How to reduce costs for GitHub Actions?
cloudonaut | Launchpad for Amazon Web Services
1M ago
GitHub Actions is my favorite CI/CD solution. Over the past year, I gradually switched all projects from CodePipeline to GitHub Actions. To this day, I enjoy the smooth user experience. However, GitHub-hosted runners quickly become a big item on GitHub’s monthly bill. That’s why I will share how to reduce costs for GitHub Actions with Octolense by Sandro Volpicella and HyperEnv for GitHub Actions Runner made by Michael and me in the following. Do you prefer watching a video instead of reading? Here you go! Get insights in ..read more
KMS Key Policy Privilege Escalation
cloudonaut | Launchpad for Amazon Web Services
2M ago
Encrypting data at rest is a widespread best practice on AWS. In 2019, Werner Vogels set the tone with his motivational slogan, “Dance like nobody’s watching. Encrypt like everyone is!”. AWS shipped the ability to encrypt data at rest for almost all its services. Many services use the AWS Key Management Service (KMS) to handle the keys for server-side encryption. KMS provides default keys, which are very simple to use, and customer-managed keys with an extra authorization layer. Are you defining key policies to strictly restrict access to customer-managed keys? Then, the following will blow yo ..read more
Connect GitHub Actions with AWS VPC
cloudonaut | Launchpad for Amazon Web Services
3M ago
GitHub Actions is my preferred CI/CD solution. I’m using GitHub Actions to build and deploy applications on AWS. However, GitHub Actions does not have access to private subnets, which is required in the following scenarios:
- Execute database migrations for RDS (Relational Database Service).
- Run load or integration tests against internal ALBs or NLBs (Elastic Load Balancing).
- Seed ElasticSearch, OpenSearch, or ElastiCache with data.
In the following, I will demonstrate how to access a VPC (Virtual Private Cloud) from GitHub Actions with the help of HyperEnv for GitHub Actions Runner, a soluti ..read more
Protect Amazon Connect from viruses and malware by scanning attachments
cloudonaut | Launchpad for Amazon Web Services
5M ago
Four years ago, we stumbled into Amazon Connect. In essence, Amazon Connect allows your users to reach your organization represented by agents via phone or chat. While chatting, Amazon Connect allows users and agents to upload attachments. For many years, there was no good solution to ensure those files were malware-free. Given that anonymous users can start Amazon Connect chats, that’s quite scary. Lucky us, Amazon Connect just released a feature that enables scanning of attachments for malware. You might think: “Great, Amazon Connect scans all files from now on”. But no, Amazon Connect enabl ..read more
Worldwide availability of EC2 instance types
cloudonaut | Launchpad for Amazon Web Services
5M ago
The promise sounds tempting; with AWS, you can roll out your infrastructure in 28 regions worldwide. Indeed, it is an eye-opening moment when rolling out the same infrastructure into multiple regions to serve users in different parts of the world. However, a few stumbling blocks exist when rolling out an application to every available region. I’ve recently stumbled upon one of them when working on bucketAV. Currently, EC2 provides 761 instance types grouped into 116 instance families. But not all of these instance families are available in every region. Here are some interesting facts. 4 Thin ..read more
How to monitor container workloads running on ECS and Fargate?
cloudonaut | Launchpad for Amazon Web Services
6M ago
How do you monitor a container workload running on ECS (Elastic Container Service) and Fargate with on-board resources? Here are the prioritized aspects when it comes to monitoring containers on AWS.
- Event-driven monitoring with EventBridge
- Monitoring entry points like ALB, SQS, and Kinesis
- Monitoring inter-service communication (Service Connect)
- Observing container utilization
- Collecting and analyzing container logs
Event-driven monitoring with EventBridge
Most importantly, ensure that you are not missing ECS failure events. Like many AWS services, ECS sends events to EventBridge. Monitori ..read more
Using DynamoDB Entity Store for cleaner TypeScript code
cloudonaut | Launchpad for Amazon Web Services
6M ago
DynamoDB is a cloud-hosted NoSQL database from Amazon Web Services (AWS). DynamoDB is popular for two main reasons:
- It scales extremely effectively with little operational effort
- Since it is a serverless service, it is also cheap, simple, and quick to run for lower throughput applications
I’ve worked with companies where the scaling behavior has been crucial, but most of the time what I like about DynamoDB is the second point: no complicated VPC networking, no clusters, no minimum monthly costs. However, there are also often at least two concerns with using DynamoDB: Getting DynamoDB table de ..read more
The Lambda monitoring blind spot
cloudonaut | Launchpad for Amazon Web Services
6M ago
After a customer complained that a feature of marbot, our monitoring solution for AWS, was not working as expected, I started debugging the issue. First, I checked the CloudWatch alarms we use to monitor all Lambda functions. All CloudWatch alarms were in status OK, and we also had not received any alerts via Slack. Next, I analyzed the CloudWatch logs. To my surprise, I found out that one of our Lambda functions failed from time to time. I was shocked about the blind spot in our monitoring configuration. Are you using CloudWatch alarms for Lambda function monitoring as well? Read on to ensure ..read more
A future-proof Terraform provider definition
cloudonaut | Launchpad for Amazon Web Services
7M ago
When defining the version of a Terraform provider, do not use > or >= conditions. You will run into trouble caused by breaking changes with the next major release. Instead, lock the major version of the Terraform provider by using a ~> condition. But let’s start at the beginning.
Problem
When running terraform apply to deploy a small change to a code base that I had not touched for a while, I ran into the following error.
An argument named "enable_classiclink" is not expected here.
While debugging the issue, I learned a lot about Terraform version constraints that you should ..read more
Migrating to AWS JavaScript SDK v3: Lessons Learned
cloudonaut | Launchpad for Amazon Web Services
7M ago
There’s work coming your way! Node.js 16 reached end-of-life on September 11th, 2023. Also, the AWS Lambda runtime environment for Node.js 18 upgraded to v3 of the AWS SDK for JavaScript. So to upgrade Lambda functions from Node.js 16 to 18, you have to migrate to AWS JavaScript SDK v3 as well. Unfortunately, v3 is not backward compatible with v2. In the following, I will share what I stumbled upon while upgrading many Lambda functions to v3. When upgrading the AWS JavaScript SDK from v2 to v3, you should bookmark the following pages: API Reference Upgrading Notes (2.x to 3.x) Import and ..read more
