Route 53: How To Alias Application Load Balancers

Hello! This is a simple one but I kept getting stuck trying to figure it out. My brain was blocked on it. I'm sharing the pattern here in case you had the same problem. All I needed was a Route 53 Hosted Zone with an alias record for an Application Load Balancer. I needed these … Continue reading Route 53: How To Alias Application Load Balancers →

CloudWatch Logs: Preventing Orphaned Log Groups

Hello! When you need to publish logs to CloudWatch (e.g. from a lambda function), you need an IAM role with access to CloudWatch. It's tempting to use a simple policy like the one in the AWS docs. You might write a CloudFormation template like this: Obviously, the role is too permissive: arn:aws:logs:*:*:* But, there's another … Continue reading CloudWatch Logs: Preventing Orphaned Log Groups →

CloudFormation: Limited-Privilege IAM Policies With cfn-nag

Hello! This article is about security testing in CloudFormation, if you're looking for functional testing, check out this. When you write IAM policies, you should grant the smallest set of permissions that work. So, looking at this policy defined in a CloudFormation resource: The Resource: '*' looks wrong. It grants permission to make the DescribeInstances … Continue reading CloudFormation: Limited-Privilege IAM Policies With cfn-nag →

Lambda: Building Python 3 Packages

Hello! This is a guide for building lambda zip packages with pip dependencies in Python 3. It expands the AWS guide to: Build your code if it's either a single-file Python module or a pip-installable Python package (e.g. contains a setup.py). Track pip dependencies for single-file Python modules in the standard requirements.txt file. Show the file … Continue reading Lambda: Building Python 3 Packages →

CloudWatch Logs Structured as JSON with Python Lambda Functions

Hello! If you're setting up JSON logging in a script and instead of a lambda function, check out this instead. The pattern is a little simpler. Recently, I've been switching to logs structured as JSON. That means output like this: Instead of this: This way, your log processor can reference keys in a JSON object … Continue reading CloudWatch Logs Structured as JSON with Python Lambda Functions →

Trimming Large Backlogs

This morning, a buddy was wrangling a Trello board. It was packed with tasks and it was getting hard to plan work. Not long later, I got an email: What’s your recommendation for a Very Large Backlog? I see a lot of Very Large Backlogs in DevOps. Everybody is moving to the cloud. Everybody is … Continue reading Trimming Large Backlogs →

Simplifying Messy Conditions: Adaptive Models

Hello! Today we're getting into the thorns of programming. Beware cactus. 🌵 Years ago I found Martin Fowler's article on Adaptive Models. Adaptive models let you replace nests of conditions with a declaration of actions. That pattern has helped clean up my DevOps code a ton of times. Fowler is a better programmer than me. His … Continue reading Simplifying Messy Conditions: Adaptive Models →

How to Upgrade DevOps Code to Python 3

Python 2 is going away! It's time to upgrade. 🐍3️⃣ You shouldn't run anything in prod that's not actively supported. If there are security flaws you won't have a sure path to remediation. Start the upgrade now so you have time to finish before support ends. In DevOps you’re not usually writing much raw Python. … Continue reading How to Upgrade DevOps Code to Python 3 →

CloudFormation Gotcha: Numbers Are Strings

Good day! CloudFormation templates take parameters. There are several types. One of those types is Number. Here's a super-simple demo template: It just passes the CF param into an SSM param. It's a little funky that we can create an SSM param with type String from a CF param with type Number, but in CF all … Continue reading CloudFormation Gotcha: Numbers Are Strings →

Python DevOps Code Error Checking: Lint with Pyflakes

Hello! For those unfamiliar with linting (static analysis), read Dan Bader's introduction. There are several linters for Python, but when I'm doing DevOps I use Pyflakes. I love the opening sentence of its design principals: Pyflakes makes a simple promise: it will never complain about style, and it will try very, very hard to never … Continue reading Python DevOps Code Error Checking: Lint with Pyflakes →