CatOps
DevOps and other issues by Yurii Rochniak (@grem1in) - SRE @ Preply && Maksym Vlasov (@MaxymVlasov) - Engineer @ Star. Opinions on our own.

We do not post ads including event announcements. Please, do not bother us with such requests!
We briefly mentioned Crossplane in our last voice chat. Here is yet another hello world-ish article about Crossplane.

However, what I like about this article is that there is a link to a repository with code samples. So, you can examine the code on your own if you want, as well as try to run it yourself.

BTW, I also wrote an article a long time ago. Unfortunately, I don’t have a repo with the sample code. I didn’t think of this back then :\

#kubernetes #aws #crossplane
Some AWS usage statistics for 2023.

Background: the survey ran from 16th Jan to 15th Feb 2023 and 331 people participated in it.

It provides some insights into the adoption of AWS services as well as the satisfaction of using them.

On this occasion, I want to make the last call to participate in our Kubernetes Operations Survey 2023, whose goal is to better understand how people maintain Kubernetes clusters in their companies.

#aws
Remember that a couple of years ago GitHub disabled automatic execution of its Actions?

The idea behind this decision is more or less described in this article - Build Pipeline Security. The problem described in this article is not rocket science. Thus, any malicious actor can do something similar.

This brings me to the topic of CI integrations for public repositories. I think on some podcast or in some article I’ve heard advice for beginners to create a pet project and configure CI for it. So, you can show that you have some practical experience. Ok, GitHub has you covered, but what about other CIs which are available for public repositories? So, it might have been good advice if we were living in a world where all people are kind to each other, which is not the case.

Does it mean that you cannot have a CI for your pet project? Of course not! Just be careful with what it actually can execute on each step. The author of the linked article suggests putting deploy scripts into a separate private repository. I think nowadays any major VCS vendor allows one to have at least one private repository for free.

Yet, I would say that this is not good enough and you should also follow GitHub’s steps and enforce mandatory approvals for CI runs, as well as have some quotas in place for the compute resources available to your CI. Again, GitHub has you covered here, but if you want to use something else, you are on your own.

#cicd #security #github #aws
From our subscriber:

Till the end of June you can save up to 40% on the Linux Foundation courses with this promo code:

JUNEBBQ40

UPD. Also, AWS has extended the promo code for exam retake. So, if you fail the exam the first time, you can retake it for free. More details:

AWSRETAKE

#linux #education #kubernetes #aws
AWS NLB now supports security groups! This is amazing and it would’ve prevented a couple of questionable architectural decisions on my side in the past.

P.S. Yet, the most discussed news is the licensing changes by HashiCorp. Unpopular opinion here: nothing changes for you as a practitioner. However, companies like Spacelift and Terramate got hit. Also, big cloud providers won’t be able to adopt “Terraform as a Service”. That’s it. The one who can adapt to the new realities best survives. And the new reality is that people pay for “service platforms” and not for the code written.

#aws #hashicorp
If you have AWS Lambdas in Go, you likely know that AWS is going to deprecate the go1.x runtime and is forcing its users to migrate to the generic provided.al2 runtime.

The premise is that the new runtime is more performant. However, here is an article that argues why this move is bad for Go users on AWS as well as goes through some caveats you may encounter during the migration.

#go #aws #serverless
The Guardian tells a story of their migration to AWS Aurora Serverless.

This article doesn’t go too deep into technical aspects, but provides a nice overview of the issues one may encounter when trying to move to Aurora.

A couple of things that I found interesting:

- Whatever cloud migration tools are there, pg_dump and pg_restore are your trusted friends.

- This paragraph:


We’re spending roughly $220/month for storage and compute for the database. For the same price we could have rented a db.m7g.xlarge (16GB RAM, 4 vCPUs) Postgres instance along with 100GB of EBS storage or a db.r7g.large (16GB RAM, 2 vCPUs) Aurora instance. I suspect both of these options would have done the job for us, and maybe not have suffered from the same cold start problems as our serverless database, but after 3 migrations, it’s probably time to get back to doing some feature work!


#databases #postgres #aws
A comparison between EKS and AKS.

The article provides some insights into what to expect from each managed service. It’s a pity GKE is not included in this comparison, I’ve heard a lot of good things about GKE. I believe this is because the article originated from a specific use case.

#kubernetes #aws #azure
AWS Karpenter is in beta now.

Karpenter is AWS’ tool to manage and autoscale node pools in Kubernetes, which has more features compared to the Cluster Autoscaler and has deeper integration with AWS features. Yet, support for other major clouds is somewhere in the roadmap, IIRC.

This article in particular describes the changes in Karpenter Beta compared to the previous versions and also guides you through deprecations and upgrade notes.

#kubernetes #aws
Here's a neat article with some good security practices for configuring an EKS cluster.

If you work with AWS and Kubernetes a lot, it won't give you any dramatic insights, but you could still use it as a checklist / cheat sheet when configuring a cluster, since it's easy to forget something when there are many moving parts.

#aws #kubernetes
Kubernetes: tracing requests with AWS X-Ray, and Grafana data source is a step-by-step guide on how to set up tracing in your EKS cluster using AWS X-Ray by Arseniy Zinchenko - a member of the Ukrainian DevOps community.

Also, make sure to subscribe to his Substack! He posts new things quite often and I have no idea where he finds the time and willpower to do so 😅

#aws #kubernetes #observability
A nice step-by-step guide on how to test a Python AWS Lambda function locally with LocalStack.

This guide doesn't cover fixtures in LocalStack, though. In my experience, adding fixtures to LocalStack is a PITA, but I have a very specific scenario where I need to create a couple of thousand S3 objects relatively fast.

#aws #serverless #python
Ha! I was sure I shared this article with y'all before, but when I tried to find it on the channel today, I was unable to. In any case, even if it was here, it won't hurt to repeat it.

So, here it is - Kubernetes: EKS, Calico and custom Admission Webhooks.

This article sheds some light on the EKS networking. The gist is that if you use anything except the native VPC CNI, your control plane pods (API, scheduler, etc.) and workload pods will end up in different networks, because you cannot install any custom pods into the control plane.

Unless you use admission webhooks, you probably won't even notice; but if you do, API won't be able to contact your admission controller pods without some workarounds.

This is the nature of managed services: you gain something - you lose something.

#kubernetes #eks #aws
A curious story about S3 billing. So, AWS charges you for unauthorized access attempts to your buckets. Thus, it’s possible to create an attack to inflate someone’s AWS bill if you know the buckets’ names.

Honestly, I’m not sure what the moral of this story is. Make your buckets private unless public access is strictly required. Do not use common names, or if you have to, use prefixes and/or suffixes to distinguish buckets, or randomize the names.

#aws #s3 #security
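As an added example (not from the linked story or the channel authors), here is how the two pieces of advice above look in Terraform: an unguessable bucket name built from a prefix plus a random suffix, every public-access path blocked, ACLs disabled, and a bucket policy that rejects plaintext HTTP. The prefix `catops-artifacts` and the region-independent setup are assumptions for illustration. Note that none of this stops someone from *sending* requests to the bucket; it makes the name hard to guess and guarantees that a guessed name still yields nothing.

```hcl
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

# Hypothetical prefix; replace with your own naming scheme.
variable "bucket_prefix" {
  type    = string
  default = "catops-artifacts"
}

# 8 random bytes -> 16 lowercase hex chars, valid in an S3 bucket name.
# The full name cannot be derived from the prefix alone.
resource "random_id" "suffix" {
  byte_length = 8
}

resource "aws_s3_bucket" "private" {
  bucket = "${var.bucket_prefix}-${random_id.suffix.hex}"
}

# Close every path to public exposure: ACLs and bucket policies.
resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = aws_s3_bucket.private.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Disable ACLs entirely; access is governed by IAM and the bucket policy only.
resource "aws_s3_bucket_ownership_controls" "private" {
  bucket = aws_s3_bucket.private.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Deny any request that is not over TLS. A Deny with Principal "*" is not
# a "public" grant, so it is allowed alongside block_public_policy = true.
data "aws_iam_policy_document" "tls_only" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.private.arn,
      "${aws_s3_bucket.private.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "tls_only" {
  bucket     = aws_s3_bucket.private.id
  policy     = data.aws_iam_policy_document.tls_only.json
  depends_on = [aws_s3_bucket_public_access_block.private]
}

output "bucket_name" {
  value = aws_s3_bucket.private.bucket
}
```

The `depends_on` on the bucket policy avoids the race where the policy is applied before the public access block exists; the order of the two does not matter for security, but Terraform applies them in parallel otherwise.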
A couple of articles I stumbled upon when researching some things for work.

- You can use ARG in the FROM definition in a Dockerfile. I didn't know that it's possible. Back in the day I tried using ENV there and it didn't work, so I assumed it's non-configurable. Apparently, it is. You may argue whether it's a good practice to alter the FROM configuration this way, but I can clearly see use cases for that.

- A workaround for Terraform's `default_tags` definition. This way you can "exclude" the default_tags for some resources in Terraform. For example, if you're using the default subnets, etc. that were imported into Terraform. You cannot change tags for those things in AWS, so you need to work around that. Again, using defaults in AWS is probably not a good practice, but sometimes those things are in use for historical reasons, etc.

Again, these two articles have no relation whatsoever, just want to share them with you.

#aws #terraform #docker
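As an added example of the `default_tags` exclusion mentioned in the second bullet (this is one common approach, not necessarily the one in the linked article, and not the channel authors' code): keep `default_tags` on the main provider and declare a second provider alias without them, then point only the resources that must keep their existing tags at the alias. The region, tag values and the `aws_default_subnet` adoption are assumptions for illustration.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Main provider: every resource created through it gets these tags merged in.
provider "aws" {
  region = "eu-central-1" # assumed region
  default_tags {
    tags = {
      Owner       = "platform"  # assumed values
      ManagedBy   = "terraform"
      Environment = "prod"
    }
  }
}

# Second alias with NO default_tags block, for resources whose tags must
# stay exactly as they are in the account.
provider "aws" {
  alias  = "untagged"
  region = "eu-central-1"
}

# Normal resource: tags = its own tags + the provider's default_tags.
resource "aws_s3_bucket" "app" {
  bucket = "catops-example-app-bucket" # hypothetical name
  tags = {
    Service = "app"
  }
}

# Default subnet adopted into state via aws_default_subnet. Because it uses
# the "untagged" alias, Terraform will not plan a perpetual diff trying to add
# Owner/ManagedBy/Environment to a subnet that must keep its original tags.
resource "aws_default_subnet" "legacy_a" {
  provider          = aws.untagged
  availability_zone = "eu-central-1a"
}

output "app_bucket_tags_all" {
  # tags_all shows the merged result (own tags + default_tags).
  value = aws_s3_bucket.app.tags_all
}
```

The alias approach is preferable to `lifecycle { ignore_changes = [tags_all] }` because the exclusion is explicit at the resource that needs it and the rest of the configuration keeps the tagging guarantee.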
Some say that 2024 will finally be a year of serverlessless /s

So, here’s a comparison from Ahrefs of their costs of running physical data centers vs running in a cloud.

However, many of these comparisons lack an important point. At least, Ahrefs acknowledges that:

"[The] article doesn’t take into account other aspects that would make the comparison even more complicated. These include people skills, financial controls, cash flow, capacity planning depending on the load type, etc."

Their solution? Hire all those people laid off from Big Tech!

My brother in Christ, system engineers are the last to be laid off…

P.S. It’s quite ironic to post this article from the AWS Summit :D

#aws #cloud