DEV Community

Cover image for DevSecOps with AWS - Multi Environment deployments - Part 1
Alejandro Velez for AWS Community Builders

Posted on • Updated on

DevSecOps with AWS - Multi Environment deployments - Part 1

Level 200

Welcome to this series of tutorials and how-to guides about DevSecOps with AWS! This series will coverage some steps, architecture patterns, setups, bests practices and demonstrations to create a multi-environment setup using AWS for deploying applications at enterprise scale.

Suppose that you are a DevSecOps consultant and works for a fiction company “LabXl”, it has multiples applications in mind and based in your searches found that the best way to grow and be global is using the cloud and the final decision was use AWS. You must create the bases, define the best practices and minimum viable products (MVPs) to achieve those objectives.

Let’s begin, the first step is setup the bases for manage multiples application environments, a common practice is to use a sandbox, development, preproduction and production environments. But in AWS, which is the bests practice for this setup? According to AWS Security Reference Architecture (AWS SRA) and AWS Well Architect Framework the bests practice is to split in multiple AWS accounts these environments implementing services such as AWS Control Tower, IAM identity Center (before SSO), AWS Organizations of course there are other services that will be addressedin future publications. For example, the Figure 1 shows a fragment of this setup.

AWS Multi Environment Accounts
Figure 1. AWS Multi Environment Accounts

Now, you must select the tools and methods for integrate these accounts and govern the deployments, according to the best practices is common to use a central account for deployments, the DevSecOps Account that is showed in the Figure 1, there you’ll create DevSecOps pipelines and user services such as AWS CodeCommit, Amazon CodeGuru, AWS Cloud9, AWS CodeArtifact, AWS CodeDeploy, AWS CodeBuild and AWS CodePipeline.

Whit this in mind the final question is, how can you bootstrap this environment for central deployments? The answer: delegate access across AWS accounts using IAM roles, you can do the process manually but this will be a repetitive task, so the best way is using Infrastructure as Code (IaC), there are many tools for example, AWS Cloudformation, Terraform, Pulumi, SDKs, AWS CLI and AWS Cloud Development Kit (CDK), each one has advantages and disadvantages but for this case and future deployments a secure and faster way is using CDK and AWS Cloud Shell.

Hands On


  • cdk >= 2.43.0
  • AWS CLI >= 2.7.0

AWS Services

Solution Overview

Steps for bootstrapping Multi Environments
Figure 2. Solution Overview- Steps for bootstrapping Multi Environments

The Figure 2 shows the steps to accomplish this task.
1- You must login whit SSO credentials via web browser.
2- Select the profile and account to create trust relationships.
3- Open AWS CloudShell and run CDK commands.
4- Setup AWS CLI profile using aws configure command for DevSecOps Account.
5- Create CDK projects and deploy it.

Step by step

The Figure 3 shows the steps 1, 2 , 3.

Login into cloud shell using AWS SSO
Figure 3. Login into cloud shell using AWS SSO

The next step is created an initial CDK project, in future post you can find more information about this tool.

Update cdk version.

[cloudshell-user@ip-10-1-48-231 ~]$ sudo npm install -g aws-cdk
[cloudshell-user@ip-10-1-48-231 ~]$ cdk --version 
2.43.1 (build c1ebb85)
Enter fullscreen mode Exit fullscreen mode

Create project

[cloudshell-user@ip-10-1-48-231 ~]$ mkdir cdk_init_project
[cloudshell-user@ip-10-1-48-231 ~]$ cd cdk_init_project/
[cloudshell-user@ip-10-1-48-231 cdk_init_project]$ cdk init --language python
Enter fullscreen mode Exit fullscreen mode

Active environment and install dependencies

[cloudshell-user@ip-10-1-48-231 cdk_init_project]$ source .venv/bin/activate
(.venv) [cloudshell-user@ip-10-1-48-231 cdk_init_project]$ pip install -r requirements.txt 
Collecting aws-cdk-lib==2.43.1
  Downloading aws_cdk_lib-2.43.1-py3-none-any.whl (62.0 MB)
     |████████████████████████████████| 62.0 MB 2.1 MB/s 
Collecting constructs<11.0.0,>=10.0.0
  Downloading constructs-10.1.111-py3-none-any.whl (56 kB)
     |████████████████████████████████| 56 kB 6.0 MB/s 
Collecting typeguard~=2.13.3
  Downloading typeguard-2.13.3-py3-none-any.whl (17 kB)
Collecting publication>=0.0.3
  Downloading publication-0.0.3-py2.py3-none-any.whl (7.7 kB)
Collecting jsii<2.0.0,>=1.68.0
  Downloading jsii-1.68.0-py3-none-any.whl (554 kB)
     |████████████████████████████████| 554 kB 53.7 MB/s 
Collecting python-dateutil
  Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
     |████████████████████████████████| 247 kB 51.3 MB/s 
Collecting typing-extensions<5.0,>=3.7
  Downloading typing_extensions-4.3.0-py3-none-any.whl (25 kB)
Collecting attrs<23.0,>=21.2
  Downloading attrs-22.1.0-py2.py3-none-any.whl (58 kB)
     |████████████████████████████████| 58 kB 6.8 MB/s 
Collecting cattrs<22.2,>=1.8
  Downloading cattrs-22.1.0-py3-none-any.whl (33 kB)
Collecting six>=1.5
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting exceptiongroup; python_version <= "3.10"
  Downloading exceptiongroup-1.0.0rc9-py3-none-any.whl (12 kB)
Installing collected packages: typeguard, publication, six, python-dateutil, typing-extensions, attrs, exceptiongroup, cattrs, jsii, constructs, aws-cdk-lib
Successfully installed attrs-22.1.0 aws-cdk-lib-2.43.1 cattrs-22.1.0 constructs-10.1.111 exceptiongroup-1.0.0rc9 jsii-1.68.0 publication-0.0.3 python-dateutil-2.8.2 six-1.16.0 typeguard-2.13.3 typing-extensions-4.3.0
WARNING: You are using pip version 20.1.1; however, version 22.2.2 is available.
You should consider upgrading via the '/home/cloudshell-user/cdk_init_project/.venv/bin/python3 -m pip install --upgrade pip' command.
(.venv) [cloudshell-user@ip-10-1-48-231 cdk_init_project]$

Enter fullscreen mode Exit fullscreen mode

Finally, run cdk bootstrap command with trust option and pass administrator access policy for cloudformation execution when trusted account will run deployments.

cdk bootstrap --trust  123456789012 --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess 
 ⏳  Bootstrapping environment aws:// 123456789014/us-west-2...
Trusted accounts for deployment: 123456789012
Trusted accounts for lookup: (none)
Execution policies: arn:aws:iam::aws:policy/AdministratorAccess
CDKToolkit: creating CloudFormation changeset...
 ✅  Environment aws://123456789014/us-west-2 bootstrapped.
Enter fullscreen mode Exit fullscreen mode

This command creates all resources necessary for CDK deployments using a centralized account. Finally, You should watch something like this.

MultiEnvironment Accounts steps verify
Figure 3. MultiEnvironment Accounts steps verify

Repeat the steps for other accounts.
In the next post of this series, you can verify the deployment using unique credentials and central account.

Thanks for reading!

Top comments (0)