DEV Community: Ivan Bliskavka The latest articles on DEV Community by Ivan Bliskavka (@ibliskavka). https://dev.to/ibliskavka https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F705329%2Ff75f9346-d8b7-49d9-a534-f7b539ca392e.PNG DEV Community: Ivan Bliskavka https://dev.to/ibliskavka en 10x API Start-up Boost Ivan Bliskavka Mon, 04 Mar 2024 22:55:18 +0000 https://dev.to/ibliskavka/10x-api-start-up-boost-2jh9 https://dev.to/ibliskavka/10x-api-start-up-boost-2jh9 <p>I while ago I optimized my <a href="https://bliskavka.com/Screen-Saver-Gallery" rel="noopener noreferrer">Screen Saver Gallery</a> API by loading a flat data file into lambda memory. A nightly job selects a random subset of the database and stores it in S3, and the API uses that file for the next 24 hours.</p> <p>This simplified my code, reduced costs, and improved performance.</p> <p>The average API calls took 50-100ms! ...but the start-up time was <strong>5 seconds</strong>!!!</p> <p>I was using a lambda warmer, so most clients didn't hit the 5-second latency, but I wondered if I could reduce it.</p> <h2> Before </h2> <ol> <li>A nightly process reads data from Dynamo DB and generates a zip file that looks like this:</li> </ol> <ul> <li>cache.zip <ul> <li>tableA.json</li> <li>tableB.json</li> </ul> </li> </ul> <ol> <li>The zip file is stored in S3</li> <li>When the lambda starts, it loads the zip file from S3, and loads it into memory (Duration: 4-5 seconds) </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">let</span> <span class="nx">cache</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">ITable</span><span class="o">&gt;</span><span class="p">;</span> </code></pre> </div> <ol> <li>All future requests are served from the in-memory cache (50-100ms)</li> </ol> <h2> Attempt 1 </h2> <p>Instead of loading from S3, store the zip file in a lambda layer, and rebuild the layer every night.</p> <p>Result: This reduced the start-up by 1 second.</p> <h2> Attempt 2 </h2> <p>The layer improved the load time, so it was a good start, but I felt like it should be faster.</p> <p>I added some basic timers to my warmup function and discovered that almost 3 seconds were spent parsing the 217 files from the zip file.</p> <p>I updated the code to parse the table files in parallel but it only shaved off 500ms.</p> <h2> Attempt 3 </h2> <p>Armed with the timing information, I understood that my load issue was computationally constrained - decompressing zip files requires CPU cycles.</p> <p>I refactored my lambda layer cache to be a single <code>cache.json</code> file that looks like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"tableA"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"tableB"</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The lambda can load the data using <code>readFileSync('/opt/cache.json')</code> and parse it immediately.</p> <p>Presto: Start-up load time is 500ms - a 10x improvement!</p> <h2> Conclusion </h2> <p>If your data is relatively static you can cache it as a flat file in a Lambda layer to reduce app complexity, costs, and startup times. Use a Lambda to periodically query a new data set and publish a new Lambda Layer Version.</p> <p>When using layers, your maximum package size is 250MB. By compressing your data files you can cache A LOT of data, but you will experience decompression latency.</p> aws lambda api performance Dynamic AWS IAM Policies Ivan Bliskavka Sat, 02 Mar 2024 12:27:50 +0000 https://dev.to/ibliskavka/dynamic-aws-iam-policies-2jcn https://dev.to/ibliskavka/dynamic-aws-iam-policies-2jcn <p>We maintain a CloudFormation custom resource provider for Amazon Connect. The provider has grown organically, and as new features were added, the default role policy has become large.</p> <p>The provider can do simple low-security tasks like <code>associateLambda</code>, or complex tasks like <code>createInstance</code>, which requires access to security-sensitive resources like <code>kms</code> and <code>iam</code>.</p> <p>During a recent security review, we discovered that the same role policy was being used across all provider instances. This meant that if we used a low-security operation, such as <code>associateLambda</code>, the role would be granted access to high-security resources like <code>kms</code> and <code>iam</code>.</p> <h2> Solution 1 - Inject a Pre-Built Role </h2> <p>For the current project, we resolved the issue by introducing an optional role prop. This allowed the developer to select specific IAM permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// PSEUDO-CODE</span> <span class="kd">class</span> <span class="nc">ConnectProvider</span> <span class="p">{</span> <span class="nl">role</span><span class="p">:</span> <span class="nx">IRole</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">props</span><span class="p">:</span> <span class="p">{</span><span class="nl">role</span><span class="p">?:</span> <span class="nx">IRole</span><span class="p">}){</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nx">props</span><span class="p">.</span><span class="nx">role</span><span class="p">){</span> <span class="c1">// Configures the default (overly permissive) permissions</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Role</span><span class="p">(...);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Uses the injected role</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Custom resource handler</span> <span class="k">this</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Function</span><span class="p">(...</span> <span class="p">{</span><span class="nl">role</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span><span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">role</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Role</span><span class="p">(...);</span> <span class="nx">role</span><span class="p">.</span><span class="nf">addToPrincipalPolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">connect:AssociateLambdaFunction</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">connect:DisassociateLambdaFunction</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">instanceArn</span><span class="p">]</span> <span class="p">})</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">provider</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ConnectProvider</span><span class="p">({</span><span class="nx">role</span><span class="p">});</span> <span class="nx">provider</span><span class="p">.</span><span class="nf">associateLambda</span><span class="p">(...)</span> </code></pre> </div> <h3> Pros </h3> <ul> <li>We were able to quickly patch the current app</li> </ul> <h3> Cons </h3> <ul> <li>Each dependent app would have to be updated manually. We have A LOT!</li> <li>The app developer must know exactly which IAM permissions are required.</li> </ul> <h2> Solution 2 - Dynamically Generate the Role </h2> <p>I updated the custom resource constructs to dynamically build up the policy based on which resources are used, so I could roll out the update in a backward-compatible way.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// PSEUDO-CODE</span> <span class="kd">class</span> <span class="nc">ConnectProvider</span> <span class="p">{</span> <span class="nl">role</span><span class="p">:</span> <span class="nx">IRole</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">props</span><span class="p">:</span> <span class="p">{</span><span class="nl">role</span><span class="p">?:</span> <span class="nx">IRole</span><span class="p">}){</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nx">props</span><span class="p">.</span><span class="nx">role</span><span class="p">){</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Role</span><span class="p">(...);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">role</span> <span class="k">instanceof</span> <span class="nx">Role</span><span class="p">){</span> <span class="c1">// Convert to IRole to avoid manipulating the role</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="nx">Role</span><span class="p">.</span><span class="nf">fromArn</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">role</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Custom resource handler</span> <span class="k">this</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Function</span><span class="p">(...</span> <span class="p">{</span><span class="nl">role</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span><span class="p">})</span> <span class="p">}</span> <span class="c1">// Users call helper functions to create the custom resource</span> <span class="nf">associateLambda</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="nx">instanceArn</span><span class="p">,</span> <span class="nx">lambda</span><span class="p">){</span> <span class="k">if</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="k">instanceof</span> <span class="nx">Role</span><span class="p">){</span> <span class="c1">// Dynamically update self-managed role</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span><span class="p">.</span><span class="nf">addToPrincipalPolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">connect:AssociateLambdaFunction</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">connect:DisassociateLambdaFunction</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">instanceArn</span><span class="p">]</span> <span class="p">})</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">CustomResource</span><span class="p">({</span> <span class="na">serviceToken</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">handler</span><span class="p">.</span><span class="nx">functionArn</span><span class="p">,</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="nx">instanceArn</span><span class="p">,</span> <span class="na">functionArn</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">functionArn</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Pros </h3> <ul> <li>No manual intervention is needed for dependent apps. Simply upgrade the NPM package and redeploy.</li> </ul> <h3> Cons </h3> <ul> <li>Resource deletion does not work properly. <ul> <li>If you had a custom resource like <code>associateLambda</code>, everything works fine because the role policy is updated before the resource is created.</li> <li>But if you remove the custom resource in a future release, CloudFormation will update the role policy first (and remove the associated permission) before cleaning up the resource.</li> <li>As a result, you encounter a permission error when cleaning up the <code>associateLambda</code> resource</li> </ul> </li> <li>Circular dependencies <ul> <li>If you used the provider to <code>createInstance</code> and then used the instance ARN in another construct like <code>associateLambda</code> you will encounter a circular reference</li> <li>Details</li> <li>Invoke <code>createInstance</code> and get instance ARN</li> <li>Invoke <code>associateLambda</code> using instance ARN <ul> <li>Instance ARN is used in the dynamic policy, resulting in a circular reference</li> </ul> </li> </ul> </li> </ul> <h2> Solution 3 - Mix of both </h2> <p>In the end, I decided to use a combination of both solutions. I created a <code>ConnectProviderRoleBuilder</code> to make it easier for developers to build the role.</p> <p>Additionally, I also updated the <code>ConnectProvider</code> to automatically use the builder if a role is not provided.</p> <p>This means that we can update existing apps without any manual intervention. If the app encounters the issues described in Solution 2 during ongoing development, the team can use the <code>ConnectProviderRoleBuilder</code> to generate an appropriate role quickly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// PSEUDO-CODE</span> <span class="kd">class</span> <span class="nc">ConnectProviderRoleBuilder</span> <span class="p">{</span> <span class="nl">role</span><span class="p">:</span> <span class="nx">IRole</span><span class="p">;</span> <span class="cm">/** * Tracks if the provider was used to create an instance. * If so, we cannot limit role permissions to a specific instance * due to circular dependency. */</span> <span class="k">private</span> <span class="nx">createdInstance</span><span class="p">:</span> <span class="nx">boolean</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">props</span><span class="p">:</span> <span class="p">{</span><span class="nl">existingRole</span><span class="p">?:</span> <span class="nx">IRole</span><span class="p">}){</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nx">props</span><span class="p">.</span><span class="nx">role</span><span class="p">){</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Role</span><span class="p">(...)</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">role</span> <span class="k">instanceof</span> <span class="nx">Role</span><span class="p">){</span> <span class="c1">// Ensures role is not manipulated by the builder</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="nx">Role</span><span class="p">.</span><span class="nf">fromArn</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">existingRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">existingRole</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="cm">/** * Create an instance ARN for permission filtering * If the provider was used to create the instance the ARN will be * `instance/*` to avoid circular dependency error * Assumes this provider will operate on a single instance. */</span> <span class="nf">instanceArn</span><span class="p">(</span><span class="nx">instanceId</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">createdInstance</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// We can't reference the instanceId (circular ref)</span> <span class="k">return</span> <span class="s2">`arn:aws:connect:</span><span class="p">${</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">account</span><span class="p">}</span><span class="s2">:instance/*`</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="s2">`arn:aws:connect:</span><span class="p">${</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">account</span><span class="p">}</span><span class="s2">:instance/</span><span class="p">${</span><span class="nx">instanceId</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">allow</span><span class="p">(</span><span class="nx">actions</span><span class="p">,</span> <span class="nx">resources</span><span class="p">){</span> <span class="k">if</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="k">instanceof</span> <span class="nx">Role</span><span class="p">){</span> <span class="c1">// Only add permissions if the role is being managed by the construct.</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span><span class="p">.</span><span class="nf">addToPrincipalPolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="nx">actions</span><span class="p">,</span> <span class="nx">resources</span> <span class="p">})</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Helpers to add policy statements</span> <span class="nf">allowAssociateLambda</span><span class="p">(</span><span class="nx">instanceId</span><span class="p">,</span> <span class="p">...</span><span class="nx">functionArns</span><span class="p">){</span> <span class="k">this</span><span class="p">.</span><span class="nf">allow</span><span class="p">([</span> <span class="dl">'</span><span class="s1">connect:AssociateLambdaFunction</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">connect:DisassociateLambdaFunction</span><span class="dl">'</span><span class="p">],</span> <span class="p">[</span><span class="k">this</span><span class="p">.</span><span class="nf">instanceArn</span><span class="p">(</span><span class="nx">instanceId</span><span class="p">)]</span> <span class="p">);</span> <span class="c1">// Update lambda resource policy to allow connect invoke</span> <span class="c1">// ...</span> <span class="p">}</span> <span class="nf">allowCreateInstance</span><span class="p">(){</span> <span class="k">this</span><span class="p">.</span><span class="nx">createdInstance</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nf">allow</span><span class="p">(...)</span> <span class="c1">// ...</span> <span class="p">}</span> <span class="c1">// ...</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">ConnectProvider</span> <span class="p">{</span> <span class="nl">builder</span><span class="p">:</span> <span class="nx">ConnectProviderRoleBuilder</span><span class="p">;</span> <span class="nl">role</span><span class="p">:</span> <span class="nx">IRole</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">props</span><span class="p">:</span> <span class="p">{</span><span class="nl">role</span><span class="p">?:</span> <span class="nx">IRole</span><span class="p">}){</span> <span class="k">this</span><span class="p">.</span><span class="nx">builder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ConnectProviderRoleBuilder</span><span class="p">({</span><span class="na">role</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">role</span><span class="p">})</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">builder</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Function</span><span class="p">(...</span> <span class="p">{</span><span class="nl">role</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">role</span><span class="p">})</span> <span class="p">}</span> <span class="nf">associateLambda</span><span class="p">(</span><span class="nx">instanceId</span><span class="p">,</span> <span class="nx">lambda</span><span class="p">){</span> <span class="k">this</span><span class="p">.</span><span class="nx">builder</span><span class="p">.</span><span class="nf">allowAssociateLambda</span><span class="p">(</span><span class="nx">instanceId</span><span class="p">,</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">functionArn</span><span class="p">)</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">CustomResource</span><span class="p">({</span> <span class="na">serviceToken</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">handler</span><span class="p">.</span><span class="nx">functionArn</span><span class="p">,</span> <span class="na">properties</span><span class="p">:</span> <span class="p">{</span> <span class="nx">instanceId</span><span class="p">,</span> <span class="na">functionArn</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">functionArn</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">myLambda</span><span class="p">:</span> <span class="nx">IFunction</span><span class="p">;</span> <span class="c1">// Pre-build the role</span> <span class="kd">const</span> <span class="nx">builder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ConnectProviderRoleBuilder</span><span class="p">()</span> <span class="nx">builder</span><span class="p">.</span><span class="nf">allowAssociateLambda</span><span class="p">(</span><span class="nx">instanceId</span><span class="p">,</span> <span class="nx">myLambda</span><span class="p">.</span><span class="nx">functionArn</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">provider</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ConnectProvider</span><span class="p">({</span><span class="na">role</span><span class="p">:</span> <span class="nx">builder</span><span class="p">.</span><span class="nx">role</span><span class="p">})</span> <span class="nx">provider</span><span class="p">.</span><span class="nf">associateLambda</span><span class="p">(</span><span class="nx">instanceId</span><span class="p">,</span> <span class="nx">myLambda</span><span class="p">)</span> </code></pre> </div> <h2> Conclusion </h2> <p>The simplest solution would have been to simply force the developer to inject a role but it would have created unnecessary developer friction because:</p> <ul> <li>"My app used to deploy fine, but now I have to manually create a new role".</li> <li>"I have no idea what is happening under the hood and which permissions are required", resulting in even more friction.</li> </ul> <p>This solution was certainly more work, but it solved the problem with the least effort from the downstream developers.</p> <p>No, go build secure and elegant tools!</p> aws cdk iam security Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found Ivan Bliskavka Fri, 16 Feb 2024 15:47:00 +0000 https://dev.to/ibliskavka/resolution-error-policysynthesizer-at-policysynthesizer-should-be-created-in-the-scope-of-a-stack-but-no-stack-found-5h20 https://dev.to/ibliskavka/resolution-error-policysynthesizer-at-policysynthesizer-should-be-created-in-the-scope-of-a-stack-but-no-stack-found-5h20 <p>We occasionally have a client who does not allow us to create IAM roles in their AWS account. In this scenario we must define the roles in CloudFormation, they create them, and we inject the role ARNs into the app.</p> <p>In the CloudFormation days, this would have been a significant overhaul if your app was not already set up for it. But with CDK, this is pretty easy with the <a href="https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide#using-the-customize-roles-feature-to-generate-a-report-and-supply-role-names" rel="noopener noreferrer">Role.customizeRoles</a> method.</p> <p>While working on such a project, we bumped into this weird error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Resolution error: Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found. Object creation stack: at stack traces disabled. Object creation stack: at Execute again with CDK_DEBUG=true to capture stack traces at _lookup (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/stack.js:1:3005) at _lookup (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/stack.js:1:3178) at Function.of (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/stack.js:1:2736) at Object.produce (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/resource.js:1:4264) at Reference.resolve (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/resource.js:1:4877) at DefaultTokenResolver.resolveToken (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1401) at resolve (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:2711) at Object.resolve [as mapToken] (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/private/resolve.js:1:1079) at TokenizedStringFragments.mapTokens (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/string-fragments.js:1:1475) at DefaultTokenResolver.resolveString (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/resolvable.js:4:362) </code></pre> </div> <p>The above error doesn't provide any meaningful info, but if you follow the instructions like so:</p> <p><code>CDK_DEBUG=true npm run cdk -- synth</code></p> <p>You get a much more meaningful error<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Resolution error: Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found. Object creation stack: at new Intrinsic (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/private/intrinsic.js:1:942) at new Reference (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/reference.js:1:599) at new &lt;anonymous&gt; (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/resource.js:1:4806) at mimicReference (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/resource.js:1:4802) at CacheTable.getResourceArnAttribute (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/resource.js:1:4185) at new Table (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/aws-dynamodb/lib/table.js:1:18313) at new CacheTable (/home/ibliskavka/git/data-lakedata/packages/caching/src/constructs/CacheTable.ts:20:5) ... (truncated) Object creation stack: at Function.string (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/core/lib/lazy.js:1:953) at CacheTable.combinedGrant (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/aws-dynamodb/lib/table.js:1:13211) at CacheTable.grantReadWriteData (/home/ibliskavka/git/data-lakedata/node_modules/aws-cdk-lib/aws-dynamodb/lib/table.js:1:6157) ... (truncated) </code></pre> </div> <p>The <code>CacheTable.grantReadWriteData</code> stack trace deals with permissions (which we are customizing), so I traced it down to this bit of code<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">CachingLambdaRole</span> <span class="kd">extends</span> <span class="nc">Role</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">CachingLambdaRoleProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">lambda.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="p">});</span> <span class="nx">props</span><span class="p">.</span><span class="nx">table</span><span class="p">.</span><span class="nf">grantReadWriteData</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>When I replaced <code>props.table.grantReadWriteData(this)</code> with policy statements in the role <code>inlinePolicy</code> the error went away and I was able to deploy.</p> <h2> TL;DR; </h2> <ol> <li>Enable CDK_DEBUG</li> <li>Check if your stack trace uses the <code>grant</code> API. If so, try replacing it with policy statements.</li> </ol> <h2> More Info </h2> <p>I was able to find only a few articles about this error message and none of them dealt with <code>customizeRoles</code>. I suspect this may be a bug in the CDK code because my app uses the <code>grant</code> API elsewhere in the code and it works as-is.</p> troubleshooting aws cdk TechHub Hackathon 2023 Ivan Bliskavka Mon, 02 Oct 2023 14:27:04 +0000 https://dev.to/ibliskavka/techhub-hackathon-2023-mkd https://dev.to/ibliskavka/techhub-hackathon-2023-mkd <p>We pulled together a team on Friday night, built an app on Saturday, and presented on Sunday. Not a win, but what a great experience!</p> <h2> The Team </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vMAnq2aw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://bliskavka.com/2023/10/02/tech-hub-hackathon-2023/store-front.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vMAnq2aw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://bliskavka.com/2023/10/02/tech-hub-hackathon-2023/store-front.jpg" alt="Juliana, Divyesh, Pavan, Ivan, Daniel" width="800" height="600"></a></p> <h2> Project Description </h2> <p>Habitat for Humanity, a renowned non-profit organization dedicated to building homes and better communities, faces several operational challenges that your hackathon team can help address:</p> <p><strong>Targeting New Audiences/Real-Time Inventory Management</strong> : Implement a solution that updates the online inventory in real-time, ensuring that customers are aware of available items and reducing discrepancies.</p> <h2> Background </h2> <p>Before starting any design work, our team decided to take a field trip to the Broward ReStore, which was 30 minutes away.</p> <p>The store manager Mark, was very gracious and spent 30 minutes talking about the store, the mission, the volunteers, and the amazing items that pass through his store.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9oFNqziJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://bliskavka.com/2023/10/02/tech-hub-hackathon-2023/store-manager.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9oFNqziJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://bliskavka.com/2023/10/02/tech-hub-hackathon-2023/store-manager.jpg" alt="Selfie with Mark, the Store Manager" width="800" height="600"></a></p> <h3> Some Interesting Points </h3> <ul> <li>Each store operates like a franchise and typically manages its own outreach, website, etc.</li> <li>Mark just came back from a conference with other ReStores where they shared ideas and approaches.</li> <li>Some stores (Los Angeles) have an excellent social media presence including viral videos on TikTok.</li> <li>Independent stores can have their own website, but there is no central platform for posting or managing inventory.</li> <li>The Broward store does not have a website, but they have a Facebook page.</li> <li>They move a lot of furniture, and the entire sales floor is typically replaced in a couple of weeks. Because each item is unique, maintaining a website inventory is a lot of overhead.</li> </ul> <h3> Donation Receiving </h3> <p>Mark said that 54% of donations are corporate. Typically the item is scratched, dented, or discontinued.</p> <p>He typically uses Google Lens to scan the item to get a feel for what the item sells for. From this price, he discounts about 50%.</p> <h2> Proposal </h2> <ul> <li>A SaaS-like platform that is owned and managed by the Habitat for Humanity “Corporate”</li> <li>Each store is a “tenant” on the platform and can manage its own inventory.</li> <li>The inventory is streamlined using a web app, on a mobile phone <ul> <li>Receiving takes a photo and adds a quality rating.</li> <li>The app uploads a photo to the cloud and uses image recognition to identify the product.</li> <li>If the product is IDed, meta-data and trending price is returned to the app.</li> <li>Price is automatically discounted based on quality rating: 3-50%, 2-60%, 1-70%</li> <li>If the item is not IDed, the app prompts for metadata and price.</li> <li>Idea: If the current user is not the manager, the item will need to be approved by the manager.</li> <li>Once approved, the item automatically shows up on the website and in the Point of Sale system.</li> <li>A QR Code sticker is printed and attached to the item. (Bluetooth printer)</li> <li>When the item is sold, the sticker is scanned, and it is automatically removed from the website.</li> </ul> </li> <li>The SaaS platform dynamically builds a storefront for each tenant <ul> <li>Adds the ability to search all stores in the vicinity.</li> <li>Customers can buy online and pick up in the store.</li> <li>Orders not picked up within X days are a donation.</li> <li>Online customer contact data can be imported into Outreach programs.</li> </ul> </li> </ul> <h3> Technical Architecture </h3> <p>With 900 stores across the country and hundreds of thousands of customers, we need to consider scalability. We chose to build using managed services in the cloud for resilience, durability, and scalability.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--I48PsQ2l--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://bliskavka.com/2023/10/02/tech-hub-hackathon-2023/architecture.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--I48PsQ2l--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://bliskavka.com/2023/10/02/tech-hub-hackathon-2023/architecture.png" alt="Architecture" width="800" height="542"></a></p> <h2> Result </h2> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/u8ERNvwUoOA"> </iframe> </p> <p>Unfortunately, we didn’t win. Here are some presentation takeaways for future reference.</p> <ul> <li> <del>Going first was a disadvantage. We didn’t know what to expect, and probably the judges didn’t either.</del> <ul> <li><del>Even if our presentation was a 10/10, there is no way a judge would assign that to the first presentation without seeing all the other stuff. And there is no way they remembered ours after 16 presentations.</del></li> <li>[Correction 10/3/23]: Going first was a challenge, we were up for it, and we did great!</li> </ul> </li> <li>We should have figured out how to screen share an iPhone. Seeing it on a phone would be more impressive.</li> <li>Personally, I was more focused on the practicality of the idea and our ability to execute (in 8-12) hours <ul> <li>Since only 2 of the judges were asking technical questions, I assume the others were more business-minded. They weren’t judging on “can these people do it”, they were judging on “as described, will this idea impact a lot of people?”</li> <li> <strong>TL;DR;</strong> Go for the big idea - not on the technical feasibility.</li> </ul> </li> <li>Currently, AI is all the rage. Reverse Image Search uses an AI model, we should have emphasized that more in the presentation.</li> </ul> <h2> Links </h2> <ul> <li><a href="https://d8ftny2i4nqz0.cloudfront.net/capture">Demo Site</a></li> <li><a href="https://bliskavka.com/2023/10/02/tech-hub-hackathon-2023/ScreenRecording.mp4">App Recording</a></li> <li><a href="https://github.com/PradatiusD/habitat-restore">Code Repo</a></li> </ul> career aws hackathon techhub Interview Pointers for Bootcamp Grads Ivan Bliskavka Wed, 05 Apr 2023 20:05:00 +0000 https://dev.to/ibliskavka/interview-pointers-for-bootcamp-grads-18ab https://dev.to/ibliskavka/interview-pointers-for-bootcamp-grads-18ab <p>I met <a href="https://www.linkedin.com/in/toddalbert/" rel="noopener noreferrer">Todd Albert</a>, the founder of <a href="https://bocacode.com/" rel="noopener noreferrer">Boca Code</a> at an AWS networking event hosted by <a href="https://www.cloudhesive.com/" rel="noopener noreferrer">CloudHesive</a>. He got a kick out of the fact that I was a plumber before I got into IT, so he invited me to speak to the 9th cohort of the Boca Code Developer Bootcamp.</p> <p>It was a great experience! The facility is cozy and everyone was super friendly. They also had great coffee and an awesome selection of laptop stickers!</p> <p>I spoke about my journey from being a plumber to being a Sr. Architect at the leading Amazon Connect integrator, there were jokes, laughter, and most importantly - questions!</p> <h2> Questions </h2> <h3> How long did it take before you finally felt confident as a developer? </h3> <p>About 3 years - but you can get there sooner! The first 2 years I worked alone and didn’t have anyone to compare to, so I assumed I wasn't very good but I kept studying and kept at it.</p> <p>The 3rd year I worked with a team of sub-contractors on a project that got scrapped - so I figured that wasn't a very good metric.</p> <p>In my fourth year I moved to another company with a full internal dev team - and I realized that in many respects I was ahead of guys with 10-15 years of experience. They knew A LOT, but much of that tech was already dead. I knew a lot MORE than them about the current tech.</p> <p>Don't forget that as a bootcamp graduate your education may be more current than the other devs. You still have to get experience, but I promise you are doing much better than your imposter syndrome is telling you.</p> <h3> What makes a good impression for new employees? </h3> <p>Typically the onboarding material includes reading, and assignments to get you familiar with the toolset. If you are spinning your wheels for 2 days on something - and the answer is in the reading, this is a strong negative.</p> <ol> <li>You did not read the assignment and you just wasted 2 days because you are afraid to ask for help.</li> <li>I would rather you do the reading, do some googling, and when you are stuck for 4-8 hours, reach out for help. This work requires communication - maybe the requirements were unclear - being able to clear that up on your own initiative is very impressive!</li> </ol> <p>Corollary - don’t ask for help for every little thing. Do your due diligence. Also, take notes - don’t ask the same thing over and over again.</p> <h3> What type of questions do you usually ask at an interview? </h3> <p>I like to gauge a candidate's skill level, and then dive a little deeper based on their response.</p> <ul> <li>For a Jr role I may ask what is the difference between an RDBMS and a NoSQL db. <ul> <li>Followup: When would you choose one over the other and why?</li> </ul> </li> <li>For a mid role I would ask them to name the 3 types of testing (Unit, Integration, Manual). <ul> <li>What is the difference?</li> <li>How would you design your code to make testing easier? (expecting mocks &amp; dependency injection)</li> </ul> </li> <li>For a senior role I would have a conversation about design patterns.</li> <li>I always love to ask about personal or favorite projects. You have to love this work to be exceptional at it. If you don’t have any code you are proud of - it’s a turn-off.</li> <li>What is the most impactful project you have participated in? What was the impact - social, financial, etc? You have to be able to speak about your work in terms of return on investment</li> </ul> <h3> What tips do you have for interviewing? </h3> <p>Be collaborative. If you are asked design questions they may be intentionally vague - ask the interviewer clarifying questions.</p> <p>If the question requires a succinct factual response, and you don't know the answer immediately, you can ask questions to get partial credit.</p> <p>For example:</p> <ul> <li>I am not familiar with the term X, would you provide a short description and I may be able to able to answer the rest of the question?</li> <li>I have never used that in my work, but I think I know what it does based on your description - can I try to guess?</li> </ul> <p>Remember not to B.S. during a technical interview. I prefer someone who says honestly "I don't know the answer, but am willing to try anyway if you give me some hints".</p> <p>In the real world you will rarely have all the facts. You will have to reach out to the client who reported the bug and ask them to do a screen share so that you can see what is happening. Asking good questions is part of the job.</p> <h3> Would you recommend I get cloud certs? </h3> <p>I work in an AWS shop. I would take an AWS certified bootcamp grad over a non-certified grad any day. It's probably less relevant if the company is not using AWS, but it still shows personal initiative and a willingness to learn.</p> <p>If you are applying to work for an AWS Partner, they have to have a minimum amount of AWS Certified engineers to maintain their partner status. Having a cert in this case is extremely useful.</p> <h2> Understanding your job economics </h2> <p>During my talk I mentioned a couple of concepts and a student asked me to elaborate on them.</p> <h3> Understanding the economics of your business </h3> <p>I work in the call center space - for each minute a customer is on a call it costs the company $1. If you have thousands of agents, and tens of thousands of calls per month, these figures start to add up!</p> <p>Reducing the average call handle time for a call by 1% for a sufficiently large business can reduce costs by millions over several years. If I can contribute that improvement consistently - my career is made.</p> <h3> Understanding the economics of your position </h3> <p>Typically IT is a cost center, not a profit center. <em>You</em> cost money. If you are doing right, you cost a <em>lot</em> of money (per hour).</p> <p><em>You</em> should <strong>NOT</strong> be doing work that a computer can do faster, better, and more consistently. For this reason you should be on the lookout for automation, devops, scripts, or processes that reduce the amount of repetitive/manual work that you do, so you can focus on real innovations.</p> <p>Example: If some nightly job runs for 3 hours - don't bother spending 3 days speeding it up. It starts at 12:00, finishes by 3:00, and the first person that needs it is at 8:00. There is a 5-hour buffer - but you just cost the company 3 days for no economic benefit.</p> <p>Not everything needs to be a script. If some work only happens once a month and takes 15 minutes - a <code>How-To</code> guide may be more appropriate. Next time you have to do the task, you can do it in 10 minutes, or simply hand it off to the new guy :)</p> <p>If you can make yourself (and others) more productive through automation and/or documentation you will also go far.</p> <h2> Conclusion </h2> <p>It was fun to reflect on my journey and share some personal experiences with budding new developers!</p> <blockquote> <p><a href="https://bocacode.com" rel="noopener noreferrer">Boca Code</a> is an intense 40/hrs a week, for 10 weeks, software development bootcamp. Having spoken with the class and founders - I highly recommend them!</p> </blockquote> career CDK package.json Scripts Ivan Bliskavka Wed, 05 Apr 2023 19:49:00 +0000 https://dev.to/ibliskavka/cdk-packagejson-scripts-2ldd https://dev.to/ibliskavka/cdk-packagejson-scripts-2ldd <p>I found the following package.json scripts very convenient when managing a complex CDK app. The key is the <code>--</code> operator, which allows us to append additional parameters to a script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tsc --noEmit"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cdk"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run build &amp;&amp; cdk"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cdk:pipeline"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run build &amp;&amp; cdk --app 'npx ts-node --prefer-ts-exts bin/pipeline.ts'"</span><span class="p">,</span><span class="w"> </span><span class="nl">"test"</span><span class="p">:</span><span class="w"> </span><span class="s2">"jest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"diff"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run cdk -- diff"</span><span class="p">,</span><span class="w"> </span><span class="nl">"synth"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run cdk -- synth --quiet"</span><span class="p">,</span><span class="w"> </span><span class="nl">"deploy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run cdk -- deploy --all --require-approval never"</span><span class="p">,</span><span class="w"> </span><span class="nl">"deploy:pipeline"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run cdk:pipeline -- deploy --all --require-approval never"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This configuration allows us to create convenient scripts like deploy/diff/synth, but we still have the ability to pass in additional parameters like:</p> <p><code>npm run deploy -- --no-rollback --profile default</code></p> <p>I can also define multiple entry points</p> <ul> <li> <code>cdk</code>: Interact with the stack directly.</li> <li> <code>cdk:pipeline</code>: Deploy a CDK Pipeline which is able patch the CDK app when new changes are pushed.</li> </ul> <p>A pipeline execution can be slow, so being able to circumvent the pipeline in a dev/sandbox environment is extremely useful.</p> aws cdk devops Synth CDK app to Custom Bucket Ivan Bliskavka Mon, 07 Feb 2022 22:50:32 +0000 https://dev.to/ibliskavka/synth-cdk-app-to-custom-bucket-2n5 https://dev.to/ibliskavka/synth-cdk-app-to-custom-bucket-2n5 <p>Some AWS customers don't use the CLI, and will not grant an external contractor CLI access. Trying to get access is a waste of time and resources. Do not fear, there is a solution!</p> <h2> Summary </h2> <ol> <li>Create a client specific staging bucket</li> <li>Share the bucket with the client account via Bucket Policy</li> <li>Synth the stack to the staging bucket</li> <li>Share template URL with client</li> <li>Client can install using the URL in CloudFormation web console with their own user credentials</li> </ol> <h2> App Staging Bucket Policy </h2> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MyClient"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:iam::DEV_ACCOUNT_ID:root"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:iam::PROD_ACCOUNT_ID:root"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObjectVersion"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::app-staging-bucket/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Usage </h2> <ol> <li>Install CDK Assets <code>npm i -D cdk-assets</code> </li> <li> <p>Customize the stack synthesizer to use your custom staging bucket<br> </p> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="k">new</span> <span class="nc">MyApp</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">template</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">someParam</span><span class="p">:</span> <span class="dl">'</span><span class="s1">someValue</span><span class="dl">'</span><span class="p">,</span> <span class="na">synthesizer</span><span class="p">:</span> <span class="k">new</span> <span class="nc">DefaultStackSynthesizer</span><span class="p">({</span> <span class="na">fileAssetsBucketName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">app-staging-bucket</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Use a custom role which has access to the asset bucket</span> <span class="na">fileAssetPublishingRoleArn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">my-client-staging-role</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Consider using a build date or version</span> <span class="na">bucketPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2.4.1</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// The client account does not need to be bootstrapped</span> <span class="na">generateBootstrapVersionRule</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">synth</span><span class="p">();</span> </code></pre> </li> <li><p>Run <code>cdk synth</code> to generate your assets.</p></li> <li> <p>Modify <code>cdk.out/template.assets.json</code> to make the template file name more predictable</p> <ul> <li>find entry with <code>sourcePath</code>=<code>template.template.json</code> </li> <li>modify its <code>objectKey</code> to something like <code>2.4.1/template.json</code> </li> <li>(you should probably write some code to automate this)</li> </ul> </li> <li><p>Run <code>cdk-assets -v -p ./cdk.out/template.assets.json publish</code></p></li> <li><p>Share your template URL with the client. It will look something like:<br><br> <code>https://app-staging-bucket.s3.amazonaws.com/2.4.1/template.json</code></p></li> <li><p>Client can install the app using the CloudFormation web console.</p></li> </ol> <h2> Simpler Template Output </h2> <p>Not sure what the side-effects of these are, but this produces a simpler template with less CDK metadata.</p> <p><code>cdk synth --path-metadata false --version-reporting false</code></p> <h3> cdk.json </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@aws-cdk/core:newStyleStackSynthesis"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Conclusion </h2> <p>This has been very helpful for creating installers that are accessible to non-developers and usable in beginner AWS environments. I hope it save you some head-scratching!</p> <p><a href="https://bliskavka.com/2022/02/07/synth-cdk-to-custom-bucket/" rel="noopener noreferrer">Originally posted on my blog</a></p> aws cloudformation cdk devops AWS Athena SAM Policies Ivan Bliskavka Fri, 24 Dec 2021 17:04:07 +0000 https://dev.to/ibliskavka/aws-athena-sam-policies-19m6 https://dev.to/ibliskavka/aws-athena-sam-policies-19m6 <p>AWS Athena provides SQL queries over S3 data. The service depends on S3, Glue, and Athena itself so getting permissions set up can be tricky. Here is what worked for me.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">StartQueryFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">src/lambda/search.start</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">S3ReadPolicy</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DataBucket</span> <span class="pi">-</span> <span class="na">S3CrudPolicy</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AthenaResultsBucket</span> <span class="pi">-</span> <span class="na">AthenaQueryPolicy</span><span class="pi">:</span> <span class="na">WorkGroupName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AthenaWorkGroup</span> <span class="pi">-</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">glue:GetTable</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${GlueDatabase}</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${GlueDatabase}/*</span> <span class="na">GetResultFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">src/lambda/search.results</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">S3CrudPolicy</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AthenaResultsBucket</span> <span class="pi">-</span> <span class="na">AthenaQueryPolicy</span><span class="pi">:</span> <span class="na">WorkGroupName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AthenaWorkGroup</span> </code></pre> </div> <p>Cheers!</p> howto aws security Async Array Filter Ivan Bliskavka Fri, 22 Oct 2021 13:04:33 +0000 https://dev.to/ibliskavka/async-array-filter-3pja https://dev.to/ibliskavka/async-array-filter-3pja <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="nx">asyncFilter</span> <span class="o">=</span> <span class="p">(</span><span class="nx">arr</span><span class="p">,</span> <span class="nx">predicate</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span><span class="nx">arr</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">predicate</span><span class="p">))</span> <span class="p">.</span><span class="nf">then</span><span class="p">((</span><span class="nx">results</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">arr</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">_v</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">results</span><span class="p">[</span><span class="nx">index</span><span class="p">]));</span> <span class="p">}</span> </code></pre> </div> javascript Fargate + EFS Permissions using CDK Ivan Bliskavka Thu, 21 Oct 2021 21:16:20 +0000 https://dev.to/ibliskavka/fargate-with-efs-cdk-9ep https://dev.to/ibliskavka/fargate-with-efs-cdk-9ep <p>I struggled WAY too long trying to sort out the permissions for EFS. Turns out, there are 2 layers. The IAM role, and the Posix permissions. Both throw a similar looking access denied. Finally!</p> <p>Don't judge me on the single AZ. I am running a single task in Fargate and only need one instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="p">{</span><span class="nx">vpc</span><span class="p">,</span> <span class="nx">az</span><span class="p">,</span> <span class="nx">region</span><span class="p">,</span> <span class="nx">account</span><span class="p">}</span> <span class="o">=</span> <span class="nx">props</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fileSystem</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FileSystem</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Efs</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">performanceMode</span><span class="p">:</span> <span class="nx">PerformanceMode</span><span class="p">.</span><span class="nx">GENERAL_PURPOSE</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="na">onePerAz</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">availabilityZones</span><span class="p">:</span> <span class="p">[</span><span class="nx">az</span><span class="p">]</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">accessPoint</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AccessPoint</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AccessPoint</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">fileSystem</span><span class="p">:</span> <span class="nx">fileSystem</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">task</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">FargateTaskDefinition</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Task</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">cpu</span><span class="p">:</span> <span class="mi">256</span><span class="p">,</span> <span class="na">memoryLimitMiB</span><span class="p">:</span> <span class="mi">512</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">volumeName</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">efs-volume</span><span class="dl">'</span><span class="p">;</span> <span class="nx">task</span><span class="p">.</span><span class="nf">addVolume</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">volumeName</span><span class="p">,</span> <span class="na">efsVolumeConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">fileSystemId</span><span class="p">:</span> <span class="nx">fileSystem</span><span class="p">.</span><span class="nx">fileSystemId</span><span class="p">,</span> <span class="na">transitEncryption</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ENABLED</span><span class="dl">'</span><span class="p">,</span> <span class="na">authorizationConfig</span><span class="p">:{</span> <span class="na">accessPointId</span><span class="p">:</span> <span class="nx">accessPoint</span><span class="p">.</span><span class="nx">accessPointId</span><span class="p">,</span> <span class="na">iam</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ENABLED</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nx">task</span><span class="p">.</span><span class="nf">addContainer</span><span class="p">(</span><span class="dl">'</span><span class="s1">Container</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">image</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">ContainerImage</span><span class="p">.</span><span class="nf">fromAsset</span><span class="p">(</span><span class="dl">'</span><span class="s1">./container</span><span class="dl">'</span><span class="p">),</span> <span class="na">portMappings</span><span class="p">:</span> <span class="p">[{</span><span class="na">hostPort</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">80</span><span class="p">}],</span> <span class="p">});</span> <span class="nx">container</span><span class="p">.</span><span class="nf">addMountPoints</span><span class="p">({</span> <span class="na">containerPath</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/mount/data</span><span class="dl">'</span><span class="p">,</span> <span class="na">sourceVolume</span><span class="p">:</span> <span class="nx">volumeName</span><span class="p">,</span> <span class="na">readOnly</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="nx">task</span><span class="p">.</span><span class="nf">addToTaskRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">elasticfilesystem:ClientRootAccess</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">elasticfilesystem:ClientWrite</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">elasticfilesystem:ClientMount</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">elasticfilesystem:DescribeMountTargets</span><span class="dl">'</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="s2">`arn:aws:elasticfilesystem:</span><span class="p">${</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">account</span><span class="p">}</span><span class="s2">:file-system/</span><span class="p">${</span><span class="nx">fileSystem</span><span class="p">.</span><span class="nx">fileSystemId</span><span class="p">}</span><span class="s2">`</span><span class="p">]</span> <span class="p">})</span> <span class="p">);</span> <span class="nx">task</span><span class="p">.</span><span class="nf">addToTaskRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ec2:DescribeAvailabilityZones</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">]</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p>I hope this save someone a headache!</p> <p><a href="https://bliskavka.com/2021/10/21/AWS-CDK-Fargate-with-EFS" rel="noopener noreferrer">Originally posted on my blog</a></p> aws cdk devops Help: Logical ID Changed in my CDK App Ivan Bliskavka Fri, 17 Sep 2021 15:52:42 +0000 https://dev.to/ibliskavka/help-logical-id-changed-in-my-cdk-app-14p0 https://dev.to/ibliskavka/help-logical-id-changed-in-my-cdk-app-14p0 <p>I recently came across a weird error in a private package CDK deploy:</p> <p><code>{dynamo table name} already exists in stack {current stack arn}</code></p> <p>Upon further investigation it turned out that one of our internal CDK modules for building the dynamo tables has changed how it was naming the construct, resulting in a different CloudFormation Logical ID. Since we were explicitly naming the table, the stack update could not complete, because the table already exists.</p> <p>This app is a self-contained NPM module, so I wasn't able to modify the construct, but I came up with a workaround.</p> <ol> <li>Back up the dynamo table data</li> <li>Copy the raw stack yaml from CloudFormation and save it on your computer</li> <li>Delete the table resource and references from the template</li> <li>Update the stack with the new template using the CloudFormation web console</li> <li>Verify that the table was deleted (and not retained) by CloudFormation</li> <li>Redeploy the CDK app, which will create a new table</li> <li>Restore the table data</li> </ol> cdk aws troubleshooting Missing Amplify UI Styles in Electron App Ivan Bliskavka Wed, 15 Sep 2021 18:57:28 +0000 https://dev.to/ibliskavka/missing-amplify-ui-styles-in-electron-app-3beg https://dev.to/ibliskavka/missing-amplify-ui-styles-in-electron-app-3beg <p>I recently discovered the <a href="https://electron-react-boilerplate.js.org/" rel="noopener noreferrer">Electron React Boilerplate</a> project and wanted to use the <a href="https://docs.amplify.aws/ui/auth/authenticator/q/framework/react/" rel="noopener noreferrer">AWS Amplify Authenticator</a>. Lo and Behold: its ugly...</p> <p>I had used the typical <code>index.tsx</code> import and I could see the CSS output, but for some reason it did not work.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// index.tsx</span> <span class="k">import</span> <span class="dl">"</span><span class="s2">@aws-amplify/ui/dist/style.css</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <p>After much Googling, it turns out that Electron React Boiler plate does some webpack-ing magic under the hood.</p> <p>The correct way to add the css is to import it in <code>App.global.css</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* App.global.css */</span> <span class="k">@import</span> <span class="s2">'~@aws-amplify/ui/dist/style.css'</span><span class="p">;</span> </code></pre> </div> <p><a href="https://bliskavka.com" rel="noopener noreferrer">Originally posted on my blog</a></p>