- 2024-12-04 Speeding up ECS containers with SOCI
Waiting for your deployment to finish. What a painful experience. You have to wait for the build. You have to wait for the tests. And then you have to wait for the startup. Ten minutes later, the new task definition is up and running. Then you realize that you made a mistake...
- 2024-11-10 CloudFormation template generator with LLMs/GenAI
Today, I will be guiding you through the implementation of a script that creates a CloudFormation template based on instructions given to a large language model. Along the way, I will also demonstrate how to connect the ell library to AWS Bedrock. Moreover, we will provide the agent with tools to fetch the most...
- 2024-10-20 LLM Agents with Ell
Ell is a fairly new Python library that is similar to LangChain. In my opinion it feels simpler to use but is not as feature-rich. It is mostly useful as a higher-level API on top of LLM providers (such as OpenAI or Anthropic) and for the creation of agentic tools -...
- 2024-09-30 Private Self-Hosted OIDC AWS Authentication
Oftentimes, in order to connect to AWS services from our local machines or external systems, we resort to using IAM user credentials. However, as we know, these are long-lived and easy to abuse once leaked. Unless you have very strict IAM policies that, for example, check the source IP, leaked...
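The security argument in the excerpt above is that a federated OIDC identity is only as useful as the claims the role's trust policy pins down: a leaked IAM user key works from anywhere until rotated, while a web identity token expires on its own and is only accepted for the `aud` and `sub` values the trust policy names. The following is an added example, not code from the post, showing such a trust policy and a small evaluator that applies IAM's condition semantics (`StringEquals` exact match, `StringLike` with `*`/`?` wildcards, values within one key ORed, keys ANDed) to constructed token claims. The provider host `oidc.example.internal`, the account ID, the role conditions and the sample claims are all assumptions for this example; issuer and signature verification, which IAM does against the registered provider's keys, is out of scope here.

```python
"""Added example: evaluate which OIDC token claims a role trust policy admits.

Not the post's own code. Provider host, account ID, condition values and the
sample claims are assumptions; condition semantics follow IAM's documented
string condition operators.
"""
import fnmatch
import time

PROVIDER = "oidc.example.internal"  # assumed self-hosted OIDC issuer host

# Trust policy for a role that may be assumed via sts:AssumeRoleWithWebIdentity.
# `aud` is pinned exactly; `sub` is restricted to one laptop identity and to
# CI identities matching a wildcard pattern.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{PROVIDER}:sub": ["laptop:alice", "ci:deploy-*"]},
            },
        }
    ],
}


def _matches(op, expected, actual):
    """Apply one IAM string operator. Multiple expected values are ORed;
    a list-valued claim (e.g. `aud` as an array) matches if any element does."""
    expected_values = expected if isinstance(expected, list) else [expected]
    actual_values = actual if isinstance(actual, list) else [actual]
    if op == "StringEquals":
        return any(a in expected_values for a in actual_values)
    if op == "StringLike":
        # IAM StringLike: case-sensitive, `*` and `?` wildcards.
        return any(
            fnmatch.fnmatchcase(a, e) for a in actual_values for e in expected_values
        )
    raise ValueError(f"unsupported condition operator: {op}")


def claims_allowed(policy, claims, now=None):
    """Return True if a token carrying `claims` satisfies some Allow statement.

    `claims` is the decoded (and, in real life, already signature-verified)
    JWT payload. An expired token is rejected before any condition is checked.
    """
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for op, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim_name = key.split(":", 1)[1]  # "<provider>:sub" -> "sub"
                actual = claims.get(claim_name)
                if actual is None or not _matches(op, expected, actual):
                    satisfied = False  # every condition key must hold
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    # Constructed sample tokens; only the claims relevant to the policy are shown.
    samples = {
        "alice's laptop": {"sub": "laptop:alice", "aud": "sts.amazonaws.com", "exp": now + 600},
        "CI deploy job": {"sub": "ci:deploy-prod", "aud": ["sts.amazonaws.com"], "exp": now + 600},
        "other user, same issuer": {"sub": "laptop:mallory", "aud": "sts.amazonaws.com", "exp": now + 600},
        "wrong audience": {"sub": "laptop:alice", "aud": "some-other-app", "exp": now + 600},
        "expired token": {"sub": "laptop:alice", "aud": "sts.amazonaws.com", "exp": now - 1},
    }
    for label, claims in samples.items():
        print(f"{label:25s} -> {'allowed' if claims_allowed(TRUST_POLICY, claims) else 'denied'}")
```

The point the evaluator makes concrete: a token minted by the same issuer for a different `sub` (or for another audience) is refused, and a stolen token stops working at `exp` without anyone having to rotate a key. When writing such a policy, keep the `sub` pattern as narrow as possible; a bare `*` on `sub` would let every identity the issuer knows assume the role.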
- 2024-08-26 Cut Costs in OpenSearch Serverless with Bedrock Knowledge Base - Part 2
In the last post, we constructed all the resources necessary to create a Bedrock Knowledge Base using OpenSearch Serverless: the CloudFormation templates, a Lambda function for index creation and other static pieces like IAM Roles and S3 Buckets. Today, we will go through the process of combining all these...
- 2024-08-22 Cut Costs in OpenSearch Serverless with Bedrock Knowledge Base
One thing that grinds my gears about AWS OpenSearch Serverless is that it is "serverless" only in name. Despite the promise of serverless services such as Lambda or Fargate, where you pay only for what you use, OpenSearch Serverless consumes OCUs (capacity units) constantly. It's not a large amount but it...
- 2024-07-31 Daily Git diff into S3 - external Git repository
This is an update to my recent post about creating daily Git diffs between today's and the previous day's `HEAD` commits. In the previous post, I relied on CodeCommit, which is unfortunately being slowly shut down. What's more, a lot of users prefer external Git providers like GitHub, GitLab, or...
- 2024-07-29 Daily Git diff into S3
One thing I need for a future project is a way to collect all the changes in a Git repository (on a specific branch) and store them somewhere such as an S3 bucket. I thought about it extensively and came up with a solution you can find on the...
- 2024-07-13 Effective task management in Habitica using a text file and AWS Serverless
Creating tasks (to-dos) in Habitica through the UI is not the most effective or pleasant experience (although tools like Trello or Jira are hardly better). Editing a single, simple text file, whether formatted as Markdown or not, is much easier and gives a better overview (at...
- 2024-07-05 Track your performance using Habitica, Timestream and Grafana
Habitica is an excellent tool for keeping yourself on track with what you planned. Although it doesn't work for everyone, it is nevertheless worth trying. (This is my third attempt at using Habitica and it seems to be working, with my longest streak so far at 949 days.) As discussed in...
- 2024-06-30 Use AWS Serverless to sell items in Habitica
I use Habitica daily. It is a very strong motivator to keep me on track with my daily tasks. However, I already collected all the free pets and mounts and so I don't need most of the items I collect. Selling them is a pain as you have to sell...
- 2024-06-18 How I configured YubiKey to sign and decrypt emails on Mac
As you can see on my "resume" page, I uploaded my public key for encrypting emails back when I was starting this website. However, moving a private key from one place to another is never a good option. My YubiKey cost me 55€ and I barely use it for FIDO/U2F. Why not...
- 2024-05-25 AWS Storage Gateway for Home Backups
World Backup Day is long behind us, but it's never too late. I was thinking about methods to back up my data at home. I have some USB disks and old computers that still contain some data - maybe valuable, maybe not. The usual cloud solutions might be of decent price -...
- 2024-04-03 Multi-Account/Environment DNS Zones
One of the best practices for running and developing a service is to separate each environment into its own account. AWS Organizations makes this easy. However, we often see examples where environment names are subdomains of our product's domain, such as `dev.example.com` or `staging.example.com`. Let's...
- 2024-03-11 Lambda@Edge: Select test origin or stick to the old
Last Friday I joined the live stream of AWS Power Hour: Architecting Professional Season 2. As in every episode, we went through some example questions. I decided to take one of them and implement a working solution. The question I picked states: there's a company that uses CloudFront to host...
- 2024-03-01 NAT Instance on AWS - Update with Amazon Linux 2023 (ft CodeBuild and Terratest)
In one of my previous posts I wrote how to create a NAT instance on AWS to save on NAT Gateway costs. However, there were a few issues with that solution: it worked only for one subnet, it didn't work on Amazon Linux 2023 and it didn't persist its state (a reboot makes...
- 2024-02-10 Let's Play Machine Learning
I came to the conclusion that a thing that is not written down and explained is not learned. So, as I am preparing for AWS MLS-C01, I need to refresh my modest machine learning knowledge and expand it further. I decided to go with an exercise where I...
- 2024-01-13 Athena Workgroups and Lake Formation
In this post I would like to explore the possibilities of Athena Workgroups and Lake Formation to control costs and access to data in S3. We will implement a limit on the amount of data scanned by Athena and hide some columns and rows from the user via Lake Formation...
- 2023-12-31 A year of blogging
In January 2023 I decided to start writing a technology blog, mostly about my professional field, which is DevOps, Cloud and Infrastructure. I had had this idea in mind for some time but was hesitant to act on it. My greatest fear was writing something stupid. I decided to ask colleagues...
- 2023-12-23 Aurora Backtracking Demo
Amazon Aurora has a great feature that can save you hours of recovery from a backup when you need to quickly restore a database. Backtracking lets you do point-in-time recovery within the same cluster. The only downside is the need to reconnect. However, what if we rewind our database...
- 2023-12-03 Easy MFA in AWS CLI, Terraform and others - Bash Script
Multi-factor authentication is a must-have for any serious developer and administrator. It's Security 101: you should always use a second factor if the service offers one. This is true for AWS as well, and not only in the Management Console. AWS STS offers time-limited tokens that can be configured (with the power...
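The mechanism the excerpt above refers to is `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <otp>`, which trades a long-lived IAM user key plus a one-time code for temporary credentials. The post itself wraps this in a Bash script; the following is an added example in Python, not the post's code, that shows the other half of the job: turning the STS JSON response into a named profile that the AWS CLI, Terraform and SDKs pick up via `AWS_PROFILE`, and refusing to reuse the profile once the token has expired. The profile name `mfa`, the credentials file path, and the sample STS response (constructed, with fake key material in AWS's documented placeholder format) are assumptions for this example.

```python
"""Added example: store an MFA session token from STS as an AWS CLI profile.

Not the post's Bash script. The profile name, file path and the sample STS
response below are assumptions; the CLI flags used in main() are the real
`aws sts get-session-token` options.
"""
import configparser
import json
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of what `aws sts get-session-token --output json` returns.
# The key material is fake and follows AWS's documentation placeholders.
SAMPLE_STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEExampleSessionTokenNotReal==",
        "Expiration": "2024-12-03T23:15:00+00:00",
    }
})


def parse_sts_credentials(raw_json):
    """Map the STS response onto the keys a ~/.aws/credentials profile uses.

    The expiration is kept (as ISO 8601, UTC) so the profile can later be
    checked for staleness without another STS call.
    """
    creds = json.loads(raw_json)["Credentials"]
    expiration = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": expiration.astimezone(timezone.utc).isoformat(),
    }


def write_profile(credentials_path, profile, creds):
    """Create or overwrite `[profile]` in the credentials file, keeping other
    profiles intact, and restrict the file to the owner (secrets live in it)."""
    path = Path(credentials_path)
    cfg = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    cfg.read(path)
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    for key, value in creds.items():
        cfg.set(profile, key, value)
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        cfg.write(fh)
    path.chmod(0o600)
    return path


def profile_is_valid(credentials_path, profile, now=None):
    """True if the profile exists and its stored expiration is still ahead.

    STS rejects expired tokens anyway, but checking locally lets a wrapper
    script prompt for a new OTP before running e.g. `terraform plan`.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(credentials_path)
    if not cfg.has_option(profile, "expiration"):
        return False
    expiration = datetime.fromisoformat(cfg.get(profile, "expiration"))
    now = now or datetime.now(timezone.utc)
    return now < expiration


def main():
    # Usage: python mfa_profile.py <mfa-device-arn> <otp-code> [duration-seconds]
    # Runs the real CLI call using your long-lived default profile, then stores
    # the temporary credentials under the assumed profile name `mfa`.
    serial, code = sys.argv[1], sys.argv[2]
    duration = sys.argv[3] if len(sys.argv) > 3 else "3600"
    out = subprocess.run(
        ["aws", "sts", "get-session-token", "--serial-number", serial,
         "--token-code", code, "--duration-seconds", duration, "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    creds_file = Path.home() / ".aws" / "credentials"
    write_profile(creds_file, "mfa", parse_sts_credentials(out))
    print(f"profile 'mfa' valid until {parse_sts_credentials(out)['expiration']}")


if __name__ == "__main__":
    main()
```

After the profile is written, `AWS_PROFILE=mfa aws s3 ls` or `AWS_PROFILE=mfa terraform plan` uses the temporary credentials without any changes to the tooling, and a wrapper can call `profile_is_valid` first to decide whether to ask for a fresh OTP. The IAM policies attached to the user can then require `aws:MultiFactorAuthPresent` for anything sensitive, so the long-lived key alone is of little use to whoever finds it in a leaked dotfile.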
- 2023-11-21 I want to migrate to Aurora but I chose MariaDB. What now?
We all have been there. Well, not exactly, some of us planned ahead to keep the options open. But we all feared Oracle and wanted to jump to MariaDB. And now we learned about all the benefits of Aurora and we are still on this RDS, the button for "Create...
- 2023-11-10 CloudWatch Metrics? No, thank you. Timestream (feat CloudFormation)!
Ok, Hashi, that's it. I'm giving up Terraform. And even OpenTofu doesn't taste now. Amazon convinced me. CloudFormation is the leader of Infrastructure as Code. But today, I'll break even more rules. CloudWatch Metrics? Nah, let's put our CPU and Memory usage into Timestream. Because why not? Having a graph...
- 2023-10-31 Profiling AWS DocumentDB
MongoDB is a NoSQL database that has long been used as the primary database of many web applications. AWS offers a managed MongoDB-compatible solution called DocumentDB. It is highly available, read capacity is easy to scale horizontally, and storage can scale automatically. However, even with those features, we are still...
- 2023-10-21 AWS S3 Logging Options - CloudTrail and Server Access Logs
As preparation for the SCS-C02 exam, some questions came up for me regarding S3 access logging. Are anonymous requests logged? Are website requests logged? Are CloudFront requests logged? I wanted to test it out to see whether CloudTrail data events and Server Access Logging collect all those events or are...
- 2023-10-10 Slim app for getting SSE-C encrypted files from S3 in Go
In one of the [previous posts](https://pabis.eu/blog/2023-09-11-Slim-SSM-Parameter-Store-Go.html), we implemented a small application in Go that was helpful for downloading configuration files from SSM Parameter Store. However, SSM parameters are limited to 4 KB, or 8 KB with the Advanced tier. To solve this problem, today we will implement a similar application that will download...
- 2023-10-01 Recover SSH Access on AWS EC2 Instance
I recently started studying for the AWS Security Specialty with Stephane Maarek's course and was surprised that such a basic problem as losing SSH access was not required knowledge for SysOps Administrator. However, it was exciting to see all the possible methods that are available to resolve this issue. Today, I will try...
- 2023-09-21 AWS Image Builder by example with Terraform
AWS Image Builder is a service that allows you to create AMIs using a recipe - a step-by-step pipeline that applies different "components" to the image and performs tests at the end. Pipelines that perform recipes can be scheduled to run on different dates and the resulting AMIs can be...
- 2023-09-11 Slim app for getting SSM Parameters in Go
We often use Alpine Linux for our containers. It's small and has a small memory footprint, so it is perfect for containers. However, if we want to interface with AWS services, we either have to use the SDK, the HTTP API or the AWS CLI. The AWS CLI weighs a bit (200MB),...
- 2023-09-01 Format EBS disk with User Data
Additional block volumes in AWS EC2 are not deleted by default (although root volumes can also be marked to be retained). It is a good practice to keep data that we want to preserve, such as MySQL database files, on a separate volume. However, when creating things with IaC solutions...
- 2023-08-22 Track your Google Play metrics with Grafana - Part 2
Previously we have created a Python script that pulls data from Google Play Developer Console. The repository contained a main function that used Prometheus client to expose the metrics under `/metrics` endpoint. Today, I will explain it and we will further develop the project by putting it inside a container...
- 2023-08-12 Track your Google Play metrics with Grafana
Feel the excitement. Just connect the API, place a TV or a monitor in a visible place at your home or office and stare at the graphs. Is my update liked? Are people reaching my product? What are the sentiments about the latest app I released? Grafana is a...
- 2023-08-02 Nextcloud on Elastic File System and Elastic Container Service
When preparing for the AWS SysOps Associate certification, I wondered how I could learn more about some of the components I had never used. I decided to use Elastic File System, which is an elastically growing, managed NFS service. We recently ran out of space on our Nextcloud instance's EBS volume, so...
- 2023-07-21 Testing AWS Lambda Infinite Loop Protection
Not so long ago AWS announced that Lambda functions will be stopped if they run infinitely or excessively in a loop. A common cause is a Lambda function that is invoked from an SQS queue or SNS topic and submits a message back to the same queue or topic. There are...
- 2023-07-11 Create and run pipelines with GitLab API
Sometimes we have projects that take long to build or that don't need builds very often. We want the automated builds, but only on demand. In GitLab we can set the job to manual. However, if we create jobs for each branch, the list of new pipelines will...
- 2023-07-01 How to tag S3 objects that were uploaded with presigned URL
When we generate a presigned URL for S3 uploads there's not much we can set in advance. We can set the key and some metadata like `Content-Type` and `Content-Disposition`. What if we wanted to specify some metadata that cannot be set in advance? In this example the user will first create a...
- 2023-06-21 How to share files from PHP Docker image to Nginx
If we are given an image with a packaged PHP application that also contains static resources like images or plain HTML files, we would like to serve them directly, without involving PHP-FPM. On a single instance, whether it is a container or a VM, it is easy - we just point...
- 2023-06-11 NAT Instance on AWS from scratch
It's obvious that one of the best practices in terms of security is to deploy some of your instances in a private subnet, where the outside world can't access them directly. They should be hidden behind a load balancer or some other instance. However, that prevents the instance from accessing the...
- 2023-05-31 Follow best practices with AWS Config and Security Hub
Configuring a cloud environment is not an easy task. Even though a lot of the effort has been taken off ops engineers' plates, it still takes a lot to ensure that our systems are configured correctly and, more importantly, securely. Today, let me introduce you to AWS Config and AWS Security Hub. ...
- 2023-05-21 Functionality decoupling into microservices - part 5
Previously we created a passthrough in our monolith service into the fruits microservice. This is useful for users that still use the old endpoints, the old frontend. However, in order to save on bandwidth, we prefer for the users to call the microservice directly. For that we will change our...
- 2023-05-11 Functionality decoupling into microservices - part 4
In the previous post we implemented the Fruits microservice. However, it is still not delivered to our users. To make everything as smooth as possible, we will keep the current monolith endpoints and route them to the microservice - implementing a strangler pattern [^1]. In the future, we plan to...
- 2023-05-01 Scan OS of your EC2 instances with Trivy
Today we will create a simple routine for scanning our instances using [Trivy](https://aquasecurity.github.io/trivy/). It is a quite lightweight tool for discovering vulnerabilities, stored secrets and other security concerns in the given targets. It can scan files in the filesystem, Docker images, and even AWS infrastructure. In this post we will...
- 2023-04-22 Functionality decoupling into microservices - part 3
In today's post we will focus on splitting the code from the monolith into an actual separate service. Previously we have already prepared the new database (Redis) and migrated the table from the old SQLite database. Code for the monolith version in the previous post is tagged as [`1.1`...
- 2023-04-12 Functionality decoupling into microservices - part 2
In the previous post we discussed and designed how we want to split our monolith service into independent `accounts` and `fruits` services. There are multiple approaches to do it. Let's go with the data-first approach. Using this technique, we migrate the data first and during code implementation,...
- 2023-04-02 Zero-Downtime Deployments with Ansible and EC2? Yes, please!
Deploying with Ansible is easy. Just copy files over, restart services, and observe a new version of the app. But that might break some connections if some user was just waiting for the server's response. What to do then? Base infrastructure...
- 2023-03-23 Functionality Decoupling into a Microservice by a simple example
This post will be more of a hypothetical deliberation on splitting a monolith. I have stumbled multiple times upon software that was logically split in code into separate modules and programs but still used the same database, often reading from and writing to common tables. Today, using a simple example we...
- 2023-03-13 Monitor recency of your systems with CloudWatch
In the previous post we created a Datadog check and monitor to keep track of how many packages can be upgraded on our systems, when was the last time we rebooted the system and what is the major release of the operating system. Today, we will replicate the same metrics...
- 2023-03-03 Monitor if your systems are up to date with Datadog
Updating your systems, especially those that are constantly connected to the Internet, is very important from a security standpoint. Currently, the state-of-the-art, cloud-native solution is to use containers and orchestrators such as Docker and Kubernetes. There's also the option to use virtual machines and images, made with Packer...
- 2023-02-21 Deploy SmartFox Server using Ansible - Part 4
In this post we will go through the process of converting the playbook from the previous posts into a reusable role. At the last step, we will go through the process of publishing the role in Ansible Galaxy. The finished process is [available here](https://galaxy.ansible.com/ppabis/smartfox). ...
- 2023-02-11 Scheduled sslscan with GitLab and Docker
In this post, we will schedule a scan of our website with `sslscan` using GitLab CI and Docker. We will use a custom Docker image to run the scan and store the results in a file, and then add a stage to analyze the results from the scan...
- 2023-02-01 Deploy SmartFox Server using Ansible - Part 3
Previously we adapted our playbook to configure more aspects of SmartFox like ports, copying Zone files and extensions. In this post, let's make the playbook support more platforms, namely RedHat based systems, like AlmaLinux, and ARM CPU systems, like AWS Graviton. We will also fix an issue where SmartFox archive...
- 2023-01-20 Deploy SmartFox Server using Ansible - Part 2
In the previous post, we created a playbook with which we could deploy SmartFox server on a Debian/Ubuntu machine. It contained basic configuration like admin username, password and SSL certificate parameters. In this part, we are going to extend the playbook and make it more configurable. If you didn't...
- 2023-01-02 Deploy SmartFox Server using Ansible - Part 1
SmartFoxServer is a framework for building backends for online games. It lets game developers focus on the gameplay, while SmartFox takes care of connections, authentication, room management, in-game chat, etc. It is very simple to install and configure. I shouldn't need to introduce Ansible...
- 2023-01-01 Scared of terraform apply? Use AWS Organizations!
So you got your new job as the sole DevOps Engineer. Congratulations! For the first months you roam around your company's AWS. You see all the manually created EC2 instances, RDS databases, Elastic Load Balancers, etc. Well, they say a better practice is to use Infrastructure as Code than to...