Amazon Redshift Serverless RSQL ETL Framework

Author: lukaszbudnik

.gitignore

@@ -0,0 +1,9 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+cdk.context.json

GraphView.png

@@ -1,11 +1,65 @@
-## My Project
+# Amazon Redshift Serverless RSQL ETL Framework
 
-TODO: Fill this README out!
+The goal of the Amazon Redshift Serverless RSQL ETL Framework project is to run complex ETL jobs implemented in Amazon Redshift RSQL scripts in the AWS Cloud without having to manage any infrastructure. The solution creates a fully serverless and cost-effective Amazon Redshift ETL orchestration framework. It uses Amazon Redshift RSQL and AWS services such as AWS Batch and AWS Step Functions.
 
-Be sure to:
+The deployment is fully automated using AWS Cloud Development Kit (AWS CDK) and comprises of the following stacks:
 
-* Change the title in this README
-* Edit your repository description on GitHub
+1. `EcrRepositoryStack` - Creates a private Amazon Elastic Container Registry (Amazon ECR) repository that hosts our Docker image with Amazon Redshift RSQL
+2. `RsqlDockerImageStack` - Builds our Docker image asset and uploads it to the ECR repository
+3. `VpcStack` - Creates a VPC with isolated subnets, creates an Amazon Simple Storage Service (Amazon S3) VPC endpoint gateway, as well as Amazon ECR, Amazon Redshift, and Amazon CloudWatch VPC endpoint interfaces
+4. `RedshiftStack` - Creates an Amazon Redshift cluster, enables encryption, enforces encryption in-transit, enables auditing, and deploys the Amazon Redshift cluster in isolated subnets
+5. `BatchStack` - Creates a compute environment (using AWS Fargate), job queue, and job definition (using our Docker image with RSQL)
+6. `S3Stack` - Creates data, scripts, and logging buckets; enables encryption at-rest; enforces secure transfer; enables object versioning; and disables public access
+7. `SnsStack` - Creates an Amazon Simple Notification Service (Amazon SNS) topic and email subscription (email is passed as a parameter)
+8. `StepFunctionsStack` - Creates a state machine to orchestrate serverless RSQL ETL jobs
+9. `SampleDataDeploymentStack` - Deploys sample RSQL ETL scripts and sample TPC benchmark datasets
+
+The following diagram shows the final architecture.
+
+![Serverless RSQL ETL Framework Architecture](ServerlessRSQLETLFramework.png)
+
+## Deploy AWS CDK stacks
+
+To deploy the serverless RSQL ETL framework solution, use the following code. Replace `123456789012` with your AWS account number, `eu-west-1` with the AWS Region to which you want deploy the solution, and `[email protected]` with your email address to which ETL success and failure notifications are sent.
+
+```
+git clone https://github.com/aws-samples/amazon-redshift-serverless-rsql-etl-framework
+cd amazon-redshift-serverless-rsql-etl-framework
+npm install
+./cdk.sh 123456789012 eu-west-1 bootstrap
+./cdk.sh 123456789012 eu-west-1 deploy --all --parameters SnsStack:[email protected]
+```
+
+The whole process takes a few minutes. 
+
+## Execute Step Functions state machine
+
+After AWS CDK finishes, a new state machine is created in your account called `ServerlessRSQLETLFramework`. To run it, complete the following steps:
+
+1. Navigate to the Step Functions console.
+2. Choose the function to open the details page.
+3. Choose **Edit**, and then choose **Workflow Studio New**. The following screenshot shows our state machine.
+![Sample State Machine](StateMachine.png)
+4. Choose **Cancel** to leave Workflow Studio, then choose **Cancel** again to leave the edit mode. You will be brought back to the details page.
+5. Choose **Start execution**. A dialog box appears. By default, the **Name** parameter is set to a random identifier, and the **Input** parameter is set to a sample JSON document.
+6. Delete the **Input** parameter and choose **Start execution** to start the state machine.
+
+The Graph view on the details page updates in real time. The state machine starts with a parallel state with two branches. In the left branch, the first job loads customer data into staging table, then in the second job merges new and existing customer records. In the right branch, two smaller tables for regions and nations are loaded and then merged one after another. The parallel state waits until all branches are complete before moving to the vacuum-analyze state, which runs VACUUM and ANALYZE commands on Amazon Redshift. The sample state machine also implements the Amazon SNS Publish API actions to send notifications about success or failure.
+
+From the Graph view, you can check the status of each state by choosing it. Every state that uses an external resource has a link to it on the Details tab. In our example, next to every AWS Batch Job state, you can see a link to the AWS Batch Job details page. Here, you can view the status, runtime, parameters, IAM roles, link to Amazon CloudWatch Logs with the logs produced by ETL scripts, and more.
+
+![Graph View](GraphView.png)
+
+### Execute Step Functions state machine using AWS CLI
+
+To start the state machine using AWS CLI, use the following code:
+
+```
+# fetch the state machine ARN from CloudFormation stack
+STATE_MACHINE_ARN=$(aws cloudformation describe-stacks --stack-name StepFunctionsStack --query "Stacks[0].Outputs[?OutputKey=='StateMachineArn'].OutputValue" --output text)
+# start the state machine
+aws stepfunctions start-execution --state-machine-arn $STATE_MACHINE_ARN
+```
 
 ## Security
 
@@ -14,4 +68,3 @@ See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more inform
 ## License
 
 This project is licensed under the Apache-2.0 License.
-

README.md

@@ -0,0 +1,69 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { EcrRepositoryStack } from '../lib/ecr-stack';
+import { RsqlDockerImageStack } from '../lib/rsql-docker-image-stack';
+import { S3Stack } from '../lib/s3-stack';
+import { VpcStack } from '../lib/vpc-stack';
+import { RedshiftStack } from '../lib/redshift-stack';
+import { BatchStack } from '../lib/batch-stack';
+import { StepFunctionsStack } from '../lib/stepfunctions-stack';
+import { SnsStack } from '../lib/sns-stack';
+import { SampleDataDeploymentStack } from '../lib/sample-data-deployment-stack';
+import { Tags } from 'aws-cdk-lib';
+
+const env = {
+  account: process.env.CDK_DEPLOY_ACCOUNT || process.env.CDK_DEFAULT_ACCOUNT,
+  region: process.env.CDK_DEPLOY_REGION || process.env.CDK_DEFAULT_REGION
+};
+
+const app = new cdk.App();
+
+Tags.of(app).add('purpose', 'aws-blog-demo-serverless-rsql-etl-framework');
+
+const vpcStack = new VpcStack(app, 'VpcStack', {
+  env: env,
+});
+const s3Stack = new S3Stack(app, 'S3Stack', {
+  env: env,
+});
+const redshiftStack = new RedshiftStack(app, 'RedshiftStack', {
+  env: env,
+  vpc: vpcStack.vpc,
+  loggingBucket: s3Stack.loggingBucket,
+  scriptsBucket: s3Stack.scriptsBucket,
+  dataBucket: s3Stack.dataBucket,
+});
+const ecrRepositoryStack = new EcrRepositoryStack(app, 'EcrRepositoryStack', {
+  env: env,
+});
+const rsqlDockerImageStack = new RsqlDockerImageStack(app, 'RsqlDockerImageStack', {
+  env: env,
+  repository: ecrRepositoryStack.repository,
+  redshift: redshiftStack.redshift,
+});
+const batchStack = new BatchStack(app, 'BatchStack', {
+  env: env,
+  redshift: redshiftStack.redshift,
+  ecrRepository: ecrRepositoryStack.repository,
+  vpc: vpcStack.vpc,
+  scriptsBucket: s3Stack.scriptsBucket,
+});
+const snsStack = new SnsStack(app, 'SnsStack', {
+  env: env,
+});
+const stepFunctionsStack = new StepFunctionsStack(app, 'StepFunctionsStack', {
+  env: env,
+  jobDefinition: batchStack.jobDefinition,
+  jobQueue: batchStack.jobQueue,
+  scriptsBucket: s3Stack.scriptsBucket,
+  dataBucket: s3Stack.dataBucket,
+  redshiftRole: redshiftStack.redshiftRole,
+  snsTopic: snsStack.topic,
+  snsKey: snsStack.key,
+});
+const sampleDataDeploymentStack = new SampleDataDeploymentStack(app, 'SampleDataDeploymentStack', {
+  env: env,
+  scriptsBucket: s3Stack.scriptsBucket,
+  dataBucket: s3Stack.dataBucket,
+});

ServerlessRSQLETLFramework.png

@@ -0,0 +1,34 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/serverless_rsql_etl_framework.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}

StateMachine.png

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+if [[ $# -ge 2 ]]; then
+    export CDK_DEPLOY_ACCOUNT=$1
+    export CDK_DEPLOY_REGION=$2
+    shift; shift
+    npx [email protected] "$@"
+    exit $?
+else
+    echo 1>&2 "Provide account and region as first two args."
+    echo 1>&2 "Additional args are passed through to cdk deploy."
+    exit 1
+fi

bin/serverless_rsql_etl_framework.ts

@@ -0,0 +1,8 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};

cdk.json

@@ -0,0 +1,10 @@
+[ODBC]
+Trace=no
+
+[etl]
+Driver=/opt/amazon/redshiftodbc/lib/64/libamazonredshiftodbc64.so
+Database=demo
+DbUser=etl
+ClusterID=redshiftblogdemo
+Region=eu-west-1
+IAM=1

cdk.sh

@@ -0,0 +1,20 @@
+FROM amazonlinux:2
+
+ENV AMAZON_REDSHIFT_ODBC_VERSION=1.4.52.1000
+ENV AMAZON_REDSHIFT_RSQL_VERSION=1.0.4
+
+RUN yum install -y openssl unixODBC gettext awscli && \
+    yum clean all
+
+RUN rpm -i \
+    https://s3.amazonaws.com/redshift-downloads/drivers/odbc/${AMAZON_REDSHIFT_ODBC_VERSION}/AmazonRedshiftODBC-64-bit-${AMAZON_REDSHIFT_ODBC_VERSION}-1.x86_64.rpm \
+    https://s3.amazonaws.com/redshift-downloads/amazon-redshift-rsql/${AMAZON_REDSHIFT_RSQL_VERSION}/AmazonRedshiftRsql-${AMAZON_REDSHIFT_RSQL_VERSION}-1.x86_64.rpm
+
+COPY .odbc.ini .odbc.ini
+COPY fetch_and_run.sh /usr/local/bin/fetch_and_run.sh
+
+ENV ODBCINI=.odbc.ini
+ENV ODBCSYSINI=/opt/amazon/redshiftodbc/Setup
+ENV AMAZONREDSHIFTODBCINI=/opt/amazon/redshiftodbc/lib/64/amazon.redshiftodbc.ini
+
+ENTRYPOINT ["/usr/local/bin/fetch_and_run.sh"]

jest.config.js

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# This scripts expects the following env variables to be set:
+# BATCH_SCRIPT_LOCATION - full S3 path to RSQL script to run
+# DATA_BUCKET_NAME - S3 bucket name with the data
+# COPY_IAM_ROLE_ARN - IAM role ARN that will be used to copy the data from S3 to Redshift
+
+PATH="/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+if [ -z "${BATCH_SCRIPT_LOCATION}" ] || [ -z "${DATA_BUCKET_NAME}" ] || [ -z "${COPY_IAM_ROLE_ARN}" ]; then
+    echo "BATCH_SCRIPT_LOCATION/DATA_BUCKET_NAME/COPY_IAM_ROLE_ARN not set. No script to run."
+    exit 1
+fi
+
+# download script to a temp file
+TEMP_SCRIPT_FILE=$(mktemp)
+aws s3 cp ${BATCH_SCRIPT_LOCATION} ${TEMP_SCRIPT_FILE}
+
+# execute script
+# envsubst will replace ${COPY_IAM_ROLE_ARN} and ${COPY_IAM_ROLE_ARN} placeholders with actual values
+envsubst < ${TEMP_SCRIPT_FILE} | rsql -D etl
+
+exit $?

lib/amazonlinux-rsql/.odbc.ini

@@ -0,0 +1,97 @@
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as batch from 'aws-cdk-lib/aws-batch';
+import * as redshift from 'aws-cdk-lib/aws-redshift';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as ecr from 'aws-cdk-lib/aws-ecr';
+
+interface BatchProps extends StackProps {
+    vpc: ec2.Vpc;
+    scriptsBucket: s3.Bucket;
+    redshift: redshift.CfnCluster;
+    ecrRepository: ecr.Repository;
+}
+
+export class BatchStack extends Stack {
+    readonly computeEnvironment: batch.CfnComputeEnvironment;
+    readonly jobQueue: batch.CfnJobQueue;
+    readonly jobDefinition: batch.CfnJobDefinition;
+    readonly batchExecutionRole: iam.Role;
+    readonly batchJobRole: iam.Role;
+
+    constructor(scope: Construct, id: string, props: BatchProps) {
+        super(scope, id, props);
+
+        this.batchExecutionRole = new iam.Role(this, 'DemoBatchExecutionRole', {
+            assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+            managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonECSTaskExecutionRolePolicy')],
+        });
+
+        this.batchJobRole = new iam.Role(this, 'DemoBatchJobRole', {
+            assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+        });
+
+        // batch job role needs:
+        // 1. permissions to call GetClusterCredentials for our Redshift cluster
+        this.batchJobRole.addToPolicy(new iam.PolicyStatement({
+            sid: 'DescribeClusters',
+            resources: [
+                `arn:aws:redshift:${Stack.of(this).region}:${Stack.of(this).account}:cluster:${props.redshift.clusterIdentifier}`,
+            ],
+            actions: ['redshift:DescribeClusters'],
+        }));
+        this.batchJobRole.addToPolicy(new iam.PolicyStatement({
+            sid: 'GetRedshiftClusterCredentials',
+            resources: [
+                `arn:aws:redshift:${Stack.of(this).region}:${Stack.of(this).account}:dbname:${props.redshift.clusterIdentifier}/demo`,
+                `arn:aws:redshift:${Stack.of(this).region}:${Stack.of(this).account}:dbuser:${props.redshift.clusterIdentifier}/etl`,
+            ],
+            actions: ['redshift:GetClusterCredentials'],
+        }));
+        // 2. permissions to read scripts from S3
+        props.scriptsBucket.grantRead(this.batchJobRole);
+
+        this.computeEnvironment = new batch.CfnComputeEnvironment(this, 'DemoComputeEnv', {
+            computeEnvironmentName: 'DemoComputeEnv',
+            type: 'MANAGED',
+            computeResources: {
+                subnets: props.vpc.isolatedSubnets.map(s => s.subnetId),
+                securityGroupIds: [props.vpc.vpcDefaultSecurityGroup],
+                maxvCpus: 256,
+                type: 'FARGATE'
+            }
+        });
+
+        this.jobQueue = new batch.CfnJobQueue(this, 'ETLJobQueue', {
+            jobQueueName: 'ETLJobQueue',
+            computeEnvironmentOrder: [{
+                computeEnvironment: this.computeEnvironment.ref,
+                order: 1,
+            }],
+            priority: 1
+        });
+
+        this.jobDefinition = new batch.CfnJobDefinition(this, 'RSQLETLJobDefinition', {
+            jobDefinitionName: 'RSQLETLJobDefinition',
+            type: 'container',
+            containerProperties: {
+                image: props.ecrRepository.repositoryUri,
+                executionRoleArn: this.batchExecutionRole.roleArn,
+                jobRoleArn: this.batchJobRole.roleArn,
+                fargatePlatformConfiguration: {
+                    platformVersion: 'LATEST',
+                },
+                resourceRequirements: [{
+                    type: 'VCPU',
+                    value: '0.25',
+                }, {
+                    type: 'MEMORY',
+                    value: '512',
+                }]
+            },
+            platformCapabilities: ['FARGATE'],
+        });
+    }
+}

lib/amazonlinux-rsql/Dockerfile

@@ -0,0 +1,16 @@
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as ecr from 'aws-cdk-lib/aws-ecr';
+
+export class EcrRepositoryStack extends Stack {
+    readonly repository: ecr.Repository;
+
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        this.repository = new ecr.Repository(this, 'amazonlinux-rsql', {
+            imageScanOnPush: true,
+            encryption: ecr.RepositoryEncryption.KMS,
+        });
+    }
+}