DEV Community: Chathra Serasinghe

4K Resolution in Amazon AppStream 2.0

Chathra Serasinghe — Mon, 18 Sep 2023 12:52:04 +0000

Introduction

Amazon AppStream 2.0, a fully managed application streaming service, has recently introduced support for 4K resolution. This enhancement promises a significant upgrade for users who require high-definition visuals for their applications. But why is 4K resolution a pivotal addition to AppStream, and how can you deploy it using CloudFormation? Let's explore.

Why we need 4K resolution?

For the Professionals: Think of graphic designers working on intricate artwork, video editors piecing together 4K footage, architects visualizing detailed structures, or medical professionals analyzing high-res medical images.If they want to stream those applications using AppStream, 4K support is quite important.

Sharper, Clearer, More Detailed: With 4096 x 2160 pixels, 4K offers four times the pixel density of Full HD. This means applications on AppStream will now look crisper.

Elevated User Experience: Even for normal users, With 4K , Texts are sharper, icons pop out, and visuals are just a treat to the eyes. It's all about offering an unmatched user experience.

Lets stream your application in 4K

Before you jump into the 4K bandwagon, here are a few things to keep in mind:

Must use AppStream Client: Make sure you're using the latest AppStream Windows client.Go to this link to download Appstream Client
Choose the Graphic Instances: 4K is gorgeous but demands its fair share of resources. Opt for on-demand or always-on graphic instances to ensure smooth streaming.You cannot use AppStream elastic fleet(No server-less unfortunately)

Quick guide to deploy:

1) First you need to create an Image Builder.This is a required step to create a Custom image which includes your application and configurations.

AWSTemplateFormatVersion: '2010-09-09'
Description: AppStream 2.0 Custom Image Builder
Parameters:
  InstanceType:
    Type: String
    Default: stream.graphics-design.xlarge
  ImageBuilderName:
    Type: String
    Default: 4KImageBuilder
  VpcId:
    Type: AWS::EC2::VPC::Id
  Subnet1Id:
    Type: AWS::EC2::Subnet::Id
Resources:
  AppStreamImageBuilder:
    Type: 'AWS::AppStream::ImageBuilder'
    Properties:
      Name: !Ref ImageBuilderName
      InstanceType: !Ref InstanceType
      ImageArn: !Sub arn:aws:appstream:${AWS::Region}::image/AppStream-Graphics-Design-WinServer2019-06-12-2023
      IamRoleArn: !GetAtt AppStreamIAMRole.Arn
      EnableDefaultInternetAccess: false
      DisplayName: 4K image builder
      Description: 4K image builder
      VpcConfig:
        SecurityGroupIds: 
          - !Ref AppStreamSecurityGroup
        SubnetIds:
          - !Ref Subnet1Id
  AppStreamSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: AppStream Security Group
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: 10.0.0.0/8
      VpcId: !Ref VpcId
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-SecurityGroup"
  AppStreamIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: appstream.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonAppStreamServiceAccess
      Policies:
        - PolicyName: AppStreamIAMPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:*
                Resource:
                  - "arn:aws:s3:::appstream*/*"

This template will create the image builder.

2)Connect to AppStream Image Builder instance and install and configure the application.

More info: https://docs.aws.amazon.com/appstream2/latest/developerguide/managing-image-builders-connect.html

3) Using Image Assistant, create an Appstream Image called 4k-appstream-app which is used to define Appstream fleet in next step. You may replace variables according to your application in following script and run it script inside the Image builder to create the image.

  ##*===============================================
    ##* APPSTREAM VARIABLE DECLARATION
    ##*===============================================
    [string]$AppName = '4k-appstream-app'
    [string]$AppPath = 'C:\4k-appstream-app\4k-appstream-app.exe'
    [string]$AppDisplayName = '4k-appstream-app'
    [string]$AppParameters = ''
    [string]$AppWorkingDir = ''
    [string]$AppIconPath =  ''
    [string]$ManifestPath = "C:\Users\ImageBuilderAdmin\Documents\optimization_manifest.txt"

    [string]$ImageAssistantPath = "C:\Program Files\Amazon\Photon\ConsoleImageBuilder\image-assistant.exe"

    ##*===============================================
    ##* ADD APPLICATION TO APPSTREAM CATALOG
    ##*===============================================
    #AppStream's Image Assistant Required Parameters
    $Params = " --name " + $AppName + " --absolute-app-path """ + $AppPath + """"     

    #AppStream's Image Assistant Optional Parameters
    if ($AppDisplayName) { $Params += " --display-name """ + $AppDisplayName + """" }
    if ($AppWorkingDir) { $Params += " --working-directory """ + $AppWorkingDir + """" }
    if ($AppIconPath) { $Params += " --absolute-icon-path """ + $AppIconPath + """" }      
    if ($AppParameters) { $Params += " --launch-parameters """ + $AppParameters + """" }     
    if ($ManifestPath) { $Params += " --absolute-manifest-path """ + $ManifestPath + """" }

    #Escape spaces in EXE path
    $ImageAssistantPath = $ImageAssistantPath -replace ' ','` '

    #Assemble Image Assistant API command to add applications
    $AddAppCMD = $ImageAssistantPath + ' add-application' + $Params

    Write-Host "Adding $AppDisplayName to AppStream Image Catalog using command $AddAppCMD"

    #Run Image Assistant command and parameters
    $AddApp = Invoke-Expression $AddAppCMD | ConvertFrom-Json
    if ($AddApp.status -eq 0) {
        Write-Host "SUCCESS adding $AppName to the AppStream catalog."
    } else {
        Write-Host "ERROR adding $AppName to the AppStream catalog." 
        Write-Host $AddApp.message

    }
    #AppStream's Image Assistant Required Parameters
    $Params = " --name " + $AppName + " --display-name  """ + $AppName + """"     

    #Assemble Image Assistant API command to add applications
    $CreateImgCMD = $ImageAssistantPath + ' create-image' + $Params

    Write-Host "Creating image $AppName using command $CreateImgCMD"

    #Run Image Assistant command and parameters
    $createImg = Invoke-Expression $CreateImgCMD | ConvertFrom-Json
    if ($createImg.status -eq 0) {
        Write-Host "SUCCESS creating image $AppName"
    } else {
        Write-Host "ERROR creating image $AppName" 
        Write-Host $createImg.message

  }

Once you run the script successfully you will notice image created 4k-appstream-app under Appstream images.

4) Deploy AppStream fleet and Stack using Cloudformation template

AWSTemplateFormatVersion: 2010-09-09
Description: "Provision AppStream 2.0 Fleet and Stack"
Parameters:
  FleetName:
    Type: String

  FleetInstanceType:
    Type: String
    Default: stream.graphics-design.large

  StackName:
    Type: String

  SecurityGroupId:
    Type: String
    Default: ""

  VpcId:
    Type: String

  Subnet1Id:
    Type: String

  Subnet2Id:
    Type: String

  FileUploadPermission:
    Type: String

  FileDownloadPermission:
    Type: String

  ClipboardCopyToLocalDevice:
    Type: String

  ClipboardCopyFromLocalDevice:
    Type: String

  PrintingToLocalDevice:
    Type: String


Conditions:
  SecurityGroupIdNotGiven: !Equals [!Ref SecurityGroupId, ""]

Resources:
  4KAppStreamFleet:
    Type: AWS::AppStream::Fleet
    Properties:
      Name: !Ref FleetName
      ComputeCapacity:
        DesiredInstances: 1
      InstanceType: !Ref FleetInstanceType
      # replace the Image Arn of previously created Image
      ImageArn: !Sub arn:aws:appstream:${AWS::Region}:${AWS::AccountId}:image/4k-appstream
      FleetType: "ON_DEMAND"
      VpcConfig:
        SecurityGroupIds:
          - !If [
              SecurityGroupIdNotGiven,
              !Ref AppStreamSecurityGroup,
              !Ref SecurityGroupId,
            ]
        SubnetIds:
          - !Ref Subnet1Id
          - !Ref Subnet2Id
      EnableDefaultInternetAccess: False
      MaxUserDurationInSeconds: "57600"
      DisconnectTimeoutInSeconds: "900"
      IdleDisconnectTimeoutInSeconds: "900"
      StreamView: APP
    CreationPolicy:
      StartFleet: True

  AppStreamSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: AppStream Security Group
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: 10.0.0.0/8
      VpcId: !Ref VpcId
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-SecurityGroup"

  # Create AppStream Stack
  AppStreamStack:
    Type: AWS::AppStream::Stack
    Properties:
      Name: !Ref StackName
      Description: This demo stack was created using CloudFormation
      ApplicationSettings:
        Enabled: false
      UserSettings:
        - Action: CLIPBOARD_COPY_TO_LOCAL_DEVICE
          Permission: !Ref ClipboardCopyToLocalDevice
        - Action: FILE_DOWNLOAD
          Permission: !Ref FileDownloadPermission
        - Action: FILE_UPLOAD
          Permission: !Ref FileUploadPermission
        - Action: CLIPBOARD_COPY_FROM_LOCAL_DEVICE
          Permission: !Ref ClipboardCopyFromLocalDevice
        - Action: PRINTING_TO_LOCAL_DEVICE
          Permission: !Ref PrintingToLocalDevice

  # Create Association between fleet and stack
  4KAppStreamDemoStackFleetAssociation:
    Type: AWS::AppStream::StackFleetAssociation
    Properties:
      FleetName: !Ref 4KAppStreamFleet
      StackName: !Ref AppStreamStack

6) Launch Appstream URL using AppStream Windows client

You have to base64 encode the AppStream url and add amazonappstream: so you can launch the application from Browser using AppStream client.You may use code similar to following to covert your AppStream url, so that it will launch the AppStream session through AppStream Client.

function stringToBase64WithPrefix(appstreamUrl: string): string {
    const base64Encoded=Buffer.from(appstreamUrl).toString('base64');
    return `amazonappstream:${base64Encoded}`
}

Once you launch your AppStream session using Appstream URL, you should be able to see the option in AppStream menu to change the resolution to 4K.

How to Seamlessly Integrate GitHub with AWS using OpenID Connect for GitHub Actions

Chathra Serasinghe — Sat, 22 Apr 2023 13:47:16 +0000

As more and more organizations adopt a DevOps approach to software development, seamless and secure integration between different tools and platforms is becoming increasingly important. In this blog post, I'll show you how to integrate GitHub with AWS using OpenID Connect for GitHub Actions.

What is OpenID Connect?

OpenID Connect is an authentication protocol that allows users to authenticate themselves to an application by using a third-party identity provider, such as GitHub. OpenID Connect provides a standard way to exchange authentication and authorization data between different systems, making it a popular choice for integrating different platforms securely.

Why Integrate GitHub with AWS using OpenID Connect?

Without OIDC, When GitHub Actions workflows need to access cloud providers for deployment or using their services, requiring credentials to be stored as secrets in GitHub. However, this method of hardcoding secrets requires duplicating them in both the cloud provider and GitHub.This is not secure.

With OIDC, we don't have to store any secrets.

How to Integrate GitHub with AWS using OpenID Connect for GitHub Actions?

To integrate GitHub with AWS using OpenID Connect, you will need to follow these steps:

Steps:

1.Create an Identity Provider in AWS

The first step is to create an Identity Provider in AWS. To do this, you will need to sign in to the AWS Management Console and navigate to the IAM (Identity and Access Management) service. From there, you can create a new identity provider and select OpenID Connect as the provider type. You will need to provide the Client ID and Client Secret for your GitHub application, which you can obtain from your GitHub Developer Settings.

Provider URL: https://token.actions.githubusercontent.com
This is the Github OpenID Connect URL for authentication requests

Audiences : sts.amazonaws.com
(Audiences is also known as client ID)
Audience is a value that identifies the application that is registered with an OpenID Connect provider

2.Assign a role

You can create a role or add an existing role.But make sure that its trust relationships of that role configured as follows.

Trust relationships of the role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "<Arn of Identity provider>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:sub": "repo:<GitHub organization name>/<GitHub repo name>:ref:refs/heads/<branch name>"
                }
            }
        }
    ]
}

You have to replace the placeholders with correct values.

Arn of Identity Provider - ARN of the Identity Provider that you created in step 1.
GitHub organization name - your GitHub Organization name
GitHub repo name - your GitHub Repository name
branch name - Your branch that you want to trigger Github actions

Permissions of the role

Set the permissions according to your requirement.
E.g:- If your Github actions need only S3 bucket access then make sure you just give only that permission.

3.Configure GitHub Actions

Next, you will need to configure GitHub Actions to use OpenID Connect for authentication. To do this, you will need to create a new GitHub Actions workflow file and add the necessary configuration. You will need to specify the ID of your AWS Identity Provider, as well as the client ID and client secret for your GitHub application.

this is an example of GitHub Actions workflow file (.github/workflows/dev.yaml) which achieve the repository and upload to s3 bucket when code pushes to dev branch.

name: Dev Branch Build and Deploy

on:
  push:
    branches:
      - dev
env:
  BUCKET_NAME_PREFIX: "test-bucket"
  AWS_REGION: "ap-southeast-1"
  GITHUB_REF: "dev"

jobs:
  build:
    name: Build and Package
    runs-on: gh-runner
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3
        with:
          path: "./${{ env.GITHUB_REF }}"
      - name: Extract branch name
        shell: bash
        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
        id: extract_branch
      - name: Extract commit hash
        shell: bash
        run: echo "##[set-output name=commit_hash;]$(echo "$GITHUB_SHA")"
        id: extract_hash
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: <role arn>
          role-session-name: <role session-name>
          aws-region: ${{ env.AWS_REGION }}
      # Copy build directory to S3
      - name: Copy build to S3
        run: |
          cd ${{ env.GITHUB_REF }} 
          pwd
          git status 
          git archive --format=zip --output=artifact.zip ${{ steps.extract_branch.outputs.branch }}          
          aws s3 cp ./artifact.zip s3://${{ env.BUCKET_NAME_PREFIX }}-${{ steps.extract_branch.outputs.branch }}/artifact.zip

4.Test the Integration

Once you have configured GitHub Actions, you can test the integration by pushing a change to your GitHub repository. GitHub Actions should automatically trigger a build and deploy process in AWS, using the OpenID Connect authentication data to authenticate the user.

Benefits of using OIDC

One of the primary benefits of using OIDC tokens is the elimination of the need for cloud secrets. Instead of duplicating your cloud credentials as long-lived GitHub secrets, by this method, it request a short-lived access token from the provider through OIDC. This eliminates the need to store secrets in your GitHub repository, thus reducing the risk of secrets being accidentally or intentionally exposed.

Another major benefit is,OIDC tokens allow for the rotation of credentials. With OIDC, your cloud provider issues a short-lived access token that is only valid for a single job, and then automatically expires. This ensures that credentials are rotated frequently, thus reducing the likelihood of misuse or abuse.

Achieving Sustainability Goals in AWS

Chathra Serasinghe — Thu, 26 Jan 2023 00:50:41 +0000

Climate change is the defining issue of our time. It's caused by the burning of fossil fuels, and its effects are being felt worldwide. It's a planetary problem—and it will be felt for many years to come.

AWS has larger number of customers that include companies of all sizes in nearly every industry around the world
and they believes that they can help accelerate the adoption of sustainable energy for our planet. In 2000, AWS became one of the first companies in the industry to adopt a comprehensive approach to environmental stewardship, setting goals and guidelines for energy efficiency and carbon neutrality at each step along its supply chain process.

Today, AWS has taken many initiatives including Wind Farm Project in Ireland and US East in Ohio—which uses wind power to drive cloud-based services for customers data center.
AWS is on track to power their operations entirely with renewable energy by 2025, which will help various businesses in achieving environmental sustainability goals.However, this is not sufficient.

Shared responsibility model for environmental sustainability

Source: AWS documentation

AWS has data centers around the world. They are run by electricity. Electrical energy could be produced from renewable sources like solar or wind power. There are servers in data centers. They must be chilled. Water can be refreshing at times. There will be leftovers. There will be construction supplies. In essence, AWS is responsible for numerous areas within AWS and carefully examines how they are sustainable.

On the other hand, customers are responsible for sustainability for what they're doing in the cloud. AWS doesn't have control on it. Understanding the implications of the services used, measuring affects over the whole workload lifecycle, and using design principles and best practices to minimize these impacts are all part of the discipline of building cloud workloads.

AWS announced the Sustainability Pillar in re:Invent 2021 to help customers in minimizing the environmental impacts of running cloud workloads. It is available in the AWS-Well-Architected tool, which contains design principles, operational guidance, and best practices for meeting sustainability goals.

The Greenhouse Gas Protocol categorize carbon emissions into three major scopes:

All direct emissions from the activities of an organization eg:- fuel combustion by data center backup generators.
Indirect emissions from electricity purchased and used to power data centers and other facilities eg:- emissions from commercial power generation.
All other indirect emissions from activities of an organization from sources it doesn’t control (Customer's responsibility) eg:- Each workload deployed generates a fraction of the total AWS emissions

How can we optimize our workloads to reach our sustainability goals?

In order to reduce the amount of physical hardware, electricity, and carbon emissions that our workload actually produces, what we want to do is use the least amount of virtual hardware possible. Also we need to make sure to use the best and suitable technology.
AWS is always improving their existing services and introducing new ones in order to meet a variety of goals that customers want to achieve, including sustainability. Attending to re:Invent, reading AWS documentation, and following blogs can help you stay updated.

There are three major areas we could examine when discussing workloads.
Those are:

Computing
Storage
Networking.

First up, with compute services, we want to optimize the compute size, the instant size, the number of containers, and ultimately the number of instances that you're actually using to serve your end users. But the number of instances/containers should change over time based on usage, this means that when you don't need a certain amount of compute power, containers, or instances, it should automatically reduced in size. In other words, the main objective is to lowering the amount of compute required per transaction.

Some of the Design Principals for Compute:

Right sizing
Eliminate the idle resources
Using ARM processors instead of Intel(eg:-AWS Graviton processors)
Amazon EC2 Auto Scaling
Containerize the workloads to achieve maximize server utilization
Use Serverless services(eg:- Fargate, Lambda)

There are certain design principles you may use to keep your data in a sustainable manner.

Some of the Design Principals for storage:

Use S3 lifecycle rules
Use Amazon S3 Intelligent-Tiering
Use columnar data formats and compression(Columnar data formats like Parquet and ORC when applicable)
Use Amazon Data Lifecycle Manager to delete old EBS snapshots and Amazon EBS-backed Amazon Machine Images (AMIs) automatically.
Turning on data deduplication for your Amazon FSx for Windows File Server

When it comes to network optimization, it is primarily about optimizing the path data takes across a network and reducing the size of data transmitted.

Some of the Design Principals for Networking:

Using CDN network to reduce the network path( eg:-CloudFront)
Optimize CloudFront cache hit ratio
If workload is deploying only on a single region, choose a Region that is near the majority of your users
If your users are spread over multiple Regions, set up multiple copies of the data to reside in each Region. (eg:- RDS cross-Region read replicas and DynamoDB global tables)
Serve compressed files(eg:-configure CloudFront to automatically compress objects)
Use Edge-optimized API endpoints for geographically distributed clients

It's crucial to keep in mind that optimizing is a journey, not a single task. Although it's a journey, businesses can progress more faster toward their sustainability goals by putting the design principles recommended by the AWS Well-Architected framework into practice. Moreover, AWS has launched the AWS Customer Carbon Footprint Tool, which allows you to track carbon emissions from your workload and make proactive decisions to reduce carbon emissions. It is also essential to look at Cloudwatch Metrics and AWS Trusted Advisor to analyze and optimize your workloads.

AWS commissioned 451 Research, a technology market research and advisory business, to undertake a study on the energy and carbon efficiency of enterprise data centers and server architecture to assess the environmental benefits for enterprises shifting to its public cloud infrastructure.
According to the Amazon Sustainability webpage, it says that "AWS can lower customers’ workload carbon footprints by nearly 80% compared to surveyed enterprise data centers, and up to 96% once AWS is powered with 100% renewable energy".

You can always compare how much your carbon footprint has decreased after switching from on-premises data centers to AWS using the AWS Customer Carbon Footprint Tool. If you haven't considered sustainability yet, now is the time to do so in order to saving earth and future generations. If you are ready, Versent can help you in this journey(Green Brick Road), by working with your ICT team to examine and assess your ICT estate, procedures, and capabilities and align them to sustainability best practices.

References:

Understanding AWS Lambda layers

Chathra Serasinghe — Tue, 27 Sep 2022 00:55:25 +0000

What is a lambda layer?

It is an achieve type durable storage option for lambda which is typically use to store reusable code, such as libraries, dependencies, custom runtimes etc.

What are the storage options supported by Lambda functions

lambda layers (extracts into /opt)
/tmp
S3
EFS

What is the benefit of using Lambda layers?

It is one of the best practice of sharing same code libraries with multiple lambda functions e.g:-Include AWS SDK in a lambda layer and reuse it
Dependency can easily be updated
It reduce code duplication
Faster uploading your lambda code.

How to create a Lambda layer?

Typically you need to include the reusable code/binaries in a lambda layer so which can be used later by multiple lambda functions.
Once you decided which code/binaries to be included in the lambda layer, first step is to create a.zip file of it.
You need to adhere the correct directory structure based on your programming language(runtime language) of the lambda function
Eg:- if the runtime language is Python, then you may follow directory structure python/<your code or binaries> when creating the zip file.
Refer this table to understand Layer paths for each Lambda runtime configuration-layers-path
lets say you want to have boto3 and dependencies as a lambda layer. Then you can go to a terminal and run following.

pip3 install -t python boto3

This command will download all the binaries to target directory python/.

Then you create the zip file

zip -r layer.zip .
After that you can create the lambda layer using zip file as follows.

aws lambda publish-layer-version --layer-name "AWSBoto3layer" --description "My boto3 layer" --zip-file fileb://layer.zip --compatible-runtimes python3.8

You can see the new Lambda layer created in the AWS console and its version is version 1.

If you try to update the same layer it will create a new version. Then then version will be version 2.

Then you can use following cli command to attach your lambda layer to lambda function.

aws lambda update-function-configuration --function-name <lambda function name> --layers <arn of layer>:<version of the layer>

Note:- You have to make sure to link the correct version of the layer

Where does AWS lambda function extract layers in its excecution environment?

When setting up the function's execution environment, Lambda extracts the layer contents into the /opt directory.

What are important facts you should know before using Lambda layers?

You can only add up to 5 layers to a lambda function
Layer should be in the same region of lambda function(But it can be in a different account)
Lambda layers are immutable.Therefore when a new version of the layer is published, you would need to deploy an update to the Lambda functions and explicitly reference the new version.
Maximum size of lambda layer is 50MB.It make sense because the purpose of this storage option is to store static code or binaries and for most of the cases it is sufficient.
Unzipped package size lambda function including lambda layers should be 250MB.This is a hard limit for lambda function. It means lambda layers doesn't solve completely solving the sizing problem.
A layer is private to your AWS account by default. But you can expose it other account explicitly by adding a statement to the layer version's permissions policy

References:

Targeted Sentiment Analysis in real-time using Amazon Comprehend

Chathra Serasinghe — Fri, 23 Sep 2022 22:59:13 +0000

On September 21 2022, AWS announced that Amazon Comprehend supports synchronous processing for targeted sentiments. In other words, Amazon Comprehend is now capable of extracting sentiments associated with entities in a document in real-time(synchronously).Earlier we were able to do this asynchronously only using a Comprehend analysis job.

First, let's try to grasp relevant use cases.

Use cases

Enable accurate and scalable brand and competitor insights.
Live market research
Producing brand experience
Improving customer satisfaction.

Let's take one of the real world customer review to understand it further.

Why do you need targeted sentiments Analysis?

A real world customer review for a hotel:

"The hotel itself was beautiful and clean. I only give it 3 stars because paying $43 USD for parking is DISGUSTING!!!!!!! What a ripoff!!!!! As well, hotel cleaning staff don't clean the rooms anymore but yet the prices are still VERY high."

Sentiment analysis

Sentiment analysis determines the overall sentiment of an input document, but doesn't provide further information about sentiment of each entity(word) in the document.
eg: - Using Sentiment analysis you can only find out whether Customer feedback was positive, negative, neutral, or mixed.

For this scenario, after performing sentiment analysis, it suggest that the overall statement(document) sentiment is MIXED at a confidence level of 94%. However, if you want improve your hotel by understanding the negative areas, and take actions immediately for those then this information is not sufficient.

Targeted Sentiment Analysis

In Targeted sentiment analysis, you can identify the emotions connected to particular entities in your input documents.

Note:- An entity is a textual reference to the unique name of a real-world object such as people, places, and commercial items, and to precise references to measures such as dates and quantities.
When you call Targeted sentiment, it provides the following information:

It identifies the entities in the documents.
Classification of the entity type for each entity mentioned.

You can find the list of entity types here. Entity types
For each entity mentioned, the sentiment and a sentiment score will be evaluated
Groups of mentions that correspond to a single entity.

See the outputs of the targeted sentiment analysis for the same example.

As you can see, you can definitely get insights on areas of improvement in their hotel service. The staff and prices have negative sentiments where they can take immediate actions
to those areas.

Why do you need it synchronous?

You want to take action immediately to upon customer review.
When you call this new API(synchronous), you can immediately get the results and it can be send through any messaging channel(eg:-sms,whatsapp) or update in a real-time dashboard. Therefore you can update the required staff immediately upon review received from customer to take action to rectify the issues, so this new API is super helpful.

Programmatically accessing this new API

I am going to use Python to demonstrate the usage of this new API detect_targeted_sentiment. Please ensure that you have the most recent boto3 version installed, otherwise it will not work because this is a really new API.

Code

import boto3
import subprocess

session = boto3.Session()
comprehend_client = session.client(service_name='comprehend', region_name='us-east-2')
text="The hotel itself was beautiful and clean. I only give it 3 starts because paying $43 USD for parking is DISGUSTING!!!!!!! What a ripoff!!!!! As well, hotel cleaning staff don't clean the rooms anymore but yet the prices are still VERY high."
response = comprehend_client.detect_targeted_sentiment(
LanguageCode='en',
Text = text
)
print(response)

Output

Well-architected EKS Cluster using EKS Blueprints

Chathra Serasinghe — Thu, 22 Sep 2022 11:23:37 +0000

There are various approaches you can follow to deploy Kubernetes clusters in the AWS environment. However, choosing the correct set of tools and configuring them correctly is always a tricky task. It is because the Kubernetes ecosystem is rapidly growing and the things you used a few months ago may have become obsolete now. As a result, correctly implementing and administering such complex clusters is becoming a nightmare.
On the other hand, Customers always prefer to get things done quickly while yet adhering to best standards. Therefore AWS has introduced codified reference architectures called EKS blueprints, which helps you to create and manage well-architected EKS clusters with less effort and time.

Deploying EKS using EKS blueprints - Architecture

image reference: AWS blog

You can consider addons are something like modules if you coming from a terraform background. These addons can be added to the cluster to enhance the clusters capabilities. You can easily grant access to EKS cluster using Teams.
Basically, it supports two types of Teams you can define using EKS blueprints by default.

ApplicationTeam ---> Managing workloads
PlatformTeam ----> Administrating cluster

Demo

Let's get our hands dirty.
I am using CDK for this demonstration. However, terraform also can be used to build a Kubernetes cluster using EKS blueprints.

Prerequisites

First, you have to make sure that you have installed the following.
1)Nodejs
sudo apt install nodejs
2)CDK latest or at least 2.37.1
npm install -g aws-cdk@2.37.1

Create a typescript CDK project

cdk init app --language typescript

Install the eks-blueprints NPM package

npm i @aws-quickstart/eks-blueprints

Then set your AWS credentials. Refer the following AWS docs if you don't know how to do it.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

Replace your main cdk file with the following code.

Typically, it is located in the project's bin folder.(i.e bin/<root_project_directory>.ts)

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import * as blueprints from '@aws-quickstart/eks-blueprints';

const app = new cdk.App();
const account = '<your account no>';
const region = '<region>';

const addOns: Array<blueprints.ClusterAddOn> = [
    new blueprints.addons.VpcCniAddOn(),
    new blueprints.addons.CoreDnsAddOn(),
    new blueprints.addons.KubeProxyAddOn(),
    new blueprints.addons.CertManagerAddOn(),
    //Adding CalicoOperatorAddOn support Network policies
    new blueprints.addons.CalicoOperatorAddOn(),
    //Adding MetricsServerAddOn to support metrics collection
    new blueprints.addons.MetricsServerAddOn(),
    //ClusterAutoScalerAddOn will add required resources to support ClusterAutoScalling
    new blueprints.addons.ClusterAutoScalerAddOn(),
    new blueprints.addons.AwsLoadBalancerControllerAddOn(),
];

blueprints.EksBlueprint.builder()
    .account(account)
    .region(region)
    .addOns(...addOns)
    .build(app, 'eks-blueprint');

CDK bootstrap and deploy

run cdk bootstrap command to bootstrap the enviroment. If you are running for the first time this command is required to create cdk bootstrap enviroment in your AWS account.

run cdk deploy command to deploy the EKS cluster and its addons.
This process will take roughly around 20-30 mints.

Accesing the Kubernetes Cluster

Once the deployment is success you will get a similar output as shown below which consists the update-kubeconfig command to execute which typically update the~/.kube/config file and enables us to access the Kubernetes cluster.

Copy the update-kubeconfig command and run it on your terminal

Verifying the Kubernetes resources

You can run following verification steps to see what have been installed in Kubernetes cluster.

List all namespaces

List all pods in kube-system namespace

You can see the running EKS worker instance as well in EC2 page in AWS management console.

Verifying the provisioned AWS resources

Note:- Even though CDK handles the majority of the hard work for you, it is always worthwhile to review what resources CDK has provisioned. In cloudformation page, you can see that the CDK code has created 1 main stack and 2 nested stacks.

You may wish to execute the following command and see what AWS resources have been provisioned through each stack.

aws cloudformation describe-stack-resources --stack-name <stack name> --region <region> --query 'StackResources[*].ResourceType' --no-cli-pager

Customize your cluster

By default, EKS blueprint creates a Managed Node group for the EKS Cluster. If you wish to customize the default configurations of Managed Node group, you can do that via MngClusterProvider.
For example, In this scenario I want to increase the number of desired nodes to be 2.You can do that by defining the properties for MngClusterProvider as shown below.

const props: blueprints.MngClusterProviderProps = {
    version: eks.KubernetesVersion.V1_21,
    minSize: 1,
    maxSize: 3,
    //increasing worker node count to 2
    desiredSize: 2,
}
const clusterProvider = new blueprints.MngClusterProvider(props);

blueprints.EksBlueprint.builder()
    .account(account)
    .region(region)
    //Adding the cluster provider to the EksBlueprint builder.
    .clusterProvider(clusterProvider)
    .addOns(...addOns)
    .build(app, 'eks-blueprint');

Once you deploy the changes, You can notice that the old instance has been terminated, and a new managed node group with two instances has been created.

This is not the end, but the EKS blueprints provide you a great start to build your EKS cluster faster and provide a plethora of add-ons and customizations to enrich it in terms of various aspects.

AWS CodePipeline - All possible integrations

Chathra Serasinghe — Sun, 11 Sep 2022 00:17:29 +0000

AWS CodePipeline is the prime AWS native CI/CD orchestration tool, which enables you to define your software release process as a workflow. But there are other tools available on the market, such as Jenkins, Gitlab, etc., which also help to create CI/CD pipelines.
Then why do we use CodePipeline?

It is an AWS-managed Service where AWS does the heavy lifting for us, which means we do not need to manage or maintain any servers, which is a great relief.
It is also highly available and reliable.
If you plan to deploy your applications and infrastructure on AWS
(eg: S3,ECS,Cloudformation..) Then it is much easier to do with CodePipeline because it has many seamless integrations with other AWS services, so you do not need to install any plugins (e.g., Jenkins).

Let's discuss the possible integrations available in the AWS Code Pipeline Service.

Typically, any CI/CD pipeline should have a source code repository. If you are using CodeCommit, Bitbucket, Github, or S3 to store your source code, then you should be able to use CodePipeline to orchestrate your CI/CD pipeline.

However,if you are dealing with container-based applications, you may need to integrate with container registries. Then you can easily integrate ECR with CodePipeline.

You have two ways of building the code. AWS native way is using CodeBuild, Otherwise, you can integrate with Jenkins if you are required to integrate with Jenkins. My preference is using CodeBuild because

It is a fully managed service(no servers to manage)
Continuously scaling
Pay only for what you use
You can easily integrate KMS for encrypting artifacts

But Jenkins is a very mature product with many plugins besides there could be situations where you must use Jenkins to get your work done(rarely).

Both CodeBuild and Jenkins can be used, not just for building but also for testing.

Also, there are more interesting integrations available:

Device Farm: Device Farm is a mobile app testing service and it supports various application types and test frameworks/types(e.g.:-Appium).
BlazeMeter - Application Performance Testing(extends Jmeter capabilities)
Micro Focus StormRunner Load - Another Performance testing tool
Ghost Inspector - used for Web UI testing
Runscope API monitoring - API testing and monitoring tool
Synk- scan your application for open source security flaws and enables you to deliver secure applications.

Moreover, when it comes to deployment, you have miscellaneous actions/integrations to services available in AWS Code Pipeline.

Code Deploy - It is one of the "go-to" services if you want to deploy your application on an on-premises instance, EC2, Lambda, or ECS with a variety of essential deployment options.(eg:- Blue/Green,Canary).
CloudFormation - This integration is extremely useful if your CI/CD pipeline requires interaction with the CloudFormation service.
App Config - A better way of deploying your application configuration with different deployment strategies
OpsWorks - If you want to deploy your code on OpsWorks Stack, this option is available through Code Pipeline.
Service Catalog- if you want to provision Service Catalog products through a CI/CD pipeline, yes! it is possible.
Elastic Beanstalk - Code Pipeline can deploy your web application onto Elastic Beanstalk environment.

Likewise, it has direct integrations with ECS and S3 as well.

If you need to integrate a product or service which has no direct integration with AWS Code Pipeline, then you still have your AWS Lambda friend to make it happen.

Finally, if your pipeline demands even more sophisticated workflows, you could easily delegate from Code Pipeline to Step functions. Step Functions has great capabilities such as automatic error handling, a wider range of AWS service integrations, handling long-running tasks and many more to make your life easier. ;-)

Establish secure cloud foundations in AWS using Control Tower

Chathra Serasinghe — Thu, 02 Jun 2022 13:02:52 +0000

Before we discuss Control Tower, there are few other topics to discuss. You may have heard about Multi Account strategy. This is one of the best practices accepted in the industry for various reasons. In any organization, typically you have many departments, teams, products, environments etc. Segregating and placing resources in multiple accounts logically(by department/team/product/environment) which can be handy when it comes to billing.
However, if you have a large number of accounts to manage, you may encounter different problems.

How can we ensure that all accounts meet security and compliance requirements?
How can we make the account creation process more safe and precise?
Can we reduce repetitive tasks when setting up accounts?
How can we monitor these accounts?
How do we get to know if something goes wrong or if something unusual occurs in a multi-account environment?

This is where landing zone and Control Tower comes into picture.

What is a Landing Zone?

It is a preconfigured, secure, scalable multi-account environment based on best practice blueprints.

Blueprints are Well-architected design patterns that are used to set up the Landing Zone

Why do we need AWS Control Tower?

AWS Control Tower helps to automate the landing zone to set up baseline environment. In other words, this will help to build a secure environment for teams to provision development and production accounts in alignment with AWS recommendations and best practices.

What are the main AWS services used by AWS Control Tower?

AWS Organizations
AWS Cloudformation
AWS Service Catalog
AWS SSO
AWS IAM
AWS Config
AWS CloudTrail

What are guardrails and why they needed?

Guardrails are high-level rules that provides ongoing governance for your overall AWS environment which does preventive and detective controls. Typically Control Tower creates and enables some guardrails(mandatory guardrails) during the initial setup. Under the hood these are made from SCPs or AWS config rules. There 3 guardrail types called mandatory, strongly recommended and elective. This can be enabled per OU.

eg:- if you enable the detective guardrail Detect Whether Public Read Access to Amazon S3 Buckets is Allowed on an OU - you can determine whether a user would be permitted to have read access to any S3 buckets for any accounts under that OU.

You can find the details of available guardrails here: guardrails reference

What is Account Factory in Control Tower?

It is a set of pre-approved account configurations which helps to standardize the provisioning of new accounts. It includes baseline network configurations(VPC configuration options).Account factory is publish to AWS Service catalog automatically as a product.

What kind of AWS account require to setup Control Tower?

a fresh AWS master account that is both Master Payer(which pays the charges for all member accounts) and Organization Master.

What accounts Control Tower creates by default?

Log archiving account
Audit account

why? According to Well-Architected multi account environment, Any organization should have separate account for logging and for auditing. Idea of creating separate accounts is for isolation.

How long the Control Tower initial setup process will take?

Around 1 hour

What are the recommended action after the initial setup of the Control Tower?

Adding OUs to organize accounts and projects
Configure the Account factory
Enable more Guardrails - Not all guardrails are enabled by default, so you may need enable as you need. You can enable those guardrails from AWS Control Tower page.
Review the user identity store and SSO for your users across accounts
Review the settings of the shared accounts that AWS Control Tower setup for you.

How can you ensure your accounts are compliant with respect to the enabled guardrails?

When you click accounts or Organizational units, you will see list of accounts and OUs. Then check the compliance Status field under each OU or Account. It will show as shown below mentioning its compliant in green color.

Do you need to pay for AWS Control Tower Service?

No. It is a free service. However, you will have to pay for the AWS resources that Control Tower generates.

Setting up a S3 File Gateway on a EC2 Windows Server

Chathra Serasinghe — Wed, 06 Apr 2022 22:12:25 +0000

S3 File Gateway can be used to Store and access objects in Amazon S3 from NFS or SMB file data with local caching.

Typically, the architecture might look like as shown below when you connecting to your s3 file gateway from On-Premises over NFS or SMB.

But in this blog, I am using EC2 hosted Storage Gateway Appliance for demo purpose. So, in this case Storage Gateway Appliance will be placed on the AWS Cloud not On-prem as shown above.If you have your applications on AWS and want to connect through NFS or SMB where files stored in S3,then this will be the ideal setup.

Setting up a EC2 based S3 File Gateway

First, go to Storage Gateway service in the AWS management console and click create gateway. Then you will see a page as shown below.

Select Amazon S3 File Gateway and click Next.

Before select Amazon EC2 and Click next, You can use this CloudFormation template to create the Storage gateway instance and security groups to avoid bit of ClickOps and save time. :-).Otherwise you can click Launch instance to create an EC2 instance.

AWSTemplateFormatVersion: 2010-09-09

Parameters:
  ImageId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base
  InstanceType:
    Type: String
    Default: m6i.8xlarge
    Description: "Select m6i.[xlarge, 2xlarge, 4xlarge, 8xlarge]. Default is m6i.8xlarge for production use."
    AllowedValues:
      - m6i.xlarge   # 4-vCPU, 16G-RAM, 10Gbps-NET
      - m6i.2xlarge  # 8-vCPU, 32G-RAM, 10Gbps-NET
      - m6i.4xlarge  # 16-vCPU,64G-RAM, 10Gbps-NET
      - m6i.8xlarge  # 32-vCPU,128-RAM, 10Gbps-NET
  VpcId:
    Description: VPC IDs
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Description: Subnet ID
    Type: AWS::EC2::Subnet::Id
  KeyName:
    Description: The SSH keypair
    Type: AWS::EC2::KeyPair::KeyName
  VolumeType:
    Type: String
    Default: io2
  RootVolumeType:
    Type: String
    Default: gp3
  VolumeDeleteOnTermination:
    Default: True
    Type: String
  VolumeSize:
    Description: "SGW cache disk size minimum 150 GiB"
    Type: Number
    Default: 150
  RootVolumeIops:
    Description: "Recommended at least 3000 IOPS or more."
    Type: Number
    Default: 3000
  VolumeIops:
    Description: "Recommended at least 3000 IOPS or more for cache disks."
    Type: Number
    Default: 3000
Resources:
  SGWSG01:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VpcId
      GroupDescription: "EC2 File Storage Gateway Security Group"
      GroupName: !Sub 'ec2-sgw-sg-${AWS::StackName}'
      Tags:
      - Key: "Name"
        Value: SGWSG01
      SecurityGroupEgress:
      - IpProtocol: "-1"
        CidrIp: 0.0.0.0/0
      SecurityGroupIngress:
      - IpProtocol: "-1"
        CidrIp: 10.0.0.0/8

  SGW01:
    Type: 'AWS::EC2::Instance'
    DeletionPolicy: Delete
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-sgw-01'
      PropagateTagsToVolumeOnCreation: True
      KeyName: !Ref KeyName
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      SecurityGroupIds:
        - !Ref SGWSG01
      SubnetId: !Ref SubnetId
      BlockDeviceMappings:
        - DeviceName: "/dev/xvda"
          Ebs:
            VolumeType: !Ref RootVolumeType
            DeleteOnTermination: !Ref VolumeDeleteOnTermination
            Iops: !Ref RootVolumeIops
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeType: !Ref VolumeType
            DeleteOnTermination: !Ref VolumeDeleteOnTermination
            VolumeSize: !Ref VolumeSize
            Iops: !Ref VolumeIops
    DependsOn: SGWSG01

So just click Amazon EC2 and click Next.

Then you will be asked to select the Storage Gateway service Endpoint. I am choosing VPC but if you want you can choose Public based on your requirement.

In order to select VPC endpoint, make sure you have created a VPC interface endpoint as shown below.

Next you will need to connect to the storage gateway to get the Activation code. If you choose IP address option make sure your default browser can access storage gateway console. This step will automatically redirect to Storage gateway console and the generated link will be something like this:

http://<Storage GW EC2 instance IP>/?gatewayType=FILE_S3&activationRegion=<region>&no_redirect&vpcEndpoint=<vpc endpoint dns name>

If that link is not accessible from your current browser/network, copy that link and paste somewhere your storage gateway is accessible. Then it will show you the Activation Code. Then you can copy that into the given box.

Then you can enter the gateway name as you prefer and activate your gateway.

Then mention the cache disk size you want to have.

Best practice to allocate at least 150 GiB of cache storage.

Finally there is an optional step. But I would prefer to have Cloudwatch logs but its totally up to you to disable or enable logs. Enabling logging is useful for auditing purposes.

After creating the gateway you can create NFS or SMB shares up to 10 per Gateway.

S3 Batch Operations-Copy large amount objects from one bucket to another

Chathra Serasinghe — Fri, 04 Mar 2022 08:28:48 +0000

What can you do with S3 Batch operations?

You can perform a selected single operation(copy, replace tags...) on larger number of objects in a S3 bucket using a single request.

How does S3 batch operations work?

1.) Choose objects which you want to perform any operation
You can provide it using:
- Using inventory reports
- Using CSV
- S3 Replication configuration(can create a manifest)
(Note: in this case only operation will be replicate)
2.) Select an operation
- Copy
- Invoke Lambda function
- Replace all object tags
- Delete all object tags
- Replace access control list (ACL)
- Restore achieved objects
- Enable Object lock
- Enable legal hold (same protection as a retention period, but it has no expiration date)
- Replicate( this option is only available when you choose objects using S3 replication configuration based manifest)

3.) Run, View Progress and get reports

Once you run the job you will be able to see the progress and then the reports will be generated in the s3 bucket you provided for reporting. You will be able ask s3 batch operations to only generate reports for all objects or only failed objects(my preference for most of the cases).

What options you can use to copy objects from bucket to another bucket?

Amazon S3 batch operations
AWS SDK
cross-Region replication or same-Region replication
S3DistCp with Amazon EMR
AWS DataSync
Run parallel uploads using the AWS Command Line Interface (AWS CLI)

Too many options, What to choose?

AWS CLI ---> Not efficient when transferring large number of objects.

According to AWS,

custom application using an AWS SDK might be more efficient
at performing a transfer at the scale of hundreds of millions
of objects than AWS CLI

S3DistCp with Amazon EMR ---> Too expensive
AWS Data Sync ---> Still expensive and if you have files with special characters you may encounter some issues.(I have an faced issue - invalid UTF8 characters in file name)
Refer the link below:
https://forums.aws.amazon.com/thread.jspa?threadID=337210
Cross-Region replication or same-Region replication--->
It replicates new objects and changes to existing objects. If you need to transfer existing objects then its not ideal.
AWS SDK --> Extremely Powerful when uploading larger size objects but you may need to design the application to scale.
AWS Batch operations ---> It is extremely powerful to do a task on multiple objects with a single request. However, if you use the copy operation of S3 batch operations alone, there are some limitations, such as the size of the objects to be transferred, which can be up to 5 GB.

How about combining of S3 batch operations+ SDK(Invoke lambda)?

Yes. This is a great choice(at least to me). Lambda provides you flexibility to handle your things in your own way(customizations) and also provides opportunity to use powerful SDK which can copy larger files than 5GB.Then S3 batch operations provide you more convenience.

In simple terms, you are going to use S3 batch operations job using Invoke Lambda function operation.

What do you need to create?
1) A role for Lambda
2) A role for S3 batch operations
3) Lambda function(using Python Boto3)

Pre-requisites:

Source bucket
Destination bucket
Manifest file and a bucket to place it. If you are using CSV file, you will need to make sure following.
- Note:- Object keys must be URL-encoded
Bucket(s) for manifest and S3 batch operation completion reports

You can use my solution to generate csv manifest files and create s3 batch operations jobs.

Please clone my GIT repository and refer README.MD file for detailed steps. code

Note:- This code was motivated by the blog below as well as my own experience with S3 batch operations.

References:
https://aws.amazon.com/blogs/storage/copying-objects-greater-than-5-gb-with-amazon-s3-batch-operations/

Auto Scaling nodes and pods in EKS

Chathra Serasinghe — Sun, 07 Nov 2021 09:55:58 +0000

What are the options you have to Autoscale kubenertes?

Cluster Autoscaler ---> Scales nodes
HPA ---> Scales up or down your deployment/replicaset based on resource's CPU utilization
VPA ---> Automatically adjusts the CPU and memory reservations for your pods

What is Kubernetes Cluster Autoscaler?

It adjusts the size(scale up and down nodes) of a Kubernetes cluster to meet the current needs.
Supported by the major cloud platforms
Cluster Autoscaler typically runs as a Deployment in your cluster.

How does Kubernetes Cluster Autoscaler work?

Cluster AutoScaler checks the status of nodes and pods on a regular basis and takes action based on node usage or pod scheduling status.
When Cluster Autoscaler finds pending pods on a cluster, it will add nodes until the waiting pods are scheduled or the cluster exceeds its maximum node limit.
If node utilization is low, Cluster Autoscaler will remove excess nodes and pods will be able to transfer to other nodes.
So this is not based CPU or memory utilization.

What you should have before deploying Cluster Autoscaler in Kubernetes Cluster?

An IAM OIDC provider for your cluster.

Why?

Cluster Autoscaler requires AWS permission to scale up or down nodes. This permissions will be granted through IAM roles for service account. To support IAM roles for service accounts, your cluster needs to have OIDC URL.(The IAM roles for service accounts feature is available on Amazon EKS versions 1.14 and later and for EKS clusters)
The Cluster Autoscaler requires the following tags on your
Auto Scaling groups so that they can be auto-discovered.
k8s.io/cluster-autoscaler/enabled=true
k8s.io/cluster-autoscaler/<cluster-name>=owned

Demo

Lets create a EKS cluster with cluster autoscaling in Terraform way:

1) Lets create the EKS cluster using Terraform.


locals {
  name            = "eks-scalable-cluster"
  cluster_version = "1.20"
  region          = "ap-southeast-1"
}

###############
# EKS Module
###############

module "eks" {
  source = "terraform-aws-modules/eks/aws"

  cluster_name    = local.name
  cluster_version = local.cluster_version

  vpc_id  = module.vpc.vpc_id
  subnets = module.vpc.private_subnets

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  enable_irsa = true

  worker_groups = [
    {
      name                 = "worker-group-1"
      instance_type        = "t3.medium"
      asg_desired_capacity = 1
      asg_max_size         = 4
      #Cluster autoscaler Auto-Discovery Setup
      #https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#auto-discovery-setup
      tags = [
        {
          "key"                 = "k8s.io/cluster-autoscaler/enabled"
          "propagate_at_launch" = "false"
          "value"               = "true"
        },
        {
          "key"                 = "k8s.io/cluster-autoscaler/${local.name}"
          "propagate_at_launch" = "false"
          "value"               = "owned"
        }
      ]
    }
  ]
  tags = {
    clustername = local.name
  }
}


data "aws_eks_cluster" "cluster" {
  name = module.eks.cluster_id
}

data "aws_eks_cluster_auth" "cluster" {
  name = module.eks.cluster_id
}

data "aws_availability_zones" "available" {
}

2) Creates an IAM role which can be assumed by trusted resources using OpenID Connect Federated Users (Cluster autoscaler will use these permissions to access AWS Services such as autoscaling,ec2)

data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

locals {
  k8s_service_account_namespace = "kube-system"
  k8s_service_account_name      = "cluster-autoscaler-aws"
}


module "iam_assumable_role_admin" {
  #Creates a single IAM role which can be assumed by trusted resources using OpenID Connect Federated Users.
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 4.0"

  create_role                   = true
  role_name                     = "cluster-autoscaler"
  provider_url                  = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
  role_policy_arns              = [aws_iam_policy.cluster_autoscaler.arn]
  oidc_fully_qualified_subjects = ["system:serviceaccount:${local.k8s_service_account_namespace}:${local.k8s_service_account_name}"]
}

resource "aws_iam_policy" "cluster_autoscaler" {
  name_prefix = "cluster-autoscaler"
  description = "EKS cluster-autoscaler policy for cluster ${module.eks.cluster_id}"
  policy      = data.aws_iam_policy_document.cluster_autoscaler.json
}

data "aws_iam_policy_document" "cluster_autoscaler" {
  statement {
    sid    = "clusterAutoscalerAll"
    effect = "Allow"

    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "ec2:DescribeLaunchTemplateVersions",
    ]

    resources = ["*"]
  }

  statement {
    sid    = "clusterAutoscalerOwn"
    effect = "Allow"

    actions = [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "autoscaling:UpdateAutoScalingGroup",
    ]

    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${module.eks.cluster_id}"
      values   = ["owned"]
    }

    condition {
      test     = "StringEquals"
      variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
      values   = ["true"]
    }
  }
}

3) Install cluster-autoscaler using helm charts

resource "helm_release" "cluster-autoscaler" {
  depends_on = [
    module.eks
  ]

  name             = "cluster-autoscaler"
  namespace        = local.k8s_service_account_namespace
  repository       = "https://kubernetes.github.io/autoscaler"
  chart            = "cluster-autoscaler"
  version          = "9.10.7"
  create_namespace = false

  set {
    name  = "awsRegion"
    value = data.aws_region.current.name
  }
  set {
    name  = "rbac.serviceAccount.name"
    value = local.k8s_service_account_name
  }
  set {
    name  = "rbac.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
    value = module.iam_assumable_role_admin.iam_role_arn
    type  = "string"
  }
  set {
    name  = "autoDiscovery.clusterName"
    value = local.name
  }
  set {
    name  = "autoDiscovery.enabled"
    value = "true"
  }
  set {
    name  = "rbac.create"
    value = "true"
  }
}

Note:-
Make sure your public and private subnets properly tagged which enables automatic subnet discovery so Kubernetes Cloud Controller Manager (cloud-controller-manager) and AWS Load Balancer Controller (aws-load-balancer-controller) can identify which subnets going to use for provisioning a ELB when creating Loadbalancer type Service. If you creating the VPC and Subnets from scratch you may use vpc.tf . Otherwise you can tag you subnets accordingly.

  public_subnet_tags = {
    "kubernetes.io/cluster/${local.name}" = "shared"
    "kubernetes.io/role/elb"              = "1"
  }

  private_subnet_tags = {
    "kubernetes.io/cluster/${local.name}" = "shared"
    "kubernetes.io/role/internal-elb"     = "1"
  }

You will find my code in https://github.com/chathra222/tf-eks-autoscaling

Deploy all the resources using terraform

terraform init
terraform apply

Once applied,You can check it in AWS management console also.

Lets discover what Kubernetes resources have been provisioned

kubectl get deploy -n kube-system
NAME                                        READY   UP-TO-DATE   AVAILABLE   AGE
cluster-autoscaler-aws-cluster-autoscaler   1/1     1            1           8h
coredns                                     2/2     2            2           8h

As you can see there is a deployment called cluster-autoscaler-aws-cluster-autoscaler in kube-system namespace.

kubectl get deploy -n kube-system cluster-autoscaler-aws-cluster-autoscaler -o yaml|grep -i serviceAccountName
      serviceAccountName: cluster-autoscaler-aws

Lets investigate the service account cluster-autoscaler-aws

kubectl describe sa cluster-autoscaler-aws
Name:                cluster-autoscaler-aws
Namespace:           kube-system
Labels:              app.kubernetes.io/instance=cluster-autoscaler
                     app.kubernetes.io/managed-by=Helm
                     app.kubernetes.io/name=aws-cluster-autoscaler
                     helm.sh/chart=cluster-autoscaler-9.10.7
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::272435851616:role/cluster-autoscaler
                     meta.helm.sh/release-name: cluster-autoscaler
                     meta.helm.sh/release-namespace: kube-system
Image pull secrets:  <none>
Mountable secrets:   cluster-autoscaler-aws-token-x7ds6
Tokens:              cluster-autoscaler-aws-token-x7ds6
Events:              <none>

you may notice the annotation eks.amazonaws.com/role-arn: arn:aws:iam::272435851616:role/cluster-autoscaler which says that the this serivce account can assume role arn:aws:iam::272435851616:role/cluster-autoscaler.

Lets discover cluster-autoscaler deployment

kubectl get deploy -o yaml cluster-autoscaler-aws-cluster-autoscaler
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    meta.helm.sh/release-name: cluster-autoscaler
    meta.helm.sh/release-namespace: kube-system
  creationTimestamp: "2021-11-07T01:10:29Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: cluster-autoscaler
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: aws-cluster-autoscaler
    helm.sh/chart: cluster-autoscaler-9.10.7
  name: cluster-autoscaler-aws-cluster-autoscaler
  namespace: kube-system
  resourceVersion: "1292"
  uid: 9f0f7f3f-adfd-422f-a007-7c1aa20deb4e
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: cluster-autoscaler
      app.kubernetes.io/name: aws-cluster-autoscaler
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/instance: cluster-autoscaler
        app.kubernetes.io/name: aws-cluster-autoscaler
    spec:
      containers:
      - command:
        - ./cluster-autoscaler
        - --cloud-provider=aws
        - --namespace=kube-system
        - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/eks-scalable-cluster
        - --logtostderr=true
        - --stderrthreshold=info
        - --v=4
        env:
        - name: AWS_REGION
          value: ap-southeast-1
        image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /health-check
            port: 8085
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: aws-cluster-autoscaler
        ports:
        - containerPort: 8085
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: cluster-autoscaler-aws
      serviceAccountName: cluster-autoscaler-aws
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2021-11-07T01:11:42Z"
    lastUpdateTime: "2021-11-07T01:11:42Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2021-11-07T01:10:29Z"
    lastUpdateTime: "2021-11-07T01:11:42Z"
    message: ReplicaSet "cluster-autoscaler-aws-cluster-autoscaler-74977bcc47" has
      successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

There are various parameters for cluster-autoscaler. You may refer https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#what-are-the-parameters-to-ca to customize according to your need.

This link is a really good if you want to understand further about cluster autoscaler.
https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md

Lets save more costs by using these autoscaling options wisely. :-)

EKS Fargate with Nginx Ingress Controller

Chathra Serasinghe — Fri, 05 Nov 2021 21:29:23 +0000

Why Fargate?

Fargate removes the requirement for you to set up and maintain EC2 instances for your Kubernetes applications. When your pods start, Fargate automatically allocates computing resources to operate them on-demand.

When to use?

If your workload/traffic patterns are irregular and unpredictable.

Why would I choose the NGINX ingress controller over the Application Load Balancer (ALB) ingress controller?

With the NGINX Ingress controller:
- can have multiple ingress objects for multiple environments or namespaces with the same network load balancer
With the ALB ingress controller:
- each ingress object requires a new load balancer.

Why Nginx ingress controller cannot run on Fargate only cluster?

Nginx ingress controller needs privilege escalation but in Fargate you are not allowed to do it. You will get following error when you try to deploy.

Pod not supported on Fargate: invalid SecurityContext fields: AllowPrivilegeEscalation

Why?

There are currently a few limitations that you should be aware of EKS fargate:

There is a maximum of 4 vCPU and 30Gb memory per pod.
Currently there is no support for stateful workloads that require persistent volumes or file systems.
You cannot run Daemonsets, Privileged pods, or pods that use HostNetwork or HostPort.
The only load balancer you can use is an Application Load Balancer.

So how can you still run your workload on fargate while using Nginx ingress controller?

You can run Nginx ingress contoller on EKS managed nodes and workload can be run on Fargate nodes.

What is a Fargate Profile?

Before you can schedule pods on Fargate in your cluster, you must define at least one Fargate profile that specifies which pods use Fargate when launched.
The Fargate profile allows an administrator to declare which pods run on Fargate.
This declaration is done through the profile’s selectors. Each profile can have up to five selectors that contain a namespace and optional labels.
If a pod matches multiple Fargate profiles, Amazon EKS picks one of the matches at random. In this case, you can specify which profile a pod should use by adding the following Kubernetes label to the pod specification: eks.amazonaws.com/fargate-profile:

How fargate profile should look like:

can have maximum 5 selectors per profile
selector must associated only one namespace
you can also specify labels for a namespace (optional)
you should have an pod execution role
You should specify subnet ids (only private subnets)

Demo:

1) Deploy EKS Fargate Cluster with a managed node

You can use this code to launch your EKS Fargate cluster



https://github.com/chathra222/eks-fargate-example

2) Use the AWS CLI update-kubeconfig command to create or update your kubeconfig for your cluster.



aws eks --region <region-code> update-kubeconfig --name <cluster_name>

Get the nodes. You will notice that there are 2 Fargate nodes and a one managed node.



kubectl get no
NAME                                                      STATUS   ROLES    AGE    VERSION
fargate-ip-172-16-1-180.ap-southeast-1.compute.internal   Ready    <none>   142m   v1.20.7-eks-135321
fargate-ip-172-16-1-81.ap-southeast-1.compute.internal    Ready    <none>   126m   v1.20.7-eks-135321
ip-172-16-1-192.ap-southeast-1.compute.internal           Ready    <none>   10m    v1.20.10-eks-3bcdcd

3) Install Nginx Ingress Controller in EKS Fargate



kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/aws/deploy.yaml

You will notice that Nginx ingress controller is deployed on managed node.



 kubectl get po -o wide -n ingress-nginx
NAME                                        READY   STATUS      RESTARTS   AGE    IP             NODE                                              NOMINATED NODE   READINESS GATES
ingress-nginx-admission-create-7fp69        0/1     Completed   0          136m   172.16.1.28    ip-172-16-1-192.ap-southeast-1.compute.internal   <none>           <none>
ingress-nginx-admission-patch-br5qg         0/1     Completed   1          136m   172.16.1.179   ip-172-16-1-192.ap-southeast-1.compute.internal   <none>           <none>
ingress-nginx-controller-5699dc4f77-x9z4j   1/1     Running     0          15m    172.16.1.196   ip-172-16-1-192.ap-southeast-1.compute.internal   <none>           <none>

In step 1, I created a fargate cluster with a fargate profile called default.

Lets create a pod called test with a label called WorkerType=fargate in namespace default

test.yaml



apiVersion: v1
kind: Pod
metadata:
  labels:
    WorkerType: fargate
  name: test
spec:
  containers:
  - image: frjaraur/non-root-nginx
    name: test

kubectl apply -f test.yaml

You will notice that it has scheduled in fargate node.



kubectl get po -o wide
NAME   READY   STATUS    RESTARTS   AGE     IP             NODE                                                      NOMINATED NODE   READINESS GATES
test   1/1     Running   0          6m25s   172.16.3.209   fargate-ip-172-16-3-209.ap-southeast-1.compute.internal   <none>           <none>

But if you run a pod which doesn't match with fargate profile's selectors, then it will not run on fargate nodes.

nomatchpod.yaml



apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nomatchpod
  name: nomatchpod
spec:
  containers:
  - image: nginx
    name: nginx

kubectl apply -f nomatchpod.yaml

You can notice that nomatchpod didn't run on fargate node because it didn't match the criteria defined in fargate profile.



 kubectl get po -o wide
NAME         READY   STATUS    RESTARTS   AGE   IP             NODE                                                      NOMINATED NODE   READINESS GATES
nomatchpod   1/1     Running   0          23s   172.16.1.41    ip-172-16-1-192.ap-southeast-1.compute.internal           <none>           <none>
test         1/1     Running   0          15m   172.16.3.209   fargate-ip-172-16-3-209.ap-southeast-1.compute.internal   <none>           <none>

Lets expose test pod as a service called testsvc



kubectl expose po test --name=testsvc --port=80
service/testsvc exposed

Then create an ingress resource ingress.yaml



apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: nginx # make sure to add this
spec:
  rules:
    - http:
        paths:
          - path: /test
            pathType: Prefix
            backend:
              service:
                name: testsvc
                port:
                  number: 80



kubectl apply -f ingress.yaml
ingress.networking.k8s.io/minimal-ingress created



NAME              CLASS    HOSTS   ADDRESS                                                                              PORTS   AGE
minimal-ingress   <none>   *       a4c206981b7d14678bf6be5911d8223a-2122040efbe82462.elb.ap-southeast-1.amazonaws.com   80      39m

You can access the service now using http://nlb_hostname/test

This is how you can use Nginx Ingress Controller in a EKS fargate Cluster.