AWS CDK and python package overview

Why AWS CDK:

‌

AWS Cloud Development Kit (AWS CDK) :‌

So Cloudformation does still have two disadvantages over terraform ‌

1. Closed Source
2. AWS provider native

But the biggest disadvantaqe of not actually being Infrastructure as CODE and state management. That’s gone for good thanks to AWS CDK.

‌

You can use the AWS CDK to define your cloud resources in a familiar programming language. The AWS CDK supports TypeScript, JavaScript, and Python.‌

Advantages of AWS CDK:

‌

• AWS CDK is open source
• Use logic (if statements, for-loops, etc) FINALLY!!
• object-oriented techniques to create a model of your system
• Organize your project into logical modules
• Share and reuse your infrastructure as a library
• Use your existing code review workflow
• State management ( diff against a deployed stack to understand the impact of a code change)

There is no charge for using the AWS CDK, however you might incur AWS charges forcreating or using AWS chargeable resources

‌

Prerequisites:

The AWS CDK is developed in TypeScript and transpiled to JavaScript. Bindings for the other supported languages make use of the AWS CDK back-end running on Node.js

‌

• Node.js (>= 8.11.x)
• You must specify both your credentials and an AWS Region to use the AWS CDK CLI

‌

Installation and Configuration needed

‌

Installation

‌

First install the aws-cdk package‌

npm install -g aws-cdk‌

Then check the cdk version with:

cdk --version‌

AWS Configuration:

‌

The CDK looks for credentials and region in the following order:‌

• Using the –profile option to cdk commands.
• Using environment variables.
• Using the default profile as set by the AWS Command Line Interface (AWS CLI)

‌

Concepts:

‌

The main concepts to know are constructs,app,stack,resources. Lets look at them one by one.‌

Constuct:

‌

Constructs are the basic building blocks of AWS CDK apps. A construct represents a “cloud component” and encapsulates everything AWS CloudFormation needs to create the component.‌

• can represent a single resource, such as an Amazon Simple Storage Service (Amazon S3) bucket, or
• it can represent a higher-level component consisting of multiple AWS CDK resources.
• The AWS CDK includes the AWS Construct Library, which contains constructs representing AWS resources.
• Constructs are classes that extend the base Construct class. After you instantiate a construct, the construct object exposes a set of methods and properties that enable you to interact with the construct and pass it around as a reference to other parts of the system.

‌

There are 3 different levels of AWS construct:‌

• low-level constructs, which we call CFN Resources. These constructs represent all of the AWS resources that are available in AWS CloudFormation.
• The next level of constructs also represent AWS resources, but with a higher-level, intent-based API. They provide the same functionality, but handle much of the details, boilerplate, and glue logic required by CFN constructs.
• The AWS Construct Library includes even higher-level constructs, which we call patterns. These constructs are designed to help you complete common tasks in AWS, often involving multiple kinds of resources.

‌

Composition:

‌

• The key pattern for defining higher-level abstractions through constructs is called composition. A high-level construct can be composed from any number of lower-level constructs, and in turn, those could be composed from even lower-level constructs.
• To enable this pattern, constructs are always defined within the scope of another construct. This scoping pattern results in a hierarchy of constructs known as a construct tree.
• In the AWS CDK, the root of the tree represents your entire AWS CDK app. Within the app, you typically define one or more stacks, which are the unit of deployment, analogous to AWS CloudFormation stacks.
• Within stacks, you define resources, or other constructs that eventually contain resources.Composition of constructs means that you can define reusable components and share them like any other code.

‌

Construct’s have 3 parameters:‌

• scope – The construct within which this construct is defined. You should almost always passthis for the scope, because it represents the current scope in which you are defining the construct.
• id – An identifier that must be unique within this scope. The identifier serves as a namespace for everything that’s encapsulated within the scope’s subtree and is used to allocate unique identities such as resource names and AWS CloudFormation logical IDs.
• props – A set of properties or keyword arguments, depending upon the supported language,that define the construct’s initial configuration. I

‌

App:

‌

All constructs that represent AWS resources must be defined, directly or indirectly, within the scope of a Stack construct.‌

Stacks

‌

The unit of deployment in the AWS CDK is called a stack. All AWS resources defined within the scope of a stack, either directly or indirectly, are provisioned as a single unit.‌

When you run the cdk synth command for an app with multiple stacks, the cloud assembly includes a separate template for each stack instance. ‌

This approach is conceptually different from how AWS CloudFormation templates are normally used, where a template can be deployed multiple times and parameterized through AWS CloudFormation parameters.‌

Environments:

‌

Each Stack instance in your AWS CDK app is explicitly or implicitly associated with an environment (env). An environment is the target AWS account and AWS Region into which this stack needs to be deployed.‌

if you don’t specify an environment when you define a stack, the stack is said to be environment agnostic.‌

When using cdk deploy to deploy environment-agnostic stacks, the CLI uses the default CLI environment configuration to determine where to deploy this stack. ‌

For production systems, we recommend that you explicitly specify the environment for each stack in your app using the env property.‌

practical:

‌

1. Initialize a python cdk app

cdk init --language python

‌

2. Create a virtual environment

python3 -m venv .env
source .env/bin/activate

‌

3. Install all the packages

pip install -r requirements.txt

‌

This would be the initial folder structure:

‌

Lets have a look at app.py

#!/usr/bin/env python3
from aws_cdk import core

from aws_cdk_example.aws_cdk_example_stack import AwsCdkExampleStack

app = core.App()AwsCdkExampleStack(app, "aws-cdk-example")
app.synth()

‌

Important parts of the code:

‌

1. from aws_cdk import core Used to import the core cdk package
2. from aws_cdk_example.aws_cdk_example_stack import AwsCdkExampleStack app = core.App()AwsCdkExampleStack(app, “aws-cdk-example”)

‌

This section is to import our stack app package created during init and then initialze the app and give it a name. You can customize it to use in different accounts and regions during deployments like this:

new MyStack(app, 'Stack-One-W', { env: { account: 'ONE', region: 'us-west-2' }}); ##in codecdk 
deploy Stack-Two-W ## during deploying

‌

3. app.synth() to create a cfn template of this.‌

Lets modify the code to create a bucket. But first lets install the package for S3.‌

pip install aws-cdk.aws-s3‌

‌ Now the new code will look like this:

 #!/usr/bin/env python3
 
from aws_cdk import (
    aws_s3 as s3,
    core
)
 
from aws_cdk_example.aws_cdk_example_stack import AwsCdkExampleStack
 
class AwsCdkExampleStack(core.Stack):
    def __init__(self, scope: core.App, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        bucket = s3.Bucket(self, 
        "MyFirstBucket", 
        bucket_name='my-bucket-sdfgdhbfghfjg',
        versioned=True)
 
        
 
 
 
app = core.App()
AwsCdkExampleStack(app, "aws-cdk-example")
 
app.synth() 

Just added a class (Thanks to the github python cdk examples>> Their documentation still needs some work) but the main part is this.

‌ bucket = s3.Bucket(self, 
        "MyFirstBucket", 
        bucket_name='my-bucket-sdfgdhbfghfjg',
        versioned=True) 

• Bucket is a construct. This means its initialization signature has scope, id, and props and it is a child of the stack.
• MyFirstBucket is the id of the bucket construct, not the physical name of the Amazon S3 bucket. The logical ID is used to uniquely identify resources in your stack across deployments.
• bucket_name parameter is used to give the bucket a name.

‌

Lets start with the commands‌

cdk ls To view the stacks‌

You should be able to view the stacks you will be creating aws-cdk-example in my case‌

cdk synth to view the cloudformation template that will be created from this code.

‌

cdk deploy to deploy the stack

‌

You will be able to see the changes in the cloudformation console and the bucket will also be created.

‌

Now this is the MOST INTERESTING THING about cdk and gives a tough to Terraform.‌

Although there was drift management in Cloudformation it did not compare to terraform state‌

Here comes cdk diff‌

Lets modify the code a bit to add KMS protection to the bucket

bucket = s3.Bucket(self,         "MyFirstBucket",         bucket_name='my-bucket-sdfgdhbfghfjg',        versioned=True,        encryption=s3.BucketEncryption.KMS_MANAGED,)

‌

Now run cdk diff

‌

You will see that it actually tracks that resource and shows what is going to change!! Somewhat similar to terraform state.‌

Now lets deploy this new change using cdk deploy

‌

Thats it!! ofcourse this is just the tip of the iceberg about how powerful this thing is .Essentially it can do everything that Cloudformation could do and more!!‌

Lets destroy the stack using cdk destroy

‌

It will ask for your permission before deleting . Press ‘y’ and the whole stack will be deleted. I have some plans for how to use this as this is python and I can leverage my python skills to create maybe a form type app which will create a IAC cfn template based on the inputs ( Ofcourse its done already 🙂 https://github.com/tongueroo/lono) But I can still do it as a personal project

Docker Swarm Part 2: HTTPS Nginx reverse proxy to the API

So in Part 1 , I covered the basics of Docker Swarm and created a working swarm cluster with 1 master 2 slave nodes. But with just one service, My API container.‌

So in this part I will create another service which will be a Nginx reverse proxy for the API service. Here we go !

Setting up three servers in the swarm, 2 slaves 1 master

​​‌

NGINX config file setup for reverse proxy

‌

This is the nginx config file to reverse proxy to the api container.

‌ worker_processes 1;
events { worker_connections 1024; }
 
http {
 
    
 
    upstream docker-awsapi {
        server awsapi:8080;
    }
 
 
    server {
        listen 80;
        listen 443 ssl;
 
        ssl_certificate     /etc/nginx/awsapi.com.crt;
        ssl_certificate_key /etc/nginx/awsapi.com.key;
        server_name awsapi.com;
        location / {
            proxy_pass         http://docker-awsapi;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        }
    }
 
 
}
‌
 

Going through some important blocks in the configuration file:‌

Upstream awsapi:

‌ upstream docker-awsapi {
        server awsapi:8080;
    }
    

This parameter is mostly used for load balancing in Nginx. For example:

‌ http {
    upstream myapp1 {
        server srv1.example.com;
        server srv2.example.com;
        server srv3.example.com;
    }
 
    server {
        listen 80;
 
        location / {
            proxy_pass http://myapp1;
        }
    }
} 

In the example above, there are 3 instances of the same application running on srv1-srv3. When the load balancing method is not specifically configured, it defaults to round-robin. All requests are proxied to the server group myapp1, and nginx applies HTTP load balancing to distribute the requests.‌

Ports to listen and https certificate location

‌         listen 80;
        listen 443 ssl;
 
        ssl_certificate     /etc/nginx/awsapi.com.crt;
        ssl_certificate_key /etc/nginx/awsapi.com.key;
        server_name awsapi.com; 

Here, in the first two lines we are listening on port 80 and port 443 respectively. The later will be used for https purposes. Next we have the ssl certificate location and the ssl key location (More on this later). Lastly we have a server name: awsapi.com in this case.‌

Mentioning reverse proxy to api server

‌ location / {
            proxy_pass         http://docker-awsapi;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        } 

In these lines we mention the proxy_pass to be the upstream server we mentioned above.‌

Now that the configuration file for nginx cotainer as reverse proxy is made. Lets create certificated cert and private key files to make the nginx container https.‌

Here’s how I have kept the structure for the code:

Create cert file and key ‌

openssl req -newkey rsa:2048 -nodes -keyout nginx/awsapi.com.key -x509 -days 365 -out nginx/awsapi.com.crt‌

You will have to fill in the following questions;‌

1. Country Name (2 letter code)
2. State or Province Name (full name)
3. Locality Name (eg, city)
4. Organization Name (eg, company)
5. Organizational Unit Name (eg, section)
6. Common Name (eg, fully qualified host name)
7. Email Address

‌

Once done your folder structure should look like this:

‌This is a self-signed certificate so its not a production solution perse. You will need a CA for a valid certificate. Letsencrypt and certbot is an excellent solution to it but I was unable to use it due to not having a url yet. But will definitely recommend it over a self signed certificate.

Adding service in docker compose file:

‌

This was the previous docker-compose file:

‌ version: '3.0'
 
 
 
 
services:
 
  awsapi:
 
    image: darshanraul/awsapi:latest
 
    container_name: awsapi
 
    deploy:
 
      replicas: 4
 
    ports:
 
      - "80:8080"
 
    networks:
 
      - sample_network_name
 
networks:
 
  sample_network_name: 

There was just one service with four replicas.

This is the new docker-compose.yml.

 version: '3'
  
services:
    reverseproxy:
        image: nginx:alpine
        #container_name: reverseproxy
        ports:
            - 80:80
            - 443:443
        deploy:
          replicas: 4
        volumes:
          - ./nginx/nginx.conf:/etc/nginx/nginx.conf
          - ./nginx/awsapi.com.crt:/etc/nginx/awsapi.com.crt 
          - ./nginx/awsapi.com.key:/etc/nginx/awsapi.com.key
        networks:
          - aws_network
 
        restart: always
 
    awsapi:
        depends_on:
            - reverseproxy
        #container_name: awsapi
        image: darshanraul/awsapi
        deploy:
          replicas: 4
        restart: always
        networks:
          - aws_network
 
networks:
  aws_network: 

Lets look at the main parts of the new service added: reverseproxy

 volumes:
          - ./nginx/nginx.conf:/etc/nginx/nginx.conf
          - ./nginx/awsapi.com.crt:/etc/nginx/awsapi.com.crt 
          - ./nginx/awsapi.com.key:/etc/nginx/awsapi.com.key 

Here Iam attaching the certificate files and the configuration file to their respective locations on the container.

   ports:
            - 80:80
            - 443:443 

Adding the port 443 for HTTPS connections.

Lets run the swarm now.

On completetion you can see the services using docker service ls

As you can see there are 2 services now api server and the reverseproxy. The replica count is 4 for both . This means that the tasks will be distributed across the slaves and master node.

To check the tasks running for a service, use docker service ps <service_id>

Its working 🙂 Now the only caveat here is that because the nginx conf files and cert keys are not in slave servers the reverse proxy service is not able to mount those files there. There ofcourse is a workaround this > creating a image , push it to a private remote repo and then use it.

But I will be trying for a better solution.

Terraform Overview

‌

• The main purpose of the Terraform language is declaring resources. All other language features exist only to make the definition of resources more flexible and convenient.

• A group of resources can be gathered into a module, which creates a larger unit of configuration.

• A resource describes a single infrastructure object, while a module might describe a set of objects and the necessary relationships between them in order to create a higher-level system.

• A Terraform configuration consists of a root module, where evaluation begins, along with a tree of child modules created when one module calls another.

• A module is a collection of .tf or .tf.json files kept together in a directory. The root module is built from the configuration files in the current working directory when Terraform is run, and this module may reference child modules in other directories, which can in turn reference other modules, etc.

• CLI cheatsheet:

​https://github.com/scraly/terraform-cheat-sheet/blob/master/terraform-cheat-sheet.pdf​

‌

Blocks

‌

are containers for other content and usually represent the configuration of some kind of object, like a resource. Blocks have a block type, can have zero or more labels, and have a body that contains any number of arguments and nested blocks. Most of Terraform’s features are controlled by top-level blocks in a configuration file.

‌

Arguments

‌

assign a value to a name. They appear within blocks.

‌

Expressions

‌

represent a value, either literally or by referencing and combining other values. They appear as values for arguments, or within other expressions.

‌

RESOURCE SYNTAX:

resource “aws_instance” “web” {

ami = “ami-a1b2c3d4”

instance_type = “t2.micro”

}

‌

A resource block declares a resource of a given type (“aws_instance”) with a given local name (“web”).

The name is used to refer to this resource from elsewhere in the same Terraform module, but has no significance outside of the scope of a module.

👍 Resource names must start with a letter or underscore, and may contain only letters, digits, underscores, and dashes.

‌

Meta-Arguments

‌

Terraform CLI defines the following meta-arguments, which can be used with any resource type to change the behavior of resources:

‌

• depends_on, for specifying hidden dependencies

• count, for creating multiple resource instances

• provider, for selecting a non-default provider configuration

• lifecycle, for lifecycle customizations

• provisioner and connection, for taking extra actions after resource creation

‌

Operation Timeouts

‌

Some resource types provide a special timeouts nested block argument that allows you to customize how long certain operations are allowed to take before being considered to have failed.

‌

Each of these arguments takes a string representation of a duration, such as “60m” for 60 minutes, “10s” for ten seconds, or “2h” for two hours.

resource “aws_db_instance” “example” {

# …

​

timeouts {

create = “60m”

delete = “2h”

}

}

‌

Input Variables

‌

Input variables serve as parameters for a Terraform module, allowing aspects of the module to be customized without altering the module’s own source code, and allowing modules to be shared between different configurations.

variable “image_id” {

type = string

description = “The id of the machine image (AMI) to use for the server.”

}

​

variable “availability_zone_names” {

type = list(string)

default = [“us-west-1a”]

}

The label after the variable keyword is a name for the variable, which must be unique among all variables in the same module.

‌

Assigning Values to Root Module Variables

‌

• Variables on the Command Line

‌

To specify individual modules on the command line, use the -var option when running the terraform plan and terraform apply commands:

terraform apply -var=”image_id=ami-abc123″

terraform apply -var=’image_id_list=[“ami-abc123″,”ami-def456”]’

terraform apply -var=’image_id_map={“us-east-1″:”ami-abc123″,”us-east-2″:”ami-def456”}’

‌

Variable Definitions (.tfvars) Files

‌

To set lots of variables, it is more convenient to specify their values in a variable definitions file (with a filename ending in either .tfvars or .tfvars.json) and then specify that file on the command line with -var-file:

terraform apply -var-file=”testing.tfvars”

‌

A variable definitions file uses the same basic syntax as Terraform language files, but consists only of variable name assignments:

image_id = “ami-abc123”

availability_zone_names = [

“us-east-1a”,

“us-west-1c”,

]

‌

Terraform loads variables in the following order, with later sources taking precedence over earlier ones:

‌

• Environment variables

• The terraform.tfvars file, if present.

• The terraform.tfvars.json file, if present.

• Any *.auto.tfvars or *.auto.tfvars.json files, processed in lexical order of their filenames.

• Any -var and -var-file options on the command line, in the order they are provided. (This includes variables set by a Terraform Enterprise workspace.)

‌

Output Values

‌

Output values are like the return values of a Terraform module

output “instance_ip_addr” {

value = aws_instance.server.private_ip

description = “The private IP address of the main server instance.”

depends_on = [

# Security group rule must be created before this IP address could

# actually be used, otherwise the services will be unreachable.

aws_security_group_rule.local_access,

]

}

‌

Local Values

‌

A local value assigns a name to an expression, allowing it to be used multiple times within a module without repeating it

locals {

service_name = “forum”

owner = “Community Team”

}

Local values can be helpful to avoid repeating the same values or expressions multiple times in a configuration, but if overused they can also make a configuration hard to read by future maintainers by hiding the actual values used.

‌

Modules

‌

A module is a container for multiple resources that are used together

‌

• Every Terraform configuration has at least one module, known as its root module, which consists of the resources defined in the .tf files in the main working directory.

• A module can call other modules, which lets you include the child module’s resources into the configuration in a concise way. Modules can also be called multiple times, either within the same configuration or in separate configurations, allowing resource configurations to be packaged and re-used.

‌

// Not quite having handson with modules yet. Will add more once I get to know how to really use it

‌

A complete example of a module following the standard structure is shown below. This example includes all optional elements and is therefore the most complex a module can become:

$ tree complete-module/

.

├── README.md

├── main.tf

├── variables.tf

├── outputs.tf

├── …

├── modules/

│ ├── nestedA/

│ │ ├── README.md

│ │ ├── variables.tf

│ │ ├── main.tf

│ │ ├── outputs.tf

│ ├── nestedB/

│ ├── …/

├── examples/

│ ├── exampleA/

│ │ ├── main.tf

│ ├── exampleB/

│ ├── …/

‌

Issues that can be faced

​https://github.com/hashicorp/terraform/issues/9712​

‌

References:

Ofcourse official documentation : https://www.terraform.io/docs/configuration/index.html​

‌

• ​https://medium.com/@mitesh_shamra/infrastructure-as-a-code-with-terraform-e7021bf28d7d​

• ​https://medium.com/@mitesh_shamra/state-management-with-terraform-9f13497e54cf​

• ​https://medium.com/@mitesh_shamra/manage-aws-vpc-with-terraform-d477d0b5c9c5​

• ​https://blog.gruntwork.io/how-to-create-reusable-infrastructure-with-terraform-modules-25526d65f73d​

• ​https://www.linode.com/docs/applications/configuration-management/create-terraform-module/​

• ​https://www.nearform.com/blog/writing-reusable-terraform-modules/​

Docker Swarm Part 1: Creating swarm from container image

I gave up on the idea of creating a container orchestrated API application because I would not prefer running the backend continuously so that the frontend web apps can get their responses. That is the reason I created a Serverless API backend.

But the container orchestration bug never left me. So heres another attempt to create a Container Orchestration with

1. My Container API image

2. Nginx proxy for my backend

3. Prometheus and Graphana to monitor the stack.

This will be a two part series. In first part I will just orchestrate my API container using Docker swarm. In part 2 I will expand the swarm and add monitoring services like Prometheus and Graphana.

https://dzone.com/articles/monitoring-docker-swarm

https://github.com/stefanprodan/swarmprom

Docker Swarm

A swarm is a group of machines that are running Docker and joined into a cluster. After that has happened, you continue to run the Docker commands you’re used to, but now they are executed on a cluster by a swarm manager. The machines in a swarm can be physical or virtual. After joining a swarm, they are referred to as nodes.

Implementation:

Create 3 instances: 1 master, 2 nodes

I created a 3 server instance group on GCP. You can use your local machine and use docker-machine instead. Steps

Creating docker-compose.yml file in master.

Before initiating the Swarm, We will first create a docker-compose file to define the services. Go to the instance you will be running as a swarm master and run vi docker-compose.yml

Enter this content and save the file.

version: '3.0'




services:

  awsapi:

    image: darshanraul/awsapi:latest

    container_name: awsapi

    deploy:

      replicas: 4

    ports:

      - "80:8080"

    networks:

      - sample_network_name

networks:

  sample_network_name:

Initializing the Swarm

On the instance you intend to be the swarm master, run docker swarm init

You should be seeing an output similar to docker swarm join --token <token>

Copy this and continue to the next step. Your current node is the Swarm master now.

Join the worker nodes

Go to the other 2 instances and paste the docker swarm join --token <token>

Your instances will now become the worker nodes in the swarm.

Deploying the stack on the swarm

Now our swarm is ready. You can check the master and worker node status using docker node ls

The * in front of the Id field represents the swarm node you are on.

Now lets deploy the stack. On the swarm master go to the folder where you created the docker compose file. Run docker stack deploy -c docker-compose.yml <stack_name>

Here are all the docker service commands:

Usage:  docker service COMMAND




Manage services




Commands:

  create      Create a new service

  inspect     Display detailed information on one or more services

  logs        Fetch the logs of a service or task

  ls          List services

  ps          List the tasks of one or more services

  rm          Remove one or more services

  rollback    Revert changes to a service's configuration

  scale       Scale one or multiple replicated services

  update      Update a service

List all the services created. In this case just one. You should be seeing that there are 4 replicas created. Lets see in which nodes they are created.

Run docker service ps <service_id>

You will be seeing all the running tasks of the service. tasks are nothing but containers running the service. In the NODE field. You will see that the tasks are running on different nodes of the Swarm. Mission Accomplished !

Scaling the Swarm

Now suppose you need to scale up the stack and run more tasks for a service. You simple use ` docker service scale "stack_id"="no of tasks"

In this case I scaled it to 7. You will see the progress as the service is scaled.

You can verify by running docker service ps <service_id> that there are 7 tasks running now.

Accessing the service

As the service tasks are running on multiple nodes. The exposed port 8080 is mapped to 80 on the external host. You can easily just go to the instance Ip address and check if the API is working.

1. Working on the Master instance IP

2. Working on the Node instance IP

Thats it for part 1. In part 2 I will be adding more services and also monitoring the stack.

AWS launches EC2 Instance Connect

I was always envious of GCP for their Compute instances had the facility to SSH to the instance from the Browser itself. It it this straight forward:

1. Launch a instance.
2. Connect to the instance through the browser window by clicking the SSH button.

 

But AWS EC2 instances always had to be connected using the private key’s from either Putty or Git Bash/MobaXtrem/Cygwin etc. The Java client connectivity option NEVER worked for me accross all browsers.

Enter AWS Instance Connect !

With EC2 Instance Connect, you can control SSH access to your instances using AWS Identity and Access Management (IAM) policies as well as audit connection requests with AWS CloudTrail events. In addition, you can leverage your existing SSH keys or further enhance your security posture by generating one-time use SSH keys each time an authorized user connects. Instance Connect works with any SSH client, or you can easily connect to your instances from a new browser-based SSH experience in the EC2 console.

Now these are the steps if you need to connect to your Ec2 instance :

1. Launch the instance in your preferred region following the standard steps.
2. I am using Amazon Linux 2 as it comes preconfigured with EC2 Instance Connect.
3. In other instances you will have to set it up. Its a one time step.
4. The following Linux distributions are supported for Instance Connect:
   • Amazon Linux 2 (any version)
   • Ubuntu 16.04 or later

     Steps on setting up

5. Once the instance is launched.
   1. Select the instance
   2. Click Connect button above.
   3. Select the EC2 instance connect option. In the Username let it be the default user name.
   4. Thats it. A new Browser window will appear. You have logged into the Instance !! without any of the ssh mess ! Easier and safer way right there.

 

For more Information :

Setting up instance Connect

How to connect using AWS EC2 Instance Connect

 

Creating my Portfolio Website using Gitfolio

A good portfolio website (darshan-raul.github.io) is something which is very essential to show the person in front of you the skills and the work you have done. It doesnot have to be fancy with crazy animations but it should also be engaging for the visitor to stay longer and maybe give you a job?? 😀

I write this blog and also have a couple of Github Projects I want to showcase. Ofcourse there a tons of templates freely availble on the internet which can be modified according to our taste and then published. But I needed something subtle and comprehensive.

Enter: Gitfolio

This tool was so useful in creating a boilerplate webpage showcasing all my github data and projects in a systematic matter. You can also customize the way the projects are sorted. You can choose between themes.

Its just a 3 step process:

1. Install gitfolio

npm i gitfolio -g

2. Build your gitfolio

gitfolio build <username>

<username> is your username on github. This will build your website using your GitHub username and put it in the /distfolder.

3. To run your website use run command

gitfolio run

4. Open your browser at http://localhost:3000

 

It is that straight forward. Ofcourse I made some modifications manually on the main html/css side and here is the result. Pure Black/white design 🙂

 

 

CI/CD on AWS Dashboard Web app using Jenkins

So the AWS dashboard project is now completely functional with backend API requests now working seamlessly. There was a CORS error which was holding back any progress but now that has been sorted. So now I built the code and deployed the code on a S3 bucket > converted to a Static website. Here it is:

www.awskonsole.ml

Here is the final architecture I intend with the app.

So I wanted to create a CI/CD pipeline wherein whenever I would commit the next major change on github, it should be built automatically and those /dist files should be uploaded to S3. Enter Jenkins 🙂

Creating a Jenkins Pipeline to build an Angular 7 project and deploy on S3 bucket as a static website:

‌

Prerequisites:

1. cloned Angular project: https://github.com/darshan-raul/awsdashboard

2. Jenkins Server/ubuntu with min 1gb ram configured with plugins [All suggested plugins + Blueocean,github ] https://linuxize.com/post/how-to-install-jenkins-on-ubuntu-18-04/

3. AWS cli installed and configured with a IAM user (Having S3FullAccess permissions) credentials.

4. Node Js / npm installed apt install npm nodejs

‌

Else you can use the following userdata/startup script (for ubuntu 18.04):

#! /bin/bash

sudo apt-get update

sudo apt install -y npm nodejs python-pip openjdk-8-jdk docker.io

wget -q -O - https://pkg.jenkins.io/debian/jenkins.io.key | sudo apt-key add -

sudo sh -c 'echo deb http://pkg.jenkins.io/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'

sudo apt update

sudo apt install jenkins

pip install awscli

sudo ufw enable

sudo ufw allow 8080

sudo ufw allow 22

‌

After this all you need to do is configure awscli and jenkins thats it.

‌

Steps:

 

1. Click on new item on the left side bar in Jenkins main dashboard and on the next page give the job a name.

2. Select the type as Pipeline.

‌

1. Give the job a description

2. This option determines when, if ever, build records for this project should be discarded. Build records include the console output, archived artifacts, and any other metadata related to a particular build.

3. Here you can mention the project url for the github project

‌

1. I am selecting the build periodically so that every 12 hours the job is run

2. You can choose the github hook trigger using Github plugin

3. or Poll SCM

‌

1. You can either choose to write the pipeline script here or choose the pipeline script from SCM option

2. Here you mention the pipeline script..else you can create one by using the Pipeline Syntax button given below

‌

Once done you can build the job and open blueocean and see the progress according to stage’s you set in pipeline syntax.

‌

After a while both the stages are built successfully and you can view the logs too.

‌

This was the code:

node {




   stage('Preparation') { 




      git 'https://github.com/darshan-raul/awsdashboard'




   }




   stage('Build') {

   dir("folder") {

        sh 'npm install'

        sh 'npm build --prod'

      }

    }




}

‌

1. In the preparation stage I am just cloning the repo in my workspace directory

2. In the Build stage I am changing the directory to the cloned repo and then running the npm install and npm build commands

‌

Now its time to add another stage where the code is deployed to S3 bucket:

‌

• In package.json of the Angular app , I have added a additional script to build as well as copy the files to S3 bucket where the static website is hosted.
• Make sure that you have AWS CLI installed on the Jenkins server configured with S3 full access user access keys.
• Try aws s3 ls to confirm.

‌

Now lets edit the JenkinsPipeline code.

node {




   stage('Preparation') { 

      git 'https://github.com/darshan-raul/awsdashboard'


    }

   stage('Build') {

      dir("awsdashboard") {

           sh 'pwd'

           sh 'npm install'


       }

   }

    stage('Deploy') {

       sh 'npm run deploy'

    }

}

‌

Build it and then you will see 3 stages now. Let the pipeline complete.

‌

This failed as for some reason even after configuring the correct AWS credentials the s3 upload command was failing.

‌

Enter S3 plugin.

‌

• In available plugins search for S3 and install S3 publisher.

‌

• Go to Manage jenkin’s > Configure System

‌

• Scroll Down to Amazon S3 profiles

‌

1. Give a profile name

2. Give Access key

3. Give Secret Access key and add profile

‌

Now configure the Pipeline job again and under the pipeline code, Click ‘pipeline syntax’ . It can be used to create pipeline code

‌

1. In sample step select S3upload

2. Select the S3 profile you created before

3. give the source folder

4. give the destination bucket

5. give the bucket region

‌

Copy the pipeline script that is created. Edit the pipeline script and build again.

‌

It runs smoothly 🙂

SSH Overview Part 1

This is the part 1 of a two part series on SSH. In this one Ill cover the basics of how to SSH. Not going into the fundamentals of it but in a practical way. Will cover SSH forwarding/agent/port forwarding and security features in the next part.

‌

man ssh

‌

NAME ssh — OpenSSH SSH client (remote login program)

‌

SYNOPSIS

 ssh [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file]

         [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address]

         [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]

         [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]

‌

• The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).

• SSH has a client/server architecture

• An SSH server program,typically installed and run by a system administrator, accepts or rejects incoming connections to its host computer. Users then run SSH client programs, typically on other computers, to make requests of the SSH server.

  All communications between clients and serversare securely encrypted and protected from modification.

‌

Remote Terminal Sessions with ssh

‌

ssh -i private_key user@ssh_server_ip or ssh -l pat shell.isp.com / ssh pat@shell.isp.com

‌

On first contact, SSH establishes a secure channel between the client and the server so all transmissions between them are encrypted. The client then prompts for your password, which it supplies to the server over the secure channel. The server authenticates you by checking that the password is correct and permits the login. All subsequent client/server exchanges are protected by that secure channel

‌

Using Public key authentication

‌

SSH includes an ability to authenticate users using public keys. Instead of authenticating the user with a password, the server will verify a challenge signed by the user’s private key against its copy of the user’s public key.

‌

Setting up public key authentication requires you to generate a public/private key pair and install the public portion on the server. It is also possible to restrict what a given key is able to do and what addresses they are allowed to log in from.

‌

There is one client machine and one ssh server.

‌

Generating a public/private keypair on the client:

1. ssh-keygen -t rsa you mention that the you want to use rsa algorithm to create the keypair (you can use dsa too but rsa is by default)

2. Provide a name to the keypair(Else the default id_rsa will be created in .ssh folder of user’s home folder)

3. For added security you can provide a passphrase (It should be minimum 5 character’s in length)

4. Finally if you are able to see this randomart image that means the keypair was created successfully.

‌

Now if you run ll the private and public key should be visible in the folder you ran the command in.

‌

You can also choose to move the keys in a seperate folder if you would like to.

‌

Copying the public key on the SSH server:

1. Move to the .ssh folder in the home folder of the user on ssh server

2. Edit the authorized_keys file and add the content of the public key created on client machine here.

3. Use cat authorized_keys to confirm the contents of the file.

‌

Connect from client to SSH server:

1. Use the command ssh -i <private key name> <user>@<ssh server ip>

2. The first time your client connects to a ssh server, it asks you to verify the server’s key.This is done to prevent an attacker impersonating a server, which would give them the opportunity to capture your password or the contents of your session. Once you have verified the server’s key, it is recorded by the client in ~/.ssh/known_hosts so it can be automatically checked upon each connection.

3. You should be on the ssh server now.

‌

Using Password based authentication:

‌

Ssh’ing to a server using public/private key is a preffered way, but using Password based authentication to SSH to a server is also prefered. Here are the steps:

‌

Configure password login on SSH server in sshd_config:

You will need to change the configuration of your ssh server. The file to be edited is sshd_config.

‌

These are the important parameters you should be aware of:

‌

1. Port: This is the field to specify the port you can use to ssh to the server.

2. AddressFamily is to specify if ipv4, ipv6 or any address types are allowed. ListenAddress specifies the local addresses sshd should listen on.

3. HostKey specifies a file containing a private host key used by SSH. It is possible to have multiple host key files. The default is /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_rsa_key .

4. LoginGraceTime time after which the server disconnects if the user has not successfully logged in. PermitRootLogin to allow “root” to login

5. PubkeyAuthentication field allows use of public key authentication we used before

6. PasswordAuthentication is used to enable/disable password based authentication.

   

   For more info refer : open-ssh options

‌

Change the PasswordAuthentication field to yes and also because in this case the user we are using is “root” find “PermitRootLogin” parameter and change its value from “prohibit-password” to “yes“ and save the file.

‌

Now create a password for the user. sudo passwd <user_name> If all works fine you should get the output: passwd: password updated successfully

‌

Next run sudo service sshd restart

‌

Lets try to ssh again to the SSH server but this time using Password based authentication.

‌

1. Go to the Client machine and use ssh <user_name>@<ssh_server_ip>

2. You will be prompted for a password you set for the user

‌

If all went perfect you should be able to login to the SSH server using password Based authentication.

‌

Executing commands remotely

‌

Now that we are able to ssh to the server.Lets try executing some commands on the ssh_server directly from the client machine.

‌

Format: ssh user@sshserver "command"

‌

First on the ssh server: 1. Create a directory called test_directory 2. Create a file called hello.txt

‌

Now on the client machine:

1. Run ssh <user_name>@<ssh_server_ip> "ls ~/test_directory

2. Enter the password when prompted

3. The command will be executed, in this case the ls command will view the file we just creted on the ssh server.

4. After the command is executed you are still in your client machine.

‌

This method is quite useful in scripts as you can execute commands on other server’s without the need to connect to them. You can also redirect the commands output and pipe it in a local command on your client machine.

Merging multiple Github repo’s into one – Submodule way

So I am creating a gitfolio site which will display all my public repositories in a nice UI. While creating it I realized that there are a lot of single program repositories (mostly written in python ) which can easily be merged into a single repository which I can name “python-scripts”. These are the steps I followed:

‌

Creating the Main repository and cloning it :

Created a new repo in github where all the repo’s will be stored

 

Copy this URL

 

clone the repo in your machine

 

‌

Now we are going to use a new git concept called as “submodule” . More here :https://git-scm.com/docs/git-submodule​

‌

Adding all the repo’s as submodule’s in this repo:

‌

Use the command

git submodule add <repo url>

‌

Now you will be able to see all the repo’s in seperate folders:

All the repos as folders in this main repo

‌

Commit everything and push to Github

‌

If you run git status after running the above command’s you should be able to see something like this:

‌

Its time to add all to stage and commit it.

‌

After git add . and git commit -m "added all repos"

‌

Your master branch must be clean in git status.

‌

Now just push it to github. git push origin master should do it if git is properly configured in your system.

All the repo’s will be in a single repo.

​

There are many other way’s to do this but this seemed straight forward 🙂

AWS Migration services

These are all the services which can be used to migrate your on premise or other CLoud platform resources to AWS.

‌

• AWS Migration Hub

• AWS Application Discovery Service

• AWS Database Migration Service

• AWS Server Migration Service

• AWS Snowball

• AWS Snowball Edge

• AWS Snowmobile

• AWS DataSync

• AWS Transfer for SFTP

‌

AWS Migration Hub:

‌

AWS Migration Hub provides a single location to track the progress of application migrations across multiple AWS and partner solutions. Using Migration Hub allows you to choose the AWS and partner migration tools that best fit your needs, while providing visibility into the status of migrations across your portfolio of applications.

‌

AWS Migration Hub provides a single place to monitor migrations in any AWS region where your migration tools are available. There is no additional cost for using Migration Hub. You only pay for the cost of the individual migration tools you use, and any resources being consumed on AWS.

‌

• This is how the main dashboard looks like:

‌

• You have two options to migrate:

  • Perform Discovery and Then Migrate

  • Migrate Without Performing Discovery

• Once you click on discovery first then this window appears. This is the flow in which the migration will be done. Click Use discovery tools

  ​

• Which should take you to these discovery tools. Discovery connector is for VMware machines.

• AWS Discovery Agent is a tool provided by AWS which you can install on either Linux/Windows machines.

‌

• If you choose the import option instead:

  ​

  • You have to download a sample template provided by AWS. Which looks like this.Fill it up and upload to S3 .Provide the S3 object url and click Import.

  • ​

• Next these are the migration tools you can use to migrate the discovered services.

  ​

‌

Helpful Link

​AWS Migration Hub Walkthroughs – AWS Migration Hub​

‌

AWS Application Discovery Service

‌

AWS Application Discovery Service helps you plan your migration to the AWS cloud by collecting usage and configuration data about your on-premises servers. Application Discovery Service is integrated with AWS Migration Hub, which simplifies your migration tracking.

‌

After performing discovery, you can view the discovered servers, group them into applications, and then track the migration status of each application from the Migration Hub console.

‌

Two ways of performing discovery and collecting data about your on-premises servers:

‌

• Agentless discovery

• Agent-based discovery

‌

AWS Database Migration Service

‌

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database.

‌

AWS Database Migration Service supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle or Microsoft SQL Server to Amazon Aurora. With AWS Database Migration Service, you can continuously replicate your data with high availability and consolidate databases into a petabyte-scale data warehouse by streaming data to Amazon Redshift and Amazon S3.

‌

• AWS DMS migrates data, tables, and primary keys to the target database. All other database elements are not migrated.

• The AWS Schema Conversion Tool (SCT) makes heterogeneous database migrations easy by automatically converting the source database schema and a majority of the custom code, including views, stored procedures, and functions, to a format compatible with the target database.

‌

AWS Server Migration Service

‌

AWS Server Migration Service (SMS) is an agentless service which makes it easier and faster for you to migrate thousands of on-premises workloads to AWS. AWS SMS allows you to automate, schedule, and track incremental replications of live server volumes, making it easier for you to coordinate large-scale server migrations.

‌

• Currently, you can migrate virtual machines from VMware vSphere and Windows Hyper-V to AWS using AWS Server Migration Service.

• AWS Server Migration Service supports migrating Windows Server 2003, 2008, 2012, and 2016, and Windows 7, 8, and 10; Red Hat Enterprise Linux (RHEL), SUSE/SLES, CentOS, Ubuntu, Oracle Linux, Fedora, and Debian Linux operating systems.

‌

AWS Snowball

‌

AWS Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of AWS.

‌

With Snowball, you don’t need to write any code or purchase any hardware to transfer your data. Simply create a job in the AWS Management Console and a Snowball appliance will be automatically shipped to you.

‌

Once it arrives, attach the appliance to your local network, download and run the Snowball client to establish a connection, and then use the client to select the file directories that you want to transfer to the appliance.

‌

Here you can either choose that the data you send in the device is sent to AWS S3 or data on Amazon S3 is put on a device and that is shipped to you or use the device for local compute and storage

​

‌

On the next slides enter your data, give job details, set teh security /notifications and you are all set

‌

AWS Snowball Edge

‌

AWS Snowball Edge is a data migration and edge computing device that comes in two options. Snowball Edge Storage Optimized provides 100 TB of capacity and 24 vCPUs and is well suited for local storage and large scale data transfer. Snowball Edge Compute Optimized provides 52 vCPUs and an optional GPU

‌

AWS Snowmobile:

‌

AWS Snowmobile is an exabyte-scale data transfer service used to move extremely large amounts of data to AWS. You can transfer up to 100 PB per Snowmobile, a 45-foot long ruggedized shipping container, pulled by a semi-trailer truck.

‌

AWS DataSync

‌

AWS DataSync is a data transfer service that makes it easy for you to automate moving data between on-premises storage and Amazon S3 or Amazon EFS.

‌

With DataSync, you deploy a DataSync agent locally as a virtual machine to connect to your existing storage array or file system over the Network File Storage (NFS) protocol, and that agent sends and receives data to and from the fully managed DataSync service in AWS.

‌

AWS Transfer for SFTP

‌

AWS Transfer for SFTP is a fully managed service that enables the transfer of files directly into and out of Amazon S3 using the Secure File Transfer Protocol (SFTP)—also known as Secure Shell (SSH) File Transfer Protocol.