Cloudformation

A long time ago I wrote about my method of book-keeping using Ledger CLI. Nearly 10 years later, I’m still using it track my finances down to the penny. It’s an amazing tool, and has helped me identify problematic spending habits. But it does have one achilles heel, it’s not very friendly to non-technical people. I share my finances with my family because I want to teach financial literacy and help them feel like they are a part of any decision-making activities related to money. Given that Ledger is text-based, it means they don’t need to install any programs. But because it is text-based, it means they need to learn to use a text editor and the terminal (I could import it into things like Gnu Cash, but I’m not going down that rabbit hole). To improve this accessibility problem, I devised an automated notification scheme whereby once I finish updating the ledger, a summary is emailed to everyone. Here’s how I did it. ...

UPDATE 2019-10-07: There is a bug in CloudFormation when outputting the LogGroup ARN. See the change below in 4. Define a Policy. UPDATE 2020-06-16: Thanks to jplock, I have fixed an error in the ARN syntax for log-group, where a / should have been a :. I notice that the AWS documentation and even their managed policies (e.g. AWSLambdaBasicExecutionRole) all provide users with insecure examples of how to setup permissions for their Lambda functions to emit their logs to CloudWatch Logs. The permissions are not least privilege, meaning they provide more permission to the Lambda function than are necessary and can lead to unintended consequences. Let’s look at the common example given to users: ...

I love using CloudFormation for provisioning AWS services but one of the more annoying aspects about working with it is that setting up the initial CloudFormation stack is an all-or-none endeavour. This is in contrast to when a stack exists and is being updated, where changes are reversible and the stack is almost always left in a working state. This annoyance is compounded when I write a stack definition with multiple resources and, as it inevitably happens, there is a typo somewhere. CloudFormation dutifully creates all the resources, trips on the error, and rolls back the entire stack to nothingness. Then I need to delete the stack and start again instead of issuing an update or changeset request. It’s a time-sink and I wanted to find a better way. ...

Secrets management is a constant topic for debate in tech and security circles, even more so for users of cloud providers. There are solutions like Hashicorp Vault, Sneaker, and Credstash (even a locked down S3 bucket) that we have looked at using at Unbounce. Each solution has its own level of complexity to setup and maintain. All of these solutions suffer from the same problem, which I like to call “Step 0” or, how the heck do I manage the master key that unlocks everything? At some point in the encryption process, trust has to be established and that is the point where encryption cannot be used (Step 0). ...

Update 2016-09-27: The AWS CloudFormation team has just released a new feature that allows you to write your templates in YAML. They even improved on the problems I outlined in this article by allowing shorthand versions of the intrinsic functions. I now suggest everyone to move to YAML as it is the clear winner. Working with CloudFormation is great once it finally clicks in your brain that you can create many AWS resources and then delete all of them to make cleaning up super easy. Other than the steep learning curve when a person first learn CloudFormation, the next annoyance people have is that they have to write in JSON. ...