The cloud teams at AHEAD routinely focus efforts on how new functionality being provided by public cloud providers, like Amazon, can be internalized by the enterprise. Being able to spin up new services in AWS just by swiping a credit card is awesome, but should we consider integrating the existing processes that the enterprise has in place already, such as change management and other ITIL services?

In some cases, the answer is no. Forget those old processes as they aren’t necessary for the development workloads being deployed, or they just aren’t needed anymore for a variety of reasons. In other cases, the answer is a resounding YES! These processes provide vital reporting and governance to the enterprise to know exactly where their workloads are at and what they’re doing.

Leveraging AWS CloudWatch

Consider the following scenario: Enterprise IT requires that all virtual machines being deployed must be tagged with some important information and a configuration item (CI) must be added to their configuration management database (CMDB). How do we ensure that these services are being updated while allowing the developers to quickly deploy new machines in the cloud?

One way to ensure that governance is accounted for is by leveraging AWS CloudWatch to monitor the AWS environment for events and triggering a series of Lambda functions to check the environment and provide updates to your ITIL services.

Here’s an example event where we monitor for a new EC2 instance to enter the “running” state:

{ "source": [ "aws.ec2" ], "detail-type": [ "EC2 Instance State-change Notification" ], "detail": { "state": [ "running" ] } }

When CloudWatch emits an event based on an EC2 instance changing to a “started” state, we can trigger a Lambda function to make sure the instance has a configuration item (CI) record in our ServiceNow CMDB.

The example below shows that our users can go about using Amazon EC2 while CloudWatch and Lambda provide governance to ensure our change ticketing and CMBD entries are up to date.

This is a great way to maintain your environment, but managing Lambda functions can become a tedious task in and of itself. Chaining Lambda functions requires you to have a sequence of functions being called. For example, we have a CloudWatch event trigger a Lambda function which uses the AWS API to call another Lambda function, so on and so forth.

Chaining multiple calls together may suit your needs but becomes increasingly difficult to manage error handling, etc. You would need to build in error handling and retries and a bunch of other scaffolding to get this to work. Maybe you’re storing state information in a database or queue about what phases your Lambda functions are in and the other functions can poll that state to execute when needed.

The example below has a CloudWatch event that triggers our Lambda function just as before. Only this time, state information is placed in a database or queue for the other Lambda functions to poll and execute at the appropriate time.

This way if an error occurs, the Lambda functions error handling can try to run again and wait to update the state before the other functions try to run. The unfortunate part in this example is that someone must manually code this while the business would rather have them working on something more productive.

Hopefully by now you can see that managing groups of Lambda functions can be a very tedious process. When you’re doing complex operations, there will likely be Lambda functions calling other Lambda functions and this can become cumbersome to manage. In fact, our very own Cloud Practice Manager, Nick Colyer, has championed the idea of using a visual orchestrator to manage these pieces of code.

Introducing Step Functions

At AWS re:Invent this year, AWS announced just that. A new service called “Step Functions”. A Step Function is a way for you to visually group your Lambda functions together based on rules. You can create a step function from a JSON file and see the results visually before saving them.

For example, using the CMDB examples we saw earlier, we can use a Step Function to visually orchestrate the goals of the organization.

It’s easy to read the Step Functions to determine what is happening and how the Lambda functions are orchestrated. The picture below shows a step function that ensures that any new machines are tagged and added to a CMDB. We can quickly identify that we’re looking for new machines, and then passing them through some logic functions to update our environment.

The function shown above is stored as JSON and the code can be copied and pushed into a version control repository like Github.

"StartAt": "Are there new machines?", "States": { "Are there new machines?": { "Choices": [ { "Next": "Are Machines Tagged?", "StringEquals": "yes", "Variable": "$.newmachines" }, { "Next": "No New Machines", "StringEquals": "no", "Variable": "$.newmachines" } ], "Default": "DefaultState", "Type": "Choice" }, "DefaultState": { "Cause": "No Matches!", "Type": "Fail" }, "Are Machines Tagged?": { "Choices": [ { "Next": "Tagged", "StringEquals": "yes", "Variable": "$.tagged" }, { "Next": "UnTagged", "StringEquals": "no", "Variable": "$.tagged" } ], "Default": "DefaultState", "Type": "Choice" }, "DefaultState": { "Cause": "No Matches!", "Type": "Fail" }, "Tagged": { "Resource": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:GetNewTaggedMachines", "Type": "Task", "Next": "UpdateCMDB" }, "UnTagged": { "Resource": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:GetUntaggedMachines", "Type": "Task", "Next": "Tag VMs" }, "Tag VMs": { "Resource": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:TagUntaggedMachines", "Type": "Task", "Next": "Tagged" }, "UpdateCMDB": { "End": true, "Resource": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:AddNewMachinesToCMDB", "Type": "Task" }, "No New Machines":{ "End": true, "Type":"Task" } } }

Having a way to visually execute your serverless functions will help to manage all the code you’re using to provide governance for your public cloud resources. If nothing else, it should make your troubleshooting much easier. Your System Administrators will thank you for it.

To find out more about AWS Step Functions, watch the video above from AWS re:Invent. For more information on how AHEAD can help you with this service or other AWS services, check out our demonstrations from re:Invent and schedule a personalized one of your own today!