• Thursday

    • Private work.
    • Nearly 700 videos on the list of breakout sessions from reinvent. Will go through and make a list of the ones I’d be interested in.
    • Gemini released by Google: https://blog.google/technology/ai/google-gemini-ai/#sundar-note
    • More AWS Q problems in vscode:
      • Sometimes, it just doesn’t answer (replying it “can’t”) – and then if you resubmit with one word different, it answers perfectly.
      • UI is messed up. Sometimes will render left of the window (cut off by sidebar). Sometimes will NOT render code snippets, instead showing plaintext.
    • AWS secrets manager is 40c/secret/month, and then access costs.
    • Standard # for comments in SAM templates. Full line OR inline.
    • You can also compose template.yaml by importing other yaml files. Helpful to split large SAM configs by resource: one file for your lambdas, one for your security groups, etc.
    • Updated vscode to 1.85.
    • The Amex platinum benefit is every 6mo. You get $50 from jan-jun, and another $50 from jul-dec. Created recurring calendar event. Created online account. Easy.
    • Mint still can’t connect to solium.
    • Supercontest.
      • Thought a bit about the hardest part of SAM: my existing rds db. Config is sensitive, there’s an RI around it, etc – just more sticky to move to IaC. I think I’ll use regular creds for now. Then during the serverless ticket, I’ll move RDS to SAM, and will create a lambda that runs pgrestore after db creation.
      • Remember you have to configure the lambda to access rds. This is in the vpcconfig in sam: set the subnet IDs to those of the RDS DB, and the security group which allows RDS access.
        • This obviously does not happen in local invoke.
      • Secrets Manager vs Systems Manager Parameter Store. Overall: use secrets manager for secrets, and systems manager parameter store for any other configuration.
        • Secrets manager is more expensive.
        • Secrets manager does automatic rotation.
        • Secrets manager only supports strings.
        • Systems manager supports all configurations and types, not just secrets and strings.
        • Systems manager is more generic.
      • Note that the apigateway resource changes when you (only) change the lambda function behind it. This is just to reconnect to the lambda, since the rest api depends on the backend function.
      • Gave the lambdas vpc access to the rds db (via sam policies) to get past the “can’t resolve address” error.
      • Then started seeing auth errors where boto3’s token generation didn’t work. Couldn’t get it to auth properly. Ended up just passing password (via Secrets Manager). Remember you can define multiple KV pairs in a secret, so I included username/engine/dbname/etc.
      • Works from the command line, but remember you have to give the lambda perms to pull the secret: SecretsManagerReadWrite.
      • Another hangup: SecretsManager is internet-facing. If the lambda is running in a VPC, then you need to add a VPC endpoint to your SecretsManager resource in order for the lambda to be able to reach it (connectivity is different from authorization!).
      • Sidenote: a VPC endpoint can only use one subnet per availability zone. Since I have two subnets each in us-west-1a and us-west-1c, I can’t include all 4 subnets in the vpcendpoint for secrets manager. Just choose one from each AZ.
      • And: make sure your security groups allow ingress/egress appropriately. The lambda needs to be able to reach the internet (for secrets manager) and the vpc endpoint for the secrets manager needs to allow the lambda to reach it.
      • E2E.
        • The old path: eventbridge -> lambda -> cloudfront -> loadbalancer -> nginx -> flask -> rds
        • The new path: eventbridge -> lambda -> secretsmanager -> rds
        • We lose a little time on serverless cold start, but the network path is actually a little shorter.
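The SAM pieces from the notes above (lambda with VpcConfig, a multi-key secret, the Secrets Manager VPC endpoint with one subnet per AZ, and the security group that lets the lambda reach the endpoint) pulled together as one added example template; this is not the project's own template. Parameter names, the function name, CodeUri/Handler, and the dbname value are assumptions, and it grants only GetSecretValue on the one secret instead of the broader SecretsManagerReadWrite policy.

```yaml
Transform: AWS::Serverless-2016-10-31
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  SubnetA: { Type: AWS::EC2::Subnet::Id }            # one subnet in us-west-1a
  SubnetC: { Type: AWS::EC2::Subnet::Id }            # one subnet in us-west-1c
  RdsClientSg: { Type: AWS::EC2::SecurityGroup::Id } # SG that the RDS SG already admits
Resources:
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      # Several KV pairs in one secret; the password is generated, never written in the template.
      GenerateSecretString:
        SecretStringTemplate: '{"username":"app","engine":"postgres","dbname":"supercontest"}'  # constructed values
        GenerateStringKey: password
        ExcludeCharacters: '"@/\'
  EndpointSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from the lambda SG to the Secrets Manager endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref RdsClientSg    # the lambda's own SG, not a CIDR
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
      VpcId: !Ref VpcId
      PrivateDnsEnabled: true                        # boto3's default endpoint now resolves inside the VPC
      SubnetIds: [!Ref SubnetA, !Ref SubnetC]       # one per AZ; a second subnet in the same AZ is rejected
      SecurityGroupIds: [!Ref EndpointSg]
  SupercontestFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.11
      Handler: app.handler                           # assumed
      CodeUri: src/                                  # assumed
      VpcConfig:                                     # ignored by `sam local invoke`
        SubnetIds: [!Ref SubnetA, !Ref SubnetC]
        SecurityGroupIds: [!Ref RdsClientSg]
      Environment:
        Variables: { DB_SECRET_ARN: !Ref DbSecret }
      Policies:
        - AWSSecretsManagerGetSecretValuePolicy:     # read-only, scoped to this one secret
            SecretArn: !Ref DbSecret
```

With PrivateDnsEnabled the function code needs no custom endpoint URL; it calls `get_secret_value` on `DB_SECRET_ARN` and parses the JSON for username, password, engine and dbname.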