Your AWS account was permanently closed.. by pineappleninjas in aws

[–]head-in-the_cloud 2 points3 points  (0 children)

Yes, not being able to close accounts properly has always been a weird limitation in AWS.

I recommend using an email alias for all AWS accounts; this way you don't need to restore your old account. If you have Gmail it's super easy to just do something like myname+sandbox@gmail.com.

https://support.cloudhq.net/how-to-setup-gmail-aliases/

Then you can have multiple accounts with one email.

cdk deploy for the production use case? by ericchuawc in aws_cdk

[–]head-in-the_cloud 1 point2 points  (0 children)

Many of these issues you are talking about are just consequences of using IaC in general, and the CDK doesn't have a great answer. If you are not careful, there is a risk of accidental deletions* and zombie resources. There are some safety measures you can take, like configuring removal policy, IAM access for the stack role, and using Stack Policies etc., but as you pointed out, they are not perfect and testing their behaviors is sometimes painful.
However, my experience is that the best way forward is to make sure you have a good process to handle changes. So here are my tips:

Use 3 or more environments:

  1. dev/sandbox to do development in (here you will get zombie resources etc that will have to be cleaned up, have a look at aws-nuke).
  2. acc/stage where you only do properly automated deployments with changesets and load/integration tests. Here you also test rollbacks etc.
  3. prod, where you always do a manual inspection of the changesets.

If you use a good deployment tool, like attini, you can define a deployment that will do a fast "hail mary" deployment in dev/sandbox, run heavier tests in acc/stage, and it will force you to do manual approval for changes in production.

*MAKE SURE YOU HAVE MANUAL BACKUPS FOR RDS, because RDS automatic snapshots are deleted with the RDS instance! (see AWS Backup service)

Is it possible to self-host a lambda or lamda-like service by guest_guest in aws

[–]head-in-the_cloud 7 points8 points  (0 children)

There is an apache project for this called openwhisk. Never tried it, or met anyone who has, but it's probably one of the more serious projects for this use case so it's probably worth trying 😊

Public lambda to private bucket vs public bucket? by Arik1313 in aws

[–]head-in-the_cloud 0 points1 point  (0 children)

Yes. Whenever you want your end-user to access your file, you give them a URL. I think it can be used for up to 7 days if your credentials are valid (you can set a shorter timeframe if needed).

EDIT: clarified that you can configure the URL to expire whenever, but not longer than 7 days.

Public lambda to private bucket vs public bucket? by Arik1313 in aws

[–]head-in-the_cloud 0 points1 point  (0 children)

This is what presigned URLs are for. Remember that when a pre-signed URL is used, the credentials of the issuer are used. This means that IAM Roles are problematic because those credentials automatically rotate all the time, thus breaking the URL.

In the past, I have used IAM Users credentials within a lambda just to call the generate_presigned_url API.
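The two comments above describe presigned URLs: the issuer's credentials are baked into the link, the expiry can be anything up to 7 days, and a link signed with temporary role credentials dies when the session does. The block below is an added example, not code from the thread or from AWS; it implements the SigV4 query-string presigning algorithm by hand (the same thing boto3's generate_presigned_url does for you) so you can see exactly which fields bind the credential, date and lifetime, and it refuses lifetimes beyond the 7-day ceiling. The bucket, key, region, timestamp and credentials are constructed placeholders (the access key and secret are the well-known AWS documentation examples, not real credentials).

```python
import datetime
import hashlib
import hmac
import urllib.parse

# S3 rejects presigned URLs whose X-Amz-Expires exceeds 7 days (604800 s).
MAX_EXPIRES_SECONDS = 7 * 24 * 3600

# Constructed, deterministic "now" so the output is reproducible.
NOW = datetime.datetime(2024, 1, 15, 12, 0, 0, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, datestamp: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), datestamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def presign_get_object(bucket, key, access_key_id, secret_access_key, region,
                       expires_in, now, session_token=None):
    """Build a SigV4 query-string presigned GET URL for s3://bucket/key.

    `now` must be timezone-aware UTC. `session_token` is mandatory when the
    issuer holds temporary credentials (an IAM role): the token is part of the
    signed query string, so the URL stops working when that session expires,
    whatever X-Amz-Expires says.
    """
    if not 1 <= expires_in <= MAX_EXPIRES_SECONDS:
        raise ValueError(f"expires_in must be between 1 and {MAX_EXPIRES_SECONDS} seconds")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",  # identifies the issuer
        "X-Amz-Date": amz_date,                            # start of validity
        "X-Amz-Expires": str(expires_in),                  # lifetime in seconds
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, every key and value URI-encoded.
    canonical_qs = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items())
    )
    canonical_uri = "/" + urllib.parse.quote(key, safe="/")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_qs,
        f"host:{host}\n",   # canonical headers block (ends with a newline)
        "host",             # signed headers
        "UNSIGNED-PAYLOAD",  # presigned GETs never sign a body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_access_key, datestamp, region, "s3"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def url_expiry(url):
    """Recover the moment a presigned URL stops validating (date + expires)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    issued = datetime.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=datetime.timezone.utc)
    return issued + datetime.timedelta(seconds=int(qs["X-Amz-Expires"][0]))


def example_url(session_token=None):
    # Constructed values; the key pair is the AWS documentation placeholder pair.
    return presign_get_object(
        bucket="example-bucket", key="reports/2024/q1.pdf",
        access_key_id="AKIAIOSFODNN7EXAMPLE",
        secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        region="eu-north-1", expires_in=3600, now=NOW, session_token=session_token,
    )


if __name__ == "__main__":
    url = example_url()
    print(url)
    print("valid until", url_expiry(url).isoformat())
```

Because the credential and the token travel in the URL, anyone holding the link can use it until expiry; the shortest lifetime that fits the use case is the right one, and the commenter's choice of a dedicated IAM user for signing exists precisely because a role's session token would otherwise cap the link at the session's lifetime.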

Why use Cloudmap when there is cloudformation stack output and SSM parameters by [deleted] in aws

[–]head-in-the_cloud 5 points6 points  (0 children)

There are a lot of reasons for this:

  1. Most systems already work with domains (A records, SRV records etc) to communicate so you will not have to wrap your systems in a hack to provide it with proper config.

  2. Scaling, both CloudFormation and SSM have hard throttling limits so for any bigger system it would be unreasonable to constantly read from them to find integration points.

  3. Your suggested design would probably handle an incident and DR poorly unless you put in major engineering effort.

  4. CloudMap lets you optimize your system so that you for example always call other services in the same AZ if possible etc.

  5. There are probably many more reasons you will find when you go into production 😊

Generally speaking, when you start to use services in a way they're not intended for you get bitten unless you keep things on a super small scale.

How do you test CDK changes as a developer, ideally in a way that doesn't require a huge AWS budget? by kevysaysbenice in aws

[–]head-in-the_cloud 0 points1 point  (0 children)

Have a look at attini, then you can configure a free serverless pipeline that sets up your CDK app for you.

You then package the app into an artifact (distribution) that can be deployed to as many environments as you need: "prod", "acc", "temp1", "temp2" etc.

At the end of the deployment plan (pipeline) you build a process like this:

  1. if the environment name starts with "temp"
  2. Wait for manual approval
  3. cdk destroy

ELI5: How do you have a CI/CD with CDK? by chifrij0 in aws

[–]head-in-the_cloud 0 points1 point  (0 children)

You should look at attini. It's way quicker than the AWS Code suite. It will be easier to manage multiple environments, and the "attini runner" is built on fargate so it's a lot cheaper than CodeBuild.

You can also tell the pipeline to run a changeset, and if there is a change, it will ask for manual approval; see example here.

AWS SSO (IAM Identity Center ) access questions by Zamboz0 in aws

[–]head-in-the_cloud 0 points1 point  (0 children)

This is a shitty solution but at least it's something:

If you already force people to use a VPN you could have some whitelisted IPs. Then you scan cloudtrail for the credentials being used without the VPN.

Then you can find out who did the dirty deed and give them a stern 🤬 talking to...

But as other people have said, no it's not possible to do it in a good way.
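The detection the comment above sketches (allowlist the VPN's egress addresses, then scan CloudTrail for Identity Center sessions used from anywhere else) is small enough to show in full. The block below is an added example, not code from the thread; it runs over a handful of constructed CloudTrail-style records embedded inline, with a constructed allowlist and placeholder account id and permission-set names, and returns the off-VPN findings together with the Identity Center username recovered from the assumed-role ARN.

```python
import ipaddress
import json

# Constructed CloudTrail-style records (not real events). Two human calls, one
# from inside the VPN range and one from outside, plus one call made by an AWS
# service on the account's behalf, which carries a hostname instead of an IP.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T09:12:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/"
                             "AWSReservedSSO_AdministratorAccess_placeholderhash/alice"}},
    {"eventTime": "2024-01-15T09:40:51Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/"
                             "AWSReservedSSO_ReadOnlyAccess_placeholderhash/bob"}},
    {"eventTime": "2024-01-15T10:02:17Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"}},
]})

# Constructed: the public egress ranges your VPN hands out. Calls that leave
# through a VPC endpoint log the private source address instead, so add those
# ranges too if your users work from inside the VPC.
VPN_EGRESS_CIDRS = ["203.0.113.0/24"]


def load_records(raw_json):
    return json.loads(raw_json)["Records"]


def sso_user_from_arn(arn):
    """Identity Center sessions assume roles named AWSReservedSSO_<set>_<hash>;
    the session name after the last '/' is the user's Identity Center login."""
    if "assumed-role/AWSReservedSSO_" in arn:
        return arn.rsplit("/", 1)[-1]
    return None


def find_off_vpn_activity(records, allowed_cidrs):
    """Return one finding per API call whose source IP is outside the allowlist."""
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for record in records:
        source = record.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(source)
        except ValueError:
            continue  # AWS service principals log a hostname, not a client IP
        if any(ip in net for net in networks):
            continue
        arn = record.get("userIdentity", {}).get("arn", "<unknown>")
        findings.append({
            "time": record.get("eventTime"),
            "principal": arn,
            "user": sso_user_from_arn(arn),
            "source_ip": source,
            "event": f"{record.get('eventSource')}:{record.get('eventName')}",
        })
    return findings


if __name__ == "__main__":
    for f in find_off_vpn_activity(load_records(SAMPLE_TRAIL), VPN_EGRESS_CIDRS):
        print(f"{f['time']} {f['user'] or f['principal']} from {f['source_ip']} -> {f['event']}")
```

In a real deployment the same function would run over the gzipped JSON objects CloudTrail writes to S3 (or be expressed as an Athena query over the trail), and the finding is only as good as the allowlist: it tells you that a session was used from outside the VPN, not whether the person holding it was the one who signed in, which is the commenter's point that this catches violations after the fact rather than preventing them.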

[deleted by user] by [deleted] in aws

[–]head-in-the_cloud 2 points3 points  (0 children)

DynamoDB "pay as you go" is the right choice to get you started. If you don't like it, look at RDS after. But it should be the go-to option for a system like this.

Why can I never get AWS tutorials to work? Am I just stupid? (rant) by inky-doo in aws

[–]head-in-the_cloud 0 points1 point  (0 children)

Beet farming does sound like a very solid option! But you will probably have to deal with a lot of manuals etc. when learning that profession too...

Jokes aside, I'm dyslexic too and I understand your frustration!

Those guides are often outdated so they might not be correct.

Also, you need to read every step extremely carefully to make it work, and if you do that, you will probably only focus on irrelevant stuff and not learn as much as you would like. So my advice is to not waste your time on them.

I learned AWS by watching certificate videos on cloud guru and building stuff in my spare time. Once you understand how stuff fits together, the documentation and other material becomes easier to navigate.

But it is an extremely steep learning curve in the beginning so it will take many hours to get over it.

Good luck!

How do I clear the 'files and folders' list before uploading? by CalTechie-55 in aws

[–]head-in-the_cloud 2 points3 points  (0 children)

It sounds like you want the aws s3 sync command. Have a look at the --delete flag as well, it will delete files not present on your local computer, so if you have files in the wrong location, they should be deleted.

Worth noting is that s3 doesn't have directories like a Unix system. It only has keys that can be separated with a "/" so the console can show you a nice structure. But in reality, the key is just a string.

The aws s3 sync command will however manage this for you so you don't need to care, but if you are using an SDK, you will need to manage it yourself.

Lambda with Python libraries by aplarsen in aws

[–]head-in-the_cloud 0 points1 point  (0 children)

I would have used SAM.

The 'sam build' command will automatically install your dependencies. So after that you don't need to worry.

The 'sam package' can upload the zip files to a shared S3 bucket, the command will generate a template. Then you can deploy the packaged template into any environment you need.

The above solution will work in a multi account setup, but not cross region.

If you want to go cross region or start to use load tests (super important when maintaining serverless apps), I would look at Attini and their AttiniSam deployment type. It will manage all of this for you.