Continually assessing application resilience with Amazon Resilience Hub and Amazon CodePipeline

海外精选
海外精选的内容汇集了全球优质的亚马逊云科技相关技术内容。同时,内容中提到的“AWS” 是 “Amazon Web Services” 的缩写,在此网站不作为商标展示。
0
0
{"value":"As customers commit to a DevOps mindset and embrace a nearly continuous integration/continuous delivery model to implement change with a higher velocity, assessing every change impact on an application resilience is key. This blog shows an architecture pattern for automating resiliency assessments as part of your CI/CD pipeline. Automatically running a resiliency assessment within CI/CD pipelines, development teams can fail fast and understand quickly if a change negatively impacts an applications resilience. The pipeline can stop the deployment into further environments, such as QA/UAT and Production, until the resilience issues have been improved.\n\n[AWS Resilience Hub](https://aws.amazon.com/resilience-hub/) is a managed service that gives you a central place to define, validate and track the resiliency of your AWS applications. It is integrated with [AWS Fault Injection Simulator (FIS)](https://aws.amazon.com/fis/), a chaos engineering service, to provide fault-injection simulations of real-world failures. Using AWS Resilience Hub, you can assess your applications to uncover potential resilience enhancements. This will allow you to validate your applications recovery time (RTO), recovery point (RPO) objectives and optimize business continuity while reducing recovery costs. Resilience Hub also provides APIs for you to integrate its assessment and testing into your CI/CD pipelines for ongoing resilience validation.\n\n[AWS CodePipeline](https://aws.amazon.com/codepipeline/) is a fully managed continuous delivery service for fast and reliable application and infrastructure updates. You can use AWS CodePipeline to model and automate your software release processes. This enables you to increase the speed and quality of your software updates by running all new changes through a consistent set of quality checks.\n\n\n#### **Continuous resilience assessments**\n\n\nFigure 1 shows the resilience assessments automation architecture in a multi-account setup. AWS CodePipeline, AWS Step Functions, and AWS Resilience Hub are defined in your deployment account while the application AWS CloudFormation stacks are imported from your workload account. This pattern relies on AWS Resilience Hub ability to import CloudFormation stacks from a different accounts, regions, or both, when discovering an application structure.\n\n![image.png](https://dev-media.amazoncloud.cn/fd94c76b38b04d8895548566cd46676e_image.png)\n\nFigure 1. High-level architecture pattern for automating resilience assessments\n\n\n#### **Add application to AWS Resilience Hub**\n\n\nBegin by [adding your application](https://docs.aws.amazon.com/resilience-hub/latest/userguide/describe-applicationlication.html) to AWS Resilience Hub and assigning a [resilience policy](https://docs.aws.amazon.com/resilience-hub/latest/userguide/resiliency-policies.html). This can be done via the AWS Management Console or using [CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-resiliencehub-app.html). In this instance, the application has been created through the AWS Management Console. Sebastien Stormacq’s post, [Measure and Improve Your Application Resilience with AWS Resilience Hub](https://aws.amazon.com/blogs/aws/monitor-and-improve-your-application-resiliency-with-resilience-hub/), walks you through how to add your application to AWS Resilience Hub.\n\nIn a [multi-account environment](https://aws.amazon.com/organizations/getting-started/best-practices/), customers typically have dedicated AWS workload account per environment and we recommend you [separate CI/CD capabilities](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/deployments-ou.html) into another account. In this post, the AWS Resilience Hub application has been created in the deployment account and the resources have been discovered using an CloudFormation stack from the workload account. Proper [permissions](https://docs.aws.amazon.com/resilience-hub/latest/userguide/security-iam-resilience-hub-permissions.html#security-iam-resilience-hub-multi-account) are required to use AWS Resilience Hub to manage application in multiple accounts.\n\n![image.png](https://dev-media.amazoncloud.cn/1c29494dd9024c03b4294481464c400b_image.png)\n\nFigure 2. Adding application to AWS Resilience Hub\n\n\n#### **Create AWS Step Function to run resilience assessment**\n\n\nWhenever you make a change to your application CloudFormation, you need to update and publish the latest version in AWS Resilience Hub to ensure you are assessing the latest changes. Now that [AWS Step Functions SDK integrations support AWS Resilience Hub](https://aws.amazon.com/about-aws/whats-new/2022/04/aws-step-functions-expands-support-over-20-new-aws-sdk-integrations/), you can build a state machine to coordinate the process, which will be triggered from AWS Code Pipeline.\n\n[AWS Step Functions](https://aws.amazon.com/step-functions/?step-functions.sort-by=item.additionalFields.postDateTime&step-functions.sort-order=desc) is a low-code, visual workflow service that developers use to build distributed applications, automate IT and business processes, and build data and machine learning pipelines using AWS services. Workflows manage failures, retries, parallelization, service integrations, and observability so developers can focus on higher-value business logic.\n\n![image.png](https://dev-media.amazoncloud.cn/fd2ef1432cca4c55b0f71091e6e2ec7c_image.png)\n\nFigure 3. AWS Step Function for orchestrating AWS SDK calls\n\n1. The first step in the workflow is to update the resources associated with the application defined in AWS Resilience Hub by calling [ImportResourcesToDraftApplication](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_ImportResourcesToDraftAppVersion.html).\n2. Check for the import process to complete using a wait state, a call to [DescribeDraftAppVersionResourcesImportStatus](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_DescribeDraftAppVersionResourcesImportStatus.html) and then a choice state to decide whether to progress or continue waiting.\n3. Once complete, publish the draft application by calling [PublishAppVersion](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_PublishAppVersion.html) to ensure we are assessing the latest version.\n4. Once published, call [StartAppAssessment](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_StartAppAssessment.html) to kick-off a resilience assessment.\n5. Check for the assessment to complete using a wait state, a call to [DescribeAppAssessment](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_DescribeAppAssessment.html) and then a choice state to decide whether to progress or continue waiting.\n6. In the choice state, use [assessment status](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_AppAssessment.html) from the response to determine if the assessment is pending, in progress or successful.\n7. If successful, use the compliance status from the response to determine whether to progress to success or fail. \nCompliance status will be either “PolicyMet” or “PolicyBreached”.\n8. If policy breached, publish onto SNS to alert the development team before moving to fail.\n\n\n#### **Create stage within code pipeline**\n\n\nNow that we have the AWS Step Function created, we need to integrate it into our pipeline. The post [Fine-grained Continuous Delivery With CodePipeline and AWS Step Functions demonstrates](https://aws.amazon.com/blogs/devops/new-fine-grained-continuous-delivery-with-codepipeline-and-aws-stepfunctions/) how you can trigger a step function from AWS Code Pipeline.\n\nWhen adding the stage, you need to pass the ARN of the stack which was deployed in the previous stage as well as the ARN of the application in AWS Resilience Hub. These will be required on the AWS SDK calls and you can pass this in as a literal.\n\n![image.png](https://dev-media.amazoncloud.cn/636cc0deb7e24f7d99030db6a006defa_image.png)\n\nFigure 4. AWS CodePipeline stage step function input\n\n![image.png](https://dev-media.amazoncloud.cn/e38aa298d793448fb9002730ced0216b_image.png)\n\nFigure 5. Example state using the input from AWS CodePipeline stage\n\nFor more information about these AWS SDK calls, please refer to the [AWS Resilience Hub API Reference documents](https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_Operations.html).\n\nCustomers often run their workloads in lower environments in a less resilient way to save on cost. It’s important to add the assessment stage at the appropriate point of your pipeline. We recommend adding this to your pipeline after the deployment to a test environment which mirrors production but before deploying to production. By doing this you can fail fast and halt changes which will lower resilience in production.\n\nA note on [service quotas](https://docs.aws.amazon.com/general/latest/gr/resiliencehub.html): AWS Resilience Hub allows you to run 20 assessments per month per application. If you need to increase this quota, please raise a ticket with [AWS Support](https://aws.amazon.com/premiumsupport/).\n\n\n#### **Conclusion**\n\n\nIn this post, we have seen an approach to continuously assessing resilience as part of your CI/CD pipeline using AWS Resilience Hub, AWS CodePipeline and AWS Step Functions. This approach will enable you to understand fast if a change will weaken resilience.\n\nAWS Resilience Hub also generates recommended [AWS FIS Experiments](https://docs.aws.amazon.com/resilience-hub/latest/userguide/testing.html) that you can deploy and use to test the resilience of your application. As well as assessing the resilience, we also recommend you integrate running these tests into your pipeline. The post [Chaos Testing with AWS Fault Injection Simulator and AWS CodePipeline](https://aws.amazon.com/blogs/architecture/chaos-testing-with-aws-fault-injection-simulator-and-aws-codepipeline/) demonstrates how you can active this.\n\n\n![image.png](https://dev-media.amazoncloud.cn/5f4f75a2a6b6431884e10a8f3ea8f1e6_image.png)\n\n\n#### **Scott Bryen**\n\n\nScott is a Senior Solution Architect working within AWS UK Financial Service team. He helps Financial Services customers accelerate their cloud journey and use the cloud to transform their business.\n\n![image.png](https://dev-media.amazoncloud.cn/191e6c5563cb4b7886b936fe78639ab2_image.png)\n\n\n#### **Elie El khoury**\n\n\nElie is a Financial Industry Specialist at AWS. Elie is based out New York City, where he works with Financial Services customers to help them design, deploy, and scale their applications on the cloud. Outside of work, Elie enjoys road cycling, hiking, and spending time with friends and family.","render":"<p>As customers commit to a DevOps mindset and embrace a nearly continuous integration/continuous delivery model to implement change with a higher velocity, assessing every change impact on an application resilience is key. This blog shows an architecture pattern for automating resiliency assessments as part of your CI/CD pipeline. Automatically running a resiliency assessment within CI/CD pipelines, development teams can fail fast and understand quickly if a change negatively impacts an applications resilience. The pipeline can stop the deployment into further environments, such as QA/UAT and Production, until the resilience issues have been improved.</p>\n<p><a href=\"https://aws.amazon.com/resilience-hub/\" target=\"_blank\">AWS Resilience Hub</a> is a managed service that gives you a central place to define, validate and track the resiliency of your AWS applications. It is integrated with <a href=\"https://aws.amazon.com/fis/\" target=\"_blank\">AWS Fault Injection Simulator (FIS)</a>, a chaos engineering service, to provide fault-injection simulations of real-world failures. Using AWS Resilience Hub, you can assess your applications to uncover potential resilience enhancements. This will allow you to validate your applications recovery time (RTO), recovery point (RPO) objectives and optimize business continuity while reducing recovery costs. Resilience Hub also provides APIs for you to integrate its assessment and testing into your CI/CD pipelines for ongoing resilience validation.</p>\n<p><a href=\"https://aws.amazon.com/codepipeline/\" target=\"_blank\">AWS CodePipeline</a> is a fully managed continuous delivery service for fast and reliable application and infrastructure updates. You can use AWS CodePipeline to model and automate your software release processes. This enables you to increase the speed and quality of your software updates by running all new changes through a consistent set of quality checks.</p>\n<h4><a id=\"Continuous_resilience_assessments_7\"></a><strong>Continuous resilience assessments</strong></h4>\n<p>Figure 1 shows the resilience assessments automation architecture in a multi-account setup. AWS CodePipeline, AWS Step Functions, and AWS Resilience Hub are defined in your deployment account while the application AWS CloudFormation stacks are imported from your workload account. This pattern relies on AWS Resilience Hub ability to import CloudFormation stacks from a different accounts, regions, or both, when discovering an application structure.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/fd94c76b38b04d8895548566cd46676e_image.png\" alt=\"image.png\" /></p>\n<p>Figure 1. High-level architecture pattern for automating resilience assessments</p>\n<h4><a id=\"Add_application_to_AWS_Resilience_Hub_17\"></a><strong>Add application to AWS Resilience Hub</strong></h4>\n<p>Begin by <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/userguide/describe-applicationlication.html\" target=\"_blank\">adding your application</a> to AWS Resilience Hub and assigning a <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/userguide/resiliency-policies.html\" target=\"_blank\">resilience policy</a>. This can be done via the AWS Management Console or using <a href=\"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-resiliencehub-app.html\" target=\"_blank\">CloudFormation</a>. In this instance, the application has been created through the AWS Management Console. Sebastien Stormacq’s post, <a href=\"https://aws.amazon.com/blogs/aws/monitor-and-improve-your-application-resiliency-with-resilience-hub/\" target=\"_blank\">Measure and Improve Your Application Resilience with AWS Resilience Hub</a>, walks you through how to add your application to AWS Resilience Hub.</p>\n<p>In a <a href=\"https://aws.amazon.com/organizations/getting-started/best-practices/\" target=\"_blank\">multi-account environment</a>, customers typically have dedicated AWS workload account per environment and we recommend you <a href=\"https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/deployments-ou.html\" target=\"_blank\">separate CI/CD capabilities</a> into another account. In this post, the AWS Resilience Hub application has been created in the deployment account and the resources have been discovered using an CloudFormation stack from the workload account. Proper <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/userguide/security-iam-resilience-hub-permissions.html#security-iam-resilience-hub-multi-account\" target=\"_blank\">permissions</a> are required to use AWS Resilience Hub to manage application in multiple accounts.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/1c29494dd9024c03b4294481464c400b_image.png\" alt=\"image.png\" /></p>\n<p>Figure 2. Adding application to AWS Resilience Hub</p>\n<h4><a id=\"Create_AWS_Step_Function_to_run_resilience_assessment_29\"></a><strong>Create AWS Step Function to run resilience assessment</strong></h4>\n<p>Whenever you make a change to your application CloudFormation, you need to update and publish the latest version in AWS Resilience Hub to ensure you are assessing the latest changes. Now that <a href=\"https://aws.amazon.com/about-aws/whats-new/2022/04/aws-step-functions-expands-support-over-20-new-aws-sdk-integrations/\" target=\"_blank\">AWS Step Functions SDK integrations support AWS Resilience Hub</a>, you can build a state machine to coordinate the process, which will be triggered from AWS Code Pipeline.</p>\n<p><a href=\"https://aws.amazon.com/step-functions/?step-functions.sort-by=item.additionalFields.postDateTime&amp;step-functions.sort-order=desc\" target=\"_blank\">AWS Step Functions</a> is a low-code, visual workflow service that developers use to build distributed applications, automate IT and business processes, and build data and machine learning pipelines using AWS services. Workflows manage failures, retries, parallelization, service integrations, and observability so developers can focus on higher-value business logic.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/fd2ef1432cca4c55b0f71091e6e2ec7c_image.png\" alt=\"image.png\" /></p>\n<p>Figure 3. AWS Step Function for orchestrating AWS SDK calls</p>\n<ol>\n<li>The first step in the workflow is to update the resources associated with the application defined in AWS Resilience Hub by calling <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_ImportResourcesToDraftAppVersion.html\" target=\"_blank\">ImportResourcesToDraftApplication</a>.</li>\n<li>Check for the import process to complete using a wait state, a call to <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_DescribeDraftAppVersionResourcesImportStatus.html\" target=\"_blank\">DescribeDraftAppVersionResourcesImportStatus</a> and then a choice state to decide whether to progress or continue waiting.</li>\n<li>Once complete, publish the draft application by calling <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_PublishAppVersion.html\" target=\"_blank\">PublishAppVersion</a> to ensure we are assessing the latest version.</li>\n<li>Once published, call <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_StartAppAssessment.html\" target=\"_blank\">StartAppAssessment</a> to kick-off a resilience assessment.</li>\n<li>Check for the assessment to complete using a wait state, a call to <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_DescribeAppAssessment.html\" target=\"_blank\">DescribeAppAssessment</a> and then a choice state to decide whether to progress or continue waiting.</li>\n<li>In the choice state, use <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_AppAssessment.html\" target=\"_blank\">assessment status</a> from the response to determine if the assessment is pending, in progress or successful.</li>\n<li>If successful, use the compliance status from the response to determine whether to progress to success or fail.<br />\nCompliance status will be either “PolicyMet” or “PolicyBreached”.</li>\n<li>If policy breached, publish onto SNS to alert the development team before moving to fail.</li>\n</ol>\n<h4><a id=\"Create_stage_within_code_pipeline_51\"></a><strong>Create stage within code pipeline</strong></h4>\n<p>Now that we have the AWS Step Function created, we need to integrate it into our pipeline. The post <a href=\"https://aws.amazon.com/blogs/devops/new-fine-grained-continuous-delivery-with-codepipeline-and-aws-stepfunctions/\" target=\"_blank\">Fine-grained Continuous Delivery With CodePipeline and AWS Step Functions demonstrates</a> how you can trigger a step function from AWS Code Pipeline.</p>\n<p>When adding the stage, you need to pass the ARN of the stack which was deployed in the previous stage as well as the ARN of the application in AWS Resilience Hub. These will be required on the AWS SDK calls and you can pass this in as a literal.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/636cc0deb7e24f7d99030db6a006defa_image.png\" alt=\"image.png\" /></p>\n<p>Figure 4. AWS CodePipeline stage step function input</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/e38aa298d793448fb9002730ced0216b_image.png\" alt=\"image.png\" /></p>\n<p>Figure 5. Example state using the input from AWS CodePipeline stage</p>\n<p>For more information about these AWS SDK calls, please refer to the <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/APIReference/API_Operations.html\" target=\"_blank\">AWS Resilience Hub API Reference documents</a>.</p>\n<p>Customers often run their workloads in lower environments in a less resilient way to save on cost. It’s important to add the assessment stage at the appropriate point of your pipeline. We recommend adding this to your pipeline after the deployment to a test environment which mirrors production but before deploying to production. By doing this you can fail fast and halt changes which will lower resilience in production.</p>\n<p>A note on <a href=\"https://docs.aws.amazon.com/general/latest/gr/resiliencehub.html\" target=\"_blank\">service quotas</a>: AWS Resilience Hub allows you to run 20 assessments per month per application. If you need to increase this quota, please raise a ticket with <a href=\"https://aws.amazon.com/premiumsupport/\" target=\"_blank\">AWS Support</a>.</p>\n<h4><a id=\"Conclusion_73\"></a><strong>Conclusion</strong></h4>\n<p>In this post, we have seen an approach to continuously assessing resilience as part of your CI/CD pipeline using AWS Resilience Hub, AWS CodePipeline and AWS Step Functions. This approach will enable you to understand fast if a change will weaken resilience.</p>\n<p>AWS Resilience Hub also generates recommended <a href=\"https://docs.aws.amazon.com/resilience-hub/latest/userguide/testing.html\" target=\"_blank\">AWS FIS Experiments</a> that you can deploy and use to test the resilience of your application. As well as assessing the resilience, we also recommend you integrate running these tests into your pipeline. The post <a href=\"https://aws.amazon.com/blogs/architecture/chaos-testing-with-aws-fault-injection-simulator-and-aws-codepipeline/\" target=\"_blank\">Chaos Testing with AWS Fault Injection Simulator and AWS CodePipeline</a> demonstrates how you can active this.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/5f4f75a2a6b6431884e10a8f3ea8f1e6_image.png\" alt=\"image.png\" /></p>\n<h4><a id=\"Scott_Bryen_84\"></a><strong>Scott Bryen</strong></h4>\n<p>Scott is a Senior Solution Architect working within AWS UK Financial Service team. He helps Financial Services customers accelerate their cloud journey and use the cloud to transform their business.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/191e6c5563cb4b7886b936fe78639ab2_image.png\" alt=\"image.png\" /></p>\n<h4><a id=\"Elie_El_khoury_92\"></a><strong>Elie El khoury</strong></h4>\n<p>Elie is a Financial Industry Specialist at AWS. Elie is based out New York City, where he works with Financial Services customers to help them design, deploy, and scale their applications on the cloud. Outside of work, Elie enjoys road cycling, hiking, and spending time with friends and family.</p>\n"}
目录
亚马逊云科技解决方案 基于行业客户应用场景及技术领域的解决方案
联系亚马逊云科技专家
亚马逊云科技解决方案
基于行业客户应用场景及技术领域的解决方案
联系专家
0
目录
关闭
contact-us