This solution helps you deploy data lake infrastructure on AWS using CDK Pipelines. This is based on AWS blog Deploy data lake ETL jobs using CDK Pipelines. We recommend you to read the blog before you proceed with the solution.
CDK Pipelines is a construct library module for painless continuous delivery of CDK applications. CDK stands for Cloud Development Kit. It is an open source software development framework to define your cloud application resources using familiar programming languages.
This solution helps you:
- deploy data lake infrastructure on AWS using CDK Pipelines
- leverage the benefit of self-mutating feature of CDK Pipelines. For example, whenever you check your CDK app's source code in to your version control system, CDK Pipelines can automatically build, test, and deploy your new version
- increase the speed of prototyping, testing, and deployment of new ETL workloads
- Data lake
- The solution
- Prerequisites
- Deployment
- Data lake ETL jobs
- Additional resources
- Authors and reviewers
- License Summary
In this section we talk about Data lake architecture and its infrastructure.
To level set, let us design a data lake. As shown in the figure below, we use Amazon S3 for storage. We use three S3 buckets - 1) raw bucket to store raw data in its original format 2) conformed bucket to store the data that meets the quality requirements of the lake 3) purpose-built data that is used by analysts and data consumers of the lake.
The Data Lake has one producer which ingests files into the raw bucket. We use AWS Lambda and AWS Step Functions for orchestration and scheduling of ETL workloads.
We use AWS Glue for ETL and data cataloging, Amazon Athena for interactive queries and analysis. We use various AWS services for logging, monitoring, security, authentication, authorization, notification, build, and deployment.
Note: AWS Lake Formation is a service that makes it easy to set up a secure data lake in days. Amazon QuickSight is a scalable, serverless, embeddable, machine learning-powered business intelligence (BI) service built for the cloud. These two services are not used in this solution.
Now we have the Data Lake design, let's deploy its infrastructure. It includes the following resources:
- Amazon Virtual Private Cloud (VPC)
- Subnets
- Security Groups
- Route Table(s)
- VPC Endpoints
- Amazon S3 buckets for:
- raw data
- conformed data
- purpose-built
- Amazon DynamoDB table for ETL jobs auditing
Figure below represents the infrastructure resources we provision for Data Lake.
We use a centralized deployment model to deploy data lake infrastructure across dev, test, and prod environments.
To demonstrate this solution, we need 4 AWS accounts as follows:
- Central deployment account to create CDK pipelines
- Dev account for dev data lake
- Test account for test data lake
- Prod account for production data lake
Figure below represents the centralized deployment model.
There are few interesting details to point out here:
- Data Lake infrastructure source code is organized into three branches - dev, test, and production
- Each branch is mapped to a CDK pipeline and it turn mapped to a target environment. This way, code changes made to the branches are deployed iteratively to their respective target environment
- From CDK perspective, we apply the the following bootstrapping principles
- the central deployment account will utilize a standard bootstrap
- each target account will require a cross account trust policy to allow access from the centralized deployment account
Figure below illustrates the continuous delivery of data lake infrastructure.
There are few interesting details to point out here:
- The DevOps administrator checks in the code to the repository.
- The DevOps administrator (with elevated access) facilitates a one-time manual deployment on a target environment. Elevated access includes administrative privileges on the central deployment account and target AWS environments.
- CodePipeline periodically listens to commit events on the source code repositories. This is the self-mutating nature of CodePipeline. It’s configured to work with and is able to update itself according to the provided definition.
- Code changes made to the main branch of the repo are automatically deployed to the dev environment of the data lake.
- Code changes to the test branch of the repo are automatically deployed to the test environment.
- Code changes to the prod branch of the repo are automatically deployed to the prod environment.
- Code deployment to the prod environment requires a manual approval from the system administrator
Table below explains how this source code structured:
File / Folder | Description |
---|---|
app.py | Application entry point. |
pipeline_stack.py | Pipeline stack entry point. |
pipeline_deploy_stage.py | Pipeline deploy stage entry point. |
s3_bucket_zones_stack.py | Stack creates S3 buckets - raw, conformed, and purpose-built. This also creates an S3 bucket for server access logging and AWS KMS Key to enabled server side encryption for all buckets. |
tagging.py | Program to tag all provisioned resources. |
configuration.py | Contains all custom configurations |
vpc_stack.py | Contains all resources related to the VPC used by Data Lake infrastructure and services. This includes: VPC, Security Groups, and VPC Endpoints (both Gateway and Interface types). |
redshift_serverless_namespace_stack.py | Contains redshift namspace stack such as database objects and users etc. |
redshift_serverless_workgroup_stack.py | Contains all compute resources such as RPUs, VPC subnet groups, security groups etc for redshift. |
Resources | This folder has static resources such as architecture diagrams, developer guide etc. |
This repository has the following automation scripts to complete steps before the deployment:
# | Script | Purpose |
---|---|---|
1 | bootstrap_deployment_account.sh | Used to bootstrap deployment account |
2 | bootstrap_target_account.sh | Used to bootstrap target environments for example dev, test, and production. |
3 | configure_account_secrets.py | Used to configure account secrets for e.g. GitHub access token. |
This section has various steps you need to perform before you deploy data lake resources on AWS.
-
AWS CLI - make sure you have AWS CLI configured on your system. If not, refer to Configuring the AWS CLI for more details.
-
AWS CDK - install compatible AWS CDK version (preferably the latest version)
npm install -g aws-cdk
-
Python - make sure you have Python SDK installed on your system. We recommend Python 3.7 and above.
-
GitHub Fork - we recommend you fork the repository so you are in control of deployed resources.
-
Four AWS accounts. One of them acts like a central deployment account. The other three are for dev, test, and prod accounts. Optional: To test this solution with central deployment account and one target environment for e.g. dev, refer to developer_instructions.md for detailed instructions.
-
Number of branches on your GitHub repo - You need to start with at least one branch for e.g. main to start using this solution. test and prod branches can be added at the beginning or after the deployment of data lake infrastructure on dev environment.
-
Administrator privileges - you need to administrator privileges to bootstrap your AWS environments and complete initial deployment. Usually, these steps can be performed by a DevOps administrator of your team. After these steps, you can revoke administrative privileges. Subsequent deployments are based on self-mutating natures of CDK Pipelines.
-
AWS Region selection - we recommend you to use the same AWS region (e.g. us-east-2) for deployment, dev, test, and prod accounts for simplicity. However, this is not a hard requirement.
Environment bootstrap is standard CDK process to prepare an AWS environment ready for deployment. Follow the steps:
-
Go to project root directory where app.py file exists
-
Create Python virtual environment. This is a one-time activity.
python3 -m venv .venv
-
Expected output: you will see a folder with name .venv created in project root folder. You can run the following command to see its contents
ls -lart .venv/
total 8 drwxr-xr-x 2 user_id staff 64 Jun 23 15:25 include drwxr-xr-x 3 user_id staff 96 Jun 23 15:25 lib drwxr-xr-x 6 user_id staff 192 Jun 23 15:25 . -rw-r--r-- 1 user_id staff 114 Jun 23 15:25 pyvenv.cfg drwxr-xr-x 16 user_id staff 512 Jun 23 15:27 bin drwxr-xr-x 21 user_id staff 672 Jun 23 15:28 ..
-
Activate Python virtual environment
source .venv/bin/activate
-
Install dependencies
pip install -r requirements.txt
-
Expected output: run the below command and verify all dependencies are installed
ls -lart .venv/lib/python3.9/site-packages/
-
Enable execute permissions for scripts
chmod 700 ./lib/prerequisites/bootstrap_deployment_account.sh chmod 700 ./lib/prerequisites/bootstrap_target_account.sh
-
Before you bootstrap central deployment account account, set environment variable
export AWS_PROFILE=replace_it_with_deployment_account_profile_name_b4_running
Important:
- This command is based on the feature Named Profiles.
- If you want to use an alternative option then refer to Configuring the AWS CLI and Environment variables to configure the AWS CLI for details. Be sure to follow those steps for each configuration step moving forward.
-
Bootstrap central deployment account
./lib/prerequisites/bootstrap_deployment_account.sh
-
When you see the following text, enter y, and press enter/return
Are you sure you want to bootstrap { "UserId": "user_id", "Account": "deployment_account_id", "Arn": "arn:aws:iam::deployment_account_id:user/user_id" }? (y/n)y
-
Expected outputs:
-
Before you bootstrap dev account, set environment variable
export AWS_PROFILE=replace_it_with_dev_account_profile_name_b4_running
-
Bootstrap dev account
Important: Your configured environment must target the Dev account
./lib/prerequisites/bootstrap_target_account.sh <central_deployment_account_id> arn:aws:iam::aws:policy/AdministratorAccess
When you see the following text, enter y, and press enter/return
Are you sure you want to bootstrap { "UserId": "user_id", "Account": "dev_account_id", "Arn": "arn:aws:iam::dev_account_id:user/user_id" } providing a trust relationship to: deployment_account_id using policy arn:aws:iam::aws:policy/AdministratorAccess? (y/n)
-
Expected outputs:
-
Before you bootstrap test account, set environment variable
export AWS_PROFILE=replace_it_with_test_account_profile_name_b4_running
-
Bootstrap test account
Important: Your configured environment must target the Test account
./lib/prerequisites/bootstrap_target_account.sh <central_deployment_account_id> arn:aws:iam::aws:policy/AdministratorAccess
When you see the following text, enter y, and press enter/return
Are you sure you want to bootstrap { "UserId": "user_id", "Account": "test_account_id", "Arn": "arn:aws:iam::test_account_id:user/user_id" } providing a trust relationship to: deployment_account_id using policy arn:aws:iam::aws:policy/AdministratorAccess? (y/n)
-
Expected outputs:
-
Before you bootstrap prod account, set environment variable
export AWS_PROFILE=replace_it_with_prod_account_profile_name_b4_running
-
Bootstrap Prod account
Important: Your configured environment must target the Prod account
./lib/prerequisites/bootstrap_target_account.sh <central_deployment_account_id> arn:aws:iam::aws:policy/AdministratorAccess
When you see the following text, enter y, and press enter/return
Are you sure you want to bootstrap { "UserId": "user_id", "Account": "prod_account_id", "Arn": "arn:aws:iam::prod_account_id:user/user_id" } providing a trust relationship to: deployment_account_id using policy arn:aws:iam::aws:policy/AdministratorAccess? (y/n)
-
Expected outputs:
Before we deploy our resources we must provide the manual variables and upon deployment the CDK Pipelines will programmatically export outputs for managed resources. Follow the below steps to setup your custom configuration:
-
Note: You can safely commit these values to your repository
-
Go to configuration.py and fill in values under
local_mapping
dictionary within the functionget_local_configuration
as desired.Example:
local_mapping = { DEPLOYMENT: { ACCOUNT_ID: 'add_your_deployment_account_id_here', REGION: 'us-east-2', # If you use GitHub / GitHub Enterprise, this will be the organization name GITHUB_REPOSITORY_OWNER_NAME: 'aws-samples', # Use your forked repo here! # This is used in the Logical Id of CloudFormation resources # We recommend capital case for consistency. e.g. DataLakeCdkBlog GITHUB_REPOSITORY_NAME: 'aws-cdk-pipelines-datalake-infrastructure', LOGICAL_ID_PREFIX: 'DataLakeCDKBlog', # This is used in resources that must be globally unique! # It may only contain alphanumeric characters, hyphens, and cannot contain trailing hyphens # E.g. unique-identifier-data-lake RESOURCE_NAME_PREFIX: 'cdkblog-e2e', }, DEV: { ACCOUNT_ID: 'add_your_dev_account_id_here', REGION: 'us-east-2', VPC_CIDR: '10.20.0.0/24' }, TEST: { ACCOUNT_ID: 'add_your_test_account_id_here', REGION: 'us-east-2', VPC_CIDR: '10.10.0.0/24' }, PROD: { ACCOUNT_ID: 'add_your_prod_account_id_here', REGION: 'us-east-2', VPC_CIDR: '10.0.0.0/24' } }
Integration between AWS CodePipeline and GitHub requires a personal access token. This access token is stored in Secrets Manager. This is a one-time setup and is applicable for all target AWS environments and all repositories created under the organization in GitHub.com. Follow the below steps:
-
Note: Do NOT commit these values to your repository
-
Create a personal access token in your GitHub. Refer to Creating a personal access token for details
-
Go to configure_account_secrets.py and fill in the value for attribute MY_GITHUB_TOKEN
-
Run the below command
python3 ./lib/prerequisites/configure_account_secrets.py
-
Expected output 1:
Pushing secret: /DataLake/GitHubToken
-
Expected output 2: A secret is added to AWS Secrets Manager with name /DataLake/GitHubToken
Configure your AWS profile to target the central Deployment account as an Administrator and perform the following steps:
-
Open command line (terminal)
-
Go to project root directory where
cdk.json
andapp.py
exist -
Run the command
cdk ls
-
Expected output: It lists CDK Pipelines and target account stacks on the console. A sample is below:
DevDataLakeCDKBlogInfrastructurePipeline ProdDataLakeCDKBlogInfrastructurePipeline TestDataLakeCDKBlogInfrastructurePipeline DevDataLakeCDKBlogInfrastructurePipeline/Dev/DevDataLakeCDKBlogInfrastructureIam DevDataLakeCDKBlogInfrastructurePipeline/Dev/DevDataLakeCDKBlogInfrastructureS3BucketZones DevDataLakeCDKBlogInfrastructurePipeline/Dev/DevDataLakeCDKBlogInfrastructureVpc ProdDataLakeCDKBlogInfrastructurePipeline/Prod/ProdDataLakeCDKBlogInfrastructureIam ProdDataLakeCDKBlogInfrastructurePipeline/Prod/ProdDataLakeCDKBlogInfrastructureS3BucketZones ProdDataLakeCDKBlogInfrastructurePipeline/Prod/ProdDataLakeCDKBlogInfrastructureVpc TestDataLakeCDKBlogInfrastructurePipeline/Test/TestDataLakeCDKBlogInfrastructureIam TestDataLakeCDKBlogInfrastructurePipeline/Test/TestDataLakeCDKBlogInfrastructureS3BucketZones TestDataLakeCDKBlogInfrastructurePipeline/Test/TestDataLakeCDKBlogInfrastructureVpc
Note:
- Here, DataLakeCDKBlog string literal is the value of
LOGICAL_ID_PREFIX
configured in configuration.py - The first three stacks represent the CDK Pipeline stacks which will be created in the deployment account. For each, target environment, there will be three stacks.
- Here, DataLakeCDKBlog string literal is the value of
-
Set your environment variable back to deployment account
export AWS_PROFILE=deployment_account_profile_name_here
-
Run the command
cdk deploy --all
-
Expected outputs:
-
In the deployment account's CloudFormation console, you will see the following CloudFormation stacks created
-
In the deployment account's CodePipeline console, you will see the following Pipeline triggered
-
In the dev data lake account's CloudFormation console, you will see the following stacks are completed successfully
-
Pipeline you have created using CDK Pipelines module is self mutating. That means, code checked to GitHub repository branch will kick off CDK Pipeline mapped to that branch.
You can use the data lake infrastructure to deploy ETL jobs. We provided AWS CDK Pipelines for Data Lake ETL Deployment to help you accomplish this task.
In this section, we provide some additional resources.
-
Delete stacks using the command
cdk destroy --all
. When you see the following text, enter y, and press enter/return.Are you sure you want to delete: TestDataLakeCDKBlogInfrastructurePipeline, ProdDataLakeCDKBlogInfrastructurePipeline, DevDataLakeCDKBlogInfrastructurePipeline (y/n)?
Note: This operation deletes stacks only in central deployment account
-
To delete stacks in development account, log onto Dev account, go to AWS CloudFormation console and delete the following stacks:
- Dev-DevDataLakeCDKBlogInfrastructureVpc
- Dev-DevDataLakeCDKBlogInfrastructureS3BucketZones
- Dev-DevDataLakeCDKBlogInfrastructureIam
Note:
- Deletion of Dev-DevDataLakeCDKBlogInfrastructureS3BucketZones will delete the S3 buckets (raw, conformed, and purpose-built). This behavior can be changed by modifying the retention policy in s3_bucket_zones_stack.py
-
To delete stacks in test account, log onto Dev account, go to AWS CloudFormation console and delete the following stacks:
- Test-TestDataLakeCDKBlogInfrastructureVpc
- Test-TestDataLakeCDKBlogInfrastructureS3BucketZones
- Test-TestDataLakeCDKBlogInfrastructureIam
Note:
- The S3 buckets (raw, conformed, and purpose-built) have retention policies attached and must be removed manually when they are no longer needed.
-
To delete stacks in prod account, log onto Dev account, go to AWS CloudFormation console and delete the following stacks:
- Prod-ProdDataLakeCDKBlogInfrastructureVpc
- Prod-ProdDataLakeCDKBlogInfrastructureS3BucketZones
- Prod-ProdDataLakeCDKBlogInfrastructureIam
Note:
- The S3 buckets (raw, conformed, and purpose-built) have retention policies attached and must be removed manually when they are no longer needed.
-
Optional:
-
If you are not using AWS CDK for other purposes, you can also remove
CDKToolkit
stack in each target account. -
Note: The asset S3 bucket has a retention policy and must be removed manually.
-
-
For more details refer to AWS CDK Toolkit
Refer to CDK Instructions for detailed instructions
Refer to Developer guide for more details of this project.
The following people are involved in the design, architecture, development, and testing of this solution:
- Isaiah Grant, Cloud Consultant, 2nd Watch, Inc.
- Ravi Itha, Senior Data Architect, Amazon Web Services Inc.
- Muhammad Zahid Ali, Data Architect, Amazon Web Services Inc.
The following people are involved in the reviews:
- Mike Apted, Principal Solutions Architect, Amazon Web Services Inc.
- Nikunj Vaidya, Senior DevOps Specialist, Amazon Web Services Inc.
This sample code is made available under the MIT-0 license. See the LICENSE file.