DVA-C02 Study Guide: Managing Code Module Dependencies
Manage the dependencies of the code module (for example, environment variables, configuration files, container images) within the package
Managing Code Module Dependencies
This guide covers the essential skills for Content Domain 3 (Deployment) of the AWS Certified Developer - Associate exam. Specifically, it focuses on how to package and manage external dependencies, environment variables, and configuration files to ensure application portability and security.
Learning Objectives
- Differentiate between build-time and runtime dependencies.
- Configure environment variables using AWS Systems Manager Parameter Store and AWS Secrets Manager.
- Manage container images using Amazon Elastic Container Registry (ECR).
- Utilize AWS AppConfig for dynamic configuration management without code redeployment.
- Organize application artifacts within
buildspec.ymland Task Definitions.
Key Terms & Glossary
- Artifact: The deployable package produced by a build process (e.g., a .zip file for Lambda or a Docker image for ECS).
- Environment Variable: A dynamic-named value that can affect the way running processes will behave on a computer or in a container.
- ECR (Elastic Container Registry): A fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.
- Task Definition: A blueprint that describes how a docker container should launch in Amazon ECS, including CPU/Memory limits and environment variables.
- Lambda Layer: A distribution mechanism for libraries, custom runtimes, and other function dependencies.
The "Big Idea"
In modern cloud development, the code should be decoupled from its environment. This means the same code package (artifact) should be able to run in Development, Staging, and Production environments without being rewritten. We achieve this by "injecting" dependencies and configurations at runtime, rather than hard-coding them into the application logic.
Formula / Concept Box
| Feature | AWS Systems Manager Parameter Store | AWS Secrets Manager |
|---|---|---|
| Primary Use | General configuration, plain-text or encrypted strings. | Sensitive secrets, DB credentials, API keys. |
| Rotation | No native automatic rotation. | Built-in rotation for RDS, Redshift, DocumentDB. |
| Cost | Standard parameters are free. | Paid monthly per secret + per 10k API calls. |
| Versioning | Supports parameter versioning. | Supports secret versioning and staging labels. |
Hierarchical Outline
- Dependency Categories
- External Libraries: Python
requirements.txt, Node.jspackage.json— managed via Lambda Layers or bundled in Docker images. - Environment Variables: Key-value pairs used for database endpoints, API URLs, and feature flags.
- Container Images: Packaged runtimes including OS-level dependencies, stored in ECR.
- External Libraries: Python
- Configuration Injection
- Build-time: Defined in
buildspec.ymlfor CodeBuild. - Runtime: Injected via ECS Task Definitions or Lambda Environment Variables.
- Dynamic Configuration: Managed via AWS AppConfig to update settings without restarting services.
- Build-time: Defined in
- Security & Access Control
- IAM Roles: Task Execution Roles (to pull images) and Task Roles (to access Secrets Manager).
- Encryption: Use of KMS to encrypt sensitive environment variables.
Visual Anchors
Dependency Workflow
ECS Task Definition Components
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, minimum height=1cm, text centered, font=\small}] \node (task) [fill=blue!10] {ECS Task Definition}; \node (image) [below left of=task, xshift=-1cm, fill=green!10] {Container Image (ECR)}; \node (cpu) [below of=task, fill=yellow!10] {CPU/Memory Limits}; \node (env) [below right of=task, xshift=1cm, fill=orange!10] {Env Variables}; \node (sec) [below of=env, yshift=0.5cm, fill=red!10] {Secrets Reference};
\draw[->, thick] (task) -- (image);
\draw[->, thick] (task) -- (cpu);
\draw[->, thick] (task) -- (env);
\draw[->, thick] (env) -- (sec);
\node[draw=none, fill=none, right of=sec, xshift=1.5cm] (note) {Pulled via IAM Task Role};
\draw[dotted] (sec) -- (note);\end{tikzpicture}
Definition-Example Pairs
-
Static Dependency
- Definition: A library or module required for the code to compile or run, typically included in the package.
- Example: Adding
boto3to arequirements.txtfile for a Python Lambda function.
-
Dynamic Dependency
- Definition: Configuration values or external assets fetched at runtime depending on the environment.
- Example: A Lambda function fetching a Database Password from AWS Secrets Manager using the secret's ARN.
-
Runtime Configuration
- Definition: Settings that can be changed while the application is running without changing the code.
- Example: Using an API Gateway "Stage Variable" to point a function to a development versus production database.
Worked Examples
Injecting Secrets into AWS CodeBuild
In a buildspec.yml file, you need to use a GitHub token stored in Secrets Manager to authenticate during the build phase.
Step 1: Define the variable in the env section.
version: 0.2
env:
secrets-manager:
# Key: Secret Name : JSON Key
GITHUB_TOKEN: "prod/github/token:api_key"
phases:
build:
commands:
- echo "Building application..."
- curl -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user[!IMPORTANT] Ensure the CodeBuild service role has the
secretsmanager:GetSecretValuepermission for the specified ARN.
Checkpoint Questions
- What is the main advantage of using AWS AppConfig over standard Lambda environment variables?
- When deploying a container to ECS, which IAM role is responsible for allowing the agent to pull the image from Amazon ECR?
- How can you manage shared code across multiple Lambda functions without duplicating the code in every deployment package?
- True or False: Environment variables defined in a
buildspec.ymlfile are automatically available to the application once it is deployed to an EC2 instance.
▶Click to view answers
- AppConfig allows you to update configurations in real-time with safety guardrails (validators) and rollbacks without requiring a redeployment or function restart.
- The Task Execution Role (not the Task Role).
- Use Lambda Layers.
- False.
buildspec.ymlenvironment variables are only available during the build phase. You must inject them into the target environment (e.g., via Task Definition or System Manager) separately.