Structure a Python project in hexagonal architecture using AWS Lambda

Created by Furkan Oruc (AWS), Dominik Goby (AWS), Darius Kunce (AWS), and Michal Ploski (AWS)

Environment: PoC or pilot

Technologies: Software development & testing; Cloud-native; Containers & microservices; Serverless; Modernization

AWS services: Amazon DynamoDB; AWS Lambda; Amazon API Gateway

Summary

This pattern shows how to structure a Python project in hexagonal architecture by using AWS Lambda. The pattern uses the AWS Cloud Development Kit (AWS CDK) as the infrastructure as code (IaC) tool, Amazon API Gateway as the REST API, and Amazon DynamoDB as the persistence layer. Hexagonal architecture follows domain-driven design principles. In hexagonal architecture, software consists of three components: domain, ports, and adapters. For detailed information about hexagonal architectures and their benefits, see the guide Building hexagonal architectures on AWS.

Prerequisites and limitations

Prerequisites 

• An active AWS account

• Experience in Python

• Familiarity with AWS Lambda, AWS CDK, Amazon API Gateway, and DynamoDB

• A GitHub account (see instructions for signing up)

• Git (see installation instructions)

• A code editor for making changes and pushing your code to GitHub (for example, AWS Cloud9, Visual Studio Code, or JetBrains PyCharm)

• Docker installed, and the Docker daemon up and running

Product versions

• Git version 2.24.3 or later

• Python version 3.7 or later

• AWS CDK v2

• Poetry version 1.1.13 or later

• AWS Lambda Powertools for Python version 1.25.6 or later

• pytest version 7.1.1 or later

• Moto version 3.1.9 or later

• pydantic version 1.9.0 or later

• Boto3 version 1.22.4 or later

• mypy-boto3-dynamodb version 1.24.0 or later

Architecture

Target technology stack  

The target technology stack consists of a Python service that uses API Gateway, Lambda, and DynamoDB. The service uses a DynamoDB adapter to persist data. It provides a function that uses Lambda as the entry point. The service uses Amazon API Gateway to expose a REST API. The API uses AWS Identity and Access Management (IAM) for the authentication of clients.

Target architecture 

To illustrate the implementation, this pattern deploys a serverless target architecture. Clients can send requests to an API Gateway endpoint. API Gateway forwards the request to the target Lambda function that implements the hexagonal architecture pattern. The Lambda function performs create, read, update, and delete (CRUD) operations on a DynamoDB table.

Important: This pattern was tested in a PoC environment. You must conduct a security review to identify the threat model and create a secure code base before you deploy any architecture to a production environment.

The API supports five operations on a product entity:

• GET /products returns all products.

• POST /products creates a new product.

• GET /products/{id} returns a specific product.

• PUT /products/{id} updates a specific product.

• DELETE /products/{id} deletes a specific product.

You can use the following folder structure to organize your project to follow the hexagonal architecture pattern:  

app/  # application code
|--- adapters/  # implementation of the ports defined in the domain
     |--- tests/  # adapter unit tests
|--- entrypoints/  # primary adapters, entry points
     |--- api/  # api entry point
          |--- model/  # api model
          |--- tests/  # end to end api tests
|--- domain/  # domain to implement business logic using hexagonal architecture
     |--- command_handlers/  # handlers used to execute commands on the domain
     |--- commands/  # commands on the domain
     |--- events/  # events triggered via the domain
     |--- exceptions/  # exceptions defined on the domain
     |--- model/  # domain model
     |--- ports/  # abstractions used for external communication
     |--- tests/  # domain tests
|--- libraries/  # List of 3rd party libraries used by the Lambda function
infra/  # infrastructure code
simple-crud-app.py  # AWS CDK v2 app 

Tools

AWS services

• Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale.

• Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database that is designed to run high-performance applications at any scale.

• AWS Lambda is a serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers. You can launch Lambda functions from over 200 AWS services and software as a service (SaaS) applications, and only pay for what you use.

Tools

• Git  is used as the version control system for code development in this pattern.

• Python is used as the programming language for this pattern. Python provides high-level data structures and an approach to object-oriented programming. AWS Lambda provides a built-in Python runtime that simplifies the operation of Python services.

• Visual Studio Code is used as the IDE for development and testing for this pattern. You can use any IDE that supports Python development (for example, AWS Cloud9 or PyCharm).

• AWS Cloud Development Kit (AWS CDK) is an open-source software development framework that lets you define your cloud application resources by using familiar programming languages. This pattern uses the CDK to write and deploy cloud infrastructure as code.

• Poetry is used to manage dependencies in the pattern.

• Docker is used by the AWS CDK to build the Lambda package and layer.

Code 

The code for this pattern is available in the GitHub Lambda hexagonal architecture sample repository.

Best practices

To use this pattern in a production environment, follow these best practices:

• Use customer managed keys in AWS Key Management Service (AWS KMS) to encrypt Amazon CloudWatch log groups and Amazon DynamoDB tables.

• Configure AWS WAF for Amazon API Gateway to allow access only from your organization's network.

• Consider other options for API Gateway authorization if IAM doesn’t meet your needs. For example, you can use Amazon Cognito user pools or API Gateway Lambda authorizers.

• Use DynamoDB backups.

• Configure Lambda functions with a virtual private cloud (VPC) deployment to keep network traffic inside the cloud.

• Update the allowed origin configuration for cross-origin resource sharing (CORS) preflight to restrict access to the requesting origin domain only.

• Use cdk-nag to check the AWS CDK code for security best practices.

• Consider using code scanning tools to find common security issues in the code. For example, Bandit is a tool that’s designed to find common security issues in Python code. Pip-audit scans Python environments for packages that have known vulnerabilities.

This pattern uses AWS X-Ray to trace requests through the application’s entry point, domain, and adapters. AWS X-Ray helps developers identify bottlenecks and determine high latencies to improve application performance.

Epics

Initialize the project

Task	Description	Skills required
Create your own repository.	Log in to GitHub. Create a new repository. For instructions, see the GitHub documentation. Clone and push the sample repository for this pattern into the new repository in your account.	App developer
Install dependencies.	Install Poetry. pip install poetry Install packages from the root directory. The following command installs the application and AWS CDK packages. It also installs development packages that are required for running unit tests. All installed packages are placed in a new virtual environment. poetry install To see a graphical representation of the installed packages, run the following command. poetry show --tree Update all dependencies. poetry update Open a new shell within the newly created virtual environment. It contains all installed dependencies. poetry shell	App developer
Configure your IDE.	We recommend Visual Studio Code, but you can use any IDE of your choice that supports Python. The following steps are for Visual Studio Code. Update the .vscode/settings file. { "python.testing.pytestArgs": [ "app/adapters/tests", "app/entrypoints/api/tests", "app/domain/tests" ], "python.testing.unittestEnabled": false, "python.testing.pytestEnabled": true, "python.envFile": "${workspaceFolder}/.env", } Create an .env file in the root directory of the project. This ensures that the root directory of the project is included in the PYTHONPATH so that pytest can find it and properly discover all packages. PYTHONPATH=.	App developer
Run unit tests, option 1: Use Visual Studio Code.	Choose the Python interpreter of the virtual environment that’s managed by Poetry. Run tests from Test Explorer.	App developer
Run unit tests, option 2: Use shell commands.	Start a new shell within the virtual environment. poetry shell Run the pytest command from the root directory. python -m pytest Alternatively you can run the command directly from Poetry. poetry run python -m pytest	App developer

Deploy and test the application

Task	Description	Skills required
Request temporary credentials.	To have AWS credentials on the shell when you run cdk deploy, create temporary credentials by using AWS IAM Identity Center (successor to AWS Single Sign-On). For instructions, see the blog post How to retrieve short-term credentials for CLI use with AWS IAM Identity Center.	App developer, AWS DevOps
Deploy the application.	Install the AWS CDK v2. npm install -g aws-cdk For more information, see the AWS CDK documentation. Bootstrap the AWS CDK into your account and Region. cdk bootstrap aws://12345678900/us-east-1 --profile aws-profile-name Deploy the application as an AWS CloudFormation stack by using an AWS profile. cdk deploy --profile aws-profile-name	App developer, AWS DevOps
Test the API, option 1: Use the console.	Use the API Gateway console to test the API. For more information about API operations and request/response messages, see the API usage section of the readme file in the GitHub repository.	App developer, AWS DevOps
Test the API, option 2: Use Postman.	If you want to use a tool such as Postman: Install Postman as a standalone application or browser extension. Copy the endpoint URL for the API Gateway. It will be in the following format. https://{api-id}.execute-api.{region}.amazonaws.com/{stage}/{path} Configure the AWS signature in the authorization tab. For instructions, see the AWS re:Post article on activating IAM authentication for API Gateway REST APIs. Use Postman to send requests to your API endpoint.	App developer, AWS DevOps

Develop the service

Task	Description	Skills required
Write unit tests for the business domain.	Create a Python file in the app/domain/tests folder by using the test_ file name prefix. Create a new test method to test the new business logic by using the following example. def test_create_product_should_store_in_repository(): # Arrange command = create_product_command.CreateProductCommand( name="Test Product", description="Test Description", ) # Act create_product_command_handler.handle_create_product_command( command=command, unit_of_work=mock_unit_of_work ) # Assert Create a command class in the app/domain/commands folder.  If the functionality is new, create a stub for the command handler in the app/domain/command_handlers folder. Run the unit test to see it fail, because there is still no business logic. python -m pytest	App developer
Implement commands and command handlers.	Implement business logic in the newly created command handler file.  For every dependency that interacts with external systems, declare an abstract class in the app/domain/ports folder. class ProductsRepository(ABC): @abstractmethod def add(self, product: product.Product) -> None: ... class UnitOfWork(ABC): products: ProductsRepository @abstractmethod def commit(self) -> None: ... @abstractmethod def __enter__(self) -> typing.Any: ... @abstractmethod def __exit__(self, *args) -> None: ... Update the command handler signature to accept the newly declared dependencies by using the abstract port class as type annotation. def handle_create_product_command( command: create_product_command.CreateProductCommand, unit_of_work: unit_of_work.UnitOfWork, ) -> str: ... Update the unit test to simulate the behavior of all declared dependencies for the command handler. # Arrange mock_unit_of_work = unittest.mock.create_autospec( spec=unit_of_work.UnitOfWork, instance=True ) mock_unit_of_work.products = unittest.mock.create_autospec( spec=unit_of_work.ProductsRepository, instance=True ) Update the assertion logic in the test to check for the expected dependency invocations. # Assert mock_unit_of_work.commit.assert_called_once() product = mock_unit_of_work.products.add.call_args.args[0] assertpy.assert_that(product.name).is_equal_to("Test Product") assertpy.assert_that(product.description).is_equal_to("Test Description") Run the unit test to see it succeed. python -m pytest	App developer
Write integration tests for secondary adapters.	Create a test file in the app/adapters/tests folder by using test_ as a file name prefix. Use the Moto library to mock AWS services. @pytest.fixture def mock_dynamodb(): with moto.mock_dynamodb(): yield boto3.resource("dynamodb", region_name="eu-central-1") Create a new test method for an integration test of the adapter. def test_add_and_commit_should_store_product(mock_dynamodb): # Arrange unit_of_work = dynamodb_unit_of_work.DynamoDBUnitOfWork( table_name=TEST_TABLE_NAME, dynamodb_client=mock_dynamodb.meta.client ) current_time = datetime.datetime.now(datetime.timezone.utc).isoformat() new_product_id = str(uuid.uuid4()) new_product = product.Product( id=new_product_id, name="test-name", description="test-description", createDate=current_time, lastUpdateDate=current_time, ) # Act with unit_of_work: unit_of_work.products.add(new_product) unit_of_work.commit() # Assert Create an adapter class in the app/adapters folder. Use the abstract class from the ports folder as a base class. Run the unit test to see it fail, because there is still no logic. python -m pytest	App developer
Implement secondary adapters.	Implement logic in the newly created adapter file. Update test assertions. # Assert with unit_of_work_readonly: product_from_db = unit_of_work_readonly.products.get(new_product_id) assertpy.assert_that(product_from_db).is_not_none() assertpy.assert_that(product_from_db.dict()).is_equal_to( { "id": new_product_id, "name": "test-name", "description": "test-description", "createDate": current_time, "lastUpdateDate": current_time, } ) Run the unit test to see it succeed. python -m pytest	App developer
Write end-to-end tests.	Create a test file in the app/entrypoints/api/tests folder by using test_ as a file name prefix.  Create a Lambda context fixture that will be used by the test to call Lambda. @pytest.fixture def lambda_context(): @dataclass class LambdaContext: function_name: str = "test" memory_limit_in_mb: int = 128 invoked_function_arn: str = "arn:aws:lambda:eu-west-1:809313241:function:test" aws_request_id: str = "52fdfc07-2182-154f-163f-5f0f9a621d72" return LambdaContext() Create a test method for the API invocation. def test_create_product(lambda_context): # Arrange name = "TestName" description = "Test description" request = api_model.CreateProductRequest(name=name, description=description) minimal_event = api_gateway_proxy_event.APIGatewayProxyEvent( { "path": "/products", "httpMethod": "POST", "requestContext": { # correlation ID "requestId": "c6af9ac6-7b61-11e6-9a41-93e8deadbeef" }, "body": json.dumps(request.dict()), } ) create_product_func_mock = unittest.mock.create_autospec( spec=create_product_command_handler.handle_create_product_command ) handler.create_product_command_handler.handle_create_product_command = ( create_product_func_mock ) # Act handler.handler(minimal_event, lambda_context) Run the unit test to see it fail, because there is still no logic. python -m pytest	App developer
Implement primary adapters.	Create a function for API business logic and declare it as an API resource. @tracer.capture_method @app.post("/products") @utils.parse_event(model=api_model.CreateProductRequest, app_context=app) def create_product( request: api_model.CreateProductRequest, ) -> api_model.CreateProductResponse: """Creates a product.""" ... Note: All decorators you see are features of the AWS Lambda Powertools for Python library. For details, see the AWS Lambda Powertools for Python website. Implement the API logic. id=create_product_command_handler.handle_create_product_command( command=create_product_command.CreateProductCommand( name=request.name, description=request.description, ), unit_of_work=unit_of_work, ) response = api_model.CreateProductResponse(id=id) return response.dict() Run the unit test to see it succeed. python -m pytest	App developer

Related resources

APG guide

• Building hexagonal architectures on AWS

AWS References

• AWS Lambda documentation

• AWS CDK documentation

  • Your first AWS CDK app

• API Gateway documentation

  • Control access to an API with IAM permissions

  • Use the API Gateway console to test a REST API method

• Amazon DynamoDB documentation

Tools

• git-scm.com website

• Installing Git

• Creating a new GitHub repository

• Python website

• AWS Lambda Powertools for Python

• Postman website

• Python mock object library

• Poetry website

IDEs

• Visual Studio Code website

• AWS Cloud9 documentation

• PyCharm website