
Posts Tagged - AWS

Kinesis Data Stream as Lambda Trigger in AWS CloudFormation

This AWS CloudFormation YAML template demonstrates how a Kinesis Data Stream can be configured as a Lambda trigger in AWS CloudFormation.

Simply deploy the following template via the AWS CloudFormation console. In the designer the template looks like this:

Kinesis Data Stream Lambda CloudFormation Designer

Template:

Now we can take the stream name from the Outputs section of the CloudFormation stack and send a test event using the AWS CLI:

AWS CloudFormation Console Outputs

  aws kinesis put-record --stream-name <value> --data <value> --partition-key <value>

CLI Reference: https://docs.aws.amazon.com/cli/latest/reference/kinesis/put-record.html

The output should look like this:

AWS CLI Kinesis put-record

Now you can check in the Lambda console whether the function has been invoked and what has been written to the logs.

AWS Lambda Monitoring
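A complete template of the kind described above, as an added example (it is not the gist from the original post). Nothing in it is assumed beyond the region you deploy into; the inline handler only logs a summary of each record. Two points a practitioner would want that the post does not spell out: the stream is encrypted with the AWS managed key, and the function role is scoped to this one stream instead of the broad AWSLambdaKinesisExecutionRole managed policy (which allows reading every stream in the account).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Kinesis Data Stream as Lambda trigger (added example, not the original post's template)

Resources:
  Stream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
      RetentionPeriodHours: 24
      # Server-side encryption with the AWS managed key; consumers need no extra KMS permissions for it.
      StreamEncryption:
        EncryptionType: KMS
        KeyId: alias/aws/kinesis

  ConsumerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs only; stream access is granted below, scoped to this stream.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ReadThisStreamOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - kinesis:DescribeStream
                  - kinesis:DescribeStreamSummary
                  - kinesis:GetRecords
                  - kinesis:GetShardIterator
                  - kinesis:ListShards
                  - kinesis:SubscribeToShard
                Resource: !GetAtt Stream.Arn

  Consumer:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt ConsumerRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          import base64
          import json

          def handler(event, context):
              # Record data arrives base64-encoded and is untrusted input:
              # decode it, but log a structured summary rather than the raw bytes.
              for record in event["Records"]:
                  payload = base64.b64decode(record["kinesis"]["data"])
                  print(json.dumps({
                      "partitionKey": record["kinesis"]["partitionKey"],
                      "sequenceNumber": record["kinesis"]["sequenceNumber"],
                      "bytes": len(payload),
                  }))
              return {"processed": len(event["Records"])}

  StreamTrigger:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt Stream.Arn
      FunctionName: !Ref Consumer
      StartingPosition: LATEST
      BatchSize: 100
      # Poison records: retry a few times and split the batch instead of blocking the shard forever.
      MaximumRetryAttempts: 3
      BisectBatchOnFunctionError: true
      Enabled: true

Outputs:
  StreamName:
    Description: Use this with "aws kinesis put-record --stream-name"
    Value: !Ref Stream
```

With AWS CLI v2, pass `--cli-binary-format raw-in-base64-out` to `aws kinesis put-record` when `--data` is a plain string; otherwise the CLI expects the data to be base64 already.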

Read More

Implement Conditional Properties in AWS CloudFormation

The following CloudFormation snippet shows how to use conditional properties in a CloudFormation template. The example configures one or two subnets in the VPCOptions section of an Elasticsearch domain, depending on whether a parameter called ZoneAwareness is set to true.

Parameters:
  ZoneAwareness:
    Type: String
    AllowedValues: [true, false]
    Default: true

Conditions:
  ZoneAwarenessTrue: !Equals [!Ref ZoneAwareness, true]

Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      ...
      VPCOptions:
        SubnetIds:
          - !Ref SubnetA
          # AWS::NoValue drops this list element entirely when the condition is false
          - Fn::If:
            - ZoneAwarenessTrue
            - !Ref SubnetB
            - !Ref "AWS::NoValue"
        SecurityGroupIds:
          - !Ref SecurityGroup

Read more: Pseudo Parameters Reference

Read More

Retrieve StackName from nested Stacks in AWS CloudFormation

Using the intrinsic function Ref on a stack created within another stack (AWS::CloudFormation::Stack) only gives you the ID (the ARN) of the referenced stack. If you want the automatically generated StackName, you have to combine the intrinsic functions Split and Select as follows:

!Select [1, !Split ["/", !Ref MyStack]]

This works since the Stack Id is structured as follows:

arn:aws:cloudformation:eu-west-1:*********:stack/test-nested-MyStack-R5E52GRQGVZH/8d90dd40-17a7-11ea-b079-02c18823f600

The statement splits the stack ID at the delimiter "/", resulting in a list that contains the stack name at index 1, which we then pick with the Select function.

Read More

Implement Metric Filter to profile memory usage for AWS Lambda Functions in AWS CloudFormation

Not long ago I wanted to know in detail how much of its allocated memory each of my individual Lambda functions actually consumes.

Since memory consumption is not part of the standard Lambda metrics, I had to find my own solution.

Default AWS Lambda Metrics

As each Lambda execution logs its memory usage in the REPORT line at the end of the invocation, I thought about implementing a metric filter that extracts this value into a custom metric in AWS CloudWatch.

AWS Lambda memory consumption log output

A sample metric filter was quickly found on the AWS forums (related thread).

You can test the metric filter by applying it to the log group of a Lambda function, as I did in the example below:

apply metric filter to log group

Having verified that the metric filter actually works, I only had to implement it in CloudFormation to be able to evaluate the memory consumption. It is important to define a function name explicitly, so that the log group belonging to the Lambda function can also be created from the CloudFormation template.

You can find the template below:

Now you can find the memory consumption metric under StackName > LambdaFunctionName > Memory in AWS CloudWatch:

memory consumption result
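An added example of the metric filter in CloudFormation (not the template from the original post). It assumes an existing Lambda function whose name is passed as a parameter and which has not yet written any logs: AWS::Logs::LogGroup fails with "already exists" if the function has already been invoked, in which case drop the log group resource and point the filters at the existing name. The filter pattern is the space-delimited one from the AWS forum thread; it is kept in a Mapping because a metric filter allows only one metric transformation, so a second filter is needed to capture the allocated memory size alongside the peak usage.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Max memory used and memory size metrics for a Lambda function (added example)

Parameters:
  FunctionName:
    Type: String
    Description: Name of an existing Lambda function (assumed; the function itself is not created here)

Mappings:
  Patterns:
    LambdaReport:
      # Matches the REPORT line that ends every invocation, e.g.
      # REPORT RequestId: <id> Duration: 12.34 ms Billed Duration: 100 ms Memory Size: 128 MB Max Memory Used: 45 MB
      Filter: '[report_label="REPORT", request_id_label="RequestId:", request_id_value, duration_label="Duration:", duration_value, duration_unit="ms", billed_duration_label1="Billed", billed_duration_label2="Duration:", billed_duration_value, billed_duration_unit="ms", memory_size_label1="Memory", memory_size_label2="Size:", memory_size_value, memory_size_unit="MB", max_memory_used_label1="Max", max_memory_used_label2="Memory", max_memory_used_label3="Used:", max_memory_used_value, max_memory_used_unit="MB"]'

Resources:
  # Creating the log group here requires the function name to be known at template
  # time, which is the point the post makes about naming the function explicitly.
  FunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${FunctionName}
      RetentionInDays: 30

  MaxMemoryUsedFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref FunctionLogGroup
      FilterPattern: !FindInMap [Patterns, LambdaReport, Filter]
      MetricTransformations:
        - MetricNamespace: !Sub ${AWS::StackName}/${FunctionName}
          MetricName: MaxMemoryUsed
          MetricValue: $max_memory_used_value
          Unit: Megabytes

  # Same pattern, second transformation: lets you graph MaxMemoryUsed / MemorySize * 100
  # with metric math to see utilisation as a percentage.
  MemorySizeFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref FunctionLogGroup
      FilterPattern: !FindInMap [Patterns, LambdaReport, Filter]
      MetricTransformations:
        - MetricNamespace: !Sub ${AWS::StackName}/${FunctionName}
          MetricName: MemorySize
          MetricValue: $memory_size_value
          Unit: Megabytes
```

One caveat: a space-delimited pattern is matched field by field, and REPORT lines of cold starts carry additional fields (Init Duration), so those invocations may not be counted by a pattern with a fixed number of fields. Check the metric against real log lines from the log group before relying on it.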

Read More

Use Metric Math in CloudWatch Alarm using AWS CloudFormation

Recently I had the following problem: a CloudWatch alarm based on the Errors metric of a critical Lambda function occasionally sent notifications.

The reason for the notifications was quickly found by searching the Lambda logs: the errors were caused by Lambda timeouts. Since timeouts are not critical in the architecture in question, I was looking for a way to ignore them in the CloudWatch alarm.

The solution is called Metric Math.

Metric math enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics.

Source: Using Metric Math by AWS

With this it is possible to create a new metric that excludes the timeouts by subtracting timeouts from errors. By default there is no timeout metric for Lambda functions, but one can be produced with a simple metric filter applied to the log group of the respective Lambda function:

Then a CloudWatch Alarm can be created with a mathematical expression:

In the CloudWatch console the result of the template looks like this:

Use Metric Math in CloudWatch Alarm using CloudFormation
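Both steps in one template, as an added example that is not the original gist. It assumes an existing Lambda function (passed by name) whose log group `/aws/lambda/<name>` already exists, and an SNS topic ARN for notifications; the metric namespace is chosen here. The detail that bites in practice is the `FILL()` in the expression: in any period without a single timeout log line, the custom metric has no data point, and a plain `errors - timeouts` evaluates to nothing, leaving the alarm in INSUFFICIENT_DATA exactly when it should fire.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Alarm on Lambda errors excluding timeouts via metric math (added example)

Parameters:
  FunctionName:
    Type: String
    Description: Name of an existing Lambda function (assumed)
  AlarmTopicArn:
    Type: String
    Description: ARN of an SNS topic that receives the notifications (assumed)

Resources:
  TimeoutFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Sub /aws/lambda/${FunctionName}
      # The Lambda runtime writes this line when the function exceeds its timeout.
      FilterPattern: '"Task timed out after"'
      MetricTransformations:
        - MetricNamespace: !Sub ${AWS::StackName}/${FunctionName}
          MetricName: Timeouts
          MetricValue: "1"
          DefaultValue: 0

  ErrorsExcludingTimeoutsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Lambda errors that are not timeouts
      ComparisonOperator: GreaterThanThreshold
      Threshold: 0
      EvaluationPeriods: 1
      TreatMissingData: notBreaching
      Metrics:
        - Id: errors
          ReturnData: false
          MetricStat:
            Period: 60
            Stat: Sum
            Metric:
              Namespace: AWS/Lambda
              MetricName: Errors
              Dimensions:
                - Name: FunctionName
                  Value: !Ref FunctionName
        - Id: timeouts
          ReturnData: false
          MetricStat:
            Period: 60
            Stat: Sum
            Metric:
              Namespace: !Sub ${AWS::StackName}/${FunctionName}
              MetricName: Timeouts
        - Id: realErrors
          Label: Errors excluding timeouts
          # FILL() substitutes 0 for periods without timeout data points,
          # otherwise the subtraction yields no data and the alarm never evaluates.
          Expression: errors - FILL(timeouts, 0)
          ReturnData: true
      AlarmActions:
        - !Ref AlarmTopicArn
```

Note that a timed-out invocation is counted in the Errors metric once, so the subtraction is exact only when both series use the same period and statistic, as they do here.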

Read More

AWS Global Summits 2019

In 2019 AWS is again planning many local summits. Because the official website (https://aws.amazon.com/summits/) has not been updated yet, I am offering here a small compilation of next year's summits. This year the number of summits increases from 29 to 33; the dates from 2018 can be found here: AWS Global Summits 2018

AWS encourages you to participate in your local summits as follows:

Join the AWS Summit in Berlin and learn how the cloud is accelerating innovation in businesses of all sizes. Be the first to find out when registration is open in your area! Click the button below and we'll notify you when registration is live.

Source: AWS 2018

There will also be the opportunity to participate in the AWS DeepRacer League 2019 at the various AWS summits, which was announced at re:Invent 2018:

We want to make sure that developers all over the world have the same opportunity to get involved with AWS DeepRacer as re:Invent attendees. To that end I am excited to announce the AWS DeepRacer League – the world’s first global autonomous racing league, open to anyone. In 2019 there will be a series of live racing events at AWS Global Summits around the world, and we’ll also have virtual events and tournaments throughout the year. Winners and top scorers will advance to the AWS DeepRacer 2019 Championship Cup at re:invent 2019. I’ll have more detail on that soon, or you can check the AWS DeepRacer site for the latest updates.

Source: Jeff Barr 2018

AWS offers to notify you when registration is live: notify me.

EMEA (Europe, the Middle East and Africa)

  • AWS Summit Berlin, Germany: Feb 26 - Feb 27, 2019
  • AWS Summit Milan, Italy: Mar 12, 2019
  • AWS Summit Tel Aviv, Israel: Mar 13, 2019
  • AWS Summit Paris, France: Apr 02, 2019
  • AWS Summit Brussels, Belgium: Apr 09, 2019
  • AWS Summit Amsterdam, Netherlands: Apr 17, 2019
  • AWS Summit Dubai, United Arab Emirates: Apr 17, 2019
  • AWS Summit Madrid, Spain: May 07, 2019
  • AWS Summit London, United Kingdom: May 08, 2019
  • AWS Summit Stockholm, Sweden: May 22, 2019
  • AWS Summit Warsaw, Poland: May 30, 2019
  • AWS Summit Cape Town, South Africa: Jul 11, 2019
  • AWS Summit Bahrain, Bahrain: Sep 15, 2019
  • AWS Summit Switzerland: Oct 19, 2019

APAC (Asia-Pacific)

  • AWS Summit Singapore: Apr 10 - Apr 11, 2019
  • AWS Summit Seoul, South Korea: Apr 17 - Apr 18, 2019
  • AWS Summit Sydney, Australia: Apr 30 - May 02, 2019
  • AWS Summit Mumbai, India: May 15, 2019
  • AWS Summit Canberra, Australia: Aug 19 - Aug 20, 2019
  • AWS Summit New Delhi, India: Sep 03, 2019
  • AWS Public Sector Summit ASEAN – Singapore: Sep 24, 2019

Greater China

  • AWS Summit Taipei, Taiwan: Jun 12 - Jun 13, 2019
  • AWS Summit Shanghai, China: Jun 20, 2019
  • AWS Summit Hong Kong: Jun 26, 2019
  • AWS Summit Beijing, China: Jul 31, 2019
  • AWS Summit Shenzhen, China: Sep 26, 2019

America

  • AWS Summit Santa Clara, CA: Mar 27, 2019
  • AWS Summit Bogota, Colombia: Mar 28, 2019
  • AWS Summit Anaheim, CA: Apr 11, 2019
  • AWS Summit Atlanta, GA: May 02, 2019
  • AWS Summit Ottawa, Canada: May 14, 2019
  • AWS Summit Chicago, IL: May 30, 2019
  • AWS Summit Washington, DC: Jun 10 - Jun 12, 2019
  • AWS Summit São Paulo, Brazil: Jun 27, 2019
  • AWS Summit New York, NY: Jul 11, 2019
  • AWS Summit Mexico City, Mexico: Aug 29, 2019
  • AWS Summit Toronto, Canada: Oct 03, 2019

Japan

  • AWS Summit Tokyo, Japan: Jun 12 - Jun 14, 2019
  • AWS Summit Osaka, Japan: Jul 27, 2019

AWS indicates that dates and locations are subject to change.

Update 06.02.2019

I updated the list to the currently published state: https://aws.amazon.com/events/summits/

All information and images are based on the following source: https://aws.amazon.com/about-aws/events/

Read More

Define ApiGateway, Lambda and DynamoDB using AWS CDK

AWS CDK VSCode

AWS has released a developer preview of AWS CDK during re:Invent 2018. A detailed description and the release information can be found here: AWS CDK Developer Preview. AWS CDK makes it possible to define Infrastructure as Code in different programming languages; the code is synthesized into CloudFormation templates, so CDK acts as a kind of compiler.

The introductory session of re:Invent 2018:

Since I found some free time during re:Invent, I played around with this new software development framework, and the result is the following snippet. It creates a very simple API with a single method, implemented by a Lambda function that has permissions on a DynamoDB table: a very common scenario.

AWS CDK makes a very good impression and I am looking forward to its further development. The API reference and the introductory tutorial helped me a lot while trying out CDK.

Read More

Amazon DynamoDB Transactions support

Somewhat unexpectedly but quite deservedly, Amazon Web Services (AWS) has released DynamoDB Transactions at this year's re:Invent. Until now there was only one "official" additional Java library to support transactions (Java Transaction Library for DynamoDB). In other programming languages widely used in the AWS environment, such as Node.js, Python or Go, you had to use condition expressions on writes to emulate transactional behaviour. Since manual checks had to be implemented in many places, this easily becomes very error-prone. DynamoDB Transactions now allow you to perform atomic write operations across multiple items, of which either all or none go through. Besides that, isolated reads ensure that read operations applied to one or more items are not interfered with by other transactions.

Currently the newly introduced DynamoDB operations, TransactWriteItems and TransactGetItems, are not yet documented in the official API reference. I will add those sections to this post as soon as the operations are documented there.

Operation description from the AWS blog post:

  • TransactWriteItems, a batch operation that contains a write set, with one or more PutItem, UpdateItem, and DeleteItem operations. TransactWriteItems can optionally check for prerequisite conditions that must be satisfied before making updates. These conditions may involve the same or different items than those in the write set. If any condition is not met, the transaction is rejected.
  • TransactGetItems, a batch operation that contains a read set, with one or more GetItem operations. If a TransactGetItems request is issued on an item that is part of an active write transaction, the read transaction is canceled. To get the previously committed value, you can use a standard read.

A nice fact about transactions is that they are available at no extra charge beyond the capacity they consume (DynamoDB performs two underlying reads or writes for every item in a transaction), and they are available globally in all commercial regions.

If you want to learn more about this topic read the official AWS blog post: New – Amazon DynamoDB Transactions containing a more detailed explanation and samples.

AWS re:Invent 2018 session introducing DynamoDB transactions:

Since I use self-built transactions very often in one of my projects, I am very happy about this new feature and will try it out soon. A report on my experience will follow!


Read More

AWS CloudFormation YAML JSON skeleton

Two simple skeleton templates that can be used as a starting point when creating a new template from scratch. Note that only the Resources section is required, and it must declare at least one resource. All other sections are optional.

YAML skeleton

The following snippet shows the basic structure of a YAML template:

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A simple skeleton
Metadata:

Parameters:

Mappings:

Conditions:

Transform:

Resources:

Outputs:

JSON skeleton

The following snippet shows the basic structure of a JSON template:

{
  "AWSTemplateFormatVersion" : "2010-09-09",

  "Description" : "A simple skeleton",

  "Metadata" : {
  },

  "Parameters" : {
  },

  "Mappings" : {
  },

  "Conditions" : {
  },

  "Transform" : {
  },

  "Resources" : {
  },

  "Outputs" : {
  }
}

Read more about the AWS CloudFormation Template Anatomy

Read More

Authenticate via additional IAM Users or Roles in AWS EKS Kubernetes Cluster

AWS EKS Kubernetes Cluster

Recently I had the following problem: I created an EKS cluster in an AWS account with the root user and could not access the cluster later with other IAM users (even ones with full permissions on EKS) via kubectl.

After some research I came across the following paragraph in the AWS documentation:

“You must use IAM user credentials for this step, not root credentials. If you create your Amazon EKS cluster using root credentials, you cannot authenticate to the cluster.”

So I created the cluster again with my IAM user. Now I was able to connect to the cluster (after configuring kubectl as described here: configure kubectl) using my IAM user, but the IAM users of my colleagues still could not.

In order to authorize further IAM users to use the cluster, the following steps were necessary:

  • Gather the user or role ARNs
  • Create a config.yaml file and insert the presets listed below

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    - userarn: arn:aws:iam::<AWS account id>:user/<username of iam user>
      username: <username>
      groups:
        - system:masters
  mapRoles: |
    - rolearn: <ARN of IAM role>
      username: admin
      groups:
        - system:masters
    # Node instance role (not the instance profile); this entry lets worker nodes join the cluster.
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
system:masters allows super-user access to perform any action on any resource. If you want to grant more granular access, refer to the Kubernetes RBAC documentation.

The last entry in the mapRoles section (the node instance role) must always be present and correctly configured in an EKS cluster, otherwise nodes cannot join the cluster.

Use the following command to apply the configuration:

 kubectl apply -f config.yaml

Using kubectl describe configmap you can validate the current aws-auth configuration:

kubectl describe configmap -n kube-system aws-auth

Now the configured IAM users, or users assuming the mapped roles, can point their kubectl at your EKS cluster.
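Mapping every colleague to system:masters hands out cluster-admin to all of them. As an added example (not from the original post), the manifest below maps an IAM role to a custom Kubernetes group in aws-auth and binds that group to the built-in read-only `view` ClusterRole, so people who assume the role can inspect workloads but cannot change them or read Secrets. The role ARN, the account ID and the group name `eks-readonly` are placeholders chosen here; `{{SessionName}}` and `{{EC2PrivateDNSName}}` are template variables understood by aws-iam-authenticator.

```yaml
# Added example: aws-auth with a least-privilege group plus the RBAC binding for it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Required for worker nodes to join; keep this entry exactly as EKS expects it.
    - rolearn: arn:aws:iam::<account id>:role/<node instance role>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # Colleagues assume this IAM role; Kubernetes sees them only as members of eks-readonly.
    # The session name ends up in the audit log, so actions stay attributable to a person.
    - rolearn: arn:aws:iam::<account id>:role/EksReadOnly
      username: readonly:{{SessionName}}
      groups:
        - eks-readonly
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-readonly
subjects:
  - kind: Group
    name: eks-readonly
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  # Built-in role: get/list/watch on most namespaced resources, no Secrets, no RBAC objects.
  name: view
  apiGroup: rbac.authorization.k8s.io
```

Be aware that `kubectl apply -f` on the aws-auth ConfigMap replaces its data wholesale: an apply that omits the node role entry locks every node out of the cluster. Prefer `kubectl edit -n kube-system configmap/aws-auth` for incremental changes to a live cluster, and verify the result with the describe command above.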

After trying managed Kubernetes clusters on AWS and Google Cloud, I have to say that getting started on Google Cloud was noticeably easier. But once the initial hurdles are overcome, EKS works as desired.

If you want to dive deeper into the subject I recommend the following article: EKS and roles

Read More

Drift detection now available in AWS CloudFormation

CloudFormation drift detection

Announced at re:Invent 2017 in a CloudFormation deep dive session for "early 2018", the time has now come (almost at the end of 2018). AWS has added a new and long-awaited feature to CloudFormation that will help in many cases: drift detection.

With this feature you can see in the CloudFormation console which stacks have been changed manually. Simply select the desired stack, select “Detect drift” under actions and confirm.

In AWS words: Drift detection lets you detect whether a stack’s actual configuration has been changed outside of CloudFormation. To detect drift on a stack, select the stack, and then select Detect drift for current stack from the Actions menu.
Read more in the official documentation.
Read more in the official blog.

Read More

Implement S3 Bucket Lambda triggers in AWS CloudFormation

Lambda Console with S3 trigger

Implementing S3 bucket Lambda triggers in AWS CloudFormation can be quite tricky, because circular dependencies or errors like "Unable to validate the following destination configurations" occur very often. But if you take note of the following, working with S3 Lambda triggers in CloudFormation becomes easier.

  • First, specify a name for the bucket in the CloudFormation template. This allows you to build policies and permissions from that name (instead of referencing the bucket resource) without worrying about circular dependencies.
  • Secondly, add a DependsOn statement to the bucket referencing the Lambda permission. This fixes "Unable to validate the following destination configurations" errors, since the bucket will only be created once the Lambda function and all necessary policies, roles and permissions are in place.

Below you will find a GitHub Gist with a working example that applies both tips. In this example, newly created *.txt files are read from the bucket and then deleted.

Read more: https://aws.amazon.com/premiumsupport/knowledge-center/unable-validate-destination-s3/
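A template that applies both tips, as an added example (not the gist from the original post). The bucket name comes in as a parameter so that the role policy and the Lambda permission can be written in terms of `${BucketName}` rather than `!Ref Bucket`, which is what breaks the dependency cycle; the bucket itself is created last via DependsOn. Beyond what the post describes, the Lambda permission carries SourceAccount as well as SourceArn so that a bucket with the same name in another account cannot invoke the function, and the bucket blocks public access.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: S3 bucket as Lambda trigger without circular dependencies (added example)

Parameters:
  BucketName:
    Type: String
    Description: Globally unique bucket name, fixed up front so policies can reference it before the bucket exists

Resources:
  ProcessorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ReadAndDeleteObjects
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:DeleteObject
                # Built from the parameter, not from !Ref Bucket, which would create the cycle.
                Resource: !Sub arn:aws:s3:::${BucketName}/*

  Processor:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt ProcessorRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          import urllib.parse
          import boto3

          s3 = boto3.client("s3")

          def handler(event, context):
              for record in event["Records"]:
                  bucket = record["s3"]["bucket"]["name"]
                  # Keys in S3 events are URL-encoded; decode before using them as object keys.
                  key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
                  body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
                  print(f"{key}: {len(body)} bytes")
                  s3.delete_object(Bucket=bucket, Key=key)

  # Lets S3 invoke the function. SourceAccount plus SourceArn prevents a bucket of the
  # same name in another account (confused deputy) from triggering it.
  BucketInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref Processor
      Principal: s3.amazonaws.com
      SourceAccount: !Ref AWS::AccountId
      SourceArn: !Sub arn:aws:s3:::${BucketName}

  Bucket:
    Type: AWS::S3::Bucket
    # Created last, after the permission exists, which is what avoids
    # "Unable to validate the following destination configurations".
    DependsOn: BucketInvokePermission
    Properties:
      BucketName: !Ref BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      NotificationConfiguration:
        LambdaConfigurations:
          - Event: s3:ObjectCreated:*
            Function: !GetAtt Processor.Arn
            Filter:
              S3Key:
                Rules:
                  - Name: suffix
                    Value: .txt
```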

Read More

Use or output Amazon MQ Endpoints in AWS CloudFormation

Amazon MQ with ActiveMQ under the hood offers several different protocols, each with its own endpoint. At the time of writing you could not reference or output them directly in AWS CloudFormation (current CloudFormation exposes them as Fn::GetAtt return values of the broker, e.g. OpenWireEndpoints). To make this possible I use the following variants in a single-broker setup, where AMQBroker is a CloudFormation resource of type AWS::AmazonMQ::Broker:

and these in an active/standby setup for high availability:
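The Outputs below are an added example covering both setups; they are not the original gists. AMQBroker is assumed to be an AWS::AmazonMQ::Broker resource in the same template. The first three outputs use the endpoint attributes CloudFormation now returns (OpenWireEndpoints, AmqpEndpoints and so on, each a list with one entry per broker instance); the last one shows the older approach of deriving the host name from the broker ID that `!Ref` returns, which is what you need when the attributes are not available.

```yaml
Outputs:
  # Single-instance broker: each endpoint list holds exactly one entry.
  OpenWireEndpoint:
    Value: !Select [0, !GetAtt AMQBroker.OpenWireEndpoints]
  AmqpEndpoint:
    Value: !Select [0, !GetAtt AMQBroker.AmqpEndpoints]

  # Active/standby broker: both instances are returned. Hand clients a failover
  # URL so they reconnect to whichever instance is currently active.
  OpenWireFailoverUrl:
    Value: !Sub
      - failover:(${Active},${Standby})
      - Active: !Select [0, !GetAtt AMQBroker.OpenWireEndpoints]
        Standby: !Select [1, !GetAtt AMQBroker.OpenWireEndpoints]

  # Without the attributes: !Ref returns the broker ID (b-...), and the instance
  # host names are <id>-1 and <id>-2 in the broker's region. Port 61617 is OpenWire over TLS.
  OpenWireEndpointFromId:
    Value: !Sub ssl://${AMQBroker}-1.mq.${AWS::Region}.amazonaws.com:61617
```

Keep to the `ssl://` (TLS) ports in whatever you hand out; Amazon MQ endpoints carry credentials in the connection handshake.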

Read More

Output Amazon API Gateway Domain Name URL in AWS CloudFormation

Unfortunately, it is currently not possible to output or use the invoke URL of an Amazon API Gateway via Fn::GetAtt in AWS CloudFormation. Therefore I provide the following CloudFormation snippets that enable you to do exactly this. The snippets use a resource called RestApi of type AWS::ApiGateway::RestApi and a resource Stage of type AWS::ApiGateway::Stage.
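An added example of such an Outputs section (not the original snippets), assuming the RestApi and Stage resources named above. It relies on two facts about the intrinsic functions: `!Ref` on a REST API returns its ID, and `!Ref` on a stage returns the stage name. The second output is the execute-api ARN of the same stage, which is the value you need when writing IAM or resource policies scoped to one stage.

```yaml
Outputs:
  # Invoke URL of the deployed stage, e.g. https://abc123.execute-api.eu-west-1.amazonaws.com/prod
  ApiInvokeUrl:
    Value: !Sub https://${RestApi}.execute-api.${AWS::Region}.amazonaws.com/${Stage}

  # ARN form of the same stage, for IAM policies and API resource policies
  # (trailing /* covers every method and path in the stage).
  ApiExecuteArn:
    Value: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${RestApi}/${Stage}/*
```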

Read More

Reserved seating for AWS re:Invent 2018 sessions announced

AWS re:Invent 2018 is getting closer and closer, and many will have wondered when sessions can be reserved. Today the official re:Invent Twitter account announced that seats can be reserved from 11 October 2018.

It is important that you start your reservation as soon as reservation opens and that you have planned your schedule in advance. Last year reservation opened 15 minutes before the announced time, so you had better try a little earlier!

You can find the 2018 session catalog here.

Update from 02.10.2018 taken from the AWS News Blog: “You will be able to make reservations starting at 10 AM PT on Thursday, October 11, so mark your calendars. Reserving a seat is the best way to ensure that you will get a seat in your favorite session without waiting in a long line, so be sure to arrive at least 10 minutes before the scheduled start.” Source: https://aws.amazon.com/blogs/aws/reinvent-2018-55-days-to-go/

Read More

SQS Queue as Lambda Trigger in AWS CloudFormation

Lambda Console with SQS trigger

Recently AWS announced that Amazon Simple Queue Service (SQS) is now available as a supported event source for AWS Lambda functions. You can read the related blog post here: https://aws.amazon.com/blogs/aws/aws-lambda-adds-amazon-simple-queue-service-to-supported-event-sources/

Since then I have seen many instructions explaining how to integrate this trigger via the AWS Serverless Application Model (AWS SAM). Using this approach I noticed that when rolling out the SAM template via AWS CloudFormation, a resource of type AWS::Lambda::EventSourceMapping is created. Since this resource type is supported by AWS CloudFormation directly, it should be possible to create the SQS Lambda trigger without SAM.

So I tried it successfully and got the following CloudFormation example template:

One thing to watch out for is that the Lambda function timeout must not be greater than the visibility timeout of the queue; AWS recommends a visibility timeout of at least six times the function timeout, so that a message is not redelivered while an invocation is still processing it. The solution can be tested by sending a test message to the queue using the SQS console.

Sending a test message via the SQS Console

Check if the Lambda Function has been invoked
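A template of this kind, as an added example rather than the one from the original post. It assumes nothing outside the template. Compared with the minimal queue-plus-mapping setup it shows the timeout relationship from the paragraph above in concrete numbers (30 s function timeout, 180 s visibility timeout), a dead-letter queue so that a message which keeps failing is parked after three receives instead of cycling forever, encryption at rest on both queues, and an execution role limited to the three SQS actions the event source mapping needs on this one queue.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: SQS queue as Lambda trigger with dead-letter queue (added example)

Resources:
  DeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      SqsManagedSseEnabled: true
      MessageRetentionPeriod: 1209600   # 14 days, leaves time to inspect failed messages

  Queue:
    Type: AWS::SQS::Queue
    Properties:
      SqsManagedSseEnabled: true
      # Visibility timeout >= 6 x function timeout (30 s below), per the Lambda docs,
      # so a message is not handed to a second invocation while the first is still running.
      VisibilityTimeout: 180
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt DeadLetterQueue.Arn
        maxReceiveCount: 3

  ConsumerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ConsumeThisQueueOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - sqs:ReceiveMessage
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                Resource: !GetAtt Queue.Arn

  Consumer:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt ConsumerRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          import json

          def handler(event, context):
              # The body is untrusted input; log a structured summary, not the raw text.
              for record in event["Records"]:
                  print(json.dumps({"messageId": record["messageId"], "bytes": len(record["body"])}))
              # Raising here fails the whole batch; SQS redelivers it until maxReceiveCount is hit.
              return {"processed": len(event["Records"])}

  QueueTrigger:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt Queue.Arn
      FunctionName: !Ref Consumer
      BatchSize: 10
      Enabled: true

Outputs:
  QueueUrl:
    Description: Send a test message with "aws sqs send-message --queue-url <this> --message-body hello"
    Value: !Ref Queue
```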

Read More

AWS CloudFormation conditional arrays

Sometimes a CloudFormation property requires an array, and often the array has to be of variable size, determined for example by input parameters. Take AWS::AmazonMQ::Broker, where you need to define an array of SubnetIds: for a SINGLE_INSTANCE deployment one subnet ID is required, while for ACTIVE_STANDBY_MULTI_AZ two must be specified.

Using the notation proposed in the documentation this cannot be achieved:

SubnetIds:
  - !Ref PrivSubnetA
  - !If [ DeployAmqMultiAzCondition, !Ref PrivSubnetB, ]

But the problem can be solved as follows:

SubnetIds: !If [ DeployAmqMultiAzCondition, [ !Ref PrivSubnetA, !Ref PrivSubnetB ],  [ !Ref PrivSubnetA ]]

Read More

Generate Passwords in AWS CloudFormation Template

Sometimes it is necessary to generate random passwords inside a CloudFormation template, for instance to secure internet-facing applications running on an EC2 or ECS instance. The simple alternative is to let the user of your CloudFormation template enter the password as a parameter (with NoEcho set, so it does not show up in the console or in describe-stacks output) during stack creation.

In the following, I will give an example of how to generate passwords in an AWS CloudFormation Template using a Node.js Lambda Function and Custom Resources.

Example Code

Description

We create a custom CloudFormation resource and pass a previously created Lambda function as the ServiceToken property. Now on every CloudFormation event (Create / Update / Delete) on the SampleString resource, the Lambda function is called. The call contains a so-called ResponseURL to which the Lambda function must send its response. Once you understand this procedure, the template is easy to follow. After the creation of the custom resource is complete, you can use the data it returned via Fn::GetAtt.

Using the Length property in the Custom Resource you can adjust the password length.

Note: the current version of the script generates a new random password if you perform a stack update that directly involves the custom resource (that is, if you change any parameter or property attached to it). To avoid this you could use a workaround such as storing the password in an environment variable of the Lambda function and returning it again on update (keep in mind that Lambda environment variables are readable by anyone allowed to call lambda:GetFunctionConfiguration). But normally updates on a custom resource this simple should not happen.

Usage

Inside the AWS Console go to CloudFormation and deploy the example-template.yml. After the stack creation is complete navigate to the Outputs tab and look for the generated password.

AWS Console CloudFormation

Loosely based on the https://github.com/sophos/cloudformation-random-string example, which is implemented in Python.
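The same custom-resource approach as an added, self-contained example; it is not the author's example-template.yml and the resource names are chosen here. The Node.js code is inline, which is why it can `require('cfn-response')` (CloudFormation injects that module for ZipFile functions). Two changes from the usage described above are deliberate: the password comes from `crypto.randomInt`, a CSPRNG, rather than `Math.random()`, and it is written to a Secrets Manager secret instead of a stack output, because outputs are visible to anyone with cloudformation:DescribeStacks. The response is sent with `noEcho` so the value is also masked in stack events. If you only need a random secret and no custom logic, AWS::SecretsManager::Secret with GenerateSecretString does this natively without any Lambda.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Random password via custom resource, stored in Secrets Manager (added example)

Parameters:
  PasswordLength:
    Type: Number
    Default: 32
    MinValue: 16

Resources:
  GeneratorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  GeneratorFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs18.x
      Handler: index.handler
      Role: !GetAtt GeneratorRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          // cfn-response is injected by CloudFormation for inline (ZipFile) Node.js code.
          const response = require('cfn-response');
          const crypto = require('crypto');
          // Ambiguous characters (0/O, 1/l/I) left out so the value can be read back by eye.
          const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@_';

          exports.handler = (event, context) => {
            if (event.RequestType === 'Delete') {
              // Nothing to clean up; acknowledge so the stack deletion can proceed.
              return response.send(event, context, response.SUCCESS, {}, event.PhysicalResourceId);
            }
            const length = parseInt(event.ResourceProperties.Length, 10) || 32;
            let password = '';
            for (let i = 0; i < length; i++) {
              // crypto.randomInt draws from a CSPRNG; Math.random() is not suitable for secrets.
              password += ALPHABET[crypto.randomInt(ALPHABET.length)];
            }
            // Last argument noEcho=true masks the response data in stack events and the console.
            response.send(event, context, response.SUCCESS, { Password: password }, event.PhysicalResourceId, true);
          };

  GeneratedPassword:
    Type: Custom::RandomPassword
    Properties:
      ServiceToken: !GetAtt GeneratorFunction.Arn
      Length: !Ref PasswordLength

  # Keep the value in Secrets Manager instead of a stack output; access is then governed
  # by IAM on the secret, and reads are logged in CloudTrail.
  AppPasswordSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Generated application password
      SecretString: !GetAtt GeneratedPassword.Password

Outputs:
  SecretArn:
    Description: Read the password with "aws secretsmanager get-secret-value --secret-id <this ARN>"
    Value: !Ref AppPasswordSecret
```

The caveat from the note above still applies: an update that touches the custom resource's properties (here, PasswordLength) runs the handler again and rotates the value, and the secret is updated with it.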

Read More

AWS Global Summits 2018

With more than 100,000 attendees at 28 summits in 2017, AWS extended its reach. This year AWS is increasing the total number of summits to 29.

In AWS words AWS Global Summits are:

... free events designed to bring together the cloud computing community to connect, collaborate, and learn about AWS. Summits are held in major cities around the world and attract technologists from all industries, segments, and learning levels who want to learn how the AWS cloud can help them innovate with speed and deliver services with scale, flexibility, and reliability. Attendees will hear from AWS Leaders and Experts, Partners, and Customers. Learn by attending technical breakout sessions, demonstrations, hands-on workshops and labs, and team challenges. Network with AWS Partners and their peers in The HUB—our Partner and Solutions Expo.

Source: AWS 2018

Update: Meanwhile the dates have been officially confirmed. Visit https://aws.amazon.com/summits/ for more.

Currently, the 2018 AWS Global Summit dates and locations are not yet present on the official website (URL: https://aws.amazon.com/summits/). But AWS has already released an informative PDF file for current and future sponsors which lists dates and locations. The 2018 summits will be held in the following cities, and most dates are already determined.

EMEA (Europe, the Middle East and Africa)

  • Tel Aviv - March 14
  • Milan - March 27
  • London - May 9 - 10
  • Stockholm - May 16
  • Amsterdam - May 31
  • Berlin - June 6 - 7
  • Paris - June 19
  • Cape Town - TBD
  • Madrid - TBD
  • Bahrain - TBD

APAC (Asia-Pacific)

  • ASEAN - April 4
  • Sydney - April 10 - 12
  • Seoul - April 18 - 19
  • Mumbai - May 10

Greater China

  • Taipei - June 27 -28
  • Shanghai - June 29
  • Hong Kong - July 26
  • Beijing - August 9
  • Shenzhen - September TBD

America

  • San Francisco - April 4
  • Mexico City - May 31
  • Sao Paulo - June 21
  • New York City - July 17
  • Chicago - August 2
  • Los Angeles - August 23
  • Atlanta - September 13
  • Toronto - September 20

Japan

  • Tokyo - May 30 - June 1
  • Osaka - June 20

AWS indicates that dates and locations are subject to change.

AWS Global Summit 2018 Map

AWS Global Summit 2018 Locations and Dates

All information and images are based on the following source: https://s3-us-west-2.amazonaws.com/2018globalsummitsponsorship/2018+Global+AWS+Summit+Overview+-+Final.pdf

 

Read More