Serverless Development on AWS
Building Enterprise-Scale Serverless Solutions
Sheen Brisals & Luke Hedger
Foreword by Jeff Barr
CLOUD COMPUTING

“Don’t start your serverless journey without this book—it’s your roadmap for production success.”
—Luca Mezzalira, Principal Serverless Specialist at AWS and author of Building Micro-Frontends (O’Reilly)

“A must-read guide that blends insight and expertise with real-world applications. I wish I had this during my serverless learning journey.”
—Ben Smith, Principal Developer Advocate, Serverless at AWS

The adoption of serverless is on the rise, but until now, little guidance has been available for development teams that want to apply this technology on AWS. This definitive guide is packed with architectural, security, and data best practices and patterns for architects and engineers who want to build reliable enterprise-scale serverless solutions.

Sheen Brisals, an AWS Serverless Hero, and Luke Hedger, an AWS Community Builder, outline the serverless adoption requirements for an enterprise, examine the development tools your team needs, and explain in depth the nuances of testing event-driven and distributed serverless services. You’ll gain practical guidance for keeping up with change and learn how to build serverless solutions with sustainability in mind.
• Examine the serverless technology ecosystem and AWS services needed to develop serverless applications
• Learn the approach and preparation required for a successful serverless adoption in an enterprise
• Learn serverless architectures and implementation patterns
• Design, develop, and test distributed serverless microservices on AWS cloud
• Apply security best practices while building serverless solutions
• Identify and adapt the implementation patterns for your particular use case
• Incorporate the necessary measures for observable serverless applications
• Implement sustainable serverless applications in the cloud

Sheen Brisals is an AWS Serverless Hero who guides enterprise teams in architecting and building serverless solutions. Passionate about serverless, he loves sharing knowledge with the community.

Luke Hedger is a seasoned software engineer and AWS Community Builder. Having led serverless engineering teams since 2019, he believes we’re just beginning to unlock the full potential of this technology.

US $65.99 CAN $82.99
ISBN: 978-1-098-14193-6
978-1-098-14193-6
[LSI]

Serverless Development on AWS
by Sheen Brisals and Luke Hedger

Copyright © 2024 Sheen Brisals and Luke Hedger. All rights reserved.

Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Megan Laddusaw
Development Editor: Sara Hunter
Production Editor: Gregory Hyman
Copyeditor: Rachel Head
Proofreader: Kim Cofer
Indexer: BIM Creatives, LLC
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea

February 2024: First Edition

Revision History for the First Edition
2023-01-23: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098141936 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Serverless Development on AWS, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the authors and do not represent the publisher’s views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
To my late parents, Mr. V. Brisals and Mrs. Lalitha Joylent. Their struggles and sacrifices in life made me what I am today.
—Sheen Brisals

For Alice and Lois.
—Luke Hedger
Table of Contents

Foreword
Preface

1. Introduction to Serverless on AWS
  The Road to Serverless
  From Mainframe Computing to the Modern Cloud
  The Influence of Running Everything as a Service
  Managed Versus Fully Managed Services
  The Characteristics of Serverless Technology
  Pay-per-Use
  Autoscaling and Scale to Zero
  High Availability
  Cold Start
  The Unique Benefits of Serverless
  Individuality and Granularity of Resources
  Ability to Optimize Services for Cost, Performance, and Sustainability
  Support for Deeper Security and Data Privacy Measures
  Incremental and Iterative Development
  Multiskilled, Diverse Engineering Teams
  The Parts of a Serverless Application and Its Ecosystem
  Why Is AWS a Great Platform for Serverless?
  The Popularity of Serverless Services from AWS
  The AWS Well-Architected Framework
  AWS Technical Support Plans
  AWS Developer Community Support
  Summary
  Interview with an Industry Expert

2. Enterprise Readiness for Serverless
  Preparing for “Thinking in Serverless”
  Creating a Serverless Mindset
  First Principles for Successful Serverless Adoption
  Assessing Workloads for Serverless Suitability
  How Do You Bring Serverless Awareness to Business Stakeholders?
  The Role of Organizational Culture
  Vendor Lock-in Demystified
  Why Is Vendor Lock-in Seen as So Critical?
  Is It Possible to Avoid Getting Locked In?
  Should You Be Worried About Vendor Lock-in in Serverless?
  Consider the Cloud Provider (AWS) as Your Partner, Not a Vendor
  Strategies for Migrating Legacy Applications to Serverless
  Lift-and-Shift
  All-at-Once Service Rewrite
  Phased Migration
  Comparing Migration Strategies
  Growing Serverless Talent
  Growing Versus Building
  Essential Ingredients for Growing a Serverless Team
  The Structure of a Multidisciplinary Serverless Team
  Summary
  Interview with an Industry Expert

3. Software Architecture for Building Serverless Microservices
  Popular Architectural Patterns
  Event-Driven Architecture
  Client/Server Architecture
  Layered Versus Tiered Architecture
  Hexagonal Architecture
  Characteristics of a Microservice
  Independently Deployable
  Represents Part of a Business Domain
  Single Purpose
  Well-Defined Communication Boundary
  Loosely Coupled
  Observable at a Granular Level
  Owned by a Single Team
  Microservice Communication Strategies
  Synchronous Communication
  Asynchronous Event-Driven Communication
  Breaking Down a Problem to Identify Its Parts
  Using a Set Piece Analogy to Identify the Parts
  Building Microservices to Serverless’s Strengths
  Event-Driven Architecture for Microservices Development
  Event-Driven Computing and Reactive Services
  Is My Microservice a Reactive Service?
  An Introduction to Amazon EventBridge
  Domain Events, Event Categories, and Types
  The Importance of Event Sourcing in Serverless Development
  EventStorming
  Summary
  Interview with an Industry Expert

4. Serverless and Security
  Security Can Be Simple
  Security Challenges
  Getting Started
  Combining the Zero Trust Security Model with Least Privilege Permissions
  The Power of AWS IAM
  The AWS Shared Responsibility Model
  Think Like a Hacker
  Meet the OWASP Top 10
  Serverless Threat Modeling
  Securing the Serverless Supply Chain
  Securing the Dependency Supply Chain
  Going Further with SLSA
  Lambda Code Signing
  Protecting Serverless APIs
  Securing REST APIs with Amazon Cognito
  Securing HTTP APIs
  Validating and Verifying API Requests
  Message Verification in Event-Driven Architectures
  Protecting Data
  Data Encryption Everywhere
  AWS KMS
  Security in Production
  Go-Live Security Checklist for Serverless Applications
  Maintaining Security in Production
  Detecting Sensitive Data Leaks
  Summary
  Interview with an Industry Expert

5. Serverless Implementation Patterns
  An Overview of Software Patterns
  What Is a Pattern?
  How Do Patterns Accelerate Serverless Development?
  Serverless Migration: The Strangler Fig Pattern
  Implementation Approaches
  Strangling Data Processing Flows
  Strangling API Routes to Backend Services
  Resilient Architecture: The Circuit Breaker Pattern
  Why Is the Circuit Breaker Pattern Relevant in Serverless?
  Core Concepts of Circuit Breaker Implementation
  Failing Faster When the Circuit Is Open
  Storing Requests When the Circuit Is Open and Replaying Them When Closed
  The Functionless Integration Pattern
  Use Cases for Functionless Integration
  Things to Be Aware of with Native Service Integrations
  The Event Triage Pattern
  What Is Event Triage?
  Implementation Details
  Frequently Asked Questions
  The Gatekeeper Event Bus Pattern
  The Need for a Gatekeeper Event Bus
  Implementation Approach
  Use Cases for the Gatekeeper Event Bus Pattern
  Things to Be Aware of with the Gatekeeper Event Bus Pattern
  Microservices Choreography
  Things to Be Aware of While Choreographing Services
  Service Orchestration
  What Do You Orchestrate?
  In-Service Orchestration
  Cross-Service Orchestration
  Distributed Orchestration
  Summary
  Interview with an Industry Expert

6. Implementing Serverless Applications
  Serverless Compute with AWS Lambda
  How to Write Lambda Functions
  Optimizing Lambda Functions
  Most of the Code You Write Will Be Infrastructure
  Infrastructure as Code
  Direct Service Integrations and Delegating to the Experts
  Production Is Just a Name
  Ship on Day 1, and Every Day After
  Boring Delivery Pipelines—Safety, Speed, and Predictability
  Documentation: Quality, Not Quantity
  Summary
  Interview with an Industry Expert

7. Testing Serverless Applications
  How Can Serverless Applications Be Tested?
  Why Serverless Requires a Novel Approach to Testing
  The Serverless Square of Balance: The Trade-off Between Delivery and Stability
  Serverless Failure Modes and Effects Analysis
  Designing a Serverless Test Strategy
  Identifying the Critical Paths
  Just Enough and Just-in-Time Testing
  Upholding Standards with a Definition of Done
  Hands-on Serverless Testing
  Event-Driven Testing
  Unit Testing Business Logic in Lambda Functions
  Contract Testing Integration Points
  Summary
  Interview with an Industry Expert

8. Operating Serverless
  Identifying the Units of Scale
  Promoting Serverless Observability
  Observing the Health of Critical Paths
  Metrics, Alarms, and Alerts
  Critical Health Dashboard
  Capability Alerting
  Event-Driven Logging
  Using Distributed Tracing to Understand the Whole System
  When Things Go Wrong
  Accepting Failure and Budgeting for Errors
  Everything Fails All the Time: Fault Tolerance and Recovery
  Debugging with the Core Analysis Loop
  Disaster Recovery
  Avoiding Single Points of Failure
  Understanding AWS Availability
  Multi-Account, Multi-Region: Is It Worth It?
  Summary
  Interview with an Industry Expert

9. Cost of Serverless Operation
  Understanding Serverless Cost Models
  Total Cost of Ownership in the Cloud
  Compute Costs
  Storage Costs
  Avoiding Serverless Cost Gotchas
  Serverless Cost Estimation
  How to Estimate Costs
  The More You Use, the Less You Spend
  How Much Can Be Done with the AWS Free Tier?
  Serverless Cost Monitoring Best Practices
  Creating Cost Awareness in a Serverless Team
  Monitoring Costs with Budget Alerts
  Reducing the Operational Cost of Serverless
  Summary
  Interview with an Industry Expert

10. Sustainability in Serverless
  So, What Is Sustainability?
  The Three Pillars of Sustainability
  The UN Sustainable Development Goals
  Why Is Sustainability Thinking Necessary in Serverless?
  The Three Elements of the Cloud
  The Serverless Sustainability Triangle
  Building Sustainable Serverless Applications
  How Do You Identify Unsustainable Serverless Applications?
  Characteristics of a Sustainable Application
  Development Processes and Practices That Promote Sustainability
  Follow Lean Development Principles and Reduce Resource Waste
  Start from a Simple Set of Requirements and Scale Fast
  Automate Everything Possible
  Rethink the Throwaway Prototypes of the Past
  Nurture Your Serverless Engineers
  Sustainability and the AWS Cloud
  Implementation Patterns and Best Practices for Sustainability
  User Behavior
  Software Architecture
  Data and Storage
  Development and Deployment
  Introducing Sustainability in Your Engineering Teams
  Sustainability in Technology: Awareness Day
  Sustainability Focus Areas for Your Team
  Sustainability Audit Checklist
  Summary
  Interview with an Industry Expert

11. Preparing for the Future with Serverless
  Emerging Trends in Serverless
  The Low-Code and Functionless Promise
  The Renaissance of Event-Driven Architecture
  Multicloud Orchestration
  Infrastructure from Code
  The Evolution and Influence of Generative AI
  Keeping Up with the Evolution of Serverless
  Challenges Facing Enterprise Teams
  Sustaining a Serverless Knowledge Pool
  Embracing Continuous Refactoring
  Playing the Long Game
  Establishing a Serverless Guild and Center of Excellence
  Becoming a Serverless Evangelist
  Joining a Serverless Community
  Summary
  Interview with an Industry Expert

A. PostNL’s Serverless Journey
B. Taco Bell’s Serverless Journey
C. Templates and Worksheets

Index
Foreword

From interactive programming on minicomputers and mainframes in junior high school and high school, to taking a bit of a step back to a batch-oriented, card-powered mainframe in college, while actually earning money first selling and then later writing code for the first generation of personal computers, I have seen many forms of computers and computing come and go.

While the programming models for each of these systems differed, they invariably had one thing in common—there was a fixed amount of compute power, memory, and storage. My job, as a developer, was to write code that made the best use of all three of these then-precious resources, trimming features, compressing data, and so forth.

With the emergence of cloud computing in 2006 with the launch of Amazon Elastic Compute Cloud (EC2), this model began to change. Developers could pick and choose the instance size and type that was the best match for their code, make changes later, and add or remove instances quickly in response to changing workloads. This was a big step forward, and one that paved the way for the introduction of serverless computing in 2014 with the launch of AWS Lambda.

In the decade since the launch of Lambda, developers have used it to build applications that are more flexible, scalable, and cost-effective than ever before. While the word “revolutionary” is used far too often in our industry, I believe that it applies here. Freed from the constraints and able to focus on applications instead of on servers, developers can devote more of their time to building applications that will meet the needs of their customers.

If you want to participate in this ongoing revolution, you have come to the right place! The book that you are holding in your hands will teach you what you need to know about serverless computing so that you can put it to work in your environment.

In this book, Sheen and Luke show you how to reap all of the benefits that serverless computing promises.
In the succeeding chapters you will learn about how to prepare your organization for serverless, build powerful serverless architectures, understand and manage security, make use of serverless design patterns, understand serverless costs and economics, and much more. While the chapters certainly build on each other and are best read fully and in order, you can also start by sampling the ones that are of personal and immediate interest to you. Either way, I am confident that you will quickly learn something new that you can put to use on your current serverless project.

The eleven chapters that make up this book contain a great mix of theoretical background and practical advice, knowledge that Sheen and Luke have gained through years of experience designing, building, and running serverless applications at global scale. You are now in a position to learn from this experience and to get a running start on your serverless journey.

— Jeff Barr
VP & Chief Evangelist, Amazon Web Services
Seattle, Washington
January 2024
Preface

Helsinki. It was a warm spring morning in 2019, and I (Sheen) was in the city to speak at ServerlessDays. A couple of engineers I met there during the break sought my advice on taking the serverless story to the public sector department they were working in. They were looking for inspirational serverless adoption stories to bring to their team.

Almost a year later, an engineer at AWS Community Day in Stockholm asked an innocent but important question: What is this “serverless,” and is it good for my company?

Several similar conversations on different occasions led me to a realization: engineers who are new to serverless need a basic understanding of the technology, clarity on the applicability of serverless to enterprise workloads, and guidance on how to design, develop, and operate serverless applications. Above all, they need to know how to take the serverless story to their CTOs and stakeholders with a clear plan, get buy-in, and make the investment profitable and valuable for the organization.

Though I had been writing articles about serverless on different topics, bringing everything together as a serverless development lifecycle was not in my mind then. Then one day, during the COVID-19 lockdown, a publisher approached me to discuss the possibility of developing a specific concept I had written about into a book. While I wasn’t confident enough to expand that concept into a whole book, that was the spark that led me to explore the opportunity of bringing the end-to-end serverless development spectrum into focus in one place for the benefit of all the eager engineers I interacted with.

A few days later, I arranged a call with my friend Danilo Poccia, Chief Evangelist at AWS. Danilo is the author of AWS Lambda in Action: Event-Driven Serverless Applications (Manning), and a good resource on industry trends and needs. Our brief chat left me with some interesting ideas and the confidence to explore further.
With a draft idea in mind, I pitched it to a few engineers to assess the need for such a book, and all the feedback was encouragingly positive. By that time, I had known Luke for a few months. During my conversations with him, I secretly admired the depth of his serverless knowledge and the freshness in his thinking. Luke had previously led a serverless team at Cancer Research UK, a charitable organization, and had firsthand experience of the cost benefits of serverless.

One afternoon, we sat down for a chat, and I explained in detail the outline of the book. Luke’s instant reaction was: I wish I’d had such a book on my desk when I started my serverless journey!

This book is the result of that initial conversation: a comprehensive collection of our combined experiences, ideas, thoughts, lessons, and better practices designed to introduce you to serverless and show you a path to structure your development and operate your applications in a secure and sustainable way.

Thank you for your interest. Let’s start our journey together!

Who We Wrote This Book For

Serverless as a technology continues to mature and evolve along with its industry adoption. Due to its unique benefits, it attracts a wide spectrum of technology audiences. When Luke and I were discussing the tone and depth of the content, we wanted it to appeal to developers who are new to serverless, engineers who are familiar with and progressing on their journey with serverless, and architects and CTOs who make some of the core decisions and influence the adoption of serverless in their organizations.

By no means is this book a one-stop solution to all your serverless queries and worries. It is a collection of options and ideas that you can draw upon to prepare your serverless meal according to your and your organization’s dietary requirements.

Along with serverless technology, the popularity of several development frameworks, runtimes, build and infrastructure tools, etc., is also on the rise. Consequently, there are as many approaches to implementing your application as there are frameworks and runtimes out there.
As suggested by the widespread phrase in the software industry, “the code you write today is legacy tomorrow,” it is hard to maintain the code you have written today in this fast-evolving technology space. This is not a book that delves deep into hands-on implementation examples. Its aim is to teach you the underlying concepts that you can rely on in the future, regardless of your circumstances; to teach you to fish, as it were, rather than feeding you just once.

The book starts with a discussion of the evolution of serverless technology and the preparations necessary for successful adoption. It then introduces you to the core security principles of serverless, leading you through event-driven architecture and implementation patterns. Understanding the core principles guides you through the development cycle and operating your serverless applications in the cloud. The cost of serverless is a key part of its adoption, and we have a chapter dedicated to making you aware of the main cost factors.

In addition, modern application development requires thinking about our environmental ecosystem and the world we live in. Sustainability is an essential and core part of cloud operation, and you will learn several patterns and best practices to build and operate serverless applications in a sustainable way. The book closes with a look at how you can make your serverless journey rewarding and refreshing for decades into the future.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
  Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
  Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width italic
  Shows text that should be replaced with user-supplied values or by values determined by context.

This element signifies a tip or suggestion.

This element signifies a general note.

This element indicates a warning or caution.
Supplemental Material

Three online-exclusive appendices to this book are available to readers for download:

• Appendix A: “PostNL’s Serverless Journey”
• Appendix B: “Taco Bell’s Serverless Journey”
• Appendix C: “Templates and Worksheets”

O’Reilly Online Learning

For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed.

Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-889-8969 (in the United States or Canada)
707-827-7019 (international or local)
707-829-0104 (fax)
support@oreilly.com
https://www.oreilly.com/about/contact.html

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at https://oreil.ly/serverless-dev-on-aws.

For news and information about our books and courses, visit https://oreilly.com.

Find us on LinkedIn: https://linkedin.com/company/oreilly-media
Follow us on Twitter: https://twitter.com/oreillymedia
Watch us on YouTube: https://youtube.com/oreillymedia