-
- Private work.
- Nearly 700 videos on the list of breakout sessions from reinvent. Will go through and make a list of the ones I’d be interested in.
- Gemini released by Google: https://blog.google/technology/ai/google-gemini-ai/#sundar-note
- More AWS Q problems in vscode:
- Sometimes, it just doesn’t answer (replying it “can’t”) – and then if you resubmit with one word different, it answers perfectly.
- UI is messed up. Sometimes will render left of the window (cut off by sidebar). Sometimes will NOT render code snippets, instead showing plaintext.
- AWS secrets manager is 40c/secret/month, and then access costs.
- Standard # for comments in SAM templates. Full line OR inline.
- You can also compose template.yaml by importing other yaml files. Helpful to split large SAM configs by resource: one file for your lambdas, one for your security groups, etc.
- Updated vscode to 1.85.
- The Amex platinum benefit is every 6mo. You get $50 from jan-jun, and another $50 from jul-dec. Created recurring calendar event. Created online account. Easy.
- Mint still can’t connect to solium.
- Supercontest.
- Thought a bit about the hardest part of SAM: my existing rds db. Config is sensitive, there’s an RI around it, etc – just more sticky to move to IaC. I think I’ll use regular creds for now. Then during the serverless ticket, I’ll move RDS to SAM, and will create a lambda that runs pg_restore after db creation.
- Remember you have to configure the lambda to access rds. This is in the vpcconfig in sam: set the subnet IDs to those of the RDS DB, and the security group which allows RDS access.
- This obviously does not happen in local invoke.
- Secrets Manager vs Systems Manager Parameter Store. Overall: use secrets manager for secrets, and systems manager parameter store for any other configuration.
- Secrets manager is more expensive.
- Secrets manager does automatic rotation.
- Secrets manager only supports strings.
- Systems manager supports all configurations and types, not just secrets and strings.
- Systems manager is more generic.
- Note that the apigateway resource changes when you (only) change the lambda function behind it. This is just to reconnect to the lambda, since the rest api depends on the backend function.
- Gave the lambdas vpc access to the rds db (via sam policies) to get past the “can’t resolve address” error.
- Then started seeing auth errors where boto3’s token generation didn’t work. Couldn’t get it to auth properly. Ended up just passing password (via Secrets Manager). Remember you can define multiple KV pairs in a secret, so I included username/engine/dbname/etc.
- Works from the command line, but remember you have to give the lambda perms to pull the secret: SecretsManagerReadWrite.
- Another hangup: SecretsManager is internet-facing. If the lambda is running in a VPC, then you need to add a VPC endpoint to your SecretsManager resource in order for the lambda to be able to reach it (connectivity is diff than authorization!).
- Sidenote: you can only have one endpoint per subnet in each availability zone. Since I have two subnets each in us-west-1a and us-west-1c, I can’t include all 4 subnets in the vpcendpoint for secrets manager. Just choose one from each AZ.
- And: make sure your security groups allow ingress/egress appropriately. The lambda needs to be able to reach the internet (for secrets manager) and the vpc endpoint for the secrets manager needs to allow the lambda to reach it.
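An added example (not code from the page) of the multi-KV secret pattern described above: the handler-side code parses the JSON SecretString, checks for the keys it needs, caches the result for the life of the container, and builds a SQLAlchemy URL. The secret name, the key layout and FakeSecretsClient are constructed stand-ins so it runs offline; with boto3 you would pass boto3.client("secretsmanager") instead.

```python
import json
from urllib.parse import quote_plus

# Keys the lambda needs from the multi-KV secret. Constructed layout: the page
# only says username/engine/dbname/etc were stored alongside the password.
REQUIRED_KEYS = ("engine", "host", "port", "username", "password", "dbname")

_cache: dict = {}  # survives across invocations of one warm lambda container


def load_db_secret(secret_id: str, client) -> dict:
    """Fetch and parse a JSON secret. `client` is any object exposing
    get_secret_value(SecretId=...), e.g. boto3.client("secretsmanager")."""
    if secret_id in _cache:
        return _cache[secret_id]
    resp = client.get_secret_value(SecretId=secret_id)
    secret = json.loads(resp["SecretString"])
    missing = [k for k in REQUIRED_KEYS if k not in secret]
    if missing:
        # Report key names only, never values, so nothing sensitive lands in CloudWatch.
        raise KeyError(f"secret {secret_id} is missing keys: {missing}")
    _cache[secret_id] = secret
    return secret


def build_sqlalchemy_url(secret: dict) -> str:
    """Build a SQLAlchemy URL; quote_plus protects passwords containing
    '@', '/' or ':' that would otherwise break URL parsing."""
    return (
        f"{secret['engine']}://{secret['username']}:{quote_plus(secret['password'])}"
        f"@{secret['host']}:{secret['port']}/{secret['dbname']}"
    )


class FakeSecretsClient:
    """Offline stand-in for the boto3 secretsmanager client (constructed)."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        return {"SecretString": json.dumps(self._secrets[SecretId])}


SAMPLE_SECRET = {  # constructed sample values, not a real credential
    "engine": "postgresql+psycopg2", "host": "db.example.internal", "port": 5432,
    "username": "app", "password": "p@ss/word:1", "dbname": "supercontest",
}


def demo() -> tuple[str, int]:
    """Load the secret twice; the second call must be served from the cache."""
    client = FakeSecretsClient({"supercontest/rds": SAMPLE_SECRET})
    secret = load_db_secret("supercontest/rds", client)
    load_db_secret("supercontest/rds", client)
    return build_sqlalchemy_url(secret), client.calls


if __name__ == "__main__":
    url, calls = demo()
    print(url.replace(quote_plus(SAMPLE_SECRET["password"]), "***"), calls)
```

In the template, the narrower equivalent of the SecretsManagerReadWrite managed policy is an inline policy granting only secretsmanager:GetSecretValue on that one secret’s ARN.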
- E2E.
- The old path: eventbridge -> lambda -> cloudfront -> loadbalancer -> nginx -> flask -> rds
- The new path: eventbridge -> lambda -> secretsmanager -> rds
- We lose a little time on serverless cold start, but the network path is actually a little shorter.
-
- Private work.
- Finished the re:invent innovation talks.
- Overall, not a lot gained. The keynotes have the valuable releases. The breakouts have the detail to learn/deepdive. These innovation talks are a weird middle ground.
- Multiple genAI talks started with the same proof: “AI, write me an intro”
- Developer experience. Q, codewhisperer, codecatalyst, java upgrade tool, etc.
- Codecatalyst is like an AI-managed suite of source management, issues, CICD, templates – basically gitlab but with Q.
- You can’t really access any of the cool codecatalyst features on the free/individual tier, like assigning issues to Q.
- Paid ortho.
- Streamlit is another pure-python-to-webapp tool.
- Obviously w2 = employees, w9 = contractors.
- Remember both aws codewhisperer and ms copilot are doing autocomplete/autosuggest inline in vscode.
- Prequalification is less than preapproval. It’s usually self-reported -> quick estimate. Preapproval is more – the lender actually verifies your financial statements.
- 1031 exchange. Selling an investment property and buying another similar. Defers capital gains tax.
- Zoom webinar hosted by datadog: how to monitor a genAI stack.
- Remember engines are sqla’s lowlevel. You then create a connection from an engine. A session is the higher-level object that uses the ORM to interact via an engine/connection.
- For this most recent leetcode contest, 1st place was all 4 problems in 16min.
- One of the worst contaminants to look for in tap water is fluoride. Affects thyroid function. Checked a few repos, nyc is ok.
- Supercontest.
- Updated banner.
- Added multiple lambda functions (and corresponding IAM roles + API gateway endpoints) and played with them. Interactions, imports. CLI commands, generic invokes or specific calls to a func.
- Remember to sam build before sam deploy.
- AWS::ApiGateway::RestApi is from cloudformation. Use it to directly manage an API gateway. AWS::Serverless::RestApi is from SAM. It manages a lot of the config for you. Use that one.
- The Outputs section of template.yaml doesn’t feed directly to anything on the deploy of the cloud formation. It just exposes dynamic content from the stack build. You can export things like the API gateway URL, the ARNs of the created resources, etc. These print to the command line for immediate testing, and they export to the actual CF template – allowing subsequent use in other SDKs, CLIs, whatever.
- If you want to share code across multiple lambdas:
- One option is S3. Simply tell SAM that “this lambda needs this S3 bucket”, and then tell SAM which files (shared libs) to upload to that S3 bucket on every deploy. You’re just using S3 as your common-code host.
- Another best practice is Lambda Layers. SAM supports this natively. Layers are a little better because Lambda’s execution engine understands how to cache layers. S3 has caching, but it’s cross-tool instead of native.
- Successfully did #2 with AWS::Serverless::LayerVersion. Builds the shared lib and makes it avail to the lambda.
- Added boto3 to pyproject. Ultimately I’ll probably just maintain one large set of reqs for the whole project, create and version a single layer from that, and all serverless functions wrap around it. Then I can point my IDE at that (in vscode you can point at a requirements.txt rather than a python interpreter) for highlighting/resolution/dev.
- Added stubs to boto3, and the specific services (sqs, eventbridge, etc) that I need. Just for typechecking in serverless dev.
- Remember this error is from psycopg2 (switched to psycopg2-binary long ago): [ERROR] ImportError: libpq.so.5: cannot open shared object file: No such file or directory.
- Now that these snippets are running in lambda, I can use sqlalchemy directly – no need for flask-sqlalchemy since it’s not running in an app context.
- artifact_store_retention = 10 in samconfig.toml to control how many deployments are stored in s3 (remember this is the template and the code and everything, so all resources like lambda/apigateway/etc can read from this).
- Local sam build and invoke do not pass the Outputs section of the template. This is because the local workflow doesn’t deploy anything; there are no ARNs/URLs/etc to reference, since CF has not pushed any. It’s just all local.
- I’ve noticed that copilot is much better than Q so far. Q had wrong information multiple times today: AWS::Serverless:Queue (AWS::SQS::Queue).
- SAM does not auto-inject Outputs into the envs of lambda functions. You have to add it to the env section of the func resource in the template.
- A few others.
-
- Private work.
- ios from 17.1.1 to 17.1.2.
- 6 more re:invent innovation talks.
- AWS in financial services. JP morgan chase, nasdaq, others.
- Lots of genAI.
- RAG = retrieval augmented generation. Customizing a model with private data, like querying an internal db.
- This uses a lot of the new vector db capabilities.
- Would love love love if google tasks adds the ability to order within a day, while the overall list is ordered by date.
- Finished typing – done with daily tasks for now.
- New york housing. Median days on market at sale: 73 days. Normal range is 1-3mo. Going slightly down.
- Garden maintenance.
- Raw cranberries are delicious. I’ve never tried them raw in my entire life.
- Supercontest.
- Made the gitlab repo private, as I’m about to make some substantial changes to upgrade the app.
- Fixed the perm issues from yesterday. Wasn’t macbook vs desktop, it was just s3. Disabled resolve_s3 in samconfig.toml, instead specifying s3_bucket directly.
- Remember S3 is necessary to support all your templates. This gets around the cloudformation max template size – basically it will upload all assets as necessary to s3, then the templates will reference those addresses. Not necessary for smaller serverless apps, but definitely good practice for larger apps. If you don’t specify an s3 bucket, sam deploy will simply deploy your template to cloudformation directly.
- AWS::Serverless::Function is a wrapper around AWS::Lambda::Function, which is lower level. The higher one also handles roles, APIs, etc.
- Did some cleanup on the samconfig, template, events, unit tests, integration tests, and function structure itself.
- Modified the lambda name, moved some files around, explored.
- It gracefully handled the changes. Deleted the old function/apigateway/role/etc associated with the old name, added the new.
- Confirmed requirements works in SAM. For both local invoke and cloud invoke.
- SAR is just like pypi or dockerhub for SAM apps.
- When you push a deployment from sam cli, that exact stack is what populates “Application” in lambda. You can see resources, endpoints, dashboards, more.
-
- Private work.
- Watched 5 more re:invent innovation talks (each an hour, 3x speed, so about 100min total – like watching a movie).
- Amazon Inspector to scan stuff like lambdas ($0.30/mo/lambda), EC2 ($1.25/mo/instance), and ECR ($0.09/mo/image) for security vulnerabilities.
- Talk from their new CISO. CBS -> MS -> Apple -> Capital One -> AWS.
- Manufacturing. Remember Teamcenter from Siemens. PLM = product lifecycle management.
- Storage optimization (lowlevel).
- Gen AI among some aws partner companies.
- AWS appfabric for saas interoperability.
- Remember nitro (hypervisor) to abstract a lot of compute mgmt.
- Firecracker is the lightweight virtualizer that backs lambda. Snapstart is the java-specific accelerator for java lambda functions.
- Karpenter is aws’ cluster autoscaler for k8s (open source).
- SOCI (seekable OCI) speeds up container launch by pulling and running the launch file(s) first while the rest of the image downloads.
- 49ers now +300 favorites in superbowl futures. Loved reading everything today. Even all the generic NFL bases hating on the eagles. Getting exposed, no more ekes. Security guard up for permanent ban. Deebo backing up the trash talk. Redemption from last NFC championship. Hit on swift. Just a regular season game though, let’s get ready for playoffs.
- It’s been 660 days (record) since >1″ snowfall in central park.
- Thanksgiving. Good hs murder mystery ala scream, but with a pilgrim instead of ghostface (lol).
- AWS SAM.
- Remember it’s declarative. Define your end state.
- It will create new resources if they don’t exist, and reuse existing resources if they’ve already been created (by SAM, by you manually, or otherwise).
- In that sense, it abstracts the imperative actions. No changes to the template are necessary for new vs existing.
- This also makes SAM deployments … reentrant.
- CDK is more complicated and more capable than SAM, which is geared only to (simple) serverless apps. CDK can control all AWS resources. And you can write your stack in python/javascript (rather than yaml), so you can have all of the object-oriented benefit: dependencies, static analysis, dynamic behavior, etc. They both just compile to cloudformation templates anyway.
- HP trivia.
- Supercontest.
- App is not a SPA (yet), and dynamically generates HTML app-side (EC2). I’ll leave that there. But js/css should be moved to s3, with a corresponding cicd pipeline. Created a ticket for that next.
- Looked up some sam.yaml templates for Events section (trigger from sqs, eventbridge, etc). And some configuration parameters like timeout – all controllable from src with SAM.
- Rather than generating an access key for an IAM user and copying that locally for aws CLIs, you can use IAM Identity Center in your IDE, like vscode.
- Played with the vscode aws toolkit a decent amount.
- In the vscode aws extension, there are a few roles. Builder ID gets you stuff like codecatalyst. But the bigger one, AWS Explorer (to see resources and such), is authed with IAM creds. I have one for supercontest (admin) and one for amplify-dev.
- Installed sam on the macbook.
- For the new sam lambdas:
- Enabled xray tracing.
- Did not enable cloudwatch application insights (costs extra).
- Enabled logging in json format. This doesn’t directly cost extra, but it does make the logs a little larger, which costs a little extra.
-
- Private work.
- Right now there are 32 regions and 102 AZs in AWS.
- Js promise pools, optional chaining, array shifts, curried functions.
- Set up Alexa to announce order-tracking updates from uber eats.
- Watched 3 of the innovation talks from re:invent last week. Each 1hr, on 3x.
- Covered California is on AWS.
- Some ipv6 updates.
- Remember cloudwatch has anomaly detection.
- Remember cloudwatch has an AI query generator – type your search in natural language and it will translate to the syntax for querying logs/metrics/traces/etc.
- Mealprep. Niners eagles (well deserved, philly finally exposed). Cleaning. Equinox. Aquarium maintenance. Etc.
- Remember mutation != reassignment. Basic, but easy to practically forget.
- Supercontest.
- ESPN scorestrip was returning EMPTY statuses for a game, which was causing errors to get flagged in the container logs.
- Example: gameId=401547572&nfl_s_left7=Atlanta%2013%20%20%20NY%20Jets%208%20()
- Those last parentheses are supposed to contain a status, like (07:18%20IN%203RD).
- So KeyError: '' in game.status_id = espn_abbv_status_id_map[score["status"]] when empty.
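An added example (not the project’s code) of a tolerant parser for that scorestrip record: it decodes the query string, pulls the status out of the trailing parentheses, and maps it with a fallback instead of indexing the dict directly, so an empty status yields a sentinel rather than KeyError: ''. The status map values and the STATUS_UNKNOWN sentinel are constructed placeholders, not ESPN’s real ids.

```python
import re
from urllib.parse import parse_qs

# Stand-in for espn_abbv_status_id_map; ids are constructed placeholders.
ESPN_ABBV_STATUS_ID_MAP = {
    "FINAL": 1, "HALFTIME": 2, "1ST": 3, "2ND": 3, "3RD": 3, "4TH": 3,
}
STATUS_UNKNOWN = 0  # sentinel for an empty or unrecognized status (constructed)

_STATUS_RE = re.compile(r"\(([^)]*)\)\s*$")  # trailing "(...)" group
_QUARTER_RE = re.compile(r"\b(1ST|2ND|3RD|4TH)\b")  # e.g. "07:18 IN 3RD"


def parse_scorestrip_game(raw: str) -> dict:
    """Split one record such as
    'gameId=401547572&nfl_s_left7=Atlanta%2013%20%20%20NY%20Jets%208%20()'
    into game id, score text and the (possibly empty) status string."""
    fields = parse_qs(raw, keep_blank_values=True)
    game_id = fields["gameId"][0]
    # The score/status field is nfl_s_left<N>; N varies per game slot.
    left = next(v[0] for k, v in fields.items() if k.startswith("nfl_s_left"))
    m = _STATUS_RE.search(left)
    status = m.group(1).strip() if m else ""
    score_text = left[: m.start()].strip() if m else left.strip()
    return {"game_id": game_id, "score": score_text, "status": status}


def status_id_for(status: str) -> int:
    """Map a status string to an id without ever raising KeyError."""
    if not status:
        return STATUS_UNKNOWN  # the empty-parentheses case from the logs
    upper = status.upper()
    if upper in ESPN_ABBV_STATUS_ID_MAP:
        return ESPN_ABBV_STATUS_ID_MAP[upper]
    q = _QUARTER_RE.search(upper)
    if q:
        return ESPN_ABBV_STATUS_ID_MAP[q.group(1)]
    return STATUS_UNKNOWN


if __name__ == "__main__":
    game = parse_scorestrip_game(
        "gameId=401547572&nfl_s_left7=Atlanta%2013%20%20%20NY%20Jets%208%20()"
    )
    print(game, status_id_for(game["status"]))
```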
-
- Private work.
- Started the mystery-escape-room-puzzle-riddle-advent-calendar last night!
- AWS refreshers.
- CLIs/SDKs.
- AWS CLI. The main one. Interact with resources from the command line. Generic.
- Boto3. The python SDK, allowing much of the same interactions as the generic AWS CLI, but from python.
- SAM CLI. For serverless app management.
- The Amplify CLI, and a few others like this.
- IaC.
- CloudFormation was the basis. Generic templates for provisioning most aws resources.
- Comes with a studio so you can graphically create/connect/move components in the full architecture.
- SAM extends cloudformation with common templates for serverless stacks.
- CDK is the SDK so that you can define these resources in high-level programming languages, rather than templates.
- Ultimately CDK and SAM both compile down to cloudformation templates.
- CloudFormation detail.
- Played with it a little bit.
- You CAN import a stack from existing resources. But you still have to provide a template, which is a skeleton list of all the resources. It does not auto-infer everything (which it should, since stuff like billing/cost mgmt clearly has all this info).
- You have to go to third party tools for “just provide my aws account and automatically discover all resources and configs” – CloudFormer by Anthropic, Terraformer by Gruntwork, few more.
- CDK detail.
- SAM detail.
- Simple example with (api gateway -> lambda -> dynamo) is 23 lines in SAM. >200 lines in the synthesized cloudformation template.
- You can init, build, test, deploy.
- SAM enables local testing by, for example, starting a container with the specified runtime/config and executing your lambda in it.
- You can also use SAM to test remotely (all the actual cloud resources).
- You can set up CI/CD pipelines. Not sure if this integrates with externals like gitlab, bamboo, whatever.
- Installed the SAM CLI into wsl2. Created a hello-world app with a single py lambda. Built and deployed.
- It’s a lambda function and an api gateway (primary resources). There are some secondaries (roles, permissions, etc).
- It deploys the full sam config to an s3 bucket, then converts the config to a cloudformation template, then cloudformation deploys the cloud resources.
- Interacted with the api gateway endpoint. Invoked the cloud lambda. Invoked the lambda locally. You can also host the API locally.
- Other.
- Tried the leetcode weekly contest for the first time. 4 questions worth 3 -> 4 -> 5 -> 6, totaling 18 points. Difficulties are easy -> med -> med -> hard. Lots of cheaters.
- Supercontest.
- Iteration on RDS RI cancellation.
- I may just deploy the existing html/css/js to s3 first (with cdk). Then I can upgrade to a full react app, hosted by amplify, later.
- Added codecatalyst to my aws builder profile. Basically provides templates for source, CI, CD. Application templates, at least for infra and workflows. Created a supercontest project in codecatalyst. Checked the offerings in the vscode extension.
-
- Private work.
- re:Invent.
- Watched Ruba Borno’s keynote. Just lots of small partner segments.
- Watched Werner Vogels keynote. Just some commentary, no announcements. Themes: cost as a first-class citizen in design. Designing for the cloud. And you don’t know what you don’t know – just getting metrics/sensors/observability in front of people/apps will yield improvements inherently.
- New: There’s a myApplications interface in console home, similar to my idea for App Catalog – you can associate all aws resources with different apps, add tags/attributes/groups/metadata, and then it splits a bunch of stuff by app (analytics, costs, etc). Doesn’t do stuff like support tiering or codeowners, but a good start.
- Further reason to not invest in the reddit IPO: https://news.ycombinator.com/item?id=38423167. Wish I could short a private name.
- Changed trays.
- Icloud photo sync finished. I have ~4GB on device and ~46GB in cloud.
- Mealprepped. Fried chicken thighs, but with maseca! Brine. Dry rub (baking powder, pepper, paprika, cumin). Egg wash. Corn flour. Fry in peanut oil on high, ~3min each side, internal ~180.
- Unbelievably shitty service from AWS support continues: https://support.console.aws.amazon.com/support/home?region=us-west-1#/case/?displayId=14398223121&language=en
- Updated macbook to sonoma 14.1.2 (from 14.1.1, just a security patch but requires restart).
- Maintenance increases are insane in my building: (emailed super and asked for the itemization)
- 2021: 3.50%
- 2022: 4.89%
- 2023: 4.50%
- 2024: 5.93%
- Supercontest.
- Pinpoint confirmed that it will be up to 5d to resolve the tollfree registration issue.
- The second RI was not cancelled (and bill credited) at the cycle turnover (monthly, dec1). AWS support has been TERRIBLE these last two issues. Filed another ticket since you can’t reopen a case after 14 days: https://support.console.aws.amazon.com/support/home#/case/?displayId=14398223121&language=en
- Turned on Resource Explorer for my aws account. Basically just adds indexes in all regions so aws can query for your various resources more efficiently.
- Couldn’t get an sqla layer, built from my x86 ubuntu wsl2, to work either.
- Just gonna go full CDK/SAM for dev/test/deploy of these lambdas.
- This ticket is becoming more SERVERLESS than cache. The SQS part was easy. Getting the full infra up for lambda, cdk, sam, eventbridge, etc – that was the large majority.