Posts

I’ve been analyzing and optimizing the performance of our CI/CD pipeline in a current project and encountered some unexpected behavior with Terraform. Since my Googling didn’t lead to useful results, I’m writing this to share my experience. I’ll explain how I identified the reason why Terraform didn’t use the cached providers and how to avoid the underlying problem with platform specific hashes in the Terraform provider lock file. We’re using a private Gitlab instance as the platform to host our code and have a dedicated runner to execute our pipeline. The terraform part of the pipeline is responsible for rolling out code and infrastructure changes and consists of two stages with their own jobs - plan and apply. If you’ve used Terraform before, you probably already guessed, that the plan job creates a Terraform plan file, i.e., the diff between the current and the target state. The subsequent apply job consumes that and executes the changes (unless something else touched the state in the mean time). Depending on the configuration, the apply is sometimes automated and in other cases manual, which is one of the reasons for separating the two steps. ...

This blog post was inspired by a question on stackoverflow. The user experienced intermittent HTTP 500 error codes from CloudFront. They seemed confident, that their setup was correct, so I was intrigued. The user had deployed a static website to S3 and was using CloudFront in a continuous deployment configuration. That’s a setup, where you have two distributions - production and staging. In such a setup, you can test configuration changes in the staging distribution and divert a fraction of production traffic to it in order to to see how it behaves. Once you’re satisfied with your configuration changes in the staging environment, you promote them to the production distribution and serve all traffic from there. ...

Lambda@Edge allows you to run your own business logic as part of the CloudFront request flow. You can intercept all requests that arrive at CloudFront, all connections to the origin and the responses from the origin and to the client. Lambda@Edge functions come with a series of constraints that make them different from regular Lambda functions, but also a lot of commonalities. One of these is the concurrency quota, which you should check before a production deployment. ...

Interacting with Cloud services is rarely a tactile experience. You write some code, run some command or click a button on a screen and things happen. Today we’re going to change that. We’ll write a plugin for the Elgato Stream Deck to trigger an AWS Lambda function on demand with a customizable event. In case you haven’t heard of it, the Stream Deck is basically a set of buttons with tiny screens behind them that you can customize to do your bidding through plugins. Today, we’ll write a small plugin that invokes a Lambda function of our choosing, thereby allowing us to do pretty much anything in AWS. ...

Occasionally, you’ll do something that you think you’ve done dozens of times before and are then surprised it no longer works. While setting up a log delivery mechanism for Splunk, I had one of these experiences again. (Feel free to replace relearning with forgetting in the headline.) Splunk’s preferred method of ingesting log data from AWS is the SQS-based S3 input. In a nutshell, you ensure that all logs end up in an S3 bucket. That bucket is configured to send all object create events to an SNS topic (so that multiple systems can subscribe), to which an SQS queue is subscribed. Splunk subsequently consumes the object create events from the queue and ingests the corresponding objects from S3. ...

At some point the Touchpad on my converted Chromebook failed. I explain how I fixed it.

Lambda@Edge functions are executed in multiple regions around the world, but which ones exactly? In this post we’ll find out together, which will enable us to pre-create log groups and other resources for them.

Like many organizations, tecRacer uses HubSpot as a CRM. Integrating Hubspot with other (internal) systems enables smooth workflows for everyone involved. Since I recently built a custom integration, I thought it may be helpful to explain how to set up a secure interface with AWS.

Opportunity cost is an important economic concept, but sometimes we need to ignore it to learn something. Join me in using a variety of services and tools to figure out what is using my KMS keys and if I can safely delete them.

Links and References for my Talk at the AWS Community Day 2024 in Sofia As soon as the recording is available, it will appear here Contact If you want to get in touch, send me an e-mail hi [ät] mauricebrg.com. Presentation The slides are available as a PDF here. Links Blog Post: Using undocumented AWS APIs with Python Python Package that implements some undocumented APIs (Github) If you’re interested in (un)documented or non-production APIs for Security research, Datadog has an interesting article here ...