The latest articles on DEV Community by Fidelis Ikoroje (@fidelisesq). https://dev.to/fidelisesq https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1297324%2F146a6e16-59c7-468f-8ae5-c6e6f71f5246.jpg https://dev.to/fidelisesq en Fidelis Ikoroje Sun, 03 Aug 2025 16:49:02 +0000 https://dev.to/fidelisesq/my-devops-portfolio-site-is-live-built-with-real-infrastructure-real-tools-4ip1 https://dev.to/fidelisesq/my-devops-portfolio-site-is-live-built-with-real-infrastructure-real-tools-4ip1 <p>I finally built my portfolio website, and it is live! Built to reflect my DevOps expertise, cloud projects, and technical journey, this isn’t just another portfolio—it’s a real-world demonstration of modern infrastructure, automation, and best practices.</p> <p>👉 Check it out here: <a href="https://fidelis.fozdigitalz.com" rel="noopener noreferrer">Live Site</a></p> <h2> Why This Portfolio Stands Out </h2> <p>Most portfolios focus only on design, but mine goes further—it’s a fully automated, cloud-native project that highlights my DevOps and cloud engineering skills. Every component, from hosting to analytics, was built with scalability, security, and cost efficiency in mind.</p> <h2> Behind the Scenes: Tech Stack &amp; Infrastructure </h2> <h3> Frontend: Simple Yet Powerful </h3> <ul> <li>HTML5, CSS3, Vanilla JS – No bloated frameworks, just clean, fast code.</li> <li>Mobile-first design – Flawless on any device.</li> <li>SEO-optimized – Proper meta tags for better visibility.</li> <li>Font Awesome icons – For a polished look.</li> </ul> <h3> AWS Cloud Architecture </h3> <p>The site runs on a highly available, low-cost AWS setup:</p> <ul> <li>S3 – Static website hosting (cost-effective &amp; reliable).</li> <li>CloudFront – Global CDN with SSL/TLS for fast loading worldwide.</li> <li>Route 53 – Secure DNS management.</li> <li>ACM – Free SSL certificates for HTTPS.</li> <li>Lambda + CloudWatch – Real-time log processing &amp; monitoring.</li> <li>Athena – Deep log analytics without third-party trackers.</li> </ul> <h3> DevOps &amp; Automation </h3> <ul> <li>Terraform (IaC) – Entire infrastructure defined as code.</li> <li>GitHub Actions CI/CD – Auto-deploys on git push to main.</li> <li>Auto-destroy feature – Trigger infrastructure teardown with a commit keyword (great for testing).</li> </ul> <h3> Privacy-First Analytics (No Google Tracking!) </h3> <p>Instead of invasive trackers, I built my own GDPR-compliant analytics:<br> ✔ CloudFront logs → Lambda → CloudWatch → Real-time metrics.<br> ✔ 10+ key insights (visitors, page views, errors, geolocation).<br> ✔ Athena for SQL-based log analysis – No external dependencies.</p> <h2> Key Features at a Glance </h2> <p>✅ Global performance (CloudFront CDN)<br> ✅ Zero manual deployments (GitHub Actions CI/CD)<br> ✅ Real-time privacy-safe analytics<br> ✅ Mobile-optimized &amp; SEO-friendly<br> ✅ Direct CV download (PDF hosted securely on S3)<br> ✅ Project showcase with case studies<br> ✅ Cost-efficient (~$6-7/month for enterprise-grade infra)</p> <h2> Why This Matters </h2> <p>This project isn’t just a portfolio—it’s a working example of:</p> <ul> <li>Infrastructure as Code (Terraform)</li> <li>Automated CI/CD pipelines</li> <li>Serverless cloud architecture</li> <li>Security &amp; compliance by design</li> <li>Cost optimization in the cloud</li> </ul> <h2> What’s Your Favorite Feature? </h2> <p>I’d love to hear your thoughts! Which part of this setup do you find most interesting? Let me know in the comments!</p> <h2> Follow Me </h2> <ul> <li> <strong>Website</strong>: <a href="https://fidelis.fozdigitalz.com" rel="noopener noreferrer">https://fidelis.fozdigitalz.com</a> </li> <li> <strong>LinkedIn</strong>: <a href="https://www.linkedin.com/in/fidelis-ikoroje/" rel="noopener noreferrer">Connect with me</a> </li> <li> <strong>GitHub</strong>: <a href="https://github.com/Fidelisesq/Fidelis-Portfolio" rel="noopener noreferrer">See the full project code here</a> </li> </ul> devops aws portfolio infrastructureascode Fidelis Ikoroje Wed, 30 Jul 2025 10:51:24 +0000 https://dev.to/fidelisesq/how-to-install-amazon-q-cli-on-windows-1lln https://dev.to/fidelisesq/how-to-install-amazon-q-cli-on-windows-1lln <p>Amazon Q CLI is part of <a href="https://aws.amazon.com/q/developer/build/" rel="noopener noreferrer">Amazon Q Developer</a>, a powerful generative AI assistant that helps you build, troubleshoot, and understand code directly from your terminal. It integrates with your local development environment, enabling you to ask questions, generate boilerplate code, fix bugs, and even explain complex logic — all from the command line.</p> <p>While Amazon Q is primarily available in the AWS Management Console and VS Code (via AWS Toolkit), you can also interact with it via the AWS CLI. Whether you're working in Python, JavaScript, Java, or other languages, Amazon Q is designed to boost your productivity as a developer.</p> <p>In this guide, you’ll learn how to install and set up the Amazon Q Command Line Interface (CLI) on a Windows machine using a smooth and reliable process. Alternatively, I have included a video walkthrough of this installation and where I used Amazon Q Developer to build an arcade game.</p> <h2> Steps to Install Amazon Q CLI on Windows </h2> <h3> Step 1. Install WSL ( Windows Subsystem for Linux) </h3> <p>Run the following command in PowerShell. <code>wsl --install or wsl --distrubution Ubuntu</code> enables the WSL feature on Windows. It enables the Virtual Machine Platform required for WSL and sets up Ubuntu by default, unless you specify another distro. The command is equivalent to <code>dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart)</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>wsl --install </code></pre> </div> <p>Note: The system will ask you to choose a username and password. Ensure you remember your password.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkufxqmhrugdnboan6uo5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkufxqmhrugdnboan6uo5.png" alt="Ubuntu Installed" width="800" height="448"></a></p> <h3> Step 2: Start Ubuntu in WSL </h3> <p>This command runs a Linux shell session inside Ubuntu, right from Windows<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>wsl -d Ubuntu </code></pre> </div> <h3> Step 3: Install unzip from your home directory </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cd ~ sudo apt install unzip </code></pre> </div> <h3> Step 4: Download Amazon Q CLI Installer </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl --proto '=https' --tlsv1.2 -sSf "https://desktop-release.q.us-east-1.amazonaws.com/latest/q-x86_64-linux.zip" -o "q.zip" </code></pre> </div> <h3> Step 5: Unzip the Installer, Setup &amp; Run </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>unzip q.zip cd q chmod +x install.sh ./install.sh </code></pre> </div> <h3> Step 6: Reload &amp; login </h3> <p>Optionally reload the shell with updates path setting and use your AWS Builder ID credentials to log in to use AWS Q Developer free version.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>bash q login </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxsnlvwxxukigifyn3i1a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxsnlvwxxukigifyn3i1a.png" alt="q login" width="795" height="82"></a></p> <p>Note: To use the <code>Pro version of Amazon Q Developer</code>, you need to have <code>AWS IAM Identity Center configured</code>, and ensure the user is <code>subscribed to Amazon Q Developer</code> under your AWS organization</p> <h3> Step 7: Start Amazon Q Developer </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>q chat </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6k66b8x3sf5lcuwzzld2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6k66b8x3sf5lcuwzzld2.png" alt="q chat live" width="800" height="412"></a></p> <h2> Tips for Using Amazon Q CLI </h2> <ul> <li>Run q in any project folder to start chatting with Amazon Q about your codebase.</li> <li>You can ask things like: -- “Explain what this function does” -- “Fix this error” -- “Write a Python script to sort JSON data.”</li> <li>Combine it with VS Code + WSL for a full AI-enhanced dev experience. Run the command below to use it in VS Code. Ensure you install the Microsoft WSL VS Code Extension. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mkdir -p ~/project/amazonq_game cd ~/project/aws_amazonq_game code . </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgirr99gc5bpu3xe6f92.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgirr99gc5bpu3xe6f92.png" alt="Amazon A CLI in VS Code" width="800" height="303"></a></p> <h2> 🧠 Things to Know About Amazon Q CLI </h2> <ul> <li>Amazon Q CLI is still evolving — you may need to sign into your AWS account for access.</li> <li>It supports multiple languages (Python, JavaScript, Java, TypeScript, etc.)</li> <li>It works best when run inside your project folder</li> <li>There are GUI versions too, but the CLI version is perfect for terminal lovers and power users</li> </ul> <h3> Video Guide </h3> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/t4hACBpxDYg"> </iframe> </p> <h3> Game Development with Amazon Q CLI </h3> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/PRqJJehrIj0"> </iframe> </p> <h2> ✅ Conclusion </h2> <p>Installing Amazon Q CLI on Windows is straightforward once you have the right files and path setup. With the CLI installed, you get a smart AI pair programmer right inside your terminal. Whether you're building apps, debugging, or exploring unfamiliar code, Amazon Q helps you work faster and smarter — without leaving your shell.</p> q cli webdev aws Fidelis Ikoroje Sat, 14 Jun 2025 20:24:17 +0000 https://dev.to/fidelisesq/serverless-image-resizer-on-aws-3mge https://dev.to/fidelisesq/serverless-image-resizer-on-aws-3mge <p>The Serverless Image Resizer is a cloud-native application that enables users to upload images and automatically resize them to predefined dimensions optimized for various social media platforms. Built on AWS serverless architecture, it provides a simple web interface for image management while handling the complex image processing behind the scenes.</p> <p>The application offers a comprehensive set of features including:</p> <ul> <li>📤 Secure image upload using pre-signed URLs</li> <li>⚙️ One-click image resizing with predefined dimensions for popular social media platforms (Instagram, Facebook, X, LinkedIn, YouTube)</li> <li>🤖 Automatic image processing using AWS Lambda</li> <li>🔍 Modal-based Original Image Preview</li> <li>📥 Download Resized Images</li> <li>❌ Delete Images via API Gateway</li> <li>🕓 Timestamps and File Size Display</li> <li>🌍 CloudFront CDN integration for fast global content delivery</li> <li>🔐 CORS-enabled API for secure cross-origin requests</li> <li>🖼️ Responsive web interface with image preview and management capabilities</li> </ul> <p>All of the above happens without managing any server - AWS services handle the scaling automatically.</p> <p>Here, I'll walk you through how I built the solution using AWS services, including Lambda, S3, CloudFront, and API Gateway, all deployed with Terraform.</p> <p>In order to keep the lenght of this article moderate, I kept the project configuration out of this post. Please find them in my <a href="https://github.com/Fidelisesq/Serverless-Image-Resizer" rel="noopener noreferrer">Github Page</a>.</p> <h3> Prerequisites </h3> <ul> <li>AWS Account with appropriate permissions</li> <li>Node.js 18.x or later</li> <li>Terraform 1.0 or later</li> <li>AWS CLI configured with appropriate credentials</li> <li>Domain name registered in Route 53</li> <li>SSL certificate in AWS Certificate Manager</li> </ul> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── frontend/ # Web interface files │ ├── app.js # Frontend JavaScript application logic │ └── index.html # Main HTML interface ├── lambda/ # AWS Lambda functions │ ├── delete/ # Image deletion function │ ├── list/ # Image listing function │ ├── presign/ # Pre-signed URL generation │ └── resize/ # Image resizing function └── terraform/ # Infrastructure as Code ├── api_gateway.tf # API Gateway configuration ├── cloudfront.tf # CDN distribution setup ├── iam+s3.tf # IAM roles and S3 bucket configuration ├── lambda.tf # Lambda functions configuration ├── main.tf # Main Terraform configuration ├── outputs.tf # Output variables ├── route53.tf # DNS configuration └── variables.tf # Input variables </code></pre> </div> <h3> 🧱 Architecture Overview </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbmuxvip7sbqmbob00jxk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbmuxvip7sbqmbob00jxk.png" alt="Architecture Diagram" width="726" height="527"></a></p> <ul> <li> <strong>Frontend</strong>: HTML, Bootstrap, jQuery, and Handlebars.js</li> <li> <strong>Storage</strong>: Amazon S3 (Original and Resized Buckets)</li> <li> <p><strong>Compute</strong>: AWS Lambda for:</p> <ul> <li>Generating pre-signed URLs</li> <li>Resizing images using Sharp</li> <li>Listing images with metadata</li> <li>Deleting images</li> </ul> </li> <li><p><strong>Routing</strong>: API Gateway</p></li> <li><p><strong>Delivery</strong>: CloudFront (backed by S3 for secure and fast access)</p></li> <li><p><strong>Security</strong>: IAM roles and bucket policies for fine-grained access control</p></li> <li> <p><strong>Infrastructure Management</strong>: </p> <ul> <li>Defined via Terraform</li> <li>Deployed through GitHub Actions</li> </ul> </li> </ul> <h3> 🧩 The Development Process </h3> <h4> 1. <strong>Bucket Setup</strong> </h4> <p>I created three S3 buckets:</p> <ul> <li> <code>original-images-bucket-foz</code> - Stores original image uploads</li> <li> <code>resized-images-bucket-foz</code> - Stores Resized images</li> <li> <code>Image-resizer.fozdigitalz.com</code> - Hosts the front end</li> </ul> <p>With appropriate IAM roles and bucket policies to support Lambda functions and CloudFront delivery. Users can only access the original and resized buckets via CloudFront. </p> <h4> 2. <strong>Frontend UI</strong> </h4> <ul> <li>Used <strong>Bootstrap</strong> for responsive layout.</li> <li>Handlebars templates for dynamic image card rendering.</li> <li>Modal for viewing original images.</li> <li>Buttons to Load, Download, View, and Delete images.</li> </ul> <p>Users can click "View Original" to open a Bootstrap modal. This dynamically loads the full-size original image via CloudFront.</p> <p>I defined grouped resize sizes dynamically in JavaScript. Users can select any of these sizes from the front end.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">resizeOptionsGrouped</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">groupName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Social Media Sizes</span><span class="dl">"</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Instagram 📸</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Post</span><span class="dl">"</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1080x1080</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Facebook 📘</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Shared Image</span><span class="dl">"</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1200x630</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Twitter/X 🐦</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Summary</span><span class="dl">"</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1200x675</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">"</span><span class="s2">LinkedIn 💼</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Link Image</span><span class="dl">"</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1200x627</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">"</span><span class="s2">YouTube ▶️</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Thumbnail</span><span class="dl">"</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1280x720</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="na">groupName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Standard Sizes</span><span class="dl">"</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Thumbnail 🗃️</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="dl">"</span><span class="s2">150x150</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Medium</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="dl">"</span><span class="s2">640x480</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Large</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="dl">"</span><span class="s2">800x600</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Full HD</span><span class="dl">"</span><span class="p">,</span> <span class="na">label</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1920x1080</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">];</span> </code></pre> </div> <h4> 3. <strong>Backend: Serverless Power with API Gateway &amp; Lambda</strong> </h4> <p>The backend orchestrates image processing through a seamless AWS serverless stack:</p> <h5> <strong>API Gateway: The Traffic Controller</strong> </h5> <ul> <li>Serves as the single entry point for all frontend requests</li> <li>Configured with CORS to securely allow requests only from your frontend domain</li> <li>Routes requests to specific Lambda functions based on path/verb: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Example route definition for Presigm Lambda in Terraform</span> <span class="k">resource</span> <span class="s2">"aws_apigatewayv2_route"</span> <span class="s2">"presign_route"</span> <span class="p">{</span> <span class="nx">api_id</span> <span class="p">=</span> <span class="nx">aws_apigatewayv2_api</span><span class="p">.</span><span class="nx">image_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_key</span> <span class="p">=</span> <span class="s2">"GET /presign"</span> <span class="c1"># Routes to presign Lambda</span> <span class="nx">target</span> <span class="p">=</span> <span class="s2">"integrations/</span><span class="k">${</span><span class="nx">aws_apigatewayv2_integration</span><span class="p">.</span><span class="nx">presign_integration</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> </code></pre> </div> <h5> <strong>Lambda Functions: Specialized Workers</strong> </h5> <p>Four dedicated functions handle distinct tasks:</p> <p>I. <strong>Presign Lambda</strong> </p> <ul> <li>Generates secure S3 upload URLs with metadata </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">signedUrl</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSignedUrl</span><span class="p">(</span><span class="nx">s3</span><span class="p">,</span> <span class="nx">putCommand</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="mi">300</span> <span class="p">});</span> </code></pre> </div> <p>II. <strong>Resize Lambda</strong> </p> <ul> <li>Triggered by S3 upload events, uses <code>sharp</code> to resize image with <code>fit: 'inside'</code> and <code>kernel: 'lanczos3'</code> for quality. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">await</span> <span class="nf">sharp</span><span class="p">(</span><span class="nx">imageBuffer</span><span class="p">).</span><span class="nf">resize</span><span class="p">(</span><span class="nx">width</span><span class="p">,</span> <span class="nx">height</span><span class="p">).</span><span class="nf">toBuffer</span><span class="p">();</span> </code></pre> </div> <p>III. <strong>List Lambda</strong> </p> <ul> <li>Returns all uploaded images for the UI gallery with file name timestamp, and size. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">s3</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">ListObjectsV2Command</span><span class="p">({</span> <span class="na">Bucket</span><span class="p">:</span> <span class="nx">BUCKET_NAME</span> <span class="p">}));</span> </code></pre> </div> <p>IV. <strong>Delete Lambda</strong> </p> <ul> <li>Removes images from S3 when requested </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">await</span> <span class="nx">s3</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">DeleteObjectCommand</span><span class="p">({</span> <span class="na">Bucket</span><span class="p">:</span> <span class="nx">BUCKET_NAME</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="nx">fileName</span> <span class="p">}));</span> </code></pre> </div> <h4> 4. <strong>CloudFront Distribution</strong> </h4> <p>I used <strong>Origin Access Control (OAC)</strong> to ensure only CloudFront can read from the buckets and an <strong>Ordered cache behaviors</strong> in CloudFront for different prefixes (<code>/uploads/</code>, <code>/resized-*/uploads/</code>). Also, I added 3 origins to my Cloudfront distribution - one for the S3 that hosts the frontend, one each for the bucket that keeps the original image upload, and the one that stores the resized images.</p> <h4> CI/CD with GitHub Actions </h4> <p>Deployed with a workflow triggered on push to <code>main</code>. My workflow can also be manually triggered to run or destroy my infrastructure using Terraform. </p> <ul> <li>Applies Terraform</li> <li>Syncs frontend files to the S3 bucket</li> <li>Secrets like AWS credentials and hosted zone IDs are stored in GitHub Secrets </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Frontend to S3</span> <span class="na">run</span><span class="pi">:</span> <span class="s">aws s3 sync ./frontend s3://image-resizer.fozdigitalz.com --delete</span> </code></pre> </div> <h5> 🌐 Live Project </h5> <p>Check the application with the URL below.</p> <blockquote> <p><strong>URL:</strong> <a href="https://image-resizer.fozdigitalz.com" rel="noopener noreferrer">https://image-resizer.fozdigitalz.com</a></p> </blockquote> <h4> How to Use the Application </h4> <ol> <li> <strong>Open the web app</strong> – Your browser loads files from CloudFront, which fetches them from a secure S3 bucket. </li> <li> <strong>Select an image &amp; size</strong> – Choose a file and a preset dimension (e.g., Instagram’s 1080x1080). </li> <li> <strong>Request upload URL</strong> – The frontend gets a secure S3 upload link via API Gateway + Lambda. </li> <li> <strong>Upload directly to S3</strong> – Your browser sends the image to S3 using the generated link. </li> <li> <strong>Auto-resize triggered</strong> – S3 detects the upload, fires a Lambda to resize with Sharp, and saves the result in a resized folder. </li> <li> <strong>View/download images</strong> – Click "Load My Images" to see originals/resized versions, delivered via CloudFront and download the resized if you want. </li> <li> <strong>Delete anytime</strong> – Hit delete, and a Lambda removes the file from S3.</li> </ol> <h3> ✅ Results </h3> <ul> <li>Fully functional, scalable image upload and processing system</li> <li>No need for EC2 or persistent servers</li> <li>Dynamic resize and preview without exposing S3 directly</li> <li>CloudFront accelerates delivery globally</li> </ul> <h3> 🔭 Next Steps </h3> <p>My further enhancements for this project will include the following:</p> <ul> <li>Auto-tagging via Amazon Rekognition</li> <li>Auto-expiring unused images using lifecycle policies</li> <li>Authentication using Cognito</li> <li>Optimising storage costs with compression and format conversion (e.g., WebP)</li> <li>Analytics for site users and image uploads.</li> </ul> <h3> 🏁 Conclusion </h3> <p>This project was a powerful introduction to building <strong>production-grade serverless applications</strong> on AWS. With zero backend servers and minimal cost, it delivers a clean UX and powerful functionality — ideal for developers, startups, or any media-heavy app.</p> <h3> 💬 Connect With Me </h3> <ul> <li>Feel free to star, fork, or clone the <a href="https://github.com/Fidelisesq/Serverless-Image-Resizer" rel="noopener noreferrer">repository</a> or build your own version. </li> <li>Please drop your thoughts in the comment section</li> <li>Reach out to me on <a href="https://www.linkedin.com/in/fidelis-ikoroje/" rel="noopener noreferrer">LinkedIn</a> </li> </ul> webdev serverless lambda cloudfront Fidelis Ikoroje Thu, 13 Mar 2025 11:41:28 +0000 https://dev.to/fidelisesq/deploying-deepseek-model-r1-on-aws-via-terraform-github-actions-update-4b8e https://dev.to/fidelisesq/deploying-deepseek-model-r1-on-aws-via-terraform-github-actions-update-4b8e <p>Hey there! In this project documentation, I’m going to walk you through how I deployed the <strong>DeepSeek Model R1</strong> on AWS using <strong>Terraform</strong> and <strong>GitHub Actions</strong>. If you’ve ever tried deploying a machine learning model, you know it can get pretty complicated—especially when you’re juggling multiple AWS services. To make things easier, I decided to automate the whole process using Terraform for infrastructure as code and GitHub Actions for CI/CD. Spoiler alert: it worked like a charm!</p> <p>This project involved setting up an EC2 instance, an Application Load Balancer (ALB), security groups, IAM roles, and even a custom domain using Route 53. The best part? Everything was automated, so I didn’t have to manually configure resources every time I made a change. Whether you’re a seasoned DevOps pro or just getting started with cloud deployments, I hope this walkthrough gives you some useful insights (and maybe saves you a few headaches along the way).</p> <p><code>See the video below for the project breakdown and result</code><br> <iframe width="710" height="399" src="https://www.youtube.com/embed/j1yubSvJX5U"> </iframe> </p> <p>In this update, I’ve <strong>migrated my EC2 instance to a private subnet</strong> for improved security while still ensuring seamless access for application configuration and management. Here’s what changed compared to my <a href="https://dev.to/fidelisesq/deepseek-r1-deployment-on-aws-via-terraform-github-actions-32jp">first deployment</a>: </p> <p>✅ <strong>Private Subnet Deployment</strong> – The EC2 instance now runs in a private subnet instead of a public one.<br><br> ✅ <strong>Internet Access via NAT Gateway</strong> – The instance can pull updates and dependencies while remaining inaccessible from the public internet.<br><br> ✅ <strong>AWS Systems Manager (SSM) for Secure Access</strong> – Instead of SSH, I’m using SSM to manage and interact with the instance securely.<br><br> ✅ <strong>AWS WAF for Backend Protection</strong> – Added AWS Web Application Firewall (WAF) to safeguard against malicious traffic and attacks.</p> <p>This approach <strong>enhances security</strong> while maintaining full operational control over the deployment. Next steps? Further optimizing performance and security! </p> <h2> Table of Contents </h2> <ol> <li><strong>Introduction</strong></li> <li><strong>Project Overview</strong></li> <li> <strong>Terraform Configuration</strong> <ul> <li>Provider Configuration</li> <li>Security Groups</li> <li>Load Balancer (ALB)</li> <li>EC2 Instance</li> <li>IAM Roles and Instance Profile</li> <li>Route 53 DNS Record</li> <li>Terraform Backend (S3)</li> <li>AWS WAF Configuration</li> </ul> </li> <li> <strong>GitHub Actions Workflow</strong> <ul> <li>Workflow Triggers</li> <li>Setup Job</li> <li>Apply Job</li> <li>Post-Apply Job</li> <li>Destroy Job</li> </ul> </li> <li><strong>Challenges Faced</strong></li> <li><strong>Lessons Learned</strong></li> <li><strong>Future Improvements</strong></li> <li><strong>Conclusion</strong></li> </ol> <h2> 1. Introduction </h2> <p>Deploying machine learning models in production can be a complex task, especially when it involves multiple AWS services. To streamline this process, I used <strong>Terraform</strong> to define the infrastructure as code and <strong>GitHub Actions</strong> to automate the deployment pipeline. This approach ensures consistency, scalability, and repeatability.</p> <h2> 2. Project Overview </h2> <p>The goal of this project was to deploy the <strong>DeepSeek Model R1</strong> on AWS, making it accessible via a web interface (OpenWebUI) and an API (Ollama). The infrastructure includes:</p> <ul> <li> <strong>EC2 Instance</strong>: Hosts the DeepSeek model in a Docker container and associated services in a private subnet.</li> <li> <strong>AWS Systems Manager (SSM)</strong>: Provides secure connection to EC2 in private subnet via VPC Endpoints.</li> <li> <strong>Application Load Balancer (ALB)</strong>: Distributes traffic to the EC2 instance and handles SSL termination.</li> <li> <strong>Security Groups</strong>: Control inbound and outbound traffic to the ALB and EC2 instance.</li> <li> <strong>IAM Roles</strong>: Provide the necessary permissions for the EC2 instance to allow AWS Systems Manager Access</li> <li> <strong>Route 53</strong>: Manages DNS records for the ALB. I just employed a cetificate I already have in us-east-1 and a ready public hosted zone in same region.</li> <li> <strong>Terraform Backend</strong>: Stores the Terraform state file in an S3 bucket for team collaboration.</li> <li> <strong>AWF</strong>: Protects the backend against bad requests</li> </ul> <h2> 3. Terraform Configuration &amp; Data </h2> <p>The Terraform configuration is the backbone of this project. It defines all the AWS resources required for the deployment. Below is a breakdown of the key components:</p> <h3> AWS Provider &amp; VPC Configuration </h3> <p>The first step in the Terraform configuration is to define the AWS provider and specify the region:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="c1"># Fetch existing VPC</span> <span class="nx">data</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main_vpc"</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> </code></pre> </div> <h3> Security Groups </h3> <p>I created 3 security groups: one for the ALB and one for the EC2 instance and the last for the VPC endpoints. The ALB security group allows HTTPS traffic (port 443). The EC2 security group restricts traffic to only allow communication from the ALB on ports 8080 (OpenWebUI) and the security group of the VPC endpoints.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">## Security Group for EC2 (Only ALB can access it)</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"deepseek_ec2_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek_ec2_sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for EC2 instance"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># Allow traffic from ALB </span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">11434</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">11434</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Allow all outbound traffic</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">## Security Group for ALB (Allows direct access)</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"alb_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek_alb_sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for ALB"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># Allow HTTPS from anywhere</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Allow all outbound traffic</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">## Security Group for VPC Endpoints</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"endpoint_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"vpc-endpoint-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for VPC Endpoints"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># Allow traffic from EC2 to VPC Endpoints</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">deepseek_ec2_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">deepseek_ec2_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Allow all outbound traffic</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Load Balancer (ALB) &amp; Listener </h3> <p>The ALB is configured to listen on ports 443 (HTTPS) and forwards traffic to the target group that has the EC2.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Load Balancer</span> <span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"deepseek_lb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek-alb"</span> <span class="nx">internal</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Public ALB</span> <span class="nx">load_balancer_type</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_subnet_ids</span> <span class="c1"># ALB must be in public subnets</span> <span class="p">}</span> <span class="c1">## Listener for ALB (HTTPS) forwards traffic to OpenWebUI</span> <span class="nx">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"https_listener"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">deepseek_lb</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTPS"</span> <span class="nx">ssl_policy</span> <span class="p">=</span> <span class="s2">"ELBSecurityPolicy-2016-08"</span> <span class="nx">certificate_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">certificate_arn</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">deepseek_tg</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Target Groups</span> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"deepseek_tg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek-target-group"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">health_check</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">interval</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">healthy_threshold</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">unhealthy_threshold</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> EC2, IAM &amp; VPC Endpoints </h3> <p>The EC2 instance is configured with a gp3 EBS volume (48GB) and an IAM role for necessary permissions. The instance is placed in a public subnet and associated with the EC2 security group. Note: <code>An instance with GPU support like p3.2xlarge, g4dn.xlarge etc would do better here to handle bigger model and process responses faster</code> but I didn't get one approved by AWS at the time of project execution. So, I used <code>c4.4xlarge</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># IAM Role for SSM</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ssm_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"EC2SSMRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ec2.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Attach AmazonSSMManagedInstanceCore policy</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ssm_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ssm_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"</span> <span class="p">}</span> <span class="c1"># IAM Instance Profile</span> <span class="nx">resource</span> <span class="s2">"aws_iam_instance_profile"</span> <span class="s2">"ssm_instance_profile"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"EC2SSMInstanceProfile"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ssm_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1"># EC2 Instance</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"deepseek_ec2"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ami_id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">deepseek_ec2_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">iam_instance_profile</span> <span class="p">=</span> <span class="nx">aws_iam_instance_profile</span><span class="p">.</span><span class="nx">ssm_instance_profile</span><span class="p">.</span><span class="nx">name</span> <span class="nx">root_block_device</span> <span class="p">{</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="mi">48</span> <span class="nx">volume_type</span> <span class="p">=</span> <span class="s2">"gp3"</span> <span class="nx">delete_on_termination</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"DeepSeekModelInstance"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Attach EC2 Instance to Target Group</span> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group_attachment"</span> <span class="s2">"deepseek_tg_attachment"</span> <span class="p">{</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">deepseek_tg</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">deepseek_ec2</span><span class="p">.</span><span class="nx">id</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="p">}</span> <span class="c1"># VPC Endpoints for SSM</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"ssm"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.us-east-1.ssm"</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">endpoint_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># VPC Endpoint for EC2 Messages (Used by SSM)</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"ec2_messages"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.us-east-1.ec2messages"</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">endpoint_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># VPC Endpoint for SSM Messages (Used by SSM)</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"ssm_messages"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.us-east-1.ssmmessages"</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">endpoint_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h3> Route 53 DNS Record </h3> <p>A Route 53 DNS record is created to map the ALB’s DNS name to a custom domain. Like I mentioned above, I used an already existing certificate to enable SSL and I also employed an existing hosted zone in us-east-1.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"deepseek_dns"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek.fozdigitalz.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">deepseek_lb</span><span class="p">.</span><span class="nx">dns_name</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">deepseek_lb</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> AWS WAF Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#AWS Web Application Firewall</span> <span class="nx">resource</span> <span class="s2">"aws_wafv2_web_acl"</span> <span class="s2">"deepseek_waf"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek-waf"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"WAF for ALB protecting backend"</span> <span class="nx">scope</span> <span class="p">=</span> <span class="s2">"REGIONAL"</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">allow</span> <span class="p">{}</span> <span class="p">}</span> <span class="c1"># Rate Limiting Rule</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"RateLimitRule"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">rate_based_statement</span> <span class="p">{</span> <span class="nx">limit</span> <span class="p">=</span> <span class="mi">150</span> <span class="nx">aggregate_key_type</span> <span class="p">=</span> <span class="s2">"IP"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"RateLimit"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Amazon IP Reputation List (Blocks known bad IPs, reconnaissance, DDoS)</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AmazonIPReputationRule"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">override_action</span> <span class="p">{</span> <span class="nx">none</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">managed_rule_group_statement</span> <span class="p">{</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesAmazonIpReputationList"</span> <span class="c1"># OPTIONAL: Override specific rules inside the group</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedIPReputationList"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedReconnaissanceList"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedIPDDoSList"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"AmazonIPReputationRule"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># AWS Managed Known Bad Inputs Rule Set</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"KnownBadInputsRule"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">override_action</span> <span class="p">{</span> <span class="nx">none</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">managed_rule_group_statement</span> <span class="p">{</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesKnownBadInputsRuleSet"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"KnownBadInputsRule"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># AWS Managed Common Rule Set</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CommonRuleSet"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">override_action</span> <span class="p">{</span> <span class="nx">none</span> <span class="p">{}</span> <span class="c1"># Ensures AWS WAF applies its built-in block actions</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">managed_rule_group_statement</span> <span class="p">{</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesCommonRuleSet"</span> <span class="c1"># Override specific rules that are set to "Count" by default, so they actually block bad traffic.</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CrossSiteScripting_URIPATH_RC_COUNT"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CrossSiteScripting_BODY_RC_COUNT"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CrossSiteScripting_QUERYARGUMENTS_RC_COUNT"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CrossSiteScripting_COOKIE_RC_COUNT"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CommonRuleSet"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"deepseek-waf"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">#WAF Attachment to ALB</span> <span class="nx">resource</span> <span class="s2">"aws_wafv2_web_acl_association"</span> <span class="s2">"deepseek_waf_alb"</span> <span class="p">{</span> <span class="nx">resource_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">deepseek_lb</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">web_acl_arn</span> <span class="p">=</span> <span class="nx">aws_wafv2_web_acl</span><span class="p">.</span><span class="nx">deepseek_waf</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_lb</span><span class="p">.</span><span class="nx">deepseek_lb</span><span class="p">,</span> <span class="nx">aws_wafv2_web_acl</span><span class="p">.</span><span class="nx">deepseek_waf</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Terraform Backend (S3) </h3> <p>The Terraform state file is stored in an S3 bucket to enable team collaboration and state management.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"foz-terraform-state-bucket"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"infra.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Variables Configuration </h3> <p>The <code>variables.tf</code> file defines all the input variables required for the Terraform configuration. These variables make the configuration reusable and customizable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The VPC ID where resources will be deployed"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"public_subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of public subnet IDs for ALB"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of private subnet IDs for EC2 instances"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ami_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AMI ID for the EC2 instance"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Instance type for the EC2 instance"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"certificate_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ARN of the SSL certificate for HTTPS"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"hosted_zone_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Route 53 hosted zone ID for the domain"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h3> Terraform.tfvars </h3> <p>The <code>terraform.tfvars</code> file is used to assign values to the variables defined in <code>variables.tf</code>. This file is typically not committed to version control (e.g., Git) for security reasons, as it may contain sensitive information like AWS credentials. I added <code>terraform.tfvars</code> to <code>.gitignore</code> so it won't be tracked. I provided the variables and secrets in github using <code>environment variables</code> and <code>secrets</code>. Also, the values below are made up and not real.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vpc_id</span> <span class="err">=</span> <span class="s2">"vpc-012345678910"</span> <span class="nx">private_subnet_ids</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"subnet-0012345678910"</span><span class="p">,</span> <span class="s2">"subnet-0012345678910"</span><span class="p">,</span> <span class="s2">"subnet-0012345678910"</span><span class="p">]</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"c4.4xlarge"</span> <span class="c1"># bigger for production but t2.2xlarge test</span> <span class="nx">ami_id</span> <span class="err">=</span> <span class="s2">"ami-04b4f1a9cf54c11d0"</span> <span class="nx">certificate_arn</span> <span class="err">=</span> <span class="s2">"arn:aws:acm:us-east-1:012345678910:certificate/697cf89b-9931-435f-a5f0-c8f012345678910c"</span> <span class="nx">hosted_zone_id</span> <span class="err">=</span> <span class="s2">"Z012345678960X9UZZVPUYYW0H"</span> <span class="nx">public_subnet_ids</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"subnet-0012345678910"</span><span class="p">,</span><span class="s2">"subnet-012345678910"</span><span class="p">]</span> </code></pre> </div> <h3> Output Configuration </h3> <p>The output.tf file defines the outputs that Terraform will display after applying the configuration. I used these outputs for retrieving information like the EC2 instance’s public IP or the ALB’s DNS name that are needed for my <code>Github Action workflow</code> to configure my EC2 instances.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"ec2_public_ip"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public IP of the EC2 instance"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">deepseek_ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"lb_url"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"DNS name of the ALB"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">deepseek_lb</span><span class="p">.</span><span class="nx">dns_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"deepseek_ec2_sg_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">deepseek_ec2_sg</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"deepseek_ec2_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">deepseek_ec2</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> 4. GitHub Actions Workflow </h2> <p>The GitHub Actions workflow automates the deployment process. It consists of four main jobs: <strong>setup</strong>, <strong>apply</strong>, <strong>post-apply</strong>, and <strong>destroy</strong>. My workflow will be triggered by pushing to the main branch or manually through the GitHub UI using workflow dispatch with an input to choose the action (apply/destroy).</p> <h3> Workflow Triggers </h3> <p>The workflow is triggered on a push to the <code>main</code> branch or manually via the <code>workflow_dispatch</code> event. The manual trigger allows you to choose between <strong>apply</strong> (to create resources) and <strong>destroy</strong> (to tear down resources).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">action</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Choose</span><span class="nv"> </span><span class="s">action</span><span class="nv"> </span><span class="s">(apply/destroy)"</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">apply"</span> <span class="na">type</span><span class="pi">:</span> <span class="s">choice</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apply</span> <span class="pi">-</span> <span class="s">destroy</span> </code></pre> </div> <h3> Setup Job </h3> <p>The <strong>setup</strong> job initializes the environment by checking out the code, setting up Terraform, and configuring AWS credentials.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploying DeepSeek Model R1 on AWS via Terraform &amp; GitHub Actions</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">action</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Choose</span><span class="nv"> </span><span class="s">action</span><span class="nv"> </span><span class="s">(apply/destroy)"</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">apply"</span> <span class="na">type</span><span class="pi">:</span> <span class="s">choice</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apply</span> <span class="pi">-</span> <span class="s">destroy</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">setup</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> </code></pre> </div> <h3> Apply Job </h3> <p>The <strong>apply</strong> job runs Terraform to create the infrastructure. It generates a <code>terraform.tfvars</code> file using GitHub Secrets, initializes Terraform, and applies the configuration. This is where my <code>Github Actions Runner</code> SSH into my EC2 to install docker, pulls the images and deploy <code>Ollama</code> and <code>OpenWebUI</code>using Docker.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apply</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">ec2_instance_id</span><span class="pi">:</span> <span class="s">${{ steps.get_ec2_id.outputs.ec2_id }}</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">setup</span> <span class="na">if</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(github.event_name == 'workflow_dispatch' &amp;&amp; github.event.inputs.action == 'apply') ||</span> <span class="s">(github.event_name == 'push' &amp;&amp; !contains(github.event.head_commit.message, 'destroy'))</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create terraform.tfvars</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt;EOF &gt; terraform.tfvars</span> <span class="s">ami_id = "${{ secrets.AMI_ID }}"</span> <span class="s">certificate_arn = "${{ secrets.CERTIFICATE_ARN }}"</span> <span class="s">vpc_id = "${{ secrets.VPC_ID }}"</span> <span class="s">hosted_zone_id = "${{ secrets.HOSTED_ZONE_ID }}"</span> <span class="s">instance_type = "${{ secrets.INSTANCE_TYPE }}"</span> <span class="s">aws_access_key_id = "${{ secrets.AWS_ACCESS_KEY_ID }}"</span> <span class="s">aws_secret_access_key = "${{ secrets.AWS_SECRET_ACCESS_KEY }}"</span> <span class="s">aws_region = "${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="s">public_subnet_ids = ${{ secrets.PUBLIC_SUBNET_IDS }}</span> <span class="s">private_subnet_ids = ${{ secrets.PRIVATE_SUBNET_IDS }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Mask AWS Account ID in Logs</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "::add-mask::${{ secrets.AWS_ACCOUNT_ID }}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init &amp; Apply</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init \</span> <span class="s">-backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}" \</span> <span class="s">-backend-config="key=infra.tfstate" \</span> <span class="s">-backend-config="region=${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="s">terraform apply -auto-approve -var-file=terraform.tfvars</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Retrieve EC2 Instance ID</span> <span class="na">id</span><span class="pi">:</span> <span class="s">get_ec2_id</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "Retrieving EC2 Instance ID..."</span> <span class="s">EC2_ID=$(terraform output -raw deepseek_ec2_id)</span> <span class="s">echo "EC2_INSTANCE_ID=$EC2_ID" &gt;&gt; $GITHUB_ENV</span> <span class="s">echo "::set-output name=ec2_id::$EC2_ID"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify EC2 Instance ID</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "EC2_INSTANCE_ID=${{ env.EC2_INSTANCE_ID }}"</span> <span class="s">if [ -z "${{ env.EC2_INSTANCE_ID }}" ]; then</span> <span class="s">echo "EC2 instance ID is empty or invalid."</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for EC2</span> <span class="na">run</span><span class="pi">:</span> <span class="s">sleep 60</span> </code></pre> </div> <h3> Post-Apply Job </h3> <p>The <strong>post-apply</strong> job configures the EC2 instance after Terraform provisions it. It verifies the instance's connection via AWS SSM, checks if the SSM agent is running, and installs Docker along with necessary dependencies. After rebooting the instance, it deploys the <strong>DeepSeek Model R1</strong> inside an <strong>Ollama</strong> container and sets up <strong>Open WebUI</strong> for interaction. Finally, it confirms that the WebUI is accessible via <code>https://deepseek.fozdigitalz.com</code>. This ensures a fully automated deployment of the model and web interface on AWS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">post_apply</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">apply</span> <span class="na">if</span><span class="pi">:</span> <span class="s">success()</span> <span class="na">env</span><span class="pi">:</span> <span class="na">EC2_INSTANCE_ID</span><span class="pi">:</span> <span class="s">${{ needs.apply.outputs.ec2_instance_id }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create terraform.tfvars</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt;EOF &gt; terraform.tfvars</span> <span class="s">ami_id = "${{ secrets.AMI_ID }}"</span> <span class="s">certificate_arn = "${{ secrets.CERTIFICATE_ARN }}"</span> <span class="s">vpc_id = "${{ secrets.VPC_ID }}"</span> <span class="s">hosted_zone_id = "${{ secrets.HOSTED_ZONE_ID }}"</span> <span class="s">instance_type = "${{ secrets.INSTANCE_TYPE }}"</span> <span class="s">aws_access_key_id = "${{ secrets.AWS_ACCESS_KEY_ID }}"</span> <span class="s">aws_secret_access_key = "${{ secrets.AWS_SECRET_ACCESS_KEY }}"</span> <span class="s">aws_region = "${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="s">public_subnet_ids = ${{ secrets.PUBLIC_SUBNET_IDS }}</span> <span class="s">private_subnet_ids = ${{ secrets.PRIVATE_SUBNET_IDS }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify SSM Connection</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "Verifying SSM Connection..."</span> <span class="s">aws ssm describe-instance-information --region ${{ secrets.AWS_DEFAULT_REGION }} \</span> <span class="s">--query "InstanceInformationList[?InstanceId=='${{ env.EC2_INSTANCE_ID }}']" \</span> <span class="s">--output json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check SSM Agent Status</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ssm send-command \</span> <span class="s">--document-name "AWS-RunShellScript" \</span> <span class="s">--instance-ids "${{ env.EC2_INSTANCE_ID }}" \</span> <span class="s">--parameters '{"commands":["sudo systemctl status amazon-ssm-agent"]}' \</span> <span class="s">--region ${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Docker via SSM</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ssm send-command \</span> <span class="s">--document-name "AWS-RunShellScript" \</span> <span class="s">--targets "[{\"Key\":\"InstanceIds\",\"Values\":[\"${{ env.EC2_INSTANCE_ID }}\"]}]" \</span> <span class="s">--parameters commands='[</span> <span class="s">"sudo apt-get update",</span> <span class="s">"sudo apt-get install -y docker.io docker-compose",</span> <span class="s">"sudo systemctl enable docker",</span> <span class="s">"sudo systemctl start docker",</span> <span class="s">"sudo usermod -aG docker ubuntu",</span> <span class="s">"sudo sed -i s/^ENABLED=1/ENABLED=0/ /etc/apt/apt.conf.d/20auto-upgrades",</span> <span class="s">"sleep 10",</span> <span class="s">"sudo reboot"</span> <span class="s">]' \</span> <span class="s">--region ${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for EC2 instance to reboot ..."</span> <span class="na">run</span><span class="pi">:</span> <span class="s">sleep </span><span class="m">50</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run DeepSeek Model and WebUI via SSM</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ssm send-command \</span> <span class="s">--document-name "AWS-RunShellScript" \</span> <span class="s">--targets "[{\"Key\":\"InstanceIds\",\"Values\":[\"${{ env.EC2_INSTANCE_ID }}\"]}]" \</span> <span class="s">--parameters commands='[</span> <span class="s">"docker run -d -v ollama:/root/.ollama -p 11434:11434 --name ollama ollama/ollama",</span> <span class="s">"sleep 20",</span> <span class="s">"docker exec ollama ollama pull deepseek-r1:8b",</span> <span class="s">"sleep 15",</span> <span class="s">"docker exec -d ollama ollama serve",</span> <span class="s">"sleep 15",</span> <span class="s">"docker run -d -p 8080:8080 --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:main",</span> <span class="s">"sleep 15"</span> <span class="s">]' \</span> <span class="s">--region ${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="s">echo "Waiting for WebUI to start..."</span> <span class="s">sleep 30 </span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Confirm WebUI is Running</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ssm send-command \</span> <span class="s">--document-name "AWS-RunShellScript" \</span> <span class="s">--targets '[{"Key":"instanceIds","Values":["${{ env.EC2_INSTANCE_ID }}"]}]' \</span> <span class="s">--parameters '{"commands":["curl -I https://deepseek.fozdigitalz.com"]}' \</span> <span class="s">--region ${{ secrets.AWS_DEFAULT_REGION }}</span> </code></pre> </div> <h3> Destroy Job </h3> <p>The <strong>destroy</strong> job tears down the infrastructure when triggered manually or via a commit message containing "destroy".<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">destroy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">setup</span> <span class="na">if</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(github.event_name == 'workflow_dispatch' &amp;&amp; github.event.inputs.action == 'destroy') ||</span> <span class="s">(github.event_name == 'push' &amp;&amp; contains(github.event.head_commit.message, 'destroy'))</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create terraform.tfvars</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt;EOF &gt; terraform.tfvars</span> <span class="s">ami_id = "${{ secrets.AMI_ID }}"</span> <span class="s">certificate_arn = "${{ secrets.CERTIFICATE_ARN }}"</span> <span class="s">vpc_id = "${{ secrets.VPC_ID }}"</span> <span class="s">hosted_zone_id = "${{ secrets.HOSTED_ZONE_ID }}"</span> <span class="s">instance_type = "${{ secrets.INSTANCE_TYPE }}"</span> <span class="s">aws_access_key_id = "${{ secrets.AWS_ACCESS_KEY_ID }}"</span> <span class="s">aws_secret_access_key = "${{ secrets.AWS_SECRET_ACCESS_KEY }}"</span> <span class="s">aws_region = "${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="s">public_subnet_ids = ${{ secrets.PUBLIC_SUBNET_IDS }}</span> <span class="s">private_subnet_ids = ${{ secrets.PRIVATE_SUBNET_IDS }}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Mask AWS Account ID in Logs</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "::add-mask::${{ secrets.AWS_ACCOUNT_ID }}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Destroy</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init -reconfigure \</span> <span class="s">-backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}" \</span> <span class="s">-backend-config="key=infra.tfstate" \</span> <span class="s">-backend-config="region=${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="s">terraform destroy -auto-approve -var-file=terraform.tfvars</span> </code></pre> </div> <p><code>Completed workflow run</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flo86av94rfnki1sbl8ar.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flo86av94rfnki1sbl8ar.png" alt="completed_workflow_run" width="800" height="370"></a></p> <h2> <strong>5. The Application in Action (Result)</strong> </h2> <p>After successfully deploying the DeepSeek Model R1 on AWS, I was able to access the OpenWebUI and interact with the model. Below are some screenshots demonstrating the setup and functionality:</p> <h3> <strong>1. OpenWebUI Interface</strong> </h3> <p>The OpenWebUI provides a user-friendly interface for interacting with the DeepSeek Model R1. Here’s a screenshot of the dashboard:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsusdz8b4j8s87dinsh30.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsusdz8b4j8s87dinsh30.png" alt="OpenWebUI Dashboard" width="800" height="398"></a></p> <p><em>The OpenWebUI dashboard, accessible via the custom domain <code>deepseek.fozdigitalz.com</code>.</em><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1uk8m8au9pew0lxcd5f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr1uk8m8au9pew0lxcd5f.png" alt="OpenWebUI Welcome Page" width="800" height="399"></a></p> <h3> <strong>2. Model Interaction</strong> </h3> <p>I tested the model by asking it a few questions. Here’s an example of the model’s response:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpgi5zf6zdzsum0a4f7w.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpgi5zf6zdzsum0a4f7w.png" alt="Sample model respons" width="800" height="393"></a><br> <code>Sample model response 11</code> <br> <em>The DeepSeek Model R1 generating a response to a sample query.</em><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftr79h25gbsooqjbnzo6r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftr79h25gbsooqjbnzo6r.png" alt="Sample model response 12" width="800" height="398"></a><br> <code>Sample model response 12</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyqwhf4akh9x4wmrjxd1s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyqwhf4akh9x4wmrjxd1s.png" alt="Sample model response 21" width="800" height="399"></a><br> <code>Sample model response 21</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo1w7hpng7rphehmljk28.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo1w7hpng7rphehmljk28.png" alt="Sample model response 22" width="800" height="404"></a><br> <code>Sample model response 22</code></p> <h3> <strong>3. Infrastructure Clean Up</strong> </h3> <p>I can destroy my infrastructure when I trigger my workflow in different ways. My workflow will be triggered by pushing to the main branch or manually through the GitHub UI using workflow dispatch with an input to choose the action (apply/destroy).</p> <ul> <li>By manually triggering the workflow from the GitHub UI and selecting the <code>destroy</code> action.</li> <li>By pushing to the <code>main</code> branch with a commit message that contains the word <code>destroy.</code> </li> <li>By running the command <code>gh workflow run "workflow name" --field action=destroy</code> locally but you must have the Github CLI installed for this to work.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftdmz1ecrythx2je2231n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftdmz1ecrythx2je2231n.png" alt="Infrastructure cleanup" width="800" height="398"></a><br> <code>Infrastructure cleanup using terraform</code></p> <h2> <strong>6. Challenges Faced &amp; Lesson Learned</strong> </h2> <p>Learning from the challenges in my first deployment, modifying the setup was easier—I moved the EC2 instance to a private subnet, switched from SSH to AWS SSM for secure access, and integrated AWS WAF for better protection. However, I still researched best practices for implementing AWS-managed WAF rules to enhance security effectively.</p> <h2> 7. Future Improvements </h2> <p>While the deployment process is now functional, there are opportunities I may consider to enhance scalability, security, and cost-efficiency.</p> <p>In my first deployment, I considered improvements like moving EC2 to a private subnet, using SSM instead of SSH, and adding WAF, which I have now implemented. Additionally, I’m exploring <strong>CloudWatch for monitoring, auto-scaling for better resource management, and GPU instances for enhanced performance</strong>, though AWS approval for GPU is still pending. These refinements aim to make the deployment more secure, scalable, and cost-efficient.</p> <h2> 8. Conclusion </h2> <p>This deployment has evolved significantly from the initial setup, incorporating <strong>better security, automation, and scalability</strong> based on lessons learned. Moving EC2 to a private subnet, using <strong>AWS SSM</strong> instead of SSH, and integrating <strong>AWS WAF</strong> has strengthened security, while <strong>CloudWatch and auto-scaling</strong> are now key considerations for future improvements. As I continue refining the architecture, I’m also exploring <strong>GPU-powered instances</strong> for better performance once AWS approval is granted. These enhancements ensure a more <strong>resilient, efficient, and secure</strong> deployment of the DeepSeek Model R1 on AWS.</p> Fidelis Ikoroje Mon, 03 Mar 2025 18:26:55 +0000 https://dev.to/fidelisesq/hosting-a-serverless-resume-website-on-aws-with-terraform-and-cicd-47gd https://dev.to/fidelisesq/hosting-a-serverless-resume-website-on-aws-with-terraform-and-cicd-47gd <p><iframe width="710" height="399" src="https://www.youtube.com/embed/GZmRRK9aSso"> </iframe> </p> <p>Building a serverless resume website on AWS isn’t just about hosting a static page. It is like assembling a high-performance engine. When I decided to create my resume website, I wanted it to be more than just a digital placeholder—it had to be scalable, secure, and cost-efficient. </p> <p>Each component—S3, CloudFront, Lambda, DynamoDB, API Gateway, Route53+DNSSEC to Monitoring tools and AWS WAF—plays a critical role, while Terraform and GitHub Actions CI/CD act as the control systems, ensuring everything runs smoothly. Along the way, I encountered several <code>challenges</code> at different stages, from infrastructure setup to automation, and documented my <code>approach</code> to resolving them. The result? A scalable, secure, and cost-efficient website. Let’s take a closer look under the hood!</p> <h2> <strong>Project Overview</strong> </h2> <p>The goal of this project was to enhance the accessibility and visibility of my resume by hosting it as a responsive website. The website is built using serverless technologies, ensuring minimal operational overhead and maximum scalability. Here’s a high-level breakdown of the architecture:</p> <ol> <li><strong>Terraform Configuration</strong></li> </ol> <p>I. <strong>Provider, Identity Configuration + Terraform State Management</strong>: Terraform version specified while <strong>AWS S3</strong> stores Terraform state. </p> <p>II. <strong>Frontend</strong>: A static HTML resume hosted on <strong>Amazon S3</strong> and served via <strong>CloudFront</strong> for global content delivery. </p> <p>III. <strong>Backend</strong>: A serverless REST API built with <strong>AWS Lambda</strong> and <strong>API Gateway</strong> to handle dynamic functionality &amp; DynamoDB to store visitor count. </p> <p>IV. <strong>Monitoring and Alerts</strong>: <strong>CloudWatch</strong>, <strong>SNS</strong>, <strong>PagerDuty</strong>, and <strong>Slack</strong> for monitoring and notifications. </p> <p>V. <strong>Security &amp; DNS</strong>: <strong>AWS WAF, Route53 &amp; DNSSEC</strong> WAF to protect the website from common web exploits while Route53 for DNS management and DNSSEC for enhanced domain security. </p> <ol> <li> <strong>Code Test+ CI/CD</strong>: Automated deployment pipeline using <strong>GitHub Actions</strong>. </li> <li> <strong>End-to-End Test</strong>: Automated test of site functionality and app backend using Cypress. </li> <li> <strong>Results</strong>: The resume website is globally available, secure, and scalable. The visitor count updates dynamically via the backend, and CloudWatch monitors API health. CI/CD ensures quick updates with automated testing, improving reliability. </li> <li> <strong>Conclusion</strong>: Summary of the project and lessons learnt. </li> </ol> <h2> <strong>1. Terraform Configuration</strong> </h2> <p>The entire infrastructure is defined using Terraform (Infrastructure as Code), ensuring reproducibility and scalability. Below is a detailed explanation of the Terraform configuration. <code>Note:</code> You can find all configuration files in my <a href="https://github.com/Fidelisesq/AWS-Cloud-Resume" rel="noopener noreferrer">Github.</a></p> <h3> <strong>I. Provider Block &amp; Terraform State Management</strong> </h3> <p>The configuration uses <strong>Amazon S3</strong> for centralized state management, storing the <code>infrastructure.tfstate</code> file in the <code>foz-terraform-state-bucket</code> with encryption enabled. The <strong>AWS provider</strong> (version <code>&gt;= 5.8.0</code>) is configured for deployment in the <code>us-east-1</code> region, and the Terraform version is set to <code>&gt;= 1.10.3</code>. Additionally, the <code>aws_caller_identity</code> data resource retrieves information about the currently authenticated AWS account. This setup ensures secure, reliable state management and deployment configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"&gt;= 5.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.10.3"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="c1"># Set the deployment region</span> <span class="p">}</span> <span class="c1"># Declare the caller identity data resource</span> <span class="nx">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="c1">#Terraform Backend (S3 for State Management)</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"foz-terraform-state-bucket"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"infrastructure.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> <strong>II. Frontend: S3 &amp; CloudFront</strong> </h3> <p>The frontend consists of a static HTML file hosted on an S3 bucket and served via CloudFront. The bucket is configured with versioning, CORS, and a policy to allow access only via CloudFront. Terraform uses <code>template_file</code> to replace the API-Gateway invocation URL place holder in the script on my html document with the real URL once API-Gateway is created &amp; deployed. Once that is done, terraform copies the html to the s3 bucket.</p> <h4> <strong>S3, Policy &amp; CORS</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># S3 bucket for static website</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"cloud_resume_bucket"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bucket_name</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Cloud Resume Bucket"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"Production"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Enable versioning on S3 bucket</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"cloud_resume_versioning"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">cloud_resume_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># S3 bucket CORS configuration</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_cors_configuration"</span> <span class="s2">"cloud_resume_bucket_cors"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">cloud_resume_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cors_rule</span> <span class="p">{</span> <span class="nx">allowed_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">allowed_origins</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"https://fidelis-resume.fozdigitalz.com"</span><span class="p">]</span> <span class="c1"># Replace with your domain</span> <span class="nx">allowed_headers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">max_age_seconds</span> <span class="p">=</span> <span class="mi">3000</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># S3 bucket policy for CloudFront access</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_policy"</span> <span class="s2">"cloud_resume_policy"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">cloud_resume_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AllowCloudFrontAccess"</span><span class="p">,</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"cloudfront.amazonaws.com"</span> <span class="p">},</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"${aws_s3_bucket.cloud_resume_bucket.arn}/*"</span><span class="p">,</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"AWS:SourceArn"</span> <span class="p">=</span> <span class="s2">"arn:aws:cloudfront::${data.aws_caller_identity.current.account_id}:distribution/${aws_cloudfront_distribution.cloud_resume_distribution.id}"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Read and replace placeholder in the HTML file dynamically</span> <span class="nx">data</span> <span class="s2">"template_file"</span> <span class="s2">"cloud_resume_html"</span> <span class="p">{</span> <span class="nx">template</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/cloud-resume.html"</span><span class="p">)</span> <span class="nx">vars</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">api_gateway_url</span> <span class="p">=</span> <span class="s2">"https://${aws_api_gateway_rest_api.cloud_resume_api.id}.execute-api.${var.region}.amazonaws.com/${aws_api_gateway_stage.cloud_resume_stage.stage_name}"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Upload the updated HTML file to S3 after API Gateway is created</span> <span class="nx">resource</span> <span class="s2">"aws_s3_object"</span> <span class="s2">"cloud_resume_html"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">cloud_resume_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"cloud-resume.html"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">template_file</span><span class="p">.</span><span class="nx">cloud_resume_html</span><span class="p">.</span><span class="nx">rendered</span> <span class="nx">content_type</span> <span class="p">=</span> <span class="s2">"text/html"</span> <span class="nx">content_disposition</span> <span class="p">=</span> <span class="s2">"inline"</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_api_gateway_stage</span><span class="p">.</span><span class="nx">cloud_resume_stage</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Cloud Resume HTML"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"Production"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>CloudFront Distribution</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#Cloudfront Origin Access Control (OAC)</span> <span class="nx">resource</span> <span class="s2">"aws_cloudfront_origin_access_control"</span> <span class="s2">"cloud_resume_oac"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"cloud-resume-oac"</span> <span class="nx">origin_access_control_origin_type</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">signing_behavior</span> <span class="p">=</span> <span class="s2">"always"</span> <span class="nx">signing_protocol</span> <span class="p">=</span> <span class="s2">"sigv4"</span> <span class="p">}</span> <span class="c1"># CloudFront distribution</span> <span class="nx">resource</span> <span class="s2">"aws_cloudfront_distribution"</span> <span class="s2">"cloud_resume_distribution"</span> <span class="p">{</span> <span class="nx">web_acl_id</span> <span class="p">=</span> <span class="nx">aws_wafv2_web_acl</span><span class="p">.</span><span class="nx">cloudfront_waf</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># Attach WAF to CloudFront</span> <span class="nx">origin</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">cloud_resume_bucket</span><span class="p">.</span><span class="nx">bucket_regional_domain_name</span> <span class="nx">origin_id</span> <span class="p">=</span> <span class="s2">"S3-cloud-resume-origin"</span> <span class="nx">origin_access_control_id</span> <span class="p">=</span> <span class="nx">aws_cloudfront_origin_access_control</span><span class="p">.</span><span class="nx">cloud_resume_oac</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">default_root_object</span> <span class="p">=</span> <span class="s2">"cloud-resume.html"</span> <span class="nx">aliases</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span><span class="p">]</span> <span class="c1"># Custom domain name</span> <span class="nx">default_cache_behavior</span> <span class="p">{</span> <span class="nx">allowed_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">cached_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">target_origin_id</span> <span class="p">=</span> <span class="s2">"S3-cloud-resume-origin"</span> <span class="nx">viewer_protocol_policy</span> <span class="p">=</span> <span class="s2">"redirect-to-https"</span> <span class="nx">forwarded_values</span> <span class="p">{</span> <span class="nx">query_string</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cookies</span> <span class="p">{</span> <span class="nx">forward</span> <span class="p">=</span> <span class="s2">"none"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Viewer certificate for HTTPS</span> <span class="nx">viewer_certificate</span> <span class="p">{</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">acm_certificate_arn</span> <span class="nx">ssl_support_method</span> <span class="p">=</span> <span class="s2">"sni-only"</span> <span class="nx">minimum_protocol_version</span> <span class="p">=</span> <span class="s2">"TLSv1.2_2019"</span> <span class="p">}</span> <span class="c1"># Restrictions block to meet CloudFront requirements</span> <span class="nx">restrictions</span> <span class="p">{</span> <span class="nx">geo_restriction</span> <span class="p">{</span> <span class="nx">restriction_type</span> <span class="p">=</span> <span class="s2">"none"</span> <span class="c1">#Allows requests from all geographic locations</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>Challenges &amp; Strategies</strong> </h4> <p>CORS setting was my major challenge here as browsers were blocking requests to S3 bucket due to incorrect CORS headers. I checked AWS documentation &amp; used browser developers tools to debug and setup cache invalidation as Cloudfront was still serving old contents even though my CORS is now updated. For HTTPS &amp; custom domain, I followed AWS best practices to set up ACM and Route 53, ensuring a secure and reliable custom domain setup.</p> <h3> <strong>III. Backend: Lambda, DynamoDB, and API Gateway</strong> </h3> <p>The <strong>Lambda function</strong> handles the logic for retrieving and incrementing the visitor count, with <strong>environment variables</strong> passing the DynamoDB table name. The <strong>DynamoDB table</strong> stores the visitor count using a primary key <code>id</code>, while <strong>API Gateway</strong> exposes my Visitor_Counter Lambda function as a REST API, integrating it seamlessly for dynamic functionality.</p> <h4> <strong>Lambda Function for Visitor Count</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Lambda function for visitor count</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"visitor_counter"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"visitor_counter_lambda.zip"</span> <span class="c1"># Prebuilt zip with your Python code</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"VisitorCounter"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_exec</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"visitor_counter_lambda.lambda_handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.9"</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">filebase64sha256</span><span class="p">(</span><span class="s2">"visitor_counter_lambda.zip"</span><span class="p">)</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">DYNAMODB_TABLE</span> <span class="p">=</span> <span class="nx">aws_dynamodb_table</span><span class="p">.</span><span class="nx">visitor_count</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># IAM Role for Lambda</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"lambda_exec"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lambda_exec_role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span><span class="p">,</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Custom IAM Policy for Lambda to interact with DynamoDB &amp; write to Cloudwatch logs</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"lambda_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lambda_dynamodb_cloudwatch_policy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"dynamodb:GetItem"</span><span class="p">,</span> <span class="s2">"dynamodb:PutItem"</span><span class="p">,</span> <span class="s2">"dynamodb:UpdateItem"</span><span class="p">,</span> <span class="s2">"dynamodb:Query"</span><span class="p">,</span> <span class="s2">"dynamodb:Scan"</span> <span class="p">],</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:dynamodb:*:*:table/${aws_dynamodb_table.visitor_count.name}"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span> <span class="p">],</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:logs:*:*:*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Attach policy to lambda</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"lambda_policy_attachment"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_exec</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">lambda_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>DynamoDB Table</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># DynamoDB table for visitor count</span> <span class="nx">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"visitor_count"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"VisitorCount"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"id"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"id"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>API-Gateway Integration</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># REST API Resource</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_rest_api"</span> <span class="s2">"cloud_resume_api"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CloudResumeAPI"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"API for visitor counter"</span> <span class="p">}</span> <span class="c1"># Root Resource ("/")</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_resource"</span> <span class="s2">"visitors"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">root_resource_id</span> <span class="nx">path_part</span> <span class="p">=</span> <span class="s2">"visitors"</span> <span class="p">}</span> <span class="c1"># API Gateway Method</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_method"</span> <span class="s2">"get_visitors"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_resource</span><span class="p">.</span><span class="nx">visitors</span><span class="p">.</span><span class="nx">id</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="s2">"GET"</span> <span class="nx">authorization</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="c1"># API Gateway Integration with Lambda</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_integration"</span> <span class="s2">"lambda_integration"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_resource</span><span class="p">.</span><span class="nx">visitors</span><span class="p">.</span><span class="nx">id</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="nx">aws_api_gateway_method</span><span class="p">.</span><span class="nx">get_visitors</span><span class="p">.</span><span class="nx">http_method</span> <span class="nx">integration_http_method</span> <span class="p">=</span> <span class="s2">"POST"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"AWS_PROXY"</span> <span class="nx">uri</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">visitor_counter</span><span class="p">.</span><span class="nx">invoke_arn</span> <span class="p">}</span> <span class="c1"># Enable CORS for API Gateway- API Method Response</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_method_response"</span> <span class="s2">"cors_response"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_resource</span><span class="p">.</span><span class="nx">visitors</span><span class="p">.</span><span class="nx">id</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="nx">aws_api_gateway_method</span><span class="p">.</span><span class="nx">get_visitors</span><span class="p">.</span><span class="nx">http_method</span> <span class="nx">status_code</span> <span class="p">=</span> <span class="s2">"200"</span> <span class="nx">response_parameters</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"method.response.header.Access-Control-Allow-Origin"</span> <span class="p">=</span> <span class="kc">true</span> <span class="s2">"method.response.header.Access-Control-Allow-Methods"</span> <span class="p">=</span> <span class="kc">true</span> <span class="s2">"method.response.header.Access-Control-Allow-Headers"</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">#API Gateway Integration Response</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_integration_response"</span> <span class="s2">"cors_integration_response"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_resource</span><span class="p">.</span><span class="nx">visitors</span><span class="p">.</span><span class="nx">id</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="nx">aws_api_gateway_method</span><span class="p">.</span><span class="nx">get_visitors</span><span class="p">.</span><span class="nx">http_method</span> <span class="nx">status_code</span> <span class="p">=</span> <span class="nx">aws_api_gateway_method_response</span><span class="p">.</span><span class="nx">cors_response</span><span class="p">.</span><span class="nx">status_code</span> <span class="nx">response_parameters</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"method.response.header.Access-Control-Allow-Origin"</span> <span class="p">=</span> <span class="s2">"'https://fidelis-resume.fozdigitalz.com'"</span> <span class="s2">"method.response.header.Access-Control-Allow-Methods"</span> <span class="p">=</span> <span class="s2">"'GET,OPTIONS'"</span> <span class="s2">"method.response.header.Access-Control-Allow-Headers"</span> <span class="p">=</span> <span class="s2">"'*'"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_api_gateway_integration</span><span class="p">.</span><span class="nx">lambda_integration</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># API Gateway Deployment Stage with Throttling</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_deployment"</span> <span class="s2">"cloud_resume_deployment"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_api_gateway_integration</span><span class="p">.</span><span class="nx">lambda_integration</span><span class="p">,</span> <span class="nx">aws_api_gateway_method</span><span class="p">.</span><span class="nx">get_visitors</span><span class="p">,</span> <span class="nx">aws_api_gateway_method_response</span><span class="p">.</span><span class="nx">cors_response</span> <span class="p">]</span> <span class="p">}</span> <span class="c1">#API Gateway Stage </span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_stage"</span> <span class="s2">"cloud_resume_stage"</span> <span class="p">{</span> <span class="nx">deployment_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_deployment</span><span class="p">.</span><span class="nx">cloud_resume_deployment</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rest_api_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">stage_name</span> <span class="p">=</span> <span class="s2">"prod"</span> <span class="nx">access_log_settings</span> <span class="p">{</span> <span class="nx">destination_arn</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_log_group</span><span class="p">.</span><span class="nx">api_gateway_log_group</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">format</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">requestId</span> <span class="p">=</span> <span class="s2">"$context.requestId"</span> <span class="nx">ip</span> <span class="p">=</span> <span class="s2">"$context.identity.sourceIp"</span> <span class="nx">requestTime</span> <span class="p">=</span> <span class="s2">"$context.requestTime"</span> <span class="nx">httpMethod</span> <span class="p">=</span> <span class="s2">"$context.httpMethod"</span> <span class="nx">resourcePath</span> <span class="p">=</span> <span class="s2">"$context.resourcePath"</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"$context.status"</span> <span class="nx">responseLength</span> <span class="p">=</span> <span class="s2">"$context.responseLength"</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"Production"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_api_gateway_account</span><span class="p">.</span><span class="nx">api_logging</span><span class="p">,</span> <span class="nx">aws_cloudwatch_log_group</span><span class="p">.</span><span class="nx">api_gateway_log_group</span> <span class="p">]</span> <span class="p">}</span> <span class="c1">#Enabled Logging &amp; detailed Metrics for API Gateway Stage</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_method_settings"</span> <span class="s2">"cloud_resume_metrics"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">stage_name</span> <span class="p">=</span> <span class="nx">aws_api_gateway_stage</span><span class="p">.</span><span class="nx">cloud_resume_stage</span><span class="p">.</span><span class="nx">stage_name</span> <span class="nx">method_path</span> <span class="p">=</span> <span class="s2">"visitors/GET"</span> <span class="nx">settings</span> <span class="p">{</span> <span class="nx">metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">data_trace_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">logging_level</span> <span class="p">=</span> <span class="s2">"ERROR"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Permission for API Gateway to invoke Lambda</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"allow_apigateway"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowAPIGatewayInvoke"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">visitor_counter</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"apigateway.amazonaws.com"</span> <span class="nx">source_arn</span> <span class="p">=</span> <span class="s2">"${aws_api_gateway_rest_api.cloud_resume_api.execution_arn}/*/*"</span> <span class="p">}</span> <span class="c1">#Grant API Gateway Permissions to Write to CloudWatch Logs</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"api_gw_cloudwatch_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"APIGatewayCloudWatchLogsRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"apigateway.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy_attachment"</span> <span class="s2">"api_gw_logging_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ApiGatewayLoggingPolicy"</span> <span class="nx">roles</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">api_gw_cloudwatch_role</span><span class="p">.</span><span class="nx">name</span><span class="p">]</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"</span> <span class="p">}</span> <span class="c1">#Attach the IAM Role to API Gateway</span> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_account"</span> <span class="s2">"api_logging"</span> <span class="p">{</span> <span class="nx">cloudwatch_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">api_gw_cloudwatch_role</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>Challenges &amp; Strategies</strong> </h4> <p>I spent time here writing the Lambda Function code that checks DynamoDB table, retreive the count and updates it. My function needed a paramenter to recognise a unique visitor. I tried <code>Browser LocalStorage</code> but it increments count when I refresh the page on thesame browser. I also tried <code>Session</code> and <code>Cookie</code> until I settled for IP address. My function stores the hash of unique IPs in my DynamoDB table to check unique visitors. <code>The hash is a One-Way process, so I can't see the IPs and I can't recover them from the hashes.</code> I ran Postman to test my API-Gateway and fixed permission issues not allowing API-Gatway to invoke my Lambda.</p> <h3> <strong>IV. Monitoring and Alerts</strong> </h3> <p>In this section of the project, I set up comprehensive monitoring and alerting using AWS CloudWatch, SNS, PagerDuty, and Slack to ensure timely responses to issues. I created a CloudWatch alarm to monitor API Gateway errors, triggering notifications through SNS when certain thresholds are met. I also configured an SNS topic to handle notifications and a policy to restrict publishing to CloudWatch only. For incident management, I integrated PagerDuty to alert on critical issues and used AWS Lambda to forward messages to PagerDuty. Additionally, I set up Slack integration to notify the team in real-time via a Lambda function that listens to the SNS topic, ensuring the team is always in the loop.</p> <h4> <strong>CloudWatch Alarms</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># CloudWatch Alarm for API Gateway</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_metric_alarm"</span> <span class="s2">"api_errors_alarm"</span> <span class="p">{</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="s2">"API-Error-Alarm"</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GreaterThanOrEqualToThreshold"</span> <span class="nx">evaluation_periods</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"IntegrationLatency"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"AWS/ApiGateway"</span> <span class="nx">period</span> <span class="p">=</span> <span class="s2">"60"</span> <span class="nx">statistic</span> <span class="p">=</span> <span class="s2">"Sum"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">dimensions</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ApiId</span> <span class="p">=</span> <span class="nx">aws_api_gateway_rest_api</span><span class="p">.</span><span class="nx">cloud_resume_api</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">alarm_description</span> <span class="p">=</span> <span class="s2">"Triggers when API Gateway returns a 502 error"</span> <span class="nx">actions_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">alarm_actions</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>SNS Topic for Notifications</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># SNS topic resource for notifications</span> <span class="nx">resource</span> <span class="s2">"aws_sns_topic"</span> <span class="s2">"api_alerts"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CloudResumeAlerts"</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>SNS Policy to Allow Subscriptions &amp; Limit Publish to Only CloudWatch</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Allow HTTPS, email, &amp; Lambda subscriptions to SNS &amp; restrict publish to SNS to only CloudWatch</span> <span class="nx">resource</span> <span class="s2">"aws_sns_topic_policy"</span> <span class="s2">"api_alerts_policy"</span> <span class="p">{</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AllowCloudWatchPublish"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"cloudwatch.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"SNS:Publish"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AllowEmailSubscription"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"SNS:Subscribe"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEqualsIfExists</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"sns:Protocol"</span> <span class="p">=</span> <span class="s2">"email"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AllowHttpsSubscription"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"SNS:Subscribe"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEqualsIfExists</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"sns:Protocol"</span> <span class="p">=</span> <span class="s2">"https"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AllowLambdaSubscription"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"SNS:Subscribe"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEqualsIfExists</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"sns:Protocol"</span> <span class="p">=</span> <span class="s2">"lambda"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>Email Subscription</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#Email subscription to SNS topic</span> <span class="nx">resource</span> <span class="s2">"aws_sns_topic_subscription"</span> <span class="s2">"email_alert"</span> <span class="p">{</span> <span class="nx">topic_arn</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"email"</span> <span class="nx">endpoint</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">email_address</span> <span class="p">}</span> </code></pre> </div> <p><code>Lambda Error Email Notification</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp5r992xxfsno2rlpu12p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp5r992xxfsno2rlpu12p.png" alt="Lambda-Error-Notification" width="800" height="415"></a></p> <h4> <strong>PagerDuty Integration</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="c1">#Store PagerDuty Integration URL in Secret Manager</span> <span class="nx">resource</span> <span class="s2">"aws_secretsmanager_secret"</span> <span class="s2">"pagerduty_integration_url"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"pagerduty_integration_url"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_secretsmanager_secret_version"</span> <span class="s2">"pagerduty_integration_url_value"</span> <span class="p">{</span> <span class="nx">secret_id</span> <span class="p">=</span> <span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">pagerduty_integration_url</span><span class="p">.</span><span class="nx">id</span> <span class="nx">secret_string</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">pagerduty_integration_url</span> <span class="p">}</span> <span class="c1">#IAM Role for PagerDuty Lambda</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"sns_to_pagerduty_lambda_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lambda_to_pagerduty_role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># IAM policy attachement for PagerDuty Lambda</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"sns_lambda_secrets_access"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">lambda_sns_pagerduty_access</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sns_to_pagerduty_lambda_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1">#IAM Policy for PagerDuty Lambda to Access Secret Manager &amp; Make Requests to PagerDuty API</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"lambda_sns_pagerduty_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lambda_sns_pagerduty_access"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow Lambda to access SNS, send events to PagerDuty, and write to CloudWatch Logs"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sns:Subscribe"</span><span class="p">,</span> <span class="s2">"sns:Publish"</span><span class="p">,</span> <span class="s2">"sns:ListSubscriptions"</span><span class="p">,</span> <span class="s2">"sns:ListSubscriptionsByTopic"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"secretsmanager:GetSecretValue"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">pagerduty_integration_url</span><span class="p">.</span><span class="nx">arn</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"execute-api:Invoke"</span> <span class="c1"># Permission for making API calls to PagerDuty</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:apigateway:*::/*"</span> <span class="c1"># Allow Lambda to call any API</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:logs:*:*:*"</span> <span class="c1"># Allow Lambda to write logs to any CloudWatch Log group/stream</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">#Create Lambda Layer to hold dependencies that can forward request to PagerDuty</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_layer_version"</span> <span class="s2">"pagerduty_lambda_layer"</span> <span class="p">{</span> <span class="nx">layer_name</span> <span class="p">=</span> <span class="s2">"pagerduty_lambda_layer"</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"lambda_layer.zip"</span> <span class="c1"># Path to your Lambda layer zip file</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">filebase64sha256</span><span class="p">(</span><span class="s2">"lambda_layer.zip"</span><span class="p">)</span> <span class="c1"># Ensures Terraform tracks changes</span> <span class="nx">compatible_runtimes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"python3.12"</span><span class="p">]</span> <span class="c1">#</span> <span class="p">}</span> <span class="c1"># Lambda function for PagerDuty integration + layers</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"lambda_to_pagerduty"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"lambda_to_pagerduty.zip"</span> <span class="c1"># Prebuilt zip in my terraform directory</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"lambda_to_pagerduty"</span> <span class="c1"># Lambda name</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sns_to_pagerduty_lambda_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"lambda_to_pagerduty.lambda_handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.12"</span> <span class="c1"># Or your preferred runtime</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">filebase64sha256</span><span class="p">(</span><span class="s2">"lambda_to_pagerduty.zip"</span><span class="p">)</span> <span class="c1"># Ensures Terraform tracks the zip file changes</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">PAGERDUTY_SECRET_ARN</span> <span class="p">=</span> <span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">pagerduty_integration_url</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">layers</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_lambda_layer_version</span><span class="p">.</span><span class="nx">pagerduty_lambda_layer</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># Attach the Lambda layer here</span> <span class="p">]</span> <span class="p">}</span> <span class="c1">#PagerDuty Lambda subscription to SNS</span> <span class="nx">resource</span> <span class="s2">"aws_sns_topic_subscription"</span> <span class="s2">"pagerduty_subscription"</span> <span class="p">{</span> <span class="nx">topic_arn</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"lambda"</span> <span class="nx">endpoint</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">lambda_to_pagerduty</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">lambda_to_pagerduty</span><span class="p">]</span> <span class="p">}</span> <span class="c1">#Ensure SNS can Invoke PageDuty_lambda</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"allow_sns_invoke"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowExecutionFromSNS"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">lambda_to_pagerduty</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"sns.amazonaws.com"</span> <span class="nx">source_arn</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p><code>PagerDuty Getting Alerts from Lambda</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffn9bfzsefu6btlvnhuxc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffn9bfzsefu6btlvnhuxc.png" alt="PagerDuty Alert-1" width="800" height="361"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4i6x0sit0cc0gec000qb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4i6x0sit0cc0gec000qb.png" alt="PagerDuty Alert2-3" width="800" height="181"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4911f30b8q7qe5c2q1t5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4911f30b8q7qe5c2q1t5.png" alt="PagerDuty4-5" width="800" height="867"></a></p> <h4> <strong>Slack Integration</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Create IAM Role for Slack Lambda</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"sns_to_slack_lambda_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sns_to_slack_lambda_role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">},</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">#Policy to allow Lambda Read from Secret Manager</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"sns_to_slack_lambda_role_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sns-to-slack-lambda-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sns_to_slack_lambda_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"secretsmanager:GetSecretValue"</span><span class="p">,</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">slack_webhook_url</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Attach Policies to Allow Slack Lambda to Read from SNS and Write Logs to slack</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"sns_to_slack_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sns_to_slack_policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sns_to_slack_lambda_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:logs:*:*:*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span><span class="p">],</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:logs:*:*:*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sns:Subscribe"</span><span class="p">,</span> <span class="s2">"sns:Receive"</span><span class="p">],</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"${aws_sns_topic.api_alerts.arn}"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span><span class="p">,</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"${aws_lambda_function.sns_to_slack.arn}"</span> <span class="p">},</span> <span class="p">{</span> <span class="c1"># this policy allows Lambda to publish messages to SNS</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sns:Publish"</span><span class="p">,</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"${aws_sns_topic.api_alerts.arn}"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">#Store the Webhook URL in AWS Secrets Manager</span> <span class="nx">resource</span> <span class="s2">"aws_secretsmanager_secret"</span> <span class="s2">"slack_webhook_url"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"slack-webhook-url"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Slack Webhook URL for Lambda"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_secretsmanager_secret_version"</span> <span class="s2">"slack_webhook_url_version"</span> <span class="p">{</span> <span class="nx">secret_id</span> <span class="p">=</span> <span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">slack_webhook_url</span><span class="p">.</span><span class="nx">id</span> <span class="nx">secret_string</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">slack_webhook_url</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">slack_webhook_url</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Create Lambda_to_Slack Function &amp; retrieve slack webhook URL from AWS Secret Manager</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"sns_to_slack"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"lambda_to_slack.zip"</span> <span class="c1"># Zip your Python script before deployment</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"SNS-to-Slack"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sns_to_slack_lambda_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"lambda_to_slack.lambda_handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.9"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">SLACK_WEBHOOK_SECRET_NAME</span> <span class="p">=</span> <span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">slack_webhook_url</span><span class="p">.</span><span class="nx">name</span> <span class="c1"># Reference to the secret</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Lambda function's permission to access the secret (already done via IAM role policy)</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">slack_webhook_url</span> <span class="p">]</span> <span class="p">}</span> <span class="c1"># Grant SNS permission to invoke Lambda</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"allow_sns"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowSNSInvoke"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">sns_to_slack</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"sns.amazonaws.com"</span> <span class="nx">source_arn</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">sns_to_slack</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Subscribe Slack Lambda to SNS Topic</span> <span class="nx">resource</span> <span class="s2">"aws_sns_topic_subscription"</span> <span class="s2">"sns_to_slack_subscription"</span> <span class="p">{</span> <span class="nx">topic_arn</span> <span class="p">=</span> <span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">api_alerts</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"lambda"</span> <span class="nx">endpoint</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">sns_to_slack</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_lambda_permission</span><span class="p">.</span><span class="nx">allow_sns</span><span class="p">]</span> <span class="c1">#Waits for Lambda perssion before subscription</span> <span class="p">}</span> </code></pre> </div> <p><code>Slack Alert from SNS-Lambda</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxxvbc2018ygpdl9is90b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxxvbc2018ygpdl9is90b.png" alt="Slack Alert" width="800" height="368"></a></p> <h4> <strong>Challenges &amp; Strategies</strong> </h4> <p>While SNS allowed HTTPS subscription for PagerDuty integration, it can't retrieve my integration URL from AWS Secret Manager and it can't natively forward messages to Slack App. So, I employed two Lamba functions, which subsribed to SNS and forwared alerts generated by CloudWatch to my Slack App &amp; PagerDuty for phone notifications.</p> <h3> <strong>V. Security &amp; DNS: AWS WAF, Route53 &amp; DNSSEC</strong> </h3> <p>The WAF configuration protects the website by blocking excessive traffic from a single IP (rate limiting), known bad IPs associated with reconnaissance and DDoS attacks, and malicious inputs. It also applies AWS-managed rule sets to prevent common vulnerabilities like cross-site scripting (XSS) and SQL injection, while providing visibility through CloudWatch metrics. Activating DNSSEC for my domain enhances security by preventing attackers from tampering with DNS responses and ensuring the integrity and authenticity of the domain's DNS data while Route53 provides the custom domain.</p> <h4> <strong>WAF Integration with Cloudfront</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># AWS WAF resource to front CloudFront</span> <span class="nx">resource</span> <span class="s2">"aws_wafv2_web_acl"</span> <span class="s2">"cloudfront_waf"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"cloudfront-waf"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"WAF for CloudFront"</span> <span class="nx">scope</span> <span class="p">=</span> <span class="s2">"CLOUDFRONT"</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">allow</span> <span class="p">{}</span> <span class="p">}</span> <span class="c1"># Rate limiting rule</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"RateLimitRule"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">rate_based_statement</span> <span class="p">{</span> <span class="nx">limit</span> <span class="p">=</span> <span class="mi">2000</span> <span class="nx">aggregate_key_type</span> <span class="p">=</span> <span class="s2">"IP"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"RateLimitRule"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Amazon IP Reputation List (Blocks known bad IPs, reconnaissance, DDoS)</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AmazonIPReputationRule"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">override_action</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">managed_rule_group_statement</span> <span class="p">{</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesAmazonIpReputationList"</span> <span class="c1"># OPTIONAL: Override specific rules inside the group</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedIPReputationList"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedReconnaissanceList"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedIPDDoSList"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"AmazonIPReputationRule"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># AWS Managed Known Bad Inputs Rule Set</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"KnownBadInputsRule"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">override_action</span> <span class="p">{</span> <span class="nx">none</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">managed_rule_group_statement</span> <span class="p">{</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesKnownBadInputsRuleSet"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"KnownBadInputsRule"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># AWS Managed Common Rule Set</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CommonRuleSet"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">override_action</span> <span class="p">{</span> <span class="nx">none</span> <span class="p">{}</span> <span class="c1"># Ensures AWS WAF applies its built-in block actions</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">managed_rule_group_statement</span> <span class="p">{</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesCommonRuleSet"</span> <span class="c1"># Override specific rules that are set to "Count" by default, so they actually block bad traffic.</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CrossSiteScripting_URIPATH_RC_COUNT"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CrossSiteScripting_BODY_RC_COUNT"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CrossSiteScripting_QUERYARGUMENTS_RC_COUNT"</span> <span class="p">}</span> <span class="nx">rule_action_override</span> <span class="p">{</span> <span class="nx">action_to_use</span> <span class="p">{</span> <span class="nx">block</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"CrossSiteScripting_COOKIE_RC_COUNT"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CommonRuleSet"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Visibility config for the WAF ACL itself</span> <span class="nx">visibility_config</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CloudFrontWAF"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>Route53 Custom Domain &amp; DNSSEC</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Fetch the Route 53 hosted zone info for fozdigitalz.com</span> <span class="nx">data</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"fozdigitalz_com"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"fozdigitalz.com"</span> <span class="p">}</span> <span class="c1"># Route 53 DNS configuration</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"cloud_resume_record"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">fozdigitalz_com</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"fidelis-resume.fozdigitalz.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_cloudfront_distribution</span><span class="p">.</span><span class="nx">cloud_resume_distribution</span><span class="p">.</span><span class="nx">domain_name</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Create the KMS key (without setting the policy initially)</span> <span class="nx">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"dnssec_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"KMS key for Route 53 DNSSEC signing"</span> <span class="nx">deletion_window_in_days</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">key_usage</span> <span class="p">=</span> <span class="s2">"SIGN_VERIFY"</span> <span class="nx">customer_master_key_spec</span> <span class="p">=</span> <span class="s2">"ECC_NIST_P256"</span> <span class="p">}</span> <span class="c1"># Define the KMS key policy</span> <span class="nx">resource</span> <span class="s2">"aws_kms_key_policy"</span> <span class="s2">"dnssec_key_policy"</span> <span class="p">{</span> <span class="nx">key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">dnssec_key</span><span class="p">.</span><span class="nx">key_id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"dnssec-route53.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:GetPublicKey"</span><span class="p">,</span> <span class="s2">"kms:Sign"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">dnssec_key</span><span class="p">.</span><span class="nx">arn</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"kms:*"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">dnssec_key</span><span class="p">.</span><span class="nx">arn</span> <span class="p">},</span> <span class="c1"># Allow my IAM User to get and put key policies</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/Fidelisesq"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"kms:*"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">dnssec_key</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Create the DNSSEC key signing key</span> <span class="nx">resource</span> <span class="s2">"aws_route53_key_signing_key"</span> <span class="s2">"dnssec_kms_key"</span> <span class="p">{</span> <span class="nx">hosted_zone_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">fozdigitalz_com</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dnssec-kms-key"</span> <span class="nx">key_management_service_arn</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">dnssec_key</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># Enable DNSSEC for the hosted zone</span> <span class="nx">resource</span> <span class="s2">"aws_route53_hosted_zone_dnssec"</span> <span class="s2">"dnssec"</span> <span class="p">{</span> <span class="nx">hosted_zone_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">fozdigitalz_com</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_route53_key_signing_key</span><span class="p">.</span><span class="nx">dnssec_kms_key</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><code>DNSSEC Activated</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fugjwab8v6i0zmy20nry4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fugjwab8v6i0zmy20nry4.png" alt="DNSSEC Activated-1" width="800" height="461"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftbskckza2pc5ojxlo84d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftbskckza2pc5ojxlo84d.png" alt="DNSSEC Activated-2" width="800" height="285"></a></p> <h4> <strong>Challenges &amp; Strategies</strong> </h4> <p>Not really a challenge here but I discovered that AWS WAF won't work with the HTTP API. So, instead of just throttling rate, I opted for the REST API with WAF to protect it. Later on, I placed WAF before my Cloudfront. When WAF worked, using <code>AWSManagedRules</code> gave me issues. So, I checked the documentation for each rule and discovered the issue was me overriding some rules in my terraform config when the default actions was already set by AWS either as <code>count</code> or <code>block</code>. Secondly, I initially created a KMS key needed for my DNSSEC without an active policy that grants me necessary permission like <code>PutKeyPolicy</code> &amp; <code>Disable + DeleteKey</code> so it locked me out when I needed to modify <code>Sign</code> &amp; <code>Verify</code> permission for <code>Route53</code>. I had to contact <code>AWS</code> support for help because I can't modify it nor schedule for deletion. </p> <h2> <strong>2. Code Test + CI/CD Pipeline</strong> </h2> <p>In this workflow, I set up a GitHub Actions pipeline to deploy and manage infrastructure using Terraform. The pipeline includes steps for testing the Lambda function that counts visitors on the website and ensures the tests are successful before proceeding with the infrastructure deployment. I also added functionality for both creating and destroying resources based on user input or commit messages. For deployment, I configured Terraform to provision the necessary resources on AWS, including creating and applying a Terraform plan with secrets securely stored in GitHub. Additionally, I implemented a cleanup process that destroys infrastructure when required, ensuring efficient resource management.</p> <h3> <strong>GitHub Actions Workflow</strong> </h3> <p>The workflow is triggered on a push to the <code>main</code> branch or manually via the <code>workflow_dispatch</code> event. It supports two actions: <strong>create</strong> (deploy infrastructure) and <strong>destroy</strong> (tear down infrastructure).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Infrastructure</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">action</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Action</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">perform</span><span class="nv"> </span><span class="s">(create</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">destroy)"</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">choice</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">create</span> <span class="pi">-</span> <span class="s">destroy</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">visitor-count-lambda-function-test</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Visitor</span><span class="nv"> </span><span class="s">Count</span><span class="nv"> </span><span class="s">Lambda</span><span class="nv"> </span><span class="s">Function</span><span class="nv"> </span><span class="s">Test"</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">!(github.event_name == 'workflow_dispatch' &amp;&amp; github.event.inputs.action == 'destroy') &amp;&amp;</span> <span class="s">!(github.event_name == 'push' &amp;&amp; contains(github.event.head_commit.message, 'destroy'))</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout the code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4.2.2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Python</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v5.4.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">python -m pip install --upgrade pip</span> <span class="s">pip install -r requirements-test.txt</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4.1.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests with pytest</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pytest tests/visitor_counter_testscript.py</span> <span class="na">infrastructure-deployment</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">(github.event_name == 'push' &amp;&amp; !contains(github.event.head_commit.message, 'destroy') &amp;&amp; needs.visitor-count-lambda-function-test.result == 'success') ||</span> <span class="s">(github.event_name == 'workflow_dispatch' &amp;&amp; github.event.inputs.action == 'create' &amp;&amp; needs.visitor-count-lambda-function-test.result == 'success')</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Infrastructure</span><span class="nv"> </span><span class="s">Deployment"</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">visitor-count-lambda-function-test</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">1.10.3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create terraform.tfvars</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt;EOF &gt; terraform/terraform.tfvars</span> <span class="s">acm_certificate_arn = "${{ secrets.ACM_CERTIFICATE_ARN }}"</span> <span class="s">aws_access_key_id = "${{ secrets.AWS_ACCESS_KEY_ID }}"</span> <span class="s">aws_secret_access_key = "${{ secrets.AWS_SECRET_ACCESS_KEY }}"</span> <span class="s">aws_region = "${{ secrets.AWS_REGION }}"</span> <span class="s">bucket_name = "${{ secrets.BUCKET_NAME }}"</span> <span class="s">domain_name = "${{ secrets.DOMAIN_NAME }}"</span> <span class="s">email_address = "${{ secrets.EMAIL_ADDRESS }}"</span> <span class="s">pagerduty_integration_url = "${{ secrets.PAGERDUTY_INTEGRATION_URL }}"</span> <span class="s">pagerduty_integration_key = "${{ secrets.PAGERDUTY_INTEGRATION_KEY }}"</span> <span class="s">slack_webhook_url = "${{ secrets.SLACK_WEBHOOK_URL }}"</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Mask AWS Account ID in Logs</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "::add-mask::${{ secrets.AWS_ACCOUNT_ID }}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">id</span><span class="pi">:</span> <span class="s">init</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd terraform &amp;&amp; terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Validate</span> <span class="na">id</span><span class="pi">:</span> <span class="s">validate</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd terraform &amp;&amp; terraform validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan</span> <span class="na">id</span><span class="pi">:</span> <span class="s">plan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd terraform &amp;&amp; terraform plan -out=tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">id</span><span class="pi">:</span> <span class="s">apply</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd terraform &amp;&amp; terraform apply -auto-approve tfplan</span> <span class="na">infrastructure-cleanup</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">(github.event_name == 'push' &amp;&amp; contains(github.event.head_commit.message, 'destroy')) ||</span> <span class="s">(github.event_name == 'workflow_dispatch' &amp;&amp; github.event.inputs.action == 'destroy')</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Infrastructure</span><span class="nv"> </span><span class="s">Cleanup"</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">1.10.3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create terraform.tfvars</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt;EOF &gt; terraform/terraform.tfvars</span> <span class="s">acm_certificate_arn = "${{ secrets.ACM_CERTIFICATE_ARN }}"</span> <span class="s">aws_access_key_id = "${{ secrets.AWS_ACCESS_KEY_ID }}"</span> <span class="s">aws_secret_access_key = "${{ secrets.AWS_SECRET_ACCESS_KEY }}"</span> <span class="s">aws_region = "${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="s">bucket_name = "${{ secrets.BUCKET_NAME }}"</span> <span class="s">domain_name = "${{ secrets.DOMAIN_NAME }}"</span> <span class="s">email_address = "${{ secrets.EMAIL_ADDRESS }}"</span> <span class="s">pagerduty_integration_url = "${{ secrets.PAGERDUTY_INTEGRATION_URL }}"</span> <span class="s">pagerduty_integration_key = "${{ secrets.PAGERDUTY_INTEGRATION_KEY }}"</span> <span class="s">slack_webhook_url = "${{ secrets.SLACK_WEBHOOK_URL }}"</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Mask AWS Account ID in Logs</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "::add-mask::${{ secrets.AWS_ACCOUNT_ID }}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">id</span><span class="pi">:</span> <span class="s">init</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd terraform &amp;&amp; terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Destroy</span> <span class="na">id</span><span class="pi">:</span> <span class="s">destroy</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd terraform &amp;&amp; terraform destroy -auto-approve</span> </code></pre> </div> <p><code>Deployment workflow run</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvwk9dfkgszxm1re68eoq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvwk9dfkgszxm1re68eoq.png" alt=" " width="800" height="371"></a></p> <h4> <strong>Challenges &amp; Strategies</strong> </h4> <p>When I started I had partial success of deployment here and there. I actually lost count of the number of <code>Workflow Runs</code> before I got a clean successful run. This section came with lots of debugging, learning to use <code>event</code>status and conditions to achieve my goal.</p> <h2> <strong>3. End-to-End Test with Cypress</strong> </h2> <p>In this Cypress workflow, I run tests on the deployed resume website to ensure its functionality after the infrastructure is successfully deployed. The workflow triggers once the <code>Deploy Infrastructure</code> workflow completes, confirming the deployment was successful before starting the Cypress tests. </p> <p>The tests check various elements on the page, such as verifying that my name appears, confirming the presence of key sections like "Professional Summary" and "Personal Project Experience," and ensuring links to my GitHub, LinkedIn, and blog work correctly. Additionally, I check the visitor count and ensure that no images are broken on the page. The results are then recorded and accessible in the Cypress Dashboard for analysis.</p> <h3> <strong>Cypress Workflow</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Cypress Tests</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_run</span><span class="pi">:</span> <span class="na">workflows</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">Deploy</span><span class="nv"> </span><span class="s">Infrastructure"</span><span class="pi">]</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">completed</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="c1"># Specify the branch(es) where the workflow should run</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">cypress-run</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event.workflow_run.conclusion == 'success'</span> <span class="c1"># Ensure the workflow only runs if the deployment succeeded</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">16'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm install</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Cypress run</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">cypress-io/github-action@v6</span> <span class="na">with</span><span class="pi">:</span> <span class="na">wait-on</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://fidelis-resume.fozdigitalz.com/'</span> <span class="na">wait-on-timeout</span><span class="pi">:</span> <span class="m">60</span> <span class="na">record</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">env</span><span class="pi">:</span> <span class="na">CYPRESS_RECORD_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.CYPRESS_RECORD_KEY }}</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Save Cypress status</span> <span class="na">id</span><span class="pi">:</span> <span class="s">cypress-status</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">if [ "${{ job.status }}" == "success" ]; then</span> <span class="s">echo "Cypress tests passed!"</span> <span class="s">echo "cypress-status=success" &gt;&gt; $GITHUB_OUTPUT</span> <span class="s">else</span> <span class="s">echo "Cypress tests failed!"</span> <span class="s">echo "cypress-status=failure" &gt;&gt; $GITHUB_OUTPUT</span> <span class="s">fi</span> </code></pre> </div> <p><code>Screenshot of successful End-to-End Design Test</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffk24z1rqofqzo6zt4s6x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffk24z1rqofqzo6zt4s6x.png" alt="End-to-End Cypress Test" width="800" height="421"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fon07ky7ev2t2ie1yy92n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fon07ky7ev2t2ie1yy92n.png" alt="End-to-End Cypress Test-2" width="800" height="442"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2u5mgd56e378dvbqozx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2u5mgd56e378dvbqozx.png" alt="End-to-End Cypress Test-2" width="800" height="399"></a></p> <h4> <strong>Challenges &amp; Strategies</strong> </h4> <p>Using Cypress made it easy to run the test. I got a good part of my workflow from my Cypress Cloud dashboard after creating an account and a project on the platform. I got the Cypress Token, which I added as <code>CYPRESS_RECORD_KEY</code> in my GitHub Actions workflow. This allowed Cypress to upload test logs, screenshots, and videos to the Cypress Cloud dashboard for easier debugging. With this setup, I could monitor test history and quickly identify any failures after each deployment.</p> <h2> <strong>4. Results</strong> </h2> <p>The implementation of this architecture has resulted in a <strong>highly reliable, secure, and scalable personal website</strong>. Using <strong>Cypress</strong>, I conducted end-to-end tests to validate critical functionalities, including the visitor count, custom domain with HTTPS, API Gateway integration, and other site components, ensuring everything works as expected. Screenshots of the test results and videos demonstrating the functionality are included below. The combination of serverless components (Lambda, API Gateway, DynamoDB), global content delivery via CloudFront, and robust security measures (DNSSEC, AWS WAF, HTTPS) ensures a performant, secure, and cost-efficient solution.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyqwamb8sl230yllepxyx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyqwamb8sl230yllepxyx.png" alt="Resume Page" width="800" height="397"></a></p> <h3> A quick rundown of the resume page </h3> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/P4FAqwBIZvw"> </iframe> </p> <h2> <strong>5. Conclusion &amp; Lessons Learnt</strong> </h2> <p>This project demonstrates how to build a scalable, secure, and cost-efficient serverless resume website on AWS. By leveraging Terraform for infrastructure as code and GitHub Actions for CI/CD, the entire deployment process is automated and reproducible. </p> <p>The use of serverless technologies ensures minimal operational overhead, while monitoring and alerting systems provide visibility into the system’s health. This project reinforced the importance of automation, security, and monitoring in cloud deployments. </p> <p>Overcoming challenges with API integrations, Terraform state management, and Lambda execution improved my troubleshooting skills and deepened my understanding of AWS services.</p> Fidelis Ikoroje Sun, 09 Feb 2025 17:14:23 +0000 https://dev.to/fidelisesq/deepseek-r1-deployment-on-aws-via-terraform-github-actions-32jp https://dev.to/fidelisesq/deepseek-r1-deployment-on-aws-via-terraform-github-actions-32jp <p>Hey there! In this blog post, I’m going to walk you through how I deployed the <strong>DeepSeek Model R1 8B</strong> on AWS using <strong>Terraform</strong> and <strong>GitHub Actions</strong>. If you’ve ever tried deploying a machine learning model, you know it can get pretty complicated—especially when you’re juggling multiple AWS services. To make things easier, I decided to automate the whole process using Terraform for infrastructure as code and GitHub Actions for CI/CD. Spoiler alert: it worked like a charm!</p> <p>This project involved setting up an EC2 instance, an Application Load Balancer (ALB), security groups, IAM roles, and even a custom domain using Route 53. The best part? Everything was automated, so I didn’t have to manually configure resources every time I made a change. Whether you’re a seasoned DevOps pro or just getting started with cloud deployments, I hope this walkthrough gives you some useful insights (and maybe saves you a few headaches along the way).</p> <h2> Table of Contents </h2> <ol> <li><strong>Introduction</strong></li> <li><strong>Project Overview</strong></li> <li> <strong>Terraform Configuration</strong> <ul> <li>Provider Configuration</li> <li>Security Groups</li> <li>Load Balancer (ALB)</li> <li>EC2 Instance</li> <li>IAM Roles and Instance Profile</li> <li>Route 53 DNS Record</li> <li>Terraform Backend (S3)</li> </ul> </li> <li> <strong>GitHub Actions Workflow</strong> <ul> <li>Workflow Triggers</li> <li>Setup Job</li> <li>Apply Job</li> <li>Post-Apply Job</li> <li>Destroy Job</li> </ul> </li> <li><strong>The Application in Action (Result)</strong></li> <li><strong>Challenges Faced &amp; Lessons Learned</strong></li> <li><strong>Future Improvements</strong></li> <li><strong>Conclusion</strong></li> </ol> <h2> 1. Introduction </h2> <p>Deploying machine learning models in production can be a complex task, especially when it involves multiple AWS services. To streamline this process, I used <strong>Terraform</strong> to define the infrastructure as code and <strong>GitHub Actions</strong> to automate the deployment pipeline. This approach ensures consistency, scalability, and repeatability.</p> <h2> 2. Project Overview </h2> <p>The goal of this project was to deploy the <strong>DeepSeek Model R1</strong> on AWS, making it accessible via a web interface (OpenWebUI) and an API (Ollama). The infrastructure includes:</p> <ul> <li> <strong>EC2 Instance</strong>: Hosts the DeepSeek model in a Docker container and associated services.</li> <li> <strong>Application Load Balancer (ALB)</strong>: Distributes traffic to the EC2 instance and handles SSL termination.</li> <li> <strong>Security Groups</strong>: Control inbound and outbound traffic to the ALB and EC2 instance.</li> <li> <strong>IAM Roles</strong>: Provide the necessary permissions for the EC2 instance.</li> <li> <strong>Route 53</strong>: Manages DNS records for the ALB. I just employed a cetificate I already have in us-east-1 and a ready public hosted zone in same region.</li> <li> <strong>Terraform Backend</strong>: Stores the Terraform state file in an S3 bucket for team collaboration.</li> </ul> <h2> 3. Terraform Configuration </h2> <p>The Terraform configuration is the backbone of this project. It defines all the AWS resources required for the deployment. Below is a breakdown of the key components:</p> <h3> Provider Configuration </h3> <p>The first step in the Terraform configuration is to define the AWS provider and specify the region:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> </code></pre> </div> <h3> Security Groups </h3> <p>Two security groups were created: one for the ALB and one for the EC2 instance. The ALB security group allows HTTPS traffic (port 443) and HTTP traffic (port 80) for testing purposes. It also allows TCP traffic on port 11434 for the Ollama API. The EC2 security group restricts traffic to only allow communication from the ALB on ports 8080 (OpenWebUI) and 11434 (Ollama API).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"alb_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek_alb_sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for ALB"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">11434</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">11434</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Load Balancer (ALB) </h3> <p>The ALB is configured to listen on ports 443 (HTTPS) and 80 (HTTP). The HTTP listener redirects traffic to HTTPS for secure communication. Additionally, I set up a separate listener for the Ollama API on port 11434. Although this is not needed because the OpenWebUI already exposes the Ollama API. I just needed to have it as a standby maybe for direct API access programmatically.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"deepseek_lb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek-alb"</span> <span class="nx">internal</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">load_balancer_type</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_ids</span> <span class="nx">enable_deletion_protection</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <h3> EC2 Instance </h3> <p>The EC2 instance is configured with a gp3 EBS volume (48GB) and an IAM role for necessary permissions. The instance is placed in a public subnet and associated with the EC2 security group. Note: <code>An instance with GPU support like p3.2xlarge, g4dn.xlarge etc would do better here to handle bigger model and process responses faster</code> but I didn't get one approved by AWS at the time of project execution. So, I used <code>c4.4xlarge</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"deepseek_ec2"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ami_id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">existing_key</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_subnet_id</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">deepseek_ec2_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="c1">#iam_instance_profile = aws_iam_instance_profile.deepseek_ec2_profile.name</span> <span class="nx">root_block_device</span> <span class="p">{</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="mi">48</span> <span class="nx">volume_type</span> <span class="p">=</span> <span class="s2">"gp3"</span> <span class="nx">delete_on_termination</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"DeepSeekModelInstance"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> IAM Roles and Instance Profile </h3> <p>An IAM role is created for the EC2 instance, allowing it to assume the role and access necessary AWS resources. At first, I wanted to copy the model from an S3 bucket, so I created this EC2 resource. So, I don't need this now because I opted to use a docker image but will keep it for future modifications.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"deepseek_ec2_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek_ec2_role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ec2.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_instance_profile"</span> <span class="s2">"deepseek_ec2_profile"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek_ec2_profile"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">deepseek_ec2_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <h3> Route 53 DNS Record </h3> <p>A Route 53 DNS record is created to map the ALB’s DNS name to a custom domain. Like I mentioned above, I used an already existing certificate to enable SSL and I also employed an existing hosted zone in us-east-1.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"deepseek_dns"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deepseek.fozdigitalz.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">deepseek_lb</span><span class="p">.</span><span class="nx">dns_name</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">deepseek_lb</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Terraform Backend (S3) </h3> <p>The Terraform state file is stored in an S3 bucket to enable team collaboration and state management.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"foz-terraform-state-bucket"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"infra.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Variables Configuration </h3> <p>The variables.tf file defines all the input variables required for the Terraform configuration. These variables make the configuration reusable and customizable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region to deploy resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Existing VPC ID where resources will be deployed"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Subnet ID for the ALB"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"public_subnet_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public subnet ID for the EC2 instance"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"key_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Key ID for EC2 instance"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"key_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the key pair to use for the EC2 instance"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ami_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Amazon Machine Image (AMI) ID"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"certificate_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ARN of the SSL certificate for HTTPS"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"hosted_zone_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the existing Route 53 hosted zone for fozdigitalz.com in us-east-1"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"terraform_state_bucket"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the S3 bucket for Terraform state"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Instance type for the EC2 instance"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"my_ip"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"IP address allowed to SSH"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h3> Terraform.tfvars </h3> <p>The <code>terraform.tfvars</code> file is used to assign values to the variables defined in variables.tf. This file is typically not committed to version control (e.g., Git) for security reasons, as it may contain sensitive information like AWS credentials. I added <code>terraform.tfvars</code> to <code>.gitignore</code> so it won't be tracked. I provided the variables and secrets in GitHub using <code>environment variables</code> and <code>secrets</code>. Also, the values below are made up and not real.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">aws_region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">vpc_id</span> <span class="err">=</span> <span class="s2">"vpc-1234567890abcdef0"</span> <span class="nx">subnet_ids</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"subnet-1234567890abcdef0"</span><span class="p">,</span> <span class="s2">"subnet-0987654321abcdef0"</span><span class="p">]</span> <span class="nx">public_subnet_id</span> <span class="err">=</span> <span class="s2">"subnet-1234567890abcdef0"</span> <span class="nx">key_name</span> <span class="err">=</span> <span class="s2">"my-key-pair"</span> <span class="nx">key_id</span> <span class="err">=</span> <span class="s2">"key-1234567890abcdef0"</span> <span class="nx">ami_id</span> <span class="err">=</span> <span class="s2">"ami-0abcdef1234567890"</span> <span class="nx">certificate_arn</span> <span class="err">=</span> <span class="s2">"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"</span> <span class="nx">hosted_zone_id</span> <span class="err">=</span> <span class="s2">"Z1234567890ABCDEF"</span> <span class="nx">terraform_state_bucket</span> <span class="err">=</span> <span class="s2">"foz-terraform-state-bucket"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"c4.4xlarge"</span> <span class="nx">my_ip</span> <span class="err">=</span> <span class="s2">"192.168.1.1/32"</span> </code></pre> </div> <h3> Output Configuration </h3> <p>The output.tf file defines the outputs that Terraform will display after applying the configuration. I used these outputs for retrieving information like the EC2 instance’s public IP or the ALB’s DNS name that are needed for my <code>Github Action workflow</code> to configure my EC2 instances.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"ec2_public_ip"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public IP address of the EC2 instance"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">deepseek_ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"lb_url"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"DNS name of the Application Load Balancer"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">deepseek_lb</span><span class="p">.</span><span class="nx">dns_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"deepseek_ec2_sg_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security Group ID of the EC2 instance"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">deepseek_ec2_sg</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> 4. GitHub Actions Workflow </h2> <p>The GitHub Actions workflow automates the deployment process. It consists of four main jobs: <strong>setup</strong>, <strong>apply</strong>, <strong>post-apply</strong>, and <strong>destroy</strong>. My workflow will be triggered by pushing to the main branch or manually through the GitHub UI using workflow dispatch with an input to choose the action (apply/destroy).</p> <h3> Workflow Triggers </h3> <p>The workflow is triggered on a push to the <code>main</code> branch or manually via the <code>workflow_dispatch</code> event. The manual trigger allows you to choose between <strong>apply</strong> (to create resources) and <strong>destroy</strong> (to tear down resources).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">action</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Choose</span><span class="nv"> </span><span class="s">action</span><span class="nv"> </span><span class="s">(apply/destroy)"</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">apply"</span> <span class="na">type</span><span class="pi">:</span> <span class="s">choice</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apply</span> <span class="pi">-</span> <span class="s">destroy</span> </code></pre> </div> <h3> Setup Job </h3> <p>The <strong>setup</strong> job initializes the environment by checking out the code, setting up Terraform, and configuring AWS credentials.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">setup</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> </code></pre> </div> <h3> Apply Job </h3> <p>The <strong>apply</strong> job runs Terraform to create the infrastructure. It generates a <code>terraform.tfvars</code> file using GitHub Secrets, initializes Terraform, and applies the configuration. This is where my <code>Github Actions Runner</code> SSH into my EC2 to install docker, pulls the images and deploy <code>Ollama</code> and <code>OpenWebUI</code>using Docker.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apply</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">setup</span> <span class="na">if</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(github.event_name == 'workflow_dispatch' &amp;&amp; github.event.inputs.action == 'apply') ||</span> <span class="s">(github.event_name == 'push' &amp;&amp; !contains(github.event.head_commit.message, 'destroy'))</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create terraform.tfvars</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt;EOF &gt; terraform.tfvars</span> <span class="s">ami_id = "${{ secrets.AMI_ID }}"</span> <span class="s">certificate_arn = "${{ secrets.CERTIFICATE_ARN }}"</span> <span class="s">vpc_id = "${{ secrets.VPC_ID }}"</span> <span class="s">subnet_ids = [${{ secrets.SUBNET_IDS }}]</span> <span class="s">key_name = "${{ secrets.KEY_NAME }}"</span> <span class="s">key_id = "${{ secrets.KEY_ID }}"</span> <span class="s">hosted_zone_id = "${{ secrets.HOSTED_ZONE_ID }}"</span> <span class="s">instance_type = "${{ secrets.INSTANCE_TYPE }}"</span> <span class="s">my_ip = "${{ secrets.MY_IP }}"</span> <span class="s">aws_access_key_id = "${{ secrets.AWS_ACCESS_KEY_ID }}"</span> <span class="s">aws_secret_access_key = "${{ secrets.AWS_SECRET_ACCESS_KEY }}"</span> <span class="s">aws_region = "${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="s">public_subnet_id = "${{ secrets.PUBLIC_SUBNET_ID }}"</span> <span class="s">terraform_state_bucket = "${{ secrets.TERRAFORM_STATE_BUCKET }}"</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init \</span> <span class="s">-backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}" \</span> <span class="s">-backend-config="key=infra.tfstate" \</span> <span class="s">-backend-config="region=${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform plan -out=tfplan -var-file=terraform.tfvars</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform apply -auto-approve -var-file=terraform.tfvars</span> </code></pre> </div> <h3> Post-Apply Job </h3> <p>The <strong>post-apply</strong> job retrieves Terraform outputs, updates the EC2 security group to allow SSH access from the GitHub runner, installs Docker on the EC2 instance, and deploys the DeepSeek Model and OpenWebUI using Docker.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">post_apply</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">apply</span> <span class="na">if</span><span class="pi">:</span> <span class="s">success()</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Retrieve Terraform Outputs</span> <span class="na">id</span><span class="pi">:</span> <span class="s">tf_outputs</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "Retrieving Terraform Outputs..."</span> <span class="s">echo "EC2_PUBLIC_IP=$(terraform output -raw ec2_public_ip)" &gt;&gt; $GITHUB_ENV</span> <span class="s">echo "LB_DNS=$(terraform output -raw lb_url)" &gt;&gt; $GITHUB_ENV</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Retrieve EC2 Security Group ID</span> <span class="na">id</span><span class="pi">:</span> <span class="s">get_sg_id</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">SECURITY_GROUP_ID=$(terraform output -raw deepseek_ec2_sg_id)</span> <span class="s">echo "SECURITY_GROUP_ID=$SECURITY_GROUP_ID" &gt;&gt; $GITHUB_ENV</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add GitHub Runner IP to Security Group</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">RUNNER_IP=$(curl -s https://checkip.amazonaws.com)</span> <span class="s">echo "Runner IP: $RUNNER_IP"</span> <span class="s">aws ec2 authorize-security-group-ingress \</span> <span class="s">--group-id "${{ env.SECURITY_GROUP_ID }}" \</span> <span class="s">--protocol tcp \</span> <span class="s">--port 22 \</span> <span class="s">--cidr "$RUNNER_IP/32" || echo "Failed to add rule to EC2 Security Group"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for Security Group to Update</span> <span class="na">run</span><span class="pi">:</span> <span class="s">sleep </span><span class="m">12</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Save SSH Private Key</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">mkdir -p ~/.ssh</span> <span class="s">echo "${{ secrets.SSH_PRIVATE_KEY }}" | base64 --decode &gt; ~/.ssh/my-key.pem</span> <span class="s">chmod 600 ~/.ssh/my-key.pem</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify SSH Connection</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">ssh -o StrictHostKeyChecking=no -i ~/.ssh/my-key.pem ubuntu@${{ env.EC2_PUBLIC_IP }} </span> <span class="s">echo "SSH Connection Successful"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Docker on EC2</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">ssh -o StrictHostKeyChecking=no -i ~/.ssh/my-key.pem ubuntu@${{ env.EC2_PUBLIC_IP }} &lt;&lt;EOF</span> <span class="s">sudo apt-get update</span> <span class="s">sudo apt-get install -y docker.io docker-compose</span> <span class="s">sudo systemctl enable docker</span> <span class="s">sudo systemctl start docker</span> <span class="s">sudo usermod -aG docker ubuntu</span> <span class="s">sudo sed -i 's/^ENABLED=1/ENABLED=0/' /etc/apt/apt.conf.d/20auto-upgrades</span> <span class="s">sudo reboot</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for EC2 Instance to Reboot</span> <span class="na">run</span><span class="pi">:</span> <span class="s">sleep </span><span class="m">60</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run DeepSeek Model and WebUI via Docker</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">ssh -o StrictHostKeyChecking=no -i ~/.ssh/my-key.pem ubuntu@${{ env.EC2_PUBLIC_IP }} &lt;&lt;EOF</span> <span class="s">docker run -d -v ollama:/root/.ollama -p 11434:11434 --name ollama ollama/ollama</span> <span class="s">sleep 20</span> <span class="s">docker exec ollama ollama pull deepseek-r1:8b</span> <span class="s">sleep 15</span> <span class="s">docker exec -d ollama ollama serve</span> <span class="s">sleep 15</span> <span class="s">docker run -d -p 8080:8080 --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:main</span> <span class="s">sleep 15</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Confirm WebUI is Running &amp; Accessible via Custom Domain</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">ssh -o StrictHostKeyChecking=no -i ~/.ssh/my-key.pem ubuntu@${{ env.EC2_PUBLIC_IP }} &lt;&lt;EOF</span> <span class="s">curl -I https://deepseek.fozdigitalz.com</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Remove GitHub Runner IP from Security Group</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">RUNNER_IP=$(curl -s https://checkip.amazonaws.com)</span> <span class="s">echo "Removing Runner IP: $RUNNER_IP"</span> <span class="s">aws ec2 revoke-security-group-ingress \</span> <span class="s">--group-id "${{ env.SECURITY_GROUP_ID }}" \</span> <span class="s">--protocol tcp \</span> <span class="s">--port 22 \</span> <span class="s">--cidr "$RUNNER_IP/32"</span> </code></pre> </div> <h3> Destroy Job </h3> <p>The <strong>destroy</strong> job tears down the infrastructure when triggered manually or via a commit message containing "destroy".<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">destroy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">setup</span> <span class="na">if</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(github.event_name == 'workflow_dispatch' &amp;&amp; github.event.inputs.action == 'destroy') ||</span> <span class="s">(github.event_name == 'push' &amp;&amp; contains(github.event.head_commit.message, 'destroy'))</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create terraform.tfvars</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &lt;&lt;EOF &gt; terraform.tfvars</span> <span class="s">ami_id = "${{ secrets.AMI_ID }}"</span> <span class="s">certificate_arn = "${{ secrets.CERTIFICATE_ARN }}"</span> <span class="s">vpc_id = "${{ secrets.VPC_ID }}"</span> <span class="s">subnet_ids = [${{ secrets.SUBNET_IDS }}]</span> <span class="s">key_name = "${{ secrets.KEY_NAME }}"</span> <span class="s">key_id = "${{ secrets.KEY_ID }}"</span> <span class="s">hosted_zone_id = "${{ secrets.HOSTED_ZONE_ID }}"</span> <span class="s">instance_type = "${{ secrets.INSTANCE_TYPE }}"</span> <span class="s">my_ip = "${{ secrets.MY_IP }}"</span> <span class="s">aws_access_key_id = "${{ secrets.AWS_ACCESS_KEY_ID }}"</span> <span class="s">aws_secret_access_key = "${{ secrets.AWS_SECRET_ACCESS_KEY }}"</span> <span class="s">aws_region = "${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="s">public_subnet_id = "${{ secrets.PUBLIC_SUBNET_ID }}"</span> <span class="s">terraform_state_bucket = "${{ secrets.TERRAFORM_STATE_BUCKET }}"</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init &amp; Destroy</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init -reconfigure \</span> <span class="s">-backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}" \</span> <span class="s">-backend-config="key=infra.tfstate" \</span> <span class="s">-backend-config="region=${{ secrets.AWS_DEFAULT_REGION }}"</span> <span class="s">terraform destroy -auto-approve -var-file=terraform.tfvars</span> </code></pre> </div> <p><code>Completed workflow run</code></p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Falaydbaybfe7t092i1fs.png" alt="Workflow-run-completed" width="800" height="370"> </h2> <h2> <strong>5. The Application in Action (Result)</strong> </h2> <p>After successfully deploying the DeepSeek Model R1 on AWS, I was able to access the OpenWebUI and interact with the model. Below are some screenshots demonstrating the setup and functionality:</p> <h3> <strong>I. OpenWebUI Interface</strong> </h3> <p>The OpenWebUI provides a user-friendly interface for interacting with the DeepSeek Model R1. Here’s a screenshot of the dashboard:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy1ue7j8mj06v0m0asygh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy1ue7j8mj06v0m0asygh.png" alt="Getting-started" width="800" height="398"></a></p> <p><em>The OpenWebUI dashboard, accessible via the custom domain <code>deepseek.fozdigitalz.com</code>.</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8z4o1z89e7grw2v5xth7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8z4o1z89e7grw2v5xth7.png" alt=" " width="800" height="399"></a></p> <h3> <strong>II. Model Interaction</strong> </h3> <p>I tested the model by asking it a few questions. Here’s an example of the model’s response:<br> <code>The DeepSeek Model R1 generating a response to a sample query.</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg2yevlrduq32r2x4q39m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg2yevlrduq32r2x4q39m.png" alt="Model-response-1" width="800" height="393"></a><br> <code>Sample model response 11</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3kmlw7os2fkovwy4qcn8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3kmlw7os2fkovwy4qcn8.png" alt="Model-response-11" width="800" height="398"></a><br> <code>Sample mode response 12</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv90wynrv6j7r9zkjew5u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv90wynrv6j7r9zkjew5u.png" alt="Model-response-21" width="800" height="399"></a><br> <code>Sample model response 21</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fffrmnecjdgtfc091x3nj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fffrmnecjdgtfc091x3nj.png" alt="Model-response-22" width="800" height="404"></a><br> <code>Sample model response 22</code></p> <h3> <strong>III. Infrastructure Clean Up</strong> </h3> <p>I can destroy my infrastructure when I trigger my workflow in different ways. My workflow will be triggered by pushing to the main branch or manually through the GitHub UI using workflow dispatch with an input to choose the action (apply/destroy).</p> <ul> <li>By manually triggering the workflow from the GitHub UI and selecting the <code>destroy</code> action.</li> <li>By pushing to the <code>main</code> branch with a commit message that contains the word <code>destroy.</code> </li> <li>By running the command <code>gh workflow run "workflow name" --field action=destroy</code> locally but you must have the Github CLI installed for this to work. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frdmende39mzmy82v2ut4.png" alt="terraform destroy" width="800" height="398"> <code>Infrastructure cleanup using terraform</code> </li> </ul> <h3> <strong>IV. Model Performance Metrics &amp; Instance Metrics</strong> </h3> <p>I measured the model’s response time and resource utilization. Here’s a summary of the performance:</p> <ul> <li> <strong>Average Response Time</strong>: 3.06 minutes</li> <li> <strong>CPU Utilization</strong>: 26.8%</li> <li> <strong>Memory Usage</strong>: 13.65GB <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7t1b34y7olwhwq65p94t.png" alt="CPU metrics" width="800" height="259"> </li> </ul> <h2> 6. Challenges Faced &amp; Lessons Learned </h2> <p>Deploying the DeepSeek Model R1 on AWS using Terraform and GitHub Actions presented several challenges, each of which taught valuable lessons for improving the deployment process and infrastructure design.</p> <h3> <strong>1. Security Configuration</strong> </h3> <ul> <li> <strong>Challenge</strong>: Configuring security groups and IAM roles to balance accessibility and security was complex. Misconfigurations could expose the EC2 instance or over-privilege IAM roles.</li> <li> <strong>Lesson Learned</strong>: Follow the principle of least privilege. Restrict SSH access to specific IPs, limit IAM permissions, and ensure only necessary ports are open.</li> </ul> <h3> <strong>2. Workflow Reliability</strong> </h3> <ul> <li> <strong>Challenge</strong>: My workflow failed countless times owing to different issues from terraform config to secerts and variables and I had to troubleshoot the issue on different ocassions employing debugging. The EC2 instance required a reboot after Docker installation, causing delays in the GitHub Actions workflow. Without proper handling, subsequent steps could fail.</li> <li> <strong>Lesson Learned</strong>: Automate delays (e.g., <code>sleep</code>) and post-reboot tasks to ensure smooth workflow execution. Modularize the workflow for better reliability.</li> </ul> <h3> <strong>3. State and Code Management</strong> </h3> <ul> <li> <strong>Challenge</strong>: Managing the Terraform state file in S3 and maintaining a monolithic configuration led to potential security risks and reduced reusability. </li> <li> <strong>Lesson Learned</strong>: Use versioning, encryption, and access controls for the Terraform state. Break configurations into reusable modules for better organization and maintainability.</li> </ul> <h2> 7. Future Improvements </h2> <p>While the deployment process is now functional, there are opportunities I may consider to enhance scalability, security, and cost-efficiency.</p> <h3> <strong>1. Scalability</strong> </h3> <ul> <li>Implement <strong>auto-scaling</strong> for the EC2 instance to handle varying loads and ensure optimal performance during peak usage.</li> </ul> <h3> <strong>2. Monitoring and Security</strong> </h3> <ul> <li>Add <strong>CloudWatch alarms and logs</strong> for real-time monitoring and troubleshooting. Enhance security by using <strong>AWS Systems Manager</strong> for instance management instead of SSH.</li> </ul> <h3> <strong>3. Cost Optimization</strong> </h3> <ul> <li>Explore <strong>spot instances</strong> or <strong>reserved instances</strong> to reduce costs. Additionally, consider upgrading to <strong>GPU-powered instances</strong> for better performance if the model is computationally intensive.</li> </ul> <h2> 8. Conclusion </h2> <p>Deploying the DeepSeek Model R1 on AWS using Terraform and GitHub Actions was a rewarding experience. It not only streamlined the deployment process but also provided a scalable and secure infrastructure. By automating the deployment pipeline, I ensured consistency and repeatability, making it easier to manage and update the infrastructure in the future.</p> Fidelis Ikoroje Sat, 28 Dec 2024 20:15:12 +0000 https://dev.to/fidelisesq/rabbitmq-monitoring-with-prometheus-and-grafana-4kj6 https://dev.to/fidelisesq/rabbitmq-monitoring-with-prometheus-and-grafana-4kj6 <p>In this project, I completed two setups for RabbitMQ monitoring with Prometheus and Grafana. The first setup is a <strong>local Docker Compose setup</strong> for quick testing while the other is a <strong>3-node RabbitMQ cluster setup on AWS EC2</strong> for scalability and real-world applications.</p> <h2> Overview of the Project </h2> <p>RabbitMQ is a popular message broker that plays a crucial role in distributed systems. This project aimed to:<br> I. Set up a RabbitMQ environment both locally and on AWS.<br> II. Monitor RabbitMQ metrics using Prometheus and visualize them with Grafana.<br> III. Test the message queuing system using Python scripts.</p> <h3> Part 1: Local RabbitMQ Setup Using Docker Compose </h3> <p><strong>Why Local Setup?</strong><br><br> The local setup serves as a quick testing environment before deploying to the cloud.</p> <p><strong>Steps to Set Up:</strong></p> <p>I. <strong>Clone the RabbitMQ Repository:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git clone https://github.com/rabbitmq/rabbitmq-server.git <span class="nb">cd </span>rabbitmq-server/deps/rabbitmq_prometheus/docker </code></pre> </div> <p>II. <strong>Run Docker Compose:</strong><br> Use Docker Compose to start the RabbitMQ cluster and Prometheus instance, along with a basic workload to generate meaningful metrics. This will start a RabbitMQ cluster, Prometheus, and Grafana with predefined configurations, collecting metrics from RabbitMQ.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> docker-compose <span class="nt">-f</span> docker-compose-metrics.yml up <span class="nt">-d</span> docker-compose <span class="nt">-f</span> docker-compose-overview.yml up <span class="nt">-d</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdije139qnjtp88gg3tz4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdije139qnjtp88gg3tz4.png" alt="docker_compose_metrics" width="800" height="369"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F36l02ap6cq2io1bmdnqh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F36l02ap6cq2io1bmdnqh.png" alt="Rabbit_Metrics" width="800" height="201"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fywsuyxnbnvcwoajs0i79.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fywsuyxnbnvcwoajs0i79.png" alt="Docker_Containers" width="800" height="176"></a></p> <p>III. <strong>Access RabbitMQ Dashboard:</strong></p> <ul> <li>URL: <code>http://localhost:15672</code> </li> <li>Default credentials: Username: <code>guest</code> Password: <code>guest</code> </li> </ul> <p>IV. <strong>Access Grafana Dashboard:</strong> </p> <ul> <li>URL: <code>http://localhost:3000</code> </li> <li>Default credentials: Username: <code>admin</code> Password: <code>admin</code> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv7ftl3375qtg2j3h1mof.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv7ftl3375qtg2j3h1mof.png" alt=" " width="800" height="375"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxzp9p93g5r46w34ieyyk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxzp9p93g5r46w34ieyyk.png" alt="Grafana_metrics_2" width="800" height="373"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gn88euercm3yw3yjb7w.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gn88euercm3yw3yjb7w.png" alt="Grafana_metrics_3" width="800" height="378"></a></p> <h3> Part 2: RabbitMQ 3-Node Cluster on AWS EC2 </h3> <p><strong>Why a Cluster?</strong><br><br> To ensure high availability and load distribution in production.</p> <h4> Prerequisites </h4> <p>3 AWS EC2 instances running Ubuntu 24.04 for RabbitMQ and one each for Prometheus and Grafana. Configure the Security Groups as follows:</p> <ul> <li> <p><strong>RabbitMQ Security Groups</strong>:</p> <ul> <li>Allow SSH (port 22) from your IP.</li> <li>Allow RabbitMQ Management UI (port 15672) from your IP.</li> <li>Allow RabbitMQ Prometheus Metrics (port 15692) from Prometheus instance SG.</li> </ul> </li> <li> <p><strong>Prometheus Security Groups</strong>:</p> <ul> <li>Allow HTTP (port 80) from your IP.</li> <li>Allow HTTPS (port 443) from your IP.</li> <li>Allow Grafana (port 3000) from your IP.</li> </ul> </li> <li> <p><strong>Grafana Security Groups</strong>:</p> <ul> <li>Allow HTTP (port 80) from your IP.</li> <li>Allow HTTPS (port 443) from your IP.</li> </ul> </li> </ul> <h4> Step-by-Step Guide </h4> <p>I. <strong>Install RabbitMQ on All 3 Nodes:</strong><br> Use a <strong>bash script</strong> as EC2 user data during instance launch or save it and run it on each EC2 instance. The bash script I used is named <code>rabbitmq_installation.sh</code> in my <a href="https://github.com/Fidelisesq/Cloud-DevOps-Daily-Challenge/tree/main/Day-4" rel="noopener noreferrer">git repository</a>. It includes all the plugins needed to help Prometheus scrape metrics from RabbitMQ.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhyrgsq79tbet6xd6frbb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhyrgsq79tbet6xd6frbb.png" alt="RabbitMQ_Nodes_Running" width="800" height="277"></a></p> <p>II. <strong>Cluster Configuration:</strong></p> <ul> <li> <p>Verify Erlang cookie consistency:<br> </p> <pre class="highlight shell"><code> <span class="nb">sudo cat</span> /var/lib/rabbitmq/.erlang.cookie </code></pre> <p>Ensure the same cookie is on all 3 RabbitMQ EC2 nodes.</p> </li> <li> <p>Join nodes to form a cluster:<br> Pick one EC2 as reference and run the commands below on the other two EC2's.<br> </p> <pre class="highlight shell"><code> <span class="nb">sudo </span>rabbitmqctl stop_app <span class="nb">sudo </span>rabbitmqctl reset <span class="nb">sudo </span>rabbitmqctl join_cluster rabbit@&lt;master-node-hostname&gt; <span class="nb">sudo </span>rabbitmqctl start_app </code></pre> </li> </ul> <p>III. <strong>Verify Cluster Status:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">sudo </span>rabbitmqctl cluster_status </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foozbifofrfm1a44yfbg8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foozbifofrfm1a44yfbg8.png" alt="3-EC2 Nodes Joined" width="800" height="411"></a></p> <h3> Part 3: Monitoring with Prometheus and Grafana </h3> <h4> Prometheus Setup on AWS EC2 </h4> <p>I. <strong>Install Prometheus Using a Bash Script:</strong><br> I used a Bash script named <code>prometheus.sh</code> saved in my <a href="https://github.com/Fidelisesq/Cloud-DevOps-Daily-Challenge/tree/main/Day-4" rel="noopener noreferrer">git repository</a> to install Prometheus and it includes all the plugins needed. Save this script on your Prometheus EC2 and run the script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ./prometheus.sh </code></pre> </div> <p>II. <strong>Configure Prometheus:</strong><br> Edit <code>prometheus.yml</code> to scrape RabbitMQ metrics:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">scrape_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">rabbitmq'</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">&lt;rabbitmq-node-1-ip&gt;:15692'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">&lt;rabbitmq-node-2-ip&gt;:15692'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">&lt;rabbitmq-node-3-ip&gt;:15692'</span><span class="pi">]</span> </code></pre> </div> <p>III. <strong>Run Prometheus:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> /usr/local/prometheus/prometheus <span class="nt">--config</span>.file<span class="o">=</span>/usr/local/prometheus/prometheus.yml </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqhv2vxfiamc2p4taoq2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqhv2vxfiamc2p4taoq2.png" alt="Prometheus_UI_Showing_RabbitMQ_Cluster" width="800" height="373"></a></p> <h4> Grafana Setup on AWS EC2 </h4> <p>I. <strong>Install Grafana Using a Bash Script:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c">#!/bin/bash</span> <span class="nb">sudo </span>apt update <span class="nt">-y</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> wget unzip wget https://dl.grafana.com/enterprise/release/grafana-enterprise-11.4.0.linux-arm64.tar.gz <span class="nb">tar </span>xvf grafana-enterprise-11.4.0.linux-arm64.tar.gz <span class="nb">sudo mv </span>grafana-11.4.0 /usr/local/grafana <span class="nb">echo</span> <span class="s1">'Grafana installed.'</span> </code></pre> </div> <p>II. <strong>Configure Grafana:</strong></p> <ul> <li>Add Prometheus as a data source in Grafana</li> <li>Import RabbitMQ dashboards - the file is named <code>RabbitMQ-Overview.json</code> </li> </ul> <p>III. <strong>Verify Metrics on Grafana:</strong></p> <ul> <li>URL: <code>http://&lt;grafana-ip&gt;:3000</code> </li> <li>Navigate to imported RabbitMQ dashboards to monitor metrics.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhyqfrzta3xlk1t7n77ci.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhyqfrzta3xlk1t7n77ci.png" alt="Grafana_running" width="800" height="381"></a></p> <h3> Part 4: Testing the Message Queue </h3> <p>Using Python scripts, I tested message publishing and consumption:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pika</span> <span class="c1"># Connection setup </span><span class="n">credentials</span> <span class="o">=</span> <span class="n">pika</span><span class="p">.</span><span class="nc">PlainCredentials</span><span class="p">(</span><span class="sh">'</span><span class="s">guest</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">guest</span><span class="sh">'</span><span class="p">)</span> <span class="n">connection</span> <span class="o">=</span> <span class="n">pika</span><span class="p">.</span><span class="nc">BlockingConnection</span><span class="p">(</span><span class="n">pika</span><span class="p">.</span><span class="nc">ConnectionParameters</span><span class="p">(</span><span class="sh">'</span><span class="s">rabbitmq-node-ip</span><span class="sh">'</span><span class="p">,</span> <span class="n">credentials</span><span class="o">=</span><span class="n">credentials</span><span class="p">))</span> <span class="n">channel</span> <span class="o">=</span> <span class="n">connection</span><span class="p">.</span><span class="nf">channel</span><span class="p">()</span> <span class="c1"># Declare queue </span><span class="n">channel</span><span class="p">.</span><span class="nf">queue_declare</span><span class="p">(</span><span class="n">queue</span><span class="o">=</span><span class="sh">'</span><span class="s">test_queue</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Publish message </span><span class="n">channel</span><span class="p">.</span><span class="nf">basic_publish</span><span class="p">(</span><span class="n">exchange</span><span class="o">=</span><span class="sh">''</span><span class="p">,</span> <span class="n">routing_key</span><span class="o">=</span><span class="sh">'</span><span class="s">test_queue</span><span class="sh">'</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="sh">'</span><span class="s">Hello RabbitMQ!</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Message published.</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Consume message </span><span class="k">def</span> <span class="nf">callback</span><span class="p">(</span><span class="n">ch</span><span class="p">,</span> <span class="n">method</span><span class="p">,</span> <span class="n">properties</span><span class="p">,</span> <span class="n">body</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Received: </span><span class="si">{</span><span class="n">body</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">channel</span><span class="p">.</span><span class="nf">basic_consume</span><span class="p">(</span><span class="n">queue</span><span class="o">=</span><span class="sh">'</span><span class="s">test_queue</span><span class="sh">'</span><span class="p">,</span> <span class="n">on_message_callback</span><span class="o">=</span><span class="n">callback</span><span class="p">,</span> <span class="n">auto_ack</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">channel</span><span class="p">.</span><span class="nf">start_consuming</span><span class="p">()</span> </code></pre> </div> <p><code>Grafana showing metrics scrapped by Prometheus</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvarj466whhgkv5mszpd9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvarj466whhgkv5mszpd9.png" alt="Grafana_showing_metrics" width="800" height="385"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiz5cfpbp3etwy38dtfdm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiz5cfpbp3etwy38dtfdm.png" alt="Grafana_showing_metrics_2" width="800" height="371"></a></p> <h3> Final Thoughts </h3> <p>This project showcased the power of RabbitMQ in a distributed setup and the importance of monitoring using Prometheus and Grafana. Whether for testing or production, the tools and techniques used here ensure a scalable and observable messaging system.</p> aws monitoring devops prometheus Fidelis Ikoroje Sat, 07 Dec 2024 08:14:25 +0000 https://dev.to/fidelisesq/distributed-logging-system-with-rabbitmq-4d0e https://dev.to/fidelisesq/distributed-logging-system-with-rabbitmq-4d0e <p>I have covered the setup procedure for my centralised distributed logging system. This system is essential for log management, message queues, and monitoring, which are critical to modern DevOps practices. The system setup includes a log producer and consumer system using RabbitMQ, which can aggregate them into a file for analysis.</p> <h2> System Setup Guide </h2> <h3> 1. Install RabbitMQ </h3> <p>First, install RabbitMQ on your server. Follow the installation instructions for your specific operating system from the official RabbitMQ website: <a href="https://www.rabbitmq.com/download.html" rel="noopener noreferrer">https://www.rabbitmq.com/download.html</a>. I installed RabbitMQ on AWS EC2 running Ubuntu<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install </span>rabbitmq-server <span class="nt">-y</span> </code></pre> </div> <p><code>Note: Ensure you add an inbound rule in the EC2 Security Group that allows SSH preferably from your IP alone</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hiqx4axvy7cbpq5clc1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hiqx4axvy7cbpq5clc1.png" alt="RabbitMQ_server_running" width="800" height="336"></a></p> <h3> 2. Enable RabbitMQ Management Plugin </h3> <p>The management plugin provides a user interface and HTTP-based API for managing RabbitMQ. Run the following command to enable it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>rabbitmq-plugins <span class="nb">enable </span>rabbitmq_management </code></pre> </div> <p><em>This command enables the RabbitMQ management plugin, allowing access to the web-based management interface.</em></p> <h3> 3. Create a New User </h3> <p>Create a new RabbitMQ user with a specific username and password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rabbitmqctl add_user rabituser secret_password </code></pre> </div> <p><em>This command creates a new user named <code>rabbituser</code> with the password <code>secret_password</code>.</em></p> <h3> 4. Set Permissions for the User </h3> <p>Grant the user permissions to access and manage resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rabbitmqctl set_permissions <span class="nt">-p</span> / rabbituser <span class="s2">".*"</span> <span class="s2">".*"</span> <span class="s2">".*"</span> </code></pre> </div> <p><em>This command gives the user <code>rabbituser</code> full permissions (read, write, and configure) on the default virtual host <code>/</code>.</em></p> <h3> 5. Add Management Tag to the User </h3> <p>Grant the user access to the RabbitMQ management interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rabbitmqctl set_user_tags rabbituser management </code></pre> </div> <p><em>This command adds the <code>management</code> tag to the user <code>rabbituser</code>, allowing them to log in to the RabbitMQ management interface.</em></p> <h3> 6. Configuring External Network Access </h3> <p>Edit the <code>/etc/rabbitmq/rabbitmq.conf</code> file to allow external access because <code>RabbitMQ</code> blocks localhost access by default. Add the configuration.<br> </p> <p><code>listeners.tcp.default = 5672</code><br> </p> <p>Now restart the system<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart rabbitmq-server </code></pre> </div> <h3> 7. Add a Queue </h3> <p>Once logged in, follow these steps to add a queue:</p> <ul> <li>Click on the "Queues" tab.</li> <li>Click on "Add a new queue".</li> <li>Enter the name of the queue (e.g., <code>logs_queue</code>) and configure any additional settings as needed.</li> <li>Click the "Add queue" button to create the queue.</li> </ul> <h3> 8. Adding Queue via CLI (Optional) </h3> <p>Alternatively, you can add a queue using the <code>rabbitmqadmin</code> command-line tool:</p> <ol> <li> <strong>Download <code>rabbitmqadmin</code></strong>: Navigate to <code>http://&lt;your_rabbitmq_server&gt;:15672/cli/rabbitmqadmin</code> to download the tool.</li> <li> <strong>Make it executable</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">chmod</span> +x rabbitmqadmin </code></pre> </div> <ol> <li> <strong>Declare a Queue</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ./rabbitmqadmin <span class="nb">declare </span>queue <span class="nv">name</span><span class="o">=</span>logs_queue <span class="nv">durable</span><span class="o">=</span><span class="nb">true</span> </code></pre> </div> <p><em>This command creates a durable queue named <code>logs_queue</code>.</em></p> <h3> 9. Access the RabbitMQ Management Interface </h3> <p>Open your web browser and navigate to <code>http://&lt;your_rabbitmq_server&gt;:15672/</code>. Log in with the username <code>rabbituser</code> and the password you set to verify that <code>logs_queue</code> that you created exists. <br> You may also verify using CLI command to see the queue<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>rabbitmqctl list_queues </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lh7ti7uuzbnocfyua1f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lh7ti7uuzbnocfyua1f.png" alt="logs_queue_web" width="800" height="397"></a></p> <h3> 10. Install Required Python Libraries </h3> <p>Install pika and write a python script that will produce logs and consume them. See tutorial on Rabbitmq Documentation <a href="https://www.rabbitmq.com/tutorials/tutorial-one-python" rel="noopener noreferrer">https://www.rabbitmq.com/tutorials/tutorial-one-python</a> or check my script log_producer.py &amp; log_aggregtor.py on my <a href="https://github.com/Fidelisesq/Cloud-DevOps-Daily-Challenge/blob/main/Day-3/log_aggregator.py" rel="noopener noreferrer">github</a></p> <p>Install pika<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pip install pika </code></pre> </div> <p>Run the producer script<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">python3</span> <span class="n">log_prodcer</span><span class="p">.</span><span class="n">py</span> <span class="sh">"</span><span class="s">Log Entry 1: Data ready for processing in AWS Lambda</span><span class="sh">"</span> </code></pre> </div> <p>Run the consumer script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">python3</span> <span class="n">log</span> <span class="n">aggregator</span><span class="p">.</span><span class="n">py</span> </code></pre> </div> <p><code>Note:</code> Perform step 10 several times with different messages to send and capture multiple logs</p> <h3> 11. Verify Logs </h3> <p>Open the <code>aggregated_logs.txt</code> file to ensure all logs are captured</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fen0gjk2hljbqgw2cfoeq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fen0gjk2hljbqgw2cfoeq.png" alt="log_entries" width="800" height="214"></a></p> <h2> Challenges </h2> <ul> <li>Port configuration and permission management. At first, I could not create the <code>logs_queue</code> as it was returning <code>Access Denied</code>. Then, I granted my user the needed permission to vHosts and created EC2 Security group that allows TCP port 15672 to access the RabbitMQ management console.</li> <li>After creating a queue successfully, I could not log in to the <code>RabbitMQ Management</code> console with the credentials I created. I discovered I had to tag the user as part of <code>Management</code> to be able to log in. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">rabbitmqctl</span> <span class="n">set_user_tags</span> <span class="n">username</span> <span class="n">management</span> </code></pre> </div> <h2> Key Learnings </h2> <ul> <li>Enabling Management Plugin: I learnt to enable and use the RabbitMQ management plugin for web-based monitoring and management.</li> <li>User and Permission Management: Gained skills in creating users, setting passwords, and managing permissions in RabbitMQ.</li> <li>Queue Management: I learned how to create and manage queues both via the management interface and command line.</li> <li>Port Configuration: Understanding the importance of configuring and managing RabbitMQ ports (5672 for AMQP traffic and 15672 for the management console). </li> </ul> webdev aws rabbitmq devops Fidelis Ikoroje Fri, 29 Nov 2024 23:14:11 +0000 https://dev.to/fidelisesq/advanced-aws-s3-bucket-metadata-manipulation-3aem https://dev.to/fidelisesq/advanced-aws-s3-bucket-metadata-manipulation-3aem <h2> Objective </h2> <p>Using a Python script to analyse, modify, and optimise AWS S3 bucket metadata from a JSON file. The script should achieve the following:</p> <ul> <li>Print a summary of each bucket: Name, region, size (in GB), and versioning status</li> <li>Identify buckets larger than 80 GB from every region which are unused for 90+ days.</li> <li>Generate a cost report: total s3 buckets cost grouped by region and department. Highlight buckets with: <ul> <li>Size &gt; 50 GB: Recommend cleanup operations.</li> <li>Size &gt; 100 GB and not accessed in 20+ days should be added to a deletion queue.</li> </ul> </li> <li>Provide a final list of buckets to delete (from the deletion queue). For archival candidates, suggest moving to Glacier.</li> </ul> <h2> Prerequisite </h2> <ul> <li>Install Python 3 on your system</li> <li>JSON file (buckets.json) containing S3 bucket metadata</li> </ul> <h2> Script Documentation &amp; Explanation </h2> <h3> Task 1: Importing Necessary Modules </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> </code></pre> </div> <ul> <li>json: This module is used to parse JSON data.</li> <li>datetime, timedelta: These are used to handle dates and times.</li> </ul> <h3> Task 2: Load &amp; Parse the JSON file </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">buckets.json</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="nb">file</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span> <span class="n">buckets</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">buckets</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <ul> <li>Opens the buckets.json file.</li> <li>Parses the JSON data from the file.</li> <li>Extracts the list of buckets from the parsed data.</li> </ul> <h3> Task 3: Define Helper Function </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">days_since_created</span><span class="p">(</span><span class="n">created_on</span><span class="p">):</span> <span class="n">created_date</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">strptime</span><span class="p">(</span><span class="n">created_on</span><span class="p">,</span> <span class="sh">'</span><span class="s">%Y-%m-%d</span><span class="sh">'</span><span class="p">)</span> <span class="nf">return </span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">created_date</span><span class="p">).</span><span class="n">days</span> <span class="k">def</span> <span class="nf">print_bucket_summary</span><span class="p">(</span><span class="n">bucket</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Name: </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Region: </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">region</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Size (GB): </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Versioning: </span><span class="si">{</span><span class="sh">'</span><span class="s">Enabled</span><span class="sh">'</span> <span class="k">if</span> <span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">versioning</span><span class="sh">'</span><span class="p">]</span> <span class="k">else</span> <span class="sh">'</span><span class="s">Disabled</span><span class="sh">'</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <ul> <li>days_since_created: Calculates the number of days since a bucket was created.</li> <li>print_bucket_summary: Prints a summary of each bucket’s details (name, region, size, and versioning status).</li> </ul> <h3> Task 4: Initialise Data Structure for Report </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">large_unused_buckets</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">cleanup_candidates</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">deletion_queue</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">region_costs</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">department_costs</span> <span class="o">=</span> <span class="p">{}</span> </code></pre> </div> <ul> <li>large_unused_buckets, cleanup_candidates, deletion_queue: Lists to store specific buckets based on defined criteria.</li> <li>region_costs, department_costs: Dictionaries to store cost data grouped by region and department.</li> </ul> <h3> Task 5: Analyse &amp; Modify Bucket Data </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">bucket</span> <span class="ow">in</span> <span class="n">buckets</span><span class="p">:</span> <span class="nf">print_bucket_summary</span><span class="p">(</span><span class="n">bucket</span><span class="p">)</span> <span class="k">if</span> <span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">80</span> <span class="ow">and</span> <span class="nf">days_since_created</span><span class="p">(</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">createdOn</span><span class="sh">'</span><span class="p">])</span> <span class="o">&gt;</span> <span class="mi">90</span><span class="p">:</span> <span class="n">large_unused_buckets</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">bucket</span><span class="p">)</span> <span class="k">if</span> <span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">50</span><span class="p">:</span> <span class="n">cleanup_candidates</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">bucket</span><span class="p">)</span> <span class="k">if</span> <span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">100</span> <span class="ow">and</span> <span class="nf">days_since_created</span><span class="p">(</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">createdOn</span><span class="sh">'</span><span class="p">])</span> <span class="o">&gt;</span> <span class="mi">20</span><span class="p">:</span> <span class="n">deletion_queue</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">bucket</span><span class="p">)</span> <span class="n">cost_per_gb</span> <span class="o">=</span> <span class="mf">0.023</span> <span class="n">region_costs</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">region</span><span class="sh">'</span><span class="p">],</span> <span class="mi">0</span><span class="p">)</span> <span class="n">region_costs</span><span class="p">[</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">region</span><span class="sh">'</span><span class="p">]]</span> <span class="o">+=</span> <span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span> <span class="o">*</span> <span class="n">cost_per_gb</span> <span class="n">department</span> <span class="o">=</span> <span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">tags</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">team</span><span class="sh">'</span><span class="p">]</span> <span class="n">department_costs</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="n">department</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="n">department_costs</span><span class="p">[</span><span class="n">department</span><span class="p">]</span> <span class="o">+=</span> <span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span> <span class="o">*</span> <span class="n">cost_per_gb</span> </code></pre> </div> <ul> <li>Loop through buckets: Iterates over each bucket in the list.</li> <li>Print summary: Calls print_bucket_summary to display details.</li> <li>Identify large unused buckets: Adds buckets larger than 80 GB and unused for over 90 days to large_unused_buckets.</li> <li>Highlight cleanup candidates: Adds buckets larger than 50 GB to cleanup_candidates.</li> <li>Add to deletion queue: Adds buckets larger than 100 GB and not accessed for more than 20 days to deletion_queue.</li> <li>Calculate costs: Computes and updates the costs for each region and department.</li> </ul> <h3> Task 6: Generate Cost Report &amp; Cleanup Recommendation </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Cost Report by Region:</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">region</span><span class="p">,</span> <span class="n">cost</span> <span class="ow">in</span> <span class="n">region_costs</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">region</span><span class="si">}</span><span class="s">: $</span><span class="si">{</span><span class="n">cost</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Cost Report by Department:</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">department</span><span class="p">,</span> <span class="n">cost</span> <span class="ow">in</span> <span class="n">department_costs</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">department</span><span class="si">}</span><span class="s">: $</span><span class="si">{</span><span class="n">cost</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Buckets Recommended for Cleanup:</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">bucket</span> <span class="ow">in</span> <span class="n">cleanup_candidates</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">- </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> (Size: </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> GB)</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <ul> <li>Cost Report by Region: Prints the total cost grouped by region.</li> <li>Cost Report by Department: Prints the total cost grouped by department.</li> <li>Buckets Recommended for Cleanup: Prints the list of buckets recommended for cleanup (those larger than 50 GB).</li> </ul> <h3> Task 7: Generate Deletion Queue &amp; Buckets to Archive </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Buckets in Deletion Queue:</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">bucket</span> <span class="ow">in</span> <span class="n">deletion_queue</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">- </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> (Size: </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> GB)</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Final List of Buckets to Delete or Archive:</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">bucket</span> <span class="ow">in</span> <span class="n">deletion_queue</span><span class="p">:</span> <span class="k">if</span> <span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">100</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">- </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> (Size: </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> GB) [Move to Glacier]</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">- </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> (Size: </span><span class="si">{</span><span class="n">bucket</span><span class="p">[</span><span class="sh">'</span><span class="s">sizeGB</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> GB) [Delete]</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <ul> <li>Buckets in Deletion Queue: Prints the list of buckets in the deletion queue (those larger than 100 GB and not accessed for more than 20 days).</li> <li>Final List of Buckets to Delete or Archive: Prints the final list of buckets to delete or move to Glacier, based on their size.</li> </ul> <h2> Sample Output </h2> <p>Here is my output when I ran <code>python s3-analysis.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Input: Name: prod-data, Region: us-west-2, Size: 120 GB, Versioning: Enabled Name: dev-app-logs, Region: us-east-1, Size: 10 GB, Versioning: Disabled Name: backup, Region: eu-central-1, Size: 80 GB, Versioning: Enabled Name: audit-logs, Region: ap-southeast-1, Size: 50 GB, Versioning: Enabled Name: test-results, Region: us-west-1, Size: 15 GB, Versioning: Disabled Name: old-backups, Region: us-east-2, Size: 200 GB, Versioning: Enabled Name: staging-resources, Region: eu-west-1, Size: 30 GB, Versioning: Disabled Name: app-analytics, Region: ap-northeast-1, Size: 250 GB, Versioning: Enabled Name: raw-data, Region: us-west-2, Size: 90 GB, Versioning: Disabled Name: compliance-data, Region: ca-central-1, Size: 300 GB, Versioning: Enabled Cost Report by Region: us-west-2: $4.83 us-east-1: $0.23 eu-central-1: $1.84 ap-southeast-1: $1.15 us-west-1: $0.34 us-east-2: $4.60 eu-west-1: $0.69 ap-northeast-1: $5.75 ca-central-1: $6.90 Cost Report by Department: analytics: $8.51 engineering: $0.23 ops: $6.44 security: $1.15 qa: $0.34 development: $0.69 data-engineering: $2.07 compliance: $6.90 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Buckets Recommended for Cleanup: - Name: prod-data, Region: us-west-2, Size: 120 GB - Name: backup, Region: eu-central-1, Size: 80 GB - Name: old-backups, Region: us-east-2, Size: 200 GB - Name: app-analytics, Region: ap-northeast-1, Size: 250 GB - Name: raw-data, Region: us-west-2, Size: 90 GB - Name: compliance-data, Region: ca-central-1, Size: 300 GB Buckets in Deletion Queue: - Name: prod-data, Region: us-west-2, Size: 120 GB, Days Unused: 414 - Name: old-backups, Region: us-east-2, Size: 200 GB, Days Unused: 1567 - Name: app-analytics, Region: ap-northeast-1, Size: 250 GB, Days Unused: 1352 - Name: compliance-data, Region: ca-central-1, Size: 300 GB, Days Unused: 1063 Final List of Buckets to Delete or Archive: - Name: prod-data, Region: us-west-2, Size: 120 GB, Days Unused: 414 [Move to Glacier] - Name: old-backups, Region: us-east-2, Size: 200 GB, Days Unused: 1567 [Move to Glacier] - Name: app-analytics, Region: ap-northeast-1, Size: 250 GB, Days Unused: 1352 [Move to Glacier] - Name: compliance-data, Region: ca-central-1, Size: 300 GB, Days Unused: 1063 [Move to Glacier] Name: prod-data, Region: us-west-2, Size: 120 GB, Versioning: Enabled Name: dev-app-logs, Region: us-east-1, Size: 10 GB, Versioning: Disabled Name: backup, Region: eu-central-1, Size: 80 GB, Versioning: Enabled Name: audit-logs, Region: ap-southeast-1, Size: 50 GB, Versioning: Enabled Name: test-results, Region: us-west-1, Size: 15 GB, Versioning: Disabled Name: old-backups, Region: us-east-2, Size: 200 GB, Versioning: Enabled Name: staging-resources, Region: eu-west-1, Size: 30 GB, Versioning: Disabled Name: app-analytics, Region: ap-northeast-1, Size: 250 GB, Versioning: Enabled Name: raw-data, Region: us-west-2, Size: 90 GB, Versioning: Disabled Name: compliance-data, Region: ca-central-1, Size: 300 GB, Versioning: Enabled Cost Report by Region: us-west-2: $4.83 us-east-1: $0.23 eu-central-1: $1.84 ap-southeast-1: $1.15 us-west-1: $0.34 us-east-2: $4.60 eu-west-1: $0.69 ap-northeast-1: $5.75 ca-central-1: $6.90 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cost Report by Department: analytics: $8.51 engineering: $0.23 ops: $6.44 security: $1.15 qa: $0.34 development: $0.69 data-engineering: $2.07 compliance: $6.90 Buckets Recommended for Cleanup: - Name: prod-data, Region: us-west-2, Size: 120 GB - Name: backup, Region: eu-central-1, Size: 80 GB - Name: old-backups, Region: us-east-2, Size: 200 GB - Name: app-analytics, Region: ap-northeast-1, Size: 250 GB - Name: raw-data, Region: us-west-2, Size: 90 GB - Name: compliance-data, Region: ca-central-1, Size: 300 GB Buckets in Deletion Queue: - Name: prod-data, Region: us-west-2, Size: 120 GB, Days Unused: 414 - Name: old-backups, Region: us-east-2, Size: 200 GB, Days Unused: 1567 - Name: app-analytics, Region: ap-northeast-1, Size: 250 GB, Days Unused: 1352 - Name: compliance-data, Region: ca-central-1, Size: 300 GB, Days Unused: 1063 Final List of Buckets to Delete or Archive: - Name: prod-data, Region: us-west-2, Size: 120 GB, Days Unused: 414 [Move to Glacier] - Name: old-backups, Region: us-east-2, Size: 200 GB, Days Unused: 1567 [Move to Glacier] - Name: app-analytics, Region: ap-northeast-1, Size: 250 GB, Days Unused: 1352 [Move to Glacier] - Name: compliance-data, Region: ca-central-1, Size: 300 GB, Days Unused: 1063 [Move to Glacier] </code></pre> </div> <blockquote> <p>I left out the bucket metadata and script to avoid overstretching this post. </p> </blockquote> <p>Check my <a href="https://github.com/Fidelisesq/Cloud-DevOps-Daily-Challenge/blob/main/Day-2/s3-analysis.py" rel="noopener noreferrer">Github</a> for the full <code>Python</code> script and the <code>AWS S3 Bucket Metadata</code></p> <h2> Challenges </h2> <ul> <li>Data Parsing Issues: Initially faced issues with JSON parsing due to structure variations. 🛠️</li> <li>Colorisation in Terminal: Implementing colored output for better readability took some trial and error. Copilot helped me here 🎨</li> <li>Debugging and Validation: Ensuring accurate bucket metadata and handling edge cases was critical. 🕵️‍♂️</li> </ul> <h2> Conclusion </h2> <p>This analysis is crucial for organisations to manage their cloud resources effectively, optimise costs, and ensure efficient storage utilisation. Regular audits and optimisations can lead to significant savings and better resource allocation.</p> Fidelis Ikoroje Mon, 11 Nov 2024 22:14:38 +0000 https://dev.to/fidelisesq/building-a-scalable-high-availability-web-application-on-aws-with-managed-services-26cl https://dev.to/fidelisesq/building-a-scalable-high-availability-web-application-on-aws-with-managed-services-26cl <p>In this post, I’ll walk through the architecture and implementation of a redesigned multi-tier web application hosted on AWS. This updated design leverages AWS-managed services such as Amazon MQ, RDS MySQL, and ElastiCache to enhance scalability, reliability, and ease of management. I also used AWS Elastic Beanstalk for deploying the front-end application. From setting up the infrastructure to securing and optimizing it, here’s a complete look at how I implemented the architecture.</p> <p>Just before the implementation, let us see the importance and benefits of this architecture compared to the <a href="https://dev.to/fidelisesq/building-a-scalable-multi-tier-web-application-on-aws-2agm">previous architecture</a> which does not include AWS-managed services.</p> <p><strong>1. Enhanced Reliability with Managed Services</strong><br> By adopting services like Amazon RDS for MySQL, Amazon MQ, and ElastiCache, we've minimized the need for manual intervention, reducing the risk of service outages and improving overall system stability. For example, RDS offers automated backups and failover support, ensuring the application can handle disruptions seamlessly.</p> <p><strong>2. Simplified Application Deployment with Elastic Beanstalk</strong><br> Elastic Beanstalk automates application deployment, including autoscaling and load balancing. This allows us to focus on developing new features rather than managing infrastructure. For instance, the app can now auto-scale during high traffic, reducing the risk of downtime.</p> <p><strong>3. Optimized Global Performance through CloudFront</strong><br> With CloudFront as our CDN, users from different regions experience faster load times by caching content closer to them. For example, users in Europe or Asia access cached content locally instead of waiting for data to travel from a single data center.</p> <p><strong>4. Improved Security and Compliance</strong><br> Using AWS-native services strengthens security with automatic encryption and compliance controls. ACM certificates for HTTPS, combined with fine-grained IAM permissions, protect user data and comply with global standards.</p> <p><strong>5. Cost Efficiency through Automation</strong><br> Elastic Beanstalk and managed services optimize resource use, which can reduce overall costs. For example, auto-scaling ensures we only pay for resources when needed, instead of maintaining idle servers.</p> <p>Overall, this architecture improves user experience, scales effortlessly, and simplifies management, making it a sustainable solution for long-term growth.</p> <h3> Enhanced Implementation Outline with Steps: </h3> <h4> 1. Create Security Key Pairs and Security Groups </h4> <ul> <li> <strong>Key Pair</strong>: Generate a key pair for SSH access should there be a need to access the EC2 instances.</li> <li> <strong>Security Groups</strong>: Define security groups for: <ul> <li> <strong>Frontend (Elastic Beanstalk)</strong>: I allowed Elastic Beanstalk to create this with inbound rules for HTTP (port 80) and HTTPS (port 443) on its <code>Application Load Balancer</code>.</li> <li> <strong>Backend Services</strong>: I created one security group for RDS, Amazon MQ, and ElastiCache with rules that allow inbound access only from the Elastic Beanstalk environment. Also, I allowed all traffic from itself (the backend security group) so that each backend service can communicate with the other.</li> </ul> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F91sa6qguhca3q6f2zoye.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F91sa6qguhca3q6f2zoye.png" alt="Backend security group &amp; rules" width="800" height="386"></a></p> <h4> 2. Backend Services (RDS, Amazon MQ, ElastiCache) </h4> <ul> <li> <strong>Parameter Groups and Subnet Groups</strong>: <ul> <li> <strong>RDS</strong>: Configure custom settings in a parameter group for optimized performance and create a subnet group for database availability.</li> <li> <strong>Amazon MQ and ElastiCache</strong>: Create separate parameter and subnet groups to set up specific configurations for Amazon MQ and ElastiCache.</li> </ul> </li> <li> <strong>Launch Instances</strong>: <ul> <li>Launch <strong>RDS (MySQL)</strong>, <strong>Amazon MQ (ActiveMQ)</strong>, and <strong>ElastiCache (Memcached)</strong> instances with the backend security group.</li> </ul> </li> </ul> <p><code>RDS mysql running</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frjgxrv1ub7h8knuskh61.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frjgxrv1ub7h8knuskh61.png" alt="RDS mysql" width="800" height="409"></a></p> <h4> 3. Initialize Database on RDS </h4> <ul> <li> <strong>Ubuntu EC2 Instance</strong>: <ul> <li>Launch an EC2 instance with SSH access to connect to RDS. This Ubuntu instance will be our <code>mysql client</code>. Ensure RDS security group (backend) allows traffic from <code>mysql client</code>.</li> <li>Once launched, SSH to the mysql client, update packages, and install necessary tools like git to clone the repository containing database files. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ssh -i "abc-keypair.pem" ubuntu@ec2-35-179-168-111.eu-west-2.compute.amazonaws.com sudo -i apt update &amp;&amp; apt install mysql-client git -y </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1gdi18jql30rj2f0c9ac.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1gdi18jql30rj2f0c9ac.png" alt="SSH into mysql client" width="800" height="489"></a></p> <ul> <li> <strong>Database Initialization</strong>: <ul> <li>Clone the repository that contains the database info and switch to the branch <code>awsrefactor</code>, which contain <code>db_backup.sql</code> from <a href="https://github.com/hkhcoder/vprofile-project.git" rel="noopener noreferrer">here</a>. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git clone repourl git checkout awsrefactor </code></pre> </div> <p>Import the db_backup.sql file into the <code>accounts</code> database on a MySQL server hosted on Amazon RDS<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mysql -h [RDS endpoint] -u admin -p accounts &lt; src/main/resources/db_backup.sql </code></pre> </div> <ul> <li>Verify tables using MySQL commands; then terminate the <code>mysql client</code> instance if needed because we don't need it anymore. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mysql -h [RDS endpoint] -u admin -p accounts show tables; </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhb063ed2jeqz7jwq78q0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhb063ed2jeqz7jwq78q0.png" alt="account database live" width="800" height="368"></a></p> <h4> 4. Set Up Elastic Beanstalk Environment </h4> <ul> <li> <strong>Service Role Creation</strong>: Create a role with permissions (<code>AdministratorAccess-AWSElasticBeanstalk</code>, <code>AWSElasticBeanstalkCustomPlatformforEC2Role</code>, <code>AWSElasticBeanstalkRoleSNS</code>, <code>AWSElasticBeanstalkWebTier</code>) to manage Elastic Beanstalk and handle S3 and SNS notifications.</li> <li> <strong>Setting Up Elastic Beanstalk Environment</strong>: <ul> <li>Choose <strong>Tomcat 10</strong> with <strong>Corretto 21</strong> on <strong>Amazon Linux 2023</strong>.</li> <li>Configure health checks on <code>/login</code>.</li> <li>Set up <strong>HTTPS listener on port 443</strong> for the Elastic Load Balancer (ELB).</li> </ul> </li> <li> <strong>Update Backend Security Group</strong>: Allow traffic from Elastic Beanstalk to the backend services (RDS, MQ, and ElastiCache).</li> <li> <strong>Artifact Deployment</strong>: Deploy your built web application, including backend information, to Elastic Beanstalk. I simply uploaded the artifact from my system to Elastic Beanstalk. However, you can also upload to S3 and point Elastic Beanstalk to the bucket containing the file. See the process to build the artifact and also upload it to S3 in this <a href="https://dev.to/fidelisesq/building-a-scalable-multi-tier-web-application-on-aws-2agm">project</a>.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pjsqqxi16g8bg5tjyuu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pjsqqxi16g8bg5tjyuu.png" alt="Use Maven to build artifact" width="800" height="422"></a></p> <p><code>Beanstalk Environment Launched</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk9cklldoqwkbtxizeg2m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk9cklldoqwkbtxizeg2m.png" alt="Beanstalk Environment launched" width="800" height="364"></a></p> <h4> 6. Set Up CloudFront and SSL Certificate </h4> <ul> <li> <strong>SSL Certificate</strong>: Request an SSL certificate in <strong>us-east-1</strong> for CloudFront distribution.</li> <li> <strong>CloudFront Distribution</strong>: <ul> <li>Create a CloudFront distribution and set the <strong>Elastic Load Balancer</strong> as the origin domain.</li> <li>Enable HTTP and HTTPS protocols for improved compatibility and security.</li> </ul> </li> <li> <strong>DNS Mapping</strong>: Use <strong>Route 53</strong> to create a <strong>CNAME record</strong> in the public hosted zone, linking the CloudFront endpoint to the App custom domain.</li> </ul> <p><code>CloudFront endpoint mapped to App domain name in Route53</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqixlbm7yewdnigzay8qa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqixlbm7yewdnigzay8qa.png" alt="Cloudfront endpoint mapped to app domain name in Route53" width="800" height="382"></a></p> <h4> 7. Testing and Verification </h4> <ul> <li> <strong>Application Testing</strong>: Access the application via the custom domain to confirm traffic routing through CloudFront.</li> <li> <strong>CloudFront Validation</strong>: Use development tools or AWS CloudFront analytics to ensure CloudFront is serving content.</li> </ul> <p><code>App is reachable on HTTP port 80 and HTTPS port 443</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjefznhbw39aoy036uuad.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjefznhbw39aoy036uuad.png" alt="App reachable via cloudfront" width="800" height="399"></a></p> <p><code>App connected to backend services</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fucl6n0ciw2gxkbw81uwt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fucl6n0ciw2gxkbw81uwt.png" alt="App connected to backend" width="800" height="405"></a></p> <p><code>Mozilla Firefox showing traffic is coming into the App via AWS CloudFront</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fst47o0hquqfasjphl5vx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fst47o0hquqfasjphl5vx.png" alt="Traffic coming into app via cloudfront" width="800" height="396"></a></p> <h4> 8. Challenges &amp; Lessons Learned </h4> <p>I learned a lot from this project but one stood out - checking <code>documentation</code> first before considering other resources. I ran into issues creating my Elastic Beanstalk Environment. I saw the notification that <code>launch configuration</code> is now deprecated in favour of <code>launch template</code> from October 1, 2024 <a href="https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-autoscaling-launch-templates.html" rel="noopener noreferrer">details here</a>. However, I thought I would breeze through and consult other resources including <code>ChatGPT</code> which proffered some complex solutions. I managed to crack it by checking AWS Elastic Beanstalk documentation after spending a few hours researching other resources. See the error screenshots below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fausjjxhq9qjj5em5uia8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fausjjxhq9qjj5em5uia8.png" alt="Beanstalk error" width="800" height="120"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9afc7fbxtcackpmg6z1m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9afc7fbxtcackpmg6z1m.png" alt=" " width="800" height="380"></a></p> <h4> Conclusion </h4> <p>Building this multi-tier web application with AWS-managed services provided me with valuable insights into scalable architecture, automated deployment, and cloud security. Leveraging services like Amazon MQ, RDS MySQL, and ElastiCache simplified management and improved performance. Using Elastic Beanstalk for deployment streamlined the process and provided built-in support for scaling and load balancing.</p> <p>For future enhancements, I may decide to containerize my application with further automating deployment with CI/CD pipelines, or exploring serverless options for even greater scalability and cost efficiency. </p> cloudskills webdev aws devops Fidelis Ikoroje Fri, 01 Nov 2024 20:17:59 +0000 https://dev.to/fidelisesq/building-a-scalable-multi-tier-web-application-on-aws-2agm https://dev.to/fidelisesq/building-a-scalable-multi-tier-web-application-on-aws-2agm <h2> Introduction </h2> <p>In this post, I’ll walk through the architecture and implementation of a multi-tier web application hosted on AWS. Designed for scalability and high availability, this application uses an autoscaling group of EC2 instances to serve web requests, with a dedicated backend infrastructure for queue management, database storage, and caching. From setting up the infrastructure to securing and optimizing it, here’s a complete look at how I brought this project to life on AWS.</p> <h3> Requirements </h3> <p>Before diving into the implementation, let’s start with the requirements:</p> <ul> <li> <strong>Web Application Server</strong>: Hosted on Tomcat 10, listening on port 8080 on EC2 instances.</li> <li> <strong>Web Application Source Code</strong>: Build one or fork from <a href="https://github.com/Fidelisesq/AWS-multi-tier-webapp.git" rel="noopener noreferrer">github</a>. Also, all the EC2 userdata scripts are in the GitHub repository to reduce the length of this post.</li> <li> <strong>Load Balancing and Autoscaling</strong>: Application Load Balancer (ALB) in front of an EC2 Autoscaling Group to handle web traffic.</li> <li> <strong>Backend Servers</strong>: <ul> <li> <strong>RabbitMQ</strong> for message queuing services.</li> <li> <strong>MySQL</strong> for user data and web app credentials.</li> <li> <strong>Memcached</strong> for caching content to improve performance.</li> </ul> </li> <li> <strong>Domain and SSL</strong>: A custom domain with HTTPS enabled using AWS Certificate Manager (ACM).</li> <li> <strong>DNS Management</strong>: Route 53 to manage DNS for both public and private traffic.</li> <li> <strong>AWS CLI &amp; Maven</strong>: AWS CLI to interact with AWS environment &amp; Maven to build code</li> </ul> <h3> Architecture Design </h3> <p>This is a classic three-tier architecture:</p> <ol> <li> <strong>Presentation Layer</strong> (Web App Frontend): Autoscaling EC2 instances running Tomcat.</li> <li> <strong>Application Layer</strong> (Service Backend): Consists of RabbitMQ, MySQL, and Memcached instances.</li> <li> <strong>Data Layer</strong> (Database and Caching): MySQL for persistence and Memcached for caching.</li> </ol> <h3> Implementation Steps </h3> <h3> 1. Creating Key Pairs and Security Groups </h3> <ul> <li> <strong>Key Pair</strong>: Create a key pair to access all EC2 instances via SSH.</li> <li> <strong>Security Groups</strong>: Configured three security groups: <ul> <li> <strong>Web Application Security Group</strong>: Allow inbound traffic on port 8080 from the ALB.</li> <li> <strong>Backend Security Group</strong>: Allow traffic from the web application for communication with RabbitMQ (port 5672), MySQL (port 3306), and Memcached (port 11211). Also, add a rule to the backend security group that allow traffic from itself. This ensures the backend instances can communicate with themselves internally.</li> <li> <strong>Application Load Balancer Security Group</strong>: Allow inbound traffic on ports 80 (HTTP) and 443 (HTTPS) for the ALB. Also, allow SSH on port 22 into all your instances and pick the source as <em>MYIP</em> so only your permitted IP can access instances.</li> </ul> </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3ut8nuqsdykz7tlsv9f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3ut8nuqsdykz7tlsv9f.png" alt="inbound rules for backend security group" width="800" height="231"></a></p> <h3> 2. Launching EC2 Instances with User Data Scripts </h3> <ul> <li> <strong>Database Instance</strong>: Launch MySQL instance and include a user data script to automatically install the MySQL server upon boot. It will also create a user to access your webapp. SSH into the MYSQL instance from your local system then confirm the database is running. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ssh -i "keypair.pem" ubuntu@ec2-public-ip </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>systemclt status mariadb </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcr5rprk99r6va7lal1nk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcr5rprk99r6va7lal1nk.png" alt=" " width="800" height="421"></a></p> <p>Login with your created user details and check your database<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mysql -u username -p accounts </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>show tables; </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F497lgsl8nn2bndb92x3d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F497lgsl8nn2bndb92x3d.png" alt=" " width="800" height="415"></a></p> <ul> <li> <strong>Memcached Instance</strong>: Launch a separate instance for Memcached, using a user data script to install and configure the service.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fccqvdran00x3o276bx0p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fccqvdran00x3o276bx0p.png" alt=" " width="800" height="466"></a></p> <p>Confirm the service is running<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>systemctl status memcached </code></pre> </div> <ul> <li> <strong>RabbitMQ Instance</strong>: Also, using the user data script, launch and configure Rabbitmq instance for message queue handling.</li> </ul> <p>Confirm the service is running<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>systemctl status rabbitmq-server </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwri4mgrdrhmka99n28re.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwri4mgrdrhmka99n28re.png" alt=" " width="800" height="422"></a></p> <ul> <li> <strong>Web Application EC2</strong>: Launch a Tomcat 10 server instance to serve the web application using Ubuntu AMI. Create EC2 role that grants read and write access to s3 and attach it to the EC2.</li> </ul> <h3> 3. Configuring Route 53 for DNS </h3> <ul> <li> <strong>Domain Registration and SSL</strong>: Register a domain with Route 53, request an SSL certificate through ACM, and create a public hosted zone.</li> <li> <strong>Public DNS</strong>: Add a CNAME record pointing the ALB’s endpoint to the domain for HTTPS access.</li> <li> <strong>Private DNS</strong>: Create a private hosted zone with A records for the backend services’ private IP addresses to allow internal communication by name. Ensure you update the route53 internal record in your <em>application.properties</em> file.</li> </ul> <h3> 4. Building and Deploying the Application Code </h3> <ul> <li> <strong>S3 Bucket Creation</strong>: Create an S3 bucket to store the application artifact.</li> <li> <strong>IAM Role</strong>: Assign an IAM role to the web application EC2 instance to allow S3 access.</li> <li> <strong>Application Build</strong>: Build the application using Maven on the local machine and uploaded the artifact to S3.</li> <li> <strong>Code Deployment</strong>: SSH into the web application EC2, downloaded the artifact from S3, and deployed it to the Tomcat server. Each step is defined below.</li> </ul> <p>create a bucket that will hold the web app artifact<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws s3api create-bucket --bucket fozwebapp-artifact --region eu-west-2 --create-bucket-configuration LocationConstraint=eu-west-2 </code></pre> </div> <p>Run Maven from the directory that holds the source code in your local system<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mvn install </code></pre> </div> <p>Copy the artifact from your local system to the s3 bucket. Then, SSH into the instance, install AWS CLI and copy the artifact from s3 into the EC2 instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws s3 cp target/vprofile-artifact s3://fozwebapp-artifact </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Folajh524ctbs00bid7y4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Folajh524ctbs00bid7y4.png" alt=" " width="800" height="524"></a></p> <p>Install AWS CLI and copy artifact from s3 to /tmp/ in EC2<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>snap install aws-cli --classic </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws s3 cp s3://fozwebapp-artifact/vprofile-v2.war /tmp/ </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fycl1d1kb51hzwxe74yl8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fycl1d1kb51hzwxe74yl8.png" alt=" " width="800" height="111"></a></p> <p>Now, stop tomcat10 on the EC2, remove the default directory of tomcat10, and replace it with the artifact the restart. Run each of the commands one after the other. Lastly, you can confirm tomcat10 is running<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>systemctl daemon-reload systemctl stop tomcat10 rm -rf /var/lib/tomcat10/webapps/ROOT cp /tmp/vprofile-v2.war /var/lib/tomcat10/webapps/ROOT.war systemctl start tomcat10 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvhia9bb03xgrceq6oyk6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvhia9bb03xgrceq6oyk6.png" alt="tomcat10 running" width="800" height="264"></a></p> <h3> 5. Setting Up the Application Load Balancer </h3> <ul> <li> <strong>Target Group Creation</strong>: Configure an ALB target group for the autoscaling EC2 instances, setting listener and health checks on port 8080 to ensure only healthy instances serve traffic.</li> <li> <strong>HTTPS Configuration</strong>: Configure the ALB to use the SSL certificate from ACM.</li> <li> <strong>DNS Mapping</strong>: Map the domain’s CNAME record in Route 53 to the ALB for secure, HTTPS-enabled access.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56v2743h4s7xhkbu4iu7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56v2743h4s7xhkbu4iu7.png" alt="Target group" width="800" height="394"></a></p> <p>Application Loadbalance Endpoint mapped to app domain name<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2lfy6rvs3mdy88sakoo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2lfy6rvs3mdy88sakoo.png" alt="loadbalancer endpoint" width="800" height="395"></a></p> <h3> 6. Connecting to the Web Application and Verifying </h3> <ul> <li> <strong>Access Verification</strong>: Access the web app through the custom domain and verify load balancer forwarding by inspecting responses from the Tomcat server.</li> <li> <strong>Service Checks</strong>: SSH into each backend instance to ensure that RabbitMQ, MySQL, and Memcached services were running and accessible by the web application server.</li> </ul> <h3> 7. Configuring Auto Scaling for the Web Application EC2 Instances </h3> <ul> <li> <strong>Autoscaling Policies</strong>: Set up scaling policies to adjust the number of EC2 instances in response to application load.</li> <li> <strong>Monitoring and Logging</strong>: Enabled CloudWatch metrics to monitor CPU and request metrics, triggering autoscaling when defined thresholds were met.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejlvxg57pfy08uo5uzdc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fejlvxg57pfy08uo5uzdc.png" alt="webapp running and reachable on https" width="800" height="420"></a></p> <h3> How the Web Application Works </h3> <ol> <li> <strong>User Access</strong>: Users access the application via the custom domain. The ALB handles the HTTPS requests and forwards them to Tomcat servers running in the autoscaling group.</li> <li> <strong>Backend Processing</strong>: When a web request involves queuing or caching, the application server communicates with RabbitMQ and Memcached instances. For user data requests, it connects to MySQL.</li> <li> <strong>Scaling and Availability</strong>: The autoscaling group dynamically adjusts based on load, ensuring efficient handling of fluctuating traffic.</li> </ol> <h3> Possible Improvements for the Architecture </h3> <ul> <li><p>Containerization of applications and deployment with kubernetes Enhanced scalability, automated management, and flexibility for microservices deployment. </p></li> <li><p>Employ AWS serverless solutions like Lamba, API Gateway, AWS RDS in place of MYSQL, ElastiCache, and MQ in place of Memcached &amp; Rabbitmq</p></li> <li><p>Elastic Beanstalk to simplify deployment, scaling, and monitor without direct server management.</p></li> <li><p>Front load balance with Cloudfront or AWS Global Accelerator depending on the type of content the app is serving.</p></li> </ul> <h3> Lessons Learned and Final Thoughts </h3> <p>Building this multi-tier web app on AWS provided valuable insights into scalable architecture, automated deployment, and cloud security. Leveraging AWS services, I achieved a setup that balances performance with resilience, laying a foundation for future applications. Lastly, I will look into the possible improvements above in my next project.</p> webdev devops cloud architecture