DEV Community: Leonti Bielski The latest articles on DEV Community by Leonti Bielski (@leonti). https://dev.to/leonti https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F221323%2Fad402a99-57bc-45fa-a041-b2a0ce164ce3.jpeg DEV Community: Leonti Bielski https://dev.to/leonti en AWS Budget Killswitch: Disable AWS Services When Budget Is Exceeded Leonti Bielski Mon, 06 Jul 2020 03:47:39 +0000 https://dev.to/leonti/aws-budget-killswitch-disable-aws-services-when-budget-is-exceeded-36oc https://dev.to/leonti/aws-budget-killswitch-disable-aws-services-when-budget-is-exceeded-36oc <p>I like creating small projects and hosting them on AWS. AWS is what I use at work and using it for my personal projects makes sense because it's convenient and it's what I know. <br> However, my personal projects don't make me any money so a huge increase in traffic doesn't mean an increase in revenue to cover the cost of an AWS bill. <br> Sometimes I just want to put something out there and see if people like it. Call me paranoid, but I'm afraid of a situation when I wake up one day and discover that I have a <a href="https://mobile.twitter.com/ChrisShort/status/1279406322837082114">$2700 bill</a> in my AWS account for something that doesn't make any money. </p> <p>I've always wanted to have a hard limit on AWS spending on my personal account. Something like: "Stop everything when my bill reaches $100 a month". There is no such functionality on AWS and I appreciate how hard would it be to implement it. There would not be a solution which works for everyone. Some people would only want to stop services which are the main culprits, some would like to stop everything. Would you want to have your s3 buckets emptied if you have a sudden spike in your bill? Also, there is a matter of production services. Very few companies would be ok with terminating their infrastructure when the bill goes above a certain budget. <br> For people who just like to tinker and are ok with their services being down in an emergency such solution might be useful. This is where "AWS Budget Killswitch" comes in.</p> <h2> AWS Budget Killswitch </h2> <p>The solution is very simple:</p> <ol> <li>Create an emergency budget, a certain value which would constitute an unacceptable spending</li> <li>When budget is reached send an email and disable public-facing AWS services, currently only CloudFront and ApiGateway are supported</li> </ol> <p>The app is implemented as a <a href="https://aws.amazon.com/serverless/sam/">SAM</a> template:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Transform</span><span class="pi">:</span> <span class="s">AWS::Serverless-2016-10-31</span> <span class="na">Description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">NotificationEmail</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">BudgetLimit</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">KillswitchBudgetTopic</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SNS::Topic</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Subscription</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Endpoint</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">DisableServicesFunction.Arn</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">lambda"</span> <span class="na">KillswitchBudget</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Budgets::Budget</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Budget</span><span class="pi">:</span> <span class="na">BudgetLimit</span><span class="pi">:</span> <span class="na">Amount</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">BudgetLimit</span> <span class="na">Unit</span><span class="pi">:</span> <span class="s">USD</span> <span class="na">TimeUnit</span><span class="pi">:</span> <span class="s">MONTHLY</span> <span class="na">BudgetType</span><span class="pi">:</span> <span class="s">COST</span> <span class="na">NotificationsWithSubscribers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Notification</span><span class="pi">:</span> <span class="na">NotificationType</span><span class="pi">:</span> <span class="s">ACTUAL</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">GREATER_THAN</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="m">99</span> <span class="na">Subscribers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">SubscriptionType</span><span class="pi">:</span> <span class="s">EMAIL</span> <span class="na">Address</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">NotificationEmail</span> <span class="pi">-</span> <span class="na">SubscriptionType</span><span class="pi">:</span> <span class="s">SNS</span> <span class="na">Address</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">KillswitchBudgetTopic</span> <span class="na">SnsInvokeLambdaPermission</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Lambda::Permission</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">lambda:InvokeFunction</span> <span class="na">FunctionName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DisableServicesFunction</span> <span class="na">Principal</span><span class="pi">:</span> <span class="s1">'</span><span class="s">sns.amazonaws.com'</span> <span class="na">SourceArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">KillswitchBudgetTopic</span> <span class="na">DisableServicesFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CodeUri</span><span class="pi">:</span> <span class="s">disable-services</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">app.handler</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">nodejs12.x</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="s">256</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">AWSLambdaExecute</span> <span class="pi">-</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cloudfront:ListDistributions</span> <span class="pi">-</span> <span class="s">cloudfront:GetDistributionConfig</span> <span class="pi">-</span> <span class="s">cloudfront:UpdateDistribution</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">apigateway:*'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> </code></pre></div> <p>It creates a budget with 2 subscriptions, email, and an SNS topic.<br><br> SNS topic is configured to invoke a Lambda which contains the logic to disable services. AWS doesn't have a big red "Disable" button for each service, each one is unique, so disabling them is different per service.<br><br> You can disable a CloudFront distribution, but ApiGateway stage can only be deleted. Luckily you can set throttling limits to 0, so it can also be made unreachable. </p> <p>Here is how the Lambda looks like:<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">cloudfront</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">CloudFront</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">apigateway</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">APIGateway</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">disableDistribution</span> <span class="o">=</span> <span class="k">async</span><span class="p">(</span><span class="nx">id</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">getDistributionConfig</span><span class="p">({</span> <span class="na">Id</span><span class="p">:</span> <span class="nx">id</span> <span class="p">}).</span><span class="nx">promise</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">disabledConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">config</span><span class="p">.</span><span class="nx">DistributionConfig</span><span class="p">,</span> <span class="na">Enabled</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">updateDistribution</span><span class="p">({</span> <span class="na">Id</span><span class="p">:</span> <span class="nx">id</span><span class="p">,</span> <span class="na">DistributionConfig</span><span class="p">:</span> <span class="nx">disabledConfig</span><span class="p">,</span> <span class="na">IfMatch</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">ETag</span> <span class="p">}).</span><span class="nx">promise</span><span class="p">()</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">disableCloudfront</span> <span class="o">=</span> <span class="k">async</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">distributions</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">cloudfront</span><span class="p">.</span><span class="nx">listDistributions</span><span class="p">().</span><span class="nx">promise</span><span class="p">()</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nx">all</span><span class="p">(</span><span class="nx">distributions</span><span class="p">.</span><span class="nx">DistributionList</span><span class="p">.</span><span class="nx">Items</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">d</span> <span class="o">=&gt;</span> <span class="nx">disableDistribution</span><span class="p">(</span><span class="nx">d</span><span class="p">.</span><span class="nx">Id</span><span class="p">)))</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">setStageLimits</span> <span class="o">=</span> <span class="k">async</span><span class="p">(</span><span class="nx">restApiId</span><span class="p">,</span> <span class="nx">stageName</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stage</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">getStage</span><span class="p">({</span> <span class="nx">restApiId</span><span class="p">,</span> <span class="nx">stageName</span><span class="p">,</span> <span class="p">}).</span><span class="nx">promise</span><span class="p">()</span> <span class="k">await</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">updateStage</span><span class="p">({</span> <span class="nx">restApiId</span><span class="p">,</span> <span class="nx">stageName</span><span class="p">,</span> <span class="na">patchOperations</span><span class="p">:</span> <span class="p">[{</span> <span class="na">op</span><span class="p">:</span> <span class="dl">'</span><span class="s1">replace</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/*/*/throttling/burstLimit</span><span class="dl">'</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">op</span><span class="p">:</span> <span class="dl">'</span><span class="s1">replace</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/*/*/throttling/rateLimit</span><span class="dl">'</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span> <span class="p">},</span> <span class="p">]</span> <span class="p">}).</span><span class="nx">promise</span><span class="p">()</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">stage</span><span class="p">)</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">disableApiGateways</span> <span class="o">=</span> <span class="k">async</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiIds</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">getRestApis</span><span class="p">().</span><span class="nx">promise</span><span class="p">()).</span><span class="nx">items</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">a</span> <span class="o">=&gt;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nx">all</span><span class="p">(</span><span class="nx">apiIds</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="k">async</span><span class="p">(</span><span class="nx">restApiId</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stages</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">getStages</span><span class="p">({</span> <span class="nx">restApiId</span> <span class="p">}).</span><span class="nx">promise</span><span class="p">()).</span><span class="nx">item</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nx">all</span><span class="p">(</span><span class="nx">stages</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">stage</span> <span class="o">=&gt;</span> <span class="nx">setStageLimits</span><span class="p">(</span><span class="nx">restApiId</span><span class="p">,</span> <span class="nx">stage</span><span class="p">.</span><span class="nx">stageName</span><span class="p">)))</span> <span class="p">}))</span> <span class="p">}</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">disableCloudfront</span><span class="p">()</span> <span class="k">await</span> <span class="nx">disableApiGateways</span><span class="p">()</span> <span class="p">};</span> </code></pre></div> <p>There is nothing else to it, it's a very blunt instrument, but it will make sure that if you have a huge spike in traffic that you don't expect you'll end up with your app down instead of paying an exorbitant bill.<br><br> This is definitely something only for tinkerers like me, not for a production use.<br><br> The proper solution would be using an <a href="https://aws.amazon.com/waf/">AWS WAF</a> but I'm too cheap to spend $6 a month for a very unlickely event of a DDoS attack on one of my small projects. </p> <p><a href="https://github.com/Leonti/aws-budget-killswitch">Here</a> is a Github repository ready to be deployed.</p> aws Testing: A Practical Approach Leonti Bielski Wed, 24 Jun 2020 07:44:28 +0000 https://dev.to/leonti/testing-a-practical-approach-f67 https://dev.to/leonti/testing-a-practical-approach-f67 <p>Automated testing is important to build software in a sustainable way. No one wants to manually test their entire application on every change. That would be slow and a waste of time.<br> On the other hand, covering an application with all possible kinds of automated tests also has a significant cost. If not done right tests can make application architecture rigid and slow to change - the exact things we aim to improve with automated testing in the first place.<br> It's an important part of our job as software developers to make calls about what needs to be tested and to what degree.<br> During my career, I had changed my views on testing from just writing tests because it's a "best practice" to a more practical approach about when and which type of tests to write.<br> In this article, I'd like to share my thoughts on software testing with the hope it can be beneficial for someone who is on the same journey of writing better software.<br> This is not meant to be a definitive testing guide, it's meant to be a starting point for a more critical view on testing practices.</p> <h1> Context </h1> <p>The context in which application is built and used is very important when thinking about testing. Are you an early-stage startup or a big fintech company? Are you working on a new experimental way display content to users or are you adding a feature to an existing product which is going to be rolled out to millions of users?<br> Kent Beck has an excellent talk "3x Explore, Expand, Extract"<br> <iframe width="710" height="399" src="https://www.youtube.com/embed/FlJN6_4yI2A"> </iframe> <br> I highly recommend it. The gist of it is this - your approach to testing and software quality, in general, should depend on at what stage of product maturity you are. If you are just starting out, exploring, and experimenting then high automated testing coverage is not needed. You might even go for a while without any automated tests at all until you know what works and what needs to be solidified.<br> Once you know which parts of your product are going to stay you should improve test coverage and code quality in those areas.</p> <h1> TDD </h1> <p>Test-Driven Development is a bit like a religion. There are people who believe in its core values and there are fundamentalists which preach the "one true way" of doing it.<br> The most popular understanding of TDD seems to be: code should have 100% test coverage at any cost and that a unit is a class (in languages that have classes).<br> This approach leads to hundreds of useless tests which mostly test mocks just for the sake of the coverage. <br> It's hard to ask for the removal of such tests because no one wants to be that guy which is against automated testing ;)<br> When I first read DHH's post about <a href="https://dhh.dk/2014/tdd-is-dead-long-live-testing.html">TDD</a> I thought the guy was crazy because TDD was meant to solve all of the problems of software quality. Now I get it.<br> There is a great talk by Ian Cooper titled "TDD, Where Did It All Go Wrong" which touches on the problems with the traditional understanding of TDD and how it differs from the original idea.<br> <iframe width="710" height="399" src="https://www.youtube.com/embed/EZ05e7EMOLM"> </iframe> <br> Here are the key takeaways:</p> <ol> <li>"Unit" is not a single class, it's a module with public API.</li> <li>Avoid mocks.</li> <li>Test behaviour, not implementation. This approach avoids so many problems. Since we are testing a public API of a module there is no need for mocks. Imagine you test a <code>Calculator</code> module which can add and multiply numbers. It uses <code>Adder</code> and <code>Multiplier</code> classes underneath. But we don't care. All we care about is whether it can successfully add and multiply numbers, so we just test that. <code>Calculator</code> module is free to change its implementation, remove <code>Adder</code> and <code>Multiplier</code> dependencies and perform calculations using a third-party <code>Math</code> library. Not a single test would have to be changed and we would still be confident that <code>Calculator</code> works correctly. Compare this to a traditional approach:</li> <li>Write a test for <code>Calculator</code> using <code>Adder</code> and <code>Multiplier</code> mocks. Make sure they are called with the right arguments.</li> <li>Write a test for <code>Adder</code>.</li> <li>Write a test for <code>Multiplier</code>. Now we have 3 brittle tests from which only 2 are testing the actual logic. If we need to switch to a third-party <code>Math</code> library we'd have to rewrite the <code>Calculator</code> test, and remove <code>Adder</code> and <code>Multiplier</code> ones. That would slow us down and more importantly when you have to change tests during refactoring how are you sure that you can rely on modified tests? It has been a joy working on projects which embrace "unit is a module" and "no mocks" approaches. Some say that if you don't test classes in isolation it leads to a tight coupling between classes. In my experience, it's not a problem at all. If developers are free to painlessly refactor and move stuff around it usually leads to a better code organisation over time. How often have you reconsidered moving a dependency because of the burden of adjusting unit tests?</li> </ol> <h1> Slow and fast tests </h1> <p>Given that everybody seems to have their own definition of what "integration test" is I prefer alternative definition where you group tests by being "fast" and "slow".<br> "Fast" tests are those which don't talk to slow IO (no matter how many classes are involved) and "slow" are those which do. Database and network calls are usually slow. Writing and reading small files to an SSD drive is usually pretty fast. Not doing any IO is even faster :)<br> The way to avoid performing IO calls during tests is to replace those parts of the code which do with stubs or "alternates". There are multiple ways to do it and functional programming particularly shines at separating IO from the rest of the code, but the main idea is to provide an interface for external interactions and 2 implementations - one for testing which responds with pre-canned values and the real one which talks to the external world (it needs to be tested separately).<br> Again, the context of your application is very important here and I would argue there is no universal "best practice" approach.<br> Imagine you have an application which takes a JSON payload and puts it into a Postgres database. What could go wrong here?</p> <ol> <li>JSON codec might be misconfigured</li> <li>Extracting data from the JSON payload and putting it into database might be broken.</li> <li>Database schema might be different from the one that the code expects.</li> </ol> <p>There is no logic to be tested here, so the test which would give you the most bang for your buck would be the one which accepts JSON payload from a string and writes it to the database.<br> There is nothing wrong with not having a "unit" test for this if it gives you no value. You can introduce it later when you have logic in your JSON-&gt;DB pipeline.</p> <h1> Conclusion </h1> <p>There is no single prescribed model for software testing. No application is the same and no team is the same. It is important to step back and evaluate your testing strategy.<br> If your current testing approach doesn't feel right maybe it's because what is considered a best practice is not right for your application. There is no point of striving for 100% unit test coverage in an application which is mostly a conduit between an HTTP request and a DB.<br> When you do write unit tests, avoiding mocks and testing behaviour instead of implementation goes a long way to achieve a balance between software quality and development speed.</p> tdd testing Deploying an SPA on AWS Leonti Bielski Mon, 22 Jun 2020 07:47:11 +0000 https://dev.to/leonti/deploying-an-spa-on-aws-34lf https://dev.to/leonti/deploying-an-spa-on-aws-34lf <p>Hosting a static website on AWS has many advantages but it has a few moving parts which need to fit together to get a fast and scalable static website.</p> <p>While working on <a href="https://avocv.com">AvoCV</a> I decided to host it on AWS for a few reasons.<br> Backend for the project is built using AWS Gateway, so hosting the frontend on AWS Gateway was a natural choice since it would reduce the burden of switching between different cloud providers.<br> Hosting a static website on AWS is also dirt-cheap, which was also important.</p> <p>In this post I’ll describe the steps you need to take between creating your SPA frontend project and being able to access it from your own domain.</p> <h1> Domain name </h1> <p>The first thing you need to do is to get a domain name from any of the domain registrars.<br> After you have your domain you need to create a hosted zone in <a href="https://console.aws.amazon.com/route53">Route53</a>, it costs $0.50 per month.<br> Route53 will create NS records automatically which you can use to “connect” your domain from your registrar to your hosted zone in Route53. Every registrar should have instructions on how to change NameServer records.</p> <h1> S3 hosting and Cloudfront </h1> <p>The easy way to make static files available publicly on AWS is to put them in a public s3 bucket. The url that you’ll get ain’t pretty though. It will look something like this: <code>http://&lt;bucket-name&gt;.s3-website-us-east-1.amazonaws.com</code><br> It’s definitely not user-friendly and it’s not HTTPS which is a must nowadays.<br> This is why we need a Cloudfront distribution in front of the bucket. It will hide the ugly url and will make sure requests are HTTPS.</p> <h1> Public S3 bucket </h1> <p>The whole setup apart from Route53 is done in CloudFormation. This is how s3 bucket setup looks like:<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="na">S3BucketLogs</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">DeletionPolicy</span><span class="pi">:</span> <span class="s">Delete</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AccessControl</span><span class="pi">:</span> <span class="s">LogDeliveryWrite</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}-logs'</span> <span class="na">S3BucketRoot</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">DeletionPolicy</span><span class="pi">:</span> <span class="s">Delete</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AccessControl</span><span class="pi">:</span> <span class="s">PublicRead</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}-root'</span> <span class="na">LoggingConfiguration</span><span class="pi">:</span> <span class="na">DestinationBucketName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">S3BucketLogs</span> <span class="na">LogFilePrefix</span><span class="pi">:</span> <span class="s1">'</span><span class="s">cdn/'</span> <span class="na">WebsiteConfiguration</span><span class="pi">:</span> <span class="na">ErrorDocument</span><span class="pi">:</span> <span class="s1">'</span><span class="s">index.html'</span> <span class="na">IndexDocument</span><span class="pi">:</span> <span class="s1">'</span><span class="s">index.html'</span> <span class="na">S3BucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::BucketPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">S3BucketRoot</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Allow'</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">s3:GetObject'</span> <span class="na">Principal</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${S3BucketRoot.Arn}/*'</span> </code></pre></div> <p><code>${AWS::StackName}</code> will resolve to the name of your stack, so if you name your stack <code>my-frontend</code> the name of the bucket will be <code>my-frontend-root</code>.<br> We are telling AWS that the bucket should be publicly accessible with PublicRead access control and with a BucketPolicysaying that every object should be public.<br> This setup even includes access logs which are being put into a special <code>&lt;stack-name&gt;-logs</code> bucket.<br> Why <code>ErrorDocument</code> and <code>IndexDocument</code> are the same?<br> This is because in an SPA all requests go to index.html and then JavaScript decided which route to show.<br> When you navigate to <code>https://avocv.com/editor</code> AWS will try to find <code>editor</code> file in the bucket, but it won’t be there. Normally it would return an error page, but we are overriding it with <code>ErrorDocument: index.html</code> so it loads <code>index.html</code> anyway. Once the page is loaded JavaScript looks the url in the browser, sees <code>/editor</code> and knows that it needs to load <code>Editor</code> page.<br> If this behaviour is not desirable you can change this entry to something else, for example, <code>error.html</code>. Just make sure <code>error.html</code> is in the bucket.</p> <h1> SSL Certificate </h1> <p>Creating SSL in CloudFormation is easy:<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="na">CertificateManagerCertificate</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CertificateManager::Certificate</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DomainName</span> <span class="na">SubjectAlternativeNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">www.${DomainName}</span> <span class="na">ValidationMethod</span><span class="pi">:</span> <span class="s">DNS</span> </code></pre></div> <p>The only “gotcha” is that the SSL certificate will need to be verified (you’ll have to add verification entries to your domain records). You will see a pending certificate in AWS Console and since your hosted zone is in Route53 it’s as easy as pressing a button.</p> <h1> CloudFront SSL-only distribution </h1> <p>Creating a CloudFront distribution is a little bit more involved:<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="na">CloudFrontDistribution</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudFront::Distribution</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DistributionConfig</span><span class="pi">:</span> <span class="na">Aliases</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">DomainName</span> <span class="na">CustomErrorResponses</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ErrorCachingMinTTL</span><span class="pi">:</span> <span class="m">60</span> <span class="na">ErrorCode</span><span class="pi">:</span> <span class="m">404</span> <span class="na">ResponseCode</span><span class="pi">:</span> <span class="m">200</span> <span class="na">ResponsePagePath</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/index.html'</span> <span class="pi">-</span> <span class="na">ErrorCachingMinTTL</span><span class="pi">:</span> <span class="m">60</span> <span class="na">ErrorCode</span><span class="pi">:</span> <span class="m">403</span> <span class="na">ResponseCode</span><span class="pi">:</span> <span class="m">200</span> <span class="na">ResponsePagePath</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/index.html'</span> <span class="na">DefaultCacheBehavior</span><span class="pi">:</span> <span class="na">AllowedMethods</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GET</span> <span class="pi">-</span> <span class="s">HEAD</span> <span class="na">CachedMethods</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GET</span> <span class="pi">-</span> <span class="s">HEAD</span> <span class="na">Compress</span><span class="pi">:</span> <span class="no">true</span> <span class="na">DefaultTTL</span><span class="pi">:</span> <span class="m">86400</span> <span class="na">ForwardedValues</span><span class="pi">:</span> <span class="na">Cookies</span><span class="pi">:</span> <span class="na">Forward</span><span class="pi">:</span> <span class="s">none</span> <span class="na">QueryString</span><span class="pi">:</span> <span class="no">true</span> <span class="na">MaxTTL</span><span class="pi">:</span> <span class="m">31536000</span> <span class="na">SmoothStreaming</span><span class="pi">:</span> <span class="no">false</span> <span class="na">TargetOriginId</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">S3-${AWS::StackName}-root'</span> <span class="na">ViewerProtocolPolicy</span><span class="pi">:</span> <span class="s1">'</span><span class="s">redirect-to-https'</span> <span class="na">DefaultRootObject</span><span class="pi">:</span> <span class="s1">'</span><span class="s">index.html'</span> <span class="na">Enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">HttpVersion</span><span class="pi">:</span> <span class="s">http2</span> <span class="na">IPV6Enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">Logging</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">S3BucketLogs.DomainName</span> <span class="na">IncludeCookies</span><span class="pi">:</span> <span class="no">false</span> <span class="na">Prefix</span><span class="pi">:</span> <span class="s1">'</span><span class="s">cdn/'</span> <span class="na">Origins</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">CustomOriginConfig</span><span class="pi">:</span> <span class="na">HTTPPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">HTTPSPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">OriginKeepaliveTimeout</span><span class="pi">:</span> <span class="m">5</span> <span class="na">OriginProtocolPolicy</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https-only'</span> <span class="na">OriginReadTimeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">OriginSSLProtocols</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">TLSv1</span> <span class="pi">-</span> <span class="s">TLSv1.1</span> <span class="pi">-</span> <span class="s">TLSv1.2</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">S3BucketRoot.DomainName</span> <span class="na">Id</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">S3-${AWS::StackName}-root'</span> <span class="na">PriceClass</span><span class="pi">:</span> <span class="s">PriceClass_All</span> <span class="na">ViewerCertificate</span><span class="pi">:</span> <span class="na">AcmCertificateArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CertificateManagerCertificate</span> <span class="na">SslSupportMethod</span><span class="pi">:</span> <span class="s">sni-only</span> </code></pre></div> <p>We are using the same trick with custom error pages so they all would return <code>index.html</code>.<br> By setting an alias we are making the public s3 bucket accessible from our domain.<br> SSL is configured to use the certificate created in the same stack for our custom domain.</p> <h1> Redirecting WWW users to a naked domain </h1> <p>This step is optional, but personally I prefer to have a non-www domains, so I’d like to redirect users coming to <a href="https://www.avocv.com">https://www.avocv.com</a> to <a href="https://avocv.com">https://avocv.com</a>. For this we’ll need a special s3 bucket and another CloudFront distribution:<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="na">S3BucketWWW</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::S3::Bucket"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}-www-redirect'</span> <span class="na">AccessControl</span><span class="pi">:</span> <span class="s">PublicRead</span> <span class="na">WebsiteConfiguration</span><span class="pi">:</span> <span class="na">RedirectAllRequestsTo</span><span class="pi">:</span> <span class="na">HostName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DomainName}</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s">https</span> <span class="na">CloudFrontDistributionRedirect</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudFront::Distribution</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DistributionConfig</span><span class="pi">:</span> <span class="na">Origins</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}-www-redirect.s3-website-${AWS::Region}.amazonaws.com'</span> <span class="na">Id</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">S3-${AWS::StackName}-www-redirect'</span> <span class="na">CustomOriginConfig</span><span class="pi">:</span> <span class="na">OriginProtocolPolicy</span><span class="pi">:</span> <span class="s">http-only</span> <span class="na">Enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">HttpVersion</span><span class="pi">:</span> <span class="s">http2</span> <span class="na">IPV6Enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">Logging</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">S3BucketLogs.DomainName</span> <span class="na">IncludeCookies</span><span class="pi">:</span> <span class="no">false</span> <span class="na">Prefix</span><span class="pi">:</span> <span class="s1">'</span><span class="s">cdn-redirects/'</span> <span class="na">Aliases</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">www.${DomainName}'</span> <span class="na">DefaultCacheBehavior</span><span class="pi">:</span> <span class="na">AllowedMethods</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GET</span> <span class="pi">-</span> <span class="s">HEAD</span> <span class="na">CachedMethods</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GET</span> <span class="pi">-</span> <span class="s">HEAD</span> <span class="na">TargetOriginId</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">S3-${AWS::StackName}-www-redirect'</span> <span class="na">Compress</span><span class="pi">:</span> <span class="s">True</span> <span class="na">DefaultTTL</span><span class="pi">:</span> <span class="m">604800</span> <span class="na">ForwardedValues</span><span class="pi">:</span> <span class="na">QueryString</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">Cookies</span><span class="pi">:</span> <span class="na">Forward</span><span class="pi">:</span> <span class="s">none</span> <span class="na">ViewerProtocolPolicy</span><span class="pi">:</span> <span class="s">redirect-to-https</span> <span class="na">PriceClass</span><span class="pi">:</span> <span class="s">PriceClass_All</span> <span class="na">ViewerCertificate</span><span class="pi">:</span> <span class="na">AcmCertificateArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CertificateManagerCertificate</span> <span class="na">SslSupportMethod</span><span class="pi">:</span> <span class="s">sni-only</span> </code></pre></div> <p>Public S3 buckets have ability to redirect user requests. In our case we create an empty public bucket which would redirect all requests to it to <code>https://&lt;your-domain-name&gt;</code>, so now all we have to do is to make sure all requests from <code>www.&lt;your-domain-name&gt;</code> would end up in that bucket which would then redirect them to a naked domain <code>&lt;your-domain-name&gt;</code>.<br> We do this with another simplified CloudFront distribution which has a <code>www</code> alias <code>www.${DomainName}</code>.<br> What this means is that when users navigates to <a href="http://www.avocv.com">www.avocv.com</a> request will be handled by a redirect CloudFront distribution which will send it to a redirect bucket, which in turn will redirect it to avocv.com and it will be picked up by the proper CloudFront distribution and the request will end up in the destination s3 bucket. That’s a lot of redirects!</p> <h1> Route53 records </h1> <p>The last thing we need to do is to tell Route53 that domain is “connected” to our CloudFront distributions:<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="na">Route53RecordSetGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Route53::RecordSetGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">HostedZoneName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${DomainName}.'</span> <span class="na">RecordSets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DomainName</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">A</span> <span class="na">AliasTarget</span><span class="pi">:</span> <span class="na">DNSName</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">CloudFrontDistribution.DomainName</span> <span class="na">EvaluateTargetHealth</span><span class="pi">:</span> <span class="no">false</span> <span class="na">HostedZoneId</span><span class="pi">:</span> <span class="s">Z2FDTNDATAQYW2</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">www.${DomainName}'</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">A</span> <span class="na">AliasTarget</span><span class="pi">:</span> <span class="na">DNSName</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">CloudFrontDistributionRedirect.DomainName</span> <span class="na">EvaluateTargetHealth</span><span class="pi">:</span> <span class="no">false</span> <span class="na">HostedZoneId</span><span class="pi">:</span> <span class="s">Z2FDTNDATAQYW2</span> </code></pre></div> <p>Please note that <code>HostedZoneId</code> doesn’t refer to your domain’s zone id, it a special zone id (<code>Z2FDTNDATAQYW2</code>) for an alias record which points to a CloudFront distribution.<br> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html">https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html</a></p> <h1> Full setup </h1> <p>You can find the full setup in this repository: <a href="https://github.com/Leonti/aws-static-website">https://github.com/Leonti/aws-static-website</a><br> It also includes an example deploy script:<br> </p> <div class="highlight"><pre class="highlight shell"><code>aws s3 <span class="nb">sync</span> <span class="nt">--delete</span> <span class="nt">--acl</span> <span class="s2">"public-read"</span> build s3://&lt;stack-name&gt;-root aws cloudfront create-invalidation <span class="nt">--distribution-id</span> &lt;distribution-id&gt; <span class="nt">--paths</span> <span class="s2">"/index.html"</span> </code></pre></div> <p>It will sync your files with s3 bucket and invalidate <code>index.html</code> which is the only file you need to invalidate when building a modern SPA.</p> aws cloudfront cloudformation spa