This is a sample repository of how to create an Amazon EKS cluster with a k8s deployment using python, AWS CDK and cdk8s. It also includes how to expose it as service and python security and quality checks.
If you want to enable the HTTPS with TLS listener in the ALB, you will need:
- One Amazon Route53 Hosted Zone
- One certificate in AWS Certificate Manager
To install the dependencies of the project, just run the following commands:
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
You can add roles or users for your Amazon EKS cluster in the cdk.json
file:
"adminRoles": [
"Role1",
"Role2"
],
"adminUsers": [
"User1",
"User2"
]
This way you will be able to see the resources from EKS console.
First you will need to bootstrap your desired AWS region. Then you will need to create an AWS CodeCommit repository and put the code inside.
First, set the environment variables:
export ACCOUNT=your-account-id
export REGION=desired-aws-region
export ELB_ACCOUNT_ID=elb-account-id
To get this value, check this link to get it based on the target region of your deployment.
If you want to enable the HTTPS listener in the ALB (Best Practice and reommended):
export CERTIFICATE=acm-certificate-arn
export HOSTED_ZONE_ID=hosted-zone-id
export HOSTED_ZONE_NAME=hosted-zone-name
export RECORD_NAME=my-record.$HOSTED_ZONE
The values of CERTIFICATE
, HOSTED_ZONE_ID
and HOSTED_ZONE_NAME
need to be replaced using an existing AWS ACM certificate and an existing Amazon Route53 hosted zone. The value of RECORD_NAME
is the record name that you want to create inside the hosted zone.
Then, create the repository:
chmod +x init_environment.sh
./init_environment.sh
NOTE: replace the ACCOUNT
variable value with your account id and the REGION
with the desired AWS region.
Finally, run the deploy command:
cdk deploy
This will create an AWS CloudFormation stack called cdk8s-samples-pipeline-stack
and an AWS CodePipeline pipeline called cdk8s-samples-pipeline
. Once the pipeline finishes its execution you will have your Amazon EKS cluster with the resources inside deployed.
In order to run quality tools, follow the Setup instructions and also install the requirements-dev.txt dependencies:
pip3 install -r requirements-dev.txt
NOTE: All this checks will run as part of the CI/CD pipeline.
Unit tests were written using pytest library. You can find them in tests/unit
. For more information about cdk8s unit tests check:
To run unit tests, use this command with the virtual env enabled:
python3 -m pytest
To collect coverage run the following:
python3 -m coverage run -m pytest
python3 -m coverage report
The integrated linting tool is pylint library. The .pylintrc
file indicates the configuration to apply. To run the linting tool use this command with the virtual env enabled:
For a particular file:
python3 -m pylint file
For an entire python module
python3 -m pylint module
In order to run quality tools, follow the Setup instructions and also install the requirements-dev.txt dependencies:
pip3 install -r requirements-dev.txt
NOTE: All this checks will run as part of the CI/CD pipeline.
Bandit library allows you to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. The .bandit
file indicates the configuration to apply. To run bandit, use these command with the virtual env enabled:
bandit -r .
Safety library is used to scan dependencies for known vulnerabilities. To run safety, use these commands with the virtual env enabled:
safety check -r requirements.txt
safety check -r requirements-dev.txt
GitLeaks is a fast, light-weight, portable, and open-source secret scanner for git repositories, files, and directories. You can scan both the current commit or the commit history from your repository. After following the installation, you can use the following commands:
Scan all remote commits history:
gitleaks detect --source . -v
Scan only current commit:
gitleaks protect --source . -v
You can delete the pipeline stack by running this command in the root of the cloned repository:
cdk destroy
The expected output should look like this:
Are you sure you want to delete: cdk8s-samples-pipeline-stack (y/n)? y
cdk8s-samples-pipeline-stack: destroying... [1/1]
✅ cdk8s-samples-pipeline-stack: destroyed
Then, delete the resources stack:
aws cloudformation delete-stack --stack-name DEV-cdk8s-samples-app-stack --region $REGION
You can wait until the stack deletion with this command:
aws cloudformation wait stack-delete-complete --stack-name DEV-cdk8s-samples-app-stack --region $REGION
Finally, run this command to delete the CodeCommit repository:
aws codecommit delete-repository --repository-name cdk8s-samples --region $REGION
The expected output should look like this:
{
"repositoryId": "0de60c79-c170-4f98-acd7-8105b51d3daf"
}
In case you don't need AWS CDK in your region, you can delete the CDKToolkit stack with this command:
aws cloudformation delete-stack --stack-name CDKToolkit --region $REGION
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.