DEV Community: Marco Aguzzi

Got my AWS AI practitioner certification!

Marco Aguzzi — Thu, 04 Sep 2025 10:55:10 +0000

I wanted to have a more structured overview of AI, so I figured out I’d earn this certification

RSS to social integration - An example using Lambda, Python, and Amazon Translate

Marco Aguzzi — Mon, 21 Apr 2025 19:12:00 +0000

In this article we’ll explore a RSS to social (e.g. LinkedIn) integration using AWS Lambda with Python. We’ll use Amazon Translate to provide the content of the post in Italian for the social platform. The architecture will be defined via Terraform. We’ll proceed as follows:

Definition of the Lambda infrastructure in Terraform
- How Terraform manages python code
Python software components
- Production code
- Unit and integration test code
Integration examples
Upcoming improvements

Terraform infrastructure

This is the terraform scheme generated with terraform graph command plus some editing on the dot file to add some fancy graphics:

Let’s review the components:

resource blocks (solid lines)
- rss_to_linkedin main lambda function | main.tf
- python_deps lambda layer | main.tf
- rss_to_linkedin_role role for lambda permissions | iam.tf
- rss_to_linkedin_policy policy for lambda permissions. At the time of writing, only permissions to call Amazon Translate and store logs on Cloudwatch are granted | iam.tf
- rss_to_linkedin_policy_attachment link between role and policy | iam.tf
data blocks (dashed lines)
- python_src archive file for python source layer | data.tf
- python_deps archive file for python library | data.tf

Python source code in Terraform

Terraform manages python source code in the two archive_file data blocks python_src and python_deps. The first one is dedicated to the source of the lambda function. No particular setup is needed, just having .py files in the folder will do.

python_src data block

data "archive\_file" "python\_src" {
 type = "zip"
 source\_dir = "python\_src"
 output\_path = "target/python.zip"
}

The second archive_file is for python dependencies that will be used in the lambda layer

python_deps data block

data "archive\_file" "python\_deps" {
 type = "zip"
 source\_dir = "./python\_deps"
 output\_path = "./target/python\_deps.zip"
}

In this case the libraries that have been installed with pip install for the code to run locally must be installed in the folder python_deps in order to be zipped by the data block. The folder structure under python_deps must respect a peculiar path in order to be used then as a lambda layer. The path is reflected in the pip install command shown here with the target path (-t)

pip install -t python\_deps\python\lib\python3.13\site-packages\ requests feedparser beautifulsoup4 boto3

Both resources, rss_to_linkedin and lambda_deps, which reference their respective archive_file blocks, have the attribute source_code_hash defined in their blocks. These hashes tell terraform when it’s necessary to rebuild the zip files, that is the python code has changed or the installed libraries have changed.

Python sources

Before describing python sources in details, let’s review a scheme similar to the one in the previous article (An Oauth2 use case - Authenticating and posting articles with images via LinkedIn API (v. 202504)) but focused on components. The actual external calls (linkedin and boto3) have been omitted to favor simplicity

In the following paragraph, we’ll reference the numbers in the image above

Production code

main.py

The main lambda function. (1) It uses the package feedparser to parse the RSS link stored in the environment variable. It could have been also a parameter in the event payload, but this has been for the sake of simplicity. The latest entry from RSS is fetched in the first position of the item array. This is quite brutal, and it’s for sure the next improvement point. Next, the latest_entry object is converted into a result object with the fields that will be used later on. The resulting object starts with empty body and image, and then it scans the content sub-items to populate image and link attributes.

Once the post has been processed, it’s passed to the publish_to_profile function (2).

social_publish_linkedin.py

This component is responsible of prepare the post. It first hides the process of linkin the image to the content from the caller. It calls linkedin_media_share_manager prepare_media_for_post (3) to retrieve (9) the urn (registered by LinkedIn) of the image to be used inside the post.

It then prepares the text by: cleaning html via beautifulsoup4 library; translating it by calling Amazon Translate via boto3 client (10, 11). It then calls request_facade publish_to_profile method to actually post the content (12).

There are two more sub-steps in the cleaning phase that are not depicted in the graph:

the text must be escaped otherwise LinkedIn will cut off the text at the first special character like parenthesis (see below for the reference).
The text is placed into a template that adds a preview and a closing for the content such as “This is a new post” and “Continues on…”

Points 13 and 14 are simply the returns to the main caller

linkedin_media_share_manager.py

This component encapsulates the logic used by LinkedIn to use media in the posts. The steps masked by this component are:

Asking the request_facade for an upload URL and the URN to use for the media via method get_upload_url_urn (4, 5)
Download the image referenced on the RSS link to the local storage (6)
Uploading the image payload by calling request_facade upload_image (7, 8)
Returning its arn to be used in posting the content (9)

Please note that, as depicted in the diagram, if the image is not present in the post the whole “get the url and then upload” is not performed. The publish step will use the link to the post to embed an article in it.

requests_facade.py

This component masks requests body details from upper logic, such as API version changes (e.g. from LinkedIn ugcPost to 202504 api). It uses python requests library to do the http calls. We won’t go in the details of the calls because those have been addressed in the previous post

Libraries used in python

feedparser - Used for parsing the RSS feed into a json object
boto3 - Aws client used for connecting with aws translate
requests - Http client to do get, put, and post requests
beautifulsoup4 - Used to translate html tags such as headings, line breaks, and paragraphs into newlines

Test code

The code contains a stub (we can call it a mock in its literal sense) of unit and integration tests. This has made easy try the code prior to going live with the lambda otherwise troubleshooting would have been a real pain. A lot of nicer and poshier method would have been available, but those simple calls have done their job.

The command to run the test is (from the root of python source folder)

python -m unittest discover tests

Four tests are avaiable

test_remove_html_to_spaces and test_remove_html_preserve_links - these unit tests check that the cleaning of the html is as expected. It has an excerpt taken from the blog html and assert that newlines and spaces are correctly placed.
test_escape_special_chars - this unit test checks that special characters are correctly escaped
test_process_event - this is an integration test that actually calls the main entry point and run all the code util finally post to LinkedIn. It might be over the top, but it offers an instant check on the code against the final result

Integration samples

We can download the project on our machine and issue terraform init, terraform plan, and terraform apply to create the lambda. Environment variable can be passed using the syntax --var-file=file. The file should look like this (like the example on GitHub)

rss\_url = "your rss to parse"
access\_token = "access token taken from linkedin"
profile\_id = "profile id got from userInfo api"
# remember to use single quote if using powershell
message\_template = "some text before $translated\_text some text after"

Once the lambda is ready in AWS, we can invoke it from the cli:

aws lambda invoke --function-name arn:aws:lambda:us-east-1:2\*\*\*\*\*\*\*\*\*\*8:function:rss\_to\_linkedin

and its output will be

{
 "StatusCode": 200,
 "ExecutedVersion": "$LATEST"
}

What follows are two examples of actual posted content with screenshots and links

Content with link (article)

An example of content with link run against the AWS Blog

with RSS feed located here can be viewed on my Linkedin profile here

Content with image

An example of content with image run against the marcoaguzzi.it

with RSS feed located here can be viewed on my Linkedin profile here

Conclusions

This post has taken the knowledge gained the previous post and encapsulated in an AWS Lambda function. Next steps could be:

implement a mechanism to know if a post has already been posted on social media with a storage (e.g. DynamoDB)
schedule the lambda to be called within a certain frequence, like once or twice a day
better managing the difference between post with image and post with link
better unit and integration testing with proper mocks
remove RSS specific parameters from environment variable (otherwise we would have one lambda per RSS)

Thanks for the reading!

An Oauth2 use case - Authenticating and posting articles with images via LinkedIn API (v. 202504)

Marco Aguzzi — Sun, 20 Apr 2025 19:12:00 +0000

In this article we will do a review of all the steps needed for authenticating on Linkedin via its API, which rely on Oauth2 protocol. After authentication, we’ll use the API to post content with images. We’ll assume that the reader already has an active account on LinkedIn.

We’ll go in details will all the requests and responses needed for succeeding, and in each step we’ll provide a sequence diagram to better follow the process.

We’ll also refer to the last version of the LinkedIn API, which il 2025-04.

The content will be as follow:

Prerequisites before starting
Oauth2 in Action
Get the profile URN
Finally posting content

We have a LinkedIn account, what else do we need?

Let’s do a summary here:

a company page, needed for creating
an app on LinkedIn
Something capable to respond to a callback URL

A company page

In order to leverage Oauth2 protocol, a company page must be present on the profile we’ll use for posting the content.

Creating a page is quite simple, it’s free, and the mandatory information are really a few. I’ve created mine basically for technical purposes like the one of this post.

We can view the page at this link.

An app on LinkedIn developer

Once logged in onto our profile, go to developer.linkedin.com to create the app that will be between us and LinkedIn in order to grant permissions. Let’s review the app creation:

Other than the obvious name and logo (the privacy policy is not mandatory), the importand part is the company page linked to the app. We’ve put a red dot on the sentences that explain how developers, apps, and company page are regulated. Once created the app is listed like this:

Configuring the app

Let’s review the app configuration for Oauth2. This is the header we’ll be presented after creating the app:

Settings

It just shows the main information entered upon creation. We can skip the screenshot this time

Auth

This is the one that matters. It contains 3 boxes, which are

Application credentials

It is dedicated to Client ID and Client Primary secret, which are used for the authentication calls. We could do a screenshot here, but it would be all greyed out 🙂

OAuth 2.0 settings

Big stuff here. Let’s show the screenshot:

The box shows the time to live of the token (we’ll see how to have it in a minute), which is two months. Then it shows the address of the redirect urls that LinkedIn will use to send its code and state for the authentication process. Before seeing the details, let’s just say that:

The localhost address is something that will live on our PC, valid for testing purposes, and LinkedIn is completely fine about that.
The LinkedIn address has been automatically added by LinkedIn while using the procedure to manually create an authorization token via its web UI. Also this one is for testing purposes but it can come handy.

OAuth 2.0 scopes

Those are used used by LinkedIn to set boundaries for the actions. Some of them are required for posting, others for logging in. In the free tier, we can activate all the possible four options. The screenshot here will give explanation of all the cases:

Products

The products define what the app will do with LinkedIn: and our app need will “Share on Linkedin” and “OpenID Connect”

(A server for the) redirect URL

As we’ve seen above, we’ve configured redirect urls in the app, so we’ll need something to listen to those url and respond.

For this test, I’ve scraped down some python code from AI that just gets the job done. The code is meant to run on localhost, so there’s no need to make it available through some cloud. I’m putting the code in this gist in order to have the full picture to look at instead of leaving only two or three lines in between the text of this article. The pros of having something written from scratch is the possibility to see the actual calls going back and forth from LinkedIn and the local PC.

How should I run the server?

I’ve downloaded Python 3.13 and IDLE, a minimal Python shell, to run the python file on my PC. The code of the server requires some library installation, which can be done via pip install

Now we should have everything set up and ready to see

Oauth2 in action

Let’s start with a sequence diagram like the one below and follow the numbered steps.

(1) Authentication request

From local PC, issue the request with the client id, the scope(s), and the callback url. We can find all this information in the app. Let’s list them one by one:

client_id is taken from the app configuration
the redirect_uri (url encoded) http://localhost:3000/callback must match exactly one that’s registered in the app
the state is something that can range from a static string to whatever algorithm we like, and it can be used to counter CSRF attacks
the scope is the list of four ones we’ve seen above (w_member_social, profile, openid, email)

Authentication request

curl --location 'https://www.linkedin.com/oauth/v2/authorization?response\_type=code&client\_id=<client\_id>&redirect\_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&state=<state>&scope=w\_member\_social%2Cprofile%2Copenid%2Cemail' \
--header 'Content-Type: application/x-www-form-urlencoded'

(2) HTML form

LinkedIn will respond with an HTML containing the form for entering our credentials. We can issue the GET request in the browser and the HTML form contained in the response will render automatically, as shown here below

(3) Submit the form

Now we can insert login and password and submit the authentication form

(4) Redirect URL in action

If the login gets through, LinkedIn will call the redirect URL specified in call (1) and, of course, registered in the app. It will receive the status and the authorization code. The code listening on the redirect URL is in charge of validating the status, and checking if the call Is legitimate. It’s up to us to implement this step fully or just have a pass through. Let’s view the request from LinkedIn from IDLE logs

127.0.0.1 - - [17/Apr/2025 22:19:12] "GET /callback?code=<unique\_code\_from\_linkedin>&state=<arbitrary\_state> HTTP/1.1"

(5) Request for the authorization token.

Once the webhook has received the code from LinkedIn, it’s ready to issue the request for the authorization token with a post to the url

Issuing access token request

curl --location 'https://www.linkedin.com/oauth/v2/accessToken' \
--data '{
 "grant\_type": "authorization\_code",
 "code": <unique\_code\_from\_linkedin>,
 "redirect\_uri": "http://localhost:3000/callback",
 "client\_id": "<client\_id\_from\_app>", 
 "client\_secret": "<client\_secret\_from\_app>",
}'

(6) Response with authorization token

If successful, this can be used for subsequent calls to actually get stuff done. This token has a validity of two months and once expired should be renewed by redoing this same procedure. LinkedIn always requires a “manual” login before calling the api, we can also check in enterprise integration tools where we’ll be asked to enter our credentials to renew the token

Response with access token

{
"access\_token"': "[redacted]",
"expires\_in": 5183999,
"scope": "email,openid,profile,w\_member\_social",
"token\_type": "Bearer",
"id\_token": "[redacted]"
}

The answer contains: the access token, simply in the field access_token; the expiration time (60 days in seconds); the scopes we’ve entered before, the token type indicating that it will be used in header as Bearer <access_token>; a technical id. We’ll refer to the token from now on as <authorization_token>

(7) Calling post API

There are quite a few options for posting content on LinkedIn through API. The first choice is whether to use the person profile or the Company profile. We’ll explore the first option here.

Once the target has been chosen, there are three possibilities, each of them corresponding to the media option in the request

Share a text only
Share a text with (multi) image
Share a text with link to an article
Share a text with video

While text only and link cases resolve in a single call, for image (and media in general) things get quirkier. We’ll explore the image option. But, before being able to proceed, we’ll have to check for one last piece of information:

Who am I?

We need to know the URN of our profile in order to insert it in the subsequent calls. Once that this section is done, we’ll refer to it as <profile_urn>. Once given the authorization token, it’s a matter of a single call, ruled by the open_id scope, which had to be present in the oauth2 requests.

(1) userinfo request

Issuing userinfo request

curl --location 'https://api.linkedin.com/v2/userinfo' \
--header 'Content-Type: application/json' \
--header 'Authorization: <authorization\_token>' \

(2) userinfo response

Response with the profile urn

{
"sub": "---",
"email\_verified": true,
"name": "Name Surname",
"locale": {
"country": "US",
"language": "en"
},
"given\_name": "Name",
"family\_name": "Surname",
"email": "email",
"picture": "https://media.licdn.com/dms/image/v2/---"
}

The information we want to parse from this json is the “sub” attribute of the body, that has be concatenated into its urn like urn:li:person:---. This will be the <profile_urn>

Posting with images

_ Please note _ If we search on the internet abost posting with LinkedIn api, a lot of content will refer to ugcPost API, which is deprecated, and json bodies and responses are more convoluted.

Refer to this page. At the time of writing, last version is April 2025

Let’s review a sequence diagram here:

(1) Asking for the url to upload the image post

In this request we’re asking LinkedIn the address to use to upload our image and the URN that should be used when sharing the post at the end of the process

Asking the url for uploading the image

curl --location 'https://api.linkedin.com/rest/images?action=initializeUpload' \
--header 'Authorization: Bearer <authorization\_token>' \
--header 'LinkedIn-Version: 202504' \
--header 'X-RestLi-Protocol-Version: 2.0.0' \
--header 'Content-Type: application/json' \
--data '{
 "initializeUploadRequest": {
 "owner": "<profile\_urn>"
 }
}'

(2) The response with the upload url and the media urn:

Response with both the information

{
"value": {
"uploadUrlExpiresAt": 1745092254555,
"uploadUrl": "https://www.linkedin.com/dms-uploads/sp/v2/---/uploaded-image/---/0?ca=vector\_ads&cn=uploads&iri=B01-77&sync=0&v=beta&ut=---",
"image": "urn:li:image:---"
}
}

The releavent information is contained in two fields. We’ve redacted to --- unique codes generated by LinkedIn.

The upload url is in response["value"]["uploadUrl"], that is

https://www.linkedin.com/dms-uploads/sp/v2/---/uploaded-image/---/0?ca=vector\_ads&cn=uploads&iri=B01-77&sync=0&v=beta&ut=---

and the asset urn is in response["value"]["image"], that is urn:li:image:---. We’ll refer to this element as <media_urn> in subsequent API calls

(3) Upload the image

With this information we can issue the upload request with the actual image payload

Actual PUT with the image

curl --location --request PUT 'https://www.linkedin.com/dms-uploads/sp/v2/---/uploaded-image/---/0?ca=vector\_ads&cn=uploads&iri=B01-77&sync=0&v=beta&ut=---' \
--header 'Authorization: <authorization\_token>' \
--header 'Content-Type: image/webp' \
--data-binary '@kx\_V7l07P/file.webp'

(4) Upload image response

The response is just an acknowledge of the upload (201 created), we can just check for http errors

(5) Share the post

We’re finally ready to create the content, putting the authorization_token, profile_urn, and media_urn in the body of the posts API call

Finally creating content!

curl --location 'https://api.linkedin.com/rest/posts' \
--header 'Authorization: Bearer <authorization\_token>' \
--header 'X-Restli-Protocol-Version: 2.0.0' \
--header 'LinkedIn-Version: 202504' \
--header 'Content-Type: application/json' \
--data '{
 "author": "<profile\_urn>",
 "commentary": "test",
 "visibility": "PUBLIC",
 "distribution": {
 "feedDistribution": "MAIN\_FEED",
 "targetEntities": [],
 "thirdPartyDistributionChannels": []
 },
 "lifecycleState": "PUBLISHED",
 "isReshareDisabledByAuthor": false,
 "content": {
 "media": {
 "id": "<media\_urn>",
 "altText": "alt tags"
 }
 }
}'

(6) 201 Created

Once the post is published, the image will be displayed below the text, while the link will appear in a box below the text. Bear in mind that any link present in the text of the share will be automatically shortened by LinkedIn and left in its original position.

Conclusions and next steps

The process involves a lot of interactions, and there could be a lot more to talk about. To keep things simple, having the authorization token generated by the web UI is an option. Also using Postman in order to avoid writing the code that issues the requests.

Next steps could be automatically write the link in the first comment of the post, in order not to have it shortened, and introducing some automation in the process.

Thanks for reading till here!

Got my AWS solution architect certification!

Marco Aguzzi — Sat, 05 Apr 2025 14:58:34 +0000

It has been a while since last certification, so I felt that its natural next step was earning this one:

View credentials here

Got my Terraform certification!

Marco Aguzzi — Fri, 20 Sep 2024 19:00:00 +0000

Since I’m working a lot with terraform in my day-to-day job, I thought it was useful to earn a ceritication!

View credentials here

Domesticate AWS nested stacks in Java: doing the chores Cloudformation doesn't do (w/ code samples)

Marco Aguzzi — Tue, 07 May 2024 20:49:02 +0000

In this article we’ll navigate through the creation of a Nested Stack in Cloudformation using the Java SDK. The child stack will be a lambda function, and the code will be uploaded with a zip archive.

What’s Cloudformation, and what’s a nested stack?

Cloudformation is the AWS offering of infrastructure as code. Instead of navigating the web UI adding and configuring resources, Cloudformation offers the capability of reading a user - supplied file (either JSON or YAML) containing the list of resources and their relationships and create them as the code states.

These resources must be grouped in Stacks, which is the parentmost object that Cloudformation can process.

Things get interesting when stacks reference other stacks, of course :-)

A nested stack example

Doing this process with SDK, there are a couple of things that are not done automatically (or easier) than using the AWS CLI. Let’s get through them

Parent stack

Below there is the JSON for the parent stack. There is no specification that this is a stack (it’s written in the Description, but it’s arbitrary), because the command that will create the stack will ask first for a stack name to create (or update).

On the contrary, the child stack is explicitly declared as one of the resources with an AWS::CloudFormation::Stack type (line 7). Within the ChildStack element, the most important property is the TemplateURL (line 9), that points to the file (YAML in this case). The path is relative to the root template location.

Here’s the code:

Parent stack

{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Root stack",
 ...
"Resources": {
"ChildStack":{
"Type" : "AWS::CloudFormation::Stack",
"Properties": {
"TemplateURL":"child-folder/child-template.yaml",
 ...
}
},
"OtherResource": {
"Type": "ResourceType",
 ...
}
}
}

Let’s view the child stack:

Child stack

Also in this case there’s no particular reference to the fact that this is a child stack. The parent stack can pass parameters to the child stack via the parameter section, but that’s it.

Child stack

AWSTemplateFormatVersion: "2010-09-09"
Description: child stack
Parameters:
...
Resources:
LambdaEdge:
Properties:
Runtime: nodejs20.x
Handler: index.handler
Code:
S3Bucket:
...
S3Key: "example value"
Role: !GetAtt LambdaRoleForCF.Arn
Type: "AWS::Lambda::Function"
Outputs:
...

The lambda reference

On line 13, the template file references a S3 location there the zip file with the code must be found. So the zip file with the code must be uploaded in S3 before the creation of the parent stack is issued, otherwise the references won’t work. As it’s noted in the next section, the AWS CLI package command can resolve references like this, but it’s not present in the SDK.

Once that the zip file with the code is uploaded onto S3, the creation of the stack can proceed.

Creating the stack

Before creating the stack, the template file must be present on S3 in order to be pointed at by the create-stack command.

This is fine, but the template contains the child stack file path that references the local machine, which won’t never work from s3.

The solution for Cloudformation is packaging the stack.

Packaging the stack

Using the CLI

Via the CLI is quite easy: there’s a package command that

detects the substack reference
searches for the referenced file
uploads it on s3
changes the reference in the parent file

Java SDK

Unfortunately, the aws-cli package command is not available in Java SDK, so a manual approach must be taken.

Here’s the code from the S3 static website project (around line 44)

The code does the same stuff that the cli do:

templateSrcPath (line 3) contains the path to the local parent template
s3PathToReplace (line 9) contains the path to the child stack template already uploaded to S3
lines 4 to 11 cycle throught the parent template,
- searches for a resource with type AWS::CloudFormation::Stack
- replaces the TemplateURL attribute with the path of the template uploaded onto S3
Then it persist the file with the substitution onto a temporary folder. Using the SDK the template can be referenced from within the disk.

Template packaging

App.screenMessage("PACKAGE TEMPLATE START");
ObjectMapper objectMapper = new ObjectMapper();
JsonNode root = objectMapper.readTree(Utils.readFileContent(templateSrcPath)); 
Iterator<JsonNode> elements = root.get("Resources").elements();
while(elements.hasNext()) {
 JsonNode node = elements.next(); 
 if ("AWS::CloudFormation::Stack".equals(node.get("Type").asText())) {
JsonNode properties = node.get("Properties");
 ((ObjectNode)properties).put("TemplateURL", s3PathToReplace);
 }
};
File file = File.createTempFile(new SimpleDateFormat("yyyyMMddHHmmss").format(new Date()),"\_compiled\_template.json");
objectMapper.writeValue(file, root);
App.screenMessage("PACKAGE TEMPLATE END");

Once that the template on the disk has all of its references ready, the CreateStack api can be called and the stack will be created along with all of its resources.

Improvements and what’s next

The actual CLI package command does not only resolve nested stack references, but also lambda code (as it has been shown) and a bunch of other stuff (as stated here).

There are two major improvements to the code for the package section

also discover other type of references (like lambda code)
automatically upload the referenced path to s3 without actually asking for it in the input parameters

If you’d like to browse to the full code here, please give it a go!

Please stop publishing AWS S3 buckets as static websites! Read here for a secure, fast, and free-ish approach [1st episode]

Marco Aguzzi — Mon, 06 May 2024 09:30:32 +0000

I promise this is not yet another tutorial on how to publish a static website using AWS S3, or at least not solely smashing the S3 content onto the web. I’d like to show you a GitHub project that uses Java to orchestrate Cloudformation when deploying the architecture of a static website.

The main purpose of this tool is going beyond the S3 out of the box website functionality, that is:

Make the S3 bucket private (so, secure )
Provide HTTPS certificates ( secure, again)
Serve the content via cloudfront cache (so, fast )
Hide the complexities of working with Cloudformation

I’m in for fast and secure, but free…ish?

Not all the resources that need to be fired up for this architecture are within the AWS free tier, expecially the domain. Nevertheless, all the costs that I’ve seen after this website was published were only live costs. Let’s review them from the most to the least expensive:

The domain: 20€ / year if hosted on Route53 (as marcoaguzzi.it) but you can host it elsewere (on cloudns, and it’s free)
Route53 and Codepipeline: 1€ / month each. It’s one for the hosted zone and one for the pipeline. The pipeline comes with a good amount of free build / minutes
Secret manager: less than 0.5€ / month (there’s a grace period when started)
Cloudfront and S3: 0.01€ / month each

Of course these are starting costs, they can go a lot higher as the usage increase, but it should be a welcomed issue, I suppose

Hide the complexities of Cloudformation

Cloudformation migth be a burden to use, especially within the web UI. These are the main issue I addressed in the project:

Have a self - contained architecture
Be repeatable. Could it deploy the same architecture on another domain?
Ease the deploy process, especially when the domain is not hosted on Route53
The nested stacks are not automatically resolved by Cloudformation

The Java tool to the rescue

While experimenting with Java and Gradle, I wondered if I could use Java to mitigate the problems listed above by orchestrating the instructions that Cloudformation needs in order to deploy the website. This turned out as a Github project: https://github.com/maguzzi/s3_static_website_gradle. The Gradle build creates a distributable archive with all the needed jars.

How to use the project

After the packaged app has been downloaded, what’s needed to run?

Java 8+
An AWS account, with authentication in place. As of now, I’ve tested it with having ACCCESS_KEY and ACCESS_SECRET as enviornment variables locally. If those are not found, the tool stops.
A dns domain. Let’s use a free service: s3staticwebsitetest.cloudns.ch
A config file named website.properties containing the website information, like this:

name = Fast, secure, free-ish S3 static website
environment = dev
domain = dev.s3staticwebsitetest.cloudns.ch

Tool commands

Let’s set the LOG_LEVEL to INFO in order not to clog the shell, and check the existing stack in our AWS account:

DISTRIBUTION

Expecting the aws account still without this infrastructure, this is the first command to run:

java -jar s3\_static\_website\_gradle-all.jar DISTRIBUTION

Here’s the output:

2024-05-01T14:14:16 [main] INFO - AWS\_REGION: us-east-1
2024-05-01T14:14:16 [main] INFO - AWS\_ACCESS\_KEY\_ID: AKIA\*\*\*\*
2024-05-01T14:14:16 [main] INFO - AWS\_SECRET: \*\*\*\*\*
2024-05-01T14:14:16 [main] INFO - AWS setup done.
2024-05-01T14:14:17 [main] INFO - reading content from file: /home/maguzzi/demo/./website.properties
2024-05-01T14:14:17 [main] INFO - Command: DISTRIBUTION environment: dev
2024-05-01T14:14:17 [main] WARN - .websitesetup file does not exists. Creating
2024-05-01T14:14:17 [main] INFO - reading content from file: /home/maguzzi/demo/./.websitesetup
2024-05-01T14:14:17 [main] INFO - Setup new pseudoRandomTimestampString to 20240501141417491
2024-05-01T14:14:17 [main] INFO - Setup new zipDate to 20240501
2024-05-01T14:14:17 [main] INFO - 
2024-05-01T14:14:17 [main] INFO - -- s3-static-website-bootstrap-stack - dev CREATION START --
2024-05-01T14:14:17 [main] INFO - 
2024-05-01T14:14:17 [main] INFO - reading content from jar: jar:file:/home/maguzzi/demo/s3\_static\_website\_gradle-all.jar!/bootstrap/bootstrap.json
2024-05-01T14:14:18 [main] INFO - Stack s3-static-website-bootstrap-stack-dev not yet completed, wait
2024-05-01T14:14:23 [main] INFO - Stack s3-static-website-bootstrap-stack-dev not yet completed, wait
...

It states:

The environment variable for the AWS configuration are in place
The website.properties file is in place
The .websitesetup file does not exist, and is created at run time.

pseudoRandomTimestampString is used to have unique names for the s3 buckets, while zipDate to identify the artifact for the lambda.

Now the bootstrap stack is being created, so that the S3 buckets will be in place when needed for:

packaging the templates
upload the lambda artifact
host the website content

The last two lines state that the tool is waiting for the completion of the bootstrap stack.

Once that the first stack has been successfully created, the tool states it and outputs the export key for the s3 buckets that will be needed in the distribution stacks:

Stack creation for stack id arn:aws:cloudformation:us-east-1:\*\*\*\*:stack/s3-static-website-bootstrap-stack-dev/\*\*\*\*\* terminated.
2024-05-01T14:14:54 [main] INFO - 
2024-05-01T14:14:54 [main] INFO - -- s3-static-website-bootstrap-stack - dev CREATION END --
2024-05-01T14:14:54 [main] INFO - 
2024-05-01T14:14:54 [main] INFO - ArtifactS3Bucket -> s3-static-website-lambda-artifact-dev-20240501141417491 (s3-static-website-bootstrap-stack-dev-LambdaArtifactBucket-Export-dev)
2024-05-01T14:14:54 [main] INFO - CompiledTemplateBucket -> s3-static-website-compiled-template-dev-20240501141417491 (s3-static-website-bootstrap-stack-dev-CompiledTemplateBucket-Export-dev)

It then continues to prepare the files that will be needed for the distribution stack (let’s view a trimmed version of the log):

2024-05-01T14:14:54 [main] INFO - -- ZIP ARTIFACT START --
...
2024-05-01T14:14:54 [main] INFO - -- ZIP ARTIFACT END --
2024-05-01T14:14:54 [main] INFO - 
2024-05-01T14:14:54 [main] INFO - ARTIFACT\_COMPRESSED\_PATH -> /tmp/cloudformation\_tmp10381003167251864437/lambda-edge-dev-20240501.zip (-)
...
2024-05-01T14:14:54 [main] INFO - -- UPLOAD FILE TO BUCKET START --
...
2024-05-01T14:14:55 [main] INFO - URL: https://s3-static-website-lambda-artifact-dev-20240501141417491.s3.amazonaws.com/lambda-edge-dev-20240501.zip
2024-05-01T14:14:55 [main] INFO - -- UPLOAD FILE TO BUCKET END --
...
2024-05-01T14:14:56 [main] INFO - -- PACKAGE TEMPLATE START --
2024-05-01T14:14:56 [main] INFO - reading content from jar: jar:file:/home/maguzzi/demo/s3\_static\_website\_gradle-all.jar!/distribution/website-distribution.json
2024-05-01T14:14:56 [main] INFO - -- PACKAGE TEMPLATE END --
2024-05-01T14:14:56 [main] INFO - 
...
2024-05-01T14:14:56 [main] INFO - -- s3-static-website-distribution-stack - dev CREATION START --
2024-05-01T14:14:56 [main] INFO - 
2024-05-01T14:14:56 [main] INFO - reading content from file: /tmp/202405011414567687239912532179902\_compiled\_template.json
2024-05-01T14:14:56 [main] INFO - 
2024-05-01T14:14:56 [main] INFO - -- s3-static-website-distribution-stack - dev CREATION END --
2024-05-01T14:14:56 [main] INFO -

In the log it can be seen that zip files for artifacts are loaded onto S3, and then the template with the sub-stack reference is packaged and put into a temporary folder before the create-stack command is issued.

DNS_INFO

Since we’re using a free domain, the tool stops here because cloudformation can’t complete its creation without configuring the domain provider (cloudns in this case). So let’s check the DNS information that has to be provided to the cloudns:

java -jar s3\_static\_website\_gradle-all.jar DNS\_INFO dns-info.txt

and the output:

2024-05-01T14:15:39 [main] INFO - AWS\_REGION: us-east-1
2024-05-01T14:15:39 [main] INFO - AWS\_ACCESS\_KEY\_ID: AK\*\*\*\*\*\*\*\*
2024-05-01T14:15:39 [main] INFO - AWS\_SECRET: \*\*\*\*\*
2024-05-01T14:15:39 [main] INFO - AWS setup done.
2024-05-01T14:15:40 [main] INFO - reading content from file: /home/maguzzi/demo/./website.properties
2024-05-01T14:15:40 [main] INFO - Command: DNS\_INFO environment: dev
2024-05-01T14:15:40 [main] INFO - reading content from file: /home/maguzzi/demo/./.websitesetup
2024-05-01T14:15:40 [main] INFO - PseudoRandomTimestampString already set to 20240501141417491
2024-05-01T14:15:40 [main] INFO - ZipDate already set to 20240501
2024-05-01T14:15:40 [main] INFO - 
2024-05-01T14:15:40 [main] INFO - -- ROUTE 53 INFO START --
2024-05-01T14:15:40 [main] INFO - 
2024-05-01T14:15:41 [main] INFO - Got hosted zone Id Optional[Z\*\*\*\*\*\*] for stack s3-static-website-distribution-stack-dev
2024-05-01T14:15:41 [main] INFO - hostedZoneId: Optional[Z\*\*\*\*\*]
2024-05-01T14:15:41 [main] INFO - Name: dev.s3staticwebsitetest.cloudns.ch. TTL: 172800
2024-05-01T14:15:41 [main] INFO - ns-1333.awsdns-38.org.
2024-05-01T14:15:41 [main] INFO - ns-1572.awsdns-04.co.uk.
2024-05-01T14:15:41 [main] INFO - ns-844.awsdns-41.net.
2024-05-01T14:15:41 [main] INFO - ns-458.awsdns-57.com.
2024-05-01T14:15:41 [main] INFO - 
2024-05-01T14:15:41 [main] INFO - -- ROUTE 53 INFO END --
2024-05-01T14:15:41 [main] INFO -

The tool conventiently outputs the DNS information (last 4 lines) in the file dns-info.txt (as specified on the command line).

It can be uploaded as-is on the cloudns web ui.

CHECK

Once that the DNS provider has propagated the DNS records provided by AWS, the tool can be started again to check if the distribution stack has been completed.

java -jar s3\_static\_website\_gradle-all.jar CHECK

The output is pretty straightforward:

2024-05-01T14:24:11 [main] INFO - AWS\_REGION: us-east-1
2024-05-01T14:24:11 [main] INFO - AWS\_ACCESS\_KEY\_ID: AKIA\*\*\*\*\*\*\*\*
2024-05-01T14:24:11 [main] INFO - AWS\_SECRET: \*\*\*\*\*
2024-05-01T14:24:11 [main] INFO - AWS setup done.
2024-05-01T14:24:12 [main] INFO - reading content from file: /home/maguzzi/demo/./website.properties
2024-05-01T14:24:12 [main] INFO - Command: CHECK environment: dev
2024-05-01T14:24:13 [main] INFO - Stack s3-static-website-distribution-stack-dev not yet completed, wait
...
2024-05-01T14:26:32 [main] INFO - Stack s3-static-website-distribution-stack-dev not yet completed, wait
2024-05-01T14:26:42 [main] INFO - Stack creation for stack id arn:aws:cloudformation:us-east-1:\*\*\*\*:stack/s3-static-website-distribution-stack-dev/\*\*\*\*\*\* terminated.

LIST

Now we can list the stacks that have been created, along with their tags. As you can see, the random string that has been setup in the beginning has been propagated onto all the stacks, along with the S3 buckets and all the taggable resources.

java -jar s3\_static\_website\_gradle-all.jar LIST

Here’s the output:

2024-05-01T14:29:59 [main] INFO - AWS\_REGION: us-east-1
2024-05-01T14:29:59 [main] INFO - AWS\_ACCESS\_KEY\_ID: AKIA\*\*\*\*\*
2024-05-01T14:29:59 [main] INFO - AWS\_SECRET: \*\*\*\*\*
2024-05-01T14:29:59 [main] INFO - AWS setup done.
2024-05-01T14:30:00 [main] INFO - reading content from file: /home/maguzzi/demo/./website.properties
2024-05-01T14:30:00 [main] INFO - Command: LIST environment: dev
2024-05-01T14:30:00 [main] INFO - reading content from file: /home/maguzzi/demo/./.websitesetup
2024-05-01T14:30:00 [main] INFO - PseudoRandomTimestampString already set to 20240501141417491
2024-05-01T14:30:00 [main] INFO - ZipDate already set to 20240501
2024-05-01T14:30:00 [main] INFO - 
2024-05-01T14:30:00 [main] INFO - -- LIST STACK START --
2024-05-01T14:30:00 [main] INFO - 
2024-05-01T14:30:01 [main] INFO - s3-static-website-distribution-stack-dev-LambdaEdgeCloudFrontStack-FZ\*\*\*\*\*\* (CREATE\_COMPLETE) - [Tag(Key=s3\_static\_website\_environment, Value=dev), Tag(Key=s3\_static\_website, Value=S3 static website test), Tag(Key=s3\_static\_website\_timestamp\_tag, Value=20240501141417491)]
2024-05-01T14:30:01 [main] INFO - s3-static-website-distribution-stack-dev (CREATE\_COMPLETE) - [Tag(Key=s3\_static\_website\_environment, Value=dev), Tag(Key=s3\_static\_website, Value=S3 static website test), Tag(Key=s3\_static\_website\_timestamp\_tag, Value=20240501141417491)]
2024-05-01T14:30:01 [main] INFO - s3-static-website-bootstrap-stack-dev (CREATE\_COMPLETE) - [Tag(Key=s3\_static\_website\_environment, Value=dev), Tag(Key=s3\_static\_website, Value=S3 static website test), Tag(Key=s3\_static\_website\_timestamp\_tag, Value=20240501141417491)]
2024-05-01T14:30:02 [main] INFO - 
2024-05-01T14:30:02 [main] INFO - -- LIST STACK END --
2024-05-01T14:30:02 [main] INFO -

At this point, the website has no content. The only thing left to do is to upload a random index.html on the S3 bucket to see if all the process worked fine. I’ve let the step out of the tool because the website content is intented to be created and uploaded by a pipeline.

You can catch the random string of the s3 bucket in the log:

aws s3 cp index.html s3 bucket

And then you can point the browser to http://dev.s3staticwebsitetest.cloudns.ch and see that it worked!

What’s next?

In the next post, we’ll integrate the CICD pipeline that uploads the website content, along with some consideration about how to delete the stack without using the UI. Cloudformation and Cloudfront force some contraints on how the resources should be deleted, so it’s worth spending some time on it.

Update Github token in Codepipeline with Cloudformation

Marco Aguzzi — Mon, 25 Mar 2024 18:12:32 +0000

The use case

This post comes from the fact that the token used by Codepipeline to connect to Github to download the source code of the website has expired. Hence, the automation “push and update the website” is not working. Here’s the error:

Let’s view how the secret is stored into cloudformation, and how codepipeline can connect.

The secret stack

The cloudformation stack is quite easy. It does not have any hard dependency on other stacks, and it’s used both to download code for dev and prod website.

{
 "AWSTemplateFormatVersion": "2010-09-09",
 "Parameters": {
 "GithubOAuthTokenParameter": {
 "Description": "Github OAuth Token",
 "NoEcho": "true",
 "Type": "String"
 }
 },
 "Resources": {
 "GithubOAuthToken": {
 "Properties": {
 "Name": "GithubOAuthToken",
 "SecretString": {
 "Ref": "GithubOAuthTokenParameter"
 }
 },
 "Type": "AWS::SecretsManager::Secret"
 }
 }
}

The next part of the post is dedicated on how to create and use this cloudformation template

Create stack

aws cloudformation create-stack --stack-name secrets-stack `
--template-body file://secrets-stack.json `
--parameters file://secret-token-sample.json

The secret-stacks.json refers to the code just shown before, and the secret-token-sample.json file is written with the parameter syntax. Here’s a sample:

[
 {
 "ParameterKey": "GithubOAuthTokenParameter",
 "ParameterValue": "sample value",
 "UsePreviousValue": false
 }
]

Check stack resources

aws cloudformation list-stack-resources `
--stack-name secrets-stack `
--query 'StackResourceSummaries[\*].[LogicalResourceId,ResourceType,ResourceStatus]'

The output is quite straightforward (the stack was already created when I re-ran the command)

[
 [
 "GithubOAuthToken",
 "AWS::SecretsManager::Secret",
 "UPDATE\_COMPLETE"
 ]
]

This is how the resource appears in AWS ui, once created (the output of the CLI is just the ARN of the stack).

The actual value (the one that’s expired) of the token can be viewed by clicking on the retrieve secret value button. Time to move to Github and generate the new token

Github account setting

While logged in into the Github profile where the repository with the code is kept, go to settings page, and then move to developer settings. Click on “fine grained tokens”:

Clicking on AWS CP shows the token settings. It can be seen that it grants read-only access to one repository and no user permission. Of course the actual key cannot be seen anymore, it’s only possible to regenerate it.

Click on regenerate token

Confirm the token regeneration. The token will be visile only for it to be copied

Cloudformation update

Now that the token is in our hands, we can update the cloudformation stack by putting the token in the place of “sample value” shown before and then issuing

aws cloudformation update-stack --stack-name secrets-stack `
--template-body file://secrets-stack.json `
--parameters file://secret-token-sample.json

Let’s check the stack after the update

Check stack

aws cloudformation describe-stacks --stack-name secrets-stack `
--query '[Stacks[0].[StackName,StackStatus,Parameters],Stacks[0].Outputs]'

Output

The null value is because there are no outputs to be used by other stacks. Please note that in the template file GithubOAuthTokenParameter is reported as “NoEcho”: “true”. In this way the real token won’t be shown neither in output logs nor in the Cloudformation ui.

[
 [
 "secrets-stack",
 "UPDATE\_COMPLETE",
 [
 {
 "ParameterKey": "GithubOAuthTokenParameter",
 "ParameterValue": "\*\*\*\*"
 }
 ]
 ],
 null
]

The token is then actually used in code pipeline

And the cloudformation code hosting the reference to the token is:

"Configuration": {
 "Branch": { "Ref": "RepoBranchParameter" },
 "OAuthToken": "{{resolve:secretsmanager:GithubOAuthToken}}",
 "Owner": {"Ref":"RepoOwnerParameter" },
 ...
},

Refresh and restart the pipeline

Navigate the AWS UI in Codepipelines, select the pipeline, click edit pipeline:

Search for the button “Edit stage” on the source stage:

Click it, and then search for the pencil in the “Github download” box:

Even if repository and branch are selected, click on “Connect to Github”

A pop-up will appear asking the oauth confirmation, click it

Insert repository and branch in their respective fields (a popup should appear, letting you select)

Scroll to the bottom of the page and click done to save (actually refresh) the changes. Now you can trigger a new pipeline and it should connect with the repo and dowload the code.

Next time I’ll check how to automate the pipeline refresh via clouformation CLI.

Thanks for reading it all!

AI to revamp your resume: is it a paid tool worth?

Marco Aguzzi — Mon, 05 Feb 2024 18:14:25 +0000

Overview

After reading a Linkedin Top Voice post, I got curious about her suggestion of using an AI tool to help revamping the resume. The website is called https://resumeworded.com/.

The website offers three main services:

Resume check - It analyzes the CV and produces a score and recommendations about it
LinkedIn profile check - Same as the resume, but with the LinkedIn profile
Resume targeting - Given a job description, it tells how far the resume is from it

This post is about my experience with it.

Free vs. paid versions

For each voice, there is a free and a paid version. The former offers the most basic checks, while the latter dives a lot deeper in the analysis.

I first played aroud with the free offer, and then decided to buy a one month subscription for the full version, to give it a proper try (full details on costs in the conclusions).

Check deep dive

Let’s dive into all the available checks.

If you’re interested in the conclusions you can skip this section, but you’ll miss all the differences between paid and free version. In order to give an order of magnitude, I’ve hid the paid checks behind a clickable dropdown.

Click on Read more for the full details

and a shortcut to conclusions.

Resume check

Along with uploading the resume, the website asks the seniority level to be checked against: Junior, Mid or Senior. From what I’ve experienced, this affects how the different sections of the resume (or linkedin profile) should weight respect to each other.

Impact

Quantifying impact - It basically searches for any number that can be put in the resume, in order to favour a quantitative over qualitative approach.
Repetition - This step encourages the applicant in removing repeated words. #Expand to view the 4 paid only checks
Weak verbs - Checks for phrases like “responsibile for” or “assisted” that reduce the impact.
Verb tenses - Checks if verbs are in the correct tense, so 1st person instead of 2nd or 3rd, and simple past instead of present continuous.
Responsibilities - Checks if the candidate words are more focused on responsibility than accomplishments (e.g. managed x people is better than responsible for).
Spelling and consistency - Checks for spelling errors or inconsistencies like always using British or American English.

Brevity

Length - Checks for resume lenght. For a senior profile 1 - 2 pages are fine.
Use of bullets - Bullet lists are deemed more effective than paragraphs.
Total bullets - For senior positions, 12 - 32 bullet points seems to an effective count. #Expand to view the 2 paid only checks
Bullet length - Each bullet point shoud be between 10 to 30 words.
Filler words - Adejctive and adverbs (filler words) should be replaced by numbers.

Style

Buzzword - Checks for words that don’t add any value, such as “good team player”, “strong leadership”.
Dates - Checks if the resume displays all the dates consistently.
Contact and personal details - Checks if the resume is not disclosing any unwanted information, such as date of birth or race.
Readability - Checks if sentences are not involuted, too long, in passive voice. Sections should be easy to find with the proper keyword. #Expand to view the 3 paid only checks
Personal Pronouns - Checks for personal pronouns, which should be avoided.
Active voice - Checks for use of passive voice, whereas active voice should be preferred.
Consistency - Consistency checks. For instance, it checks wheter bullet points are always ending with a dot, or don’t.

Sections

Summary - Checks for a summary section presence. If found, it checks for correct lenght. In the paid version, it also shows buzzword and effectiveness checks.
Education - Checks for an eduction section presence. If found, it checks if it is relevant to the candidate seniority level.
Unnecessary section - Checks for references and objecive section, which are deemed irrelevant. For a senior level resume, also hobbies and interests should be removed.
Skills - Checks for skills section presence. Soft skills are all for paying users.

Skills

Soft skills

Expand to view the 5 soft skills paid only checks

These checks are all about finding sentences about what the candidate did in his / her experiences.

Communication - Presented something or lectured about something.
Leadership - Led or coached a team, took initiative.
Analytical - Worked with numbers, designed new processes.
Teamwork - Coordinated with different departments, worked in team.
Drive - More or less same checks about Leadership.

Hard skills

This section searches for the presence of keywords that should be on the resume, for instance Java on mine.

Tools

Line Analysis - Each line is examined with the criteria as above and it can be rewritten as bullet point.
Magic write - This asks the AI to rewrite the sentences. It can be used also in a “freestyle” mode, that is, the suggestion is then editable in a free text box. It is subjected to a credit scheme. There are also “Samples from top resumes”, but it’s an hard task to merge superhero sentences in a standard resume.
Sample bullets - As the magic write, more oriented to bullets.
Action verbs - List of synonims to choose from for an higher impact.

Linkedin profile check

In this case I’m instructed to export my linkedin profile in a PDF file (using the standard export function that Linkedin offers), and then upload it on the tool. Here’s a list of what gets checked:

Headline

Headline length - This is a word count. It seems that 20 words and 168 characters are a good fit.
Reduntant words - No repeated words
Hard skills - Keyword match against their database of skills to use in the profile #Expand to view the 6 paid only checks
Job titles - Job title should be present. In my case Java Developer was deemed fine.
Language overuse - Checks for repetitions of job titles.
Boastful language - Checks for overconfident terms.
Special characters - Cheks if emojis have been overused.
Buzzwords and clichés - Checks for vaporware words such as: “motivated”, “team player” or “hardworking”.
Spelling - This checks does not affect the resume score, otherwise it would be a nigthmare, especially in tech resumes with all the languages and protocols and whatnots.

Summary

Summary length - This is a word count. It seems that 200 - 300 words are a good fit.
Use of special characters - Icons and emojs are fun, but should not be overused. This is what the check is about.
Hard skills - Same checks as in the hard skills section in the headline. #Expand to view the 9 paid only checks
Call to action - Checks if a CTA is present, such as Feel free to reach me out on…
Readability - Checks for complex sentences, which might affect the engagement.
Buzzwords and clichés - Checks for vaporware words such as: “motivated”, “team player” or “hardworking”.
Use of metrics - Checks for measurable item, such as “10+ years” or “data throughtput 100K/day”.
Active voice - Checks for passive voice sentences, which affect readability.
Sentiment analysis - Check for a positive tone of the summary
Tense - Cheks for sentences in 2nd or 3rd person, which should be avoided in favour of 1st person sentences.
Spelling - Checks the spelling as in the headline.
Special characters - Cheks if emojis have been overused.

Experience

For each experience that shows up in the profile, these checks are performed:

Hard skills - Same checks as in the hard skills section in the headline.
Specific job title - This one can be tricky, because titles as “Senior consultant” or “Java developer” are considered too vague. Two examples of how I’ve pleased the algorithm:
- Senior Java backend web developer | Unicredit | SGSS Italia (this was some years ago in consultancy)
- Java / Scala backend application and integration developer (this is my current position) #Expand to view the 8 paid only checks
Work description details - Checks for keywords and if the work description is 50+ words long
Recruiter red flag and unemployment indicators - Checks if the experience is, for example, a “planned career break”
Quantified impact - Checks for measurable item, such as “10+ years” or “data throughtput 100K/day”.
Weak language - Checks for phrases like “responsibile for” or “assisted” that reduce the impact
Spelling - This checks does not affect the resume score, otherwise it would be a nigthmare, especially in tech resumes with all the languages and protocols and whatnots.
Active voice - Checks for passive voice sentences, which affect readability.
Special characters - Cheks if emojis have been overused.
Buzzwords & clichés - Checks for vaporware words such as: “motivated”, “team player” or “hardworking”.

Education

This section checks if the education inserted matches the experience with keywords, if the dates, when not too in the past (+15 years), are reported or if there’s some reference to joining an Alumni group.

Other

Checks about other nice to have’s:

Custom profile URL
Honors and awards
Location is present
Certification section
Professional profile photo
Skills section

Keywords to Add

This section is about suggestions on keywords that can be added to the LinkedIn profile. The free version has a lot less suggestions than the paid one.

Keyword analysis

Paying users only - This tool rank the keywords found in the profile based on their placement (header, summary…).

Networking

Paying users only - Here there are listed some example of messages a user might want to send on LinkedIn for networking purpose.

Resume targeting

Given a job description, it tells you how much your CV matches it based on found keywords.

What I liked

I’ve been given a lot of ideas and suggestions navigating trought the various sections of the websites. I had some doubts on my resume and those have been cleared out (spoiler: if you think that’s a bad idea, yes, it is).
The checks are repeated through the various sections, and also that helps the overall consistence.
Going through keywords and metrics can be exhausting, but forces the resume writer to squeeze the experiences and present them in the most effective way. I’m stating this point also in the “I did not like” section below because I think it’s the other side of the coin.
I think that the LinkedIn profile analysis is the section that delivers the most value. Probably having a fixed structure to start with helps the tool a lot in categorizing the information.

What I did not like

There are no multiple versions of resumes (not even for paying users). It would have been nice if more than one resume versions were allowed, for example, a longer and a shorter version.
The free version only allows two uploads of the resume. Basically the resume should be all adjusted on the first attempt.
A lot of typos where tech keywords.
The keyword based checks are too rigid, sometimes it seems that only the exact match will let you score the point for the analysis. This is especially true in the resume targeting section. Also, the call to action search went through only when I used the keywords found in corresponding suggestion section.
The tool just craves for numbers too much. Software development metrics are a lot of times different from business ones, and it’s difficult to directly link a feature release with revenues. Most of the times these are subjects for different divisions.

Conclusions

I think that there is a lot of difference between the paid and the free versions, and 40$ a month (it gets cheaper if invoiced quarterly or yearly) is indeed quite expensive. Nowadays ATS scan resumes and it’s important to give the algorithm what the algorithm wants. Tools like this provide great help in tuning the CV for this. It’s always interesting to compare what have been done with a benchmark of some kind, be it a colleague or an automated system. As of today, I payed a one month subscription and I’m keeping it only till the end of the month.

I recommed everyone to give a try to the free version. If interested, go for a one month subscription to leverage all the possibile checks.

I’ll be more than happy to know your thoughts!

A new AWS account: leave ROOT user and look out for expenses

Marco Aguzzi — Tue, 16 Jan 2024 09:15:02 +0000

Congrats! you’ve just opened a brand new AWS account. What now? Beside getting rid of the root account, the second most wise action to do before doing anything is setting some control for bills.

I’m writing this post because some months ago I incurred in a 20 - something dollar bill from AWS for one of the accounts I opened in order to do some exercises. The account hadn’t much going on, but I left a disconnected elastic IP on for about a week… thus the mishap.

So let’s see what I’d love to have done in that situation, of course along with the respective Cloudformation templates.

Activate cost explorer

While being with the root account, you might want to turn cost explorer on. You can do it from two places: in the main UI you should see a box with “Cost and usage”, and at its center a button stating “Turn on cost explorer”

Or you can go in the upper left corner of the webpage, open the dropdown of the account by clicking on it, and go to “Billing and cost management from there”

A little wait

The AWS cost explorer needs more or less 24 hours to set up itself and start collecting spending data. Because of this, even with a root account you might see an “access denied” on the cost explorer UI once activated.

While waiting for AWS to set up its data, you can create a new admin user that you will use to manage the account and view the bills

Create a new IAM user

I’ll go quick over this procedure, since there are a lot of step by step tutorials out there.

Log in into root account and, using the search bar on the top left of the webpage, search for IAM. There will be a bunch of warning such as: “your root account does not have MFA enabled”, let’s skip those. Search for “Users” and, on the page you’ll be directed to, click on “Create user”. You’ll get to a page like this one:

Be sure to flag “Provide user access to the AWS Management Console - optional“. This will trigger some other warnings about how users are created. Since this user will be an administrator and will be used also for creating cloudformation stack later, we’ll skip those. I’m specifying the password on creation and unflag the “ask password on login” for simplicity.

Next, let’s give our newly created user the administrator powers. To do so, AWS already provides a policy that can be attached directly to the user that basically states “can do anything on any resource”. Below is the policy choice:

After linking the policy to the user, we have now an admin account that has all the power we need without being the root account. However, if we login with this user and search for Cost explorer, we’ll still see “access denied”, as shown below:

So, it’s time to log back with the root account (for the last time) and enable IAM cost control.

Enable IAM cost control

While logged in as the root user, search for “account” settings in the user menu on the top right of the page:

Scroll down on the page and search for “IAM user and role access to Billing information”:

Click on the edit button and activate it. Now you can get back to the admin user and, if you were being logged in another browser, hit refresh and you should see the cost explorer enabled, stating a reassuring 0 USD expenses.

You can now go to billing and cost management and search for the cost monitor. As expected both budget and monitor require setup. Below is what you should see before configuring both. Please note two things:

Depending on when you create the account, you can see a default cost monitor already setup, with 100 USD and 40% usage thresholds
You should still see an “access denied” below the “Total forecasted month costs”, but that’s fine, it’s only because the account has just been created.

After some time, the cost explorer preview in the home page should look like this:

As you can see, the costs are split by service and by month, and it should be clear which is the service spending more money. Now let’s get to Cloudformation.

Create Budget and Monitor

The Cloudformation file that is going to setup budget and monitor is quite simple. I’m showing the whole file first, and then I’ll get to the highlights.

Here it is what to expect after running the CloudFormation template:

Parameter section

This stack will have one input parameter: the email address were we want to send the notifications when eventually the budget or the monitor will hit the thresholds. That will go from line 3 to 8. The same email address will be used both for the budget and the monitor.

The budget

The whole section goes from line 11 to line 41. The resource type is AWS:Budgets:Budget. Some info about the properties:

Budget: You’ll have the BudgetLimit, with the amount and the unit. Even after switching my billings to EUR, the only accepted value seems to be USD. Anyway, it’s stating that the expenses should not exceed 6 bucks
TimeUnit: Here we’re saying 6 bucks a month, max
BudgetType: Just COST here. Other values would have pointed to usage or reserved instance usage, or saving plans. We’re not doing anything that fancy here
NotificationsWithSubscribers: Where to send the email when the threshold gets hit. In this case it’s stating that if the forecast is greater than 80% of the threshold (6 dollars), the email will be sent.

The budget can also be set for taking actions such as “run stuff if costs are too high”, but the architecture for this website isn’t a good fit for an actual example.

Let’s see how a budget line should show after the stack has been created:

Clicking on the line, you can see the configuration of the budget and if any alarm has been fired:

The monitor

This section goes from line 42 to the end of the file. Also in this case the instructions are for sending an email if the thresholds are hit, but in a different flavor. Lines 45 to 47 state how the costs are looked after, and lines 50 to the end tell that the monitor will scan the costs every day (Frequency:Daily, line 55), checking if any of the service in use is spending more than 10 USD. If so, the email will be sent.

In this file the monitor specification are kept as simple as possible, thus SERVICE is a mandatory value, and the type is DIMENSIONAL.

The monitor could also split the costs with a finer grain (e.g. by tags on resources), but (idk if luckly or unluckly) my costs are too low and the resources involved wouldn’t fit for such an analysis.

Here’s the page of the monitor details, showing the history of fired anomalies (luckly, none so far).

Cloudformation CLI setup

I’m going for multiline with the CLI instruction in order to minimize scrolling.

There’s no dev or prod environment in this case, since both are under the same AWS account.

Create stack

aws cloudformation create-stack --stack-name cost-control-stack \
--template-body file://cost-control.json \
--parameters ParameterKey=EmailAddressForNotificationParameter, \
ParameterValue=<email\_address>

Update stack

The only relevant point here is to use UsePreviousValue=true in order to leave the email notification parameter untouched.

aws cloudformation update-stack --stack-name cost-control-stack \
--template-body file://cost-control.json \
--parameters ParameterKey=EmailAddressForNotificationParameter, \
UsePreviousValue=true

References

Cloudformation templates for Cloudfront automatic cache invalidation using Lambda within CodePipeline

Marco Aguzzi — Wed, 03 Jan 2024 18:00:00 +0000

(original post: https://marcoaguzzi.it/2024/01/03/lambda-invalidation-cloudformation/)

In this post I’m going to show how I triggered an automatic cache invalidation for the Cloudfront distribution that is serving this website. As in the previous posts, all the resources will be provisioned via CloudFormation.

At the end of the post the CLI commands to create and / or update the resources will be shown.

The manual procedure

Once that the markdown file for a post is written and a local compilation / rendering has been made, the markdown source can be pushed on the git repo. That triggers the AWS Codepipeline that will download the source, render the markdown into html, and push the result to the S3 bucket served by Cloudfront.

Since Cloudfront is serving the S3 bucket, caching is in place. Newly pushed content won’t be visible until the cache expires, which is not feasible. So, after a successful compilation and pushing to S3, I manually get to Cloudfront distribution invalidations and fire a new invalidation. This way I’m sure that subsequent requests to the website will get the newly updated content.

In the images below the steps for manual invalidation are shown:

Go to CloudFront / Distributions, and search for “Invalidations” tab

Then selecting the last successful invalidation (shown below on the very left) and “copy to new” (upper right)

And then confirming the copy of the invalidation with the last path (the path /* is fine since AWS charges per invalidation, regardless of how much deep it is)

The invalidation takes a few minutes to be completed, and then the website is good to go. This is a mundane and forgetful-prone task, so I’m better automating it.

Automation setup

There is not an “invalidate cache” action that can be directly call from CodePipeline. A Lambda that actually creates the invalidation is needed and must be called as an action in the CodePipeline structure.

Let’s see in details the two resources:

The Lambda function

The Lambda function will leverage boto3 Python libraries to create the invalidation and notify the pipeline about the outcome (credits to the website in the reference section).

Let’s see some highlights. At the end of this section the link to the gist with the full source is provided.

Read cloudformation ID from environment
Caller notifications
Invalidation specifications

Click to view the Gist with the Lambda Python code

Lambda Cloudformation stack and how to reference it

The Lambda cloudformation stack is similar to the one presented for the 301 redirects and URL rewriting in edge locations (here’s the post); there are a few differences, though (at the end of the paragraph there is the gist with the full code):

In the lambda’s resources, an environment variable is declared and its value is read from the cloudformation stack that contains the cloudfront distribution (referenced in the python code as CLOUDFRONT_DISTRIBUTION_ID). To be able to read that from here, the cloudformation stack that contains the cloudfront distribution has to list the variable as an output and flag it to be exported:

Cloudfront distribution environment variable reference

Parameters:
CloudformationExportVar:
Type: String
...
Environment:
Variables:
CLOUDFRONT\_DISTRIBUTION\_ID:
Fn::ImportValue:
!Ref CloudformationExportVar

And here’s the export in the stack hosting the cloudfront distribution

Exported value from cloudfront distribution resource

"Outputs": {
"CloudFrontDistributionId": {
"Description": "ID of the CloudFront distribution",
"Value": { "Fn::GetAtt": ["CloudFrontDistribution", "Id"] },
"Export": {
"Name": { "Fn::Join": ["-", [{ "Fn::Sub": "${AWS::StackName}-CloudFrontDistributionId" }, { "Ref": "Stage" }]]}
 }
 }
 }

There is no need for the edge permission (only lambda.amazonaws.com is needed)

services for the AssumeRole action

AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: "sts:AssumeRole"

Other than the BasicExecutionRole, three other permissions must be granted for the creation of the invalidation and the notification back to the CodePipeline
- cloudfront:CreateInvalidation
- codepipeline:PutJobFailureResult
- codepipeline:PutJobSuccessResult

Additional permissions for basic lambda role

Policies:
- PolicyName: InvalidateCloudfrontDistributionPolicy
PolicyDocument: 
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- cloudfront:CreateInvalidation
- codepipeline:PutJobFailureResult
- codepipeline:PutJobSuccessResult
Resource: "\*"

That should put the lambda in place for the purpose.

Here below you can view the full gists of the cloudformation stack of

the lambda#Click to view the Gist
the cloudfront distribution (which is the parent stack as shown in the older articles)#Click to view the Gist

CodePipeline stage

The action can be added in CodePipeline as a new stage. From there the lambda can be referenced. Here’s how the new stage will look like after cloudformation template has been deployed (You can see that the action is referring to the lambda and still no runs shown):

Codepipeline Cloudformation stack

Let’s start from the addition of the new stage in CloudFormation. We can see

the parameter that will reference the exported value from the lambda stack. The parameter value contains the name of the exported variable, and will reference the lambda function name
the action
the updated permissions in order to allow the calling of the lambda function from the pipeline:

New stage in Codepipeline

"Parameters": {
...
"InvalidationLambdaExported": {
"Description": "Lambda function performing the cache invalidation",
"Type": "String"
 }
}
... stages ...
{
"Actions": [
 {
"ActionTypeId": {
"Category": "Invoke",
"Owner": "AWS",
"Provider": "Lambda",
"Version": "1"
 },
"Configuration": {
"FunctionName": {"Fn::ImportValue":{"Ref":"InvalidationLambdaExported"}}
 },
"Name": "InvalidateCloudFrontCacheAction"
 }
 ],
"Name": "InvalidateCloudFrontCacheStage"
}
...
"Policies": [
 {
"PolicyDocument": {
"Statement": [
 {
"Action": [
...
"lambda:invokeFunction"
 ],
"Effect": "Allow",
"Resource": "\*"
 }
 ],
"Version": "2012-10-17"
 },
"PolicyName": "MyCodePipelineRolePolicy"
 }
]


The full reference to the cloudformation template can be found in the gist below:

#Click to view the Gist cloudformation for the Cloudfront distribution<script src="https://gist.github.com/maguzzi/4899697488d40105dd51ce2c37c1e327.js"></script>

Below is how the new CodePipeline stage should turn out if everything was successful:

 ![Codepipeline stage invalidation succedeed](https://marcoaguzzi.it/img/cache-invalidation-cloudformation/cloudfront_invalidation_5.png)

And that should do for adding a new stage with a new action calling the lambda and invalidating the cache

## Cloudformation CLI commands

Here’s the AWS CLI commands (legit ones!) that have been fired in order to create and / or update the cloudformation stacks (and the lambda, of course):

_CloudFront stack update_

aws cloudformation package --template-file marcoaguzzi.json --s3-bucket cf-templates-e5ht2sji9no7-us-east-1 --output-template-file target\packaged-template.yaml
aws cloudformation deploy --template-file target\packaged-template.yaml --stack-name marcoaguzzi-website-prod --capabilities CAPABILITY_NAMED_IAM --parameter-overrides Stage=prod


It should appear the exported output variable:  
 ![Export from CloudFront](https://marcoaguzzi.it/img/cache-invalidation-cloudformation/cloudfront_output.png)

_New lambda creation, passing the export from above_

cd lambda-cloudfront
compress-Archive .\index.py .\lambda-cloudfront-invalidate-prod-20240101.zip
aws s3 cp lambda-cloudfront-invalidate-prod-20240101.zip s3://lambda-artifacts-bucket-maguzzi/
aws cloudformation create-stack --stack-name lambda-invalidate-cloudfront-prod --template-body file://lambda-invalidate.yaml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=ZipDate,ParameterValue=20240101 ParameterKey=Stage,ParameterValue=prod ParameterKey=CloudformationExportVar,ParameterValue=marcoaguzzi-website-prod-CloudFrontDistributionId-prod


The new stack is created and the lambda name is exported in outputs:  
 ![Export from Lambda](https://marcoaguzzi.it/img/cache-invalidation-cloudformation/lambda_output.png)

_CodePipeline update referencing the lambda exported variable in parameters_

aws cloudformation update-stack --stack-name marcoaguzzi-stack-codepipeline-prod --template-body file://marcoaguzzi-codepipeline.json --parameters file://parameters-codepipeline-prod.json --capabilities
CAPABILITY_IAM




And now the Codepipeline should have the last stage as shown in the pictures above, ready to invalidate the cache after the website deploy to S3 :-)

## References

- [AWS: Creating a CloudFront Invalidation in CodePipeline using Lambda Actions](https://medium.com/fullstackai/aws-creating-a-cloudfront-invalidation-in-codepipeline-using-lambda-actions-49c1fd3a3c31)
- [AWS Cloudformation user guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)

SEO optimizations with Cloudformation

Marco Aguzzi — Fri, 15 Dec 2023 17:49:53 +0000

(Original post: https://marcoaguzzi.it/2023/12/15/SEO-optimization-cloudformation/)

Looking (again) at SEO metrics, I wanted to fix two misbehaviors of the website: compression and error pages.

Let’s get through the process:

HTTP compression

This has been an easy one. The SEO tool wanted the site to accept compression, so moving from requesting this (locahost:4000 is the local hexo server where the html rendering is immediately visible):

GET / HTTP/1.1Host: localhost:4000Accept-Encoding: gzip, deflate, br

and getting no matching compression to asking for this:

GET / HTTP/1.1Host: marcoaguzzi.itAccept-Encoding: gzip, deflate, br

and be answered

Content-Encoding: br

which is the confirmation that Brotli compression is enabled.

Cloudformation snippet

The configuration should be done in the cloudfront serving the site hosted on S3. Namely, in the DefaultCacheBehavior by adding Compress: True to the yaml. The other settings required in the cache (enable gzip and enable brotli) are already served by referencing the pre-made CachingOptimized CachePolicy. Here’s the snippet: for clarity, the CachePolicyId is referenced in a map,

and, in this case, its value is 658327ea-f89d-4fab-a63d-7e88639e58f6

"DefaultCacheBehavior": { "Compress": true, ..., "CachePolicyId": { "Fn::FindInMap": ["CacheMapping", "Global", "CachingOptimized"] }, ...}

References

Custom error pages

The plugin managing the pagination of the website renders links to page “0” and “last page + 1” (they’re hidden, though). Crawling the website and pointing to those links, cloudfront replies with a 403 because the pages are not mapped in the S3 bucket. Instead of exposing the 403 error with an awkward cloudfront xml, it could be better to serve a page styled as the rest of the website, and maybe returning HTTP 200 code, thus the human user will see a courtesy page, but the http client won’t know that it hit a wrong path.

This can be achieved by instructing cloudfront to serve custom error pages when a HTTP error is raised. The path of the custom error pages must be present in the served S3 bucket.

Edit the Cloudformation template

In the DistributionConfig property section of CloudfrontDistribution resource, adding a CustomErrorResponses array will do the job. In this case only the HTTP 403 error is fired for unknown paths (per the S3 bucket configuration, there should be no 404 error),

so one line in the array will be enough. The object is quite self-explanatory: ErrorCode is the error fired, ResponseCode is the error code to be returned to the client, and ResponsePagePath is the page to be shown:

"CloudFrontDistribution": { "Properties": { "DistributionConfig": { "CustomErrorResponses":[{ "ErrorCode" : 403, "ResponseCode" : 200, "ResponsePagePath" : "/errors/403.html" }], } }}

Hexo page

The error page has been created like any other page in the site that is accessible from the topbar menu:

hexo new page errors

and a folder errors with an index.md file is created.

Next, the index.md file has been renamed to 403.md in order for it to be rendered as 403.html (with the hexo generate command), as the ResponsePagePath value states. The rendered html can then be pushed on git and deployed as any other article.

For reference, the actual error page is here.

The full Gist

The full parent cloudformation template can be found in this gist:

Click to view cloudformation template on gist

DEV Community: Marco Aguzzi

Got my AWS AI practitioner certification!

RSS to social integration - An example using Lambda, Python, and Amazon Translate

Terraform infrastructure

Python source code in Terraform

Python sources

Production code

main.py

social_publish_linkedin.py

linkedin_media_share_manager.py

requests_facade.py

Libraries used in python

Test code

Integration samples

Content with link (article)

Content with image

Conclusions

Links

Icon Attributions

An Oauth2 use case - Authenticating and posting articles with images via LinkedIn API (v. 202504)

We have a LinkedIn account, what else do we need?

A company page

An app on LinkedIn developer

Configuring the app

Settings

Auth

Application credentials

OAuth 2.0 settings

OAuth 2.0 scopes

Products

(A server for the) redirect URL

How should I run the server?

Oauth2 in action

(1) Authentication request

(2) HTML form

(3) Submit the form

(4) Redirect URL in action

(5) Request for the authorization token.

(6) Response with authorization token

(7) Calling post API

Who am I?

(1) userinfo request

(2) userinfo response

Posting with images

(1) Asking for the url to upload the image post

(2) The response with the upload url and the media urn:

(3) Upload the image

(4) Upload image response

(5) Share the post

(6) 201 Created

Conclusions and next steps

Got my AWS solution architect certification!

Got my Terraform certification!

Domesticate AWS nested stacks in Java: doing the chores Cloudformation doesn't do (w/ code samples)

What’s Cloudformation, and what’s a nested stack?

A nested stack example

Parent stack

Child stack

The lambda reference

Creating the stack

Packaging the stack

Using the CLI

Java SDK

Improvements and what’s next

Please stop publishing AWS S3 buckets as static websites! Read here for a secure, fast, and free-ish approach [1st episode]

I’m in for fast and secure, but free…ish?

Hide the complexities of Cloudformation

The Java tool to the rescue

How to use the project

Tool commands

DISTRIBUTION

DNS_INFO

CHECK

LIST

What’s next?

Update Github token in Codepipeline with Cloudformation

The use case

The secret stack

Create stack

Check stack resources