlogInfrastructurePipeline/Prod/ProdDataLakeCDKBlogInfrastructureVpc
    TestDataLakeCDKBlogInfrastructurePipeline/Test/TestDataLakeCDKBlogInfrastructureIam
    TestDataLakeCDKBlogInfrastructurePipeline/Test/TestDataLakeCDKBlogInfrastructureS3BucketZones
    TestDataLakeCDKBlogInfrastructurePipeline/Test/TestDataLakeCDKBlogInfrastructureVpc

    Note:

    1. Here, DataLakeCDKBlog string literal is the value of LOGICAL_ID_PREFIX configured in configuration.py
    2. The first three stacks represent the CDK Pipeline stacks which will be created in the deployment account. For each, target environment, there will be three stacks.
  5. Set your environment variable back to deployment account

    export AWS_PROFILE=deployment_account_profile_name_here
  6. Run the command cdk deploy --all

  7. Expected outputs:

    1. In the deployment account's CloudFormation console, you will see the following CloudFormation stacks created

      CloudFormation_stacks_in_deployment_account

    2. In the deployment account's CodePipeline console, you will see the following Pipeline triggered

      CloudFormation_stacks_in_deployment_account

    3. In the dev data lake account's CloudFormation console, you will see the following stacks are completed successfully

      cdk_deploy_output_deployment_account_cfn_stacks


Iterative Deployment

Pipeline you have created using CDK Pipelines module is self mutating. That means, code checked to GitHub repository branch will kick off CDK Pipeline mapped to that branch.


Data lake ETL jobs

You can use the data lake infrastructure to deploy ETL jobs. We provided AWS CDK Pipelines for Data Lake ETL Deployment to help you accomplish this task.


Additional resources

In this section, we provide some additional resources.


Clean up

  1. Delete stacks using the command cdk destroy --all. When you see the following text, enter y, and press enter/return.

    Are you sure you want to delete: TestDataLakeCDKBlogInfrastructurePipeline, ProdDataLakeCDKBlogInfrastructurePipeline, DevDataLakeCDKBlogInfrastructurePipeline (y/n)?

    Note: This operation deletes stacks only in central deployment account

  2. To delete stacks in development account, log onto Dev account, go to AWS CloudFormation console and delete the following stacks:

    1. Dev-DevDataLakeCDKBlogInfrastructureVpc
    2. Dev-DevDataLakeCDKBlogInfrastructureS3BucketZones
    3. Dev-DevDataLakeCDKBlogInfrastructureIam

    Note:

    1. Deletion of Dev-DevDataLakeCDKBlogInfrastructureS3BucketZones will delete the S3 buckets (raw, conformed, and purpose-built). This behavior can be changed by modifying the retention policy in s3_bucket_zones_stack.py
  3. To delete stacks in test account, log onto Dev account, go to AWS CloudFormation console and delete the following stacks:

    1. Test-TestDataLakeCDKBlogInfrastructureVpc
    2. Test-TestDataLakeCDKBlogInfrastructureS3BucketZones
    3. Test-TestDataLakeCDKBlogInfrastructureIam

    Note:

    1. The S3 buckets (raw, conformed, and purpose-built) have retention policies attached and must be removed manually when they are no longer needed.
  4. To delete stacks in prod account, log onto Dev account, go to AWS CloudFormation console and delete the following stacks:

    1. Prod-ProdDataLakeCDKBlogInfrastructureVpc
    2. Prod-ProdDataLakeCDKBlogInfrastructureS3BucketZones
    3. Prod-ProdDataLakeCDKBlogInfrastructureIam

    Note:

    1. The S3 buckets (raw, conformed, and purpose-built) have retention policies attached and must be removed manually when they are no longer needed.
  5. Optional:

    1. If you are not using AWS CDK for other purposes, you can also remove CDKToolkit stack in each target account.

    2. Note: The asset S3 bucket has a retention policy and must be removed manually.

  6. For more details refer to AWS CDK Toolkit


AWS CDK

Refer to CDK Instructions for detailed instructions


Developer guide

Refer to Developer guide for more details of this project.


Authors and reviewers

The following people are involved in the design, architecture, development, and testing of this solution:

  1. Isaiah Grant, Cloud Consultant, 2nd Watch, Inc.
  2. Ravi Itha, Senior Data Architect, Amazon Web Services Inc.
  3. Muhammad Zahid Ali, Data Architect, Amazon Web Services Inc.

The following people are involved in the reviews:

  1. Mike Apted, Principal Solutions Architect, Amazon Web Services Inc.
  2. Nikunj Vaidya, Senior DevOps Specialist, Amazon Web Services Inc.

License Summary

This sample code is made available under the MIT-0 license. See the LICENSE file.

About

No description, website, or topics provided.

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published