DEV Community: Bahaa Noah

Golang Concurrency: How Confinement Improves Performance Without Locks

Bahaa Noah — Mon, 24 Feb 2025 15:09:58 +0000

Concurrency is one of Go's greatest strengths, but it can also be a source of many problems if you're not careful or don't fully understand what you're doing.

Is writing concurrent code difficult? I'd say it's one of the challenging parts in programming because so many things can go wrong. Go makes it easier with Goroutines compared to other languages, but that doesn't mean it's foolproof.

One way to avoid going the wrong way with concurrency is to use tha patterns that has been already tested overtime instead of trying to invent your own.

In this blog we will learn how you can utilize confinement pattern to improve your Go concurrency performance.

What's confinement?

Confinement is a simple yet powerful pattern that ensures data is only accessible from a single concurrent process. When done correctly, it makes a concurrent program completely safe, eliminating the need for synchronization.

In Go, the confinement pattern keeps data access and modifications restricted to a single Goroutine. This approach helps avoid race conditions and ensures safe operations without relying on synchronization tools like mutexes.

Imagine a writer keeping notes in a private journal. Since only they write and read from it, there's no risk of conflicting edits or needing coordination with others.

Similarly, in Go, if a single goroutine owns and modifies a piece of data, there's no need for synchronization mechanisms like mutexes, since no other goroutine can interfere with it.

Why Use Confinement?

Avoid race conditions without using mutexes.
Improve performance by eliminating locking overhead.
Simplify code by keeping state management within a single goroutine.

That being said nothing explains it better than some code examples.

Code Examples

Example 1: Race condition and no confinement

The code simulates processing multiple orders concurrently by spawning a goroutine for each order, which appends the processed result to a shared slice. However, since all goroutines access and modify the slice simultaneously without synchronization, a race condition occurs, leading to unpredictable results.

package main

import (
    "fmt"
    "strings"
    "sync"
)

func processOrder(order string) string {
    return fmt.Sprintf("Processed %s", order)
}

func addOrder(order string, result *[]string, wg *sync.WaitGroup) {
    processedOrder := processOrder(order)
    *result = append(*result, processedOrder) // Shared state modified by multiple goroutines (critical section)
    wg.Done()
}

func main() {
    var wg sync.WaitGroup

    orders := []string{"Burger", "Pizza", "Pasta"}
    processedOrders := make([]string, 0, len(orders))

    for _, order := range orders {
        wg.Add(1)

        go addOrder(order, &processedOrders, &wg)
    }

    wg.Wait()

    fmt.Println("Processed Orders:", strings.Join(processedOrders, ", "))
}

🔴 Issues:

Unpredictable orders value due to race conditions.
Different results on each run.

When trying to run the example above with --race flag, we can see the data race in the output.

Example 2: Using Mutex

To solve the problem above, one way is to guard the critical section with a Mutex lock (mutual exclusion lock). Mutex is a lock that we set before using a shared resource and release after using it. but it comes with a cost, it can slow down the program because it makes the program sequential.

func processOrder(order string) string {
    return fmt.Sprintf("Processed %s", order)
}

func addOrder(order string, result *[]string, wg *sync.WaitGroup, lock *sync.Mutex) {
    lock.Lock()
    processedOrder := processOrder(order)
    *result = append(*result, processedOrder) // Shared state modified by multiple goroutines (critical section)
    lock.Unlock()
    wg.Done()
}

func main() {
    var wg sync.WaitGroup
    var lock = &sync.Mutex{}

    orders := []string{"Burger", "Pizza", "Pasta"}
    processedOrders := make([]string, 0, len(orders))

    for _, order := range orders {
        wg.Add(1)

        go addOrder(order, &processedOrders, &wg, lock)
    }

    wg.Wait()

    fmt.Println("Processed Orders:", strings.Join(processedOrders, ", "))

    // Output > Processed Orders: Processed Pasta, Processed Burger, Processed Pizza
}

Let's also simulate some processing time in the processOrder func and measure the processing time to see the impact of locking.

func processOrder(order string) string {
    time.Sleep(2 * time.Second)
    return fmt.Sprintf("Processed %s", order)
}

func addOrder(order string, result *[]string, wg *sync.WaitGroup, lock *sync.Mutex) {
    lock.Lock()
    processedOrder := processOrder(order)
    *result = append(*result, processedOrder) // Shared state modified by multiple goroutines (critical section)
    lock.Unlock()
    wg.Done()
}

func main() {
    start := time.Now()

    var wg sync.WaitGroup
    var lock = &sync.Mutex{}

    orders := []string{"Burger", "Pizza", "Pasta"}
    processedOrders := make([]string, 0, len(orders))

    for _, order := range orders {
        wg.Add(1)

        go addOrder(order, &processedOrders, &wg, lock)
    }

    wg.Wait()

    fmt.Println("Processed Orders:", strings.Join(processedOrders, ", "))
    fmt.Println("Processing Time:", time.Since(start))

    // Output > Processed Orders: Processed Burger, Processed Pizza, Processed Pasta
    // > Processing Time: 6.00230125s
}

🟡 Improvements:

✅ No race conditions (mutex ensures only one goroutine modifies counter at a time).
❌ Performance overhead due to frequent locking/unlocking.

As you can see in the output above the processing time is 2 seconds per order because it's processing them sequentially.

We can improve the code above and keep the lock by moving the locking to be only on the critical section only, but will rather use confinement.

Example 3: Using Confinement

In this example with using confinement to solve the race condition, avoiding the need for Mutex locks.

func processOrder(order string) string {
    time.Sleep(2 * time.Second)
    return fmt.Sprintf("Processed %s", order)
}

func addOrder(order string, resultDest *string, wg *sync.WaitGroup) {
    processedOrder := processOrder(order)
    *resultDest = processedOrder // Shared state modified by multiple goroutines (critical section)
    wg.Done()
}

func main() {
    start := time.Now()

    var wg sync.WaitGroup

    orders := []string{"Burger", "Pizza", "Pasta"}
    processedOrders := make([]string, len(orders))

    for idx, order := range orders {
        wg.Add(1)

        go addOrder(order, &processedOrders[idx], &wg)
    }

    wg.Wait()

    fmt.Println("Processed Orders:", strings.Join(processedOrders, ", "))
    fmt.Println("Processing Time:", time.Since(start))

    // Output > Processed Orders: Processed Burger, Processed Pizza, Processed Pasta
    // > Processing Time: 2.002053625s
}

🟢 Advantages:

✅ No race conditions (single goroutine modifies orders).
✅ No mutex locking overhead.
✅ More efficient in scenarios with heavy contention.

💡 How confinement works in this example

By passing the result directly instead of modifying a shared resource (like a slice), each goroutine is given its own dedicated element in the processedOrders slice.
Each goroutine is responsible for modifying only its own element in the slice (processedOrders[idx]), which prevents contention over shared memory.
Each addOrder goroutine updates its own location in the slice rather than appending to a shared slice.

🔹 Another approach to achieve confinement with the same example can be done with channels

func processOrder(order string) string {
    time.Sleep(2 * time.Second)
    return fmt.Sprintf("Processed %s", order)
}

func addOrder(order string, resultChan chan<- string, wg *sync.WaitGroup) {
    defer wg.Done()
    processedOrder := processOrder(order)
    resultChan <- processedOrder
}

func main() {
    start := time.Now()

    orders := []string{"Burger", "Pizza", "Pasta"}
    resultChan := make(chan string, len(orders))

    var wg sync.WaitGroup

    for _, order := range orders {
        wg.Add(1)
        go addOrder(order, resultChan, &wg)
    }

    go func() {
        wg.Wait()
        close(resultChan)
    }()

    var processedOrders []string
    for order := range resultChan {
        processedOrders = append(processedOrders, order)
    }

    fmt.Println("Processed Orders:", strings.Join(processedOrders, ", "))
    fmt.Println("Processing Time:", time.Since(start))

    // Output:
    // Processed Orders: Processed Burger, Processed Pizza, Processed Pasta
    // Processing Time: 2.002053625s
}

💡 How confinement works in this example

Each goroutine sends its result to a dedicated channel (resultChan).
The channel safely handles communication between goroutines without needing locks.
The main goroutine collects results from the channel, ensuring thread-safe data collection.
A buffered channel is used to prevent blocking when sending results.
Channel communication enforces data transfer through a single point, naturally preventing race conditions.

Unlike the mutex-based solution, both of these approaches keeps the program concurrent because no goroutines need to wait for others to release a lock as we can see the difference in the processing time.

Conclusion

The Go confinement pattern is great when you need safe, sequential access to a shared resource without locks. However, if multiple goroutines require parallel access, other synchronization methods (mutexes, atomics) may be better.

✅ Use confinement when one goroutine can own the data (best for queues, worker pools).
✅ Use mutex when multiple goroutines need simultaneous access (best for shared maps, counters).
❌ Don't use confinement When multiple goroutines must access and modify the same data.
❌ Avoid shared state without synchronization (leads to race conditions).

Resources

Building Secure Software: Ten Tips for Software Developers

Bahaa Noah — Mon, 22 May 2023 19:42:35 +0000

Security is crucial in software development, and you don't have to be a security engineer to take responsibility for your software's security. Here are some tips to keep in mind to make your software more secure.

TL;DR

Don't trust the user: Implement proper validation and user input sanitization to prevent unwanted or harmful outcomes.
Validate and sanitize: Perform input validation and sanitization on both the front-end and back-end to ensure data integrity and prevent security vulnerabilities.
Limit privileges: Grant users the minimum level of access necessary to perform their tasks to minimize the risk of accidental or malicious actions.
Encrypt everything: Utilize SSL/TLS protocols and encryption mechanisms to protect sensitive information from unauthorized access or interception.
Don't trust yourself: Rely on rigorous testing, including unit tests and external security audits, to identify and address security vulnerabilities in your code.
Public vs. private data: Classify and protect data based on its sensitivity, applying appropriate security measures to safeguard private information.
Field verification: Validate and verify user-provided data to ensure accuracy, integrity, and protection against data manipulation or injection attacks.
Authenticate every interaction: Implement robust authentication mechanisms to verify the identity of users and secure interactions with your software.
Beware of leaks in the console: Utilize code linters and build tools to minimize the risk of sensitive information leaking through console logs.
Assume your walls will be breached: Adopt a proactive approach to security by performing premortem exercises, identifying potential breaches, and implementing preventive measures.

I am going to break it down to two main sections:

Human Issues

1. Don't Trust the User

When putting this phrase in the right context, it doesn't mean the user is dumb or doesn't know how to use the software, what it means is that the person using your app shouldn't be able to do anything that leads to unwanted or harmful outcomes.

Let's say you're developing a web application that allows users to upload files. One of the features of your application is a file-sharing functionality where users can share files with each other. However, you want to ensure that users cannot upload or share malicious files that may harm other users or compromise the security of the system.

In this case, you shouldn't trust the user's uploaded file blindly. Even if a user appears to be trustworthy, there's always a risk that they might unknowingly or intentionally upload a malicious file. To mitigate this risk, you should implement proper validation and sanitization mechanisms on the server-side, and that takes us to the next point which is validation and sanitization.

2. Validate and Sanitize

Validating and sanitizing all inputs is crucial for security. Validation should be performed on both the front-end and back-end, while sanitization involves stripping out any errant code and cleaning input from anything that shouldn't be there. Similar to validation, sanitization should be performed on both ends. Additionally, all outputs from the server should be sanitized before they are displayed on the front-end.

Let's imagine you're building an Authentication service that accepts email and password from the user as inputs.

Input Validation:

The email address should be in a valid format (e.g., "example@example.com").
The password should meet complexity requirements (e.g., a minimum length, including a mix of uppercase and lowercase..etc).

However, relying solely on front-end validation is not sufficient. It's important to perform server-side validation as well to prevent any malicious attempts to bypass the front-end checks. For instance:

The email address should be checked for uniqueness to avoid duplicate accounts.
Server-side validation can also include additional checks, such as verifying that the email address belongs to a valid domain or checking against a list of commonly used weak passwords.

Input Sanitization:

Input sanitization is the process of removing or neutralizing potentially harmful characters or code from user inputs. This is crucial to prevent attacks like Cross-site scripting (XSS)or SQL injection. For example:

inputs should be properly escaped or encoded before storing it in the database or using it in dynamic queries.
Special characters and tags should be sanitized from text inputs to prevent malicious scripts from being injected and executed.

Output Sanitization: It's not just important to validate and sanitize inputs; you should also ensure that any data output from the server to the front-end is properly sanitized to prevent cross-site scripting attacks. For example:

User-generated content, such as comments or forum posts, should be sanitized to prevent the execution of embedded scripts when displayed on the website.
Any dynamic content rendered on the front-end, such as user profiles, should go through output encoding or HTML sanitization to prevent injection of malicious code.

3. Limit privileges

Give people as limited access as possible, this is also one of the security pillars in AWS that they highly recommend when you set permissions with IAM policiesfor granting users access to AWS resources.

Limiting access is important for mainly two reasons:

To prevent trusted users from accidentally doing things they shouldn't.
To prevent malicious users from doing things when they gain access.

4. Encrypt everything

The internet is an information distribution network, always assume someone is listening and encrypt everything.

Implement an end-to-end encryption by using SSL/TLS protocols. SSL certificates are provided for free by services like let's encrypt to protect the confidentiality of user messages and prevent unauthorized access to sensitive information. Even if the communication is intercepted, the intercepted data will be in an encrypted form and cannot be deciphered without the recipient's private key.

And it goes without saying that encrypting sensitive information like passwords with strong one-way hashes (using cryptographic hashing algorithms like bcrypt) ensures that even if a data breach occurs, the actual passwords remain secure and cannot be easily reversed or exploited.

Furthermore, it's essential to enforce encryption and block unencrypted communication whenever possible.

5. Don't trust yourself

"Did I close the door? Is the light still on?" These are questions most of us ask ourselves when leaving the house. It's fascinating how, once doing something becomes routine, our memory of having done it becomes fleeting to the point where we often can't remember at all. Then, on the rare occasion when you actually forget to do something, the only way you'll find out is by going back and checking.

When it comes to development, we can't trust ourselves to make sure all security measures are addressed and that everything is working properly. You can't trust yourself to test your own code! Trust your test process.

To ensure security measures are addressed and that everything is working properly, follow these steps:

Implement unit tests for security, including sanitization and validation.
Have both novice and security professionals pen-test your application.
Have some security scanning tools to scan your code, like SonarQube, Snyk or Guardrails.

Software Issues

6. Public vs. private data

A good rule of thumb is to assume that all data available over the internet will eventually be compromised and accessed by someone who shouldn't have access, either by accident or intentionally.

With this in mind, for every piece of data, consider whether it should be public or private, what access level it requires, and the best way to protect it from eventual compromise.

Always ask the question: should the data be public or private? Based on your answer, apply the appropriate measures to protect it.

If you're working with a lot of private data, you might need to consider encrypting it or eliminating it altogether, and only collecting it temporarily for each interaction, such as credit card information.

7. Field verification

Validate and verify user-provided data to ensure its accuracy, integrity, and adherence to expected formats.

Use input validation techniques on the client side and server side to prevent data manipulation and injection attacks.

You usually have control over client-side verification. When relying on third parties, you also rely on their server-side validation and must build around their error reporting and messaging.

8. Authenticate every interaction

Authenticating every interaction is a best practice that dramatically increases security.

There are different levels of authentication, from base level with SSL certificates to full user accounts with authorization levels. The level of authentication necessary depends on the project, but it's important to collect as little personal information as possible while still verifying the user's identity. Two-factor authentication is a good best practice to introduce.

9. Beware of leaks in the console

Logging in the console is useful for debugging and seeing what's going on with your application. However, the console can also become a major vector for leaking information if you're not careful.

To Avoid data leaks in Console, Build tools are your friend here:

Use a code linter that flags console logs as a warning.
Use build tools to strip out console logs before deployment.
Do production tests to make sure no data is leaking into the console.

10. Assume your walls will be breached

Performing a premortem exercise during software development can help identify possible security breaches and their prevention. As per Wikipedia a premortem "is a managerial strategy in which a project team imagines that a project or organization has failed, and then works backward to determine what potentially could lead to the failure of the project or organization.".

To do this, sit down with your team and say, "Okay, it's four months from now. We've launched our project and a major newspaper's on the phone, asking for comments about the huge security breach we just experienced. What went wrong?"

Imagine a security breach has already happened and brainstorm all possible scenarios.
Then address each one by identifying how it could happen and how to prevent it.
Document how each imagined breach can be prevented and create a backlog from this list.

This exercise can be done at various stages of development to keep everyone focused on security and proactively deal with issues before launch.

Conclusion

Software security is a crucial aspect of development that should be prioritized by all developers, regardless of their role or expertise. By following these ten security tips, you can significantly enhance the security of your software.

Additionally, it is important to familiarize yourself with the OWASP Top 10.

Lastly, I highly recommend checking out the web security learning path provided by PortSwigger, they are a market leader in security and the course curriculum is well-made. I have completed the course and found it a valuable learning experience. It's completely free and comes with laps to test on as well.

Resources:

linkedin learning: ten developer security tips

Thanks for reading, I hope this was helpful. Please feel free to reach out if you need more help or have any suggestions.

7 Metrics to Evaluate your code quality using static analysis

Bahaa Noah — Mon, 20 Feb 2023 19:23:08 +0000

Have you ever wondered how to measure the quality of your code using meaningful metrics? One of the popular measures used across teams is "Code Coverage", It's a great measure that provides a lot of insights, but it's not enough, especially when multiple teams or even many developers are working on the same code base, which is a very common situation when working on a monolithic application. In this post, I will share with you 7 useful metrics that you can use to get a pulse on the quality of your code, as well as a quick demonstration with SonarQube on how to generate these metrics.

1. Code complexity

Writing, debugging, and maintaining code is a complicated process in and of itself, and it can become even more complicated as the project scope expands and changes over time. High code complexity comes at a high cost in terms of severe bugs and defects.

Many factors can contribute to code complexity and make it difficult to maintain, such as the number of nested conditions within the code, such as for, if/else, switch, while, and so on. If you want to learn more about complexity, read more about it here.

I found this article useful about explaining code complexity as well, a-simple-understanding-of-code-complexity.

2. Code coverage

Code coverage is a metric shows the percentage of code executed during testing. It aims to help you understand how much of your code is being tested. It's an important metric that can help you assess the quality of your code, deliver features with confidence that you didn't break anything that used to work, and write a testable, decoupled code.

I could go on and on about the advantages of writing tests for the rest of this post. If you haven't tested your code yet, you should start now. It may take a little longer to develop a feature, but it will definitely save you time later when you're adding new features or updating existing ones.

The question now is how much of my code should be covered by test cases. It's debatable whether you should test 100% or not; I believe if you can do so, you should because it gives you peace of mind later on, though it's difficult to maintain 100% at all times. If you can't reach 100% at least test the parts of your code if they fail your application will breakdown and might lead to losing customers.

3. Bug density

Bug density is the number of known bugs per number of lines of code. It's another metric that can help you improve the quality of your software. Most of the teams are using thousand lines of code as benchmark in the previous definition.

Defects can be detected before releasing on productions in many ways, mostly with writing tests for your code, effective code reviews or manual/automated QA. Even though some defects can escape to production, using static analysis tools can help you avoid these defects reaching your end user.

4. Duplicated code

Duplication usually occurs when multiple developers are working on different parts of the same application at the same time. Since they’re working on different tasks, they may be unaware their colleague has already written similar code that could be repurposed for their own needs.

There’s also more subtle duplication, when specific parts of code look different but actually perform the same job. This kind of duplication can be hard to find and fix.

Again, static analysis can help you detecting the first type of duplication and give you some insights to fix it and improve your code quality and make it less smelly.

5. Code maintainability

The ease of modification and maintainability of code is measured by code maintainability. It can be measured by how long it takes to make a change and the risk that the change will break something.

In other words, it refers to the Technical Debt in your application. The less there is, the better. Static analytics will provide you with details about the Code Smells in your application as well as the amount of Debt.

6. Coding standards

Compliance to coding standards is one measure that a static analysis does not provide, but I believe it contributes to the quality of your code.

We all write code in our own unique way. Working in a team and having different developers contribute to the same codebase without some predefined coding standards in place will result in a chaotic mess and poor quality code. For instance, using camel case vs. snake case with variables and classes, using spaces vs. tabs, formatting, and so on. Every programming language has its own standards, which you should enforce within your team to improve quality and make the code look consistent regardless of who wrote it.

7. Security vulnerabilities

Detecting security risks in code is an important metric to keep an eye on. It could be secrets/passwords that are hard coded in your code or a third-party package that has a vulnerability and must be updated to get the latest security patch fixed. Static code analysis tools can easily detect such issues; guardrails is a popular tool that specialises in this, I highly recommend integrate it with Github or any other version control repository you are using to run with every new code pushed.

Demo with SonarQube

One of the market leading tools that helps with measuring code quality when it comes to static analysis is SonarQube, I will show you a quick demo of what it can do for you.

I will be using it with PHP and Laravel project.

Installation

There are many ways to install SonarQube and get it up and running, I will be using brew and docker in this demo, I will leave the installation reference here and find out what works for you.

Make sure Docker is installed and running and no services are running on port 9000.

From your terminal run:

docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

You should now have SonarQube server up and running on port 9000.

In your browser open `http://localhost:9000/` and you should see a login page.

Enter the default username and password

username: admin
password: admin

set a new password and you should land on create your project page.

On create your project page I choose manual setup for the purpose of the demo but feel free to choose any other available option.

Fill the project details and go to the next page.

On how do you want to analyze your repository, choose locally.

Generate a token for your project.

you will be asked what option best describes your build? in my case I will choose PHP and MacOs.

You should be provided with code to run in your project to get the code analysis.

Before you do make sure sonarScanner is installed on your machine, find all installation options here SonarScanner Installation

If you're using MacOs run:

brew install sonar-scanner

Once installed navigate to your project dir and run the following command:

sonar-scanner \ -Dsonar.projectKey={ProjectName} \ -Dsonar.sources=. \ -Dsonar.host.url=http://localhost:9000 \ -Dsonar.login={ProjectKey}

you should get an EXECUTION SUCCESS message if everything runs successfully.

Navigate to the browser again and you should be able to view the metrics for your project similar to the images below

There is much more than that there, have a look and see all of the useful insights it gives you to improve your code quality.

I would highly recommend including such analysis in your CD/CD pipelines if not all but at least code coverage and security vulnerabilities scanning, it will help you to maintain your code quality within your team.

Conclusion

These metrics provide insight into the code quality, helping to identify areas of improvement, enforce coding standards, and minimize the risk of bugs or security vulnerabilities.

That was one way to improve your code quality, but it is not the only way. According to a Smart Bear 2020 Code Review survey, the number one way a company can improve code quality is through Code Review.

And I would finish with a quote from Peter Drucker

If you can't measure it, you can't improve it.

Which is true most of the time.

Thank you for taking the time to read this; I hope you found it useful. Please contact me if you require additional assistance or have any suggestions.

Launching an Engineering Blog

Bahaa Noah — Sun, 05 Feb 2023 09:49:03 +0000

Launching a personal engineering blog has always been one of my career goals, which I had put off for a long time before finally achieving. There has been always a push back when it comes to choosing tech stack for building it, I never been a big fan of CMS solutions like wordpress and other similar CMS, there is nothing wrong with it, it's just a personal preference. The other option was to build it myself using any of the languages I am familiar with like PHP or Java but that was an over kill and too much for just a blog.

I got inspired to start when I came across a blog post from Zalando Engineering on linkedin about how they launched there engineering blog and that was the triggering point for me, you can read more about it here Launching the Engineering Blog.

In this post, I'll take you through how I built my blog using static site generator and automating publishing and deployment on AWS S3 using Github Actions.

Choosing Static Site Generator

Jamstack provides a wide range of static site generators. They are all pretty much having similar functionalities to render a website from Markdown.

I decided to choose jigsaw as I am familiar with the technologies it's built with (PHP , Tailwind for styling and Blade as template engine) as it will be easy to customize if needed besides that, it comes with decent amount of features out of the box, I barely did any customization to it, just followed the installation instructions and got started.

After installation and customizing it, I wanted to setup the infrastructure where it will be hosted. I wrote another blog post on how I used Terraform to build static website infrastructure on AWS, read more about it here.

Writing and Publishing

As it's an engineering blog writing markdown is pretty much familiar to most of software engineers given the fact we have to write markdown documentation all the time.

After writing, I wanted to automate deployment and publishing. I am using Github as a repository and I have experience with CircleCi but I wanted to learn Github Actions. I decided to take this opportunity to learn Github Actions instead of CircleCi.

here's how I automated the deployment

Create an IAM user on AWS with S3 full access permission and save the access key and secret for later.
In Github in your repository setting under security section, click on Actions option and create two new repository secrets from the keys you have from the previous step AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Finally create an action workflow that will trigger once merged on the main branch.

name: Main

on:
  push:
    branches: ["master"]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Composer Dependencies
        run: composer install
      - name: Install Npm
        run: npm install
      - name: Run Npm prod
        run: npm run prod
      - name: Build Jigsaw site
        run: ./vendor/bin/jigsaw build production

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ap-south-1 // change that to the region you are using
      - name: deploy
        run: aws s3 sync build_production/. s3://bahaanoah.com/ --region ap-south-1 --delete

And there you have it a functional blog with automated CI/CD.

Tracking

Eventually I wanted to get some insights on blog views without invading visitors privacy and being GDPR compliance without Cookie banners. I found some great options like plausible and getinsights and decided to go for getinsights because they have a free tier and I am not really expecting heavy traffic at the beginning.

Conclusion

I do strongly believe one of the best ways to learn is by teaching and that has been one of the main reasons I started blogging, besides that I am passionate about sharing knowledge and simplifying complex subjects.

I hope this was helpful and will inspire you to start your own blog and start writing as well. It can be also a good use as an engineering blog for your company that provides a good platform for engineers to publish their thoughts and share the engineering culture there.

Thanks for reading, I hope this was helpful. Please feel free to reach out if you need more help or have any suggestions.

Static Website Infrastructure on AWS with Terraform

Bahaa Noah — Sun, 05 Feb 2023 09:44:06 +0000

As a software engineer, you likely understand the importance of automation and reproducibility in your workflow. One way to achieve this is by using Terraform, it was one of the technologies that I learned in 2022 and since then it has been the goto tool for me for any infrastructure work. In this post, I'll take you through how to use Terraform to create the necessary resources for hosting a static website on AWS, making your life a lot easier.

Required Utilities

Install these tools before proceeding:

AWS CLI
Terraform - Install Terraform

Configure the AWS CLI with a user that has sufficient privileges to create all the resources we will be using in this blog, and it's always a best practice to give least privileges rather than an admin access. Verify that the CLI can authenticate properly by running aws sts get-caller-identity.

Overview

We will utilize the following services to create static website hosting infrastructure:

AWS S3 Bucket as the hosting and storage for the website files and rearouses.
Route 53 as DNS resolver.
AWS Certificate Manager for securing the website and managing the ssl certificate.
Amazon CloudFront to optimize the performance and improve security.

Using all of these services should be free of charge except for Route 53 will charge you around 00.51$ and in general if you are not in the free tier you will be charged around 3$~4$ per month based on the traffic you are getting.

Setting Up Variables

After setting up the tools, let's create the following environment variables to store commonly used values. First things first we will create our main.tf file and place the following in it.

terraform {
  required_version = "~> 1.0"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

locals {

  # change that to your domain name
  domain_name = "bahaanoah.com"

  # I like to tag everything that's being created by terraform
  tags = {
    "terraform" = true
  }
}

# I will be using UAE region but feel free to use whichever you prefer
provider "aws" {
  region = "me-central-1"
}

Create S3 Bucket

At this step we are going to create S3 bucket with public access and add website configuration to it using Resource: aws_s3_bucket.

Create s3.tf file and add the following code:

resource "aws_s3_bucket" "this" {
  bucket = local.domain_name
  tags = local.tags
  force_destroy = true
}

resource "aws_s3_bucket_policy" "allow_public_access" {
  bucket = aws_s3_bucket.this.id
  policy = jsonencode(
    {
      Statement = [
        {
          Action = "s3:GetObject"
          Effect = "Allow"
          Principal = "*"
          Resource = "arn:aws:s3:::${local.domain_name}/*"
          Sid = "Stmt1661600983594"
        },
      ]
      Version = "2012-10-17"
    }
  )
}

resource "aws_s3_bucket_versioning" "this" {
  bucket = aws_s3_bucket.this.id
  versioning_configuration {
    status = "Disabled"
  }
}

resource "aws_s3_bucket_website_configuration" "this" {
  bucket = aws_s3_bucket.this.bucket

  index_document {
    suffix = "index.html"
  }
  error_document {
    key = "404/index.html"
  }
}

Once done go ahead and apply what we have created so far.

terraform init
terraform apply

Create Route 53 Hosted Zone

At this step will create a hosted zone to manage our dns records using Resource: aws_route53_zone.

Create route53.tf file and place the code below:

resource "aws_route53_zone" "primary" {
  name = local.domain_name
  tags = local.tags
}

Go ahead and apply the changes.

terraform apply

After applying this change you should see a hosted zone with NS and SOA records created in route 53, copy the NS record values and update your domain nameservers, in my case I have my domain registered in Godaddy all I needed to do is change the default nameservers and use custom nameservers the add the NS values from AWS there.

Issue SSL Certificate

We will issue SSL certificate using AWS Certificate Manager with Resource: aws_acm_certificate and create some DNS records in route 53 to validate it at this step.

Create acm.tf file and place the code below:

# if you are using different region from us-east-1 you will need to do that step 
# because cloudfront only works with certificates issued in us-east-1
provider "aws" {
  alias = "virginia"
  region = "us-east-1"
}

resource "aws_acm_certificate" "this" {
  domain_name = local.domain_name
  validation_method = "DNS"

  tags = local.tags
  lifecycle {
    create_before_destroy = true
  }
  provider = aws.virginia

}

resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
      name = dvo.resource_record_name
      record = dvo.resource_record_value
      type = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name = each.value.name
  records = [each.value.record]
  ttl = 60
  type = each.value.type
  zone_id = aws_route53_zone.primary.zone_id
  provider = aws.virginia
  depends_on = [
    aws_acm_certificate.this,
    aws_route53_zone.primary
  ]
}

Go ahead and apply the changes.

terraform apply

If you connected your domain to the NS record from previous step it should take a couple of minutes and your certificate status will change to "Issued"

Create CloudFront

At this step we will create CloudFront with Resource: aws_cloudfront_distribution and connect it to the S3 Bucket we created earlier, then eventually create an A record in the hosted zone we created that's aliased to this cloudfront distribution.

Create cloudfront.tf file and place the code below:

resource "aws_cloudfront_distribution" "this" {
  origin {
    domain_name = aws_s3_bucket_website_configuration.this.website_endpoint
    origin_id = aws_s3_bucket_website_configuration.this.website_endpoint
    connection_attempts = 3
    connection_timeout = 10

    custom_origin_config {
      http_port = 80
      https_port = 443
      origin_keepalive_timeout = 5
      origin_protocol_policy = "http-only"
      origin_read_timeout = 30
      origin_ssl_protocols = [
        "TLSv1",
        "TLSv1.1",
        "TLSv1.2",
      ]
    }
  }

  enabled = true
  is_ipv6_enabled = true

  aliases = [local.domain_name]

  default_cache_behavior {
    allowed_methods = ["GET", "HEAD"]
    cached_methods = ["GET", "HEAD"]
    target_origin_id = aws_s3_bucket_website_configuration.this.website_endpoint
    viewer_protocol_policy = "redirect-to-https"
    compress = true
    min_ttl = 0
    default_ttl = 3600 
    max_ttl = 86400
    smooth_streaming = false
    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      locations = []
      restriction_type = "none"
    }
  }

  tags = local.tags

  viewer_certificate {
    acm_certificate_arn = aws_acm_certificate.this.arn
    cloudfront_default_certificate = false
    minimum_protocol_version = "TLSv1.2_2021"
    ssl_support_method = "sni-only"
  }

  depends_on = [
    aws_s3_bucket.this,
    aws_acm_certificate.this
  ]
}

Go ahead and apply the changes.

terraform apply

Once applied let's create the DNS record, open route53.tf file and add the code below:

# update the resource name to your domain name
resource "aws_route53_record" "bahaanoah-com" {
  name = local.domain_name
  type = "A"
  zone_id = aws_route53_zone.primary.zone_id

  alias {
    name = aws_cloudfront_distribution.this.domain_name
    zone_id = aws_cloudfront_distribution.this.hosted_zone_id
    evaluate_target_health = false
  }

}

Go ahead and apply the changes.

terraform apply

If you reached that point and got everything to be working well done!, you should have your infrastructure up and running, go ahead and upload your website in the S3 bucket we created and check it out.

Cleanup

If you are not going to use it and was just trying and would like to clean up destroy everything to avoid any charges in the future.

terraform destroy

Conclusion

Terraform is a powerful tool for automating the process of creating and managing infrastructure on AWS. By using the services outlined in this post, you can easily set up a secure and performant static website that is easy to maintain and update. However, it is important to keep in mind that this is just the basic setup and there are many other options and features that can be added and configured for different needs and use cases.

As a next step, I would suggest to have a look at this github repository that's containing the code I used to create the Infrastructure for my website it's pretty much the same as we explained with some extra steps for www redirection. I would also recommend having a look at CloudFront Invalidation to manage your cache better and finally if you are working in a team I suggest to have some CI/CD pipeline to automate your infrastructure deployments with some code review process in place, find out more here Running Terraform in Automation.

Thanks for reading, I hope this was helpful. Please feel free to reach out if you need more help or have any suggestions.

DEV Community: Bahaa Noah

Golang Concurrency: How Confinement Improves Performance Without Locks

What's confinement?

Why Use Confinement?

Code Examples

Example 1: Race condition and no confinement

🔴 Issues:

Example 2: Using Mutex

🟡 Improvements:

Example 3: Using Confinement

🟢 Advantages:

💡 How confinement works in this example

💡 How confinement works in this example

Conclusion

Resources

Building Secure Software: Ten Tips for Software Developers

TL;DR

Human Issues

1. Don't Trust the User

2. Validate and Sanitize

3. Limit privileges

4. Encrypt everything

5. Don't trust yourself

Software Issues

6. Public vs. private data

7. Field verification

8. Authenticate every interaction

9. Beware of leaks in the console

10. Assume your walls will be breached

Conclusion

Resources:

7 Metrics to Evaluate your code quality using static analysis

1. Code complexity

2. Code coverage

3. Bug density

4. Duplicated code

5. Code maintainability

6. Coding standards

7. Security vulnerabilities

Demo with SonarQube

Installation

From your terminal run:

In your browser open http://localhost:9000/ and you should see a login page.

Enter the default username and password

On create your project page I choose manual setup for the purpose of the demo but feel free to choose any other available option.

Fill the project details and go to the next page.

On how do you want to analyze your repository, choose locally.

Generate a token for your project.

you will be asked what option best describes your build? in my case I will choose PHP and MacOs.

You should be provided with code to run in your project to get the code analysis.

Before you do make sure sonarScanner is installed on your machine, find all installation options here SonarScanner Installation

Once installed navigate to your project dir and run the following command:

Navigate to the browser again and you should be able to view the metrics for your project similar to the images below

Conclusion

Launching an Engineering Blog

Choosing Static Site Generator

Writing and Publishing

here's how I automated the deployment

Tracking

Conclusion

Static Website Infrastructure on AWS with Terraform

Required Utilities

Overview

Setting Up Variables

Create S3 Bucket

Create Route 53 Hosted Zone

Issue SSL Certificate

Create CloudFront

Cleanup

Conclusion

In your browser open `http://localhost:9000/` and you should see a login page.