DEV Community: Hai Tran

Setup VSCode SSH with Cloud9 using CDK

Hai Tran — Wed, 27 Apr 2022 14:50:43 +0000

Summary

There are some benefit when using Cloud9, here is the aws blog vscode cloud9

Auto hibernate after 30 minutes idle
Auto turn on when open vscode
No open port

CDK stack to create a cloud9 environment

There are multiple way to launch a cloud9 such as AWS console, CLI, CloudFormation, I go with a CDK stack as below.

import { aws_cloud9, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class Cloud9CdkStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // cloud9 environment
    const cloud9 = new aws_cloud9.CfnEnvironmentEC2(
      this,
      'CdkCloud9Example',
      {
        automaticStopTimeMinutes: 30,
        instanceType: 't2.large',
        name: 'CdkCloud9Example',
        connectionType: 'CONNECT_SSM',
        ownerArn: `arn:aws:iam::${this.account}:user/YOUR_IAM_USER_NAME`
      }
    )

    // access the ec2 and attach volume

  }
}

Configure ssh for the local machine

Generate ssh private and public key

ssh-keygen -b 4096 -C 'VS Code Remote SSH user' -t rsa

Copy the public key from the local machine

cat ~/.ssh/id_rsa.pub

Paste the key to authorized_keys in ec2 instance

echo 'key pub' >> authorized_keys

Configure ssh config for the local machine

Host cloud9
    IdentityFile ~/.ssh/id_rsa_cloud9
    User ec2-user
    HostName INSTANCE_ID
    ProxyCommand sh -c "~/.ssh/ssm-proxy.sh %h %p"

Download the ssm-proxy script from here.It will check it the Cloud9-EC2 is running or not.

If the EC2 running, it starts a ssm session and ssh tunnel via the session.
If the EC2 is stopped, it will start the instance first, then start the ssm session and tunnel ssh.

 chmod +x ~/.ssh/ssm-proxy.sh

Setup vscode ssh remote to a private EC2 instance via ssm

Hai Tran — Tue, 26 Apr 2022 13:46:34 +0000

Summary

With AWS system manager (SSM), it is possible to setup vscode ssh remote to a EC2 in a private subnet, and without open 22 port. GitHub,

Setup a connection to a private EC2 via SSM
Setup vscode ssh remote to the EC2 by proxyCommand
Create the infrastructure by a CDK stack

Reference

Architecture

CDK Stack

create a VPC with a S3 VPC endpoint



    const vpc = new aws_ec2.Vpc(
      this,
      'VpcWithS3Endpoint',
      {
        gatewayEndpoints: {
          S3: {
            service: aws_ec2.GatewayVpcEndpointAwsService.S3
          }
        }
      }
    )

add system manager VPC interface endpoint



    vpc.addInterfaceEndpoint(
      'VpcIterfaceEndpointSSM',
      {
        service: aws_ec2.InterfaceVpcEndpointAwsService.SSM
      }
    )

create an IAM role for the EC2



    const role = new aws_iam.Role(
      this,
      'RoleForEc2ToAccessS3',
      {
        roleName: 'RoleForEc2ToAccessS3',
        assumedBy: new aws_iam.ServicePrincipal('ec2.amazonaws.com'),
      }
    )

role for EC2 to communicate with SSM



    role.addManagedPolicy(
      aws_iam.ManagedPolicy.fromManagedPolicyArn(
        this,
        'PolicySSMMangerAccessS3',
        'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
      )
    )

policy for EC2 to access S3



    role.attachInlinePolicy(
      new aws_iam.Policy(
        this,
        'PolicyForEc2AccessS3',
        {
          policyName: 'PolicyForEc2AccessS3',
          statements: [
            new aws_iam.PolicyStatement(
              {
                actions: ['s3:*'],
                resources: ['*']
              }
            ),
          ]
        }
      )
    )

launch an EC2 in a private subnet



    const ec2 = new aws_ec2.Instance(
      this,
      'Ec2ConnectVpcEndpointS3',
      {
        role: role,
        keyName: 'hai_ec2_t4g_large',
        vpc: vpc,
        instanceName: 'Ec2ConnectVpcEndpointS3',
        instanceType: aws_ec2.InstanceType.of(aws_ec2.InstanceClass.T2, aws_ec2.InstanceSize.SMALL),
        machineImage: aws_ec2.MachineImage.latestAmazonLinux(),
        securityGroup: sg,
        vpcSubnets: {
          subnetType: aws_ec2.SubnetType.PRIVATE
        }
      }
    )

Setup a connection to private EC2 via SSM

follow this to install ssm plugin for the local machine
start a ssm session from the local machine



aws ssm start-session --target "EC2-INSTANCE-ID"

Setup vscode ssh remote to the EC2

follow this to nstall ssh remote extension for vscode
generate SSH key pair from the local machine



ssh-keygen -b 4096 -C 'VS Code Remote SSH user' -t rsa

configure the ~/.ssh/config file



Host ssm-private-ec2
  IdentityFile ~/.ssh/id_rsa
  HostName i-026bb5f5caaf16aa1
  User ec2-user
  ProxyCommand sh -c "~/.ssh/ssm-private-ec2-proxy.sh %h %p"

create a ssm-private-ec2-proxy.sh file



#!/bin/bash

AWS_PROFILE=''
AWS_REGION=''
MAX_ITERATION=5
SLEEP_DURATION=5

# Arguments passed from SSH client
HOST=$1
PORT=$2

echo $HOST

# Start ssm session
aws ssm start-session --target $HOST \
  --document-name AWS-StartSSHSession \
  --parameters portNumber=${PORT} \
  --profile ${AWS_PROFILE} \
  --region ${AWS_REGION}

vscode will create a ssh connection to the EC2 via the ProxyCommand script which creates a SSM session under the hood. This is the way vscode ssh remote with cloud9 works

AWS IoT Demo with CDK and Amplify

Hai Tran — Fri, 15 Apr 2022 04:54:59 +0000

Architecture

Demo
- demo react web no real-time here because we need to publish data from the test/test_pub.py
- video demo
- GitHub here
CDK
- Create an IoT thing, attach a policy to X509 certificate, then attach the cert to the IoT thing
- Create IoT rules to deliver data to Kinesis Firehose, DB
- Create a Lambda function to query from DB
Amplify
- Cognito and PubSub to subscribe to IoT topics
- Attach an AWS IoT policy to the Cognito ID
- Pre-built authentication UI (useAuthenticator)
CharJs
- Plot and update two simple charts
- Chart 1. Keep pulling data from DB via an API
- Chart 2. Subscribe to an IoT topic
- Amplify to host the react app
IoT Thing and Certificate
- Attach a X509 certificate to the physical IoT device
- Attach a AWS IoT policy to the X509 ceritifcate to allow read/write AWS IoT topics
AWS IoT topic rules
- Attach a role to a rule to enable AWS IoT rules write to S3, Firehose, DyanmoDB

Check AWS IoT Service Endpoint

aws iot describe-endpoint --region ap-southeast-1

Download AWS CA certificate

Download one of the CA certificate which required to configure mqtt client. reference 1 and reference 2.

    https://www.amazontrust.com/repository/AmazonRootCA1.pem \
    https://www.amazontrust.com/repository/AmazonRootCA2.pem \
    https://www.amazontrust.com/repository/AmazonRootCA3.pem \
    https://www.amazontrust.com/repository/AmazonRootCA4.pem \

An alternative way is to create a CA certificate reference 3

openssl genrsa -out root_CA_key_filename.key 2048

openssl req -x509 -new -nodes \
    -key root_CA_key_filename.key \
    -sha256 -days 1024 \
    -out root_CA_cert_filename.pem

Create key and certificate

I have to create key and certificates from CLI or AWS console. To create them from CDK, follow this custom resource reference 4

aws iot create-keys-and-certificate \
--set-as-active \
--certificate-pem-outfile esp-certificate.crt \
--public-key-outfile esp-public.key \
--private-key-outfile esp-private.key \
--region ap-southeast-1

Take not the CERTIFICATE_ARN
Re-download the certificate given its ID
configure aws cli output as text

aws iot describe-certificate --certificate-id

IoT Thing, X509 Certificate, and Policy

To allow the IoT thing can write data to AWS IoT core, we need to attach a X509 certificate the the physical IoT device. We also need to attach a policy to the X509 certificate in AWS to specify ALLOW actions.

Create a policy for the X509 certificate

const policy = new aws_iot.CfnPolicy(
      this,
      'PolicyForDemoDevice',
      {
        policyName: 'PolicyForDemoDevice',
        policyDocument: new aws_iam.PolicyDocument(
          {
            statements: [
              new aws_iam.PolicyStatement(
                {
                  actions: ['iot:*'],
                  resources: ['*'],
                  effect: aws_iam.Effect.ALLOW
                }
              )
            ]
          }
        )
      }
    )

Attach the policy to the X509 certificate

const attachPolicy = new aws_iot.CfnPolicyPrincipalAttachment(
      this,
      'AttachPolicyForDemoDevice',
      {
        policyName: policy.policyName!.toString(),
        principal: props.certificateArn
      }
    )

    attachPolicy.addDependsOn(
      policy
    )

Attach the X509 certificate to the IoT thing

const attachCert = new aws_iot.CfnThingPrincipalAttachment(
      this,
      'AttachCertificiateToThing',
      {
        thingName: thing.thingName!.toString(),
        principal: props.certificateArn
      }
    )

    attachCert.addDependsOn(
      thing
    )

IoT Rules and Role

To allow IoT rules to delivery data to other services such as S3, DynamoDB, Firehose, we need to attach a role to each rule.

Create a role

 const role = new aws_iam.Role(
      this,
      'RoleForIoTCoreToAccessS3',
      {
        roleName: 'RoleForIoTCoreToAccessS3',
        assumedBy: new aws_iam.ServicePrincipal('iot.amazonaws.com')
      }
    )

Attach inline policies to the role

 role.attachInlinePolicy(
      new aws_iam.Policy(
        this,
        'PolicyForIoTcoreToAccessS3',
        {
          policyName: 'PolicyForIoTcoreToAccessS3',
          statements: [
            new aws_iam.PolicyStatement(
              {
                actions: ['s3:*'],
                resources: ['arn:aws:s3:::bucketName/*']
              }
            ),
            new aws_iam.PolicyStatement(
              {
                actions: ['firehose:*'],
                resources: ['*']
              }
            ),
            new aws_iam.PolicyStatement(
              {
                actions: ['dynamodb:*'],
                resources: ['*']
              }
            )
          ]
        }
      )
    )

Create rules with actions and attached the role

const topicRule = new aws_iot.CfnTopicRule(
      this,
      'TopicRuleDemo',
      {
        ruleName: 'TopicRuleDemo',
        topicRulePayload: {
          actions: [
            {
              firehose: {
                deliveryStreamName: firehoseDeilvery.deliveryStreamName,
                roleArn: role.roleArn
              }
            },
            {
              s3: {
                bucketName: 'bucketName',
                key: 'iot-one',
                roleArn: role.roleArn
              },
            },
            {
              dynamoDb: {
                hashKeyField: 'id',
                hashKeyValue: 'device01',
                hashKeyType: 'STRING',
                rangeKeyField: 'timestamp',
                rangeKeyValue: '${timestamp()}',
                rangeKeyType: 'STRING',
                roleArn: role.roleArn,
                tableName: table.tableName
              }
            }
          ],
          sql: `SELECT *, cast(timestamp() as STRING) AS timestamp FROM 'topic/subtopic'`
        }
      }
    )

Amplify, Cognito and AWS IoT Policy

To allow Amplify (react web app) subscribe to an AWS IoT topic, we need to attach policy to Conigto ID.

Find the Cognito ID from the react web app as following

import Amplify, { Auth, PubSub } from 'aws-amplify';
Auth.currentCredentials().then(creds => console.log(creds));

The Cognito ID can be found from the creds log

Attach AWS IoT policy to the Cognito ID as following

aws iot attach-policy --policy-name 'PolicyForDemoDevice' --target ap-southeast-1:41f19265-5ecd-4c86-8b34-cc58dee6c2f0
aws iot attach-policy --policy-name 'PolicyForDemoDevice' --target ap-southeast-1:2d1afbd5-2d7d-43ec-b906-a40ac2416c10

Remote Access Private EC2 Instances via System Manager

Hai Tran — Sun, 10 Apr 2022 00:19:27 +0000

Summary

System manager enable remote access to EC2 instances (both private and public subnet) without using SSH and opening port 22. In addition, from the private EC2, it is possible to access other services such as S3 via VPC service endpoints. In this post, I would like share how to deploy these by using CDK.

Remote access a prviate EC2 by system mananger
The private EC2 can access S3 via VPC endpoint
Deply by a CDK stack
GitHub

Architecture

CDK Stack

Create a VPC with a S3 VPC endpoint

    const vpc = new aws_ec2.Vpc(
      this,
      'VpcWithS3Endpoint',
      {
        gatewayEndpoints: {
          S3: {
            service: aws_ec2.GatewayVpcEndpointAwsService.S3
          }
        }
      }
    )

Add system manager VPC interface endpoint

    vpc.addInterfaceEndpoint(
      'VpcIterfaceEndpointSSM',
      {
        service: aws_ec2.InterfaceVpcEndpointAwsService.SSM
      }
    )

Create an IAM role for the EC2

    const role = new aws_iam.Role(
      this,
      'RoleForEc2ToAccessS3',
      {
        roleName: 'RoleForEc2ToAccessS3',
        assumedBy: new aws_iam.ServicePrincipal('ec2.amazonaws.com'),
      }
    )

Role for EC2 to communicate with SSM

    role.addManagedPolicy(
      aws_iam.ManagedPolicy.fromManagedPolicyArn(
        this,
        'PolicySSMMangerAccessS3',
        'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
      )
    )

Policy for EC2 to access S3

    role.attachInlinePolicy(
      new aws_iam.Policy(
        this,
        'PolicyForEc2AccessS3',
        {
          policyName: 'PolicyForEc2AccessS3',
          statements: [
            new aws_iam.PolicyStatement(
              {
                actions: ['s3:*'],
                resources: ['*']
              }
            ),
          ]
        }
      )
    )

Launch an EC2 in a private subnet

    const ec2 = new aws_ec2.Instance(
      this,
      'Ec2ConnectVpcEndpointS3',
      {
        role: role,
        keyName: 'hai_ec2_t4g_large',
        vpc: vpc,
        instanceName: 'Ec2ConnectVpcEndpointS3',
        instanceType: aws_ec2.InstanceType.of(aws_ec2.InstanceClass.T2, aws_ec2.InstanceSize.SMALL),
        machineImage: aws_ec2.MachineImage.latestAmazonLinux(),
        securityGroup: sg,
        vpcSubnets: {
          subnetType: aws_ec2.SubnetType.PRIVATE
        }
      }
    )

Arm Gravition Versus X86 on Fibonaci and FFT Running Time

Hai Tran — Wed, 23 Mar 2022 00:12:42 +0000

Summary

According to AWS Graviton2 the Arm Graviton provides 34% better price performance than X86. In some sense, it runs faster 34% compared with X86. So I do a small experiment to check this. AWS CDK and CodeBuild with Arm based instance makes it easy to setup. So the Graviton does run about 30% faster than X86. GitHub

Runtime Python 3.8
Numpy 1.22.1
Lambda memory 2048MB
Lambda timeout 10 seconds

CDK Pipeline

CDK make it very friendly to build this pipeline, feeling like pure programming infrastructure.

Running time for Fibonaci

def recur_fibo(n):
    if n <= 1:
        return n
    else:
        return(recur_fibo(n-1) + recur_fibo(n-2))

n = 30 used for testing.

Running time for FFT single thread

data = np.random.rand(8192, 8192)
np.fft.fft(data, axis=0)

Running time for FFT multi-thread (Lambda memory 10240MB)

data = [np.random.rand(8192, 2048) for k in range(4)]
with ThreadPoolExecutor(max_worker=4) as executor:
  for x in data:
    executor.submit(np.fft.fft, x, axis=0)

CI/CD Pipeline to Deploy Lambda with Latest ECR Image Tag Using SSM Parameter Store

Hai Tran — Tue, 01 Mar 2022 05:13:41 +0000

CI/CD Pipeline for Lambda with ECR and SSM for updating tag

This note shows using SSM parameter in CI/CD for passing ECR image tag from CodeBuild to deployment stacks. So the latest ECR image is used in the latest deployed stack such as a lambda function. The default ecr tag is latest and this might cause CloudFormation think that there is not update after pushing an image to ecr. So, it is better to push image with a tag by build number, CODEBUILD_RESOLVED_SOURCE_VERSION, or Git SHA, etc. There are other solutions such as exported variables in CodeBuild, then overrideParameter in deployment stacks. Here SSM is an easy way.

CodeBuild to build a Docker image, tag, and push to an ecr repository
The tag written to SSM (system parameter store)
CodeBuild CDK synth application stack
CodeDeploy deploy the application stack, and the latest ecr tag is read from the SSM

Architecture

CodeBuild role to push ecr and put-paraemter to ssm

const role = new aws_iam.Role(
  this,
  'IamRoleForCodeBuildPushEcr',
  {
    assumedBy: new aws_iam.ServicePrincipal('codebuild.amazonaws.com')
  }
)

role.attachInlinePolicy(
  new aws_iam.Policy(
    this,
    "PushEcrPolicy", {
      statements: [
        new aws_iam.PolicyStatement({
          effect: aws_iam.Effect.ALLOW,
          actions: ['ecr:*'],
          resources: ['*']
        }),
        new aws_iam.PolicyStatement({
          effect: aws_iam.Effect.ALLOW,
          actions: ['ssm:*'],
          resources: ['*']
        })
      ]
    }
  )
)

CodeBuild project

// codebuild project
    const codeBuild = new aws_codebuild.PipelineProject(
      this,
      'CodeBuildProject',
      {
        role: role,
        environmentVariables: {
          AWS_ACCOUNT_ID: {value: 'AWS_ACCOUNT_ID'}
        },
        environment: {
          buildImage: aws_codebuild.LinuxBuildImage.STANDARD_5_0,
          computeType: aws_codebuild.ComputeType.MEDIUM,
          privileged: true
        },
        buildSpec: aws_codebuild.BuildSpec.fromObject({
          version: '0.2',
          phases: {
            install: {
              commands: [
                'echo Logging in to Amazon ECR...'
              ]
            },
            // login in ecr
            pre_build: {
              commands: [
                'aws ecr get-login-password --region ap-southeast-1 | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.ap-southeast-1.amazonaws.com'
              ]
            },
            // build ecr image
            build: {
              commands: [
                'docker build -t  ecr-image-name:${CODEBUILD_RESOLVED_SOURCE_VERSION} ./lib/lambda/',
                'docker tag ecr-image-name:${CODEBUILD_RESOLVED_SOURCE_VERSION} ${AWS_ACCOUNT_ID}.dkr.ecr.ap-southeast-1.amazonaws.com/ecr-image-name:${CODEBUILD_RESOLVED_SOURCE_VERSION}'
              ]
            },
            // push ecr image
            post_build: {
              commands: [
                'export imageTag=${CODEBUILD_RESOLVED_SOURCE_VERSION}',
                'docker push ${AWS_ACCOUNT_ID}.dkr.ecr.ap-southeast-1.amazonaws.com/ecr-image-name:${CODEBUILD_RESOLVED_SOURCE_VERSION}',
                'echo ${CODEBUILD_RESOLVED_SOURCE_VERSION}',
                'aws ssm put-parameter --name FhrEcrImageTagDemo --type String --value ${CODEBUILD_RESOLVED_SOURCE_VERSION} --overwrite'
              ]
            }
          },
          env: {
            'exported-variables': [
              'imageTag'
            ]
          }
        })
      }
    )

SSM parameters for CI/CD

create a ssm

aws ssm put-parameter --name 'parameterName' --description 'keep track ecr image tag' --value 'b05517a66933f6fde060efe2ecd78784767f6ce1' --type 'String'

get a ssm

aws ssm get-parameter --name 'parameterName'

update a ssm

aws ssm put-parameter --name 'parameterName' --type 'String' --value 'b05517a66933f6fde060efe2ecd78784767f6ce1' --overwrite

aws ssm put-parameter --name parameterName --type String --value '0a95b18303e05f2de9315bbb385da173398b9661' --overwrite

Entire pipeline

import { 
  aws_codebuild,
  aws_codecommit, 
  aws_codepipeline, 
  aws_codepipeline_actions, 
  aws_ecr, 
  aws_iam, 
  aws_lambda, 
  aws_s3, 
  aws_ssm, 
  Duration, 
  Stack, 
  StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class CodebuildPushEcrStack extends Stack {

  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // role and polices for codebuild to push ecr image
    const role = new aws_iam.Role(
      this,
      'IamRoleForCodeBuildPushEcr',
      {
        assumedBy: new aws_iam.ServicePrincipal('codebuild.amazonaws.com')
      }
    )

    role.attachInlinePolicy(
      new aws_iam.Policy(
        this, 
        "PushEcrPolicy", {
          statements: [
            new aws_iam.PolicyStatement({
              effect: aws_iam.Effect.ALLOW,
              actions: ['ecr:*'],
              resources: ['*']
            }),
            new aws_iam.PolicyStatement({
              effect: aws_iam.Effect.ALLOW,
              actions: ['ssm:*'],
              resources: ['*']
            })
          ]
        }
      )
    )

    // codecommit 
    const repository = aws_codecommit.Repository.fromRepositoryName(
      this, 
      'CodeCommitRepository',
      `codebuild-push-ecr-${this.account}`
    )

    // codepipeline artifact 
    const artifactBucket = aws_s3.Bucket.fromBucketName(
      this, 
      'ArtifactBucket',
      'fhr-codepipeline-artifact'
    )

    // artifact folders for source, codebuild 
    const sourceOutput = new aws_codepipeline.Artifact('SourceOutput')
    const codeBuildOutput = new aws_codepipeline.Artifact("CodeBuildOutput")
    const cdkBuildOutput = new aws_codepipeline.Artifact('CdkBuildOutput')


    // codebuild project 
    const codeBuild = new aws_codebuild.PipelineProject(
      this, 
      'CodeBuildProject',
      {
        role: role,
        environmentVariables: {
          AWS_ACCOUNT_ID: {value: 'AWS_ACCOUNT_ID'}
        },
        environment: {
          buildImage: aws_codebuild.LinuxBuildImage.STANDARD_5_0,
          computeType: aws_codebuild.ComputeType.MEDIUM,
          privileged: true
        },
        buildSpec: aws_codebuild.BuildSpec.fromObject({
          version: '0.2', 
          phases: {
            install: {
              commands: [
                'echo Logging in to Amazon ECR...'
              ]
            },
            // login in ecr 
            pre_build: {
              commands: [
                'aws ecr get-login-password --region ap-southeast-1 | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.ap-southeast-1.amazonaws.com'
              ]
            },
            // build ecr image 
            build: {
              commands: [
                'docker build -t  fhr-ecr-image:${CODEBUILD_RESOLVED_SOURCE_VERSION} ./lib/lambda/',
                'docker tag fhr-ecr-image:${CODEBUILD_RESOLVED_SOURCE_VERSION} ${AWS_ACCOUNT_ID}.dkr.ecr.ap-southeast-1.amazonaws.com/fhr-ecr-image:${CODEBUILD_RESOLVED_SOURCE_VERSION}'
              ]
            },
            // push ecr image 
            post_build: {
              commands: [
                'export imageTag=${CODEBUILD_RESOLVED_SOURCE_VERSION}',
                'docker push ${AWS_ACCOUNT_ID}.dkr.ecr.ap-southeast-1.amazonaws.com/fhr-ecr-image:${CODEBUILD_RESOLVED_SOURCE_VERSION}',
                'echo ${CODEBUILD_RESOLVED_SOURCE_VERSION}',
                'aws ssm put-parameter --name FhrEcrImageTagDemo --type String --value ${CODEBUILD_RESOLVED_SOURCE_VERSION} --overwrite'
              ]
            }
          }, 
          env: {
            'exported-variables': [
              'imageTag'
            ]
          }
        })
      }
    )

    //
    const buildAction = new aws_codepipeline_actions.CodeBuildAction({
      actionName: 'BuildEcrImage',
      project: codeBuild, 
      input: sourceOutput, 
      outputs: [codeBuildOutput]
    })


    // CodeBuild project for cdk build 
    const cdkBuild = new aws_codebuild.PipelineProject(
      this, 
      'CdkBuikd',
      {
        environment: {
          buildImage: aws_codebuild.LinuxBuildImage.STANDARD_5_0
        },
        buildSpec: aws_codebuild.BuildSpec.fromObject({
          version: '0.2',
          phases: {
            install: {
              commands: [
                'npm install'
              ]
            },
            pre_build: {
              commands: [
                'npm run build',
                'npm run cdk synth -- -o dist'
              ]
            }
          },
          artifacts: {
            'base-directory': 'dist',
            files: [
              '*template.json'
            ]
          }
        })
      }
    )

    // codepipeline 
    new aws_codepipeline.Pipeline(
      this, 
      'CodePiplineProject', 
      {
        artifactBucket: artifactBucket,
        stages: [
          {
            stageName: 'Source',
            actions: [
              new aws_codepipeline_actions.CodeCommitSourceAction({
                actionName: 'ConnectRepository',
                repository: repository, 
                output: sourceOutput
              })
            ]
          }, 
          {
            stageName: 'Build', 
            actions: [
              buildAction,
              new aws_codepipeline_actions.CodeBuildAction({
                actionName: 'BuildStack',
                project: cdkBuild,
                input: sourceOutput,
                outputs: [cdkBuildOutput]
              })
            ]
          },

          {
            stageName: 'Deploy',
            actions: [
              new aws_codepipeline_actions.CloudFormationCreateUpdateStackAction({
                actionName: 'DeployLambdaEcrDemo',
                templatePath: cdkBuildOutput.atPath('ApplicationStack.template.json'),
                stackName: 'ApplicationStackEcrTagDemo',
                parameterOverrides: {
                },
                adminPermissions: true
              })
            ]
          }
        ]
      }
    )

  }
}


export class ApplicationStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props)

    // lambda fron ecr image uri
    const fn = new aws_lambda.Function(
      this,
      'LambdaFromEcrDemo',
      {
        runtime: aws_lambda.Runtime.FROM_IMAGE,
        handler: aws_lambda.Handler.FROM_IMAGE,
        timeout: Duration.seconds(90),
        environment: {
          'FHR_ENV': 'DEPLOY'
        },
        code: aws_lambda.Code.fromEcrImage(
          aws_ecr.Repository.fromRepositoryName(
            this,
            'EcrImageRepositoryDemo',
            'fhr-ecr-image',
          ),
          {
            tag: aws_ssm.StringParameter.valueForStringParameter(
              this, 
              'FhrEcrImageTagDemo'
            )
          }
        )
      }
    )
  }
}

export class RepositoryStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props)

    // create a repository 
    new aws_codecommit.Repository(
      this, 
      "CodeBuildPushEcrRepository", 
      {
        repositoryName: `codebuild-push-ecr-${this.account}`
      }
    )

  }
}

CloudWatch Monitoring and Alarm Notification for Lambda

Hai Tran — Tue, 22 Feb 2022 02:31:35 +0000

This note show a basic example how to use CloudWatch to monitor a Lambda function and notify when number of invocation greater than X within several minutes.

Metrics to monitor

CloudWatch metrics for a Lambda fuction
- Number of invocation within 5 minutes (period)
CloudWatch alarm
- Compare the metric with a threshold > X
- Evaluation period 1
- Action sends SNS notification
CloudWatch dashboard
- Number of invocation within each data point of 5 minutes
- Average duration of invocation

Some notes

CloudWatch logs are stored for 15 months, need to save to S3 if need longer
Lambda sends logs to CloudWatch per 1 minute
Principle to prevent premature/false alarm by M out of N (the trailing window)

Stack in CDK

create a lambda function

const fn = new aws_lambda.Function(
    this,
    "LambdaCloudWatchAlarmDemo",
    {
    runtime: aws_lambda.Runtime.PYTHON_3_8,
    handler: "index.handler",
    timeout: Duration.seconds(90),
    code: aws_lambda.Code.fromAsset(
        path.join(__dirname, "lambda")
    )
    }
)

create cloudwatch alarm

const alarm = new aws_cloudwatch.Alarm(
      this,
      "LambdaInvocationAlarmDemo",
      {
        metric: fn.metricInvocations(
          {
            statistic: 'sum',
            period: Duration.minutes(5)
          }
        ),
        threshold: 5,
        evaluationPeriods: 1
      }
    )

add alarm action

 alarm.addAlarmAction(
      new aws_cloudwatch_actions.SnsAction(aws_sns.Topic.fromTopicArn(
        this,
        "CodePipelineNotification",
        "arn:aws:sns:ap-southeast-1:account_id:CodePipelineNotification"
      ))
    )

cloudwatch dashboard

// title
dashboard.addWidgets(
      new aws_cloudwatch.TextWidget({
        markdown: `# Dashboard: ${fn.functionName}`,
        height: 1,
        width: 24
      })
    )
// number of invocation
 dashboard.addWidgets(
      new aws_cloudwatch.GraphWidget({
        title: "Invocation",
        left: [fn.metricInvocations(
          {
            statistic: 'sum',
            period: Duration.minutes(1)
          }
        )],
        width: 24
      })
    )
// duration 
 dashboard.addWidgets(
      new aws_cloudwatch.GraphWidget({
        title: "Duration",
        left: [fn.metricDuration()],
        width: 24
      })
    )

CDK to deploy a Lambda function

Hai Tran — Sat, 12 Feb 2022 04:35:28 +0000

There are may options to deploy a Lambda fuction:

zip the code and upload to S3
share large dependencies via EFS
inline funtion with CloudFormation

In this note, I would like to share three ways to deploy a Lambda function using AWS CDK, and integrate multiple Lambda functions with a API Gateway for testing.

1. Deploy a lambda function by files

install dependencies

python -m pip install --target path-to-lambda numpy

aws_lambda.Function

handler_file = aws_lambda.Function(
            self,
            id="lambda-handler-wo-dependencies",
            code=aws_lambda.Code.from_asset(path.join(dirname, "lambda")),
            handler="handler.handler_file",
            runtime=aws_lambda.Runtime.PYTHON_3_8,
            memory_size=512,
            timeout=Duration.seconds(90)
        )

2. Deploy a lambda function by ecr image

Note that the docker image is built from the local machine in this case. Here is the project structure

- aws_devops
    - lambda
        - Dockerfile
        - .dockerignore
        - handler.py
        - requirements.txt
     -aws_devops_stack.py

handler_ecr = aws_lambda.Function(
            self,
            id="lambda-ecr-build-local",
            code=aws_lambda.EcrImageCode.from_asset_image(
                directory=path.join(dirname, "lambda")
            ),
            handler=aws_lambda.Handler.FROM_IMAGE,
            runtime=aws_lambda.Runtime.FROM_IMAGE,
            memory_size=512,
            timeout=Duration.seconds(90)
        )

3. Deploy a lambda function with an existring ecr image

handler = aws_lambda.Function(
            self,
            id="EcrImageId",
            code=aws_lambda.EcrImageCode.from_ecr_image(
                repository=aws_ecr.Repository.from_repository_name(
                    self,
                    id="EcrImageId",
                    repository_name="EcrRepositoryName"
                )
            ),
            architecture=aws_lambda.Architecture.ARM_64,
            handler=aws_lambda.Handler.FROM_IMAGE,
            runtime=aws_lambda.Runtime.FROM_IMAGE,
            memory_size=512,
            timeout=Duration.seconds(90),
        )

4. Integrate an API Gateway with multiple lambdas

create an api gateway

api_gw = aws_apigateway.RestApi(
            self,
            id="ApiGatewayLambdaDeployOptions",
            rest_api_name="api-lambda-deploy-options"
        )

create api resource

api_file_resource = api_gw.root.add_resource(
            path_part="file"
        )

create lambda integration

 api_file_intetgration = aws_apigateway.LambdaIntegration(
            handler=handler_file
        )

add method to the resource

 api_file_resource.add_method(
            http_method="GET",
            integration=api_file_intetgration
        )

Graviton versus M1, vs x86 on FFT Performance

Hai Tran — Sat, 12 Feb 2022 04:02:25 +0000

AWS states that Graviton (ARM) is 30% faster than x86, however, I find out that FFT on the Graviton is slower than about 10% compared with the x86. Below is setup and results, hopefully, I have not correctly setup the numpy for Graviton. Anyway, multithread is 4x faster than single thread, in this case the 10240MB lambda has 6 vCPUs, I think

Lambda configuration

memory 10240 MB
timeout 90 seconds
deploy via ecr image and CDK
EC2 ARM64 to build the image for the Graviton
language python
numpy 1.22.1 and numpy.fft.fft
np.fft.fft(np.random.randint(0, 1000, (4098, 600)))

I deploy lambda by ecr image

Docker file

FROM public.ecr.aws/lambda/python:3.8

# create code dir inside container
RUN mkdir ${LAMBDA_TASK_ROOT}/source

# copy code to container
COPY . ${LAMBDA_TASK_ROOT}/source

# copy handler function to container
COPY ./handler.py ${LAMBDA_TASK_ROOT}

# install dependencies for running time environment
RUN pip3 install -r ./source/requirements.txt --target "${LAMBDA_TASK_ROOT}"

# set the CMD to your handler
CMD [ "handler.lambda_handler"]

lambda handler


import json
import numpy as np
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime

def single_thread_fft(sig):
    """
    normal fft
    """
    start_time = datetime.now()
    for x in sig:
        np.fft.fft(x, axis=0)
    end_time = datetime.now()
    delta_time = end_time.timestamp() - start_time.timestamp()
    print("single thread running time {0} ms".format(delta_time * 1000))
    return delta_time

def multi_thread_fft(sig):
    """
    thread fft
    """
    start_time = datetime.now()
    with ThreadPoolExecutor(max_workers=4) as executor:
        for x in sig:
            executor.submit(np.fft.fft, x, axis=0)
    end_time = datetime.now()
    delta_time = end_time.timestamp() - start_time.timestamp()
    print("multi thread running time {0} ms".format(delta_time * 1000))
    return delta_time


def lambda_handler(event, context):
    """
    Lambda handler
    """
    # signal for one channel
    sig = [np.random.randint(0, 1000, (4098, 600)) for k in range(4)]
    # single thread
    single_thread_time = single_thread_fft(sig)
    # multi thread
    multi_thread_time = multi_thread_fft(sig)
    # response
    return {
        'statusCode': 200,
        'headers': {
            "Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Headers": "Content-Type",
            "Access-Control-Allow-Methods": "OPTIONS,GET"
        },
        'body': json.dumps({"single thread: {0}, multi thread: {1}".format(single_thread_time * 1000, multi_thread_time*1000)},
                           indent=4,
                           sort_keys=True,
                           default=str)
    }

CDK lambda api gateway stack

class LambdaFFTArm(Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # The code that defines your stack goes here
        handler = aws_lambda.Function(
            self,
            id="LambdaFFTArm",
            code=aws_lambda.EcrImageCode.from_ecr_image(
                repository=aws_ecr.Repository.from_repository_name(
                    self,
                    id="LambdaFFTArmImage",
                    repository_name="lambda-fft-arm-image"
                )
            ),
            architecture=aws_lambda.Architecture.ARM_64,
            handler=aws_lambda.Handler.FROM_IMAGE,
            runtime=aws_lambda.Runtime.FROM_IMAGE,
            memory_size=10240,
            timeout=Duration.seconds(90),
        )
        # api gateway
        api_gw = aws_apigateway.LambdaRestApi(
            self,
            id="ApiLambdaFFTArm",
            handler=handler
        )
        # get api endpoint
        self.url_output = CfnOutput(self, "Url", value=api_gw.url)